

Cyber Elite

I concur with @BPry: you don't need to have dependencies in the same rule. I do want to zoom in on your last paragraph to hopefully lift some more of the confusion surrounding this topic:

 

"If it is possible to separate depends on Apps in a rule before as the target App with this dependencies, like my setup. Then is it that the prove that not first rule matches!"

 

For every session the rulebase will actually evaluate the security rulebase multiple times:

1. When a SYN packet comes in, only the 6-tuple is available (srcIP, srcZone, dstIP, dstZone, dstPort, Proto), so the apps in rules will be ignored to find a matching rule.

2. When the initial app is detected, the rulebase will again be evaluated to see if a rule is found that matches the app (this is where web-browsing, ssl etc. are detected, as we're only 4-6 packets into a session).

3. As the session passes more packets, the 'app' will start to transmit more payload that can be identified as something more specific, so this could be one of the app-base applications, so the firewall checks if that app matches a rule.

4. With even more payload being transferred, an even more specific app can be detected. This is where the apps live that are dependent on a more generic 'parent' app, because it takes so many packets before it can be properly identified. At this stage another rulebase evaluation takes place, so this app can actually sit in a different rule than the above 'parents'.

 

 

Hope this helps

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
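
The staged evaluation described in the post above, as an added example that is not part of the original post and is not Palo Alto Networks code. It is a simplified model: the rule names, zones and the `example-base` / `example-upload` app names are constructed, the source and destination IPs of the 6-tuple are left out for brevity, and the `default-deny` fallback is an assumption of the model.

```python
# Simplified model of the repeated rulebase evaluation; not PAN-OS code.
# Rule names, zones and the "example-*" app names are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str
    apps: frozenset  # empty set means "any"

@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    dst_port: int
    proto: str

def first_match(rules, session, app=None):
    """Top-down first match. With app=None (SYN stage) the apps column is ignored."""
    for rule in rules:
        tuple_ok = (rule.src_zone, rule.dst_zone, rule.dst_port, rule.proto) == (
            session.src_zone, session.dst_zone, session.dst_port, session.proto)
        app_ok = app is None or not rule.apps or app in rule.apps
        if tuple_ok and app_ok:
            return rule.name
    return "default-deny"  # model assumption: nothing matched

def trace(rules, session, app_shifts):
    """Evaluate once at SYN, then again each time the identified app changes."""
    return [(app or "SYN", first_match(rules, session, app))
            for app in [None, *app_shifts]]

# Parent apps in one rule, the dependent app in a later, separate rule.
RULES = [
    Rule("allow-parents", "trust", "untrust", 443, "tcp",
         frozenset({"ssl", "web-browsing"})),
    Rule("allow-example", "trust", "untrust", 443, "tcp",
         frozenset({"example-base", "example-upload"})),
]
SESSION = Session("trust", "untrust", 443, "tcp")

if __name__ == "__main__":
    for app, rule in trace(RULES, SESSION, ["ssl", "example-base", "example-upload"]):
        print(f"{app:15} -> {rule}")
```

The same session lands on `allow-parents` at the SYN and `ssl` stages and on `allow-example` once the more specific apps are identified, which is why the first rule hit is not the only rule the session is checked against.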