The PA may have detected a threat or a file type that you are blocking or QOS may be throttling the session (that is if you have QOS configured). To aid in isolating you can create a policy for these sessions and not add a profile to the policy. If the downloads are still stopping, you can call in to support to aid in troubleshooting this.
Can you confirm via Monitor->Traffic & Monitor->Threat whether discards/resets/drops, etc... are occurring during the time of the updates?
You could also manually launch a windows update from the client (Browser or Start->All Programs->Windows Update), then either filter the source IP of the client via the WebUI/Monitor Tab ( addr.src in x.x.x.x ) or via a session trace from CLI:
show session all filter source <ip>
(Keep pressing Up Arrow & Enter & verify session status ACTIVE, DISCARD, etc…)
You can also apply a similar filter to the URL filtering logs as well in the WebUI (Monitor->URL Filtering) as you may have a blocked category that happens to be hosting content (i.e., content-delivery-networks) that is being referenced/pulled from an external sites during update downloads.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!