How to set up the threshold time for application/threat content updates based on security-first or mission-critical first

21563
Created On 10/16/20 17:53 PM - Last Modified 08/11/25 18:29 PM


Objective


When new application and threat signatures are delivered in a single content update package, a new application signature may be genuinely new or may match one of your custom applications, and a new threat signature may match benign traffic. This article covers the best strategy to reduce possible false positives in the network.


Environment


  • Palo Alto Firewall
  • Any PAN-OS
  • Content Updates


Procedure


Application and Threat updates can be installed at different times, even though they are delivered in the same package. Organizations can be classified as "security-first" or "mission-critical".
The following common practices should be applied in either case.

  • Review the content release notes for the new applications and threats. In the GUI: Device > Dynamic Updates > (select a threat version) and click Release Notes.
  • Release notes provide information on the newly identified and modified application and threat signatures. These may impact existing security policies.
  • Review the recommendations for modifying your security policy to take best advantage of the new protection.
  • Go to the Customer Support Portal and subscribe to content update emails.


The security-first organization prioritizes protection over application availability; its first priority is attack defense.

  • If possible, stagger the roll-out of new content. If you have a firewall in a location with fewer users or less business risk, install the new content at that location first and monitor.
  • Check for new threat signatures that can affect connectivity, such as authentication or brute-force signatures.
  • You can schedule the content updates as "download and install" with a threshold of up to six to twelve hours before the content is installed.
  • Install 911 content as fast as possible.

(Screenshot: threshold for mission critical)

The mission-critical organization prioritizes application availability over protection with the latest threat signatures. Its tolerance for network downtime is zero: if you are using a security policy based on App-ID, any change in an App-ID can affect the policy and cause downtime.

  • Once you identify the App-IDs, create a security policy rule to allow the mission-critical App-IDs, such as authentication, updates, and application updates. Refer to Manage New and Modified App-IDs.
  • Create an application filter for new App-IDs in critical categories. Use this application filter in your security policy rule with the appropriate action.
  • You can schedule the content updates as "download and install" automatically with a threshold of up to 24 to 48 hours before the content is installed.
(Screenshot: threshold for mission critical)
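The checks above (release-notes review, App-ID rule impact, connectivity-sensitive threat signatures, and the per-profile install threshold) can be scripted as a pre-install review. The following is an added example written for this article, not Palo Alto Networks code; the release data, policy rules and content version are constructed, and it applies the upper bound of each threshold range by default.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Threshold windows (hours) from the article: how long content should age before install.
THRESHOLD_HOURS = {"security-first": (6, 12), "mission-critical": (24, 48)}
# Threat signature categories the article flags as able to break connectivity.
CONNECTIVITY_SENSITIVE = {"authentication", "brute-force"}


@dataclass
class ContentRelease:
    """Summary of a content package as taken from its release notes."""
    version: str
    released_at: datetime
    new_apps: set = field(default_factory=set)
    modified_apps: set = field(default_factory=set)
    threat_categories: set = field(default_factory=set)


# Constructed sample: version number, dates, apps and rules are all placeholders.
SAMPLE_RELEASE = ContentRelease(
    "0000-0000", datetime(2025, 1, 10, 9, 0),
    new_apps={"new-saas-app"},
    modified_apps={"ms-update", "ldap"},
    threat_categories={"brute-force", "spyware"},
)
# App-ID-based security policy: rule name -> App-IDs it references.
SAMPLE_POLICY = {
    "allow-auth": {"ldap", "kerberos"},
    "allow-updates": {"ms-update"},
    "allow-web": {"web-browsing"},
}


def affected_rules(release, policy):
    """Rules whose App-IDs were modified in this release (candidates for downtime)."""
    return {rule: sorted(apps & release.modified_apps)
            for rule, apps in policy.items() if apps & release.modified_apps}


def earliest_install(release, profile, conservative=True):
    """Release time plus the profile's threshold (upper bound unless conservative=False)."""
    low, high = THRESHOLD_HOURS[profile]
    return release.released_at + timedelta(hours=high if conservative else low)


def plan_install(release, policy, profile):
    """Pre-install review: when to install and what to check before doing so."""
    return {
        "install_not_before": earliest_install(release, profile),
        "affected_rules": affected_rules(release, policy),
        "review_threat_signatures": sorted(release.threat_categories & CONNECTIVITY_SENSITIVE),
        "new_app_ids": sorted(release.new_apps),   # candidates for the application filter
        "stagger_rollout": profile == "security-first",
    }
```

Run `plan_install(SAMPLE_RELEASE, SAMPLE_POLICY, "mission-critical")` to see the install-not-before time pushed out 48 hours and the two rules that reference modified App-IDs.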


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HBDbCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail