panorama in management only mode


L3 Networker

We have a Panorama pair in HA (VM), in management-only mode. It has 3 pairs of managed firewalls, to which only configuration push is being applied. Dynamic updates for each pair of FWs are being applied manually since it is an air-gapped infra (no internet).

Now, I see the Panoramas were never updated with content updates, since the active one has a different version than the passive Panorama.

Since I have to take care of the infra, what are the steps to make both equal?

Secondly, is it necessary/mandatory to have the Panoramas updated to the same versions as the firewalls? I assume that since it is only for config push, it won't be required.

Please guide.

Cyber Elite

Hello @zaidshaikh

Thanks for the post!

Panorama has 3 different types of dynamic updates. The details are described in this KB: What are the different Dynamic Updates configurations in Panorama?.

To resolve the issue with Panorama itself being behind with the latest content updates, configure option No. 1.

To resolve the issue where air-gapped Firewalls do not have access to download content updates, configure option No. 3. If your Firewalls do not have the latest content update installed, you might eventually run into an issue where a configuration push fails because of a missing application or application dependency.

Ideally, you should keep both Panorama and Firewalls up to date with the latest content updates.

Kind Regards

Pavel 

Help the community: Like helpful comments and mark solutions.

Thanks @PavelK,

The firewalls are up to date with the latest updates; however, the Panorama has old updates.

Secondly, if I were to fix the issue with respect to the commit failing due to "application-status-- huggingface is a invalid reference", shown in the commit failure details, how can I fix this?

Later on I will schedule the Panorama updates.

Hi,

Also, I need some clarity with respect to the Panorama APP and Threats update image to be downloaded from the PA portal.

In Panorama Dynamic Updates, which file should be uploaded: "panupv2-all-apps-8843-XXXX" or "panupv2-all-contents-8839-XXXX"?

Just want to know which one to download and upload in Panorama.

Cyber Elite

Hello @zaidshaikh

Thank you for the reply.

The APP-ID for huggingface was released in content update 8825, released on 20th March 2024. Any content update installed on the Firewall that was released after this date should resolve the issue with the invalid reference commit failure. Since Panorama is reporting the failure, it makes me think that the outdated content update is on the Firewall side and not on Panorama.

To manually update Panorama's content to the latest version, navigate to: Panorama > Dynamic Updates > Upload, then install. As of now the latest content update file is: panupv2-all-apps-8923-9118.

Kind Regards

Pavel


Thanks Pavel,

I updated both Panorama and firewalls to the above release content updates. Panorama and firewall updates are being done manually on each device separately.

(Note: "Disable new apps in content updates" is enabled)

Now, while committing, I am seeing amazon-titan-embed as already in use when the commit is failing.

However, on Panorama > Device Groups > Objects > Applications, amazon-titan-embed is disabled, same as on the firewalls.

I raised a TAC case and they suggested disabling "Disable new apps in content updates" on Panorama, then Commit and Push, and it should resolve the issue.

But on Panorama > Dynamic Updates > Apps and Threats, I don't see the option to disable "Disable new apps in content updates".

Please guide.

Also, does the same have to be done on the firewalls before committing?

Cyber Elite

Hello @zaidshaikh

Thank you for the reply.

What TAC advised you is something similar to what is described in this KB: Validation Error : Application-status is invalid. The option to disable it should be there. Would you mind sharing a screenshot to see what options you have?

For now I would disable it only on Panorama. If it does not resolve the issue I would disable it on the Firewall side as well.

Kind Regards

Pavel

Thanks @PavelK for the reply,

Actually the site is restricted, so I can't share.

Secondly, under Panorama Dynamic Updates > Apps and Threats, I see hyperlinks for Review Policies and Apps, that's it, which doesn't show me the option to enable "Disable new apps in content updates".

Is there any other place where I can achieve the same objective?

Cyber Elite

Hello @zaidshaikh

Thank you for the reply.

The option to disable new apps in content updates is located under the scheduling option:

 

PavelK_0-1734406081214.png

PavelK_1-1734406135921.png

 

When you install a content update manually, you will have an option to disable new apps as well. Could you refer to the articles below:

Tips & Tricks: How to Use 'Disable New Apps' in Content Update

Tips for Managing Content Updates 

 

Other than this I am not aware of any other option to set it.

 

Kind Regards

Pavel
