Configuration for update server when static update server is used in Firewall


261019
Created On 03/23/21 01:41 AM - Last Modified 10/29/25 12:51 PM


Objective

Background:

  • Dynamic Content Updates: a subscription service that delivers timely updates offering comprehensive protection across the threat landscape, safeguarding you from legacy and evolving threats.
  • By default, the content update URL under Device > Setup > Services > Update Server is the fixed URL "updates.paloaltonetworks.com". This URL resolves to different IP addresses because the update servers are located in different geographical regions for faster content delivery.


Summary of the Objective: download the dynamic content from a fixed address.

  • The Update Server configuration must be hostname-based. Connecting via an IP address circumvents SSL/TLS certificate validation, leaving the connection vulnerable to MITM attacks.
  • This article provides configuration guidelines for any Firewall or Panorama to use "staticupdates.paloaltonetworks.com" under Setup > Services > Update Server.

NOTE: These changes are effective immediately.

Environment


  • Any PAN-OS.
  • Threat protection license.
  • Any Firewall.


Procedure


Following are the configuration steps, based on the location of the Firewall or on internal access restrictions.

  1. For Firewalls or appliances that connect from outside mainland China and want to continue using the dynamic content server, use the URL "updates.paloaltonetworks.com".
     (Screenshot: update server configuration)

  2. On Firewalls or appliances that connect from mainland China, modify the URL from "staticupdates.paloaltonetworks.com" to "updates.paloaltonetworks.cn".

  3. On Firewalls or appliances whose outbound traffic is restricted by IP, use the URL "us-static.updates.paloaltonetworks.com".

NOTE: Avoid using an IP address instead of a URL. Doing so will break the SSL/TLS SNI verification.

  4. If the Firewall needs to connect to the static update server through an outbound Security Policy that limits the IP addresses available for updates, implement the following change:
     (a) Allow these IPv4 or IPv6 addresses:
         us-static.updates.paloaltonetworks.com - 35.186.202.45:443 (IPv4), [2600:1901:0:669::]:443 (IPv6)
         static.itpdownloads.paloaltonetworks.com - 34.120.74.244:443 (IPv4), [2600:1901:0:5162::]:443 (IPv6)
     (b) AND allow the current IPv4 address 199.167.52.15:443, as this IPv4 address is valid until July 31st, 2021.

  5. If any connection issues are found, try the following:
     • Continue using "staticupdates.paloaltonetworks.com" until July 31st, 2021, as we will support this server for an easy transition.
     • Allow IP address 199.167.52.15.
     • Open a support case.
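As an added example (not code from the article or from Palo Alto Networks), a small Python check that applies the rules above: it flags an IP literal in the update-server value, which bypasses SNI and certificate hostname validation, builds the (address, port) allow-list from the addresses listed in the Security Policy step, and emits the CLI sequence shown under Additional Information. The hostnames and addresses are the ones on this page; the function names and the port-stripping helper are assumptions of the example.

```python
import ipaddress
from datetime import date

# Added example (not PAN-OS code). Hostnames/addresses are those listed in this article.
STATIC_HOSTS = {
    "us-static.updates.paloaltonetworks.com": ["35.186.202.45", "2600:1901:0:669::"],
    "static.itpdownloads.paloaltonetworks.com": ["34.120.74.244", "2600:1901:0:5162::"],
}
DYNAMIC_HOSTS = {"updates.paloaltonetworks.com", "updates.paloaltonetworks.cn"}
LEGACY_HOST = "staticupdates.paloaltonetworks.com"   # supported until 2021-07-31
LEGACY_IP = "199.167.52.15"                          # valid until 2021-07-31
LEGACY_EXPIRY = date(2021, 7, 31)

def _strip_port(value: str) -> str:
    """Drop an optional :port suffix; handles bracketed IPv6 such as [v6]:443."""
    value = value.strip()
    if value.startswith("[") and "]" in value:
        return value[1:value.index("]")]
    if value.count(":") == 1:            # host:port, not a bare IPv6 literal
        return value.rsplit(":", 1)[0]
    return value

def classify_update_server(value: str) -> str:
    """'ip-literal' means TLS SNI/certificate hostname validation would be skipped."""
    host = _strip_port(value)
    try:
        ipaddress.ip_address(host)
        return "ip-literal"
    except ValueError:
        pass
    if host in STATIC_HOSTS:
        return "static"
    if host in DYNAMIC_HOSTS:
        return "dynamic"
    return "legacy-static" if host == LEGACY_HOST else "unknown-hostname"

def allowlist(today: date) -> list[tuple[str, int]]:
    """(address, port) pairs an outbound policy must permit for the static server."""
    entries = [(ip, 443) for ips in STATIC_HOSTS.values() for ip in ips]
    if today <= LEGACY_EXPIRY:           # transitional IPv4 address expires
        entries.append((LEGACY_IP, 443))
    return entries

def cli_commands(hostname: str) -> list[str]:
    """The CLI sequence from the article's Additional Information, refusing IP literals."""
    if classify_update_server(hostname) == "ip-literal":
        raise ValueError("update-server must be a hostname, not an IP address")
    return ["set cli config-output-format set", "configure",
            f"set deviceconfig system update-server {hostname}", "commit", "exit"]
```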

Additional Information


(Figure: flow chart)

Note: The CLI commands to set the update server are as follows:
> set cli config-output-format set
> configure
# set deviceconfig system update-server <update-server-name>
# commit
# exit


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000001UtRCAU&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail