06-02-2017 01:24 PM
On PA5050 running 7.1.5, in the monitor:traffic logs section, traffic that matches interzone default rule shows up as matching the first rule in the list. The first rule is configured like so:
source zone: any, source address: any, user: any, destination zone: any, destination address: any, application: I picked one that is not in-use e.g. 'docstoc-base'. That is, the rule is configured to match on any source/dest/user and to match a specific application.
When I apply this rule, traffic flows as expected: firewall rules lower in the list are applied to allow desirable traffic, and undesirable traffic is denied by the interzone-default rule at the bottom.
However, the traffic logs show traffic being dropped by that first rule instead of interzone-default.
I opened a support case because I expected to see the 'interzone-default' rule (it is set for log-at-session-end) in the log when traffic is blocked because it does not match an explicit allow rule higher up in the list. I was told that this is expected behavior because traffic is matched 'left-to-right' and then 'top-to-bottom' (per this article: https://live.paloaltonetworks.com/t5/Management-Articles/quot-Not-applicable-quot-in-Traffic-Logs/ta...). That is, app-id settings are not applied until after to/from zone/address is evaluated. However, this doesn't make sense to me because if it were true:
I feel like I must be misunderstanding something, can anyone educate me on this?
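The 'left-to-right, then top-to-bottom' ordering described in the post can be shown with a small policy-lookup model. This is an added example, not code from the poster or from Palo Alto Networks, and it is a simplified model of the evaluation order the post describes rather than PAN-OS's actual implementation. The rule names other than 'docstoc-base' and 'interzone-default', the zone names, and the addresses are constructed for the example. The model evaluates a session's zones, addresses and user first; while App-ID has not yet identified the application, a rule with a specific app still matches on that tuple alone, so a session that never gets an application verdict stays attributed to the first rule in the list. Once an app is identified, the lookup is re-run top-to-bottom and a rule whose app does not match is skipped, so a blocked session lands on interzone-default.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"


@dataclass(frozen=True)
class Rule:
    """One security policy rule. 'scope' models the rule type
    (universal / interzone / intrazone); the two default rules use the latter two."""
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    src_addr: str = ANY
    dst_addr: str = ANY
    user: str = ANY
    app: str = ANY
    action: str = "allow"
    scope: str = "universal"


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_addr: str
    dst_addr: str
    user: str = "unknown"
    app: Optional[str] = None  # None until App-ID has identified the application


def _field_ok(rule_value: str, session_value: str) -> bool:
    return rule_value == ANY or rule_value == session_value


def tuple_match(rule: Rule, s: Session) -> bool:
    """'Left-to-right' part: zones, addresses and user, evaluated before the app."""
    if rule.scope == "interzone" and s.src_zone == s.dst_zone:
        return False
    if rule.scope == "intrazone" and s.src_zone != s.dst_zone:
        return False
    return (_field_ok(rule.src_zone, s.src_zone)
            and _field_ok(rule.dst_zone, s.dst_zone)
            and _field_ok(rule.src_addr, s.src_addr)
            and _field_ok(rule.dst_addr, s.dst_addr)
            and _field_ok(rule.user, s.user))


def lookup(rules: List[Rule], s: Session) -> Rule:
    """'Top-to-bottom' part: the first rule whose tuple matches wins.
    While the app is unknown (s.app is None) the app column cannot be evaluated,
    so a rule with a specific app still matches on its tuple alone. Once App-ID
    has a verdict, a rule whose app does not match is skipped."""
    for r in rules:
        if not tuple_match(r, s):
            continue
        if s.app is None or _field_ok(r.app, s.app):
            return r
    raise RuntimeError("no rule matched; the rulebase should end with a catch-all")


def session_lifecycle(rules: List[Rule], s: Session,
                      identified_app: Optional[str]) -> List[Tuple[str, str]]:
    """Rule the session is attributed to at setup (app unknown) and after App-ID.
    Passing identified_app=None models a session that never got an app verdict."""
    s.app = None
    stages = [("setup", lookup(rules, s).name)]
    s.app = identified_app
    stages.append(("after-app-id", lookup(rules, s).name))
    return stages


# Constructed rulebase mirroring the post: an any/any/any rule pinned to an
# unused app at the top, an explicit allow below it, then the two default rules.
RULEBASE = [
    Rule("app-specific-first-rule", app="docstoc-base"),
    Rule("allow-web", src_zone="trust", dst_zone="untrust", app="web-browsing"),
    Rule("intrazone-default", scope="intrazone", action="allow"),
    Rule("interzone-default", scope="interzone", action="deny"),
]

if __name__ == "__main__":
    flow = Session("trust", "untrust", "10.0.0.5", "203.0.113.10")
    for app in ("web-browsing", "ssh", None):
        print(app, session_lifecycle(RULEBASE, flow, app))
```

In this model the only sessions whose final log line names the first rule are those for which no application was ever identified; anything identified as a non-matching app is re-evaluated and attributed to interzone-default. When reading traffic logs, the application column therefore explains the rule column: a rule hit that looks wrong is usually a session that ended before App-ID could run.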