Pages don't load with WCF and App Control enabled on the same policy. How to structure?
I have a Fortigate 600C running 5.6.4 with a policy for a "Restricted Users" Active Directory group. The policy is basically as follows:
Internal > WAN:
  Source: LAN, WLAN, "Restricted Users"
  Web Filter: Custom_Restricted
  App Control: Custom_Limited
I have several other policies with varying levels of restriction for different user groups. My problem is with Facebook specifically, but potentially other sites. Social media is blocked by both the WCF policy and the App Control policy. If a user under this policy tries to go to Facebook, the page times out. I've found that if I disable App Control, everything works fine and the "Web Page Blocked" page loads up like it should. I've found posts and documents stating that there are problems with proxy-based WCF and flow-based App Control on the same policy, and it would seem that's my problem.
Obviously I don't want to disable App Control, and I've seen suggestions to create separate policies for WCF and App Control, but if I create two policies from Internal > WAN with the same source and destination, won't the traffic just hit the first rule and ignore the next one? Am I understanding the way it works incorrectly? My understanding is that it looks at the rules from the top down, and at the first rule it finds that applies to the traffic, it stops there. So if I put my WCF policy above the App Control policy, App Control never gets applied, right?