Tools to Avoid or Mitigate Content Update Issues
Review the Best Practices for Application and Threat Content Updates for guidance on how to best deploy content updates based on your organization’s network security and application availability needs.
Palo Alto Networks Application and Threat Content Updates undergo rigorous performance and quality assurance; however, because there are so many possible variables in a customer environment, there are rare occasions where a content release might impact a network in a way that we did not foresee. The following features are intended to help both you and us avoid and mitigate an issue with a content release, so that there is as little impact to your network as possible.
- The firewall can now validate that a downloaded content update is still Palo Alto Networks-recommended at the time of installation.This check, which the firewall performs by default, is helpful in cases where content updates are downloaded from the Palo Alto Networks update server (either manually or on a schedule) ahead of installation. Because there are rare instances where Palo Alto Networks removes a content update from availability, this option prevents the firewall from installing a content update that Palo Alto Networks has deprecated, even if the firewall has already downloaded it.
- The threat intelligence telemetry data that the firewall sends to Palo Alto Networks now includes information that Palo Alto Networks can use to identify and troubleshoot issues with content updates.This new telemetry data helps us to quickly recognize a content update that is impacting firewall performance or security policy enforcement in unexpected ways, across the Palo Alto Networks customer base. We can quickly determine the firewall platforms or types of firewall deployments that are affected in order to help you to mitigate impact to your own network, or avoid the issue altogether.Make sure that you’ve enabled the firewall to collect and share telemetry data with Palo Alto Networks:
- Edit theTelemetrysettings andSelect All.
- ClickOKandCommitto save your changes.
- Palo Alto Networks can now directly alert you to a critical content release issue; we’ll give you the information you need to understand if and how the issue affects you, along with steps to move forward.Palo Alto Networks can now issue alerts about content update issues directly to the firewall web interface or—if you have log forwarding enabled—to the external service you use for monitoring.In the firewall web interface, critical alerts about content issues are displayed similarly to the Message of the Day. When Palo Alto Networks issues a critical alert about a content update, the alert is displayed by default when you log into the firewall web interface. If you’re already logged into the firewall web interface, you will notice an exclamation appear over the message icon on the menu bar located at the bottom of the web interface—click on the message icon to view the alert.Critical content update alerts are also logged as system log entries with the Typegeneraland the event IDpalo-alto-networks-message. Use the following filter to view these log entries:( subtype eq dynamic-updates ) and ( eventid eq palo-alto-networks-message).Set up log forwarding to send these entries to any external services that you use for monitoring network and firewall activity. This allows you to make sure that the appropriate personnel is notified when Palo Alto Networks issues an alert, so that they can take action as needed.
- After being notified about an issue with a content update, you can now use Panorama to revert managed firewalls to the last content update version, instead of manually reverting the content version for individual firewalls. To learn more, see Content Update Reversion from Panorama.