Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ?

L1 Bithead


Since November we have not received any content updates from updates.paloaltonetworks.com. We changed the rules so every update server (including amazonws.com) was allowed.

Now the updates start, I see a successful connection to updates.paloaltonetworks.com, but the job remains in download state at 0%.

When I check the ms.log it shows:

--2012-12-19 14:04:56--  https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate

Resolving updates.paloaltonetworks.com... 199.167.52.13

Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.

WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':

  Self-signed certificate encountered.

HTTP request sent, awaiting response... 200 OK

Length: 4149 (4.1K) [text/xml]

Saving to: `/tmp/.contentinfo.xml.tmp'

     0K                                                      100% 4.91M=0.001s

2012-12-19 14:04:58 (4.91 MB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]

Does the warning about a self-signed certificate prevent the updates from being downloaded?

The brightcloud URL update works fine.


Accepted Solutions
L4 Transporter

Re: Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ?

The certificate verification messages should not cause an issue with connecting to the update server. We recently moved to using a CDN for the actual content downloads. You should modify your policies controlling outbound traffic to downloads.paloaltonetworks.com in addition to updates.paloaltonetworks.com.

We are working on updating the paloalto-updates application signature to include all update-related services. No ETA at this point but it is actively being worked on. Once that signature is current you can just allow that application to any destination in your security policies.

If you continue to have issues downloading I would suggest opening a support ticket so we can investigate further.

Thanks,

-- Kevin



All Replies
L1 Bithead

Re: Unable to download updates PAN OS 4.1.9 because of self signed certificate on updates.paloaltonetworks.com ?

Adding the downloads.paloaltonetworks.com worked fine.

Thanks for your help.
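
The triage this thread arrives at, as an added example that is not part of the original posts: a small parser for wget-style transcripts such as the ms.log excerpt above, which separates a certificate warning on a request that still completed from a request that never connected. The first sample request is a shortened copy of the posted log; the second request, its URL path and its IP address are constructed for illustration, as are the function names and verdict strings.

```python
import re

# Constructed sample. Request 1 is shortened from the posted ms.log excerpt;
# request 2 (path and 192.0.2.10 are hypothetical) shows a CDN fetch that is blocked.
SAMPLE_LOG = """\
--2012-12-19 14:04:56--  https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate
Resolving updates.paloaltonetworks.com... 199.167.52.13
Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.
WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/O=GoDaddy.com, Inc./CN=Go Daddy Secure Certification Authority':
  Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 4149 (4.1K) [text/xml]
2012-12-19 14:04:58 (4.91 MB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]
--2012-12-19 14:05:01--  https://downloads.paloaltonetworks.com/content/example-package
Resolving downloads.paloaltonetworks.com... 192.0.2.10
Connecting to downloads.paloaltonetworks.com|192.0.2.10|:443... failed: Connection timed out.
"""

START = re.compile(r"^--.+?--\s+https?://([^/\s]+)")
# wget logs WARNING when it continues without verification, ERROR when it aborts.
CERT = re.compile(r"^(WARNING|ERROR): cannot verify")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
SAVED = re.compile(r"saved \[(\d+)/(\d+)\]")

def parse_requests(text):
    """Split a wget transcript into one record per request."""
    requests = []
    for line in text.splitlines():
        if (m := START.match(line)):
            requests.append({"host": m.group(1), "connected": False,
                             "cert": None, "status": None, "complete": False})
        elif not requests:
            continue
        elif line.startswith("Connecting to") and line.rstrip().endswith("connected."):
            requests[-1]["connected"] = True
        elif (m := CERT.match(line)):
            requests[-1]["cert"] = m.group(1)
        elif (m := STATUS.search(line)):
            requests[-1]["status"] = int(m.group(1))
        elif (m := SAVED.search(line)):
            requests[-1]["complete"] = m.group(1) == m.group(2)
    return requests

def diagnose(req):
    """Classify one request record; verdict strings are this example's own."""
    if not req["connected"]:
        return "blocked-or-unreachable"   # check outbound policy for this host
    if req["cert"] == "ERROR":
        return "tls-verification-failed"
    if req["status"] == 200 and req["complete"]:
        return "ok-unverified-tls" if req["cert"] == "WARNING" else "ok"
    return "incomplete"
```
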
