How URL Filtering Works

URL filtering works by checking the websites users want to access against, in order, custom URL lists or categories, the dataplane cache, the management plane cache, and finally PAN-DB.
PAN-DB, the URL Filtering cloud database, classifies websites based on site content, features, and safety. A URL can have up to four URL categories, including risk categories (high, medium, and low) that indicate the likelihood that the site will expose you to threats. As PAN-DB categorizes sites, firewalls with URL Filtering enabled can leverage that knowledge in real time to enforce security policy.
When a user accesses a URL that's not cached, the firewall checks PAN-DB for the site's category and saves it. As the firewall saves new entries, it removes URLs that users have not accessed recently so that the cache accurately reflects the traffic in your network.
When the firewall checks PAN-DB for a URL, it also looks for critical updates, such as URLs that previously qualified as benign but are now malicious. Every 30 minutes, the firewall checks PAN-DB for such updates.
If you believe PAN-DB has incorrectly categorized a site, you can submit a URL category change request in your browser through Test A Site or directly from the firewall logs.
Did you know?
Technically, the firewall caches URLs on both the management plane and the dataplane:
  • PAN-OS 9.0 and later releases do not download PAN-DB seed databases. Instead, upon activation of the URL filtering license, the firewall populates the cache as URL queries are made.
  • The management plane holds more URLs and communicates directly with PAN-DB. When the firewall cannot find a URL’s category in the cache and performs a lookup in PAN-DB, it caches the retrieved category information in the management plane. The management plane passes that information along to the dataplane, which also caches it and uses it to enforce policy.
  • The dataplane holds fewer URLs and receives information from the management plane. After the firewall checks URL category exception lists and custom URL categories for a URL, the next place it looks is the dataplane. Only if the firewall cannot find the URL categorized in the dataplane does it check the management plane and, if the category information is not there, PAN-DB.
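The lookup order and cache behavior described above can be modeled as follows. This is an added illustration, not PAN-OS code: the class names, cache sizes, the `"unknown"` fallback, and the sample URLs and categories are assumptions, and the 30-minute critical-update check is not modeled.

```python
from collections import OrderedDict

class LRUCache:
    """Fixed-size cache that evicts the URL accessed least recently."""
    def __init__(self, capacity):
        self.capacity = capacity
        self.entries = OrderedDict()

    def get(self, url):
        if url not in self.entries:
            return None
        self.entries.move_to_end(url)          # mark as recently accessed
        return self.entries[url]

    def put(self, url, categories):
        self.entries[url] = categories
        self.entries.move_to_end(url)
        while len(self.entries) > self.capacity:
            self.entries.popitem(last=False)   # drop the stalest entry

class UrlLookupModel:
    def __init__(self, custom, cloud, dp_size=2, mp_size=4):
        self.custom = custom                 # exception lists / custom URL categories
        self.cloud = cloud                   # stand-in for PAN-DB (constructed data)
        self.dataplane = LRUCache(dp_size)   # holds fewer URLs
        self.mgmt = LRUCache(mp_size)        # holds more URLs, talks to the cloud
        self.cloud_queries = 0

    def categorize(self, url):
        """Return (categories, source) using the lookup order on this page."""
        if url in self.custom:
            return self.custom[url], "custom"
        cats = self.dataplane.get(url)
        if cats is not None:
            return cats, "dataplane"
        cats, source = self.mgmt.get(url), "management-plane"
        if cats is None:                     # last resort: query the cloud
            self.cloud_queries += 1
            cats = self.cloud.get(url, ["unknown"])   # assumed fallback label
            self.mgmt.put(url, cats)
            source = "pan-db"
        self.dataplane.put(url, cats)        # management plane feeds the dataplane
        return cats, source

# Constructed sample data, not real PAN-DB categorizations.
CLOUD = {"a.example": ["news", "low-risk"], "b.example": ["shopping", "low-risk"],
         "c.example": ["malware"]}
CUSTOM = {"intranet.example": ["corp-allowed"]}
```

With a two-entry dataplane cache, a URL pushed out of the dataplane by newer traffic is still answered from the management plane without another cloud query.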
