PAN-OS ® New Features Guide
    : Automatic Content Push for VM-Series and CN-Series Firewalls
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS ® New Features Guide
    4. Panorama Features
    5. Automatic Content Push for VM-Series and CN-Series Firewalls
    Download PDF

    PAN-OS ® New Features Guide

    Automatic Content Push for VM-Series and CN-Series Firewalls

    Table of Contents

    Automatic Content Push for VM-Series and CN-Series Firewalls

    Automatically push dynamic content updates to VM-Series and CN-Series firewalls on first connection to the Panorama™ management server.
    PAN-OS 10.2 introduces the ability to automatically push the latest Antivirus and Applications and Threats content updates on first connection when onboarding a new VM-Series and CN-Series firewall to the Panorama™ management server. When leveraging auto-scale, enabling this setting allows you to maintain existing images for VM-Series and CN-Series firewalls leveraging dynamic content in their configurations, such as in policies and App-ID. This helps eliminate the operational overhead required to update VM-Series and CN-Series firewall images when new dynamic content update versions are introduced.
    Panorama attempts to push the installed dynamic content updates on the first connection only and does not attempt any subsequent pushes if the initial push fails for any reason.
    For example, you add a VM-Series firewall to Panorama management and enable Auto Push on 1st Connect to automatically push the device group and template stack configuration to the VM-Series firewall on first connection. However, the template stack contains an invalid configuration and the push to the VM-Series firewall fails. In this scenario, the automatic content push to the VM-Series firewall also fails because the configuration push and dynamic content version push are included in the same push operation to the VM-Series firewall.
    VM-Series firewalls deployed on NSX and hardware firewalls are not supported.
    1. Log in to the Panorama web interface.
    2. Install the latest dynamic content updates on Panorama.
      This is required to automatically push the Antivirus and Applications and Threats content updates. Panorama only the Antivirus and Applications and Threats versions it has installed to VM-Series and CN-Series firewalls.
    3. Configure Panorama to automatically push the latest dynamic content updates to VM-Series and CN-Series firewalls on first connection.
      This step assumes you have already configured a template stack for your VM-Series and CN-Series firewall configuration.
      1. Select PanoramaTemplates and click the template stack that contains the VM-Series and CN-Series firewall configuration.
      2. Check (enable) Automatically push content when software device registers to Panorama.
      3. Click OK.
    4. Commit and Commit to Panorama.
    5. Add a Firewall as a Managed Device.
      When adding the VM-Series or CN-Series firewall to Panorama management, be sure to Associate Devices and assign the firewalls to the Template Stack where you enabled Panorama to automatically push the dynamic content updates installed on Panorama to the firewalls on first connection.
      Panorama does not push the installed dynamic content updates if the VM-Series or CN-Series firewall is not assigned to a Template Stack prior to first connection.
    6. Verify the dynamic content version installed on the firewall.
      1. Select PanoramaManaged DevicesSummary and locate the managed firewalls you added.
      2. Verify the Device State is Connected.
      3. Verify the Antivirus and Apps and Threat versions match the versions installed on Panorama.

    © 2024 Palo Alto Networks, Inc. All rights reserved.