URL Filtering Doesn't Work (not-resolved)

L1 Bithead

We are facing a problem with URL filtering. When trying to open any site, the PA returns a blocked message and URL category: unknown.

This is the output from CLI :

 

test url nasa.gov

nasa.gov not-resolved (Base db) expires in 0 seconds
nasa.gov government (Cloud db)

 

The same output for any site. Resolving works.

ping host nasa.gov
PING nasa.gov (52.0.14.116) 56(84) bytes of data.

I have already re-downloaded the URL DB. The same result.

What could be the problem?

 

L6 Presenter

Hi,

 

Things to check:

 

1) Licences 

2) reachability: > show url-cloud status

3) active or not: > show system setting url-database

 

https://www.paloaltonetworks.com/documentation/60/pan-os/pan-os/url-filtering/troubleshoot-url-filte...

Community Team Member

Can you do 'show url-cloud status' and confirm it is connected?

 

If not then you might be missing the seed file.

 

You can download it again using :

request url-filtering download paloaltonetworks region <value>

 

Make sure you are allowed to download it ... I've seen cases where pan-db application was hitting a deny rule preventing you from downloading the seed file.

 

I hope this helps,

-Kim.

L1 Bithead

Here is the output from show url-cloud status:

 

License : valid
Current cloud server : s0100.urlcloud.paloaltonetworks.com
Cloud connection : connected
Cloud mode : public
URL database version - device : 2016.06.28.417
URL database version - cloud : 2016.06.28.417 ( last update time 2016/06/29 12:59:10 )
URL database status : good
URL protocol version - device : pan/0.0.2
URL protocol version - cloud : pan/0.0.2
Protocol compatibility status : compatible
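
The checks requested in this thread, applied to output in the two formats quoted above (`test url` and `show url-cloud status`), as an added example that is not part of the original posts or of PAN-OS. The function names and the `EXPECTED` table are hypothetical, and the sample text is constructed from the output shown in the thread.

```python
import re
# Constructed sample input in the format of the CLI output quoted in this thread.
SAMPLE_STATUS = """\
License : valid
Cloud connection : connected
URL database version - device : 2016.06.28.417
URL database version - cloud : 2016.06.28.417 ( last update time 2016/06/29 12:59:10 )
URL database status : good
Protocol compatibility status : compatible
"""
SAMPLE_TEST_URL = """\
nasa.gov not-resolved (Base db) expires in 0 seconds
nasa.gov government (Cloud db)
"""
# Assumption: the values in the thread's own status output are the healthy ones.
EXPECTED = {
    "license": "valid",
    "cloud connection": "connected",
    "url database status": "good",
    "protocol compatibility status": "compatible",
}

def parse_status(text):
    """Split 'Field : value' lines into a dict keyed by lower-cased field name."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(" : ")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields

def parse_test_url(text):
    """Map 'base'/'cloud' to the category each 'test url' line reports."""
    pat = re.compile(r"^\S+\s+(\S+)\s+\((Base|Cloud) db\)", re.M)
    return {m.group(2).lower(): m.group(1) for m in pat.finditer(text)}

def findings(status_text, test_url_text):
    """Return a list of human-readable problems; empty means nothing flagged."""
    st = parse_status(status_text)
    out = [f"{k}: expected {want!r}, got {st.get(k)!r}"
           for k, want in EXPECTED.items() if st.get(k) != want]
    dev = (st.get("url database version - device") or "?").split()[0]
    cloud = (st.get("url database version - cloud") or "?").split()[0]
    if dev != cloud:
        out.append(f"database version mismatch: device {dev}, cloud {cloud}")
    cats = parse_test_url(test_url_text)
    if cats.get("base") == "not-resolved" and cats.get("cloud", "not-resolved") != "not-resolved":
        out.append(f"base db not-resolved but cloud db says {cats['cloud']!r}")
    return out
```

On the thread's own output the status fields all pass and the only finding is the Base db / Cloud db disagreement, which matches the symptom being reported.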

L6 Presenter

Hi,

 

Please try to clear the cache:

 

> clear url-cache all

 

and send the following command output:

 

> show system resources follow

 

Monitor for some time and see your CPU% utilisation.

L1 Bithead

Hi,

Here is the output from show system resources follow:

 

Cpu(s): 7.1%us, 6.2%sy, 0.0%ni, 82.7%id, 1.0%wa, 0.0%hi, 3.0%si, 0.0%st
Mem: 4056352k total, 3830540k used, 225812k free, 26868k buffers
Swap: 2097080k total, 127940k used, 1969140k free, 2551712k cached

 PID USER PR NI  VIRT  RES  SHR S %CPU %MEM    TIME COMMAND
2511 root 20  0 1851m 1.7g 1.7g S 24.2 43.3 9528:21 pan_task
2514 root 20  0 1779m 1.7g 1.7g S 16.9 43.3 6195:36 pan_task
2515 root 20  0 1779m 1.7g 1.7g S 16.3 43.3 6124:06 pan_task
2516 root 20  0 1779m 1.7g 1.7g S 16.3 43.3 6175:45 pan_task
2517 root 20  0 1779m 1.7g 1.7g R 15.9 43.3 6108:28 pan_task
2512 root 20  0 1779m 1.7g 1.7g S 12.6 43.3 4588:40 pan_task
2513 root 20  0 1779m 1.7g 1.7g S  8.0 43.3 3367:40 pan_task
2509 root 20  0 2321m 1.7g 1.7g S  3.3 44.2 1758:36 pan_comm

L6 Presenter

Hi hi,

 

CPU looks ok.

 

Honestly don't have much experience with PAN-DB. Found another good article:

 

https://live.paloaltonetworks.com/t5/Management-Articles/Testing-URL-from-the-CLI-Returns-quot-expir...

 

This might help you.

Cyber Elite

Does your management port have an active Internet-accessible connection at all? It could be that you need to put in service routes to actually get this feature to work properly if you have already verified that your policy set isn't blocking the PA from resolving the address. If you are funneling out service requests from the outside interface you may not actually be allowing the interface a DNS connection.

L5 Sessionator

What is the service route for Palo Alto updates, DNS?

Is the management traffic going through the Palo Alto data interface? If yes, try to create a policy on top to allow the traffic from the management IP, and also check if you have a proper NAT rule.

 

Check if you are able to resolve domain to IP or not.