Why Does the PAN-DB Version Not Update on the Passive Firewall?
Created On 02/01/21 05:09 AM - Last Modified 09/14/21 04:01 AM
Question
After upgrading PAN-OS to 9.0 or later, why doesn't the PAN-DB version update on the Passive firewall?
Environment
- All firewalls running on PAN-OS 9.0.x or later
- Using PAN-DB URL filtering feature
- Active/Passive HA environment
Answer
When the firewall connects to the PAN-DB cloud, it will update the database version number to indicate that it has synced with the latest version in the cloud.
In an HA Active/Passive scenario with PAN-DB, only the Active device will connect to the PAN-DB cloud.
When the firewalls in HA are upgraded to versions above 9.0, the Passive firewall in particular does not make a connection to the cloud.
Since the firewalls no longer download any URL seed files, the PAN-DB version on the Passive firewall will show as 0000.00.00.000 immediately after the upgrade.
The following sequence of logs is expected.
2021/09/09 06:39:01 info ha state-c 0 HA Group 3: Moved from state Active to state Suspended
2021/09/09 06:49:51 info general general 0 Installed panos software version 9.1.4
2021/09/09 06:50:10 info url-fil upgrade 0 PAN-DB was upgraded to version 20210908.20313.
<< Firewall is rebooted >>
2021/09/09 06:56:10 info url-fil upgrade 0 PAN-DB was upgraded to version 0000.00.00.000.
2021/09/09 06:56:10 info url-fil url-eng 0 PAN-DB engine is starting...
2021/09/09 06:56:10 info url-fil url-eng 0 PAN-DB engine started.
2021/09/09 06:56:10 medium url-fil url-dow 0 PAN-DB cloud list loading failed (ERROR:Couldn't connect to server).
The Passive firewall continues to sync up with the Active firewall to keep the URL DB cache updated.
If there is a failover and the firewall becomes Active, the firewall will then connect to the URL Cloud DB and start filling up the cache.
The new version will then be reflected.
2021/09/09 07:01:06 info ha state-c 0 HA Group 3: Moved from state Initial to state Passive
2021/09/09 07:13:23 high ha state-c 0 HA Group 3: Moved from state Passive to state Active
2021/09/09 07:13:31 info url-fil upgrade 0 PAN-DB was upgraded to version 20210908.20319.
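The following is an added example, not Palo Alto Networks code: a small Python check that replays system log lines, tracks the HA state, and marks a 0000.00.00.000 PAN-DB version as expected when the unit is not Active. The field layout is inferred from the excerpts above, the sample input is constructed from them, and the names review_pandb and initial_state are hypothetical.

```python
import re

# Constructed sample: the system log lines quoted in this article, one per line.
SAMPLE_LOG = """\
2021/09/09 06:39:01 info ha state-c 0 HA Group 3: Moved from state Active to state Suspended
2021/09/09 06:50:10 info url-fil upgrade 0 PAN-DB was upgraded to version 20210908.20313.
2021/09/09 06:56:10 info url-fil upgrade 0 PAN-DB was upgraded to version 0000.00.00.000.
2021/09/09 06:56:10 medium url-fil url-dow 0 PAN-DB cloud list loading failed (ERROR:Couldn't connect to server).
2021/09/09 07:01:06 info ha state-c 0 HA Group 3: Moved from state Initial to state Passive
2021/09/09 07:13:23 high ha state-c 0 HA Group 3: Moved from state Passive to state Active
2021/09/09 07:13:31 info url-fil upgrade 0 PAN-DB was upgraded to version 20210908.20319.
"""

# Assumed layout, inferred from the excerpts: date time severity subtype event id message
LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+) (.*)$")
HA_RE = re.compile(r"Moved from state (\S+) to state (\S+)")
DB_RE = re.compile(r"PAN-DB was upgraded to version ([\d.]+)")
PLACEHOLDER = "0000.00.00.000"


def review_pandb(log_text, initial_state="Active"):
    """Track HA state and PAN-DB version; classify each version event."""
    state, version, events = initial_state, None, []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed layout
        ts, _sev, subtype, _event, _id, msg = m.groups()
        ha = HA_RE.search(msg)
        db = DB_RE.search(msg)
        if subtype == "ha" and ha:
            state = ha.group(2)
        elif subtype == "url-fil" and db:
            version = db.group(1).rstrip(".")  # drop the sentence-ending dot
            if version != PLACEHOLDER:
                verdict = "synced"
            elif state != "Active":
                verdict = "expected"  # non-Active peer makes no cloud connection
            else:
                verdict = "check"  # Active unit should reach the cloud
            events.append((ts, state, version, verdict))
    # An Active unit still on the placeholder does not match the article's sequence.
    return {"events": events, "state": state, "version": version,
            "needs_attention": state == "Active" and version == PLACEHOLDER}


if __name__ == "__main__":
    for event in review_pandb(SAMPLE_LOG)["events"]:
        print(*event)
```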
Additional Information
For your reference:
How URL Filtering Works
NOTE:
This is expected behavior. PAN-DB is the URL Filtering cloud database; the firewall does not hold a URL category database, only a URL cache that stores recently accessed URLs with their URL categories.
Note: PAN-OS 9.0 and later releases do not download PAN-DB seed databases.