Palo Alto - Dynamic Updates


L1 Bithead

Hi, I'm new to Palo Alto, but my company has several different versions of Palo Alto firewalls, some with direct support via Palo Alto (PA-3050) where I have access to download the dynamic updates directly, plus some that we have support for through a reseller, where they need to download the updates and send them to us, as the firewalls don't have access to the internet.

 

I wanted to know if the Antivirus and Threat Protection updates that I can download from PA directly, registered against the PA-3050, can be used on a PA-820 and a PA-220, or do I have to get the reseller to download them and pass them to me every time?

 

4 REPLIES

Cyber Elite

Are the devices that have no internet set up like that intentionally (for security), as _all_ devices (with a valid license) are able to download updates directly from us?

 

If the management interface needs to be OOB for security reasons, but there are dataplane interfaces connected to the internet, you can set up service routes so they are able to download updates without the mgmt interface needing to be connected.

 

That said, the installer packages are identical among all firewall models, so you only need to download them once and they can be installed on all firewalls, with one limitation: the licenses need to match the package.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @reaper, thank you, that is a great help. Yes, we have the management OOB. I was wondering, if we were to allow the updates for Antivirus and Applications and Threats, how would I go about creating rules to protect access through that service route? Or does the fact of creating the service group only allow traffic from the firewall out to Palo Alto Networks for the updates, and all other traffic is dropped?


 

Check out the link under 'service route' 🙂

 

The service route grabs a specific service and pushes it down the backplane to the dataplane; there it is sent out the interface it is set to, following the routing table on the dataplane.

i.e.:
- if the service route is connected to the external interface, connections will go directly to the default gateway onto the internet
- if the service route is connected on the LAN interface, the session will look for the appropriate route, go through the firewall and will be fully inspected before egressing out to the internet (this is the preferred method)

 

This can be configured for each individual service the management plane needs (DNS, NTP, updates, WildFire, software, ...), so only the ones you truly need will go out onto the internet.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
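As an added, constructed example (not from this thread and not Palo Alto Networks' own documentation), this is what the preferred setup described above looks like in PAN-OS configure-mode CLI, together with a security rule that answers the follow-up question of how to restrict what the service route may reach. Interface, zone and address names are placeholders; it assumes, as the reply states, that traffic sourced from a dataplane interface is routed and inspected like any other session, and lines starting with # are explanatory comments, not CLI.

```text
# Service route: send content (AV / Applications and Threats) updates out a
# dataplane LAN-side interface (ethernet1/2, 10.10.10.1, zone "mgmt-services")
# instead of the out-of-band management port. Names and addresses are placeholders.
set deviceconfig system route service paloalto-updates source interface ethernet1/2
set deviceconfig system route service paloalto-updates source address 10.10.10.1/24

# The update service needs DNS to resolve the update server, so route DNS the same
# way. Services the management plane does not need on the internet (e.g. WildFire)
# get no service route and therefore stay on the OOB management port.
set deviceconfig system route service dns source interface ethernet1/2
set deviceconfig system route service dns source address 10.10.10.1/24

# Security policy: the update session now enters the dataplane from zone
# "mgmt-services" and leaves through zone "untrust", so it is subject to policy.
# Permit only the update and DNS applications, only from the firewall's own address,
# on their default ports, and log the sessions.
set rulebase security rules allow-fw-content-updates from mgmt-services
set rulebase security rules allow-fw-content-updates to untrust
set rulebase security rules allow-fw-content-updates source 10.10.10.1
set rulebase security rules allow-fw-content-updates destination any
set rulebase security rules allow-fw-content-updates application [ paloalto-updates dns ]
set rulebase security rules allow-fw-content-updates service application-default
set rulebase security rules allow-fw-content-updates action allow
set rulebase security rules allow-fw-content-updates log-end yes

# Explicit catch-all below it: anything else sourced from that zone towards the
# internet is denied and logged, so a misconfigured service route (or a new service
# added later without review) shows up in the traffic log instead of silently egressing.
set rulebase security rules deny-fw-other-egress from mgmt-services
set rulebase security rules deny-fw-other-egress to untrust
set rulebase security rules deny-fw-other-egress source any
set rulebase security rules deny-fw-other-egress destination any
set rulebase security rules deny-fw-other-egress application any
set rulebase security rules deny-fw-other-egress service any
set rulebase security rules deny-fw-other-egress action deny
set rulebase security rules deny-fw-other-egress log-end yes
```

After committing, the traffic log filtered on source 10.10.10.1 shows exactly which applications the management plane is reaching out with, which is the check to run before adding any further service routes.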

Alternative solution,

 

Purchase Panorama and push everything from it. This way your firewalls don't need any internet connection whatsoever. You can automate all updates centrally from Panorama.
