https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66418#M39196 <P>Hi Tom,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Thanks for the reply.</P><P>I did a packet caputre on the firewall I found that CA of next hop is not trusted by palo alto.</P><P>In my scenario palo alto is behind the proxy server, during the connection palo alto doesnt trust the proxy.</P><P>&nbsp;</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/618i449EDF13E2BC44B7/image-size/original?v=mpbl-1&amp;px=-1" alt="pcap.PNG" title="pcap.PNG" border="0" /></P><P>&nbsp;</P><P>And in the certificate trust list, import option is unavaiable.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/619i940FC244F50F8347/image-size/original?v=mpbl-1&amp;px=-1" alt="trustlist.PNG" title="trustlist.PNG" border="0" /></P><P>&nbsp;</P><P>kindly give some suggestions.</P><P>&nbsp;</P><P>&nbsp;</P><P>with regards,</P><P>Ram.</P> Mon, 12 Oct 2015 10:16:01 GMT Gururaj 2015-10-12T10:16:01Z https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66402#M39185 <P>Hi,</P><P>&nbsp;&nbsp;&nbsp;&nbsp; We couldn't activate brightcloud url filtering with our old database.</P><P>I have attached the screenshot for you reference, kindly look into it and help.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>with regards,</P><P>Ram</P><P>&nbsp;</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/614iBCB7B8C1CD92A08B/image-size/original?v=mpbl-1&amp;px=-1" alt="PA_URL_license.png" title="PA_URL_license.png" border="0" /></P> Mon, 12 Oct 2015 07:32:30 GMT https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66402#M39185 Gururaj 2015-10-12T07:32:30Z https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66412#M39193 <P>Hi Ram</P> <P>&nbsp;</P> <P>It looks like the device is having trouble downloading the DB on both URL filtering, you may need to troubleshoot connectivity from your management interface towards the internet first before you'll be able to switch databases.</P> <P>&nbsp;</P> <P>You'll want to verify if DNS is being resolved</P> <PRE>&gt; ping host service.brightcloud.com &gt; ping host updates.paloaltonetworks.com</PRE> <P>Don't worry if you don't get ping replies, these services don't respond to ping, but it's an easy way to check if your firewall is able to resolve DNS for these hosts. If the IP is not resolcved, please verify your DNS settings.</P> <P>&nbsp;</P> <P>Next you can try a manual download</P> <PRE>&gt; request url-filtering upgrade brightcloud &gt; request url-filtering download status vendor brightcloud</PRE> <P>If this is still failing you may need to verify your traffic logs to see if the download is being blocked by a security policy</P> <P>&nbsp;</P> <P>Once the DB is downloaded you should be able to active the url filtering</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>hope this helps</P> <P>Tom</P> Mon, 12 Oct 2015 09:52:32 GMT https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66412#M39193 reaper 2015-10-12T09:52:32Z https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66418#M39196 <P>Hi Tom,</P><P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Thanks for the reply.</P><P>I did a packet caputre on the firewall I found that CA of next hop is not trusted by palo alto.</P><P>In my scenario palo alto is behind the proxy server, during the connection palo alto doesnt trust the proxy.</P><P>&nbsp;</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/618i449EDF13E2BC44B7/image-size/original?v=mpbl-1&amp;px=-1" alt="pcap.PNG" title="pcap.PNG" border="0" /></P><P>&nbsp;</P><P>And in the certificate trust list, import option is unavaiable.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/619i940FC244F50F8347/image-size/original?v=mpbl-1&amp;px=-1" alt="trustlist.PNG" title="trustlist.PNG" border="0" /></P><P>&nbsp;</P><P>kindly give some suggestions.</P><P>&nbsp;</P><P>&nbsp;</P><P>with regards,</P><P>Ram.</P> Mon, 12 Oct 2015 10:16:01 GMT https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66418#M39196 Gururaj 2015-10-12T10:16:01Z https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66421#M39197 <P>Hi Ram</P> <P>&nbsp;</P> <P>you could try setting a service route for updates or bypassing the proxy entirely for management plane connections, the proxy may not be forwarding the crl/ocsp properly</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/620i4E4F7BD58F95B238/image-size/original?v=mpbl-1&amp;px=-1" alt="2015-10-12_13-39-33.png" title="2015-10-12_13-39-33.png" border="0" /></P> <P>&nbsp;</P> Mon, 12 Oct 2015 11:41:56 GMT https://live.paloaltonetworks.com/t5/general-topics/brightcloud-active-option-unavailable/m-p/66421#M39197 reaper 2015-10-12T11:41:56Z