url-cloud status is disconnected on the Firewall

5665

Created On 04/11/25 06:12 AM - Last Modified 06/06/25 01:17 AM

Allow List

Management Interface

URL Filtering

11.2

10.2

10.1

11.1

PAN-OS

Next-Generation Firewall

Symptom

url-cloud status is disconnected when using the management interface as the source
Scenario:
- In this case, the management plane traffic is routed back to the data plane interface in order to reach to the Internet. (Mgmt interface -> LAN -> WAN -> Internet)
- Permitted IP list has a set of IP's configured to restrict access to the management interface
- The security policies are defined correctly, but the url-cloud stays in "not connected" state

FW> show url-cloud status

PAN-DB URL Filtering
License : valid
libcurl resolver : threaded
Cloud connection : not connected
URL database version - device : 20250411.20086
URL database version - cloud : 20250411.20086 ( last update time 2025/04/10 22:42:48 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible

Environment

Firewall
PAN-OS 10.2.x, 11.1.x, 11.2.x

Cause

The snippet below is a tcpdump taken at the management interface. It shows the firewall is able to successfully reach the server "serverlist2.urlcloud.paloaltonetworks.com".
After the exchange of Client Hello and Server Hello, the server sends a Certificate Request to the firewall.
Here the size of the firewall certificate exceeds the default MTU of 1500 bytes, fragmentation is needed and the LAN interface negotiates with the management interface for fragmentation as highlighted in the given packet capture snippet.
Hence the LAN IP is not added in the permitted IP list, the connection fails.

Resolution

Add LAN IP to the permitted IP address under the management interface (Device -> Setup -> Interfaces -> Management Interface Settings -> Permitted IP Address), and then check the cloud-url status.