04-02-2020 09:58 AM
Hi there,
I have a strange problem. According to this article
and/or this article
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQvCAK
I should be able to SSH to my PAN-OS 9.0.x and execute the following commands;
however, neither command works.
request url-filtering download paloaltonetworks region <region_name>
request url-filtering download status vendor paloaltonetworks
The only available option for me after download is status; there is no option for me to select paloaltonetworks.
However, under license it shows just fine, and show url-cloud status shows just fine too.
> show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20200402.20254
URL database version - cloud : 20200402.20254 ( last update time 2020/04/02 17:52:28 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
There has been a security incident where the URL was categorised as malware, yet the URL is being allowed through the firewall as it continues to show as stock-advice-and-tools.
My question to the community is:
How do I request a seed database download, because clearly the commands have changed or something got corrupted?
Please note, the same thing happened on both firewalls, which belong to two different clients running two different versions of software:
one is 9.0.6 and one is 9.0.5.
Look forward to hearing from you,
Kind Regards
04-02-2020 11:04 PM
looks like those commands were deprecated
try this one:
> request url-filtering upgrade
if you check the url that was changed, was there already 'steady' traffic to it before it was recategorized? you may have had the url categorized in cache and steady connections refreshing that cache
04-03-2020 10:49 AM
So I go request url-filtering upgrade and the only option after that is brightcloud.
It doesn't list paloaltonetworks as an option
As far as the URL, no steady traffic. It was a phishing link that was clicked once at approx 13:00, and then I clicked on it later myself at 17:00 to see if it took effect.
The link continues to work, the firewall is not blocking a known malicious link, and I can't trigger a PAN-DB download in any way that I can on PAN-OS 8.1 or 7.1.
Only the two firewalls on version 9.0.x are affected.
04-03-2020 11:31 AM
There have been further findings...
When I conduct
test url-info-cloud "247fxtradeoption.com"
BM:
247fxtradeoption.com,9,5,stock-advice-and-tools,low-risk
247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=bwfyay5hbwvybhluy2tay2fzywnjb3vudgfudhmuawu=,9,6,malware
So it appears that they categorised the exact URL as malware but not the main domain.
Yet, each time you click on the link in the phishing email it seems to generate a unique BASE64-looking string!
Each time I look at the firewall logs, it shows only 247fxtradeoption.com/, that is it.
Yet, the browser shows the long string, which is different each time you click on it (very smart, by the way).
Lastly,
According to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG
Additional Information
The below commands do not work on OS 9.0.x but will work on prior OS versions:
request url-filtering download paloaltonetworks region <region_name>
request url-filtering download status vendor paloaltonetworks
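The exact-URL versus domain mismatch described in this post, modelled in Python as an added example (not PAN-OS code and not from the poster). The lookup order (exact URL, then URL without query string, then host) is an assumption for illustration rather than PAN-DB's real matching logic, and the second per-click token in the usage is constructed.

```python
"""Added example, not PAN-OS or Palo Alto Networks code: a simplified model of
the category mismatch shown above. The lookup order used here (exact URL, then
URL without query string, then host) is an assumption, not PAN-DB's algorithm."""
from urllib.parse import urlsplit

# The two result lines quoted from `test url-info-cloud` in the post above,
# plus the 'BM:' header line that precedes them.
CLOUD_OUTPUT = """\
BM:
247fxtradeoption.com,9,5,stock-advice-and-tools,low-risk
247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=bwfyay5hbwvybhluy2tay2fzywnjb3vudgfudhmuawu=,9,6,malware
"""

def parse_url_info(text):
    """Map url -> category from url-info lines (url,<n>,<n>,category[,risk]).
    The two numeric fields are ignored: the thread does not say what they mean."""
    table = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) < 4:
            continue  # header ('BM:') or blank line
        table[parts[0]] = parts[3]
    return table

def candidates(url):
    """Keys to try for a logged URL, most specific first, without duplicates."""
    s = urlsplit(url if "://" in url else "//" + url)
    path = s.path or "/"
    full = s.netloc + path + ("?" + s.query if s.query else "")
    keys = []
    for key in (full, s.netloc + path, s.netloc + "/", s.netloc):
        if key not in keys:
            keys.append(key)
    return keys

def lookup(table, url):
    """Return (category, matching_key); ('unknown', None) if nothing matches."""
    for key in candidates(url):
        if key in table:
            return table[key], key
    return "unknown", None

if __name__ == "__main__":
    table = parse_url_info(CLOUD_OUTPUT)
    # What the firewall log recorded: only the host, so the domain entry wins.
    print(lookup(table, "247fxtradeoption.com/"))
    # Constructed: same path with a different per-click token also falls back to the host.
    print(lookup(table, "247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=YW5vdGhlcg=="))
```

Only the one exact string the cloud flagged returns malware; anything the log truncates to the host, or any fresh token, resolves to the domain's stock-advice-and-tools entry.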
04-03-2020 12:18 PM
I truly believe there are a lot of PAN 9.0.x instances that provide a sense of security but whose URL filtering is actually somehow broken.
My personal experience based on two firewalls that exhibit the same characteristics tells me there is something that has gone wrong with the license.
Although the command show url-cloud status shows VALID,
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20200403.20289
URL database version - cloud : 20200403.20289 ( last update time 2020/04/03 20:12:17 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
and show system info shows things such as:
url-db: paloaltonetworks
wildfire-version: 442082-444992
wildfire-release-date: 2020/04/03 20:10:57 IST
url-filtering-version: 20200403.20289
global-protect-datafile-version: unknown
global-protect-datafile-release-date: unknown
global-protect-clientless-vpn-version: 0
global-protect-clientless-vpn-release-date:
logdb-version: 9.0.10
vm_series: vm_series-1.0.9
platform-family: vm
vpn-disable-mode: off
multi-vsys: off
operational-mode: normal
When you try to test the URL against the local database you get:
test url-info-host "247fxtradeoption.com"
247fxtradeoption.com: Doesn't exist in the URL DB
And then, when you try to play with the database, e.g. revert, you get:
> request url-filtering revert
Server error : Not licensed
I am logging this with support.
However, I encourage everybody who is on version 9.0.5 or 9.0.6 to check if their PAN behaves as it should when it comes to URLs...
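A consistency check over the three CLI outputs quoted in the post above, written as an added example (not PAN-OS or Palo Alto Networks code, and not the poster's). It encodes the contradictions described here: a status screen that reports a valid licence and a good database while the local lookup and the revert command say otherwise. The healthy-case strings in the usage are constructed.

```python
"""Added example, not PAN-OS code: flag when `show url-cloud status` reports a
licensed, healthy PAN-DB but `test url-info-host` and `request url-filtering
revert` contradict it, as the post above describes."""

# Outputs copied from the post above (status lines, local lookup, revert error).
STATUS_TEXT = """\
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20200403.20289
URL database version - cloud : 20200403.20289 ( last update time 2020/04/03 20:12:17 )
URL database status : good
"""
HOST_LOOKUP_TEXT = "247fxtradeoption.com: Doesn't exist in the URL DB"
REVERT_TEXT = "Server error : Not licensed"

def parse_status(text):
    """Key/value pairs from 'show url-cloud status'; the title line has no ' : '."""
    fields = {}
    for line in text.splitlines():
        if " : " in line:
            key, value = line.split(" : ", 1)
            fields[key.strip()] = value.strip()
    return fields

def cloud_version(value):
    """'20200403.20289 ( last update time ... )' -> '20200403.20289'."""
    return value.split(" ")[0]

def url_filtering_findings(status_text, host_lookup_text, revert_text):
    """Return a list of contradictions; an empty list means the outputs agree."""
    s = parse_status(status_text)
    findings = []
    if s.get("License") == "valid" and "Not licensed" in revert_text:
        findings.append("status reports License valid but revert returned 'Not licensed'")
    if s.get("URL database status") == "good" and "Doesn't exist in the URL DB" in host_lookup_text:
        findings.append("status reports database good but local lookup found no entry for the host")
    dev = s.get("URL database version - device", "")
    cloud = cloud_version(s.get("URL database version - cloud", ""))
    if dev != cloud:
        findings.append("device database %s differs from cloud %s" % (dev, cloud))
    return findings

if __name__ == "__main__":
    for finding in url_filtering_findings(STATUS_TEXT, HOST_LOOKUP_TEXT, REVERT_TEXT):
        print("FINDING:", finding)
```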