No url filtering is configured, but show session can see url filtering enable

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

No url filtering is configured, but show session can see url filtering enable

L2 Linker

 Hello 

 

In pan-os 8.1.x, url filtering enable is not configured, but show session can see url filtering enable;

ZhouYu_0-1652194931859.png

policy:

ZhouYu_1-1652194968420.png

Other versions tested pan-os 10.1.x, url filtering fales:

ZhouYu_2-1652195110783.png

 

4 REPLIES 4

Hi @ZhouYu ,

 

"show running security-policy" will not list if any security profile is applied on the rule. The "category" in this output is refering to custom URL category used as matching criteria.

 

Can you please run and provide the output
> configure
# show rulebase security rules test1

 

Cyber Elite
Cyber Elite

@ZhouYu 

 

Do this 

 

> set cli config-output-format set

> configure

 

#show rulebase security rules Mahesh
set rulebase security rules Mahesh to Internal_EXT
set rulebase security rules Mahesh from Internal_INT
set rulebase security rules Mahesh source [ 10.36.121.85 10.36.121.183 ]
set rulebase security rules Mahesh destination any
set rulebase security rules Mahesh source-user coc\mparmar2
set rulebase security rules Mahesh category any
set rulebase security rules Mahesh application any
set rulebase security rules Mahesh service any
set rulebase security rules Mahesh action allow
set rulebase security rules Mahesh profile-setting profiles virus Base
set rulebase security rules Mahesh profile-setting profiles spyware DNS_Security
set rulebase security rules Mahesh profile-setting profiles vulnerability Base
set rulebase security rules Mahesh profile-setting profiles wildfire-analysis Base
set rulebase security rules Mahesh profile-setting profiles url-filtering Base
set rulebase security rules Mahesh log-setting Azure
set rulebase security rules Mahesh source-hip any
set rulebase security rules Mahesh destination-hip any

 

Regards

 

MP

Help the community: Like helpful comments and mark solutions.

ZhouYu_0-1652323625554.png

 

Hello 

I open case today;

=================

According to your captures, we can see below information while running the global counter.

url_db_request -------------- Number os URL database request
url_request_timeout -------------- The url category request is timeout
url_request_pkt_drop -------------- The number of packets get dropped because of waiting for url category request

As per the resolution in KB below, please adjust the value of timeout.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClyeCAC#:~:text=By%20defau....

Moreover, as this PA-5250 appliance subscribes to the license of ‘PAN-DB URL Filtering’, the mechanism of Palo Alto Firewall for layer 7 traffic is always enable the URL filtering to inspect the packets, this is function as designed.

Thanks and please feel free to contact us if you need assistance.

  • 1783 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!