PA-500 Url Filtering

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

PA-500 Url Filtering

L1 Bithead


i have another problem with policies...


I used AD to filter people which can access the appropriate site. 


And I have rule in order:

1. Allow facebook (when I give access to whole facebook application)

2. Allow Youtube (when I use url filtering)


In my opinion when user who is in group allow_facebook and allow_youtube and want to open the facebook site are using first rule and can open the site?


But in my network this user use second rule and he has information about blocked site....


I don't know what I do wrong..


L4 Transporter

check from CLI that said user is really in allow_facebook group if the rule is not applying to him.

L4 Transporter

Is the rule/application it specifically for Facebook-BASE

Does that first rule allow the traffic for another user?

in otherwords can another user from the approved 'AD OU' group get to the site


you want to determine is it a user issue or a security policy issue


When you look in the logs afterward - filter by user name and see which policy that traffic is hitting


L4 Transporter



could you verify this counter

show counter global filter | match url_request_pkt_drop


you obtain something like this

url_request_pkt_drop    334056   10 drop   url   pktproc  


if you have some drop packet it's du to the  waiting time for url categorisation  request


to resolve this

modify this parameter

set deviceconfig setting ctd url-wait-timeout 

and define a value greater than 5 and less than 60


by default panos use a value of 5 s and  the PA-500 is to light to process the categorisation and takeover the limit of 5s

you and increase the capacity of the PA-500 but increase the acceptable time to resolve the query




you can find more info


  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!