What are the IP addresses to allow when you limit the IPs available for updates and the static update server is used?
Created On 03/23/21 15:55 PM - Last Modified 09/22/22 17:19 PM
Question
How does the update process work? Why are additional IP addresses needed when you choose to allow the firewall to connect only to the static update servers using an outbound Security policy rule?
Environment
- All PAN-OS
- Threat protection license
- Firewall or Panorama
Answer
If you choose to allow the firewall to connect only to the static updates using an outbound Security policy rule that limits the IP addresses available for updates, then you must implement the following change in your Security policy:
- Allow these IPv4 or IPv6 addresses:
  - 35.186.202.45:443 and 34.120.74.244:443
  - Or [2600:1901:0:669::]:443 and [2600:1901:0:5162::]:443
- The appliance "phones home" to determine if there is an available update.
- If there is an available update, a URL is provided that directs the appliance to download the content update.
- One IP address serves the first step, obtaining the update metadata, and a different IP address serves the actual content location for the download. The download is hosted by a separate backend server, which is why a second IP address must be allowed.
- You can allow the IPv4 pair, the IPv6 pair, or both sets of IP addresses, depending on your addressing requirements.
- These IPs need to be allowed through your firewall if data ports are used to download the content.
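The two-step flow described above is easy to get wrong in a restrictive outbound rule: a policy that allows only the phone-home address lets step 1 succeed and then silently blocks the download in step 2. The following is an added illustration, not Palo Alto Networks code and not a PAN-OS API. It uses only the endpoint addresses listed in this article; the policy lines, the metadata response and the download URL path are constructed for the example. It checks a policy's destination list against the required endpoints and walks the phone-home-then-download sequence to show where a partial policy fails.

```python
"""Added example: check an outbound allow-list against the static update flow.

Endpoint addresses come from the article. Policy lines, the metadata response
and the download URL are constructed for illustration only.
"""
import ipaddress
from urllib.parse import urlsplit

# Required endpoints from the article, per address family: the metadata
# ("phone home") endpoint and the separate content download endpoint.
REQUIRED_ENDPOINTS = {
    "ipv4": {
        "metadata": ("35.186.202.45", 443),
        "download": ("34.120.74.244", 443),
    },
    "ipv6": {
        "metadata": ("2600:1901:0:669::", 443),
        "download": ("2600:1901:0:5162::", 443),
    },
}


def parse_endpoint(text):
    """Parse 'a.b.c.d:port' or '[v6]:port' into a normalised (ip, port) tuple."""
    parts = urlsplit("//" + text)  # urlsplit understands bracketed IPv6 literals
    if parts.hostname is None or parts.port is None:
        raise ValueError(f"bad endpoint: {text!r}")
    # ip_address() validates the literal and canonicalises IPv6 compression.
    return str(ipaddress.ip_address(parts.hostname)), parts.port


def policy_destinations(policy_lines):
    """Turn a policy's destination strings (constructed format) into (ip, port) pairs."""
    return {parse_endpoint(line.strip()) for line in policy_lines if line.strip()}


def missing_endpoints(policy_lines, family):
    """Return the required roles ('metadata', 'download') the policy does not allow."""
    allowed = policy_destinations(policy_lines)
    required = REQUIRED_ENDPOINTS[family]
    return sorted(role for role, ep in required.items() if ep not in allowed)


def _bracket(ip):
    """Wrap IPv6 literals in brackets so they can be used in a URL authority."""
    return f"[{ip}]" if ":" in ip else ip


def simulate_update(policy_lines, family="ipv4"):
    """Walk the two-step update flow against the policy; returns (succeeded, trace)."""
    allowed = policy_destinations(policy_lines)
    required = REQUIRED_ENDPOINTS[family]
    trace = []

    # Step 1: the appliance phones home to the metadata endpoint.
    meta = required["metadata"]
    if meta not in allowed:
        trace.append(f"phone-home to {meta} blocked by policy")
        return False, trace
    trace.append(f"phone-home to {meta} allowed; update available")

    # Step 2: the (constructed) metadata response points at the separate
    # download backend, so that address must be allowed as well.
    download_url = f"https://{_bracket(required['download'][0])}:443/content/update.bin"
    dl = parse_endpoint(urlsplit(download_url).netloc)
    if dl not in allowed:
        trace.append(f"download from {dl} blocked by policy; update fails")
        return False, trace
    trace.append(f"download from {dl} allowed; update installed")
    return True, trace


if __name__ == "__main__":
    # Constructed policies: one complete, one that forgot the download endpoint.
    complete = ["35.186.202.45:443", "34.120.74.244:443"]
    partial = ["35.186.202.45:443"]
    for name, policy in (("complete", complete), ("partial", partial)):
        ok, trace = simulate_update(policy, "ipv4")
        print(name, "->", "OK" if ok else "FAIL", "| missing:", missing_endpoints(policy, "ipv4"))
        for line in trace:
            print("   ", line)
```

Run it as a script to see the partial policy pass the phone-home step and then fail at the download step; `missing_endpoints` is the check to apply to your own rule's destination list before relying on it, for whichever address family you deploy.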
Additional Information
Question 2: What security controls are in place for this solution?

Answer: Here is a description of the security controls for our new updated static updates solution:
- All traffic passes through our Palo Alto Networks managed firewalls.
- Access to the updates environment is limited to the IT infrastructure team.
- All downloaded content uses signed URLs, and the IT infrastructure team manages the keys.
- All of our content packages are signed for integrity-checking purposes.
- All of the services are SOC2 Type 2 compliant.
Note: Please check this article for more information on static update configuration.