EDL message :"Downloaded file is not a text file. Using old copy for refresh"

EDL message :"Downloaded file is not a text file. Using old copy for refresh"

32930
Created On 03/12/19 18:02 PM - Last Modified 04/19/24 19:48 PM


Symptom


System Logs contain messages like: "Downloaded file is not a text file. Using old copy for refresh"
Note: EDL names are just for illustration.
system logs from CLI: 
2019/04/12 16:01:40 medium   general        general 0  EDL(EDL-not-text-extension-is-txt) Downloaded file is not a text file. 
2019/04/12 16:01:40 medium   general        general 0  EDL(EDL-not-text) Downloaded file is not a text file. 
2019/04/12 16:01:40 medium   general        general 0  EDL(EDL-empty) Downloaded file is not a text file.

WebGUI:
User-added image

Sometimes you may see those errors even during commit:
User-added image
 

Environment


  • PAN-OS
  • EDL configured

Cause


The system logs are not errors per se
They are "medium" severity messages that are printed, in the following conditions:
  • The downloaded file is NOT in text file format.
  • The text file is empty.
  • The server returns any other server response code other than 200OK.
Example: "HTTP/1.1 500 Internal Server Error"
By design HTML/HTTP error codes are not recorded and a generic  message is printed.

In essence, If the downloaded file is not text file, it logs that it is not a text file.
It doesn't save the output error response received from remote server.

Resolution


  1. Manually try accessing the EDL server and check contents.
  2. Run tcp dump on management interface and check the downloaded file (easier if it is http/non-encrypted).
  3. Rectify the source file format and ensure:
  • The list is not empty
  • The file format is text.
The below command can be used on a Linux system to verify the file type, for example:  
> file -b --mime-type "xxx.txt"
application/octet-stream
> file -b --mime-type "yyy.txt"
text/plain
The first file xxx.txt is "application/octet-stream", though it has .txt extension.
A plain text file should have the type as "text/plain".

If it is due to server-side errors, then you can contact the server administrator (in case of locally administered server
Use an alternate/ different EDL server.

Additional Information


You can set up your own EDL server using MineMeld:
https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
https://live.paloaltonetworks.com/t5/MineMeld/ct-p/MineMeld
https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-apps/minemeld

On wireshark pcaps you can verify the http header to see the file  format.
text file: 
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 22:51:59 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Apr 2019 22:39:01 GMT
ETag: "0-5865cf820f18a"
Accept-Ranges: bytes
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain

docx file: 
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 22:52:37 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Apr 2019 22:39:44 GMT
ETag: "2dc4-5865cfaaa9a0c"
Accept-Ranges: bytes
Content-Length: 11716
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document

file with extension .txt but actual file is not text: 
HTTP/1.1 200 OK
Date: Fri, 12 Apr 2019 22:53:05 GMT
Server: Apache/2.4.29 (Ubuntu)
Last-Modified: Fri, 12 Apr 2019 22:39:23 GMT
ETag: "2dc4-5865cf96e60eb-gzip"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 9009
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain


 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000boJmCAI&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language