05-13-2025 11:03 AM
@CPATT -- So yeah it's definitely a decryption problem, like you mentioned. You've already shown that this traffic should be matching a global decryption exclusion. One thing I'd be curious about: is the URL that was seen in the URL logs the same as what's in the exclusion?
From your screenshot there are a couple of things going on that might be worth investigating. First, why is the firewall trying to decrypt it? You'd need to confirm the URL on the exclusion matches the traffic. If it does, that might need to be a TAC ticket. You can also try adding the URL to your own "no decrypt" rule and see if that solves your issue. The cert also shows untrusted. Palo has created a nice little easter egg in their decryption process. The firewall needs to have the root and intermediate cert authorities on the firewall in order to successfully decrypt SSL traffic. The fact that the error is saying the cert is untrusted, to me, means the firewall doesn't have this cert's full chain, hence why it's throwing the error. This error shouldn't be happening though.
You have 2 options: manually add it to a no decrypt and see if it solves your issue. If it does, move on? Or if it doesn't, or you want further answers, you'll need a support case. You could also try making sure the full cert chain (Root & Intermediate) is loaded on the firewall and see if that solves the issue?