Dynamic Content Updates

Palo Alto Networks frequently publishes updates to equip the firewall with the latest threat prevention and intelligence.
Palo Alto Networks frequently publishes updates that the firewall can use to enforce security policy, without requiring you to upgrade PAN-OS software or change the firewall configuration. These updates equip the firewall with the very latest security features and threat intelligence.
Except for application updates and some antivirus updates—which any firewall can receive—dynamic content updates available to you might depend on your subscriptions. You can set a schedule for each dynamic content update to define the frequency at which the firewall checks for and downloads or installs new updates (Device > Dynamic Updates).
Dynamic Content Update What’s in this package?
Antivirus
Antivirus updates are released every 24 hours and include:
  • WildFire signatures for newly-discovered malware. To get these updates every five minutes instead of once daily, you’ll need a WildFire subscription.
  • (Requires Threat Prevention) Automatically-generated command-and-control (C2) signatures that detect certain patterns in C2 traffic. These signatures enable the firewall to detect C2 activity even when the C2 host is unknown or changes rapidly.
  • (Requires Threat Prevention) New and updated list entries for built-in external dynamic lists. These lists include malicious, high-risk, and bulletproof host-provided IP addresses, and can help to protect you against malicious hosts.
  • (Requires Threat Prevention) Updates to the local set of DNS signatures that the firewall uses to identify known malicious domains. If you’ve set up DNS sinkholing, the firewall can identify hosts on your network that try to connect to these domains. To allow the firewall to check domains against the complete database of DNS signatures, set up DNS Security.
Applications
Application updates provide new and modified application signatures, or App-IDs. This update does not require any additional subscriptions, but it does require a valid maintenance/support contract. New application updates are published only on the third Tuesday of every month, to give you time to prepare any necessary policy updates in advance.
In rare cases, publication of the update that contains new App-IDs may be delayed one or two days.
Modifications to App-IDs are released more frequently. While new and modified App-IDs enable the firewall to enforce your security policy with ever-increasing precision, the resulting changes in security policy enforcement can impact application availability. To get the most out of application updates, follow our tips to Manage New and Modified App-IDs.
Applications and Threats
Includes new and updated application and threat signatures. This update is available if you have a Threat Prevention subscription (in this case, you will get this update instead of the Applications update). New threat updates are published frequently, sometimes several times a week, along with updated App-IDs. New App-IDs are published only on the third Tuesday of every month.
In rare cases, publication of the update that contains new App-IDs may be delayed one or two days.
The firewall can retrieve the latest threat and application updates within as little as 30 minutes of availability.
For guidance on how to best enable application and threat updates to ensure both application availability and protection against the latest threats, review the Best Practices for Applications and Threats Content Updates.
Device Dictionary
The device dictionary is an XML file for firewalls to use in Security policy rules based on Device-ID. It contains entries for various device attributes and is completely refreshed on a regular basis and posted as a new file on the update server. If there are any changes to a dictionary entry, a revised file will be posted on the update server so that Panorama and firewalls will automatically download and install it the next time they check the update server, which they do automatically every two hours.
GlobalProtect Data File
Contains the vendor-specific information for defining and evaluating host information profile (HIP) data returned by GlobalProtect apps. You must have a GlobalProtect gateway subscription in order to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect will function.
GlobalProtect Clientless VPN
Contains new and updated application signatures to enable Clientless VPN access to common web applications from the GlobalProtect portal. You must have a GlobalProtect subscription to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect Clientless VPN will function. As a best practice, always install the latest content updates for GlobalProtect Clientless VPN.
WildFire
Provides access to malware and antivirus signatures generated by the WildFire public cloud in real-time. Optionally, you can configure PAN-OS to retrieve WildFire signature update packages instead. You can set the firewall to check for new updates as frequently as every minute to ensure that the firewall retrieves the latest WildFire signatures within a minute of availability. Without the WildFire subscription, you must wait at least 24 hours for the signatures to be provided in the Antivirus update.
WF-Private
Provides near real-time malware and antivirus signatures created as a result of the analysis done by a WildFire appliance. To receive content updates from a WildFire appliance, the firewall and appliance must both be running PAN-OS 6.1 or a later release and the firewall must be configured to forward files and email links to the WildFire Private Cloud.
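
The release cadences in the table above can be turned into a content-staleness audit. The following is an added example, not Palo Alto Networks code and not a PAN-OS API: it flags firewalls whose antivirus content has missed release cycles, whose application content predates the latest third-Tuesday App-ID release, or which lack a WildFire subscription. The inventory records, field names, and the two-cycle grace threshold are assumptions made for illustration.

```python
from datetime import date, datetime, timedelta

ANTIVIRUS_CADENCE = timedelta(hours=24)    # page: released every 24 hours
GRACE_CYCLES = 2                           # assumption: allow one missed cycle
APPID_SLIP = timedelta(days=2)             # page: may be delayed one or two days

def third_tuesday(year, month):
    """Third Tuesday of the month, when new App-IDs are published."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7   # weekday(): Tuesday == 1
    return first + timedelta(days=to_first_tuesday + 14)

def latest_appid_release(today):
    """Most recent third Tuesday on or before `today`."""
    release = third_tuesday(today.year, today.month)
    if release > today:
        prev = today.replace(day=1) - timedelta(days=1)
        release = third_tuesday(prev.year, prev.month)
    return release

def audit(fw, now):
    """Return findings for one firewall record (hypothetical field names)."""
    findings = []
    if now - fw["antivirus_installed"] > ANTIVIRUS_CADENCE * GRACE_CYCLES:
        findings.append("antivirus content older than two release cycles")
    release = latest_appid_release(now.date())
    # Flag only after the possible publication delay has passed.
    if now.date() >= release + APPID_SLIP and fw["apps_installed"].date() < release:
        findings.append(f"application content predates new App-IDs of {release}")
    if not fw["wildfire_subscription"]:
        findings.append("WildFire signatures arrive only with the 24-hour Antivirus update")
    return findings

# Constructed sample inventory; not output from any PAN-OS command or API.
NOW = datetime(2024, 5, 24, 12, 0)
INVENTORY = [
    {"name": "fw-edge-01", "antivirus_installed": datetime(2024, 5, 24, 3, 0),
     "apps_installed": datetime(2024, 5, 22, 2, 0), "wildfire_subscription": True},
    {"name": "fw-branch-07", "antivirus_installed": datetime(2024, 5, 20, 3, 0),
     "apps_installed": datetime(2024, 4, 18, 2, 0), "wildfire_subscription": False},
]

if __name__ == "__main__":
    for fw in INVENTORY:
        for finding in audit(fw, NOW):
            print(f"{fw['name']}: {finding}")
```

A finding about pending App-IDs is a prompt to review policy impact before installing, in line with the preparation window the third-Tuesday schedule is meant to provide.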