topic Re: Cannot contact update server from public IP address interface in General Topics

Cannot contact update server from public IP address interface

jeremylo — Tue, 15 Jan 2019 08:56:48 GMT

After click "Check Now" in "Dynamic Updates". Show the error popup as below link

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkuCAC

The above KB not apply to my case. As I not allow my management interface to reach internet.

So I go to customize "Service Route Configuration", and set the Source Address of Service - "Palo Alto Networks Services" and "URL Updates" to be the internet facing interface which assigned a public IP address. Still now work. Although I'm not sure these 2 services is for Dynamic Updates or not.

SSH to CLI. I ping source interface public IP to host www.google.com. Result is unknown host. If change to ping the IP of www.google.com. Result is 100% lost. But webUI Traffic logs show ping allow.

That's weird since all internal users go to internet through that interface without problem. But ping source from it result in all packet lost.

Any possible reason cause this problem?

Re: Cannot contact update server from public IP address interface

Mick_Ball — Tue, 15 Jan 2019 13:45:36 GMT

"unknown host" would suggest that your DNS is not working correctly for your services.

Re: Cannot contact update server from public IP address interface

Mick_Ball — Tue, 15 Jan 2019 13:55:35 GMT

If you have your DNS set correctly in the services tab then try changing the service route to the same as your palo alto updates.

Re: Cannot contact update server from public IP address interface

Mick_Ball — Tue, 15 Jan 2019 13:57:19 GMT

To confirm: the correct service route is "Palo Alto Updates"

Re: Cannot contact update server from public IP address interface

jeremylo — Thu, 17 Jan 2019 06:52:44 GMT

Hello MickBall,

The PAN OS version is 8.0.7

Service Route has no "Palo Alto Updates".

Re: Cannot contact update server from public IP address interface

Mick_Ball — Thu, 17 Jan 2019 07:36:03 GMT

Yes, sorry the description changed in v8.

anyhows... seems like dns is not working. What is your dns address in services.

try setting it to 8.8.8.8 and changedns service route to the same as your palo alto updates.

not sure but you may need a dns policy to allow this out.

Re: Cannot contact update server from public IP address interface

jeremylo — Thu, 17 Jan 2019 08:02:59 GMT

I temporary change the service route config to "Use Management Interface for all". But still cannot ping outside.

The Management interface set as below:

IP Address: 192.168.123.123

Netmask: 255.255.255.0

Default Gateway: 192.168.123.254

Speed: auto-negotiate

MTU: 1500

Network Connectivity Services: HTTPS, Ping, SSH

Services set as below:

Primary DNS Server: 8.8.8.8

Secondary DNS Server: 8.8.4.4

Update Server: updates.paloaltonetworks.com

Security Policy set allow the source zone of management interface to destination zone internet facing interface

Monitor Traffic show source 192.168.123.123 to destination 8.8.8.8, application ping and dns are allow. Use the correct rule too.

Re: Cannot contact update server from public IP address interface

Mick_Ball — Thu, 17 Jan 2019 10:27:36 GMT

i have the following settings and it works.

custom service routes

DNS = internet interface/ip address

Updates = internet interface/ip address

it works without any additional polices because the default intranet policy is applied.

Re: Cannot contact update server from public IP address interface

gwesson — Thu, 17 Jan 2019 22:49:13 GMT

Are you applying NAT to that traffic?

If the source 192.168.123.123 is not getting the public NAT address of your interface, you won't be able to get a reply. You can test if it's got a NAT match with the CLI test command:

> test nat-policy-match protocol 6 source 192.168.123.123 destination 8.8.8.8 destination-port 443

Re: Cannot contact update server from public IP address interface

jeremylo — Fri, 18 Jan 2019 02:58:17 GMT

Manage to make it work. Require "DNS" and "Palo Alto Networks Services" set to use the outgoing interface. I didn't change "DNS" which was use "Use default" before.

Although I can successfully ping (contact) outside from the outgoing interface. I got another problem now. As my PA device has 2 outgoing interface (to 2 modem). The 1 which success is not my preference. The prefer 1 even cannot ping from outside non ping to outside. But I'm sure internal user can use it to access internet.

Re: Cannot contact update server from public IP address interface

Mick_Ball — Fri, 18 Jan 2019 10:26:33 GMT

well done Jezza, perhaps you could mark this as resolved and then log a new post for your new issue.

please include VR details and default gateways as this will help with diagnostics....