URL Sync to Peer for Active-Passive Cluster
cancel
Showing results for 
Search instead for 
Did you mean: 

URL Sync to Peer for Active-Passive Cluster

L3 Networker

Hi All,

So title says it all. I have a client with twin 4050's running in an active-passive cluster, that we have recently enabled

URL filtering on.

Annoyingly, there is no sync that we can see between the active and passive for the URL database, from initial activation,

through to the dynamic updates.

We have to bounce the pair to bring the passive as active, so it would detect its license, and download the database,

and then revert back to what we want as the primary system.

However it now appears that the active doesn't have a setting to sync its URL database with the passive to keep it current either.

Any idea's on if this is the case, and/or how to get around it.

We are not using Panorama for this client, but if we were in the future, would that resolve this issue?

5 REPLIES 5

L6 Presenter

There's no sync-to-peer option for url filtering. I assume that both units licensed individually for url filtering? Does the Passive's mgmt interface not have access to the updates server directly?

Both appliances are licensed, but the management interfaces for both are on a locked down IT only network.

So the updates are occuring by another active interface, which isn't active on the passive appliance.

As there is no available peer sync, can I do this manually? And if not, what is the overall effect on URL checking performance

when the backup pair comes online and is so out of date on its local database that it has to use Dynamic lookup?

@KatanaNZ:

You cannot do a manual update of the Brightcloud DB.

If you cannot change the security policy to allow the management interface of your PA Network devices to request software, AV, URL and app/threat updates, then my suggestion would be that a URL db update would be advisable if you have an HA failover. You can do this easily via the command line:

request url-filtering upgrade brightcloud

Generally speaking I advise people to allow update traffic outbound from management interface to the Palo Alto Networks and Brightcloud update servers. The risk this represents to the network is typically lower than having to rely upon human intervention to update the device after an HA failover.

-Benjamin

The IT Network, used for management of all critical systems, will not have any external access, neither inbound or outbound.

What I really need, is for the pairs to sync all data, not just parts of it.

@KatanaNZ:

in that case it would seem that you should file a feature request with your sales team.

And maybe a weekly failover and update URL database for the secondary unit would be something to add to your regularly scheduled change/maintenance window? Just an idea to keep things more in-sync than waiting for an outage to cause a failover.

-Benjamin

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!