04-24-2019 01:51 AM
Hi All,
Hoping an answer can be provided to this multi vsys Palo Alto I am deploying.
I enabled the operational status of one of the virtual firewalls I am providing making it fully internet facing with Globalprotect operating on the outside interface. This is operating without issue.
When I enabled this VSYS to an operational status I had to make changes to the inside routing to get all the BGP sessions established - it was left in a test state by a predecessor - but this is all working well.
What seems to have happened is the software and dynamic updates have stopped updating. I have checked from CLI and from the MGT interface I have internet connectivity and it is routing via the working VSYS without issue. I have also confirmed that from CLI I can see the MGT interface from the internal and it routes as expected.
I can see the traffic going out to internet but the update times out and the log shows as application incomplete.
I have tried to set the update to use the VSYS outside address as the update path through the Service Route Configuration but this produces the same result. In the Service Route Configuration I have the option of Palo Alto Network Services (no Palo Alto Updates option) which I used.
Any ideas? The rule and NAT are there and being used, routing seems to be correct. Things like NTP and DNS are not reporting an issue.
Regards
Adrian
04-24-2019 03:10 AM
Do you have "Verify Update Server Identity" enabled and are you doing ssldecrypt?
You could try replacing the updates server with staticupdates.paloaltonetworks.com in case you're having issues connecting to the cloud instance.
04-24-2019 03:19 AM
I have verify Update Server Identity and currently not doing ssldecrypt.
Strangely, staticupdates.paloaltonetworks.com works. Any idea why the original would stop after making the new Vsys live? It originally went through a test Vsys and route before I made the change but this was 2 weeks ago.
Regards
Adrian
04-24-2019 04:56 AM
The original update server is cloud-based, so the IP tends to skip around.
There may be a routing/peering issue with the IP you're trying to reach via your new route.
04-24-2019 07:29 AM
Thanks. I have escalated to our support people. All internet traffic works except to these particular cloud servers. Hopefully they can help.
Regards
Adrian