Unable To Fetch External Dynamic Lists (EDL) Due To A Timeout Or Connection Error
74894
Created On 06/03/20 01:47 AM - Last Modified 07/02/20 18:17 PM
Symptom
- The firewall may fail to fetch or refresh an External Dynamic List (EDL), reporting a timeout or connection error.
- "Test Source URL" for the same EDL object nonetheless succeeds.
GUI: Objects > External Dynamic Lists:
Environment
- Palo Alto Firewall.
- Any PAN-OS
- External Dynamic List is configured and associated with a rule/policy on the firewall.
Cause
- The service route for "External Dynamic Lists" is left at "Use default", while the service route for "Palo Alto Networks Services" has been customized to use a physical source interface. EDL fetches are treated as a "Palo Alto Networks Services" service, so they inherit that customized route and leave through the physical interface instead of the management interface.
GUI: Device > Setup > Services > Service Route Configuration > Customize:
- This would not be a problem if a security policy existed that allowed traffic from that source interface/IP to the EDL destination. In this case, however, no such policy exists and the traffic is denied:
GUI: Monitor > Traffic:
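The following script, an added example that is not part of this article or of any Palo Alto Networks product, resolves which route an EDL fetch would actually take from a service-route configuration and flags the inheritance described above. The XML layout, the service entry names ("paloalto-networks-services", "external-dynamic-lists", "dns") and the sample snippets are assumptions constructed for the example; check them against the firewall's own configuration before using this against real exports.

```python
"""Audit a PAN-OS style service-route configuration for the EDL inheritance pitfall.

Added example, not Palo Alto Networks code. Entry names and XML shape are assumed.
"""
import xml.etree.ElementTree as ET

# Constructed sample of a <service> subtree: "Palo Alto Networks Services" and DNS are
# customized to a physical interface; "External Dynamic Lists" has no entry ("Use default").
SAMPLE_CONFIG = """
<service>
  <entry name="paloalto-networks-services">
    <source><interface>ethernet1/1</interface><address>10.1.1.5/24</address></source>
  </entry>
  <entry name="dns">
    <source><interface>ethernet1/1</interface><address>10.1.1.5/24</address></source>
  </entry>
</service>
"""

# Constructed sample after applying the article's second fix: the
# "Palo Alto Networks Services" route is back on "Use default" (entry removed).
FIXED_CONFIG = """
<service>
  <entry name="dns">
    <source><interface>ethernet1/1</interface><address>10.1.1.5/24</address></source>
  </entry>
</service>
"""

PAN_SERVICES = "paloalto-networks-services"          # assumed entry name
EDL_SERVICE = "external-dynamic-lists"               # assumed entry name
INHERITS_FROM_PAN_SERVICES = {EDL_SERVICE}           # EDL inherits the PAN services route


def parse_service_routes(xml_text):
    """Map each customized service name to its source interface/address."""
    root = ET.fromstring(xml_text)
    routes = {}
    for entry in root.findall("entry"):
        src = entry.find("source")
        routes[entry.get("name")] = {
            "interface": src.findtext("interface") if src is not None else None,
            "address": src.findtext("address") if src is not None else None,
        }
    return routes


def effective_route(routes, service):
    """Return (source_interface, origin).

    origin is "explicit" (own entry), "inherited" (falls under PAN services)
    or "default" (management interface; interface is None).
    """
    if service in routes:
        return routes[service]["interface"], "explicit"
    if service in INHERITS_FROM_PAN_SERVICES and PAN_SERVICES in routes:
        return routes[PAN_SERVICES]["interface"], "inherited"
    return None, "default"


def audit(xml_text):
    """Return findings for EDL fetches that leave via a physical interface."""
    routes = parse_service_routes(xml_text)
    iface, origin = effective_route(routes, EDL_SERVICE)
    findings = []
    if iface is not None:
        how = ("inherited from 'Palo Alto Networks Services'" if origin == "inherited"
               else "set explicitly")
        findings.append(
            f"EDL fetches egress via {iface} ({how}); a security policy must allow "
            f"them to the EDL source, otherwise the refresh is denied")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before fix", SAMPLE_CONFIG), ("after fix", FIXED_CONFIG)):
        print(label, audit(cfg) or ["no EDL service-route finding"])
```

Run it as-is to see the finding for the constructed "before" configuration and a clean result for the "after" one; to audit a real device, replace the sample strings with the service-route subtree exported from the firewall.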
Resolution
Either allow traffic from this source with a security policy, or change the "Palo Alto Networks Services" service route back to "Use default." With the latter, the EDL fetches no longer appear in the traffic logs, because management-plane traffic is not logged.