topic Re: Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ? in General Topics https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21676#M15835 <HTML><HEAD></HEAD><BODY><P>The certificate verification messages should not cause an issue with connecting to the update server.&nbsp; We recently moved to using CDN for the actual content downloads.&nbsp; You should modify your policies controlling outbound traffic to downloads.paloaltonetworks.com in addition to updates.paloaltonetworks.com.</P><P></P><P>We are working on updating the paloalto-updates application signature to include all update related services.&nbsp; No ETA at this point but it is actively being worked on.&nbsp; Once that signature is current you can just allow that application to any destination in your security policies.</P><P></P><P>If you continue to have issues downloading I would suggest opening a support ticket so we can investigate further.</P><P></P><P>Thanks,</P><P>-- Kevin</P></BODY></HTML> Wed, 19 Dec 2012 15:59:17 GMT kfindlen 2012-12-19T15:59:17Z Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ? https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21675#M15834 <HTML><HEAD></HEAD><BODY><P>Since november we have not received any content updates from updates.paloaltonetworks.com. We changed the rules so every update server (including amazonws.com) was allowed.</P><P></P><P>Now the updates start, I see a succesful connection to updates.paloaltonetworks.com, but the job remains in download state at 0%.</P><P></P><P>When I check the ms.log it shows:</P><P></P><P><SPAN>--2012-12-19 14:04:56--&nbsp; </SPAN><A class="jive-link-external-small" href="https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate">https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate</A></P><P>Resolving updates.paloaltonetworks.com... 199.167.52.13</P><P>Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.</P><P><SPAN>WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=</SPAN><A class="jive-link-external-small" href="http://certificates.godaddy.com/repository/CN=Go">http://certificates.godaddy.com/repository/CN=Go</A><SPAN> Daddy Secure Certification Authority/serialNumber=07969287':</SPAN></P><P>&nbsp; Self-signed certificate encountered.</P><P>HTTP request sent, awaiting response... 200 OK</P><P>Length: 4149 (4.1K) [text/xml]</P><P>Saving to: `/tmp/.contentinfo.xml.tmp'</P><P></P><P>&nbsp;&nbsp;&nbsp;&nbsp; 0K&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 100% 4.91M=0.001s</P><P></P><P>2012-12-19 14:04:58 (4.91 MB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]</P><P></P><P></P><P></P><P>Does the warning about a self signed certficate prevent the updates from beig downloaded ?</P><P></P><P>The brightcloud URL update works fine.</P></BODY></HTML> Wed, 19 Dec 2012 13:11:46 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21675#M15834 seniornwb 2012-12-19T13:11:46Z Re: Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ? https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21676#M15835 <HTML><HEAD></HEAD><BODY><P>The certificate verification messages should not cause an issue with connecting to the update server.&nbsp; We recently moved to using CDN for the actual content downloads.&nbsp; You should modify your policies controlling outbound traffic to downloads.paloaltonetworks.com in addition to updates.paloaltonetworks.com.</P><P></P><P>We are working on updating the paloalto-updates application signature to include all update related services.&nbsp; No ETA at this point but it is actively being worked on.&nbsp; Once that signature is current you can just allow that application to any destination in your security policies.</P><P></P><P>If you continue to have issues downloading I would suggest opening a support ticket so we can investigate further.</P><P></P><P>Thanks,</P><P>-- Kevin</P></BODY></HTML> Wed, 19 Dec 2012 15:59:17 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21676#M15835 kfindlen 2012-12-19T15:59:17Z Re: Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ? https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21677#M15836 <HTML><HEAD></HEAD><BODY><P>Adding the downloads.paloaltonetworks.com worked fine.</P><P></P><P>Thanks for your help.</P></BODY></HTML> Thu, 20 Dec 2012 07:57:06 GMT https://live.paloaltonetworks.com/t5/general-topics/unable-to-download-updates-pan-os-4-1-9-because-of-self-signed/m-p/21677#M15836 seniornwb 2012-12-20T07:57:06Z