diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
index 43af0cc7..5c138f31 100644
--- a/pkg/netpol/eval/check.go
+++ b/pkg/netpol/eval/check.go
@@ -618,9 +618,10 @@ func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool)
 			}
 		}
 	}
-	if res.IsEmpty() { // banp rules didn't capture xgress conn between src and dst, return system-default: allow-all
-		res.AllowedConns = common.MakeConnectionSet(true)
-		res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
-	}
+	// if banp rules didn't capture xgress conn between src and dst, return system-default: allow-all;
+	// if banp rule captured xgress conn, only DeniedConns should be impacted by banp rule,
+	// whenever AllowedConns should anyway be system-default: allow-all
+	res.AllowedConns = common.MakeConnectionSet(true)
+	res.AllowedConns.AddCommonImplyingRule(systemDefaultRule, isIngress)
 	return res, nil
 }
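Review bot: The now-unconditional `res.AllowedConns = common.MakeConnectionSet(true)` replaces whatever the BANP loop above had put in `res.AllowedConns`, so the allowed set overlaps `res.DeniedConns` whenever a BANP deny rule matched. That is only correct if every caller lets `DeniedConns` take precedence; a caller that reads `AllowedConns` alone would report BANP-denied traffic as allowed, which is the unsafe direction for a policy analyzer. The callers are outside this hunk, so please confirm this and state the invariant in the comment, e.g. `// AllowedConns deliberately overlaps DeniedConns; callers must apply DeniedConns first`. If the loop recorded implying rules for BANP allow rules, they are also discarded here and those connections would be attributed to `systemDefaultRule` instead; the function body starts outside the hunk, so this is inferred. A test with a BANP that both allows and denies traffic between the same peers would pin the intended result.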