EDL message :"Downloaded file is not a text file. Using old copy for refresh"

EDL message :"Downloaded file is not a text file. Using old copy for refresh"

17536
Created On 03/12/19 18:02 PM - Last Modified 04/15/19 06:58 AM


Symptom
System Logs contain messages like: "Downloaded file is not a text file. Using old copy for refresh"
Note: EDL names are just for illustration.
system logs from CLI:
2019/04/12 16:01:40 medium   general        general 0  EDL(EDL-not-text-extension-is-txt) Downloaded file is not a text file. 
2019/04/12 16:01:40 medium   general        general 0  EDL(EDL-not-text) Downloaded file is not a text file. 
2019/04/12 16:01:40 medium   general        general 0  EDL(EDL-empty) Downloaded file is not a text file.

WebGUI:
User-added image

Sometimes you may see those errors even during commit:
User-added image
 


Environment
  • PAN-OS
  • EDL configured


Cause
The system logs are not errors per se
They are "medium" severity messages that are printed, in the following conditions:
  • The downloaded file is NOT in text file format.
  • The text file is empty.
  • The server returns any other server response code other than 200OK.
Example: "HTTP/1.1 500 Internal Server Error"
By design HTML/HTTP error codes are not recorded and a generic  message is printed.

In essence, If the downloaded file is not text file, it logs that it is not a text file.
It doesn't save the output error response received from remote server.


Resolution
Manually try accessing the EDL server and check contents.
You can run tcp dump on management interface and check the downloaded file(easier if it is http/non-encrypted)
Rectify the source file format and ensure:
  • The list is not empty
  • The file format is text.
If it is due to server side errors, then you can contact the server administrator(in case of locally administered server
Use an alternate/ different EDL server.


Additional Information
You can set up your own EDL server using MineMeld:
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld
https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-apps/minemeld

On wireshark pcaps you can verify the http header to see the file  format.
text file:
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 22:51:59 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Apr 2019 22:39:01 GMT
ETag: "0-5865cf820f18a"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

docx file:
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 22:52:37 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Apr 2019 22:39:44 GMT
ETag: "2dc4-5865cfaaa9a0c"
Accept-Ranges: bytes
Content-Length: 11716
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

file with extension .txt but actual file is not text:
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 22:53:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Apr 2019 22:39:23 GMT
ETag: "2dc4-5865cf96e60eb-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9009
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


 


Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boJmCAI&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments