Traffic Logs Show URL Category as Any For URL Specific Security Policy

Created On 06/11/20 09:17 AM - Last Modified 06/16/20 12:06 PM


Question


Why do the Traffic Logs show the URL Category as "Any" for a URL specific Security Policy, when the application is either "incomplete" or "ssl"?

Answer


When security policies are first looked up for a new session, layer 7 data is not taken into account, so a URL specific Security Policy can still be matched.

An "incomplete" application means that either the three-way TCP handshake did not complete or the three-way TCP handshake did complete but there was no data after the handshake to identify the application. Therefore, we do not yet have the data to identify the URL or the URL Category, and thus the URL Category appears as "Any".

An "ssl" application means that enough traffic has passed through the Firewall to identify the session as SSL. If the URL Category is shown as "Any", it could be because the Server Name Indication (SNI) field is empty and the traffic is not decrypted, so the Firewall does not have the information needed to determine the URL and URL Category.

 

