In some instances, File Blocking profile rules are not following a top-down order of operations when applying actions.
Cause
Overlapping File Blocking Profile rules exist with different actions. The File Blocking Profile rulebase does not follow a normal "top-down" approach when applying rule actions. When a file is seen in a traffic flow matching a Security policy with a File Blocking Profile applied, it will be checked against the configured File Blocking policy. When there is a single match, action is taken accordingly. In the case of multiple matches, the highest precedence action will be used. The options to move rules up/down the list are used purely for organization and cosmetic reason.
Action Precedence
There are three actions that can be applied to File Blocking Profile rules. The order of precedence among the actions in PAN-OS 8.1 and above is as follows: