https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42361#M31109 <HTML><HEAD></HEAD><BODY><P>Both appliances are licensed, but the management interfaces for both are on a locked down IT only network.</P><P>So the updates are occuring by another active interface, which isn't active on the passive appliance.</P><P></P><P>As there is no available peer sync, can I do this manually? And if not, what is the overall effect on URL checking performance</P><P>when the backup pair comes online and is so out of date on its local database that it has to use Dynamic lookup?</P></BODY></HTML> Tue, 11 Oct 2011 01:36:50 GMT KatanaNZ 2011-10-11T01:36:50Z https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42359#M31107 <HTML><HEAD></HEAD><BODY><P>Hi All,</P><P></P><P>So title says it all. I have a client with twin 4050's running in an active-passive cluster, that we have recently enabled</P><P>URL filtering on.</P><P></P><P>Annoyingly, there is no sync that we can see between the active and passive for the URL database, from initial activation,</P><P>through to the dynamic updates.</P><P></P><P>We have to bounce the pair to bring the passive as active, so it would detect its license, and download the database,</P><P>and then revert back to what we want as the primary system.</P><P></P><P>However it now appears that the active doesn't have a setting to sync its URL database with the passive to keep it current either.</P><P></P><P>Any idea's on if this is the case, and/or how to get around it.</P><P></P><P>We are not using Panorama for this client, but if we were in the future, would that resolve this issue?</P></BODY></HTML> Mon, 10 Oct 2011 22:08:03 GMT https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42359#M31107 KatanaNZ 2011-10-10T22:08:03Z https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42360#M31108 <HTML><HEAD></HEAD><BODY><P>There's no sync-to-peer option for url filtering. I assume that both units licensed individually for url filtering? Does the Passive's mgmt interface not have access to the updates server directly?</P></BODY></HTML> Mon, 10 Oct 2011 23:53:03 GMT https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42360#M31108 gswcowboy 2011-10-10T23:53:03Z https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42361#M31109 <HTML><HEAD></HEAD><BODY><P>Both appliances are licensed, but the management interfaces for both are on a locked down IT only network.</P><P>So the updates are occuring by another active interface, which isn't active on the passive appliance.</P><P></P><P>As there is no available peer sync, can I do this manually? And if not, what is the overall effect on URL checking performance</P><P>when the backup pair comes online and is so out of date on its local database that it has to use Dynamic lookup?</P></BODY></HTML> Tue, 11 Oct 2011 01:36:50 GMT https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42361#M31109 KatanaNZ 2011-10-11T01:36:50Z https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42362#M31110 <HTML><HEAD></HEAD><BODY><P>@KatanaNZ:</P><P></P><P>You cannot do a manual update of the Brightcloud DB.</P><P></P><P>If you cannot change the security policy to allow the management interface of your PA Network devices to request software, AV, URL and app/threat updates, then my suggestion would be that a URL db update would be advisable if you have an HA failover. You can do this easily via the command line:</P><P>request url-filtering upgrade brightcloud</P><P></P><P>Generally speaking I advise people to allow update traffic outbound from management interface to the Palo Alto Networks and Brightcloud update servers. The risk this represents to the network is typically lower than having to rely upon human intervention to update the device after an HA failover. </P><P></P><P>-Benjamin</P></BODY></HTML> Tue, 11 Oct 2011 02:21:25 GMT https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42362#M31110 bpappas 2011-10-11T02:21:25Z https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42363#M31111 <HTML><HEAD></HEAD><BODY><P>The IT Network, used for management of all critical systems, will not have any external access, neither inbound or outbound.</P><P></P><P>What I really need, is for the pairs to sync all data, not just parts of it.</P></BODY></HTML> Tue, 11 Oct 2011 02:59:46 GMT https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42363#M31111 KatanaNZ 2011-10-11T02:59:46Z https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42364#M31112 <HTML><HEAD></HEAD><BODY><P>@KatanaNZ:</P><P></P><P>in that case it would seem that you should file a feature request with your sales team. </P><P></P><P>And maybe a weekly failover and update URL database for the secondary unit would be something to add to your regularly scheduled change/maintenance window? Just an idea to keep things more in-sync than waiting for an outage to cause a failover.</P><P></P><P>-Benjamin</P></BODY></HTML> Tue, 11 Oct 2011 03:03:31 GMT https://live.paloaltonetworks.com/t5/general-topics/url-sync-to-peer-for-active-passive-cluster/m-p/42364#M31112 bpappas 2011-10-11T03:03:31Z