Application Filter - blocking policy questions

Question

Ok unless I am missing something, you: Create an Application Filter, set it to Block. But in the GUI overview it shows default action is Allow. You have to edit the policy to see it's set to block. Poor design and visually confusing. Create a Firewall Filter, set it to Allow and choose the Application Filter that is set to Block. Poor design and visually confusing. 
 Logging is even worse, with Firewall Logs showing the rule as allowed (which technically it is), but then you have to view the Application Filter logs to see the actual block. Audit nightmare. 
 Is this really the way? I've never seen a policy and logging engine this badly implemented.

LuCar Toni · Answer

From a technical perspective, you do not have much chances in that term: You can check the TLS Handshake and try to figure out, what it is, you can try to figure out what DNS query is fetched, you can try to check the destination IP. Afterwards its impossible to find the session. 
 What you could try is Sophos DNS for IoT, as we integrated a own blocklist there. https://news.sophos.com/en-us/2023/11/23/introducing-sophos-dns-protection/ 
 It is a demo right now and can be integrated. 
 About your points: Try to use the detailed view: 
 
 It will showcase you all modules working.

Application Filter - blocking policy questions

Top Replies