Important information regarding Content Apps & Threats version 709 -dataplane restart

jdprovine
L4 Transporter


I just moved to 7.1.9 about a week ago and there seem to be warnings of issues with dataplane restart, and I thought it was related to the threat version 709 and I am now on 710. I have seen no issues, so do I still need to upgrade to 7.1.10?

Willian
L4 Transporter

Hi @jdprovine

I just wanted to provide an update regarding the Palo Alto Content Apps & Threats version 709.

As you've mentioned, Palo Alto Networks issued an advisory last week about Dynamic Content Update problems that caused platforms running specific PAN-OS release versions to restart their dataplane.
https://live.paloaltonetworks.com/t5/Customer-Advisories/UPDATED-Important-information-regarding-Con...

A customer notice has just been released today (06/22/2017) regarding a hotfix to address the issue; however, the official recommendation is that customers running PAN-OS 7.1.9 upgrade their firewalls to PAN-OS 7.1.10.

To facilitate the update process for customers who cannot immediately update their firewalls to PAN-OS 7.1.10, Palo Alto made a hotfix available (PAN-OS 7.1.9-h4) on Wednesday, June 21 that includes a fix for this regression.

I hope this helps.

Follow me on twitter @willguibr

jdprovine
L4 Transporter

@Willian

I went ahead and upgraded to 7.1.10 just to be safe. Just curious, does the hotfix require a reboot at all?

jdprovine
L4 Transporter

@Willian

One more thing: if you are on 710 and not 709 but on 7.1.9, is the dataplane reboot still an issue?

BPry
Cyber Elite

@jdprovine,

Content update 710 and future content updates will include a process designed around getting the content updates to not trigger a dataplane reboot on affected software versions; that being said, the only true fix that does not include workarounds on PA's side of things is once you are no longer on an affected software release.

There is a lot of information in the actual advisory, but at this point I think it's safe to say that the only course of action is for anybody that is running affected software versions to update to the latest maintenance release, as the changes that PA has had to make to guarantee that the dataplane will not restart are a limiting factor in the firewall's day-to-day operations.

jdprovine
L4 Transporter

@BPry

Yes, I figured it was safer to upgrade to 7.1.10 than to wonder, though I had not had any issues and my threat ID was at 710, but the initial notifications sounded like it was an issue with 709 interacting with certain OSes such as 7.1.9. I am just curious if I had stayed on 7.1.9 with 710 if I would have had any issues with the dataplane.

BPry
Cyber Elite

@jdprovine,

No, but the fix for this was that once a new content update is installed, all existing sessions pre-install will transition to layer-4 inspection, and then once the new content update is fully installed, new sessions will again process with layer-7 inspection. Obviously, since you're dropping existing sessions down to layer-4, the solution is less than ideal; however, it's a good bit better than having your dataplane restart, I guess.

jdprovine
L4 Transporter

@BPry

Well, I am on 7.1.10 now either way. I was just curious if the issue was resolved by going to 710 even if I had stayed on 7.1.9.
