Best Practice policy 7.1

Thanks for the reply. I do have a rule (34) that is configured for web-browsing and ssl (general-browsing app group) above my tuning rules.

I guess implementing the the best practice outlined in the 7.1 guide would never be complete then. I mean if app id doest work correctly then how would you get rid of the tuning (catch all) rules. 

I'm not really saying that App-ID doesn't work, but things sometimes get messed up depending on the website you are visiting and what not; I wouldn't say that you should really worry about it to much as the four pages of logs that I have are all going to one address that is an add network, so clearly if it started to get blocked I wouldn't care. 

What applicaitons are actually breaking when you take out the TUNING rules and just run with the Allow ssl and web-browsing rule? Nothing should really break because of it, generally the only time that I run into an issue is when some web-dev decides to use port 85 or some other random site on a production webserver. If you start running into a lot of issues try running a PCAP and see what is actually being sent, you shouldn't really be having any issues with the SSL and Web-Browsing app-ids even when you don't do any decryption. 

This is what my user rules look like; as you can see I am using ssl and web-browsing as the applicaiton with application-default as the service. I have yet to run into any issues except for a few crappy websites put out by small organizations that use weird ports. We do not recieve any issues with these users at all about not being able to access anything. Run without your TUNING rules and see what brakes, I'm guessing not much and you can create rules for the cases where you actually need access to those websites. 

Hello Experts

Just want to ask something silly, if user browse www.4shared.com and in policy I only allow SSL, Web-browsing application on application-default then it will work? Because if PA identify deeper applicaiton running on Web-browsing then it will be block as its not allow in policy? Please answer 

If you allow SSL and Web-Browsing on the default ports then 4shared will be allowed since it only uses the default ports. 

Hi,

That doesn't seem correct.

Allowing SSL and web-browsing using application defaults won't allow access to http://www.4shared.com.

The application will be identified as 4shared and will be denied by policy if you haven't allowed this application :

Session           22777

        c2s flow:

                source:      192.168.0.28 [lab-100]

                dst:         199.101.134.234

                proto:       6

                sport:       61604           dport:      80

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        s2c flow:

                source:      199.101.134.234 [untrust]

                dst:         172.16.31.170

                proto:       6

                sport:       80              dport:      24526

                state:       INIT            type:       FLOW

                src user:    unknown

                dst user:    unknown

        start time                           : Tue Nov  8 21:55:22 2016

        timeout                              : 90 sec

        total byte count(c2s)                : 5242

        total byte count(s2c)                : 66

        layer7 packet count(c2s)             : 11

        layer7 packet count(s2c)             : 1

        vsys                                 : vsys1

        application                          : 4shared 

        rule                                 : interwebs-1

        session to be logged at end          : True

        session in session ager              : False

        session updated by HA peer           : False

        address/port translation             : source

        nat-rule                             : NaT to interwebs(vsys1)

        layer7 processing                    : completed

        URL filtering enabled                : True

        URL category                         : online-personal-storage

        session via syn-cookies              : False

        session terminated on host           : False

        session traverses tunnel             : False

        captive portal session               : False

        ingress interface                    : ethernet1/2

        egress interface                     : ethernet1/1

        session QoS rule                     : N/A (class 4)

        tracker stage firewall               : l7 proc

        end-reason                           : policy-deny

Cheers,

-Kim.

My appologize, kiwi is correct my logs hadn't updated when I ran a quick test of it 

@BPry then how come your internet browsing is working with allow only SSL/Web-browsing application, as you post the screen shot of your policies

I want simpler approach to policy mgmt. I am experimenting with just have one rule that allows all risk 1-4 apps. Above that I block all risk 5 apps. Then above that just have individual allow/block rules for stuff that needs "special" consideration ie smtp for allowed senders/svrs, dns to specific safe dns, blocking risk 1-4 apps that we have no use for etc.