My issue is that the firewall log for rule 18 says "Accepted"
I can agree that apps can be detected and classified only after allowing the connection to be initiated.
Does this mean that the unified policy is misleading? Yes
Does this mean that this traffic is passed through the next firewall rules? I don't know.
My customer is asking me to advise on how to build the ruleset considering that his rules are "avoided". If there is an explicit drop, I would much appreciate not seeing any kind of log saying the traffic was allowed, as this creates confusion, especially if the firewall is claiming that my rule 18 matched this traffic.
The only supposition I have is that because it is somehow fragmented it cannot be inspected... but it is still accepted, and on a rule with Coinhive.
The other peculiar thing is that on the same rule I have both this example HTTPS traffic and SMTP traffic.