diff --git a/src/tsg_action.cpp b/src/tsg_action.cpp
index 1a3ff3d..3617ce5 100644
--- a/src/tsg_action.cpp
+++ b/src/tsg_action.cpp
@@ -21,6 +21,7 @@
 #include "tsg_rule.h"
 #include "tsg_entry.h"
 #include "tsg_statistic.h"
+#include "tsg_send_log.h"
 #include "tsg_protocol_common.h"
 extern "C" int sendpacket_do_checksum(unsigned char *buf, int protocol, int len);
@@ -616,6 +617,11 @@ static unsigned char do_action_tamper(const struct streaminfo *a_stream, Maat_ru
 static unsigned char do_action_default_xxx(const struct streaminfo *a_stream, Maat_rule_t *p_result, struct compile_user_region *user_region, tsg_protocol_t protocol, const void *user_data)
 {
 struct deny_user_region *deny_region=NULL;
+
+ if(user_region->session_para==NULL)
+ {
+ return STATE_DROPME|STATE_DROPPKT;
+ }
 switch(a_stream->type)
 {
@@ -843,7 +849,7 @@ static unsigned char tsg_do_deny_action(const struct streaminfo *a_stream, struc
 local_state=do_action_default_xxx(a_stream, p_result, user_region, protocol, user_data);
 break;
 case TSG_METHOD_TYPE_APP_DROP:
- if(user_region->deny->type!=TSG_DENY_TYPE_APP_DROP)
+ if((user_region->deny==NULL) || (user_region->deny->type!=TSG_DENY_TYPE_APP_DROP))
 {
 break;
 }
@@ -896,7 +902,7 @@ unsigned char tsg_deny_application(const struct streaminfo *a_stream, Maat_rule_
 dict=(struct app_id_dict *)Maat_plugin_get_EX_data(g_tsg_maat_feather, g_tsg_para.table_id[TABLE_APP_ID_DICT], (const char *)app_id_buff);
 if(dict==NULL)
 {
- return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_GIVEME : APP_STATE_GIVEME);
+ return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
 }
 user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
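Review bot: When `user_region->deny` is NULL the new condition breaks out of the switch with `local_state` untouched, so what tsg_do_deny_action returns in that case depends on the initialiser of `local_state`, which is outside this hunk. The rest of this commit makes missing configuration fail closed (tsg_deny_application and tsg_deal_deny_action now return DROPME|DROPPKT), so it is worth confirming that initial value is a drop state rather than a give-me state, or making it explicit on this path with `local_state=STATE_DROPME|STATE_DROPPKT; break;` if fail-closed is the intent here too. tsg_do_deny_action starts and ends outside this hunk.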
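Review bot: The dict-miss path now drops the flow where it previously returned GIVEME, which is a fail-closed policy change with no comment and no telemetry: an app id absent from app_id_dict (a stale or partially loaded dictionary, for example) will silently drop traffic with nothing to distinguish it from a deliberate deny. A comment above the return, `// app_id not in app_id_dict: fail closed and drop rather than hand the flow on`, plus a counter or log entry on this branch would make that visible; tsg_statistic.h and the newly included tsg_send_log.h are both in scope in this file, though I cannot see their APIs from here. Cosmetic: `PROT_STATE_DROPME:` wants a space before the colon to match the file's other ternaries. tsg_deny_application continues past this hunk.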
@@ -937,7 +943,30 @@ unsigned char tsg_deal_deny_action(const struct streaminfo *a_stream, Maat_rule_
 }
 user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
- state=tsg_do_deny_action(a_stream, user_region, p_result, protocol, type, user_data);
+ if(user_region==NULL)
+ {
+ return ((type==ACTION_RETURN_TYPE_PROT) ? PROT_STATE_DROPPKT|PROT_STATE_DROPME: APP_STATE_DROPME|APP_STATE_DROPPKT);
+ }
+
+ if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
+ {
+ unsigned int app_id=0;
+
+ if(protocol==PROTO_MAIL)
+ {
+ app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[PROTO_SMTP].name);
+ }
+ else
+ {
+ app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[protocol].name);
+ }
+ state=tsg_deny_application(a_stream, p_result, protocol, app_id, ACTION_RETURN_TYPE_APP, user_data);
+ }
+ else
+ {
+ state=tsg_do_deny_action(a_stream, user_region, p_result, protocol, type, user_data);
+ }
+
 security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
 return state;
diff --git a/src/tsg_entry.cpp b/src/tsg_entry.cpp
index f69c06f..54719d2 100644
--- a/src/tsg_entry.cpp
+++ b/src/tsg_entry.cpp
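Review bot: In the new TSG_METHOD_TYPE_APP_DROP branch the `type` argument is dropped: tsg_deny_application is called with ACTION_RETURN_TYPE_APP, so a caller that passed ACTION_RETURN_TYPE_PROT gets APP_STATE_* bits back, while the NULL-region return a few lines above does honour `type`. Unless an APP-flavoured state is deliberately required here, pass it through: `state=tsg_deny_application(a_stream, p_result, protocol, app_id, type, user_data);`. `g_tsg_proto_name2id[protocol]` is indexed with no range check against PROTO_MAX (the bound the new extern in tsg_entry.h declares), and the master_deal_scan_result hunk in tsg_entry.cpp does the same with `context->proto`; if either value can carry an out-of-range or unknown-protocol marker, a guard is needed before the lookup. tsg_deny_application also fetches the TABLE_SECURITY_COMPILE region for p_result itself (visible in the previous hunk), so this path now fetches that region twice and calls security_compile_free once here; whether that is balanced depends on how Maat_rule_get_ex_data and security_compile_free manage the region, which I cannot see. tsg_deal_deny_action starts before this hunk.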
@@ -362,6 +362,27 @@ static int is_dns_protocol(const struct streaminfo *a_stream)
 return 0;
 }
+static int is_deny_application(Maat_rule_t *p_result)
+{
+ int ret=0;
+ struct compile_user_region *user_region=NULL;
+
+ user_region=(struct compile_user_region *)Maat_rule_get_ex_data(g_tsg_maat_feather, p_result, g_tsg_para.table_id[TABLE_SECURITY_COMPILE]);
+ if(user_region==NULL)
+ {
+ return 0;
+ }
+
+ if(user_region->method_type==TSG_METHOD_TYPE_APP_DROP)
+ {
+ ret=1;
+ }
+
+ security_compile_free(g_tsg_para.table_id[TABLE_SECURITY_COMPILE], p_result, NULL, (MAAT_RULE_EX_DATA *)&user_region, 0, NULL);
+
+ return ret;
+}
+
 int set_struct_project(const struct streaminfo *a_stream, int project_id, void *data)
 {
 if(a_stream==NULL || project_id<0)
@@ -1572,11 +1593,6 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
 context->hited_para.hited_app_id=hited_app_id;
 context->hited_para.after_n_packets=after_n_packets;
 }
-
- if(d_result!=NULL && d_result->action==TSG_ACTION_DENY)
- {
- copy_result_to_project(a_stream, context, d_result, NULL, context->proto, PULL_FW_RESULT, thread_seq);
- }
 return hit_num;
 }
@@ -1584,9 +1600,8 @@ int scan_application_id_and_properties(const struct streaminfo *a_stream, struct
 static unsigned char master_deal_scan_result(const struct streaminfo *a_stream, struct master_context *context, struct Maat_rule_t *result, int hit_num, const void *a_packet)
 {
 int ret=0;
+ Maat_rule_t *p_result=NULL;
 unsigned char state=APP_STATE_GIVEME;
- struct identify_info tmp_identify_info;
- Maat_rule_t *p_result=NULL, app_result={0};
 struct tcpall_context *tmp_tcpall_context=NULL;
 p_result=tsg_policy_decision_criteria(result, hit_num);
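Review bot: is_deny_application has no header comment, and its contract is not obvious from the body because it acquires and releases the TABLE_SECURITY_COMPILE region as a side effect of a yes/no query. Above the definition I would put: `/* Returns 1 when the compiled security region attached to p_result has method_type TSG_METHOD_TYPE_APP_DROP, else 0 (also when no region is attached); the region is fetched and released inside, so the caller need not hold it. */`. It also passes p_result to Maat_rule_get_ex_data without a NULL check; whether that call tolerates NULL I cannot tell from here, so the caller's guarantee should at least be stated in that comment.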
@@ -1596,9 +1611,13 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 switch((unsigned char)p_result->action)
 {
 case TSG_ACTION_DENY:
- ret=tsg_pull_policy_result((struct streaminfo* )a_stream, PULL_FW_RESULT, &app_result, 1, &tmp_identify_info);
- if(ret>0 && app_result.action==TSG_ACTION_DENY && app_result.config_id==p_result->config_id)
+ if(is_deny_application(p_result))
 {
+ if(context->hited_para.hited_app_id==0)
+ {
+ context->hited_para.hited_app_id=tsg_l7_protocol_name2id(g_tsg_proto_name2id[context->proto].name);
+ }
+
 if(context->hited_para.after_n_packets>0)
 {
 ret=tsg_set_method_to_tcpall(a_stream, &tmp_tcpall_context, TSG_METHOD_TYPE_APP_DROP, a_stream->threadnum);
@@ -1606,6 +1625,8 @@ static unsigned char master_deal_scan_result(const struct streaminfo *a_stream,
 {
 tmp_tcpall_context->hited_para=context->hited_para;
 }
+
+ copy_result_to_project(a_stream, context, p_result, context->domain, context->proto, PULL_FW_RESULT, a_stream->threadnum);
 state=APP_STATE_KILL_OTHER|APP_STATE_DROPME;
 break;
 }
diff --git a/src/tsg_entry.h b/src/tsg_entry.h
index f344ba9..abe3737 100644
--- a/src/tsg_entry.h
+++ b/src/tsg_entry.h
@@ -18,6 +18,7 @@
 #include "tsg_statistic.h"
 #include "tsg_leaky_bucket.h"
 #include "tsg_protocol_common.h"
+#include "tsg_send_log_internal.h"
 #if(__GNUC__ * 100 + __GNUC_MINOR__ * 10 + __GNUC_PATCHLEVEL__ >= 411)
 #define atomic_inc(x) __sync_add_and_fetch((x),1)
@@ -305,6 +306,7 @@ typedef struct tsg_para
 extern g_tsg_para_t g_tsg_para;
 extern Maat_feather_t g_tsg_dynamic_maat_feather;
+extern id2field_t g_tsg_proto_name2id[PROTO_MAX];
 typedef enum tsg_statis_field_id
 {
diff --git a/src/tsg_rule.cpp b/src/tsg_rule.cpp
index ee5855b..5b0ec37 100644
--- a/src/tsg_rule.cpp
+++ b/src/tsg_rule.cpp
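Review bot: copy_result_to_project is now called after the tsg_set_method_to_tcpall block regardless of what `ret` came back as, so the deny result is recorded against the project even when the tcpall method could not be set (the condition between the two hunks is not visible here), and the call's own return value is discarded. If copying on that failure path is intended, say so, e.g. `// record the deny result even when the tcpall method could not be registered`; otherwise gate it on the same condition as the hited_para copy just above. The enclosing switch and master_deal_scan_result continue outside this hunk.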
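Review bot: g_tsg_proto_name2id becomes part of the header contract here with nothing saying how it is indexed, and both new users in this commit (tsg_deal_deny_action and master_deal_scan_result) index it directly with a protocol value. A comment next to the extern, `/* L7 protocol name table indexed by PROTO_* value; callers must keep the index below PROTO_MAX */`, would state the invariant those call sites rely on.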
@@ -43,7 +43,8 @@ const struct _str2index method2index[TSG_METHOD_TYPE_MAX]={ {TSG_METHOD_TYPE_UNK
 {TSG_METHOD_TYPE_RATE_LIMIT, 10, (char *)"rate_limit"},
 {TSG_METHOD_TYPE_MIRRORED, 8, (char *)"mirrored"},
 {TSG_METHOD_TYPE_TAMPER, 6, (char *)"tamper"},
- {TSG_METHOD_TYPE_DEFAULT, 7, (char *)"default"}
+ {TSG_METHOD_TYPE_DEFAULT, 14, (char *)"default_policy"}, // policy id=0, default policy
+ {TSG_METHOD_TYPE_APP_DROP, 7, (char *)"default"} // use action of app_id_dict
 };
@@ -1077,6 +1078,8 @@ static struct compile_user_region *parse_deny_user_region(cJSON *deny_user_regio
 break;
 }
 break;
+ case TSG_METHOD_TYPE_APP_DROP:
+ break;
 case TSG_METHOD_TYPE_RST:
 case TSG_METHOD_TYPE_RESET:
 break;
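Review bot: The name `"default"` is re-bound here from TSG_METHOD_TYPE_DEFAULT to the new TSG_METHOD_TYPE_APP_DROP, and TSG_METHOD_TYPE_DEFAULT is now only reachable through `"default_policy"`, so any stored policy that says `"default"` silently changes meaning from default-policy handling to per-application drop after this commit. If that is the intent it belongs in the commit message together with a migration step for existing configuration; if not, keep `"default"` on TSG_METHOD_TYPE_DEFAULT and give the new method its own name. The table is sized TSG_METHOD_TYPE_MAX, so the enum change that makes room for the extra row is presumably in a header not shown in this diff; the lengths 14 and 7 do match their literals.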
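Review bot: The new `case TSG_METHOD_TYPE_APP_DROP: break;` parses nothing for this method, which presumably is why the tsg_do_deny_action hunk in tsg_action.cpp now has to tolerate `user_region->deny==NULL`. A one-line comment would tie the two together for the next reader: `case TSG_METHOD_TYPE_APP_DROP: /* nothing to parse: the action is taken from app_id_dict at enforcement time */ break;`, matching the "use action of app_id_dict" remark in the method2index table. parse_deny_user_region's body extends beyond this hunk.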