Good Day

Have you encountered that the FACEBOOK SUB application bypass your POLICY.

Here is the Scenario.

Under Application control, I ONLY allow facebook POST  and DENY ALL OTHER FEATURES like (facebook comment, like, video, message etc)

then my policy is NOT WORKING 100%, you can comment, like, message etc 

How to SOLVE this kind of ISSUE??

Attached Screenshot for your reference 

SG135w (SFOS 16.05.0 RC-1)


Thank you



  • In reply to lferrara:

    Hi Sir

    Good Day


    Upon testing this configurations

    micro app discovery is ON

    Decrpyt and Scan Https is TICKED

    This is not working 100%.. it works only by is not consistent, if the other 135 is succesful then i try to mirror it to another 135 appliance it is not working .. i already load those config from working appliacne to new appliacne .. same config but diff app but it doesnt work.. 

     i tested it in two diff 135 and 210 appliance in 210 it doesnt work

    if we try to load BLOCK GENERALLY UNWANTED APPS under Application filter .. application logs appeared - live logs.

    but if we tried to load our own template which is to block facebook like,comments, update status.. NO live logs under log viewer

  • In reply to Proudmore:

    Having two boxes with the same configuration and different behavior is problematic.  Either the configuration isn't exactly the same, or there is some other issue.

    Question:  Does rebooting the non-working box resolve the problem?  Does it work for a while and then stop working?  When it is not working, is it only Facebook video, or is it all application control that is not working?

    There is a known but uncommon issue where all application control will stop working on a box, restarting certain services (or the whole box) fixes it.  Full resolution of this issue will be in v17.


    This is a long shot, but can you go into the application filter policy for facebook, do a minor edit (like description) and then save.  Does it now start working?  If so there may have been an import problem.




    That being said:

    There were some changes to microapps in 16.05 MR4.  Since then, you do not need to have the console microapp-discovery turned on.  For all customers, normal operation is to have this option turned off.

  • In reply to Michael Dunn:

    Hi Sir Michael Dunn,

    I already saved the working config under 135 and load it again to another 135 appliance - results - not working - after rebooting - not working

    I already tested it in 210 appliance but sadly it is not working....

    Yes under MR4 i already turned it ON the microapp discovery..

    I tested it in 3  diff appliances, sometimes it works it blocks fb chat, comment, status upload BUT not VIDEO

    then when i tested it to another appliance with the same config under LAN to WAN it doesnt work.... i have only one FW rule. undef FW rule - decryt scan https and app control w/c is fb limited feautures

    Thank you

  • In reply to Proudmore:

    Have you tried editing and saving the application control policy, or better yet creating a new fresh one?

    When you say you saved the working config and load it again, are you doing backup and restore, or XML export and import?  Or using SFM?  Or something else?

    Under MR4, please go into the console and type.  This won't make any difference to your current problem, but it may save you headaches in the future.  This flag is used to force on certain things for demo purposes, and as of MR4 should be off.
    system application_classification microapp-discovery off

    I do not know if I or anyone else can help you with "not working".  You will need to post a lot more information about your configuration and logs if you expect the community to diagnose your specific issue.