The hotspot-shield application has dependencies on both the web-browsing and ssl applications. As the session transitions between applications, it could match different policies, which could in turn apply a different set of security profiles. If the traffic flow from this particular client was legitimate web-browsing instead of hotspot-shield, which security policy would it hit? Does that policy have URL filtering applied? It is possible that the first few packets after the TCP handshake hit a different policy which has URL filtering enabled. Shortly after the URL is sent by the client and is logged, the application transitions to the hotspot-shield application and its associated security policy. If you can reproduce this URL log behavior on a test machine, a good test would be to create a security policy for that source IP for web-browsing and ssl without any profiles enabled. If creating that test policy stops the logs from generating for that particular client, then the scenario I describe above is the likely cause and would be expected behavior.