Security policy match fails due to incorrect URL category classification.

Created On 01/25/26 17:49 PM - Last Modified 01/29/26 21:46 PM


Symptom


  • A Security policy rule is configured to match on a URL category.
  • The traffic does not match the intended policy rule because the URL is categorized incorrectly.

Example:



Environment


  • Palo Alto Networks firewall
  • Any PAN-OS
  • No Decryption


Cause


  • Because decryption is not enabled, the firewall does not have visibility of the entire URL.
  • Without decryption, only the SNI field can be checked, and it carries only the host portion of the URL. In this case: "https://urlfiltering.paloaltonetworks.com"
  • Because only a partial URL is sent to the URL test site for categorization, the verdict received is "computer and internet info".


Resolution


  1. Enable Decryption.
  2. With decryption enabled, the firewall has visibility of the entire URL, which is sent to the test site.
  3. The test site then correctly classifies the URL as "command-and-control".


Additional Information


If decryption is configured and the reported URL category is still incorrect, follow the steps documented in "How to Change an Incorrect PAN-DB URL Categorization".


