Details
The Palo Alto Networks firewall looks up a URL in the following sources in order, from left to right, and stops at the first match:
Block List > Allow List > Custom Categories > DP Cache > MP Cache > Cloud Systems
Each URL in the DP (data plane) and MP (management plane) caches has its own expiration period, assigned by the PAN-DB core. An administrator cannot change this expiration period.
URL Query in DP
If the URL lookup matches an expired URL in the DP:
- The DP cache responds with the expired category, and the firewall uses that category for the traffic.
- The DP asks the MP to categorize the URL.
- Once the DP gets a response from the MP, the URL is updated synchronously in the DP.
URL Query in MP
If the URL check on the MP determines that the URL has expired:
- The MP cache responds to the DP with the expired category.
- The MP asks the cloud to categorize the URL.
- Once the MP gets a response from the cloud, it updates its own cache and also sends the updated response to the DP.
To test a URL category in DP, use the following command:
> show running url <url>
To test a URL category in MP, use the following command:
> test url <url>
For example:
> show running url google.com
google.com search-engines expires in 70377 seconds
> test url google.com
google.com search-engines (Base db) expires in 69000 seconds
google.com search-engines (Cloud db)
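Because the DP keeps using an expired category until the refresh arrives, it can help to compare the two command outputs side by side. The following script is an added example, not Palo Alto Networks code: it parses output in the format shown above and lists URLs where the MP or cloud answer differs from the category the DP currently holds. The function names, the "DP cache" label and the example.test lines are assumptions made for illustration.

```python
import re
# Line shapes are taken from the sample output on this page; other PAN-OS
# releases may format these lines differently (assumption).
LINE = re.compile(
    r"^(?P<url>\S+)\s+(?P<category>\S+)"
    r"(?:\s+\((?P<source>[^)]+)\))?"
    r"(?:\s+expires in (?P<ttl>\d+) seconds)?\s*$"
)

def parse_lookup(output):
    """Parse 'show running url' or 'test url' output into a list of dicts."""
    entries = []
    for raw in output.splitlines():
        line = raw.strip()
        if not line or line.startswith(">"):  # blank line or echoed command
            continue
        m = LINE.match(line)
        if m is None:
            continue
        ttl = m.group("ttl")
        entries.append({
            "url": m.group("url"),
            "category": m.group("category"),
            "source": m.group("source") or "DP cache",  # label chosen here
            "ttl": int(ttl) if ttl is not None else None,
        })
    return entries

def find_mismatches(dp_output, mp_output):
    """List (url, dp_category, mp_source, mp_category) where the MP disagrees."""
    dp = {e["url"]: e["category"] for e in parse_lookup(dp_output)}
    return [
        (e["url"], dp[e["url"]], e["source"], e["category"])
        for e in parse_lookup(mp_output)
        if e["url"] in dp and dp[e["url"]] != e["category"]
    ]

# google.com lines are the sample output from this page; example.test is constructed.
DP_SAMPLE = """> show running url google.com
google.com search-engines expires in 70377 seconds
example.test news expires in 12 seconds"""
MP_SAMPLE = """> test url google.com
google.com search-engines (Base db) expires in 69000 seconds
google.com search-engines (Cloud db)
example.test news (Base db) expires in 10 seconds
example.test malware (Cloud db)"""
if __name__ == "__main__":
    for url, dp_cat, src, mp_cat in find_mismatches(DP_SAMPLE, MP_SAMPLE):
        print("DP holds %s=%s but %s says %s" % (url, dp_cat, src, mp_cat))
```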
See Also
URL Filtering (PAN-DB)
URL Filtering Database Lookup Flow for BrightCloud
owner: dreputi