Software Version Mismatch Cluster Members. Palo Alto Networks Alert Guide

This is a sample from our indeni alert guide for Palo Alto Networks Firewall.

Did you know?

As part of the normal operation of your Palo Alto Networks firewall, it updates the anti-virus, application identification and threat databases. In a cluster, this is done for each member separately on their own schedule. As a result, the databases may be different at certain times.

This, in itself, is not a problem. The problem arises when one member updates regularly while the other doesn't update at all, as described in DOC-5592. One way to identify that this is happening is to look at the High Availability widget in the firewall's dashboard. If you don't have the widget, add it using the Widgets button.

Interestingly, there is an SNMP trap that is sent when this issue occurs. However, it is extremely noisy and appears even when everything is OK, as the comments on the DOC linked above show.

At indeni, we believe alert fatigue is a real danger, as it causes you to ignore what really matters. Therefore, we've added the ability to be alerted only when the discrepancy has persisted for more than 30 minutes, as described below.

This is how the alert looks in indeni:

Description:

This device has software bundles at versions that differ from other members of the cluster. To ensure optimal operation of the cluster, as well as cluster synchronization and fail-over (if used), these must be the same.

Mismatching software versions:

  • app-version
    app-version is at version 489-2600 on this device while the other device is at 490-2616.
  • av-version
    av-version is at version 1502-1977 on this device while the other device is at 1505-1980.
  • threat-version
    threat-version is at version 489-2600 on this device while the other device is at 490-2616.

Manual Remediation Steps:

Acquire and update the software bundles to resolve this discrepancy. For more information, read DOC-5592. Note that indeni waits 30 minutes before alerting, to ensure the update on the second member really was not successful, rather than delayed (as discussed in the DOC).

How does this alert work?

indeni runs hundreds of checks, 24/7/365, on the versions of the different software and update packages in your environment to identify discrepancies such as this one.
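As an added illustration of the comparison and 30-minute hold-down described on this page (example code written for this page, not indeni's own check or Palo Alto Networks code), the script below parses the content-version lines of two HA members, flags the bundles that differ, and only raises an alert once a mismatch has persisted for the grace period. The two sample text blocks are constructed: they imitate the version lines of `show system info` (assumed format), the key names are the ones quoted in the alert above, and the values are made up. The `MismatchTracker` class, `GRACE_PERIOD` constant and all function names are this example's own.

```python
"""Cluster content-version discrepancy check with a 30-minute hold-down.

Constructed example for this page. The two text blocks below imitate the
relevant lines of `show system info` on two HA members (assumed format);
the key names match the alert text, the version values are made up.
"""
from datetime import datetime, timedelta

GRACE_PERIOD = timedelta(minutes=30)  # the hold-down described in the alert
BUNDLES = ("app-version", "av-version", "threat-version")

# Constructed sample output, not captured from a real device.
SAMPLE_LOCAL = """hostname: fw-a
app-version: 489-2600
av-version: 1502-1977
threat-version: 489-2600
"""
SAMPLE_PEER = """hostname: fw-b
app-version: 490-2616
av-version: 1505-1980
threat-version: 490-2616
"""


def parse_versions(text):
    """Return {bundle: version-string} for the bundles we care about."""
    versions = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in BUNDLES:
            versions[key.strip()] = value.strip()
    return versions


def version_key(version):
    """'489-2600' -> (489, 2600): compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("-"))


def find_mismatches(local, peer):
    """Return [(bundle, local_version, peer_version)] for every bundle that differs.

    A bundle missing from either member cannot be compared and is flagged too.
    """
    mismatches = []
    for bundle in BUNDLES:
        mine, theirs = local.get(bundle), peer.get(bundle)
        if mine is None or theirs is None:
            mismatches.append((bundle, mine, theirs))
        elif version_key(mine) != version_key(theirs):
            mismatches.append((bundle, mine, theirs))
    return mismatches


class MismatchTracker:
    """Remember when each bundle first diverged and alert only after it has
    stayed diverged for the whole grace period (a delayed update clears it)."""

    def __init__(self, grace=GRACE_PERIOD):
        self.grace = grace
        self.first_seen = {}  # bundle -> datetime the mismatch was first observed

    def evaluate(self, local, peer, now):
        current = {b: (m, t) for b, m, t in find_mismatches(local, peer)}
        # Forget bundles that have converged again: the second member caught up.
        for bundle in list(self.first_seen):
            if bundle not in current:
                del self.first_seen[bundle]
        alerts = []
        for bundle, (mine, theirs) in current.items():
            started = self.first_seen.setdefault(bundle, now)
            if now - started >= self.grace:
                alerts.append(
                    f"{bundle} is at version {mine} on this device "
                    f"while the other device is at {theirs}."
                )
        return alerts


if __name__ == "__main__":
    tracker = MismatchTracker()
    t0 = datetime(2015, 6, 1, 12, 0)
    local, peer = parse_versions(SAMPLE_LOCAL), parse_versions(SAMPLE_PEER)
    print(tracker.evaluate(local, peer, t0))                          # [] : inside the grace period
    print(tracker.evaluate(local, peer, t0 + timedelta(minutes=31)))  # three alert lines
```

The two-part version strings are compared as integer pairs, so "1502-1977" and "490-2616"-style values are ordered correctly rather than lexically, and a bundle that one member does not report at all is treated as a mismatch rather than silently skipped. Each poll re-derives the set of mismatching bundles, so a member that was merely slow to update drops out of the tracker before the 30 minutes elapse and never produces an alert.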
