As I thought the other document explained, this is expected behavior.  You must distribute the UTM root certificate to your client devices to fix the problem.

To display a block message, UTM must impersonate the destination server.  For HTTP sites, this can be done because HTTP does not validate the responding system.   When the site is HTTPS, UTM has to get past the server authentication test before it can display the block message.  If the root certificate is on the client desktop, the block message displays.   If not, the browser displays a warning.   Most browsers give you the option to proceed anyway.  I believe that Edge will not allow you to proceed past the warning.

Firefox is difficult because it does not use the system certificate store, but uses a per-user store instead.   At one point I thought they were going to change this, but I don't use Firefox anymore so I do not know if it was ever done.

If you are having certificate warnings on allowed sites, the problem is different.   IF you have decrypt-and-scan enabled, some connections will fail because UTM and the remote site cannot negotiate a shared ciphersuite.   The workaround is to bypass https inspection for any such sites.

You may benefit from reading the other material in the WiKi section, and the "Web Filtering Lessons Learned" document which is pinned to the top of the webfiltering forum.   This part of the product works extremely well.  I don't understand what other information you need. 

As I thought the other document explained, this is expected behavior.  You must distribute the UTM root certificate to your client devices to fix the problem.

To display a block message, UTM must impersonate the destination server.  For HTTP sites, this can be done because HTTP does not validate the responding system.   When the site is HTTPS, UTM has to get past the server authentication test before it can display the block message.  If the root certificate is on the client desktop, the block message displays.   If not, the browser displays a warning.   Most browsers give you the option to proceed anyway.  I believe that Edge will not allow you to proceed past the warning.

Firefox is difficult because it does not use the system certificate store, but uses a per-user store instead.   At one point I thought they were going to change this, but I don't use Firefox anymore so I do not know if it was ever done.

If you are having certificate warnings on allowed sites, the problem is different.   IF you have decrypt-and-scan enabled, some connections will fail because UTM and the remote site cannot negotiate a shared ciphersuite.   The workaround is to bypass https inspection for any such sites.

You may benefit from reading the other material in the WiKi section, and the "Web Filtering Lessons Learned" document which is pinned to the top of the webfiltering forum.   This part of the product works extremely well.  I don't understand what other information you need.