Panorama Config Push Fails after bootstrapping VM-Series Firewall with Panorama-Based Software Firewall License Management

Created On 10/31/23 05:21 AM - Last Modified 09/27/24 19:46 PM


Symptom


  • Bootstrap completes with an old content version.
  • The configuration pushed from Panorama fails with a validation error because it references a newer URL category that the old content version does not contain, for example the 'artificial-intelligence' URL category used in a URL Filtering profile.
Details:
    Validation Error:
    profiles -> url-filtering -> <url_filtering_profile_name> -> credential-enforcement -> block 'artificial-intelligence' is not a valid reference
    profiles -> url-filtering -> <url_filtering_profile_name> -> credential-enforcement -> block is invalid
    Commit failed
  • In the firewall's configd.log (less mp-log configd.log), the message "No valid Threat prevention license" is displayed:
-0700 Error: _pan_mgmtop_content_upgrade_install_file(pan_ops_content.c:6100): Command /usr/local/bin/md_batch -s -p 10 -o/tmp/.xml_string.140500741478144.1119577751 content_install /usr/local/bin/paninstaller.sh -r -tcontent -f/opt/pancfg/mgmt/content-images/panupv2-all-contents-8768-8354 -d/opt/pancfg/mgmt/content-images -o/opt/pancfg/mgmt/updates/curcontent -n/opt/pancfg/mgmt/updates/newcontent return failure, sys_rc=-256, with the following message:encfilesize is 83306576
No threat content update is applied. No valid Threat prevention license.
exiting with 255
...
-0700 Error:  pan_schema_verify_set_constraints(pan_schema_verify.c:327): 'artificial-intelligence' is not a valid reference near line 0
-0700 Error:  _pan_schema_verify_node(pan_schema_obj.c:7726): is invalid , node: alert near line 5243
-0700 Error:  pan_cfg_verify_ex(pan_cfg_commit_handler.c:2996): invalid configuration. Schema verification failed.
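The two log signatures above (the content install refusing to run without a Threat Prevention license, followed by a schema "is not a valid reference" failure during the Panorama push) are what distinguish this condition from an ordinary bad reference in the configuration. The following added example, not part of the original article, shows how a small triage routine can be run over configd.log lines to flag that combination. The sample log text is constructed from the lines quoted above (timestamps trimmed), and the three diagnosis labels are this example's own naming.

```python
import re
from typing import Dict, List, Union

# Constructed sample: the configd.log lines quoted in the article, with the long
# md_batch command shortened, plus one unrelated line to show it is ignored.
SAMPLE_CONFIGD_LOG = """\
-0700 Error: _pan_mgmtop_content_upgrade_install_file(pan_ops_content.c:6100): Command /usr/local/bin/md_batch ... return failure, sys_rc=-256, with the following message:encfilesize is 83306576
No threat content update is applied. No valid Threat prevention license.
exiting with 255
-0700 Info: unrelated management-plane message (constructed)
-0700 Error:  pan_schema_verify_set_constraints(pan_schema_verify.c:327): 'artificial-intelligence' is not a valid reference near line 0
-0700 Error:  _pan_schema_verify_node(pan_schema_obj.c:7726): is invalid , node: alert near line 5243
-0700 Error:  pan_cfg_verify_ex(pan_cfg_commit_handler.c:2996): invalid configuration. Schema verification failed.
"""

# Patterns taken from the messages as they appear in the article's log excerpt.
LICENSE_MISSING_RE = re.compile(r"No valid Threat prevention license", re.IGNORECASE)
CONTENT_NOT_APPLIED_RE = re.compile(r"No threat content update is applied")
BAD_REFERENCE_RE = re.compile(r"'([^']+)' is not a valid reference")
SCHEMA_FAILED_RE = re.compile(r"Schema verification failed")


def triage_configd_log(text: str) -> Dict[str, Union[bool, List[str]]]:
    """Scan configd.log text and collect the indicators relevant to this failure."""
    findings: Dict[str, Union[bool, List[str]]] = {
        "license_missing": False,
        "content_not_applied": False,
        "schema_verification_failed": False,
        "invalid_references": [],
    }
    refs: List[str] = []
    for line in text.splitlines():
        if LICENSE_MISSING_RE.search(line):
            findings["license_missing"] = True
        if CONTENT_NOT_APPLIED_RE.search(line):
            findings["content_not_applied"] = True
        if SCHEMA_FAILED_RE.search(line):
            findings["schema_verification_failed"] = True
        m = BAD_REFERENCE_RE.search(line)
        if m and m.group(1) not in refs:
            refs.append(m.group(1))
    findings["invalid_references"] = refs
    return findings


def diagnose(findings: Dict[str, Union[bool, List[str]]]) -> str:
    """Map the collected indicators to a diagnosis label (labels are this example's own)."""
    if findings["license_missing"] and findings["invalid_references"]:
        # Content could not be installed for lack of a license, and the pushed
        # config references an object unknown to the old content: the case
        # described in this article.
        return "stale-content-after-bootstrap"
    if findings["invalid_references"]:
        # A dangling reference with no license problem points at the config itself.
        return "unresolved-reference"
    if findings["license_missing"]:
        return "license-missing"
    return "no-match"


if __name__ == "__main__":
    result = triage_configd_log(SAMPLE_CONFIGD_LOG)
    print("indicators:", result)
    print("diagnosis:", diagnose(result))
```

Run against a real configd.log, a "stale-content-after-bootstrap" result is the cue to check the firewall's content version and license state before re-pushing; the invalid_references list tells you which categories the push depended on.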


Environment


  • Panorama running PAN-OS 10.2.x.
  • The VM-Series firewall is bootstrapped using the basic configuration method.
  • Licenses are deployed through the Panorama-based Software Firewall License plugin.
  • VM-Flex licensing type.


Cause


  • When the Panorama-based Software Firewall License plugin is used to deploy licenses, the firewall license is applied only after the bootstrap is complete.
  • Because the Threat Prevention license is not yet installed while the bootstrap is in progress, the content version is not updated during bootstrap.
  • The configuration push therefore fails when it references newer categories that are not present in the firewall's older content version.


Resolution


  1. Use the "Automatically push content when software device registers to Panorama" option.
  2. This option was introduced in PAN-OS 10.2 to update the content version.
  3. Enabling it ensures that the content version is updated after the bootstrap is complete and the firewall has a valid license, but before the Panorama configuration push.
  4. To configure Panorama to automatically push the latest dynamic content updates to VM-Series and CN-Series firewalls on first connection, follow these steps:
    1. Select Panorama > Templates and click the template stack that contains the VM-Series and CN-Series firewall configuration.
    2. Check (enable) Automatically push content when software device registers to Panorama.
    3. Click OK.

This method requires an existing template stack for the VM-Series firewall.


