DPI-SSL Client: "Common Name Exclusions" not working or cannot browse some websites

Description

When using DPI-SSL Client, we may want to exclude some websites from inspection.
Normally we use the "Common Name Exclusions" list for this, but in some scenarios it does not work.

We can also follow this KB when Client DPI-SSL is enabled and we have problems browsing some websites.

If the SSL version selected in the DPI-SSL section of diag.html is SSLv3.0 (or another version) and some web servers use a different version such as TLSv1.0, the exclusions may not work properly: those sites will still be presented with the SonicWall DPI-SSL certificate instead of their own certificate.

The problem is that web servers use different SSL/TLS versions, and SonicWall cannot use all versions at the same time. We can change the SSL version in the DPI-SSL section of https://sonicwall-IP/diag.html.

In the workaround, https://examinations.ie is used as the example. With SSLv3.0 selected, the "Common Name Exclusions" do not work properly; with TLSv1.0 selected, the page does not load.
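To confirm the version mismatch described above and to check whether a site is still being re-signed by DPI-SSL, the following diagnostic can be run from a client behind the firewall. It is an added example, not part of the KB; it assumes the openssl CLI is available and that the DPI-SSL CA name contains "SonicWall" (the host name is a parameter, examinations.ie being the KB's example).

```shell
#!/usr/bin/env bash
# Added diagnostic (not from the KB): probe which TLS versions a site completes a
# handshake with, and classify who issued the certificate the client actually sees.
set -u

# Print one line per protocol version, "OK" if the server completes the handshake.
# openssl s_client exits non-zero when the handshake fails or the version is unsupported.
tls_versions_offered() {
  local host=$1 port=${2:-443} flag
  for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
    if openssl s_client -connect "$host:$port" -servername "$host" "$flag" \
         </dev/null >/dev/null 2>&1; then
      echo "$host: ${flag#-} OK"
    else
      echo "$host: ${flag#-} failed"
    fi
  done
}

# Print the issuer line of the leaf certificate presented to this client.
presented_issuer() {
  local host=$1 port=${2:-443}
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer
}

# Classify an issuer line: "resigned" when the DPI-SSL CA signed it (the exclusion is
# not in effect), "origin" when the site's own CA signed it. The CA name "SonicWall"
# is an assumption; adjust it to the name of your firewall's DPI-SSL CA certificate.
classify_issuer() {
  case "$1" in
    *SonicWall*) echo resigned ;;
    *)           echo origin ;;
  esac
}

# Usage: ./dpi-ssl-check.sh examinations.ie
if [ -n "${1:-}" ]; then
  tls_versions_offered "$1"
  classify_issuer "$(presented_issuer "$1")"
fi
```

If the only version reported "OK" differs from the one selected in diag.html, the Common Name Exclusion cannot take effect and the FQDN address object workaround in the Resolution is needed.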

Resolution

  1. Enable DPI-SSL Client on SonicWall and browse to https://examinations.ie.
    Image
    Here we see that DPI-SSL is working and the website is presented with the SonicWall certificate.

  2. To exclude the website, we normally use the "Common Name Exclusions" in the DPI-SSL Client configuration.
    Image

  3. To exclude the website in this scenario, we need to create an FQDN address object in Network | Address Objects and use it under Inclusion / Exclusion in the DPI-SSL Client configuration.
    Image

    As we can see here, DNS resolves the FQDN to its IP address. Now we can use this object as an Inclusion / Exclusion in the DPI-SSL Client configuration.
    Image

See also: How to Configure Client DPI-SSL (Video Tutorial and KB Article)
