Why is Traffic not matching the correct security policy based on custom URL category or App-ID?

• NGFW
• Any PAN-OS

1. Initial firewall security policy lookup based on six-tuple key
2. Application identification
3. If application is SSL and has a matching decryption policy
   1. Decrypt traffic
   2. Application identification using decrypted packets
4. Security policy lookup using all match criteria
5. Content inspection
6. Forwarding/Egress

• As the initial security policy lookup only matches on the six-tuple key it will not reflect any other match criteria such as application or URL category.
• Traffic is not erroneously allowed by this initial match: only TCP/SSL handshakes are allowed to this point
• Traffic will be allowed or denied only after the final security policy lookup is made using all match criteria

Common causes include an 'incomplete' App-ID or an SSL handshake failure.
This is the same logic behind why logs generated using "Log at session start" can match the incorrect security policy.


Six-tuple match criteria: 

• Source and destination addresses: IP addresses from the IP packet. 
• Source and destination ports:  Port numbers from TCP/UDP protocol headers. 
• Protocol: The IP protocol number from the IP header is used to derive the flow key . 
• Security zone: This field is derived from the ingress interface at which a packet arrives.