How to schedule PAN-OS Dynamic Updates

Captions
[Music] Hey guys, welcome to MB Tech Talker. My name's Matt. In this video I'm going to show you how to correctly schedule dynamic updates to ensure you always have the latest content packages downloaded to your firewalls. I will show you how to do all of this using VM-Series next-generation firewalls using VMware Workstation. Hopefully you enjoy the video. If you do, please like, comment and consider subscribing to my channel.

So once you have your firewall license, the next step is to make sure you have connectivity to the Palo Alto Networks content delivery network, which will allow the firewall to periodically check for content updates. If you don't have a schedule configured, no new signatures, vulnerabilities, malicious domains or GlobalProtect files will be loaded into the firewall.

Okay, so you can see I'm already logged into the firewall. Let's check some basic settings. First of all, let's review the PAN-OS version that I'm running in my lab. As you can see, I've upgraded from 8.1 to PAN-OS 9.16, which is the preferred VM-Series release at the time of recording. If you're not sure how to upgrade your firewall, please check out my PAN-OS upgrade lab video. The link's in the description and I'll put a card up above.

Right, we need to check the Services tab, and in order to do that we need to go to Device, Setup and Services, and then click on the little cog. You can see we have the update server already defined, DNS and NTP is configured. Okay, so let's take it a little further. Let's confirm we have connectivity to the update server by SSH into the firewall, or if you prefer you can use the virtual console within VMware Workstation. I'm going to use PuTTY, so let's connect to the firewall's management interface and log in. Once logged in, I'm going to issue the ping host updates.paloaltonetworks.com, and if everything is working we should have connectivity out to the internet via the management interface and get a response back from the server, which we do. So that's all working, so we can Ctrl+C out of there and then exit out of the console.

So the next step is to click on Dynamic Updates, and let's take a look at the layout. We've got five sections that include Antivirus, Applications and Threats, GlobalProtect Clientless VPN, GlobalProtect Data File and WildFire. Each section has a column with specific information like the content version, the file name, the release date, if it's been previously downloaded or downloaded now, and in the Actions column you can download, install and revert. The release notes links open a new page and give you the opportunity to review the new release information. Down here there's a Check Now button. This will contact the Palo Alto Networks update server to check to see if there are any new contents available, so let's click that now.

So now that's downloaded, we can see that there's some new content available. Looking at WildFire, at 13:56 today, so 12th of the 3rd, 2021, we've got new content that can be downloaded and installed. So we could download this, um, we could, um, sync it to the HA peer, and once it's downloaded then we'll have the option to install, and that's the same for anything in here. So periodically, um, you can manually click the Check Now, um, or alternatively we set up the schedules, and that's what we're going to do next.

Okay, so before moving on to the dynamic update schedules, I want to recommend visiting the Customer Support Portal website and subscribing to the content update emails so that you can get an understanding of how updates may impact your existing policies. Just log into the support portal, edit your preferences, choose which notification you want to receive, and it's done, and you'll get periodic updates in your emails with all new content that's going to be released by Palo Alto.

Okay, so let's go through configuring the schedules based on Palo Alto Networks' best practices. Let's make sure time schedules are varied around the hour to avoid downloading and installing conflicts between the update types.

Let's start with Antivirus. These updates include new and updated antivirus signatures, including signatures discovered by WildFire. Don't forget you must have a Threat Prevention subscription to get these updates, and new antivirus signatures are published daily, so we will configure a new schedule to download and install every day at 1 am. So: daily, time 01:00, download and install, and sync to peer, and then click OK.

Okay, so moving on to Applications and Threats, which includes new and updated application and threat signatures. Again, this update is only available if you have a Threat Prevention subscription. New application and threat updates are published weekly, so I'm going to configure the schedule to download and install every Wednesday at five past one in the morning. This means that the latest content update always includes the application and threat signatures released in the previous versions. You can make your own decisions on how often you want to check for content updates; this is how often I would set in a production environment. So click on the "None" again, and we're going to do recurrence weekly, and then I'm going to choose Wednesday and then five past one in the morning, action set to download and install.

You'll notice in the Applications and Threats schedule some extra options. I'm going to set the threshold value to 12 hours, which suits a mission-critical network approach. This determines the amount of time the firewall waits before installing the latest content. In a security-first network, a schedule of six hours would be fine.

So moving on to the "Allow Extra Time to Review New App-IDs" feature. I should point out that new and updated threat signatures are released and bundled together as one package, which in previous PAN-OS releases meant we had to install threat and newly modified applications at the same time, meaning you had two choices: either delaying content update installations until you assess its impact to the application, which is the mission-critical approach, or take the security-first approach, where you would install application and threat updates as they're made available; you prioritize the latest reputation protection over a possible impact to application availability. That being said, in PAN-OS 9.1 we now have the option to use the "Allow Extra Time to Review New App-IDs" feature, which allows us to install content updates that include new App-IDs on a separate schedule for those that don't. If a business uses a mission-critical approach, it gives the organization extra time to review how new App-IDs impact security policy enforcement and make any necessary policy updates. I'm not going to set anything in here, I'm happy with that. Just, uh, if you've got an HA peer and you're running active/passive or active/active, then you can sync that over, so you're going to click that and we're going to click OK.

So let's move on to WildFire next, as these are signature-based content updates. Let's go into the schedule and, um, because we're running PAN-OS 9.1, the best schedule we could use in 9.1 would be check every minute, and then download and install, and then synchronize with the HA peer, and then click OK. However, I'm going to point out that there's a new feature in PAN-OS version 10 where WildFire can be configured for real-time protection, which means malware and antivirus signatures created as a result of the analysis performed by the WildFire public cloud can be accessed as soon as they're generated. But please remember that without the WildFire subscription you must wait 24 to 48 hours for the WildFire signatures to roll into the Applications and Threats update.

Okay, so now we're moving on to GlobalProtect. The first one is GlobalProtect Clientless VPN. These updates contain updated application signatures to enable Clientless VPN access to common web applications from the GlobalProtect portal. You must have a GlobalProtect subscription to receive these updates. In addition, you must create a schedule for these updates before GlobalProtect Clientless VPN will function. So let's create a schedule to check every hour at 15 minutes past the hour. Click on the "None", and then we're going to go hourly, and then we're going to do 15 minutes past the hour and set the action to download and install, and then click OK.

Moving on to the last schedule, which is for the GlobalProtect Data File. These updates contain vendor-specific information for defining and evaluating Host Information Profile, aka HIP, which is the data returned back from the GlobalProtect app. You must have a GlobalProtect gateway subscription in order to receive these updates. So for this last schedule, let's check for updates every hour at 30 minutes past, um, the hour and set to download and install. So we're going to click on this one, and we're going to do hourly, and we're going to do 30 minutes past the hour, and then the action is going to be download and install, and then we can click OK.

So once you're happy with your schedules, don't forget to hit the Commit button and post your changes to the firewall. Okay, so that's the end of lab, nice and simple. I hope you like the video and you find it useful. Please leave any comments below and I'll see you in the next one.

Okay guys, that's it for today's video. Thanks for watching. Over the next coming weeks I will be uploading more videos where I will be sharing more content about Palo Alto firewall features and technologies and how to configure them. If you like this video, I'm sure you know what to do by now, but just in case you don't, please hit that like button below and share with your friends, and be sure to hit that subscribe button and the bell to get notified every single time I post a new video. If you have any ideas or video content you want me to create, please put them in the comments below, as I would love to hear your feedback on any aspect of my channel. Please keep watching and I will see you in the next video. Thanks. [Music]
Info
Channel: MB Tech Talker
Views: 118
Keywords: PAN-OS upgrade lab, palo alto firewall, palo alto networks, vmware workstation, palo alto firewall tutorial, palo alto ngfw, palo alto firewall configuration, paloalto firewall, pan os upgrade steps, pan os upgrade ha, pan-os upgrade HA, PAN, Pan os upgrade lab, palo alto, PAN-OS Dynamic Updates, palo alto content update, palo alto firewall tutorial for beginners, setup palo alto firewall basic configuration, PAN-0S 9.1
Id: QAvIGeDOjmM
Length: 12min 12sec (732 seconds)
Published: Sat Mar 13 2021