Re: 6.2.1 - SSL certificate-inspection and Subject Alternative Names (no deep inspection)
Yes it does look for SNI. I ran into an issue with the default certificate-inspection profile assigned to a policy in proxy-mode: SSL negotiation failure because SNI does not match CN. Looking at the certificate for the website in question, I can see that the CN is listed in SNI, but it's the last entry.
You can resolve by using flow-based inspection. Also, you can edit the certificate-inspection profile on the CLI:
config firewall ssl-ssh-profile
set inspect-all certificate-inspection
set sni-server-cert-check disable
I found that disabling sni-server-cert-check on full-tunnel SSL VPN policies resolved the issue without having to switch to flow-based inspection.