If you are only using custom categories or the allow/block list, you can do this without having a URL filtering license. The "test url" CLI command queries the cloud and the on-device database for a URL category, which means that you must have a URL filtering license in order to use that command. So for Brinkman's case where he's only using the custom category, this CLI command is not applicable.
Brinkman, when you created your custom category, did you also attach it to a URL filtering object and attach that to your security policy? From your description, it sounds like there's no URL filtering profile that's getting applied with the block.
You can use a URL filtering profile, but you can only use the allow/block list and custom category portion of a profile - you cannot use any of the categories that are provided to you without a URL filtering license.
Since you know what websites you want to specifically allow, you can just add those specific IP's to an Address Group. Then change your first security rule and add that new address group to the list of destinations instead of the any option.
The problem with that is I have 8-10 sites that each use between 40-50 IP addresses and can have new ones added as the load increases on them, so I would have a situation where everything could work one day and then the next I would start to see random blocks because they added a new server that isn't in my IP list.
URL filtering enabled : True
You can remove the profile altogether or adjust URL filters accordingly
URL filtering matches in following order.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!