PAN-DB—the URL Filtering cloud database—classifies websites based
on site content, features, and safety. A URL can have up to four
URL categories, including risk categories (high,
medium, and low) that indicate the likelihood that the site will
expose you to threats. As PAN-DB categorizes sites, firewalls with
URL Filtering enabled can leverage that knowledge in real-time to enforce
When you first activate your license on the firewall, PAN-DB
delivers a set of commonly accessed URLs and their categories to
the firewall. Then, when a user accesses a URL that’s not cached,
the firewall checks PAN-DB for the site’s category and saves it.
As the firewall saves new entries, it removes URLs that users have
not accessed recently so that it accurately reflects the traffic
in your network.
When the firewall checks PAN-DB for a URL, it also looks for
critical updates, such as URLs that previously qualified as benign
but are now malicious. Every 30 minutes, the firewall checks PAN-DB
for such updates.
firewall caches URLs on both the management plane and the dataplane:
The management plane holds more URLs and communicates directly
with PAN-DB. When the firewall cannot find a URL’s category in the cache
and performs a lookup in PAN-DB, it caches the retrieved category
information in the management plane. The management plane passes
that information along to the dataplane, which also caches it and
uses it to enforce policy.
The dataplane holds fewer URLs and receives information from
the management plane. After the firewall checks URL category exception lists and custom URL categories for
a URL, the next place it looks is the dataplane. Only if the firewall
cannot find the URL categorized in the dataplane does it check the
management plane and, if the category information is not there,