@Jonathanct Do you have log at session start enabled? That would explain the logs showing up on your allow rule. I would recommend disabling log at session start.

The initially allowed traffic is for allow rules. When processing traffic, the firewall assumes that the application is set to 'any' until the firewall can determine what it is, and processes the traffic under the first security rule that matches L2-L4 with any application. This is shown in the "FW Session setup/Slowpath" section of the Day in the Life of a Packet diagram, under 'Firewall security policy lookup':
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

In your example of the allow rule with a URL category defined and the action set to 'Allow', the firewall will match all sessions from L2 to L4 to that rule until the application can be defined. Once the application is defined, the firewall will rematch against the policy to determine if there is a rule to allow that traffic. In this example, that would still be the URL category rule, since the rule is set up with any application on any service. Once the URL category is defined, the firewall will rematch against the security policy again to find the first rule to match the new information.

If your rule was set to block, the traffic would be initially allowed on another security rule until the URL category was determined 5-9 packets later. Then on the rematch the firewall will show that the traffic was dropped on your URL Category rule.
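The lookup-then-rematch sequence described in the reply above, as an added toy model (this is example code written for this page, not Palo Alto Networks code or PAN-OS logic). The policy, rule names, the packet counts at which App-ID and URL category become known, and the `interzone-default` fall-through name are all constructed. Two modelling assumptions are not stated on the page and are marked as such in the code: an unidentified application matches only rules whose application is 'any', and a rule with a specific URL category is matched provisionally while the category is still unknown only if its action is allow, since a deny on a category the firewall has not yet seen cannot be enforced. The simulation prints what a log-at-session-start entry and the later rematches would attribute to each rule.

```python
"""Toy model of a first-match security-policy lookup with App-ID / URL-category
rematch. Added example, not Palo Alto Networks code: the policy, rule names,
packet counts and the implicit-deny name below are constructed.

Modelling assumptions (not from the page): an unidentified App-ID matches only
rules whose application is 'any'; a rule with a specific URL category can match
provisionally while the category is unknown only if its action is allow.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"
IMPLICIT_DENY = "interzone-default"   # constructed name for the no-match case


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    dst_port: str = ANY            # L4 service criterion, known from the first packet
    app: str = ANY                 # App-ID, identified a few packets into the session
    url_category: str = ANY        # URL category, identified once the request is seen


@dataclass
class Session:
    dst_port: str
    app: Optional[str] = None          # None = not identified yet
    url_category: Optional[str] = None


def rule_matches(rule: Rule, s: Session) -> bool:
    """Return True if the rule matches the session with what is known so far."""
    if rule.dst_port not in (ANY, s.dst_port):
        return False
    # Unidentified application is treated as 'any': only app=any rules can match.
    if s.app is None:
        if rule.app != ANY:
            return False
    elif rule.app not in (ANY, s.app):
        return False
    # Unknown URL category: allow rules match provisionally; deny rules wait
    # until the category is known (modelling assumption, see module docstring).
    if s.url_category is None:
        if rule.url_category != ANY and rule.action != "allow":
            return False
    elif rule.url_category not in (ANY, s.url_category):
        return False
    return True


def lookup(policy: List[Rule], s: Session) -> Tuple[str, str]:
    """First-match policy lookup; no match falls through to the implicit deny."""
    for rule in policy:
        if rule_matches(rule, s):
            return rule.name, rule.action
    return IMPLICIT_DENY, "deny"


def simulate(policy, dst_port, app, app_known_at, url_category, cat_known_at):
    """Walk one session through setup and the two rematches, returning the
    (packet, trigger, rule, action) that session-start and rematch logs would show."""
    s = Session(dst_port=dst_port)
    timeline = [(1, "session start") + lookup(policy, s)]
    s.app = app
    timeline.append((app_known_at, f"app identified: {app}") + lookup(policy, s))
    s.url_category = url_category
    timeline.append((cat_known_at, f"url category: {url_category}") + lookup(policy, s))
    return timeline


# Constructed policies: the URL-category rule first, a general web allow after it.
BLOCK_POLICY = [
    Rule("Block-Streaming", "deny", url_category="streaming-media"),
    Rule("Allow-Web", "allow", dst_port="443"),
]
ALLOW_POLICY = [
    Rule("Allow-Streaming", "allow", url_category="streaming-media"),
    Rule("Allow-Web", "allow", dst_port="443"),
]

if __name__ == "__main__":
    for label, policy in (("block rule", BLOCK_POLICY), ("allow rule", ALLOW_POLICY)):
        print(f"--- URL category {label} ---")
        # App-ID at packet 3 and category at packet 7 are constructed values.
        for pkt, trigger, rule, action in simulate(policy, "443", "ssl", 3, "streaming-media", 7):
            print(f"pkt {pkt:>2}  {trigger:<32} -> {rule} ({action})")
```

With the block policy the session is first attributed to Allow-Web and only moves to Block-Streaming once the category is known, which is the "initially allowed on another rule, then dropped on rematch" pattern the reply describes; with the allow policy the URL-category rule matches from the first packet and every rematch lands on it again unless the category turns out to be something else.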