I would like to know if application control has precedence over Web filter. Consider the following scenario:
Policy with web filter which blocks www.facebook.com & also application control sensor which blocks Facebook. Will there be a disclaimer from Web filter or the application control will simply block the packets?
What if the url wasn't categorized to begin with ( yes or in the wrong category ) ? ( assuming no manual or static entries where include the web-filter )?
We know in the flow or life of the packet, it has to look at layer3 route, policy, and security profile to determine what we inspect, but if you had app-control and url filtering and use a mask url, I think app-control would be the final trump.
The Fortigate Documents about traffic flow indicate that Webfilter acts before Applifilter...but this in only truth in firewall mode, if you use the Fortigate in explicit proxy mode the applifilter goes first.
I Opened a ticket to the support and after show them i was completely right, i suggested to modify the Official Documentation but i think they are not going to to that.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.