The first rule that matches the connection (based on rulebase order) is the one that generally applies.
However, some services/applications can NOT be identified on the first packet (i.e. the TCP SYN).
Consider the following example:
Let's assume we are making an HTTP connection (port 80) to a given website.
The first packet does not contain enough information to determine which of these rules will ultimately apply, because:
- No files have been transferred yet
- We don't know what website you are accessing until the HTTP Host header is seen
In this context, all three rules are potential matches.
Since at least one of them has an Accept action, we allow the traffic until we have enough to properly classify the connection.
If we do not receive enough information before the connection ultimately terminates (e.g. TCP FIN/FIN-ACK), you get the CPNotEnoughDataForRuleMatch message.
In your case, I'm guessing the first rule that "potentially matches" the relevant traffic does one of the following:
- Includes something that is NOT a TCP/UDP Service Object
- Has the tracking set to "Detailed" or "Extended" (these logs activate App Control)
- Uses Content Awareness (less likely, but possible)
Rules with these characteristics cannot be matched on the first packet.
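To make the sequence above concrete, here is a small Python model of the matching behaviour the answer describes: a rulebase walked in order, rules that can be decided on the SYN versus rules that stay "potential matches" until the Host header or a file transfer is seen, a provisional Accept while any potential match accepts, and the CPNotEnoughDataForRuleMatch outcome when the connection ends before the decision is final. This is an added illustration, not Check Point code and not part of the original post; the Rule and ConnState structures, the three-rule rulebase and the event stream are constructed for the example, and treating Detailed/Extended tracking as needing the Host header before the rule is final is an assumption made for the model.

```python
"""Model of first-packet vs. deferred rule matching (illustration only).

Written for this answer; not Check Point code.  The rule and connection
structures are invented to show the logic described in the post.
"""
from dataclasses import dataclass
from typing import Optional

ACCEPT, DROP = "Accept", "Drop"
UNDECIDED = None  # "could still match, but we have not seen enough traffic"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    ports: frozenset = frozenset()       # TCP/UDP service objects; empty means Any
    sites: frozenset = frozenset()       # URL/application match, needs the HTTP Host header
    file_types: frozenset = frozenset()  # Content Awareness, needs a file in the stream
    track: str = "Log"                   # "Log", "Detailed" or "Extended"

    def first_packet_matchable(self) -> bool:
        """Service-only rules with plain logging can be decided on the SYN."""
        return not (self.sites or self.file_types
                    or self.track in ("Detailed", "Extended"))


@dataclass
class ConnState:
    dport: int
    host: Optional[str] = None       # filled in once the Host header is seen
    file_type: Optional[str] = None  # filled in once a file transfer is seen


def match(rule: Rule, st: ConnState) -> Optional[bool]:
    """True = definite match, False = cannot match, UNDECIDED = need more data."""
    if rule.ports and st.dport not in rule.ports:
        return False
    if rule.sites:
        if st.host is None:
            return UNDECIDED
        if st.host not in rule.sites:
            return False
    if rule.file_types:
        if st.file_type is None:
            return UNDECIDED
        if st.file_type not in rule.file_types:
            return False
    if rule.track in ("Detailed", "Extended") and st.host is None:
        # Assumption for the model: Detailed/Extended tracking turns on App
        # Control, so the application must be identified before the rule is final.
        return UNDECIDED
    return True


def evaluate(rules, st):
    """Walk the rulebase in order and stop at the first definite match.

    Returns (status, rule, action):
      ("matched",  rule, rule.action)  one rule is now known to apply
      ("deferred", None, provisional)  earlier rules are still undecided; the
                                        provisional action is Accept if any
                                        potential match accepts, else Drop
      ("cleanup",  None, Drop)         nothing can match: implicit cleanup rule
    """
    candidates = []
    for r in rules:
        m = match(r, st)
        if m is False:
            continue
        candidates.append(r)
        if m is True:
            break
    if not candidates:
        return "cleanup", None, DROP
    if len(candidates) == 1 and match(candidates[0], st) is True:
        return "matched", candidates[0], candidates[0].action
    provisional = ACCEPT if any(r.action == ACCEPT for r in candidates) else DROP
    return "deferred", None, provisional


def simulate(rules, events):
    """Replay a connection and return the rule name that ends up in the log.

    events: ("SYN", dport) | ("HOST", hostname) | ("FILE", file_type) | ("FIN",)
    """
    st = None
    for ev in events:
        if ev[0] == "SYN":
            st = ConnState(dport=ev[1])
        elif ev[0] == "HOST":
            st.host = ev[1]
        elif ev[0] == "FILE":
            st.file_type = ev[1]
        status, rule, _ = evaluate(rules, st)
        if status == "matched":
            return rule.name  # decision is final; later packets do not change it
        if status == "cleanup":
            return "Cleanup rule"
        if ev[0] == "FIN":
            return "CPNotEnoughDataForRuleMatch"  # closed while still undecided
    return "connection still open"


# Constructed rulebase: three rules that could all apply to an HTTP connection
RULES = [
    Rule("Block bad site", DROP, ports=frozenset({80}), sites=frozenset({"blocked.example"})),
    Rule("Block exe downloads", DROP, ports=frozenset({80}), file_types=frozenset({"exe"})),
    Rule("Allow web", ACCEPT, ports=frozenset({80})),
]

if __name__ == "__main__":
    print(simulate(RULES, [("SYN", 80), ("HOST", "blocked.example"), ("FIN",)]))
    print(simulate(RULES, [("SYN", 80), ("HOST", "news.example"), ("FILE", "pdf"), ("FIN",)]))
    print(simulate(RULES, [("SYN", 80), ("FIN",)]))
```

On the SYN alone all three constructed rules are still candidates, so the connection is provisionally accepted because rule 3 accepts; a Host header that hits rule 1 makes the drop final, a Host header and a file that miss rules 1 and 2 make rule 3 the final match, and a connection that closes right after the handshake never resolves and is logged as CPNotEnoughDataForRuleMatch.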