Palo Alto Networks Knowledgebase: Overview of URL Filtering
Created On 02/07/19 23:41 PM - Last Updated 02/07/19 23:41 PM
URL filtering decisions are made when a session is created through the Palo Alto Networks firewall (that is, when a session matches a security rule with a URL filtering profile).
Here's what happens in a typical web-browsing session with URL filtering on a blocked URL:
1. The TCP 3-way handshake completes.
2. The client sends an HTTP GET. The Palo Alto Networks firewall identifies the traffic as web-browsing, matches it to an 'allow' rule, and forwards the HTTP GET to the web server.
3. At the same time, the firewall compares the URL in the HTTP GET request to the URL DB and the URL cache and, if necessary, performs a dynamic lookup against PAN-DB or BrightCloud.
4. If the URL is on the block list, the Palo Alto Networks firewall serves a URL block page to the web client. The firewall also sends an RST to the web server to close the session and stop the server from sending the requested web content.
The firewall lets the initial HTTP GET request through, which is expected behavior. After the firewall performs a URL lookup against the PAN-DB/BrightCloud database (local, cache, and dynamic), it makes a URL decision to either allow or block the server's response to the HTTP GET request.
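The flow above as a simplified model, to show what each side of the session observes for a blocked URL. This is an added example, not Palo Alto Networks code; the function names, the category-based profile, the "unknown" fallback and all sample URLs are constructed assumptions.

```python
# Simplified model of the session flow described above (added example,
# not Palo Alto Networks code). All names and sample data are constructed.
from dataclasses import dataclass, field

BLOCKED_CATEGORIES = {"gambling"}          # constructed URL filtering profile

# Lookup tiers in the order the article lists them; contents are constructed.
LOCAL_DB = {"news.example/": "news"}
URL_CACHE = {"intranet.example/wiki": "business"}
DYNAMIC_DB = {"bets.example/play": "gambling"}  # stands in for PAN-DB/BrightCloud

@dataclass
class Outcome:
    tier: str                 # which tier answered the lookup
    category: str             # category returned by that tier
    server_saw: list = field(default_factory=list)  # what reached the web server
    client_got: str = ""      # what the web client finally received

def lookup(url):
    """Return (tier, category) from the first tier that knows the URL."""
    tiers = (("local", LOCAL_DB), ("cache", URL_CACHE), ("dynamic", DYNAMIC_DB))
    for tier, table in tiers:
        if url in table:
            return tier, table[url]
    return "none", "unknown"   # assumption: unmatched URLs are not blocked here

def handle_get(url):
    """Model one web-browsing session after the TCP handshake has completed."""
    # The GET is forwarded to the server before the URL decision exists.
    out = Outcome("", "", server_saw=[f"GET {url}"])
    out.tier, out.category = lookup(url)
    if out.category in BLOCKED_CATEGORIES:
        # The decision applies to the response: block page to the client,
        # RST to the server so it stops sending the requested content.
        out.server_saw.append("RST")
        out.client_got = "block page"
    else:
        out.client_got = "server response"
    return out

if __name__ == "__main__":
    for u in ("news.example/", "bets.example/play"):
        print(u, handle_get(u))
```

For the blocked URL the server-side record still contains the GET, which is why a request for a blocked site can appear in the destination's access logs even though the client only ever saw the block page.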