Best Practices for Deploying Content Updates

If you own Palo Alto Networks Next-Generation Firewalls and manage software updates, including Dynamic Updates, learn best practices and recommendations to ensure smooth deployment of weekly content from Palo Alto Networks.

Question: How do I apply best practices based on the size or nature of my organization?

Scenario 1: I have mission critical applications but no staging or test environment

We recommend that you use the "Threshold" capability to have a delayed rollout of Content Updates. To do this, configure each firewall to download and install Content Releases automatically with a delayed timer.

This can be configured under Device-> Dynamic Updates -> Application and Threat Updates -> Schedule

We recommend a value of 24 hours or more if you have mission critical applications in your environment.

In case you cannot delay the content install by 24 hours or more we recommend that you use a staggered approach to installing content on locations that have fewer users. You can install content automatically on less critical locations and/or environments with fewer users, but you should use the "threshold" option for other locations that have more users or have more critical applications or IT infrastructure.

Scenario 2: I have mission critical applications and I have the resources to create a dedicated staging or test environment

You would like to test the impact of the modified and new App-ID’s on your network extensively before installing the Content Release and making security rule updates in your production environment. Follow these steps.

As a first step, of course, study the Release Notes to understand the changes.

The second step is to see the impact of these changes on your network traffic. To do this, you need a staging environment where you can test the changes without affecting production traffic. There are two options to create a staging environment.

Option 1: Use test clients to simulate production traffic in your staging environment

The staging environment must at least contain all critical applications so that you can run the new Content Release and understand the impact on those critical applications. To do this, set up the environment, perform tests and analyze the results as follows.

Set up the environment

Set up a test firewall (this can be hardware or virtual firewall). This must mimic the configuration of your production firewall. To do this, export the configuration on your production firewall, and import it on your test firewall. Follow the backup and restore functionality described under Manage Configuration Backups in the PAN-OS Administrator’s Guide.
Set up test clients (these can also be physical clients or virtual machines). These must mimic the configuration of your actual clients. Install the necessary operating system and applications that your clients use. Alternatively, you can use existing clients in your lab or development environments.

Route all the test clients’ network traffic through the test firewall.

Capture the traffic pattern using a custom report as shown in the screenshot below. This report captures the number of sessions for each application under each security rule. In this report, we have limited our view to the test clients’ traffic using a subnet filter on the address source. Run the report and save the results. For more information on how to set up, run and save reports, consult the Manage Reporting section in the PAN-OS Administrator’s Guide.

Now install the new Content Release on the test firewall. If needed, make any changes in your security rules based on the recommendations in the Release Notes.

Once again route all the test clients’ network traffic through the test firewall. Run the custom report again.

Analyze the results

Compare the custom report before and after installing the new Content Release. If the traffic pattern is the same, you have completed this step successfully. Refer to the section below titled “Installing and configuring the new Content Release in your production environment”.

If the traffic patterns are different, you have some work to do. Refer to the Release Notes for the new Content Release once again. Using the information on the Release Notes and the logs on the test firewall, figure out why the traffic patterns are different. For example, the new App-IDs are now classifying traffic differently, so do you need to insert new security rules containing the new App-IDs and allow that traffic? You may need to make changes to the security rules on your test firewall a few times and rerun the tests until one of the following happens:

Either the traffic pattern matches the pattern before the new Content Release was installed, or
You are satisfied that the changed traffic pattern is what you want.

An example of the latter scenario is that you decide to block consumer Office 365 traffic after installing the new Content Release.

Option 2: Use packet captures (PCAPs) to simulate production traffic in your staging environment

This option is suitable for diverse deployments where firewall policy varies by location. Due to diverse traffic profiles, it is difficult to configure a few clients to mimic the entire set of applications in use across the organization. Follow these steps.

Set up the environment

At each important location, take packet captures (PCAPs) during peak hours. If you want to take packet captures on the Palo Alto Networks next-generation firewall, consult the section Take Packet Captures in the PAN-OS Administrator’s Guide.
Set up the test firewall to mimic your production firewall configuration as described in the previous section. Since the firewall configuration at each location might be different, you can use different security zones on the test firewall to represent the firewall configuration at each location. For more information, refer to Segment Your Network Using Interfaces and Zones in the PAN-OS Administrator’s Guide.

Test as described under Option 1, with the difference that the traffic must be sent to the firewall using PCAPs instead of using the test clients. Create custom reports to capture the traffic pattern, again as described under Option 1.

Analyze the results

Again, follow the steps described under Option 1.

Now that you have tested the traffic in a test environment and are satisfied with the results, you are ready to deploy the new Content Release in your production environment.

Scenario 3: You have a small number of App-ID policies, and a small organization

You probably do not need an extensive preparation or testing phase. We recommend the following:

Study the Release Notes to understand the changes.
Before installing a content release, review the policy impact for new App-IDs and stage any necessary policy updates. This enables you to assess the treatment an application receives both before and after the new content is installed and then prepare any related policy updates to take effect at the same time that the Content Release is installed. To do this, use the feature called Policy Impact Review for New Content Releases, which was introduced in PAN-OS 7.0. This feature includes the capability to modify existing security policies using pending App-IDs. Pending App-IDs are application signatures contained in a downloaded Content Release (prior to installing the new content). Follow the PAN-OS Administrator’s Guide to use this feature: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/app-id/manage-new-app-ids-introduced-in-content-releases

Question: How do I know what’s in each Content Release?

There are 3 ways to view what’s in each Content Release.

1. Get notified via email

Visit https://support.paloaltonetworks.com
Sign In or Sign Up
Click your username > Edit Profile
Check the box next to Subscribe to Content Update Emails. See Figure 1 below.
You will now receive emails whenever new Content Updates are released.

2. Read the Release Notes on the Support Portal

Visit the Content Release (Dynamic Updates) Release Notes on the Palo Alto Networks Support Portal: https://support.paloaltonetworks.com/Updates/DynamicUpdates/
Sign In or Sign Up
Click Release Notes for the Content Release version you need, as shown in Figure 2 below.

3. Read the Release Notes on your PAN-OS management interface

Log in to your PAN-OS management interface.
Go to Device > Dynamic Updates.
Click Release Notes under Documentation as shown in Figure 3 below.

Question: I see the Release Notes. How do I make sense of them?

Release Notes are organized into the following sections.

Notes

This section includes general notes about the release, for example, the types of App-IDs introduced in this Content Release.

In addition, it also lists changes that may impact your existing policies, for example, new URL filtering categories. For such changes, it provides recommended policy modifications to take advantage of the changes.

New Applications (n)

What is a new Application? This section shows the new App-IDs introduced in this Content Release, ‘n’ being the number of new App-IDs.The column Depends On may need some explanation, and the best way to explain it is to use an example. The new App-ID slack-file-transfer depends on the existing App-ID slack . This means the App-ID slack must be enabled for the new App-ID to work. This information can be helpful in troubleshooting if the new App-ID is not working for some reason.The column Previously Identified As shows how the application was identified before this Content Release. Lets take another example here. For instance, before this content release any traffic for 8x8 was identified as a mix of web-browsing, ssl,rtmpt,sip,jabber and rtmp .
What does this mean for you? Staying with the last example, with the new content update the traffic will be identified as 8x8 instead of web-browsing, ssl and so on. And if you do not have a security rule for 8x8 , this traffic may get blocked based on your Default Deny rule. So add the new App-ID for 8x8 to your security rules to avoid any disruption for this application traffic. PAN-OS 7.0 introduced the "Content Update Control" feature to help customers manage new App-IDs. More details on this feature can be found at: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/app-id/manage-new-app-ids-introduced-in-content-releases

Modified Applications (n)

What is a modified application? A modified application is an App-ID signature that has been improved for accuracy. Such a change can be done for many reasons such as functionality change, a new version, or enhanced coverage across different platforms.
What does it mean for you? The consequences depend on your use case for the application and the extent of the modification. In many cases, the modification has no impact on network traffic because the changes impact other versions of the application, operating environments that are not in use, or application functions that have not been deployed widely. If the modified App-ID introduced significant coverage improvements, the application may be recognized as a different App-ID when compared to the previous content release. In the majority of such cases, application coverage is improved by separating application traffic out from the parent application of the modified App-ID. An example of this is with the SOAP application shown in the modified applications section of Figure 4. The parent application of SOAP, or the application it “Depends On,” is web-browsing, which is the App-ID to which most SOAP traffic was attributed prior to content version 545. As a result, the SOAP App-ID should be evaluated against web-browsing policies that impact critical services in the network. Use the same process when a critical application is modified by a content update. In many cases, this policy update process can be greatly simplified by using application groups that permit the updating of many security rules with a single configuration change.

Modified Decoders (n)

What is a new decoder? Decoders are common infrastructure elements that are used for App-ID based traffic classification as well as for threat signature matching. This section shows the decoders that have been modified in this Content Release, ‘n’ being the number of modified decoders.
What does this mean for you? This information is informational. Often App-IDs get changed because a change was required in an IPS signature, because App-ID and IPS signatures share a common infrastructure.

Question: How do I get early visibility into upcoming Content Releases, so that I can plan better?

In collaboration with our customers, we have adopted a policy of early notification for Content Release updates that may require a change to your security policy. This may happen when an App-ID’s dependencies change, or when a signature enhancement results in a significant change in coverage. Such updates are necessary to keep pace with the fast-changing applications and application functions.

To give you an insider peek into our processes, we hold a weekly internal review where any significant App-ID changes are scrutinized to determine if they meet the above criteria for early notification. If the answer is yes, we describe the upcoming change in two fora – the Release Notes and the Palo Alto Networks Live Community. For exceptionally significant changes, we also add placeholder App-IDs and decoders 4 weeks in advance of the actual change. This allows you to add these placeholders in your security rules ahead of the change.

Notes section of the release Notes

The Notes section of the Release Notes mentions such future updates. We also provide guidance about the action required on your firewall configuration. Here is an example of such an early notification, included for Content Release 597, on Jul 8, 2016. Since we considered this an exceptionally significant change, we not only described the upcoming change but also included placeholder App-IDs and decoders.

This content update includes the placeholder App-IDs ("office365-enterprise-access" & "office365-consumer-access") and placeholder decode context "http-req-ms-subdomain" for pattern match under custom application signatures. As of this update, these App-IDs and the decode context are strictly provided as a placeholder to aid policy migration, and will not affect any existing App-ID policies.

Palo Alto Networks strongly encourages customers to follow the FAQ on the Palo Alto Networks community at https://live.paloaltonetworks.com/t5/Management-Articles/FAQ-Office-365-Access-Control/ta-p/94949 to learn more about this change and its impact on existing firewall policies.

The week of August 29th, 2016, Palo Alto Networks plans to functionally enable these App-IDs and the decode context, intended to augment existing Office 365 App-ID capabilities, by providing access control for Microsoft Office 365.

Palo Alto Networks Live Community

The Palo Alto Networks Live Community contains frequently asked questions, videos and articles with use case examples. This helps you understand the configuration changes that might be required on your Palo Alto Networks next-generation firewall. Here is an example of one such notification:

Since the Live Community is interactive, it allows you to post comments and ask questions of other customers and Palo Alto Networks employees.

Question: What if things still go wrong?

You followed the best practices, but due to an error, or something that was overlooked, or incorrect analysis of the staging environment test results, production traffic gets allowed or blocked in unintended ways.

In such an unlikely event, especially if business-critical traffic is being blocked and time is of the essence, go to the PAN-OS management interface, and navigate to Device > Dynamic Updates > Revert, as shown in the screenshot below. Clicking the Revert link will revert to the previously installed version.

References

Technical documentation
Palo Alto Networks Support Portal
Palo Alto Networks Live Community