How to test connectivity to updates.paloaltonetworks.com from the CLI?

Created On 01/21/26 00:40 AM - Last Modified 03/06/26 20:52 PM


Objective


  • To verify that the firewall’s management plane can successfully reach the Palo Alto Networks Update Server via HTTPS.
  • Successful connectivity ensures the firewall can download software, dynamic updates (Antivirus, Apps & Threats), and WildFire signatures.


Environment


  • Next-Gen Firewalls or Panorama
  • Supported PAN-OS


Procedure


  1. Log in to the firewall CLI via SSH.
  2. Enter the following command to test the HTTPS connection to the update cloud:
     test http-server protocol HTTPS address updates.paloaltonetworks.com
  3. Analyze the Results:
    1. Success: If the output displays "Connection to: https://updates.paloaltonetworks.com:443 succeeded", the firewall has reachability and can perform the SSL handshake.
    2. Failure: If the command returns a timeout or connection refused, proceed to verify DNS settings and Security Rules for the Management Interface.
  4. If you need to test the connection on a specific port, you can add the port argument:
     test http-server port 443 protocol HTTPS address updates.paloaltonetworks.com



Additional Information


  • The command is used when the firewall is failing to download updates. It is more effective than a standard ping for several reasons:
    1. Bypasses ICMP Restrictions: Many networks block ping (ICMP), but allow HTTPS (Port 443). If a ping fails, this command helps determine if the actual web service is still reachable.
    2. Verifies SSL Handshake: It confirms that the firewall can negotiate a secure connection, ensuring there are no certificate or protocol version mismatches.
    3. Tests Management Connectivity: It specifically tests the path from the Management Interface (or whichever Service Route is configured for updates) to the internet.
  • Service Routes: By default, this traffic goes out of the Management (MGT) interface. If your environment uses a data port for updates, ensure the Service Route is configured correctly under Device > Setup > Services.
  • DNS Dependency: This command relies on the firewall's ability to resolve FQDNs. If the test fails immediately, check DNS resolution using: ping host updates.paloaltonetworks.com
  • Common Ports: This command defaults to port 443.
  • Ensure that the perimeter firewall (if this unit is behind another one) allows traffic from the MGT IP to the internet on port 443.
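
The layers this test exercises (DNS resolution, TCP reachability on port 443, SSL handshake) can also be checked one at a time from a host on the management network. The following Python probe is an added example, not part of the original article or of PAN-OS; the names probe and NEXT_STEP are hypothetical, and it assumes the host shares the firewall's DNS servers and egress path.

```python
import socket
import ssl

# Follow-up per failing layer, taken from the article's own troubleshooting notes.
NEXT_STEP = {
    "dns": "check DNS settings (on the firewall: ping host updates.paloaltonetworks.com)",
    "tcp": "check Security Rules, the Service Route and any perimeter firewall for port 443",
    "tls": "look for a certificate or protocol version mismatch on the path",
    "ok": "reachable, TLS handshake completed",
}


def probe(host, port=443, timeout=5.0, context=None):
    """Return (stage, detail) where stage is 'dns', 'tcp', 'tls' or 'ok'."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError) as exc:  # unresolvable or malformed name
        return "dns", str(exc)

    ctx = context or ssl.create_default_context()  # verifies chain and hostname
    result = ("tcp", "no address could be reached")
    for *_, addr in infos:
        try:
            sock = socket.create_connection(addr[:2], timeout=timeout)
        except OSError as exc:  # refused, timed out, unreachable
            result = ("tcp", f"{addr[0]}: {exc}")
            continue  # try the next resolved address
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", f"{addr[0]} negotiated {tls.version()}"
        except OSError as exc:  # ssl.SSLError is a subclass of OSError
            sock.close()
            return "tls", f"{addr[0]}: {exc}"
    return result


if __name__ == "__main__":
    stage, detail = probe("updates.paloaltonetworks.com")
    print(f"{stage}: {detail}")
    print("next:", NEXT_STEP[stage])
```

A "tcp" or "tls" result from this host while the firewall's own test succeeds (or the reverse) points at a path difference such as the Service Route or a rule specific to the MGT IP.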

