graphenediscoverer4
Is there a place saying which app attempted to reach which URL?
Nearly all connections made by apps are encrypted with TLS or an equivalent to it. A firewall cannot monitor what the connections are doing without highly problematic TLS configuration based on loading a custom root, which is a massive security hole and doesn't even work with most apps anymore due to them not trusting non-system certificate authorities unless they explicitly opt into it like web browsers.
Monitoring and filtering connections based on IP address is entirely possible. That doesn't mean it can be done in a meaningful way. Apps being able to connect to their own server is enough for them to send data anywhere. A common misconception is that connections to third parties can be filtered client side, which isn't possible if they can connect to their own server. It's a normal practice to make these connections server side to make them more reliable and to avoid leaking API keys. Additionally, apps can do two-way communication with any party via DNS queries alone without ever making a direct connection, just querying DNS names to send data and receiving back data in the result. If an app is allowed to make arbitrary DNS queries, it can communicate with anyone.
If you want to monitor and filter connections, despite it not really working, you can use an app like RethinkDNS for this. It's entirely possible on GrapheneOS, but most people misunderstand many things about how networking functions and do not realize that they aren't blocking apps communicating with servers they think they are because they're permitting arbitrary DNS and aren't considering what the servers they're permitting do on their end.
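Added example, not part of the posts above and not code from GrapheneOS or RethinkDNS: a review heuristic for a per-app DNS query log that reports an app sending many distinct long, high-entropy labels under one parent domain, which is what data carried in queried names tends to look like. The log format, app names, domains and thresholds are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed per-app DNS query log, one "<app> <queried name>" per line.
# The line format is an assumption for this example, not any tool's export.
SAMPLE_LOG = """\
com.example.weather api.weather.example
com.example.weather cdn.weather.example
com.example.weather d3a9f1c27b604e58a1f0.cdn.example
com.example.notes sync.notes.example
com.example.notes mzxw6ytboi2dgnbvgy3tqojq.sync.notes.example
com.example.notes onswg4tfoqqho2lunbuw4idb.sync.notes.example
com.example.notes onswg4tfoqqho2lunbuw4idb.sync.notes.example
com.example.notes nbswy3dpeb3w64tmmqqgc3tz.sync.notes.example
"""

MIN_LEN = 16        # labels shorter than this are treated as ordinary hostnames
MIN_ENTROPY = 3.5   # bits per character; encoded data scores high
MIN_UNIQUE = 3      # distinct data-like labels before a pair is reported


def entropy(label):
    """Shannon entropy of the label's characters, in bits per character."""
    counts = Counter(label)
    return -sum(c / len(label) * math.log2(c / len(label)) for c in counts.values())


def suspicious_pairs(log_text):
    """Return {(app, parent_domain): sorted data-like labels} over the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines
        app, name = parts
        labels = name.lower().rstrip(".").split(".")
        if len(labels) < 3:
            continue  # no subdomain label that could carry data
        # Naive parent: last two labels. A real tool would use the public suffix list.
        parent = ".".join(labels[-2:])
        label = labels[0]
        if len(label) >= MIN_LEN and entropy(label) >= MIN_ENTROPY:
            seen[(app, parent)].add(label)
    return {k: sorted(v) for k, v in seen.items() if len(v) >= MIN_UNIQUE}


if __name__ == "__main__":
    print(suspicious_pairs(SAMPLE_LOG))
```

On the constructed log only `com.example.notes` with `notes.example` is reported; the single hash-like CDN label is not, because one long label on its own is common for legitimate hosts. It is a log-review heuristic, not a filter.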