Decryption Changes

PAN-OS® 8.0 has the following change in default behavior for decryption:
Perfect Forward Secrecy (PFS) Support with SSL Inbound Inspection
Beginning in PAN-OS 8.0, firewalls use the Elliptic-Curve Diffie-Hellman Ephemeral (ECDHE) algorithm to perform strict certificate checking. This means that if the firewall uses an intermediate certificate, you must re-import the certificate from your web server to the firewall after you upgrade to a PAN-OS 8.0 or later release and combine the server certificate with the intermediate certificate (install a chained certificate). Otherwise, SSL Inbound Inspection sessions that use an intermediate certificate will fail.
Use the following procedure to install a chained certificate:
  1. Open each certificate (.cer) file in a plain-text editor.
  2. Paste the certificates end-to-end, with the server certificate at the top and each signer included below it.
  3. Save the file as a text (.txt) or certificate (.cer) file (the name of the file cannot contain blank spaces).
  4. Import the combined (chained) certificate into the firewall.
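
One way to script steps 1 through 3, as an added example that is not Palo Alto Networks code: it places the server certificate at the top and orders the signers below it by matching each certificate's issuer to the next certificate's subject. The function names are the example's own, and the names are compared byte-for-byte, which is a simplifying assumption.

```python
import base64, re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(text):  # DER bytes of every CERTIFICATE block in a .cer file's text
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def to_pem(der):  # re-encode DER as a PEM block with 64-character lines
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def _tlv(buf, off):
    """Read one DER element at off; return (tag, value_start, value_end)."""
    tag, n, off = buf[off], buf[off + 1], off + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, off, off + n

def issuer_subject(der):
    """Raw DER issuer and subject Names from an X.509 certificate."""
    _, off, _ = _tlv(der, 0)      # Certificate SEQUENCE
    _, off, _ = _tlv(der, off)    # tbsCertificate SEQUENCE
    tag, _, end = _tlv(der, off)
    if tag == 0xA0:               # optional explicit [0] version field
        off = end
    fields = []
    for _ in range(5):            # serial, sigAlg, issuer, validity, subject
        _, _, end = _tlv(der, off)
        fields.append(der[off:end])
        off = end
    return fields[2], fields[4]

def build_chain(server_pem, signer_pems, out_name):
    """Chained PEM text: server certificate on top, each signer below it."""
    if " " in out_name:
        raise ValueError("file name cannot contain blank spaces")
    chain = pem_to_der(server_pem)
    pool = [der for pem in signer_pems for der in pem_to_der(pem)]
    if len(chain) != 1:
        raise ValueError("server file must hold exactly one certificate")
    while pool:
        issuer = issuer_subject(chain[-1])[0]
        nxt = next((d for d in pool if issuer_subject(d)[1] == issuer), None)
        if nxt is None:
            raise ValueError(f"certificate {len(chain)} has no signer in the pool")
        chain.append(nxt)
        pool.remove(nxt)
    return "".join(to_pem(d) for d in chain)
```

Pass the text of the server certificate file, a list with the text of each signer file in any order, and the intended output file name; write the returned string to that file and import it as in step 4. A missing intermediate raises an error instead of producing an incomplete chain.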
