Best Practices for Application and Threat Content Updates
The best practices to deploy content updates help to ensure seamless policy enforcement as new threat signatures and applications are introduced or modified in a content release. Because of the policy impact of new application and threat signatures, consider your network security and availability requirements as you apply best practices:
An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You’re primarily using the firewall for its threat prevention capabilities. A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero tolerance for downtime. The firewall is deployed inline to enforce security policy and if you’re using App-ID in security policy, any change to content that affects App-ID could cause downtime.
You can take a mission-critical or security-first approach to deploying content updates, or you can apply a mix of both approaches to meet the needs of the business. Follow these best practices to most effectively absorb the new application and threat signatures that are delivered to the firewall in content updates:
Always review Content Release Notes for the list of the newly-identified and modified applications and threat signatures that the content release introduces. Content Release Notes also describe how the update might impact existing security policy enforcement and provides recommendations on how you can modify your security policy to best leverage what’s new.
To subscribe to get notifications for new content updates, visit the Palo Alto Networks Support Portal, edit your profile, and select Subscribe to Content Update Emails. You can also review Content Release Notes for apps and threats on the Palo Alto Networks Support Portal or directly in the firewall web interface: select Device > Dynamic Updates and open the Release Note for a specific content version.
The Notes section of Content Release Notes highlights future updates that Palo Alto Networks has identified as possibly significantly impacting coverage: for example, new App-IDs or decoders. Check for these future updates, so that you can account for any policy impact in advance of the release.
Schedule content updates so that they download and install automatically and, based on your network security and availability requirements, set a threshold that determines the amount of time the firewall waits before installing the latest content: If you have a security-first posture, do not set a threshold to delay receiving the latest content update. Enable the firewall to download and install content updates as they are made available so that you are always equipped with the most up-to-date threat prevention signatures. If your network is mission-critical, schedule a 24-hour threshold for content updates. This 24-hour delay ensures that the firewall only installs content releases after they have been available and functioning correctly in customer environments for at least 24 hours.
To mitigate any risk associated with enabling new applications and threat signatures, you can stagger the roll-out of new content. Provide the new content to locations with less business risk (fewer users in satellite offices) before deploying them to locations with more business risk (such as locations with critical applications). Confining the latest content updates to certain firewalls before deploying them across your network makes it easier to troubleshoot any issues that arise.
Use Panorama to push staggered schedules to different firewalls or device groups.
To schedule content updates, select Device > Dynamic Updates. Configure the Schedule for Applications and Threats updates, set the schedule Action to download-and-install, and set (optionally) the Threshold to 24 hours.
Manage New App-IDs Introduced in Content Releases. Always review the new App-IDs that a content release introduces and assess the policy impact of the newly-identified applications. In mission-critical environments, you can wait to install new applications until after reviewing their policy impact. If you cannot modify security policy before installing the latest content update, you can disable new applications in the content update and review policy impact of these applications later. If yours is a mission-critical environment, test new applications and threat content in a dedicated staging environment before enabling them in your production environment. The easiest way to test new applications and threats is to use a test firewall to tap into production traffic. Install the latest content on the test firewall and monitor the firewall as it processes the traffic copied from your production environment. You can also use test clients and a test firewall or packet captures (PCAPs) to simulate production traffic. Using PCAPs works well to simulate traffic for diverse deployments where firewall security policy varies depending on location. The firewall generates system log entries to record content update downloads and installations. Forward those systems log entries to Panorama or a monitoring service, as a proactive notification to administrators that your security policy is now enforcing new and modified applications and threat signatures.
Here are examples of system log entries that record content update installations and downloads; the entries with the description Installed contents package… indicate a content update installation, and entries with the description Content version …. Downloaded… indicate a content update download.
To get notifications when content updates are installed and downloaded, configure log forwarding based on the type of external service you use for monitoring (syslog, SNMP, or email). If you're using a SIEM to elevate important network events to your attention, you can filter system log entries based on description to get only alerts for content updates (instead of alerts for all firewall system events).

Related Documentation