DROP_UPDATE on Minemeld


Hello Community,

 

The logs on my MineMeld show the error below for all the IPs that it catches. Could you please advise how to get rid of this problem?

Thanks in advance

 

DROP_UPDATE.png


Hi @hamza-zidane,

That's not a problem per se, but it means that the inbound filters in the node inboundfeedhc are dropping some indicators.

Could you share your config? Or the config of inboundfeedhc node?

 

Thanks,

luigi

Hello lmori,

 

Please find the requested config file in the attachment.

I also want to share this finding with you: the test ("Source URL is accessible" when testing in the GUI) is OK.

 

TEST SOURCE URL.png

 

But the test from the FW CLI is not successful.

Test From FW CLI.png

Thanks in advance for your support!

 

Best regards

Hi @hamza-zidane,

The DROP_UPDATE is generated because the node *inboundfeedlc* receives an UPDATE for an indicator with confidence level 100, that is, confidence level high. *inboundfeedlc*, however, is based on a prototype (stdlib.feedLCGreen) that selects only indicators with confidence < 50. *inboundfeedhc*, on the other hand, is based on feedHCGreen, which selects only indicators with confidence level high, and it accepts the indicators (ACCEPT_UPDATE).

 

You should check ms.log file for additional details about the PAN-OS error in pulling the EDL.
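The filter behaviour described in the reply above, as an added example that is not part of the original thread and is not MineMeld's own code. It models each node as an ordered, first-match filter list; the rule format, the function names, the `> 75` threshold for the high-confidence node, the handling of a missing confidence value, and the sample indicators are all assumptions made for illustration (only `< 50` comes from the thread).

```python
"""Simplified model of first-match inbound filters on two MineMeld-style feed nodes."""

# Each node has an ordered filter list; the first matching rule decides.
# "< 50" is from the thread; "> 75" for the high-confidence node is an assumption.
NODE_FILTERS = {
    "inboundfeedlc": [
        ("low confidence", lambda v: v["confidence"] < 50, "accept"),
        ("drop all", lambda v: True, "drop"),
    ],
    "inboundfeedhc": [
        ("high confidence", lambda v: v["confidence"] > 75, "accept"),
        ("drop all", lambda v: True, "drop"),
    ],
}


def apply_filters(filters, value):
    """Return (action, rule_name) of the first rule whose condition holds."""
    for name, condition, action in filters:
        try:
            if condition(value):
                return action, name
        except (KeyError, TypeError):
            # Missing or non-numeric confidence: the rule does not match (model assumption).
            continue
    return "drop", "implicit"


def route_update(indicator, value, nodes=NODE_FILTERS):
    """Simulate an UPDATE reaching every node; return the log event per node."""
    events = {}
    for node, filters in nodes.items():
        action, _rule = apply_filters(filters, value)
        events[node] = "ACCEPT_UPDATE" if action == "accept" else "DROP_UPDATE"
    return events


if __name__ == "__main__":
    # Constructed sample indicators (documentation address ranges).
    samples = [
        ("198.51.100.7", {"confidence": 100}),
        ("203.0.113.20", {"confidence": 30}),
        ("192.0.2.55", {"confidence": 60}),
        ("192.0.2.99", {}),
    ]
    for indicator, value in samples:
        print(indicator, value, route_update(indicator, value))
```

In this model a confidence-100 indicator logs DROP_UPDATE on the low-confidence node and ACCEPT_UPDATE on the high-confidence node at the same time, which is why the drop entries alone do not mean the indicator is missing from every feed.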

 

 

Hello lmori,

 

Thanks for your quick feedback,

I have checked the logs on the FW and did a quick search on the internet for what might be the root cause of this error, but unfortunately I couldn't find anything helpful.

I have put the error message below and hope you could take a look and help.

 

2018-07-02 12:13:44.404 +0100 EDL FREE EDL Refresh timer job (0x2c3d0400, 2096)
2018-07-02 12:15:00.508 +0100 Checking to purge appstatdb logtype
2018-07-02 12:18:45.148 +0100 EDL entry(0x1a46000, 0x270ac000, 0x935a000 vsys2/EDL_SPAM, 0, 1 ip) Entry not referenced by a rule
2018-07-02 12:18:45.149 +0100 Error: pan_ebl_set_curl_proxy_info(pan_cfg_ebl.c:5329): failed to get proxy info
2018-07-02 12:18:55.150 +0100 Error: ebl_fetch_url_from_remote_libcurl(pan_cfg_ebl.c:1787): curl_easy_perform failed, Err(28):Timeout was reached
2018-07-02 12:18:55.150 +0100 EDL entry(0x1a46000, 0x2c11d800, 0x935a000 vsys1/SPAM_IPs, 1, 1 ip) calling /bin/sed -e 's/^M$//g' /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_SPAM_IPs.ebl.tmpxx 2>/dev/null > /opt/pancfg/mgmt/devices/localhost.localdomain/vsys1_SPAM_IPs.ebl.tmp
2018-07-02 12:18:55.157 +0100 Error: ebl_verify_fetched_copy(pan_cfg_ebl.c:2286): EDL entry(0x1a46000, 0x2c11d800, 0x935a000 vsys1/SPAM_IPs, 1, 1 ip) No valid entries found. Timeout was reached
2018-07-02 12:18:55.182 +0100 Error: ebl_update_local_file(pan_cfg_ebl.c:2718): EDL entry(0x1a46000, 0x2c11d800, 0x935a000 vsys1/SPAM_IPs, 1, 1 ip) Unable to fetch external dynamic list. Timeout was reached. Using old copy for refresh.

 

Have you configured a proxy for EDL on PAN-OS? Could it be that the proxy is not reachable?
