https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84781#M11277 When it was matching on a different rule (before you added the specific rule) what rule did it match on?<BR />Note that evaluation against the rulebase is a continual process and if the stream looks like a different app later on, and a different, earlier rule matches, it will apply instead.<BR />This is by design. Mon, 11 May 2020 01:59:33 GMT PhoneBoy 2020-05-11T01:59:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84773#M11276 <P>Hi Checkmaters.</P><P><BR />I had a very strange problem. I have a firewall policy with two layers, one for firewall rules and other for app control and url filtering. (layer.jpeg)</P><P>The CleanUp rule in the second layer is Accept. (cleanup_accept.jpeg)</P><P>A specific traffic was being accepted in the cleanup rule, but it was intermittent, sometimes working, sometimes not. (cleanup_accept_log.jpeg).</P><P>In a desperate attempt to solve the problem, I created a specific rule in the top of the second layer to deal with this traffic. For my surprise, the problem was solved, the traffic worked perfectly. (specific_rule.jpeg and specific_rule_log.jpeg)</P><P><SPAN class="tlid-translation translation"><SPAN class="">What happened?</SPAN> <SPAN class="">I have no idea!</SPAN> <SPAN class="">Has anyone had this problem?</SPAN> <SPAN class="">Do you have any idea why this happened?</SPAN></SPAN></P><P>Thank you!</P><P>PS: version R80.30, take 111.</P><P>&nbsp;</P> Sun, 10 May 2020 23:51:28 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84773#M11276 carlosgeib 2020-05-10T23:51:28Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84781#M11277 When it was matching on a different rule (before you added the specific rule) what rule did it match on?<BR />Note that evaluation against the rulebase is a continual process and if the stream looks like a different app later on, and a different, earlier rule matches, it will apply instead.<BR />This is by design. Mon, 11 May 2020 01:59:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84781#M11277 PhoneBoy 2020-05-11T01:59:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84802#M11278 <P>It was matching in the CleanUp Rule, whose action is Accept.</P><P>There was no policy change that could impact.</P> Mon, 11 May 2020 07:28:45 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84802#M11278 carlosgeib 2020-05-11T07:28:45Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84834#M11279 The policy didn't change but the traffic stream clearly did in how it was identified.<BR />I'm also not clear from your explanation either what rule it was supposed to match or what rule was matching instead when things stopped working. Mon, 11 May 2020 13:16:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Two-Layers-Order-rule-issues/m-p/84834#M11279 PhoneBoy 2020-05-11T13:16:44Z