DotW: Ports used by the update server

Created On 09/25/18 19:03 PM - Last Modified 06/09/23 02:55 AM


Resolution


In this week's Discussion of the Week, we're taking a look at a pitfall new users might experience when performing maintenance tasks on their Palo Alto Networks firewall and trying to update license information or to retrieve firmware or content updates.

[Image: DotW user question]

A couple of considerations apply when configuring the management interface and connecting it to a network: certain services require an internet connection to function properly.

By default, any management-initiated operations originate from the management interface, which has its own routing configuration, independent of the dataplane.

To be able to reach, for example, updates.paloaltonetworks.com, the management interface of the firewall will need to take the same route any other network host takes to get to the internet. The firewall may need to be able to reach an internet-based DNS server (UDP/53) to resolve the hostname, and be allowed outbound SSL (TCP/443) to reach the server and fetch the license information or download a software image.

[Image: management interface route]

If the management interface is connected to an OOB (out of band) network, this could prevent the management interface from connecting out to the internet and retrieving necessary updates. To allow the management interface to still reach out for certain services, service routes can be configured to internally connect the management interface to the dataplane for certain outbound connections:
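As an added example (not code from the article, from the original discussion, or from PAN-OS itself), the following Python script models the two points above: a management-initiated service leaves through the management interface unless a service route redirects it to a dataplane interface, and an update check needs UDP/53 name resolution followed by an outbound TCP/443 connection to updates.paloaltonetworks.com. Run from a host on the same network as the management interface, it reports which of the two steps fails. The service names `dns` and `paloalto-updates`, the interface name `ethernet1/1` and the placeholder resolver address are illustrative assumptions, not necessarily the identifiers PAN-OS uses.

```python
"""Pre-flight check of the management-plane path to the update server.

Added example; not code from the article or from PAN-OS. The resolver and
connector are injectable so the decision logic can be exercised offline.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

UPDATE_SERVER = "updates.paloaltonetworks.com"  # hostname named in the article
DNS_PORT, SSL_PORT = 53, 443                      # ports named in the article
MGMT = "management"


def egress_for(service: str, service_routes: Dict[str, str]) -> str:
    """Interface a management-initiated service leaves from.

    Default is the management interface (its own routing table); a service
    route overrides that with the configured dataplane interface. Service
    names are illustrative placeholders, not PAN-OS identifiers.
    """
    return service_routes.get(service, MGMT)


def outbound_flows(service_routes: Dict[str, str],
                   dns_server: str = "<resolver>") -> List[Tuple[str, str, int, str, str]]:
    """The two flows an update check needs, with the interface each uses.

    Each tuple is (service, protocol, port, destination, egress interface).
    """
    return [
        ("dns", "udp", DNS_PORT, dns_server, egress_for("dns", service_routes)),
        ("paloalto-updates", "tcp", SSL_PORT, UPDATE_SERVER,
         egress_for("paloalto-updates", service_routes)),
    ]


@dataclass
class CheckResult:
    resolved_ip: Optional[str]   # None when UDP/53 resolution failed
    tcp_443_open: bool
    error: Optional[str]

    @property
    def ok(self) -> bool:
        return self.resolved_ip is not None and self.tcp_443_open


def resolve_with_os(host: str) -> str:
    """Resolve via the OS resolver (UDP/53 in the usual configuration)."""
    return socket.gethostbyname(host)


def tcp_connect(ip: str, port: int, timeout: float = 5.0) -> bool:
    """Open and immediately close a TCP connection; raises OSError on failure."""
    with socket.create_connection((ip, port), timeout=timeout):
        return True


def check_update_path(host: str = UPDATE_SERVER,
                      resolve: Callable[[str], str] = resolve_with_os,
                      connect: Callable[..., bool] = tcp_connect) -> CheckResult:
    """Run the checks in the order the firewall needs them: DNS, then TCP/443."""
    try:
        ip = resolve(host)
    except OSError as exc:
        return CheckResult(None, False, f"DNS lookup (UDP/{DNS_PORT}) for {host} failed: {exc}")
    try:
        connect(ip, SSL_PORT)
    except OSError as exc:
        return CheckResult(ip, False, f"TCP/{SSL_PORT} to {ip} ({host}) failed: {exc}")
    return CheckResult(ip, True, None)


if __name__ == "__main__":
    # No service routes configured: both flows leave via the management interface.
    for flow in outbound_flows({}):
        print("flow:", flow)
    result = check_update_path()
    print("reachable" if result.ok else f"blocked: {result.error}")
```

If the script reports a DNS failure, the management network has no path to a resolver on UDP/53; if resolution succeeds but TCP/443 fails, the outbound SSL connection is being blocked. In either case, moving that service to a dataplane interface with a service route, as described above, is the usual remedy on an out-of-band management network.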

 

[Image: service route configuration]

You can follow the original discussion here.

Feel free to leave a comment below!

Regards,

Tom

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTjCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail