The reason I need to separate the profiles into two different rules is that we are forwarding the logs to our Central Log Manager (QRadar). I set the first rule for just the URL Filtering Profile on 80/443, and to "Alert" on allowed sites (I set it to "Alert" so I can keep a log in Palo Alto of all the allowed sites). On this rule, I do NOT forward logs to QRadar. If I do, all of the allowed sites show up as "offenses" because they are set to "Alert" in Palo Alto. I then set up a second rule below this first one to run the AV, Spyware, etc. profiles on 80/443. This rule does forward logs to QRadar. BUT, I've been noticing all traffic on 80/443 skips over this second rule after it hits the first rule. I'm not sure if there's any other way to do what I need...
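The symptom in the post is what top-down, first-match rule evaluation produces: the first rule that matches a session handles it, and a later rule with the same match criteria is never reached. The following is an added example, not part of the original post and not Palo Alto code; it is a simplified model in which rules match only on source zone and destination port, and the rule names, the `trust` zone and the `Rule` class are assumptions made for illustration.

```python
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: frozenset
    dst_ports: frozenset
    profiles: tuple        # security profiles attached to the rule
    forward_logs: bool     # whether this rule forwards logs to the SIEM

    def matches(self, zone, port):
        return zone in self.src_zones and port in self.dst_ports


def first_match(rules, zone, port):
    """Top-down evaluation: the first matching rule handles the session."""
    for rule in rules:
        if rule.matches(zone, port):
            return rule
    return None


def shadowed(rules):
    """Map each rule that can never be hit to the earlier rules covering it."""
    report = {}
    for i, rule in enumerate(rules):
        # Which rule wins for every (zone, port) this rule claims to match?
        winners = {first_match(rules[:i + 1], z, p).name
                   for z, p in product(rule.src_zones, rule.dst_ports)}
        if rule.name not in winners:
            report[rule.name] = sorted(winners)
    return report


# Constructed rulebase mirroring the two rules described in the post.
RULES = [
    Rule("url-filtering", frozenset({"trust"}), frozenset({80, 443}),
         ("url-filtering",), forward_logs=False),
    Rule("threat-profiles", frozenset({"trust"}), frozenset({80, 443}),
         ("antivirus", "anti-spyware"), forward_logs=True),
]

if __name__ == "__main__":
    hit = first_match(RULES, "trust", 443)
    print(hit.name, hit.profiles, hit.forward_logs)
    print(shadowed(RULES))
```

In this model a session on 443 gets only the first rule's profile and log setting, and the second rule is reported as fully shadowed by it.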