PA URL FILTERING UPDATES force to update the HA peer

L4 Transporter

PA URL FILTERING UPDATES force to update the HA peer

Hi, I have two Palo Alto 2050s in HA (active/passive). The active HA peer has internet access in order to take the Palo Alto updates, but the passive PA doesn't have access to the internet. The problem is that the active PA has an updated URL version but the passive has a very old version. What should I do? Is there any way to send these URL updates from the active PA to the passive one, or should I give internet access to the passive device?

thanks

L3 Networker

Re: PA URL FILTERING UPDATES force to update the HA peer

It looks like there is no way at the moment. There was an old discussion about this topic: Re: URL Sync to Peer for Active-Passive Cluster.

You should open a feature request with your SE for this.

L7 Applicator

Re: PA URL FILTERING UPDATES force to update the HA peer

There is an option when you set up the dynamic updates to choose "sync to peer" on your primary device. This is designed for the situation you have.

Using this option the download occurs on the primary and is copied and applied to the secondary via HA sync process.

Is Content Database Sync Recommended in an HA Environment?

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L4 Transporter

Re: PA URL FILTERING UPDATES force to update the HA peer

I updated the PAN-DB and now they have the same version. How can I know if I'm using the BrightCloud DB or PAN-DB? What are the main differences between these DBs? Is either one better than the other?

L6 Presenter

Re: PA URL FILTERING UPDATES force to update the HA peer

Hi Cos,

There are multiple ways to determine which DB is used.

1. "show system info":

If "url-filtering-version" is in "Year.Month.Day" format, then it's PAN-DB. Check the following output.

admin@65-PA-500> show system info
hostname: 65-PA-500
ip-address: 10.66.18.65
netmask: 255.255.254.0
default-gateway: 10.66.18.1
url-filtering-version: 2014.07.18.810

If not, it's BrightCloud.

2. Device > Licenses: check whether PAN-DB or BrightCloud is active.

PAN-DB is better than BrightCloud, because Palo Alto manages PAN-DB. We have better control and integration with the product. Read the following thread for more info.

Re: URL Filtering - PANDB vs. Brightcloud

Regards,

Hardik Shah
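The check above (read `url-filtering-version` from `show system info`, treat a Year.Month.Day.build stamp as PAN-DB) is easy to script across both HA peers, which is what the original poster actually needed: confirm which database each peer runs and how far the passive peer lags. The following is an added example, not code from the thread or from Palo Alto Networks. The sample outputs are constructed (hostnames, addresses and the passive/BrightCloud version strings are made up); the assumption that a BrightCloud version is a plain number with no date stamp follows the rule of thumb in the post above rather than any documented format, and the one-day staleness threshold is an assumption derived from the four-hour cache backup interval described later in this thread.

```python
import re
from datetime import date

# Constructed sample output in the `show system info` layout shown above.
# Only the keys relevant to this check are included. Values are made up.
ACTIVE_PEER = """\
hostname: fw-active
ip-address: 10.66.18.65
netmask: 255.255.254.0
default-gateway: 10.66.18.1
url-filtering-version: 2014.07.18.810
"""

PASSIVE_PEER = """\
hostname: fw-passive
ip-address: 10.66.18.66
netmask: 255.255.254.0
default-gateway: 10.66.18.1
url-filtering-version: 2014.07.10.780
"""

# Constructed BrightCloud-style sample. Assumption: the version is a plain
# build number with no Year.Month.Day stamp, per the thread's rule of thumb.
BRIGHTCLOUD_PEER = """\
hostname: fw-legacy
url-filtering-version: 3984
"""

# PAN-DB stamp: YYYY.MM.DD.build
PANDB_VERSION = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})\.(\d+)$")


def parse_system_info(text):
    """Turn the 'key: value' lines of `show system info` into a dict."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # prompt line or blank
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def classify_url_db(version):
    """Apply the thread's rule: a Year.Month.Day.build stamp means PAN-DB,
    anything else is treated as BrightCloud. Returns (db_name, release_date)."""
    m = PANDB_VERSION.match(version)
    if not m:
        return "BrightCloud", None
    year, month, day, _build = (int(g) for g in m.groups())
    return "PAN-DB", date(year, month, day)


def compare_peers(active_text, passive_text):
    """Compare url-filtering-version on an HA pair and report drift."""
    a = parse_system_info(active_text)
    p = parse_system_info(passive_text)
    a_ver = a.get("url-filtering-version", "")
    p_ver = p.get("url-filtering-version", "")
    a_db, a_date = classify_url_db(a_ver)
    p_db, p_date = classify_url_db(p_ver)
    report = {
        "active": {"host": a.get("hostname"), "db": a_db, "version": a_ver},
        "passive": {"host": p.get("hostname"), "db": p_db, "version": p_ver},
        "db_mismatch": a_db != p_db,
        "version_mismatch": a_ver != p_ver,
        "passive_lag_days": None,
        "passive_stale": False,
    }
    if a_date and p_date:
        report["passive_lag_days"] = (a_date - p_date).days
        # Assumption: with a ~4-hour HA cache backup, a passive peer that is
        # more than a day behind means the URL sync is not landing.
        report["passive_stale"] = report["passive_lag_days"] > 1
    return report


if __name__ == "__main__":
    for key, value in compare_peers(ACTIVE_PEER, PASSIVE_PEER).items():
        print(f"{key}: {value}")
```

Paste the real `show system info` output of each peer into the two strings (or read it from files) and run the script; a `passive_stale` of `True` with `db_mismatch` of `False` is the symptom described later in this thread, where the sync log says the update completed but the passive version never moves.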

L5 Sessionator

Re: PA URL FILTERING UPDATES force to update the HA peer

Hi Cos,

There is actually slightly different behavior between BrightCloud and PAN-DB when it comes to HA Active/Passive. Given that you are using PAN-DB, I will start with that first.

In an HA Active/Passive scenario with PAN-DB, only the Active device will connect to the PAN-DB cloud. When it does connect to the cloud, it will also update the database version number to indicate that it has synced with the latest version in the cloud. Additionally, the MP cache is backed up every 4 hours, as well as anytime the device is about to restart. Anytime a backup is generated, that is synced to the Passive device. Once this happens, the backup is then loaded into the MP cache of the Passive device, which also updates the Passive device's URL filtering database version number. This is probably what triggered the scenario in which you saw the Passive device get updated (you can verify this by looking at Monitor > System Logs). At this point, if the Passive device ever becomes Active, it at least will have a populated MP cache that's at most 4 hours out of sync with the original Active device.

For BrightCloud, the behavior is different in that the MP cache does not get backed up or synced across to the Passive device. Instead, the Passive device downloads the latest BrightCloud database when it flips over to Active.

Hope this helps,

Doris

L2 Linker

Re: PA URL FILTERING UPDATES force to update the HA peer

Thanks for the detailed information. Unfortunately the behaviour on my two PA-500 devices is different.

In an HA Active/Passive scenario with PAN-DB, only the Active device will connect to the PAN-DB cloud. When it does connect to the cloud, it will also update the database version number to indicate that it has synced with the latest version in the cloud. Additionally, the MP cache is backed up every 4 hours, as well as anytime the device is about to restart. Anytime a backup is generated, that is synced to the Passive device. Once this happens, the backup is then loaded into the MP cache of the Passive device, which also updates the Passive device's URL filtering database version number. This is probably what triggered the scenario in which you saw the Passive device get updated (you can verify this by looking at Monitor > System Logs). At this point, if the Passive device ever becomes Active, it at least will have a populated MP cache that's at most 4 hours out of sync with the original Active device.

The active device backs up its cache every 4 hours and the sync is working. The log on the passive device shows "Received callback from peer for completion of handle url_sync; file /opt/pancfg/opt/pan/content/pan/panurldb.bin.ha." and "Update URL was completed for passive peer.". But the version number on the passive device is not updated. Any idea how I can force this, or where I can get more detailed logs?

L2 Linker

Re: PA URL FILTERING UPDATES force to update the HA peer

The problem still exists. Can somebody help me?

L3 Networker

Re: PA URL FILTERING UPDATES force to update the HA peer

I take it that you have "sync to peer" checked and have committed the configuration?

I also run active/passive, and what I do is use the management interface for all updates. Since the management network has access to the internet, both PANs will get updates whether they are active or passive.

L2 Linker

Re: PA URL FILTERING UPDATES force to update the HA peer

Thanks for your reply. To be honest, I don't know where I can find the "sync to peer" option for PAN-DB URL updates. I rather think there is no sync-to-peer option for URL filtering. Besides that, your screenshots refer to the antivirus update.

Updating the active device is fine. The problem is our passive device. The management interface has access to the internet, but referring to the statement of "dyang", only the active device connects to the PAN-DB cloud. The sync to the passive device fails, and this is what I want to solve.
