Configuration for update server when static update server is used in Firewall and Panorama
- Dynamic Content Updates service is a subscription service that provides protection again newly seen threats.
- By default, the content update URL is provided under Device-> setup -> services-> update server has a fixed URL "updates.paloaltonetworks.com". The URL will resolve to different IP addresses as the update servers are located across different geographical locations for faster content delivery.
- If an organization wants to restrict the updates to only a single Known IP address they can use a fixed URL "staticupdates.paloaltonetworks.com" can be used in place of updates.paloaltonetworks.com".
- Update Server should never use IP address- by doing so, SSL verification to our servers is disabled which exposes them to a man-in-the-middle attack.
- The article provides configuration guidelines for any Firewall or Panorama wanting to use "staticupdates.paloaltonetworks.com"
NOTE: These changes are effective immediately.
- Any PAN-OS.
- Threat protection license.
- Any Firewall or Panorama.
- For the Firewalls or appliances that connect from outside mainland China and want to continue using the dynamic content server, use the URL "updates.paloaltonetworks.com"
On the Firewalls or appliances that connect from mainland China, modify the URL from "
staticupdates.paloaltonetworks.com" to "updates.paloaltonetworks.cn"
On the Firewalls or appliances that have access to outbound traffic restricted by IP, Use the URL “us-static.updates.paloaltonetworks.com".
NOTE: Avoid using an IP address instead of a URL. Doing so will break the SSL/TLS SNI verification.
- If the Firewall needs to connect to the static update server using outbound Security Policy to limit the IP addresses available for updates, then implement the following change.
us-static.updates.paloaltonetworks.com - 22.214.171.124:443 (ipv4) , [2600:1901:0:669::]:443 (ipv6)
static.itpdownloads.paloaltonetworks.com - 126.96.36.199:443 (ipv4) , [2600:1901:0:5162::]:443 (ipv6)
Allow the current IPv4 address 188.8.131.52:443 as this IPv4 address is valid until July 31st, 2021.
- If any connection issues are found, try the following:
- Continue utilizing "staticupdates.paloaltonetworks.com" until July 31st, 2021 as we will support this server for an easy transition.
- Allow IP address 184.108.40.206.
- Open a support case
- Install Content Updates document describes how to install content updates in detail.
- The article What are the additional IP address when you chose to connect only to static updates provides information about the additional addresses used for a content update.
- Steps are illustrated in the flow diagram below to help make correct choices.