Policy is configured to block traffic with source address 'CN,' yet policy never matches for traffic sourcing from CN region.
A custom object named 'CN' under Objects > Regions was created.
This causes the idmanager mapping to associate 'CN' with the custom region object instead of the predefined CN country address block.
To confirm association with custom region object, run the following command:
>debug device-server dump idmgr type vsys-region all
Type: 35 Last id: 1025
Reset the idmanager mapping for the region objects to clear this association, then run a force commit with the following commands:
To confirm that the old mapping is no longer there, run the following command again and make sure the region object no longer shows in the output.