topic Upgrade Logs in General Topics

Upgrade Logs

mk245v — Wed, 11 Sep 2019 06:55:31 GMT

I am trying to capture all the logs related to any upgrade and downgrade. I understand the firewalls download the firmware from updates.paloaltonetworks.com. This then points to the nearest PA Server to download the code from the CND infrastructure.

My requirement is to have a log generated indicating the "EXACT" URL the firewall/panorama would use to download the request code.

How can I accomplish this?

Re: Upgrade Logs

BatD — Wed, 11 Sep 2019 07:22:16 GMT

@mk245v By default, the firewall will use “updates.paloaltonetworks.com” for software updates and licensing. You are right that this will point to nearest server, but it is done by resolving the URL to the nearest server IP. The actual URL will not change.

Re: Upgrade Logs

mk245v — Wed, 11 Sep 2019 08:19:53 GMT

Thanks but i would want a log to be generated something on the lines

"Downloading http://nearest.paserver.cdn.com/8.0/8.1.2.gz"

Re: Upgrade Logs

BatD — Wed, 11 Sep 2019 09:25:54 GMT

@mk245v Sorry, did not quite get what you are trying to do. I will not ask why do you need it, but it is interesting question and it can be done.

As the traffic to the update servers is encrypted, normally in your logs you only see https traffic to “updates.paloaltonetworks.com”. To log what is happening in the session, including the detailed URL information, you need to enable SSL decryption on the traffic from the firewall to the update servers.

Some of the Palo Alto update services are excluded from decryption, however updates.paloaltonetworks.com is not. You will need to disable “Verify Update Server Identity” and ensure that your decryption certificate is also “Trusted Root CA Certificate”

I tested it on my lab device and it works ok. You do not see the exact file name in the URL logs, but this is how the application works. I could capture the full session to the updates server, including the URL the firewall connects to, etc .

Re: Upgrade Logs

MP18 — Wed, 11 Sep 2019 16:38:34 GMT

Can you please share the traffic info on the updates server conenction?

Re: Upgrade Logs

mk245v — Thu, 12 Sep 2019 01:41:30 GMT

Let me be specific. We manage about 100(ish) firewalls via Panorama. These are in different geographies. Hence we do not use the code from Panorama and depend on the nearest code for the firewalls to download. I am writing a shell/python script that will corelate these downloads for some custom reporting to my mgmt. Hence the need of the "specific" URL. I need to work within some limitations and not allowed to modify much.

Re: Upgrade Logs

BatD — Thu, 12 Sep 2019 06:27:50 GMT

@mk245v If you want something that specific and you trying to reverse engineer it, maybe the best will be to address your local Palo Alto SE, who may be able to give you more inside information of how the upgrade process works.

My guess is that Palo Aro are probably using AWS to host the update with technologies like CloudFront to manage the content delivery, so the download IPs and the file paths will be constantly changing.