I am unable to contact updates.paloaltonetworks.com or staticupdates.paloaltonetworks.com
Based on the following articles I should be able to ping the two addresses as part of my testing.
I was unable to hit either address from any of my internal or external networks in the past 12 hours. This includes ping to the static address 188.8.131.52
I confirmed I could reach other sites successfully and use DNS to resolve but could not get a response from the two URLs listed above.
I have set the "Palo Alto Updates" service route to use the management interface on the device and it was my understanding that the management interface traffic is not affected by ACL & NAT policies like other interfaces, is that correct?
That is not correct, you need NAT and security policies for the traffic from the management interface. If you look at the traffic logs, I bet they are getting denied or blocked.
Also, don't decrypt the traffic or filter it, as it can break the session.
Hope that helps.
None of the update servers will respond to ping. I couldn't find anything in any of the documents you've referenced that says it would, so it may just be a misinterpretation.
As long as your DNS resolves correctly it should reach the server. So if you ping it from the firewall's CLI you won't get a reply but you will see the address resolve:
    > ping host updates.paloaltonetworks.com
    PING updates.inap.gslb.paloaltonetworks.com (184.108.40.206) 56(84) bytes of data.
    ^C
    --- updates.inap.gslb.paloaltonetworks.com ping statistics ---
    3 packets transmitted, 0 received, 100% packet loss, time 2014ms
This shows DNS is resolving, which is what you're looking for.
If you do a "request system software check" or "request content upgrade check" from the CLI but you don't get a response, make sure that your management interface traffic is going through a NAT device if it doesn't hit the firewall's dataplane interfaces. If it does hit the dataplane, make sure you've got a rule that will NAT and allow the traffic.
Try this: uncheck 'Verify Update Server Identity' on the Device -> Setup -> Services tab, commit and check if it works.