PAN-DB Connectivity

Reply
Highlighted
L0 Member

PAN-DB Connectivity

Hi,

 

We are faced with the connectivity issue when we tried to download the URL filtering DB from PAN-DB. As the firewall has an external interface to the internet, we have changed the service route for “Palo Alto Networks Services” to the external interface. However, we are not able to get connected to the PAN-DB.

 

We are able to ping to the PAN-DB URL. In addition, we are not seeing any traffic logs when we tried to do a download for the URL Filtering DB.

 

In addition, should we use service route of "URL Updates" or "Palo Alto Network Services" if we are to download / connect to the PAN-DB for the URL filtering?

 

Thks and Rgds

L2 Linker

Re: PAN-DB Connectivity

We are have our Service Route set to use the management interface.  We are on 8.0.x, not sure what version you are on. 

 

What do you see when you issue the show url-cloud status command?  Ours looks like this:

 

    

show url-cloud status

 

PAN-DB URL Filtering

License :                          valid                                   

Current cloud server :             s0100.urlcloud.paloaltonetworks.com     

Cloud connection :                 connected                               

Cloud mode :                       public                                  

URL database version - device :    20180815.40205                          

URL database version - cloud :     20180815.40205  ( last update time 2018/08/16 13:07:14 )

URL database status :              good                                    

URL protocol version - device :    pan/0.0.2                               

URL protocol version - cloud :     pan/0.0.2                               

Protocol compatibility status :    compatible       

 

You could try capturing some packets and doing some log review to troublesoot further (unless you have already done this with TAC).  The process goes something like this:

 

 Set up TCPDump PCAP to capture traffic from one CLI window 

     tcpdump filter "host xx.xx.xx.xx" (xx= ip of the external server hosting PAN-DB)

 

From a second CLI window;  Run a manual PAN-DB refresh via the CLI by "request url-filtering download paloaltonetworks region North-America"

 

Then export the PCAP file to your workstatoin

      scp export mgmt-pcap from mgmt.pcap to user@analyst_workstation_ip:./


Reviewed the PCAP using wireshark looking for possible communication errors (like tls version mismatch for example)

 

Lastly to view the local logs from the CLI, you can issue a command such as this:

    tail follow yes mp-log ms.log from one terminal window while re-issuing the

request url-filtering download paloaltonetworks region North-America command from a second window to see if the error message there will help pin point the issue.

 

Good luck!  Hope this helps.  -Lora

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!