Malicious URL Category is stuck in the firewall
Created On 01/28/21 23:07 PM - Last Modified 09/04/25 19:19 PM
Symptom
- The Palo Alto Networks firewall reports a malicious category for a URL that is no longer categorized as malicious.
- The malicious categories can be:
  - malware
  - command-and-control
  - phishing
- The current benign URL category can be verified at https://urlfiltering.paloaltonetworks.com/
Environment
- Palo Alto Networks firewall
- PAN-OS < 9.0.10-h2, 9.1.6, 10.0.2
Cause
If any user behind the firewall browsed to the URL in question when it was incorrectly categorized, the malicious category may have become stuck in the firewall data-plane's URL Filtering cache.
Resolution
Upgrade to PAN-OS >= 9.0.10-h2, 9.1.6, 10.0.2. Upgrading prevents malicious categorization entries that have since been cleared from becoming stuck in the DP cache.
NOTE:
Before the upgrade can take place, the available workaround is to delete the entry from the URL Filtering cache. The steps and CLI commands needed to work around the issue are:
1. Check if the URL resolves to Phishing in the firewall:
   > test url www.example.com
2. Dump the cache:
   > show system setting url-cache all
3. Find the entry in the DP cache:
   > grep dp-log dp_url_DB.log pattern 'example'
4. Use the exact URI entry found in Step 3 to delete it from the MP and DP caches, in this order:
   > delete url-database url <found URI in Step 3> (clears the MP)
   > clear url-cache url <found URI in Step 3> (clears the DP)
   (Note: run the above commands in the listed order, as clearing the Data Plane (DP) entry before the Management Plane (MP) entry could re-populate the DP entry from the MP.)
5. Test again:
   > test url www.example.com
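As an added example (not part of this article or any Palo Alto Networks tooling), the helper below takes the raw `grep dp-log dp_url_DB.log` output from Step 3 as opaque text, extracts every cached URI token that contains the searched domain, and emits the Step 4 commands in the required order (MP first, then DP). The sample log lines are constructed, and the only assumption about the log format is that the cached URI appears as a whitespace-separated token.

```python
"""Build the ordered PAN-OS URL-cache cleanup commands for a stuck category."""
import re
from typing import List

# Constructed sample of grep output (not real firewall output). The real
# dp_url_DB.log layout is not assumed; only that the URI is a separate token.
SAMPLE_GREP_OUTPUT = """\
2021-01-28 10:15:02 url-db entry www.example.com/ category phishing ttl 3600
2021-01-28 10:15:09 url-db entry example.com/login category phishing ttl 3600
2021-01-28 10:16:44 url-db entry www.example.com/ category phishing ttl 1800
2021-01-28 10:20:01 url-db entry www.example.org/ category business ttl 3600
"""

# A host name, optional port, optional path: the shape of a cached URI token.
URI_TOKEN = re.compile(r"^[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s]*)?$")


def find_cached_uris(grep_output: str, domain: str) -> List[str]:
    """Return the distinct URI tokens containing `domain`, in first-seen order."""
    seen, found = set(), []
    needle = domain.lower()
    for line in grep_output.splitlines():
        for tok in line.split():
            if needle in tok.lower() and URI_TOKEN.match(tok) and tok not in seen:
                seen.add(tok)
                found.append(tok)
    return found


def cleanup_commands(uris: List[str]) -> List[str]:
    """For each URI, clear the MP database before the DP cache (order matters)."""
    cmds = []
    for uri in uris:
        cmds.append(f"delete url-database url {uri}")  # Management Plane first
        cmds.append(f"clear url-cache url {uri}")      # then Data Plane
    return cmds


if __name__ == "__main__":
    for cmd in cleanup_commands(find_cached_uris(SAMPLE_GREP_OUTPUT, "example.com")):
        print(cmd)
```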
Additional Information
Issue ID: PAN-152027