topic Re: Application layer showing "Missing cleanup rule - Unmatched traffic will be accepted and no in Firewall and Security Management

Application layer showing "Missing cleanup rule - Unmatched traffic will be accepted and not logged"

breadwinner — Mon, 01 Dec 2025 09:20:03 GMT

A VSX-based R81.20 security gateway has an Application layer with a couple of rules. There is no 'Any' to 'Any' drop rule like the last rule in the Security layer. At the bottom of the Application layer, it shows "Missing cleanup rule - Unmatched traffic will be accepted and not logged". Please refer to the attachment.

Since the statement reads there will be "no logging" for the allowed unmatched traffic, I am a bit concerned.

Is it advisable to add an 'Any' to 'Any' drop rule at the bottom of the Application layer OR is there a different way to deal with it?

Re: Application layer showing "Missing cleanup rule - Unmatched traffic will be accepted and no

_Val_ — Mon, 01 Dec 2025 11:12:23 GMT

It really depends on your needs. I don't believe you need all discovered applications to be logged. However, it is a good practice to include an explicit Application Layer cleanup rule for visibility. It can be the "No Logs" rule if that is what you want.

Re: Application layer showing "Missing cleanup rule - Unmatched traffic will be accepted and no

the_rock — Mon, 01 Dec 2025 11:58:28 GMT

See if this doc I made while ago helps. Gist of it really this...traffic has to be accepted on every ORDERED layer, otherwise, it wont work. So, its totally normal if that layer is last to have any any accept, otherwise, if its any any drop, nothing will work. Ok, let me rephrase that, it would work, but you would need to allow literally exactly same things as on network layer.

Plus, when it comes to app layer, CP also recommended blacklist, rather than whitelist approach.