topic Re: Threat ID #9999' generated by PAN NGFW in Cortex XDR Discussions

Threat ID #9999' generated by PAN NGFW

LukasB — Mon, 07 Mar 2022 13:37:08 GMT

Hello,

I have turned off alerts on NGFW for Private URL, but I still get threat ID #9999.

Can somebody a little bit more explain what this threat ID means? I am trying to clean it up, but still get these alerts.

And it is not any kind of malicious traffic.

It is usually connected with some internal web-pages.

I can provide more info, if needed.

Lukas

Re: Threat ID #9999' generated by PAN NGFW

bbarmanroy — Tue, 08 Mar 2022 09:24:41 GMT

Hi @LukasB, the source of the alerts are from NGFW, as you've correctly stated. Threat ID 9999 refers to URL filtering (see here).

Here is a KB that explains the various categories for URL filtering: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5hCAC

You can look into the alert details to determine the URL, and take action from there (block etc.), which gets driven by your firewall configurations.

Re: Threat ID #9999' generated by PAN NGFW

LukasB — Fri, 11 Mar 2022 10:29:38 GMT

The thing is that these URL are benign. See screenshot. It creates an alert for a benign link under threat ID 9999, but according to the documentation -

9999— URL filtering log

I cannot understand, why I have a alert for a benign link.

On NGFW all URL categories are set for an alert, but in case that URL, etc,.. is benign, there is no need to create an alert in XDR, right?

Re: Threat ID #9999' generated by PAN NGFW

LukasB — Fri, 11 Mar 2022 10:31:31 GMT

another example - alert for an URL of drug store, but benign. can be seen that the URL is opened from Outlook.

Re: Threat ID #9999' generated by PAN NGFW

bbarmanroy — Mon, 21 Mar 2022 10:00:09 GMT

Hi @LukasB sorry I missed your earlier comments. Please @ whoever commented so that we get a notification as well. I hope you understand.

URL's do occasionally get recategorized for several reasons. If the URL is benign and you are confident of its category, you'll have to raise a URL recategorization request through the standard channels. Please refer to this link here: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/url-filtering/url-category-change.html

Hope this helps. Also, please note that this is a Cortex XDR forum, you should consider posting in the Panorama forums for better traction.

Re: Threat ID #9999' generated by PAN NGFW

phite_cpso — Wed, 31 May 2023 15:33:45 GMT

I know this is the Cortex XDR forum, but did you ever find a solution for this on your PANOS device? We are seeing the same behavior after some recent upgrades and enabling cloud inline categorization. Palo support referred me to this thread, but the issue is not that the URL category is wrong or blocked - the issue is that PANOS is issuing a flood of “high” severity events with inline categorization verdict of “cloud”, category of “any”, and action as “alert” on what appear to be entirely benign sites whose URL filtering category is explicitly allowed.

Re: Threat ID #9999' generated by PAN NGFW

TomYoung — Wed, 27 Aug 2025 02:15:55 GMT

This is an old thread, but I found it to be Credential Phishing Prevention. Check the Flags under the Detailed Logs.