We use a URL filtering profile to limit outbound traffic. Occasionally known good traffic will fail because an IP address, instead of the FQDN of the URL, is presented. The traffic is blocked because the URL (IP address) is in the "Unknown" URL category. What could be the cause of this random failure?
The firewall identifies the Fully Qualified Domain Name (FQDN) from the Server Name Indication (SNI) in the client hello or from the Common Name (CN) in the server hello.
In your scenario, the firewall is detecting the SNI or CN as the IP, and the category detected is marked as private IP/Unknown.
You can test the category using the following URL: https://urlfiltering.paloaltonetworks.com/query/
To better understand what is happening and why the firewall is interpreting the IP instead of the URL/FQDN, you may conduct a packet capture. This will help you analyze the network traffic and identify any issues affecting the firewall's interpretation.