Questions about Network-policies

Hello,
I got a question about network-devive-policies.
I Have configured a private tunnel for 192.168.4.0/24.
My Application runs on 192.168.4.4 → so i added a allow policy for dest-ip 192.168.4.4 with the according user an a block rule for 192.168.4.4 with no user.
I Also added a block rule for the whole network at the end of the ruleset.

Now:
access to 192.168.4.4 works and will be allowed - log show the policy-id and the action “allow”
access to e.g. 192.168.4.200 will be blocked - log show the policy-id and the action “allow”
and - this is actually my problem- access to 192.168.4.1 is allowed BUT the log will show the action allow but no policy-id for this rule

Does anyone has an idea?

Regards