How do the firewall rules work?

I'm evaluating Sophos XG Home and I can't understand how the packets are going through the rules.

In a fresh install (18.5.2) I added a few custom rules:

- first with source: LAN / networks - Any / Schedule - All the time, and destination: WAN / networks - *.DOMAIN_NAME / services - Any, everything else (web filtering, app control) disabled

- second with source: LAN / Any / All the time, and destination: WAN / Any / Any with settings "Match known users" and "Use web auth for unknown users"

To my understanding, all the traffic going to www.DOMAIN_NAME should be allowed by the first rule and any other traffic should be caught by the second rule and allowed after successful authentication by the user. Am I wrong? Because it is not working like that....

Looking at the log I see that traffic to www.DOMAIN_NAME is caught by the second rule even though I'm not logged in, and some packets are denied and a few seconds later allowed.. :(

Am I making a mistake in the configuration, or do I not understand how it works?

Greetings



  • What you're describing seems correct. So somehow you may be thinking you've done something that you haven't. Could you provide screen captures to show your firewall rules, the FQDN, etc? Obviously black out if any serial numbers or other sensitive information appear -- or crop the capture down.

  • another example:

    1. custom domain

    2. included in rule #7:

    3. notification from LogViewer - this IP is a host from 1e100.net domain:

  • The inconsistencies you have highlighted in the Log (accepted, denied within seconds) are both applications of Rule 9, so there could be other things going on there. And the success isn't routed to the WAN (no outgoing Port 2 and no NAT). Note that the application of Rule 7, in the third line, works and goes out to your gateway (Port 2) and is NAT'd, as you'd expect.

    I'll have to admit that the Log can be confusing to me. For example, note that the two highlighted entries do not have a destination Port. Which still confuses me, because I think we sometimes see the same packet coming in from the LAN -- with no destination port yet -- and then a separate entry where it's going out to the WAN.

    Your Destination Networks in Rule 7 look huge, and I imagine wildcards to thousands of hosts. It's possible that there's a bug when you have many FQDNs in a rule. Have you tried it simplified, with just TestSites?

    Also, you've double-checked that Rule 7, below where we can see, doesn't have any exceptions or matching of users? I'm pretty sure that the Security stuff that's below would register under Logs other than Firewall: IPS, etc. And the LAN and WAN zones are not modified and include only the ports and options that they do by default?

    Again, you really want to create minimal rules and test out one feature at a time. Don't do anything with Users until the rest of the rule is working. Don't have dozens of Destination networks until a single destination works.

    Also, do you have earlier rules that allow DNS and other utility packets to get out? If DNS can't get out, I'm not sure what happens to your wildcards. (The firewall won't see FQDNs; it's just looking at packets and has to do reverse lookups to go from IP addresses to FQDNs. (Or cache forward lookups, I guess.)) Can you do reverse lookups and get the correct results? (I.e. some of your destinations might not be set up correctly in DNS, so the FQDNs you think are matching aren't actually matching.) Also, is the appliance going to the same DNS as your computers?
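The point made in the answer above, that the firewall only ever sees packets and has to derive an FQDN from the destination IP (by reverse lookup or a cached forward lookup) before a wildcard host can match, is easy to reproduce offline. The following Python model is an added example, not code from the thread or from Sophos: it evaluates an ordered rule list top-down, first match wins, and feeds it the name the firewall would derive for each address. All resolver data is constructed (RFC 5737 addresses, `example.com` names), the rule numbers 7 and 9 are borrowed from the thread only as labels, and the glob-style wildcard matching via `fnmatchcase` is an assumption, not Sophos's documented matching logic.

```python
"""Model first-match firewall rule evaluation with FQDN destination hosts.

Added example with constructed data: resolver results are hard-coded dicts
so the script runs offline. Wildcard semantics are glob-style (an assumption,
not the appliance's documented behaviour).
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Optional


@dataclass
class Rule:
    rule_id: int
    src_zone: str
    dst_zone: str
    dst_hosts: list = field(default_factory=list)  # empty list means "Any"
    require_auth: bool = False                     # "use web auth for unknown users"


def fqdn_matches(fqdn: str, patterns: list) -> bool:
    """True if fqdn matches any pattern; an empty pattern list means Any.
    An empty fqdn (no PTR record) can only match Any."""
    if not patterns:
        return True
    name = fqdn.lower().rstrip(".")
    return any(fnmatchcase(name, p.lower()) for p in patterns)


def first_match(rules: list, src_zone: str, dst_zone: str, dst_fqdn: str) -> Optional[Rule]:
    """Rules are evaluated top-down; the first whose zones and destination match wins."""
    for rule in rules:
        if rule.src_zone != src_zone or rule.dst_zone != dst_zone:
            continue
        if fqdn_matches(dst_fqdn, rule.dst_hosts):
            return rule
    return None


def audit_destination(rules: list, forward: dict, reverse: dict, fqdn: str) -> list:
    """For every address the client would connect to when it resolves `fqdn`,
    report the name the firewall derives by reverse lookup, whether that name
    agrees with the name the user typed, and which rule it therefore hits."""
    findings = []
    for ip in forward.get(fqdn, []):
        ptr = reverse.get(ip, "")  # "" models a missing PTR record
        rule = first_match(rules, "LAN", "WAN", ptr)
        findings.append({
            "ip": ip,
            "ptr": ptr,
            "ptr_consistent": ptr.lower().rstrip(".") == fqdn.lower(),
            "rule_id": rule.rule_id if rule else None,
            "needs_auth": bool(rule and rule.require_auth),
        })
    return findings


# Constructed rule base mirroring the two-rule layout discussed in the thread.
RULES = [
    Rule(7, "LAN", "WAN", ["*.example.com"]),           # wildcard FQDN host, no auth
    Rule(9, "LAN", "WAN", [], require_auth=True),       # catch-all, web auth required
]

# Constructed resolver view: one hostname, three A records, two PTRs.
FORWARD = {"www.example.com": ["198.51.100.10", "198.51.100.11", "198.51.100.12"]}
REVERSE = {
    "198.51.100.10": "www.example.com",          # PTR agrees with the forward name
    "198.51.100.11": "edge-11.cdn.example.net",  # CDN-style PTR in another domain
    # 198.51.100.12 deliberately has no PTR record
}


def main() -> None:
    for f in audit_destination(RULES, FORWARD, REVERSE, "www.example.com"):
        print(f"{f['ip']:15} ptr={f['ptr'] or '<none>':28} "
              f"consistent={f['ptr_consistent']!s:5} rule={f['rule_id']} "
              f"auth={f['needs_auth']}")


if __name__ == "__main__":
    main()
```

Only the address whose PTR maps back to a name under `*.example.com` lands on rule 7; the CDN-style address and the address without a PTR both fall through to the catch-all and would require authentication, which is exactly the "caught by the second rule" symptom the original post describes. Running `dig -x` on the addresses the client actually connects to, from the same resolver the appliance uses, is the real-world equivalent of the `REVERSE` table here.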

