Resolve Issues with Shadowed Rules

This is how CDO displays the rules described in the "example" network policy above:

The rule on line 1 is marked with a shadow warning badge because it shadows another rule in the policy. The rule on line 2 is marked as shadowed by another rule in the policy. Its action is grayed out because the rule is entirely shadowed: every packet it would match is already matched by an earlier rule, so it can never be triggered. CDO tells you which rule in the policy shadows the rule on line 2.

The rule on line 3 can only be triggered some of the time. This is a partially shadowed rule. Because the policy is evaluated top-down and the first matching rule wins, traffic from any IPv4 address to an address in the range 10.10.10.2-10.10.10.50 never reaches this rule; it has already been denied by the first rule. However, traffic from any IPv4 address to an address in the range 10.10.10.51-10.10.10.100 is evaluated by the last rule and is permitted.

Caution

CDO does not apply a shadow warning badge to partially shadowed rules. You have to find those yourself by reviewing rules whose source and destination overlap with an earlier rule.
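Because CDO only badges fully shadowed rules, the following added example (not CDO's own algorithm, and not code from the original page) shows how to find both fully and partially shadowed rules in an ordered policy offline. The three-rule policy at the bottom is constructed to match the description above; the contents of the rule on line 2 are an assumption, since the page does not list them. The check is deliberately simple: a rule is reported as fully shadowed only when a single earlier rule covers all of its traffic, and as partially shadowed when an earlier rule overlaps it without covering it.

```python
"""Shadowed-rule analysis for an ordered IPv4 access policy.

Added example, not CDO's own logic. Rules are evaluated top-down and the
first match wins, so any traffic an earlier rule matches never reaches a
later rule, whatever the actions are. Simplification: full shadowing is
only reported when ONE earlier rule covers the whole later rule; coverage
by a combination of earlier rules is reported as partial.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    line: int
    src: str      # "any", a CIDR, or an inclusive "first-last" range
    dst: str
    action: str   # "permit" or "deny"


def to_intervals(spec: str) -> list[tuple[int, int]]:
    """Turn an IPv4 address spec into inclusive (lo, hi) integer intervals."""
    if spec == "any":
        return [(0, 2**32 - 1)]
    if "-" in spec:
        lo, hi = (int(ip_address(p.strip())) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"bad range: {spec}")
        return [(lo, hi)]
    net = ip_network(spec, strict=False)
    return [(int(net.network_address), int(net.broadcast_address))]


def merge(ivs: list[tuple[int, int]]) -> list[tuple[int, int]]:
    """Merge overlapping or adjacent intervals into a sorted disjoint list."""
    out: list[tuple[int, int]] = []
    for lo, hi in sorted(ivs):
        if out and lo <= out[-1][1] + 1:
            out[-1] = (out[-1][0], max(out[-1][1], hi))
        else:
            out.append((lo, hi))
    return out


def covers(a: list[tuple[int, int]], b: list[tuple[int, int]]) -> bool:
    """True if the union of intervals in a contains every interval in b."""
    a = merge(a)
    return all(any(alo <= blo and bhi <= ahi for alo, ahi in a) for blo, bhi in b)


def overlaps(a: list[tuple[int, int]], b: list[tuple[int, int]]) -> bool:
    """True if any interval in a shares at least one address with one in b."""
    return any(alo <= bhi and blo <= ahi for alo, ahi in a for blo, bhi in b)


def analyze(rules: list[Rule]) -> dict[int, tuple[str, int]]:
    """Map rule line -> ("shadowed" | "partial", line of the earlier rule)."""
    result: dict[int, tuple[str, int]] = {}
    for i, later in enumerate(rules):
        ls, ld = to_intervals(later.src), to_intervals(later.dst)
        for earlier in rules[:i]:
            es, ed = to_intervals(earlier.src), to_intervals(earlier.dst)
            if covers(es, ls) and covers(ed, ld):
                # Every packet the later rule matches hits the earlier rule first.
                result[later.line] = ("shadowed", earlier.line)
                break
            if overlaps(es, ls) and overlaps(ed, ld):
                # Some of the later rule's traffic is taken by the earlier rule;
                # keep the first overlapping rule, which is the one that matters.
                result.setdefault(later.line, ("partial", earlier.line))
    return result


# Constructed policy matching the page's description. Rule 2's addresses are
# an assumption; the page only says it is entirely shadowed by rule 1.
EXAMPLE_POLICY = [
    Rule(1, "any", "10.10.10.2-10.10.10.50", "deny"),
    Rule(2, "192.168.1.0/24", "10.10.10.10/32", "permit"),
    Rule(3, "any", "10.10.10.2-10.10.10.100", "permit"),
]


def report(rules: list[Rule]) -> list[str]:
    """Human-readable findings, one line per affected rule."""
    findings = analyze(rules)
    return [
        f"rule {line}: {kind} by rule {by}" + (" (no badge in CDO)" if kind == "partial" else "")
        for line, (kind, by) in sorted(findings.items())
    ]


if __name__ == "__main__":
    for line in report(EXAMPLE_POLICY):
        print(line)
```

Run against the constructed policy, `analyze` reports rule 2 as shadowed by rule 1 and rule 3 as partially shadowed by rule 1, which is exactly the case the Caution above warns you CDO will not badge. The address handling is IPv4 only; a policy with ports, protocols or IPv6 objects needs the same interval logic extended to those dimensions.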

Procedure

Step 1

Select the shadowed rule in the policy. In the example above, that means clicking on line 2.

Step 2

In the rule details pane, look for the Shadowed By area. In this example, the Shadowed By area for the rule in line 2 shows that it is being shadowed by the rule in line 1:

Step 3

Review the shadowing rule: is it broader than intended? Review the shadowed rule: is it still needed? Then either narrow the shadowing rule so that the shadowed rule can match, or delete the shadowed rule. Deleting a fully shadowed rule does not change what traffic the device permits or denies, because that rule never matched anything; narrowing the shadowing rule does change behavior, so confirm the traffic it stops matching should really be handled by the rules below it.

Note

By deleting shadowed rules, you reduce the number of access control entries (ACEs) on your ASA, which frees space for the creation of other rules and their ACEs. CDO calculates the number of ACEs derived from all the rules in a network policy and displays that total at the top of the network policy details pane. If any of the rules in the network policy are shadowed, it also lists how many.

CDO also displays the number of ACEs derived from a single rule in the network policy details pane. Here is an example of that listing:

Step 4

Determine which devices use the policy by looking in the Devices area of the network policy details pane.

Step 5

Open the Inventory page and Deploy Changes back to the devices affected by the policy change.