<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Bug with Analyzer in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/bug-with-analyzer/m-p/5242735#M1118535</link>
    <description>&lt;P&gt;From what I can see in your screenshots it appears the shadowing rule is actually the #1 Allow-Standard-Outbound. Since it has "any" in the destination networks, Rule #2 and most subsequent rules will be shadowed.&lt;/P&gt;
&lt;P&gt;The policy analyzer is pretty new and I have found it can give misleading or downright incorrect results.&lt;/P&gt;</description>
    <pubDate>Thu, 02 Jan 2025 14:10:52 GMT</pubDate>
    <dc:creator>Marvin Rhoads</dc:creator>
    <dc:date>2025-01-02T14:10:52Z</dc:date>
    <item>
      <title>Bug with Analyzer</title>
      <link>https://community.cisco.com/t5/network-security/bug-with-analyzer/m-p/5242474#M1118514</link>
      <description>&lt;P&gt;So I am working on getting our Firepower for our company set up. So far I've got things set up for the most part. Now I am just getting connectivity over site-to-site and making sure I can access servers and services throughout. I was adding rules for our XDR and MDR to make sure they don't get blocked, and also the streaming service we use to access the desktops. However, when I was adding more rules the analyzer keeps saying that all my rules under are "Shadowing", saying that none of the rules are going to be hit because the preceding rule matches. However, I don't see how this is true.&lt;/P&gt;&lt;P&gt;The rule it's matching on is the Geo-Block rule. We as a company have no reason to access or use anything outside North America. So I have it hard blocking any geo locations seen below:&lt;/P&gt;&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot 2025-01-01 094257.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/236843iC1BF4AFBF80DBBD0/image-size/large?v=v2&amp;amp;px=999" role="button" title="Screenshot 2025-01-01 094257.png" alt="Screenshot 2025-01-01 094257.png" /&gt;&lt;/span&gt;&lt;/P&gt;&lt;P&gt;In the Geo-Block-All every country is selected but USA and Canada.&lt;/P&gt;&lt;P&gt;The analyzer says otherwise, saying that it matches the preceding rule. But what I notice in the Defense Orchestrator is that it shows any for the destination network?
So I don't know if this is the bug or I am doing something wrong?&lt;span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Screenshot 2025-01-01 094446.png" style="width: 999px;"&gt;&lt;img src="https://community.cisco.com/t5/image/serverpage/image-id/236844iE1AAC8EA73793C04/image-size/large?v=v2&amp;amp;px=999" role="button" title="Screenshot 2025-01-01 094446.png" alt="Screenshot 2025-01-01 094446.png" /&gt;&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 01 Jan 2025 14:45:45 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/bug-with-analyzer/m-p/5242474#M1118514</guid>
      <dc:creator>rtarson98</dc:creator>
      <dc:date>2025-01-01T14:45:45Z</dc:date>
    </item>
    <item>
      <title>Re: Bug with Analyzer</title>
      <link>https://community.cisco.com/t5/network-security/bug-with-analyzer/m-p/5242735#M1118535</link>
      <description>&lt;P&gt;From what I can see in your screenshots it appears the shadowing rule is actually the #1 Allow-Standard-Outbound. Since it has "any" in the destination networks, Rule #2 and most subsequent rules will be shadowed.&lt;/P&gt;
&lt;P&gt;The policy analyzer is pretty new and I have found it can give misleading or downright incorrect results.&lt;/P&gt;</description>
      <pubDate>Thu, 02 Jan 2025 14:10:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/bug-with-analyzer/m-p/5242735#M1118535</guid>
      <dc:creator>Marvin Rhoads</dc:creator>
      <dc:date>2025-01-02T14:10:52Z</dc:date>
    </item>
  </channel>
</rss>

