. Got a critical alert in system log as "content update job failed for user panorama" for 5 firewall gateway. If this still does not solve the issue related to commit failures please contact support.paloaltonetworks.com for assistance with further troubleshooting." In regards to the NAT situation, if you go to Panorama > Setup > interfaces and edit your management interface, there is an option to set the public IP of the Panorama. These updates equip the firewall with the very latest security features and threat intelligence. That seem to work in our case. Edit the Telemetry settings and Select All . I checked my network and also Policies/NAT, it all looks good. Click OK and Commit to save your changes. Forward Palo Alto Networks content update alerts to the right people. Resolution Delete the expired license key : > delete license key (press tab) Select old expired license key and delete it. Set the schedule of each update type by clicking the. exiting with 255; You will see that your Firewall's licenses are not updated and expired but licenses on the support portal are up to date. Palo Alto Networks frequently publishes updates that the firewall can use to enforce security policy, without requiring you to upgrade PAN-OS software or change the firewall configuration. From the GUI, retrieve new license again from Device-->Licenses Verify you are able to fetch license now and update your threat database. Please help us how to resolve and what is the reason to got the log. To enable the firewall to collect and share telemetry data with Palo Alto Networks: Select Device Setup Telemetry . You can perform this step via the WebGUI inside Device > Dynamic Updates please check network connectivity and try again". It's like IP that firewalls will be instructed to pull updates from. Please use the 'skip-content-validty-check' if you want to force the content in Error: This error start appearing after upgrading from 9.1.11-h3 to 10.0.8-h4, have another 220 PA's that did not get this error just one palo is getting it. Palo Alto Networks also frequently publishes updates to equip the firewall with the latest security features. There is likely an app which matches this traffic, but I can't recall what it is at the moment. We can create a message list with only this message number, and then only allow messages matching the message list to be sent to the syslog server. 07-23-2021 04:49 PM. Fails to download anything from Device > Dynamic Updates and/or GlobalProtect Client When I hit "check now" in Dynamic Updates, I get the following error message: "Failed to check upgrade info due to generic communication error. Device > Setup > Services window showing the update server details. Has someone get this issue " Failed to check content upgrade due to SSL connection error"? No network issues. when I upgrade cluster firewall palo alto (active-passive) first, Both firewall running firmware version 7.1.0 and I upgrade to 8.0.0 by the way take action upgrade passive firewall first from 7.1.0 to 8.0.0 then after require reboot by system. Repeat this step for each update you want to schedule. How to Fix the 'Image File Authentication Error' To fix this problem, simply click the Check Now link at the bottom left corner. panupv2-all-contents-XXX-YYYY is to be deployed/installed on managed firewalls with a Threat Prevention license, which includes both Application and Threat Signatures. If you schedule the updates to download during the same time interval, only the first download will succeed. "If you still run into commit failures even after upgrading to content update 708, please try reverting to content update 705 and then reinstall content version 708 again. Retrieving licenses is not helpful. Stagger the update schedules because the firewall can only download one update at a time. Failed to get the content version from the image filename during validity check. Set how frequently (the Recurrence ) the firewall checks with the Palo Alto Networks update server for new Applications and Threat content releases, and on what Day and Time . I saw task the message from passive firewall "auto-commit failure" what's wrong to upgrade? First let's create an access list entry: access-list inside-access-in extended permit ip host 10.10.10.10 host 8.8.8.8 log Now let's set up our logging. Resolution When I look at the TSF I found the following : I cannot download/get downloaded software or content. Panorama and Log collectors do not need the threat database; application-only database is sufficient. Attachments updates.paloaltonetworks.com - 199.167.52.141 , commit and test. No valid Threat prevention license. Set the Action for the firewall to take when it finds and retrieves a new content release. 3 5 Select the Schedule for Applications and Threat content updates. We re-download the app+threats package from the support portal, clear all the other packages except the one that was in use restart of the management plane re-import the package to the device and install. Solution 2 - Remove updates and redownload them Removing all the content updates and re-downloading them can also solve this issue. This will force the Palo Alto Firewall to connect to the update server and refresh the list of available software images: Environment Any Panorama Content Updates. The firewall can enforce policy based on the applications and threat signatures (and more) that content updates provide, without requiring you to update the firewall configuration. Failed to update content with following message: encfilesize is 53418544 No threat content update is applied. Schedule each content update.