Palo Alto Software/Threat/AntiVirus Update Policy

Showing results for 
Show  only  | Search instead for 
Did you mean: 

Palo Alto Software/Threat/AntiVirus Update Policy

Not applicable


I am having an internet facing firewall which needs to be kept updated with the Threat/AV software.

I have configured the service route to use the correct interface for updates. However, it still cant check and download the required updates. As its evident I need to have a policy in place to allow the above traffic. I know what source to use, but can some one shed light on the destination address? Should I use "Any" with application as paloalto-updates?

Many thanks.


L4 Transporter

Please check what you have configured in this plase


I have IP of my untrust interfece in CRL status field.

Please log by SSH and check that you can ping from managemet interface any internet site.

As I remember to get updates after first run of my PA device I have to do check for upates few time...



L5 Sessionator


Fro me two things:

     - Or you want to use Management interface for updating your palo and this traffic go through the palo himself then,  you need to create policy allowing taffic from management ip to dns named object "" and pan-update app on Https

     - Or you enable the palo update from your outside interface and in this case just keep in ming to allow traffic from your outside zone to outside zone (Traffic denied automatically as soon as you create a deny all policy).

Hope Help


Not applicable

Thanks for your response slv and VinceM.

I am using an outside interface for update in my case. While writing the policy I have the source as my outside interface (public IP) and destination as ANY, and applications as paloalto-updates, ssl and couple of other paloalto applications.

My question is do I have keep the destination address in policy as "ANY". I understand the IP for updates changes frequently and the actual updates are hosted at akamai servers, IP of which changes every time as well.


The short answer is that if yet set an address you'll have to frequently change it  Using the FDQN name accessed might be more helpful.

You can keep the FDQN the same as that doesn't change but the IP address would need to changed on a regular basis. Since the FDQN is common to both the firewall and the update program the addresses for the policy and the updates will be the same. While I haven't done this for the updates, I've used this approach successfully with other hosts that tended to shift their IP addresses.

Not applicable

Thanks SMF.

I didnt knew I can add FQDN as destination. To add that I had to create an object, thats where it gives the option of FQDN, and then added that object as destination.

Now I am able to check the updates, however downloading the updates is being denied. I assume the IP of which is not covered under the update URL.

Can you help in what subnet /URL should I include to get the download working as well.

I have allowed SSL applicaion in the policy.


  • 5 replies
  • 101 Subscriptions
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!