How to troubleshoot the connection failure to PAN-DB cloud server
Created On 06/12/25 15:40 PM - Last Modified 06/12/25 21:19 PM
Objective
- Find the reason behind the connection loss between the firewall and the PAN-DB cloud server.
- Restore the connection between the firewall and the PAN-DB cloud server.
Environment
- Next Generation Firewall
- PAN-DB
Procedure
1. Check the connection status between the firewall and the PAN-DB cloud server. Run the command:
   > show url-cloud status
   Example output:
   > show url-cloud status
   PAN-DB URL Filtering
   License : valid
   libcurl resolver : threaded
   Current cloud server : serverlist2.urlcloud.paloaltonetworks.com
   Cloud connection : connected
   Cloud mode : public
   URL database version - device : 20250612.20232
   URL database version - cloud : 20250612.20232 ( last update time 2025/06/12 08:27:33 )
   URL database status : good
   URL protocol version - device : pan/2.0.0
   URL protocol version - cloud : pan/2.0.0
   Protocol compatibility status : compatible
   In certain scenarios, you might get the following output:
   > show url-cloud status
   PAN-DB URL Filtering
   License : valid
   libcurl resolver : threaded
   Cloud connection : not connected
   URL database version - device : 20250411.20086
   URL database version - cloud : 20250411.20086 ( last update time 2025/04/10 22:42:48 )
   URL database status : good
   URL protocol version - device : pan/2.0.0
   URL protocol version - cloud : pan/2.0.0
   Protocol compatibility status : compatible
2. Check the DNS resolution of the PAN-DB server hostname and the TCP connection status between the firewall and the PAN-DB cloud server:
   a. Check the service route to the PAN-DB cloud server; it is the same as configured for "URL Updates".
      - If the default is used, the service route is the management interface, and there is no need to add the parameter "source" to the command in 2.b.
      - If it is configured to be a dataplane interface, then add the IP address of that interface as the source of the ping.
   b. Use the ping command to check the network reachability to the PAN-DB cloud server and to resolve the IP address of its FQDN found in the command in step 1:
      - For the default or management service route to "URL Updates", use the command:
        ping host serverlist2.urlcloud.paloaltonetworks.com
      - For dataplane interface service route to "URL Updates", use the command:
        ping source <IP address of the dataplane interface configured as service route to URL Updates> host serverlist2.urlcloud.paloaltonetworks.com
   c. Check the netstat using the resolved IP address:
      show netstat numeric-hosts yes numeric-ports yes | match <IP address of the PAN-DB cloud server>
      Ensure that no device between the firewall interface configured as a service route to the URL Updates and the PAN-DB cloud server is blocking port 443. If a Palo Alto Networks firewall is blocking the connection, ensure that the Security Policy allowing the connection explicitly permits the 'pan-db-cloud' App-ID.
3. Ensure the URL-filtering license is valid: Refer to How to Install and Activate PAN-DB for URL Filtering.
4. Ensure the URL protocol version shows as compatible; if not, upgrade PAN-OS to the latest preferred version.
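The checks in this procedure can be applied to saved "show url-cloud status" output when many firewalls need triage. The following Python script is an added example, not Palo Alto Networks code; the function names are hypothetical, and it assumes the output is stored with one "key : value" field per line, as the CLI prints it.

```python
import re

# "Not connected" sample output from the first step of the procedure.
NOT_CONNECTED = """\
PAN-DB URL Filtering
License : valid
libcurl resolver : threaded
Cloud connection : not connected
URL database version - device : 20250411.20086
URL database version - cloud : 20250411.20086 ( last update time 2025/04/10 22:42:48 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
"""


def parse_status(text):
    """Map each 'key : value' line to a lower-cased key and stripped value."""
    fields = {}
    for line in text.splitlines():
        # Split on the first space-padded colon only, so times like 22:42:48 stay intact.
        parts = re.split(r"\s+:\s+", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0].lower()] = parts[1].strip()
    return fields


def triage(text):
    """Return (check, next action) pairs for each field that is not healthy."""
    f = parse_status(text)
    # The license key may carry the "PAN-DB URL Filtering" banner as a prefix.
    lic = next((v for k, v in f.items() if k.endswith("license")), None)
    findings = []
    if f.get("cloud connection") != "connected":
        findings.append(("connectivity", "check service route, DNS/ping and TCP 443"))
    if lic != "valid":
        findings.append(("license", "verify the URL filtering license"))
    if f.get("protocol compatibility status") != "compatible":
        findings.append(("protocol", "upgrade PAN-OS to the latest preferred version"))
    return findings


if __name__ == "__main__":
    for check, action in triage(NOT_CONNECTED):
        print(f"{check}: {action}")
```

A missing field is reported the same way as an unhealthy one, so truncated output does not pass as healthy.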
Additional Information
IMPORTANT NOTE:
- If you restart the device-server using the command "debug software restart process device-server", you'll need to perform a "commit force" for the firewall to reconnect to the PAN-DB cloud server.
- In some cases, restarting the device-server followed by a commit force can be used to attempt a reconnection to the PAN-DB Cloud server. However, this process can be disruptive, so it is recommended to use this approach with caution and preferably during a maintenance window.
- Access to the PAN-DB cloud will be blocked if the firewall is not standalone or in an active state. Refer to PAN-DB Cloud connectivity issues for more information.