08-13-2025 10:34 AM
We have several policies that permit traffic to 80/443 with no specific destination address, but with a URL category set for a specific URL. For example, we have a post-rule for VPN users to access our internal Splunk server via the URL.
The issue I'm seeing is that I am trying to connect to another device using https://ipaddress and the traffic is hitting our Splunk URL rule.
This is not the only URL Category rule we have. I've also seen traffic hit a pre-rule we have using a URL Category.
Has anyone experienced this? Is there a good solution?
08-18-2025 02:26 AM
Are the log entries you are seeing actual proper traffic (ssl/web-browsing, ... app-id, normal session end, etc.) or are these incomplete app-id sessions?
These types of rules need to accept all web traffic in order for the firewall to be able to determine the URL category (seen in the SNI of HTTP GET typically), which means that at least 4 to 5 packets need to flow through that rule before it is able to determine if it should keep this session (category match) or release this session (no category match, security rule lookup for better match).
What happens if this is a 'rogue' session that is either broken (e.g. server stops responding) or 'abnormal' (URL category not found before session already ended by server/client, early RST, ...) is that the session dies before it can match a different, more accurate rule, so the log entry is written with the last rule that session hit before ending.
Rules with only URL category have a high catch rate for bad or broken sessions, so there will be lots of logs that mysteriously seem to hit this rule.
08-22-2025 01:54 AM
Sounds like what I described, and expected behavior.
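A triage sketch for the question raised in the first reply (proper traffic or incomplete app-id sessions?), added here as an example and not part of any post in this thread. The column names, the rule name `VPN-Splunk-URL` and the sample rows are constructed assumptions; the packet threshold is the reply's "4 to 5 packets" estimate.

```python
import csv
import io

# Constructed sample rows; column names are assumptions modelled on a
# traffic-log export, not copied from any real firewall.
SAMPLE_LOG = """rule,app,packets,session_end_reason,dst,dport
VPN-Splunk-URL,ssl,42,tcp-fin,10.1.1.20,443
VPN-Splunk-URL,incomplete,3,aged-out,10.9.9.5,443
VPN-Splunk-URL,insufficient-data,4,tcp-rst-from-server,10.9.9.6,443
VPN-Splunk-URL,ssl,2,tcp-rst-from-client,10.9.9.7,443
Allow-DNS,dns,2,aged-out,10.1.1.53,53
"""

# Hypothetical name for a rule that matches on URL category only.
URL_CATEGORY_ONLY_RULES = {"VPN-Splunk-URL"}
# App values logged when the session ended before identification finished.
UNIDENTIFIED_APPS = {"incomplete", "insufficient-data", "not-applicable"}
# Upper end of the "4 to 5 packets" the reply says are needed for a category.
MIN_PACKETS_FOR_CATEGORY = 5


def classify(row):
    """Return 'other-rule', 'artifact' or 'review' for one log row."""
    if row["rule"] not in URL_CATEGORY_ONLY_RULES:
        return "other-rule"
    # Session died before the app was identified: logged against the
    # last rule it touched, not a confirmed category match.
    if row["app"] in UNIDENTIFIED_APPS:
        return "artifact"
    # Too few packets for the URL category to have been determined.
    if int(row["packets"]) < MIN_PACKETS_FOR_CATEGORY:
        return "artifact"
    # Fully identified session that stayed on the rule: worth a closer look.
    return "review"


def triage(log_text):
    """Group (dst, dport, app, end reason) tuples by classification."""
    result = {"other-rule": [], "artifact": [], "review": []}
    for row in csv.DictReader(io.StringIO(log_text)):
        entry = (row["dst"], row["dport"], row["app"], row["session_end_reason"])
        result[classify(row)].append(entry)
    return result


if __name__ == "__main__":
    for label, entries in triage(SAMPLE_LOG).items():
        print(label, entries)
```

Entries under `review` are the ones that completed identification while still on the URL-category rule, so those are the sessions to compare against the rule's intended destination.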