Cannot contact update server from public IP address interface

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Cannot contact update server from public IP address interface

L3 Networker

After click "Check Now" in "Dynamic Updates". Show the error popup as below link

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClkuCAC

 

The above KB not apply to my case. As I not allow my management interface to reach internet.

So I go to customize "Service Route Configuration", and set the Source Address of Service - "Palo Alto Networks Services" and "URL Updates" to be the internet facing interface which assigned a public IP address. Still now work. Although I'm not sure these 2 services is for Dynamic Updates or not.

 

SSH to CLI. I ping source interface public IP to host www.google.com. Result is unknown host. If change to ping the IP of www.google.com. Result is 100% lost. But webUI Traffic logs show ping allow.

That's weird since all internal users go to internet through that interface without problem. But ping source from it result in all packet lost.

 

Any possible reason cause this problem?

1 accepted solution

Accepted Solutions

L7 Applicator

If you have your DNS set correctly in the services tab then try changing the service route to the same as your palo alto updates.

View solution in original post

10 REPLIES 10

L7 Applicator

"unknown host"   would suggest that your DNS is not working correctly for your services.

L7 Applicator

If you have your DNS set correctly in the services tab then try changing the service route to the same as your palo alto updates.

L7 Applicator

To confirm: the correct service route is "Palo Alto Updates"

Hello MickBall,

The PAN OS version is 8.0.7

Service Route has no "Palo Alto Updates".

Yes, sorry the description changed in v8.

 

anyhows... seems like dns is not working. What is your dns address in services.

 

try setting it to 8.8.8.8 and changedns service route to the same as your palo alto updates.

 

not sure but you may need a dns policy to allow this out.

I temporary change the service route config to "Use Management Interface for all". But still cannot ping outside.

 

The Management interface set as below:

IP Address: 192.168.123.123

Netmask: 255.255.255.0

Default Gateway: 192.168.123.254

Speed: auto-negotiate

MTU: 1500

Network Connectivity Services: HTTPS, Ping, SSH

 

Services set as below:

Primary DNS Server: 8.8.8.8

Secondary DNS Server: 8.8.4.4

Update Server: updates.paloaltonetworks.com

 

Security Policy set allow the source zone of management interface to destination zone internet facing interface

Monitor Traffic show source 192.168.123.123 to destination 8.8.8.8, application ping and dns are allow. Use the correct rule too.

i have the following settings and it works.

 

custom service routes

 

DNS = internet interface/ip address

Updates = internet interface/ip address

 

it works without any additional polices because the default intranet policy is applied.

 

serviceroutes.png

Are you applying NAT to that traffic?

 

If the source 192.168.123.123 is not getting the public NAT address of your interface, you won't be able to get a reply. You can test if it's got a NAT match with the CLI test command:

 

> test nat-policy-match protocol 6 source 192.168.123.123 destination 8.8.8.8 destination-port 443

Manage to make it work. Require "DNS" and "Palo Alto Networks Services" set to use the outgoing interface. I didn't change "DNS" which was use "Use default" before.

Although I can successfully ping (contact) outside from the outgoing interface. I got another problem now. As my PA device has 2 outgoing interface (to 2 modem). The 1 which success is not my preference. The prefer 1 even cannot ping from outside non ping to outside. But I'm sure internal user can use it to access internet.

well done Jezza, perhaps you could mark this as resolved and then log a new post for your new issue.

 

please include VR details and default gateways as this will help with diagnostics....

  • 1 accepted solution
  • 13918 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!