Palo Alto: url Filtering Updates Delayed by Days

Updates in url filtering may be delayed by days in application to sessions

Updates to url categorization and blocks do not immediately apply to all urls being filtered.  The local cache on the Palo Alto firewall keeps the categorization and action for a url for the time period specified in the cache option.

By default this is set to one week.

The url cache can take time to refresh depending on the frequency of the specific url affected by the update.  If the url was recently cached then it would be several days before the new categorization was refreshed.

Resolution:

Change the cache period in the url filtering options box.  In general this should be set to the same time period as the update cycle.  The one week update cycle matches the one week cache time.  When more frequent updates are retrieved the cache period should be lowered to match.

This may also be lowered even with longer update cycles to prevent delays in application of updates.

Lowering the cache hold will increase the number of requests out of the Palo Alto to get updated information on a url.  In some high volume situations this may not be desirable.

Option Location:

 Device Tab — Setup Menu — Content ID tab — URL filtering options box

Originally Posted November 24, 2013
Last Revised on November 24, 2013