Saturday, December 5, 2015

How to activate subscriptions & updates manually Palo Alto PANOS

Here's your issues;

 1: the firewall has no  internet access so you can't activate the unit

2: dynamic updates have to be pulled down and updated manually


I will show you how to tackle items#1 and #2 it's actually quite simple.

1st you need to login to support@paloalto and goto your assets via the  device button

https://support.paloaltonetworks.com/SupportAccount/AccountDevices



Now you can download the individuals keys;




Once you have the files, you will upload them into the security-appliance. The individual files are a hash of some type,  so don't modify or edit the files.


These files once upload and activated will allow the assigned feature by  going to Device > license ( manual upload ) and activation via the commit . Do each license item one by one.
When this option has completed, you can now push the  update package via the Device > Dynamic Updates

The step is broken down into 2 unique functions.

1st you upload the update files into the unit using the Upload option





2nd you install that file using the Install From File option which is to the right of the upload 







The unit will now have the activation and the fresh updates if you continually push updates manually. You can confirm the license installed from the device license tab and the status from the dashboard


I could go on and on with  many differences, but PAN-OS has always been weaker with network features & overall thru-put  with higher latency,  but it is light-years ahead of the pack in pure firewall UTM threat detection, and applications controls.


  I know of no way to manually push the URL seed file and be careful of  dynamic file  updates names. Any files with a "(1)"  or any other number  would be rejected. So try to keep the same named as listed on  the support page.


Imho, you want to conduct updates during low peak usage. Also don't forget to commit all changes after uploads and before install from file. If you conduct these methods, you will have hit-less updates.

For AV definition, I found that it's best not to skip a number sequence but YMMV, but it seems AV updates that manually push execute quicker when you follow the sequences.



e.g

If xxx-0001 is installed and active, install xxx-0002 for the next AV update and don't try to jump to xxx-0003.



And it should be obvious, but read the "release" note to get the following 1> number of new signatures in the updates and 2> minimum  PAN-OS version that's required.







Any  factory default resets will wipe out all license and  updates. So keep this in mind if you execute a debug system maintenance-mode . Also a reset and re-importing a configuration will NOT re-install the license on a appliance. You will have to have internet access and/or manual re-install licenses and updates.

A request license info from  the cli will list all license and expirations




Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
         o 
        /  \

Posted by at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)