How to Perform Updates when Management Interface does not have Public IP and Untrust Interface is configured as DHCP client.


90434
Created On 09/26/18 13:48 PM - Last Modified 06/15/23 21:34 PM


Environment


  • Palo Alto Networks firewall
  • PAN-OS 8.1 and above
  • Management interface configured with a private IP address
  • Untrust interface configured as a DHCP client


Resolution


Overview

This document explains how to perform updates when the management interface does not have a public IP address and the untrust interface receives its IP address as a DHCP client. If the management interface does not have internet access, configure a service route so that dynamic updates and software upgrades are sourced from a data-plane interface instead. This is the typical situation during initial deployment: the management interface cannot reach the internet, and one of the data-plane interfaces is configured as a DHCP client.
[Image: DHCP client.PNG]

To configure a service route and perform upgrades, configure a loopback interface with a static IP address in a trust zone. Service routes accept only static IP addresses as their source, so the DHCP-assigned address of the untrust interface cannot be used directly.

[Image: loopback.PNG]

Once the loopback interface is configured, configure a service route pointing to the loopback interface. Go to Device > Services > Service Route Configuration.

[Image: service-route.PNG]


After committing, go to Device > Software (or Device > Dynamic Updates) and click Check Now. The Palo Alto Networks firewall should now be able to reach the update server, updates.paloaltonetworks.com.

The connections to the update server should be visible in the traffic logs.

[Image: trafficlog.PNG]

Note: A security policy that allows the traffic from the loopback interface's zone to the untrust zone, and a source NAT policy that translates the loopback address to the untrust interface address, must both be in place.
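As an added check that is not part of this article or of any Palo Alto Networks tooling, the following Python script reads an exported PAN-OS configuration and verifies the three prerequisites described above before Check Now is run: the update service route must be sourced from a loopback interface holding a static address rather than from the DHCP-client untrust interface, a security policy must allow that source from the loopback's zone to the untrust zone, and a source NAT policy must translate it to the untrust interface address. The embedded XML is a constructed, trimmed sample modelled on the PAN-OS configuration layout; the element paths, the service name paloalto-updates, and the interface, zone and rule names are assumptions, not values taken from the article.

```python
"""Pre-commit prerequisite check for the loopback service-route setup.
Added example, not firewall tooling. Element paths and names below are
assumptions modelled on the PAN-OS config layout."""
import xml.etree.ElementTree as ET

DEV = "./devices/entry"        # assumed: single device entry
VSYS = DEV + "/vsys/entry"     # assumed: single vsys

# Constructed sample: loopback.1 (static) in zone trust, ethernet1/1 (DHCP) in untrust.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<deviceconfig><system><route><service>
 <entry name="paloalto-updates"><source>
  <interface>loopback.1</interface><address>10.10.10.1/32</address></source></entry>
</service></route></system></deviceconfig>
<network><interface>
 <ethernet><entry name="ethernet1/1"><layer3><dhcp-client><enable>yes</enable>
  </dhcp-client></layer3></entry></ethernet>
 <loopback><units><entry name="loopback.1"><ip><entry name="10.10.10.1/32"/></ip>
  </entry></units></loopback>
</interface></network>
<vsys><entry name="vsys1">
 <zone>
  <entry name="trust"><network><layer3><member>loopback.1</member></layer3></network></entry>
  <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
 </zone>
 <rulebase>
  <security><rules><entry name="allow-updates">
   <from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>10.10.10.1</member></source><destination><member>any</member></destination>
   <action>allow</action></entry></rules></security>
  <nat><rules><entry name="snat-updates">
   <from><member>trust</member></from><to><member>untrust</member></to>
   <source><member>10.10.10.1</member></source>
   <source-translation><dynamic-ip-and-port><interface-address>
    <interface>ethernet1/1</interface></interface-address></dynamic-ip-and-port>
   </source-translation></entry></rules></nat>
 </rulebase>
</entry></vsys>
</entry></devices></config>"""


def _members(node, tag):
    return [m.text for m in node.findall(f"{tag}/member")]


def _matches(node, tag, value):
    # Simplified matcher: literal values and "any" only (no address objects or groups).
    members = _members(node, tag)
    return value in members or "any" in members


def zone_of(root, ifname):
    """Return the zone an interface belongs to, or None."""
    for z in root.findall(VSYS + "/zone/entry"):
        if ifname in _members(z, "network/layer3"):
            return z.get("name")
    return None


def check_service_route(root, service="paloalto-updates"):
    """(ok, reason): the route must be sourced from a loopback holding a static address."""
    route = root.find(f"{DEV}/deviceconfig/system/route/service/entry[@name='{service}']")
    if route is None:
        return False, f"no service route configured for {service}"
    ifname, addr = route.findtext("source/interface"), route.findtext("source/address")
    dhcp = root.findtext(f"{DEV}/network/interface/ethernet/entry[@name='{ifname}']"
                         "/layer3/dhcp-client/enable")
    if dhcp == "yes":
        return False, f"{ifname} is a DHCP client; service routes need a static address"
    static_ips = [e.get("name") for e in root.findall(
        f"{DEV}/network/interface/loopback/units/entry[@name='{ifname}']/ip/entry")]
    if addr not in static_ips:
        return False, f"{addr} is not a static address on loopback {ifname}"
    return True, f"{service} sourced from {ifname} ({addr})"


def check_security_policy(root, src_ip, from_zone, to_zone):
    """(ok, reason): some allow rule must match src_ip from from_zone to to_zone."""
    for r in root.findall(VSYS + "/rulebase/security/rules/entry"):
        if (_matches(r, "from", from_zone) and _matches(r, "to", to_zone)
                and _matches(r, "source", src_ip) and r.findtext("action") == "allow"):
            return True, f"security rule '{r.get('name')}' allows {src_ip} {from_zone}->{to_zone}"
    return False, f"no security rule allows {src_ip} from {from_zone} to {to_zone}"


def check_source_nat(root, src_ip, from_zone, to_zone, egress_if):
    """(ok, reason): a NAT rule must translate src_ip to the egress interface address."""
    path = "source-translation/dynamic-ip-and-port/interface-address/interface"
    for r in root.findall(VSYS + "/rulebase/nat/rules/entry"):
        if (_matches(r, "from", from_zone) and _matches(r, "to", to_zone)
                and _matches(r, "source", src_ip) and r.findtext(path) == egress_if):
            return True, f"NAT rule '{r.get('name')}' translates {src_ip} to {egress_if} address"
    return False, f"no source NAT rule translating {src_ip} to the {egress_if} address"


def run_checks(xml_text, service="paloalto-updates", untrust_if="ethernet1/1"):
    """Run all three prerequisite checks; returns {check_name: (ok, reason)}."""
    root = ET.fromstring(xml_text)
    route = root.find(f"{DEV}/deviceconfig/system/route/service/entry[@name='{service}']")
    ifname = route.findtext("source/interface") if route is not None else None
    src_ip = (route.findtext("source/address") or "").split("/")[0] if route is not None else ""
    from_zone, to_zone = zone_of(root, ifname), zone_of(root, untrust_if)
    return {
        "service_route": check_service_route(root, service),
        "security_policy": check_security_policy(root, src_ip, from_zone, to_zone),
        "source_nat": check_source_nat(root, src_ip, from_zone, to_zone, untrust_if),
    }


if __name__ == "__main__":
    for name, (ok, reason) in run_checks(SAMPLE_CONFIG).items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {reason}")
```

Pass the XML text of a configuration export to run_checks instead of SAMPLE_CONFIG to check a real device. The policy matcher deliberately understands only literal addresses and "any"; a rule that references address objects or groups must be reviewed by hand.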



