Tips for Content Updates

Here’s what you should do to reduce the chance that a content release might impact your network in an unexpected way.
Palo Alto Networks application and threat content releases undergo rigorous performance and quality assurance. However, because there are so many possible variables in a customer environment, there are rare occasions where a content release might impact a network in an unexpected way. Follow these tips to mitigate or troubleshoot an issue with a content release, so that there is as little impact to your network as possible.
  • Follow the best practices for Application and Threat Content Updates.
    Review and implement the Best Practices for Applications and Threats Content Updates. How you choose to deploy content updates might depend on your network security and application availability requirements.
  • Ensure that you’re running the latest content.
    Get the latest content update, if you haven’t configured the firewall to download and install it automatically.
    The firewall validates that downloaded content updates are still Palo Alto Networks- recommended at the time of installation. This check, which the firewall performs by default, is helpful in cases where content updates are downloaded from the Palo Alto Networks update server (either manually or on a schedule) ahead of installation. Because there are rare instances where Palo Alto Networks removes a content update from availability, this option prevents the firewall from installing a content update that Palo Alto Networks has removed, even if the firewall has already downloaded it. If you see an error message that the content update you’re attempting to install is no longer valid,
    Check Now
    to get the most recent content update and install that version instead (
    Device
    Dynamic Updates
    ).
  • Turn on threat intelligence telemetry.
    Turn on the threat intelligence telemetry that the firewall sends to Palo Alto Networks. We use telemetry data to identify and troubleshoot issues with content updates.
    Telemetry data helps us to quickly recognize a content update that is impacting firewall performance or security policy enforcement in unexpected ways, across the Palo Alto Networks customer base. The more quickly we can identify an issue, the more quickly we can help you to avoid the issue altogether or mitigate impact to your network.
    To enable the firewall to collect and share telemetry data with Palo Alto Networks:
    1. Select
      Device
      Setup
      Telemetry
      .
    2. Edit the
      Telemetry
      settings and
      Select All
      .
    3. Click
      OK
      and
      Commit
      to save your changes.
  • Forward Palo Alto Networks content update alerts to the right people.
    Enable log forwarding for Palo Alto Networks critical content alerts, so that important messages about content release issues go directly to the appropriate personnel.
    Palo Alto Networks can now issue alerts about content update issues directly to the firewall web interface or—if you have log forwarding enabled—to the external service you use for monitoring. Critical content alerts describe the issue so that you can understand how it affects you, and include steps to take action if needed.
    In the firewall web interface, critical alerts about content issues are displayed similarly to the Message of the Day. When Palo Alto Networks issues a critical alert about a content update, the alert is displayed by default when you log into the firewall web interface. If you’re already logged into the firewall web interface, you will notice an exclamation appear over the message icon on the menu bar located at the bottom of the web interface—click on the message icon to view the alert.
    Critical content update alerts are also logged as system log entries with the Type
    dynamic-updates
    and the Event
    palo-alto-networks-message
    . Use the following filter to view these log entries: ( subtype eq dynamic-updates) and ( eventid eq palo-alto-networks-message).
  • If needed, use Panorama to rollback to an earlier content release.
    After being notified about an issue with a content update, you can use Panorama to quickly revert managed firewalls to the last content update version, instead of manually reverting the content version for individual firewalls: Revert Content Updates on Managed Firewalls.

Related Documentation