dynamic updates are downloaded but not installed


L4 Transporter

hey

we have a cluster that is configured to download and install updates, but we can see that it is only downloading them and does not update.

where can I find related logs on the device? (PAN-OS 5)

12 REPLIES 12

L6 Presenter

as far as I know you can see them:

less mp-log ms.log

also for the errors

Updater Error Codes

for installation I am not sure. Maybe you'll see them there also.

L7 Applicator

On the monitor tab -- Logs -- System

This will show logging for the updates

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L6 Presenter

did you check the job details?

show jobs all | match Content

show jobs id ....

L4 Transporter

Hello Minow,

Can you pls verify as shown below if it is set to "Download and Install" and not just download.

DandI.PNG.png

If it is still just downloading even after this, we can look at the output of "show jobs all".

We should see, for example, 3 jobs in this order: 1> Download 2> Content 3> Antivirus

If not, we can find related details in ms.log and devsrv.log.

Hope this helps

Thanks

L7 Applicator

Also make sure the multiple schedules are at different times so there are no conflicts.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L7 Applicator

Hello, Minow,

Do you have independent internet connectivity through both firewalls' (both HA nodes) management interfaces? If so, then I would recommend using slightly different download and install times on both nodes while "sync To Peer" is enabled.

sync-to-peer.JPG.jpg

You can verify the same information under Monitor >> System logs and with the CLI commands mentioned below:

PAN-FW> less mp-log paninstaller_content.log

PAN-FW> less mp-log ms.log

Thanks

L4 Transporter

hey

only the active machine has internet, through an L3 interface.

what should the dynamic update page look like?

should I configure download and install on both members? because I didn't see that this is a synced configuration.

I didn't find any interesting logs

thanks

by default the firewall will use the management interface for updates.

you can change this from the Services tab (look to see if it has been changed)

also read this for HA

https://live.paloaltonetworks.com/docs/DOC-2038

Hello Minow,

You should enable the sync-with peer option on the active firewall in order to push the downloaded database to the passive FW.

Which model of PAN FW do you have, and what is the running PAN-OS version?

Could you please share the CLI output of FW> show system info

Thanks

L4 Transporter


hey

we just configured the two devices to download and install the configuration and push to the other member at different times of the day, and now it works smoothly.

I think PA should know how to handle it on its own, since it is a cluster and each device should know what the other one is doing.

Minow,

On a cluster you should configure the updates on your primary member then choose the option to sync those updates to the secondary.  This will keep both cluster members in sync smoothly and only require one set of downloads.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

yes but if the cluster had fail-over... why shouldn't this process be "wise" ??

I think there are a lot of tasks regarding cluster operation and a lot about Panorama that could have been done better and need some improvement.

let's say for example the update thing, or when Panorama should manage HA in active-passive... so first you have to choose in the PA device to use the MGMT interface to register to Panorama, because Panorama can't push policy for example to the external interface.... amm actually it can be done, but the commit will commit only on the active device... it is like Panorama doesn't know (or should I say, does not check in the information it already has) that we are talking about a cluster, so I will send a commit to the active device with the SN of both of the devices, and the best thing is that even when I push policy using the "external" interface, the active device won't issue a commit to the passive device like it will normally do when you commit locally.

it is like those little things that are missing and you say how they didn't think about that
