Major sites such as docs.google.com getting blocked with URL category 'not-resolved'
Created On 04/26/24 18:55 PM - Last Modified 07/16/24 04:07 AM
Symptom
- Significant sites are blocked, with URL categories showing as 'not-resolved'
- Traffic logs show multiple Google Docs domains blocked due to the URL category 'not-resolved'
- Connectivity to PAN-DB is successful.
admin@cpe-14-98-vm-lma> show url-cloud status
PAN-DB URL Filtering
License : valid
Current cloud server : serverlist.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 20200624.20296
URL database version - cloud : 20200624.20296 ( last update time 2020/06/24 12:39:19 )
URL database status : good
URL protocol version - device : pan/2.0.0
URL protocol version - cloud : pan/2.0.0
Protocol compatibility status : compatible
Environment
- Prisma Access
- PAN-OS 10.2.4
- URL Filtering
- PAN-DB Cloud
Cause
- Frequent version changes on the parent domain trigger removal of the domain tree, which removes the domain from the URL cache and results in the 'not-resolved' URL category.
- Running the CLI command below shows that the version of the domain changes frequently.
admin@cpe-14-98-vm-lma> show running url-info docs.google.com
docs.google.com, phm 1, ttl 0, flags 0x3, version 227
admin@cpe-14-98-vm-lma> show running url-info docs.google.com
docs.google.com, phm 1, ttl 287, flags 0x3, version 18
admin@cpe-14-98-vm-lma> show running url-info docs.google.com
docs.google.com, phm 1, ttl 279, flags 0x3, version 19,
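To confirm the version churn described above without comparing runs by eye, the captured output of repeated show running url-info runs can be parsed and compared. This is an added example, not Palo Alto Networks code; the function names are hypothetical and the rule that any version change between consecutive samples counts as churn is an assumption.

```python
import re

# Matches one result line of `show running url-info <domain>` in the form
# shown in this article; prompt lines do not match and are skipped.
LINE_RE = re.compile(
    r"^([\w.-]+),\s*phm\s+\d+,\s*ttl\s+(\d+),"
    r"\s*flags\s+0x[0-9a-fA-F]+,\s*version\s+(\d+)"
)

def parse_url_info(text):
    """Return (domain, ttl, version) for every url-info result line in text."""
    samples = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            samples.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return samples

def version_churn(samples):
    """Per domain: the versions seen, in order, and how often they changed."""
    by_domain = {}
    for domain, _ttl, version in samples:
        by_domain.setdefault(domain, []).append(version)
    report = {}
    for domain, versions in by_domain.items():
        changes = sum(1 for a, b in zip(versions, versions[1:]) if a != b)
        # Assumption: any change across back-to-back samples is treated as
        # churn; adjust to the interval at which you collect samples.
        report[domain] = {"versions": versions, "changes": changes,
                          "churning": changes > 0}
    return report

# CLI output copied from this article (trailing comma on the last line kept).
CAPTURE = """\
admin@cpe-14-98-vm-lma> show running url-info docs.google.com
docs.google.com, phm 1, ttl 0, flags 0x3, version 227
admin@cpe-14-98-vm-lma> show running url-info docs.google.com
docs.google.com, phm 1, ttl 287, flags 0x3, version 18
admin@cpe-14-98-vm-lma> show running url-info docs.google.com
docs.google.com, phm 1, ttl 279, flags 0x3, version 19,
"""

if __name__ == "__main__":
    print(version_churn(parse_url_info(CAPTURE)))
```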
Resolution
Workaround:
- Create a custom URL category
- Configure a custom URL category with the not-resolved parent domain (i.e., docs.google.com)
- Set the action to alert so you can monitor and not block docs.google.com transactions.
- Click OK
- Apply the custom URL category to the security policy as shown in How to Create Custom URL Categories
- Commit changes