Knowledge Base Article
Working with a number of customers on this topic, I've been asked if the SafeTLS policy can be used to add rules to an existing TLS inspection policy, and the answer is very much yes. If you're a customer that has not started your TLS inspection journey, then the approach above will give you a great starting point to build on.
If, however, you are a customer that has started with TLS inspection, but maybe your TLS inspection report is highlighting that there is room for improvement, then why not run the TLS Wizard and add to what you already have in place? Remember, you can always add source users or groups to the suggested rules if you want to test with a smaller subset of users first.
Another tip I've used with customers is to analyse the Events section under the "home" tab to get a sense of the percentage of TLS transactions that are inspected (represented as a 1 below) and bypassed (represented as a 0 below). You can also see the TLS rule names that are most commonly hit, which will highlight potential problems such as rule-ordering issues.