© Palo Alto Networks, Inc.
PAN-OS 6.1 Administrator’s Guide • 423
Troubleshoot URL Filtering
The following table describes procedures that you can use to resolve issues based on the output of the show
url-cloud status command, how to ping the URL cloud servers, and what to check if the firewall is in a High
Availability (HA) configuration.
URLs Classified as Not-Resolved
The following table describes procedures you can use to resolve issues where some or all of the URLs being
identified by PAN-DB are classified as Not-resolved:
Troubleshoot Cloud Connectivity Issues
• PAN-DB URL Filtering license field shows invalid—Obtain and install a valid PAN-DB license.
• URL database status is out of date—Download a new seed database by running the following command:
admin@pa-200> request url-filtering download paloaltonetworks region <region>
• URL protocol version shows not compatible—Upgrade PAN-OS to the latest version.
• Attempt to ping the PAN-DB cloud server from the firewall by running the following command:
admin@pa-200> ping source <ip-address> host s0000.urlcloud.paloaltonetworks.com
For example, if your management interface IP address is 10.1.1.5, run the following command:
admin@pa-200> ping source 10.1.1.5 host s0000.urlcloud.paloaltonetworks.com
• If the firewall is in an HA configuration, verify that the HA state of the devices supports connectivity to the cloud
systems. You can determine the HA state by running the following command:
admin@pa-200> show high-availability state
Connection to the cloud will be blocked if the firewall is not in one of the following states:
If the problem persists, contact Palo Alto Networks support.
Troubleshoot URLs Classified as Not-Resolved
1. Check the PAN-DB cloud connection by running the following command:
admin@PA-200> show url-cloud status
The Cloud connection: field should show connected. If you see anything other than connected, any URL that do
not exist in the management plane cache will be categorized as not-resolved. To resolve this issue, see PAN-DB
Cloud Connectivity Issues.
2. If the cloud connection status shows connected, check the current utilization of the firewall. If the firewall’s
performance is spiking, URL requests may be dropped (may not reach the management plane), and will be
categorized as not-resolved.
To view system resources, run the following command and view the %CPU and %MEM columns:
admin@PA-200> show system resources
You can also view system resources from the firewall’s web interfaces by clicking the
3. If the problem persist, contact Palo Alto Networks support.
Copyright © 2007-2015 Palo Alto Networks