HA pair App and Threat sync to peer question.


L6 Presenter

Hi All,

 

Apps and threats on the currently active box are set to download and install, on the passive to download only. The active box received and installed new updates. Will that automatically be synced to the passive? If we have a revert scenario where the Passive device has its apps and threats configuration set to download and install, but the Active to download only, what will happen, and what is the best practice for configuring these settings on both firewalls?

 

Thx,

Myky

1 accepted solution

Accepted Solutions

Cyber Elite

well there's 2 strategies:

 

- you can have the active member download, install and sync to peer, this will download and install, then copy the file over to passive and install there too (or you can download and sync, which will download and copy but not install)

with this setting the secondary device does not really need a schedule since the primary will perform that task

schedule updates and sync.png

 

- or you can have each member do their own schedule and not use the sync option but that could lead to mismatch if one has install and the other has download only

 

 

There is a revert option available in the dynamic updates themselves which I would recommend to prevent running into the mismatch:

revert.png

 

If your main concern is that a bad content package would be installed and you need a fallback, I would look into using the 'threshold' function first

 

This will check for the release date/time of a content package and add x time (as configured in the threshold) before checking the update server again. If the same file is still available it will go ahead and install; if a newer update is available (emergency content release or content package retracted) the install will be aborted and the threshold is reset if a new package is available. After the second threshold a last check is done and if the package is still available, the emergency package is installed. If yet another version is seen, the install will be aborted altogether and wait until the next scheduled event (watch out for AV updates as these can have several valid releases in a day where content is usually updated once to twice a week)

 

on top of the above, there's still the manual revert

 

hope this helps!

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
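
An added example (not part of the original post and not Palo Alto Networks code): a Python check that compares the Applications and Threats update schedule of both HA members and flags the install/download-only mismatch and a missing threshold described in the answer above. The XML samples are constructed, and the element names are an assumption modelled on the PAN-OS `update-schedule` configuration layout, so check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample exports (not from a real device). Element names are an
# assumption modelled on the PAN-OS update-schedule layout.
ACTIVE_XML = """
<update-schedule>
  <threats><recurring>
    <daily><at>02:00</at><action>download-and-install</action></daily>
    <threshold>24</threshold>
  </recurring></threats>
</update-schedule>
"""
PASSIVE_XML = """
<update-schedule>
  <threats><recurring>
    <daily><at>02:00</at><action>download-only</action></daily>
  </recurring></threats>
</update-schedule>
"""

def parse_schedule(xml_text, package="threats"):
    """Return action, sync-to-peer and threshold for one package schedule."""
    rec = ET.fromstring(xml_text.strip()).find(f"{package}/recurring")
    if rec is None:
        return None  # no schedule configured on this member
    return {
        "action": rec.findtext(".//action"),
        "sync": rec.findtext("sync-to-peer", default="no") == "yes",
        "threshold": rec.findtext("threshold"),
    }

def audit_pair(active_xml, passive_xml, package="threats"):
    """List findings for the mismatch cases discussed in the answer."""
    active = parse_schedule(active_xml, package)
    passive = parse_schedule(passive_xml, package)
    if active is None:
        return ["active member has no schedule"]
    findings = []
    if not active["sync"]:
        # Without sync-to-peer each member depends on its own schedule.
        if passive is None:
            findings.append("no sync-to-peer and no passive schedule")
        elif passive["action"] != active["action"]:
            findings.append(f"action mismatch: active={active['action']} "
                            f"passive={passive['action']}")
    if active["action"] == "download-and-install" and not active["threshold"]:
        findings.append("install without threshold: no hold time before install")
    return findings
```

Calling `audit_pair(ACTIVE_XML, PASSIVE_XML)` on the constructed samples reports the action mismatch from the question; adding `sync-to-peer` to the active schedule clears it.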

2 REPLIES

Thank you for taking the time to reply and yes, it does help a lot. I don't have any further questions yet 😉
