12-20-2021 08:43 AM - edited 12-20-2021 09:54 AM
Our company was recently sold off and their IT department erased our firewalls leaving them reset back the to manufacturer’s configuration. I’ve built it back as much as possible, but I’m missing something. I’ve worked with other firewall devices, but PA is proving challenging. How do I configure it to connect to serverlist.paloaltonetworks.com, serverlist.urlcloud.paloaltonetworks.com, & updates.paloaltonetworks.com?
These are messages displayed in the Dashboard | System Logs section
Time Description
12/20 10:30:36 CURL ERROR: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
12/20 10:27:45 Cloud is not ready, There was no update from the cloud in the last 159425 minutes.
12/20 10:22:45 Cloud is not ready, There was no update from the cloud in the last 159420 minutes.
12/20 10:20:41 Connection to Update server closed: updates.paloaltonetworks.com, source: 10.200.245.11
12/20 10:20:36 CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:20:36 CLOUD ELECTION: cannot elect a cloud
12/20 10:19:27 CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:19:27 CLOUD ELECTION: cannot elect a cloud
12/20 10:18:18 CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:18:18 CLOUD ELECTION: cannot elect a cloud
12/20 10:17:09 CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:17:09 CLOUD ELECTION: cannot elect a cloud
12/20 10:16:01 Failed to open connection with the cloud after 50700 consecutive tries.
PAN-DB cloud list loading failed (ERROR: Couldn't resolve host name).
These are the details in the Dashboard | General Information section. We run on a 10 net.
Model: PA-220
Software Version 9.0.11
GlobalProtect Agent 0.0.0
Application Version 8450-6909 (08/26/21)
Threat Version 8450-6909 (08/26/21)
Antivirus Version 3825-4336 (08/31/21)
WildFire Version 589870-593058 (08/31/21)
URL Filtering Version 20210831.20351
GlobalProtect Clientless VPN Version 90-212 (01/07/21)
Time Mon Dec 20 10:25:58 2021
Uptime 372 days, 8:11:41
Device Certificate Status None
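The log excerpt above mixes several message types, and the order they are read in matters: the "Could not resolve host" lines are the cause, and the "cannot elect a cloud", "Cloud is not ready" and "Connection to Update server closed" lines are the consequences. The following script is an added example (not part of the original post or any Palo Alto Networks tool) that parses lines of that shape, counts them per category and returns a root-cause verdict; the sample input is constructed from the lines quoted above, and the category names and the Device > Setup > Services hint are the author's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the shape of the PAN-OS system log lines quoted
# in the post above, trimmed to one line per distinct message type.
SAMPLE_LOG = """\
12/20 10:30:36 CURL ERROR: Could not resolve host: s0000.urlcloud.paloaltonetworks.com
12/20 10:27:45 Cloud is not ready, There was no update from the cloud in the last 159425 minutes.
12/20 10:20:41 Connection to Update server closed: updates.paloaltonetworks.com, source: 10.200.245.11
12/20 10:20:36 CURL ERROR: Could not resolve host: serverlist.urlcloud.paloaltonetworks.com
12/20 10:20:36 CLOUD ELECTION: cannot elect a cloud
12/20 10:16:01 Failed to open connection with the cloud after 50700 consecutive tries.
PAN-DB cloud list loading failed (ERROR: Couldn't resolve host name).
"""

# Optional "MM/DD HH:MM:SS " prefix; some lines (the PAN-DB one) carry none.
TS_RE = re.compile(r"^(?P<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")

# Message patterns, checked in order; the first match decides the category.
PATTERNS = [
    ("dns_failure", re.compile(r"Could not resolve host: (?P<host>\S+)")),
    ("dns_failure", re.compile(r"Couldn't resolve host name")),
    ("connection_closed", re.compile(
        r"Connection to Update server closed: (?P<host>[^,]+), source: (?P<src>\S+)")),
    ("cloud_election", re.compile(r"cannot elect a cloud")),
    ("cloud_stale", re.compile(r"no update from the cloud in the last (?P<minutes>\d+) minutes")),
    ("cloud_unreachable", re.compile(r"after (?P<tries>\d+) consecutive tries")),
]


@dataclass
class Event:
    ts: Optional[str]
    category: str
    msg: str
    host: Optional[str] = None
    src: Optional[str] = None
    number: Optional[int] = None   # minutes stale or consecutive tries


def parse_line(line: str) -> Optional[Event]:
    """Classify one system-log line; returns None for lines we do not recognise."""
    line = line.strip()
    m = TS_RE.match(line)
    ts, msg = (m.group("ts"), m.group("msg")) if m else (None, line)
    for category, pat in PATTERNS:
        hit = pat.search(msg)
        if not hit:
            continue
        groups = hit.groupdict()
        number = groups.get("minutes") or groups.get("tries")
        return Event(ts=ts, category=category, msg=msg,
                     host=groups.get("host"), src=groups.get("src"),
                     number=int(number) if number else None)
    return None


def triage(log_text: str) -> Dict:
    """Summarise the log: per-category counts, unresolved hosts and a root-cause verdict."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    counts = Counter(e.category for e in events)
    unresolved = sorted({e.host for e in events if e.category == "dns_failure" and e.host})
    sources = sorted({e.src for e in events if e.src})
    stale = [e.number for e in events if e.category == "cloud_stale"]

    # Root-cause heuristic: DNS failures explain everything downstream (no cloud
    # election, no update connection), so they take precedence over the rest.
    if counts["dns_failure"]:
        verdict = "dns"
        hint = ("management-plane DNS is not resolving vendor hosts: check the DNS "
                "servers under Device > Setup > Services and the service route used "
                "for DNS, and confirm the MGMT interface can reach those servers")
    elif counts["connection_closed"] or counts["cloud_unreachable"]:
        verdict = "connectivity"
        hint = ("names resolve but sessions do not complete: check the security policy "
                "and NAT for traffic sourced from the update service route")
    else:
        verdict = "unknown"
        hint = "no recognised update/cloud failure messages"

    return {
        "events": len(events),
        "counts": dict(counts),
        "unresolved_hosts": unresolved,
        "source_ips": sources,
        "max_stale_minutes": max(stale) if stale else None,
        "verdict": verdict,
        "hint": hint,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pasting a larger export of Monitor > Logs > System into `SAMPLE_LOG` gives the same summary over the full history; the "source" address on the connection-closed line tells you which interface the firewall is actually using for that service route, which is the first thing to compare against Device > Setup > Services.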
12-20-2021 11:22 AM
I tried to run the "Check Now" function under Device > Software, but all I get is..."Failed to check upgrade info due to generic communication error. Please check network connectivity and try again." Our internet connection is running through the FW, so this is confusing.
12-20-2021 01:04 PM
Hello,
I understand your frustration but we are here to help/assist! So what these updates use is what is known as service routes. By default, they are configured to use the MGMT interface to send out and get these updates. I'm guessing the MGMT interface is set up on the network? Now make sure the service routes are set to use the MGMT interface,
Device->Setup->Services-> service route configuration. Here it will most likely be set to use Management Interface for all (this is good).
Now assuming you can browse the internet from behind the PAN, make sure there is a policy to allow traffic from the MGMT interface out to the internet and make sure it's not being decrypted or scanned. Also always set the logging to be at session end. This will make sure that the traffic will show up in the logs.
I know this is a lot to take in, however we are here to help with any and all questions you might have.
Check out the free training as well: https://live.paloaltonetworks.com/t5/education-services/ct-p/Education_Services
Cheers!
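The reply above separates two failure modes: the service-route source cannot resolve the vendor names (DNS), or it resolves them but the session never completes (policy on the egress path). The script below is an added example, not part of this thread or any Palo Alto Networks software, that performs that two-step check for the three hosts named in the question: resolve each name, then attempt a plain TCP handshake to port 443 on every returned address, and reduce the result to the one thing to fix first. Both steps are injectable so the logic can be exercised offline; the status names and the verdict mapping are the author's own.

```python
import socket
from typing import Callable, Dict, List

# The three vendor hosts the original poster asked about.
UPDATE_HOSTS = [
    "updates.paloaltonetworks.com",
    "serverlist.paloaltonetworks.com",
    "serverlist.urlcloud.paloaltonetworks.com",
]

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int], bool]


def resolve_with_os(host: str) -> List[str]:
    """Resolve via the OS stub resolver; an empty list means NXDOMAIN/SERVFAIL/timeout."""
    try:
        infos = socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_connect(ip: str, port: int, timeout: float = 5.0) -> bool:
    """True if a TCP handshake to ip:port completes (no TLS, no HTTP request)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_hosts(hosts, resolve: Resolver = resolve_with_os,
                connect: Connector = tcp_connect, port: int = 443) -> Dict[str, Dict]:
    """Per host: did the name resolve, and does at least one address accept TCP on `port`?"""
    report = {}
    for host in hosts:
        ips = resolve(host)
        if not ips:
            report[host] = {"status": "dns_failure", "ips": [], "reachable": []}
            continue
        reachable = [ip for ip in ips if connect(ip, port)]
        report[host] = {
            "status": "ok" if reachable else "tcp_failure",
            "ips": ips,
            "reachable": reachable,
        }
    return report


def verdict(report: Dict[str, Dict]) -> str:
    """Collapse the per-host report into the single thing to fix first."""
    statuses = {r["status"] for r in report.values()}
    if "dns_failure" in statuses:
        return "dns"        # fix DNS servers / DNS service route before anything else
    if "tcp_failure" in statuses:
        return "policy"     # names resolve: look at security policy / NAT on the egress path
    return "ok"


if __name__ == "__main__":
    rep = check_hosts(UPDATE_HOSTS)
    for host, r in rep.items():
        print(f"{host:45} {r['status']:12} {','.join(r['reachable']) or '-'}")
    print("verdict:", verdict(rep))
```

Run it from a host on the same network and DNS servers as the MGMT interface (in the poster's setup, the VLAN behind switch port 5), not from a client behind the data-plane ports: a workstation that browses fine through the firewall only proves the data-plane path, while the update service routes use the management path by default, which is exactly the distinction the reply is making.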
12-20-2021 01:18 PM
Hello,
Also not sure how far you have gotten in your rebuild. However here is a link to an article that goes through a zero day config. It's pretty secure, so it could be more trouble than it's worth at this point.
Also make sure to use secure DNS. Here is a video about it and why it should be used:
Regards,
12-20-2021 02:12 PM
Hello,
Just remembered that since it got wiped, you'll need to get the licenses first after setting up the service routes.
Regards,
12-20-2021 02:17 PM
AutoFocus Device License
Date Issued: August 16, 2018
Date Expires: February 01, 2021 (EXPIRED)
Description: AutoFocus Device License
GlobalProtect Gateway
Date Issued: August 16, 2018
Date Expires: March 31, 2021 (EXPIRED)
Description: GlobalProtect Gateway License
Premium
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: 24 x 7 phone support; advanced replacement hardware service
Threat Prevention
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: Threat Prevention
Logging Service
Date Issued: February 23, 2021
Date Expires: February 01, 2022
Description: Device Logging Service
Log Storage TB: 3
DNS Security
Date Issued: February 14, 2019
Date Expires: March 31, 2021 (EXPIRED)
Description: Palo Alto Networks DNS Security License
PAN-DB URL Filtering
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: Palo Alto Networks URL Filtering License
Active: Yes
SD WAN
Date Issued: December 18, 2019
Date Expires: March 31, 2021 (EXPIRED)
Description: License to enable SD WAN feature
WildFire License
Date Issued: March 31, 2021
Date Expires: February 01, 2022
Description: WildFire signature feed, integrated WildFire logs, WildFire API
12-20-2021 03:14 PM
Hey Otto,
I'm still trying to learn my way around this device, which means I'm not sure where to go to find out where/if/how the traffic is going through the MGMT interface. I've spent hours looking for instructional videos to get the thing setup properly, but have found little. Port 2 connects to port 4 of our switch, port 3 connects to our ISP, and the MGMT interface connects to port 5 on the same switch.
Those switch interface configs are:
interface GigabitEthernet1/0/4
description PA-220 FW1 Eth0/2
switchport mode trunk
switchport nonegotiate
!
interface GigabitEthernet1/0/5
description PA-220 FW1 Mgmt interface
switchport mode access
switchport nonegotiate
spanning-tree portfast
12-20-2021 03:33 PM
Hello,
I would check and make sure those switch ports are on different vlans. e.g. one for external (untrust) and one for internal (trust). Looks like you have the core licenses still valid so you should be able to get to the internet from the management interface. Apply the AntiVirus update and install it first, then threat, URL, dns, wildfire, etc.
Hope this helps.
12-20-2021 03:36 PM
Hello,
Also make sure port 2 on your PAN is also set up as a trunk port.
Regards,