I am trying to capture all the logs related to any upgrade and downgrade. I understand the firewalls download the firmware from updates.paloaltonetworks.com. This then points to the nearest PA Server to download the code from the CND infrastructure.
My requirement is to have a log generated indicating the "EXACT" URL the firewall/panorama would use to download the request code.
How can I accomplish this?
@mk245v By default, the firewall will use “updates.paloaltonetworks.com” for software updates and licensing. You are right that this will point to nearest server, but it is done by resolving the URL to the nearest server IP. The actual URL will not change.
@mk245v Sorry, did not quite get what you are trying to do. I will not ask why do you need it, but it is interesting question and it can be done.
As the traffic to the update servers is encrypted, normally in your logs you only see https traffic to “updates.paloaltonetworks.com”. To log what is happening in the session, including the detailed URL information, you need to enable SSL decryption on the traffic from the firewall to the update servers.
Some of the Palo Alto update services are excluded from decryption, however updates.paloaltonetworks.com is not. You will need to disable “Verify Update Server Identity” and ensure that your decryption certificate is also “Trusted Root CA Certificate”
I tested it on my lab device and it works ok. You do not see the exact file name in the URL logs, but this is how the application works. I could capture the full session to the updates server, including the URL the firewall connects to, etc .
Let me be specific. We manage about 100(ish) firewalls via Panorama. These are in different geographies. Hence we do not use the code from Panorama and depend on the nearest code for the firewalls to download. I am writing a shell/python script that will corelate these downloads for some custom reporting to my mgmt. Hence the need of the "specific" URL. I need to work within some limitations and not allowed to modify much.
@mk245v If you want something that specific and you trying to reverse engineer it, maybe the best will be to address your local Palo Alto SE, who may be able to give you more inside information of how the upgrade process works.
My guess is that Palo Aro are probably using AWS to host the update with technologies like CloudFront to manage the content delivery, so the download IPs and the file paths will be constantly changing.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The Live Community thanks you for your participation!