https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236153#M6212 <P>are the log entires you are seeing actual proper traffic (ssl/web-browsing,.. app-id, normal session end etc) or are these incomplete app-id sessions?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>these types of rules need to accept all web traffic in order for the firewall to be able to determine the url category (seen in the SNI of http GET typically) which means that at least 4 to 5 packets need to flow through that rule before it is able to determine if it should keep this session (category match) or release this session (no category match, security rule lookup for better match)</P> <P>&nbsp;</P> <P>what happens if this is a 'rogue' session that is either broken (e.g. server stops responding) or 'abnormal' (url category not found before session already ended by server/client, early RST,.....) that the session dies before it can match a different more accurate rule so the log entry is written with the last rule that session hit before ending</P> <P>&nbsp;</P> <P>rules with only URL category have a high catch rate for bad or broken sessions so there will be lots of logs that mysteriously seem to hit this rule</P> Mon, 18 Aug 2025 09:26:52 GMT reaper 2025-08-18T09:26:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1235959#M6194 <P>We have several policies that permit traffic to 80/443 with no specific destination address, but with a URL category set for a specific URL.&nbsp; For example, we have a post-rule for VPN users to access our internal Splunk server via the URL.</P> <P>&nbsp;</P> <P>The issue I'm seeing is that I am trying to connect to another device using <A href="https://ipaddress" target="_blank">https://ipaddress </A>and the traffic is hitting our Splunk URL rule.</P> <P>&nbsp;</P> <P>This is not the only URL Category rule we have.&nbsp; I've also seen traffic hit a pre-rule we have using a URL Category.</P> <P>&nbsp;</P> <P>Has anyone experienced this?&nbsp; Is there a good solution?</P> Wed, 13 Aug 2025 17:34:20 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1235959#M6194 jwill2 2025-08-13T17:34:20Z https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236153#M6212 <P>are the log entires you are seeing actual proper traffic (ssl/web-browsing,.. app-id, normal session end etc) or are these incomplete app-id sessions?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>these types of rules need to accept all web traffic in order for the firewall to be able to determine the url category (seen in the SNI of http GET typically) which means that at least 4 to 5 packets need to flow through that rule before it is able to determine if it should keep this session (category match) or release this session (no category match, security rule lookup for better match)</P> <P>&nbsp;</P> <P>what happens if this is a 'rogue' session that is either broken (e.g. server stops responding) or 'abnormal' (url category not found before session already ended by server/client, early RST,.....) that the session dies before it can match a different more accurate rule so the log entry is written with the last rule that session hit before ending</P> <P>&nbsp;</P> <P>rules with only URL category have a high catch rate for bad or broken sessions so there will be lots of logs that mysteriously seem to hit this rule</P> Mon, 18 Aug 2025 09:26:52 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236153#M6212 reaper 2025-08-18T09:26:52Z https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236172#M6215 <P>Looking at the traffic log, the traffic is showing as incomplete and aged out.&nbsp; I will have to try to replicate it and pull a packet capture to get more information</P> Mon, 18 Aug 2025 14:23:06 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236172#M6215 jwill2 2025-08-18T14:23:06Z https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236504#M6235 <P>sounds like what i described, and expected behavior</P> Fri, 22 Aug 2025 08:54:59 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/traffic-hits-policy-with-url-category-even-though-the-traffic-is/m-p/1236504#M6235 reaper 2025-08-22T08:54:59Z