I read the KB. Let me try to expand on what is written.
Here are the general rules:
- Policies are applied in the following order: network/service/application.
- All applied policies of the same type are applied at the same time. For example, if we have 5 policies on the service level, all are activated and inspect at the same time.
- If a block is encountered, all inspection is stopped and the stream/connection is blocked. So if the block occurs at the network level, there will be no inspection done at the service or application level; if it is blocked at the service level, it never gets to the application level.
Exclusions:
If an exclusion is configured the inspection engine will evaluate exceptions first.
If the frame is not excluded based on the policy, inspection will resume.
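
The rules in the post above, modelled as an added example that is not part of the original post and is not the product's engine. The `Policy` structure, policy names and frames are hypothetical and constructed, and the model assumes an exclusion applies per policy rather than to the whole frame.

```python
from dataclasses import dataclass
from typing import Callable

LEVELS = ("network", "service", "application")  # order stated in the post

@dataclass
class Policy:  # hypothetical structure, not a vendor object model
    name: str
    level: str
    blocks: Callable[[dict], bool]
    excluded: Callable[[dict], bool] = lambda frame: False

def evaluate(frame, policies):
    """Return (verdict, trace); trace lists (level, policy, outcome)."""
    trace = []
    for level in LEVELS:
        blocked = False
        # Every policy at this level is evaluated before the level's verdict.
        for p in [p for p in policies if p.level == level]:
            if p.excluded(frame):  # exclusions are checked first
                trace.append((level, p.name, "excluded"))
                continue
            hit = p.blocks(frame)
            trace.append((level, p.name, "block" if hit else "pass"))
            blocked = blocked or hit
        if blocked:  # a block ends inspection; later levels never run
            return "block", trace
    return "allow", trace

def levels_reached(trace):
    return [lvl for lvl in LEVELS if any(t[0] == lvl for t in trace)]

# Constructed sample policies and frames (addresses from documentation ranges).
POLICIES = [
    Policy("deny-listed-source", "network", lambda f: f["src"] == "203.0.113.9"),
    Policy("no-telnet", "service", lambda f: f["port"] == 23,
           excluded=lambda f: f["src"] == "198.51.100.5"),
    Policy("no-ftp", "service", lambda f: f["port"] == 21),
    Policy("path-traversal", "application", lambda f: "../" in f["payload"]),
]
FRAMES = {
    "net-block": {"src": "203.0.113.9", "port": 23, "payload": "GET /../etc"},
    "svc-block": {"src": "192.0.2.7", "port": 23, "payload": "GET /../etc"},
    "excluded": {"src": "198.51.100.5", "port": 23, "payload": "login"},
}

if __name__ == "__main__":
    for name, frame in FRAMES.items():
        verdict, trace = evaluate(frame, POLICIES)
        print(name, verdict, levels_reached(trace), trace)
```

The trace makes a coverage gap visible: a frame blocked at the network level produces no service or application findings, and an excluded source is never inspected by the policy that carries the exclusion.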