URL Filter Security Policy Structure

Hello all. New to PAN, and after reviewing the documentation on URL Filtering, I'm confused on the best practice deployment of the policy structure. Here's what I mean:

Let's say I want to break out the policies into multiple granular policies for cu

session_end_reason eq decrypt-error

I have a high number of sessions, for various webservers and clients, being closed due to decrypt-error. I've attempted to follow the tips from this document, but I'm still not clear on root cause: 

https://live.paloaltonetworks.com/t5/Configuration-A

Query regarding the default state of FPGA on PA-3060: What's the output of the command "debug dataplane fpga state" running on PAN-OS 9.1.7 or above?

Dear Community Members,

I hope someone will be able to help me out to confirm the default FPGA states on the PA-3060 appliance and supply some additional info on this matter?

As per the knowledgebase article (CAN THE CONTENT INSPECTION PERFORM ONLY I

Query regarding upgrade Path to 8.1.21-h1

I have a PA-500 device running on 8.1.20 currently .

From this version can we jump directly to 8.1.21-h1 Or we need to go via intermediate path ?(8.1.20 >8.1.21>8.1.21-h1)

Also not able to see any Palo Alto reference article about upgrade path , Is it