"Palo Alto Networks content validation check skipped by user 'panorama' for [content version]" is seen in System log
13653
Created On 12/17/19 05:59 AM - Last Modified 05/22/20 01:33 AM
Symptom
In the Panorama System Log, "Palo Alto Networks content validation check skipped by user 'panorama' for [content version]" is seen.
Environment
- Any Panorama.
- PAN-OS 8.1 and above.
Cause
This alert is related to the new Content Release Validation Check feature introduced in PAN-OS 8.1. This is documented under Content Inspection Features.
- From 8.1 onwards, a new feature has been introduced in which both the firewall and Panorama will perform a content validation before installing a new Dynamic Update.
- The purpose of the content validation is to check, in real-time, with the update server whether the specific content version has been revoked or not.
- If the update server reports that the content update has been revoked then the validation fails. The admin is then advised to click on 'Check Now' and select a different, older, content version.
- When Panorama is configured to install content packages on its managed firewalls, it will check for the validity of the package first and then push it to the firewalls. If Panorama has already performed the validation then it informs the firewalls to not do validation again.
- This is what triggers the generation of the log entry regarding the content validation check being skipped by user Panorama in the System log.
Resolution
This is a normal and expected behavior when panorama is configured to install content packages on firewalls.