12-19-2012 05:11 AM
Since November we have not received any content updates from updates.paloaltonetworks.com. We changed the rules so every update server (including amazonws.com) was allowed.
Now the updates start, I see a successful connection to updates.paloaltonetworks.com, but the job remains in download state at 0%.
When I check the ms.log it shows:
--2012-12-19 14:04:56-- https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate
Resolving updates.paloaltonetworks.com... 199.167.52.13
Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.
WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
Length: 4149 (4.1K) [text/xml]
Saving to: `/tmp/.contentinfo.xml.tmp'
0K 100% 4.91M=0.001s
2012-12-19 14:04:58 (4.91 MB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]
Does the warning about a self-signed certificate prevent the updates from being downloaded?
The brightcloud URL update works fine.
12-19-2012 07:59 AM
The certificate verification messages should not cause an issue with connecting to the update server. We recently moved to using a CDN for the actual content downloads. You should modify your policies controlling outbound traffic to downloads.paloaltonetworks.com in addition to updates.paloaltonetworks.com.
We are working on updating the paloalto-updates application signature to include all update-related services. No ETA at this point but it is actively being worked on. Once that signature is current you can just allow that application to any destination in your security policies.
If you continue to have issues downloading I would suggest opening a support ticket so we can investigate further.
Thanks,
-- Kevin
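Added example, not part of the original thread and not Palo Alto Networks code: a small parser for wget-style log output like the ms.log excerpt in the question, which separates a certificate warning on a completed transfer from a connection that never established. The second log entry, its `/placeholder` path and the 192.0.2.10 address are constructed for illustration.

```python
import re

# Abridged from the ms.log excerpt in the question (wget-style output).
PAGE_LOG = """\
--2012-12-19 14:04:56-- https://updates.paloaltonetworks.com/Updates/UpdateService.asmx/CheckForSignatureUpdate
Connecting to updates.paloaltonetworks.com|199.167.52.13|:443... connected.
WARNING: cannot verify updates.paloaltonetworks.com's certificate, issued by `/C=US/ST=Arizona/L=Scottsdale/O=GoDaddy.com, Inc./OU=http://certificates.godaddy.com/repository/CN=Go Daddy Secure Certification Authority/serialNumber=07969287':
Self-signed certificate encountered.
HTTP request sent, awaiting response... 200 OK
2012-12-19 14:04:58 (4.91 MB/s) - `/tmp/.contentinfo.xml.tmp' saved [4149/4149]
"""
# Constructed (not from the page): a wget-style entry for a connection that policy drops.
BLOCKED_LOG = """\
--2012-12-19 14:05:00-- https://downloads.paloaltonetworks.com/placeholder
Connecting to downloads.paloaltonetworks.com|192.0.2.10|:443... failed: Connection timed out.
"""

START = re.compile(r"^--\S+ \S+--\s+https?://([^/\s]+)")
STATUS = re.compile(r"awaiting response\.\.\. (\d{3})")
SAVED = re.compile(r"saved \[(\d+)/(\d+)\]")

def parse_requests(log_text):
    """Split a wget-style log into one record per request."""
    requests, cur = [], None
    for line in log_text.splitlines():
        if (m := START.match(line)):
            cur = {"host": m.group(1), "connected": False,
                   "cert_warning": False, "status": None, "saved": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif line.startswith("WARNING: cannot verify"):
            cur["cert_warning"] = True
        elif line.startswith("Connecting to") and line.endswith("connected."):
            cur["connected"] = True
        elif (m := STATUS.search(line)):
            cur["status"] = int(m.group(1))
        elif (m := SAVED.search(line)):
            cur["saved"] = (int(m.group(1)), int(m.group(2)))
    return requests

def verdict(req):
    """Classify one request: the certificate warning alone is not a failure."""
    if not req["connected"]:
        return "no connection (check outbound policy for this host)"
    done = req["saved"] is not None and req["saved"][0] == req["saved"][1]
    if req["status"] == 200 and done:
        return "transfer ok, certificate unverified" if req["cert_warning"] else "transfer ok"
    return "connected but transfer incomplete"
```

Calling `verdict()` on each record from `parse_requests(PAGE_LOG + BLOCKED_LOG)` reports the update check as a completed transfer with an unverified certificate and the constructed download entry as a connection failure.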
12-19-2012 11:57 PM
Adding the downloads.paloaltonetworks.com worked fine.
Thanks for your help.