Unable to Reach downloads.dell.com

bfrytm
Level 1

I am fairly new to the Cisco FPR1150.

There is an access rule to downloads.dell.com on port 443.

Packet Trace shows Allow through the entire process, yet the events show port 443 is blocked even though there is a rule to allow it. On occasion a connection to the Dell servers shows Allow on port 443, but most are Blocked.

Interface: Ethernet1/11.601
VLAN ID:
Protocol: TCP
Source Type: IPv4
Source IP value: xxx.xx.xxx.103
Source Port: https
Source SPI:
Destination Type: IPv4
Destination IP value: 23.44.74.13
Destination port: https
Inline Tag:
Treat simulated packet as IPsec/SSL VPN decrypt: false
Bypass all security checks for simulated packet: false
Allow simulated packet to transmit from device: false
Select Device: WS-FW1
Run trace on all cluster members: false

Device details
Name: WS-FW1
ID: 2d6daf46-0817-11ef-aa7a-92348ed4d2f1
Type: Device

Phase 1
ID: 1
Type: ACCESS-LIST
Result: ALLOW
Config: Implicit Rule
Additional Information: Forward Flow based lookup yields rule: in id=0x1460befb67f0, priority=1, domain=permit, deny=false hits=5726417342, user_data=0x0, cs_id=0x0, l3_type=0x8 src mac=0000.0000.0000, mask=0000.0000.0000 dst mac=0000.0000.0000, mask=0100.0000.0000 input_ifc=VLAN0601, output_ifc=any
Elapsed Time: 20480 ns

Phase 2
ID: 2
Type: INPUT-ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information: Found next-hop xx.xx.xxx.30 using egress ifc OutsideATT(vrfid:0)
Elapsed Time: 20992 ns

Phase 3
ID: 3
Type: OBJECT_GROUP_SEARCH
Result: ALLOW
Config:
Additional Information: Source Object Group Match Count: 3 Destination Object Group Match Count: 2 Object Group Search: 6
Elapsed Time: 0 ns

Phase 4
ID: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group CSM_FW_ACL_ global
access-list CSM_FW_ACL_ advanced permit tcp object-group WS_Dell_Hosts ifc OutsideATT object downloads.dell.com object-group HTTPS rule-id 268436483
access-list CSM_FW_ACL_ remark rule-id 268434484: ACCESS POLICY: WS - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268434484: L7 RULE: ESXiHostsDNS
access-list CSM_FW_ACL_ remark rule-id 268436483: ACCESS POLICY: WS - Mandatory
access-list CSM_FW_ACL_ remark rule-id 268436483: L7 RULE: DellHosts_to_Outbound
object-group network WS_Dell_Hosts(hitcnt=3302, id=4026531953)
 network-object object WS-DE2(hitcnt=419)
 network-object object WS-DE1(hitcnt=1035)
 network-object object WS-DE3(hitcnt=1848)
object-group service HTTPS tcp
 port-object eq https
Additional Information: This packet will be sent to snort for additional processing where a verdict will be reached
Forward Flow based lookup yields rule: in id=0x146082647bd0, priority=12, domain=permit, deny=false hits=205, user_data=0x1460a4dccb80, cs_id=0x0, use_real_addr, flags=0x0, protocol=6 src ip/id=240.0.0.113, mask=255.255.255.255, port=0, tag=any, ifc=any dst ip/id=240.0.0.37, mask=255.255.255.255, port=443, tag=any, ifc object-group id 19331, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any, output_ifc=any
Elapsed Time: 512 ns

Phase 5
ID: 5
Type: CONN-SETTINGS
Result: ALLOW
Config:
class-map class-default
 match any
policy-map global_policy
 class class-default
  set connection advanced-options UM_STATIC_TCP_MAP
service-policy global_policy global
Additional Information: Forward Flow based lookup yields rule: in id=0x146088b61750, priority=7, domain=conn-set, deny=false hits=489858, user_data=0x146088b4bbf0, cs_id=0x0, use_real_addr, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=VLAN0601(vrfid:0), output_ifc=any
Elapsed Time: 512 ns

Phase 6
ID: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1460babe7e60, priority=0, domain=nat-per-session, deny=false hits=25180916, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any, output_ifc=any
Elapsed Time: 512 ns

Phase 7
ID: 7
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1460befc06d0, priority=0, domain=inspect-ip-options, deny=true hits=1244547, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=VLAN0601(vrfid:0), output_ifc=any
Elapsed Time: 512 ns

Phase 8
ID: 8
Type: FOVER
Subtype: standby-update
Result: ALLOW
Config:
Additional Information: Forward Flow based lookup yields rule: in id=0x1460811c2610, priority=20, domain=lu, deny=false hits=13233, user_data=0x0, cs_id=0x0, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=VLAN0601(vrfid:0), output_ifc=any
Elapsed Time: 33280 ns

Phase 9
ID: 9
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1460babe7e60, priority=0, domain=nat-per-session, deny=false hits=25180918, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=any, output_ifc=any
Elapsed Time: 43520 ns

Phase 10
ID: 10
Type: IP-OPTIONS
Result: ALLOW
Config:
Additional Information: Reverse Flow based lookup yields rule: in id=0x1460be454310, priority=0, domain=inspect-ip-options, deny=true hits=14441571, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0 src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any src nsg_id=none, dst nsg_id=none dscp=0x0, input_ifc=OutsideATT(vrfid:0), output_ifc=any
Elapsed Time: 512 ns

Phase 11
ID: 11
Type: FLOW-CREATION
Result: ALLOW
Config:
Additional Information: New flow created with id 27931027, packet dispatched to next module
Module information for forward flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Module information for reverse flow ...
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_tcp_proxy
snp_fp_snort
snp_fp_tcp_proxy
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_fp_tracer_drop
snp_ifc_stat
Elapsed Time: 19456 ns

Phase 12
ID: 12
Type: EXTERNAL-INSPECT
Result: ALLOW
Config:
Additional Information: Application: 'SNORT Inspect'
Elapsed Time: 48128 ns

Phase 13
ID: 13
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 0, Rule ID 268436483
Additional Information: Starting rule matching, zone 1 -> 3, geo 0 -> 0, vlan 0, src sgt: 0, src sgt type: unknown, dst sgt: 0, dst sgt type: unknown, user 9999997, no url or host, no xff
Matched rule ids 268436483 - Allow
Elapsed Time: 311274 ns

Phase 14
ID: 14
Type: SNORT
Subtype: appid
Result: ALLOW
Config:
Additional Information: service: (0), client: (0), payload: (0), misc: (0)
Elapsed Time: 14110 ns

Phase 15
ID: 15
Type: INPUT-ROUTE-LOOKUP-FROM-OUTPUT-ROUTE-LOOKUP
Subtype: Resolve Preferred Egress interface
Result: ALLOW
Config:
Additional Information: Found next-hop xx.xx.xxx.30 using egress ifc OutsideATT(vrfid:0)
Elapsed Time: 8704 ns

Phase 16
ID: 16
Type: ADJACENCY-LOOKUP
Subtype: Resolve Nexthop IP address to MAC
Result: ALLOW
Config:
Additional Information: Found adjacency entry for Next-hop xx.xx.xxx.30 on interface OutsideATT
Adjacency :Active
MAC address b463.6fa9.1411 hits 1580 reference 615
Elapsed Time: 2560 ns

Result
Input Interface: VLAN0601(vrfid:0)
Input Status: up
Input Line Status: up
Output Interface: OutsideATT(vrfid:0)
Output Status: up
Output Line Status: up
Action: allow
Time Taken: 525064 ns

[two screenshots attached to the post: bfrytm_0-1737387774393.png, bfrytm_1-1737386466964.png]

Someone mentioned it is a URL Resolution.

Again, I am very new to this so any suggestions would be appreciated.
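Added example, not part of the original post and not Cisco's tooling: a small Python script that parses packet-tracer output in the format pasted above, reports the final action and the rule IDs the trace hit, and then checks a set of connection events against the addresses the firewall itself resolved for the FQDN object. The event lines, the client address (192.0.2.103) and the resolved-IP set are constructed; the event column names are an assumption. The explanation the script encodes is also offered as an assumption to check rather than a confirmed diagnosis of this thread: an FQDN object contains only the addresses the firewall's own DNS lookup returned, so a client that resolves a CDN-hosted name through a different DNS server can connect to an address the rule never contained, while a packet-tracer run against one of the firewall's own resolved addresses still reports Allow.

```python
"""Compare a Firepower packet-tracer verdict with connection events.

Added example; the trace sample is trimmed from the post's output,
everything else (events, client IP, resolved set) is constructed.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass, field

# Trimmed packet-tracer output (phases 4 and 13 plus the Result block).
TRACE_SAMPLE = """\
Phase 4
ID: 4
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config: access-list CSM_FW_ACL_ advanced permit tcp object-group WS_Dell_Hosts ifc OutsideATT object downloads.dell.com object-group HTTPS rule-id 268436483
Additional Information: This packet will be sent to snort for additional processing

Phase 13
ID: 13
Type: SNORT
Subtype: firewall
Result: ALLOW
Config: Network 0, Inspection 0, Detection 0, Rule ID 268436483

Result
Input Interface: VLAN0601(vrfid:0)
Output Interface: OutsideATT(vrfid:0)
Action: allow
"""

# Constructed connection events; column names are assumed, not FMC's.
EVENT_LINES = """\
time,src_ip,dst_ip,dst_port,action,rule
2025-01-20T15:02:11Z,192.0.2.103,23.44.74.13,443,Allow,DellHosts_to_Outbound
2025-01-20T15:02:15Z,192.0.2.103,23.44.74.40,443,Block,Default Action
2025-01-20T15:03:02Z,192.0.2.103,23.44.74.57,443,Block,Default Action
"""

# Assumed: the addresses the firewall's own DNS lookup returned for the
# FQDN object when the events were logged.
FIREWALL_RESOLVED = {"23.44.74.13"}

PHASE_RE = re.compile(r"^Phase (\d+)$")
# First alternative: the rule-id of the permit/deny ACE itself (skips the
# remark lines); second: Snort's "Rule ID" wording.
RULE_ID_RE = re.compile(r"(?:permit|deny) .*? rule-id (\d+)|Rule ID (\d+)")


@dataclass
class Phase:
    number: int
    type: str = ""
    subtype: str = ""
    result: str = ""
    rule_ids: set = field(default_factory=set)


def parse_packet_tracer(text):
    """Parse packet-tracer phases; return (phases, final_action)."""
    phases, current, final_action = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = PHASE_RE.match(line)
        if m:
            current = Phase(int(m.group(1)))
            phases.append(current)
            continue
        if line == "Result":  # the summary block ends the phase list
            current = None
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if current is None:
            if key == "Action":
                final_action = value.lower()
            continue
        if key == "Type":
            current.type = value
        elif key == "Subtype":
            current.subtype = value
        elif key == "Result":
            current.result = value
        elif key == "Config":
            for a, b in RULE_ID_RE.findall(value):
                current.rule_ids.add(int(a or b))
    return phases, final_action


def trace_verdict(text):
    """Final action, phases that did not return ALLOW, and rule IDs hit."""
    phases, action = parse_packet_tracer(text)
    hits = set().union(*(p.rule_ids for p in phases)) if phases else set()
    blocking = [p.number for p in phases if p.result.upper() != "ALLOW"]
    return {"action": action, "blocking_phases": blocking, "rule_ids": hits}


def parse_events(csv_text):
    return list(csv.DictReader(io.StringIO(csv_text)))


def events_outside_resolution(events, resolved_ips):
    """Blocked events whose destination the firewall never resolved for the FQDN."""
    resolved = {ipaddress.ip_address(ip) for ip in resolved_ips}
    return [
        e for e in events
        if e["action"] == "Block"
        and ipaddress.ip_address(e["dst_ip"]) not in resolved
    ]


if __name__ == "__main__":
    print(trace_verdict(TRACE_SAMPLE))
    for e in events_outside_resolution(parse_events(EVENT_LINES), FIREWALL_RESOLVED):
        print(f"{e['time']} {e['dst_ip']}:{e['dst_port']} not in FQDN resolution")
```

To use this against a real case, export the blocked connection events to CSV, rename the columns to match, and replace FIREWALL_RESOLVED with the addresses the FTD currently holds for downloads.dell.com (`show dns` on the device) while comparing against what the client itself gets from `nslookup downloads.dell.com`. If the blocked destinations are absent from the firewall's set, the rule is not being hit for the reason described in the lead-in, and packet-tracer will keep reporting Allow because it was given one of the firewall's own resolved addresses.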
