Palo Alto Networks Knowledgebase: PAN-OS 8.0: PAN-DB Five-Minute Update for Malware and Phishing


Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
Resolution

This article highlights a new capability introduced in PAN-OS 8.0. If you would like to learn more about this topic or about PAN-OS 8.0 in general, also check out our Technical Documentation.

With this PAN-OS 8.0 update we enhanced PAN-DB so that it provides better coverage for the phishing and malware categories. The change aligns PAN-DB with the WildFire five-minute dynamic updates: one update every five minutes is 288 updates per day.

This closes the gap between the identification of malicious websites and hosts by WildFire and the coverage PAN-DB customers receive.

We also provide more granular cache expiration so that the device does not perform excessive trie update operations.

Details:

  • URL cache expiration time per risk level:
    • High risk
      • Categories
        • Dynamic DNS
        • Content delivery networks
        • Web hosting
        • Malware
        • Phishing
        • Parked
      • Expiration time set to five minutes, including all parents and children
    • Medium risk
      • URLs with malware or phishing activity observed in the past 180 days
      • Newly added domains and hosts (domains and hosts added in the last 180 days)
      • Categories
        • Hacking
        • Personal sites and blogs
        • Peer-to-peer
        • Shareware and freeware
      • Expiration time set to 30 minutes, including all parents and children
    • Low risk
      • Expiration time set to one day
  • M-500:
    • Checks for PAN-DB updates to the malware and phishing categories every five minutes
    • Cache expiration entries match those used in the cloud
  • Compatibility
    • Devices running releases prior to PAN-OS 8.0 keep the existing cache expiration timers:
      • One day for the Alexa top million
      • 30 minutes for everything else, including malware and phishing
    • Older PAN-OS releases can still take advantage of the new phishing feed
  • Cache timeouts are measured from the first lookup, when no entry exists yet
    • The timer is not refreshed by subsequent accesses to the same domain (expiry is absolute, not sliding)
  • The new cache expiration timers are applied automatically after upgrading to PAN-OS 8.0
  • The previous cache expiration timers are applied again after a downgrade
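To make the expiry rules in the list above concrete, here is a small model of the cache behaviour. This is example code written for this page, not PAN-OS software: the firewall's trie and bloom-filter structures are not modelled, only which TTL a verdict receives and the rule that the timer starts at the first lookup and is never refreshed by later hits. The category strings, the `Verdict` fields, the `ttl_*` policy functions and the host names are assumptions made for the model; in particular, the cloud decides which entries fall into the "newly added" and "recent activity" tiers, and the model simply takes those flags as input.

```python
"""Model of the PAN-OS 8.0 PAN-DB URL-cache expiry rules (added example,
not PAN-OS code). Category names, Verdict fields and hosts are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

FIVE_MINUTES = 5 * 60
THIRTY_MINUTES = 30 * 60
ONE_DAY = 24 * 60 * 60

# Risk tiers as the article lists them.
HIGH_RISK_CATEGORIES = {"dynamic-dns", "content-delivery-networks",
                        "web-hosting", "malware", "phishing", "parked"}
MEDIUM_RISK_CATEGORIES = {"hacking", "personal-sites-and-blogs",
                          "peer-to-peer", "shareware-and-freeware"}


@dataclass(frozen=True)
class Verdict:
    """What the cloud returns for one URL (fields are assumptions of the model)."""
    category: str
    newly_added: bool = False        # domain/host added in the last 180 days
    recent_malicious: bool = False   # malware/phishing seen in the last 180 days
    alexa_top_million: bool = False  # only the pre-8.0 policy looks at this


TtlPolicy = Callable[[Verdict], int]


def ttl_pan_os_8(v: Verdict) -> int:
    """PAN-OS 8.0: 5 min high risk, 30 min medium risk, one day otherwise."""
    if v.category in HIGH_RISK_CATEGORIES:
        return FIVE_MINUTES
    if v.category in MEDIUM_RISK_CATEGORIES or v.newly_added or v.recent_malicious:
        return THIRTY_MINUTES
    return ONE_DAY


def ttl_pre_8(v: Verdict) -> int:
    """Pre-8.0: one day for the Alexa top million, 30 min for everything else."""
    return ONE_DAY if v.alexa_top_million else THIRTY_MINUTES


class UrlCache:
    """URL -> (verdict, expires_at). Expiry is absolute: a hit never extends it."""

    def __init__(self, cloud: Callable[[str], Verdict], ttl: TtlPolicy) -> None:
        self._cloud = cloud      # stands in for the PAN-DB cloud lookup
        self._ttl = ttl
        self._entries: Dict[str, Tuple[Verdict, int]] = {}
        self.cloud_queries = 0

    def category(self, url: str, now: int) -> str:
        entry = self._entries.get(url)
        if entry is not None and now < entry[1]:
            return entry[0].category            # hit: no timer refresh
        verdict = self._cloud(url)              # miss or expired: ask the cloud
        self.cloud_queries += 1
        # The TTL is chosen from the verdict seen at this (first) lookup.
        self._entries[url] = (verdict, now + self._ttl(verdict))
        return verdict.category


def first_seen_after_flip(ttl: TtlPolicy, before: Verdict, after: Verdict,
                          flip_at: int, poll_every: int = 60,
                          horizon: int = 2 * ONE_DAY) -> Optional[int]:
    """One host is looked up every `poll_every` s; the cloud changes its verdict
    at `flip_at`. Return the first time the *cache* hands back the new category."""
    state = {"verdict": before}
    cache = UrlCache(lambda url: state["verdict"], ttl)
    host = "host.example.test"                  # constructed host name
    for now in range(0, horizon, poll_every):
        if now >= flip_at:
            state["verdict"] = after
        if cache.category(host, now) == after.category:
            return now
    return None


def cloud_queries_under_steady_access(ttl: TtlPolicy, v: Verdict,
                                      duration: int, poll_every: int = 60) -> int:
    """How many times a continuously accessed host goes back to the cloud."""
    cache = UrlCache(lambda url: v, ttl)
    for now in range(0, duration, poll_every):
        cache.category("busy.example.test", now)  # constructed host name
    return cache.cloud_queries


if __name__ == "__main__":
    cdn, mal = Verdict("content-delivery-networks"), Verdict("malware")
    print("CDN host turns malicious at t=120s; cache notices at",
          first_seen_after_flip(ttl_pan_os_8, cdn, mal, 120), "s (8.0) vs",
          first_seen_after_flip(ttl_pre_8, cdn, mal, 120), "s (pre-8.0)")
    shop, phish = Verdict("business-and-economy"), Verdict("phishing")
    print("Low-risk host turns phishing at t=600s; cache notices at",
          first_seen_after_flip(ttl_pan_os_8, shop, phish, 600), "s (8.0)")
    flagged = Verdict("business-and-economy", newly_added=True)
    print("Same host, already flagged newly added by the cloud:",
          first_seen_after_flip(ttl_pan_os_8, flagged, phish, 600), "s (8.0)")
    print("Cloud queries for a busy malware host over one hour:",
          cloud_queries_under_steady_access(ttl_pan_os_8, mal, 3600))
```

Running the model shows three things that follow from the rules as listed: a CDN host that turns malicious is picked up at the next five-minute expiry under 8.0 instead of after 30 minutes under the old timers; a host first cached with a low-risk verdict keeps that verdict for the full day even if it turns phishing in the meantime, unless the cloud had already placed it in the 30-minute tier (newly added, or recent malware/phishing activity); and a continuously accessed high-risk host goes back to the cloud twelve times an hour rather than once, because hits never extend the timer.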

Below is a list of commands you may need when debugging this new feature:

show url-cloud status

show system setting ctd url-block-cache

show system setting url-database

show system setting url-cache statistics

show system setting url-cache all

show system setting url-filtering-feature

debug device-server set url <basic|cloud|ha|match|rfs|stat|all>

debug device-server set url_trie <basic|stat|all>

debug device-server unset url <basic|all>

debug device-server test url-category <1-16383>

debug device-server test dynamic-url cloud <yes|no> unknown-only <yes|no> async <yes|no>

debug device-server test url-update-server

debug device-server reset url dynamic-url-timeout <1-43200>

debug device-server reset url dynamic-url-size <10-1000000>

debug device-server pan-url-db db-info

debug device-server pan-url-db db-perf

debug device-server pan-url-db show-stats

debug device-server pan-url-db cloud-reelect

debug device-server pan-url-db db-backup back-duration <5-480> back-threshold <3-30>

debug device-server dump dynamic-url database start-from <1-1000000> category <value>

debug device-server dump dynamic-url statistics

debug device-server dump pan-url-db statistics

debug device-server dump com url

debug dataplane test url-resolve-path <value>

debug dataplane test url-bloom <value>

debug dataplane test url-cache-resolve-path max-per-sec <1-65535>

debug dataplane show url-cache statistics

debug dataplane reset ctd url-block-cache lockout

debug dataplane packet-diag set log feature module url

debug dataplane packet-diag set log feature ctd url

debug dataplane packet-diag set log feature ctd urlcat

debug dataplane packet-diag set log feature url_trie <basic|stat|all>

set system setting url-database <value>

set system setting url-filtering-feature cache <True|False>

set system setting url-filtering-feature filter <True|False>

request url-filtering save url-database

request url-filtering install pandb-database

request url-filtering install signed-database

request url-filtering install database major-version <1-65535> minor-version <0-65535> md5 <value>

request url-filtering update url <value>

request url-filtering download status vendor paloaltonetworks

request url-filtering download paloaltonetworks region <value>

test url <value>

test url-info-host <value>

test url-info-cloud <value>

test url-wpc <value>

Cheers!

-Kim.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSnCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail