Palo Alto Networks Knowledgebase: Unable to download PAN-OS Images when the firewall is behind another security device
Unable to download PAN-OS Images when the firewall is behind another security device
Created On 02/07/19 23:40 PM - Last Updated 02/07/19 23:41 PM
You are able to click 'Check now' on the software page under Device > Software. However, when you click 'download' to download a new software image, nothing happens, or you get an error about timeout.
We are assuming the topology looks similar to this:
Trust/DMZ > Palo Alto Networks firewall > Firewall/Proxy > Internet
The issue may be occurring because updates.paloaltonetworks.com are being forwarded to Content Delivery Networks (CDN) such as a23-4-1-166.deploy.static.akamaitechnologies.com. Although CDN IPs are typically dynamic as well, with servers that host content and respond based on lowest latency.
On the other security device that is in front of the Palo Alto Networks device, traffic from the Palo Alto Networks firewall needs to be allowed to access downloads.paloaltonetworks.com as well as the CDN category if the device (Firewall/Proxy) has the capability to do that.