PAN-DB URL Filtering Updates

Reply
L0 Member

PAN-DB URL Filtering Updates

Hi,

We have a couple of PA devices configured in HA mode. I just want  to ask if it is normal that only the active firewall gets the URL filtering incremental updates. eg. FW-01 (active firewall) gets updated to version 2005.12.811 and FW-02 gets stuck to version 2005.12.000?

Thanks,

Nelson

L7 Applicator

Re: PAN-DB URL Filtering Updates

Hello Nelson A,

What is the PAN OS version running on your firewall...?

Have you seen any error/warning messages on SYSTEM logs..?

Which Devices in an HA Pair Can Connect to the PAN-DB Cloud?

The Active device will not regularly sync the cache over to the Passive. Since the Passive device is not getting any traffic, it will also not do any cloud lookups on its own for URLs. Every 8 hrs or so, the Active device will make a backup of its MP cache, and that will get synced to the Passive device. If you use the CLI command on the Passive device to download a seed database, it will do that as well. So, basically when the Passive becomes active and do a URL lookup it will then update its version too.

Thanks

L5 Sessionator

Re: PAN-DB URL Filtering Updates

This is correct.  If you are in an Active/Passive mode, only the Active device will do cloud lookups.  The Passive device will not do this unless it becomes active.  As HULK mentioned, however, we do periodically backup the MP cache on the Active device and sync it to the Passive.  When this happens, you should see the version number on the Passive device increment.  There was a bug regarding the version number not updating, but that should be fixed with PAN-OS 6.0.1

Hope this helps,

Doris

L0 Member

Re: PAN-DB URL Filtering Updates

Hi all,

Thank you for the prompt reply. I forgot to mention that we are using using PAN OS version 5.0.11, 5.0.8 and 5.0.6 and we don't have license for BrightCloud. But was this behavior still holds true for the PAN-DB updates? Another thing that I noticed is that URL DB versions does not show up in real time in Panorama > Managed Devices interface. But when checked at the FW Dashboard it is updated to the latest version available. All other updates version are synchronized in Panorama except for the URL filtering DB version. Thanks again for your help.

Nelson

L5 Sessionator

Re: PAN-DB URL Filtering Updates

Hi Nelson,

My explanation above was specific to PAN-DB.  With BrightCloud, we do not sync anything - both the active and passive devices need to be setup to download BrightCloud updates.

--Doris

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!