I am coming from a firewall world so I have the habit to end each of my policy sets with a "cleanup" rule, that blocks everything that has not been allowed through a previous rule.
Right now, I have no manual rules in my policies, there are only auto-rules. Now when I try to add my cleanup rule, it is always placed at the top of the rulebase and I can not seem to move the rule manually (the < and > keyboard shortcuts don't seem to work either).
Is this normal? Does this mean the auto-rules are always matched, no matter if I have a manual, more specific rule before the auto-rule?
Deny rules always appread before the allow rules. So if you e.g. allow myhost.com:80,443/abc/* and want to exclude myhost.com:80,443/abc/noaccesshere/* then this rule needs to appear before:
1.) Deny: myhost.com:80,443/abc/noaccesshere/*
2.) Allow: myhost.com:80,443/abc/*
But if you exclude everything for a ressource and want to allow something included in the deny ressource, the allow rule will be in the first position:
1.) Allow: myhost.com:80,443/tobeallowed/*
2.) Deny: myhost.com:80,443/*
If something is neither allowed nor denied will be denied by default - similar to the "cleanup" rule you describe.
Sry I can't help you with the autorulestuff, because I rarely use the, instead I prefer defining the rules my own, so that I always know what's happening (and in case I am doing sth. wrong I am cheating from examle autorules, e.g. with this citrix stuff ).
But I guess that they are alway on top to always keep them working, so that they might not be influenced by manual rules.
Well, you could approach your SE for an Enhancement Request (ER). I think you have identified how the SA works, you just think it could do it better.
From my perspective, you could (1) accept the fact that there is an implicit "deny all" at the end of the policies or (2) not use the automatic policies, creating all policies manually - and then have the freedom to move them anywhere you want in the list.