Tips for Managing Content Updates
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 onwards
Resolution
This document shows the various methods that can be used to manage the content updates. Content updates can be managed using the Graphical User Interface of the firewall, an end host CLI, or via a manual process where one can download content updates from the Customer Service Portal (CSP).
GRAPHICAL USER INTERFACE (GUI)
To view the currently available content on the firewall, go to Device > Dynamic Updates. From there, the following functions may be performed:
- Click “Check Now” to trigger the request to download the latest content for all content versions the firewall is licensed to support
- Click on the Release Notes to view a description of the content update.
- Click Download in the Action column, on a row that contains the desired content version, to download that version on the firewall. When the download is complete, a checkmark is displayed in the “Downloaded” column and the Action column shows the option to now “Install” that same content
- Click Install in the Action column, on the row of a previously “downloaded” content version, to install the downloaded content update to make it the “Currently Installed” content version.
Palo Alto Networks provides the configuration flexibility to accommodate customer policy.
The following documents list the release schedule of content updates. A schedule can then be configured accordingly on PAN-OS devices to automatically either download or download-and-install updates.
- 10.1 content release schedule
- 10.2 content release schedule
- 11.0 content release schedule
- 11.1 content release schedule
Note: To obtain the content release schedule for any new PAN-OS version, one of the above URLs can be used. A dropdown menu on the left side of the page allows users to select the desired PAN-OS version and retrieve the release schedule.
- To set the schedule for a content type, click the marked-up text next to the characters "Schedule:"
- Specify the frequency and timing of the updates and whether the update will be downloaded and installed or only downloaded. For best results, set the hourly offset to a value different from other updates to prevent multiple downloads and installs occurring simultaneously.
- If Download Only is selected, the downloaded update can be installed by clicking the Upgrade link on the Dynamic Updates page. When OK is clicked, the update is scheduled.
- Additionally, there is an option to delay the Action taken by setting a Threshold dictating how old the new content must be before either action takes place:
- Threshold (hours) - To delay the selected Action (in this case download-and-install)
- New App-ID Threshold - This further delays the install (only the install) of new content updates to allow admins to adjust their security policies based on new App-IDs. The recommendation differs for mission-critical and security-first deployments; see: Mission-critical and security-first deployments
- If there are concerns that newly downloaded applications could interfere with an existing security policy, they can be disabled until an admin manually reviews and enables them. For more information, read this article: Tips & Tricks: How to Use 'Disable New Apps' in Content Update
We recommend scheduling AV and Apps/Threats content for Daily Recurrence with an action of Download and Install and a Threshold in accordance with the risk-versus-benefit tolerance of the site.
Daily recurrence allows the opportunity to download any new off-schedule releases for critical bug fixes or filtering updates. Download and Install avoids having to manually interact with the system.
If a new update is not available at the time that the firewall checks with updates.paloaltonetworks.com, it will wait until the next scheduled time to check.
It is also recommended that the update schedule not be set at the same time as other updates, as this can cause a resource conflict on the firewall and one update will not install.
WildFire updates should be scheduled for Download and Install every 15 minutes, 5 minutes, or every minute depending on the customer's need and network bandwidth.
COMMAND LINE INTERFACE (CLI)
In the CLI, the various content types can be accessed via the following commands:
- Antivirus
  admin@PA-VM> request anti-virus upgrade
  > check      Get information from PaloAlto Networks server
  > download   Download anti-virus packages
  > info       Show information about available anti-virus packages
  > install    Install anti-virus packages
- Apps & Threats
  admin@PA-VM> request content upgrade
  > check      Get information from PaloAlto Networks server
  > download   Download content packages
  > info       Show information about available content packages
  > install    Install content packages
- Wildfire
  admin@PA-VM> request wildfire upgrade
  > check      Get information from PaloAlto Networks server
  > download   Download wildfire packages
  > info       Show information about available wildfire packages
  > install    Install wildfire packages
To view the currently available content on the firewall, one can run the following commands for each content type:
request anti-virus upgrade info
request content upgrade info
request wildfire upgrade info
To upgrade any of these content types in the CLI, one can run the following commands, in order, to check their content, download the desired content version, and then install that same content version.
admin@PA-VM> request content upgrade check

Version      Size   Released on               Downloaded  Installed
-------------------------------------------------------------------------
8496-7089    52MB   2021/12/06 21:50:02 EST   no          no
8504-7131    52MB   2021/12/16 23:49:11 EST   no          no
8501-7114    52MB   2021/12/14 13:09:49 EST   no          no
8502-7118    52MB   2021/12/15 00:35:39 EST   no          no
8493-7073    52MB   2021/11/29 17:35:04 EST   no          no
8506-7141    52MB   2021/12/19 02:17:12 EST   no          no
8497-7093    52MB   2021/12/07 20:29:09 EST   no          no
8494-7079    52MB   2021/11/30 19:54:37 EST   no          no
8499-7107    52MB   2021/12/10 22:12:28 EST   no          no
8498-7098    52MB   2021/12/09 23:57:24 EST   no          no
8500-7110    52MB   2021/12/12 23:12:26 EST   no          no
8503-7125    52MB   2021/12/16 01:10:38 EST   yes         previous
8505-7134    52MB   2021/12/17 21:35:31 EST   yes         current
8495-7081    52MB   2021/12/02 17:28:58 EST   no          no

admin@PA-VM> request content upgrade download latest force yes
Download job enqueued with jobid 207
207

admin@PA-VM> show jobs id 207

Enqueued              Dequeued   ID    Type     Status  Result  Completed
------------------------------------------------------------------------------------------------------------------------------
2021/12/21 00:09:40   00:09:40   207   Downld   FIN     OK      00:09:43
Warnings:
Details:File successfully downloaded

admin@PA-VM> request content upgrade info

Version      Size   Released on               Downloaded  Installed
-------------------------------------------------------------------------
8496-7089    52MB   2021/12/06 21:50:02 EST   no          no
8504-7131    52MB   2021/12/16 23:49:11 EST   no          no
8501-7114    52MB   2021/12/14 13:09:49 EST   no          no
8502-7118    52MB   2021/12/15 00:35:39 EST   no          no
8493-7073    52MB   2021/11/29 17:35:04 EST   no          no
8506-7141    52MB   2021/12/19 02:17:12 EST   yes         no
8497-7093    52MB   2021/12/07 20:29:09 EST   no          no
8494-7079    52MB   2021/11/30 19:54:37 EST   no          no
8499-7107    52MB   2021/12/10 22:12:28 EST   no          no
8498-7098    52MB   2021/12/09 23:57:24 EST   no          no
8500-7110    52MB   2021/12/12 23:12:26 EST   no          no
8503-7125    52MB   2021/12/16 01:10:38 EST   yes         previous
8505-7134    52MB   2021/12/17 21:35:31 EST   no          current
8495-7081    52MB   2021/12/02 17:28:58 EST   no          no

admin@PA-VM> request content upgrade install version latest
Content install job enqueued with jobid 214
214

admin@PA-VM> show jobs id 214

Enqueued              Dequeued   ID    Type      Status  Result  Completed
------------------------------------------------------------------------------------------------------------------------------
2021/12/21 00:13:06   00:13:06   214   Content   ACT     PEND    49%
Warnings:
Details:

admin@PA-VM> show jobs id 214

Enqueued              Dequeued   ID    Type      Status  Result  Completed
------------------------------------------------------------------------------------------------------------------------------
2021/12/21 00:13:06   00:13:06   214   Content   FIN     OK      00:15:15
Warnings:
Details:Configuration committed successfully
Successfully committed last configuration
Note that the content upgrade is automatically committed after the “request content upgrade install version latest” command is run. You can run the “request content upgrade info” command to see the content version that is currently installed.
admin@PA-VM> request content upgrade info

Version      Size   Released on               Downloaded  Installed
-------------------------------------------------------------------------
8496-7089    52MB   2021/12/06 21:50:02 EST   no          no
8504-7131    52MB   2021/12/16 23:49:11 EST   no          no
8501-7114    52MB   2021/12/14 13:09:49 EST   no          no
8502-7118    52MB   2021/12/15 00:35:39 EST   no          no
8493-7073    52MB   2021/11/29 17:35:04 EST   no          no
8506-7141    52MB   2021/12/19 02:17:12 EST   yes         current
8497-7093    52MB   2021/12/07 20:29:09 EST   no          no
8494-7079    52MB   2021/11/30 19:54:37 EST   no          no
8499-7107    52MB   2021/12/10 22:12:28 EST   no          no
8498-7098    52MB   2021/12/09 23:57:24 EST   no          no
8500-7110    52MB   2021/12/12 23:12:26 EST   no          no
8503-7125    52MB   2021/12/16 01:10:38 EST   yes         no
8505-7134    52MB   2021/12/17 21:35:31 EST   no          previous
8495-7081    52MB   2021/12/02 17:28:58 EST   no          no
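To confirm from saved CLI output that a firewall is actually running the newest content it was offered, the "request content upgrade info" table can be parsed and the "current" row compared with the most recently released row. The following is an added example, not Palo Alto Networks code; the function names are hypothetical, and it assumes the column layout shown above with every row printed in the same timezone.

```python
import re
from datetime import datetime

# Constructed sample: four rows copied from the post-download
# `request content upgrade info` output shown on this page.
SAMPLE = """\
Version    Size  Released on              Downloaded  Installed
-------------------------------------------------------------------------
8504-7131  52MB  2021/12/16 23:49:11 EST  no          no
8506-7141  52MB  2021/12/19 02:17:12 EST  yes         no
8503-7125  52MB  2021/12/16 01:10:38 EST  yes         previous
8505-7134  52MB  2021/12/17 21:35:31 EST  no          current
"""

# One package row; the timezone token is skipped because every row is
# assumed to be printed in the firewall's own local time.
ROW = re.compile(
    r"^(?P<version>\d+-\d+)\s+(?P<size>\S+)\s+"
    r"(?P<released>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+\S+\s+"
    r"(?P<downloaded>yes|no)\s+(?P<installed>\S+)$"
)

def parse_content_info(text):
    """Return one dict per package row; headers, rules and prompts are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["released"] = datetime.strptime(row["released"], "%Y/%m/%d %H:%M:%S")
            rows.append(row)
    return rows

def content_status(text):
    """Compare the installed ("current") package with the newest one listed."""
    rows = parse_content_info(text)
    if not rows:
        raise ValueError("no package rows found in CLI output")
    newest = max(rows, key=lambda r: r["released"])
    current = next((r for r in rows if r["installed"] == "current"), None)
    newer = [r for r in rows if current and r["released"] > current["released"]]
    return {
        "current": current["version"] if current else None,
        "newest": newest["version"],
        "newest_downloaded": newest["downloaded"] == "yes",
        "up_to_date": current is not None and current is newest,
        "behind_by": len(newer) if current else None,
    }

if __name__ == "__main__":
    print(content_status(SAMPLE))
```

The same check applies to the anti-virus and wildfire "info" output only if those tables use the same columns, which this page does not show.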
CUSTOMER SUPPORT PORTAL (CSP)
To manually install content updates, one can log into the Customer Support Portal and select Updates > Dynamic Updates.
When selecting Dynamic Updates, one has the choice to select which content type to download.
After one has selected the desired content type, one can download and save the desired content version to their local hard drive.
One must upload the downloaded content to the firewall. Go to Device > Dynamic Updates and select “Upload” at the bottom of the screen.
The “Import Content Package” window opens and it requires one to select the content type and the previously downloaded content file.
After uploading the content to the firewall, one must install the downloaded content onto the firewall. Go to Device > Dynamic Updates and select “Install from File”.
The “Select Package Type for Installation” window opens and it requires one to select the content package type and the previously downloaded content file.
One can check Device > Dynamic Updates and see that the “Currently Installed” version matches the version downloaded from the CSP portal. You can also see that the content version is not marked as downloaded, because it was uploaded and installed manually from the content version file.
Additional Information
For PAN-OS 9.0 and above, refer to Best Practices for Applications and Threats Content Updates.