We are have our Service Route set to use the management interface. We are on 8.0.x, not sure what version you are on. What do you see when you issue the show url-cloud status command? Ours looks like this: show url-cloud status PAN-DB URL Filtering License : valid Current cloud server : s0100.urlcloud.paloaltonetworks.com Cloud connection : connected Cloud mode : public URL database version - device : 20180815.40205 URL database version - cloud : 20180815.40205 ( last update time 2018/08/16 13:07:14 ) URL database status : good URL protocol version - device : pan/0.0.2 URL protocol version - cloud : pan/0.0.2 Protocol compatibility status : compatible You could try capturing some packets and doing some log review to troublesoot further (unless you have already done this with TAC). The process goes something like this: Set up TCPDump PCAP to capture traffic from one CLI window tcpdump filter "host xx.xx.xx.xx" (xx= ip of the external server hosting PAN-DB) From a second CLI window; Run a manual PAN-DB refresh via the CLI by " request url-filtering download paloaltonetworks region North-America " Then export the PCAP file to your workstatoin scp export mgmt-pcap from mgmt.pcap to user@analyst_workstation_ip:./ Reviewed the PCAP using wireshark looking for possible communication errors (like tls version mismatch for example) Lastly to view the local logs from the CLI, you can issue a command such as this: tail follow yes mp-log ms.log from one terminal window while re-issuing the request url-filtering download paloaltonetworks region North-America command from a second window to see if the error message there will help pin point the issue. Good luck! Hope this helps. -Lora
... View more