We have begun the process of globally allowing some applications for the entire enterprise. At this point, these are (fairly) innocuous applications which are largely dependent on web-browsing / ssl.

Two questions:

1. When verifying if a dependent application is available, does the firewall check the policy from the top down or just rules below the one you're creating?

2. I think part of the issue I'm running into is something that is discussed here: Application Dependency Warnings with Allowed Enabler Application

I have rules up around 20 - 30 that are my URL Filtering rules. So, certain user groups are allowed to certain URL categories via web-browsing (on "any" service). Now, down around rule 150 or so, I have a rule that says, "Globally Allowed Applications" - in here I have a few apps like 'ms-update' and 'flash'. However, once I pushed policy, I'm being told (for example) that:

Application 'flash' requires 'web-browsing' be allowed, but 'web-browsing' is denied in rule "Drop All".

Technically 'web-browsing' is allowed above. I'm not really a fan of having to allow the applications (especially web-browsing or SSL) globally as this negates our URL filtering policy.

Anyone else run into this?