<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Adding URLs to an allow category caused some connections to be blocked in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443766#M100255</link>
    <description>&lt;P&gt;Yes there is return traffic, however only a handful of packets so it doesn't appear as if much information passed in these connections. The successful SSL connections pass many more bytes and packets. And the incomplete connections only start appearing when those extra URLs are added, and SSL ones start getting blocked. The policies did not change and while in a broken state I did a test policy match and that traffic should have hit our rule... but it just didn't. These particular clients are configured to reach out to a specific URL, the URLs that were added that broke it did not modify or overlap with this URL. The added URLs were mostly shopping/sports sites.&lt;/P&gt;</description>
    <pubDate>Wed, 27 Oct 2021 13:19:09 GMT</pubDate>
    <dc:creator>bafergel</dc:creator>
    <dc:date>2021-10-27T13:19:09Z</dc:date>
    <item>
      <title>Adding URLs to an allow category caused some connections to be blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443565#M100236</link>
      <description>&lt;P&gt;We added additional URLs to an existing custom url category and on our URL filtering profile, it is set to alert. These additional URLs are completely unrelated to the connection that started to fail. And as soon as we reverted those changes things began working just as they had before. We checked the URL filtering logs and nothing was being blocked on this connection. It wouldn't drop every connection either, so for example we have a client that was reaching out to a certain IP on the internet on 443. Some were blocked by the default block rule with an application on SSL and others were allowed with an application of incomplete on the rule the traffic should be hitting (they both had the destination of the same IP). But again once we removed those seemingly unrelated URLs from the category everything was again allowed and registered as SSL.&lt;/P&gt;</description>
      <pubDate>Tue, 26 Oct 2021 20:27:40 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443565#M100236</guid>
      <dc:creator>bafergel</dc:creator>
      <dc:date>2021-10-26T20:27:40Z</dc:date>
    </item>
    <item>
      <title>Re: Adding URLs to an allow category caused some connections to be blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443591#M100237</link>
      <description>&lt;P&gt;“Incomplete” session means traffic is not able to complete the TCP 3-way handshake, or maybe there is insufficient data transfer.&lt;/P&gt;</description>
      <pubDate>Tue, 26 Oct 2021 21:15:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443591#M100237</guid>
      <dc:creator>Dalidali</dc:creator>
      <dc:date>2021-10-26T21:15:13Z</dc:date>
    </item>
    <item>
      <title>Re: Adding URLs to an allow category caused some connections to be blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443660#M100243</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/176243"&gt;@bafergel&lt;/a&gt;,&lt;/P&gt;
&lt;P&gt;Without knowing what you actually did and seeing exactly what you were trying to do, this is going to be difficult to troubleshoot. &lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179358"&gt;@Dalidali&lt;/a&gt; is correct in the fact that incomplete simply means that not enough traffic was passed for app-id to identify the application. When you look in the detailed log entry for the incomplete traffic, are you actually recording return traffic?&lt;/P&gt;</description>
      <pubDate>Wed, 27 Oct 2021 01:45:57 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443660#M100243</guid>
      <dc:creator>BPry</dc:creator>
      <dc:date>2021-10-27T01:45:57Z</dc:date>
    </item>
    <item>
      <title>Re: Adding URLs to an allow category caused some connections to be blocked</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443766#M100255</link>
      <description>&lt;P&gt;Yes there is return traffic, however only a handful of packets so it doesn't appear as if much information passed in these connections. The successful SSL connections pass many more bytes and packets. And the incomplete connections only start appearing when those extra URLs are added, and SSL ones start getting blocked. The policies did not change and while in a broken state I did a test policy match and that traffic should have hit our rule... but it just didn't. These particular clients are configured to reach out to a specific URL, the URLs that were added that broke it did not modify or overlap with this URL. The added URLs were mostly shopping/sports sites.&lt;/P&gt;</description>
      <pubDate>Wed, 27 Oct 2021 13:19:09 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/adding-urls-to-an-allow-category-caused-some-connections-to-be/m-p/443766#M100255</guid>
      <dc:creator>bafergel</dc:creator>
      <dc:date>2021-10-27T13:19:09Z</dc:date>
    </item>
  </channel>
</rss>

