I am seeing a pattern where I observe an http_category in my pan:traffic logs where log_subtype=end but there is no dest_hostname or URL. Is it possible that Palo is classifying based on IP address? We are not decrypting SSL traffic in this instance and I see no other corresponding logs for the same traffic (pan:threat).
could you provide a screenshot?
sessions toward an IP address that have url filtering enabled will also be checked against the url database
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The LIVEcommunity thanks you for your participation!