All sites registering as "unknown"

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

All sites registering as "unknown"

L1 Bithead

Came in today with users screaming that they were getting blocked on all websites.  Finally extracted enough information from them that the category was coming up as “unknown” for all sites…even Google.  Decided it had to be an issue in the URL filtering…updated to latest Brightcloud…no change.

Thought URL cache or dynamic URL cache might be the issue.  SSH-ed into the firewall and issued a clear url-cache all.  That fixed it.  Seems that the URL cache was corrupted.  BTW…I am running 5.0.3 on my PA.

Just thought I would pass that bit of information around in case you encounter that issue, too.

Has anyone else seen this before?

Not Inigo Montoya...you are safe, with or without 6 fingers.
34 REPLIES 34

L5 Sessionator

Hi everyone,

Just a minor update - we're still investigating the root cause of the issue and why it seems to have only affected PAN-OS 5.0.x and not PAN-OS 4.1.x customers (if you're using PAN-OS 4.1 and see this issue, please let us know).  In the meantime, it appears that the key to restoring functionality is to restart the device server - you should not need to clear your entire cache.

More updates as they come.

Thanks,

Doris

L1 Bithead

one of our PAN is using 4.1.9 ....only affected on 1 single domain  detected as unknown Smiley Happy

Not applicable

We are seeing this as well at 5.0.3, clearing the URL cache hasn't fixed anything so we are opening a ticket. We are on Brightcloud 4059, so we are up to date on that.

Hi bmellem,

As mentioned before, please restart your device server in order to resolve this issue. 

Thanks,

Doris

This happened to us today, running 5.0.2. Resetting the cache fixed it. I would like to know the cause when found..

L1 Bithead

below are commands support gave me when I called in with the same issue running 5.0.3.

clear url-cache all

delete dynamic-url host all

debug software restart device-server

configure

set deviceconfig setting url dynamic-url yes

commit

Hi everyone,

The issue stems from a fix we made with content release 363, which was released to address a larger issue regarding how URL categories are saved in PAN-OS.  At the moment, it appears that the bug is limited to the 5.0 codebase.

For those of you who encounter the issue, please follow the steps recommended to re-initiate your device server:

1.  Make sure the latest content is installed ( > release 363)

2.  clear url-cache all

3.  delete dynamic-url host all

4.  debug software restart device-server

5.  configure

6.  set deviceconfig setting url dynamic-url yes

7.  commit

The above steps will help ensure that the list of URL categories are properly initialized in the device server and will prevent further crashes during URL lookups. 

I'd like to thank everyone for their help and patience in resolving this issue.

Thanks,

Doris

Doris,

Some kind of an "this is what we're doing to ensure this doesn't happen again" explanation would be much appreciated... otherwise, what are we as customers expected to do? Only do content updates once a week?

L2 Linker

This is still an issue with us. I verified and entered all commands given by Doris previously. Now not all sites are showing 'unknown'. but sites that I can verify are categorized correctly in Brightcloud are still showing as unknown.  We are running 5.0.2 and are on 364 of the content release.

In addition to the aforementioned problem, we are also seeing a high number of 'not-resolved' sites. Please respond..

cloughr: Just for the record, make sure you contact the support directly at support@paloaltonetworks.com (or whoever you have a supportcontract with) or by phone since this is just a community forum.

But also please return with whatever the support said or helped you with in case there are new findings in this case.

If you're getting category "not-resolved", that usually indicates an issue communicating with the server itself.  As mikand mentioned, please contact Palo Alto Networks Support directly to better troubleshoot and resolve your issue.

I contacted support at the time of posting my original message. The rep spent an hour looking at logs, re-running the commands recommended here, and left me with, "I will research and get back to you". I received one email since, asking for the version of the content release, even though we covered that during the hour session (it's up to date). Bottom line- I have two problems that are not resolved, #1- sites show as 'unknown' even though brightcloud correctly categorizes them; #2- sites show as 'not-resolved' even though brightcloud correctly categorizes them. Prior to last week, this wasn't a problem. I have had to make my environment less secure by allowing these categories. If possible, I would like to escalate case #00126530. I do not have time to waste on someone poking around our firewall making guesses..

Try to disable url cache completely

And then restart device server again

L1 Bithead

Was called by a senior engineer this afternoon.  The issue will be resolved on 5.0.4 due out the 2nd week of April.  No details on actual cause, but at least a date on the new PanOS release.  Since my initial issue, it has not repeated on my PA-500.

Not Inigo Montoya...you are safe, with or without 6 fingers.
  • 14143 Views
  • 34 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!