Firewall rules for palo alto to update the content (anti-virus,signature...

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Firewall rules for palo alto to update the content (anti-virus,signature...

L2 Linker

Hi, anyone can advise how to configure the firewall rule for palo alto to update its contents? Thanks in advance. 

 

1 accepted solution

Accepted Solutions

Nice, I'll give it a try with this filter.

 

Thanks for the recommendation!

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

if you've upgraded to 9.1 or later, you can leverage the palo alto tag in an application filter to dynamically allow all connections needed by your firewalls.

using this filter in a security rule will allow outbound connections and if ever a new service is added, or an existing one is changed, the filter will account for these automatically

 

2020-09-01_13-00-06.jpg

 

2020-09-01_13-04-53.jpg

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks for the reply @reaper . But not only for application update, also for other update (anti-virus, IPS...). Out PA the management interface is connected to internal network , so how should create a firewall rule for PA update? I tried to create a rule to let management subnet outgoing traffic, but when click downloading under Dynamic update , it still shows failed. Can you please what firewall rules need for palo alto update? thanks

All of the services and updates are included in that application filter, the only exception is when your firewall is not using your internal DNS and needs to reach out to an internet DNS, in which case you need to also allow outbound DNS, and possibly ntp and ping to sync time and troubleshoot

 

2020-09-01_14-17-53.jpg

 

if you do not have access to the application filter TAG, you will need the following applications for basic services, more may be required depending on your deployment)

- paloalto-dns-security

- paloalto-updates

- paloalto-wildfire-cloud

 

 

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks @reaper . PA will use management IP or external IP address to download the updates? 

by default all connections come out of the management interface, but you can change the egress interface via service routes:

 

2020-09-01_14-32-23.jpg

 

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Nice, I'll give it a try with this filter.

 

Thanks for the recommendation!

Do you think it would be ok if I lock it down to destination FQDN Object updates.paloaltonetworks.com ?

 

Regards,

  • 1 accepted solution
  • 11235 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!