Just to be abundantly clear, the only time that traffic is automatically decrypted by the firewall is if the traffic terminates on the firewall. So in the example of a GlobalProtect Portal/Gateway, that traffic will be decrypted automatically without anything being configured by you as the admin.
In the event that you have a device setup in your WAN/untrust zone outside of the above examples, it won't be automatically decrypted by the firewall unless you setup a decryption policy. For example if I hand a VPN concentrator off of a firewall and just place it in a WAN/untrust zone, the firewall won't automatically start decrypting that traffic.
That might add a bit of confusion as this isn't a common deployment that folks do, but it's important to have that distinction present.
... View more