Palo Alto Networks Knowledgebase: DotW: URL Filtering Updates Force Updating the HA Peer

DotW: URL Filtering Updates Force Updating the HA Peer

Created On 02/08/19 00:00 AM - Last Updated 02/08/19 00:00 AM
Device Management Initial Configuration Installation QoS Zone and DoS Protection


For this week's "Discussion of the Week", I will be highlighting the following thread:

PA URL FILTERING UPDATES force to update the HA peer


In this discussion, user 'COS' is asking why the passive HA member's PAN-DB URL filtering update does not show a newer update version.


Many users offer their assistance and Steven Puluka contributed the following link to the discussion:

Is Content Database Sync Recommended in an HA Environment?


In the document referenced above, it does not recommend the "sync to peer" feature in case there is an update that is released that causes issues. If the "sync to peer" feature is chosen then both HA members will get the problematic update. The document referenced recommends to stagger the updates so that only one member has the latest update in the event you need to switch members, if there is a problem with an update.


User 'dyang' updated the discussion with the following response:


"In an HA Active/Passive scenario with PAN-DB, only the active device will connect to the PAN-DB cloud. When it does connect to the cloud, it will also update the database version number to indicate that it has synced with the latest version in the cloud. Additionally, the MP cache is backed up every four hours, as well as anytime the device is about to restart or anytime a backup is generated that is synced to the passive device. Once this happens, the backup is then loaded into the MP cache of the passive device, which also updates the passive device's URL filtering database version number (go to Monitor > System Logs to verify). At this point, if the passive device becomes active, it will have a populated MP cache that is at most four hours out of sync with the original active device."


If a customer calls support for this issue, they will get the same information as 'dyang' wrote above.


The discussion also states that "Update to PAN-OS 6.1.3 fixed that problem." After further research, I was unable to confirm if this has happened yet by looking at the release notes for 6.1.3 and 6.1.4.


Thanks for reading.


Joe Delio

  • Print
  • Copy Link

Choose Language