10-11-2018 02:46 PM
Hello,
I am unable to contact updates.paloaltonetworks.com or staticupdates.paloaltonetworks.com
Based on the following articles I should be able to ping the two addresses as part of my testing.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZCCA0
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClJECA0
I was unable to hit either address from any of my internal or external networks in the past 12 hours. This includes ping to the static address 199.167.52.15
I confirmed I could reach other sites successfully and use DNS to resolve but could not get a response from the two URLs listed above.
I have set the "Palo Alto Updates" service route to use the management interface on the device, and it was my understanding that the management interface traffic is not affected by ACL & NAT policies like other interfaces. Is that correct?
10-11-2018 02:54 PM - edited 10-11-2018 02:56 PM
Hello,
That is not correct, you need NAT and security policies for the traffic from the management interface. If you look at the traffic logs, I bet they are getting denied or blocked.
Also don't decrypt the traffic or filter it, as it can break the session.
Hope that helps.
10-11-2018 02:55 PM
None of the update servers will respond to ping. I couldn't find anything in any of the documents you've referenced that say it would, so it may just be a misinterpretation.
As long as your DNS resolves correctly it should reach the server. So if you ping it from the firewall's CLI you won't get a reply but you will see the address resolve:
> ping host updates.paloaltonetworks.com
PING updates.inap.gslb.paloaltonetworks.com (199.167.52.141) 56(84) bytes of data.
^C
--- updates.inap.gslb.paloaltonetworks.com ping statistics ---
3 packets transmitted, 0 received, 100% packet loss, time 2014ms
This shows DNS is resolving, which is what you're looking for.
If you do a "request system software check" or "request content upgrade check" from the CLI but you don't get a response, make sure that your management interface traffic is going through a NAT device if it doesn't hit the firewall's dataplane interfaces. If it does hit the dataplane, make sure you've got a rule that will NAT and allow the traffic.
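The distinction this reply draws (a failed ping proves nothing, DNS resolution plus a real connection to the server is what matters) can be checked from any host on the management network with a small script. The following is an added example written for this thread, not code from the original posts or from Palo Alto Networks. It resolves each update hostname and then attempts a TCP handshake instead of ICMP; it assumes the update service is reached over TCP 443 (HTTPS), which the thread does not state. The two hostnames come from the thread; the fake resolver and fake connector at the bottom are a constructed offline scenario so the classification logic can be exercised without network access.

```python
import socket
from dataclasses import dataclass, field

# Hostnames taken from the thread; the port is an assumption (HTTPS), not from the thread.
UPDATE_HOSTS = ("updates.paloaltonetworks.com", "staticupdates.paloaltonetworks.com")
UPDATE_PORT = 443


@dataclass
class CheckResult:
    host: str
    addresses: list = field(default_factory=list)
    reachable: bool = False
    detail: str = ""


def resolve(host, resolver=socket.getaddrinfo):
    """Resolve host to a sorted list of addresses; empty list if DNS fails."""
    try:
        infos = resolver(host, UPDATE_PORT, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(addr, port=UPDATE_PORT, timeout=5.0, connector=socket.create_connection):
    """(True, why) if a TCP handshake to addr:port completes. No ICMP involved."""
    try:
        sock = connector((addr, port), timeout=timeout)
    except OSError as exc:
        return False, str(exc)
    sock.close()
    return True, "TCP handshake completed"


def check_host(host, resolver=socket.getaddrinfo, connector=socket.create_connection):
    """Classify a host as: DNS failure, DNS ok but TCP blocked, or reachable."""
    addrs = resolve(host, resolver)
    if not addrs:
        return CheckResult(host, [], False,
                           "DNS failed: fix the DNS servers used by the management interface")
    for addr in addrs:
        ok, why = tcp_open(addr, connector=connector)
        if ok:
            return CheckResult(host, addrs, True, f"{addr}:{UPDATE_PORT} {why}")
    return CheckResult(host, addrs, False,
                       f"DNS ok ({', '.join(addrs)}) but TCP {UPDATE_PORT} blocked: "
                       "check the NAT and security rules that management traffic crosses "
                       "(no ICMP reply is expected and is not a fault)")


# --- constructed offline scenario: fake resolver and connector, for illustration only ---
FAKE_DNS = {
    "updates.paloaltonetworks.com": ["199.167.52.141"],   # address seen in the thread's ping output
    "staticupdates.paloaltonetworks.com": ["192.0.2.10"],  # constructed (RFC 5737 documentation range)
}
FAKE_OPEN_PORTS = {("199.167.52.141", 443)}  # only the first host "answers" on 443 in this scenario


def fake_resolver(host, port, proto=0):
    """Mimics socket.getaddrinfo for the names in FAKE_DNS; gaierror otherwise."""
    if host not in FAKE_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (a, port)) for a in FAKE_DNS[host]]


class _FakeSock:
    def close(self):
        pass


def fake_connector(address, timeout=None):
    """Mimics socket.create_connection: succeeds only for FAKE_OPEN_PORTS."""
    if address in FAKE_OPEN_PORTS:
        return _FakeSock()
    raise TimeoutError(f"timed out connecting to {address[0]}:{address[1]}")


def run_constructed_scenario():
    """Return {host: reachable} for the fake environment plus a name that does not resolve."""
    hosts = UPDATE_HOSTS + ("updates.invalid",)
    return {h: check_host(h, fake_resolver, fake_connector).reachable for h in hosts}


if __name__ == "__main__":
    for h in UPDATE_HOSTS:  # real checks against the live network using the socket defaults
        r = check_host(h)
        print(f"{r.host}: {'OK' if r.reachable else 'FAIL'} - {r.detail}")
```

Run it from a host that shares the management interface's path to the Internet. A "DNS failed" result points at the DNS settings on the management interface; "DNS ok but TCP blocked" points at the NAT and security rules the reply above describes, and a failed ping on its own is not evidence of either.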
10-11-2018 05:02 PM
Try this: uncheck 'Verify Update Server Identity' on the Device -> Setup -> Services tab, commit and check if it works.