Firewall rules for palo alto to update the content (anti-virus,signature...

Reply
Highlighted
L2 Linker

Firewall rules for palo alto to update the content (anti-virus,signature...

Hi, anyone can advise how to configure the firewall rule for palo alto to update its contents? Thanks in advance. 

 

Highlighted
L7 Applicator

if you've upgraded to 9.1 or later, you can leverage the palo alto tag in an application filter to dynamically allow all connections needed by your firewalls.

using this filter in a security rule will allow outbound connections and if ever a new service is added, or an existing one is changed, the filter will account for these automatically

 

2020-09-01_13-00-06.jpg

 

2020-09-01_13-04-53.jpg

 

 

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
Highlighted
L2 Linker

Thanks for the reply @reaper . But not only for application update, also for other update (anti-virus, IPS...). Out PA the management interface is connected to internal network , so how should create a firewall rule for PA update? I tried to create a rule to let management subnet outgoing traffic, but when click downloading under Dynamic update , it still shows failed. Can you please what firewall rules need for palo alto update? thanks

Highlighted
L7 Applicator

All of the services and updates are included in that application filter, the only exception is when your firewall is not using your internal DNS and needs to reach out to an internet DNS, in which case you need to also allow outbound DNS, and possibly ntp and ping to sync time and troubleshoot

 

2020-09-01_14-17-53.jpg

 

if you do not have access to the application filter TAG, you will need the following applications for basic services, more may be required depending on your deployment)

- paloalto-dns-security

- paloalto-updates

- paloalto-wildfire-cloud

 

 

 

 

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
Highlighted
L2 Linker

Thanks @reaper . PA will use management IP or external IP address to download the updates? 

Highlighted
L7 Applicator

by default all connections come out of the management interface, but you can change the egress interface via service routes:

 

2020-09-01_14-32-23.jpg

 

 

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!