Beginning with PAN-OS 10.2.1, you can enable Wildcard Top Down Match Mode so that if a packet with an IP address matches prefixes in Security policy rules that have overlapping wildcard masks, the firewall chooses the first fully matching rule in top-down order (instead of choosing the matching rule with the longest prefix in a wildcard mask).
Wildcard Top Down Match Mode means more than one rule has the potential to be enforced on different packets (not just the rule with the longest matching prefix). Place your more specific rules toward the top of the list. For example, you can allow a smaller range of matching addresses (a longer wildcard mask) to access certain applications and, in a subsequent rule, allow a larger range of IP addresses (a shorter wildcard mask) to access a different (more generic) set of applications.
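The following simulation is an added example, not Palo Alto Networks code, and it is not how PAN-OS implements the lookup internally. It models the two selection modes described above over a constructed rule list so you can see why rule order matters once Wildcard Top Down Match Mode is on. It assumes the usual wildcard-mask semantics (a 0 bit in the mask must match the address, a 1 bit is "don't care") and treats "longest prefix" as the number of leading 0 bits in the wildcard mask; the rule names, addresses and applications are invented for the example. The `shadowed_rules` check is an extra the page does not describe: it flags a later rule whose address range is entirely covered by an earlier rule, which in top-down mode can never be hit.

```python
"""Simulate wildcard address matching in longest-prefix vs. top-down selection mode."""
from dataclasses import dataclass
from ipaddress import IPv4Address

MASK32 = 0xFFFFFFFF


@dataclass(frozen=True)
class Rule:
    name: str
    address: str      # base address, e.g. "10.1.10.0"
    wildcard: str     # wildcard mask: 0 bit = must match, 1 bit = don't care (assumed semantics)
    application: str  # application the rule allows (constructed value)

    @property
    def fixed_bits(self) -> int:
        # Bits of the address a packet must match exactly (the 0 bits of the wildcard mask).
        return ~int(IPv4Address(self.wildcard)) & MASK32

    @property
    def prefix_len(self) -> int:
        # Contiguous fixed prefix: number of leading 0 bits in the wildcard mask (assumption
        # for what "longest prefix" means; equals the CIDR length for a contiguous mask).
        w = int(IPv4Address(self.wildcard))
        n = 0
        for i in range(31, -1, -1):
            if (w >> i) & 1:
                break
            n += 1
        return n

    def matches(self, ip: str) -> bool:
        return (int(IPv4Address(ip)) & self.fixed_bits) == (int(IPv4Address(self.address)) & self.fixed_bits)


def select_rule(rules, ip, top_down_mode):
    """Return the rule enforced on a packet from `ip`, or None if no rule matches.

    top_down_mode=False: longest fixed prefix wins regardless of position (first one on ties).
    top_down_mode=True:  first fully matching rule in list order wins.
    """
    candidates = [r for r in rules if r.matches(ip)]
    if not candidates:
        return None
    if top_down_mode:
        return candidates[0]
    return max(candidates, key=lambda r: r.prefix_len)  # max() keeps the first maximal rule


def shadowed_rules(rules):
    """(later_rule, earlier_rule) pairs where the earlier rule covers every address of the later one.

    In top-down mode such a later rule is unreachable for address matching.
    """
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            # earlier fixes no bit that later leaves free, and they agree on all bits earlier fixes
            covers = (earlier.fixed_bits & ~later.fixed_bits & MASK32) == 0
            agree = (int(IPv4Address(earlier.address)) & earlier.fixed_bits) == (
                int(IPv4Address(later.address)) & earlier.fixed_bits
            )
            if covers and agree:
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample policy: the broad rule listed ABOVE the more specific one (the ordering
# the text warns against), and the corrected order with the specific rule on top.
MISORDERED = [
    Rule("allow-corp-web", "10.1.0.0", "0.0.255.255", "web-browsing"),  # shorter mask, /16 range
    Rule("allow-admin-ssh", "10.1.10.0", "0.0.0.255", "ssh"),           # longer mask, /24 range
]
CORRECT = list(reversed(MISORDERED))


if __name__ == "__main__":
    for label, rules in (("misordered", MISORDERED), ("corrected", CORRECT)):
        for mode in (False, True):
            hit = select_rule(rules, "10.1.10.5", top_down_mode=mode)
            print(f"{label:10} top_down={mode!s:5} 10.1.10.5 -> {hit.name} ({hit.application})")
        print(f"{label:10} shadowed: {shadowed_rules(rules)}")
```

With the longest-prefix behaviour, the admin subnet's rule wins for 10.1.10.5 whichever order the rules are in; with top-down selection the misordered list hands the same packet to the broad rule, which is exactly why the more specific rule must sit higher in the list. Running `shadowed_rules` over a rulebase before enabling the mode gives a quick list of rules whose position needs attention.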