Palo Alto Networks Knowledgebase: PAN-OS 7.1 Five-minute dynamic update interval for WildFire public cloud

PAN-OS 7.1 Five-minute dynamic update interval for WildFire public cloud

Created On 07/29/19 17:24 PM - Last Updated 07/29/19 17:51 PM
Resolution

Description:

 

  • This new feature makes WildFire dynamic updates available every 5 minutes and gives firewalls a 1-minute polling interval option for WildFire dynamic update.
  • This feature also includes an enhancement to reduce commit times.

 

New WildFire signature package for PAN-OS 7.1 and later:

 

  • WildFire 7.1 content and WildFire 7.0 content will be different!
  • Both versions of content have the same set of signatures.
  • The new naming convention is panupv2-all-wildfire-<version number>-<build number>
  • WildFire 7.1 content has the minimum content version set to 7.1. Therefore, WildFire 7.1 content will not install on PAN-OS 7.0 and earlier versions.
  • WildFire 7.0 and earlier content should have the maximum content version set to 7.0 and will not install on PAN-OS 7.1 and later systems.
  • Screen capture in Device/Panorama > Dynamic Update appears as shown:

 

wildfire dynamic updates.png

 

Customer Support Portal will have both the content versions available for download:

 

  • Both content versions are available for download in the portal > Dynamic updates:

 

portal download.png

 

 

Changes in the WebUI:

 

  • New WildFire dynamic update package is available every 5 minutes.
  • PAN-OS has a recurrence interval of 'Every Minute' (via Device > Dynamic Updates > WildFire > Schedule).
  • Panorama has an equivalent setting as shown:

panorama schedule.png

 

 

Panorama schedule update (deployment):

 

  • A recurrence interval of 'Every Minute' is added to Device > Dynamic Updates > WildFire > Schedule in PAN-OS and the equivalent area of Panorama. When this option is selected, the firewall checks and, if available, retrieves/installs (as appropriate) any new WildFire dynamic update:

 

schedule update.png

 

CLI change:

 

  • For Device/Panorama local update:
admin@PA-5020# set deviceconfig system update-schedule wildfire recurring
+ sync-to-peer Synchorinize content with HA peer after download/install
> every-15-mins Every 0, 15, 30, 45 minutes past the hour
> every-30-mins Every 0, 30 minutes past the hour
> every-hour Every 0 minutes past the hour
> every-min Every minute
<Enter> Finish input

 

  • For Panorama Deployment:
set deviceconfig system deployment-update-schedule test-av-update wildfire recurring every-min action download-and-install devices <serial number>

 

Other enhancement:

 

  • Faster commit time: this feature divides the WildFire cache, which currently contains both WildFire public content and private content, into two separate caches, one for public content and the other for private content. This change reduces the commit time when only the public content or only the private content is updated.

 

Panorama interaction:

 

  • There are now two different content packages for WildFire content updates (WildFire for 7.1+ and WildFire for 7.0 and earlier). To help customers understand which package is installed or is to be deployed on Panorama, the content version is displayed in the 'Features' field in Panorama.
  • In the Device Deployment tree / Dynamic Updates, the WildFire packages will display the content version in the 'Features' tab.

 

features.png

 

  • Panorama is WildFire-version-aware and pushes out the correct content to each managed device.
  • Schedules: schedules with content type "WildFire" and the "Download & install" action schedule and download the correct content version for each managed device.

 

Panorama Deployment limit:

 

  • To keep Panorama from being overloaded, a commit warning message is issued if the number of devices used in all 1-minute WildFire update schedules exceeds a certain limit. The limits will be enforced as follows:
    • VM Panorama: 300
    • M-100: 300
    • M-500: TBD
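
The following is an added example, not part of the original article and not Palo Alto Networks code: a Python check that reads set-format lines like the Panorama deployment command shown earlier and compares the devices on every-min WildFire schedules with the limits listed above. It assumes that several devices appear as a bracketed list and that a device named in more than one schedule counts once; the schedule names and serial numbers in the sample are constructed.

```python
import re

# Limits from the "Panorama Deployment limit" list; M-500 is TBD on the page.
LIMITS = {"VM Panorama": 300, "M-100": 300, "M-500": None}

# Matches the set-format line shown under "For Panorama Deployment".
# Assumption: several devices may appear as a bracketed list "[ s1 s2 ]".
SCHED_RE = re.compile(
    r"^set deviceconfig system deployment-update-schedule (?P<name>\S+) "
    r"wildfire recurring (?P<interval>\S+) .*?\bdevices (?P<devs>\[[^\]]*\]|\S+)"
)

def every_min_devices(config_text):
    """Return {schedule name: set of serials} for every-min WildFire schedules."""
    schedules = {}
    for line in config_text.splitlines():
        m = SCHED_RE.match(line.strip())
        if not m or m.group("interval") != "every-min":
            continue
        serials = m.group("devs").strip("[]").split()
        schedules.setdefault(m.group("name"), set()).update(serials)
    return schedules

def check_limit(config_text, model):
    """Return (device_count, limit, exceeded) for the given Panorama model."""
    schedules = every_min_devices(config_text)
    # Assumption: a device that appears in two schedules is counted once.
    devices = set().union(*schedules.values()) if schedules else set()
    limit = LIMITS[model]
    exceeded = limit is not None and len(devices) > limit
    return len(devices), limit, exceeded

# Constructed sample configuration; schedule names and serials are made up.
SAMPLE = "\n".join(
    ["set deviceconfig system deployment-update-schedule wf-fast wildfire "
     "recurring every-min action download-and-install devices [ %s ]"
     % " ".join("SN%06d" % i for i in range(1, 300))]
    + ["set deviceconfig system deployment-update-schedule wf-dmz wildfire "
       "recurring every-min action download-and-install devices SN%06d" % i
       for i in (299, 300, 301)]
    + ["set deviceconfig system deployment-update-schedule wf-slow wildfire "
       "recurring every-15-mins action download-and-install devices SN000999"]
)

if __name__ == "__main__":
    count, limit, exceeded = check_limit(SAMPLE, "M-100")
    print(f"{count} devices on every-min schedules, limit {limit}, exceeded={exceeded}")
```

Running a check like this on an exported configuration before committing shows which schedules push the total past the limit, so devices can be moved to a longer interval ahead of the commit warning.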

 

Upgrade/Downgrade considerations:

 

  • Upgrade: version1 WildFire content commits successfully when upgrading.
  • Downgrade:
    • The 'Every Minute' recurrence interval reverts back to 'Every 15 Minutes.'
    • The 7.1 content is removed and the new 7.0 content must be retrieved.

 

Additional details:

 

  • Supported platforms: This feature is supported by all platforms (Device and Panorama).
  • Troubleshooting: System log, mp-log/ms.log, mp-log/devsvr.log, dp/pan_comm.log should be useful.

