Malicious URL Category is stuck in the firewall

Malicious URL Category is stuck in the firewall

2314
Created On 01/28/21 23:07 PM - Last Modified 03/16/21 18:31 PM


Symptom
  • The Palo Alto Networks firewall reports a malicious category for an URL that is no longer categorized as malicious.
  • The malicious categories can be in:
    • malware
    • command-and-control
    • phishing
  • The current benign URL category can be verified at https://urlfiltering.paloaltonetworks.com/


Environment
  • Palo Alto Networks firewall
  • PAN-OS < 9.0.10-h2, 9.1.6, 10.0.2


Cause
If any user behind the firewall browsed to the URL in question when it was incorrectly categorized, the malicious category may have become stuck in the firewall data-plane's URL Filtering cache.

Resolution
Upgrade to PAN-OS >= 9.0.10-h2, 9.1.6, 10.0.2. Upgrading will prevent new malicious categorization entries that are cleared to become stuck in the DP cache.

NOTE:
Before the upgrade can take place, the available workaround is to delete the entry from the URL Filtering cache. The steps and CLI commands needed to work around the issue are:
  1.  Check if the URL resolves to Phishing in the firewall
> test url www.example.com
 
  1. Dump the cache
> show system setting url-cache all
 
  1. Find the entry in the DP cache
> grep dp-log dp_url_DB.log pattern 'example'
 
  1. Use the exact URI entry found to delete it from the DP and MP cache
> clear url-cache url <found URI in Step 3>
> delete url-database url <found URI in Step 3>
 
  1. Test again
> test url www.example.com


Additional Information
Issue ID: PAN-152027

Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HCgjCAG&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language