Focus

Panorama Administrator's Guide

Install Updates Automatically for Panorama without an Internet Connection

Table of Contents

Install Updates Automatically for Panorama without an Internet Connection

Use an SCP server to download dynamic updates from an outer Panorama™ management server to firewalls, WildFire^® appliances, and Log Collectors managed by an air-gapped Panorama.

Automatically download dynamic updates to firewalls, Log Collectors, and WildFire^® appliances in air-gapped networks where the Panorama™ management server, managed firewalls, Log Collectors, and WildFire appliances are not connected to the internet. To accomplish this, you must deploy an additional Panorama with internet access and an SCP server. After you deploy the Panorama with internet access, you configure the internet-connected Panorama to automatically download dynamic updates to the SCP server. From the SCP server, the air-gapped Panorama is configured to automatically download and install dynamic updates as per your dynamic updates schedule. Panorama generates a system log when the Panorama with internet access downloads dynamic updates to the SCP server or when the air-gapped Panorama downloads and installs dynamic updates from the SCP server.

Only the following dynamic update schedules from an internet-connected Panorama to a Panorama without an internect connection are supported:

Do not manipulate or change the dynamic update file name after you successfully download it to the SCP server. Panorama cannot download and install dynamic updates with altered file names. Additionally, for the automatic dynamic update to be successful, you must ensure that there is enough disk space on the SCP server, that the SCP server is running when a download is about to start, and that both Panoramas are powered on and not in the middle of a reboot.

This example shows how to configuring the automatic content updates for Applications and Threats dynamic updates.

Deploy an SCP server.

Dynamic updates for managed firewalls, Log Collectors, and WildFire appliances downloads from the internet-connected Panorama. The air-gapped Panorama downloads the dynamic updates from the SCP server and then installs the updates on managed firewalls, WildFire appliances, and Log Collectors.

When you create the folder directory for dynamic updates, it is a best practice to create a folder for each type of type of dynamic update. This is the burden of managing a large volume of dynamic updates and reduces the possibility of deleting dynamic updates that should not be deleted from the SCP server.

Deploy the internet-connected Panorama.

This Panorama communicates with the Palo Alto Networks update server and downloads the dynamic updates to the SCP server.

Set up the Panorama management server.

Set Up the M-Series Appliance

Set Up the Panorama Virtual Appliance

Perform the initial Panorama configuration.

Perform Initial Configuration of the M-Series Appliance

Perform Initial Configuration of the Panorama Virtual Appliance

Deploy the Panorama without an internet connection.

This Panorama communicates with the SCP server to download and install dynamic updates on managed firewalls, Log Collectors, and WildFire appliances.

Set up the Panorama management server.

Set Up the M-Series Appliance

Set Up the Panorama Virtual Appliance

Perform the initial Panorama configuration.

Perform Initial Configuration of the M-Series Appliance

Perform Initial Configuration of the Panorama Virtual Appliance

Add your managed firewalls, Log Collectors, and WildFire appliances.

Add a Firewall as a Managed Device

Configure a Managed Collector

Add Standalone WildFire Appliances to Manage with Panorama

Configure the internet-connected Panorama to download dynamic updates to your SCP server.

Create an SCP server profile.

Select

Panorama

Server Profiles

SCP

and

Add

a new SCP server profile.

Enter a descriptive

Name

for the SCP server profile.

Enter the SCP

Server

IP address.

Enter the

Port

Enter the SCP server

User Name

Enter the SCP server

Password

and

Confirm Password

Click

to save your changes.

Create a dynamic updates schedule to regularly download dynamic updates to the SCP server.

You must create a schedule for each type of dynamic update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.

Select

Panorama

Device Deployment

Dynamic Updates

, select

Schedules

, and

Add

a dynamic updates schedule.

Enter a descriptive

Name

for the dynamic updates schedule.

For the

Download Source

, select

Update Server

Select the dynamic update

Type

Select the

Recurrence

to set the interval at which Panorama checks the Palo Alto Networks update server for new dynamic updates.

To configure a more precise recurrence schedule, enter the number of minutes past the selected recurrence interval. If you have multiple dynamic updates scheduled to download using the same recurrence interval, stagger them to avoid overloading the Panorama and SCP server.

For the

Action

, select

Download And SCP

Select the

SCP Profile

you configured in the previous step.

Enter the

SCP Path

for the dynamic updates type.

(Optional) Enter the

Threshold

, in hours, for the dynamic updates. Panorama downloads only dynamic updates that are this number of hours old (or older)

Click

to save your changes.

Commit

your changes.

Configure the air-gapped Panorama to download dynamic updates from the SCP server and then install the updates on your managed firewalls, Log Collectors, and WildFire appliances.

Create an SCP server profile.

Select

Panorama

Server Profiles

SCP

and

Add

a new SCP server profile.

Enter a descriptive

Name

for the SCP server profile.

Enter the SCP

Server

IP address.

Enter the

Port

Enter the SCP server

User Name

Enter the SCP server

Password

and

Confirm Password

Click

to save your changes.

Create a dynamic updates schedule to regularly download and install dynamic updates from the SCP server.

You must create a schedule for each type of dynamic update you intend to automatically download and install on managed firewalls, Log Collectors, and WildFire appliances.

Select

Panorama

Device Deployment

Dynamic Updates

, select

Schedules

, and

Add

a dynamic updates schedule.

Enter a descriptive

Name

for the dynamic updates schedule.

For the

Download Source

, select

SCP

Select the

SCP Profile

you configured in the previous step.

Enter the

SCP Path

for the dynamic updates type.

Select the dynamic update

Type

Select the

Recurrence

to set the interval at which Panorama checks the Palo Alto Networks update server for new dynamic updates.

For the

Action

, select

Download

Download And Install

Only

Download

and

Download and Install

are supported when the

Download Source

SCP

If you select

Download

, you must manually start the dynamic update install on your managed firewalls.

Select the

Devices

on which to install the dynamic updates.

(Optional) Enter the

Threshold

, in hours, for the dynamic updates. Panorama downloads only dynamic updates that are this number of hours old (or older)

Click

to save your changes.

Commit

your changes.

Install Updates for Panorama When Not Internet-Connected

Migrate Panorama Logs to the New Log Format

Panorama Administrator's Guide

Install Updates Automatically for Panorama without an Internet Connection

Install Updates Automatically for Panorama without an Internet Connection

Recommended For You