I have attached a screenshot of the both rules.

But what is your question ? This rule does not make sense to me, as you allow something, and in next rule, allow all ?

I can see neither evernote nor faceboog here...

We are trying to monitor the application usage for your users and my intention was to create only one rule (the second in the picture) and I have created both rule for the following test

- If we gain access to “evernote” or “gmail”, the rule 1 of layer “Application” log correctly field “Application Control”
- If we gain access to another “Application Control” (Like Facebook), the rule 2 of layer “Application” does not log the field “Application Control”.

Look into https://sc1.checkpoint.com/documents/R80.10/WebAdminGuides/EN/CP_R80.10_NexGenSecurityGateway_Guide/... on how to do this! As long as no services and applications are added to the column, rule will not match, also see sk73220 ATRG: Application Control for details of matching.

I'm going to read sk73220 ATRG again, maybe I forgot something.

Precision: the rule 2 match for others applications (Those not specified in the rule 1), but the logs related to this rule 2  haven't got the information related to "Application Control"

You can ask TAC and let them explain it to you 8)

Set the Track for Rule 2 to be Detailed Log as otherwise it is not necessary for App Control to be active for this rule to be enforced otherwise.

I have tried set the track for rule 2 to be Detailed Log and the result is the same: this rule match but I still haven't got the information related to "Application Control"

are you look at logs with blade: Application Control?

Yes!

Show us the rules you are trying to hit and the exact log you are actually hitting.