01-20-2020 12:37 AM
There is a new Customer Advisory "Content Delivery Network Infrastructure Update".
We use AppID "paloalto-updates" to allow download of updates. Does this need to be adapted?
The firewall devices are configured to use update server "updates.paloaltonetworks.com". Does this need to be adapted?
Unfortunately the Customer Advisory does not elaborate on this.
01-21-2020 11:27 AM
Hello,
If you are using URL filtering to download your PAN updates, then yes you should update the PAN to allow that URL. If you are letting your PAN hit anything on the internet and just using app-id to filter, then probably (BTW I dont recommend this method).
I know its a bit vague, however I would say have a policy that allows the PAN to go and get updates, but only from the Palo Alto URL's and specify app-ids. This is very narrow/specific policy and will allow your PAN to get updates.
Regards,
01-21-2020 12:28 PM
I think @Anon1 was asking about the following value where normally updates.paloaltonetworks.com is configured:
01-22-2020 01:58 AM
Thanks for all your answers. Yes, I meant the "Update Server" setting on the firewall devices.
@OtakarKlier : Do you mean to create a custom URL category object with the *.paloaltonetworks.com URLs and attach it to the firewall rule with the paloalto-updates appid? Isn´t this redundant? I assume the paloalto-updates appid does exactly this (allow access only to the relevant resources for the update service.)
01-22-2020 06:48 AM
Hello,
Exactly, a custom URL category with the update URL's.
Regards,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
