Traffic latency observed on Air gapped firewall with Advanced Threat Protection, Advanced Wildfire or Advanced URL filtering enabled.


Created On 01/31/26 01:56 AM - Last Modified 03/03/26 19:57 PM


Symptom


  • An air-gapped firewall has one of Advanced Threat Protection, Advanced WildFire or Advanced URL Filtering enabled.
  • Latency and timeouts are seen for the traffic passing through the firewall.
  • The firewall attempts to connect to the PAN-DB cloud, even when URL filtering is not configured.
  • Failure messages such as the following are seen in the system logs:
Failed to send update request to cloud(Error(35):SSL connect error or CURL ERROR: Failed to connect... 
Connection timed out.


Environment


  • Air-gapped or restricted-connectivity network environments.
  • PAN-OS versions 10.1.x, 10.2.x, 11.1.x, 11.2.x


Cause


  • Certain security licenses, specifically Advanced Threat Prevention (ATP), Advanced WildFire (AWF) or Advanced URL Filtering, implicitly enable PAN-DB URL cloud connectivity.
  • These features require the PAN-DB URL category as part of internal mechanism.
  • The PAN-DB URL connection is attempted even in the absence of an active URL Filtering or Advanced URL Filtering (AURL) license.
  • Additionally, URL lookups can be triggered if security or decryption policies reference a URL category or a URL filtering profile.
  • Inline cloud analysis enabled in security profiles and non-file-based DLP inspections will also activate these lookups.
  • Because the cloud connection cannot be established, URL categorization is delayed while each cloud lookup waits to time out, and the traffic passing through the firewall incurs that latency.


Resolution


  1. Enable PAN-DB "offline-mode" setting to completely stop PAN-DB cloud connection attempts.
  2. Enabling this stops cloud connection attempts, eliminates related cloud connection failures in the system log, and enables a "fast-response" (with a "not-resolved" URL category) to avoid URL lookup timeouts and traffic latency.
  3. The configuration can be enabled under operational mode or configuration mode.

    CLI Operational Mode:

    1. To Enable: debug device-server pan-url-db offline-mode on (This command survives a reboot).
    2. To Disable (Default): debug device-server pan-url-db offline-mode off
    3. To Verify: debug device-server pan-url-db offline-mode show

    CLI Configuration Mode:

    1. To Enable: set deviceconfig setting pan-url-db offline-mode yes

    The commands are available in the following versions.

    • PAN-OS 10.2.18+: CLI Operational mode only (Visible).
    • PAN-OS 11.1.14+: CLI Operational mode only (Visible).
    • PAN-OS 11.2.11+: CLI Operational mode only (Visible).
    • PAN-OS 12.1.2: CLI Operational mode only (Visible with auto-complete).
    • PAN-OS 12.1.3+: CLI Operational and Configuration modes (Hidden, no auto-complete).
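The following is an added example, not code from the article or from Palo Alto Networks: a small triage script that scans system-log lines for the cloud-connection failure strings quoted under Symptom and maps a PAN-OS version string against the availability list above to report whether the offline-mode command is expected in operational mode, configuration mode, or neither. The function names and the sample log lines are assumptions constructed for the example; version trains not listed above are reported as unsupported because the article says nothing about them.

```python
import re

# Constructed sample system-log lines (not real firewall output). The
# failure text follows the messages quoted in the Symptom section.
SAMPLE_SYSTEM_LOG = """\
2026/01/31 01:10:05 url-filtering Failed to send update request to cloud(Error(35):SSL connect error
2026/01/31 01:10:35 url-filtering Failed to send update request to cloud(Error(35):SSL connect error
2026/01/31 01:11:00 general commit succeeded
2026/01/31 01:11:05 url-filtering CURL ERROR: Failed to connect... Connection timed out.
"""

# Substrings taken from the Symptom section; any line containing one of
# them is treated as a PAN-DB cloud connection attempt that failed.
CLOUD_FAILURE_PATTERN = re.compile(
    r"Failed to send update request to cloud|CURL ERROR: Failed to connect"
)

# Minimum patch level per (major, minor) train at which the operational-mode
# command "debug device-server pan-url-db offline-mode" is listed as available.
OPERATIONAL_MODE_MINIMUM_PATCH = {
    (10, 2): 18,
    (11, 1): 14,
    (11, 2): 11,
    (12, 1): 2,
}


def cloud_connect_failures(log_text: str) -> list[str]:
    """Return the system-log lines that record a failed PAN-DB cloud connection."""
    return [line for line in log_text.splitlines() if CLOUD_FAILURE_PATTERN.search(line)]


def parse_version(version: str) -> tuple[int, int, int]:
    """Parse 'major.minor.patch' (hotfix suffixes such as '-h1' are dropped)."""
    base = version.split("-")[0]
    parts = [int(p) for p in base.split(".")]
    while len(parts) < 3:  # tolerate '11.2' style input
        parts.append(0)
    return parts[0], parts[1], parts[2]


def offline_mode_support(version: str) -> dict[str, bool]:
    """Report in which CLI modes the offline-mode setting is listed for a version.

    Assumption: only the trains named in the article are recognised; anything
    else is reported as unsupported in both modes.
    """
    major, minor, patch = parse_version(version)
    train = (major, minor)
    operational = train in OPERATIONAL_MODE_MINIMUM_PATCH and patch >= OPERATIONAL_MODE_MINIMUM_PATCH[train]
    # Configuration mode (set deviceconfig setting pan-url-db offline-mode yes)
    # is listed only from 12.1.3 onwards.
    configuration = train == (12, 1) and patch >= 3
    return {"operational": operational, "configuration": configuration}


def triage(log_text: str, version: str) -> dict[str, object]:
    """Combine both checks into a summary an operator can act on."""
    failures = cloud_connect_failures(log_text)
    support = offline_mode_support(version)
    return {
        "failure_count": len(failures),
        "symptom_present": bool(failures),
        "offline_mode_operational": support["operational"],
        "offline_mode_configuration": support["configuration"],
    }


if __name__ == "__main__":
    # Sample run against the constructed log and a version from the list above.
    print(triage(SAMPLE_SYSTEM_LOG, "10.2.18"))
```

Run the script as-is to see the summary for the constructed log; point `cloud_connect_failures` at an exported system log to count the failures on a real firewall, and pass the firewall's `show system info` version string to `offline_mode_support` before deciding which of the two command sets above to use.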


Additional Information


  • Starting with PAN-OS 12.1.2, a new "hidden" operational command is available to identify the installed licenses or configurations that force the connection to the URL cloud.
  • This command requires typing the full command manually (no auto-complete).
  • Command: test url-enablement-reason vsys <vsys>
admin@Lab40-255-PA-VM> test url-enablement-reason vsys vsys1
URL filtering not enabled on DP

