Firewall cannot connect to updates.paloaltonetworks.com to get dynamic updates
25619
Created On 01/30/22 08:21 AM - Last Modified 10/23/24 23:10 PM
Symptom
- Firewall is configured with Primary DNS, or both Primary and Secondary DNS
- Firewall is allowed to access the Internet from the management interface
- Firewall is allowed to access the configured DNS servers
- Firewall fails to refresh dynamic updates list, i.e. Device > Dynamic Updates > Check Now
- Firewall fails to ping any FQDN (unknown host)
- Packet capture (tcpdump) on management interface does not capture any packets to DNS server (while performing Ping or Check Now)
- Test output from CLI
admin@PA-VM> ping host updates.paloaltonetworks.com
ping: unknown host updates.paloaltonetworks.com
admin@PA-VM> request resolve address updates.paloaltonetworks.com
34.96.84.34
2600:1901:0:f4f2::
Environment
- Any Palo Alto Networks firewall
- PAN-OS versions prior to 11.1.0
Cause
Earlier versions of PAN-OS do not accept a DNS server entered with a /32 prefix (X.X.X.X/32); with such an entry the firewall does not send DNS queries from the management interface, so name resolution fails.
Resolution
The issue is resolved in PAN-OS 11.1.0 and later versions. For PAN-OS versions earlier than 11.1.0, where DNS resolution fails if the DNS server(s) are entered as X.X.X.X/32, please follow these workaround steps:
- On WebUI, go to Device > Setup > Services
- Remove the subnet mask from the Primary DNS entry, e.g. 8.8.8.8/32 --> 8.8.8.8
- Repeat the same for the Secondary DNS entry
- Click OK, then Commit changes
Expected output after commit:
admin@Lab48-70-PA-VM> ping host updates.paloaltonetworks.com
PING updates.gcp.gslb.paloaltonetworks.com (34.96.84.34) 56(84) bytes of data.
64 bytes from 34.84.96.34.bc.googleusercontent.com (34.96.84.34): icmp_seq=1 ttl=57 time=2.17 ms
^C
--- updates.gcp.gslb.paloaltonetworks.com ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 2.173/2.173/2.173/0.000 ms
admin@Lab48-70-PA-VM> request resolve address updates.paloaltonetworks.com
34.96.84.34
2600:1901:0:f4f2::
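As an added example (not Palo Alto Networks code), the check below audits an exported PAN-OS configuration for the misconfiguration this article describes: it flags Primary or Secondary DNS servers entered with a prefix length on a release earlier than 11.1.0 and reports the corrected value. The config XML path and the version-string format are assumptions; the sample config is constructed.

```python
# Added example (not Palo Alto Networks code): audit a PAN-OS config for DNS
# servers entered with a prefix length. Assumed, not stated in the article: the
# config XML path deviceconfig/system/dns-setting/servers/{primary,secondary}
# and sw-version strings shaped like "10.2.4" or "10.2.4-h3".
import ipaddress
import xml.etree.ElementTree as ET

FIXED_IN = (11, 1, 0)  # per the article: resolved in PAN-OS 11.1.0 and later

# Constructed sample shaped like an exported PAN-OS config (not a real export).
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system><dns-setting><servers>
      <primary>8.8.8.8/32</primary>
      <secondary>8.8.4.4</secondary>
    </servers></dns-setting></system></deviceconfig>
  </entry></devices>
</config>"""

def parse_version(sw_version: str) -> tuple:
    """'10.2.4-h3' -> (10, 2, 4); the hotfix suffix does not matter here."""
    return tuple(int(p) for p in sw_version.split("-")[0].split("."))

def find_masked_dns_servers(config_xml: str) -> list:
    """Return (role, configured value, corrected value) for each DNS server
    carrying a '/prefix' suffix, the form the article says breaks resolution."""
    root = ET.fromstring(config_xml)
    findings = []
    for role in ("primary", "secondary"):
        for node in root.iterfind(f".//dns-setting/servers/{role}"):
            value = (node.text or "").strip()
            if "/" not in value:
                continue
            host = value.split("/", 1)[0]
            ipaddress.ip_address(host)  # ValueError if the host part is not an IP
            findings.append((role, value, host))
    return findings

def audit(config_xml: str, sw_version: str) -> list:
    """Only releases before the fix are affected; 11.1.0+ accepts the /32 form."""
    if parse_version(sw_version) >= FIXED_IN:
        return []
    return find_masked_dns_servers(config_xml)

if __name__ == "__main__":
    for role, value, fixed in audit(SAMPLE_CONFIG, "10.2.4-h3"):
        print(f"{role} DNS server {value}: remove the mask -> {fixed}")
```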