Yeah, but how it normally works is it just decrypts, scans, then re-encrypts and passes it on. If I start digging that deep it takes up a crapload of storage space to log it all and that gets expensive fast. The basic logs are already at 60GB a month, adding those extra features can easily triple it, and the Ministry wants me to keep my logs for a year at a time to upload and submit to their usage pools so they can track metrics and usage to blah blah blah blah. So I only turn on in-depth logging if I get asked to track somebody specifically, or if I am finding too many flags coming from a specific account, and even then I need to get permission first (I don't like acting unilaterally even if I am the whole department). But yes, Palo Alto gives a lot of tools to keep people and data safe.

I assume that using the MITM proxy as you do in your company, you'd be able to see the unencrypted TCP/IP data through the HTTPS connection, then, if desired, take the time to piece together the HTML/JSON/JS bits and retrieve the data sent to a client workstation (unless your firewall can give you a direct preview)? That is pretty dang cool.
A side note from today's analysis is a lot of traffic poking around from Kazakhstan, which is weird AF; I wouldn't normally add them to the list of places to watch out for. It's all getting dropped, but it certainly made me do a double-take when I checked it over coffee this morning.