That is likely down to Certificate Pinning which is implemented on many services these days.  From the second link I posted: "Many mobile devices and enterprise SaaS cloud applications use mutual authentication or certificate pinning to validate the ...

"Known-Key" decryption is for services that you own/manage such as decryption of inbound sessions to your internal web servers.The firewall uses the uploaded private key from the server to decrypt and re-encrypt the session.  "Resign" is for decrypti...

You will most likely find that an FQDN object for such a large scale web service will not work for your use-case. That's not the intended use.  If you configure an FQDN Object such as facebook.com, the FTD device will do a DNS lookup for facebook.com...