Palo Alto Threat Content Update Process
Purpose
This runbook describes how Palo Alto Threat Content updates are detected, pinned, promoted across environments, and installed by automation.
Scope
Applies to Hub Infra firewalls managed by Terraform and Ansible in the hmcts/hub-terraform-infra repository.
This process applies to both CNP and SDS hub firewalls.
Prerequisites
- Access to hmcts/hub-terraform-infra
- Access to the Terraform pipeline used for Hub Infra firewall changes
- Access to pipeline logs for Terraform and Ansible stages
- Understanding of environment promotion order and CAB/change controls
High-Level Flow
- Detect latest Threat Content release from PAN-OS update feed.
- Propose or update pinned version in environment tfvars.
- Promote in stages:
sbox-intis applied right awaynonprodiis applied 1 week laterprod-intis applied 3 weeks afternonprodi
- Terraform apply triggers Ansible.
- Ansible validates target version and package, then installs if needed.
- Ansible skips install if current version already matches the pin.
Key Repository Components
Detection and promotion scripts
scripts/pan-threat-content/check_and_pr.pyscripts/pan-threat-content/rollout_promote.py
Environment pins
environments/hub_infra-sbox-int.tfvarsenvironments/hub_infra-nonprodi.tfvarsenvironments/hub_infra-prod-int.tfvars
Ansible install logic
components/modules/palo-alto/ansible/roles/palo/tasks/main.yml
Detailed Process
1. Detect latest available content
check_and_pr.pyqueries PAN-OS update information.- Latest version is selected by release timestamp, not only numeric ordering.
- A pull request is raised or updated with tfvars changes for the next environment in the rollout. Example ### 2. Pin target version in tfvars
pan_threat_content_versioncontrols the desired content package.- Example format:
9122-10145. - Pinning is environment-specific to support staged rollout.
3. Terraform apply and Ansible execution
Terraform runs remote Ansible tasks for firewall management.
When pinning is enabled, Ansible:
1. Reads update information and parses available versions and package files.
2. Confirms the pinned version is advertised.
3. Resolves package filename and appends .tgz.
4. Reads currently installed app-version from show system info.
5. Installs only when current version differs from the pin.
4. Install method used
- Direct
install version <explicit>is not used for this platform build. - Automation uses XML op install by package file:
<file>panupv2-all-contents-<version>.tgz</file>
CNP and SDS Operational Model
The same staged promotion model and operational checks apply to both CNP and SDS hub environments.
Use environment-specific tfvars and pipeline targets, but maintain the same controls: - Promote only after successful validation in the current stage. - Respect soak windows before downstream promotion. - Hold rollout when risk signals indicate elevated change risk.
PlatOps Inputs and Responsibilities
Required PlatOps inputs
- Approve and merge rollout pull requests for each environment stage.
- Confirm rollout timings are respected:
sbox-intis applied immediatelynonprodiis applied 1 week aftersbox-intprod-intis applied 3 weeks afternonprodi
- Decide go/no-go if threat intelligence or change risk requires a hold.
- Trigger or approve Terraform apply where operational controls require a manual gate.
Operational checks by PlatOps
- Confirm pipeline completed without Ansible validation or install errors.
- Review logs for:
- parsed available package files
- resolved
pan_threat_content_target_file - install payload and result status
- Verify post-change installed version on firewalls where required by policy.
When PlatOps intervention is required
- Pinned version is not advertised by firewall update feed.
- Package filename cannot be resolved to
.tgz. - Current app-version cannot be parsed from
show system infooutput. - PAN-OS API returns invalid XML or install command errors.
- Emergency rollback or rollout freeze is needed.
Failure Handling
- Do not promote to next environment until current stage is healthy.
- Keep current stable pin in downstream environments.
- Open an incident or ticket with:
- pipeline run link
- failing task name
- PAN-OS/API error payload
- affected environment and firewall IPs
- If needed, set or restore previous known-good
pan_threat_content_versionand re-apply.
Rollback Approach
- Update environment tfvars pin back to the last known-good version.
- Run Terraform apply to execute Ansible install for that pinned package.
- Validate version and health checks before resuming staged promotion.
Verification
- Confirm merged tfvars shows expected
pan_threat_content_versionfor target environment. - Confirm Terraform apply succeeded and Ansible tasks passed.
- Confirm logs show target package file resolved and install result success (or explicit skip due to matching installed version).
- Confirm firewall reported app-version matches pinned version after apply.
Notes
- Successful detection of a newer release does not imply immediate promotion to all environments.
- Staged rollout and soak windows are the primary risk controls.
- Keep this process aligned with CAB/change-management requirements.