Threat ID -9999 is blocking some sites.

Created On 07/30/20 16:56 PM - Last Modified 08/20/21 02:31 AM


Symptom


  • When the URL Filtering profile is enabled, access to a particular URL is denied and the browser shows the error message "This site can't be reached."
  • If the response page option is enabled, you will see the "Web Page Blocked" response page instead.
  • Traffic logs show the session end reason "threat."
  • Exported/forwarded URL logs show Threat/Content Name: (-9999)

 


Environment


  • Palo Alto Firewalls
  • PAN-OS 8.1.0 and later versions
  • PAN-OS 9.1.0 and later versions
  • PAN-OS 10.0.0


Cause


  • Threat ID -9999 is triggered when the action configured for a particular URL category is block, continue, block-url or block-override. When the security policy enforces the action defined in the URL Filtering profile, an event is generated and logged in the forwarded/exported version of the URL filtering log. In our example, we tested changing the action for the URL category web-advertisements.


Resolution


  1. If the traffic is being blocked, it is necessary to identify the URL category detected by the firewall and change the action in the URL Filtering profile. A detailed log view of an event in the traffic log will help.
  2. Open the detailed log view by clicking the magnifying glass icon at the very left of the threat log entry. You should see a panel underneath with correlated log entries. Check the URL category.
  3. This can also be confirmed by checking the URL filtering log and identifying the URL category with the action block, block-continue or block-override. We tested with 3 different actions for the category "web-advertisements".
  4. If the logs are exported or forwarded, the same can also be identified in the exported/forwarded URL filtering log.
  5. Once the category being blocked is identified, change its action in the URL Filtering profile to Allow or Alert (Alert also generates a log entry).
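For step 4, the following added example (not part of the original article or any Palo Alto Networks tooling) groups -9999 events in an exported URL filtering log by category and action, so the category to change in the profile stands out. The column names and the sample rows are assumptions constructed for illustration; rename the columns to match the header row of your export.

```python
import csv
import io
from collections import Counter

# Column names are assumptions; adjust them to your export's header row.
COL_THREAT = "Threat/Content Name"
COL_CATEGORY = "Category"
COL_ACTION = "Action"
COL_URL = "URL/Filename"

# Actions the article associates with Threat ID -9999 (Cause and Resolution sections).
BLOCKING_ACTIONS = {"block", "continue", "block-url", "block-continue", "block-override"}

def summarize_9999(csv_text):
    """Return {(category, action): Counter of URLs} for rows logged with -9999."""
    hits = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if "-9999" not in (row.get(COL_THREAT) or ""):
            continue  # not a -9999 event
        action = (row.get(COL_ACTION) or "").strip().lower()
        if action not in BLOCKING_ACTIONS:
            continue  # only actions that deny or interrupt access
        category = (row.get(COL_CATEGORY) or "").strip()
        url = (row.get(COL_URL) or "").strip()
        hits.setdefault((category, action), Counter())[url] += 1
    return hits

# Constructed sample export (not real log data).
SAMPLE = """\
Receive Time,Source address,URL/Filename,Threat/Content Name,Category,Action
2021/08/19 10:01:02,192.0.2.10,ads.example.com/banner.js,(-9999),web-advertisements,block-url
2021/08/19 10:01:05,192.0.2.10,ads.example.com/banner.js,(-9999),web-advertisements,block-url
2021/08/19 10:02:11,192.0.2.11,ads.example.net/track,(-9999),web-advertisements,block-continue
2021/08/19 10:03:40,192.0.2.12,www.example.org/,(9999),business-and-economy,alert
"""

if __name__ == "__main__":
    for (category, action), urls in sorted(summarize_9999(SAMPLE).items()):
        print(f"{category} [{action}]: {sum(urls.values())} event(s)")
        for url, count in urls.most_common(5):
            print(f"    {count:>4}  {url}")
```

Each category listed is a candidate for step 5; review the URLs under it before changing the action to Allow or Alert, since the change applies to the whole category.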

