01-09-2014 04:43 AM
hey
we have a cluster that is configured to download and install updaetd but we can see that it is only downloading them and doen not update,
where can i find related logs on the device? (PAN-OS 5)
01-09-2014 04:53 AM
as I know you can see them
less mp-log ms.log
also for the errors
for installation I am not sure.maybe you'll see there also.
01-09-2014 05:19 AM
On the monitor tab -- Logs -- System
This will show logging for the updates
01-09-2014 05:31 AM
did you check job details ?
show jobs all | match Content
show jobs id ....
01-09-2014 07:14 AM
Hello Minow,
Can you pls verify as shown below if it is set to "Download and Install" and not just download.
Even after this if it is just downloading. We can look output in the "show jobs all"
We should see for example 3 jobs in this order 1> Download 2> Content 3> Antivirus
If not we can find details in the ms.log and devsrv.log for related details.
Hope this helps
Thanks
01-10-2014 04:52 AM
Also make sure the multiple schedules are at different times so there are no conflicts.
01-10-2014 07:23 AM
Hello, Minow,
Do you have independent internet connectivity through both firewall's ( both HA node) management interface...? If so, then I would recommend to use download and install time slightly different on both nodes while "sync To Peer" is enabled.
You can verify the same information under Monitor >> System logs and CLI command mentioned below
PAN-FW> less mp-log paninstaller_content.log
PAN-FW> less mp-log ms.log
Thanks
01-12-2014 01:11 AM
hey
only the active machine has internet through a L3 interface,
how should the dynamic update page should look like?
should i configure download and install on both members? because i didnt see this is a synced configuration.
didnt find any interesting logs
thanks
01-12-2014 02:02 AM
by default firewall will use management interface for updates.
you can change this from Services tab(look if it is changed)
also read this for HA
01-12-2014 11:05 AM
Hello Minow,
You should enable sync-with peer option on the active firewall in order to push the downloaded database to the passive FW.
Which model of PAN FW you are having and what is the running PAN OS version..?
Could you please share CLI output FW>show system info
Thanks
02-07-2014 11:53 PM
hey
we just configured the two device to download and install the configuration and push to the other member on different times of the day, and now it work smoothly,
I think PA should do or know how to handle it by it own, since it is a cluster and each device should know what the other one is doing,
02-08-2014 04:05 AM
Minow,
On a cluster you should configure the updates on your primary member then choose the option to sync those updates to the secondary. This will keep both cluster members in sync smoothly and only require one set of downloads.
02-09-2014 01:18 PM
yes but if the cluster had fail-over... why shouldn't this process be "wise" ??
i think there are a lot of tasks regarding cluster operation and a lot about panorama that could have been done better
and need some improvement.
lets say for example the update thing or when panorama should manage HA in active passive... so first you have to choose in the PA device to use the MGMT interface to register to panorama, because panorama cant push policy for example to the external interface.... amm actually it can be done, but the commit will commit only on the active device... it is like Panorama doesn't know (or should i say, does not check in the information it already has) that we are talking about a cluster, so i will send a commit to the active device with the SN of both of the device, and the best thing is that even when i push policy using the "external" interface, the active device wont issue a commit to the passive device like it will normally do when you commit locally.
it is like those little thinks that are missing and you say how they didn't think about that
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
