07-21-2014 01:44 AM
Hi, I have 2 Palo Alto 2050 in HA (active/passive). The active HA has internet access in order to take the Palo Alto updates, but the passive PA doesn't have access to the internet. The problem is that the active PA has a URL version updated but the passive has a version very old. What should I do??? Is there any way to send these URL updates from PA active to passive, or should I give internet access to the passive device???
Thanks
07-21-2014 02:33 AM
It looks like there is no way at the moment. There was an old discussion about this topic: Re: URL Sync to Peer for Active-Passive Cluster.
You should open a feature request with your SE for this.
07-21-2014 02:51 AM
There is an option when you setup the dynamic updates to choose "sync to peer" on your primary device. This is designed for the situation you have.
Using this option the download occurs on the primary and is copied and applied to the secondary via HA sync process.
Is Content Database Sync Recommended in an HA Environment?
07-21-2014 03:33 AM
I updated the PAN-DB and now they have the same version??? How can I know if I'm using the BrightCloud DB or PAN-DB??? What are the main differences between these DBs? Is either one better than the other?
07-21-2014 05:30 AM
Hi Cos,
There are multiple ways to determine which DB is used.
1. "show system info":
If "url-filtering-version" is in "Year.Month.Day" format, then it's PAN-DB. Check the following output.
admin@65-PA-500> show system info
hostname: 65-PA-500
ip-address: 10.66.18.65
netmask: 255.255.254.0
default-gateway: 10.66.18.1
url-filtering-version: 2014.07.18.810
If not, it's BrightCloud.
2. Device > Licenses > check whether PAN-DB or BrightCloud is active.
PAN-DB is better than BrightCloud, because Palo Alto manages PAN-DB. We have better control and integration with the product. Read the following thread for more info.
Re: URL Filtering - PANDB vs. Brightcloud
Regards,
Hardik Shah
07-21-2014 06:08 PM
Hi Cos,
There is actually slightly different behavior between BrightCloud and PAN-DB when it comes to HA Active/Passive. Given that you are using PAN-DB, I will start with that first.
In an HA Active/Passive scenario with PAN-DB, only the Active device will connect to the PAN-DB cloud. When it does connect to the cloud, it will also update the database version number to indicate that it has synced with the latest version in the cloud. Additionally, the MP cache is backed up every 4 hours, as well as anytime the device is about to restart. Anytime a backup is generated, that is synced to the Passive device. Once this happens, the backup is then loaded into the MP cache of the Passive device, which also updates the Passive device's URL filtering database version number. This is probably what triggered the scenario in which you saw the Passive device get updated (you can verify this by looking at the Monitor-->System Logs). At this point, if the Passive device ever becomes Active, it at least will have a populated MP cache that's at most 4 hours out of sync with the original Active device.
For BrightCloud, the behavior is different in that the MP cache does not get backed up or synced across to the Passive device. Instead, the Passive device downloads the latest BrightCloud database when it flips over to Active.
Hope this helps,
Doris
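Hardik's check above (a "url-filtering-version" of the form Year.Month.Day.build means PAN-DB, anything else means BrightCloud) and Doris's description of the 4-hour backup/sync cycle both boil down to comparing the version strings reported by the two peers. The script below is an added example, not code from this thread or from Palo Alto Networks: it parses "show system info" output captured from each peer (by hand or over SSH), classifies the database in use, and flags a passive peer whose PAN-DB version date lags the active peer by more than a tolerance. The hostnames, addresses and version strings in the sample outputs are constructed, and the one-day lag tolerance is an assumption chosen because the version string only carries a date.

```python
import re
from datetime import datetime
from typing import Optional, Tuple

# Constructed "show system info" excerpts from two HA peers (hostnames,
# addresses and versions are made up for this example).
ACTIVE_OUTPUT = """hostname: fw-active
ip-address: 192.0.2.10
url-filtering-version: 2014.07.18.810
"""

PASSIVE_OUTPUT = """hostname: fw-passive
ip-address: 192.0.2.11
url-filtering-version: 2014.06.02.410
"""

# A BrightCloud peer reports a plain build number, not a dated version.
BRIGHTCLOUD_OUTPUT = """hostname: fw-legacy
url-filtering-version: 3996
"""

# PAN-DB versions look like YYYY.MM.DD.build (heuristic from the thread).
PANDB_VERSION_RE = re.compile(r"^(\d{4})\.(\d{2})\.(\d{2})\.(\d+)$")


def parse_system_info(text: str) -> dict:
    """Turn 'key: value' lines of show system info into a dict."""
    info = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        info[key.strip()] = value.strip()
    return info


def classify_url_db(version: str) -> Tuple[str, Optional[datetime]]:
    """Return (database name, version date or None) for a url-filtering-version."""
    m = PANDB_VERSION_RE.match(version.strip())
    if not m:
        return "BrightCloud", None
    year, month, day, _build = m.groups()
    try:
        return "PAN-DB", datetime(int(year), int(month), int(day))
    except ValueError:
        # A dated-looking but invalid value (e.g. an all-zero placeholder)
        # means PAN-DB is licensed but no database has been loaded yet.
        return "PAN-DB (no database loaded)", None


def check_ha_url_sync(active_text: str, passive_text: str, max_lag_days: int = 1) -> dict:
    """Compare the URL DB versions of an active/passive pair and report drift."""
    active = parse_system_info(active_text)
    passive = parse_system_info(passive_text)
    a_ver = active.get("url-filtering-version", "")
    p_ver = passive.get("url-filtering-version", "")
    a_db, a_date = classify_url_db(a_ver)
    p_db, p_date = classify_url_db(p_ver)

    findings = []
    lag_days = None
    if a_db != p_db:
        findings.append(f"peers use different URL databases: active={a_db}, passive={p_db}")
    if a_date is not None and p_date is not None:
        lag_days = (a_date - p_date).days
        if lag_days > max_lag_days:
            findings.append(
                f"passive URL DB lags active by {lag_days} days "
                f"({p_ver} vs {a_ver}); HA url_sync is not landing on the passive peer"
            )
        elif lag_days < 0:
            findings.append("passive is newer than active; check which peer is fetching updates")
    elif a_db == "BrightCloud" and p_db == "BrightCloud":
        findings.append("BrightCloud: passive cache is not synced; it downloads on failover")

    return {
        "active_db": a_db,
        "passive_db": p_db,
        "active_version": a_ver,
        "passive_version": p_ver,
        "lag_days": lag_days,
        "in_sync": lag_days is not None and 0 <= lag_days <= max_lag_days,
        "findings": findings,
    }


if __name__ == "__main__":
    report = check_ha_url_sync(ACTIVE_OUTPUT, PASSIVE_OUTPUT)
    print(f"active: {report['active_db']} {report['active_version']}")
    print(f"passive: {report['passive_db']} {report['passive_version']}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Run against the constructed sample, the passive peer is 46 days behind, which is the same symptom the PA-500 poster reports further down the thread: the HA url_sync callback completes but the passive version never advances. A lag that keeps growing between checks is the signal to look at the passive peer's system logs and, as the thread concludes, at the PAN-OS version.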
10-06-2014 04:27 AM
Thanks for the detailed information. Unfortunately the behaviour on my two PA-500 devices is different.
In an HA Active/Passive scenario with PAN-DB, only the Active device will connect to the PAN-DB cloud. When it does connect to the cloud, it will also update the database version number to indicate that it has synced with the latest version in the cloud. Additionally, the MP cache is backed up every 4 hours, as well as anytime the device is about to restart. Anytime a backup is generated, that is synced to the Passive device. Once this happens, the backup is then loaded into the MP cache of the Passive device, which also updates the Passive device's URL filtering database version number. This is probably what triggered the scenario in which you saw the Passive device get updated (you can verify this by looking at the Monitor-->System Logs). At this point, if the Passive device ever becomes Active, it at least will have a populated MP cache that's at most 4 hours out of sync with the original Active device.
The active device backs up its cache every 4 hours and the sync is working. The log on the passive device shows "Received callback from peer for completion of handle url_sync; file /opt/pancfg/opt/pan/content/pan/panurldb.bin.ha." and "Update URL was completed for passive peer.". But the version number on the passive device is not updated. Any idea how I can force this or where I can get more detailed logs?
01-08-2015 03:24 AM
The problem still exists. Can somebody help me?
01-09-2015 02:04 PM
I take it that you have sync to peer checked and have committed the configuration?
I also run active/passive and what I do is use the management interface for all updates. Since the management network has access to the internet, both PANs will get updates whether they are active or passive.
01-19-2015 05:55 AM
Thanks for your reply. To be honest I don't know where I can find the option sync to peer for PAN-DB URL updates. I rather think there is no sync-to-peer option for URL filtering. Besides that, your screenshots refer to the antivirus update.
Updating the active device is fine. The problem is our passive device. The management interface has access to the internet, but referring to the statement of "dyang", only the active device connects to the PAN-DB cloud. The sync to the passive device fails and this is what I want to solve.
01-22-2015 03:50 PM
I would say open a support case if the passive device is not getting updated. Sorry we couldn't help more.
01-31-2015 01:10 AM
It's ok I'll open a support case.
05-13-2015 01:16 AM
Update to PAN-OS 6.1.3 fixed that problem.