If a URL category is included in a Decryption rule, the first time traffic to a website in that category reaches the firewall, the firewall does not skip decryption based on the SNI (Server Name Indication) in the Client Hello, even if that website is listed in the SSL Exclude Certificate settings.
The firewall still acts as a forward proxy for the connection and sends its own list of supported cipher suites to the server.
If the server accepts the Client Hello proposed by the firewall and responds with a Server Hello and Certificate, the firewall inspects the Common Name (CN) of the server certificate and compares it against the configured SSL Exclude Certificate settings. If it matches, the server address and TCP port are added to the exclude cache for the rule the session matched. This cache is consulted for subsequent connections with the same parameters, and those connections skip the proxy entirely.
If the server does not support the cipher suites sent by the firewall (which replace the ones the client proposed), the server may respond with a TLS alert or simply reset the connection with a TCP RST. Because no server certificate is received, the CN is never checked and the exclude cache is never populated, so each new connection to that server fails the same way.
If the firewall sends cipher suites the server does not support, the connection keeps failing even after the certificate has been added to the SSL Exclude Certificate settings. To resolve this, perform the following steps.
1. Under Objects > URL Category, click Add to create a custom URL category (for example, ExcludeSSLdecryption) and add the URLs that must not be decrypted to this category.
2. Under Policies > Decryption, create a No-Decrypt rule above the SSL decryption rule that decrypts the rest of the traffic, and set its URL Category to the newly created ExcludeSSLdecryption category. The No-Decrypt rule is evaluated before the firewall proxies the handshake, so traffic to those URLs bypasses decryption regardless of which cipher suites the server supports.
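The following Python model is an added example and is not Palo Alto Networks code; the rule names, cipher lists, hostnames, addresses and the hostname-to-category lookup are constructed for illustration. It models the two decision points described above: the SSL Exclude Certificate list is consulted only after the firewall, acting as forward proxy, has completed a handshake and seen the server certificate CN (so a server that rejects the firewall's cipher suites is never excluded), whereas a No-Decrypt rule matched on a custom URL category is evaluated before any proxy handshake takes place.

```python
from dataclasses import dataclass

# Cipher suites the firewall offers in the Client Hello it generates as
# forward proxy. Constructed list for illustration; the real list depends
# on the PAN-OS version and the decryption profile in use.
FIREWALL_CIPHERS = ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384")


@dataclass(frozen=True)
class Server:
    ip: str
    port: int
    cert_cn: str        # Common Name in the server certificate
    ciphers: tuple      # suites the server is willing to negotiate


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    dst_port: int
    sni: str            # SNI from the client's Client Hello


@dataclass(frozen=True)
class Rule:
    name: str
    action: str         # "decrypt" or "no-decrypt"
    url_categories: frozenset = frozenset()   # empty = match any category


class Firewall:
    """Simplified model of the decryption decision path (assumption, not PAN-OS code)."""

    def __init__(self, rules, ssl_exclusions, url_categories):
        self.rules = list(rules)                    # evaluated top to bottom
        self.ssl_exclusions = set(ssl_exclusions)   # CNs in SSL Exclude Certificate
        self.url_categories = dict(url_categories)  # hostname -> custom category
        self.exclude_cache = set()                  # (rule name, server ip, port)

    def _match_rule(self, flow):
        category = self.url_categories.get(flow.sni)
        for rule in self.rules:                     # first match wins
            if not rule.url_categories or category in rule.url_categories:
                return rule
        return None

    @staticmethod
    def _proxy_handshake(server):
        # The firewall's own cipher list replaces the client's; the server
        # picks a suite from it or rejects the handshake (alert / TCP RST).
        for suite in FIREWALL_CIPHERS:
            if suite in server.ciphers:
                return suite
        return None

    def handle(self, flow, server):
        rule = self._match_rule(flow)
        if rule is None or rule.action == "no-decrypt":
            return "NO_DECRYPT_RULE"    # decided on URL category, no proxy
        key = (rule.name, server.ip, server.port)
        if key in self.exclude_cache:
            return "CACHE_HIT"          # exclude cache: proxy skipped entirely
        if self._proxy_handshake(server) is None:
            return "HANDSHAKE_FAILURE"  # no certificate seen, nothing cached
        if server.cert_cn in self.ssl_exclusions:
            self.exclude_cache.add(key)
            return "EXCLUDED_CACHED"    # CN matched only after the handshake
        return "DECRYPTED"


def run_scenario():
    """Before/after the custom-category No-Decrypt rule; all data constructed."""
    modern = Server("203.0.113.10", 443, "modern.example", ("ECDHE-RSA-AES256-GCM-SHA384",))
    legacy = Server("203.0.113.20", 443, "legacy.example", ("AES128-SHA",))
    exclusions = {"modern.example", "legacy.example"}

    # Before: one decrypt rule, exclusion by certificate CN only.
    before = Firewall([Rule("decrypt-all", "decrypt")], exclusions, {})
    results = {
        "modern_first": before.handle(Flow("203.0.113.10", 443, "modern.example"), modern),
        "modern_second": before.handle(Flow("203.0.113.10", 443, "modern.example"), modern),
        "legacy_first": before.handle(Flow("203.0.113.20", 443, "legacy.example"), legacy),
        "legacy_retry": before.handle(Flow("203.0.113.20", 443, "legacy.example"), legacy),
    }

    # After: custom URL category plus a No-Decrypt rule above the decrypt rule.
    after = Firewall(
        [Rule("no-decrypt-excluded", "no-decrypt", frozenset({"ExcludeSSLdecryption"})),
         Rule("decrypt-all", "decrypt")],
        exclusions,
        {"legacy.example": "ExcludeSSLdecryption"},
    )
    results["legacy_fixed"] = after.handle(Flow("203.0.113.20", 443, "legacy.example"), legacy)
    results["modern_fixed"] = after.handle(Flow("203.0.113.10", 443, "modern.example"), modern)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name:14} {outcome}")
```

In the "before" run the legacy server fails on every attempt even though its CN is in the exclusion list, because the SNI is never consulted and the certificate that would trigger the exclusion never arrives. In the "after" run the same flow hits the No-Decrypt rule on its URL category before any handshake, while hosts outside the category still go through the CN-based exclusion path.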