Overview
This document explains how to perform updates when the management interface does not have a public IP address and the untrust interface gets its IP address as a DHCP client. If the management interface does not have internet access, configure a service route to perform dynamic updates and software upgrades. When the device is in its initial stages, the management interface does not have access to the internet, and one of the interfaces is configured as a DHCP client.
Only static IP addresses can be used for service routes, so the DHCP client interface cannot be used as the source. To configure service routes and perform upgrades, configure a loopback interface in a trust zone.
Once the loopback interface is configured, configure a service route pointing to the loopback interface. Go to Device > Services > Service Route Configuration.
After performing a commit, go to Device > Software/Dynamic Updates > Check Now. The Palo Alto Networks firewall should now be able to communicate with the update server, updates.paloaltonetworks.com.
The resulting sessions should be visible in the traffic logs.
Note: An appropriate security policy and source NAT policy must be enabled.
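The check below is an added example, not part of the original article or any Palo Alto Networks tooling: it audits an exported configuration for service routes whose source interface is a DHCP client, or whose source address is not configured on that interface. The XML element layout, the interface names, the address 10.10.10.1/32 and the service names in the sample are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed excerpt shaped like an exported PAN-OS configuration (layout is an assumption).
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain">
  <network><interface>
    <ethernet>
      <entry name="ethernet1/1"><layer3><dhcp-client><enable>yes</enable></dhcp-client></layer3></entry>
    </ethernet>
    <loopback><units>
      <entry name="loopback.1"><ip><entry name="10.10.10.1/32"/></ip></entry>
    </units></loopback>
  </interface></network>
  <deviceconfig><system><route><service>
    <entry name="paloalto-updates"><source><interface>loopback.1</interface><address>10.10.10.1/32</address></source></entry>
    <entry name="dns"><source><interface>ethernet1/1</interface></source></entry>
  </service></route></system></deviceconfig>
</entry></devices></config>
"""

def interface_addressing(root):
    """Map interface name -> ("dhcp", []) or ("static", [configured addresses])."""
    table = {}
    for eth in root.iterfind(".//network/interface/ethernet/entry"):
        if eth.find("layer3/dhcp-client") is not None:
            table[eth.get("name")] = ("dhcp", [])
        else:
            table[eth.get("name")] = ("static", [ip.get("name") for ip in eth.iterfind("layer3/ip/entry")])
    for lo in root.iterfind(".//network/interface/loopback/units/entry"):
        table[lo.get("name")] = ("static", [ip.get("name") for ip in lo.iterfind("ip/entry")])
    return table

def audit_service_routes(xml_text):
    """Return (service, interface, problem) for every service route that cannot work as configured."""
    root = ET.fromstring(xml_text)
    table = interface_addressing(root)
    findings = []
    for svc in root.iterfind(".//deviceconfig/system/route/service/entry"):
        iface = svc.findtext("source/interface")
        mode, addrs = table.get(iface, ("unknown", []))
        if mode == "dhcp":
            findings.append((svc.get("name"), iface, "source interface is a DHCP client"))
        elif mode == "unknown":
            findings.append((svc.get("name"), iface, "source interface not found"))
        elif svc.findtext("source/address") not in addrs:
            findings.append((svc.get("name"), iface, "source address is not configured on the interface"))
    return findings

if __name__ == "__main__":
    for finding in audit_service_routes(SAMPLE_CONFIG):
        print(finding)
```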