>
    Troubleshoot Website Access Issues
    Focus
    Download PDF
    Focus
    1. Home
    2. Advanced URL Filtering
    3. Troubleshooting
    4. Troubleshoot Website Access Issues
    Download PDF
    Advanced URL Filtering

    Troubleshoot Website Access Issues

    Table of Contents

    Troubleshoot Website Access Issues

    Follow these steps troubleshoot issues related to accessing websites.
    Where can I use this?
    What do I need?
    • NGFW (PAN-OS or Panorama Managed)
    Note:
    Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
    End users may encounter issues accessing a website for various reasons, including a missing URL filtering license, policy rule misconfiguration, PAN-DB connectivity issues, or miscategorization of a website. Use the following steps to diagnose and resolve issues with accessing a website.
    It's possible the issue may not be URL Filtering related. The "What to do next" section that follows the steps in this task lists additional areas in which to focus your troubleshooting.
    1. Verify that you have an active Advanced URL Filtering or legacy URL filtering license.
      An active URL filtering license is needed for next-generation firewalls to accurately categorize websites and applications. If you don't have a URL filtering license, then the website access issue is unrelated to URL filtering.
      Select
      Device
      Licenses
       and look for the Advanced URL Filtering (or PAN-DB URL Filtering) license. An active license displays an expiration date later than the current date.
      Alternatively, use the
      request license info
       CLI command. If the license is active, the interface displays license information, including expiration status:
      Expired?: no
      .
    2. The
      Cloud connection:
       field should show
      connected
      . Otherwise, any URL that doesn't exist in the management plane (MP) cache will be categorized as
      not-resolved
       and may be blocked by the URL Filtering profile settings in your Security policy rules.
    3. Clear the MP and dataplane (DP) cache for the specific URL.
      Clearing the cache can be resource-intensive. Consider clearing the cache during a maintenance window.
      1. To clear the MP cache, use the
        delete url-database url <
        affected url
        >
         CLI command.
      2. To clear the DP cache, use the
        clear url-cache url <
        affected url
        >
         CLI command.
    4. Review the URL filtering logs to verify if the URL category that the website belongs to has been blocked.
      1. Select
        Monitor
        URL Filtering
        .
      2. Search for the affected URL, and then select the most recent log entry.
      3. Review the Category and Action columns.
        Has the URL been categorized correctly? Verify its categories using Test A Site, Palo Alto Networks URL category lookup tool. If you still believe the categorization is incorrect, submit a change request.
        If the Action column displays
        block-url
        , then note the name of the Security policy rule associated with the log entry.
    5. Review the Security policy rule and update it, if necessary.
      1. Select
        Policies
        Security
        , and select the policy rule with the name you noted in the previous step.
      2. Verify that the Security policy rule allows access to the requested URL or its URL category.
        Look for one of two configurations:
        • URL Category as Match Criteria:
           Under
          Service/URL Category
          , one of the specified categories contains the requested URL. Under
          Actions
          , the Action Setting is set to
          Allow
          .
        • URL Filtering Profile:
           Under
          Actions
          , the Profile Setting is set to a URL Filtering profile that allows access to the requested URL.
    If the above steps don't highlight or resolve the issue, additional troubleshooting might be required to further isolate the issue. Areas of focus should include:
    • Basic IP address connectivity
    • Routing configuration
    • DNS resolution
    • Proxy configuration
    • Upstream firewall or inspection devices in the packet path
    For intermittent or complex issues, contact Palo Alto Networks support for further assistance.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.