Unable To Fetch External Dynamic Lists (EDL) Due To A Timeout Or Connection Error

Created On 06/03/20 01:47 AM - Last Modified 07/02/20 18:17 PM


Symptom


  • Firewall may fail to update or fetch External Dynamic Lists (EDL) due to a timeout/connection problem.
    [Screenshots: EDL refresh job; EDL timeout error]
  • "Test Source URL" is successful for the EDL object.
    GUI: Objects > External Dynamic Lists
    [Screenshot: Test URL source]


Environment


  • Palo Alto Networks firewall.
  • Any PAN-OS version.
  • External Dynamic List is configured and associated with a rule/policy on the firewall.


Cause


  • The service route for "External Dynamic Lists" is set to "Use default"; however, the service route for "Palo Alto Networks Services" is customized to use a physical (data-plane) source interface. External Dynamic Lists fall under the "Palo Alto Networks Services" service, so the customized route also applies to EDL fetches.
    GUI: Device > Setup > Services > Service Route Configuration > Customize
    [Screenshot: service route configuration]
  • This would not be a problem if a security policy/rule existed that allowed traffic from that source interface/IP to the EDL destination. In this case, however, the traffic is being denied:
    GUI: Monitor > Traffic
    [Screenshot: traffic log showing policy deny]


Resolution


Traffic from this source either needs to be allowed via a security policy, or the service route needs to be changed back to "Use default". If the latter solution is implemented, this traffic will not show up in the traffic logs (management-plane traffic is not logged).
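The troubleshooting logic above, written out as an added example (not from this KB article): work out which source address the EDL fetch will actually use given the two service routes, then scan a traffic-log export for denies of that traffic. The CSV columns and the sample log rows are constructed for the example and are not the PAN-OS log schema.

```python
"""Added example: determine the effective EDL service route and check the
traffic log for denies of EDL fetch traffic. Field names and log rows are
constructed; they are not the PAN-OS export format."""
import csv
import io
from typing import List, Optional, Set

def effective_edl_source(edl_route: Optional[str],
                         pan_services_route: Optional[str]) -> Optional[str]:
    """Return the source address EDL fetches will use.

    None stands for "Use default". EDL is a member of the "Palo Alto Networks
    Services" group, so an EDL route left at "Use default" inherits a customized
    Palo Alto Networks Services route. Only when both are default does the fetch
    leave via the management interface (None), which is not logged in Monitor > Traffic.
    """
    if edl_route is not None:
        return edl_route
    return pan_services_route

# Constructed traffic-log export: two denies of the EDL fetch, one unrelated allow.
TRAFFIC_LOG = """src,dst,dport,action,rule
10.10.1.5,203.0.113.20,443,deny,interzone-default
10.10.1.50,198.51.100.7,443,allow,outbound-web
10.10.1.5,203.0.113.20,443,deny,interzone-default
"""

def find_edl_denies(log_text: str, source_ip: str, edl_hosts: Set[str]) -> List[dict]:
    """Rows where traffic from the service-route source to an EDL host was denied."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows
            if r["src"] == source_ip and r["dst"] in edl_hosts and r["action"] == "deny"]

def diagnose(edl_route: Optional[str], pan_services_route: Optional[str],
             edl_hosts: Set[str], log_text: str) -> str:
    """Classify the EDL fetch path: management plane, denied by a rule, or policy ok."""
    src = effective_edl_source(edl_route, pan_services_route)
    if src is None:
        return "management-plane"   # default route: nothing to look for in the traffic log
    denies = find_edl_denies(log_text, src, edl_hosts)
    if denies:
        return f"denied by {denies[0]['rule']}"   # fix: allow this flow or revert the route
    return "policy-ok"

if __name__ == "__main__":
    # Scenario from the article: EDL route default, PAN services route customized to 10.10.1.5.
    print(diagnose(None, "10.10.1.5", {"203.0.113.20"}, TRAFFIC_LOG))
```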


