10-10-2011 03:08 PM
So title says it all. I have a client with twin 4050s running in an active-passive cluster, that we have recently enabled URL filtering on.
Annoyingly, there is no sync that we can see between the active and passive for the URL database, from initial activation through to the dynamic updates.
We have to bounce the pair to bring the passive up as active, so it would detect its license and download the database, and then revert back to what we want as the primary system.
However it now appears that the active doesn't have a setting to sync its URL database with the passive to keep it current either.
Any ideas on whether this is the case, and/or how to get around it?
We are not using Panorama for this client, but if we were in the future, would that resolve this issue?
10-10-2011 04:53 PM
There's no sync-to-peer option for URL filtering. I assume that both units are licensed individually for URL filtering? Does the passive's mgmt interface not have access to the updates server directly?
10-10-2011 06:36 PM
Both appliances are licensed, but the management interfaces for both are on a locked-down IT-only network.
So the updates are occurring via another active interface, which isn't active on the passive appliance.
As there is no available peer sync, can I do this manually? And if not, what is the overall effect on URL checking performance when the backup pair comes online and is so out of date on its local database that it has to use dynamic lookup?
10-10-2011 07:21 PM
You cannot do a manual update of the BrightCloud DB.
If you cannot change the security policy to allow the management interface of your PA Network devices to request software, AV, URL and app/threat updates, then my suggestion would be that a URL DB update would be advisable if you have an HA failover. You can do this easily via the command line:
request url-filtering upgrade brightcloud
Generally speaking, I advise people to allow update traffic outbound from the management interface to the Palo Alto Networks and BrightCloud update servers. The risk this represents to the network is typically lower than having to rely upon human intervention to update the device after an HA failover.
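Because the URL database is not synced between HA peers, the passive unit can silently fall behind and only be noticed after a failover. The following added example (not from the thread or from Palo Alto Networks) shows a small drift check a defender can schedule: it reads the url-filtering-version field from each peer's "show system info" output and flags a mismatch so the update command above can be run before a failover happens. It assumes the PAN-OS XML API operational-command endpoint (type=op with a show/system/info command) and an API key; the two XML responses embedded below are constructed sample data so the check runs offline.

```python
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample responses, shaped like the XML the "show system info"
# operational command returns. Only the fields this check uses are included.
SAMPLE_ACTIVE = """<response status="success"><result><system>
  <hostname>fw-active</hostname>
  <url-filtering-version>3847</url-filtering-version>
  <app-version>263-1112</app-version>
</system></result></response>"""

SAMPLE_PASSIVE = """<response status="success"><result><system>
  <hostname>fw-passive</hostname>
  <url-filtering-version>3710</url-filtering-version>
  <app-version>263-1112</app-version>
</system></result></response>"""


def parse_versions(xml_text):
    """Return {hostname, url-filtering-version, app-version} from a show-system-info response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call did not succeed: %s" % root.get("status"))
    system = root.find("./result/system")
    if system is None:
        raise RuntimeError("no <system> element in response")
    return {
        "hostname": system.findtext("hostname", default="?"),
        "url-filtering-version": system.findtext("url-filtering-version", default="unknown"),
        "app-version": system.findtext("app-version", default="unknown"),
    }


def check_drift(active_xml, passive_xml):
    """Compare the URL DB version on both peers; return (in_sync, report)."""
    a = parse_versions(active_xml)
    p = parse_versions(passive_xml)
    in_sync = a["url-filtering-version"] == p["url-filtering-version"]
    report = "%s url-db=%s | %s url-db=%s -> %s" % (
        a["hostname"], a["url-filtering-version"],
        p["hostname"], p["url-filtering-version"],
        "in sync" if in_sync else "DRIFT: run 'request url-filtering upgrade brightcloud' on the passive",
    )
    return in_sync, report


def fetch_system_info(host, api_key, verify_tls=True):
    """Assumed fetch against the PAN-OS XML API op endpoint; not exercised offline."""
    cmd = "<show><system><info></info></system></show>"
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": api_key})
    url = "https://%s/api/?%s" % (host, query)
    ctx = ssl.create_default_context()
    if not verify_tls:  # only for lab use with self-signed management certs
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # Offline demonstration on the constructed samples. For a real pair, replace with
    # fetch_system_info("<active-mgmt-ip>", "<api-key>") and the passive equivalent.
    ok, text = check_drift(SAMPLE_ACTIVE, SAMPLE_PASSIVE)
    print(text)
```

Run it from a host on the IT management network that can reach both management interfaces; a non-zero difference is the signal that the passive would come up with a stale local database and fall back to cloud lookups after a failover.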
10-10-2011 07:59 PM
The IT network, used for management of all critical systems, will not have any external access, neither inbound nor outbound.
What I really need is for the pair to sync all data, not just parts of it.