Compare this output with the output from the BrightCloud URL/IP Lookup page. Note: If the BrightCloud results are different, download an updated database using the UI on the Device > Dynamic Updates page. If the test url output matches the BrightCloud URL/IP Lookup page, then the data plane version of the Base BrightCloud Database has become corrupt, incomplete or incorrect.
Clear the cached version from the data plane with the following command: > clear url-cache all
The next attempt to resolve a base database URL will cause the data plane cache to re-populate from the base database present on the management plane. Note: Make sure that you have the most recent BrightCloud database update.
If a URL(s) has been resolved Dynamically in the cloud and the category being resolved from the data plane cache is no longer correct, clear those entries from the Dynamic Management plane cache with the following command: > delete dynamic-url host name <url>
In the next attempt to resolve this Dynamic URL, the firewall will resolve the category via the BrightCloud cloud, and the result will be cached on the data plane.
A subscription to the PAN-DB URL categorization database provides a few more commands that will help reveal and resolve differences. The URL database is stored on the management plane and URL resolutions are cached on the data plane.
Test a URL.
The following test commands provide results from the URL database in the management plane. This first command may be all that you need to verify that the URL database has the same information as the cloud:
> test url www.paloaltonetworks.com
www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 600 seconds
If the Base database has a different (and incorrect) result when compared to the Cloud database, then the database needs to be updated. This can be done on the web UI under Device > Dynamic Updates or from the CLI commands (described in the section below).
Compare the output above to what is known in the cloud with the following command:
If the test url command reveals that the management plane and the cloud agree on the correct categorization, but the URL is being blocked because of an incorrect categorization, then clear out the data plane's cache of that URL with:
> clear url-cache url <URL>
Alternatively, the entire cache can be cleared:
> clear url-cache all
Update the PAN-DB URL Database from the CLI
If the test url command revealed that the management plane has a different categorization than the cloud for a URL, then either the specific URL or the entire URL database needs to be updated. Again, updating the entire database can be done in the UI under Device > Dynamic Updates.
Note: Dynamic Updates can, and should, be scheduled to ensure that the firewall has the latest info.
Follow these instructions to test the firewall for dynamic updates from the CLI:
Download the latest PAN-DB URL Categorization database from the cloud using this command: > request url-filtering download paloaltonetworks region <Region>
Display the status of the database download > request url-filtering download status vendor paloaltonetworks Note: The database is ready for use after it has been downloaded. You can try your connection again to the URL that was formerly blocked.