Troubleshoot Website Access Issues

Advanced URL Filtering

Troubleshoot Website Access Issues

Table of Contents
End-of-Life (EoL)

Troubleshoot Website Access Issues

Follow these steps troubleshoot issues related to accessing websites.
End users may encounter issues accessing a website for various reasons, including a missing URL filtering license, policy rule misconfiguration, PAN-DB connectivity issues, or miscategorization of a website. Use the following steps to diagnose and resolve issues with accessing a website.
It's possible the issue may not be URL Filtering related. The "What to do next" section that follows the steps in this task lists additional areas in which to focus your troubleshooting.
  1. Verify that you have an active Advanced URL Filtering or legacy URL filtering license.
    An active URL filtering license is needed for next-generation firewalls to accurately categorize websites and applications. If you don't have a URL filtering license, then the website access issue is unrelated to URL filtering.
    and look for the Advanced URL Filtering (or PAN-DB URL Filtering) license. An active license displays an expiration date later than the current date.
    Alternatively, use the
    request license info
    CLI command. If the license is active, the interface displays license information, including expiration status:
    Expired?: no
  2. The
    Cloud connection:
    field should show
    . Otherwise, any URL that doesn't exist in the management plane (MP) cache will be categorized as
    and may be blocked by the URL Filtering profile settings in your Security policy rules.
  3. Clear the MP and dataplane (DP) cache for the specific URL.
    Clearing the cache can be resource-intensive. Consider clearing the cache during a maintenance window.
    1. To clear the MP cache, use the
      delete url-database url <
      affected url
      CLI command.
    2. To clear the DP cache, use the
      clear url-cache url <
      affected url
      CLI command.
  4. Review the URL filtering logs to verify if the URL category that the website belongs to has been blocked.
    1. Select
      URL Filtering
    2. Search for the affected URL, and then select the most recent log entry.
    3. Review the Category and Action columns.
      Has the URL been categorized correctly? Verify its categories using Test A Site, Palo Alto Networks URL category lookup tool. If you still believe the categorization is incorrect, submit a change request.
      If the Action column displays
      , then note the name of the Security policy rule associated with the log entry.
  5. Review the Security policy rule and update it, if necessary.
    1. Select
      , and select the policy rule with the name you noted in the previous step.
    2. Verify that the Security policy rule allows access to the requested URL or its URL category.
      Look for one of two configurations:
      • URL Category as Match Criteria:
        Service/URL Category
        , one of the specified categories contains the requested URL. Under
        , the Action Setting is set to
      • URL Filtering Profile:
        , the Profile Setting is set to a URL Filtering profile that allows access to the requested URL.
If the above steps don't highlight or resolve the issue, additional troubleshooting might be required to further isolate the issue. Areas of focus should include:
  • Basic IP address connectivity
  • Routing configuration
  • DNS resolution
  • Proxy configuration
  • Upstream firewall or inspection devices in the packet path
For intermittent or complex issues, contact Palo Alto Networks support for further assistance.

Recommended For You