PA-220 not reaching Palo Alto


L1 Bithead

Our company was recently sold off and their IT department erased our firewalls, leaving them reset back to the manufacturer's configuration. I've built it back as much as possible, but I'm missing something. I've worked with other firewall devices, but PA is proving challenging. How do I configure it to connect to serverlist.paloaltonetworks.com, serverlist.urlcloud.paloaltonetworks.com, and updates.paloaltonetworks.com?

These are messages displayed in the Dashboard | System Logs section

Time              Description
12/20 10:30:36    CURL ERROR: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
12/20 10:27:45    Cloud is not ready, There was no update from the cloud in the last 159425 minutes.
12/20 10:22:45    Cloud is not ready, There was no update from the cloud in the last 159420 minutes.
12/20 10:20:41    Connection to Update server closed: updates.paloaltonetworks.com, source: 10.200.245.11
12/20 10:20:36    CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:20:36    CLOUD ELECTION: cannot elect a cloud
12/20 10:19:27    CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:19:27    CLOUD ELECTION: cannot elect a cloud
12/20 10:18:18    CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:18:18    CLOUD ELECTION: cannot elect a cloud
12/20 10:17:09    CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:17:09    CLOUD ELECTION: cannot elect a cloud
12/20 10:16:01    Failed to open connection with the cloud after 50700 consecutive tries.
                  PAN-DB cloud list loading failed (ERROR: Couldn't resolve host name).

These are the details in the Dashboard | General Information section. We run on a 10 net.

Model:                                  PA-220
Software Version:                       9.0.11
GlobalProtect Agent:                    0.0.0
Application Version:                    8450-6909 (08/26/21)
Threat Version:                         8450-6909 (08/26/21)
Antivirus Version:                      3825-4336 (08/31/21)
WildFire Version:                       589870-593058 (08/31/21)
URL Filtering Version:                  20210831.20351
GlobalProtect Clientless VPN Version:   90-212 (01/07/21)
Time:                                   Mon Dec 20 10:25:58 2021
Uptime:                                 372 days, 8:11:41
Device Certificate Status:              None

Thank you,
JD Stewart, Information Technology Specialist
Tel:+1.208.782.2837
JD.Stewart@BinghamAgServices.com

L1 Bithead

I tried to run the "Check Now" function under Device > Software, but all I get is "Failed to check upgrade info due to generic communication error. Please check network connectivity and try again." Our internet connection is running through the FW, so this is confusing.

Thank you,

Cyber Elite

Hello,

I understand your frustration, but we are here to help/assist! What these updates use is what is known as service routes. By default, they are configured to use the MGMT interface to send out and get these updates. I'm guessing the MGMT interface is set up on the network? Now make sure the service routes are set to use the MGMT interface:

Device -> Setup -> Services -> Service Route Configuration. Here it will most likely be set to use the Management Interface for all (this is good).

Now, assuming you can browse the internet from behind the PAN, make sure there is a policy to allow traffic from the MGMT interface out to the internet, and make sure it's not being decrypted or scanned. Also, always set the logging to be at session end. This will make sure that the traffic shows up in the logs.


I know this is a lot to take in, however we are here to help with any and all questions you might have.


Check out the free training as well: https://live.paloaltonetworks.com/t5/education-services/ct-p/Education_Services


Cheers!
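The checks in the reply above, written out as PAN-OS 9.0 CLI. This is an added example by the editor, not from the thread or from Palo Alto Networks documentation. Lines beginning with # are annotations, not CLI input. Assumptions: 10.200.245.11 is the MGMT address (it appears as the "source:" in the update-server log line above); 10.200.245.1 as the LAN gateway, the DNS server addresses, ethernet1/2 = trust (switch side), ethernet1/3 = untrust (ISP side), and the zone and rule names are placeholders for the real values. Every failure in the System log is "Could not resolve host", which is a DNS lookup failure on the management plane rather than a blocked connection, so step 1 is the one most likely to fix it.

```panos
# 1. Management-plane addressing and DNS (GUI: Device > Setup > Management / Services).
#    A factory reset leaves no DNS servers here, which produces exactly the
#    "CURL ERROR: Could not resolve host" entries seen in the System log.
configure
set deviceconfig system ip-address 10.200.245.11
set deviceconfig system netmask 255.255.255.0
set deviceconfig system default-gateway 10.200.245.1
set deviceconfig system dns-setting servers primary 10.200.245.2
set deviceconfig system dns-setting servers secondary 9.9.9.9
set deviceconfig system update-server updates.paloaltonetworks.com

# 2. Service routes (GUI: Device > Setup > Services > Service Route Configuration).
#    "Use Management Interface for all" is the default; deleting any override left
#    behind by the partial rebuild returns that service to the default.
#    "show deviceconfig system route" lists whatever overrides exist first.
delete deviceconfig system route service dns
delete deviceconfig system route service paloalto-updates
delete deviceconfig system route service url-updates
delete deviceconfig system route service wildfire-public

# 3. MGMT plugs into the same switch as ethernet1/2, so its traffic enters the
#    trust zone and needs a security rule (logged at session end) plus source
#    NAT to leave via the ISP interface, like any other LAN host.
set rulebase security rules mgmt-to-pan-cloud from trust to untrust source 10.200.245.11 destination any application [ dns paloalto-updates pan-db-cloud ssl ] service application-default action allow log-end yes
set rulebase nat rules outbound-snat from trust to untrust source any destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/3
commit
exit

# 4. Verify from the management plane (operational mode). A successful ping
#    proves both name resolution and the path; then fetch licenses before
#    any content update, as the thread notes.
ping count 3 host updates.paloaltonetworks.com
ping count 3 host serverlist.urlcloud.paloaltonetworks.com
request license fetch
request system software check
request anti-virus upgrade check
request content upgrade check
show system info | match "ip-address|dns"
```

Two caveats. The mgmt-to-pan-cloud rule must not be matched by a Decryption policy, or the firewall will try to man-in-the-middle its own update TLS sessions and they will fail certificate validation. And the switch config posted later in this thread puts the MGMT port (Gi1/0/5) in access mode with no VLAN specified, which on Cisco IOS means VLAN 1; that VLAN must be carried on the ethernet1/2 trunk (as the native VLAN or a tagged subinterface) or MGMT's packets never reach the firewall's data plane to be forwarded out ethernet1/3.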

Cyber Elite

Hello,

Also, not sure how far you have gotten in your rebuild. However, here is a link to an article that goes through a zero day config. It's pretty secure, so it could be more trouble than it's worth at this point.

https://live.paloaltonetworks.com/t5/general-articles/secure-day-one-configuration-not-for-the-faint...

Also make sure to use secure DNS. Here is a video about it and why it should be used:

https://youtu.be/ROIAYSEbTuo


Regards,


Cyber Elite

Hello,

Just remembered that, since it got wiped, you'll need to get the licenses first after setting up the service routes.

Regards,

AutoFocus Device License
Date Issued: August 16, 2018
Date Expires: February 01, 2021 (EXPIRED)
Description: AutoFocus Device License

GlobalProtect Gateway
Date Issued: August 16, 2018
Date Expires: March 31, 2021 (EXPIRED)
Description: GlobalProtect Gateway License

Premium
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: 24 x 7 phone support; advanced replacement hardware service

Threat Prevention
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: Threat Prevention

Logging Service
Date Issued: February 23, 2021
Date Expires: February 01, 2022
Description: Device Logging Service
Log Storage TB: 3

DNS Security
Date Issued: February 14, 2019
Date Expires: March 31, 2021 (EXPIRED)
Description: Palo Alto Networks DNS Security License

PAN-DB URL Filtering
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: Palo Alto Networks URL Filtering License
Active: Yes

SD WAN
Date Issued: December 18, 2019
Date Expires: March 31, 2021 (EXPIRED)
Description: License to enable SD WAN feature

WildFire License
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: WildFire signature feed, integrated WildFire logs, WildFire API

Thank you,

Hey Otto,

I'm still trying to learn my way around this device, which means I'm not sure where to go to find out where/if/how the traffic is going through the MGMT interface. I've spent hours looking for instructional videos to get the thing set up properly, but have found little. Port 2 connects to port 4 of our switch, port 3 connects to our ISP, and the MGMT interface connects to port 5 on the same switch.

Those switch interface configs are:

interface GigabitEthernet1/0/4
description PA-220 FW1 Eth0/2
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/5
description PA-220 FW1 Mgmt interface
switchport mode access
switchport nonegotiate
spanning-tree portfast

Thank you,

Cyber Elite

Hello,

I would check and make sure those switch ports are on different VLANs, e.g. one for external (untrust) and one for internal (trust). Looks like you have the core licenses still valid, so you should be able to get to the internet from the management interface. Apply the AntiVirus update and install it first, then threat, URL, DNS, WildFire, etc.

Hope this helps.


Cyber Elite

Hello,

Also make sure port 2 on your PAN is set up as a trunk port.

Regards,
