Yes, thank you for the pic. Could you please also put some light on this? 

It depends. You asked about the order of different blade enforcement.

When the packet comes to your GW, it is being inspected before forwarding. The first action is anti-spoofing. Then, and even before it is filtered through the security policy, TLS inspection policy is applied, if the feature is enabled on your GW.

The next step is your Security policy in combination with Application Control, URL filtering, and Content Inspection if they are used. If the result is Accept action, the next step is Threat Prevention: AV, IPS, and anything else you have in your Threat Prevention Policy.

The whole logic is linear, without loops.

@_Val_ Thanks for the details. 
For me it is not so much clear because, as of Order of OSI layer, TLS inspection should be done at L4 and L1 (because of TCP and HTTPS). I thought that it could be Linear, first Source and Destination and then Port and then application. I am kinda not getting into details. Where can i find resource which tells me exact behavior step by step? thanks. 

Two noteworthy items are missing from that diagram: VPN decisions (like flagging a packet for encryption to a given VPN peer) and NAT.

My memory is VPN decisions are made between antispoofing and HTTPS inspection. This is before any address translation can happen, and it affects which addresses you need to include in a firewall's encryption domain.

NAT rule matching is done with the firewall policy matching, but decisions aren't actually applied until later (after the Threat Emulation/Extraction part of this diagram). All rules should be written based on how the traffic will look when it arrives at the firewall.

The question was, in which order the policies are being enforced. 

VPN description is happening on inbound before FW filtering, but the decision to do VPN is also part of FW filtering, together with NAT.

I keep saying that it is pointless trying to put everything in a single diagram.  If the question is, in which order policy is applied, the answer is above. If you want to how a connection can be modified (decrypted/NAT-ed/encrypted) as part of the traffic handling by your security gateway, it is a completely different story, much deeper, with a lot of information you need to know before you understand the answer. 

Sure, but generally people ask what order things happen in because they want to know something deeper like how rules should be written. The details of VPN domain matching and NAT affect how VPN domains and rules are written, so they are often relevant for the question behind the question.