Here’s what you should do to reduce the chance that a
content release might impact your network in an unexpected way.
Palo Alto Networks application and threat
content releases undergo rigorous performance and quality assurance.
However, because there are so many possible variables in a customer
environment, there are rare occasions where a content release might
impact a network in an unexpected way. Follow these tips to mitigate
or troubleshoot an issue with a content release, so that there is
as little impact to your network as possible.
Follow the best practices
for Application and Threat Content Updates.
Ensure that you’re running the latest content.
Get the latest content update, if you haven’t configured the firewall
to download and install it automatically.
The firewall validates that downloaded content updates are still
Palo Alto Networks-recommended at the time of installation. This check,
which the firewall performs by default, is helpful in cases where
content updates are downloaded from the Palo Alto Networks update server
(either manually or on a schedule) ahead of installation. Because there
are rare instances where Palo Alto Networks removes a content update
from availability, this option prevents the firewall from installing a
content update that Palo Alto Networks has removed, even if the firewall
has already downloaded it. If you see an error message that the content
update you’re attempting to install is no longer valid, click Check Now
to get the most recent content update and install that version instead.
Turn on threat intelligence telemetry.
Turn on the threat intelligence telemetry that the
firewall sends to Palo Alto Networks. We use telemetry data to identify
and troubleshoot issues with content updates.
Telemetry data
helps us to quickly recognize a content update that is impacting
firewall performance or security policy enforcement in unexpected ways,
across the Palo Alto Networks customer base. The more quickly we
can identify an issue, the more quickly we can help you to avoid
the issue altogether or mitigate impact to your network.
To enable the firewall to collect and share telemetry data with
Palo Alto Networks:
Select .
Edit the Telemetry settings and Select
All.
Click OK and Commit to
save your changes.
Forward Palo Alto Networks content update alerts
to the right people.
Enable log forwarding for
Palo Alto Networks critical content alerts, so that important messages
about content release issues go directly to the appropriate personnel.
Palo Alto Networks can now issue alerts about content update issues directly
to the firewall web interface or—if you have log forwarding enabled—to the
external service you use for monitoring. Critical content alerts
describe the issue so that you can understand how it affects you,
and include steps to take action if needed.
In the firewall web interface, critical alerts about content issues
are displayed similarly to the Message of the Day. When Palo Alto Networks
issues a critical alert about a content update, the alert is displayed
by default when you log into the firewall web interface. If you’re
already logged into the firewall web interface, you will notice
an exclamation mark appear over the message icon on the menu bar located
at the bottom of the web interface—click on the message icon to
view the alert.
Critical content update alerts are also logged
as system log entries with the Type dynamic-updates and the
Event palo-alto-networks-message. Use the following filter
to view these log entries:
(subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message)
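When system logs are forwarded over syslog, the same two-field match can be applied on the receiving side so that critical content alerts reach the right people. The following is an added example, not Palo Alto Networks code; the field positions assume the default comma-separated system-log syslog layout and should be confirmed for your PAN-OS release, and the sample lines are constructed.

```python
import csv

# Assumed 0-based positions in the default comma-separated system-log syslog
# payload; confirm them against the syslog field list for your PAN-OS release.
SERIAL, LOG_TYPE, SUBTYPE, GENERATED, EVENTID, SEVERITY, DESCRIPTION = 2, 3, 4, 6, 8, 13, 14

# Values taken from the filter on this page:
# (subtype eq dynamic-updates) and (eventid eq palo-alto-networks-message)
WANT_SUBTYPE = "dynamic-updates"
WANT_EVENTID = "palo-alto-networks-message"

def critical_content_alerts(lines):
    """Return one dict per forwarded system log that is a critical content alert."""
    alerts = []
    for line in lines:
        # Parse each line on its own so a stray quote cannot swallow the next line.
        row = next(csv.reader([line.strip()]), [])
        if len(row) <= DESCRIPTION or row[LOG_TYPE].upper() != "SYSTEM":
            continue  # truncated line or another log type (traffic, threat, ...)
        if row[SUBTYPE].lower() == WANT_SUBTYPE and row[EVENTID].lower() == WANT_EVENTID:
            alerts.append({
                "serial": row[SERIAL],
                "generated": row[GENERATED],
                "severity": row[SEVERITY],
                "description": row[DESCRIPTION],
            })
    return alerts

# Constructed sample lines (not real firewall output).
SAMPLE_LINES = [
    '<14>Jan 10 09:15:02 fw-edge-01 1,2024/01/10 09:15:02,001234567890,SYSTEM,'
    'dynamic-updates,0,2024/01/10 09:15:02,,palo-alto-networks-message,,0,0,general,'
    'critical,"Constructed sample: content update issue, see alert text",1001,0x0',
    '<14>Jan 10 09:20:11 fw-edge-01 1,2024/01/10 09:20:11,001234567890,SYSTEM,'
    'dynamic-updates,0,2024/01/10 09:20:11,,sample-other-event,,0,0,general,'
    'informational,"Constructed sample: unrelated dynamic-updates event",1002,0x0',
    '<14>Jan 10 09:21:40 fw-edge-01 1,2024/01/10 09:21:40,001234567890,TRAFFIC,end,0',
    'truncated,line',
]

if __name__ == "__main__":
    for alert in critical_content_alerts(SAMPLE_LINES):
        print("{generated} serial={serial} [{severity}] {description}".format(**alert))
```

Only the first sample line matches; the second shares the subtype but not the event ID, which is why both conditions of the filter are needed.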
If needed, use Panorama to roll back to an earlier content
release.
After being notified about an issue with
a content update, you can use Panorama to quickly revert managed
firewalls to the last content update version, instead of manually
reverting the content version for individual firewalls. See
Revert Content Updates on Managed Firewalls.