Configuration for update server when static update server is used in Firewall and Panorama

Created On 03/23/21 01:41 AM - Last Modified 07/22/21 23:38 PM


Objective
  • The Subscription Service for Dynamic Content Updates provides protection against newly seen threats. By default, the URL "updates.paloaltonetworks.com" is used to provide these updates. The dynamic updates come from update servers located across different geographical locations, so updates are received from different IP addresses.
  • When an organization wants to restrict the updates to a single known IP address, "staticupdates.paloaltonetworks.com" can be used instead of the dynamic selection of IP addresses from "updates.paloaltonetworks.com".
  • The update server should never be set to an IP address. Doing so disables SSL verification to our servers, which exposes the connection to a man-in-the-middle attack.
  • This article provides configuration guidelines for any Firewall or Panorama wanting to use "staticupdates.paloaltonetworks.com".


NOTE: These changes are effective immediately.


 



Environment
  • Any PAN-OS.
  • Threat protection license.
  • Any Firewall or Panorama.


Procedure
Following are configuration steps based on the location of the Firewall/Panorama or internal access restrictions. 
 
  1. For Firewalls or appliances that connect from outside mainland China and want to continue using the dynamic content server, use the URL "updates.paloaltonetworks.com".

  2. On Firewalls or appliances that connect from mainland China, modify the URL from "staticupdates.paloaltonetworks.com" to "updates.paloaltonetworks.cn".

  3. On Firewalls or appliances whose outbound traffic is restricted by IP, use the URL "us-static.updates.paloaltonetworks.com".

NOTE: Avoid using an IP address instead of a URL. Doing so will break the SSL/TLS SNI verification.

  4. If the Firewall needs to connect to the static update server using an outbound Security Policy to limit the IP addresses available for updates, then implement the following change.
     (a) Allow these IPv4 or IPv6 addresses:
         35.186.202.45:443 and 34.120.74.244:443
         or
         [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
     (b) AND allow the current IPv4 address 199.167.52.15:443, as this IPv4 address is valid until July 31st, 2021.

  5. If any connection issues are found, try the following:
  • Continue utilizing "staticupdates.paloaltonetworks.com" until July 31st, 2021, as we will support this server for an easy transition.
  • Allow IP address 199.167.52.15.
  • Open a support case.
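
The checks in the procedure above can be run against an exported configuration before a change is committed. The following Python code is an added example, not Palo Alto Networks code: it flags an update server set to an IP literal or to a hostname the article does not name, and compares an outbound allowlist with the static addresses from step (a). It assumes a configuration exported in "set" format with lines of the form `set deviceconfig system update-server <value>`; the function names are hypothetical and the sample configuration is constructed.

```python
import ipaddress
import re

# Hostnames and static addresses copied from the article text.
KNOWN_HOSTS = {"updates.paloaltonetworks.com", "staticupdates.paloaltonetworks.com",
               "us-static.updates.paloaltonetworks.com", "updates.paloaltonetworks.cn"}
STATIC_V4 = {"35.186.202.45", "34.120.74.244"}
STATIC_V6 = {"2600:1901:0:669::", "2600:1901:0:5162::"}
# 199.167.52.15 is left out: the article lists it as valid only until July 31st, 2021.

# Assumption: configuration exported in "set" format, one setting per line.
UPDATE_RE = re.compile(r"^set deviceconfig system update-server (\S+)$")

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
set deviceconfig system hostname fw-example
set deviceconfig system update-server 35.186.202.45
"""

def is_ip_literal(value):
    """True if value is an IPv4 or IPv6 literal, with or without [brackets]."""
    try:
        ipaddress.ip_address(value.strip("[]"))
        return True
    except ValueError:
        return False

def audit_update_server(config_text):
    """Return findings for every update-server line in the configuration."""
    values = [m.group(1).strip('"') for line in config_text.splitlines()
              if (m := UPDATE_RE.match(line.strip()))]
    if not values:
        return ["update-server not set: default updates.paloaltonetworks.com applies"]
    findings = []
    for v in values:
        if is_ip_literal(v):
            findings.append(f"{v}: IP literal, SSL/TLS verification of the server breaks")
        elif v.lower() not in KNOWN_HOSTS:
            findings.append(f"{v}: hostname is not one of those named in the article")
    return findings

def allowlist_gaps(allowed_ips):
    """Static-server addresses still missing from an outbound allowlist.
    A complete IPv4 pair or a complete IPv6 pair is enough, as in step (a)."""
    allowed = {ipaddress.ip_address(a) for a in allowed_ips}
    v4 = {ipaddress.ip_address(a) for a in STATIC_V4} - allowed
    v6 = {ipaddress.ip_address(a) for a in STATIC_V6} - allowed
    return set() if not v4 or not v6 else {str(a) for a in v4 | v6}
```

Calling `audit_update_server(SAMPLE_CONFIG)` reports the IP-literal setting in the sample; an empty list means the configured value is one of the hostnames from this article.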

 


