There's a longer writeup about how it works in the admin/product guide, but in short: when you do HTTPS decryption the firewall acts as a man-in-the-middle TLS proxy, and presents its own certificate to users when they open HTTPS pages. The firewall creates this certificate with the Client Protection Certificate Authority that you have imported into or created in SMC and defined in firewall properties. The user's machine must trust the Client Protection Certificate Authority, or otherwise they get warnings about an untrusted certificate each time.
To avoid the warnings, you need to import the CA to client machines. Firefox has its own certificate store; other browsers like IE and Chrome generally use the Windows certificate store. In a managed environment the CA can usually be imported with group policy automatically.
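
An added example, not part of the original post or the product documentation: a PowerShell sketch for importing the exported CA on one Windows client (or from a startup script) where group policy is not used. The file path and thumbprint are placeholders, and the Firefox step assumes a default install location and uses Firefox's `ImportEnterpriseRoots` policy so that it honours the Windows store.

```powershell
#Requires -RunAsAdministrator
# Added example. $CaPath and $ExpectedThumbprint are placeholders to fill in.
param(
    [string]$CaPath = 'C:\Temp\client-protection-ca.cer',
    [string]$ExpectedThumbprint = '<THUMBPRINT-OF-YOUR-CLIENT-PROTECTION-CA>'
)

# Load the file first so it can be checked before anything becomes trusted.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CaPath)

# Pin to the thumbprint read from the CA in SMC: a trusted root can vouch for
# any site, so importing the wrong file is a serious mistake.
$expected = ($ExpectedThumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($cert.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch: file has $($cert.Thumbprint)"
}

# Refuse anything that is not actually a CA certificate, or that has expired.
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not ($bc -and $bc.CertificateAuthority)) {
    throw 'Certificate is not marked as a CA (basicConstraints CA=TRUE missing).'
}
if ($cert.NotAfter -lt (Get-Date)) { throw "CA expired on $($cert.NotAfter)" }

# Windows store: used by IE and Chrome.
Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
if (-not (Test-Path "Cert:\LocalMachine\Root\$($cert.Thumbprint)")) {
    throw 'Import reported success but the CA is not in LocalMachine\Root.'
}

# Firefox: enable its enterprise-roots policy so it honours the Windows store.
$ffDir = Join-Path $env:ProgramFiles 'Mozilla Firefox\distribution'
$policyFile = Join-Path $ffDir 'policies.json'
if (Test-Path (Split-Path $ffDir)) {
    if (Test-Path $policyFile) {
        Write-Warning "$policyFile exists; add Certificates.ImportEnterpriseRoots by hand."
    } else {
        New-Item -ItemType Directory -Path $ffDir -Force | Out-Null
        @{ policies = @{ Certificates = @{ ImportEnterpriseRoots = $true } } } |
            ConvertTo-Json -Depth 4 | Set-Content -Path $policyFile -Encoding Ascii
    }
}
Write-Output "Trusted CA: $($cert.Subject) (expires $($cert.NotAfter))"
```

Import only the CA certificate, never its private key; the key stays with the firewall and SMC.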