Am I getting my updates? (U is for Updates)

by ‎01-30-2017 10:15 AM - edited ‎05-11-2017 07:21 AM (380 Views)

U is for Updates, as in Dynamic Updates.
U is also for Ugnaughts. Remember those short pig-faced (porcine) humanoid engineers found on Bespin in Empire Strikes back? Yeah, they were engineers, but those Ugnaughts never had to worry about firewall updates, threats, or that one user who just isn’t able to watch their cat videos.

 

Today’s questions are all about updates.

  • Am I getting my updates?
  • How do I know when an update is available?
  • Can I schedule updates?

 

When I worked in support, I used to get a lot of these questions. It can be confusing, which is why I am writing this, to help you understand.

 

Note: Before I go too far, I want to stress that any updates that I will be referring to require a software subscription license in order to get the latest updates. If you do not know, you can check inside of the WebGUI > Device > License and see if you have a license for Threats. Oh, and we are also assuming that you already have internet access via the management interface.

 

So, whether you are either new to Palo Alto Networks devices or you have been with usfor a while and you want to ensure that your devices are up to date for Applications and Threats and Antivirus, we can help.

 

Am I getting my updates?
The first place that I always like to start is in the main Dashboard in the WebGUI.

Main Dashboard screen showing the update status.Main Dashboard screen showing the update status.

Inside the dashboard, you will see many things, but what we care about is the Apps and Threats and Antivirus updates.

Now, when we look at this, we can quickly see if we are up to date or not. In this example(pic above), it would appear that it has been 3 months since an update was performed. If you always want to be up to date, then there is more that we have to do.  But even if the Applications, Threats and Antivirus was up to date, we would still need to look further to ensure that you do not miss any future updates.

 

Let’s go to the Dynamic Updates section (Device > Dynamic Updates).  Inside there you will see many sections.. but the ones that we are concerned with are the Applications and Threats and the Antivirus sections.

Dynamic Updates screen showing all of the details and options.Dynamic Updates screen showing all of the details and options.

Inside of this pic, You will see many parts, and I will point out what to look at.

 

The first area to look at is to see what is currently installed. Noted by #1.  You can see that the installed  Antivirus update was 2016/10/20 and the Applications and Threats is dated a day later at 2016/10/21. Clearly updates need to be performed.  Which we will cover in the next section.

 

How do I know when an update is available?
That’s a great question.
To see if a new update is available, click on the “Check Now” button in the lower left hand corner of the Dynamic Update page. (see pic above)

This will cause the device to check for updates on the Palo Alto Networks update service as long as you have Internet access from the management interface.  If you want to use a different interface to perform updates, then please see the following article about Service Routes:

 

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

 

Can I schedule updates?
Update Schedule screen showing all of the details and options.Update Schedule screen showing all of the details and options.
The last question that we get is about updates and the ability to schedule updates.
Yes, you can.  To set when, click on the text to the right of Schedule. It is available for Antivirus, Applications and Threats, GlobalProtect Data Files and URL Filtering.

When it comes to scheduling the updates, there are 3 ways you can set the action:

  • None
  • Download Only
  • Download and Install

The options are obvious, because there can be times where you want the downloads to happen, but not to install those updates because you will manually perform the commit on the firewall/Panorama.

You can also set the recurrence to perform the updates and any installs.

  • None
  • Daily
  • Weekly

You can set the time of day to perform this action, and you can even set a threshold, that would delay the install of any updates in minutes from 1-120.

The last option is the “Disable new apps in content update” is new. If you would like to read more on that one, please see my Tips & Tricks I wrote about it here:

Tips & Tricks: How to Use 'Disable New Apps' in Content Update

 

OH, one more thing before I forget. I want to tell you about the “Revert” option that shows up in the Action column.  It is there so you can revert an update to a previous update. The reason that this is even here is in the unlikely event that a recent update caused issues, you can quickly go to the Dynamic Update section, and revert to a previously used update. Making the whole process quick and easy if you need to use it.

 

If you want to read more about Dynamic updates, then please check out the following articles which are very informative:

Video: Disable new apps in content update

Best Practices to Manage Weekly Content Releases


Thanks for reading, please don’t forget to check back for more!

 

Please post questions you would like to have answered, comments or suggestions below!

 

Stay Secure,

Joe “what’s the” Delio

Ask Questions Get Answers Join the Live Community