From the Experts: URL filtering implementation and troubleshooting

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

From the Experts: URL filtering implementation and troubleshooting

I just wanted to check with anyone that can answer, that when the URL license expires, the whole feature is disabled in PanOS 8.0.1. It used to be different, the URL filtering would still work, but there were no more updates of the database.

 

Thanks!

3 REPLIES 3

L1 Bithead
one of my customer also has the same issue . when two days later than license expired , whole URL profile doesnt work. all web surfing are ok to pass through.

 

@Mauricio_Subieta and @DannyDai

As you probably know, Palo Alto offers two types of URL filtering solutions, PAN-DB and BrightCloud.

   

With PAN-DB:

  • If the license expires for PAN-DB, URL filtering is not enforced:
  • URL categories that are currently in the cache will be used to either block or allow content based on your configuration. Using cached results is a security risk because the categorization information might be stale.
  • URLs that are not in the cache will be categorized as not-resolved and will be allowed.

I personally always recommend to customers PAN-DB instead of BrightCloud. The reason is because PAN-DB has tight integration with WildFire, in order to update URL categories such as: Malware, Phishing, and Hacking. If you are on BrightCloud, you don’t get the benefit of this integration to feed this categories from WildFire.


With BrightCloud:

  • If you are using the BrightCloud database, you can configure the action to take if the URL filtering license expires:
  • Block— Blocks access to all web sites. Upon license expiration, all URLs are blocked, not just the URL categories previously set to block.
  • Allow — Allows access to all web sites. Upon license expiration, all URLs are allowed, not just the URL categories set to allow.

I hope this helps.

 

i think the default use is PAN-DB rather than brightcloud.

 

the experiment shows that if there is no url record on data plane  this url would be allowed. when url license expired Managment plane replication to data plane was disabled . so after the cache on data plane went away , ALL urls check would be disabled / and be allowed to pass the firewall.

 

that is what i saw.

 

you can use CLI command to check

 

show running url xxxxxxx  (for data plane)

test url xxxxxxx (for managment plane)

 

 

 

 

 

  • 3389 Views
  • 3 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!