04-18-2019 03:34 AM
Hi, I'm new to Palo Alto, but my company has several different versions of Palo Alto firewalls: some with direct support via Palo Alto (a PA-3050), where I have access to download the dynamic updates directly, plus some that we have support for through a reseller, so they need to download the updates and send them to us, as those firewalls don't have access to the internet.
I wanted to know if the Antivirus and Threat Protection updates that I can download from PA directly, registered against the PA-3050, can be used on a PA-820 and a PA-220, or do I have to get the reseller to download them and pass them to me every time?
04-18-2019 04:12 AM
Are the devices that have no internet set up like that intentionally (for security)? _All_ devices (with a valid license) are able to download updates directly from us.
If the management interface needs to be OOB for security reasons, but there are dataplane interfaces connected to the internet, you can set up service routes so they are able to download updates without the mgmt interface needing to be connected.
That said, the installer packages are identical among all firewall models, so you only need to download them once and they can be installed on all firewalls, with one limitation: the licenses need to match the package.
04-18-2019 04:45 AM
@reaper wrote: Are the devices that have no internet set up like that intentionally (for security)? _All_ devices (with a valid license) are able to download updates directly from us.
If the management interface needs to be OOB for security reasons, but there are dataplane interfaces connected to the internet, you can set up service routes so they are able to download updates without the mgmt interface needing to be connected.
That said, the installer packages are identical among all firewall models, so you only need to download them once and they can be installed on all firewalls, with one limitation: the licenses need to match the package.
Hi @reaper, thank you, that is a great help. Yes, we have the management OOB. I was wondering, if we were to allow the updates for Antivirus and Applications and Threats, how would I go about creating rules to protect access through that service route? Or does the fact of creating the service route only allow traffic from the firewall out to Palo Alto Networks for the updates, with all other traffic dropped?
04-18-2019 05:11 AM
Check out the link under 'service route' 🙂
The service route grabs a specific service and pushes it down the backplane to the dataplane; there it is sent out the interface it is set to, following the routing table on the dataplane.
i.e.
- If the service route is connected to the external interface, connections will go directly to the default gateway onto the internet.
- If the service route is connected on the LAN interface, the session will look for the appropriate route, go through the firewall and will be fully inspected before egressing out to the internet (this is the preferred method).
This can be configured for each individual service the management plane needs (DNS, NTP, updates, WildFire, software, ...), so only the ones you truly need will go out onto the internet.
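As an added illustration of the set-up described in this reply and asked about in the previous post (this is not configuration from the thread or from Palo Alto Networks documentation), the PAN-OS CLI fragment below points the update and DNS service routes at a LAN-side dataplane interface, so the management plane's update sessions cross the dataplane and are inspected, and adds a security rule pair that permits only the firewall's own update and DNS traffic outbound and denies everything else from that source address. Interface name (ethernet1/2), zones (trust/untrust), address (10.0.1.1) and the service-route keyword `paloalto-networks-services` are assumptions; the keyword in particular varies by PAN-OS version and should be confirmed on the box before use. The App-ID `paloalto-updates` is the name used for the content-update application.

```text
# Added example, not from the thread. Assumed: LAN-side dataplane interface
# ethernet1/2 (zone "trust", address 10.0.1.1), internet-facing zone "untrust".
# Lines starting with "#" are annotations; the CLI does not accept them.
configure

# Route content/AV/threat update traffic via the LAN interface (the preferred
# method above). The service keyword is an assumption; check it with
# "set deviceconfig system route service ?" on your PAN-OS version.
set deviceconfig system route service paloalto-networks-services source interface ethernet1/2
set deviceconfig system route service paloalto-networks-services source address 10.0.1.1

# DNS resolution for the update servers takes the same path.
set deviceconfig system route service dns source interface ethernet1/2
set deviceconfig system route service dns source address 10.0.1.1

# Security policy, evaluated top-down: allow only the firewall's own source
# address, only the update and DNS App-IDs, on their default ports, and log it.
set rulebase security rules fw-updates-out from trust to untrust source 10.0.1.1 destination any application [ paloalto-updates dns ] service application-default action allow
set rulebase security rules fw-updates-out log-end yes

# Explicit catch-all deny for anything else the management plane sends down
# this service route, logged so unexpected sessions show up in the traffic log.
set rulebase security rules fw-mgmt-deny from trust to untrust source 10.0.1.1 destination any application any service any action deny
set rulebase security rules fw-mgmt-deny log-end yes

commit
```

After the commit, `request content upgrade check` (and `request anti-virus upgrade check`) will exercise the new path; the resulting sessions should appear in the traffic log matching `fw-updates-out`, and any hit on `fw-mgmt-deny` indicates a service still reaching the dataplane that has not been accounted for. Because the service route only moves the management plane's egress onto the dataplane, it is this security rule, not the service route itself, that limits what the firewall can reach.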
04-18-2019 07:37 AM - edited 04-18-2019 07:38 AM
Alternative solution:
Purchase Panorama and push everything from it. This way your firewalls don't need any internet connection whatsoever. You can automate all updates centrally from Panorama.