06-01-2017 02:17 AM - edited 06-02-2017 07:59 AM
Hi All,
Apps and threats on the currently active box are set to download and install, on the passive to download only. The active box received and installed new updates. Will that automatically be synced to the passive? If we have a revert scenario where the passive device has its apps and threats configuration set to download and install, but the active to download only, what will happen, and what is the best practice to configure these settings on both firewalls?
Thx,
Myky
06-01-2017 04:08 AM - edited 06-01-2017 04:11 AM
Well, there are 2 strategies:
- You can have the active member download, install and sync to peer. This will download and install, then copy the file over to the passive and install there too (or you can download and sync, which will download and copy but not install).
With this setting the secondary device does not really need a schedule since the primary will perform that task.
- Or you can have each member do their own schedule and not use the sync option, but that could lead to a mismatch if one has install and the other has download only.
There is a revert option available in the dynamic updates themselves which I would recommend to prevent running into the mismatch:
If your main concern is that a bad content package would be installed and you need a fallback, I would look into using the 'threshold' function first.
This will check for the release date/time of a content package and adds x time (as configured in the threshold) before checking the update server again. If the same file is still available it will go ahead and install; if a newer update is available (emergency content release or content package retracted) the install will be aborted and the threshold is reset if a new package is available. After the second threshold a last check is done and if the package is still available, the emergency package is installed. If yet another version is seen, the install will be aborted altogether and wait until the next scheduled event (watch out for AV updates as these can have several valid releases in a day, where content is usually updated once to twice a week).
on top of the above, there's still the manual revert
hope this helps!
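The threshold behaviour described in the reply above, modelled as an added example that is not part of the original post and is not Palo Alto Networks code. The function names, version strings and timestamps are constructed for illustration, and the logic follows the reply's description, not vendor documentation.

```python
from datetime import datetime, timedelta

MAX_CHECKS = 2  # per the reply: one re-check after the threshold, then one "last check"

def newest_on_server(releases, at):
    """Newest (version, released_at) tuple published on or before `at`."""
    visible = [r for r in releases if r[1] <= at]
    return max(visible, key=lambda r: r[1])

def threshold_decision(candidate, threshold, releases):
    """Decide what happens to a package picked up by the scheduled check.

    candidate: (version, released_at) seen at schedule time.
    threshold: timedelta added to the package's release time before re-checking.
    releases:  everything the update server publishes (constructed sample data).
    Returns (action, version, checked_at).
    """
    version, released_at = candidate
    for _ in range(MAX_CHECKS):
        check_at = released_at + threshold
        seen_version, seen_released = newest_on_server(releases, check_at)
        if seen_version == version:
            # Same package still current after the hold period: install it.
            return ("install", version, check_at)
        # Superseded: abort this install, restart the threshold on the new package.
        version, released_at = seen_version, seen_released
    # A further version appeared at the last check: give up until the next schedule.
    return ("wait-for-next-schedule", None, check_at)

# Constructed sample timeline (hypothetical content versions).
T0 = datetime(2017, 6, 1, 0, 0)
HOLD = timedelta(hours=24)
STABLE = [("700-1", T0)]
ONE_EMERGENCY = STABLE + [("700-2", T0 + timedelta(hours=6))]
TWO_EMERGENCIES = ONE_EMERGENCY + [("700-3", T0 + timedelta(hours=28))]

if __name__ == "__main__":
    for name, timeline in [("stable", STABLE),
                           ("one emergency release", ONE_EMERGENCY),
                           ("two emergency releases", TWO_EMERGENCIES)]:
        print(name, threshold_decision(("700-1", T0), HOLD, timeline))
```
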
06-01-2017 04:42 AM - edited 06-01-2017 04:43 AM
Thank you for taking the time to reply and yes, it does help a lot. I don't have any further questions yet 😉