Symptom
When you have a whitelist and categories themselves are blocked, several web pages do not appear to load “correctly” when viewed by users. Images or certain parts of the page are missing or do not properly appear.
Cause
The symptom may occur due to fact that the Palo Alto Networks firewall does a string match on the URL list (in the white/ block list). Images are often hosted on other servers and the web pages request those images by calling the url , which may not be in the whitelist.
Note: When viewing the source of the page, the URLs that are embedded in the webpage (initially requested) can be seen distinctly.
When the client issues the ‘get request’, the web page also expects the client to issue get requests for the other http// references that the page source contains. To show the entire page, all the urls are requested, including the actual URL in the address bar and the embedded urls for the images.
In the URL filtering profile, you can uncheck the “Log Container page only” box. Now, when one of these sites is requested, the URL filtering log will show all the URLs (including sub urls and image urls that the client requests in order to completely load the actual main URL requested).
Since the URL allow list does not include the URLs of the images, the page loads but the images will be denied because the URLs associated with them are not part of the URL allow list /whitelist. However, it is difficult to keep adding the image URLs and other style-related sub-URLs, as often these are totally different from the main URL that was first requested.
There is an implicit wildcard for when you do a www.domain.com* so you will see URLs such as "www.domain.com/suburl/abc/eg.html" or "www.Domain.com/suburl-image.php" all be allowed when domain.com is allowed in the whitelist. However, oftentimes the URL for images and styles is most often something else entirely. For example, "https://serveraddress.com/nl/image1.jpg".
owner: sjamaluddin