PAN-OS® 8.0 has the following change in default behavior
Perfect Forward Secrecy (PFS) Support with
SSL Inbound Inspection
Beginning in PAN-OS 8.0, firewalls use the
Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) algorithm to perform
strict certificate checking. This means that if the firewall uses
an intermediate certificate, you must re-import the certificate
from your web server to the firewall after you upgrade to a PAN-OS
8.0 or later release and combine the server certificate with the
intermediate certificate (install a chained certificate); otherwise,
SSL Inbound Inspection sessions that use an intermediate certificate
Use the following procedure to install a chained
Open each certificate (.cer) file in
a plain-text editor.
Paste each certificate end-to-end with the Server Certificate
at the top with each signer included below.
Save the file as a text (.txt) or certificate (.cer) file
(the name of the file cannot contain blank spaces).
Import the combined (chained) certificate in to the firewall.