What is the Cause of Packets Dropped Due to URL Look-Up Failure: "url_request_pkt_drop"?

Created On 09/26/18 13:53 PM - Last Modified 06/08/23 21:35 PM


Resolution


During a URL lookup, the Palo Alto Networks device first checks the DP (Data Plane) cache. On a miss, it checks the MP (Management Plane), which may also result in a cloud lookup. By default, the DP waits 5 seconds for an answer from the MP (this value is configurable). If the client sends a reset during this time and there was a DP miss, the packet is dropped and the url_request_pkt_drop counter increments. If an answer is received from the MP within the 5-second window, the device applies policy according to the category returned. If no answer is received, the device assigns the category "not-resolved" and applies policy accordingly.

Note: This behavior is the same for both BrightCloud and PAN-DB.

 

To view the packet drops reported by the counter, run the following CLI command:

> show counter global filter | match url_request_pkt_drop

url_request_pkt_drop    334056   0 drop   url   pktproc   The number of packets get dropped because of waiting for url category request
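The value column is cumulative, so a large number alone does not show that drops are still happening; comparing two snapshots does. The Python below is an added example, not part of the original article: it parses the counter line shown above and computes the increase between two captures. The second snapshot, the 60-second interval and the function names are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

# Columns of a "show counter global" line, as in the output above:
# name, value (cumulative), rate (per second), severity, category, aspect, description
LINE_RE = re.compile(
    r"^\s*(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+"
    r"(?P<severity>\S+)\s+(?P<category>\S+)\s+(?P<aspect>\S+)\s+(?P<desc>.+?)\s*$"
)

class Counter(NamedTuple):
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    desc: str

def parse_counter(output: str, name: str = "url_request_pkt_drop") -> Optional[Counter]:
    """Return the named counter from CLI output, or None if no line matches."""
    for line in output.splitlines():
        m = LINE_RE.match(line)  # the echoed "> show ..." prompt line does not match
        if m and m["name"] == name:
            return Counter(m["name"], int(m["value"]), int(m["rate"]),
                           m["severity"], m["category"], m["aspect"], m["desc"])
    return None

def drops_between(before: str, after: str, interval_s: float) -> dict:
    """Packets dropped between two snapshots taken interval_s seconds apart."""
    a, b = parse_counter(before), parse_counter(after)
    if a is None or b is None:
        raise ValueError("counter line not found in a snapshot")
    reset = b.value < a.value  # counter went backwards: cleared or restarted
    delta = b.value if reset else b.value - a.value
    return {"delta": delta, "per_second": delta / interval_s, "reset": reset}

# Snapshot 1 is the line from this article; snapshot 2 is constructed sample data.
SNAP_T0 = """> show counter global filter | match url_request_pkt_drop
url_request_pkt_drop    334056   0 drop   url   pktproc   The number of packets get dropped because of waiting for url category request
"""
SNAP_T1 = SNAP_T0.replace("334056   0", "334656   10")

if __name__ == "__main__":
    print(parse_counter(SNAP_T0))
    print(drops_between(SNAP_T0, SNAP_T1, interval_s=60))
```

A sustained non-zero delta means clients are still resetting connections while the DP waits on the MP, which is the condition the url-wait-timeout setting governs.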

 

The DP waits for the URL query result to come back from the MP. The length of this wait is the "url-wait-timeout" under the CTD (Content and Threat Detection) settings. Use the following CLI command in configuration mode to change the timeout value (range of 1 to 60 seconds):

# set deviceconfig setting ctd url-wait-timeout

 

owner: gcapuno


