After reading the NGFW Policy Order of Operations guide here, https://www.cisco.com/c/dam/en/us/td/docs/security/firepower/Self-Help/NGFW_Policy_Order_of_Operations.pdf
I am even more confused about how the firepower device processes rules. According to this guide, if I want to block all port 443, but allow access to google drive, I would need to put a rule blocking 443 before the rule allowing google drive. This is on page 5 of the linked guide.
Could someone please explain how a setup like that would allow google drive while simultaneously blocking all 443 traffic? If the block for port 443 comes before the application detection rule for google drive, the application detection rule would never be able to identify a google drive connection, because it would be blocked at the very first packet.
I think I understand the order of operations, but I'm trying to figure out if there is a discrepancy in the guide I'm reading, since it is proposing to make a 443 blacklist ACE in the ACP before the application detection ACE for allowing google drive.
It would seem to me that such a configuration would not properly allow google drive to work, since all 443 traffic would be blocked prior to the google drive allow - e.g. the application detection would not be able to do its job because the 443 block ACE is preventing any packets from getting through. However, the Cisco-published guide is clearly stating this is the preferred way to set up such a configuration.
Assuming you were in some ultra-high security environment where you were doing zero trust and whitelisting, blocking 443 at the top of the ACL would render any application detection useless, correct?