Focus

Advanced URL Filtering

Troubleshoot Website Access Issues

Table of Contents

Troubleshoot Website Access Issues

Follow these steps troubleshoot issues related to accessing websites.

End users may encounter issues accessing a website for various reasons, including a missing URL filtering license, policy rule misconfiguration, PAN-DB connectivity issues, or miscategorization of a website. Use the following steps to diagnose and resolve issues with accessing a website.

It's possible the issue may not be URL Filtering related. The "What to do next" section that follows the steps in this task lists additional areas in which to focus your troubleshooting.

Verify that you have an active Advanced URL Filtering or legacy URL filtering license.

An active URL filtering license is needed for next-generation firewalls to accurately categorize websites and applications. If you don't have a URL filtering license, then the website access issue is unrelated to URL filtering.

Select

Device

Licenses

and look for the Advanced URL Filtering (or PAN-DB URL Filtering) license. An active license displays an expiration date later than the current date.

Alternatively, use the

request license info

CLI command. If the license is active, the interface displays license information, including expiration status:

Expired?: no

Verify the PAN-DB cloud connection status on your CLI.

The

Cloud connection:

field should show

connected

. Otherwise, any URL that doesn't exist in the management plane (MP) cache will be categorized as

not-resolved

and may be blocked by the URL Filtering profile settings in your Security policy rules.

Clear the MP and dataplane (DP) cache for the specific URL.

Clearing the cache can be resource-intensive. Consider clearing the cache during a maintenance window.

To clear the MP cache, use the

delete url-database url <affected url>

CLI command.

To clear the DP cache, use the

clear url-cache url <affected url>

CLI command.

Review the URL filtering logs to verify if the URL category that the website belongs to has been blocked.

Select

Monitor

URL Filtering

Search for the affected URL, and then select the most recent log entry.

Review the Category and Action columns.

Has the URL been categorized correctly? Verify its categories using Test A Site, Palo Alto Networks URL category lookup tool. If you still believe the categorization is incorrect, submit a change request.

If the Action column displays

block-url

, then note the name of the Security policy rule associated with the log entry.

Review the Security policy rule and update it, if necessary.

Select

Policies

Security

, and select the policy rule with the name you noted in the previous step.

Verify that the Security policy rule allows access to the requested URL or its URL category.

Look for one of two configurations:

URL Category as Match Criteria:
Under

Service/URL Category

, one of the specified categories contains the requested URL. Under

Actions

, the Action Setting is set to

Allow

URL Filtering Profile:
Under

Actions

, the Profile Setting is set to a URL Filtering profile that allows access to the requested URL.

Test your Security policy rules.

If the above steps don't highlight or resolve the issue, additional troubleshooting might be required to further isolate the issue. Areas of focus should include:

Basic IP address connectivity

Routing configuration

DNS resolution

Proxy configuration

Upstream firewall or inspection devices in the packet path

For intermittent or complex issues, contact Palo Alto Networks support for further assistance.