Applications and Threats Content Updates
Applications and Threats content updates equip Palo Alto Networks next-gen firewalls with the very latest threat prevention and application identification technology.
Applications and Threats content updates deliver the very latest application and threat signatures to the firewall. The applications portion of the package includes new and modified App-IDs and does not require a license. The full Applications and Threats content package, which also includes new and modified threat signatures, requires a Threat Prevention license. As the firewall automatically retrieves and installs the latest application and threat signatures (based on your custom settings), it starts enforcing security policy based on the latest App-IDs and threat protection without any additional configuration.
New and modified threat signatures and modified App-IDs are released at least weekly and, often, more frequently. New App-IDs are released on the third Tuesday of every month.
In rare cases, publication of the update that contains new App-IDs may be delayed one or two days.
Because new App-IDs can change how the security policy enforces traffic, this more limited release of new App-IDs is intended to provide you with a predictable window in which you can prepare and update your security policy. Additionally, content updates are cumulative; this means that the latest content update always includes the application and threat signatures released in previous versions.
Because application and threat signatures are delivered in a single package—the same decoders that enable application signatures to identify applications also enable threat signatures to inspect traffic—you need to consider whether you want to deploy the signatures together or separately. How you choose to deploy content updates depends on your organization’s network security and application availability requirements. As a starting point, identify your organization as having one of the following postures (or perhaps both, depending on firewall location):
- An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You’re primarily using the firewall for its threat prevention capabilities. Any changes to App-ID that impact how security policy enforces application traffic are secondary.
- A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero tolerance for downtime. The firewall is deployed inline to enforce security policy and if you’re using App-ID in security policy, any change a content release introduces that affects App-ID could cause downtime.
You can take a mission-critical or security-first approach to deploying content updates, or you can apply a mix of both approaches to meet the needs of the business. Review and consider Best Practices for Applications and Threats Content Updates to decide how you want to implement application and threat updates. Then:
While scheduling content updates is a one-time or infrequent task, after you’ve set the schedule, you’ll need to continue to Manage New and Modified App-IDs that are included in content releases, as these App-IDs can change how security policy is enforced.