After click "Check Now" in "Dynamic Updates". Show the error popup as below link
The above KB not apply to my case. As I not allow my management interface to reach internet.
So I go to customize "Service Route Configuration", and set the Source Address of Service - "Palo Alto Networks Services" and "URL Updates" to be the internet facing interface which assigned a public IP address. Still now work. Although I'm not sure these 2 services is for Dynamic Updates or not.
That's weird since all internal users go to internet through that interface without problem. But ping source from it result in all packet lost.
Any possible reason cause this problem?
Solved! Go to Solution.
Yes, sorry the description changed in v8.
anyhows... seems like dns is not working. What is your dns address in services.
try setting it to 220.127.116.11 and changedns service route to the same as your palo alto updates.
not sure but you may need a dns policy to allow this out.
I temporary change the service route config to "Use Management Interface for all". But still cannot ping outside.
The Management interface set as below:
IP Address: 192.168.123.123
Default Gateway: 192.168.123.254
Network Connectivity Services: HTTPS, Ping, SSH
Services set as below:
Primary DNS Server: 18.104.22.168
Secondary DNS Server: 22.214.171.124
Update Server: updates.paloaltonetworks.com
Security Policy set allow the source zone of management interface to destination zone internet facing interface
Monitor Traffic show source 192.168.123.123 to destination 126.96.36.199, application ping and dns are allow. Use the correct rule too.
i have the following settings and it works.
custom service routes
DNS = internet interface/ip address
Updates = internet interface/ip address
it works without any additional polices because the default intranet policy is applied.
Are you applying NAT to that traffic?
If the source 192.168.123.123 is not getting the public NAT address of your interface, you won't be able to get a reply. You can test if it's got a NAT match with the CLI test command:
> test nat-policy-match protocol 6 source 192.168.123.123 destination 188.8.131.52 destination-port 443
Manage to make it work. Require "DNS" and "Palo Alto Networks Services" set to use the outgoing interface. I didn't change "DNS" which was use "Use default" before.
Although I can successfully ping (contact) outside from the outgoing interface. I got another problem now. As my PA device has 2 outgoing interface (to 2 modem). The 1 which success is not my preference. The prefer 1 even cannot ping from outside non ping to outside. But I'm sure internal user can use it to access internet.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!