Troubleshooting Decryption
decrypt-cert-validation
Remember: if you block users from accessing sites with expired certificates (even if this is only set in the “no-decrypt” section), sessions will end with ( session_end_reason eq decrypt-cert-validation ) when the website has two chains of trust and one of them is expired. Browsers will use the other chain to verify the certificate, but the Palo Alto firewall will block the session.
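The difference described above, as a simplified model (an added example, not part of the original page and not PAN-OS code): a browser-style check accepts a site when any chain to a trusted root is valid, while a strict check blocks as soon as one chain contains an expired certificate. All certificate names, dates and the trust store are constructed for illustration.

```python
from datetime import datetime, timezone

def cert(subject, issuer, not_after):
    expiry = datetime.fromisoformat(not_after).replace(tzinfo=timezone.utc)
    return {"subject": subject, "issuer": issuer, "not_after": expiry}

# Constructed sample data, not real certificates: the issuing CA exists twice,
# once signed by a current root and once cross-signed by an expired root.
CERTS = [
    cert("www.example.test", "Example Issuing CA", "2022-01-01"),
    cert("Example Issuing CA", "New Root", "2030-01-01"),
    cert("Example Issuing CA", "Old Root", "2020-05-30"),
    cert("New Root", "New Root", "2038-01-01"),
    cert("Old Root", "Old Root", "2020-05-30"),
]
TRUSTED_ROOTS = {"New Root", "Old Root"}

def build_paths(current, pool, roots, path=()):
    """Yield every chain from `current` up to a trusted self-signed root."""
    path = path + (current,)
    if current["subject"] == current["issuer"]:
        if current["subject"] in roots:
            yield path
        return
    for candidate in pool:
        if candidate["subject"] == current["issuer"] and candidate not in path:
            yield from build_paths(candidate, pool, roots, path)

def has_expired(path, now):
    return any(c["not_after"] < now for c in path)

def evaluate(leaf_subject, now, pool=CERTS, roots=TRUSTED_ROOTS):
    leaf = next(c for c in pool if c["subject"] == leaf_subject)
    paths = list(build_paths(leaf, pool, roots))
    return {
        "chains": [" -> ".join(c["subject"] for c in p) for p in paths],
        # Browser-style path building: one fully valid chain is enough.
        "browser_allows": any(not has_expired(p, now) for p in paths),
        # Behaviour the page reports for the firewall: any expired chain blocks.
        "strict_allows": bool(paths) and not any(has_expired(p, now) for p in paths),
    }

if __name__ == "__main__":
    print(evaluate("www.example.test", datetime(2021, 5, 5, tzinfo=timezone.utc)))
```

When the two verdicts differ for a site, the expired chain is the likely cause of the decrypt-cert-validation session end.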
Supported Ciphers
In PAN-OS 10.0 you can run the following command to see which ciphers the logs are referring to:
debug dataplane show ssl-decrypt bitmask-cipher 0x80000000
debug dataplane show ssl-decrypt bitmask-cipher 0x60f79980
