Rule matching questions
I have a question on policy matching. From the information on ...
...I understand that :
###
for an inline layer (sub-policy), if a packet matches the parent rule, the sub-policy is applied. Meaning there are 2 options within that policy:
1) a match is found in the sub-policy --> do the action from that matched sub-rule (drop or accept) -->
"no more rulebase checking is done"
2) no match is found --> the action from the explicit Cleanup rule is executed; if there's no explicit Cleanup, the implicit Cleanup rule is executed (could also be drop or accept) -->
"no more rulebase checking is done"
###
For inspection to continue to the next ordered layer, the action must be ACCEPT.
If the action is DROP, the firewall doesn't care about possible next ordered layers.
So now the questions:
1) But what if the action from an inline layer's explicit or implicit Cleanup is ACCEPT? What happens next (when other ordered layers are configured)? Does inspection of lower ordered layers still happen?
2) If you decide to use ordered layers, you'd better define an explicit or implicit Cleanup rule with Accept (if not, none of your next ordered layers will ever be checked), right?
Thanks.
1. Yes, inspection will continue
2. Depends on the needs
Regarding 1: thanks for your confirmation, Sir. So after any accept action (meaning either from a sub-policy rule with accept, or from the sub-policy Cleanup rule with an accept), if there's another ordered layer configured, does the inspection proceed to the next ordered layer ... or only if it hit a Cleanup with an Accept action?
Well, the action on the main rule is actually "inline layer", not accept.
The clean-up rule in the inline layer only applies to what's matched to the main rule.
Inspection for traffic that DOES NOT match the main rule always continues, regardless of the said inline layer clean-up rule settings.
You can take it as a sub-routine with initial conditions. If the conditions are not matched, you go to the next sub-routine.
OK, so the statement from the Check Point documentation mentioned in the topic start, "no more rulebase checking is done", actually means no more checking is done within that layer? And it also implies a next ordered layer is being checked against ..., correct?
Sorry for asking so thoroughly, but it's crucial info to understand 🙂
The statement is correct, regardless of inline layer logic, actually. If we can match the first packet to a drop rule, no further matching effort is done.
It is different for the accept action. You need to consider the logic of the Unified policy, which assumes that the rule match may not be fully done based on the first packet, and might require an application and/or content inspection decision, which requires the data flow to start.
OK, so to summarize:
Whenever there's a hit on a rule with a drop action, it's final.
Whenever there's an accept, the layers below are checked against also (if they contain a drop, it's over and out; if they contain an accept, it goes further down to the next ordered layers, etc.)
No, it is even more interesting for accept action 🙂
Imagine you have a layer with the main rule
Rule number | Source | Destination | Services and Applications | Content | Action | Track
1 | Internal Networks | Internet | Web Services | Any | Inline Layer |
1.1 | Any | Any | Gambling Category | Any | Drop |
1.2 | Any | Any | Any | Excel Files | Drop |
1.3 | Any | Any | Streaming Services | Any | Accept | Log and Accounting
1.4 | Any | Any | Any | Any | Accept | Log
Rule 1.4 is the cleanup for the section.
With the first packet, if we cannot guess at once whether it is 1.1 or 1.3 (depends on the application), all rules 1.1 to 1.4 will be conditionally matched. As at least one of them says "Accept", we let the traffic through, because we cannot make a final match on the first packet for most of it.
Now, when the data starts flowing, we can make a final match. If I am trying to upload an Excel file, it will be blocked by 1.2. If it is regular web, we will not change the final match, which is 1.4. If we suddenly detect a video service, we will re-match to 1.3.
Did I confuse you yet?
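The behaviour described in this reply and in the earlier "sub-routine" reply, as an added Python model. This is example code written for this page, not Check Point's matching engine and not any poster's code. It reproduces the table above as rule 1 with inline rules 1.1 to 1.4 and adds, as assumptions, an explicit Drop cleanup rule 2 in the ordered layer, a second ordered layer with a single Accept rule, an implicit-cleanup default of Drop, and the application/content categories on the flows. Port-based services are treated as decidable on the first packet, application and content fields as unknown until data flows; the "at least one candidate says Accept, let it through, re-match later" rule follows this reply literally, so the model does not settle the question raised at the end of the thread about a Drop cleanup sitting behind a possible match.

```python
# Added model (not Check Point code) of the matching the replies describe: ordered
# layers walked in turn, an inline layer as a sub-routine, and application/content
# fields still unknown on the first packet. Names and categories are constructed.
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"

@dataclass
class Layer:
    name: str
    rules: List["Rule"]
    implicit_cleanup: str = "Drop"  # assumption: verdict when nothing in the layer matches

@dataclass
class Rule:
    name: str
    src: str = ANY
    dst: str = ANY
    svc: str = ANY        # port-based service: decidable on the first packet
    app: str = ANY        # application category: needs data to classify
    content: str = ANY    # file type: needs data to classify
    action: object = "Accept"  # "Accept", "Drop" or an inline Layer

@dataclass
class Flow:
    src: str
    dst: str
    svc: str
    app: Optional[str] = None      # None: not classified yet
    content: Optional[str] = None  # None: not classified yet

def field_match(rule_value, flow_value):
    """True: definite match, False: definite mismatch, None: unknown until data flows."""
    if rule_value == ANY:
        return True
    return None if flow_value is None else rule_value == flow_value

def rule_match(rule, flow):
    results = [field_match(getattr(rule, f), getattr(flow, f))
               for f in ("src", "dst", "svc", "app", "content")]
    if False in results:
        return False
    return None if None in results else True

def match_layer(layer, flow):
    """Walk one layer top-down; return (verdict, rule names). "Possible" means the
    first definite match is shadowed by undecided rules above it; as the thread
    describes, such traffic is let through for now when a candidate says Accept."""
    pending = []  # rules that are neither a definite match nor a definite mismatch yet
    for rule in layer.rules:
        m = rule_match(rule, flow)
        if m is False:
            continue
        if m is None:
            pending.append(rule)
            continue
        if not pending:  # first definite match with nothing undecided above it
            if isinstance(rule.action, Layer):
                # sub-routine: the inline layer decides, and the parent layer is
                # not consulted again whatever the inline cleanup says
                return match_layer(rule.action, flow)
            return rule.action, rule.name
        candidates = pending + [rule]  # conditional match: any of these may win
        break
    else:
        candidates = pending  # no definite match at all
    if not candidates:
        return layer.implicit_cleanup, layer.name + ":implicit cleanup"
    names = "|".join(r.name for r in candidates)
    if all(r.action == "Drop" for r in candidates):
        return "Drop", names  # every possible outcome is a drop: nothing to wait for
    return "Possible", names

def evaluate(policy, flow):
    """Ordered layers: Drop is final; Accept (or a still-open Possible) moves on to
    the next ordered layer. Returns (verdict, per-layer trace)."""
    trace = []
    for layer in policy:
        verdict, names = match_layer(layer, flow)
        trace.append((layer.name, names, verdict))
        if verdict == "Drop":
            return "Drop", trace
    return ("Accept" if all(v == "Accept" for _, _, v in trace) else "Possible"), trace

# Constructed policy: the thread's table as rule 1 with inline rules 1.1-1.4, plus
# an explicit cleanup rule and a second ordered layer, both assumed.
WEB_INLINE = Layer("Inline 1", [
    Rule("1.1", app="Gambling Category", action="Drop"),
    Rule("1.2", content="Excel Files", action="Drop"),
    Rule("1.3", app="Streaming Services", action="Accept"),  # track: Log and Accounting
    Rule("1.4", action="Accept"),                            # cleanup of the section
])
NETWORK = Layer("Network", [
    Rule("1", src="Internal Networks", dst="Internet", svc="Web Services", action=WEB_INLINE),
    Rule("2", action="Drop"),  # explicit cleanup of the ordered layer (assumed)
])
POLICY = [NETWORK, Layer("Second ordered layer", [Rule("S1", action="Accept")])]

if __name__ == "__main__":
    web = ("Internal Networks", "Internet", "Web Services")
    for f in [Flow(*web), Flow(*web, "Web Browsing", "Web Page"), Flow(*web, "Web Browsing", "Excel Files"),
              Flow(*web, "Streaming Services", "Video"), Flow("Guest Network", "Internet", "Web Services")]:
        print(f.app, f.content, "->", evaluate(POLICY, f))
```

Running the block shows the first packet of a web flow as Possible across 1.1|1.2|1.3|1.4 (the data is let through so classification can happen), a plain web page settling on 1.4, an Excel upload dropped by 1.2 with the second ordered layer never consulted, a video flow re-matched to 1.3, and a flow that never matches rule 1 skipping the inline layer entirely and falling through to the ordered layer's own cleanup rule 2.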
That inline layer example actually makes perfect sense. When I mentioned 'the layers below', I had only ordered layers in mind. As you mentioned, for further analysis to be possible (after the first packet) there has to be an accept somewhere to continue the investigation. 🙂
Got it. Thx.
Depending on how your layered policy is built, the layered policy match may be different.
The order is:
- Anti-spoofing
- HTTPS Inspection
- Network Security, Application Control/URLF, Content Inspection (one line if they are used together; if layered, then after Network Security)
- IPS/Anti-Bot
- AVI
- Threat Extraction/Emulation
For anything below 3, action on the Network Security Rule should be Accept.
Thank you for your explanation. This helped.
I fully understand the matching and "possible match" scenarios. We have a client that has an inline layer and does use Application and URL filtering in this layer. It generally works well. Now that we created a viable inline layer, the client would like to change the cleanup rule to Drop from Accept. How will this impact the "possible match" scenario? My understanding is that there would be a possible match on 1.3 (example above) but the initial handshake would be 1.4 (accept). What if this is a drop; does the match drop the traffic even though there is a "possible match"? Does this type of behavior mean that you would never use Application and URL filtering in an Inline Layer if you wanted a Cleanup rule to be drop?
