URL Filtering Version

cancel
Showing results for 
Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

URL Filtering Version

L4 Transporter

Hello -

I have a question about versioning.

 

Some of my HA pairs have all zeros, some have a matching versions and some a mismatch of zeros and a version. Seems to be no rhyme or reason.  How can I correct this?

 

For example:

fw(passive)> show url-cloud status

PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2

 

fw(active)> show url-cloud status

PAN-DB URL Filtering
License : valid
Current cloud server : serverlist3.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20220817.20231
URL database version - cloud : 20220817.20231 ( last update time 2022/08/17 15:20:18 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible

 

How do I get the passive one updated?

 

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @RobertShawver

 

I have seen the same issue.

 

According to documentation, if a Firewall is in HA pair only Firewalls in these roles:  active, active-primary, or active-secondary will have access to PAN-DB cloud (scroll to the last point):

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/troubleshoot-url-filtering/...

 

The Firewall that is currently passive has the last version of the PAN-DB from the time it had active role.

 

For the Firewall that is currently version set to: 0000.00.00.000, could you try to make it active to see it will get updated? If this does not help, could you restart management and device-server process?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hello @RobertShawver

 

I have seen the same issue.

 

According to documentation, if a Firewall is in HA pair only Firewalls in these roles:  active, active-primary, or active-secondary will have access to PAN-DB cloud (scroll to the last point):

 

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/troubleshoot-url-filtering/...

 

The Firewall that is currently passive has the last version of the PAN-DB from the time it had active role.

 

For the Firewall that is currently version set to: 0000.00.00.000, could you try to make it active to see it will get updated? If this does not help, could you restart management and device-server process?

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

Hey @PavelK 

Yeah, I saw that documentation. Seems a bit silly, so I was hoping there was a way to do it via CLI.  There doesn't appear to be one though.  Thanks for looking though!

Community Team Member

Hi @RobertShawver ,

 

As @PavelK mentioned this is likely expected behaviour in your case.  As from PAN-OS 9.0 the firewalls will no longer download a seed database for URL filtering but will instead sync with the cloud. 

 

Passive firewalls in particular will not connect to the cloud. The Passive firewall continues to sync up with the Active firewall to keep the URL DB cache updated. Only during failover, the firewall will connect the URL Cloud DB. The new version will then be reflected. 

 

Best,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Don't forget to hit that Like button if a post is helpful to you!
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!