How does the PAN-DB URL lookup work when it matches an expired URL on MP/DP?
Environment
Palo Alto Firewalls
Supported PAN-OS
URL Filtering
Answer
The Palo Alto Networks firewall performs the URL lookup in the following order and uses the first match:
1. Custom URL categories
2. External dynamic lists (EDLs)
3. Predefined URL categories
Each URL in the DP (data plane) and MP (management plane) caches has its own expiration period, assigned by the PAN-DB core. This expiration period cannot be changed by an administrator.
URL Query in DP
If the URL lookup matches an expired URL in the DP:
1. The DP cache responds with the expired category and the firewall uses it for its traffic.
2. The DP sends a request to the MP to request categorization of the URL.
3. Once it gets a response from the MP, the URL is updated synchronously in the DP.
URL Query in MP
If the URL check on the MP determines that the URL has expired:
1. The MP cache responds to the DP with the expired category.
2. The MP sends a request to the cloud to request categorization of the URL.
3. Once it gets a response from the cloud, the MP updates its own cache and also sends the updated response to the DP.
To test a URL category in DP, use the following command:
> show running url <url>
To test a URL category in MP, use the following command:
> test url <url>
For example:
> show running url google.com
google.com search-engines expires in 70377 seconds

> test url google.com
google.com search-engines (Base db) expires in 69000 seconds
google.com search-engines (Cloud db)
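
The stale-then-refresh behaviour described under "URL Query in DP" and "URL Query in MP", as a small Python model: the first lookup after expiry is answered with the old category, and the refreshed category applies only once the upstream response arrives. This is an added example, not Palo Alto Networks code; the class names, the model clock, the cache-miss handling, and the sample URL and category change are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass
class Entry:
    category: str
    expires_at: int  # seconds on the model clock (constructed)

class Cloud:
    """Stand-in for the PAN-DB cloud: authoritative, assigns the expiry."""
    def __init__(self, categories, ttl):
        self.categories, self.ttl = categories, ttl
    def lookup(self, url, now):
        return Entry(self.categories[url], now + self.ttl)
    def settle(self, now):
        pass  # nothing upstream of the cloud

class CacheTier:
    """DP or MP cache: an expired entry is still answered, then refreshed."""
    def __init__(self, upstream):
        self.upstream, self.cache, self.pending = upstream, {}, set()
    def lookup(self, url, now):
        entry = self.cache.get(url)
        if entry is None:
            # Cache miss is not covered by the article; assume a direct fetch.
            entry = self.cache[url] = self.upstream.lookup(url, now)
        elif entry.expires_at <= now:
            # Expired: answer with the stale entry and ask the next tier up.
            self.pending.add(url)
            self.upstream.lookup(url, now)
        return entry
    def settle(self, now):
        """Deliver outstanding responses in order: cloud -> MP -> DP."""
        self.upstream.settle(now)
        for url in self.pending:
            self.cache[url] = self.upstream.lookup(url, now)
        self.pending.clear()

def demo():
    # Constructed scenario: the cloud has recategorized a URL since it was cached.
    url = "example.test"
    cloud = Cloud({url: "malware"}, ttl=3600)
    mp = CacheTier(cloud)
    dp = CacheTier(mp)
    mp.cache[url] = Entry("business-and-economy", expires_at=100)
    dp.cache[url] = Entry("business-and-economy", expires_at=100)
    first = dp.lookup(url, now=200).category   # expired entry is still used
    dp.settle(now=201)                         # cloud -> MP -> DP responses arrive
    second = dp.lookup(url, now=202).category  # refreshed category now applies
    return first, second, mp.cache[url].expires_at, len(dp.pending)
```

The gap between `first` and `second` is the window in which policy is enforced on the expired category, which is worth keeping in mind when comparing `show running url` and `test url` output for the same URL.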