Troubleshoot Website Access Issues

1. Verify that you have an active Advanced URL Filtering or legacy URL filtering license.

   An active URL filtering license is needed for next-generation firewalls to accurately categorize websites and applications. If you don't have a URL filtering license, then the website access issue is unrelated to URL filtering.

   Select DeviceLicenses and look for the Advanced URL Filtering (or PAN-DB URL Filtering) license. An active license displays an expiration date later than the current date.

   Alternatively, use the request license info CLI command. If the license is active, the interface displays license information, including expiration status: Expired?: no.
2. Verify the PAN-DB cloud connection status on your CLI.

   The Cloud connection: field should show connected. Otherwise, any URL that doesn't exist in the management plane (MP) cache will be categorized as not-resolved and may be blocked by the URL Filtering profile settings in your Security policy rules.
3. Clear the MP and dataplane (DP) cache for the specific URL.

   Clearing the cache can be resource-intensive. Consider clearing the cache during a maintenance window.

   1. To clear the MP cache, use the delete url-database url <affected url> CLI command.
   2. To clear the DP cache, use the clear url-cache url <affected url> CLI command.
4. Review the URL filtering logs to verify if the URL category that the website belongs to has been blocked.

   1. Select MonitorURL Filtering.
   2. Search for the affected URL, and then select the most recent log entry.
   3. Review the Category and Action columns.

      Has the URL been categorized correctly? Verify its categories using Test A Site, Palo Alto Networks URL category lookup tool. If you still believe the categorization is incorrect, submit a change request.

      If the Action column displays block-url, then note the name of the Security policy rule associated with the log entry.
5. Review the Security policy rule and update it, if necessary.

   1. Select PoliciesSecurity, and select the policy rule with the name you noted in the previous step.
   2. Verify that the Security policy rule allows access to the requested URL or its URL category.

      Look for one of two configurations:

      • URL Category as Match Criteria: Under Service/URL Category, one of the specified categories contains the requested URL. Under Actions, the Action Setting is set to Allow.
      • URL Filtering Profile: Under Actions, the Profile Setting is set to a URL Filtering profile that allows access to the requested URL.
6. Test your Security policy rules.