How to Verify URL Categorization: Data Plane and Management Plane Differences

Created On 09/26/18 19:16 PM - Last Modified 05/31/23 21:49 PM


Resolution


Overview

When using the Dynamic URL filtering feature of a Palo Alto Networks device, it is important to understand the difference between management plane and data plane URL categorization. Both play a role in allowing the device to perform URL filtering correctly.

 

Details

Make sure the dynamic URL setting is enabled on the device by running the following command:

> configure

# show deviceconfig setting url

url {

  dynamic-url yes;

}

[edit]

 

If the above command displays nothing, then enable it using the following command and commit:

# set deviceconfig setting url dynamic-url yes

# commit

 

The following command can be used to test URL categorization as it relates to the management plane only:

> test url www.paloaltonetworks.com

www.paloaltonetworks.com computer-and-internet-security (Base db)

The output shows the management plane is able to identify www.paloaltonetworks.com using the Base database.  This is the on-disk URL database.

 

Perform the test again with www.example.com. The management plane is unable to find a categorization for www.example.com, therefore it performs a cloud lookup for categorization. In this example, BrightCloud returns a category of “shopping”.

> test url www.example.com

www.example.com shopping (Cloud db)

 

A subsequent lookup for the same URL has now placed www.example.com in the Dynamic database on the Palo Alto Networks device:

> test url www.example.com

www.example.com shopping (Dynamic db)

 

This Dynamic database entry is now available to the data plane of the device. If the data plane is unable to categorize a session that includes an HTTP request for www.example.com, it will refer to the Dynamic database on the management plane.

 

To confirm how the data plane will categorize a URL request in a session, use the following command (the syntax depends on the PAN-OS version):

  • PAN-OS 5.0, 6.0
    > debug dataplane test url-resolve-path <URL>
  • PAN-OS 4.1
    > test url-resolve-path <URL>

 

First, start by testing www.paloaltonetworks.com.

> debug dataplane test url-resolve-path www.paloaltonetworks.com

DP0:

URL www.paloaltonetworks.com, category is not-resolved, a request was sent successfully to the host

DP1:

URL www.paloaltonetworks.com, category is not-resolved, a request was sent successfully to the host

 

Both data planes (DP0 and DP1) have no categorization for www.paloaltonetworks.com. Because neither has processed a session (traffic traversing the firewall) containing an HTTP request for www.paloaltonetworks.com, the data plane must request categorization from the management plane. The message "...a request was sent successfully to the host" shows that this request has been made.

 

Another way to confirm that the request was sent (from DP to MP) and the reply received (from MP to DP) is to check the global counters:

> show counter global filter delta yes | match url_db

url_db_request                                    2        0 info      url       pktproc   Number of URL database request

url_db_reply                                      2        0 info      url       pktproc   Number of URL reply

 

Two requests have been sent (one for each DP) and two replies received (one for each DP). Running > test url-resolve-path www.paloaltonetworks.com (PAN-OS 4.1) or > debug dataplane test url-resolve-path www.paloaltonetworks.com (PAN-OS 5.0, 6.0) again shows that both data planes have now categorized this URL; future requests will not be sent to the management plane for categorization but will be processed locally on DP0 and DP1.

 

> debug dataplane test url-resolve-path www.paloaltonetworks.com

DP0:

URL www.paloaltonetworks.com, category computer-and-internet-security

DP1:

URL www.paloaltonetworks.com, category computer-and-internet-security

 

Now test the URL that the management plane learned from the Cloud db and then stored in its local Dynamic db.

> debug dataplane test url-resolve-path www.example.com

DP0:

URL www.example.com, category is not-resolved, a request was sent successfully to the host

DP1:

URL www.example.com, category is not-resolved, a request was sent successfully to the host

 

The data planes have no categorization, so each sends a request to the management plane.

> show counter global filter delta yes | match url_db

url_db_request                                    2        0 info      url       pktproc   Number of URL database request

url_db_reply                                      2        0 info      url       pktproc   Number of URL reply

 

A successful request and reply are shown in the global counters. The following command and output show that both data planes now have a categorization for www.example.com.

> debug dataplane test url-resolve-path www.example.com

DP0:

URL www.example.com, category kids

DP1:

URL www.example.com, category kids


 
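As an added example (not part of the original article), the following Python helper parses the three outputs used above: the management-plane "test url" line, the per-DP "url-resolve-path" output, and the url_db global counters. It reports DPs that are still not-resolved, request/reply counter mismatches, and any DP category that differs from the management-plane category (as the "shopping" versus "kids" outputs above would). The sample strings are constructed from the article's sessions, not captured from a device.

```python
import re
# Constructed samples modelled on the article's CLI sessions (not captured from a real device).
MP_OUTPUT = "www.example.com shopping (Cloud db)"
DP_OUTPUT = """DP0:
URL www.example.com, category is not-resolved, a request was sent successfully to the host
DP1:
URL www.example.com, category kids
"""
COUNTERS = """url_db_request    2    0 info  url  pktproc  Number of URL database request
url_db_reply      2    0 info  url  pktproc  Number of URL reply
"""

MP_RE = re.compile(r"^(\S+)\s+(\S+)\s+\((Base|Cloud|Dynamic) db\)$")
DP_RE = re.compile(r"^URL (\S+), category (?:is )?([^,\s]+)")

def parse_mp(line):  # one '> test url' result line -> url, category and database source
    m = MP_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised test url output: %r" % line)
    return {"url": m.group(1), "category": m.group(2), "source": m.group(3)}

def parse_dp(text):  # map each data plane (DP0, DP1, ...) to its category, None if not-resolved
    result, dp = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("DP") and line.endswith(":"):
            dp = line[:-1]
            continue
        m = DP_RE.match(line)
        if m and dp:
            result[dp] = None if m.group(2) == "not-resolved" else m.group(2)
    return result

def parse_counters(text):  # delta column (second field) of each url_db_* global counter
    return {p[0]: int(p[1]) for p in (ln.split() for ln in text.splitlines()) if len(p) > 1 and p[0].startswith("url_db_")}

def verify(mp_line, dp_text, counter_text):  # empty list means MP and every DP agree
    mp, dps, counters = parse_mp(mp_line), parse_dp(dp_text), parse_counters(counter_text)
    findings = []
    unresolved = [dp for dp, cat in dps.items() if cat is None]
    if unresolved:
        findings.append("unresolved on %s: rerun the DP test after the MP reply" % ", ".join(unresolved))
    req, rep = counters.get("url_db_request", 0), counters.get("url_db_reply", 0)
    if req != rep:
        findings.append("url_db_request=%d but url_db_reply=%d: MP did not answer every DP request" % (req, rep))
    for dp, cat in dps.items():
        if cat and cat != mp["category"]:  # policy is enforced on the DP category, so a mismatch matters
            findings.append("%s category %s differs from MP category %s (%s db)" % (dp, cat, mp["category"], mp["source"]))
    return findings
```

Paste the real CLI output into the three strings; the article's example yields one unresolved-DP finding and one MP/DP category mismatch.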

owner: bvandivier



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm3rCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail