Palo Alto Updates Issue on Multi VSYS system

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Palo Alto Updates Issue on Multi VSYS system

L3 Networker

Hi All,

 

Hoping an answer can be provided to this multi vsys Palo Alto I am deploying.

 

I enabled the operational status of one of the virtual firewalls I am providing making it fully internet facing with Globalprotect operating on the outside interface. This is operating without issue.

 

When I enabled this VSYS to an operational status I had to make changes to the inside routing to get all the BGP sessions established - it was left in a test state by a predecessor - but this is all working well.

 

What seems to have happened is the software and dynamic updates have stopped updating. I have checked from CLI and from the MGT interface I have internet connectivity and it is routing via the working VSYS without issue. I have also confirmed that from CLI I can see the MGT interface from the internal and it routes as expected.

 

I can see the traffic going out to internet but the update times out and the log shows as application incomplete.

 

I have tried to set the update to use the VSYS outside address as the update path through the Service Route Configuration but this produces the same result. In the Service Route Configuration I have the option of Palo Alto Network Services (no Palo Alto Updates option) which I used.

 

Any ideas? The rule and NAT are there and being used, routing seems to be correct. Things like NTP and DNS are not reporting an issue.

 

Regards

 

Adrian

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Do you have "Verify Update Server Identity" enabled and are you doing ssldecrypt?

 

you could try replacing the updates server with staticupdates.paloaltonetworks.com in case you're having issues connecting to the cloud instance

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

4 REPLIES 4

Cyber Elite
Cyber Elite

Do you have "Verify Update Server Identity" enabled and are you doing ssldecrypt?

 

you could try replacing the updates server with staticupdates.paloaltonetworks.com in case you're having issues connecting to the cloud instance

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

I have verify Update Server Identity and currently not doing ssldecrypt.

 

Strangely, staticupdates.paloaltonetworks.com works. Any idea why the original would stop after making the new Vsys live? It originally went through a test Vsys and route before I made the change but this was 2 weeks ago.

 

Regards

 

Adrian

the original update server is cloud-based so the IP tends to skip around

there may be a routing/peering issue with the ip you're trying to reach via your new route

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks. I have escalated to our support people. All internet traffic works except to these particluar cloud servers. Hopefully they can help.

 

Regards

 

Adrian

  • 1 accepted solution
  • 3965 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!