Reaching through Palo Alto firewall

DS218play, DS220+, DS224+, DS720 , RS3618XS, SA3400
We have a Palo Alto Networks firewall at work, not sure which version, and we are having trouble getting our HA cluster connected to Synology at all.

What we want is 1 rule for our HA cluster to download DSM and package updates from. Which is for both.

But our network department is having a hard time getting it to work. We recently updated from DSM 6 to 7 and to do that we had them use an allow-all rule and lots of * etc.
Which of course is not ideal. We want access to just one outside URL.

They have set it up like that but for some reason our CMS HA cluster cannot access the outside world and seemingly nothing gets blocked.

Does anybody here have experience with Palo Alto in combination with Synology?

How is the PAN FW configured to allow access to Synology sites from the cluster? It's been a while since I looked at specific cluster implementation methods, but in the past I've seen the clusters sharing a virtual IP which the [currently] primary device will use, though still having a 'physical' IP too. There are various ways of doing this: HSRP, VRRP, monitored circuits. Could the PAN FW be blocking requests from a shared VIP?

The PAN FW presumably uses URL and anti-malware filtering. There's definitely nothing logged for Synology URLs from any LAN device? Otherwise, are you sure the requests are reaching the PAN FW?

To my knowledge the PAN FW is configured to allow the active and passive IP + cluster IP through to whatever we set as external URL.

I have scheduled a session with one of our network people this Thursday to troubleshoot this issue. I have been searching the big web for an answer and could not find anything related to PAN FW, but I did find a lead on a Sophos FW which said the same as you said. I also was thinking in the same direction: somehow it's being blocked by a default rule which stops URLs by catching words such as update or download.

Hopefully after Thursday I'll know more. But if anybody has any hints or tips I'll welcome those as well.