Hi Mihai,
thanks for your reply.
Just to clarify:
My custom app is defined only with a single IP address (e.g. 192.168.1.1) – no ports, no domains, no overlapping entries, and no duplicates. It’s a super basic app definition.
My main question is specifically about the policy matching behavior when using “Any” as the destination in combination with this app (single IP only):
Why does the rule not hit when the destination is set to “Any”,
but works fine when the destination is set to the specific site where the IP belongs?
I understand your point about custom app overlaps, but that’s not the case here.
Is this behavior (not matching with “Any” destination + custom app using single internal IP) expected in Cato?
If yes, is there an explanation from the policy engine perspective why this is required?
Thanks!
Best
GiuD.Nica
