Threat ID -9999 is blocking some sites.
Created On 07/30/20 16:56 PM - Last Modified 08/20/21 02:31 AM
Symptom
- When the "URL filtering Profile" is enabled, access to a particular URL is denied and the browser shows the error message "This site can't be reached."
- If the response page option is enabled, you will see the following page.
- Traffic logs show end session reason "threat."
- Exported/Forwarded URL logs show Threat/Content Name: (-9999)
Environment
- Palo Alto Firewalls
- PAN OS 8.1.0 and later versions
- PAN OS 9.1.0 and later versions
- PAN OS 10.0.0
Cause
- The Threat ID -9999 is triggered when the actions configured for a particular URL category are: block, continue, block-url or block-override. When the security policy enforces the action defined in the URL filtering profile, an event is generated and logged in the forwarded/exported version of the URL filtering log. In the example below, we've tested changing the action for the URL category web-advertisements.
Resolution
- If the traffic is being blocked, it is necessary to identify the URL category detected by the firewall and change the action in the URL filtering profile. A detailed log view of an event in the traffic log will help.
- Open the detailed log view by clicking the magnifying glass icon at the very left of the threat log entry. You should see a panel underneath with correlated log entries. Check the URL category.
- This can also be confirmed by checking the URL filtering log and identifying the URL category with actions block, block-continue or block-override. We tested with 3 different actions for the category "web-advertisements".
- If the logs are exported or forwarded, the same can also be identified in the exported/forwarded URL filtering log.
- Once the category being blocked is identified, one needs to change the action in the URL filtering profile to Allow or Alert (which also generates a log entry).
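The category lookup described above can be scripted against an exported URL filtering log. The following is an added example, not part of the original article or vendor tooling; the column headers other than "Threat/Content Name" and all sample rows are assumptions and constructed data, so adjust them to match your export.

```python
import csv
import io
import re
from collections import Counter

# Column headers are assumptions about the export layout; edit to match your file.
COL_THREAT, COL_CATEGORY = "Threat/Content Name", "Category"
COL_ACTION, COL_URL = "Action", "URL/Filename"

# Constructed sample rows, not real firewall output.
SAMPLE_CSV = """\
Receive Time,Source address,Action,URL/Filename,Threat/Content Name,Category
2020/07/30 16:40:01,10.0.0.5,block-url,ads.example.com/banner.js,(-9999),web-advertisements
2020/07/30 16:41:12,10.0.0.5,block-continue,ads.example.net/track,(-9999),web-advertisements
2020/07/30 16:42:30,10.0.0.7,block-override,ads.example.org/pixel.gif,(-9999),web-advertisements
2020/07/30 16:43:02,10.0.0.7,block-url,ads.example.com/popup.js,(-9999),web-advertisements
2020/07/30 16:44:10,10.0.0.9,alert,www.example.com/,,computer-and-internet-info
2020/07/30 16:45:55,10.0.0.9,block-url,bets.example.com/,(-9999),gambling
"""

def is_threat_9999(value):
    """True when the field carries ID -9999. The article shows "(-9999)";
    accepting a bare or name-prefixed form is a tolerance assumption."""
    m = re.search(r"(?:^|\()(-?\d+)\)?$", value.strip())
    return bool(m) and m.group(1) == "-9999"

def summarize(csv_text):
    """Return (Counter of (category, action), {category: set of URLs}) for -9999 rows."""
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = {COL_THREAT, COL_CATEGORY, COL_ACTION, COL_URL} - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    counts, urls = Counter(), {}
    for row in reader:
        if not is_threat_9999(row[COL_THREAT]):
            continue  # not an enforced URL filtering event
        category = row[COL_CATEGORY].strip()
        counts[(category, row[COL_ACTION].strip())] += 1
        urls.setdefault(category, set()).add(row[COL_URL].strip())
    return counts, urls

if __name__ == "__main__":
    counts, urls = summarize(SAMPLE_CSV)
    # Categories listed here are the ones to review in the URL filtering profile.
    for (category, action), n in counts.most_common():
        print(f"{category:22} {action:15} {n:3}  e.g. {sorted(urls[category])[0]}")
```
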
Additional Information