02-24-2023 06:16 AM
Hi!
We've been having ongoing issues after an upgrade (since downgraded) with our standby firewall - when made live it only functioned at about 10% (i.e. most legitimate traffic was blocked for one reason or another). We fixed an issue with DNS resolution - apparently the domain string being present broke DNS resolution(!), but there remains an issue with URL filtering.
Specifically the URL database is at version 0000.00.00.000, and it doesn't successfully fetch anything from the cloud (which of course is disruptive as we have to make it live to get it to try). The cloud fetch is currently going through a proxy server - which we can see working not only for the active firewall (which successfully gets something) and for the standby (although it doesn't seem to get anything). One suggestion is to turn off the proxy - which is something we'll likely try when a suitable 'disruptive diagnostic' window can be arranged.
And whilst this needs to be fixed, I was thinking that manually installing the url-db would be helpful, but I've tried :-
a) Via the Panorama GUI which doesn't like /any/ of the firewalls when trying to set up a schedule for "Download and install".
b) Via the command line command request url-filtering install. But that obviously requires a copy of the url-db.
Is there a supported way to get hold of this url database file? And is this a sensible idea?
[This has been logged with TAC]
02-24-2023 01:01 PM
Hello @MikeMeredith
This looks like expected behavior. Passive Firewall does not connect to PAN-DB. Could you please check this KB: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCi1CAG?
If you make Firewall with missing PAN-DB active (Under assumption you have valid URL filtering license) and it still does not work, you might be hitting this issue: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNx4CAG
Lastly, "Download and Install" installs applications / threat signatures. This is unrelated to PAN-DB.
Kind Regards
Pavel
02-28-2023 01:19 AM
Hi!
Wanted to wait until this morning (after doing the relevant to make it work) :-
If you apply url filtering to outgoing web traffic from servers you might want to make sure you aren't blocking "not-resolved" because all traffic is resolved as "not-resolved" if you don't have a URL database downloaded. Which results in the URL database download being blocked 🙂
Allowing "not-resolved", and making the misbehaving firewall active resulted in the database being downloaded successfully before we had a chance to log in to check.
All is good again!
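
The check described in the last post, as an added example that is not part of the original thread: a Python script that scans URL filtering profiles in configuration XML and reports which action each one applies to "not-resolved", flagging the profiles that block it. The XML layout, the profile names and the function names are constructed for illustration and are assumed to resemble an exported firewall configuration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; the element layout is an assumption about how
# URL filtering profiles appear in an exported configuration.
SAMPLE_CONFIG = """
<config>
  <profiles>
    <url-filtering>
      <entry name="servers-outbound">
        <block>
          <member>malware</member>
          <member>not-resolved</member>
        </block>
        <alert><member>unknown</member></alert>
      </entry>
      <entry name="users-outbound">
        <block><member>malware</member></block>
        <alert><member>not-resolved</member></alert>
      </entry>
    </url-filtering>
  </profiles>
</config>
"""

# Per-category action lists looked for inside each profile (assumed names).
ACTIONS = ("allow", "alert", "continue", "override", "block")


def not_resolved_actions(config_xml, category="not-resolved"):
    """Map each URL filtering profile name to the action listing `category`."""
    root = ET.fromstring(config_xml)
    result = {}
    for entry in root.findall(".//url-filtering/entry"):
        result[entry.get("name")] = None  # category not listed in this profile
        for action in ACTIONS:
            members = [m.text.strip() for m in entry.findall(f"{action}/member") if m.text]
            if category in members:
                result[entry.get("name")] = action
    return result


def profiles_blocking_not_resolved(config_xml):
    """Profiles that would block all traffic while no URL database is loaded."""
    actions = not_resolved_actions(config_xml)
    return sorted(name for name, action in actions.items() if action == "block")


if __name__ == "__main__":
    for name in profiles_blocking_not_resolved(SAMPLE_CONFIG):
        print(f"{name}: blocks not-resolved; URL database download may be blocked")
```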