Step 1: Configure the HTTPS proxy-service as depicted below:
The main point to note here is that detect protocol is enabled, which is not the default for a TCP Tunnel service.
Step 2. Add a rule in Web-Access layer for the website to be bypassed:
The main points to note here are that the combined-source object for the website must include both its hostname and its IP address, as resolved from the client network which would be attempting to browse the website. In the depicted example, https://www.mozilla.org resolved to 18.104.22.168 on the test network.
The Action is a 'Disable SSL Detection' object, matching All Tunneled Traffic.
Step 3. Add an SSL Interception layer:
Here, SSL Interception has been enabled for all traffic.
Step 4. Blocking the URL category in an SSL Access Layer
Here, a server certificate category object has been added, for the content-filter category which the bypassed website belongs to (but which will otherwise be blocked).
Note also that the blocking action for the URL category must be Force Deny.
The above only deals with the specific use-case scenario where HTTPS variants of a URL category are to be blocked in policy, and some individual HTTPS URLs need to be exempted. If HTTP variants of the same content-filter category also need to be blocked, and HTTP variants of the same indidual URLs also need to be exempted, relevant policy layers and rules would need to be added to take this into account. Please refer to 000012492 for more details.