Configuration Sync is not happening on HA,Server error : Failed to synchronize running configuration


L1 Bithead

Running configuration sync is not happening between HA peers (PA-5050). We tried manually from the passive firewall CLI with the command request high-availability sync-to-remote running-config but I am getting the error Server error: Failed to synchronize running configuration with HA peer; operation not allowed: URL Database mismatch.

I have restarted the management plane on the passive but the result is the same.

The pandb is at the same version on both firewalls, checked with show system info for the URL DB:

 

url-db: paloaltonetworks
URL-filtering-version:20200414.20165

 

 

 

NpN

Cyber Elite

Have you tried running this on both members:

 

request url-filtering install pandb-database

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

It is not working in 8.1.11. I think this command is for PAN 9 version.

NpN

Community Team Member

Hi @NijithPN ,

 

This command is available in 7.1 PAN-OS also .... I'm sure it's available in PAN-OS 8 as well.

 

admin@Lab80-80-PA-2050> request url-filtering install 
> database          Install uploaded BrightCloud database
> pandb-database    Install uploaded Pan DB database
> signed-database   Install signed uploaded BrightCloud database

 

Please add more info ... are you getting any output when executing this cmd ?

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP

"it is not working" doesn't really help much...

What is not working? Are you getting a specific message, is the cli throwing an error?

 

This command has been around for a while, so if it's not working it would be useful to include any output you're seeing so we can help you.

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

By using the command request url-filtering install pandb-database I am getting this error:

Server error : Image has not been uploaded. Upload and try again

NpN

Community Team Member

Hi @NijithPN ,

 

Looks like the image isn't downloaded...

Have you tried downloading it (again) ? Note that the passive device might not have the connectivity in order to download.

> request url-filtering download paloaltonetworks region <region-name>

 

Could you check the output on both devices :

 

admin@PA-VM> show url-cloud status

 

Cheers,

-Kiwi.


L1 Bithead

I am using PA-460 in HA mode and am also getting the same error while trying to download the PAN-DB database. Also pandb is showing not connected. I have checked and nothing looks to be blocked. This error is on the Standby firewalls. My Active firewalls look good.

 

>request url-filtering install pandb-database

Server error : Image has not been uploaded. Upload and try again

 

> show url-cloud status

PAN-DB URL Filtering
License : valid
libcurl resolver : threaded
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2

Hi SaurabhB,
I have the same issue with a couple of Palo Alto PA-440s in HA active-passive.
The active firewall can update PAN-DB without issues, the passive firewall cannot.

My software version is 10.2.8-h3

Have you solved this problem?

Thank you again for your help

Hi SDBIT-Andrea

There is no resolution till now. show url-cloud status command still throws the same error - Cloud connection : not connected

request url-filtering install pandb-database command shows - 

Server error : Image has not been uploaded. Upload and try again

L0 Member

Hi Everyone,

 

A passive device will always be NOT connected to the PAN DB URL cloud.

 

"Is the firewall in an HA configuration? Verify that the HA state of the firewalls is in the active, active-primary, or active-secondary state. Access to the PAN-DB cloud will be blocked if the firewall is in a different state. Run the following command on each firewall in the pair to see the state:"

 

There are 2 situations here:

1. If the passive firewall was at some point active, it will have a pandb url version installed (older but still has one).

2. If the passive firewall was never active it will show:

show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2

 

If you are meeting scenario 1, a failover will make the firewall try and contact pan db url cloud and get the latest version (if no configuration change that affects whatever interface the firewall is using for contacting pan-db-url cloud).

 

If you are meeting scenario 2, the same applies but with 1 caveat. If you have a security policy blocking "not-resolved" category on top of the security policies above a rule that allows mgmt/data plane interface that is used for this communication you will create an outage.

 

Follow this recommendation:

"To help ensure connectivity to PAN-DB cloud, create a dedicated Security policy rule that allows all Palo Alto Management Service traffic. This will avoid management traffic from being classified as not-resolved and prevent the traffic from being blocked when routed through the dataplane."

 

My first post here so hope this was useful.

 

Have a great day.
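
Added example (not part of any post in this thread, and not Palo Alto Networks code): a small triage helper that applies the two scenarios from the last reply to saved `show url-cloud status` output. The HA state is passed in by the operator; the function names, result labels and sample strings are assumptions made for illustration.

```python
import re

# Constructed sample: `show url-cloud status` from a standby peer that was
# never active, matching the output quoted in the thread.
SAMPLE_NEVER_ACTIVE = """\
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2
"""
# Constructed sample: a standby peer that was active at some point and still
# holds an older database (version string is illustrative).
SAMPLE_WAS_ACTIVE = SAMPLE_NEVER_ACTIVE.replace("0000.00.00.000", "20200414.20165")

# HA states in which, per the quoted documentation, PAN-DB cloud access works.
CLOUD_ALLOWED_STATES = {"active", "active-primary", "active-secondary"}
EMPTY_DB_VERSION = "0000.00.00.000"


def parse_url_cloud_status(text):
    """Turn 'key : value' lines into a dict with lower-cased keys."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(.+?)\s+:\s+(.*?)\s*$", line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
    return fields


def triage(ha_state, status_text):
    """Classify one peer; ha_state is the operator-supplied local HA state."""
    f = parse_url_cloud_status(status_text)
    connected = f.get("cloud connection", "").lower() == "connected"
    version = f.get("url database version - device", EMPTY_DB_VERSION)
    if ha_state.lower() in CLOUD_ALLOWED_STATES:
        # An active peer should reach the cloud; if not, it is a real fault.
        return "ok" if connected else "investigate-connectivity"
    if connected:
        return "ok"
    if version == EMPTY_DB_VERSION:
        # Scenario 2: check for a not-resolved block rule before any failover.
        return "expected-never-active"
    # Scenario 1: stale database, refreshed after the next failover.
    return "expected-was-active"


if __name__ == "__main__":
    for state, sample in [("passive", SAMPLE_NEVER_ACTIVE),
                          ("passive", SAMPLE_WAS_ACTIVE),
                          ("active", SAMPLE_NEVER_ACTIVE)]:
        print(state, "->", triage(state, sample))
```
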
