Malicious URL Category is stuck in the firewall

Created On 01/28/21 23:07 PM - Last Modified 03/16/21 18:31 PM

  • The Palo Alto Networks firewall reports a malicious category for a URL that is no longer categorized as malicious.
  • The malicious categories can be in:
    • malware
    • command-and-control
    • phishing
  • The current benign URL category can be verified at

  • Palo Alto Networks firewall
  • PAN-OS < 9.0.10-h2, 9.1.6, 10.0.2

If any user behind the firewall browsed to the URL in question when it was incorrectly categorized, the malicious category may have become stuck in the firewall data-plane's URL Filtering cache.

Upgrade to PAN-OS >= 9.0.10-h2, 9.1.6, 10.0.2. Upgrading will prevent new malicious categorization entries that are cleared from becoming stuck in the DP cache.
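To find which firewalls in an inventory still run a release from the affected range, the version comparison can be scripted. This is an added example, not Palo Alto Networks code: the host names and inventory are constructed, and release trains the article does not list are reported as unknown rather than guessed.

```python
import re

# First fixed release per PAN-OS release train, as listed in the article:
# (major, minor) -> (maintenance, hotfix)
FIXED_IN = {(9, 0): (10, 2), (9, 1): (6, 0), (10, 0): (2, 0)}

# Matches e.g. "9.1.6" or "9.0.10-h2"; other build suffixes are rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Split a PAN-OS version string into (train, (maintenance, hotfix))."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor)), (int(maint), int(hotfix or 0))


def pan_152027_status(version):
    """Return 'affected', 'fixed', or 'unknown' for one version string."""
    train, build = parse_panos(version)
    fixed = FIXED_IN.get(train)
    if fixed is None:
        return "unknown"  # train not mentioned in the article
    # A hotfix sorts after its base release: 9.0.10 < 9.0.10-h1 < 9.0.10-h2
    return "affected" if build < fixed else "fixed"


def triage(inventory):
    """Map each host to its status; unparsable versions become 'unknown'."""
    result = {}
    for host, version in inventory.items():
        try:
            result[host] = pan_152027_status(version)
        except ValueError:
            result[host] = "unknown"
    return result


# Constructed sample inventory (host names and versions are illustrative).
SAMPLE_INVENTORY = {
    "fw-edge-01": "9.0.10-h1",
    "fw-edge-02": "9.0.10-h2",
    "fw-dc-01": "9.1.5",
    "fw-dc-02": "10.0.2",
    "fw-lab-01": "8.1.17",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Firewalls reported as affected are the ones where the cache workaround applies until the upgrade is done.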

Before the upgrade can take place, the available workaround is to delete the entry from the URL Filtering cache. The steps and CLI commands needed to work around the issue are:
  1. Check if the URL resolves to Phishing in the firewall
> test url
  2. Dump the cache
> show system setting url-cache all
  3. Find the entry in the DP cache
> grep dp-log dp_url_DB.log pattern 'example'
  4. Use the exact URI entry found to delete it from the DP and MP cache
> clear url-cache url <found URI in Step 3>
> delete url-database url <found URI in Step 3>
  5. Test again
> test url

Additional Information
Issue ID: PAN-152027
