Overview
Even when both nodes of an HA pair are configured to fetch dynamic updates (threat or antivirus updates) at the same time, the firewall generates a version mismatch alert in the system logs. If email alerts are configured on the firewall, the system admin receives these alerts.
This article explains the behavior of these alerts.
Details
Even though both members of the HA pair share the same update schedule, the updates do not complete on both members at exactly the same instant, so there is a brief period during which the two members run different versions of the dynamic updates.
During this window, the HA checks generate a system log entry reporting a mismatch in the dynamic update version.
Prior to PAN-OS 7.1, these mismatch alerts were generated with HIGH severity in the system logs, as follows:
2016/08/02 10:18:05 high ha HA Group 2: Threat Content version does not match
2016/08/02 10:18:05 high ha HA Group 2: Application Content version does not match
If email alerts are configured to forward HIGH-severity alerts to the system admin, the admin receives a version mismatch alert for the firewalls. However, by the time the admin checks the firewall, the versions may already match again.
The reason is that as soon as the versions match again after that brief period, the firewall logs the recovery with INFO severity, as follows:
2016/08/03 10:18:27 info ha HA Group 2: Threat Content version now matches
2016/08/03 10:18:27 info ha HA Group 2: Application Content version now matches
Since the email alerts were configured for HIGH severity only, the system admin never receives these INFO entries and sees only the original mismatch alert.
Starting with PAN-OS 7.1, the way these alerts are generated has changed.
When the HA check first detects a mismatch in the dynamic update version between the two firewalls, the alert is generated with 'informational' severity:
If the mismatch persists for longer than one hour, the HA check generates the alert with 'high' severity:
Therefore, if email alerts are configured for 'high' severity, the system admin is alerted only when there is a genuine, persistent mismatch and not when the versions differ for just a brief period.
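As an added example (not part of this article or of PAN-OS), the following Python script replays HA system-log lines in the format quoted above and applies the PAN-OS 7.1 rule: a mismatch episode is rated 'informational' unless it persists for longer than one hour, in which case it is rated 'high'. The sample log lines, the reference time NOW and the function names are constructed for this example.

```python
import re
from datetime import datetime, timedelta

# Matches the HA system-log lines quoted in the article, e.g.
# "2016/08/02 10:18:05 high ha HA Group 2: Threat Content version does not match"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) ha "
    r"HA Group (?P<group>\d+): (?P<content>.+?) version (?P<state>does not match|now matches)$"
)
TS_FMT = "%Y/%m/%d %H:%M:%S"
ESCALATE_AFTER = timedelta(hours=1)   # threshold the article gives for PAN-OS 7.1

def classify_mismatches(lines, now, escalate_after=ESCALATE_AFTER):
    """Replay HA version log lines and return one record per mismatch episode.
    An episode opens on 'does not match' and closes on the matching 'now matches'
    for the same HA group and content type; it is 'high' only if it lasted (or,
    if still open, has lasted until `now`) longer than `escalate_after`."""
    open_since = {}          # (group, content type) -> datetime of first mismatch
    episodes = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue         # not an HA version line; ignore
        ts = datetime.strptime(m["ts"], TS_FMT)
        key = (int(m["group"]), m["content"])
        if m["state"] == "does not match":
            open_since.setdefault(key, ts)   # repeated mismatch lines keep the earliest start
        elif key in open_since:
            start = open_since.pop(key)
            episodes.append(_episode(key, start, ts, ts - start, escalate_after))
    for key, start in open_since.items():    # still mismatched at `now`
        episodes.append(_episode(key, start, None, now - start, escalate_after))
    return episodes

def _episode(key, start, end, duration, escalate_after):
    return {"group": key[0], "content": key[1], "start": start, "end": end,
            "duration": duration,
            "severity": "high" if duration > escalate_after else "informational"}

def high_severity_mismatches(lines, now):
    """Only the episodes that would reach an admin who filters email alerts on 'high'."""
    return [e for e in classify_mismatches(lines, now) if e["severity"] == "high"]

# Constructed sample log: a 22-second mismatch that clears, and a second mismatch
# that has been open for 90 minutes at NOW and has not cleared.
SAMPLE_LOG = [
    "2016/08/02 10:18:05 high ha HA Group 2: Threat Content version does not match",
    "2016/08/02 10:18:05 high ha HA Group 2: Application Content version does not match",
    "2016/08/02 10:18:27 info ha HA Group 2: Threat Content version now matches",
    "2016/08/02 10:18:27 info ha HA Group 2: Application Content version now matches",
    "2016/08/03 09:00:00 info ha HA Group 2: Threat Content version does not match",
]
NOW = datetime(2016, 8, 3, 10, 30, 0)
```

Running `high_severity_mismatches(SAMPLE_LOG, NOW)` returns only the unresolved Threat Content episode from 2016/08/03; the two brief episodes stay 'informational' and would not trigger a 'high' email alert.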