When URL Category is 'any' traffic is getting allowed

Created On 03/20/24 11:57 AM - Last Modified 03/20/24 12:51 PM


Symptom


  • Traffic with URL Category 'any' hits an unexpected rule or is incorrectly allowed
  • Traffic logs show the traffic allowed, with a session end-reason other than threat


Environment


  • PAN-OS
  • URL Category configured on Security Policy Rules


Cause


There are a few situations in which the category is 'any' and the traffic is allowed:
  • URL category 'any' is allowed by design, because it is the category implicitly assigned before the real category has been identified. This is deliberate: if URL Category is used as match criteria in any rule and there is no default allow rule, all traffic whose category has not yet been identified would be dropped.
  • If the session is logged at start, the category can be 'any' because the log records only the initial data after the 3-way handshake. From a traffic-log point of view, only session logs of type 'end' need to be examined.
  • If the identified app-id is ssl, the category can be 'any'; it means the session ended right after the SSL handshake finished. If policy matching is a concern, the session needs to be decrypted. If it is not decrypted, the app-id can remain ssl, and the firewall has no way to inspect the HTTP traffic to match the correct URL category.
  • If the identified app-id is incomplete, the transaction is incomplete and there is no meaningful data to analyse, so the category will be 'any'.
  • The URL category of an HTTP/2 parent session is 'any'. A parent session can be identified by its http2 connection id being 0. HTTP/2 has a connection session and stream sessions; inside one HTTP/2 connection there are multiple streams, and the firewall treats each stream session as a dedicated session.


Resolution


To audit the logs properly for Security Policy matching, and to decide whether traffic is really being allowed incorrectly, exclude the log entries that cannot carry a meaningful category:
  • Filter out session start logs
  • Filter out traffic whose application is ssl, incomplete or insufficient
  • Filter out ssl traffic that is not decrypted
  • Filter out HTTP/2 parent sessions

The following filter is a good reference for showing only the relevant traffic:

( subtype eq 'end' ) and ( app neq 'ssl' ) and ( flags has proxy ) and ( http2_connection neq '0' )
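As an added example (not part of the original article), the same filter applied offline to a handful of constructed traffic-log records, so the exclusions in the Resolution can be checked against known rows. It assumes the PAN-OS field names subtype, app, flags, http2_connection and category, models flags as space-separated flag names, and takes 'insufficient-data' as the full name of the 'insufficient' application; the rows themselves are constructed, not real firewall output.

```python
"""Replay the KB article's traffic-log filter over constructed sample rows."""

# Constructed sample traffic-log rows (not real firewall output).
SAMPLE_LOGS = [
    # start-of-session log: category is still 'any' by design
    {"id": 1, "subtype": "start", "app": "web-browsing", "flags": "proxy",
     "http2_connection": "0", "category": "any", "action": "allow"},
    # undecrypted SSL: app-id stays ssl, so no category can be determined
    {"id": 2, "subtype": "end", "app": "ssl", "flags": "",
     "http2_connection": "0", "category": "any", "action": "allow"},
    # incomplete transaction: nothing meaningful to classify
    {"id": 3, "subtype": "end", "app": "incomplete", "flags": "proxy",
     "http2_connection": "0", "category": "any", "action": "allow"},
    # HTTP/2 parent (connection) session: per the article, connection id 0
    {"id": 4, "subtype": "end", "app": "web-browsing", "flags": "proxy",
     "http2_connection": "0", "category": "any", "action": "allow"},
    # decrypted HTTP/2 stream session with an identified category
    {"id": 5, "subtype": "end", "app": "web-browsing", "flags": "proxy",
     "http2_connection": "17", "category": "shopping", "action": "allow"},
    # decrypted stream session that still ended with category 'any':
    # this is the kind of row an audit should actually look at
    {"id": 6, "subtype": "end", "app": "web-browsing", "flags": "proxy",
     "http2_connection": "23", "category": "any", "action": "allow"},
]

# Applications the Resolution says to exclude. 'insufficient-data' is
# assumed here to be the full name of the 'insufficient' app in the article.
NOT_CLASSIFIABLE_APPS = {"ssl", "incomplete", "insufficient-data"}


def is_relevant(row):
    """Mirror the article's filter ( subtype eq 'end' ) and ( app neq 'ssl' )
    and ( flags has proxy ) and ( http2_connection neq '0' ), widened with
    the Resolution's incomplete/insufficient exclusion."""
    return (
        row["subtype"] == "end"                      # end logs only
        and row["app"] not in NOT_CLASSIFIABLE_APPS  # app-id was classifiable
        and "proxy" in row["flags"].split()          # decrypted (proxied) session
        and row["http2_connection"] != "0"           # not an HTTP/2 parent session
    )


def audit_category_any(rows):
    """Ids of relevant rows whose URL category is still 'any': the only
    ones where an allow with category 'any' deserves a closer look."""
    return [r["id"] for r in rows if is_relevant(r) and r["category"] == "any"]


if __name__ == "__main__":
    print("relevant rows:", [r["id"] for r in SAMPLE_LOGS if is_relevant(r)])
    print("rows to audit:", audit_category_any(SAMPLE_LOGS))
```

Rows 1 to 4 drop out for the four reasons listed under Cause; only row 6 remains as a real audit candidate.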



Additional Information


URL filtering lookup and enforcement differences between clear text HTTP and encrypted HTTPS traffic

Why is Traffic matching incorrect security policy based on custom url category ?


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000XhymCAC&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail