When you apply the policy it doesn't apply to existing cached connections (you have to wait for the cache to expire). Typically you can expect to wait 10 minutes from when you apply the policy to it coming into force. If it is a small environment it is sometimes easier to reboot the MX.