Unable to push dynamic updates from Panorama to managed firewalls

Created On 03/01/22 08:07 AM - Last Modified 06/08/23 08:05 AM


Symptom


Error message: Failed to upload image. Device msg:'Failed to download <File> Download error: Couldn't connect to server.
 
 


Environment


  • PAN-OS 8.0 or later
  • Panorama behind a NAT device
  • Panorama has a public IP configured
  • Firewalls configured to use Panorama public IP


Cause


  • Port 3978 is used for communication between Panorama and managed firewalls. This port carries device management and device log collection traffic.
  • TCP port 28443 is used by managed devices to retrieve software and content updates from Panorama.
  • Panorama communicates its private management IP address to the managed devices over an encrypted connection on port 3978.
  • The devices then use this IP address on port 28443 to connect to Panorama and fetch the dynamic updates. Because NAT prevents the firewalls from reaching Panorama at this IP address, the deployment fails.


Resolution


  1. On PAN-OS 8.0.8 and later, run the following command on Panorama to share the FQDN (which resolves to its public IP) with the managed devices:
     > set dlsrvr server <fqdn>
  2. Open TCP port 28443, or allow the App-ID "paloalto-updates" in the security policy, on any intermediate device or security group between the firewall and Panorama.

Note:
  • This FQDN must be resolvable from the managed devices. 
  • To display the current value of this setting, run the "show dlsrvr server" command.
  • If you stop deploying a NAT device between Panorama and firewalls, delete the value by running the "delete dlsrvr server" command.
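
A pre-check for the two conditions above (the FQDN resolves from the firewall side, and TCP port 28443 is reachable through the NAT path), as an added example that is not part of the original article or of any Palo Alto Networks tooling. It assumes it is run from a host on the same network as the firewall's management interface; the function names, the sample FQDN panorama.example.com, and the use of the RFC 1918 ranges as the test for a "private" address are assumptions of this example.

```python
import ipaddress
import socket
import sys

UPDATE_PORT = 28443  # per the article: managed devices fetch updates from Panorama here
# Assumption: "private IP" means an RFC 1918 address, the usual case behind NAT.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def resolve(fqdn):
    """Return the sorted addresses the local resolver gives for fqdn ([] if none)."""
    try:
        infos = socket.getaddrinfo(fqdn, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def diagnose(fqdn, resolver=resolve, prober=tcp_reachable):
    """Return (status, detail) for the FQDN configured with 'set dlsrvr server'."""
    addrs = resolver(fqdn)
    if not addrs:
        return "unresolvable", "FQDN does not resolve from this network"
    private = [a for a in addrs if is_rfc1918(a)]
    if private:
        # Same failure as the original symptom: devices are handed an unroutable address.
        return "resolves-private", "resolves to private address(es): " + ", ".join(private)
    blocked = [a for a in addrs if not prober(a, UPDATE_PORT)]
    if blocked:
        return "port-blocked", "TCP %d not reachable on: %s" % (UPDATE_PORT, ", ".join(blocked))
    return "ok", "TCP %d reachable on: %s" % (UPDATE_PORT, ", ".join(addrs))

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python3 check_dlsrvr.py <fqdn>
        print(diagnose(sys.argv[1]))
    else:                   # offline demo using constructed resolver and probe results
        print(diagnose("panorama.example.com", lambda f: ["192.168.10.5"], lambda h, p: True))
```

A "resolves-private" result means the FQDN would hand the firewalls the same unreachable address described under Cause; "port-blocked" points at the intermediate device or security group policy.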
 
     

 
​​​​

