Sophos Firewall web proxy and DPI modes perform certificate validation when decrypting HTTPS. DPI mode with Maximum Compatibility disables all certificate checks, which means a user could access an insecure site but think it is secure.
Sophos Firewall 19.0 introduced a new feature called FCI (Forward Certificate Invalidity) which changes the behavior of Maximum Compatibility when visiting insecure sites. The HTTPS decryption will be done with a special "Sophos SSL Untrusted CA" that will deliberately cause browsers to display a warning.
The most common reason for an FCI warning is missing Intermediate certificates.
Read this KB about blocking missing intermediate certificates, FCI warnings, and how to install the certificates to resolve the error.support.sophos.com/.../KB-000044776