Management Articles

Featured Article
Details

Commit warning message

The following warning is displayed during a commit if a block list or allow list entry contains multiple wildcards:

    Warning: Nested wildcard(*) in URLs may severely impact performance. It is recommended to use a single wildcard to cover multiple tokens or a caret(^) to target a single token.

Reason for the warning message

The asterisk (*) is used as a wildcard token in the FQDN and in the path of custom URL filtering entries. The Palo Alto Networks firewall accepts multiple wildcard tokens in one entry (for example *.*.domain.com) and processes them correctly. However, the load on the dataplane CPU grows exponentially with the number of wildcard tokens (*.*.*.domain.com is considerably more expensive than *.*.domain.com), so nested asterisks should be avoided in practice.

Wildcard usage and examples

"*" (asterisk): matches one or more subdomains. The asterisk does not respect the period (.) as a delimiter; it keeps matching until the subdomain, domain or top-level domain that follows it in the entry is matched. sub1.*.*.com matches sub1.sub2.sub3.com, and *.*.sub3.com matches sub1.sub2.sub3.com, but nested asterisks should be avoided as a best practice because of the performance impact on the device. Use sub1.*.com or *.sub3.com instead; both also match sub1.sub2.sub3.com.

"^" (caret): matches exactly one subdomain. The caret respects the period (.) as a delimiter and stops matching once one subdomain has been consumed. sub1.^.^.com and ^.^.sub3.com both match sub1.sub2.sub3.com, whereas ^.sub3.com and sub1.^.com do not, because each caret matches only one subdomain.

If you want to replace "*" with "^", note that the two are not equivalent: x.*.net is only partially covered by the entries x.^.net, x.^.^.net, x.^.^.^.net (continued...). Nested carets have a practical limit of 9 carets in one entry, for the same dataplane resource reason given above.

Same limitation for the path

The same limitation applies to pattern matching on the path after the FQDN (the <path> in http://<FQDN>/<path>), although the commit warning above is not raised for paths. The practical limit for nested asterisks in a path is 2, but we strongly recommend using the minimum number of asterisks for better dataplane utilization (CPU load and memory usage).

Side note: currently there is a limitation that the asterisk and the caret should not be used in the same configuration. As shown above, an asterisk cannot be fully replaced by a finite list of carets, so replacing nested asterisks with a single asterisk is the best practical solution for most customers. "1" nested asterisk in the path and "9" nested carets are the practical numbers we suggest; use the lowest number possible to keep the dataplane load down, especially on lower-end platforms.
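The matching rules described above, modelled in Python as an added example (this illustrates the documented semantics; it is not the firewall's pattern engine and is not code from the article): "*" consumes one or more dot-separated tokens, "^" consumes exactly one, and a small lint reproduces the limits the article quotes (a second "*" in the FQDN, more than two in the path, more than nine carets, or mixing the two). The thresholds come from the text; the function names, the rule that an entry without a path covers every path on that host, and the per-entry interpretation of "same configuration" are this example's own assumptions.

```python
# Model of the "*" and "^" wildcard semantics described above, plus a lint for
# the nesting limits the article recommends.  Illustrative only: it is not the
# firewall's matching engine.

MAX_FQDN_ASTERISKS = 1     # a second "*" in the FQDN triggers the commit warning
MAX_PATH_ASTERISKS = 2     # practical limit for nested "*" in the path
MAX_CARETS = 9             # practical limit for nested "^"


def _match_tokens(pattern, tokens):
    """Match pattern tokens against input tokens.

    "*" consumes one or more tokens (it does not stop at the delimiter),
    "^" consumes exactly one token, anything else must match literally.
    """
    if not pattern:
        return not tokens
    head, rest = pattern[0], pattern[1:]
    if head == "*":
        return any(_match_tokens(rest, tokens[i:]) for i in range(1, len(tokens) + 1))
    if head == "^":
        return bool(tokens) and _match_tokens(rest, tokens[1:])
    return bool(tokens) and tokens[0] == head and _match_tokens(rest, tokens[1:])


def match_fqdn(entry_host, fqdn):
    """Does the FQDN part of a custom URL entry match this host name?"""
    return _match_tokens(entry_host.lower().split("."), fqdn.lower().split("."))


def match_url(entry, url):
    """Match "<fqdn>/<path>" entries; path tokens are split on "/".

    Assumption of this model: an entry without a path covers every path on
    that host.
    """
    entry_host, _, entry_path = entry.partition("/")
    host, _, path = url.partition("/")
    if not match_fqdn(entry_host, host):
        return False
    if not entry_path:
        return True
    return _match_tokens(entry_path.split("/"), path.split("/"))


def caret_expansions(entry_host, max_carets=MAX_CARETS):
    """Rewrite each "*" as 1..max_carets carets (x.*.net -> x.^.net, x.^.^.net, ...).

    The expansion only partially covers the original, as the article notes,
    because "*" matches any number of labels and the caret list is finite.
    """
    if "*" not in entry_host:
        return [entry_host]
    head, _, tail = entry_host.partition("*")
    return [head + ".".join("^" * n) + rest
            for n in range(1, max_carets + 1)
            for rest in caret_expansions(tail, max_carets)]


def lint_entry(entry):
    """Warnings for an entry, following the limits quoted in the article."""
    host, _, path = entry.partition("/")
    warnings = []
    if host.count("*") > MAX_FQDN_ASTERISKS:
        warnings.append("nested asterisk in FQDN (commit warning)")
    if path.count("*") > MAX_PATH_ASTERISKS:
        warnings.append("more than %d asterisks in path" % MAX_PATH_ASTERISKS)
    if host.count("^") > MAX_CARETS or path.count("^") > MAX_CARETS:
        warnings.append("more than %d nested carets" % MAX_CARETS)
    if "*" in entry and "^" in entry:
        # the article says the two should not be combined; flagged here per entry
        warnings.append("asterisk and caret mixed in one entry")
    return warnings


if __name__ == "__main__":
    for entry in ("sub1.*.com", "*.sub3.com", "^.sub3.com", "sub1.^.^.com", "*.*.sub3.com"):
        print("%-14s %-5s %s" % (entry, match_fqdn(entry, "sub1.sub2.sub3.com"), lint_entry(entry)))
```

Running the block prints, for each sample entry, whether it matches sub1.sub2.sub3.com and which of the article's limits it breaks; caret_expansions("x.*.net") shows why nine carets still miss a host with ten labels between x and net.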
sunright, 10-23-2018 12:32 PM
How to allow access to YouTube videos embedded in a website but block access to other YouTube videos.    Our use case is an administrator of the Palo Alto Networks next-generation firewall who wants to enable students/employees to watch YouTube videos embedded in their website but block access to all other YouTube videos. Here's how we do it!
sshibiraj, 07-13-2018 07:42 AM
If you would like to determine the URL category of a specific site, use the test site linked in the article. The article is a complete list of PAN-DB URL filtering categories.
05-10-2018 11:25 AM
Details

This document is designed to help verify that the DNS Sinkhole function is working properly on a Palo Alto Networks firewall. The following two scenarios are covered:
    Client using an external DNS server
    Client using an internal DNS server

DNS Sinkhole Configuration

For information on how to configure DNS Sinkhole, see: How to Configure DNS Sinkhole. There is also a video tutorial: Video Tutorial: How to Configure DNS Sinkhole.

Client Using External DNS Server

Note: the path from the client to the DNS sinkhole IP must pass through the firewall, otherwise the firewall never sees the sinkholed connection and cannot log it. For example, if the firewall sits between an infected client and the data center but does not see internet-bound traffic, and the sinkhole is configured with an internet IP address, the firewall will never see the infected client trying to reach its command-and-control server.

When the DNS sinkhole feature is configured on the firewall and the client uses an external DNS server (client and DNS server in different subnets), the client's DNS query passes through the firewall on its way to the external DNS server. In this case the threat logs show the client IP address as the source. In the example below the user tries to access a malicious website: the client sends the DNS query for the malicious site directly to the external DNS server, the firewall receives that query from the client, hijacks it and returns the DNS sinkhole IP address to the client, and the threat log records the client IP address as the source.

Client TCP/IP Properties Configuration (screenshot of the client's TCP/IP settings, not reproduced here)

Threat Logs

When using an external DNS server, the threat logs show the client IP address 192.168.27.192 as the source trying to access a malicious website (screenshot not reproduced here).

Client Output When Using External DNS Server

    $ nslookup 79fe3m5f4nx8c1.pmr.cc
    Server:        195.130.131.4
    Address:       195.130.131.4#53
    Non-authoritative answer:
    Name:    79fe3m5f4nx8c1.pmr.cc
    Address: 72.5.65.111

The output above shows host 192.168.27.192 performing a DNS request for 79fe3m5f4nx8c1.pmr.cc (a suspicious domain) and receiving 72.5.65.111, the sinkhole address, which shows that DNS sinkholing is working as intended.

Client Using Internal DNS Server

If the client uses an internal DNS server (client and DNS server in the same subnet), the DNS query goes to the internal DNS server, which forwards it to an external DNS server. The threat logs therefore show the internal DNS server IP address as the source. The firewall cannot identify from the threat logs which end client tried to resolve the malicious name, because every such threat log carries the internal DNS server IP as the source. It can, however, identify the end client from the traffic logs.

In the example below the user tries to access a malicious website. The client sends the DNS query to the internal DNS server, which forwards it to an external DNS server. The firewall receives the query from the internal DNS server, hijacks it and returns the DNS sinkhole IP address to the internal DNS server. The internal DNS server passes the response back to the client, and the threat log shows the internal DNS server IP address as the source. The firewall still sees the client IP address in the traffic logs, because the client then tries to connect to the sinkhole IP address.

Client TCP/IP Properties Configuration (screenshot of the client's TCP/IP settings, not reproduced here)

Threat Logs

The threat logs show only the internal DNS server IP address 10.50.240.101 as the source, because the client resolves through the internal DNS server; at this point the firewall cannot tell which end client requested the name.

Traffic Logs

As soon as the client receives the answer, it generates traffic towards the sinkhole IP address (72.5.65.111), so the traffic logs show the end client IP address 192.168.27.192.

Client Output When Using Internal DNS Server

    $ nslookup 4cdf1kuvlgl5zpb9.pmr.cc
    Server:        192.168.27.189
    Address:       192.168.27.189#53
    Non-authoritative answer:
    Name:    4cdf1kuvlgl5zpb9.pmr.cc
    Address: 72.5.65.111

The output above shows host 192.168.27.192 performing a DNS request for 4cdf1kuvlgl5zpb9.pmr.cc (a suspicious domain) and receiving 72.5.65.111, which verifies that DNS sinkholing is working as intended.

See Also

How to Deal with Conficker using DNS Sinkhole
Where to get suspicious DNS query for testing DNS Sinkhole

For video tutorials on DNS Sinkhole, see:
Video Tutorial: How to Configure DNS Sinkhole
Video Tutorial: How to Verify DNS Sinkhole

owner: sbabu
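The attribution step the article describes, as an added example that is not part of the original article: a parser for the PAN-OS CSV syslog layout used in the logs on this page, and a correlation that turns a sinkhole threat log whose source is the internal DNS server into the client IPs that connected to the sinkhole address shortly afterwards, while a threat log whose source is a client (the external DNS case) is attributed directly. The sample lines are constructed for this example: the sinkhole IP 72.5.65.111, the DNS server 10.50.240.101 and the pmr.cc test names come from the article, the field order follows the URL logs shown further down this page, and the session IDs, the threat ID "(0)" and the assumption that sinkholed queries are logged with subtype spyware and action sinkhole are placeholders of this example.

```python
import csv
from datetime import datetime, timedelta

# Field offsets shared by THREAT and TRAFFIC records, counted from the "type"
# field so that a syslog prefix in front of the CSV does not matter.  Positions
# follow the PAN-OS syslog field order shown in the URL logs on this page.
TYPE_IDX = 3          # fields before "type": future-use, receive time, serial
FIELDS = {"subtype": 4, "time": 6, "src": 7, "dst": 8, "rule": 11, "app": 14,
          "dport": 25, "proto": 29, "action": 30, "misc": 31}


def parse_panos_log(line):
    """Parse one PAN-OS CSV syslog line; None if it is not a THREAT/TRAFFIC record."""
    fields = next(csv.reader([line]))        # csv handles the quoted URL field
    try:
        t = next(i for i, f in enumerate(fields) if f in ("THREAT", "TRAFFIC"))
    except StopIteration:
        return None
    if t < TYPE_IDX:
        return None
    base = t - TYPE_IDX
    rec = {"type": fields[t]}
    for name, idx in FIELDS.items():
        rec[name] = fields[base + idx] if base + idx < len(fields) else ""
    rec["time"] = datetime.strptime(rec["time"], "%Y/%m/%d %H:%M:%S")
    return rec


# Constructed sample lines (not real firewall output); see the lead-in above.
SAMPLE_LOGS = [
    # 1. query hijacked; the internal DNS server 10.50.240.101 is the source
    "Apr  3 10:15:03 PA-VM 1,2018/04/03 10:15:02,010401000897,THREAT,spyware,1,2018/04/03 10:15:02,"
    "10.50.240.101,195.130.131.4,203.0.113.5,195.130.131.4,Trust-to-Untrust,,,dns,vsys1,L3-Trust,L3-Untrust,"
    "ethernet1/6,ethernet1/3,test,2018/04/03 10:15:02,40012,1,53241,53,10024,53,0x2000,udp,sinkhole,"
    "4cdf1kuvlgl5zpb9.pmr.cc,Suspicious DNS Query(0),any,medium,client-to-server",
    # 2. three seconds later a client connects to the sinkhole IP
    "Apr  3 10:15:06 PA-VM 1,2018/04/03 10:15:05,010401000897,TRAFFIC,end,1,2018/04/03 10:15:05,"
    "192.168.27.192,72.5.65.111,203.0.113.5,72.5.65.111,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,"
    "L3-Untrust,ethernet1/6,ethernet1/3,test,2018/04/03 10:15:05,40015,1,51022,80,10031,80,0x19,tcp,allow,"
    "1846,1022,824,12",
    # 3. unrelated flow from the same client (must be ignored)
    "Apr  3 10:15:07 PA-VM 1,2018/04/03 10:15:06,010401000897,TRAFFIC,end,1,2018/04/03 10:15:06,"
    "192.168.27.192,93.184.216.34,203.0.113.5,93.184.216.34,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,"
    "L3-Untrust,ethernet1/6,ethernet1/3,test,2018/04/03 10:15:06,40016,1,51023,443,10032,443,0x19,tcp,allow,"
    "5120,2048,3072,20",
    # 4. client using an external DNS server: the client itself is the source
    "Apr  3 10:16:31 PA-VM 1,2018/04/03 10:16:30,010401000897,THREAT,spyware,1,2018/04/03 10:16:30,"
    "192.168.27.50,195.130.131.4,203.0.113.5,195.130.131.4,Trust-to-Untrust,,,dns,vsys1,L3-Trust,L3-Untrust,"
    "ethernet1/6,ethernet1/3,test,2018/04/03 10:16:30,40020,1,60100,53,10040,53,0x2000,udp,sinkhole,"
    "79fe3m5f4nx8c1.pmr.cc,Suspicious DNS Query(0),any,medium,client-to-server",
    # 5. a sinkhole connection too long after any DNS hit to attribute
    "Apr  3 10:20:01 PA-VM 1,2018/04/03 10:20:00,010401000897,TRAFFIC,end,1,2018/04/03 10:20:00,"
    "192.168.27.77,72.5.65.111,203.0.113.5,72.5.65.111,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,"
    "L3-Untrust,ethernet1/6,ethernet1/3,test,2018/04/03 10:20:00,40031,1,52200,80,10050,80,0x19,tcp,allow,"
    "900,500,400,8",
]


def attribute_sinkhole_hits(lines, sinkhole_ip, dns_servers, window=timedelta(seconds=60)):
    """Map each sinkholed domain to the client IPs that requested it.

    A threat log whose source is a client is attributed directly.  One whose
    source is an internal DNS server is attributed to every client that
    connected to the sinkhole IP within `window` after the hit, which is what
    the traffic logs reveal and the threat logs do not.
    """
    recs = [r for r in map(parse_panos_log, lines) if r]
    hits = [r for r in recs if r["type"] == "THREAT" and r["action"] == "sinkhole"]
    flows = [r for r in recs if r["type"] == "TRAFFIC" and r["dst"] == sinkhole_ip]
    attribution = {}
    for hit in hits:
        if hit["src"] in dns_servers:
            clients = {f["src"] for f in flows
                       if timedelta(0) <= f["time"] - hit["time"] <= window}
        else:
            clients = {hit["src"]}
        attribution.setdefault(hit["misc"], set()).update(clients)
    return {domain: sorted(c) for domain, c in attribution.items()}


def sinkhole_clients(lines, sinkhole_ip):
    """Every client that talked to the sinkhole IP, attributed to a query or not."""
    return sorted({r["src"] for r in map(parse_panos_log, lines)
                   if r and r["type"] == "TRAFFIC" and r["dst"] == sinkhole_ip})


if __name__ == "__main__":
    print(attribute_sinkhole_hits(SAMPLE_LOGS, "72.5.65.111", {"10.50.240.101"}))
    print(sinkhole_clients(SAMPLE_LOGS, "72.5.65.111"))
```

The correlation window is deliberately short: a client normally connects to the sinkhole address within seconds of receiving the poisoned answer, and a wide window would attribute unrelated clients to the same query. Comparing the two outputs is the useful check: any client that appears in sinkhole_clients but in no attribution list touched the sinkhole without a recent DNS hit and deserves a separate look.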
sbabu, 04-03-2018 12:26 PM
How to test if our URL Filtering service is properly enforcing an organization’s policies for malicious and benign URLs. Things can get a bit tricky for gray area categories, such as adult, as you generally don’t want to visit an adult site at work. You obviously don’t want to actually visit a malicious URL either.  We have test URLs for all categories that are 100% benign, and have been categorized to their respective categories for testing purposes. 
neg273, 02-08-2018 02:57 AM
The table below shows the mapping between BrightCloud URL categories and PAN-DB URL categories. During PAN-DB license activation, if existing URL filtering profiles are found, PAN-OS automatically converts them to the new PAN-DB categories using this mapping. Where several BrightCloud categories map to one PAN-DB category (N:1), the most severe action among them is applied to the PAN-DB category.

As always, save your configuration before making any changes, and double-check each URL filtering profile after the migration.

For a list of PAN-DB categories and their descriptions, please refer to: urlfiltering.paloaltonetworks.com/CategoryList.aspx

BrightCloud Category | PAN-DB Category
Abortion | Abortion
Abused Drugs | Abused Drugs
Adult and Pornography | Adult
Alcohol and Tobacco | Alcohol and Tobacco
Auctions | Auctions
Bot Nets | Command and Control
Business and Economy | Business and Economy
Cheating | Questionable
Computer and Internet Info | Computer and Internet Info
Computer and Internet Security | Computer and Internet Info
Confirmed SPAM Sources | Malware
Content Delivery Networks | Content Delivery Networks
Cult and Occult | Religion
Dating | Dating
Dead Sites | Insufficient-Content / Parked
Dynamically Generated Content | N/A (no mapping; the URL is categorized based on its content)
Educational Institutions | Educational Institutions
Entertainment and Arts | Entertainment and Arts
Fashion and Beauty | Society
Financial Services | Financial Services
Games | Games
Government | Government
Gross | Questionable
Hacking | Hacking
Hate and Racism | Extremism
Health and Medicine | Health and Medicine
Home and Garden | Home and Garden
Hunting and Fishing | Hunting and Fishing
Illegal | Questionable / Copyright-Infringement
Image and Video Search | Search Engines
Individual Stock Advice and Tools | Stock Advice and Tools
Internet Communications | Internet Communications and Telephony
Internet Portals | Internet Portals
Job Search | Job Search
Keyloggers and Monitoring | Malware
Kids | Society
Legal | Legal
Local Information | Travel
Malware Sites | Malware
Marijuana | Abused Drugs
Military | Military
Motor Vehicles | Motor Vehicles
News and Media | News
Not-resolved | Not-resolved
Nudity | Nudity
Online Gambling | Gambling
Online Greeting Cards | Entertainment and Arts
Online Music | Music
Online Personal Storage | Online Storage and Backup
Open HTTP Proxies | Proxy Avoidance and Anonymizers
Parked Domains | Parked
Pay to Surf | Web Advertisements
Peer to Peer | Peer-to-Peer
Personal Sites and Blogs | Personal Sites and Blogs
Philosophy and Political Advocacy | Philosophy and Political Advocacy
Phishing and Other Frauds | Phishing
Private IP Addresses | Private IP Addresses
Proxy Avoidance and Anonymizers | Proxy Avoidance and Anonymizers
Questionable | Questionable
Real Estate | Real Estate
Recreation and Hobbies | Recreation and Hobbies
Reference and Research | Reference and Research
Religion | Religion
Search Engines | Search Engines
Sex Education | Sex Education
Shareware and Freeware | Shareware and Freeware
Shopping | Shopping
Social Networking | Social Networking
Society | Society
SPAM URLs | Malware
Sports | Sports
Spyware and Adware | Malware
Streaming Media | Streaming Media
Swimsuits & Intimate Apparel | Swimsuits and Intimate Apparel
Training and Tools | Training and Tools
Translation | Translation
Travel | Travel
Unconfirmed SPAM Sources | Malware
Unknown | Unknown
Violence | Questionable
Weapons | Weapons
Web Advertisements | Web Advertisements
Web Based Email | Web-based Email
Web Hosting | Web Hosting

owner: dyang
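The N:1 rule above ("the most severe action will be used"), carried out on a sample profile as an added example so the expected result of the automatic migration can be checked against what the firewall produced. This is not PAN-OS code; it uses a subset of the table above (including the N:1 cases and the two entries that map to more than one PAN-DB category), and the severity order of the profile actions (block above override, continue, alert and allow) and the sample profile are this example's own assumptions.

```python
# Merge a BrightCloud-based URL Filtering profile into PAN-DB categories using
# the mapping table above.  Added example, not PAN-OS code.

# Profile actions from least to most severe.  Assumption of this example.
SEVERITY = ["allow", "alert", "continue", "override", "block"]

# Subset of the table above.  A tuple means the BrightCloud category maps to
# more than one PAN-DB category; None means no mapping (categorized by content).
BRIGHTCLOUD_TO_PANDB = {
    "Adult and Pornography": "Adult",
    "Bot Nets": "Command and Control",
    "Cheating": "Questionable",
    "Gross": "Questionable",
    "Violence": "Questionable",
    "Illegal": ("Questionable", "Copyright-Infringement"),
    "Dead Sites": ("Insufficient-Content", "Parked"),
    "Parked Domains": "Parked",
    "Computer and Internet Info": "Computer and Internet Info",
    "Computer and Internet Security": "Computer and Internet Info",
    "Confirmed SPAM Sources": "Malware",
    "Keyloggers and Monitoring": "Malware",
    "Malware Sites": "Malware",
    "SPAM URLs": "Malware",
    "Spyware and Adware": "Malware",
    "Unconfirmed SPAM Sources": "Malware",
    "Hate and Racism": "Extremism",
    "Phishing and Other Frauds": "Phishing",
    "Dynamically Generated Content": None,
}


def most_severe(actions):
    """Pick the strictest action; unknown action names are rejected."""
    for action in actions:
        if action not in SEVERITY:
            raise ValueError("unknown URL filtering action: %r" % action)
    return max(actions, key=SEVERITY.index)


def migrate_profile(brightcloud_profile, mapping=BRIGHTCLOUD_TO_PANDB):
    """Return (pandb_profile, review) for a {category: action} profile.

    review["escalated"] lists PAN-DB categories whose source categories
    carried different actions (so some of them became stricter) and
    review["unmapped"] lists BrightCloud categories that need a manual decision.
    """
    merged, unmapped = {}, []
    for category, action in brightcloud_profile.items():
        targets = mapping.get(category)
        if targets is None:
            unmapped.append(category)
            continue
        if isinstance(targets, str):
            targets = (targets,)
        for target in targets:
            merged.setdefault(target, []).append(action)
    pandb_profile = {cat: most_severe(acts) for cat, acts in merged.items()}
    escalated = {cat: acts for cat, acts in merged.items() if len(set(acts)) > 1}
    return pandb_profile, {"escalated": escalated, "unmapped": sorted(unmapped)}


# Constructed sample BrightCloud profile (this example's own, not from the article).
OLD_PROFILE = {
    "Malware Sites": "block",
    "Spyware and Adware": "continue",
    "Unconfirmed SPAM Sources": "alert",
    "Computer and Internet Info": "allow",
    "Computer and Internet Security": "alert",
    "Cheating": "alert",
    "Gross": "allow",
    "Violence": "block",
    "Illegal": "block",
    "Dead Sites": "continue",
    "Dynamically Generated Content": "alert",
}


if __name__ == "__main__":
    profile, review = migrate_profile(OLD_PROFILE)
    for category, action in sorted(profile.items()):
        print("%-28s %s" % (category, action))
    print("escalated:", review["escalated"])
    print("unmapped: ", review["unmapped"])
```

The review part is the point of running this before the migration: every category listed under escalated is one where a formerly allowed or alerted source category now inherits block or continue, and those are the entries to re-check in the profile after activation.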
dyang, 01-10-2018 04:51 PM
The YouTube safety mode setting helps screen out potentially objectionable content on YouTube.

Safe Search Enforcement is an option in the URL Filtering profile. It prevents users who search the internet with one of the three major search providers (Google, Bing or Yahoo) from viewing search results unless the strict safe search option for that provider is set in the browser or the user account. The option applies to YouTube in the same way it applies to Google, Yahoo and Bing.

Select the Safe Search Enforcement check box in the URL Filtering profile (Objects > Security Profiles > URL Filtering). Safe Search is then enforced whenever a user request matches a security policy rule that has this URL Filtering profile attached.

Testing Safe Search Enforcement on YouTube

Open YouTube in a browser and search for adult movies. The search itself succeeds: the site displays a list of adult videos with thumbnails, but opening any of them fails. When the user tries to open such a video, the firewall presents a block page asking the user to change the safe search settings. The user can change the safety setting for YouTube at the bottom of the YouTube page. After that, search YouTube for adult content again: the results are now mostly filtered. A few videos may still need to be filtered out; report them to YouTube so that its filters can be improved.

owner: ialeksov
ialeksov, 11-15-2017 03:36 PM
Details

The firewall GUI offers a way to verify or test URL categorization from Objects > Security Profiles > URL Filtering Profile. This is handy when troubleshooting an issue or when adding new URLs, to determine which category needs to be allowed or blocked. Depending on the URL filtering license that is activated, the link opens the BrightCloud or the Palo Alto Networks URL verification page:

BrightCloud's URL test site: http://www.brightcloud.com/tools/url-ip-lookup.php
Palo Alto Networks URL test site: https://urlfiltering.paloaltonetworks.com/

URL categorization can also be verified from the CLI with the test url command:

    admin@myNGFW> test url yahoo.com
    yahoo.com internet-portals (Base db) expires in 93000 seconds
    yahoo.com internet-portals (Cloud db)
    admin@myNGFW>

Several test URLs are available for PAN-DB, one per category:

    http://pandb.paloaltonetworks.com/test-malware
    http://pandb.paloaltonetworks.com/test-phishing
    ...
    http://pandb.paloaltonetworks.com/test-(replace with category)

For categories whose names contain spaces, replace each space with a hyphen; for example, "Recreation and Hobbies" becomes http://pandb.paloaltonetworks.com/test-recreation-and-hobbies. The name must be all lower case, otherwise a 404 error is returned.
panagent, 11-15-2017 12:35 PM
Symptoms

A rule is in place to exclude a specific site from SSL decryption based on its FQDN, but when the website is accessed, SSL decryption still occurs.

Issue

To decide whether a connection needs to be decrypted, the firewall relies on the common name (CN) in the server certificate and compares it against the security policy. If the FQDN configured in the custom URL category does not exactly match the CN in the certificate, the intended categorization fails, because there is no exact match.

Resolution

Examine the website's certificate to find its common name:
1. Access the website with a browser.
2. Open the certificate details.
3. Look for the CN in the Subject section.

Populate the custom URL category with the name contained in the CN, rather than the FQDN used to reach the site, so that the security policy matches the CN presented in the certificate.

owner: bryan
bryan, 11-10-2017 05:45 AM
A new category has been added to URL Filtering. This new category will be “command-and-control” to further break out specifics from within the malware category. Check out this FAQ about the new category.
10-24-2017 09:37 AM
This article introduces the steps to make sure that the command-and-control category is recognized by the PAN-DB URL Filtering feature, using the 'test url' command.
kkawachi, 10-13-2017 06:25 AM
Problem

In URL filtering logs, the URL field does not include the port number when the URL was accessed on a port other than 80 or 443.

The corresponding logs sent to the syslog server (the first session uses port 8888, the second port 80, yet both show the URL as 10.128.128.207/):

    Jul 18 13:30:04 Lab130-35-PA-3060 1,2017/07/18 13:30:03,010401000897,THREAT,url,1,2017/07/18 13:30:03,192.168.35.110,10.128.128.207,10.128.128.35,10.128.128.207,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,L3-Untrust,ethernet1/6,ethernet1/3,test,2017/07/18 13:30:03,20381,1,16871,8888,21504,8888,0x408000,tcp,alert,10.128.128.207/,(9999),test8888,informational,client-to-server,3628,0x0,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,0,text/html,0,,,1,,,,,,,,0
    Jul 18 13:30:06 Lab130-35-PA-3060 1,2017/07/18 13:30:05,010401000897,THREAT,url,1,2017/07/18 13:30:05,192.168.35.110,10.128.128.207,10.128.128.35,10.128.128.207,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,L3-Untrust,ethernet1/6,ethernet1/3,test,2017/07/18 13:30:05,20388,1,16872,80,44827,80,0x408000,tcp,alert,10.128.128.207/,(9999),test8888,informational,client-to-server,3629,0x0,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,0,text/html,0,,,1,,,,,,,,0

Resolution

As of PAN-OS 7.0 the output of this field has changed: the port number is included in the URL field when the URL was accessed on a port other than 80 or 443.

The corresponding logs sent to the syslog server now carry the port in the URL field (10.128.128.207:8888/ for the session on port 8888):

    Jul 18 13:50:37 Lab130-35-PA-3060 1,2017/07/18 13:50:36,010401000897,THREAT,url,1,2017/07/18 13:50:36,192.168.35.110,10.128.128.207,10.128.128.35,10.128.128.207,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,L3-Untrust,ethernet1/6,ethernet1/3,test,2017/07/18 13:50:36,11,1,16968,80,46822,80,0x408000,tcp,alert,10.128.128.207/,(9999),test8888,informational,client-to-server,3631,0x0,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,0,text/html,0,,,1,,,,,,,,0,0,0,0,0,,Lab130-35-PA-3060,
    Jul 18 13:50:39 Lab130-35-PA-3060 1,2017/07/18 13:50:38,010401000897,THREAT,url,1,2017/07/18 13:50:38,192.168.35.110,10.128.128.207,10.128.128.35,10.128.128.207,Trust-to-Untrust,,,web-browsing,vsys1,L3-Trust,L3-Untrust,ethernet1/6,ethernet1/3,test,2017/07/18 13:50:38,21,1,16969,8888,55926,8888,0x508000,tcp,alert,10.128.128.207:8888/,(9999),test8888,informational,client-to-server,3632,0x0,192.168.0.0-192.168.255.255,10.0.0.0-10.255.255.255,0,text/html,0,,,1,,,,,,,,0,0,0,0,0,,Lab130-35-PA-3060,

Note: custom URL category entries (Objects > Custom Objects > URL Category) do not need to include the port number.
dyamada, 07-27-2017 05:04 AM
GOM VPN is a Chrome browser extension that lets users reach blocked websites through the firewall by tunneling the traffic inside an SSL connection. To keep blocked websites blocked, the GOM VPN SSL connection itself has to be blocked on the firewall. There are two approaches to block GOM VPN; this article outlines both.

Method 1 to block GOM VPN

Note: this approach requires a URL filtering license and database on the firewall. To understand the behavior when the license expires, please click here.

GOM VPN connections are categorized as "proxy-avoidance-and-anonymizers". Some of the hosts GOM VPN connects to are b-7.gomcomm.com, b-4.gomcomm.com and b-9.gomcomm.com. The category of a URL can be checked on the following sites:

BrightCloud's URL test site: http://www.brightcloud.com/tools/url-ip-lookup.php
Palo Alto Networks URL test site: https://urlfiltering.paloaltonetworks.com/testasite.aspx

Step 1. Set the action for "proxy-avoidance-and-anonymizers" to "block" in the URL filtering profile (Objects > Security Profiles > URL Filtering).
Step 2. Attach this URL filtering profile to the security policy rule that allows traffic to the internet.
Step 3. The URL filtering logs then show the GOM VPN connections being blocked.

Method 2 to block GOM VPN

Note: this approach works even without a URL filtering license on the firewall, because it does not use the predefined categories.

Step 1. Since GOM VPN connects to gomcomm.com and *.gomcomm.com, add these entries to a custom URL category (Objects > Custom Objects > URL Category).
Step 2. Then either reference the custom category in a URL filtering profile with the action set to "block" and attach that profile to the security policy, or use the custom URL category directly as a match condition in a security policy rule whose action is "deny".

Note: if the custom URL category is referenced from a URL filtering profile and there is no URL filtering license on the firewall, a "No valid URL filtering license" warning is raised. No warning is raised when the custom URL category is used directly in the security policy, even without a license.
poagrawal, 01-03-2017 03:00 AM
A complete list of all available categories can be viewed in this article: Complete List of PAN-DB URL Filtering Categories. The most up-to-date version of the PAN-DB category list is available at https://urlfiltering.paloaltonetworks.com/. You will first need to log in; once logged in, you are presented with the option to view a list of all available categories.

owner: jwebb
jwebb, 12-13-2016 12:48 AM
This article shows how to fix web browsing that fails with the error code SSL_ERROR_RX_RECORD_TOO_LONG, using facebook.com as the example.

Cause

The error code SSL_ERROR_RX_RECORD_TOO_LONG means the browser received non-secure (HTTP) data where it expected secure (HTTPS) data.

Details

Security policy on the firewall: the rule references the URL filtering profile "facebook test".
URL filtering profile on the firewall: the social-networking category has the action "continue".

With the continue action on a URL category, the firewall sends a redirect to the client that prompts the user to click Continue before proceeding to the web page. This Continue redirect is an HTTP response (the redirect page shows the URL category and the security policy rule matched by the traffic).

When browsing to www.facebook.com, the browser requests https://www.facebook.com. The firewall answers with the HTTP redirect for the continue page in the middle of what the browser expects to be a TLS handshake; the browser treats that as an invalid response and reports SSL_ERROR_RX_RECORD_TOO_LONG.

Solution

Either of the following overcomes the issue:

1. Enable outbound SSL decryption on the firewall. For more information on how to enable SSL decryption on the firewall, please click here.

2. Run the following command on the firewall. It lets the SSL handshake complete before the HTTP response page is sent to the client (for more information about the command, please click here):

    # set deviceconfig setting ssl-decrypt url-proxy yes
hagarwal, 11-22-2016 10:20 AM
Overview

This document describes how to migrate the URL database from BrightCloud to PAN-DB on a High Availability (HA) pair of Palo Alto Networks devices.

Steps

1. Suspend the passive/secondary device: go to Device > High Availability > Operational Commands and suspend the local device, or from the CLI:
       > request high-availability state suspend
2. On the passive/suspended device, allow non-SYN TCP sessions if not already set:
       > set session tcp-reject-non-syn no
3. Retrieve the PAN-DB URL licenses from the Device > Licenses tab.
4. Activate the PAN-DB license on the suspended device (or activate the database from the Device > Licenses tab):
       > set system setting url-database paloaltonetworks
5. Once activated, make the secondary device functional again. It will come up as "non-functional" because its URL database no longer matches its peer:
       > request high-availability state functional
   Note: while the device shows as non-functional after this command, all interfaces except the HA interfaces remain down; that is expected.
6. Suspend the active/primary device; this makes the secondary device functional.
   Note: while a device is in the non-functional state, sessions are not synced. Because non-SYN TCP is allowed, most existing TCP traffic will not be dropped.
7. Download and activate the PAN-DB license on this device (steps 3 and 4).
8. Both devices are now using PAN-DB. Once both are functional, fail back to the original primary/active device.
9. Revert the secondary device to its original setting:
       > set session tcp-reject-non-syn yes

owner: kalavi
kalavi, 09-14-2016 04:12 AM
With content release 602 Palo Alto Networks has introduced three new categories to the PAN-DB database. They appear in URL filtering profiles and can be used in security policy on any firewall running content 602 or higher, but URLs will not be categorized under them until the end of August. This gives customers time to update to a supported content version that includes the new categories before they are populated in the cloud.

The new URL categories are:

"Extremism": websites promoting terrorism, racism, fascism or other extremist views that discriminate against people or groups of different ethnic backgrounds, religions or other beliefs. The default policy action for this category is "allow".

"Copyright infringement": websites and services dedicated to illegally serving videos, movies or other media for download, explicitly infringing on copyright holders. The default policy action for this category is "allow".

"Insufficient content": websites and services that present test pages, no content, API access not intended for end-user display, or that require authentication without displaying any content that suggests a more specific categorization. The default policy action for this category is "allow".

FAQ on the introduction of these categories:

Q: Why is Palo Alto Networks introducing these new categories?
A: To provide customers with enhanced visibility and more granular control over web content in their environment.

Q: How can sites be considered "Insufficient content"?
A: Sites without content, or with no useful content such as server test pages, make it difficult to identify the intent or business of a site and to categorize it accordingly. To maximize accuracy across all PAN-DB categories, these sites are now placed in "Insufficient content" instead.

Q: What is the recommended action on these categories?
A: To minimize the potential impact of these changes, the new categories are all released with a default action of "allow".
"Extremism" contains sites with content primarily related to terrorism, racism or other hate speech. For customers in many industries, such as education, we recommend a block action to prevent users from accessing this type of material.
"Copyright infringement" contains websites offering copyright-protected material for download or streaming. Our recommendation is to prevent users from accessing this type of website.
We do not recommend blocking access to "Insufficient content" websites, but strict Threat Prevention profiles should still be used to inspect their content for malicious material.
Customers are encouraged to review these categories individually and decide what is appropriate for their environment.

Q: What content version will include these new URL categories?
A: Content version 602 includes the new URL categories and will be published during the week of August 1st.

Q: What happens if I don't update to the latest content?
A: Palo Alto Networks will not categorize URLs using the new categories until the end of August. As long as content 602 or higher is installed, and customers have reviewed the default actions, there is no impact. If an unsupported content version is still installed once the categorizations are populated in the PAN-DB cloud, customers may see the following:
    The URL filtering log shows "any" as the category for URLs that fall into the new categories.
    Customers may be unable to enforce policy against these URLs.

Q: What does it mean that Palo Alto Networks won't categorize URLs with these new categories until August?
A: Content update 602 enables a firewall to apply policy to URLs categorized within these new categories. To accommodate customer adoption and allow time to implement any policies, we will not begin categorizing URLs within these new categories until the end of August.

Q: What happens at the end of August?
A: At the end of August Palo Alto Networks will begin using the categories added in content 602 to categorize new URLs, and to migrate URLs already in the PAN-DB database that match the new category definitions.
maurisy, 08-18-2016 08:38 AM
Overview
The URL logs in Palo Alto Networks devices are exported as part of the threat logs, and as such they appear as threat logs in security information and event management (SIEM) solutions.

Details
From the SIEM, the threat logs can be filtered and reported on as needed. See the example below, using Splunk as the SIEM and looking at the logs with the filter: url dst_hostname="www.google.nl":

Shown below, after the type of log (THREAT) there is another token that represents the subtype: url:

Exporting one of those events in full shows the following:
Aug 5 14:56:46 Ilija-PA-VM-2.al.com 1,2014/08/05 14:56:46,007200001619,THREAT,url,1,2014/08/05 14:56:40,192.168.8.89,173.194.41.175,10.193.17.8,173.194.41.175,allow_all,,,ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/2,ethernet1/1,forward to panorama and splunk,2014/08/05 14:56:46,196863,1,55143,443,52716,443,0x408000,tcp,alert,"www.google.nl/",(9999),search-engines,informational,client-to-server,67483,0x0,192.168.0.0-192.168.255.255,US,0,,0,,

This event is a Threat event, but its subtype is URL. In the event above, note the parameter "url" just after THREAT. Filtering in the SIEM on this subtype will display the URL logs, together with the action, rule, category and other associated information.

If a different representation is needed for a specific SIEM solution, the predefined tokens "$subtype|$type" can be used. As an example, the following output might be used in the Custom Log Format (under Device > Server Profiles > Syslog):
<threat>CEF:0|Palo Alto Networks|PAN-OS|5.0|$subtype $threatid|$type|$number-of-severity|rt=$cef-formatted-receive_time deviceExternalId=$serial src=$src dst=$dst sourceTranslatedAddress=$natsrc destinationTranslatedAddress=$natdst cs1Label=Rule cs1=$rule suser=$srcuser duser=$dstuser app=$app cs3Label=Virtual System cs3=$vsys cs4Label=Source Zone cs4=$from cs5Label=Destination Zone cs5=$to deviceInboundInterface=$inbound_if deviceOutboundInterface=$outbound_if cs6Label=LogProfile cs6=$logset cn1Label=SessionID cn1=$sessionid cnt=$repeatcnt spt=$sport dpt=$dport sourceTranslatedPort=$natsport destinationTranslatedPort=$natdport flexString1Label=Flags flexString1=$flags proto=$proto act=$action msg=$misc cs2Label=URL Category cs2=$category flexString2Label=Direction flexString2=$direction externalId=$seqno requestContext=$contenttype</threat>

With this, the URL logs can also carry custom fields in a uniform format from which the SIEM administrator can create reports.

Using the custom log format above, the SIEM receives the following log:
Oct 10 14:24:00 CEF:0|Palo Alto Networks|PAN-OS|5.0|url (9999)|THREAT|1|rt=Oct 10 2014 12:24:00 GMT deviceExternalId=007200001618 src=172.16.100.89 dst=74.125.230.229 sourceTranslatedAddress=10.193.91.100 destinationTranslatedAddress=74.125.230.229 cs1Label=Rule cs1=allow_corp_services suser=al\iladmin duser= app=ssl cs3Label=Virtual System cs3=vsys1 cs4Label=Source Zone cs4=Trust_L3 cs5Label=Destination Zone cs5=Untrust_L3 deviceInboundInterface=ethernet1/2 deviceOutboundInterface=ethernet1/1 cs6Label=LogProfile cs6=Forward_to_PANORAMA_and_Splunk cn1Label=SessionID cn1=211699 cnt=1 spt=20949 dpt=443 sourceTranslatedPort=54006 destinationTranslatedPort=443 flexString1Label=Flags flexString1=0x408000 proto=tcp act=alert msg="clients1.google.com/" cs2Label=URL Category cs2=search-engines flexString2Label=Direction flexString2=client-to-server externalId=982843 requestContext=

owner: ialeksov
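As an added example (not from the article or from PAN-OS), the following Python script normalizes both representations above, the default CSV threat log and the CEF custom format, into one record and keeps only the url subtype, the way a SIEM search on type and subtype would. The CSV field positions are assumed from the sample line (the PAN-OS 5/6 threat log layout); two of the sample lines are the article's, and the third, a vulnerability event, is constructed by changing the subtype of the first.

```python
"""Normalize PAN-OS URL filtering events (type THREAT, subtype url) from
syslog into one record shape, for the two formats shown above: the default
CSV threat log and the custom CEF format built from the $subtype/$type tokens.

Added example, not part of the original article or of PAN-OS. The CSV field
positions are assumed from the sample line above (the PAN-OS 5/6 threat log
layout); two sample lines are the article's, the third is constructed."""
import csv
import re

# Syslog header "Mon dd HH:MM:SS [hostname] <body>". The hostname is optional
# because the CEF sample has none; the lookahead keeps "CEF:0|..." from being
# taken for a hostname.
_SYSLOG_HDR = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d\s+(?:(?!CEF:)\S+\s+)?(?P<body>.*)$"
)

# 0-based positions in the comma-separated THREAT log (assumed layout, see above).
_CSV_FIELDS = {
    "type": 3, "subtype": 4, "src": 7, "dst": 8, "rule": 11, "user": 12,
    "app": 14, "action": 30, "url": 31, "category": 33, "severity": 34,
}

# CEF extension keys that the custom log format above assigns to each field.
_CEF_FIELDS = {
    "src": "src", "dst": "dst", "rule": "cs1", "user": "suser",
    "app": "app", "action": "act", "url": "msg", "category": "cs2",
}

# Split the CEF extension at a space that starts the next key=value pair, so
# values containing spaces (rt=..., cs2Label=URL Category) stay intact.
_CEF_KV_SPLIT = re.compile(r" (?=[A-Za-z0-9_]+=)")


def strip_syslog_header(line):
    m = _SYSLOG_HDR.match(line.strip())
    return m.group("body") if m else line.strip()


def parse_csv_threat(body):
    fields = next(csv.reader([body]))  # csv handles the quoted URL field
    if len(fields) <= max(_CSV_FIELDS.values()):
        raise ValueError("too few fields for a PAN-OS THREAT log line")
    rec = {name: fields[pos] for name, pos in _CSV_FIELDS.items()}
    rec["format"] = "csv"
    return rec


def parse_cef_threat(body):
    # CEF:0|vendor|product|version|signature id|name|severity|extension
    parts = body.split("|", 7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    _, _vendor, _product, _version, sig_id, log_type, severity, ext = parts
    kv = {}
    for item in _CEF_KV_SPLIT.split(ext):
        key, _, value = item.partition("=")
        kv[key] = value.strip().strip('"')
    rec = {field: kv.get(key, "") for field, key in _CEF_FIELDS.items()}
    # The signature id carries "$subtype $threatid", e.g. "url (9999)".
    subtype = sig_id.split()[0] if sig_id.strip() else ""
    rec.update(format="cef", type=log_type, subtype=subtype, severity=severity)
    return rec


def parse_pan_event(line):
    """Parse one syslog line in either format into a flat dict."""
    body = strip_syslog_header(line)
    if body.startswith("CEF:"):
        return parse_cef_threat(body)
    return parse_csv_threat(body)


def url_events(lines):
    """Keep only URL filtering events: the filter a SIEM search on type/subtype applies."""
    out = []
    for line in lines:
        try:
            rec = parse_pan_event(line)
        except ValueError:
            continue  # unparseable or unrelated line
        if rec["type"] == "THREAT" and rec["subtype"] == "url":
            out.append(rec)
    return out


# Sample input: the two lines from the article (CEF one trimmed), plus a
# constructed vulnerability event derived from the first to show the filter dropping it.
SAMPLE_CSV = ('Aug 5 14:56:46 Ilija-PA-VM-2.al.com 1,2014/08/05 14:56:46,007200001619,THREAT,url,1,'
              '2014/08/05 14:56:40,192.168.8.89,173.194.41.175,10.193.17.8,173.194.41.175,allow_all,,,'
              'ssl,vsys1,Trust-L3,Untrust-L3,ethernet1/2,ethernet1/1,forward to panorama and splunk,'
              '2014/08/05 14:56:46,196863,1,55143,443,52716,443,0x408000,tcp,alert,"www.google.nl/",'
              '(9999),search-engines,informational,client-to-server,67483,0x0,'
              '192.168.0.0-192.168.255.255,US,0,,0,,')
SAMPLE_CEF = (r'Oct 10 14:24:00 CEF:0|Palo Alto Networks|PAN-OS|5.0|url (9999)|THREAT|1|'
              r'rt=Oct 10 2014 12:24:00 GMT deviceExternalId=007200001618 src=172.16.100.89 '
              r'dst=74.125.230.229 cs1Label=Rule cs1=allow_corp_services suser=al\iladmin duser= '
              r'app=ssl cs3Label=Virtual System cs3=vsys1 act=alert msg="clients1.google.com/" '
              r'cs2Label=URL Category cs2=search-engines flexString2Label=Direction '
              r'flexString2=client-to-server externalId=982843 requestContext=')
SAMPLE_VULN = SAMPLE_CSV.replace(",THREAT,url,", ",THREAT,vulnerability,", 1)  # constructed
SAMPLES = [SAMPLE_CSV, SAMPLE_CEF, SAMPLE_VULN]

if __name__ == "__main__":
    for rec in url_events(SAMPLES):
        print(rec["format"], rec["src"], rec["action"], rec["url"], rec["category"])
```

Both parsers raise ValueError on lines that do not fit, and url_events skips those, so the same filter can run over a mixed syslog feed rather than only over pre-filtered THREAT lines.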
ialeksov ‎07-25-2016 05:09 PM
Symptoms
When you navigate to Device > Setup > Management > Logging and Reporting Settings, there is no option to set the log quota for URL filtering logs.

Diagnosis
The URL filtering log database is part of the threat database.

Solution
Because the URL filtering log database is part of the threat database, modify the threat log storage quota according to your requirements. This changes the quota for both the threat and URL filtering logs.
rchougale ‎06-22-2016 03:45 PM
Symptom
BrightCloud is used for URL resolution and large numbers of "Unknown" categories are seen in the URL logs, which is causing issues with traffic. The test url CLI command responds with not-resolved, for example:
> test url <url>
<url> not-resolved (Cloud db)

Cause
There can be a number of reasons why this happens. Check the BrightCloud stats with the following CLI command:
> debug device-server bc-url-db show-stats
BC URL DB access counters:
Total requests: 322 (77% unknown)
DB file lookup hit: 72, miss 711, total 783
cache enabled: no

The example output above shows a large proportion of unknown results from the BrightCloud DB.

Resolution
There are URL filtering and cache settings that can greatly improve URL filtering performance. The following commands enable the cache and the bloom filter:
> debug device-server bc-url-db cache-enable yes
> set system setting url-filtering-feature filter True
> set system setting url-filtering-feature cache True

At this point, it is important to restart the device server process. Restarting this process during non-peak hours is advisable; during the restart, the existing User-ID mapping will be temporarily cleared.
> debug software restart device-server

Once the service is restarted (wait approximately 3 minutes), verify that the options are enabled with the following command:
> show system setting url-filtering-feature
cfg.url-feature.basedb-cache: True
cfg.url-feature.bloom-filter: True

Once the steps above are performed, performance should improve and the number of Unknown URL categories that appear should be reduced.

owner: jdelio
‎04-22-2016 08:54 AM
Overview
This document has two sections. The first describes the migration process from BrightCloud to PAN-DB when the managed device has Panorama-pushed URL filtering profiles with BrightCloud categories. The second explains how to migrate a high-availability pair.
Note: For a multi-vsys environment, see BrightCloud to PAN-DB Migration with Panorama in Multi-Vsys Configuration.

Migration Process with Panorama
1. Verify whether Dynamic URL is enabled on the device:
> set cli config-output-format set
> configure
# show deviceconfig setting url
If it is configured, delete the setting with the following commands:
# delete deviceconfig setting url dynamic-url
# commit
2. License the Palo Alto Networks device with the PAN-DB license and activate the license on the device: navigate to Device > Licenses and click Retrieve license keys from license server or Activate feature using auth code.
3. Download the URL DB initial seed file optimized for a specific region: navigate to Device > Licenses and click Download under Palo Alto Networks URL Filtering.
4. Activate PAN-DB on the device (Device > Licenses). This should fail: the commit will fail with the error "Details:profiles -> url-filtering -> <Profile-name> -> license-expired Not available for PAN-DB", and the local policy will be migrated to PAN-DB while the Panorama-pushed policy remains BrightCloud.
5. Switch the database on Panorama from BrightCloud to PAN-DB with the following command:
> set system setting url-database paloaltonetworks
6. Push the Panorama configuration to the device with a commit operation. This should report as successful. However, the device will still show BrightCloud from a licensing perspective, though URL objects will show PAN-DB categories. Additionally, when adding a new URL filtering object, it will show PAN-DB categories but BrightCloud settings.
7. From the device, re-activate PAN-DB: click Device > Licenses, or from the CLI run:
> set system setting url-database paloaltonetworks
The device should now be fully migrated to PAN-DB.

How to migrate a High-Availability Pair
1. Suspend the passive device.
2. Perform steps 1-4 from the previous section and migrate the passive device to PAN-DB.
3. After confirming that the passive device has been successfully migrated, make the passive device functional again. High-Availability will not be formed because of the URL filtering database mismatch.
4. Suspend the active device.
Note: There will be a short downtime when migrating a high-availability pair from BrightCloud to PAN-DB, as each device must be brought to a non-functional state in order to change the URL filtering database.
5. Perform steps 1-4 from the previous section and migrate the active device to PAN-DB.
6. After confirming that the active device has been successfully migrated, make the active device functional again. High-Availability will be formed as soon as the active device comes back up.

owner: kalavi
kalavi ‎04-20-2016 04:48 AM
Looking for X-Forwarded-For for User-ID? It is Here!
pbalasunda ‎01-18-2016 07:12 AM
When you go to a site that is blocked by a URL filtering profile, you will see a block page that contains some basic information about the web site, the user, the category, etc.

If the default response page for the blocked categories is used, the browser should show:

There is an option to create a custom page or, even better, to show an externally served page from an external resource. An iframe can be used within the HTML of the custom response page.

To do so, create a custom block response page under Device > Response Pages > URL Filtering and Category Match Block Page. You can use the predefined page, exported from the same menu, as a starting point for your own template.

The predefined HTML file looks like this:

<html>
<head>
<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> <user/> </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
</div>
</body>
</html>

To add external content, place an iframe inside the div tag, pointing at the external content:

<html>
<head>
<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<style>
#content{border:3px solid#aaa;background-color:#fff;margin:40;padding:40;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
h1{font-size:20px;font-weight:bold;color:#196390;}
b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<iframe src=" http://10.193.83.102 "></iframe>
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy. Please contact your system administrator if you believe this is in error.</p>
<p><b>User:</b> <user/> </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
</div>
</body>
</html>

Note the <iframe src=" http://10.193.83.102 "></iframe> tag in the custom HTML file. Import the custom HTML that contains the iframe.

If you now browse with the custom response page in place, you will see:

The same concept also applies to continue pages.
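Before importing a custom page, it is worth checking it mechanically. The following Python script is an added example, not part of the article or of PAN-OS: it confirms that the <user/>, <url/> and <category/> placeholders survived the edit, and reports every iframe source that is not https (a browser will not frame http content inside a page delivered over https) or whose host is not on an allow list you supply (the framed host must itself be allowed by policy, or the frame only shows another block page). The sample pages and the host blockinfo.example.com are constructed for the example.

```python
"""Check a custom URL filtering response page before importing it under
Device > Response Pages.

Added example, not PAN-OS code. It verifies that the placeholder tags the
predefined page relies on (<user/>, <url/>, <category/>) are present and
reports iframe sources that are not https or whose host is not on an
operator-supplied allow list. The pages and the allow list are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

PLACEHOLDERS = ("user", "url", "category")


class _PageScanner(HTMLParser):
    """Collect placeholder tags and iframe src attributes from the template."""

    def __init__(self):
        super().__init__()
        self.placeholders = set()
        self.iframe_srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in PLACEHOLDERS:
            self.placeholders.add(tag)
        elif tag == "iframe":
            for name, value in attrs:
                if name == "src" and value is not None:
                    self.iframe_srcs.append(value.strip())

    # <user/>-style self-closing tags arrive here; treat them like start tags.
    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def check_response_page(html, allowed_hosts):
    """Return a list of problems; an empty list means the page passes."""
    scanner = _PageScanner()
    scanner.feed(html)
    scanner.close()
    problems = []
    for tag in PLACEHOLDERS:
        if tag not in scanner.placeholders:
            problems.append(f"missing <{tag}/> placeholder")
    for src in scanner.iframe_srcs:
        parsed = urlparse(src)
        if parsed.scheme != "https":
            problems.append(f"iframe {src}: not https (will not load inside an https page)")
        if parsed.hostname not in allowed_hosts:
            problems.append(f"iframe {src}: host {parsed.hostname} is not on the allow list")
    return problems


def _page(extra=""):
    """Constructed template in the shape of the predefined block page above."""
    return f"""<html><head><title>Web Page Blocked</title>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE"></head>
<body bgcolor="#e7e8e9"><div id="content">{extra}
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy.</p>
<p><b>User:</b> <user/> </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
</div></body></html>"""


PREDEFINED_PAGE = _page()
ARTICLE_STYLE_PAGE = _page('<iframe src=" http://10.193.83.102 "></iframe>')  # http, as in the article
HARDENED_PAGE = _page('<iframe src="https://blockinfo.example.com/notice"></iframe>')  # assumed host
BROKEN_PAGE = PREDEFINED_PAGE.replace("<category/>", "")  # placeholder accidentally removed

if __name__ == "__main__":
    for label, page in [("predefined", PREDEFINED_PAGE), ("article", ARTICLE_STYLE_PAGE),
                        ("hardened", HARDENED_PAGE), ("broken", BROKEN_PAGE)]:
        print(label, check_response_page(page, {"blockinfo.example.com"}) or "OK")
```

Run it against the exported template each time the page is edited; an empty result means the placeholders are intact and every framed host is one you have deliberately allowed.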
ialeksov ‎12-18-2015 03:39 PM
This week's Tips & Tricks looks at the Application Command Center (ACC), which provides visibility into the network traffic passing through your firewall. The ACC is sometimes overlooked inside the WebGUI, but it is a very powerful tool to help you manage and see the traffic flowing through your network.

Note: I'll be showing you the ACC on PAN-OS 5.0, 6.0 and 6.1. PAN-OS 7.0 changes the look and feel of the interface, which I will cover in a different segment of Tips & Tricks.

To learn more about the ACC, we'll explore the following areas:
• What is the Application Command Center (ACC)?
• Parts of the Application Command Center (ACC) and how to get more information from the ACC

What is the Application Command Center (ACC)?
The Application Command Center (ACC) page visually depicts trends and a historic view of traffic on your network. It displays the overall risk level for all network traffic, the risk levels and number of threats detected for the most active and highest-risk applications on your network, and the number of threats detected from the busiest application categories and from all applications at each risk level. The ACC can be viewed for the past hour, day, week, month, or any custom-defined time frame. Risk levels (1 = lowest to 5 = highest) indicate the application's relative security risk, based on criteria such as whether the application can share files, is prone to misuse, or tries to evade firewalls.

Parts of the Application Command Center (ACC) and how to get more information from the ACC
We will start with the Dashboard tab.

ACC Risk Factor
Inside the WebGUI, on the Dashboard tab, you'll see ACC Risk Factor. This shows the risk factor over the last 60 minutes, based on the information inside the ACC tab. It is a general 'threat temperature' of the traffic: if you find it higher than normal, use the main ACC to drill down and investigate what is causing the temperature to be higher than normal. If you'd like to see this and it is not displayed on your Dashboard page, enable it from Dashboard > Widgets > Application > ACC Risk Factor.

Top Applications
You will also see 'Top Applications' if you have enabled this widget. It displays the applications with the most sessions. The block size indicates the relative number of sessions (mouse over a block to view the number), and the color indicates the security risk, from green (lowest) to red (highest). Click an application to view its application information, as well as a full breakdown of where that application has been seen inside the ACC page. This is a great way to see the applications in use at a glance. If you would like to see this, enable it from Dashboard > Widgets > Application > Top Applications.

Now let's move on to the ACC tab. On the ACC tab, you will see the following sections that make up the Application Command Center:
• Time/Sort By/Top (at the top of the window)
• Application
• URL Filtering
• Threat Prevention
• Data Filtering
• HIP Matches

1. Time/Sort By/Top
At the top of the window, you'll see the Time/Sort By/Top options. These control all the display options inside the ACC.
Time: options range from the last 15 minutes to the Last Calendar Month, plus a Custom option. The default is Last Hour.
Sort By: sort the charts in descending order by number of sessions, bytes, or threats. The default is by number of sessions.
Top: the number of entries to display per section, from 5 up to 500. The default is 25.
Press the green arrow to make your selection take effect. Lastly, the green plus sign is a Set Filter option that allows you to filter by Application, Source or Destination IP, Source or Destination User, Machine Name, HIP, Source or Destination Zone, Risk and URL Category. Adding a filter comes in handy if you are looking for specific traffic.
Note: There are two other parts of the ACC that I didn't document with a screenshot; they are as follows:
Virtual System: if virtual systems are defined, you can select one from this drop-down.
Data Source (Panorama only): select the Data Source used to generate the graphical display of traffic trends. The default Data Source for new installations is Panorama; Panorama uses the logs forwarded by the managed devices. To fetch and display an aggregated view of the data from the managed devices, switch the source from Panorama to Remote Device Data. On an upgrade, the default data source is Remote Device Data.
Note: You'll also see the same ACC Risk Factor in the upper right, as well as a set of 5 icons. The icons are shortcuts to logs, in the following order:
• Traffic Log
• Threat Logs
• URL Filtering Log
• Data Filtering Log
• HIP Match Log
These shortcuts come in handy when you would like to jump straight to the Threat logs without clicking through Monitor > Threat logs.

2. Application
The first section you'll see is the Application section. It displays information organized according to the menu selection: the number of sessions, bytes transmitted and received, number of threats, application category, application subcategories, application technology, and risk level, as applicable. The following views are available from the drop-down on the right side:
• Applications
• High Risk Applications
• Categories
• Sub Categories
• Technology
• Risk
This is the section where you can start to investigate questionable traffic as it passes through your network, in or out, by clicking on an application name or by using the drop-down to look at the application data differently.

For example, let's say that 'msrpc' traffic is high and you want to know more about it. Simply click on msrpc and you will see the following:
• Application Information: general information about the application, including its name, description, and all other information specific to this application and how it communicates.
• Top Applications: session and bytes information
• Top Sources
• Top Destinations
• Top Source Countries
• Top Destination Countries
• Top Security Rules
• Top Ingress Zones
• Top Egress Zones
• URL Filtering
• Threat Prevention
• Data Filtering
You can continue to click on each area to get more detailed information. Sometimes the information you need is only one click down; more involved investigations might take more drill-downs to get the information you need.

3. URL Filtering
Displays information organized according to the menu selection: the URL, URL category, and repeat count (number of times access was attempted), as applicable. The following views are available:
• URL Categories
• URLs
• Blocked URL Categories
• Blocked URLs
This is a great way to see which URL filtering categories are being used.

4. Threat Prevention
Displays information organized according to the menu selection: threat ID, count (number of occurrences), number of sessions, and subtype (such as vulnerability), as applicable. The following sections are available:
• Threats
• Types
• Spyware
• Spyware Phone Home
• Spyware Download
• Vulnerabilities
• Viruses
If you want to know about Threat Prevention, you'll really appreciate this section and the information it can show you.

5. Data Filtering
Displays data from the data filtering policy that has been created. The following sections are available:
• Content/File Types
• Types
• File Names
If you use data filtering, this comes in handy to quickly show how many files are created and the repeat count of each type.

6. HIP Matches
This area displays Host Information Profile (HIP) information gathered from GlobalProtect. The following sections are available:
• HIP Objects
• HIP Profiles
If you're using HIP with GlobalProtect, this area can prove very helpful.

I hope this Tips & Tricks article has helped you understand the Application Command Center better, and given you some insight into better ways to access and use the information in the ACC.

As always, we welcome all feedback and suggestions, and we're happy to take requests for future Tips & Tricks; leave a comment below.

Stay secure,
Joe Delio
‎10-30-2015 02:35 PM
Overview
The Palo Alto Networks firewall can block access to a URL if the URL is associated with an incorrect category. This may occur if the firewall's information is not up to date. Perform the following to verify whether a URL is associated with an incorrect category:
• Clear the data plane's URL cache.
• Update the URL database.
• Test URLs.
The purpose of this document is to describe how to test URLs with BrightCloud, PAN-DB, and directly from the CLI.

Details

BrightCloud
To test how the firewall has categorized a URL, use this command:
> test url www.paloaltonetworks.com
www.paloaltonetworks.com computer-and-internet-security (Base db)
Compare this output with the output from the BrightCloud URL/IP Lookup page.
Note: If the BrightCloud results are different, download an updated database using the UI on the Device > Dynamic Updates page.
If the test url output matches the BrightCloud URL/IP Lookup page, then the data plane copy of the BrightCloud base database has become corrupt, incomplete or incorrect. Clear the cached version from the data plane with the following command:
> clear url-cache all
The next attempt to resolve a base database URL will cause the data plane cache to re-populate from the base database present on the management plane.
Note: Make sure that you have the most recent BrightCloud database update.
If a URL has been resolved dynamically in the cloud and the category being resolved from the data plane cache is no longer correct, clear those entries from the dynamic management plane cache with the following command:
> delete dynamic-url host name <url>
On the next attempt to resolve this dynamic URL, the firewall will resolve the category via the BrightCloud cloud, and the result will be cached on the data plane.

PAN-DB
A subscription to the PAN-DB URL categorization database provides a few more commands that help reveal and resolve differences. The URL database is stored on the management plane and URL resolutions are cached on the data plane.

Test a URL
The following test commands return results from the URL database in the management plane. This first command may be all you need to verify that the URL database has the same information as the cloud:
> test url www.paloaltonetworks.com
www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 600 seconds
www.paloaltonetworks.com computer-and-internet-info (Cloud db)
If the Base database has a different (and incorrect) result from the Cloud database, then the database needs to be updated. This can be done in the web UI under Device > Dynamic Updates or with the CLI commands described in the section below.
Compare the output above with what the cloud knows, using the following command:
> test url-info-cloud www.paloaltonetworks.com
BM: paloaltonetworks.com,9,5,computer-and-internet-info
webmail.paloaltonetworks.com,1,5,web-based-email
The following command reveals detailed information about a URL cached in the management plane:
> test url-info-host www.paloaltonetworks.com
Ancestors info:
paloaltonetworks.com,1,5,computer-and-internet-info,,
BM: paloaltonetworks.com,1,5,computer-and-internet-info,,
Descendants info:
webmail.paloaltonetworks.com,1,5,web-based-email,,

Clear the data plane cache
If the test url command reveals that the management plane and the cloud agree on the correct categorization, but the URL is still being blocked because of an incorrect categorization, then clear the data plane's cache entry for that URL with:
> clear url-cache url <URL>
Alternatively, the entire cache can be cleared:
> clear url-cache all

Update the PAN-DB URL Database from the CLI
If the test url command revealed that the management plane has a different categorization than the cloud for a URL, then either the specific URL or the entire URL database needs to be updated. Again, updating the entire database can be done in the UI under Device > Dynamic Updates.
Note: Dynamic Updates can, and should, be scheduled to ensure that the firewall has the latest information.
To update from the CLI, download the latest PAN-DB URL categorization database from the cloud using this command:
> request url-filtering download paloaltonetworks region <Region>
Display the status of the database download:
> request url-filtering download status vendor paloaltonetworks
Note: The database is ready for use after it has been downloaded. You can try your connection again to the URL that was formerly blocked.

owner: jjosephs
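The decision procedure above (compare Base db with Cloud db, then compare with what the data plane is enforcing) can be expressed as code. The following Python snippet is an added example, not PAN-OS code: it parses the result lines of test url output and returns which of the steps above applies. The first sample output is the article's; the other two are constructed variants.

```python
"""Turn PAN-DB 'test url' output into the next troubleshooting step.

Added example, not PAN-OS code. It parses the '(Base db)' and '(Cloud db)'
result lines and applies the rule the article gives: if the base database
disagrees with the cloud, update the URL database; if they agree but the
firewall still enforces a different category, clear the data plane cache for
that URL. The first sample is the article's output; the others are constructed."""
import re

# e.g. "www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 600 seconds"
_RESULT = re.compile(r"^(?P<url>\S+)\s+(?P<category>\S+)\s+\((?P<source>Base db|Cloud db)\)")


def parse_test_url(output):
    """Map each result source ('Base db', 'Cloud db') to the category it reports."""
    found = {}
    for line in output.splitlines():
        m = _RESULT.match(line.strip())
        if m:
            found[m.group("source")] = m.group("category")
    return found


def next_step(output, enforced_category=None):
    """Return (action, detail).

    enforced_category: the category the URL filtering log shows for the
    blocked request, or None when no block is being investigated."""
    cats = parse_test_url(output)
    base, cloud = cats.get("Base db"), cats.get("Cloud db")
    if cloud is None:
        return ("check-cloud-connection",
                "no Cloud db result in the output; verify cloud connectivity before comparing")
    if base is not None and base != cloud:
        return ("update-url-database",
                f"management plane says {base}, cloud says {cloud}: "
                "use Device > Dynamic Updates or request url-filtering download")
    if enforced_category is not None and enforced_category != cloud:
        return ("clear-url-cache",
                f"data plane enforces {enforced_category} but cloud says {cloud}: "
                "run clear url-cache url <URL>")
    return ("consistent", f"all sources agree on {cloud}")


# Sample outputs: the article's, then two constructed variants.
SAMPLE_AGREE = """www.paloaltonetworks.com computer-and-internet-info (Base db) expires in 600 seconds
www.paloaltonetworks.com computer-and-internet-info (Cloud db)
"""
SAMPLE_STALE_BASE = """www.example.com unknown (Base db) expires in 600 seconds
www.example.com computer-and-internet-info (Cloud db)
"""  # constructed: management plane database behind the cloud
SAMPLE_NO_CLOUD = "www.example.com computer-and-internet-info (Base db)\n"  # constructed

if __name__ == "__main__":
    print(next_step(SAMPLE_AGREE))
    print(next_step(SAMPLE_AGREE, enforced_category="malware"))
    print(next_step(SAMPLE_STALE_BASE, enforced_category="unknown"))
    print(next_step(SAMPLE_NO_CLOUD))
```

The enforced category comes from the URL filtering log entry for the blocked request; passing it in is what distinguishes a stale data plane cache from a stale management plane database.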
panagent ‎09-15-2015 11:29 PM
Issue
The URL block page is not displayed for web sites that the web browser had already cached before the block was applied.

Details
If a user accessed a website before the URL block page was implemented, the block page will not be applied if the user's web browser already has the site in its cache. For example, apply the URL filter block page for the "streaming media" category and access http://gyao.yahoo.co.jp/korean/ and http://gyao.yahoo.co.jp/ct/music/ .
> test url gyao.yahoo.co.jp/korean/
gyao.yahoo.co.jp streaming-media (Base db)
> test url gyao.yahoo.co.jp/ct/music/
gyao.yahoo.co.jp streaming-media (Base db)
Both are categorized as streaming-media as shown above, but the block page is shown only for http://gyao.yahoo.co.jp/ct/music/ .

Look at the HTTP request and response headers for each site and note the difference in the response headers provided by the web server. The response for /ct/music/ carries "Cache-Control" directives and "Pragma: no-cache", so the client's browser will not serve the object from its cache. There is no such cache control for http://gyao.yahoo.co.jp/korean/, so the client browser uses its cache rather than accessing the site, and hence the block page is never supplied by the Palo Alto Networks firewall.

=====================================================================
HTTP request and response header for http://gyao.yahoo.co.jp/korean/
=====================================================================
GET /korean/ HTTP/1.1
Host: gyao.yahoo.co.jp
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: ja,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://gyao.yahoo.co.jp/korean/
Cookie: B=6rahmo59c29vd...
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:03:59 GMT
P3P: policyref=" http://privacy.yahoo.co.jp/w3c/p3p.xml ", CP="..."
Cache-Control: public
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip

=====================================================================
HTTP request and response header for http://gyao.yahoo.co.jp/ct/music/
=====================================================================
GET /ct/music/ HTTP/1.1
Host: gyao.yahoo.co.jp
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: B=6rahmo59c29vd...
Connection: keep-alive

HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:04:02 GMT
P3P: policyref=" http://privacy.yahoo.co.jp/w3c/p3p.xml ", CP="..."
Cache-Control: public
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 21 Jan 2014 06:04:02 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
Content-Encoding: gzip

Workaround
Clear the cache on the client browser; the block page will then work as designed.
See the links below for examples of how to clear the cache on the designated browsers:
Mozilla Firefox: How to clear the Firefox cache | Firefox Help
Internet Explorer: https://kb.wisc.edu/page.php?id=15141

owner: kkondo
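The header difference above can be checked mechanically. The following Python script is an added example, not part of the article: it parses raw response headers and reports whether a browser must go back to the server (and therefore through the firewall, where the block page is served) or may reuse its cached copy. An Expires date already in the past is treated as forcing revalidation as well. The two header sets are the article's, trimmed to the cache-relevant lines.

```python
"""Decide from raw HTTP response headers whether a browser may reuse its
cached copy without going back to the server.

Added example, not part of the article. It captures the distinction the
article draws: 'Cache-Control: private, no-store, no-cache, must-revalidate'
and 'Pragma: no-cache' force the next visit back onto the network, whereas
'Cache-Control: public' alone lets the browser reuse what it stored before
the policy existed. The two header sets are the article's, trimmed."""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

REVALIDATE_DIRECTIVES = {"no-store", "no-cache", "must-revalidate"}


def parse_headers(raw):
    """Return {lowercase-name: [values...]}, keeping repeated headers in order."""
    headers = {}
    for line in raw.strip().splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue  # status line or non-header text
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def browser_must_revalidate(raw_response, now=None):
    """Return (must_revalidate, reasons); reasons is empty when the cached copy may be reused."""
    now = now or datetime.now(timezone.utc)
    headers = parse_headers(raw_response)
    reasons = []
    for value in headers.get("cache-control", []):
        for directive in value.split(","):
            name = directive.strip().lower().split("=")[0]
            if name in REVALIDATE_DIRECTIVES:
                reasons.append(f"cache-control: {name}")
    if any(v.lower() == "no-cache" for v in headers.get("pragma", [])):
        reasons.append("pragma: no-cache")
    for value in headers.get("expires", []):
        try:
            expires = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            reasons.append("expires: unparseable date (treated as already expired)")
            continue
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            reasons.append(f"expires: {value} is in the past")
    return (bool(reasons), reasons)


# Sample responses: the article's two header sets, trimmed.
KOREAN_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:03:59 GMT
Cache-Control: public
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=UTF-8
"""
MUSIC_RESPONSE = """HTTP/1.1 200 OK
Date: Tue, 21 Jan 2014 06:04:02 GMT
Cache-Control: public
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 21 Jan 2014 06:04:02 GMT
Cache-Control: private, no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=UTF-8
"""

if __name__ == "__main__":
    for label, raw in [("/korean/", KOREAN_RESPONSE), ("/ct/music/", MUSIC_RESPONSE)]:
        must, why = browser_must_revalidate(raw)
        print(label, "revalidates" if must else "may be served from cache", why)
```

A response for which the function returns False is one the block page cannot intercept until the client cache is cleared, which is exactly the /korean/ case above.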
kkondo ‎09-09-2015 12:00 PM
Issue
After loading and installing the PAN-DB license, the URL Database Version remains 0000.00.00.000. When attempting to download the PAN-DB seed database (Device > Licenses > PAN-DB URL Filtering), the "Download Now" link cannot be clicked.
Run the 'show url-cloud status' CLI command to display the URL database version for the device. Normally, the device and cloud URL database versions are close together. However, in this case, "URL database version - device" shows 0000.00.00.000:
> show url-cloud status
PAN-DB URL Filtering License : valid
Current cloud server : s0200
Cloud connection : connected
URL database version - device : 0000.00.00.000
URL database version - cloud : 2014.07.18.426 (last update time 2014/07/18 10:00:00)
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible

Cause
The region setting for PAN-DB was not set correctly during the initial install.

Resolution
Log in to the device CLI and run the commands below to select the region and download the PAN-DB seed database:
> request url-filtering download paloaltonetworks region <region_name>
> request url-filtering download status vendor paloaltonetworks

owner: pmak
pmak ‎09-08-2015 06:21 PM
PAN-DB does have the ability to categorize IP addresses, though the Palo Alto Networks device purposely does so in a limited fashion.

There isn't always a 1:1 mapping between an IP address and an actual host. Given the possibility of differing content, the Palo Alto Networks device does not categorize such addresses, as it may affect policy. For addresses that are a 1:1 mapping, if there is enough content for the Palo Alto Networks device to determine the category, it will. However, note that IP addresses can often change, which is why these need to be refreshed from time to time. Additionally, some sites deliver dynamic content, which also makes it more difficult for the Palo Alto Networks device to determine a category, and is sometimes why they remain unknown.

owner: kwens
‎09-08-2015 07:21 AM
Symptoms
A website partially loads, but components of the website (images, for example) are not loaded. The screenshot below shows that soundcloud.com loaded partially but not fully.

Issue
Websites contain content hosted at different URLs, which can be classified in a category that is not allowed by the URL filtering policy.

Resolution
To resolve this issue, the domain on which the components are hosted needs to be allowed by policy. Here is how to find that information: open the URL logs to see which URL was accessed and blocked. In the screenshot above, a1.sndcdn.com was accessed and blocked (block-url), and the category for that URL is online-music. From there, two things can be done to resolve the issue:
• Change the URL filtering policy to allow online-music
• Add the URL (a1.sndcdn.com in the example) to the allow list (white list), as shown below

owner: kalavi
npare ‎09-07-2015 04:11 AM
Symptoms
Policies are in place to perform URL filtering on one of the virtual wire (vwire) interfaces that traffic goes through, but the firewall does not apply the policy.

Issue
When traffic goes through more than one virtual wire, and one virtual wire has a URL filtering policy while the other(s) do not, the URL filtering policy will not be applied.

Topology example: Ports 1-2 are configured as a virtual wire and a URL filtering policy is in place. Ports 3-4 are configured as a virtual wire and no URL filtering policy is configured. Workstations are connected to port 1 on the firewall; port 2 goes to an internal router, which sends internet-bound traffic to port 3 on the firewall, and port 4 is connected to the internet. This means client connections arrive via port 1, exit port 2 to the router, the router forwards the packets to port 3 on the firewall, and those packets exit port 4 to the internet.

Because ports 3-4 do not have a URL filtering policy configured, the URL filtering policy configured on ports 1-2 will not be applied.

Workaround
Running the configuration command set deviceconfig setting url dynamic-url yes allows the URL category to persist across the different virtual wires, so the URL filtering policy will be applied.

owner: dwhyte
npare ‎09-04-2015 11:23 AM