Normally, the access control policy determines whether network connections are allowed or blocked. However, if you enable the SSL decryption policy, encrypted connections are first sent through the SSL decryption policy to determine whether they should be decrypted or blocked. Any connections that are not blocked, whether decrypted or not, then go through the access control policy for a final allow/block decision.
Note: You must enable the SSL decryption policy in order to implement active authentication rules in the identity policy. If you enable SSL decryption to enable identity policies but do not otherwise want to implement SSL decryption, select Do Not Decrypt for the default action on the SSL Decryption page and do not create additional SSL decryption rules. The identity policy automatically generates whatever rules it needs.
The following topics explain encrypted traffic flow management and decryption in more detail.