Best Practices for Application and Threat Content Updates
Learn the best practices for keeping application and threat content signatures up-to-date seamlessly.
These best practices for deploying content updates help ensure seamless policy enforcement as new threat signatures and applications are introduced or modified in a content release. Because new application and threat signatures can change how policy is enforced, consider your network security and availability requirements as you apply the best practices:
- An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You’re primarily using the firewall for its threat prevention capabilities.
- A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero tolerance for downtime. The firewall is deployed inline to enforce security policy and, if you’re using App-ID in security policy, any content change that affects App-ID could cause downtime.
You can take a mission-critical or security-first approach to deploying content updates, or you can apply a mix of both approaches to meet the needs of the business. Follow these best practices to most effectively absorb the new application and threat signatures that are delivered to the firewall in content updates:
- Always review Content Release Notes for the list of newly identified and modified applications and threat signatures that the content release introduces. Content Release Notes also describe how the update might impact existing security policy enforcement and provide recommendations on how you can modify your security policy to best leverage what’s new. To subscribe to notifications for new content updates, visit the Palo Alto Networks Support Portal, edit your profile, and select Subscribe to Content Update Emails. You can also review Content Release Notes for apps and threats on the Palo Alto Networks Support Portal or directly in the firewall web interface: select Device > Dynamic Updates and open the Release Note for a specific content version. The Notes section of Content Release Notes highlights future updates that Palo Alto Networks has identified as possibly having a significant impact on coverage, for example new App-IDs or decoders. Check for these future updates so that you can account for any policy impact in advance of the release.
- Schedule content updates so that they download and install automatically and, based on your network security and availability requirements, set a threshold that determines the amount of time the firewall waits before installing the latest content:
- If you have a security-first posture, do not set a threshold to delay receiving the latest content update. Enable the firewall to download and install content updates as they are made available so that you are always equipped with the most up-to-date threat prevention signatures.
- If your network is mission-critical, schedule a 24-hour threshold for content updates. This 24-hour delay ensures that the firewall only installs content releases after they have been available and functioning correctly in customer environments for at least 24 hours. To mitigate any risk associated with enabling new applications and threat signatures, you can stagger the roll-out of new content. Provide the new content to locations with less business risk (for example, satellite offices with fewer users) before deploying it to locations with more business risk (such as locations with critical applications). Confining the latest content updates to certain firewalls before deploying them across your network makes it easier to troubleshoot any issues that arise. Use Panorama to push staggered schedules to different firewalls or device groups. To schedule content updates, select Device > Dynamic Updates. Configure the Schedule for Applications and Threats updates, set the schedule Action to download-and-install, and optionally set the Threshold to 24 hours.
- Manage New App-IDs Introduced in Content Releases. Always review the new App-IDs that a content release introduces and assess the policy impact of the newly identified applications. In mission-critical environments, you can wait to install new applications until after reviewing their policy impact. If you cannot modify security policy before installing the latest content update, you can disable new applications in the content update and review the policy impact of these applications later.
- If yours is a mission-critical environment, test new applications and threat content in a dedicated staging environment before enabling them in your production environment. The easiest way to test new applications and threats is to use a test firewall to tap into production traffic. Install the latest content on the test firewall and monitor the firewall as it processes the traffic copied from your production environment. You can also use test clients and a test firewall or packet captures (PCAPs) to simulate production traffic. Using PCAPs works well to simulate traffic for diverse deployments where firewall security policy varies depending on location.
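The staggered roll-out and the test-firewall approach above both depend on knowing which content version each firewall actually runs. The following is an added example, not Palo Alto Networks code: it parses constructed replies modelled on the XML API response to `show system info` (the `app-version` field name is assumed from that command's output) and flags any firewall in a higher-risk tier running content newer than the tier that should have received it first. Hostnames, tier names and version numbers are all made up for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample replies modelled on the PAN-OS XML API response to
# <show><system><info/></system></show>; only the fields this check reads are kept.
# Hostnames and version numbers are invented for the example.
def _reply(host, version):
    return ("<response status='success'><result><system>"
            f"<hostname>{host}</hostname><app-version>{version}</app-version>"
            f"<threat-version>{version}</threat-version></system></result></response>")

SAMPLE_REPLIES = {
    "fw-lab-tap": _reply("fw-lab-tap", "8000-1234"),   # test firewall tapping production traffic
    "fw-branch-1": _reply("fw-branch-1", "8000-1234"), # satellite office
    "fw-dc-1": _reply("fw-dc-1", "8000-1230"),         # critical site, trailing the roll-out: fine
    "fw-dc-2": _reply("fw-dc-2", "8000-1240"),         # critical site ahead of staging: violation
}

# Roll-out order from lowest to highest business risk, and each firewall's tier (assumed mapping).
TIERS = ["staging", "satellite", "critical"]
TIER_OF = {"fw-lab-tap": "staging", "fw-branch-1": "satellite",
           "fw-dc-1": "critical", "fw-dc-2": "critical"}

def parse_content_version(xml_text):
    """Return (hostname, app-version, threat-version) from a show-system-info reply."""
    sysinfo = ET.fromstring(xml_text).find("./result/system")
    return (sysinfo.findtext("hostname"), sysinfo.findtext("app-version"),
            sysinfo.findtext("threat-version"))

def version_key(version):
    """'8000-1234' -> (8000, 1234) so content versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("-"))

def find_rollout_violations(replies, tier_of, tiers=TIERS):
    """List (hostname, tier, app-version) for every firewall whose content is newer than the
    newest version seen in the preceding, lower-risk tier. Empty list means the order holds."""
    versions, newest_in_tier = {}, {}
    for xml_text in replies.values():
        host, app_ver, _ = parse_content_version(xml_text)
        versions[host] = app_ver
        tier = tier_of[host]
        if tier not in newest_in_tier or version_key(app_ver) > version_key(newest_in_tier[tier]):
            newest_in_tier[tier] = app_ver
    violations = []
    for host, app_ver in versions.items():
        idx = tiers.index(tier_of[host])
        if idx == 0:
            continue  # the staging tier is always allowed to run the newest content
        gate = newest_in_tier.get(tiers[idx - 1])
        # No firewall reporting from the previous tier also counts as a violation: the
        # roll-out cannot be confirmed, so treat the newer content as unvetted.
        if gate is None or version_key(app_ver) > version_key(gate):
            violations.append((host, tier_of[host], app_ver))
    return violations

if __name__ == "__main__":
    for host, tier, ver in find_rollout_violations(SAMPLE_REPLIES, TIER_OF):
        print(f"{host} ({tier}) runs {ver}, ahead of the tier that should have received it first")
```

In a real deployment the replies would come from each firewall's XML API (or from Panorama) instead of the constructed dictionary; the check itself is unchanged.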