I have a question regarding Application and URL filtering blade.
After we define specific rules for the traffic/sites that we know must go to the internet and place the rule for blocking known malicious applications per categories, unknown traffic is left per ports 80 and 443 (we dont have an info on apps inside that initiate connection), so it comes down to identify if traffic is legitimate. And if we somehow manage to do it and as a end result we have a list of internal hosts that communicate to outside/internet IPs with legitimate traffic, would it be the right approach to create rule for example:
Name: Allow HTTP/HTTPS out.
Source: Create Group and place hosts we have identified,
Services: tcp https, tcp http,
Application/Sites: Any Recognized (block rule with blacklist categories will be placed above this one)
And after all said and done at the end rule that will be any to internet drop?
Give me your advice guys?