Expected Behavior of Risk Categories and other Multi Categories: What displays in the Category column under URL Filtering Log
Symptom
After PAN-OS 9.0, you may see a risk category appear in the Category column of the URL filtering log instead of the actual category.
Environment
PAN-OS 9.0 and later
Cause
This is expected behavior when you set the same action for the categories that are on the URL Category List. For example, if you set all categories to alert, there is no priority among the predefined categories, and the matched category could be any of the URL categories contained in the URL category list. To make the URL multi-category list visible:
- Hover over the right side of any column with your mouse
- Select 'Columns' from the pop-up window
- Check the "URL Category List" checkbox
Resolution
When a URL has multiple categories that are set to different actions, the strictest URL filtering profile action is chosen and logged. From most strict to least strict, the actions are: block, override, continue, alert, and allow.
Example: Example.com has the categories "Entertainment and Arts" (which you configured for "allow"), "Social Networking" (which you configured for "block"), and "Low Risk" (configured for "allow"). The firewall would take the most restrictive action on this traffic from the category list, which would be "block".
If you are seeing risk categories in the Category column and you want to avoid this behavior, you can change the action of the risk category to allow in the URL filtering profile. Note: It is recommended to make the 'URL category list' column visible rather than changing the risk level category action to 'allow', because changing the action is not best practice (more on recommended actions for risk level categories here).
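The selection rule above, modeled in Python as an added example (not Palo Alto Networks code). The function names, the "Medium Risk" and "High Risk" labels, and the inference that the Category column shows one of the categories carrying the strictest action are assumptions.

```python
# Added model of the rule described in this article; not PAN-OS code.
# Strictness order as the article gives it, strictest first.
STRICTNESS = ["block", "override", "continue", "alert", "allow"]
# "Low Risk" is named in the article; the other two names are assumed.
RISK_CATEGORIES = {"Low Risk", "Medium Risk", "High Risk"}


def resolve(url_category_list, profile):
    """Return (enforced_action, candidates) for one URL.

    candidates: categories whose configured action equals the strictest
    one. Assumption: the Category column shows one of these.
    """
    missing = [c for c in url_category_list if c not in profile]
    if missing:
        raise ValueError(f"no action configured for: {missing}")
    enforced = min((profile[c] for c in url_category_list),
                   key=STRICTNESS.index)  # unknown action -> ValueError
    candidates = [c for c in url_category_list if profile[c] == enforced]
    return enforced, candidates


def risk_may_be_logged(url_category_list, profile):
    """True if a risk category ties with a non-risk one for the strictest action."""
    _, candidates = resolve(url_category_list, profile)
    risk = [c for c in candidates if c in RISK_CATEGORIES]
    return bool(risk) and len(risk) < len(candidates)


# Category list and actions from the article's Example.com case.
EXAMPLE_LIST = ["Entertainment and Arts", "Social Networking", "Low Risk"]
MIXED = {"Entertainment and Arts": "allow",
         "Social Networking": "block",
         "Low Risk": "allow"}
# Constructed profiles: everything on alert, then risk set to allow.
ALL_ALERT = dict.fromkeys(EXAMPLE_LIST, "alert")
RISK_ALLOWED = {**ALL_ALERT, "Low Risk": "allow"}

if __name__ == "__main__":
    for name, prof in [("mixed", MIXED), ("all alert", ALL_ALERT),
                       ("risk allowed", RISK_ALLOWED)]:
        print(name, resolve(EXAMPLE_LIST, prof),
              risk_may_be_logged(EXAMPLE_LIST, prof))
```

Running it over the category lists you expect to see shows which profile settings leave the Category column ambiguous, so you can decide whether enabling the URL Category List column is enough.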
Additional Information
Risk level categories: See the 'Security-Focused URL Categories' of the following article: https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-categories?otp=risk-categories#risk-categories