Panorama Administrator's Guide
    : Install Updates Automatically for Panorama without an Internet Connection
    Focus
    Download PDF
    Focus
    1. Home
    2. Panorama
    3. Panorama Administrator's Guide
    4. Set Up Panorama
    5. Install Content and Software Updates for Panorama
    6. Install Updates Automatically for Panorama without an Internet Connection
    Download PDF

    Panorama Administrator's Guide

    Install Updates Automatically for Panorama without an Internet Connection

    Table of Contents
    End-of-Life (EoL)

    Install Updates Automatically for Panorama without an Internet Connection

    Use an SCP server to download dynamic updates from an outer Panorama™ management server to firewalls, WildFire® appliances, and Log Collectors managed by an air-gapped Panorama.
    Automatically download dynamic updates to firewalls, Log Collectors, and WildFire® appliances in air-gapped networks where the Panorama™ management server, managed firewalls, Log Collectors, and WildFire appliances are not connected to the internet. To accomplish this, you must deploy an additional Panorama with internet access and an SCP server. After you deploy the Panorama with internet access, you configure the internet-connected Panorama to automatically download dynamic updates to the SCP server. From the SCP server, the air-gapped Panorama is configured to automatically download and install dynamic updates as per your dynamic updates schedule. Panorama generates a system log when the Panorama with internet access downloads dynamic updates to the SCP server or when the air-gapped Panorama downloads and installs dynamic updates from the SCP server.
    Only the following dynamic update schedules from an internet-connected Panorama to a Panorama without an internect connection are supported:
    Do not manipulate or change the dynamic update file name after you successfully download it to the SCP server. Panorama cannot download and install dynamic updates with altered file names. Additionally, for the automatic dynamic update to be successful, you must ensure that there is enough disk space on the SCP server, that the SCP server is running when a download is about to start, and that both Panoramas are powered on and not in the middle of a reboot.
    This example shows how to configuring the automatic content updates for Applications and Threats dynamic updates.
    1. Deploy an SCP server.
      Dynamic updates for managed firewalls, Log Collectors, and WildFire appliances downloads from the internet-connected Panorama. The air-gapped Panorama downloads the dynamic updates from the SCP server and then installs the updates on managed firewalls, WildFire appliances, and Log Collectors.
      When you create the folder directory for dynamic updates, it is a best practice to create a folder for each type of type of dynamic update. This is the burden of managing a large volume of dynamic updates and reduces the possibility of deleting dynamic updates that should not be deleted from the SCP server.
    2. Deploy the internet-connected Panorama.
      This Panorama communicates with the Palo Alto Networks update server and downloads the dynamic updates to the SCP server.
      1. Set up the Panorama management server.
      2. Perform the initial Panorama configuration.
    3. Deploy the Panorama without an internet connection.
      This Panorama communicates with the SCP server to download and install dynamic updates on managed firewalls, Log Collectors, and WildFire appliances.
      1. Set up the Panorama management server.
      2. Perform the initial Panorama configuration.
      3. Add your managed firewalls, Log Collectors, and WildFire appliances.
    4. Configure the internet-connected Panorama to download dynamic updates to your SCP server.
      1. Log in to the Panorama Web Interface.
      2. Create an SCP server profile.
        1. Select PanoramaServer ProfilesSCP and Add a new SCP server profile.
        2. Enter a descriptive Name for the SCP server profile.
        3. Enter the SCP Server IP address.
        4. Enter the Port.
        5. Enter the SCP server User Name.
        6. Enter the SCP server Password and Confirm Password.
        7. Click OK to save your changes.
      3. Create a dynamic updates schedule to regularly download dynamic updates to the SCP server.
        You must create a schedule for each type of dynamic update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.
        1. Select PanoramaDevice DeploymentDynamic Updates, select Schedules, and Add a dynamic updates schedule.
        2. Enter a descriptive Name for the dynamic updates schedule.
        3. For the Download Source, select Update Server.
        4. Select the dynamic update Type.
        5. Select the Recurrence to set the interval at which Panorama checks the Palo Alto Networks update server for new dynamic updates.
          To configure a more precise recurrence schedule, enter the number of minutes past the selected recurrence interval. If you have multiple dynamic updates scheduled to download using the same recurrence interval, stagger them to avoid overloading the Panorama and SCP server.
        6. For the Action, select Download And SCP.
        7. Select the SCP Profile you configured in the previous step.
        8. Enter the SCP Path for the dynamic updates type.
        9. (Optional) Enter the Threshold, in hours, for the dynamic updates. Panorama downloads only dynamic updates that are this number of hours old (or older)
        10. Click OK to save your changes.
      4. Commit your changes.
    5. Configure the air-gapped Panorama to download dynamic updates from the SCP server and then install the updates on your managed firewalls, Log Collectors, and WildFire appliances.
      1. Log in to the Panorama Web Interface.
      2. Create an SCP server profile.
        1. Select PanoramaServer ProfilesSCP and Add a new SCP server profile.
        2. Enter a descriptive Name for the SCP server profile.
        3. Enter the SCP Server IP address.
        4. Enter the Port.
        5. Enter the SCP server User Name.
        6. Enter the SCP server Password and Confirm Password.
        7. Click OK to save your changes.
      3. Create a dynamic updates schedule to regularly download and install dynamic updates from the SCP server.
        You must create a schedule for each type of dynamic update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.
        1. Select PanoramaDevice DeploymentDynamic Updates, select Schedules, and Add a dynamic updates schedule.
        2. Enter a descriptive Name for the dynamic updates schedule.
        3. For the Download Source, select SCP.
        4. Select the SCP Profile you configured in the previous step.
        5. Enter the SCP Path for the dynamic updates type.
        6. Select the dynamic update Type.
        7. Select the Recurrence to set the interval at which Panorama checks the Palo Alto Networks update server for new dynamic updates.
          To configure a more precise recurrence schedule, enter the number of minutes past the selected recurrence interval. If you have multiple dynamic updates scheduled to download using the same recurrence interval, stagger them to avoid overloading the Panorama and SCP server.
        8. For the Action, selectDownload or Download And Install.
          Only Download and Download and Install are supported when the Download Source is SCP.
          If you select Download, you must manually start the dynamic update install on your managed firewalls.
        9. Select the Devices on which to install the dynamic updates.
        10. (Optional) Enter the Threshold, in hours, for the dynamic updates. Panorama downloads only dynamic updates that are this number of hours old (or older)
        11. Click OK to save your changes.
      4. Commit your changes.

    © 2025 Palo Alto Networks, Inc. All rights reserved.