diff --git a/go/firewallsso/base.go b/go/firewallsso/base.go
index 20f10ea4db49..ecd6dcd9baab 100644
--- a/go/firewallsso/base.go
+++ b/go/firewallsso/base.go
@@ -263,7 +263,7 @@ func ExecuteStart(ctx context.Context, fw FirewallSSOInt, info map[string]string
 if !fw.CheckStatus(ctx, info) {
 return false, nil
 }
- log.LoggerWContext(ctx).Info("Processing SSO Start")
+
 if !fw.MatchesRole(ctx, info) {
 log.LoggerWContext(ctx).Debug(fmt.Sprintf("Not sending SSO for user device %s since it doesn't match the role", info["role"]))
 return false, nil
@@ -273,7 +273,7 @@ func ExecuteStart(ctx context.Context, fw FirewallSSOInt, info map[string]string
 log.LoggerWContext(ctx).Debug(fmt.Sprintf("Not sending SSO for IP %s since it doesn't match any configured network", info["ip"]))
 return false, nil
 }
-
+ log.LoggerWContext(ctx).Info("Processing SSO Start")
 // We change the username with the way it is expected given the format of this firewall
 info["username"] = fw.FormatUsername(ctx, info)
@@ -291,13 +291,12 @@ func ExecuteStart(ctx context.Context, fw FirewallSSOInt, info map[string]string
 // Makes sure to call FirewallSSO.Start and to validate the network if necessary
 func ExecuteStop(ctx context.Context, fw FirewallSSOInt, info map[string]string) (bool, error) {
 ctx = log.AddToLogContext(ctx, "firewall-id", fw.GetFirewallSSO(ctx).PfconfigHashNS)
- log.LoggerWContext(ctx).Info("Processing SSO Stop")
 if !fw.MatchesNetwork(ctx, info) {
 log.LoggerWContext(ctx).Debug(fmt.Sprintf("Not sending SSO for IP %s since it doesn't match any configured network", info["ip"]))
 return false, nil
 }
-
+ log.LoggerWContext(ctx).Info("Processing SSO Stop")
 // We change the username with the way it is expected given the format of this firewall
 info["username"] = fw.FormatUsername(ctx, info)
diff --git a/lib/pfconfig/namespaces/config/Firewall_SSO.pm b/lib/pfconfig/namespaces/config/Firewall_SSO.pm
index eded14f6cfa4..9128d13c6749 100644
--- a/lib/pfconfig/namespaces/config/Firewall_SSO.pm
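Review bot: In go/firewallsso/base.go the relocated `Processing SSO Start` and `Processing SSO Stop` Info lines are now the only Info-level record that an update is about to be pushed to the firewall, yet they name neither the IP nor the user, and the skip paths above them log only at Debug. As far as these hunks show, the log context carries just `firewall-id`, so at a production log level an operator cannot tell which session was sent and sees no trace of the requests filtered out by role or network. Consider `log.LoggerWContext(ctx).Info(fmt.Sprintf("Processing SSO Start for IP %q", info["ip"]))` in the second hunk and the same for Stop in the third; `%q` keeps a malformed value from breaking the log line. ExecuteStart and ExecuteStop both continue outside the hunks.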
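Review bot: The doc comment kept as context above ExecuteStop in the third hunk of go/firewallsso/base.go still says `FirewallSSO.Start`, and in the lines visible here ExecuteStop validates only the network, with no `CheckStatus` or `MatchesRole` call like the ones ExecuteStart makes. If that asymmetry is intended (presumably a stop should be sent whatever the device's current role is), the comment should record it: `// Makes sure to call FirewallSSO.Stop and to validate the network if necessary; unlike ExecuteStart, the role is not checked`. The function body continues past the end of the hunk, so this is based only on its opening lines.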
+++ b/lib/pfconfig/namespaces/config/Firewall_SSO.pm
@@ -18,7 +18,6 @@ use strict;
 use warnings;
 use pfconfig::namespaces::config;
-use pfconfig::objects::NetAddr::IP;
 use pf::file_paths qw($firewall_sso_config_file);
 use base 'pfconfig::namespaces::config';
@@ -34,7 +33,7 @@ sub build_child {
 my %tmp_cfg = %{ $self->{cfg} };
 while ( my ($key, $item) = each %tmp_cfg ) {
 $self->cleanup_after_read( $key, $item);
- $item->{networks} = [map { pfconfig::objects::NetAddr::IP->new($_) // () } @{$item->{networks}}];
+ $item->{networks} = [map { { cidr => $_ } } @{$item->{networks}}];
 }
 $self->roleReverseLookup(\%tmp_cfg, 'firewall_sso', qw(categories));
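Review bot: The new `map` in build_child passes every configured network through as a raw string, where the replaced line dropped entries that `pfconfig::objects::NetAddr::IP->new` could not parse (`// ()`). Whether a malformed CIDR now makes the network match fail closed or open depends on the consumer of `cidr`, which is not part of this diff, so that parsing and its error path deserve a check; a comment here would record the contract: `# networks are passed unparsed; the consumer must reject malformed CIDRs`. The inner braces also rely on Perl's block-versus-hash guess, and `map { +{ cidr => $_ } }` makes the hash constructor explicit. build_child starts before the hunk and appears to continue after it.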