Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

L4 Transporter

Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

Hi Community,

 

I have a PA-850 Cluster with PAN-OS 8.1.0 and a valid Threat license.

The active firewall is configured to download and install antivirus updates and sync them to its peer.

 

Unfortunately, the update failed lately, so we were 4 days behind the current versions.

After manually using "check now" the new updates were found without problems.

In the system log the update-lookup was logged during the scheduled time, but there were no updates found.

 

After looking in the ms.log for this time period, I saw these entries:

'cfg.fail-conn-on-cert': NO_MATCHES
NO_MATCHES
NO_MATCHES
/tmp/.avinfo.xml.11208:1: parser error : Start tag expected, '<' not found
The service is unavailable.
^
2018-04-05 13:15:39.368 +0200 Error:  pan_file_to_xml(pan_xml_utils.c:550): error parsing file /tmp/.avinfo.xml.11208

Has anybody experienced the same behavior?

 

Manually installing the updates once doesn't solve the problem

 

Best Regards

Chacko

L7 Applicator

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

@Chacko42,

So just to be clear and ensure that I'm understanding this correctly; when you manually update everything finishes correctly, but even once it has been updated you continue to run into issues using the update scheduler? 

Did this happen after you upgraded to 8.1.0 or has this been constant through 8.0.* and 8.1.0? 

L4 Transporter

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

@BPry - it's a new system, we directly went to 8.1.0 because of the hit counters.

This morning there was information from Palo Alto regarding a similar issue:

https://live.paloaltonetworks.com/t5/Customer-Advisories/Content-Update-Advisory-Important-Informati...

 

Apps & Threats are on 8000-4618 and Antivirus is now manually on 2571-3067.

 

The firewall will check again at 13:15 - I will update the status after reviewing the logs.

L4 Transporter

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

Well, the manual update unfortunately didn't fix the problem.

Importing the data file manually didn't work either.

 

I opened up a case and we will see what's going on.

L2 Linker

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

 

This exact issue is happening for our PA-820s set up for HA. However, it is also happening for our PA-220, which is not set up for HA. All three of these firewalls are running 8.0.8 though. Manual check and download did fix the issue for these three firewalls.

 

We do have one other firewall, a PA-200 running 7.1.5, that has no issues downloading and installing updates on the schedule. Seems to be related to the PANOS version. Not sure if something changed in regards to Dynamic updates from 7.1 to 8.0, but something is wrong. I know about the 3-digit to 4-digit issue they sent an email about, but this was happening before that update for us and after the upgrade in PANOS to 8.0.

L2 Linker

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

I checked all three firewalls and I did find a difference between the two different PANOS versions. This was unchecked on 7.1.x and checked on 8.0. Wonder if this is the issue with dynamic updates.

 

Updates.JPG

L4 Transporter

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

@RyanGates: I thought the same because of the 'cfg.fail-conn-on-cert' in the log - but the certificate chain is trusted and the root certificate for updates.paloaltonetworks.com is stored on both nodes.

L2 Linker

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

From another thread seems like when you change the Schedule time, this fixes the issue. I am going to test that out tonight.

 

Also, unchecking that box did not fix the issue.

L4 Transporter

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

@RyanGates yeah, I tested that as well, but that didn't work.

When I set the primary firewall to download and install and sync-to-peer, everything is fine.

 

But as soon as the secondary firewall tries to look up the updates on its own, the posted logs are occurring and the update fails, even if the GUI logs look good.

L4 Transporter

Re: Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

Ok, I have a solution.

Both cluster nodes were configured to download the dynamic updates on their own - we had already configured the timers, so there is a little delay between the downloads.

 

Nevertheless, there was a download collision with some other scheduler.
The Tech Support analyzed the log files and told us to reschedule the updates - that worked indeed.

 

I guess it would be a good idea to create a clever log message if these things happen, so that administrators do not need to open tickets for that. Furthermore, it's possible by configuration to schedule all of the dynamic updates to download and install at 0 minutes after each hour, so it's a little bit poor that an NGFW cannot offer a decent queue/sync to deal with these issues...

 

Best Regards

Chacko42
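
Because the GUI logs looked good while the scheduled lookup was silently failing, the ms.log signature quoted in the first post is the reliable indicator. The following is an added example, not part of the original thread and not Palo Alto code: a small Python scanner for an exported ms.log that reports each update-info file that failed to parse and what the firewall received instead of XML. The function name and the embedded sample (copied from the excerpt above) are assumptions made for illustration.

```python
import re

# Constructed sample: the ms.log excerpt quoted in the first post of this thread.
SAMPLE_MS_LOG = """\
'cfg.fail-conn-on-cert': NO_MATCHES
NO_MATCHES
NO_MATCHES
/tmp/.avinfo.xml.11208:1: parser error : Start tag expected, '<' not found
The service is unavailable.
^
2018-04-05 13:15:39.368 +0200 Error:  pan_file_to_xml(pan_xml_utils.c:550): error parsing file /tmp/.avinfo.xml.11208
"""

# XML parser complaint: "<file>:<line>: parser error : <reason>"
PARSER_ERR = re.compile(r"^(?P<path>/\S+?):\d+: parser error : (?P<reason>.+)$")
# Timestamped management-server error that names the same temp file
PAN_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) Error:\s+"
    r"pan_file_to_xml\(.*?\): error parsing file (?P<path>\S+)$"
)


def find_failed_update_lookups(log_text):
    """Return one dict per update-info file that failed to parse as XML."""
    findings, pending = [], {}
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = PARSER_ERR.match(line)
        if m:
            # The parser prints the offending input line right after the message;
            # here that is the body received in place of the update index.
            body = lines[i + 1].strip() if i + 1 < len(lines) else ""
            pending[m["path"]] = {"reason": m["reason"], "received": body}
            continue
        m = PAN_ERR.match(line)
        if m:
            # Correlate the timestamped error with the parser complaint by path.
            info = pending.pop(m["path"], {"reason": None, "received": None})
            findings.append({"timestamp": m["ts"], "file": m["path"], **info})
    return findings


if __name__ == "__main__":
    for f in find_failed_update_lookups(SAMPLE_MS_LOG):
        print(f"{f['timestamp']} {f['file']}: got {f['received']!r} instead of XML")
```

A hit whose timestamp matches the scheduled check time, as with 13:15 in this thread, shows that the lookup received a non-XML body instead of the update index even though the system log recorded a normal "no updates found" result.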
