What are the IP addresses when you want to limit the IPs available for updates for static update server is used

What are the IP addresses when you want to limit the IPs available for updates for static update server is used

Created On 03/23/21 15:55 PM - Last Modified 09/22/22 17:19 PM


How does the update process work? Why we need additional IP addresses when you choose to allow the firewall to connect to only static updates using an outbound security policy?

  • All PAN-OS
  • Threat protection license
  • Firewall or Panorama 

If you choose to allow the firewall to connect only to the static updates using an outbound Security policy rule that limits the IP addresses available for updates, then you must implement the following change in your security policy:
  • Allow these IPv4 Or IPv6 addresses:
    • and 
    • Or [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
Why we need to set the two IPs, as the update process is a two-step process as defined below.
  • The appliance "phones home" to determine if there is an available update.
  • If there is an available update, a URL is provided that directs the appliance to download the content update.
In the case of Static Updates, because the content is hosted in the same place as our infrastructure, only one IP address is required. However, with the new solution, there are now four IP addresses that need to allow:
  • There is one IP address for the first step to obtaining metadata and another IP address for the actual content location to download. The download process is hosted by a separate backend server, which requires you to use a different IP address.
  • If you would like to choose IPv6 addressing, you can choose IPv4, IPv6, or both sets of IP addresses based on their requirements.
  • These IPs need to be allowed through your Firewall if data ports are used to download the content. 

Additional Information

Question 2: 
What security controls are in place for this solution?

Here is a description of the security controls for our new updated static updates solution:

  • All traffic passes through our Palo Alto Networks managed firewalls. 
  • Access to the updates environment is limited to the IT infrastructure team.
  • All downloaded content uses signed URLs, and the IT infrastructure team manages the keys. 
  • All of our content packages are signed for integrity-checking purposes.
  • All of the services are SOC2 Type 2 compliant.


Note: Please check this article for more information on static update configuration.  

  • Print
  • Copy Link