PAN-OS Upgrade Guide
    : Install Content Updates Automatically for Panorama without an Internet Connection
    Focus
    Download PDF
    Focus
    1. Home
    2. PAN-OS
    3. PAN-OS Upgrade Guide
    4. Upgrade Panorama
    5. Install Content Updates and Software Upgrades for Panorama
    6. Install Content Updates Automatically for Panorama without an Internet Connection
    Download PDF

    PAN-OS Upgrade Guide

    Install Content Updates Automatically for Panorama without an Internet Connection

    Table of Contents

    Install Content Updates Automatically for Panorama without an Internet Connection

    Use an SCP server to download content updates from an outer Panorama™ management server to firewalls, WildFire® appliances, and Log Collectors managed by an air-gapped Panorama.
    Automatically download content updates to firewalls, Log Collectors, and WildFire® appliances in air-gapped networks where the Panorama™ management server, managed firewalls, Log Collectors, and WildFire appliances are not connected to the internet. To accomplish this, you must deploy an additional Panorama with internet access and an SCP server. After you deploy the Panorama with internet access, you configure the internet-connected Panorama to automatically download content updates to the SCP server. From the SCP server, the air-gapped Panorama is configured to automatically download and install content updates as per your content updates schedule. Panorama generates a system log when the Panorama with internet access downloads content updates to the SCP server or when the air-gapped Panorama downloads and installs content updates from the SCP server.
    Only the following content update schedules from an internet-connected Panorama to a Panorama without an internect connection are supported:
    Do not manipulate or change the content update file name after you successfully download it to the SCP server. Panorama cannot download and install content updates with altered file names. Additionally, for the automatic content update to be successful, you must ensure that there is enough disk space on the SCP server, that the SCP server is running when a download is about to start, and that both Panoramas are powered on and not in the middle of a reboot.
    This example shows how to configuring the automatic content updates for Applications and Threats content updates.
    1. Deploy an SCP server.
      Content updates for managed firewalls, Log Collectors, and WildFire appliances downloads from the internet-connected Panorama. The air-gapped Panorama downloads the content updates from the SCP server and then installs the updates on managed firewalls, WildFire appliances, and Log Collectors.
      When you create the folder directory for content updates, it is a best practice to create a folder for each type of type of content update. This is the burden of managing a large volume of content updates and reduces the possibility of deleting content updates that should not be deleted from the SCP server.
    2. Deploy the internet-connected Panorama.
      This Panorama communicates with the Palo Alto Networks update server and downloads the content updates to the SCP server.
      1. Set up the Panorama management server.
      2. Perform the initial Panorama configuration.
    3. Deploy the Panorama without an internet connection.
      This Panorama communicates with the SCP server to download and install content updates on managed firewalls, Log Collectors, and WildFire appliances.
      1. Set up the Panorama management server.
      2. Perform the initial Panorama configuration.
      3. Add your managed firewalls, Log Collectors, and WildFire appliances.
    4. Configure the internet-connected Panorama to download content updates to your SCP server.
      1. Log in to the Panorama Web Interface.
      2. Create an SCP server profile.
        1. Select PanoramaServer ProfilesSCP and Add a new SCP server profile.
        2. Enter a descriptive Name for the SCP server profile.
        3. Enter the SCP Server IP address.
        4. Enter the Port.
        5. Enter the SCP server User Name.
        6. Enter the SCP server Password and Confirm Password.
        7. Click OK to save your changes.
      3. Create a content updates schedule to regularly download content updates to the SCP server.
        You must create a schedule for each type of content update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.
        1. Select PanoramaDevice DeploymentDynamic Updates, select Schedules, and Add a content updates schedule.
        2. Enter a descriptive Name for the content updates schedule.
        3. For the Download Source, select Update Server.
        4. Select the content update Type.
        5. Select the Recurrence to set the interval at which Panorama checks the Palo Alto Networks update server for new content updates.
          To configure a more precise recurrence schedule, enter the number of minutes past the selected recurrence interval. If you have multiple content updates scheduled to download using the same recurrence interval, stagger them to avoid overloading the Panorama and SCP server.
        6. For the Action, select Download And SCP.
        7. Select the SCP Profile you configured in the previous step.
        8. Enter the SCP Path for the content updates type.
        9. (Optional) Enter the Threshold, in hours, for the content updates. Panorama downloads only content updates that are this number of hours old (or older)
        10. Click OK to save your changes.
      4. Commit your changes.
    5. Configure the air-gapped Panorama to download content updates from the SCP server and then install the updates on your managed firewalls, Log Collectors, and WildFire appliances.
      1. Log in to the Panorama Web Interface.
      2. Create an SCP server profile.
        1. Select PanoramaServer ProfilesSCP and Add a new SCP server profile.
        2. Enter a descriptive Name for the SCP server profile.
        3. Enter the SCP Server IP address.
        4. Enter the Port.
        5. Enter the SCP server User Name.
        6. Enter the SCP server Password and Confirm Password.
        7. Click OK to save your changes.
      3. Create a content updates schedule to regularly download and install content updates from the SCP server.
        You must create a schedule for each type of content update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.
        1. Select PanoramaDevice DeploymentDynamic Updates, select Schedules, and Add a content updates schedule.
        2. Enter a descriptive Name for the content updates schedule.
        3. For the Download Source, select SCP.
        4. Select the SCP Profile you configured in the previous step.
        5. Enter the SCP Path for the content updates type.
        6. Select the content update Type.
        7. Select the Recurrence to set the interval at which Panorama checks the Palo Alto Networks update server for new content updates.
          To configure a more precise recurrence schedule, enter the number of minutes past the selected recurrence interval. If you have multiple content updates scheduled to download using the same recurrence interval, stagger them to avoid overloading the Panorama and SCP server.
        8. For the Action, select Download or Download And Install.
          Only Download and Download and Install are supported when the Download Source is SCP.
          If you select Download, you must manually start the content update install on your managed firewalls.
        9. Select the Devices on which to install the content updates.
        10. (Optional) Enter the Threshold, in hours, for the content updates. Panorama downloads only content updates that are this number of hours old (or older)
        11. Click OK to save your changes.
      4. Commit your changes.

    © 2024 Palo Alto Networks, Inc. All rights reserved.