Hi
Please do not confuse firewall and IDP policies. In IDP, even if traffic matches a rule
(and even if action is drop), it goes further.
See the reference given above, "When traffic matches multiple rules, the
most severe IP action of all matched rules is applied." This is written about IP actions
but the same is true about usual IDP actions. It processes all rules and then
takes the most severe action.
Only if the rule is set to "terminal", IDP processing will stop on it (if src-dst-app match).