topic Re: ZTP Update on 1st Connect Fails with no Threat Protection License in Panorama Discussions

ZTP Update on 1st Connect Fails with no Threat Protection License

K.Saucier — Mon, 06 Jan 2025 15:26:21 GMT

Good morning all,

Relatively new to Palo/Pano so I apologize if this is a completely basic question but search has not turned up much/anything. I'm testing ZTP deploy for a number of new PA-445's. Everything is working as expected so far except for being able to push a PanOS update on 1st connect.

The device connects fine,but seems like it tries to update Applications and Threats DB's as part of the 'Update on 1st connect' process. That A&T update is failing because, seemingly because it's trying to update the panupv2-all-contents DB instead of just the panupv2-all-apps DB and my firewalls don't have a valid Threat Protect license so they can't update the Threat Protect DB

I've tried just deleting the all-contents file from Pano but it just comes back (gets redownloaded) on the next update attempt. Pano just repeatedly tried to push the update over and over, seemingly without a way to cancel, until I reset the firewall. I also lose connectivity to the firewall after each push attempt, even though the firewall isn't rebooting. Not sure why that is but it keeps me from being able to connect to the firewall remotely to even try a manual update.

I tried changing the 445's Template to not have an update schedule for A&T, which seems to have kept it from trying to push the A&T update over and over again. I know that's not a solution so it was a temporary test until I can figure out how to stop the A&T from trying to update the Threat DB as well.

Unfortunately, it seems that I need an Application update on the new firewall or the commit fails because it can't find one of the new Applications. 🤦‍♂️ If I manually go and perform a panv2-all-apps update on the firewall itself, this message gets resolved, but I'd really like to resolve it through Pano so I don't need to manually touch the firewall, since I'll be shipping these out to end user sites.

So, 2 questions:

1. Is there some way to disable pushing A&T when using 'Auto Push on 1st Connect' or of disabling the Threat portion of the A&T update? None of the firewalls I'm pushing with ZTP will have Threat Protection licenses so this is unnecessary. It's possible there will be firewalls added to Pano later that will have TP licenses so, ideally, I'd rather not globally disable TP updates, but I could do it at the Device Group/Template/Stack level.

2. Is it common for entire commits to fail because of a missing application? Seems crazy that the whole process just dies because it can't find an application that I'm not even using in a rule. Trying to force the Template Values during commit doesn't help as it still just failed because ms-powerapps is missing. It seems the only way around this is to directly access the firewall and update the apps package, but I can't even do that at the moment because it's still in ZTP mode because it can't finish the commit. 🤦‍♂️

Any help or pointers for the FNG would be much appreciated. Thanks!

Re: ZTP Update on 1st Connect Fails with no Threat Protection License

ozheng — Tue, 07 Jan 2025 06:19:29 GMT

Hello @K.Saucier ,

Q1 - You should be able to stop installing the content by unchecking the option "auto push on 1rst connection".

Q2 - I would say it depends on the configuration pushed by Panorama. If the configuration has a object which cannot be resolved (because not present on the firewall, for instance an app-id name), it is expected for the commit to fail. Have you disabled the "ms-powerapps" on Panorama? If yes, remove that configuration and that should do the job.

Olivier

Re: ZTP Update on 1st Connect Fails with no Threat Protection License

K.Saucier — Tue, 07 Jan 2025 14:23:20 GMT

Thanks for the reply.

Q1: Yes, I can uncheck that, but then it won't automatically update the firmware. I want the firewall to be fully updated upon deployment (some of these firewalls will sit in storage for a few months before deployment) and it seems like the firewall or Pano should be smart enough to not try to install content that isn't licensed but that doesn't seem to be the case. I figured maybe I was missing a setting to tell the Template that Threat Protection was not enabled but I feel like I have looked at every setting in Pano and I haven't found anything.

Q2: ms-powerapps exists in the Pano Template but I have not changed anything with it. I did try disabling it to see if it made a difference but it doesn't. I thought the orange cog on the entry might have meant something but a bunch of other apps have the same indicator so I guess not. If I could get the Threat Protection to stop trying to install non-licensed software, I think this issue would resolved itself as it would be able to update the application data and commit.

Re: ZTP Update on 1st Connect Fails with no Threat Protection License

ozheng — Wed, 08 Jan 2025 01:25:26 GMT

Hello @K.Saucier

I guess the best course of action is to open a case to TAC to investigate why it tries to push apps-and-threats instead of apps-only content.

Olivier