Suggestions for how to enable SSL decryption to enable additional protection

Hello, 

I would like to enable SSL decryption and I am hoping to have this rolled out before July.

There is a mix of all kinds of devices: I think I handle certificate installation on most devices. I know I won't be able to do that on some devices like say a PlayStation 5. 

What would be the recommended way to exclude some devices?

Is everyone else just creating an additional firewall rule at the top for source from LAN, creating a group of MAC addresses that will be the "source network and devices", and routing that to the internet without any SSL decryption?

I was just wondering how I would handle friends or guests who come over and connect to the WiFi. Although I have a Sophos Firewall XG116, I do not own a Sophos Access Point. Otherwise I would just create an additional SSID for guests. 

I am sorry if all of this seems silly but this is a home environment, I got a firewall to train and learn at home. I would rather enrage my household than a customer. However, even in a work or customer site, there will be situations that will have odd devices that don't have a certificate store and I will not be able to install. 

General Network is: 

Cable Modem > Sophos Firewall > L2 switches and TP Link Access Points > [Smart Speakers, Smart TVs, Consoles, VMs, Windows PC, Apple Devices]

Also, is the recommended location for certificate installation Trusted CA, or can I do Trusted Third Party?

  • The key things to think about...

    1. You only get TLS decryption (and hence inspection) if you have a rule in the TLS rules that causes a decryption to occur. If control falls off the end of the TLS inspection rules (due to not finding a match) no inspection occurs. So you can have a lower rule that causes everything to be inspected and then have exceptions above, or you can have rules that cause inspection only in specific cases. This may seem to be counter-intuitive to the way falling off the end of the Firewall rules works, but it is consistent if you think about it: falling off the end of the Firewall rules means you haven't gotten permission to flow where you want, so you don't flow, while falling off the end of the TLS rules says you haven't gotten "permission" to be decrypted so you don't get decrypted.

    2. You'll want to set up DHCP static addresses for the devices that you want to single out (either for inspection or exemption from inspection). Lately, I've been then setting up these devices (with static IP addresses) as Clientless users, which gives each one a name and you can do some displays more conveniently by User than trying to remember IP addresses. (And can use Users in rules.)

    3. Do your TP Link AP's not support multiple SSIDs so you can set up VLANs? Sophos brand APs can be managed directly from the firewall -- or better from Sophos Central -- but you don't need Sophos APs to have the Sophos work with VLANs. In fact, if you do have Sophos APs and use Sophos Central, you end up setting up VLANs (Guest, etc) on the AP from Sophos Central and then going into the firewall and also setting up the same VLANs and put the VLANs into an appropriate Zone and go from there.

    4. Not familiar with the directory structure you show. The bottom line is you want to have the firewall's CA certificate installed on your devices. For example, email the certificate to your iPhone and tap it in the iPhone's email and it will prompt you to install it on the iPhone or HomePod, AppleTV, etc. You also have to -- on the iPhone -- click a switch to set it to trust the CA certificate after it's installed. Just installing it doesn't do the trick.

    5. [Added point] So in the end, set up my AppleTV as a Clientless User and exempt it from TLS decryption and add a User-based Traffic Shaping to it to guarantee bandwidth. (I have very few apps on the AppleTV, and certainly no no-name apps that might not have some level of trust.) Traffic shaping is a little confusing: you set up the parameters in one set of tabs, but have to do specific things on Firewall rules to actually have them take effect -- and each kind of Traffic Shaping (application, user, rule) has different Traffic Shaping policies and different ways of enabling them.

    6. You will get extra protection. However, you will also then encounter weird things where certain websites won't work. Whenever you have issues, like your AppleTV doesn't play Amazon Prime videos or whatever, you need to look at the TLS logs and see what server's being TLS decrypted that breaks things. Other sites can include banks, etc. There's an exception list under Web > URL Groups > Local TLS exceptions (or did I make that one?) where you can add sites that break.

    Also, you may be disappointed at what percentage of the TLS traffic is actually decrypted. Lots of TLS traffic is in the managed exception list and doesn't get decrypted. For example, all Apple sites risk breaking if decrypted. So you need to look at TLS decryption as good when you get it and not feel like you'll ever get a high percentage of it decrypted.
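The first-match semantics from point 1, the Clientless User exemptions from point 2 and the local exception list from point 6 can be modelled in a few lines. This is an added illustration, not Sophos code: the rule names, user names, IP addresses and host patterns are constructed, and the model treats the local exception list simply as a do-not-decrypt rule at the top of the list.

```python
# Added illustration of first-match TLS rule evaluation; not Sophos code.
from dataclasses import dataclass
from fnmatch import fnmatch

# Defaults when no rule matches: the asymmetry the reply describes.
FIREWALL_DEFAULT = "deny"        # falling off the end = no permission to flow
TLS_DEFAULT = "do_not_decrypt"   # falling off the end = no "permission" to decrypt

@dataclass
class Conn:
    src_ip: str
    sni: str          # server name the client asked for (visible without decryption)
    user: str = ""    # clientless user bound to a DHCP-static IP, if any

@dataclass
class Rule:
    name: str
    action: str                        # "decrypt" or "do_not_decrypt"
    users: frozenset = frozenset()     # empty = any user
    sni_patterns: tuple = ("*",)       # shell-style host patterns

    def matches(self, c: Conn) -> bool:
        if self.users and c.user not in self.users:
            return False
        return any(fnmatch(c.sni, p) for p in self.sni_patterns)

def first_match(rules, conn, default):
    """Top-to-bottom evaluation; the first matching rule wins, else the default."""
    for r in rules:
        if r.matches(conn):
            return r.action, r.name
    return default, "end-of-rules"

# Constructed rule set: exceptions above, catch-all inspection below.
LOCAL_TLS_EXCEPTIONS = ("*.apple.com", "*.icloud.com", "*.mybank.example")
TLS_RULES = [
    Rule("local exclusions", "do_not_decrypt", sni_patterns=LOCAL_TLS_EXCEPTIONS),
    Rule("exempt no-cert-store devices", "do_not_decrypt",
         users=frozenset({"appletv", "ps5"})),   # constructed clientless users
    Rule("inspect everything else", "decrypt"),
]

def tls_decision(conn, rules=TLS_RULES):
    return first_match(rules, conn, TLS_DEFAULT)

if __name__ == "__main__":
    for c in (Conn("192.168.1.10", "unknown.example", "winpc"),
              Conn("192.168.1.10", "www.apple.com", "winpc"),
              Conn("192.168.1.20", "www.primevideo.com", "appletv")):
        print(c.user, c.sni, "->", tls_decision(c))
```

Drop the catch-all rule (`TLS_RULES[:2]`) and every unmatched connection falls off the end undecrypted, whereas the same miss under `FIREWALL_DEFAULT` would be a deny.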

  • About the last part: The important part about decryption is the trust factor. Who do you trust? An Apple-signed website (official CDN of Apple) or the "unknown website with Apple content"? 

    Basically TLS Decryption is an important factor for unknown TLS content. You do not basically start to decrypt everything like Microsoft content or Apple content. Same for IoT content like a PlayStation or something. As you have no possibilities to implement this, it is up to the vendor (like Sony) to protect those devices. 

    But if you have a windows / mac client browsing on unknown websites in Safari etc. you want to look into this traffic to actually be able to block or warn this traffic. 


  • Exactly. If you're going to do business with *.apple.com and *.iCloud.com you won't be able to TLS decrypt. First because the transactions will fail if you try, and second because if you're syncing your stuff, say, to iCloud, you do have to trust that Apple is doing a good job of security. Similarly, you may have to trust some Amazon servers if you want to watch Amazon Prime. And maybe the same for your bank.

    I went into this naively, assuming I'd be able to have TLS decryption on 90% of TLS traffic, and as we've discussed, maybe it's actually 50% or even 20% at times. Which feels disappointing but it's still considerably more secure than no TLS decryption at all.

  • Ultimately the web filtering does three things:
    1 - stops you from going to categories of websites
    2 - stops you from downloading certain filetypes
    3 - does virus scanning

    So what happens with or without https decryption?

    1 - this will be based on domain name only and not path. But for sites like microsoft, apple it is unlikely you will do any category blocks

    2 - this could be an issue. If you want to block all executables, including from ms/apple, then you would need to https decrypt that traffic. But be aware that blocking executables from ms/apple might mean you don't get software updates.

    3 - It's important to a/v scan the websites you do not trust. You will have to trust that sites on the exception list have robust anti-malware and that you cannot download a virus from ms/apple/etc.

    Be aware that any HTTP decryption increases CPU resources. Not just because it is decrypting and re-encrypting, but because you are going to be doing a lot more A/V scanning and other things.
