Is the policy matching rule evaluation listed somewhere? I read through the documentation, but can't find how it actually combines evaluations.
I presently have it set to an interface, with a VLAN specified, and then a specific subnet of IPs.
However, it seems to match all traffic on that VLAN, ignoring the specified IP subnet. I'd expect these to be evaluated with && not || - is that wrong?
FWIW - to answer my own question. This seems like it was somehow a bug caused by the 1.14 upgrade. I see now the documentation says it's explicitly an AND condition, which I didn't see before. I had to do a complete uninstall/reinstall of Zenarmor with 1.14 for other bugs, and suddenly the policies started matching correctly afterwards.