I realize this has been solved, but this KB article might be useful to others having a similar problem understanding the packet flow sequence in PANOS: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
As stated before, if your rule action is Deny, the additional security policy for URL filtering won't make a difference. For our default URL blocking rules, we actually have an Allow action with the URL policy doing all the denying. We do this because it's the only way to get URL filtering logs, and give end users those nice block messages with an explanation and directions for opening a ticket.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!