https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224081#M64380 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37645">@Bomi</a>,</P><P>So this has more possibility of being due to the Applications and Threats version then the AV upgrade. When the traffic was failing how was the traffic getting recognized, and did that traffic actually have any rules allowing it to go as the firewall was identifying it?&nbsp;</P> Mon, 30 Jul 2018 21:38:32 GMT BPry 2018-07-30T21:38:32Z https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224001#M64361 <P>&nbsp;</P><P>Hi,</P><P>&nbsp;</P><P><SPAN>We are on the version 8.1.2 and If I upgrade to the latest ‘Applications and Threats’ version, &nbsp;currently 8044-4859, and then upgrade AV from 2678-3175 to 2683-3180 all rules fail, and traffic drops through the default deny.</SPAN></P><P>&nbsp;</P><P><SPAN>I do not see any particular logs except "HA peer Anti-Virus set to Unknown".</SPAN></P><P>&nbsp;</P><P class="x_MsoNormal">2018-07-25 08:49:54:user:admin,client:Web,cmd:request anti-virus upgrade download file panup-all-antivirus-2683-3180</P><P class="x_MsoNormal">opcmdhistory.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 08:50:13</P><P class="x_MsoNormal">2018-07-25 08:50:13:user:admin,client:Web,cmd:request anti-virus upgrade info</P><P class="x_MsoNormal">opcmdhistory.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 08:50:43</P><P class="x_MsoNormal">2018-07-25 08:50:43:user:admin,client:Web,cmd:request anti-virus upgrade install commit yes file panup-all-antivirus-2683-3180.tgz</P><P class="x_MsoNormal">ha_agent.log&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 08:51:42</P><P class="x_MsoNormal">2018-07-25 08:51:42.015 +0100 debug: ha_sysd_general_vers_string(src/ha_sysd_version.c:1800): Got new Anti-Virus: 2683-3180; for local value</P><P class="x_MsoNormal">ha_agent.log&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 08:51:42</P><P class="x_MsoNormal">2018-07-25 08:51:42.015 +0100 HA peer Anti-Virus set to Unknown</P><P class="x_MsoNormal">opcmdhistory.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 08:56:41</P><P class="x_MsoNormal">2018-07-25 08:56:41:user:admin,client:Web,cmd:request anti-virus upgrade info</P><P class="x_MsoNormal">pan_comm_0.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 09:15:25</P><P class="x_MsoNormal">url get-your-anti-virus-checked.com, delete 0 children more</P><P class="x_MsoNormal">pan_comm_0.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 09:15:25</P><P class="x_MsoNormal">url get-your-anti-virus-checked.com, delete 0 children more</P><P class="x_MsoNormal">opcmdhistory.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-25 11:26:03</P><P class="x_MsoNormal">2018-07-25 11:26:03:user:admin,client:Web,cmd:request anti-virus upgrade info</P><P class="x_MsoNormal">opcmdhistory.log&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;</P><P class="x_MsoNormal">2018-07-26 12:41:37</P><P class="x_MsoNormal">2018-07-26 12:41:37:user:admin,client:Web,cmd:request anti-virus upgrade info</P><P class="x_MsoNormal">&nbsp;</P><P class="x_MsoNormal">Any ideas?</P><P class="x_MsoNormal">Thanks.</P><P class="x_MsoNormal">&nbsp;</P><P class="x_MsoNormal">Best regards,</P><P class="x_MsoNormal">Bomi</P><P class="x_MsoNormal"><SPAN>&nbsp;</SPAN></P> Mon, 30 Jul 2018 14:01:59 GMT https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224001#M64361 Bomi 2018-07-30T14:01:59Z https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224081#M64380 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37645">@Bomi</a>,</P><P>So this has more possibility of being due to the Applications and Threats version then the AV upgrade. When the traffic was failing how was the traffic getting recognized, and did that traffic actually have any rules allowing it to go as the firewall was identifying it?&nbsp;</P> Mon, 30 Jul 2018 21:38:32 GMT https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224081#M64380 BPry 2018-07-30T21:38:32Z https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224146#M64389 <P>&nbsp;</P><P><SPAN><SPAN class=""><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</SPAN>The same thing happend when only AV was updated. Applications were showing up as ‘not-applicable’ for services that should have been matched with our rules, but were dropping to the default deny rule.</SPAN></P> Tue, 31 Jul 2018 10:39:07 GMT https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224146#M64389 Bomi 2018-07-31T10:39:07Z https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224159#M64390 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/37645">@Bomi</a>,</P><P>Personally I would contact TAC at this point. It sounds like the update is somehow negating your entire &lt;security/&gt; rulebase, either by making the XML malformed or something like that. I've seen this through OS updates, but never through dynamic updates.&nbsp;</P> Tue, 31 Jul 2018 13:55:49 GMT https://live.paloaltonetworks.com/t5/general-topics/5250-s-failing-to-pass-traffic-after-av-software-update/m-p/224159#M64390 BPry 2018-07-31T13:55:49Z