Auto-Upgrade Best Practices


L2 Linker

Hi, I recently created an Agent Settings auto-upgrade profile to test with in Cortex XDR.

 

After creating the profile I created a new policy and then applied it to a small group of endpoints to start with. This worked as expected so I then ramped up to 50, 250 and finally 500 computers. Our environment has almost 16000 endpoints total. 

 

I'd like to know what Palo thinks is the best practice to now apply that policy to the entire environment.

 

Is it best to replace our default policy with the one I created and then just delete/disable my "test" policy? I will also need to get creative with rolling out to our retail environment since that is the company's bread & butter. 😉 

 

I appreciate your help. 

Thank you,

Joe


Accepted Solutions

L4 Transporter

Hi @Joe_Carissimo,

 

Thank you for reaching out through LIVEcommunity!

 

In reference to best practices for agent auto upgrade, I think you're on the right track. We'd like all of our customers to be on the latest available agent versions to ensure they're getting the most out of the agent and its features.

 

As far as best practices for your rollout, that's entirely up to you and your organization. The most common issue I'm aware of is some customers reporting bandwidth issues when enabling agent auto upgrade. This is why there's a P2P feature that can be enabled. In this scenario overall bandwidth is decreased because the agents will begin reaching out to other agents on the internal network before attempting to reach outside of the network for the new agent download package. If you haven't been having any of these issues, I'd say continue to roll this out to the rest of your environment. To ensure you have the proper configuration for Download Source, take a look at the image below.

Screen Shot 2023-04-14 at 5.25.02 PM.png

 

As far as creating a new policy or using the existing policy I think that's just personal preference.  I'd think it would be faster to edit the existing policy as it's already applied to the endpoints you want affected. Once that's done you could just delete the 'test policy'.  

 

I hope you find this information helpful.

 

Have a great day!
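
One way to plan the rest of the ramp discussed in this thread, with the retail endpoints held to the final wave. This is an added example, not part of the original posts, and it calls no Cortex XDR API. The wave targets after 500, the hostnames, the segment labels and the 12000/4000 split are assumptions made up for illustration.

```python
import hashlib

# Cumulative endpoints upgraded after each wave. 50/250/500 are the ramp from
# the question; 2000 and 8000 are assumed continuation values.
WAVE_TARGETS = [50, 250, 500, 2000, 8000]


def rank(endpoint_id, salt="agent-auto-upgrade"):
    """Stable pseudo-random sort key, so reruns produce the same plan."""
    digest = hashlib.sha256(f"{salt}:{endpoint_id}".encode()).digest()
    return int.from_bytes(digest[:8], "big")


def plan_waves(inventory, targets=WAVE_TARGETS, hold_back="retail"):
    """Split (endpoint_id, segment) pairs into ordered rollout waves.

    Endpoints in the hold_back segment are kept out of every early wave and
    form the final wave on their own.
    """
    inventory = list(inventory)
    general = sorted((e for e, seg in inventory if seg != hold_back), key=rank)
    held = sorted((e for e, seg in inventory if seg == hold_back), key=rank)
    waves, start = [], 0
    for target in targets:
        end = min(target, len(general))
        if end > start:
            waves.append(general[start:end])
            start = end
    if start < len(general):
        waves.append(general[start:])  # everything else that is not held back
    if held:
        waves.append(held)
    return waves


def sample_inventory(corp=12000, retail=4000):
    """Constructed inventory: hostnames and the corp/retail split are made up."""
    return ([(f"corp-{i:05d}", "corp") for i in range(corp)]
            + [(f"pos-{i:04d}", "retail") for i in range(retail)])


if __name__ == "__main__":
    for n, wave in enumerate(plan_waves(sample_inventory()), start=1):
        print(f"wave {n}: {len(wave):5d} endpoints, first: {wave[0]}")
```

Each wave is a plain list of hostnames. Hashing the name instead of taking the list in order spreads every wave across the non-retail fleet.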
