Firewall rules for palo alto to update the content (anti-virus,signature...

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Firewall rules for palo alto to update the content (anti-virus,signature...

L2 Linker

Hi, anyone can advise how to configure the firewall rule for palo alto to update its contents? Thanks in advance. 



Accepted Solutions

Nice, I'll give it a try with this filter.


Thanks for the recommendation!

View solution in original post


Cyber Elite
Cyber Elite

if you've upgraded to 9.1 or later, you can leverage the palo alto tag in an application filter to dynamically allow all connections needed by your firewalls.

using this filter in a security rule will allow outbound connections and if ever a new service is added, or an existing one is changed, the filter will account for these automatically







Tom Piens
PANgurus - (co)managed services and consultancy

Thanks for the reply @reaper . But not only for application update, also for other update (anti-virus, IPS...). Out PA the management interface is connected to internal network , so how should create a firewall rule for PA update? I tried to create a rule to let management subnet outgoing traffic, but when click downloading under Dynamic update , it still shows failed. Can you please what firewall rules need for palo alto update? thanks

All of the services and updates are included in that application filter, the only exception is when your firewall is not using your internal DNS and needs to reach out to an internet DNS, in which case you need to also allow outbound DNS, and possibly ntp and ping to sync time and troubleshoot




if you do not have access to the application filter TAG, you will need the following applications for basic services, more may be required depending on your deployment)

- paloalto-dns-security

- paloalto-updates

- paloalto-wildfire-cloud





Tom Piens
PANgurus - (co)managed services and consultancy

Thanks @reaper . PA will use management IP or external IP address to download the updates? 

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!