PAN-DB seed download PAN-OS version 9.0

L1 Bithead

Hi there,

I have a strange problem where, according to this article

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/troubleshoot-url-filtering/p...

and/or this article

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClQvCAK

I should be able to SSH to my PAN-OS 9.0.x and execute these commands; however, neither command works:

request url-filtering download paloaltonetworks region <region_name>

request url-filtering download status vendor paloaltonetworks

The only available option for me after "download" is "status"; there is no option for me to select "paloaltonetworks".

However, under the license it shows just fine, and show url-cloud status shows fine too.

> show url-cloud status

 

PAN-DB URL Filtering

License :                          valid                                   

Current cloud server :             serverlist.urlcloud.paloaltonetworks.com

Cloud connection :                 connected                               

Cloud mode :                       public                                  

URL database version - device :    20200402.20254                          

URL database version - cloud :     20200402.20254  ( last update time 2020/04/02 17:52:28 )

URL database status :              good                                    

URL protocol version - device :    pan/2.0.0                               

URL protocol version - cloud :     pan/2.0.0                               

Protocol compatibility status :    compatible             

There has been a security incident where the URL was categorised as malware, yet the URL is being allowed through the firewall, as it continues to show as stock-advice-and-tools.

My question to the community is:

How do I request a seed database download, because clearly the commands have changed or something got corrupted?

Please note, the same thing happened on both firewalls, which belong to two different clients running two different versions of software: one is 9.0.6 and one is 9.0.5.

Looking forward to hearing from you,

Kind regards

L7 Applicator

Looks like those commands were deprecated.

Try this one:

> request url-filtering upgrade

If you check the URL that was changed, was there already 'steady' traffic to it before it was recategorized? You may have had the URL categorized in cache and steady connections refreshing that cache.

Tom Piens - PANgurus.com
Find my book at amazon.com/dp/1789956374
L1 Bithead

So I run request url-filtering upgrade, and the only option after that is brightcloud.

It doesn't list paloaltonetworks as an option.

As far as the URL goes, there was no steady traffic. It was a phishing link that was clicked once at approx. 13:00, and then I clicked on it later myself at 17:00 to see if it had taken effect.

The link continues to work, the firewall is not blocking a known malicious link, and I can't trigger a PAN-DB download in any of the ways that I can on PAN-OS 8.1 or 7.1.

Only the two firewalls on version 9.0.x are affected.
L1 Bithead

There have been further findings...

When I run

test url-info-cloud "247fxtradeoption.com"

BM:

247fxtradeoption.com,9,5,stock-advice-and-tools,low-risk

247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=bwfyay5hbwvybhluy2tay2fzywnjb3vudgfudhmuawu=,9,6,malware

so it appears that they categorised the exact URL as malware, but not the main domain.

Yet each time you click on the link in the phishing email, it seems to generate a unique, BASE64-looking string!

Each time I look at the firewall logs, it shows only 247fxtradeoption.com/, that's it.
Yet the browser shows the long string, which is different each time you click on it (very smart, by the way).

Lastly, according to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG

Additional Information
The below commands do not work on OS 9.0.x but will work on prior OS versions:

request url-filtering download paloaltonetworks region <region_name>

request url-filtering download status vendor paloaltonetworks
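An added example, not from the thread or from Palo Alto Networks: it parses the test url-info-cloud output quoted above and resolves a URL's category by longest match, showing why each freshly generated link (new path and query string) falls back to the benign domain-level category while only the one exact URL resolves to malware. The field layout (entry,n,n,category[,risk]) is assumed from the two sample lines.

```python
from urllib.parse import urlsplit

# Constructed sample: the two BM lines quoted in the post above.
SAMPLE_OUTPUT = """BM:
247fxtradeoption.com,9,5,stock-advice-and-tools,low-risk
247fxtradeoption.com/4ee3f0492290c6f29384ec280a7bd715?usq=bwfyay5hbwvybhluy2tay2fzywnjb3vudgfudhmuawu=,9,6,malware
"""


def canonical(url):
    """Drop the scheme and lower-case the host: 'https://Host/p?q' -> 'host/p?q'."""
    parts = urlsplit(url if "://" in url else "//" + url)
    out = parts.netloc.lower() + parts.path
    return out + ("?" + parts.query if parts.query else "")


def parse_url_info_cloud(text):
    """Map each entry of 'test url-info-cloud' output to its category.
    Assumed field layout: entry,n,n,category[,risk]; the 'BM:' header
    and blank lines have fewer than four fields and are skipped."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(",")
        if len(fields) < 4:
            continue
        entries[canonical(fields[0])] = fields[3]
    return entries


def effective_category(url, entries):
    """Longest-match lookup: an exact URL entry beats its bare-domain entry,
    and a domain entry covers every path beneath it. Returns None if no
    entry matches at all."""
    target = canonical(url)
    best = None
    for entry in entries:
        if target == entry or target.startswith(entry + "/"):
            if best is None or len(entry) > len(best):
                best = entry
    return entries[best] if best else None


ENTRIES = parse_url_info_cloud(SAMPLE_OUTPUT)

if __name__ == "__main__":
    # A per-click link with a constructed query string never equals the
    # one malware entry, so it inherits the domain's benign category.
    for u in ("247fxtradeoption.com/", "247fxtradeoption.com/0000?usq=constructed"):
        print(u, "->", effective_category(u, ENTRIES))
```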

L1 Bithead

I truly believe there are a lot of PAN 9.0.x instances that provide a sense of security but whose URL filtering is actually somehow broken.

My personal experience, based on two firewalls that exhibit the same characteristics, tells me that something has gone wrong with the license.

Although the command show url-cloud status shows VALID,

 

PAN-DB URL Filtering

License :                          valid                                   

Current cloud server :             serverlist.urlcloud.paloaltonetworks.com

Cloud connection :                 connected                               

Cloud mode :                       public                                  

URL database version - device :    20200403.20289                          

URL database version - cloud :     20200403.20289  ( last update time 2020/04/03 20:12:17 )

URL database status :              good                                    

URL protocol version - device :    pan/2.0.0                               

URL protocol version - cloud :     pan/2.0.0                               

Protocol compatibility status :    compatible         

 

and show system info shows things such as: 

 

url-db: paloaltonetworks

wildfire-version: 442082-444992

wildfire-release-date: 2020/04/03 20:10:57 IST

url-filtering-version: 20200403.20289

global-protect-datafile-version: unknown

global-protect-datafile-release-date: unknown

global-protect-clientless-vpn-version: 0

global-protect-clientless-vpn-release-date:

logdb-version: 9.0.10

vm_series: vm_series-1.0.9

platform-family: vm

vpn-disable-mode: off

multi-vsys: off

operational-mode: normal

 

 

 

when you try to test the URL against the local database you get:

test url-info-host "247fxtradeoption.com"

247fxtradeoption.com: Doesn't exist in the URL DB

and then, when you try to work with the database, e.g. revert, you get:

 

> request url-filtering revert

 

Server error : Not licensed

 

 

I have logged this with support.

However, I encourage everybody who is on version 9.0.5 or 9.0.6 to check whether their PAN behaves as it should when it comes to URLs...

 
