I created an inline policy on R80.20. I did it by going through the logs to see which access control rule was used for each app control rule. Then I created layers and pasted all of the app control rules into appropriate layers assigned to each access rule per the action column. I left the entire app control policy in place and pushed this policy out, and everything broke. In the logs, I saw a lot of CP Early Drop. A lot of the logs were the remote users trying to get DNS, but I know that more than only that traffic broke. I restored an old policy to get it back up.
I’m not sure what I did wrong. The CP Early Drop indicates the packets had no way out of the new policy. I was sure to set each layer to implicit allow and to remove the default cleanup rule that is added to each layer. One possibility was that it was failing because I didn’t add a specific allow rule at the bottom of each layer. However, I have not been able to replicate that as a problem in my lab. Does anyone have any ideas?