Does the Dashboard screen show that your Firewall has downloaded the SmartFilter control list?
It might sound like a silly question, but the following section of your audit record:-
dest IP addr 18.104.22.168 did not match ((('category','fi'),),).
- would seem to suggest that the IP address cannot be found in the Banking/Finance category, and this is why the connection is not triggering your "Except Finance" rule. If the category database has not downloaded, this would be one reason why.
However, performing an nslookup for www.wellsfargo.com comes back with two completely different IP addresses:-
Addresses: 22.214.171.124, 126.96.36.199
Yes, the database is correctly updated. In effect the SmartFilter on HTTP (not encrypted connections) works fine!
I have the same problem if I specify one domain object on the endpoint destination field: the system never matches the domain!