Decryption certificate must be installed as trusted into the system. The whole point of TLS is behind this statement.
If anyone was able to decrypt connections to a bank without the installation of a root ca - imagine when a person sits in the airport cafe's wifi network - this would be the end of the known electronic society.
So either they installed the decryption certificate into your system (for example by management solution, at the factory etc) or they do *not* decrypt at all.
One wa to check that is to click on the padlock in your browser address bar when you are on facebook.com
for example - the site certificate was signed by fortigate? if so - root ca is your system somewhere.
If not - they do not decrypt.