https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/107328#M44877 <P>Is this a web applicaion and do you use SSL decyrption? If you are not using SSL decyption and are attempting to block two app-ids it's pretty common for this to not actually work.&nbsp;</P> Thu, 25 Aug 2016 15:27:32 GMT BPry 2016-08-25T15:27:32Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/106984#M44854 <P>I have a policy from trust to untrust any any allowed. I have cloned this policy and put on top of this with &nbsp;address -test and deny 2 applications. This address is an ip for eg. 192.168.1.26 which is reserved in dhcp. But I can see apps being access via any any policy. Should the address be blocked using block policy.</P> Thu, 25 Aug 2016 03:53:35 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/106984#M44854 inderjit21 2016-08-25T03:53:35Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/107023#M44856 <P>Hi,</P><P>&nbsp;</P><P>Most likely not all conditions were met in the 1st policy, so traffic passed through&nbsp;the any any.</P><P>Did you check detailed logs from any any to see why it didn't&nbsp;match 1st policy ( sorce&nbsp;ip, destination , postrs,&nbsp;)?</P><P>&nbsp;</P><P>Thx,</P><P>Myky</P> Thu, 25 Aug 2016 06:18:51 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/107023#M44856 TranceforLife 2016-08-25T06:18:51Z https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/107328#M44877 <P>Is this a web applicaion and do you use SSL decyrption? If you are not using SSL decyption and are attempting to block two app-ids it's pretty common for this to not actually work.&nbsp;</P> Thu, 25 Aug 2016 15:27:32 GMT https://live.paloaltonetworks.com/t5/general-topics/security-policy-order-not-working/m-p/107328#M44877 BPry 2016-08-25T15:27:32Z