Symptoms
The BrightCloud URL database download failed, and pan_bc_download.log showed the following errors:
>tail follow yes mp-log pan_bc_download.log
Jul 19 01:55:28 ip 64.87.3.54 message RT time 0.079
Jul 19 01:55:28 ip 94.236.25.159 message RT time 0.120
Jul 19 01:55:35 Best IP for service.brightcloud.com is 64.87.3.54
Jul 19 01:55:37 Connected to Brightcloud update server service.brightcloud.com
Jul 19 01:55:45 Cannot receive data from 'service.brightcloud.com:80' to download BrightCloud URL database
Jul 19 01:55:45 Error downloading latest URL database
Jul 19 08:51:25 Error: dtMessageTime(bcnet.cpp:249): failed connect to 94.236.25.159 on 80
Jul 19 08:51:30 Error: dtMessageTime(bcnet.cpp:249): failed connect to 208.87.136.156 on 80
Jul 19 08:51:35 Error: dtMessageTime(bcnet.cpp:249): failed connect to 64.87.3.54 on 80
Jul 19 08:51:35 Best IP for service.brightcloud.com is 0.0.0.0
Jul 19 08:51:37 Error: Brightcloud update server 'service.brightcloud.com' is down!
Jul 19 08:51:37 Error downloading latest URL database
Issue
- Pinging the update server from the firewall worked.
- Service routes are configured to source the update traffic from an interface in the Trust zone, and security rules allow that traffic outbound on ports 80 and 443.
- Connectivity was confirmed with a telnet from the firewall to the update servers on ports 80 and 443.
- The update sessions were still being discarded.
Running show counter global showed that these connections were matching a captive-portal rule. Because the service route sends the firewall's own update traffic through the dataplane from the Trust zone, it is evaluated against the captive-portal policy like any other user HTTP session.
Resolution
The firewall cannot respond to a captive-portal authentication challenge, so a captive-portal rule with action no-captive-portal was added for traffic from the service-route source address to the update servers, placed above the rule that triggers authentication. With that rule in place the update traffic bypasses captive portal and reaches the update servers directly.
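The following script is an added example, not part of the original KB article or of PAN-OS. It splits an excerpt of pan_bc_download.log into download attempts, labels each one as "TCP connect failed" (the failed connect / Best IP 0.0.0.0 pattern) or "connected but no payload" (the handshake succeeded and the HTTP body never arrived, which is what mid-path interception such as the captive-portal redirect in this article looks like), and collects every update-server IP the log mentions so the no-captive-portal rule's destination covers all of them, not just the one "Best IP" chosen on a given run. The sample log is the article's excerpt embedded as constructed input; the set-command syntax in no_captive_portal_rule is an assumed pre-8.0 captive-portal rulebase form and should be checked against your PAN-OS release before committing.

```python
"""Triage pan_bc_download.log and derive the destinations a no-captive-portal rule needs."""
import re

# Constructed sample: the log excerpt from the Symptoms section, embedded so this runs offline.
SAMPLE_LOG = """\
Jul 19 01:55:28 ip 64.87.3.54 message RT time 0.079
Jul 19 01:55:28 ip 94.236.25.159 message RT time 0.120
Jul 19 01:55:35 Best IP for service.brightcloud.com is 64.87.3.54
Jul 19 01:55:37 Connected to Brightcloud update server service.brightcloud.com
Jul 19 01:55:45 Cannot receive data from 'service.brightcloud.com:80' to download BrightCloud URL database
Jul 19 01:55:45 Error downloading latest URL database
Jul 19 08:51:25 Error: dtMessageTime(bcnet.cpp:249): failed connect to 94.236.25.159 on 80
Jul 19 08:51:30 Error: dtMessageTime(bcnet.cpp:249): failed connect to 208.87.136.156 on 80
Jul 19 08:51:35 Error: dtMessageTime(bcnet.cpp:249): failed connect to 64.87.3.54 on 80
Jul 19 08:51:35 Best IP for service.brightcloud.com is 0.0.0.0
Jul 19 08:51:37 Error: Brightcloud update server 'service.brightcloud.com' is down!
Jul 19 08:51:37 Error downloading latest URL database
"""

TS_RE = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<msg>.*)$")
IP = r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
# (event name, pattern). Order matters only for readability; each line matches at most one.
EVENTS = [
    ("rtt_probe",    re.compile(r"^ip " + IP + r" message RT time")),
    ("best_ip",      re.compile(r"^Best IP for \S+ is " + IP)),
    ("connected",    re.compile(r"^Connected to Brightcloud update server")),
    ("no_data",      re.compile(r"^Cannot receive data from")),
    ("connect_fail", re.compile(r"failed connect to " + IP + r" on \d+")),
    ("server_down",  re.compile(r"is down!$")),
    ("attempt_end",  re.compile(r"^Error downloading latest URL database$")),
]


def parse_events(log_text):
    """Yield (event, ip_or_None) for each recognised line; unrecognised lines are skipped."""
    for raw in log_text.splitlines():
        m = TS_RE.match(raw)
        if not m:
            continue
        for name, pat in EVENTS:
            hit = pat.search(m.group("msg"))
            if hit:
                yield name, hit.groupdict().get("ip")
                break


def _label(attempt):
    ev = attempt["events"]
    if "connect_fail" in ev or "server_down" in ev:
        # SYN never answered: egress routing, DNS selection, or a policy drop before the handshake.
        verdict = "tcp_connect_failed"
    elif "connected" in ev and "no_data" in ev:
        # Handshake completed but no HTTP body: consistent with something answering the
        # session on the firewall's behalf (the captive-portal redirect in this article,
        # but a proxy or post-handshake drop gives the same symptom).
        verdict = "connected_no_payload"
    else:
        verdict = "unknown"
    return {"verdict": verdict, "servers": sorted(attempt["servers"])}


def classify_attempts(log_text):
    """Split the log into download attempts (each ends at 'Error downloading ...') and label each."""
    attempts, cur = [], {"events": [], "servers": set()}
    for name, ip in parse_events(log_text):
        cur["events"].append(name)
        if ip and ip != "0.0.0.0":          # 0.0.0.0 means no usable server was selected
            cur["servers"].add(ip)
        if name == "attempt_end":
            attempts.append(_label(cur))
            cur = {"events": [], "servers": set()}
    return attempts


def update_servers(log_text):
    """Union of every update-server IP seen: the bypass rule must cover all of them."""
    return sorted({ip for a in classify_attempts(log_text) for ip in a["servers"]})


def no_captive_portal_rule(name, from_zone, to_zone, src_ip, dst_ips):
    """ASSUMED pre-8.0 captive-portal rulebase set-command syntax; verify before use.
    src_ip is the service-route source address, dst_ips the update-server addresses."""
    base = f"set rulebase captive-portal rules {name}"
    return [
        f"{base} from {from_zone}",
        f"{base} to {to_zone}",
        f"{base} source {src_ip}",
        f"{base} destination [ {' '.join(dst_ips)} ]",
        f"{base} service service-http",
        f"{base} action no-captive-portal",
    ]


if __name__ == "__main__":
    for i, a in enumerate(classify_attempts(SAMPLE_LOG), 1):
        print(f"attempt {i}: {a['verdict']} servers={a['servers']}")
    # Zone names and 10.1.1.1 are placeholders for the hypothetical service-route source.
    print("\n".join(no_captive_portal_rule("allow-bc-updates", "trust", "untrust",
                                           "10.1.1.1", update_servers(SAMPLE_LOG))))
```

Run it against a longer tail of the real log rather than the excerpt; if every attempt comes back tcp_connect_failed, look at routing and security policy first, whereas connected_no_payload on port 80 is the pattern that points at captive portal or another device answering the session in the firewall's place.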
owner: apasupulati