So one thing you would really want to verify here is whether the user is actually getting a firewall block page. If the firewall is generating a block page, then I would think that the decryption profile for the decryption policy would actually have the option checked, or something is misreading the configuration.
There are some browsers, Safari being the most prevalent I get reports for, that simply won't allow a user to bypass the certificate warning regardless of the traffic being decrypted.
I wouldn't expect to see a policy-deny as the session end reason for traffic that has been denied due to the decryption profile; that should end with SER 'decrypt-cert-validation', and the user should get the proper response page from the firewall unless you've disabled it.