SSLO make malfunction when configure SNI Block and IP intercept condition.

SSLO security policy rules are nested and evaluated top-down. So basically, like any firewall rule, once a match is made, no further rule processing is done.

It's also important to understand that some rule conditions require server-side validation. In this case, the URL category conditions require SSLO to reach out to the server to evaluate the server certificate. The Pinners rule includes a category lookup. If you have some traffic that would break becuase of this server side "look", for example when the server requires mutual TLS (mTLS) authentication, you need to move your layer 3 and layer 4 rules above any rules that do category lookup.