topic Re: Palo Alto - Dynamic Updates in General Topics

Palo Alto - Dynamic Updates

kev91234 — Thu, 18 Apr 2019 10:34:12 GMT

Hi I'm new to Palo Alto alto. but my company have several diffrent versions of Palo alto firewalls, some with direct support via palo alto PA-3050 where i have access to download the Dynaic updates directly. Plus some that we have support through a reseller that they need to download the updates and send to us as the firewalls don't have access to the internet.

I wanted to know if the Anitirus and threat protection uptades that i can download from PA directly registerd against the PA-3050 can be used on a PA-820 and a PA-220 or do i have to get the reseller to download then and pass them to me every time.

Re: Palo Alto - Dynamic Updates

reaper — Thu, 18 Apr 2019 11:12:54 GMT

Are the devices that have no internet set up like that intentionally (for security), as _all_ devices (with a valid license) are able to download updates directly from us

If the management interface needs to be OOB for security reasons, but there are dataplane interfaces connected to the internet, you can set up service routes so they are able to download updates without the mgmt interface needing to be connected

That said, the installer packages are identical among all firewall models, so you only need to download them once and can be installed on all firewalls with one limmitation: the licenses need to match the package

Re: Palo Alto - Dynamic Updates

kev91234 — Thu, 18 Apr 2019 11:45:12 GMT

@reaper wrote:
Are the devices that have no internet set up like that intentionally (for security), as _all_ devices (with a valid license) are able to download updates directly from us

If the management interface needs to be OOB for security reasons, but there are dataplane interfaces connected to the internet, you can set up service routes so they are able to download updates without the mgmt interface needing to be connected

That said, the installer packages are identical among all firewall models, so you only need to download them once and can be installed on all firewalls with one limmitation: the licenses need to match the package

Hi @reaper thank you that is a great help yes we have the management OOB, i was wondering if We were to allow the updates for Anitvirus and and Application and threats . How would i go about creating rules to protect access through that service route. Or is the fact of creating the service group only allow traffic from the firewall out to palo alto networks only for the updates and all other traffic is dropped.

Re: Palo Alto - Dynamic Updates

reaper — Thu, 18 Apr 2019 12:11:46 GMT

check out the link under 'service route' 🙂

the service route grabs a specific service and pushes it down the backplane to the dataplane, there it is sent out the interface it is set to, following the routing table on the dataplane

ie. -if the service route is connected to the external interface, connections will go directly to the default gateway onto the internet

-if the service route is connected on the LAN interface, the session will look for the appropriate route, go through the firewall and will be fully inspected before egressing out to the internet (this is the preferred method)

This can be configured for each individual (dns, ntp, updates, wildfire, software, ...) service the management plane needs, so only the ones you truly need will go out onto the internet

Re: Palo Alto - Dynamic Updates

jeremy.larsen — Thu, 18 Apr 2019 14:38:14 GMT

Alternative solution,

Purchase Panorama and push everything from it. This way your firewalls don't need any internet connection what-so-ever. You can automate all updates centrally from Panorama.