Follow these steps troubleshoot issues related to accessing websites.
End users may encounter issues accessing a website for various reasons, including a
missing URL filtering license, policy rule misconfiguration, PAN-DB connectivity
issues, or miscategorization of a website. Use the following steps to diagnose and
resolve issues with accessing a website.
It's possible the issue may not be URL Filtering related.
The "What to do next" section that follows the steps in this task lists additional
areas in which to focus your troubleshooting.
Verify that you have an active Advanced URL Filtering or legacy URL filtering
An active URL filtering license is needed for
next-generation firewalls to accurately categorize websites and
applications. If you don't have a URL filtering license, then the website
access issue is unrelated to URL filtering.
and look for the Advanced URL Filtering (or PAN-DB URL
Filtering) license. An active license displays an expiration date later than
the current date.
Alternatively, use the
request license info
command. If the license is active, the interface displays license
information, including expiration status:
. Otherwise, any URL that doesn't
exist in the management plane (MP) cache will be categorized as
and may be blocked by the URL
Filtering profile settings in your Security policy rules.
Clear the MP and dataplane (DP) cache for the specific URL.
Clearing the cache can be
resource-intensive. Consider clearing the cache during a maintenance
To clear the MP cache, use the
delete url-database url
To clear the DP cache, use the
clear url-cache url
Review the URL filtering logs to verify if the URL category that the website
belongs to has been blocked.
Search for the affected URL, and then select the most recent log
Review the Category and Action columns.
Has the URL been categorized correctly? Verify its categories using
Test A Site, Palo Alto
Networks URL category lookup tool. If you still believe the
categorization is incorrect, submit a change
If the Action column displays
then note the name of the Security policy rule associated with the
Review the Security policy rule and update it, if necessary.
, and select the policy rule with the name you noted in
the previous step.
Verify that the Security policy rule allows access to the requested URL
or its URL category.
Look for one of two configurations:
URL Category as Match Criteria:
, one of the
specified categories contains the requested URL. Under
, the Action Setting is
URL Filtering Profile:
, the Profile Setting is
set to a URL Filtering profile that allows access to the