So… You want to scan an encrypted packet, which by design and definition is useless noise without decryption, and you also want to be effective against TLS 1.3 where you don’t even have the crutch to lean on of seeing what name is on the certificate that is being used?
If that was possible, encryption would be worse than useless, and to be clear there are conspiracy theorists that claim this.
There is no alternative from a firewall perspective to installing your own root key on every company computer in order to MITM yourself to decrypt packets. For pfSense/OPNsense, this is done via Squid. If that isn’t suitable for you, you can find cheaper options than Palo, but you’re going to be paying someone money.
A better approach is to invest in an anti-malware solution that lets you do the inspection and filtering on every computer. The computer has to decrypt the packets, after all, and you can directly match DNS requests to sockets.
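To make concrete what a non-decrypting device on the wire can and cannot see, here is an added example that is not part of the post above. It builds a constructed TLS ClientHello (the one handshake message that is still sent in the clear in TLS 1.3, unless Encrypted Client Hello is in use) and parses back the only fields a firewall can act on without a decryption proxy: the Server Name Indication and the offered versions and cipher suites. Anything after the handshake is an application_data record, which the parser rejects as opaque. All function names and the hostname are assumptions made for this example.

```python
"""Added example: cleartext metadata in a TLS ClientHello versus opaque
application data. Not code from the original post; all input is constructed."""
import os
import struct

RECORD_HANDSHAKE = 0x16          # record content type: handshake
RECORD_APPLICATION_DATA = 0x17   # record content type: encrypted payload
HS_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
EXT_SUPPORTED_VERSIONS = 0x002B
TLS12 = 0x0303
TLS13 = 0x0304


def build_client_hello(sni, versions=(TLS13, TLS12), cipher_suites=(0x1301, 0x1302)):
    """Assemble a minimal, well-formed ClientHello record (constructed test input)."""
    host = sni.encode("ascii")
    # server_name extension body: ServerNameList of (name_type=0, length, host)
    name_list = b"\x00" + struct.pack("!H", len(host)) + host
    sni_body = struct.pack("!H", len(name_list)) + name_list
    sni_ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_body)) + sni_body
    # supported_versions extension body: one length byte, then 2-byte versions
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_body = bytes([len(vers)]) + vers
    sv_ext = struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv_body)) + sv_body
    extensions = sni_ext + sv_ext
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        struct.pack("!H", TLS12)                          # legacy_version
        + os.urandom(32)                                  # random
        + b"\x00"                                         # empty legacy_session_id
        + struct.pack("!H", len(suites)) + suites         # cipher_suites
        + b"\x01\x00"                                     # compression: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", RECORD_HANDSHAKE, TLS12, len(handshake)) + handshake


def parse_client_hello(record):
    """Return the cleartext metadata of a ClientHello record as a dict.

    Raises ValueError for any record that is not a ClientHello, including
    application_data records, whose payload is ciphertext and carries nothing
    a middlebox can inspect without the session keys."""
    if len(record) < 5 or record[0] != RECORD_HANDSHAKE:
        raise ValueError("not a handshake record: nothing to inspect")
    (rec_len,) = struct.unpack("!H", record[3:5])
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != HS_CLIENT_HELLO:
        raise ValueError("handshake record is not a ClientHello")
    body_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + body_len]

    pos = 2 + 32                                  # skip legacy_version + random
    pos += 1 + body[pos]                          # skip legacy_session_id
    (cs_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                          # skip compression methods
    (ext_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos += 2
    end = pos + ext_len

    info = {"sni": None, "versions": [], "cipher_suites": suites}
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == EXT_SERVER_NAME:
            (list_len,) = struct.unpack("!H", edata[:2])
            p = 2
            while p < 2 + list_len:
                name_type = edata[p]
                (name_len,) = struct.unpack("!H", edata[p + 1:p + 3])
                if name_type == 0:                # host_name
                    info["sni"] = edata[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        elif etype == EXT_SUPPORTED_VERSIONS:
            n = edata[0]
            info["versions"] = [struct.unpack("!H", edata[i:i + 2])[0]
                                for i in range(1, 1 + n, 2)]
    return info


if __name__ == "__main__":
    # Assumed hostname, constructed for the example only.
    hello = build_client_hello("intranet.example.com")
    print(parse_client_hello(hello))
    try:
        parse_client_hello(bytes([RECORD_APPLICATION_DATA, 3, 3, 0, 5]) + b"\x9a\x1f\x00\xc4\x7e")
    except ValueError as err:
        print("application_data:", err)
```

The parser deliberately stops at the handshake: the hostname and version list are the whole of what a passive filter can key on, and the rest of the session is exactly the "useless noise" the post refers to, which is why either a decrypting proxy with its own trusted root or an agent on the endpoint is needed to see content.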