topic Re: SCP Dynamic updates in Panorama Discussions

SCP Dynamic updates

MarcoMancini — Sun, 22 Dec 2024 09:17:35 GMT

Hi Community,

Our setup follows the steps outlined in the Palo Alto article: Install Updates Automatically for Panorama Without an Internet Connection.

Here’s the issue:

The Panorama with an internet connection successfully downloads updates and uploads them to the SCP server.
The Panorama without an internet connection pulls updates from the SCP server.
The application and threats update fails validation and is not pushed to the managed firewall.
The Antivirus and Wildfire updates are successfully pushed to the managed firewall.

From the logs, I see that after downloading the update, Panorama tries to reach the update server configured under Panorama → Setup → Services → Update Server on port 443 for validating the update. Of course, this fails since there is no internet connection anymore and it looks like something odd.

I set the SCP server as the update server, but how is it supposed to listen on port 443? I even tried forcing the SCP URL with :22 (e.g., scp.url:22), but it didn’t resolve the issue.

Has anyone encountered a similar issue, or could someone clarify how to properly configure the update server in this case? I tried to raise a TAC case but we are running in circle without a solution

Any suggestions would be greatly appreciated!

Re: SCP Dynamic updates

ozheng — Tue, 31 Dec 2024 07:34:58 GMT

Hello @MarcoMancini

I would advise to work it with a TAC engineer.

I mean in the TAC case you would share the TSF from the inner and the outer panorama, so the TAC engineer can review the configuration and the data.

Olivier

Re: SCP Dynamic updates

MarcoMancini — Tue, 31 Dec 2024 08:14:51 GMT

Hi @ozheng
Thanks for your suggestion. I opened a TAC case two weeks ago, but progress has been slow, so I posted here for additional input.

TAC recommended manually uploading the latest content update to the air-gapped Panorama. While this is feasible, it’s not currently possible due to the time-intensive approval process for importing external files. Honestly, I don’t fully understand the point of the manual upload in this situation.

I also suspect the issue might be with the SCP server, as I’ve read Panorama can have compatibility issues with Windows-based SCP servers in some discussions (and we have a windows SCP server). This could potentially affect the checksum, but I’m speculating since TAC support hasn’t been very helpful so far.

Marco

Re: SCP Dynamic updates

ozheng — Thu, 02 Jan 2025 01:11:40 GMT

Hello @MarcoMancini

Sorry I could not update on the post directly.

Olivier