Saturday, October 22, 2011

Troubleshooting Dynamic Updates on Palo Alto Firewalls

The following are troubleshooting steps to take when a Palo Alto firewall has been installed in Virtual Wire mode, or is being initially configured behind the existing firewalls, and the dynamic updates for Threat Protection, Anti-Virus and URL Filtering are not pulling down.
After verifying that the device is licensed and registered for updates, it is time to verify that there is not a connectivity issue:
All of these are done from the command line, so either connect via SSH or via a console cable.

PAN updates
First thing to check is the connection from the Management interface to the Palo Alto Networks update site.
ping host updates.paloaltonetworks.com
This will show that basic connectivity is in place. The host updates.paloaltonetworks.com will respond to ping if the path is good.
If that fails, the next test is to check for routing issues:
traceroute host updates.paloaltonetworks.com
If this does not reach the first hop, verify that the management interface is configured with the correct default gateway.
After determining that base-level connectivity exists for updates, the next step is to verify that it is possible to connect to the service port for updates:
telnet port 443 host updates.paloaltonetworks.com
If this is good, then it is possible to manually request updates. If not, it will be necessary to verify or update the configuration of the current firewalls.
Anti-Virus
request anti-virus upgrade download latest
or, if in a High Availability pair:
request anti-virus upgrade download latest sync-to-peer
Applications and content
request content upgrade download latest
or, if in a High Availability pair:
request content upgrade download latest sync-to-peer

If the firewall is licensed for the BrightCloud URL filtering updates, the testing is slightly different since the updates come from a different site and service port.
Start by verifying basic connectivity:
ping host service.brightcloud.com
Verify that the traffic is routing properly:
traceroute host service.brightcloud.com
Verify that it is possible to connect to port 80 on service.brightcloud.com:
telnet port 80 host service.brightcloud.com
If this is good, then it is possible to manually request updates. If not, it will be necessary to verify or update the configuration of the current firewalls.
URL filtering
Request an update of the URL Filtering database:
request url-filtering upgrade brightcloud
Verify that the download is in progress:
request url-filtering download status
If there is still a connectivity issue, output similar to the following will appear:
{date time} Error: dtMessageTime(bcnet.cpp:256): failed connect to 64.87.3.54 on 80
When the download begins successfully, the following should appear:
{date time} URL database download: 90% done
When successful, a message similar to the following will appear:
369745418 total bytes 16.90 secs -79112.66 kB/S
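As an added example (not from the post or from Palo Alto Networks), a small Python parser that classifies the status lines shown above, so a script polling the firewall can tell a connection failure from a download in progress or a completed download and point at the matching connectivity check. The sample transcript it carries is constructed: the timestamps are made up, while the IP and byte count come from the lines above.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Patterns modelled on the three output lines quoted in the post.
CONNECT_FAIL = re.compile(r"Error: .*failed connect to (?P<host>\S+) on (?P<port>\d+)")
PROGRESS = re.compile(r"URL database download: (?P<pct>\d{1,3})% done")
COMPLETE = re.compile(r"^(?P<bytes>\d+) total bytes\s+(?P<secs>[\d.]+) secs")

@dataclass
class UpdateStatus:
    state: str  # connect_failed | in_progress | complete | unknown
    host: Optional[str] = None
    port: Optional[int] = None
    percent: Optional[int] = None
    total_bytes: Optional[int] = None

def classify_line(line: str) -> UpdateStatus:
    """Map one line of 'request url-filtering download status' output to a state."""
    if m := CONNECT_FAIL.search(line):
        return UpdateStatus("connect_failed", host=m["host"], port=int(m["port"]))
    if m := PROGRESS.search(line):
        return UpdateStatus("in_progress", percent=int(m["pct"]))
    if m := COMPLETE.search(line):
        return UpdateStatus("complete", total_bytes=int(m["bytes"]))
    return UpdateStatus("unknown")

def summarize(lines: Iterable[str]) -> UpdateStatus:
    # Most recent recognised line wins; unrecognised lines are ignored.
    latest = UpdateStatus("unknown")
    for line in lines:
        status = classify_line(line)
        if status.state != "unknown":
            latest = status
    return latest

def next_check(status: UpdateStatus) -> str:
    """Map the observed state to the connectivity check the post recommends."""
    if status.state == "connect_failed":
        return f"verify reachability of {status.host} on port {status.port} (ping, traceroute, telnet)"
    if status.state == "in_progress":
        return f"download running ({status.percent}% done); re-run the status command"
    return "download finished" if status.state == "complete" else "no recognised status line yet"

# Constructed sample transcript: timestamps are made up; IP and byte count are from the post.
SAMPLE_OUTPUT = [
    "2011-10-22 10:15:02 Error: dtMessageTime(bcnet.cpp:256): failed connect to 64.87.3.54 on 80",
    "2011-10-22 10:18:03 URL database download: 90% done",
    "369745418 total bytes 16.90 secs -79112.66 kB/S",
]
```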

Hopefully someone will find this useful.
Be safe out there,
James