Tips & Tricks: How to Get Updates From the Internet Without Internet Access

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Community Team Member

update-no-internet-access_paloaltonetworks.jpg

 

Special shoutout to Cyber Elite @reaper for his contribution to this blog! 

 

This scenario might sound familiar to you: You've just set up your new firewall in your datacenter and you're doing your due diligence — configuring your management interface, setting up the appropriate DNS and adding NTP servers for good measure — to ensure the system runs on standardized time. Now, you need to download the latest PAN-OS image and content packages. But alas, the internet connection fails. The management interface is located on an out-of-band network and has no direct access to the internet.

 

You might try your trusty "black ops" USB stick, find an evasive way around the network restrictions with some creative cabling, or simply unrack the whole thing and drag it back to your desk to continue the prep from there. But there's an easier way! 

 

Avoid all that mess with Service RoutesThis cool feature makes certain services use a dataplane interface (instead of the management interface). DP interfaces are connected to the update/remediation/guest network or even directly to the internet and aren't blocked by the out-of-band network limitations.

 

Typically, any service used by the management plane will use the dedicated management port and its own default gateway to reach a resource. For example, a DNS lookup to resolve the updates server and the connection to retrieve the content packages. The dataplane interfaces and Virtual Router never come into play for any connections made by the system.

 

Device > Setup > InterfacesDevice > Setup > Interfaces

 

 

A service route will direct the selected service over a dataplane interface of your choosing. 

 

Under the Device tab > Setup > Services > Service Route Configuration you can opt to customize the service routes and then pick any service you need and change it to a different source. 

 

Device > Setup > Services > Service Route ConfigurationDevice > Setup > Services > Service Route Configuration

 

 

 

You can even change the default source for a destination IP address rather than a specific service.

 

Device > Setup > Services > Service Route Configuration > DestinationDevice > Setup > Services > Service Route Configuration > Destination

 

 

NOTE: If you're using a dataplane interface instead of the management interface, don't forget to configure the necessary security policies and NAT rules!

 

With this cool little trick up your sleeve that black-ops USB stick or shady evasion techniques mentioned earlier should be a thing of the past 🙂.

 

Are you using service routes in your setup?

Feel free to share your questions, comments and ideas in the section below.

 

Thank you for taking time to read this blog.

Don't forget to hit the Like (thumbs up) button and to Subscribe to the LIVEcommunity Blog area.

 

Kiwi out!

  • 3388 Views
  • 0 comments
  • 4 Likes
Register or Sign-in
Labels
Top Liked Authors