It is not clearly described in the documentation and I could not find a complete topic related to it. How does application:any, service:application-default behave when applied to a “Deny” rule? Presumably it will block the application if the application is detected on a default port, but normally deny rules do not have a recognised application, because there are not enough packets to detect the application. How will the application be detected? Also, how will an “application-default” rule behave (regarding whether it denies or allows) in the following cases of traffic with AppID: Incomplete, Insufficient-data, unknown, apps with ports “tcp/dynamic” or “udp/dynamic” (e.g. torrent), apps with port not defined (e.g. icmp)?