Unable to contact updates.paloaltonetworks.com or staticupdates.paloaltonetworks.com

L4 Transporter

Hello,

 

I am unable to contact updates.paloaltonetworks.com or staticupdates.paloaltonetworks.com

 

Based on the following articles I should be able to ping the two addresses as part of my testing.

 

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/license-the-vm-serie...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZCCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJECA0  

 

I was unable to hit either address from any of my internal or external networks in the past 12 hours. This includes ping to the static address 199.167.52.15

 

I confirmed I could reach other sites successfully and use DNS to resolve but could not get a response from the two URLs listed above.

 

I have set the "Palo Alto Updates" service route to use the management interface on the device and it was my understanding that the management interface traffic is not affected by ACL & NAT policies like other interfaces, is that correct?

Cyber Elite

Hello,

That is not correct, you need NAT and security policies for the traffic from the management interface. If you look at the traffic logs, I bet they are getting denied or blocked.

Also don't decrypt the traffic or filter it, as it can break the session.

 

Hope that helps.

L7 Applicator

None of the update servers will respond to ping. I couldn't find anything in any of the documents you've referenced that says it would, so it may just be a misinterpretation.

 

As long as your DNS resolves correctly it should reach the server. So if you ping it from the firewall's CLI you won't get a reply but you will see the address resolve:

 

 

> ping host updates.paloaltonetworks.com
PING updates.inap.gslb.paloaltonetworks.com (199.167.52.141) 56(84) bytes of data.
^C
--- updates.inap.gslb.paloaltonetworks.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms

This shows DNS is resolving, which is what you're looking for. 

 

 

If you do a "request system software check" or "request content upgrade check" from the CLI but you don't get a response, make sure that your management interface traffic is going through a NAT device if it doesn't hit the firewall's dataplane interfaces. If it does hit the dataplane, make sure you've got a rule that will NAT and allow the traffic.
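
The reading of the ping transcript described in the reply above, as an added example that is not part of the original post or Palo Alto Networks tooling: it separates "name resolved but no ICMP reply" from a DNS failure. The function and constant names are hypothetical, and the "unknown host" line is an assumed Linux-style error format.

```python
import re

# Constructed sample: the ping transcript quoted in the reply above.
SAMPLE_RESOLVED = """\
PING updates.inap.gslb.paloaltonetworks.com (199.167.52.141) 56(84) bytes of data.
--- updates.inap.gslb.paloaltonetworks.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms
"""
# Constructed sample (assumed format): output when the name does not resolve.
SAMPLE_UNRESOLVED = "ping: unknown host updates.paloaltonetworks.com\n"

# "PING <canonical name> (<IPv4>)" is only printed once DNS has answered.
HEADER = re.compile(r"^PING (\S+) \((\d{1,3}(?:\.\d{1,3}){3})\)", re.M)
STATS = re.compile(r"(\d+) packets transmitted, (\d+) received")

# Next steps taken from the replies in this thread.
NEXT_STEP = {
    "dns-failure": "Fix DNS for the management interface first.",
    "incomplete": "Let ping finish or interrupt it so statistics are printed.",
    "resolved-no-icmp-reply": (
        "Expected for the update servers. Run 'request system software "
        "check' and review NAT/security rules for management traffic."
    ),
    "resolved-icmp-ok": "Host answers ICMP; test the update check itself.",
}


def triage_ping(transcript):
    """Return the verdict, resolved name/address and suggested next step."""
    header = HEADER.search(transcript)
    if header is None:
        verdict, name, address = "dns-failure", None, None
    else:
        name, address = header.group(1), header.group(2)
        stats = STATS.search(transcript)
        if stats is None:
            verdict = "incomplete"
        elif int(stats.group(2)) == 0:
            verdict = "resolved-no-icmp-reply"
        else:
            verdict = "resolved-icmp-ok"
    return {"verdict": verdict, "name": name, "address": address,
            "next_step": NEXT_STEP[verdict]}


if __name__ == "__main__":
    for sample in (SAMPLE_RESOLVED, SAMPLE_UNRESOLVED):
        print(triage_ping(sample))
```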

L3 Networker

Try this: uncheck 'Verify Update Server Identity' on the Device -> Setup -> Services tab, commit and check if it works.

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.