Why are Commits failing after installing content Apps & Threats 8669 or 8670?

• PAN-OS
• Content Apps and Threats 8669 or 8670

What Happened?

On January 26, 2023, (PST) we discovered an issue with content (Applications and Threats) versions 8669 and 8670. This issue can cause configuration commit tasks to fail on VM and hardware firewalls if you restart certain internal processes using a debug command in CLI, or if these processes were restarted after a crash. This issue does not occur during regular FW operations. The issue is fixed in the content update version 8671 and higher. 
 

How Did This Happen?

The problem was caused by an error in the IP Geolocation data, which is a part of the content update package. Customers might be impacted regardless of whether they are using a IP Geolocation feature (e.g. Country objects in the Security Policy). Restarting certain internal processes can cause them to fail to start and lead to configuration commit failures.
 

Customer Impact

The issue was observed only in troubleshooting operations that included executing debug commands on the FW to restart the process. No problem occurred during normal FW operations.
 

Remediation Actions

1. If you have not yet installed content update 8669 or 8670, we recommend skipping these two versions and installing the content update 8671 or higher.
2. If you already installed one of the impacted content versions, we recommend updating to the latest version.
3. If you are already impacted by the issue that caused configuration commit fails on the devices running content version 8669 or 8670, reboot the firewall and install content update version 8671 or higher.
    

Actions Taken by Palo Alto Networks

1. Customer support teams were provided with the recommendations on fault isolation and recovering device functionality.
2. The fix was released in the content update 8671
3. QA testing routines were updated to avoid similar problems.