Unable to get PA-500 online


L2 Linker

Hi folks,

We recently acquired a PA-500 and are having some issues getting it online. The guys we bought it from aren't available for installation for about 3 weeks - and we can't wait that long.
Our plan is to at least get the VPN going (our previous VPN gave out last week, so it's somewhat important to get this up and running asap).

What we've done so far is to follow the Quick Start and set up according to the "Option C Layer 3 Deployment".

Heading over to Network-Interfaces I see our trusted and untrusted port in a green "link state" - apparently that's a little deceiving, since I'm getting:

"Failed to check upgrade info due to generic communication error. Please check network connectivity and try again"
when clicking "Check Now" under Device-Software.

Have I started out wrong, or have I just missed something?

Most likely I've left out key details, if so, ask away, and you shall receive

Appreciate any help I get!

Thanks

Martin


7 REPLIES

L7 Applicator

Hello Martin,

The PAN firewall will try to get updates through its management interface (by default). So, we need to verify the parameters mentioned below. I have commonly seen the above-mentioned error due to a DNS issue.

1. Management interface configured with correct IP and gateway.

2. DNS server address configured correctly, because it will try to communicate with a DNS server to resolve updates.paloaltonetworks.com.

[Screenshot: Service-route.JPG]

3. Verify the DNS functionality; please try to ping:

PAN> ping host google.com

4. Before you click the "Check Now" button, please open the CLI of that firewall and run the command below.

> tail follow yes mp-log ms.log

It will show the reason for the failure.

Thanks

L7 Applicator

Hello Martin,

Could you please also update us on whether you have a dedicated management interface connected to another L3 device, or whether you are trying to reach the update server through a data-plane service route?

[Screenshot: Service-route-1.JPG]

Thanks

Hello HULK,

Thanks for replying.

1. This is currently default - 192.168.1.1, but the gateway is empty.
2. Had these set to our own DNS servers, changed to 4.2.2.2 and 8.8.8.8
3.

Hello,
Yeah, it's set to "use management interface for all".

Hello,

Why is the default gateway empty? Either you should have connectivity to the update server through the management interface, or else you have to select your data-plane interface to reach it.

For example, if your untrust (ISP-facing) interface is ethernet-1/5:

[Screenshot: Service-route-2.JPG]

Next, try to reach your DNS server:

PAN> ping host 4.2.2.2

Once you are able to reach it successfully, then try to reach the Palo Alto update server.

PAN> ping host updates.paloaltonetworks.com

Thanks

Hi,

Beats me. It was defaulted like this - anyway it was successful

Thank you very much for your assistance


BR
Martin

Thanks Martin.