Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Tips for Managing Content Updates - Knowledge Base - Palo Alto Networks

Tips for Managing Content Updates

102034
Created On 09/25/18 17:30 PM - Last Modified 11/03/23 06:20 AM


Environment


  • Palo Alto Firewall.
  • PAN-OS 8.1 onwards


Resolution


This document shows the various methods that can be used to manage the content updates. Content updates can be managed using the Graphical User Interface of the firewall, an end host CLI, or via a manual process where one can download content updates from the Customer Service Portal (CSP).

GRAPHICAL USER INTERFACE (GUI)

To view the currently available content on the firewall, go to Device > Dynamic Updates. From there, the following functions may be performed:

  • Click “Check Now” to trigger the request to download the latest content for all content versions the firewall is licensed to support
  • Click on the Release Notes to view a description of the content update.
  • Click Download in the Action column, on a row that contains the desired content version, to download that version on the firewall. When the download is complete, a checkmark is displayed in the “Downloaded” column and the Action column shows the option to now “Install” that same content
  • Click Install in the Action column, on the row of a previously “downloaded” content version, to install the downloaded content update to make it the “Currently Installed” content version.

DASHBOARD.png

 

Palo Alto Networks provides the configuration flexibility to accommodate customer policy.

Following documents can be used to check the release schedule of content updates and then schedule can be configured accordingly on PANOS devices to automatically take action of either download or download-and-install.

Note: To obtain information about content release schedule for any new PANOS version, one of the above URLs can be used. A dropdown menu on the left side of the page allows users to select the desired PANOS version and retrieve the release schedule.

  • To set the schedule for a content type, click the marked-up text next to the characters "Schedule:"
0 PA-VM.png
  • Specify the frequency and timing of the updates and whether the update will be downloaded and installed or only downloaded. For best results, set the hourly offset to a value different from other updates to prevent multiple downloads and installs occurring simultaneously.
Antivirus Update Schedule.png
  • If Download Only is selected, the downloaded update can be installed by clicking the Upgrade link on the Dynamic Updates page. When OK is clicked, the update is scheduled. Additionally, there is an option to delay the Action taken by setting a Threshold dictating how old the new content must be before either action takes place.
  • Additionally, there is an option to delay the Action taken by setting a Threshold.
    • Threshold (hours) - To delay the selected Action (in this case download-and-install)
    • New App-ID Threshold - This is to further delay the install (only install) of new content updates to allow admins to adjust their security policies based on new App-IDs. Recommendation is different for mission-critical and security-first deployments which can be referred to here - Mission-critical and security-first deployments
 
Applications and Threats Update Schedule.png

 

We recommend scheduling AV and Apps/Threats content for Daily Recurrence with an action of Download and Install and a Threshold in accordance with the risk-versus-benefit tolerance of the site.
Daily recurrence allows the opportunity to download any new off-schedule releases for critical bug fixes or filtering updates. Download and install prevent having to manually interact with the system.
If a new update is not available at the time that the firewall checks with updates.paloaltonetworks.com it will wait till the next scheduled time to check. 
It is also recommended that the update schedule not be set at the same times as other updates as this can cause a resource conflict on the firewall and one update will not install. 

Wildfire updates should be scheduled for Download and install every 15 minutes, 5 minutes, or every minute depending on the customer's need and network bandwidth. 
 

COMMAND LINE INTERFACE (CLI)

In the CLI, the various content types can be accessed via the following commands:

  • Antivirus
    • admin@PA-VM> request anti-virus upgrade 
      • > check         Get information from PaloAlto Networks server
      • > download   Download anti-virus packages
      • > info             Show information about available anti-virus packages
      • > install         Install anti-virus packages
  • Apps & Threats
    • admin@PA-VM> request content upgrade
      • > check         Get information from PaloAlto Networks server
      • > download   Download content packages
      • > info             Show information about available content packages
      • > install         Install content packages
  • Wildfire
    • admin@PA-VM> request wildfire upgrade
      • > check         Get information from PaloAlto Networks server
      • > download   Download wildfire packages
      • > info             Show information about available wildfire packages
      • > install         Install wildfire packages

To view the currently available content on the firewall, one can run the following commands for each content type:

request anti-virus upgrade info

[admin@PA-VM request anti-virus upgrade info.png
 

request content upgrade info

[admin@PA-VM request content upgrade info.png
 

request wildfire upgrade info


[admin@PA-VM request wildfire upgrade info.png

To upgrade any of these content types in the CLI, one can run the following commands, in order, to check their content, download the desired content version, and then install that same content version.
 

admin@PA-VM> request content upgrade check



Version               Size              Released on Downloaded  Installed

-------------------------------------------------------------------------

8496-7089             52MB  2021/12/06 21:50:02 EST         no         no

8504-7131             52MB  2021/12/16 23:49:11 EST         no         no

8501-7114             52MB  2021/12/14 13:09:49 EST         no         no

8502-7118             52MB  2021/12/15 00:35:39 EST         no         no

8493-7073             52MB  2021/11/29 17:35:04 EST         no         no

8506-7141             52MB  2021/12/19 02:17:12 EST         no         no

8497-7093             52MB  2021/12/07 20:29:09 EST         no         no

8494-7079             52MB  2021/11/30 19:54:37 EST         no         no

8499-7107             52MB  2021/12/10 22:12:28 EST         no         no

8498-7098             52MB  2021/12/09 23:57:24 EST         no         no

8500-7110             52MB  2021/12/12 23:12:26 EST         no         no

8503-7125             52MB  2021/12/16 01:10:38 EST        yes   previous

8505-7134             52MB  2021/12/17 21:35:31 EST        yes    current

8495-7081             52MB  2021/12/02 17:28:58 EST         no         no





admin@PA-VM> request content upgrade download latest force yes



Download job enqueued with jobid 207

207





admin@PA-VM> show jobs id 207



Enqueued              Dequeued           ID                              Type                         Status Result Completed 

------------------------------------------------------------------------------------------------------------------------------

2021/12/21 00:09:40   00:09:40          207                            Downld                            FIN     OK 00:09:43  

Warnings:

Details:File successfully downloaded





admin@PA-VM> request content upgrade info



Version               Size              Released on Downloaded  Installed

-------------------------------------------------------------------------

8496-7089             52MB  2021/12/06 21:50:02 EST         no         no

8504-7131             52MB  2021/12/16 23:49:11 EST         no         no

8501-7114             52MB  2021/12/14 13:09:49 EST         no         no

8502-7118             52MB  2021/12/15 00:35:39 EST         no         no

8493-7073             52MB  2021/11/29 17:35:04 EST         no         no

8506-7141             52MB  2021/12/19 02:17:12 EST        yes         no

8497-7093             52MB  2021/12/07 20:29:09 EST         no         no

8494-7079             52MB  2021/11/30 19:54:37 EST         no         no

8499-7107             52MB  2021/12/10 22:12:28 EST         no         no

8498-7098             52MB  2021/12/09 23:57:24 EST         no         no

8500-7110             52MB  2021/12/12 23:12:26 EST         no         no

8503-7125             52MB  2021/12/16 01:10:38 EST        yes   previous

8505-7134             52MB  2021/12/17 21:35:31 EST         no    current

8495-7081             52MB  2021/12/02 17:28:58 EST         no         no





admin@PA-VM> request content upgrade install version latest 



Content install job enqueued with jobid 214

214





admin@PA-VM> show jobs id 214



Enqueued              Dequeued           ID                              Type                         Status Result Completed 

------------------------------------------------------------------------------------------------------------------------------

2021/12/21 00:13:06   00:13:06          214                           Content                            ACT   PEND        49%

Warnings:

Details:





admin@PA-VM> show jobs id 214



Enqueued              Dequeued           ID                              Type                         Status Result Completed 

------------------------------------------------------------------------------------------------------------------------------

2021/12/21 00:13:06   00:13:06          214                           Content                            FIN     OK 00:15:15  

Warnings:

Details:Configuration committed successfully

Successfully committed last configuration


Please notice the content upgrade is automatically committed after the “request content upgrade install version latest” command is run.  You can run the “request content upgrade info” command to see the content version that is currently installed.
 

admin@PA-VM> request content upgrade info



Version               Size              Released on Downloaded  Installed

-------------------------------------------------------------------------

8496-7089             52MB  2021/12/06 21:50:02 EST         no         no

8504-7131             52MB  2021/12/16 23:49:11 EST         no         no

8501-7114             52MB  2021/12/14 13:09:49 EST         no         no

8502-7118             52MB  2021/12/15 00:35:39 EST         no         no

8493-7073             52MB  2021/11/29 17:35:04 EST         no         no

8506-7141             52MB  2021/12/19 02:17:12 EST        yes    current

8497-7093             52MB  2021/12/07 20:29:09 EST         no         no

8494-7079             52MB  2021/11/30 19:54:37 EST         no         no

8499-7107             52MB  2021/12/10 22:12:28 EST         no         no

8498-7098             52MB  2021/12/09 23:57:24 EST         no         no

8500-7110             52MB  2021/12/12 23:12:26 EST         no         no

8503-7125             52MB  2021/12/16 01:10:38 EST        yes         no

8505-7134             52MB  2021/12/17 21:35:31 EST         no   previous

8495-7081             52MB  2021/12/02 17:28:58 EST         no         no


CUSTOMER SUPPORT PORTAL (CSP)

To manually install content updates, one can log into the Customer Support Portal and select Updates > Dynamic Updates.

Screenshot 2023-11-03 at 1.25.38 PM.png

When selecting Dynamic Updates, one has the choice to select which content type to download.

Screenshot 2023-11-03 at 1.26.05 PM.png

After one has selected the desired content type, one can download and save the desired content version to their local hard drive.

Screenshot 2023-11-03 at 2.08.39 PM.png

One must upload the downloaded content to the firewall. Go to Device > Dynamic Updates and select “Upload” at the bottom of the screen.

DASHBOARD.png

The “Import Content Package” window opens and it requires one to select the content type and the previously downloaded content file.

Import Content Package.png
Import Content Package.png

After uploading the content to the firewall, one must install the downloaded content onto the firewall. Go to Device > Dynamic Updates and select “Install from File”.

DASHBOARD.png

The “Select Package Type for Installation” window opens and it requires one to select the content package type and the previously downloaded content file.

Select Package Type for Installation.png
Install Antivirus From File.png

One can check Device > Dynamic Updates and see the “Currently Installed” version matches the version downloaded from the CSP portal. You can also see that the content version was not downloaded due to the manual process to upload and install the content version file.

CURRENTLY.png



Additional Information


For PAN-OS 9.0 and above, Refer Best Practices for Applications and Threats Content Updates



Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGRCA0&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language