The firewall is running 9.1.4 (5250). The mgmt interface does not have general internet access so service routes have been configured for the following to use the external interface (internet connected):
Palo Alto Networks Services
Policy is created to allow outbound traffic to the internet sourced from the external IP (NAT in place as well).
NTP is working
NTP synched to 1.us.pool.ntp.org
NTP server: 0.us.pool.ntp.org
NTP server: 1.us.pool.ntp.org
Support check is good
Click the contact link at right.
May 30, 2021
24 x 7 phone support; advanced replacement hardware service
but URL DB is not being updated
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2
Hi @jlieberman ,
You need to download the initial seed file for the PAN-DB.I believe you are missing the second step from this document
When URL filtering is enabled firewall will evaluate the URL that is passing through it, as you can imagine the are so many urls that FW cannot store information for all of them. That is why it will contact Palo Alto cloud and ask for evaluation, when reply is received the firewall will cache it and if it needs to check the category for the same url it will use the cached value instead of asking the cloud again (saving time and resources). The initial seed file is basically pre-build cache file with most visited address for given region. So in order to enable the engine it needs to have this initial cache file. As mentioned the seed file contains of trending address for given region, and Palo Alto is updating this information periodically, that is why fw will periodically download newer version of this file.
It is recommended to select the relevant region for which your firewall is located, this will ensure that more of the urls that you need to evaluate are already in the cache
@AlexanderAstardzhiev Thank you for the prompt reply but that seed file is a thing of the past and no longer used in PANOS 9.0 and later.
The below commands do not work on OS 9.0.x but will work on prior OS versions and will fix the Pan-DB 0000.00.00.000 issue:
> request url-filtering download paloaltonetworks region <region_name> > request url-filtering download status vendor paloaltonetworks
Thanks @jlieberman ,
I was not aware of this change, I will have it in mind.
The only other reason I have experience is if the firewall is in active-passive HA and the secondary member is not able to connect to the cloud via the service route as it doesn't have running routing engine.
Have you tried to confirm to run some captures to confirm bi-directional connectivity to the cloud?
First check with capture that you see DNS requests and replies. Based on the DNS reply run capture with returned cloud ip and check what traffic is generated. Most probably it will be SSL but at least you can confirm that you have basic TCP connectivity.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!