Schedule for Dynamic Updates on Panorama does Not Override Configured Schedule on Managed Device

Symptom

The dynamic update schedule configuration ( Device > Dynamic Updates ) pushed from Panorama to the managed Palo Alto Networks firewall does not show up on the firewall. Instead, the managed device maintains the locally configured schedule for dynamic updates.

Dynamic updates scheduled time is locally configured on the managed device.

A screen shot of a computer AI-generated content may be incorrect.

Schedule for dynamic updates is configured on Panorama for the managed device.

A screenshot of a computer AI-generated content may be incorrect.

The configuration is pushed to the managed device.
The dynamic updates scheduled time "Wednesday at 01.02 (download only)" locally on managed firewall will take preference over the one pushed from panorama.

Environment

Any Panorama.
Palo Alto Firewall.
PAN-OS 7.1 and above.

Cause

Locally defined dynamic updates setting on a managed Palo Alto Networks firewall take preference over the Panorama pushed setting.

Resolution

Set the schedule time on the managed firewall for dynamic updates to None using GUI: Device > Dynamic Update > Schedule (on appropriate content) > Select the dropdown button Recurrence to None .
Commit to the firewall.
Push the Dynamic updates scheduled time configured on Panorama again. This schedule time will now be updated.

Additional Information

CLI command to set the update schedule on the firewall to None is listed below.

    > configure
    
    # delete deviceconfig system update-schedule
    
    # commit force
    
    # exit