12-10-2024 07:05 AM
We have a Panorama pair in HA (VM), in management-only mode. We have 3 pairs of managed firewalls wherein only configuration push is being applied. Dynamic updates for each pair of FWs are being applied manually since it is an air-gapped infra (no internet).
Now, I see the Panoramas were never updated with content updates, since the active one is having a different version than the passive Panorama.
Since I have to take care of the infra, what should be the steps to make both equal?
Secondly, is it necessary/mandatory to have the Panoramas updated to the same versions as the firewalls? I assume that since it is only for config push, it won't be required.
Please guide.
12-10-2024 01:46 PM
Hello @zaidshaikh
Thanks for the post!
Panorama has 3 different types of dynamic updates. The details are described in this KB: What are the different Dynamic Updates configurations in Panorama?.
To resolve the issue with Panorama itself being behind with latest content updates, configure the option No.1.
To resolve the issue where air-gapped Firewalls do not have access to download content updates, configure the option No.3. If your Firewalls do not have the latest content update installed, you might eventually run into an issue where a configuration push fails because of a missing application or application dependency.
Ideally, you should keep both Panorama and Firewalls up to date with the latest content updates.
Kind Regards
Pavel
12-10-2024 08:05 PM
Thanks @PavelK,
The firewalls are up to date with the latest updates; however, the Panorama is having old updates.
Secondly, if I were to fix the issue with respect to the commit failing due to application-status -- "huggingface is an invalid reference" showing in the commit failure details -- how can I fix this?
Later on I will schedule the Panorama updates.
12-10-2024 09:02 PM
Hi,
Also, I need some clarity with respect to the Panorama Apps and Threats update image to be downloaded from the PA portal.
In Panorama Dynamic Updates, which file should be uploaded: "panupv2-all-apps-8843-XXXX" or "panupv2-all-contents-8839-XXXX"?
I just want to know which one to download and upload in Panorama.
12-12-2024 02:14 PM
Hello @zaidshaikh
Thank you for the reply.
The App-ID for huggingface was released in content update 8825, released on 20th March 2024. Any content update installed on the Firewall that was released after this date should resolve the issue with the invalid reference commit failure. Since Panorama is reporting the failure, it makes me think that the outdated content update is on the Firewall side and not on Panorama.
To manually update Panorama's content to the latest version, navigate to: Panorama > Dynamic Updates > Upload, then install. As of now the latest content update file is: panupv2-all-apps-8923-9118.
Kind Regards
Pavel
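An offline pre-push check for the situation discussed in this thread, added here as an example (it is not from the posters or from Palo Alto Networks). It parses content package names in the format quoted above, flags HA peers whose installed content differs, and flags devices whose content predates an App-ID the configuration references; the device names, the installed versions in the sample and the function names are constructed, and only the 8825 release for huggingface comes from the thread.

```python
import re

# Package names as quoted in the thread, e.g. panupv2-all-apps-8923-9118
# or panupv2-all-contents-8839-XXXX (minor part masked by the poster).
PKG_RE = re.compile(r"^panupv2-all-(apps|contents)-(\d+)-(\d+|X+)$")

# App-ID -> first content release carrying it. Only this value is from the thread.
MIN_RELEASE = {"huggingface": 8825}


def parse_package(name):
    """Return (kind, major, minor); minor is None when it is masked."""
    m = PKG_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a content package name: {name!r}")
    kind, major, minor = m.groups()
    return kind, int(major), int(minor) if minor.isdigit() else None


def audit(inventory, ha_pairs, referenced_apps):
    """Return sorted findings for a planned Panorama commit and push."""
    findings = []
    versions = {dev: parse_package(pkg)[1:] for dev, pkg in inventory.items()}
    for a, b in ha_pairs:
        if versions[a] != versions[b]:
            findings.append(f"HA mismatch: {a}={versions[a][0]} {b}={versions[b][0]}")
    for app in referenced_apps:
        need = MIN_RELEASE.get(app)
        if need is None:
            findings.append(f"unknown minimum release for {app}")
            continue
        for dev, (major, _) in versions.items():
            if major < need:
                findings.append(f"{dev}: content {major} predates {app} ({need})")
    return sorted(findings)


# Constructed sample: device names and installed versions are made up.
SAMPLE_INVENTORY = {
    "panorama-a": "panupv2-all-apps-8923-9118",
    "panorama-b": "panupv2-all-contents-8790-8500",
    "fw1-a": "panupv2-all-apps-8923-9118",
    "fw1-b": "panupv2-all-apps-8923-9118",
}
SAMPLE_PAIRS = [("panorama-a", "panorama-b"), ("fw1-a", "fw1-b")]

if __name__ == "__main__":
    for line in audit(SAMPLE_INVENTORY, SAMPLE_PAIRS, ["huggingface", "amazon-titan-embed"]):
        print(line)
```
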
12-12-2024 06:30 PM
Thanks Pavel,
I updated both Panorama and firewalls to the above content update release. Panorama and firewall updates are being done manually on each device separately.
(Note: Disable new apps in content updates is enabled)
Now while committing I am seeing amazon-titan-embed as already in use, when the commit is failing.
However, on Panorama > Device Groups > Objects > Applications > amazon-titan-embed is disabled, same as on the firewalls.
I raised a TAC case and they suggested disabling the "Disable new apps in content updates" option on Panorama, then Commit and Push; it should resolve the issue.
But on Panorama > Dynamic Updates > Apps and Threats I don't see an option to disable "Disable new apps in content updates".
Please guide.
Also, does the same have to be done on the firewalls before committing?
12-13-2024 01:27 PM
Hello @zaidshaikh
Thank you for the reply.
What TAC advised you is something similar to what is described in this KB: Validation Error : Application-status is invalid. The option to disable it should be there. Would you mind sharing a screenshot to see what options you have?
For now I would disable it only on Panorama. If it does not resolve the issue I would disable it on Firewall side as well.
Kind Regards
Pavel
12-14-2024 03:02 AM
Thanks @PavelK for the reply,
Actually the site is restricted so I can't share.
Secondly, under Panorama Dynamic Updates > Apps and Threats I see hyperlinks for Review Policies and Apps, that's it, which doesn't show me an option to enable "Disable new apps in content updates".
Is there any other place wherein I can achieve the same objective?
12-16-2024 07:37 PM
Hello @zaidshaikh
Thank you for the reply.
The option to disable new apps in content updates is located under the scheduling option:
When you install a content update manually you will have an option to disable new apps as well. Could you refer to the articles below:
Tips & Tricks: How to Use 'Disable New Apps' in Content Update
Tips for Managing Content Updates
Other than this I am not aware of any other option to set it.
Kind Regards
Pavel