Why does URL Filtering Profile with a custom URL Category assigned require the same custom URL category assigned in a security rule to work?

Hi all,

Pardon me for the lengthy title.

Here is the layout of what I am working with:

😅

• I am currently running PAN-3020 on PAN-OS 9.0.13
• I do not have a URL filtering licence 
• I do not yet do decryption (long story).
• Security rules are any/any for testing this.  

I have been tinkering with custom URL categories and filtering profiles. I have got what I intended to work.

However, I am confused by the behaviour of the firewall and further lost amongst content all over the internet, especially when it comes to URL filtering without a licence. Was hoping someone could help clarify it out for me?

===========
Scenario 1

Security policy rule A:

• Rule with an action of allow
• URL filtering profile assigned which also allows a good custom URL category

Security policy rule B:

• Rule with an action of allow
• URL filtering profile assigned which blocks a bad custom URL category

No traffic will match security policy rules A or B. The only time traffic match either of these two rules is when I specify a URL category under the Service/URL Category tab for security policy rule A.

Scenario 2

Security policy rule A:

• Rule with an action of allow
• Custom URL category assigned to "services/URL Category" tab (found within the security policy rule),
• URL filtering profile assigned that allows a good custom URL cateogry

Security policy rule B =

• Rule with an action of allow
• Assigned URL filtering profile that blocks a bad custom URL category

URL traffic not matching any URLs specified rule A is now blocked.

===========

What I can't get my head around is why isn't it enough to simply use a security rule and a relative filtering profile that references the good custom URL category?
Why when I don't specify the URL category, no traffic matches even though the filtering profile is there?

Apologies for my ignorance. 

Martins