Zscaler Internet Access (ZIA) policies, including SSL Inspection, are evaluated using a top-down, first-match logic. The policy engine processes rules in their listed order, starting from rule number 1. When a traffic flow matches the criteria of a rule, that rule's action is applied, and the evaluation process stops for that flow; no subsequent rules are considered. To create an exception, the more specific rule (e.g., bypassing a specific URL category) must be placed at a higher order than the more general, catch-all rule (e.g., "inspect all"). This ensures the exception is processed first.

A. The policies are compatible and designed to be used together to create granular control by defining exceptions to general rules.

C. Placing the generic "inspect all" rule first would cause it to match all traffic, so the more specific exception rule would never be evaluated.

D. Policy order is critical in Zscaler's first-match evaluation logic; only the first matching policy is applied, not all of them.

1. Zscaler Help Portal

"Configuring SSL Inspection Policy": "The ZIA Admin Portal enforces policy rule order. The service evaluates rules in ascending order

from 1 to n... As soon as the service finds a policy rule that matches the traffic

it applies that rule and stops processing any other rules." This document explicitly details the first-match

top-down processing order.

2. Zscaler Help Portal

"Recommended SSL Inspection Policy": Under the section "Creating the SSL Inspection Rule

" the best practice states: "Zscaler recommends that you create SSL inspection rules for traffic that you want to exempt from inspection first. Then

create a final rule that inspects all other traffic." This directly validates placing the exception (bypass) rule before the general (inspect all) rule.