topic Re: Problems with URL-DB (it's missing!) in Next-Generation Firewall Discussions

Problems with URL-DB (it's missing!)

MikeMeredith — Fri, 24 Feb 2023 14:16:44 GMT

Hi!

We've been having on going issues after an upgrade (since downgraded) with our standby firewall - when made live it only functioned at about 10% (i.e. most legitimate traffic was blocked for one reason or another). We fixed an issue with DNS resolution - apparently the domain string being present broke DNS resolution(!), but there remains an issue with URL filtering.

Specifically the URL database is at version 0000.00.00.000, and it doesn't successfully fetch anything from the cloud (which of course is disruptive as we have to make it live to get it to try). The cloud fetch is currently going through a proxy server - which we can see working not only for the active firewall (which successfully gets something) and for the standby (although it doesn't seem to get anything). One suggestion is to turn off the proxy - which is something we'll likely try when a suitable 'disruptive diagnostic' window can be arranged.

And whilst this needs to be fixed, I was thinking that manually installing the url-db would be helpful, but I've tried :-

a) Via the Panorama GUI which doesn't like /any/ of the firewalls when trying to set up a schedule for "Download and install".

b) Via the command line command request url-filtering install. But that obviously requires a copy of the url-db.

Is there a supported way to get hold of this url database file? And is this a sensible idea?

[This has been logged with TAC]

Re: Problems with URL-DB (it's missing!)

PavelK — Fri, 24 Feb 2023 21:01:30 GMT

Hello @MikeMeredith

this looks like expected behavior. Passive Firewall does not connect to PAN-DB. Cold you please check this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCi1CAG?

If you make Firewall with missing PAN-DB active (Under assumption you have valid URL filtering license) and it still does not work, you might be hitting this issue: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG

Lastly, "Download and Install" installs applications / threat signatures. This is unrelated to PAN-DB.

Kind Regards

Pavel

Re: Problems with URL-DB (it's missing!)

MikeMeredith — Tue, 28 Feb 2023 09:19:46 GMT

Hi!

Wanted to wait until this morning (after doing the relevant to make it work) :-

If you apply url filtering to outgoing web traffic from servers you might want to make sure you aren't blocking "not-resolved" because all traffic is resolved as "not-resolved" if you don't have a URL database downloaded. Which results in the URL database download being blocked 🙂

Allowing "not-resolved", and making the misbehaving firewall active resulted in the database being downloaded successfully before we had a chance to login to check.

All is good again!