Apparently, if you leave that blank, it doesn't apply to any users or networks, nor is there any pop-up dialog box saying "you've created a new rule that doesn't actually do anything.''
Overall, Barracuda turned in the lowest application identification score because it didn't have the ability to match as many applications as we were testing for. For example, the NG Firewall didn't have signatures for generic webmail applications or tools such as Lotus Notes, Outlook Web Access or SharePoint.
Some of the application categories the NG Firewall did have didn't make a lot of sense to us. For example, to block YouTube, you have to block "social networking," which does work — but it blocks more than just YouTube.
And when a category was successfully identified, the NG Firewall didn't always successfully block it. For example, Microsoft and Apple software updates showed up in the logs when we added a rule, but the NG Firewall wasn't able to successfully block them.
The demand for next-generation firewalls may be focused on application identification, but we believe that there are other ways to "widen the tuple" to help network managers classify and control traffic. For example, we found that all four of the products we tested let us add user or group information to policies.
We were interested in other ideas so we went looking for reputation-based policies, rate-based policies, and geography-based policies. For example, a network manager might want to block some applications, such as outbound FTP, to or from particular geographic areas (if you're willing to trust that GeoIP databases have a low error rate, which isn't necessarily true).
Fortinet's FortiGate lets you write rules that refer to geography rather than just IP addresses. But more often, these features were not integrated into the firewall rule base. Check Point and SonicWall, for example, both allow the network manager to control traffic based on both IP reputation and geography, but did not fully integrate this feature into the firewall rule base; FortiGate has a slick rate-based policy feature designed to avoid denial-of-service attacks, but didn't integrate it into their firewall rule base.
It's a little early in the world of next-generation firewalls to say what else should go into firewall rule bases beyond application and user identification, but our testing showed that engineers are thinking about different options in this area.