So @vsys_remo and @jvalentine, in betwen my other priorities I have been researching this issue with my limited knowledge and understanding. I have discovered that in 60% of the cases the destination IP Address allowed that shows "any" for URL Category in the logs has been also been allowed sometimes with the correct URL Category showing.  I'm not sure why this is and am at a loss to explain the remaining 40% that never show the correct URL Category. At this point I am willing to accept this behavior but will continue to monitor. Thanks for your time on this.     ... View more

Sorry for the delay in responding but I've been tied up with other things. Also I will not be able to work on this for the next week. When I can get back to this I will look at some of the things you've mentioned. However in regard to your comment: "What is likely happening is that the firewall allows the TCP/80 traffic, even identifies it as web-browsing, and then it attempts to match that traffic with your permit rules.  If it matches, great.  If not, it stops.  The trick question is, how should the firewall log the traffic?  Should it log the traffic as being denied (when some portion went through?)" I would think that if the firewall is going to log this traffic as allowed because it got part way through the process, it should also have a denied entry when it determines that something about the rule (in my case the URL Category) prevents it.  It seems like this isn't happening and maybe that's just the way it works, however I find this confusing. Thanks very much for your insight. ... View more

I didn't realize that you could create a URL Filtering profile without a license.  Not sure I would like getting that warning (I assume I would continue to get this on subsequent commits). Again, just to be clear, I do get my URL Category showing up in the logs (I just filtered those out in my previous images).  Here's another look at the logs without the filtering and an example of "any" circled.   Also, my main goal here is to be able to confidentally tell upper management that no traffic is being allowed to a destination that is not in my URL Category.   ... View more

Thanks @vsys_remo attaching more screenshots. And to be clear, the Custom URL Category is showing up for most of the log entries, I'm just confused about why it's not showing up for some.     ... View more

You are correct @vsys_remo I only mentioned the licensing issue becuase @jvalentine mentioned creating a URL Filtering Profile and I believe I can't do that without a license. ... View more

Thanks for the reply. Unfortunately we don't have a URL Filtering license as we have another solution for that function.   ... View more

Thanks for the response. We log at session end. Looking at the traffic this morning it seems that everything went back to "normal" after a content update this past Friday, so your theory about app-id not having enough info seems to hold water. Thanks again for responding. ... View more