This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Pushing dynamic updates from Panorama to firewalls or download direct to firewall

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Pushing dynamic updates from Panorama to firewalls or download direct to firewall

clewis1
L3 Networker

‎06-28-2024 10:01 AM

Looking for advice on best practice regarding dynamic updates (AV, IPS, WF) when managing firewalls from a Panorama. Currently we are download and pushing these dynamic updates from Panorama to about 15 firewalls but will be managing more firewalls from Panorama in the future. We have discovered some of these dynamic update jobs becoming hung and the push to the firewall never completes. 

 

Possible we should consider configuring each firewall to download from the cloud instead of our on prem Panorama?  

0 Likes Likes
4 REPLIES 4

clewis1
L3 Networker

‎07-02-2024 07:49 AM

Here is a screenshot of the failed attempts which were pushed from Panorama.

 

clewis1_0-1719931638710.png

 

0 Likes Likes

PavelK
Cyber Elite
Cyber Elite

‎08-19-2024 08:05 PM

Hello @clewis1

 

personally, I think especially for larger amount of Firewalls it is better to have each Firewall retrieve dynamic updates directly instead of deploying it through Panorama. I would limit the Panorama deployed updates only to Firewalls that do not have internet access to retrieve updates directly.

 

Regarding the error you shared in screen shot this looks like a bug documented in this KB: Commit error on Panorama "Too many (30) deploy jobs pending". If you upgrade to version where this defect is addressed, you will likely be able to continue to use Panorama deployed updates.

 

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

clewis1
L3 Networker
In response to PavelK

‎08-20-2024 04:20 AM

Thank you for the reply. I was able to resolve the issue a while back. I don't recall the exact solution, but I didn't upgrade PAN OS on either of the Panorama or Firewalls.

 

If I recall correctly, I was able resolve by updating the schedule and ensuring I had all the firewalls added. I no longer see the errors and all the firewalls are receiving the updates correctly.

 

clewis1_0-1724152619886.png

 

I do agree with your idea of having the firewalls get their updates directly from the internet if they have a path out. I will be exploring it as an option once internet is available at each of our sites.

laurence64
L4 Transporter

‎08-31-2024 04:19 AM

Hi @clewis1 

 

I agree with @PavelK where you have a small amount of firewalls or you have firewalls that have no internet access I would utilize the push from Panorama, but you can quickly end up in a situation where the Panorama is constantly queuing commits made by admins for rules/config changes due to high frequency update schedules like Wildfire for example.

PCCSA PCNSA PCNSE PCSAE
Mode44 LTD Palo Alto Consultants
0 Likes Likes
  • 1231 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks