HTTPS Bypass (with Site Category) not working for Servers with Self-Signed Certificate
To match HTTPS bypass against a URL or category, the system needs to extract it from encrypted data. This is why the first connection is Inspected.
If there is nothing in Site Category, then traffic can be matched on SYN packet, or the connection to the site destination object, without doing Inspection. This is normal behavior.
When a Site Category is defined, it forces the connection to be Decrypted because the system must see the URL in order to categorize it, or to decide if it matches a custom application.
You can not use a Site Category for an internal website or server that has no valid certificate, or that is signed by an internal certificate authority.