Palo Alto Networks Knowledgebase: Large Amounts of Unknown URL Categories in Logs with BrightCloud
Created On 02/07/19 23:48 PM - Last Updated 02/07/19 23:48 PM
BrightCloud is used for URL resolution, and a large number of Unknown categories are seen in the URL logs, which is causing issues with traffic.
The test url CLI command responds with not-resolved. For example:
> test url <url>
<url> not-resolved (Cloud db)
There can be a number of reasons why this is happening.
Check the BrightCloud stats with the following CLI command:
> debug device-server bc-url-db show-stats
BC URL DB access counters:
Total requests: 322 (77% unknown)
DB file lookup hit: 72, miss 711, total 783
cache enabled: no
The example output above shows a large proportion of unknown results in the BrightCloud DB, and the cache is disabled.
URL filtering and cache settings can greatly improve URL filtering performance.
The following commands enable the cache and the bloom filter:
> debug device-server bc-url-db cache-enable yes
> set system setting url-filtering-feature filter True
> set system setting url-filtering-feature cache True
At this point, it is important to restart the device server process. Restarting this process during non-peak hours is advisable. During the restart, the existing User-ID mapping will be temporarily cleared.
> debug software restart device-server
Once the service is restarted (wait approximately 3 minutes), verify that the options are enabled with the following command:
> show system setting url-filtering-feature
cfg.url-feature.basedb-cache: True
cfg.url-feature.bloom-filter: True
Once the steps above are performed, performance should improve and the Unknown URL categories that appear should be reduced.
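The check described above can be repeated across several firewalls by parsing captured CLI output. The following is an added example, not Palo Alto Networks code: it works only on text pasted from a CLI session, and the function names, finding codes and the 20% review threshold are assumptions.

```python
import re

# Sample output copied from this page; in practice, paste a captured CLI session.
STATS_OUTPUT = """\
BC URL DB access counters:
Total requests: 322 (77% unknown)
DB file lookup hit: 72, miss 711, total 783
cache enabled: no
"""
FEATURE_OUTPUT = """\
cfg.url-feature.basedb-cache: True
cfg.url-feature.bloom-filter: True
"""
UNKNOWN_PCT_LIMIT = 20  # assumed review threshold, not a vendor-documented value
REQUIRED_FEATURES = ("cfg.url-feature.basedb-cache", "cfg.url-feature.bloom-filter")


def parse_stats(text):
    """Parse 'debug device-server bc-url-db show-stats' output into a dict."""
    stats = {}
    m = re.search(r"Total requests:\s*(\d+)\s*\((\d+)% unknown\)", text)
    if m:
        stats["requests"], stats["unknown_pct"] = int(m.group(1)), int(m.group(2))
    m = re.search(r"lookup hit:\s*(\d+),\s*miss:?\s*(\d+),\s*total:?\s*(\d+)", text)
    if m:
        hit, miss, total = (int(g) for g in m.groups())
        stats["miss_ratio"] = round(miss / total, 3) if total else 0.0
    m = re.search(r"cache enabled:\s*(\w+)", text)
    if m:
        stats["cache_enabled"] = m.group(1).lower() == "yes"
    return stats


def parse_features(text):
    """Parse 'show system setting url-filtering-feature' output into {key: bool}."""
    pairs = re.findall(r"(cfg\.url-feature\.[\w-]+):\s*(\w+)", text)
    return {key: value == "True" for key, value in pairs}


def findings(stats, features):
    """Return the issues that still need attention, as short codes."""
    issues = []
    if stats.get("unknown_pct", 0) >= UNKNOWN_PCT_LIMIT:
        issues.append("high-unknown-rate")
    if not stats.get("cache_enabled", False):
        issues.append("bc-cache-disabled")
    issues += [f"{key}-not-enabled" for key in REQUIRED_FEATURES if not features.get(key)]
    return issues
```

Run it against output captured before and after the change; an empty list from `findings` means the cache and bloom filter are enabled and the unknown rate is below the chosen threshold.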