SSL decryption was turned on for one of the inside servers. Although it looks good, but some of the logs are rather strange.
There are sessions like these:
Basically Action - Allow, Rule is hitting correct one (the one permitting the traffic), but Type is Deny and Session End Reason is policy-deny. That looks false to me and it seems that traffic is permitted indeed. Can check more with captures, etc., but has anyone seen such an effect?