Use the centralized deployment capability on Panorama to qualify new content updates or software updates on select devices before you perform the update on all managed devices.
Depending on which subscriptions are active on each device, the content updates can include the latest application update/application and threat signature updates, antivirus signatures, WildFire updates, and GlobalProtect data file updates. The software updates that you can manage from Panorama include: PAN-OS, SSL VPN client, and GlobalProtect client.
Deploy Content and Software Updates on Managed Devices
• Schedule each dynamic update.
Repeat this step for each update you want to schedule.
Based on the subscriptions you have purchased, you might need to install Antivirus updates, Applications or Applications and Threats updates and WildFire updates, GlobalProtect Data File, and BrightCloud URL Filtering database updates.
Only Apps and Threats can be installed on Log Collectors. Devices support Apps, Threats, Antivirus, WildFire, and BrightCloud URL Filtering updates. If the scheduled update fails, a system log is generated; if the scheduled update succeeds, a configuration log is generated.
As a best practice, be sure to stagger the updates that you schedule because Panorama can only download one update at a time. If you schedule the updates to download during the same time interval, only the first download will succeed.
1. Select Panorama > Device Deployment > Dynamic Updates. 2. Click Schedules > Add to set the schedule of each update type.
3. Add a Name to describe the schedule.
4. Select the Type of update, and specify how often you want the updates to occur by selecting a Recurrence value. The available values vary by content type (WildFire updates are available Every 15 minutes, Every 30 minutes or Every Hour whereas all other content types can be scheduled for Daily or Weekly update).
5. Specify the Time and (or, minutes past the hour in the case of WildFire), if applicable depending on the Recurrence value you selected, Day of the week that you want the updates to occur. Panorama timezone is used for the
download/installation.
6. Specify whether you want the system to Download And Install the update (best practice) and select the Devices/ Log Collectors on which the update will be installed or select Download Only, and the content is downloaded to Panorama.
7. Click OK to save the schedule settings.
8. Click Commit to save the settings to the running configuration.
• (Only if you are not scheduling dynamic updates) Deploy dynamic updates on-demand.
A warning displays, if you request a manual update either when an existing schedule has started or is scheduled to start within 5 minutes.
1. Select Panorama > Device Deployment > Dynamic Updates. 2. Check for the latest updates. Click Check Now (located in the
lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available. If a version is available, the Download link displays; for the BrightCloud URL Filtering database, the link displays as Upgrade.
3. Click Download to download a selected version. After successful download, the link in the Action column changes from Download to Install.
4. Click Install and select the devices on which you want to install the update. When the installation completes, a check mark displays in the Currently Installed column.
• Deploy software updates.
For a managed collector, use the image that corresponds to platform name m; for a managed device find the image that corresponds to the hardware model, for example, 5000.
This example shows how to install a PAN-OS software update. The SSL VPN client (Panorama > Device Deployment > SSL VPN Client) and the GlobalProtect client (Panorama
> Device Deployment > GlobalProtect Client) use the same mechanism. However, you do not install the software on the firewall, instead you activate it on the firewall so that it can be downloaded onto client systems.
1. Select Panorama > Device Deployment > Software.
2. Check for the latest updates. Click Check Now (located in the lower left-hand corner of the window) to check for the latest updates. The link in the Action column indicates whether an update is available.
3. Review the File Name and click Download. Verify that the software versions that you download match the firewall models deployed on your network. After successful download, the link in the Action column changes from Download to Install. 4. Click Install and select the devices on which you want to install
the software version. The result of the installation attempt displays on-screen.
If you have devices configured in HA, clear the Group HA Peers check box and upgrade one HA peer at a time.
You can download a maximum of five versions of software per category to Panorama. After five versions, when a new download is initiated, the oldest image is automatically deleted. To configure the maximum number of images, see How do I modify the maximum number of images that can be downloaded?
Deploy Content and Software Updates on Managed Devices (Continued)
• Verify the software and content update version running on each managed device.
1. Select Panorama > Managed Devices.
2. Locate the device(s) and review the content and software versions on the table.
• Verify the software and content update version running on each managed collector.
The applications and threat database is used to retrieve metadata for processing reports that are initiated from Panorama or the managed devices.
If the content databases are not installed on the log collector, the complete dataset required for the report might not be available and can result in incomplete or inaccurate display of information.
1. To verify the version on a managed collector, you must access the CLI of the managed collector. See Log in to the CLI.
2. Enter the command show system info The following details must display:
sw-version: 5.1.0-b10 app-version: 366-1738
app-release-date: 2013/03/29 15:46:03 av-version: 1168-1550
av-release-date: 2013/04/21 14:31:27 threat-version: 366-1738
threat-release-date: 2013/03/29 15:46:03 Deploy Content and Software Updates on Managed Devices (Continued)