08-17-2022 08:22 AM
Hello -
I have a question about versioning.
Some of my HA pairs have all zeros, some have a matching versions and some a mismatch of zeros and a version. Seems to be no rhyme or reason. How can I correct this?
For example:
fw(passive)> show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2
fw(active)> show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist3.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20220817.20231
URL database version - cloud : 20220817.20231 ( last update time 2022/08/17 15:20:18 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
How do I get the passive one updated?
08-17-2022 03:39 PM
Hello @RobertShawver
I have seen the same issue.
According to documentation, if a Firewall is in HA pair only Firewalls in these roles: active, active-primary, or active-secondary will have access to PAN-DB cloud (scroll to the last point):
The Firewall that is currently passive has the last version of the PAN-DB from the time it had active role.
For the Firewall that is currently version set to: 0000.00.00.000, could you try to make it active to see it will get updated? If this does not help, could you restart management and device-server process?
Kind Regards
Pavel
08-17-2022 03:39 PM
Hello @RobertShawver
I have seen the same issue.
According to documentation, if a Firewall is in HA pair only Firewalls in these roles: active, active-primary, or active-secondary will have access to PAN-DB cloud (scroll to the last point):
The Firewall that is currently passive has the last version of the PAN-DB from the time it had active role.
For the Firewall that is currently version set to: 0000.00.00.000, could you try to make it active to see it will get updated? If this does not help, could you restart management and device-server process?
Kind Regards
Pavel
08-18-2022 04:53 AM
Hey @PavelK
Yeah, I saw that documentation. Seems a bit silly, so I was hoping there was a way to do it via CLI. There doesn't appear to be one though. Thanks for looking though!
08-23-2022 03:15 AM
Hi @RobertShawver ,
As @PavelK mentioned this is likely expected behaviour in your case. As from PAN-OS 9.0 the firewalls will no longer download a seed database for URL filtering but will instead sync with the cloud.
Passive firewalls in particular will not connect to the cloud. The Passive firewall continues to sync up with the Active firewall to keep the URL DB cache updated. Only during failover, the firewall will connect the URL Cloud DB. The new version will then be reflected.
Best,
-Kiwi.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
