Users sometimes change the content update URL to static to prevent back-end failures. But this practice doesn’t prevent failures, and because of security posture and rules, should only be used on a specific address. This document offers a recommended updates server configuration.
- update server configuration is set properly
- updates are failing on the firewall
Resolution : To receive content updates from the closest server to the Palo Alto Networks device in the Content Delivery Network (CDN) infrastructure:
NOTE: To test the connectivity of the firewall to our update servers, admin can use staticupdates.paloaltonetworks.com (for troubleshooting purposes only.) If connectivity is successful here, but unsuccessful using updates.paloaltonetworks.com, then please open a TAC support case so that we can investigate further with our devops team.