In every Security policy, the 1st layer must have its implicit "cleanup rule" set to "drop" and for the 2nd ordered layer the "implicit cleanup" rule must be set to "accept".
These are the defaults when creating policies & layers, Every layer has the "implicit cleanup rule" in its properties.
Implied rules you can modify implied_rules.def-file on the management-server.
Implied rules are "attached" during install policy, to the relevant context. The implied rules that are selected to appear "first", are added to the first ordered layer in the policy.
The implied rules that are selected to appear "before last" or "last", are added to all the layers.