Questions about Network-policies

I have a question about network-device-policies.
I have configured a private tunnel for
My application runs on → so I added an allow policy for dest-ip with the corresponding user and a block rule for with no user.
I also added a block rule for the whole network at the end of the ruleset.

Access to works and will be allowed - the log shows the policy-id and the action “allow”
Access to e.g. will be blocked - the log shows the policy-id and the action “allow”
And - this is actually my problem - access to is allowed, BUT the log will show the action allow but no policy-id for this rule

Does anyone have an idea?