Shadowed Rules
A network policy with shadowed rules is one in which at least one rule in the policy will never trigger because a rule that precedes it prevents the packet from being evaluated by the shadowed rule.
For example, consider these network objects and network rules in the "example" network policy:
    object network 02-50
     range 10.10.10.2 10.10.10.50
    object network 02-100
     range 10.10.10.2 10.10.10.100
    access-list example extended deny ip any4 object 02-50
    access-list example extended permit ip host 10.10.10.35 object 02-50
    access-list example extended permit ip any4 object 02-100
No traffic is ever evaluated by this rule,

    access-list example extended permit ip host 10.10.10.35 object 02-50

because the previous rule,

    access-list example extended deny ip any4 object 02-50

already denies traffic from any IPv4 address (which includes host 10.10.10.35) to every address in the range 10.10.10.2 - 10.10.10.50, so no packet that the second rule could match ever reaches it.
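The check described above can be automated. The following is an added example written for this page, not code from the page or from any vendor tool: it parses the simplified ACL grammar shown here (operands `any`/`any4`, `host A.B.C.D` and `object NAME`, with `object network` ranges resolved from the same configuration; no ports, masks or object-groups, which are assumptions) and reports every rule whose source/destination box is completely covered by the union of the rules before it. It generalizes the page's single-rule case: a rule is also flagged when several earlier rules together cover it, and an earlier rule only counts as covering when its protocol is `ip` or the same as the later rule's.

```python
"""Shadowed-rule detection for an ordered IPv4 ACL (added example, not vendor code)."""
import ipaddress
from collections import namedtuple

# line: original config text; src/dst: inclusive (lo, hi) integer address ranges
Rule = namedtuple("Rule", "line action proto src dst")
ANY4 = (0, 2**32 - 1)


def _addr(text):
    return int(ipaddress.IPv4Address(text))


def parse_objects(lines):
    """Map 'object network NAME' blocks with 'range LO HI' or 'host A' to {NAME: (lo, hi)}."""
    objs, name = {}, None
    for line in lines:
        t = line.split()
        if t[:2] == ["object", "network"]:
            name = t[2]
        elif t[:1] == ["range"] and name:
            objs[name] = (_addr(t[1]), _addr(t[2]))
        elif t[:1] == ["host"] and name:
            objs[name] = (_addr(t[1]), _addr(t[1]))
    return objs


def _operand(tokens, i, objs):
    """Parse one address operand starting at tokens[i]; return ((lo, hi), next_index)."""
    tok = tokens[i]
    if tok in ("any", "any4"):
        return ANY4, i + 1
    if tok == "host":
        return (_addr(tokens[i + 1]),) * 2, i + 2
    if tok == "object":
        return objs[tokens[i + 1]], i + 2
    raise ValueError("unsupported operand: " + tok)  # assumption: only these forms


def parse_acl(lines, objs):
    """Parse 'access-list NAME extended ACTION PROTO SRC DST' lines, in order."""
    rules = []
    for line in lines:
        t = line.split()
        if t[:1] != ["access-list"]:
            continue
        action, proto = t[3], t[4]
        src, i = _operand(t, 5, objs)
        dst, _ = _operand(t, i, objs)
        rules.append(Rule(line.strip(), action, proto, src, dst))
    return rules


def _intervals_cover(intervals, lo, hi):
    """True if the union of the closed integer intervals covers every point of [lo, hi]."""
    cur = lo
    for a, b in sorted(intervals):
        if a > cur:
            return False          # gap before this interval starts
        if b >= cur:
            cur = b + 1
        if cur > hi:
            return True
    return cur > hi


def covered_by(target, earlier):
    """True if target's src x dst box lies entirely inside the union of the earlier boxes."""
    (slo, shi), (dlo, dhi) = target
    boxes = []
    for (a, b), (c, d) in earlier:            # clip each earlier box to the target box
        a, b, c, d = max(a, slo), min(b, shi), max(c, dlo), min(d, dhi)
        if a <= b and c <= d:
            boxes.append(((a, b), (c, d)))
    if not boxes:
        return False
    # Sweep the source axis: inside each elementary segment the set of covering
    # boxes is constant, so it suffices to test the destination coverage once per segment.
    cuts = {slo, shi + 1}
    for (a, b), _ in boxes:
        cuts.update((a, b + 1))
    cuts = sorted(cuts)
    for start in cuts[:-1]:
        dsts = [dst for (a, b), dst in boxes if a <= start <= b]
        if not _intervals_cover(dsts, dlo, dhi):
            return False
    return True


def find_shadowed(rules):
    """Return indices of rules that can never trigger, given the rules ordered before them."""
    shadowed = []
    for i, r in enumerate(rules):
        earlier = [(e.src, e.dst) for e in rules[:i] if e.proto in ("ip", r.proto)]
        if covered_by((r.src, r.dst), earlier):
            shadowed.append(i)
    return shadowed


def shadowed_lines(config_lines):
    """Convenience wrapper: config text lines in, shadowed access-list lines out."""
    rules = parse_acl(config_lines, parse_objects(config_lines))
    return [rules[i].line for i in find_shadowed(rules)]


# Constructed input: the "example" policy from the text above.
EXAMPLE_CONFIG = """\
object network 02-50
 range 10.10.10.2 10.10.10.50
object network 02-100
 range 10.10.10.2 10.10.10.100
access-list example extended deny ip any4 object 02-50
access-list example extended permit ip host 10.10.10.35 object 02-50
access-list example extended permit ip any4 object 02-100
""".splitlines()

if __name__ == "__main__":
    for line in shadowed_lines(EXAMPLE_CONFIG):
        print("shadowed:", line)
```

Run against the example policy it reports only the `permit ip host 10.10.10.35 object 02-50` line; the final `permit ip any4 object 02-100` rule is not flagged because destinations 10.10.10.51 - 10.10.10.100 are still reachable through it. Note that the check only asks whether a rule can ever match, not whether it is redundant: a later `deny` fully covered by an earlier `deny` is reported too, since removing it changes nothing.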