https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67214#M39468 <P>Hello&nbsp;</P> <P>&nbsp;</P> <P>could you verify this counter</P> <P><SPAN>show counter global filter | match url_request_pkt_drop</SPAN></P> <P>&nbsp;</P> <P>you obtain something like this</P> <P><SPAN>url_request_pkt_drop&nbsp;&nbsp;&nbsp; 334056 &nbsp; 10 drop&nbsp;&nbsp; url&nbsp;&nbsp; pktproc&nbsp;&nbsp;</SPAN></P> <P><SPAN>and&nbsp;</SPAN></P> <P><SPAN>if you have some drop packet it's du to the&nbsp;</SPAN><SPAN>&nbsp;waiting time for url categorisation &nbsp;request</SPAN></P> <P>&nbsp;</P> <P>to resolve this</P> <P>modify this parameter</P> <P><SPAN> set deviceconfig setting ctd url-wait-timeout&nbsp;</SPAN></P> <P>and define a value greater than 5 and less than 60</P> <P>&nbsp;</P> <P>by default panos use a value of 5 s and &nbsp;the PA-500 is to light to process the categorisation and takeover the limit of 5s</P> <P>you and increase the capacity of the PA-500 but increase the acceptable time to resolve the query</P> <P>&nbsp;</P> <P>regard's</P> <P>&nbsp;</P> <P>you can find more info&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Cause-of-Packets-Dropped-Due-to-URL-Look-Up-Failure/ta-p/59703" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Cause-of-Packets-Dropped-Due-to-URL-Look-Up-Failure/ta-p/59703</A></P> <P>&nbsp;</P> Fri, 23 Oct 2015 15:31:30 GMT Gregoux 2015-10-23T15:31:30Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67068#M39413 <P>Hello,</P> <P>i have another problem with policies...</P> <P>&nbsp;</P> <P>I used AD to filter people which can access the appropriate site.&nbsp;</P> <P>&nbsp;</P> <P>And I have rule in order:</P> <P>1. Allow facebook (when I give access to whole facebook application)</P> <P>2. Allow Youtube (when I use url filtering)</P> <P>&nbsp;</P> <P>In my opinion when user who is in group allow_facebook and allow_youtube and want to open the facebook site are using first rule and can open the site?</P> <P>&nbsp;</P> <P>But in my network this user use second rule and he has information about blocked site....</P> <P>&nbsp;</P> <P>I don't know what I do wrong..</P> Thu, 22 Oct 2015 06:18:54 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67068#M39413 ITBT 2015-10-22T06:18:54Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67070#M39414 <P>check from CLI that said user is really in allow_facebook group if the rule is not applying to him.</P> Thu, 22 Oct 2015 08:59:25 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67070#M39414 cpainchaud 2015-10-22T08:59:25Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67124#M39429 <P>Is the rule/application it specifically for Facebook-BASE</P> <P>Does that first rule allow the traffic for another user?</P> <P>in otherwords can another user from the approved 'AD OU' group get to the site</P> <P>&nbsp;</P> <P>you want to determine is it a user issue or a security policy issue</P> <P>&nbsp;</P> <P>When you look in the logs afterward - filter by user name and see which policy that traffic is hitting</P> <P>&nbsp;</P> Thu, 22 Oct 2015 14:07:57 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67124#M39429 DarinSutton 2015-10-22T14:07:57Z https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67214#M39468 <P>Hello&nbsp;</P> <P>&nbsp;</P> <P>could you verify this counter</P> <P><SPAN>show counter global filter | match url_request_pkt_drop</SPAN></P> <P>&nbsp;</P> <P>you obtain something like this</P> <P><SPAN>url_request_pkt_drop&nbsp;&nbsp;&nbsp; 334056 &nbsp; 10 drop&nbsp;&nbsp; url&nbsp;&nbsp; pktproc&nbsp;&nbsp;</SPAN></P> <P><SPAN>and&nbsp;</SPAN></P> <P><SPAN>if you have some drop packet it's du to the&nbsp;</SPAN><SPAN>&nbsp;waiting time for url categorisation &nbsp;request</SPAN></P> <P>&nbsp;</P> <P>to resolve this</P> <P>modify this parameter</P> <P><SPAN> set deviceconfig setting ctd url-wait-timeout&nbsp;</SPAN></P> <P>and define a value greater than 5 and less than 60</P> <P>&nbsp;</P> <P>by default panos use a value of 5 s and &nbsp;the PA-500 is to light to process the categorisation and takeover the limit of 5s</P> <P>you and increase the capacity of the PA-500 but increase the acceptable time to resolve the query</P> <P>&nbsp;</P> <P>regard's</P> <P>&nbsp;</P> <P>you can find more info&nbsp;</P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Cause-of-Packets-Dropped-Due-to-URL-Look-Up-Failure/ta-p/59703" target="_blank">https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Cause-of-Packets-Dropped-Due-to-URL-Look-Up-Failure/ta-p/59703</A></P> <P>&nbsp;</P> Fri, 23 Oct 2015 15:31:30 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-500-url-filtering/m-p/67214#M39468 Gregoux 2015-10-23T15:31:30Z