PAN-OS 8.0.4 - Sporadic Success on Content & Anti-Virus upgrades (PA-200)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PAN-OS 8.0.4 - Sporadic Success on Content & Anti-Virus upgrades (PA-200)

L4 Transporter

All,

 

I opened a ticket on this with Palo Alto but I thought I would reach out here as well.  Even since upgrading from 7.1.x to 8.0.4 on PAN-200 firewalls I am getting inconsistant success in upgrading Content or Anti-Virus packages.  It's so inconsistant that I have two of our firewalls working without issue, but several others failing to upgrade content on the scheduled time.  

 

All Palo Altos are upgrading locally (not pushed via Panorama) and are using a Global Template Stack so those firewalls that are working have the same global configuration of those that don't.  I have also tried Global Overrides on several firewalls which appeared to work (cooincednece at first) and then didn't work again.  I have sent multiple support files to Palo Alto and they have been on our firewalls remotely but still don't have an answer.  I am having similar issue with Anti-Virus where I have a few firewalls behind, more than its every hour scheduled update (some are 5-6 hours out of date) but eventually they seem to catch up.  Same thing where Global Override does not change things.

 image.png

* I know about content 729, we reverted yesterday and now we are running all 730 but I had to push it via Panorama to get it installed.

 

Anyone else having this issue?  We had zero issues with 6.x through 7.x as far as Content and Antivirus upgrades were concerned.

 

- Matt

3 REPLIES 3

Cyber Elite
Cyber Elite

@mlinsemier,

I ran into this starting at 8.0.2 on one of my 3020 pairs but I resolved it by simply setting different update servers for both members and having them push to peer on both. Funny enough my issues seem to have been solved with the 8.0.4 update, but I also only noticed them on one pair so I didn't think it was widespread enough to really waste time on. 

 

I kind of assume that the update server you get directed to is overloaded and can't provide you with the file in a timely manor, hense it's a random sporadic occurrence. 

 @BPry,

 

Can you tell me what update servers you are pointing yours too?  The funny thing is since all of my firewalls use the same Global Template Stack, they all point to the same URL, both the ones that are working and ones that are not.  I am not having any issues with my 3000 of 5000 series Palo Alto hardware.

 

I did just got a message back on my ticket about a potential memory leak that was being investigated.  I'll post here if I get a resolution.


Thanks for your input!

 

Matt

@mlinsemier,

You really only have two URLs to set it to; updates.paloaltonetworks.com which is the standard and changes due to it being on a CDN network, or the static staticupdates.paloaltonetworks.com. You can statically set the IP to other regions by resolving the updates.paloaltonetworks.com IP through nslookup tools hosted elsewhere.

 

 

  • 1746 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!