Firewall establishes a connection with PAN-DB Cloud while URL Filtering license is not activated

313569
Created On 03/05/24 22:20 PM - Last Modified 10/06/25 07:21 AM


Symptom


  • The next generation firewall establishes a connection with the PAN-DB cloud while the URL Filtering license is not activated.
  • The show url-cloud status command shows that the URL Filtering License is "valid".
    > show url-cloud status
    
    PAN-DB URL Filtering
    License : valid
  • If the firewall is able to establish the connection, it actually downloads the PAN-DB database even if there's no URL filtering license.
    > 2023/08/13 05:33:41 info     url-fil        upgrade 0  PAN-DB was upgraded to version 20230813.20189.
  • If the firewall cannot establish the connection, which happens when the connection is blocked or when the firewall itself is air-gapped, the following errors are generated in the system logs. The exact wording may vary with the PAN-OS version.
    PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name)
    CURL ERROR: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s0000.urlcloud.paloaltonetworks.com:443
    CLOUD ELECTION: cannot elect a cloud
  • These system log messages generate a lot of noise and can fill up log storage if they are forwarded to a third-party storage system.
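To gauge how much of the forwarded system-log volume is made up of these PAN-DB connection messages before deciding on a forwarding filter, the lines can be classified by the message patterns quoted above. The following script is an added example, not code from the article or from Palo Alto Networks: the match patterns are taken from the messages shown above, the sample log lines are constructed, and the "timestamp severity subtype" prefix is an assumption modelled on the upgrade line.

```python
"""Classify PAN-OS system log lines that stem from the PAN-DB cloud connection.

Added example (not from the KB article or Palo Alto Networks). The message
patterns are the ones quoted in the article; the sample lines below are
constructed and the syslog prefix layout is an assumption.
"""
import re
from collections import Counter
from typing import Iterable, Optional

# Patterns for the PAN-DB cloud messages quoted in the article. The hostname
# pattern is kept general so any *.urlcloud.paloaltonetworks.com server matches.
PANDB_PATTERNS = {
    "cloud_list_failed": re.compile(r"PAN-DB cloud list loading failed"),
    "curl_error": re.compile(r"CURL ERROR:.*urlcloud\.paloaltonetworks\.com:443"),
    "cloud_election": re.compile(r"CLOUD ELECTION: cannot elect a cloud"),
    "pandb_upgraded": re.compile(r"PAN-DB was upgraded to version \d+\.\d+"),
}

# Categories that an air-gapped or blocked firewall emits repeatedly; the
# upgrade notice is a one-off informational line and is not treated as noise.
NOISE_CATEGORIES = {"cloud_list_failed", "curl_error", "cloud_election"}


def classify(line: str) -> Optional[str]:
    """Return the PAN-DB category of a log line, or None for unrelated lines."""
    for name, pattern in PANDB_PATTERNS.items():
        if pattern.search(line):
            return name
    return None


def is_pandb_noise(line: str) -> bool:
    """True for the repeated connection-failure messages described in the article."""
    return classify(line) in NOISE_CATEGORIES


def summarize(lines: Iterable[str]) -> dict:
    """Count PAN-DB messages by category and keep every other line unchanged.

    Run this over a sample of exported system logs to see what share of the
    forwarded volume the PAN-DB connection attempts account for.
    """
    counts: Counter = Counter()
    other = []
    for line in lines:
        category = classify(line)
        if category is None:
            other.append(line)
        else:
            counts[category] += 1
    return {"pandb": dict(counts), "other": other}


# Constructed sample: messages from the article, wrapped in an assumed
# "timestamp severity subtype" prefix modelled on the upgrade line.
SAMPLE_LOG = [
    "2023/08/13 05:33:41 info     url-fil        upgrade 0  PAN-DB was upgraded to version 20230813.20189.",
    "2023/08/13 05:35:02 high     general        general 0  PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name)",
    "2023/08/13 05:35:02 high     general        general 0  CURL ERROR: OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to s0000.urlcloud.paloaltonetworks.com:443",
    "2023/08/13 05:35:03 high     general        general 0  CLOUD ELECTION: cannot elect a cloud",
    "2023/08/13 05:36:10 info     general        general 0  User admin logged in via Web from 10.0.0.5 using https",
    "2023/08/13 05:40:02 high     general        general 0  PAN-DB cloud list loading failed (ERROR:Couldn't resolve host name)",
]

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    noise = sum(1 for line in SAMPLE_LOG if is_pandb_noise(line))
    print(f"{noise}/{len(SAMPLE_LOG)} lines are PAN-DB connection noise")
    print("By category:", result["pandb"])
    print("Remaining lines:")
    for line in result["other"]:
        print("  ", line)
```

The upgrade notice is deliberately counted but not flagged as noise: it confirms that the firewall did reach the cloud and downloaded the database, which is the behaviour the article describes and worth keeping in the forwarded stream.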


Environment


  • All Next-Generation Firewall models
  • PAN-OS 10.0 or later
  • Advanced Threat Prevention (ATP) and/or Advanced WildFire (AWF) licenses are activated


Cause


When the Advanced Threat Prevention (ATP) and/or the Advanced WildFire (AWF) licenses are activated, they trigger the connection to the PAN-DB cloud even if the URL Filtering license is not activated.



Resolution


If there is a security device that blocks the connection between the firewall and the PAN-DB cloud servers, it is recommended to allow the traffic for the following FQDNs:

  • s0000.urlcloud.paloaltonetworks.com
  • serverlist.urlcloud.paloaltonetworks.com
  • serverlist2.urlcloud.paloaltonetworks.com
  • serverlist3.urlcloud.paloaltonetworks.com


If the connection is blocked by another Palo Alto Networks firewall, the App-ID "pan-db-cloud" can be used in a Security Policy to allow the connection.


Palo Alto Networks is planning to add a knob in a future PAN-OS release that provides an option to disable the PAN-DB connection, especially for air-gapped environments. Keep the tracking number (PAN-266843) for reference and look for it in the release notes when a new PAN-OS version is released.


