Palo Alto Networks Knowledgebase: Testing URL from the CLI Returns "expires in 0 seconds"

Testing URL from the CLI Returns "expires in 0 seconds"

Created On 02/07/19 23:46 PM - Last Updated 02/07/19 23:46 PM
URL Filtering
Resolution

Overview

There are several commands that can be used for testing URL categories for PAN-DB on Palo Alto Networks devices. The most common one is > test url <url>. The output of this command may show a URL as not-resolved in the Base DB, with an entry that "expires in 0 seconds". This is not a problem, and it does not mean that PAN-DB is not working as expected.

Details

When problems accessing URLs occur, firewall administrators will test the URL from the Palo Alto Networks device.

The test is usually performed with the > test url <url> operational command from the CLI, as shown in the example below:

> test url yahoo.com

yahoo.com not-resolved (Base db) expires in 0 seconds

yahoo.com internet-portals (Cloud db)

The "expires in 0 seconds" output is not a cause for alarm. This message informs the administrator that the URL was not resolved by the PAN-DB Base DB and needs to be sent to the cloud.

In the next output line, the cloud returns the category as "internet-portals".

There is a misconception that the > test url <url> command will populate the cache in the PAN-URL-DB (which is the behavior if the BrightCloud URL DB is in use), so that a second execution of the command should return "internet-portals" as a category known in the Base DB. This will not happen for PAN-DB, because the command is only a test command: until a real user behind the firewall requests the URL, the category in the Base DB stays "not-resolved" and the expiration value for the entry stays at 0 seconds.

When checking the data plane (DP) information for the same URL, "expires in 0 seconds" appears here as well, as shown below:

> show running url yahoo.com

yahoo.com internet-portals expires in 0 seconds

Once a user requests a connection to yahoo.com, the test command returns a value other than 0 seconds for the expiration timeout.

> test url yahoo.com

yahoo.com internet-portals (Base db) expires in 93000 seconds

yahoo.com internet-portals (Cloud db)

The DP information is also different:

> show running url yahoo.com

yahoo.com internet-portals expires in 92985 seconds

The > test url <url> command returns the same expiration timeout on each consecutive execution, so it should NOT be used as a reference for how long the entry will stay on the DP.

The > show running url <url> command gives the correct information, and its value decrements over time, as shown in the examples below:

> test url yahoo.com

yahoo.com internet-portals (Base db) expires in 93000 seconds

yahoo.com internet-portals (Cloud db)

> show running url yahoo.com

yahoo.com internet-portals expires in 92398 seconds
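
The two states described above can be told apart in a script that collects this output. The following Python sketch is an added example, not Palo Alto Networks code; it assumes the output lines have exactly the shape shown in this article, and the names parse and interpret are hypothetical.

```python
import re

# Line shapes as printed in this article (assumption: other PAN-OS releases may differ).
LINE = re.compile(
    r"^(?P<url>\S+)\s+(?P<category>\S+)"
    r"(?:\s+\((?P<db>Base|Cloud) db\))?"
    r"(?:\s+expires in (?P<ttl>\d+) seconds)?\s*$"
)

def parse(output):
    """Map each source ('base', 'cloud', 'dp') to a (category, ttl) tuple."""
    result = {}
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):  # skip blanks and the echoed command
            continue
        m = LINE.match(line)
        if not m:
            continue
        # A line without "(Base db)" / "(Cloud db)" is 'show running url' (DP) output.
        source = {"Base": "base", "Cloud": "cloud", None: "dp"}[m["db"]]
        ttl = int(m["ttl"]) if m["ttl"] is not None else None
        result[source] = (m["category"], ttl)
    return result

def interpret(test_output):
    """Classify 'test url' output using only the two states the article describes."""
    r = parse(test_output)
    base, cloud = r.get("base"), r.get("cloud")
    if base is None or cloud is None:
        return "unrecognized output"
    if base == ("not-resolved", 0) and cloud[0] != "not-resolved":
        return f"not cached yet; cloud category is {cloud[0]} (expected, not a fault)"
    if base[0] == cloud[0] and base[1]:
        return f"cached as {base[0]}"
    return "state not covered by the article"

# Constructed samples, copied from the outputs shown in this article.
UNCACHED = """> test url yahoo.com
yahoo.com not-resolved (Base db) expires in 0 seconds
yahoo.com internet-portals (Cloud db)"""
CACHED = """> test url yahoo.com
yahoo.com internet-portals (Base db) expires in 93000 seconds
yahoo.com internet-portals (Cloud db)"""
DP = "> show running url yahoo.com\nyahoo.com internet-portals expires in 92985 seconds"

if __name__ == "__main__":
    for sample in (UNCACHED, CACHED):
        print(interpret(sample))
    print(parse(DP))
```

For the remaining lifetime of an entry, read the ttl from the 'dp' tuple (show running url), not from the 'base' tuple, for the reason given above.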

owner: ialeksov


