PAN-OS ® New Features Guide
    : Automatic Content Updates Through Offline Panorama
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS ® New Features Guide
    4. Panorama Features
    5. Automatic Content Updates Through Offline Panorama
    Download PDF

    PAN-OS ® New Features Guide

    Automatic Content Updates Through Offline Panorama

    Table of Contents
    End-of-Life (EoL)

    Automatic Content Updates Through Offline Panorama

    Use an SCP server to download content updates from an outer Panorama™ management server to firewalls, WildFire® appliances, and Log Collectors managed by an air-gapped Panorama.
    PAN-OS® 10.0 enables you to automatically download content updates to firewalls, Log Collectors, and WildFire® appliances in air-gapped networks where the Panorama™ management server and the managed firewalls, Log Collectors, and WildFire appliances are not connected to the internet. To accomplish this, you must deploy an additional Panorama with internet access and an SCP server. After you deploy the Panorama with internet access, you configure the internet-connected Panorama to automatically download content updates to the SCP server. From the SCP server, the air-gapped Panorama is configured to automatically download and install dynamic updates as per your dynamic updates schedule. Panorama generates a system log when the Panorama with internet access downloads dynamic updates to the SCP server or when the air-gapped Panorama downloads and installs dynamic updates from the SCP server.
    Do not manipulate or change the dynamic update file name after you successfully download it to the SCP server. Panorama cannot download and install dynamic updates with altered file names. Additionally, for the automatic content update to be successful, you must ensure that there is enough disk space on the SCP server, that the SCP server is running when a download is about to start, and that both Panoramas are powered on and not in the middle of a reboot.
    This example shows how to configuring the automatic content updates for Applications and Threats dynamic updates.
    1. Deploy an SCP server.
      Dynamic updates for managed firewalls, Log Collectors, and WildFire appliances downloads from the internet-connected Panorama. The air-gapped Panorama downloads the dynamic updates from the SCP server and then installs the updates on managed firewalls, WildFire appliances, and Log Collectors.
      When you create the folder directory for dynamic updates, it is a best practice to create a folder for each type of type of dynamic update. This is the burden of managing a large volume of dynamic updates and reduces the possibility of deleting dynamic updates that should not be deleted from the SCP server.
    2. Set up the Panorama with internet access.
      This Panorama communicates with the Palo Alto Networks update server and downloads the dynamic updates to the SCP server.
      1. Set Up Panorama.
      2. Log in to the Panorama web interface.
      3. Create an SCP server profile.
        1. Select PanoramaServer ProfilesSCP and Add a new SCP server profile.
        2. Enter a descriptive Name for the SCP server profile.
        3. Enter the SCP Server IP address.
        4. Enter the Port.
        5. Enter the SCP server User Name.
        6. Enter the SCP server Password and Confirm Password.
        7. Click OK to save your changes.
      4. Create a dynamic update schedule to regularly download content updates to the SCP server.
        You must create a schedule for each type of dynamic update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.
      5. Commit your changes.
    3. Set up the air-gapped Panorama.
      This Panorama communicates with the SCP server to download the dynamic updates and then installs the updates on managed firewalls, Log Collectors, and WildFire appliances.
    4. Configure the air-gapped Panorama to download dynamic updates from the SCP server and then install the updates on your managed firewalls, Log Collectors, and WildFire appliances.
      1. Log in to the Panorama web interface.
      2. Create an SCP server profile.
        1. Select PanoramaServer ProfilesSCP and Add a new SCP server profile.
        2. Enter a descriptive Name for the SCP server profile.
        3. Enter the SCP Server IP address.
        4. Enter the Port.
        5. Enter the SCP server User Name.
        6. Enter the SCP server Password and Confirm Password.
        7. Click OK to save your changes.
      3. Create a dynamic update schedule to regularly download content updates from the SCP server.
        You must create a schedule for each type of dynamic update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.
      4. Commit your changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.