https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346222#M86477 <P>if you've upgraded to 9.1 or later, you can leverage the palo alto tag in an application filter to dynamically allow all connections needed by your firewalls.</P><P>using this filter in a security rule will allow outbound connections and if ever a new service is added, or an existing one is changed, the filter will account for these automatically</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-01_13-00-06.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27579iA8B70FC495635D16/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-09-01_13-00-06.jpg" alt="2020-09-01_13-00-06.jpg" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-01_13-04-53.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27580iB10B6CD29DC1AD63/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-09-01_13-04-53.jpg" alt="2020-09-01_13-04-53.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Sep 2020 11:07:29 GMT reaper 2020-09-01T11:07:29Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346185#M86467 <P>Hi, anyone can advise how to configure the firewall rule for palo alto to update its contents? Thanks in advance.&nbsp;</P><P>&nbsp;</P> Tue, 01 Sep 2020 06:24:09 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346185#M86467 herman2018 2020-09-01T06:24:09Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346222#M86477 <P>if you've upgraded to 9.1 or later, you can leverage the palo alto tag in an application filter to dynamically allow all connections needed by your firewalls.</P><P>using this filter in a security rule will allow outbound connections and if ever a new service is added, or an existing one is changed, the filter will account for these automatically</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-01_13-00-06.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27579iA8B70FC495635D16/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-09-01_13-00-06.jpg" alt="2020-09-01_13-00-06.jpg" /></span></P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-01_13-04-53.jpg" style="width: 999px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27580iB10B6CD29DC1AD63/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-09-01_13-04-53.jpg" alt="2020-09-01_13-04-53.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Sep 2020 11:07:29 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346222#M86477 reaper 2020-09-01T11:07:29Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346237#M86484 <P>Thanks for the reply&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;. But not only for application update, also for other update (anti-virus, IPS...). Out PA the management interface is connected to internal network , so how should create a firewall rule for PA update? I tried to create a rule to let management subnet outgoing traffic, but when click downloading under Dynamic update , it still shows failed. Can you please what firewall rules need for palo alto update? thanks</P> Tue, 01 Sep 2020 12:12:54 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346237#M86484 herman2018 2020-09-01T12:12:54Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346241#M86486 <P>All of the services and updates are included in that application filter, the only exception is when your firewall is not using your internal DNS and needs to reach out to an internet DNS, in which case you need to also allow outbound DNS, and possibly ntp and ping to sync time and troubleshoot</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-01_14-17-53.jpg" style="width: 827px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27582i6845F3FB6417FA11/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-09-01_14-17-53.jpg" alt="2020-09-01_14-17-53.jpg" /></span></P><P>&nbsp;</P><P>if you do not have access to the application filter TAG, you will need the following applications for basic services, more may be required depending on your deployment)</P><P>- paloalto-dns-security</P><P>- paloalto-updates</P><P>- paloalto-wildfire-cloud</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Sep 2020 12:25:07 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346241#M86486 reaper 2020-09-01T12:25:07Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346243#M86488 <P>Thanks&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/7608">@reaper</a>&nbsp;. PA will use management IP or external IP address to download the updates?&nbsp;</P> Tue, 01 Sep 2020 12:29:19 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346243#M86488 herman2018 2020-09-01T12:29:19Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346245#M86489 <P>by default all connections come out of the management interface, but you can change the egress interface via service routes:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2020-09-01_14-32-23.jpg" style="width: 970px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/27583iA77F2256100CF682/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="2020-09-01_14-32-23.jpg" alt="2020-09-01_14-32-23.jpg" /></span></P><P>&nbsp;</P><P>&nbsp;</P> Tue, 01 Sep 2020 12:37:13 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/346245#M86489 reaper 2020-09-01T12:37:13Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/389418#M90620 <P>Nice, I'll give it a try with this filter.</P><P>&nbsp;</P><P>Thanks for the recommendation!</P> Fri, 05 Mar 2021 15:37:03 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/389418#M90620 AlexandroDelAngel 2021-03-05T15:37:03Z https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/389425#M90621 <P>Do you think it would be ok if I lock it down to destination FQDN Object&nbsp;updates.paloaltonetworks.com ?</P><P>&nbsp;</P><P>Regards,</P> Fri, 05 Mar 2021 15:40:39 GMT https://live.paloaltonetworks.com/t5/general-topics/firewall-rules-for-palo-alto-to-update-the-content-anti-virus/m-p/389425#M90621 AlexandroDelAngel 2021-03-05T15:40:39Z