PAN-DB Cloud Connectivity Issues
End-of-Life (EoL)


After you verify your connection to the PAN-DB cloud, use this checklist to troubleshoot your cloud connectivity issues.
To help ensure connectivity to the PAN-DB cloud, create a dedicated Security policy rule to allow all Palo Alto Management Service traffic. This keeps management traffic from being classified as not-resolved and prevents it from being blocked when routed through the dataplane.
To check connectivity between the firewall and the PAN-DB cloud:
    show url-cloud status
The firewall initially queries the default PAN-DB cloud to determine the highest performing regional cloud server; this server is used for all PAN-DB queries, including the status check. If the best available server is not operational, it will fall back to the next best available option.
If the cloud is accessible, the expected response is similar to the following:
    show url-cloud status
    PAN-DB URL Filtering
    License : valid
    Current cloud server : serverlist.urlcloud.paloaltonetworks.com
    Cloud connection : connected
    Cloud mode : public
    URL database version - device : 20200624.20296
    URL database version - cloud : 20200624.20296 ( last update time 2020/06/24 12:39:19 )
    URL database status : good
    URL protocol version - device : pan/2.0.0
    URL protocol version - cloud : pan/2.0.0
    Protocol compatibility status : compatible
If none of the clouds are accessible, the expected response is similar to the following:
    show url-cloud status
    PAN-DB URL Filtering
    License : valid
    Cloud connection : not connected
    URL database version - device : 0000.00.00.000
    URL protocol version - device : pan/0.0.2
Use the following checklist to identify and resolve connectivity issues:
  • Does the PAN-DB URL Filtering license field show as invalid? Obtain and install a valid PAN-DB license.
  • Does your network environment have a proxy server handling Internet traffic? You may need to add the following PAN-DB cloud servers to an allow list to enable PAN-DB connectivity and updates. The PAN-DB regional clouds currently include the following:
    • Default: s000new.urlcloud.paloaltonetworks.com
    • Server List Provider: serverlist.urlcloud.paloaltonetworks.com
    • Americas East: pandb2dlprod.urlcloud.paloaltonetworks.com
    • Americas West: pandb2pdx1prod.urlcloud.paloaltonetworks.com
    • EMEA: pandb2am1prod.urlcloud.paloaltonetworks.com
    • APAC: pandb2ty6prod.urlcloud.paloaltonetworks.com
  • Does the URL protocol version show as not compatible? Upgrade PAN-OS to the latest version.
  • Can you ping the PAN-DB cloud server from the firewall? Run the following command to check:
    ping source <ip-address> host serverlist.urlcloud.paloaltonetworks.com
    For example, if your management interface IP address is 10.1.1.5, run the following command:
    ping source 10.1.1.5 host serverlist.urlcloud.paloaltonetworks.com
  • Is the firewall in an HA configuration? Verify that each firewall is in the active, active-primary, or active-secondary HA state. Access to the PAN-DB cloud will be blocked if the firewall is in a different state. Run the following command on each firewall in the pair to see the state:
    show high-availability state
If you still have problems with connectivity between the firewall and the PAN-DB cloud, contact Palo Alto Networks support.
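The checklist above can be applied mechanically to captured show url-cloud status output. The following Python script is an added example, not Palo Alto Networks code: it parses the output and returns the checklist items it points to. The function names and finding labels are hypothetical, the sample outputs are the two shown on this page, and treating any license value other than valid as a license problem is an assumption.

```python
import re
# Sample outputs from this page, one field per line as the CLI prints them.
CONNECTED = """\
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20200624.20296
URL database version - cloud : 20200624.20296 ( last update time 2020/06/24 12:39:19 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
"""
NOT_CONNECTED = """\
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 0000.00.00.000
URL protocol version - device : pan/0.0.2
"""

# The first whitespace-delimited colon splits name from value, so the colons
# inside the "last update time" timestamp stay in the value.
FIELD = re.compile(r"^\s*(.+?)\s+:\s+(.*\S)\s*$")

def parse_status(text):
    """Map each 'name : value' line of the output to a lower-cased dict key."""
    fields = {}
    for line in text.splitlines():
        if m := FIELD.match(line):  # the banner line has no ' : ' and is skipped
            fields[m.group(1).lower()] = m.group(2)
    return fields

def triage(fields):
    """Return the checklist items (hypothetical labels) the output points to."""
    findings = []
    # Tolerate captures where the banner and 'License' ended up on one line.
    license_state = next((v for k, v in fields.items() if k.endswith("license")), None)
    if license_state != "valid":
        findings.append("license: obtain and install a valid PAN-DB license")
    if fields.get("protocol compatibility status") == "not compatible":
        findings.append("protocol: upgrade PAN-OS")
    if fields.get("cloud connection") != "connected":
        findings.append("connectivity: check proxy allow list, ping, and HA state")
    return findings

if __name__ == "__main__":
    for name, sample in (("connected", CONNECTED), ("not connected", NOT_CONNECTED)):
        print(name, "->", triage(parse_status(sample)) or "no checklist item triggered")
```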
