Streamlined Panorama Deployment for Application and Threat Content Updates

When using Panorama to deploy content updates to managed firewalls, you can now more easily configure dynamic updates schedules for multiple firewalls at once based on platform, device group, and tag (instead of applying schedules based on individual firewall serial numbers, as was previously supported). If yours is a mission-critical network, this is especially useful to stagger content updates across your network and to enforce content update installation threshold. A content update installation threshold only allows firewalls to install Applications and Threat content updates that have been successfully functioning in customer environments for a given amount of time, and a separate installation threshold for content updates with new App-IDs gives you extra time to assess how new application signatures impact your security policy. Previously, you could only use Panorama to configure content updates thresholds for managed firewalls that were connecting to the Palo Alto Networks Update Server directly, not those firewalls that retrieve content updates from Panorama.
For guidance on how to best deploy Application and Threat content updates based on your organization’s network security and application availability requirements, review the Best Practices for Application and Threat Content Updates. Then, to easily apply a Dynamic Updates Schedule to several devices at once, and to set a Content Update Threshold for those devices, start by editing or adding a Dynamic Updates schedule for managed firewalls:
  1. Select
    Panorama
    Device Deployment
    Dynamic Updates
    Schedules
    .
  2. Set the schedule
    Type
    to
    App and Threat
    .
  3. Set the schedule
    Action
    to
    Download and Install
    .
  4. Use
    Filters
    to set a Dynamic Updates schedule for many devices at once based on Platforms, Device Groups, and Tags.
  5. Set a
    Threshold
    requirement for new Applications and Threat content releases—managed firewalls only retrieve and install content releases from Panorama that have been available and functioning in customer environments for at least the amount of time that you define.
    nfg-app-threshold-and-devices.png

Related Documentation