How to check the dataplane's URL cache

How to check the dataplane's URL cache

7022
Created On 12/03/21 21:38 PM - Last Modified 09/30/24 20:29 PM


Objective


  • To check the dataplane's URL cache.
  • This is used during troubleshooting URL filtering issues when a URL category not resolved.

Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • URL filtering

Procedure


  1.  Since this cache is stored in memory and not in disk, first you need to create a print-out of the URLs list:
admin@firewall> show running url-cache all  >> Output into file: dp_url_DB.log
  1. Output the above info to a file example dp_url_DB.log and then, run the following command to see the full print-out:
admin@firewall> less mp-log dp_url_DB.log
  1. Or, run the following command to see a specific URL:
admin@firewall> grep pattern <URL> mp-log dp_url_DB.log

Note: This is just a print-out and not the actual cache file, if there are changes in the cache (like adding or removing a URL from it) you need to generate the print-out again in order to see the changes.

Additional Information


The firewall caches URLs on both the management plane and the dataplane:

  • PAN-OS 9.0 and later releases do not download PAN-DB seed databases. Instead, upon activation of the URL filtering license, the firewall populates the cache as URL queries are made.
  • The management plane holds more URLs and communicates directly with PAN-DB. When the firewall cannot find a URL’s category in the cache and performs a lookup in PAN-DB, it caches the retrieved category information in the management plane. The management plane passes that information along to the dataplane, which also caches it and uses it to enforce policy.
  • The dataplane holds fewer URLs and receives information from the management plane. After the firewall checks URL Category exception lists (custom URL categories and external dynamic lists) for a URL, the next place it looks is the dataplane.
  • When the firewall cannot find the URL categorized in the dataplane does it check the management plane and, if the category information is not in management plane as well, it will check the PAN-DB.
  • If the Internet connectivity is not available or an active URL filtering license, no queries are made to PAN-DB.
  • Refer How Advanced URL Filtering Works for more details.
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004MTnCAM&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language