08-28-2021 10:50 AM
I would REALLY like to find a way to automate offline dynamic updates. I’ve been trying to script the process with a bat file and plink. I can get it to log in with SSH but nothing after that. I found a post, link below, on here from about 5 years ago, that suggests what I’m trying to do may not be possible. Hopefully something has changed.
Manually updating all our Paloaltos is taking up a lot of my time, there has to be a better way. I’m very limited on software that’s approved to be installed on our network. ANY suggestions or help is welcome.
Thanks!
08-28-2021 01:34 PM
Hello there
I have a question for you. Why wouldn't you take advantage of the Schedule option to update your Dynamic Updates?
Look at the screen capture
The other option (as I do not know how many FWs you have) is an investment in Panorama, which will help as a central mgmt appliance to manage/update/log all traffic/reports from your FWs.
08-28-2021 04:00 PM
Wait, can I schedule updates from a local SCP server or the like? Our FWs are on isolated networks that can't reach the internet. I'm going to feel really dumb if I've been manually uploading updates for over a year now... I'm off of work until next Wednesday, but now I really want to go dig around in the schedule settings.
I'll look into Panorama. But my employer is super slow about approving new software and spending money.
09-03-2021 12:22 PM - edited 09-04-2021 07:09 AM
This would save you lots of time, but requires 2 Panoramas -> https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/set-up-panorama/install-content-and-s....
I wonder if you could do similar things on the NGFW? [Edit.] It looks like you cannot specify an SCP Server Profile or Dynamic Update source on the NGFW.
[Edit2.] Or you could manually update the files to 1 Panorama if all files have to be checked in to an air gap environment. The Panorama would dynamically push them out to the firewalls. You could even use an SCP server if that helps you automate the upload.
09-04-2021 07:37 AM
Thanks everyone. Sounds like scripting is really limited, and manual uploads and installs are my future for a while. I'll look into the Panorama more.
09-04-2021 07:47 AM - edited 09-16-2021 09:57 AM
The NGFW supports automating almost everything through the API. Here is a process to script uploading and installing dynamic updates -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PLfrCAG.
Using the API Browser (see the link on the bottom of the above URL), you can figure out how to modify the script for software updates.
What's not mentioned in the docs is enabling API access -> https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-panorama-api/get-started-with-the-pan-os-xml-api....
@Bad_Goat Sorry! Not meaning to be a smart alec. I probably should have mentioned this solution first as long as you don't mind working on the scripts. Otherwise, the Panorama method will be easier.
09-16-2021 10:00 AM
Thanks @TomYoung, I think that will get me going in the right direction. Right now there are only Windows machines on the network, but this gives me something to move forward with!
09-16-2021 12:27 PM
You're welcome @Bad_Goat!
You could look into WSL2, cURL for Windows, or others. If you are going to go down the automation path a long way, I would learn Python with the requests module. There are so many automation options out there, it can be hard to pick the one best for you.
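The upload-then-install flow through the PAN-OS XML API discussed in this thread, sketched in Python with the requests module as an added example (not code from any poster or from the linked knowledge base article). It assumes PAN-OS 9.0 or later for the `X-PAN-KEY` header, handles the content category only, and uses hypothetical function names; host, key, file path and CA bundle are supplied by the caller.

```python
import os
import time
import xml.etree.ElementTree as ET

def install_cmd(filename):
    """Op command XML that installs an uploaded content file (ElementTree escapes the name)."""
    root = node = ET.Element("request")
    for tag in ("content", "upgrade", "install", "file"):
        node = ET.SubElement(node, tag)
    node.text = filename
    return ET.tostring(root, encoding="unicode")

def parse_reply(xml_text):
    """Return (ok, job_id, message) from an XML API reply."""
    root = ET.fromstring(xml_text)
    msg = " ".join(t.strip() for t in root.itertext() if t.strip())
    return root.get("status") == "success", root.findtext("./result/job"), msg

def job_state(xml_text):
    """Return (status, result) from a 'show jobs id' reply, e.g. ('FIN', 'OK')."""
    root = ET.fromstring(xml_text)
    return root.findtext("./result/job/status"), root.findtext("./result/job/result")

def upload_and_install(host, api_key, path, ca_bundle, timeout_s=1800):
    """Upload one content file, queue the install, wait for the job. True on success."""
    import requests  # third-party; imported here so the helpers above need only the stdlib
    s = requests.Session()
    s.headers["X-PAN-KEY"] = api_key  # header keeps the key out of URLs and access logs
    s.verify = ca_bundle              # check the firewall certificate against your own CA
    url = f"https://{host}/api/"
    with open(path, "rb") as fh:
        r = s.post(url, params={"type": "import", "category": "content"},
                   files={"file": fh}, timeout=600)
    ok, _, msg = parse_reply(r.text)
    if not ok:
        raise RuntimeError(f"import failed: {msg}")
    r = s.post(url, data={"type": "op", "cmd": install_cmd(os.path.basename(path))}, timeout=60)
    ok, job, msg = parse_reply(r.text)
    if not ok or not job:
        raise RuntimeError(f"install not queued: {msg}")
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:  # the install runs as a background job on the firewall
        r = s.post(url, data={"type": "op", "cmd": f"<show><jobs><id>{job}</id></jobs></show>"},
                   timeout=60)
        status, result = job_state(r.text)
        if status == "FIN":
            return result == "OK"
        time.sleep(10)
    raise TimeoutError(f"job {job} still running after {timeout_s}s")
```

Use an API key that belongs to an admin role limited to the XML API import and operational request permissions, and keep it out of the script file itself.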