Dynamic Updates Version Mismatch Alerts for HA Firewall


47521
Created On 09/25/18 19:48 PM - Last Modified 06/06/23 02:36 AM

Resolution

Overview

Even when both nodes in an HA pair are configured to fetch dynamic updates (threat or antivirus updates) at the same time, the firewall generates a version mismatch alert in the system logs. If email alerts are configured on the firewall, the system admin receives these alerts.


This article explains why these alerts are generated and how their severity is assigned.


Details


Even though both members of the HA pair have the same update schedule, they do not install the update at exactly the same instant, so there is a brief period during which the two members run different versions of the dynamic update.


During this window, the HA checks generate a system log entry reporting a mismatch in the dynamic update version.

Prior to PAN-OS 7.1, these mismatch alerts were generated with HIGH severity in the system logs, as follows:


2016/08/02 10:18:05 high ha HA Group 2: Threat Content version does not match
2016/08/02 10:18:05 high ha HA Group 2: Application Content version does not match


If email alerts are configured to send HIGH severity alerts to the system admin, they receive a version mismatch alert for the firewalls. However, by the time they check the firewall, the version mismatch may already have cleared.


The reason is that, as soon as the versions match again after that brief period of difference, the firewall logs the recovery with INFO severity, as follows:


2016/08/03 10:18:27 info ha HA Group 2: Threat Content version now matches
2016/08/03 10:18:27 info ha HA Group 2: Application Content version now matches


Because the email alerts were configured for HIGH severity only, the system admin does not receive these INFO alerts and is never told that the mismatch has been resolved.


Starting from PAN-OS 7.1, there is a behavior change in how these alerts are generated.


The first time the HA check detects a mismatch in the dynamic update version between the two firewalls, the alert is generated with 'informational' severity:


[Screenshot info.PNG: system log entry showing the version mismatch with informational severity]


If the mismatch persists for longer than one hour, the HA check generates the alert with 'high' severity:


[Screenshot high.PNG: system log entry showing the version mismatch with high severity]


Therefore, if email alerts are configured for 'high' severity, the system admin is alerted only when there is a genuine, persistent mismatch and not when the versions differ for just a brief period of time.
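Firewalls still running a release before PAN-OS 7.1 emit a HIGH entry for every brief mismatch, so an admin forwarding those system logs to a SIEM may want to reproduce the 7.1 logic there: pair each "does not match" with its "now matches" and report only mismatches that outlasted one hour. The following Python example is added here to show that pairing on log lines in the format quoted above; it is not Palo Alto Networks code, and the sample log lines, the one-hour threshold and the function names are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample system-log lines in the format quoted in this article:
# Threat Content stays mismatched for about a day, Application Content
# re-syncs within minutes (the brief window the article describes).
SAMPLE_LOG = """\
2016/08/02 10:18:05 high ha HA Group 2: Threat Content version does not match
2016/08/02 10:18:05 high ha HA Group 2: Application Content version does not match
2016/08/02 10:22:40 info ha HA Group 2: Application Content version now matches
2016/08/03 10:18:27 info ha HA Group 2: Threat Content version now matches
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<sev>\w+) ha "
    r"HA Group (?P<group>\d+): (?P<content>.+?) version "
    r"(?P<state>does not match|now matches)$"
)


def parse_line(line):
    """Return (timestamp, severity, group, content, mismatched) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
    return ts, m["sev"], int(m["group"]), m["content"], m["state"] == "does not match"


def persistent_mismatches(log_text, threshold=timedelta(hours=1)):
    """Map (group, content) -> duration for mismatches that outlasted
    `threshold`, including ones still open at the end of the log."""
    open_since, result, last_seen = {}, {}, None
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # unrelated log line
        ts, _sev, group, content, mismatched = parsed
        last_seen, key = ts, (group, content)
        if mismatched:
            open_since.setdefault(key, ts)  # keep the earliest start
        elif key in open_since:
            duration = ts - open_since.pop(key)
            if duration > threshold:
                result[key] = duration
    for key, start in open_since.items():  # never saw "now matches"
        if last_seen - start > threshold:
            result[key] = last_seen - start
    return result
```

Run on SAMPLE_LOG, only the Threat Content mismatch (about one day) is reported; the Application Content mismatch of under five minutes is dropped, which is the same outcome the PAN-OS 7.1 severity escalation produces.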
