Use Case:
Sometimes users have requirement to create different URL categories for same domain or sub-domains to be used in different policies like DLP, URL Filtering, File Type control, etc. This could lead to the issue where policies might not work as expected and can impact user access to the domains.
Example: The below are the Custom URL categories configured for domain .abc.com for which parent category name is ABC
URL Categories:
URL Category Name | URL Retaining Parent Category |
Category A | |
Category B |
URL Filtering Policy:
Rule Order | Rule |
1 | Allow Category A |
2 | Explicit Block All |
Refer to the documentation Configuring Custom URL Categories for more details.
When URL Category B is created, the users who already have access to URL Category A will no longer be able to access .xyz.abc.com and FQDN efg.abc.com.
If user accesses efg.abc.com or any FQDNs with sub-domain .xyz.abc.com (like my.xyz.abc.com), those transactions will get block by URL filtering policy 'Explicit Block All'. The URL Category marked in Web Insight logs for these URLs will be the Parent Category ABC.
While if the user accesses any other FQDN of domain .abc.com like (my.abc.com), it will be Allowed and URL category 'Category A' will be marked for these transactions.
Cause:
This issue might occur as Zscaler provides precedence to the nearest exact match. When URL Category "Category B" is created consisting sub-domain .xyz.abc.com & FQDN efg.abc.com, these are now no longer part of Category A. The domains .xyz.abc.com & FQDN efg.abc.com are now part of Category B and Parent Category ABC.
If Category B is not used in URL filtering policy, then any transactions for .xyz.abc.com & FQDN efg.abc.com will be considered under Parent Category ABC and not under Category A.
