If you've upgraded to 9.1 or later, you can leverage the Palo Alto tag in an application filter to dynamically allow all connections needed by your firewalls.
Using this filter in a security rule will allow outbound connections, and if ever a new service is added, or an existing one is changed, the filter will account for these automatically.
Thanks for the reply @reaper. But not only for application update, also for other updates (anti-virus, IPS...). Our PA management interface is connected to the internal network, so how should I create a firewall rule for PA update? I tried to create a rule to allow the management subnet's outgoing traffic, but when I click download under Dynamic update, it still shows failed. Can you please tell me what firewall rules are needed for Palo Alto update? Thanks
All of the services and updates are included in that application filter. The only exception is when your firewall is not using your internal DNS and needs to reach out to an internet DNS, in which case you need to also allow outbound DNS, and possibly NTP and ping to sync time and troubleshoot.
If you do not have access to the application filter tag, you will need the following applications for basic services (more may be required depending on your deployment)