We have a couple of PA devices configured in HA mode. I just want to ask if it is normal that only the active firewall gets the URL filtering incremental updates, e.g. FW-01 (active firewall) gets updated to version 2005.12.811 and FW-02 gets stuck at version 2005.12.000?
Hello Nelson A,
What is the PAN OS version running on your firewall...?
Have you seen any error/warning messages on SYSTEM logs..?
The Active device will not regularly sync the cache over to the Passive. Since the Passive device is not getting any traffic, it will also not do any cloud lookups on its own for URLs. Every 8 hrs or so, the Active device will make a backup of its MP cache, and that will get synced to the Passive device. If you use the CLI command on the Passive device to download a seed database, it will do that as well. So, basically, when the Passive becomes active and does a URL lookup, it will then update its version too.
This is correct. If you are in an Active/Passive mode, only the Active device will do cloud lookups. The Passive device will not do this unless it becomes active. As HULK mentioned, however, we do periodically back up the MP cache on the Active device and sync it to the Passive. When this happens, you should see the version number on the Passive device increment. There was a bug regarding the version number not updating, but that should be fixed with PAN-OS 6.0.1.
Hope this helps,
Thank you for the prompt reply. I forgot to mention that we are using PAN OS version 5.0.11, 5.0.8 and 5.0.6 and we don't have a license for BrightCloud. But does this behavior still hold true for the PAN-DB updates? Another thing that I noticed is that URL DB versions do not show up in real time in the Panorama > Managed Devices interface. But when checked at the FW Dashboard it is updated to the latest version available. All other update versions are synchronized in Panorama except for the URL filtering DB version. Thanks again for your help.
My explanation above was specific to PAN-DB. With BrightCloud, we do not sync anything - both the active and passive devices need to be set up to download BrightCloud updates.