URLs Classified as Not-Resolved
Focus
Focus
Advanced URL Filtering

URLs Classified as Not-Resolved

Table of Contents

URLs Classified as Not-Resolved

Follow these steps to troubleshoot URLs classified as not-resolved. Not-resolved designation typically signals PAN-DB cloud connectivity issues.
Where can I use this?
What do I need?
  • NGFW (PAN-OS or Panorama Managed)
Note:
Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported.
URLs are classified as
not-resolved
if your firewall cannot connect to the PAN-DB URL filtering cloud service to perform lookups, or if PAN-DB takes too long to respond to URL queries. The cloud connection status and URL classification does not apply to expired subscription licenses or unlicensed users. For a detailed explanation of the URL categorization process, see How URL Filtering Works.
Use the following workflow to troubleshoot why some or all of the URLs being identified by PAN-DB are classified as Not-resolved:
  1. Check the PAN-DB cloud connection by running the
    show url-cloud status
    CLI command.
    The
    Cloud connection:
    field should show
    connected
    . If you see anything other than
    connected
    , then any URL that does not exist in the management plane cache will be categorized as
    not-resolved
    . To resolve this issue, see PAN-DB Cloud Connectivity Issues.
  2. If the cloud connection status shows
    connected
    , check the current utilization of the firewall.
    If firewall utilization is spiking, URL requests may be dropped (may not reach the management plane) and will be categorized as
    not-resolved
    .
    To view system resources, run the
    show system resources
    CLI command. Then, view the
    %CPU
    and
    %MEM
    columns.
    You can also view system resources on the System Resources widget on the
    Dashboard
    in the web interface.
  3. Consider increasing the
    Category lookup timeout (sec)
    value.
    Increasing the category lookup timeout value improves the likelihood that the URL category gets resolved and reduces the frequency of
    not-resolved
    URLs in logs.
    1. Select
      Device
      Setup
      Content-ID
      and edit the URL Filtering settings.
    2. Click
      OK
      and
      Commit
      your changes.
      You can also update the value using the
      set deviceconfig setting ctd url-wait-timeout
      CLI command.
  4. If the problem persists, contact Palo Alto Networks support.

Recommended For You