topic Palo Alto Software/Threat/AntiVirus Update Policy in General Topics

Palo Alto Software/Threat/AntiVirus Update Policy

DCN — Fri, 25 Oct 2013 10:53:32 GMT

Hi,

I am having an internet facing firewall which needs to be kept updated with the Threat/AV software.

I have configured the service route to use the correct interface for updates. However, it still cant check and download the required updates. As its evident I need to have a policy in place to allow the above traffic. I know what source to use, but can some one shed light on the destination address? Should I use "Any" with application as paloalto-updates?

Many thanks.

Re: Palo Alto Software/Threat/AntiVirus Update Policy

_slv_ — Fri, 25 Oct 2013 15:15:43 GMT

Please check what you have configured in this plase

I have IP of my untrust interfece in CRL status field.

Please log by SSH and check that you can ping from managemet interface any internet site.

As I remember to get updates after first run of my PA device I have to do check for upates few time...

Regards

Slawek

Re: Palo Alto Software/Threat/AntiVirus Update Policy

VinceM — Sun, 27 Oct 2013 15:34:56 GMT

HI,

Fro me two things:

- Or you want to use Management interface for updating your palo and this traffic go through the palo himself then, you need to create policy allowing taffic from management ip to dns named object " updates.paloaltonetworks.com" and pan-update app on Https

- Or you enable the palo update from your outside interface and in this case just keep in ming to allow traffic from your outside zone to outside zone (Traffic denied automatically as soon as you create a deny all policy).

Hope Help

Re: Palo Alto Software/Threat/AntiVirus Update Policy

DCN — Mon, 28 Oct 2013 14:21:44 GMT

Thanks for your response slv and VinceM.

I am using an outside interface for update in my case. While writing the policy I have the source as my outside interface (public IP) and destination as ANY, and applications as paloalto-updates, ssl and couple of other paloalto applications.

My question is do I have keep the destination address in policy as "ANY". I understand the IP for updates changes frequently and the actual updates are hosted at akamai servers, IP of which changes every time as well.

Regards,

Re: Palo Alto Software/Threat/AntiVirus Update Policy

SMF — Mon, 28 Oct 2013 16:06:20 GMT

The short answer is that if yet set an address you'll have to frequently change it Using the FDQN name accessed might be more helpful.

You can keep the FDQN the same as that doesn't change but the IP address would need to changed on a regular basis. Since the FDQN is common to both the firewall and the update program the addresses for the policy and the updates will be the same. While I haven't done this for the updates, I've used this approach successfully with other hosts that tended to shift their IP addresses.

Re: Palo Alto Software/Threat/AntiVirus Update Policy

DCN — Tue, 29 Oct 2013 09:49:56 GMT

Thanks SMF.

I didnt knew I can add FQDN as destination. To add that I had to create an object, thats where it gives the option of FQDN, and then added that object as destination.

Now I am able to check the updates, however downloading the updates is being denied. I assume the IP of which is not covered under the update URL.

Can you help in what subnet /URL should I include to get the download working as well.

I have allowed SSL applicaion in the policy.

Regards