URL Filtering Doesn't Work (not-resolved)


L1 Bithead

We faced a problem with URL filtering. While trying to open any site, the PA returns a blocked message and URL category: unknown.

This is the output from CLI:

test url nasa.gov

nasa.gov not-resolved (Base db) expires in 0 seconds
nasa.gov government (Cloud db)

The same output for any site. Resolving works.

ping host nasa.gov
PING nasa.gov (52.0.14.116) 56(84) bytes of data.

I have already re-downloaded the URL DB. The same result.

What could be the problem?

8 REPLIES

L6 Presenter

Hi,

Things to check:

1) Licences

2) reachability: > show url-cloud status

3) active or not: > show system setting url-database

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/url-filtering/troubleshoot-url-filte...

Community Team Member

Can you do 'show url-cloud status' and confirm it is connected?

If not then you might be missing the seed file.

You can download it again using:

request url-filtering download paloaltonetworks region <value>

Make sure you are allowed to download it ... I've seen cases where pan-db application was hitting a deny rule preventing you from downloading the seed file.

I hope this helps,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi

Here is the output from show url-cloud status:

License : valid
Current cloud server : s0100.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 2016.06.28.417
URL database version - cloud : 2016.06.28.417 ( last update time 2016/06/29 12:59:10 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible

Hi,

Please try to clear the cache:

> clear url-cache all

and send the following command output:

> show system resources follow

Monitor for some time and see your CPU% utilisation.

Hi,

Here is the output from show system resources follow:

Cpu(s): 7.1%us, 6.2%sy, 0.0%ni, 82.7%id, 1.0%wa, 0.0%hi, 3.0%si, 0.0%st
Mem: 4056352k total, 3830540k used, 225812k free, 26868k buffers
Swap: 2097080k total, 127940k used, 1969140k free, 2551712k cached

PID  USER PR NI VIRT  RES  SHR  S %CPU %MEM TIME    COMMAND
2511 root 20 0  1851m 1.7g 1.7g S 24.2 43.3 9528:21 pan_task
2514 root 20 0  1779m 1.7g 1.7g S 16.9 43.3 6195:36 pan_task
2515 root 20 0  1779m 1.7g 1.7g S 16.3 43.3 6124:06 pan_task
2516 root 20 0  1779m 1.7g 1.7g S 16.3 43.3 6175:45 pan_task
2517 root 20 0  1779m 1.7g 1.7g R 15.9 43.3 6108:28 pan_task
2512 root 20 0  1779m 1.7g 1.7g S 12.6 43.3 4588:40 pan_task
2513 root 20 0  1779m 1.7g 1.7g S 8.0  43.3 3367:40 pan_task
2509 root 20 0  2321m 1.7g 1.7g S 3.3  44.2 1758:36 pan_comm

Hi hi,

CPU looks ok.

Honestly don't have much experience with PAN-DB. Found another good article:

https://live.paloaltonetworks.com/t5/Management-Articles/Testing-URL-from-the-CLI-Returns-quot-expir...

This might help you

Cyber Elite

Does your management port have an active internet accessible connection at all? It could be that you need to put in service routes to actually get this feature to work properly if you have already verified that your policy set isn't blocking the PA from resolving the address. If you are funneling out service requests from the outside interface you may not actually be allowing the interface a DNS connection.

L5 Sessionator

What is the service route for Palo Alto updates, DNS?

Is the management traffic going through the Palo Alto data interface? If yes, try to create a policy on top to allow the traffic from the management IP and also check if you have a proper NAT rule.

Check if you are able to resolve the domain to an IP or not.
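An added example, not part of any post in this thread: a short Python script that parses the two CLI outputs pasted above and runs the checks the replies suggest (license, cloud connection, database version, protocol compatibility), then flags a base DB result of not-resolved when the cloud DB does return a category. The function names are illustrative, and the parsing assumes the output layout matches what was pasted here.

```python
import re

# Outputs copied from the posts in this thread (not constructed).
CLOUD_STATUS = """\
License : valid
Current cloud server : s0100.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 2016.06.28.417
URL database version - cloud : 2016.06.28.417 ( last update time 2016/06/29 12:59:10 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
"""
TEST_URL = """\
nasa.gov not-resolved (Base db) expires in 0 seconds
nasa.gov government (Cloud db)
"""

def parse_status(text):
    """Turn 'key : value' lines into a dict (split on the first ' : ')."""
    return dict(line.split(" : ", 1) for line in text.splitlines() if " : " in line)

def parse_test_url(text):
    """Map each database name ('Base db', 'Cloud db') to the category it returned."""
    return {db: cat for cat, db in re.findall(r"^\S+\s+(\S+)\s+\(([^)]+)\)", text, re.M)}

def triage(status_text, test_text):
    """Return a list of findings; an empty list means nothing stood out."""
    s, t = parse_status(status_text), parse_test_url(test_text)
    findings = []
    if s.get("License") != "valid":
        findings.append("license not valid")
    if s.get("Cloud connection") != "connected":
        findings.append("cloud not connected: check seed file, service routes, policy")
    dev = s.get("URL database version - device", "")
    cloud = s.get("URL database version - cloud", "").split(" ")[0]
    if dev != cloud:
        findings.append(f"database version mismatch: device {dev}, cloud {cloud}")
    if s.get("Protocol compatibility status") != "compatible":
        findings.append("protocol not compatible")
    base, cl = t.get("Base db"), t.get("Cloud db")
    if base == "not-resolved" and cl not in (None, "not-resolved"):
        findings.append(f"base db not-resolved while cloud db returns '{cl}'")
    return findings
```

Run against the outputs in this thread, every cloud-side check passes and the only finding is the base DB / cloud DB disagreement for nasa.gov.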
