Configuration for update server when static update server is used in Firewall
216007
Created On 03/23/21 01:41 AM - Last Modified 09/07/23 17:25 PM
Objective
Background:
- Dynamic Content Updates is a subscription service that provides protection against newly seen threats.
- By default, the update server URL under Device > Setup > Services > Update Server is the fixed URL "updates.paloaltonetworks.com". This URL resolves to different IP addresses because the update servers are spread across geographical locations for faster content delivery.
Summary of the Objective: download the dynamic content from a fixed address.
- The update server must never be configured with an IP address: doing so disables SSL verification to our servers and exposes the connection to a man-in-the-middle attack.
- This article provides configuration guidelines for any Firewall or Panorama that uses "staticupdates.paloaltonetworks.com" under Setup > Services > Update Server.
NOTE: These changes are effective immediately.
Environment
- Any PAN-OS.
- Threat protection license.
- Any Firewall.
Procedure
Following are configuration steps based on the location of the Firewall or internal access restrictions.
- For Firewalls or appliances that connect from outside mainland China and want to continue using the dynamic content server, use the URL "updates.paloaltonetworks.com".
- On Firewalls or appliances that connect from mainland China, modify the URL from "staticupdates.paloaltonetworks.com" to "updates.paloaltonetworks.cn".
- On Firewalls or appliances whose outbound traffic is restricted by IP, use the URL "us-static.updates.paloaltonetworks.com".
NOTE: Avoid using an IP address instead of a URL. Doing so will break the SSL/TLS SNI verification.
- If the Firewall connects to the static update server through an outbound Security Policy that limits the IP addresses allowed for updates, implement the following change:
  (a) Allow the following destinations:
      us-static.updates.paloaltonetworks.com - 35.186.202.45:443 (ipv4) , [2600:1901:0:669::]:443 (ipv6)
      static.itpdownloads.paloaltonetworks.com - 34.120.74.244:443 (ipv4) , [2600:1901:0:5162::]:443 (ipv6)
  (b) AND allow the current IPv4 address 199.167.52.15:443, as this IPv4 address is valid until July 31st, 2021.
- If any connection issues are found, try the following:
- Continue utilizing "staticupdates.paloaltonetworks.com" until July 31st, 2021 as we will support this server for an easy transition.
- Allow IP address 199.167.52.15.
- Open a support case
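The following Python script is an added example for checking the points above; it is not part of this article and not Palo Alto Networks code. It parses the allowlist lines exactly as written in the article, flags an update-server value that is an IP literal (the configuration the article says breaks SNI and certificate verification), reports any address the static FQDN resolves to that is missing from the allowlist (the usual cause of failed updates once outbound policy is locked down), and performs a TLS handshake to an allowlisted IP while still verifying the certificate against the FQDN. The addresses are those listed in the article as of its date; all function names are the example's own, and only the resolve and TLS steps need network access.

```python
"""Defender-side checks for a PAN-OS static update server configuration (added example)."""
import ipaddress
import re
import socket
import ssl
from typing import Dict, List, Set, Tuple

# Constructed input: the article's own "fqdn - ip:port (ipv4) , [ip]:port (ipv6)" lines.
# Re-check the vendor's CDN infrastructure page before relying on these values.
STATIC_UPDATE_ENDPOINTS = """
us-static.updates.paloaltonetworks.com - 35.186.202.45:443 (ipv4) , [2600:1901:0:669::]:443 (ipv6)
static.itpdownloads.paloaltonetworks.com - 34.120.74.244:443 (ipv4) , [2600:1901:0:5162::]:443 (ipv6)
"""

# Matches "35.186.202.45:443" as well as "[2600:1901:0:669::]:443".
_ENDPOINT_RE = re.compile(r"\[?([0-9A-Fa-f:.]+)\]?:(\d+)")


def parse_endpoints(text: str) -> Dict[str, Set[Tuple[str, int]]]:
    """Parse allowlist lines into {fqdn: {(ip, port), ...}} with normalised addresses."""
    endpoints: Dict[str, Set[Tuple[str, int]]] = {}
    for line in text.splitlines():
        if " - " not in line:
            continue
        fqdn, rest = line.split(" - ", 1)
        pairs: Set[Tuple[str, int]] = set()
        for ip, port in _ENDPOINT_RE.findall(rest):
            # ip_address() normalises so "2600:1901:0:669::" and its expanded form compare equal.
            pairs.add((str(ipaddress.ip_address(ip)), int(port)))
        endpoints[fqdn.strip()] = pairs
    return endpoints


def check_update_server_setting(value: str) -> List[str]:
    """Findings for the value given to 'set deviceconfig system update-server'."""
    findings: List[str] = []
    try:
        ipaddress.ip_address(value.strip("[]"))
        findings.append("update-server is an IP literal: no SNI is sent and the certificate "
                        "hostname cannot be verified, so the session is exposed to MITM")
    except ValueError:
        pass
    if not findings and not re.fullmatch(r"[A-Za-z0-9.-]+", value):
        findings.append("update-server is not a valid hostname")
    return findings


def unexpected_addresses(fqdn: str, resolved: List[str],
                         endpoints: Dict[str, Set[Tuple[str, int]]]) -> List[str]:
    """Addresses the FQDN resolved to that a policy built from the allowlist would block."""
    allowed = {ip for ip, _port in endpoints.get(fqdn, set())}
    seen = {str(ipaddress.ip_address(a)) for a in resolved}
    return sorted(ip for ip in seen if ip not in allowed)


def resolve(fqdn: str) -> List[str]:
    """Live A/AAAA lookup of the FQDN; needs network access."""
    infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def tls_subject_names(fqdn: str, ip: str, port: int = 443) -> List[str]:
    """Handshake with an allowlisted IP while verifying the certificate against the FQDN.

    server_hostname supplies SNI and drives hostname verification; this is exactly the
    verification that is lost when the update server itself is configured as an IP.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    with socket.create_connection((ip, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    return [name for kind, name in cert.get("subjectAltName", ()) if kind == "DNS"]


if __name__ == "__main__":
    endpoints = parse_endpoints(STATIC_UPDATE_ENDPOINTS)
    for fqdn, pairs in endpoints.items():
        live = resolve(fqdn)
        extra = unexpected_addresses(fqdn, live, endpoints)
        print(fqdn, "resolves to", live, "| not in allowlist:", extra or "none")
        ipv4 = next(ip for ip, _ in pairs if ":" not in ip)
        print("  certificate SANs via", ipv4, ":", tls_subject_names(fqdn, ipv4))
```

Run it from a host that uses the same resolver as the firewall; a non-empty "not in allowlist" result means the outbound Security Policy from the article needs the new address before updates will succeed, and a handshake error from tls_subject_names means verification, not reachability, is the problem.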
Additional Information
- The Install Content Updates document describes how to install content updates in detail.
- Content Delivery Network Infrastructure IP/FQDNs (including Static IP's)
- Steps are illustrated in the flow diagram below to help make correct choices.
Note: The CLI commands to set the update server are as follows (replace <update-server-name> with the FQDN chosen above):
> set cli config-output-format set
> configure
# set deviceconfig system update-server <update-server-name>
# commit
# exit