This issue applies when the following configuration combinations are used:
- URL Filtering Whitelist policy - Websites are explicitly allowed and all non-allowed websites are blocked via the Clean Up rule.
- Categorize HTTPS websites - SSL/HTTPS Inspection is not being used for outbound connections.
- Added SNI information to connection logs when connection is matched on rule with "Extended Log".
- Website categorization mode is set to Hold - Requests are blocked until categorization of the website is completed. Improved enforcement of first connection when URL Filtering setting is 'Hold' mode. (Hold mode granularity)
When a request to a website is made, the Security Gateway holds the "Unknown" traffic and sends it to the RAD (Resource Advisor) daemon to verify the CN (Common Name) of the website. Before the response from RAD is returned, the policy is enforced on the "Unknown" traffic, and the connection is dropped on the Clean Up rule. The IP address of the website is entered into the cache table, but by that point the connection has already been dropped by the policy. The second connection attempt to the same IP address succeeds because the IP address is already in the cache table and the CN has been verified.
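To confirm this symptom from connection logs, the following added example (not Check Point code) flags each HTTPS drop on the Clean Up rule that is followed shortly afterwards by an accept from the same source to the same destination IP. The CSV layout, the rule names, the 30-second window and the sample records are all assumptions constructed for illustration; adapt the field names to your own log export.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records in a simplified CSV layout (an assumption for
# this example, not the gateway's real log export format).
SAMPLE_LOG = """\
time,src,dst,dport,action,rule
2024-01-10T09:00:00,10.1.1.20,203.0.113.10,443,Drop,Clean Up
2024-01-10T09:00:04,10.1.1.20,203.0.113.10,443,Accept,Allowed Sites
2024-01-10T09:01:00,10.1.1.21,198.51.100.7,443,Drop,Clean Up
2024-01-10T09:02:00,10.1.1.22,203.0.113.10,443,Accept,Allowed Sites
2024-01-10T09:05:00,10.1.1.23,192.0.2.55,443,Drop,Clean Up
2024-01-10T09:09:00,10.1.1.23,192.0.2.55,443,Accept,Allowed Sites
"""


def find_first_connection_drops(log_text, cleanup_rule="Clean Up", window_s=30):
    """Return (src, dst, seconds_until_accept) for each HTTPS drop on the
    cleanup rule that is followed by an accept from the same source to the
    same destination IP within window_s seconds."""
    window = timedelta(seconds=window_s)
    pending = {}  # (src, dst) -> time of the most recent cleanup drop
    hits = []
    # ISO 8601 timestamps sort correctly as plain strings.
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    for row in rows:
        if row["dport"] != "443":
            continue
        ts = datetime.fromisoformat(row["time"])
        key = (row["src"], row["dst"])
        if row["action"] == "Drop" and row["rule"] == cleanup_rule:
            pending[key] = ts
        elif row["action"] == "Accept" and key in pending:
            gap = ts - pending.pop(key)
            # A retry long after the drop is more likely a policy change
            # than the categorization race, so it is not reported.
            if gap <= window:
                hits.append((row["src"], row["dst"], int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_first_connection_drops(SAMPLE_LOG):
        print(f"{src} -> {dst}: dropped on cleanup rule, accepted {gap}s later")
```

A destination that is dropped and never accepted afterwards (198.51.100.7 in the sample) is an ordinary whitelist block, not this issue.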