We're using dynamic URL filtering (i.e. the "cloud" database) within our URL-filtering profiles. Within PAN-OS 4.1 there is now the option to match on URL category within security policies, but no checkbox there to use the Dynamic Filtering. So, if I try to access a URL that's not in the local database, does the firewall still go and query the cloud for that policy?
I think the dynamic filtering is a global option that controls whether or not you want to "leak" to the cloud which URLs your clients are browsing to (along with getting a better hit rate, since the downloadable DB of URL categories is just the top 1000 or similar per category).
But I could agree that it might be a nice feature to be able to do this both globally and at the security rule level. The question then will be, which setting will be the judging one? Will the global setting overrule the local security rule setting, or would the local security rule setting overrule the global setting?
You may have noticed it already, but the aforementioned bug was addressed in the 4.1.3 release, which is now generally available. If you are using URL categories as part of your match criteria and would like to enable dynamic lookups as part of that process, you can use the following CLI command to do so:
set deviceconfig setting url dynamic-url yes
Hope this helps,