Why Does The Passive Firewall Not Download the URL Filtering Update?
Question
I have Active / Passive firewalls with active license for URL filtering environment. However, Passive firewall cannot download the DB seed and do not have dynamic update for URL filtering DB.
Environment
- Palo Alto Networks Next Generation Firewall with URL filtering license
- Active/Passive HA environment
Answer
URL Filtering database will only be updated when firewall connects to the cloud.
Only MP backup cache will be updated every 4 hours from Active to Passive.
In an HA Active/Passive scenario with URL filtering license, only the Active firewall will connect to the PAN-DB cloud. When it does connect to the cloud, it will also update the URL Filtering database version number to indicate that it has synced with the latest version in the cloud.
If you want to know the status on the firewall, please check the URL-cloud status with following command.
> show url-cloud status
Additional Information
Additionally, the MP cache is backed up every 4 hours, as well as anytime the device is about to restart.
At this point, if the Passive device ever becomes Active, it at least will have a populated MP cache that's at most 4 hours out of sync with the original Active device.