My mistake - the rule is configured to DROP but this was not clear in the first picture. I corrected.

Yet the logs say Rule 18, descriptions says Accepted. Protection says Dropped.

Why is it accepted by the policy when the action on the rule is Drop?

The main thing is that it is dropped by IPS - i would start from there ...

My issue is that the firewall log for rule 18 says "Accepted"

I can agree that apps can only be detected and classified ONLY after allowing the connection to be initiated.

Does this mean that the unified policy is misleading? Yes

Does this mean that this traffic is passed through the next firewall rules? I don't know

My customer is asking me to advise on how to build the ruleset considering that his rules are "avoided". I would agree that if there is an explicit drop, i would much appreciate not seeing any kind of log saying it was allowed as this creates confusion. Especially If the Firewall is claiming my rule 18 matched this traffic - 

The only supposition i have is that because it's somehow fragmented it cannot be inspected... but still it is accepted and on a rule with Coinhive. 

The other perculiar thing is that on the same rule i have both this example https traffic and SMTP traffic.

I would involve TAC - although i would suggest that an Accept here just means that this rule did not match, as then it would drop the packet instead. The message is from IPS, so that is the key here !

Hi,

Is this for any specific traffic?

Please run zdebug and fw monitor for more troubleshooting

Exactly the same suggestion was given by TAC. After reading the SKs i can see that setting this protection to Detect makes it be bypassed by other IPS protections.

However my issue is with the log stating Accept. Is this passed to the next rule or simply allowed? 

1. I am updating with more information. I have tested this signature on different setup, everything works. This means that the app "Coinhive" itself has no issue. 

2. The rule on this particular SMS/vSEC Gateway has been deleted, policy installed. Re-created, policy installed again. The result is similar:

1.  Traffic is dropped as intended: ;[cpu_3];[fw4_0];fw_log_drop_ex: Packet proto=6 10.10.202.44:50534 -> 86.105.182.5:443 dropped by fw_send_log_drop Reason: Rulebase drop - on layer "Network" rule 18;      
2. There is no log of this happening. Looked historically and things went bad on the 3rd of March when i have the last Application Control log working for this: 
3. The bogus logs for SMTP Bypass and Accepted HTTPS dropped by Inspection were there all along.
4.  Example (rule numbe changes as i moved it around): 
5. For the SMTP bypass support claims it is sourced by sk120964. However i cannot get my head around why would this SMTP bypass log trail around my rule 18 every single time i create or delete it. Why doesn't it pop on rule 10 or 11 or 50? 
6. For HTTPS with Accept message and Dropped Description there is no explanation yet. I have checked and inspection settings according to SK66576 & SK114529 , that have been brought into discussion earlier are set to Drop and Log. 
7. There is no proper Inspection Setting Log and regarding this or i don;t yet know where i would see inspection setting logs, as they seem more part of the firewall rather than IPS starting R80.

Unrelated Note: The new interface for Check Mates makes editing a complicated mess. It was much better before. Hope it was worth it. I just noticed while trying to make this post. You can't even paste pictures anymore. Let alone "quote" text.

Makes me think it now looks awfully aligned with the new Support Interface. Not everything is supposed to be a feed, sometimes i would like to be able to track my cases by just scrolling down, not having replies in my SR's arranged by "relevance" and "likes". Somebody actually hired some PR/Marketing guys to keep shifting interfaces around?!