Tips for Content Updates
Table of Contents
Expand all | Collapse all
-
-
- Upgrade Panorama with an Internet Connection
- Upgrade Panorama Without an Internet Connection
- Install Content Updates Automatically for Panorama without an Internet Connection
- Upgrade Panorama in an HA Configuration
- Migrate Panorama Logs to the New Log Format
- Upgrade Panorama for Increased Device Management Capacity
- Upgrade Panorama and Managed Devices in FIPS-CC Mode
- Downgrade from Panorama 10.2
- Troubleshoot Your Panorama Upgrade
-
- What Updates Can Panorama Push to Other Devices?
- Schedule a Content Update Using Panorama
- Panorama, Log Collector, Firewall, and WildFire Version Compatibility
- Upgrade Log Collectors When Panorama Is Internet-Connected
- Upgrade Log Collectors When Panorama Is Not Internet-Connected
- Upgrade a WildFire Cluster from Panorama with an Internet Connection
- Upgrade a WildFire Cluster from Panorama without an Internet Connection
- Upgrade Firewalls When Panorama Is Internet-Connected
- Upgrade Firewalls When Panorama Is Not Internet-Connected
- Upgrade a ZTP Firewall
- Revert Content Updates from Panorama
-
Tips for Content Updates
Here’s what you should do to reduce the chance that a
content release might impact your network in an unexpected way.
Palo Alto Networks application and threat
content releases undergo rigorous performance and quality assurance.
However, because there are so many possible variables in a customer
environment, there are rare occasions where a content release might
impact a network in an unexpected way. Follow these tips to mitigate
or troubleshoot an issue with a content release, so that there is
as little impact to your network as possible.
- Follow the best practices for Application and Threat Content Updates.Review and implement the Best Practices for Applications and Threats Content Updates. How you choose to deploy content updates might depend on your network security and application availability requirements.
- Ensure that you’re running the latest content.Get the latest content update, if you haven’t configured the firewall to download and install it automatically.The firewall validates that downloaded content updates are still Palo Alto Networks- recommended at the time of installation. This check, which the firewall performs by default, is helpful in cases where content updates are downloaded from the Palo Alto Networks update server (either manually or on a schedule) ahead of installation. Because there are rare instances where Palo Alto Networks removes a content update from availability, this option prevents the firewall from installing a content update that Palo Alto Networks has removed, even if the firewall has already downloaded it. If you see an error message that the content update you’re attempting to install is no longer valid, Check Now to get the most recent content update and install that version instead (DeviceDynamic Updates).
- Turn on threat intelligence telemetry.Turn on the threat intelligence telemetry that the firewall sends to Palo Alto Networks. We use telemetry data to identify and troubleshoot issues with content updates.Telemetry data helps us to quickly recognize a content update that is impacting firewall performance or security policy enforcement in unexpected ways, across the Palo Alto Networks customer base. The more quickly we can identify an issue, the more quickly we can help you to avoid the issue altogether or mitigate impact to your network.To enable the firewall to collect and share telemetry data with Palo Alto Networks:
- Select DeviceSetupTelemetry.
- Edit the Telemetry settings and Select All.
- Click OK and Commit to save your changes.
- Forward Palo Alto Networks content update alerts to the right people.Enable log forwarding for Palo Alto Networks critical content alerts, so that important messages about content release issues go directly to the appropriate personnel.Palo Alto Networks can now issue alerts about content update issues directly to the firewall web interface or—if you have log forwarding enabled—to the external service you use for monitoring. Critical content alerts describe the issue so that you can understand how it affects you, and include steps to take action if needed.In the firewall web interface, critical alerts about content issues are displayed similarly to the Message of the Day. When Palo Alto Networks issues a critical alert about a content update, the alert is displayed by default when you log into the firewall web interface. If you’re already logged into the firewall web interface, you will notice an exclamation appear over the message icon on the menu bar located at the bottom of the web interface—click on the message icon to view the alert.Critical content update alerts are also logged as system log entries with the Type dynamic-updates and the Event palo-alto-networks-message. Use the following filter to view these log entries: ( subtype eq dynamic-updates) and ( eventid eq palo-alto-networks-message).
- If needed, use Panorama to rollback to an earlier content release.After being notified about an issue with a content update, you can use Panorama to quickly revert managed firewalls to the last content update version, instead of manually reverting the content version for individual firewalls: Revert Content Updates from Panorama.