SSL decryption policies are applied right after traffic is steered to Netskope. By default, all traffic steered to Netskope will be decrypted, then further analyzed via Real-time Protection policies. In addition, all policies are disabled and you must enable them from the list view.
If there is any traffic that you would like to leave encrypted, such as anonymous guest traffic and private financial / medical traffic, you can specify them in a SSL Decryption policy. Note that traffic left encrypted will not be further analyzed by Netskope.