Palo Alto Networks Knowledgebase: Scheduled Dynamic Updates having download and install issues

Scheduled Dynamic Updates having download and install issues

10125
Created On 09/25/18 19:38 PM - Last Updated 01/14/20 23:34 PM
Dynamic Updates PAN-OS
Symptom
  • Dynamic Updates are set to download, or download and install on a schedule.
  • The firewall can reach the update server, and manual updates work normally.
  • Threshold interval defined for Dynamic Updates

Example
Schedule for antivirus updates is configured with the 'Threshold' set to 48 hours.

Screen Shot 2015-03-11 at 3.10.07 PM.png
Note: Underneath the Threshold value the mentioned 'Content must be at least this many hours old for any action to be taken'



Environment
  • PAN-OS 8.x / 9.x
  • Dynamic Updates


Cause

Antivirus updates are released on a daily basis:

Screen Shot 2015-03-11 at 3.11.30 PM.png
 

The following error is observed on the log-file ms.log:

admin@pan> grep after-context 1 before-context 11 pattern "threshold=" mp-log ms.log

--2015-03-05 01:00:01--  https://updates.paloaltonetworks.com/Updates/UpdateService2.asmx/CheckForVirusUpdate
Resolving updates.paloaltonetworks.com... 199.167.52.13
Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 4432 (4.3K) [text/xml]
Saving to: `/tmp/.avinfo.xml.10073.tmp'
  0K                                                      100% 11.2M=0s

2015-03-05 01:00:02 (11.2 MB/s) - `/tmp/.avinfo.xml.10073.tmp' saved [4432/4432]
2015-03-05 01:00:02.886 -0500 Content time below threshold 2015/03/04  04:00:02 threshold=48 diff=18
2015-03-05 01:00:02.886 -0500 No new Antivirus updates available for download

Description of Behavior

The hours value under 'Threshold' is a setting that checks the 'maturity' of the *latest* available package. Note that it is not checking the list to find the "next one over" that is at least '48' hours older (so that you could skip updates). The way that the example above is set up (48 hours), would therefore prevent *any* update from deploying.

The reason for this is that the frequency of the antivirus releases is daily (every 24 hours), therefore, the maturity (Threshold) would have to be set to anything less than 24 hours.



Resolution

Recommendation

Observe the frequency of releases of your dynamic update, and set a schedule. If the value of the threshold is bigger than the release frequency, dynamic updates will never deploy.
 

Note: Change of Behavior

The behavior of the 'threshold' feature has changed since PAN-OS 8.0.5 with issue ID PAN-80465.

With this fix, PAN-OS checks the last five content release versions, instead of just the newest version, and performs the action for the latest version that matches the threshold you specified. For example, if content update version 701 is available for 24 hours and version 700 is available for 72 hours, and you set the threshold to 48 hours for Applications and Threats content updates, PAN-OS performs the action for version 700. PAN-OS checks the last five content release versions for Antivirus updates also.



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clb8CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language