https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158872#M52025 <P>well there's 2 strategies:</P> <P>&nbsp;</P> <P>- you can have the active member download, install and sync to peer, this will download and install, then copy the file over to passive and install there too (or you can download and sync, which will download and copy but not install)</P> <P>with this setting the secondary device does not really need a schedule ince the primary will perform that task</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="schedule updates and sync.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="schedule updates and sync.png" /></span></P> <P>&nbsp;</P> <P>- or you can have each member do their own schedule and not use the sync option but that could lead to mismatch if one has install and the other has download only</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>There is a revert option available in the dynamic updates themselves which i would recommend to prevent running into the mismatch:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="revert.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="revert.png" /></span></P> <P>&nbsp;</P> <P>If your main concern is that a bad content package would be installed and you need a fallback, i would look into using the 'threshold' function first</P> <P>&nbsp;</P> <P>This will check for the release date/time of a content package and adds x time (as configured in the threshold) before checking the update server again. if the same file is still available it will go ahead and install, if a newer update is available (emergency content release or content package retracted) the instll will be aborted and the threshold is reset if a new package is available. after the second threshold a last check is done and if the package is still available, the emergency package is installed. if yet another version is see, the install will be abortted altogether and wait until the next scheduled event (watch out for AV updates as these can have several valid releases in a day where content is usually updated once to twice a week)</P> <P>&nbsp;</P> <P>on top of the above, there's still the manual revert</P> <P>&nbsp;</P> <P>hope this helps!</P> Thu, 01 Jun 2017 11:11:20 GMT reaper 2017-06-01T11:11:20Z https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158865#M52023 <P>Hi All,</P><P>&nbsp;</P><P>Apps and threats on the currently active box are set to download and install, on the&nbsp;passive to download only. &nbsp;Active box received and installed new updates. Will that automatically be synced to the&nbsp;passive? If we have a revert scenario where the Passive device has its a<SPAN>pps and threats configuration&nbsp;to download and install, but the Active to download only. What will happen and what is the best practice to configure these setting on the both firewalls?</SPAN></P><P>&nbsp;</P><P><SPAN>Thx,</SPAN></P><P><SPAN>Myky</SPAN></P> Fri, 02 Jun 2017 14:59:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158865#M52023 TranceforLife 2017-06-02T14:59:38Z https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158872#M52025 <P>well there's 2 strategies:</P> <P>&nbsp;</P> <P>- you can have the active member download, install and sync to peer, this will download and install, then copy the file over to passive and install there too (or you can download and sync, which will download and copy but not install)</P> <P>with this setting the secondary device does not really need a schedule ince the primary will perform that task</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="schedule updates and sync.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="schedule updates and sync.png" /></span></P> <P>&nbsp;</P> <P>- or you can have each member do their own schedule and not use the sync option but that could lead to mismatch if one has install and the other has download only</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>There is a revert option available in the dynamic updates themselves which i would recommend to prevent running into the mismatch:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="revert.png"><img src="https://live.paloaltonetworks.com/skins/images/2F2A72B3BE70ACC5EBC3E1D7685F5297/responsive_peak/images/image_not_found.png" alt="revert.png" /></span></P> <P>&nbsp;</P> <P>If your main concern is that a bad content package would be installed and you need a fallback, i would look into using the 'threshold' function first</P> <P>&nbsp;</P> <P>This will check for the release date/time of a content package and adds x time (as configured in the threshold) before checking the update server again. if the same file is still available it will go ahead and install, if a newer update is available (emergency content release or content package retracted) the instll will be aborted and the threshold is reset if a new package is available. after the second threshold a last check is done and if the package is still available, the emergency package is installed. if yet another version is see, the install will be abortted altogether and wait until the next scheduled event (watch out for AV updates as these can have several valid releases in a day where content is usually updated once to twice a week)</P> <P>&nbsp;</P> <P>on top of the above, there's still the manual revert</P> <P>&nbsp;</P> <P>hope this helps!</P> Thu, 01 Jun 2017 11:11:20 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158872#M52025 reaper 2017-06-01T11:11:20Z https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158873#M52026 <P>Thank you for taking the time to reply and yes, it does help a lot. I don't have any further&nbsp;questions yet <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P> Thu, 01 Jun 2017 11:43:53 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-pair-app-and-threat-sync-to-peer-question/m-p/158873#M52026 TranceforLife 2017-06-01T11:43:53Z