Firewall establishes a connection with PAN-DB Cloud while URL Filtering license is not activated

323193
Created On 03/05/24 22:20 PM - Last Modified 04/16/26 06:33 AM


Symptom


  • The next generation firewall establishes a connection with the PAN-DB cloud while the URL Filtering license is not activated.
  • The show url-cloud status command shows that the URL Filtering License is "valid".
    > show url-cloud status
    
    PAN-DB URL Filtering
    License : valid
  • If the firewall is able to establish the connection, it actually downloads the PAN-DB database even if there's no URL filtering license.
    > 2023/08/13 05:33:41 info     url-fil        upgrade 0  PAN-DB was upgraded to version 20230813.20189.
  • If the firewall cannot establish the connection, for example when the connection is blocked or the firewall itself is air-gapped, the following errors are generated in the system logs. The exact message may vary depending on the PAN-OS version.
    PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name)
    CURL ERROR: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s0000.urlcloud.paloaltonetworks.com:443
    CLOUD ELECTION: cannot elect a cloud
  • Those system log messages generate a lot of noise and also might fill up the log storage if they are forwarded to a third party storage system.
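The noise described above can be handled at the log-collection side. The following is an added example, not part of this KB article: it classifies forwarded system-log lines against the three PAN-DB cloud messages quoted here and decides, per firewall, whether the message is expected noise (no URL Filtering license) or a real alert (a licensed firewall that cannot reach PAN-DB). The log format, hostnames and license inventory are constructed assumptions.

```python
import re
from collections import Counter

# Stable fragments of the PAN-DB cloud messages this article quotes; the exact
# wording varies by PAN-OS version, so match on the part that stays constant.
PANDB_NOISE = [
    re.compile(r"PAN-DB cloud list loading failed"),
    re.compile(r"CURL ERROR: .*urlcloud\.paloaltonetworks\.com"),
    re.compile(r"CLOUD ELECTION: cannot elect a cloud"),
]

# Constructed sample of forwarded system-log lines: "<hostname> <message>".
SAMPLE_LOGS = """\
fw-airgap-01 PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name)
fw-airgap-01 CURL ERROR: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s0000.urlcloud.paloaltonetworks.com:443
fw-airgap-01 CLOUD ELECTION: cannot elect a cloud
fw-edge-01 CLOUD ELECTION: cannot elect a cloud
fw-edge-01 PAN-DB was upgraded to version 20230813.20189.
fw-airgap-01 Commit job succeeded
""".splitlines()

# Constructed license inventory (assumption): hostname -> URL Filtering licensed?
URL_LICENSE = {"fw-airgap-01": False, "fw-edge-01": True}


def is_pandb_cloud_noise(message: str) -> bool:
    """True if the message is one of the PAN-DB cloud connectivity errors."""
    return any(p.search(message) for p in PANDB_NOISE)


def triage(lines, url_license):
    """Decide per line: 'suppress' (unlicensed firewall, expected noise),
    'alert' (licensed firewall that cannot reach PAN-DB, so URL lookups will
    fail) or 'keep' (unrelated message). Returns (decisions, counts)."""
    decisions = []
    for line in lines:
        host, _, message = line.partition(" ")
        if not is_pandb_cloud_noise(message):
            verdict = "keep"
        elif url_license.get(host, True):  # unknown host: fail safe, alert
            verdict = "alert"
        else:
            verdict = "suppress"
        decisions.append((host, verdict))
    return decisions, Counter(decisions)


if __name__ == "__main__":
    _, counts = triage(SAMPLE_LOGS, URL_LICENSE)
    for (host, verdict), n in sorted(counts.items()):
        print(f"{host:14} {verdict:9} {n}")
```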


Environment


  • All Next-Generation Firewall models
  • PAN-OS 10.0 or later
  • Advanced Threat Prevention (ATP) and/or Advanced WildFire (AWF) licenses are activated


Cause


When the Advanced Threat Prevention (ATP) and/or the Advanced WildFire (AWF) licenses are activated, they trigger the connection to the PAN-DB cloud even if the URL Filtering license is not activated.



Resolution


If a security device blocks the connection between the firewall and the PAN-DB cloud servers, it is recommended to allow traffic to the following FQDNs:

  • s0000.urlcloud.paloaltonetworks.com
  • serverlist.urlcloud.paloaltonetworks.com
  • serverlist2.urlcloud.paloaltonetworks.com
  • serverlist3.urlcloud.paloaltonetworks.com


If the connection is blocked by another Palo Alto Networks firewall, the App-ID "pan-db-cloud" can be used in a Security Policy to allow the connection.


Palo Alto Networks added a knob in newer PAN-OS releases that provides an option to disable the PAN-DB connection, intended especially for air-gapped environments. Look for the tracking number (PAN-266843) in the release notes to see which PAN-OS version includes the fix.

Refer to the following KB article, which describes how to apply the fix:
Traffic latency observed on Air gapped firewall with Advanced Threat Protection, Advanced Wildfire or Advanced URL filtering enabled.



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008XR5CAM&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail