What happened with content version 729? (released this week)


I saw it was released, then retracted. What's the story?

At this time Palo Alto doesn't have a method to roll back dynamic updates from Panorama. This is the reason that they published content 730 to push the good content.

From support:

We updated the report for content 729 at this link https://live.paloaltonetworks.com/t5/Customer-Advisories/Incident-Report-Traffic-Disruption-with-Con...
Technical Summary and Root Cause Analysis

Content version 729 included a new threat signature that invoked certain processing engines available in PAN-OS 8.0. Threat signatures carry a "Minimum PAN-OS Version" element that dictates the software versions on which these signatures are activated. We found that the signature that caused the traffic disruption issues was incorrectly activated on PAN-OS 7.1 and it should only be activated on PAN-OS 8.0. When PAN-OS 7.1 encountered a high rate of incoming packets due to heavy load or fragmentation, the presence of this activated threat signature caused a packet buffer overflow, which caused application identification to be suspended and resulted in the firewalls dropping the affected sessions.

We are conducting a rigorous and comprehensive review of our content update QA processes and implementing longer-term corrective actions. As described in the timeline of events above, this traffic disruption issue has been resolved with the release of content version 730, which removed the threat signature that caused the affected firewalls to drop legitimate application traffic.

To prevent future issues during our content update release process, we have taken the following corrective actions:

Software development process changes are now in place to monitor all signature updates that initiate specific capabilities and code paths within PAN-OS.

Automated monitoring of variables and counters within PAN-OS, which help indicate issues with traffic processing such as buffer resources and traffic drops, is now integrated into our verification process.

Our Global Customer Support team is implementing new tools and processes to streamline internal and external communications related to content issues.
With Indeni, would an alert trigger if content update 729 remained when, say, 80% of the other firewalls were rolled back to 728, or would it only trigger an alert if it remained at 729 and most of them were at 730? (newer number vs. not the majority)
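The question above hinges on what a fleet consistency check compares against: the majority version or the newest version. The following is an added example (not Indeni's or Palo Alto's code) that shows the two rules side by side on a constructed fleet, plus a third rule that flags any firewall still on a version the vendor has retracted. The firewall names and version numbers are assumptions, and nothing here queries a real device.

```python
from collections import Counter

# Constructed sample fleet (assumption): firewall name -> installed content version.
# Four firewalls were rolled back to 728; one is still on the retracted 729.
ROLLBACK_FLEET = {
    "fw-a": 728,
    "fw-b": 728,
    "fw-c": 728,
    "fw-d": 728,
    "fw-e": 729,
}

# Constructed list of content versions the vendor pulled (assumption).
RETRACTED_VERSIONS = {729}


def majority_version(fleet):
    """Return the content version installed on the most firewalls.

    Ties are broken toward the higher version so the result is deterministic.
    """
    counts = Counter(fleet.values())
    version, _count = max(counts.items(), key=lambda kv: (kv[1], kv[0]))
    return version


def drift_from_majority(fleet):
    """Rule 1: flag every firewall whose version differs from the fleet majority.

    This is the rule that catches a single box left on 729 after the rest
    rolled back to 728.
    """
    ref = majority_version(fleet)
    return {name: v for name, v in fleet.items() if v != ref}


def drift_from_newest(fleet):
    """Rule 2: flag every firewall behind the newest version seen in the fleet.

    Under this rule a rollback looks like the majority being "out of date",
    and the straggler on the higher (retracted) version is never flagged.
    """
    newest = max(fleet.values())
    return {name: v for name, v in fleet.items() if v < newest}


def on_retracted_version(fleet, retracted):
    """Rule 3: flag firewalls still running a version the vendor withdrew,
    independent of what the rest of the fleet is doing."""
    return {name: v for name, v in fleet.items() if v in retracted}


if __name__ == "__main__":
    print("majority version:", majority_version(ROLLBACK_FLEET))
    print("drift from majority:", drift_from_majority(ROLLBACK_FLEET))
    print("drift from newest:", drift_from_newest(ROLLBACK_FLEET))
    print("on retracted version:", on_retracted_version(ROLLBACK_FLEET, RETRACTED_VERSIONS))
```

On the constructed fleet, the majority rule flags only fw-e (still on 729), while the newest rule flags the four rolled-back firewalls and stays silent about fw-e. A monitoring product that only compares against the highest version seen would therefore not alert in the 80%-rolled-back scenario; a retracted-version list, where one is available, gives an alert that does not depend on the fleet's distribution at all.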