Application control policies best practice?

I think it would be better to day that for clarity firewall rules can deal with one port at a time, which is better than saying one filter at a time.

Assuming for a moment that you want to control Apps that use port 80 and 443 (HTTP and HTTPS) then the firewall rule should have Services of HTTP and HTTPS and all Filters that apply to them - which is both Web Filters and Application Filters.

If you also wanted to have Application Filters apply to traffic on other ports (NTP port 123 for example) then you could create a separate firewall rule for Services NTP and have a Application Filter selected that covers that NTP application.

You could put both those applications into a single application filter and have a single firewall rule for HTTP/HTTPS and NTP.  But that can be harder to manage later on.

Now lets talk about Block All again (please read what I wrote in Bob's link as well).

Lets say you have a firewall rule for NTP (port 123) traffic and a application filter that is rule 1 Application NTP allow for 1am to 5am, Rule 2 Application NTP Blocked, Default Block All.  That means NTP would be allowed in the middle of the night, and blocked during the day.  The Default Block (or for that matter Default Allow) never comes into effect unless there was other application traffic coming through on port 123 - highly unlikely.

Lets say you have a firewall rule for HTTP port traffic and a application filter that is rule 1 Application Bing Website allow, Default Block All. Now lets say some Bing traffic hits port 80 and both the Web Filter and Application Filter will have their rules applied.  Application Filter says "I'm not going to block this Bing traffic".  The Web Filter may say "traffic to search engines is blocked" or it could say it is allowed, and the traffic would be allowed or blocked appropriately according to that Web Filter rule.  The point is - the Application Filter of "Allow Bing, block everything else" didn't actually do anything (allow doesn't mean allow, it means that application filter will not block).  Now lets say that they go to google.com.  Here the application filter says "I know about google.com, its blocked due to Block All".  The Web Filter doesn't get a say (since web filter cannot override an application filter block).  Then the user goes to... lets say fox.com.  Its allowed because there is no application defined for it.  You will end up with a very inconsistent browsing experience because the Application "Block All" will tend to block some major sites that have applications defined but allow other sites that don't have applications defined.  In order to get any sort of reasonable browsing experience an application filter with Block All needs to have a large number of Apps allowed.

In conclusion:
- If you have a firewall rule for non-HTTP then you could use Application Filter default action Block All as an extra safety measure that almost always will never take place (unless multiple applications use the same port).
- If you have a firewall rule for HTTP traffic then an Application Filter default action Block All will mean you need to spend a lot of time manipulating the rule to add in all the things you want to allow, and probably deal with complaints that certain things don't work.  You'll need to spend more time watching logs and adjusting the rule, especially in the beginning.  I highly recommend against doing this unless you are trying to do something like a lockdown on a device.
- In both cases, an default action of Allow All will either make no practical difference, or be much easier to manage.

Just to clarify once more, my example of cnn above is incorrect. As long as I say denied on application filter, the webfilter in the next rule doesn't have an effect and vice versa as long as the default action is deny. 

They took out the default deny template for applications so there is that but I think I understand everything a lot better now. https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter 

Edit: I don't use XG much other than beta testing so I sometimes don't understand simple things till they are pointed out.

Just to clarify once more, my example of cnn above is incorrect. As long as I say denied on application filter, the webfilter in the next rule doesn't have an effect and vice versa as long as the default action is deny. 

They took out the default deny template for applications so there is that but I think I understand everything a lot better now. https://community.sophos.com/products/xg-firewall/sophos-xg-beta-programs/sfos-v170-beta/f/sfos-v170-beta-issues-bugs/96234/impossible-to-select-deny-all-as-template-for-an-application-filter 

Edit: I don't use XG much other than beta testing so I sometimes don't understand simple things till they are pointed out.

Thanks for the replies, just one thing i can see how to create a blacklist.  I add a new app filter and use allow all as the template and then add the applications i want to block set as deny, but what template do i use to make a whitelist?  Deny all wont let me use it as a template.

As you can see there is a Deny all filter in the list

Have I got that right though? 

And I do get what you said, I need to put Deny rules first dont i?

Thanks again for your help i really appreciate it.

JK