When pushing the Dynamic Updates from Panorama, the target device does not show in the Devices list
Created On 03/22/19 15:47 PM - Last Modified 01/08/20 01:25 AM
Symptom
- When pushing the Dynamic Updates from Panorama, the target device does not show up in the Devices list.
Environment
- The firewall is in an out-of-band environment that does not have access to the internet.
- The Threat Prevention license was downloaded and manually uploaded to the firewall.
Cause
- This is because Panorama doesn't have the Threat Prevention licenses loaded for the devices it's managing.
- To deploy Dynamic Updates from Panorama to firewalls, Panorama must have valid Threat Prevention licenses installed for the devices it's managing.
- Panorama requires internet access to fetch the license status of its managed devices.
- Panorama contacts the license server and sends the serial number of each managed Palo Alto Networks device. The license server responds with the licenses for each device.
Resolution
- Make sure Panorama is configured with the update server.
  Update Server: updates.paloaltonetworks.com
- Give Panorama internet access via the management interface. This could require setting a default route and creating a security policy on the upstream firewall to allow access to updates.paloaltonetworks.com.
- Go to Panorama > Device Deployment > Licenses.
- Select Refresh. This will bring up the "Refresh License Deployment" window. Select the device that is not reflecting the correct license status and refresh it.
NOTE: If Panorama does not have access to the internet, it will not be able to retrieve the license keys, and you will not be able to manually upload them.