Antivirus Dynamic Update fails PAN-OS 8.1.0 Cluster

L4 Transporter


Hi Community,

 

I have a PA-850 Cluster with PAN-OS 8.1.0 and a valid Threat license.

The active firewall is configured to download and install antivirus updates and sync them to its peer.

 

Unfortunately, the update failed lately, so we were 4 days behind the current versions.

After manually using "check now" the new updates were found without problems.

In the system log the update-lookup was logged during the scheduled time, but there were no updates found.

 

After looking in the ms.log during this time period I saw these entries:

'cfg.fail-conn-on-cert': NO_MATCHES
NO_MATCHES
NO_MATCHES
/tmp/.avinfo.xml.11208:1: parser error : Start tag expected, '<' not found
The service is unavailable.
^
2018-04-05 13:15:39.368 +0200 Error:  pan_file_to_xml(pan_xml_utils.c:550): error parsing file /tmp/.avinfo.xml.11208

Has anybody experienced the same behavior?

 

Manually installing the updates once doesn't solve the problem.

 

Best Regards

Chacko


Accepted Solutions
L4 Transporter

Ok, I have a solution.

Both cluster nodes were configured to download the dynamic updates on their own - we already configured the timers, so there is a little delay between the downloads.

 

Nevertheless, there was a download collision with some other scheduler.
The Tech Support analyzed the log files and told us to reschedule the updates - that worked indeed.

 

I guess it would be a good idea to create a clever log message if these things happen, so that administrators do not need to open tickets for that. Furthermore, it's possible by configuration to schedule all of the dynamic updates to download and install at 0 minutes after each hour, so it's a little bit poor that an NGFW cannot offer a decent queue/sync to deal with these issues...

 

Best Regards

Chacko42


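An added example, not part of the original posts and not Palo Alto Networks code: a small Python scanner for the failure signature in the ms.log excerpt from the opening post, producing the kind of explicit message the accepted solution asks for. The sample log is constructed from that excerpt plus one made-up healthy line, and the function names are hypothetical.

```python
import re

# Constructed sample: the thread's ms.log excerpt plus one made-up healthy line.
SAMPLE_MS_LOG = """\
'cfg.fail-conn-on-cert': NO_MATCHES
NO_MATCHES
/tmp/.avinfo.xml.11208:1: parser error : Start tag expected, '<' not found
The service is unavailable.
^
2018-04-05 13:15:39.368 +0200 Error:  pan_file_to_xml(pan_xml_utils.c:550): error parsing file /tmp/.avinfo.xml.11208
2018-04-05 14:15:02.101 +0200 constructed line: update check completed
"""

PARSER_ERR = re.compile(r"^(?P<file>/\S+?):(?P<line>\d+): parser error : (?P<msg>.*)$")
PAN_ERR = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+ [+-]\d{4}) Error:\s+"
    r"pan_file_to_xml\(.*?\): error parsing file (?P<file>\S+)$"
)

def find_failed_update_lookups(log_text):
    """Return one finding per update-info file that failed to parse as XML."""
    lines = log_text.splitlines()
    pending = {}   # file path -> finding still waiting for its timestamped line
    findings = []
    for i, line in enumerate(lines):
        m = PARSER_ERR.match(line)
        if m:
            # In this error format the offending input follows on the next line.
            body = lines[i + 1].strip() if i + 1 < len(lines) else ""
            pending[m["file"]] = {"file": m["file"], "reason": m["msg"],
                                  "server_body": body, "timestamp": None}
        m = PAN_ERR.match(line)
        if m:
            f = pending.pop(m["file"], {"file": m["file"], "reason": "",
                                        "server_body": "", "timestamp": None})
            f["timestamp"] = m["ts"]
            findings.append(f)
    findings.extend(pending.values())  # parser errors with no timestamped line
    return findings

def summarize(finding):
    kind = "malformed XML" if finding["server_body"].startswith("<") else "non-XML reply"
    return (f"{finding['timestamp'] or 'unknown time'}: update lookup failed, "
            f"{kind} in {finding['file']}: {finding['server_body']!r}")

if __name__ == "__main__":
    for f in find_failed_update_lookups(SAMPLE_MS_LOG):
        print(summarize(f))
```

Comparing the reported timestamps across both HA peers shows whether the failures line up with another scheduled job.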

All Replies
Cyber Elite

@Chacko42,

So just to be clear and ensure that I'm understanding this correctly; when you manually update everything finishes correctly, but even once it has been updated you continue to run into issues using the update scheduler? 

Did this happen after you upgraded to 8.1.0 or has this been constant through 8.0.* and 8.1.0? 

L4 Transporter

@BPry - it's a new system, we directly went to 8.1.0 because of the hit counters.

This morning there was information from PaloAlto regarding a similar issue:

https://live.paloaltonetworks.com/t5/Customer-Advisories/Content-Update-Advisory-Important-Informati...

 

Apps & Threats are on 8000-4618 and Antivirus is now manually on 2571-3067.

 

The firewall will check again at 13:15 - I will update the status after reviewing the logs.

Best Regards
Chacko
L4 Transporter

Well, the manual update unfortunately didn't fix the problem.

Importing the data file manually didn't work either.

 

I opened up a case and we will see what's going on.

Best Regards
Chacko
L2 Linker

 

This exact issue is happening for our PA-820s set up for HA. However, it is also happening for our PA-220 not set up for HA. All three of these firewalls are running 8.0.8 though. Manual check and download did fix the issue for these three firewalls.

 

We do have one other firewall, a PA-200 running 7.1.5, that has no issues downloading and installing updates on the schedule. Seems to be related to the PAN-OS version. Not sure if something changed in regards to Dynamic Updates from 7.1 to 8.0 but something is wrong. I know about the 3 digit to 4 digit issue they sent an email about, but this was happening before that update for us and after the upgrade in PAN-OS to 8.0.

L2 Linker

I checked all three firewalls and I did find a difference between the two different PAN-OS versions. This was unchecked on 7.1.x and checked on 8.0. I wonder if this is the issue with dynamic updates.

 

Updates.JPG

L4 Transporter

@RyanGates: I thought the same because of the 'cfg.fail-conn-on-cert' in the log - but the certificate chain is trusted and the root certificate for updates.paloaltonetworks.com is stored on both nodes.

Best Regards
Chacko
L2 Linker

From another thread, it seems like changing the schedule time fixes the issue. I am going to test that out tonight.

 

Also, unchecking that box did not fix the issue.

L4 Transporter

@RyanGates yeah, I tested that as well, but that didn't work.

When I set the primary firewall to download and install and sync-to-peer, everything is fine.

 

But as soon as the secondary firewall tries to look up the updates on its own, the posted logs are occurring and the update fails, even if the GUI logs look good.

Best Regards
Chacko