What is a Shadow Rule?
When committing a configuration, a warning may appear that one rule "shadows" another rule.
Rule 'rule1' shadows 'rule2'
Configuration committed successfully
A shadow rule warning generally indicates a more broad rule matching the criteria is configured above a more specific rule.
See this example:
No traffic will ever match the second rule, which specifically allows web-browsing, because all applications have already been allowed by the first rule.
The shadow rule can also appear if there are unresolved FQDNs. If FQDN objects are configured make sure they are resolved from CLI by using this command:
>request system fqdn show