In case anyone else runs into this, after speaking with Palo, this is a known issue engineers are working on that started with PAN-OS 10.2.8 and will manifest itself when decryption is active alongside the Inline Cloud URL Categorization engine.
Couple workarounds:
1 - Change your Content Cloud Setting service URL to the country directly you are in - in my case it was us.hawkeye.services-edge.paloaltonetworks.com.
2 - Use a custom URL list (in my case my whitelist) and add it the exception list under the URL categorization exception list for the inline inline function in your URL profile. (I guess putting your whitelist here is a best practice?)
3 - Turn off Inline Cloud Categorization completely
Oddly enough, despite this being related to the decryption engine in some way, putting the site in the decryption exclusion list didn't help where it has in the past which led me down the wrong path to begin with.
If you need to, refer to PAN-253468 if you end up speaking to an engineer at Palo as that is what this problem is logged under.
... View more
