https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/450229#M1400 <P>Thank you for posting question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165087">@tamilvanan</a></P><P>&nbsp;</P><P>Since your EDL type is URL, I would recommend to check URL logs instead of Traffic logs.</P><P>&nbsp;</P><P>Coming back to your question, could you please elaborate how you applied EDL? Did you add the block URL EDL directly under: Security Policy Rule &gt; Service/URL Category or did you add under:&nbsp;Security Policy Rule &gt; Profile Setting &gt; URL Filtering / Group Profile?</P><P>&nbsp;</P><P>If you applied it directly under&nbsp;Service/URL Category, then match against URL, will be blocked directly under security policy and you should see it in the Traffic log as being blocked. If you see this as allowed in the log, could you check more details under: Detailed Log View?</P><P>&nbsp;</P><P>If you have applied it under:&nbsp;URL Filtering / Group Profile, then in Traffic log, you should see the result of policy being evaluated against 6 tuple. If the result is allow, then you will see this traffic being allowed in Traffic log, but as a subject of L7 processing under URL filtering in&nbsp;URL Filtering / Group Profile, the result in URL log will be block-url if there is a match.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Mon, 29 Nov 2021 23:37:23 GMT PavelK 2021-11-29T23:37:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/450089#M1398 <P>Hi Team,</P><P>&nbsp;</P><P>We had configured an EDL today with URL list and created an security policy and applied it for an specific source IP address.</P><P>&nbsp;</P><P>We had tried to access an URL in the EDL list and the website is not loading on the PC.</P><P>&nbsp;</P><P>When checking the Traffic logs with source and destination IP some traffic is being blocked through desired policy. But some traffic is being allowed.</P><P>&nbsp;</P><P>Is this an expected behaviour when comes to URL based blocking as the firewall will allow TCP handshake and the initial SSL/TLS handshake</P> Mon, 29 Nov 2021 17:12:56 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/450089#M1398 tamilvanan 2021-11-29T17:12:56Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/450229#M1400 <P>Thank you for posting question&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165087">@tamilvanan</a></P><P>&nbsp;</P><P>Since your EDL type is URL, I would recommend to check URL logs instead of Traffic logs.</P><P>&nbsp;</P><P>Coming back to your question, could you please elaborate how you applied EDL? Did you add the block URL EDL directly under: Security Policy Rule &gt; Service/URL Category or did you add under:&nbsp;Security Policy Rule &gt; Profile Setting &gt; URL Filtering / Group Profile?</P><P>&nbsp;</P><P>If you applied it directly under&nbsp;Service/URL Category, then match against URL, will be blocked directly under security policy and you should see it in the Traffic log as being blocked. If you see this as allowed in the log, could you check more details under: Detailed Log View?</P><P>&nbsp;</P><P>If you have applied it under:&nbsp;URL Filtering / Group Profile, then in Traffic log, you should see the result of policy being evaluated against 6 tuple. If the result is allow, then you will see this traffic being allowed in Traffic log, but as a subject of L7 processing under URL filtering in&nbsp;URL Filtering / Group Profile, the result in URL log will be block-url if there is a match.</P><P>&nbsp;</P><P>Kind Regards</P><P>Pavel</P> Mon, 29 Nov 2021 23:37:23 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/450229#M1400 PavelK 2021-11-29T23:37:23Z https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/452673#M1411 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/192693">@PavelK</a>&nbsp;.</P><P>&nbsp;</P><P>Thanks for your inputs.</P><P>&nbsp;</P><P>I am going through the documentations and my understanding from those documentations is that the firewall handles HTTP and HTTPS traffic differently.</P><P>&nbsp;</P><P>For HTTP traffic the firewall allow till the GET packet to identify the HTTP website the user is trying to access and blocks the HTTP site. So the initial packets will be allowed.</P><P>&nbsp;</P><P>Same for HTTPS site the firewall will allow the traffic of TCP handshake , SSL/TLS handshake and then once the firewall get the Certificate it will look into the CN name of the certificate and will block that session. So we will see few packets going out to the websites when we filter on traffic log using the website IP address.</P><P>&nbsp;</P><P>This is my understanding</P> Sat, 11 Dec 2021 09:51:57 GMT https://live.paloaltonetworks.com/t5/advanced-threat-prevention/firewall-is-allowing-certain-packets-through-different-policy-in/m-p/452673#M1411 tamilvanan 2021-12-11T09:51:57Z