the HTTPS Inspection Exceptions should work well to achieve this. I tested with FW 5.5 without issues, in a HTTPS service's Protocol Parameters tab set inspection&decryption to Yes, select your own exception set, and use this service in the access rule. Note that you may need to add the full FQDNs to exceptions for some sites, for example when I have exception for example.com but I access www.example.com it's decrypted. So in this case I'd need to also add exception for www.example.com.
>By the way, how to know that the NGFW is really decrypting the SSL traffic in both Client Protection and Server Protection?
If you see in the browser that the client protection CA you selected has signed the SSL certificate, the connection is decrypted. A simple test to see does decryption work, is to enable URL logging in the HTTPS service. The HTTP request is inside the SSL tunnel so without decryption the URL couldn't be logged by firewall.