https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/596468#M118660 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41709">@clewis1</a>&nbsp;</P> <P>&nbsp;</P> <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;where you have a small amount of firewalls or you have firewalls that have no internet access I would utilize the push from Panorama, but you can quickly end up in a situation where the Panorama is constantly queuing commits made by admins for rules/config changes due to high frequency update schedules like Wildfire for example.</P> Sat, 31 Aug 2024 11:19:55 GMT laurence64 2024-08-31T11:19:55Z https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/590725#M117659 <P>Looking for advice on best practice regarding dynamic updates (AV, IPS, WF) when managing firewalls from a Panorama. Currently we are download and pushing these dynamic updates from Panorama to about 15 firewalls but will be managing more firewalls from Panorama in the future. We have discovered some of these dynamic update jobs becoming hung and the push to the firewall never completes.&nbsp;</P> <P>&nbsp;</P> <P>Possible we should consider configuring each firewall to download from the cloud instead of our on prem Panorama?&nbsp;&nbsp;</P> Fri, 28 Jun 2024 17:01:53 GMT https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/590725#M117659 clewis1 2024-06-28T17:01:53Z https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/590940#M117706 <P>Here is a screenshot of the failed attempts which were pushed from Panorama.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clewis1_0-1719931638710.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/60632i9BDED44FCAFC9CCF/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="clewis1_0-1719931638710.png" alt="clewis1_0-1719931638710.png" /></span></P> <P>&nbsp;</P> Tue, 02 Jul 2024 14:49:07 GMT https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/590940#M117706 clewis1 2024-07-02T14:49:07Z https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/595302#M118469 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41709">@clewis1</a></P> <P>&nbsp;</P> <P>personally, I think especially for larger amount of Firewalls it is better to have each Firewall retrieve dynamic updates directly instead of deploying it through Panorama. I would limit the Panorama deployed updates only to Firewalls that do not have internet access to retrieve updates directly.</P> <P>&nbsp;</P> <P>Regarding the error you shared in screen shot this looks like a bug documented in this KB:&nbsp;<A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhEKCA0" target="_self">Commit error on Panorama "Too many (30) deploy jobs pending"</A>. If you upgrade to version where this defect is addressed, you will likely be able to continue to use Panorama deployed updates.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel&nbsp;</P> Tue, 20 Aug 2024 03:05:14 GMT https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/595302#M118469 PavelK 2024-08-20T03:05:14Z https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/595352#M118483 <P>Thank you for the reply. I was able to resolve the issue a while back. I don't recall the exact solution, but I didn't upgrade PAN OS on either of the Panorama or Firewalls.</P> <P>&nbsp;</P> <P>If I recall correctly, I was able resolve by updating the schedule and ensuring I had all the firewalls added. I no longer see the errors and all the firewalls are receiving the updates correctly.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="clewis1_0-1724152619886.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/61610iBC67AD3CB9400F64/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="clewis1_0-1724152619886.png" alt="clewis1_0-1724152619886.png" /></span></P> <P>&nbsp;</P> <P>I do agree with your idea of having the firewalls get their updates directly from the internet if they have a path out. I will be exploring it as an option once internet is available at each of our sites.</P> Tue, 20 Aug 2024 11:20:04 GMT https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/595352#M118483 clewis1 2024-08-20T11:20:04Z https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/596468#M118660 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/41709">@clewis1</a>&nbsp;</P> <P>&nbsp;</P> <P>I agree with&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;where you have a small amount of firewalls or you have firewalls that have no internet access I would utilize the push from Panorama, but you can quickly end up in a situation where the Panorama is constantly queuing commits made by admins for rules/config changes due to high frequency update schedules like Wildfire for example.</P> Sat, 31 Aug 2024 11:19:55 GMT https://live.paloaltonetworks.com/t5/general-topics/pushing-dynamic-updates-from-panorama-to-firewalls-or-download/m-p/596468#M118660 laurence64 2024-08-31T11:19:55Z