Palo Alto Networks Knowledgebase: How to Handle a URL Miscategorization

How to Handle a URL Miscategorization

Created On 02/07/19 23:43 PM - Last Updated 02/07/19 23:44 PM
URL Filtering
Resolution

Overview

The Palo Alto Networks firewall can block access to a URL if it is associated with an incorrect category. This may occur if the firewall's information is not up-to-date.

Perform the following to verify if a URL is associated with an incorrect category:

  1. Clear the data plane's URL cache.
  2. Update the URL database.
  3. Test URLs.

The purpose of this document is to describe how to test URLs with BrightCloud, PAN-DB, and directly from the CLI.

Details

BrightCloud

  1. To see how the firewall has categorized the URL, use this command:
    > test url www.paloaltonetworks.com
    www.paloaltonetworks.com computer-and-internet-security (Base db)
  2. Compare this output with the result from the BrightCloud URL/IP Lookup page.
    Note: If the BrightCloud result is different, download an updated database from the web UI on the Device > Dynamic Updates page.
    If the test url output matches the BrightCloud URL/IP Lookup page but the URL is still being blocked, then the data plane's copy of the Base BrightCloud database has become corrupt, incomplete, or incorrect.
  3. Clear the cached version from the data plane with the following command:
    > clear url-cache all
  4. The next attempt to resolve a base database URL causes the data plane cache to re-populate from the base database on the management plane.
    Note: Make sure that you have the most recent BrightCloud database update installed.
  5. If a URL has been resolved dynamically in the cloud and the category served from the data plane cache is no longer correct, clear that entry from the management plane's dynamic cache with the following command:
    > delete dynamic-url host name <url>

On the next attempt to resolve this dynamic URL, the firewall resolves the category via the BrightCloud cloud service and caches the result on the data plane.

PAN-DB

A subscription to the PAN-DB URL categorization database provides a few more commands that will help reveal and resolve differences. The URL database is stored on the management plane and URL resolutions are cached on the data plane.

  1. Test a URL.

    The following test commands return results from the URL database on the management plane. This first command may be all you need to verify that the URL database holds the same information as the cloud:

    > test url www.paloaltonetworks.com
    www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 600 seconds
    www.paloaltonetworks.com computer-and-internet-info (Cloud db)

    If the Base database gives a different (and incorrect) result from the Cloud database, then the database needs to be updated. This can be done in the web UI under Device > Dynamic Updates or with the CLI commands described in the section below.

    Compare the output above to what is known in the cloud with the following command:

    > test url-info-cloud www.paloaltonetworks.com
    BM:
    paloaltonetworks.com,9,5,computer-and-internet-info
    webmail.paloaltonetworks.com,1,5,web-based-email

    The following command reveals detailed information about a URL cached on the management plane:

    > test url-info-host www.paloaltonetworks.com
    Ancestors info:
    paloaltonetworks.com,1,5,computer-and-internet-info,,
    BM:
    paloaltonetworks.com,1,5,computer-and-internet-info,,
    Descendants info:
    webmail.paloaltonetworks.com,1,5,web-based-email,,

  2. Clear the data plane cache.

    If the test url command shows that the management plane and the cloud agree on the correct categorization, but the URL is still being blocked because of an incorrect categorization, clear the data plane's cached entry for that URL with:

    > clear url-cache url <URL>

    Alternatively, the entire cache can be cleared:

    > clear url-cache all

Update the PAN-DB URL Database from the CLI

If the test url command showed that the management plane has a different categorization than the cloud for a URL, then either the specific URL or the entire URL database needs to be updated. Again, updating the entire database can be done in the web UI under Device > Dynamic Updates.

Note: Dynamic Updates can, and should, be scheduled to ensure that the firewall has the latest information.

Follow these steps to update the PAN-DB URL database from the CLI:

  1. Download the latest PAN-DB URL categorization database from the cloud with this command:
    > request url-filtering download paloaltonetworks region <Region>
  2. Display the status of the database download:
    > request url-filtering download status vendor paloaltonetworks
    Note: The database is ready for use once the download has completed. You can then retry your connection to the URL that was formerly blocked.
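As an added example (not part of this article or of any Palo Alto Networks tooling), the following Python script parses the `test url` and `test url-info-cloud` output formats shown above and applies the article's decision logic: a Base db / Cloud db mismatch means the management plane database is stale, while agreement plus a continued block means the data plane cache is stale. The sample outputs are constructed in the formats shown above, and the function names are my own.

```python
import re

# Constructed sample outputs in the formats this article shows (not captured from a firewall).
TEST_URL_OUT = (
    "www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 600 seconds\n"
    "www.paloaltonetworks.com computer-and-internet-info (Cloud db)\n"
)
URL_INFO_CLOUD_OUT = (
    "BM:\n"
    "paloaltonetworks.com,9,5,computer-and-internet-info\n"
    "webmail.paloaltonetworks.com,1,5,web-based-email\n"
)

TEST_URL_RE = re.compile(r"^(?P<host>\S+)\s+(?P<cat>\S+)\s+\((?P<src>Base|Cloud) db\)")


def parse_test_url(output):
    """Return {'Base': category, 'Cloud': category} from `test url` output."""
    found = {}
    for line in output.splitlines():
        m = TEST_URL_RE.match(line.strip())
        if m:
            found[m.group("src")] = m.group("cat")
    return found


def parse_url_info(output):
    """Return {host: category} from the comma-separated lines of `test url-info-cloud`
    or `test url-info-host`; the category is the fourth field, header lines are skipped."""
    cats = {}
    for line in output.splitlines():
        fields = line.strip().split(",")
        if len(fields) >= 4 and fields[0] and fields[3]:
            cats[fields[0]] = fields[3]
    return cats


def next_step(url, test_url_out, still_blocked):
    """Apply the article's decision logic and return the CLI action to take next."""
    cats = parse_test_url(test_url_out)
    base, cloud = cats.get("Base"), cats.get("Cloud")
    if base is None or cloud is None:
        return f"unparsed output: re-run `test url {url}`"
    if base != cloud:
        # Management plane database is stale: refresh it (Device > Dynamic Updates or the CLI).
        return "request url-filtering download paloaltonetworks region <Region>"
    if still_blocked:
        # Management plane and cloud agree, so the stale copy is the data plane cache.
        return f"clear url-cache url {url}"
    return f"no action: Base db and Cloud db agree ({base})"
```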

 

owner: jjosephs



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Clu3CAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail
