Palo Alto Networks Knowledgebase: Unable to download PAN-OS Images when the firewall is behind another security device

Unable to download PAN-OS Images when the firewall is behind another security device

2019
Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:41 PM
Resolution

Issue

You are able to click 'Check now' on the software page under Device > Software. However, when you click 'download' to download a new software image, nothing happens, or you get an error about timeout.

We are assuming the topology looks similar to this:

 

Trust/DMZ > Palo Alto Networks firewall > Firewall/Proxy > Internet

 

Cause

The issue may be occurring because updates.paloaltonetworks.com are being forwarded to Content Delivery Networks (CDN) such as a23-4-1-166.deploy.static.akamaitechnologies.com. Although CDN IPs are typically dynamic as well, with servers that host content and respond based on lowest latency.

 

Resolution

On the other security device that is in front of the Palo Alto Networks device, traffic from the Palo Alto Networks firewall needs to be allowed to access downloads.paloaltonetworks.com as well as the CDN category if the device (Firewall/Proxy) has the capability to do that. 

 

 

 



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClvfCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language