topic Re: Question about Wildfire signature updates in Palo Alto Active-Passive mode. in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/question-about-wildfire-signature-updates-in-palo-alto-active/m-p/1246012#M6613 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109787">@Kyungsoo-Choi</a>&nbsp;,</P> <P>&nbsp;</P> <P data-start="163" data-end="592">I would first ask the customer to clarify how they believe content updates are being synchronized from the passive firewall to the active firewall, or to verify that this is actually happening. Content updates are <STRONG>NOT&nbsp;</STRONG>synchronized via HA. Only configuration elements (policies, objects, settings) are synchronized. Dynamic updates such as App-ID, Threat, AV, and WildFire are installed independently on each firewall.</P> <P data-start="163" data-end="592">&nbsp;</P> <P data-start="594" data-end="969">From a best-practice standpoint, there’s no requirement to install content updates on the passive firewall first and then the active firewall. The recommended approach is to install content updates on both the active and passive firewalls so they remain on the same content version. This ensures consistent security enforcement and predictable behavior during a failover.</P> <P data-start="594" data-end="969">&nbsp;</P> <P data-start="971" data-end="1096">Using scheduled content updates (optionally with an install threshold) on both HA peers is the best way to keep them aligned. For example, Advanced WildFire is designed to provide near real-time threat protection, and best practice is to configure <STRONG data-start="1270" data-end="1309">real-time </STRONG>WildFire updates. This ensures the firewall retrieves signatures for newly discovered malware as soon as they are published to the WildFire public cloud.</P> Tue, 20 Jan 2026 13:14:58 GMT JayGolf 2026-01-20T13:14:58Z Question about Wildfire signature updates in Palo Alto Active-Passive mode. https://live.paloaltonetworks.com/t5/next-generation-firewall/question-about-wildfire-signature-updates-in-palo-alto-active/m-p/1245995#M6612 <P>Hi,</P> <P>Currently, the customer has a configuration where signature updates are performed on the passive device and then synchronized with the active device.<BR />In this configuration, is it appropriate to perform signature updates on the active device?<BR />Or what are the recommended settings for Palo Alto Active-Passive Mode?</P> <P>&nbsp;</P> <P>Thank you.</P> Tue, 20 Jan 2026 09:05:44 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/question-about-wildfire-signature-updates-in-palo-alto-active/m-p/1245995#M6612 Kyungsoo-Choi 2026-01-20T09:05:44Z Re: Question about Wildfire signature updates in Palo Alto Active-Passive mode. https://live.paloaltonetworks.com/t5/next-generation-firewall/question-about-wildfire-signature-updates-in-palo-alto-active/m-p/1246012#M6613 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/109787">@Kyungsoo-Choi</a>&nbsp;,</P> <P>&nbsp;</P> <P data-start="163" data-end="592">I would first ask the customer to clarify how they believe content updates are being synchronized from the passive firewall to the active firewall, or to verify that this is actually happening. Content updates are <STRONG>NOT&nbsp;</STRONG>synchronized via HA. Only configuration elements (policies, objects, settings) are synchronized. Dynamic updates such as App-ID, Threat, AV, and WildFire are installed independently on each firewall.</P> <P data-start="163" data-end="592">&nbsp;</P> <P data-start="594" data-end="969">From a best-practice standpoint, there’s no requirement to install content updates on the passive firewall first and then the active firewall. The recommended approach is to install content updates on both the active and passive firewalls so they remain on the same content version. This ensures consistent security enforcement and predictable behavior during a failover.</P> <P data-start="594" data-end="969">&nbsp;</P> <P data-start="971" data-end="1096">Using scheduled content updates (optionally with an install threshold) on both HA peers is the best way to keep them aligned. For example, Advanced WildFire is designed to provide near real-time threat protection, and best practice is to configure <STRONG data-start="1270" data-end="1309">real-time </STRONG>WildFire updates. This ensures the firewall retrieves signatures for newly discovered malware as soon as they are published to the WildFire public cloud.</P> Tue, 20 Jan 2026 13:14:58 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/question-about-wildfire-signature-updates-in-palo-alto-active/m-p/1246012#M6613 JayGolf 2026-01-20T13:14:58Z