Customer has defined an App Segment (RDP Access) as a subnet (172.21.0.0/24) for RDP traffic (tcp port 3389). The app segment allows ICMP. There is an access policy allowing users access to this app segment.
One of the servers in that subnet also hosts another service, for example, on port 4000. User creates an app segment for that server (172.21.0.7) and that port (tcp port 4000). The app segment allows ICMP. There is no access policy allowing access to this app segment yet.
Also, there is no discovery/allow all access policy.
As soon as that server specific app segment was created, new connections to 172.21.0.7 via RDP are unsuccessful. They no longer match the RDP Access app segment.
For some reason, the host-specific App Segment, for an app listening on a totally different port, is bypassing the App Segment that should be matching.
A more specific App Segment/Access Policy defined on the same port being bypassed makes sense. This does not. Hosts can offer multiple applications and need different App Segments assigned.
Is this a bug or have I missed some logic somewhere?
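As an added illustration (not the vendor's matching code and not part of the original post), the following Python models the two matching orders at issue: "most specific address wins, then the port must fit" (which reproduces the observed failure) versus "address and port evaluated together" (the behaviour the poster expects). It also includes a small check that flags a narrower segment whose ports do not overlap a broader segment containing it, which is the configuration pattern that triggers the problem. The segment list and the ordering rules are constructed assumptions for the model.

```python
import ipaddress

# Constructed segments reproducing the post's setup (not vendor data).
SEGMENTS = [
    {"name": "RDP Access", "network": "172.21.0.0/24", "ports": {3389}},
    {"name": "Server 4000", "network": "172.21.0.7/32", "ports": {4000}},
]


def _net(segment):
    return ipaddress.ip_network(segment["network"])


def address_matches(segment, ip):
    return ipaddress.ip_address(ip) in _net(segment)


def match_address_first(segments, ip, port):
    """Assumed observed order: pick the most specific address match,
    then require the port to be in that one segment; otherwise no match."""
    candidates = [s for s in segments if address_matches(s, ip)]
    if not candidates:
        return None
    best = max(candidates, key=lambda s: _net(s).prefixlen)
    return best["name"] if port in best["ports"] else None


def match_address_and_port(segments, ip, port):
    """Expected order: only segments matching both address and port compete,
    and the most specific of those wins."""
    candidates = [s for s in segments
                  if address_matches(s, ip) and port in s["ports"]]
    if not candidates:
        return None
    return max(candidates, key=lambda s: _net(s).prefixlen)["name"]


def find_shadowing(segments):
    """Config check: return (narrower, broader) name pairs where the narrower
    segment's addresses sit inside the broader one but the port sets are
    disjoint, i.e. the layout that hides the broader segment's service."""
    pairs = []
    for narrow in segments:
        for broad in segments:
            if narrow is broad or not _net(narrow).subnet_of(_net(broad)):
                continue
            if _net(narrow).prefixlen > _net(broad).prefixlen \
                    and not (narrow["ports"] & broad["ports"]):
                pairs.append((narrow["name"], broad["name"]))
    return pairs
```

Running the check over the constructed segments reports the ("Server 4000", "RDP Access") pair, and the address-first matcher returns no segment for RDP to 172.21.0.7 while the combined matcher returns "RDP Access".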