Problems with URL-DB (it's missing!)

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Problems with URL-DB (it's missing!)

L2 Linker

Hi!

 

We've been having on going issues after an upgrade (since downgraded) with our standby firewall - when made live it only functioned at about 10% (i.e. most legitimate traffic was blocked for one reason or another). We fixed an issue with DNS resolution - apparently the domain string being present broke DNS resolution(!), but there remains an issue with URL filtering.

 

Specifically the URL database is at version 0000.00.00.000, and it doesn't successfully fetch anything from the cloud (which of course is disruptive as we have to make it live to get it to try). The cloud fetch is currently going through a proxy server - which we can see working not only for the active firewall (which successfully gets something) and for the standby (although it doesn't seem to get anything). One suggestion is to turn off the proxy - which is something we'll likely try when a suitable 'disruptive diagnostic' window can be arranged. 

 

And whilst this needs to be fixed, I was thinking that manually installing the url-db would be helpful, but I've tried :-

 

a) Via the Panorama GUI which doesn't like /any/ of the firewalls when trying to set up a schedule for "Download and install".

b) Via the command line command request url-filtering install. But that obviously requires a copy of the url-db.

 

Is there a supported way to get hold of this url database file? And is this a sensible idea?

 

[This has been logged with TAC]

1 accepted solution

Accepted Solutions

Cyber Elite
Cyber Elite

Hello @MikeMeredith

 

this looks like expected behavior. Passive Firewall does not connect to PAN-DB. Cold you please check this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCi1CAG?

 

If you make Firewall with missing PAN-DB active (Under assumption you have valid URL filtering license) and it still does not work, you might be hitting this issue: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG

 

Lastly, "Download and Install" installs applications / threat signatures. This is unrelated to PAN-DB.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

Hello @MikeMeredith

 

this looks like expected behavior. Passive Firewall does not connect to PAN-DB. Cold you please check this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCi1CAG?

 

If you make Firewall with missing PAN-DB active (Under assumption you have valid URL filtering license) and it still does not work, you might be hitting this issue: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG

 

Lastly, "Download and Install" installs applications / threat signatures. This is unrelated to PAN-DB.

 

Kind Regards

Pavel

Help the community: Like helpful comments and mark solutions.

L2 Linker

Hi!

 

Wanted to wait until this morning (after doing the relevant to make it work) :-

If you apply url filtering to outgoing web traffic from servers you might want to make sure you aren't blocking "not-resolved" because all traffic is resolved as "not-resolved" if you don't have a URL database downloaded. Which results in the URL database download being blocked 🙂


Allowing "not-resolved", and making the misbehaving firewall active resulted in the database being downloaded successfully before we had a chance to login to check. 

All is good again!

  • 1 accepted solution
  • 1207 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!