Thanks Fgj - it' ll be a real pain to take the router out of service, and even worse if it doesn' t solve the problem!
Faulty - 5.0.4 is OK on memory, and support did some tweaking on ttl and cache settings that helped. but still doesn' t solve the HTTPS
Bromont - I have tried deep scanning as well, and it causes constant certificate errors. But I have added the usual suspects (Facebook, Youtube, Ebay, Twitter....) to the URL filtering in the UTM profile, and have even put a Deny policy directly into the router with these sites for both HTTP and HTTPS services. Still gets past.