Troubleshoot URL Filtering
The following topics provide troubleshooting guidelines for diagnosing and resolving common URL filtering problems.
Problems Activating PAN-DB
Use the following workflow to troubleshoot PAN-DB activation issues.
Troubleshoot PAN-DB Activation Issues
Access the PAN-OS CLI.
Verify whether PAN-DB has been activated by running the following command:
show system setting url-database
If the response is paloaltonetworks, PAN-DB is the active vendor.
Verify that the firewall has a valid PAN-DB license by running the following command:
request license info
You should see the license entry Feature: PAN_DB URL Filtering. If the license is not installed, you will need to obtain and install a license. See Configure URL Filtering.
After installing the license, download a new PAN-DB seed database by running the following command:
request url-filtering download paloaltonetworks region <region>
Check the download status by running the following command:
request url-filtering download status vendor paloaltonetworks
If the message is different from PAN-DB download: Finished successfully, stop here; there may be a problem connecting to the cloud. Attempt to solve the connectivity issue by performing basic network troubleshooting between the firewall and the Internet. For more information, see PAN-DB Cloud Connectivity Issues.
If the message is PAN-DB download: Finished successfully, the firewall successfully downloaded the URL seed database. Try to enable PAN-DB again by running the following command:
admin@PA-200> set system setting url-database paloaltonetworks
If the problem persists, contact Palo Alto Networks Customer Support.
PAN-DB Cloud Connectivity Issues
To check connectivity between the firewall and the PAN-DB cloud:
show url-cloud status
If the cloud is accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : s0000.urlcloud.paloaltonetworks.com
Cloud connection : connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
If the cloud is not accessible, the expected response is similar to the following:
show url-cloud status
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
Use the following checklist to identify and resolve connectivity issues:
Does the PAN-DB URL Filtering license field show as invalid? Obtain and install a valid PAN-DB license.
Does the URL database status show as out of date? Download a new seed database by running the following command:
request url-filtering download paloaltonetworks region <region>
Does the URL protocol version show as not compatible? Upgrade PAN-OS to the latest version.
Can you ping the PAN-DB cloud server from the firewall? Run the following command to check:
ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
For example, if your management interface IP address is 10.1.1.5, run the following command:
ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
Is the firewall in an HA configuration? Verify that the HA state of the firewalls is active, active-primary, or active-secondary. Access to the PAN-DB cloud will be blocked if the firewall is in a different state. Run the following command on each firewall in the pair to see the state:
show high-availability state
If you still have problems with connectivity between the firewall and the PAN-DB cloud, contact Palo Alto Networks support.
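The checklist above can be applied to captured show url-cloud status output with a short script. The following Python sketch is an added example, not Palo Alto Networks code; it assumes the "field : value" layout of the sample output shown above, and the names parse_status, diagnose and CHECKS are hypothetical.

```python
import re

# Sample: the "cloud not accessible" output shown above on this page.
SAMPLE = """\
PAN-DB URL Filtering
License : valid
Cloud connection : not connected
URL database version - device : 2013.11.18.000
URL database version - cloud : 2013.11.18.000 ( last update time 2013/11/19
13:20:51 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
"""

# Field -> (healthy value shown on this page, action from the checklist above).
CHECKS = {
    "License": ("valid", "obtain and install a valid PAN-DB license"),
    "Cloud connection": ("connected", "ping the cloud server and check the HA state"),
    "URL database status": ("good", "download a new seed database"),
    "Protocol compatibility status": ("compatible", "upgrade PAN-OS"),
}

def parse_status(text):
    """Parse 'field : value' lines; fold wrapped lines into the previous value."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"^(.+?)\s*:\s+(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and line.strip():
            fields[last] += " " + line.strip()  # wrapped continuation line
    return fields

def diagnose(fields):
    """Return (field, observed value, action) for each unhealthy or missing field."""
    findings = []
    for name, (healthy, action) in CHECKS.items():
        value = fields.get(name, "<missing>")
        if value.lower() != healthy:
            findings.append((name, value, action))
    return findings

if __name__ == "__main__":
    for name, value, action in diagnose(parse_status(SAMPLE)):
        print(f"{name}: {value!r} -> {action}")
```

Any value other than the healthy one shown on this page is flagged, so a missing field or an unexpected status string is reported rather than silently passed.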
URLs Classified as Not-Resolved
Use the following workflow to troubleshoot why some or all of the URLs being identified by PAN-DB are classified as Not-resolved:
Troubleshoot URLs Classified as Not-Resolved
Check the PAN-DB cloud connection by running the following command:
show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that does not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB Cloud Connectivity Issues.
If the cloud connection status shows connected, check the current utilization of the firewall. If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane), and will be categorized as not-resolved. To view system resources, run the following command and view the %CPU and %MEM columns:
show system resources
You can also view system resources on the System Resources widget on the Dashboard in the web interface.
If the problem persists, contact Palo Alto Networks support.
Incorrect Categorization
Sometimes you may come across a URL that you believe is categorized incorrectly. Use the following workflow to determine the URL categorization for a site and request a category change, if appropriate.
Troubleshoot Incorrect Categorization Issues
Verify the category in the dataplane by running the following command:
show running url <URL>
For example, to view the category for the Palo Alto Networks website, run the following command:
show running url paloaltonetworks.com
If the URL stored in the dataplane cache has the correct category (computer-and-internet-info in this example), then the categorization is correct and no further action is required. If the category is not correct, continue to the next step.
Verify the category in the management plane by running the following command:
test url-info-host <URL>
For example:
test url-info-host paloaltonetworks.com
If the URL stored in the management plane cache has the correct category, remove the URL from the dataplane cache by running the following command:
clear url-cache url <URL>
The next time the firewall requests the category for this URL, the request will be forwarded to the management plane. This will resolve the issue and no further action is required. If this does not solve the issue, go to the next step to check the URL category on the cloud systems.
Verify the category in the cloud by running the following command:
test url-info-cloud <URL>
If the URL stored in the cloud has the correct category, remove the URL from the dataplane and the management plane caches.
Run the following command to delete a URL from the dataplane cache:
clear url-cache url <URL>
Run the following command to delete a URL from the management plane cache:
delete url-database url <URL>
The next time the firewall queries for the category of the given URL, the request will be forwarded to the management plane and then to the cloud. This should resolve the category lookup issue. If problems persist, see the next step to submit a categorization change request.
To submit a change request from the web interface, go to the URL log and select the log entry for the URL you would like to have changed.
Click the Request Categorization change link and follow instructions. You can also request a category change from the Palo Alto Networks Test A Site website by searching for the URL and then clicking the Request Change icon. To view a list of all available categories with descriptions of each category, refer to https://urlfiltering.paloaltonetworks.com/CategoryList.aspx.
If your change request is approved, you will receive an email notification. You then have two options to ensure that the URL category is updated on the firewall:
Wait until the URL in the cache expires; the next time the URL is accessed by a user, the new categorization update will be put in the cache.
Run the following command to force an update in the cache:
request url-filtering update url <URL>
URL Database Out of Date
If you have observed through the syslog or the CLI that PAN-DB is out-of-date, it means that the connection from the firewall to the PAN-DB cloud is blocked. This usually occurs when the URL database on the firewall is too old (version difference is more than three months) and the cloud cannot update the firewall automatically. In order to resolve this issue, you must re-download an initial seed database (this operation is not blocked). This will result in an automatic re-activation of PAN-DB.
To manually update the database, perform one of the following steps:
From the web interface, select Device > Licenses and in the PAN-DB URL Filtering section click the Re-Download link.
From the CLI, run the following command:
request url-filtering download paloaltonetworks region <region_name>
Re-downloading the seed database causes the URL cache in the management plane and dataplane to be purged. The management plane cache will then be re-populated with the contents of the new seed database.
