Troubleshooting Decryption

decrypt-cert-validation

Remember that if your Decryption profile blocks sessions to sites with expired certificates (even if this is only set in the profile applied to the “no-decrypt” rule), you will see sessions ending with ( session_end_reason eq decrypt-cert-validation ) when the website's certificate chains to two trust paths and one of them contains an expired certificate. Browsers will fall back to the other chain to validate the certificate, but the firewall will block the session.

Also remember that for inbound inspection, the certificate imported on the firewall needs to match what the web server presents. This means that if the web server's certificate file contains the full certificate chain, the certificate imported on the firewall for decryption also needs to contain the full chain.
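As an added example (not from this page and not a PAN-OS or Palo Alto tool), the following shell script checks a PEM bundle against the two points above before you import it: it counts how many certificates the file contains, so you can tell a leaf-only file from a full chain, and it reports any certificate in the bundle that is already expired or will expire within a chosen number of seconds, which is the condition the expired-certificate block trips on for any link of the presented chain. It assumes the openssl command-line tool is installed; the sample bundle it generates is constructed locally from two self-signed certificates and is not a real server's chain.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of PAN-OS: sanity-check a PEM
# certificate bundle before importing it for SSL Inbound Inspection.
# Assumes the openssl command-line tool is installed.

# count_certs BUNDLE -> prints the number of certificates in the bundle.
# A leaf-only file prints 1; a file that carries the full chain prints more.
count_certs() {
  grep -c -e '-----BEGIN CERTIFICATE-----' "$1"
}

# check_bundle BUNDLE [HORIZON_SECONDS]
# Prints one line per certificate and returns 1 if any certificate is already
# expired or expires within HORIZON_SECONDS (default 0 = expired right now).
check_bundle() {
  bundle="$1"
  horizon="${2:-0}"
  workdir=$(mktemp -d)

  # Split the bundle into one file per certificate (cert1.pem, cert2.pem, ...).
  awk -v d="$workdir" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = d "/cert" n ".pem" }
    f                             { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
  ' "$bundle"

  rc=0
  for c in "$workdir"/cert*.pem; do
    subject=$(openssl x509 -in "$c" -noout -subject)
    enddate=$(openssl x509 -in "$c" -noout -enddate)
    # -checkend exits non-zero when the certificate expires within HORIZON seconds
    if openssl x509 -in "$c" -noout -checkend "$horizon" >/dev/null; then
      echo "OK       $subject ($enddate)"
    else
      echo "EXPIRING $subject ($enddate)"
      rc=1
    fi
  done

  rm -rf "$workdir"
  return $rc
}

# make_sample_bundle OUTFILE
# Constructed sample input: two self-signed certificates, one valid for a day
# and one for ten years, concatenated the way a server's chain file would be.
make_sample_bundle() {
  out="$1"
  workdir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=short-lived" \
    -keyout "$workdir/k1.pem" -out "$workdir/c1.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=long-lived" \
    -keyout "$workdir/k2.pem" -out "$workdir/c2.pem" >/dev/null 2>&1
  cat "$workdir/c1.pem" "$workdir/c2.pem" > "$out"
  rm -rf "$workdir"
}
```

Run it as `check_bundle /path/to/chain.pem 2592000` to flag anything expiring within the next 30 days; against the constructed sample, a horizon of 0 reports both certificates as OK, while a horizon of ten days flags only the short-lived one, which is the kind of intermediate that browsers route around but the firewall does not.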

Another problem with inbound inspection occurs when the firewall sits between the Internet and an F5 load balancer that performs SSL termination. The F5 may have a feature called “SSL session resumption” enabled, which lets a client and server reuse previously negotiated SSL parameters instead of performing a full handshake. The firewall does not support this, so you must disable the feature on the F5 load balancer. Otherwise some end-user sessions will decrypt fine while others, the resumed ones for which the firewall never saw a full handshake, will not.

Supported Ciphers

In PAN-OS 10.0 the decryption logs refer to cipher suites by a hex bitmask. You can run the following command with the bitmask from the log to see which ciphers it refers to:

debug dataplane show ssl-decrypt bitmask-cipher 0x80000000
debug dataplane show ssl-decrypt bitmask-cipher 0x60f79980