Firewall not able to fetch the EDL address objects

Created On 04/28/20 15:05 PM - Last Modified 06/24/20 02:20 AM


Symptom


  • The firewall is able to ping the EDL (External Domain List) server.
  • The firewall has service routes configured with Palo Alto Networks Services set to eth1/1 and edl-updates left at the default.
  • A tcpdump on the firewall's management interface shows no attempt by the firewall to connect to the EDL server.
  • The MS.log output displays the following:
    Error: pan_ebl_set_curl_proxy_info(pan_cfg_ebl.c:5930): failed to get proxy info
    Error: ebl_fetch_url_from_remote_libcurl(pan_cfg_ebl.c:2450): EDL vsys1:Malicious_IPs_Minemeld curl_easy_perform failed, Err(35):SSL connect error

 


Environment


  • Palo Alto Firewall
  • PAN-OS 9.0 and above.
  • EDL (External Domain List) configured.


Cause


An incorrectly set service route causes this issue. The firewall chooses the interface for fetching the EDL as follows:
  • If a service route is set for edl-updates, that interface is used for fetching the EDL.
  • If it is not set and Palo Alto Networks Services has a service route set, that route is used for fetching the EDL.
  • If neither is set, the MGT (management) interface is used.


Resolution


Explicitly set the service route for edl-updates to MGT (management) if you want the firewall to connect to the EDL server through the management interface.
