Advanced URL Filtering
Troubleshoot Website Access Issues
Follow these steps to troubleshoot issues related to accessing websites.
Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
End users may encounter issues accessing a website for various reasons, including a
missing URL filtering license, policy rule misconfiguration, PAN-DB connectivity
issues, or miscategorization of a website. Use the following steps to diagnose and
resolve issues with accessing a website.
It's possible the issue may not be URL Filtering related.
The "What to do next" section that follows the steps in this task lists additional
areas in which to focus your troubleshooting.
1. Verify that you have an active Advanced URL Filtering or legacy URL filtering license.
   An active URL filtering license is needed for next-generation firewalls to accurately categorize websites and applications. If you don't have a URL filtering license, then the website access issue is unrelated to URL filtering.
   - Select Device > Licenses and look for the Advanced URL Filtering (or PAN-DB URL Filtering) license. An active license displays an expiration date later than the current date.
   - Alternatively, use the `request license info` CLI command. If the license is active, the interface displays license information, including expiration status: `Expired?: no`.
2. Verify the PAN-DB cloud connection status on your CLI.
   The `Cloud connection:` field should show `connected`. Otherwise, any URL that doesn't exist in the management plane (MP) cache will be categorized as not-resolved and may be blocked by the URL Filtering profile settings in your Security policy rules.
3. Clear the MP and dataplane (DP) cache for the specific URL.
   Clearing the cache can be resource-intensive. Consider clearing the cache during a maintenance window.
   - To clear the MP cache, use the `delete url-database url <affected url>` CLI command.
   - To clear the DP cache, use the `clear url-cache url <affected url>` CLI command.
4. Review the URL filtering logs to verify if the URL category that the website belongs to has been blocked.
   - Select Monitor > URL Filtering.
   - Search for the affected URL, and then select the most recent log entry.
   - Review the Category and Action columns.
     - Has the URL been categorized correctly? Verify its categories using Test A Site, Palo Alto Networks URL category lookup tool. If you still believe the categorization is incorrect, submit a change request.
     - If the Action column displays block-url, then note the name of the Security policy rule associated with the log entry.
5. Review the Security policy rule and update it, if necessary.
   - Select Policies > Security, and select the policy rule with the name you noted in the previous step.
   - Verify that the Security policy rule allows access to the requested URL or its URL category. Look for one of two configurations:
     - URL Category as Match Criteria: Under Service/URL Category, one of the specified categories contains the requested URL. Under Actions, the Action Setting is set to Allow.
     - URL Filtering Profile: Under Actions, the Profile Setting is set to a URL Filtering profile that allows access to the requested URL.
6. Test your Security policy rules.

If the above steps don't highlight or resolve the issue, additional troubleshooting might be required to further isolate the issue. Areas of focus should include:
- Basic IP address connectivity
- Routing configuration
- DNS resolution
- Proxy configuration
- Upstream firewall or inspection devices in the packet path
For intermittent or complex issues, contact Palo Alto Networks support for further assistance.
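
The decision order of the steps above, as an added example that is not part of the original Palo Alto Networks page: a Python helper that reads saved CLI output and an exported URL filtering log and reports which step explains the access issue. All sample data is constructed; the `License entry:` and `Feature:` lines and the CSV column names are assumptions, and only the `Expired?:` and `Cloud connection:` fields come from the page.

```python
import csv
import io
import re

# Constructed sample data (not real firewall output). Only "Expired?:" and
# "Cloud connection:" are named on the page; the other lines are assumed.
LICENSE_OUT = """License entry:
Feature: Threat Prevention
Expired?: yes
License entry:
Feature: Advanced URL Filtering
Expired?: no
"""
CLOUD_OUT = "Cloud connection: connected\n"
# Assumed CSV export of URL filtering logs; column names are hypothetical.
LOG_CSV = """time,url,category,action,rule
2024-05-01 09:00:00,example.test/app,business-and-economy,alert,allow-web
2024-05-01 09:05:00,example.test/app,unknown,block-url,restrict-unknown
2024-05-01 09:06:00,other.test/,news,alert,allow-web
"""

def field(text, name):
    """Return the value of a 'name: value' line in CLI output, or None."""
    m = re.search(r"^\s*" + re.escape(name) + r"\s*:\s*(.+?)\s*$", text, re.M)
    return m.group(1) if m else None

def url_license_active(license_out):
    """True if any URL filtering license entry reports 'Expired?: no'."""
    entries = license_out.split("License entry:")
    return any("URL Filtering" in (field(e, "Feature") or "")
               and field(e, "Expired?") == "no" for e in entries)

def triage(license_out, cloud_out, log_csv, url):
    """Follow the page's order: license, cloud connection, latest log entry."""
    if not url_license_active(license_out):
        return "no active URL filtering license: issue is unrelated to URL filtering"
    if field(cloud_out, "Cloud connection") != "connected":
        return "PAN-DB cloud not connected: uncached URLs may be not-resolved"
    rows = [r for r in csv.DictReader(io.StringIO(log_csv)) if r["url"] == url]
    if not rows:
        return "no log entry: check connectivity, routing, DNS, proxy, upstream devices"
    latest = max(rows, key=lambda r: r["time"])  # timestamps sort as text
    if latest["action"] == "block-url":
        return f"blocked as {latest['category']} by rule {latest['rule']}: review that rule"
    return f"latest action {latest['action']} ({latest['category']}): not blocked by URL filtering"

if __name__ == "__main__":
    print(triage(LICENSE_OUT, CLOUD_OUT, LOG_CSV, "example.test/app"))
```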