Testing URL from the CLI Returns expires in 0 seconds""
Symptom
There are several commands that can be used for testing URL categories for PAN-DB on the Palo Alto Networks devices. The > test url <url> is the most common one. The output of this command will return information that a URL is seen as not-resolved in the Base DB and will "expire in 0 seconds". This is not a problem and it does not mean that the PAN-DB is not working as expected.
Environment
- Any Firewall
Resolution
When problems with accessing URLs occurs, the firewall administrators will test the URL from the Palo Alto Networks device.
The test is usually performed with the > test url <url> operational command from the CLI, as shown in the example below:
> test url yahoo.com yahoo.com not-resolved (Base db) expires in 0 seconds yahoo.com internet-portals (Cloud db)
The URL "expires in 0 seconds" output is not a reason for an alarm. This message informs the administrator that this URL was not resolved by the PAN-DB base, and needs to be sent to the cloud.
In the next output line, the cloud returns the category as "internet-portals".
There is a misconception that the command, > test url <url> will populate the cache in the PAN-URL-DB (which is the behavior if BrightCloud URL DB is in use), and a second execution of the command should return the "internet-portals" as a category that is known in the Base DB. This will not happen for PAN-DB, because the command is a test command and until a real user (that is behind the firewall) does not request the URL, the category will stay the same "not-resolved", and the value for the entry in the Base DB will be 0 seconds.
When checking the data plane (DP) information for the same URL, even here the URL "expires in 0 seconds" will occur as shown below:
> show running url yahoo.com yahoo.com internet-portals expires in 0 seconds
If a user requests a connection to yahoo.com, the test command will give a value that is different than 0 seconds for the expiration timeout.
> test url yahoo.com yahoo.com internet-portals (Base db) expires in 93000 seconds yahoo.com internet-portals (Cloud db)
The DP information is also different:
> show running url yahoo.com yahoo.com internet-portals expires in 92985 seconds
The information in the > test url <url> will return the same value for the expiration timeout on each consecutive execution; it should NOT be used as a reference for how long the entry will stay on the DP.
The command " > show running url <url>", will give the correct information and will decrement in time, as shown in the examples below:
> test url yahoo.com yahoo.com internet-portals (Base db) expires in 93000 seconds yahoo.com internet-portals (Cloud db) > show running url yahoo.com yahoo.com internet-portals expires in 92398 seconds