https://live.paloaltonetworks.com/t5/general-topics/wrong-traffic-matching-rule/m-p/1236543#M125017 <P>Hi this maybe a simple or dumb question, but I have a rule shown below that has specific sources defined. I thought the rule would only match on those host listed in the source, but when looking at the logs, I can see other source IP's are matching on this rule. Can anyone explain why the other source IP's that are not listed in this rule match this rule?</P> <P>&nbsp;</P> <P>this is the rule</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo-rule.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68977iA4F403A36EA85AE4/image-size/medium?v=v2&amp;px=400" role="button" title="palo-rule.jpg" alt="palo-rule.jpg" /></span></P> <P>When looking at the logs I am seeing IP's other than the listed source match on this rule.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo-logs.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68978i52CC916E07ED4A8B/image-size/medium?v=v2&amp;px=400" role="button" title="palo-logs.jpg" alt="palo-logs.jpg" /></span></P> <P> </P> Sat, 23 Aug 2025 19:25:23 GMT E.Hinkle 2025-08-23T19:25:23Z https://live.paloaltonetworks.com/t5/general-topics/wrong-traffic-matching-rule/m-p/1236543#M125017 <P>Hi this maybe a simple or dumb question, but I have a rule shown below that has specific sources defined. I thought the rule would only match on those host listed in the source, but when looking at the logs, I can see other source IP's are matching on this rule. Can anyone explain why the other source IP's that are not listed in this rule match this rule?</P> <P>&nbsp;</P> <P>this is the rule</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo-rule.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68977iA4F403A36EA85AE4/image-size/medium?v=v2&amp;px=400" role="button" title="palo-rule.jpg" alt="palo-rule.jpg" /></span></P> <P>When looking at the logs I am seeing IP's other than the listed source match on this rule.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="palo-logs.jpg" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/68978i52CC916E07ED4A8B/image-size/medium?v=v2&amp;px=400" role="button" title="palo-logs.jpg" alt="palo-logs.jpg" /></span></P> <P> </P> Sat, 23 Aug 2025 19:25:23 GMT https://live.paloaltonetworks.com/t5/general-topics/wrong-traffic-matching-rule/m-p/1236543#M125017 E.Hinkle 2025-08-23T19:25:23Z https://live.paloaltonetworks.com/t5/general-topics/wrong-traffic-matching-rule/m-p/1236565#M125019 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/684046813">@E.Hinkle</a>&nbsp;,</P> <P>&nbsp;</P> <P>If you click into the Security Policy and review the Source tab, can you confirm whether the entries are address objects or IP entries? It looks like at least one of them (ip-10.35.5.71) may be an object.&nbsp;<BR /><BR />Please check the object definition and see if the object was created with a CIDR/netmask instead of it being a single host/32 which would explain why you're seeing other 10.35.5.x IPs in the traffic log.&nbsp;</P> <P>&nbsp;</P> <P>Id also review the modified tab to see when it was last modified.&nbsp;</P> Mon, 25 Aug 2025 00:56:18 GMT https://live.paloaltonetworks.com/t5/general-topics/wrong-traffic-matching-rule/m-p/1236565#M125019 JayGolf 2025-08-25T00:56:18Z