Enable decryption of SSL traffic to servers with certificate validation issues by
bypassing server certificate verification, improving user experience while maintaining
visibility
Server certificate verification ensures that users connect to the legitimate server,
protects sensitive data, and mitigates the risk of attacks such as
meddler-in-the-middle (MITM) and phishing. However, verification can also block
business-critical websites and applications whose certificates fail validation
because of issues such as an incomplete certificate chain (the server omits an
intermediate CA certificate). Workarounds, such as excluding the affected servers
from decryption, cost administrator time and leave gaps in visibility and security.
PAN-OS® 12.1 introduces the Bypass Server Certificate Verification setting to
decryption profiles for SSL Forward Proxy.
When this setting is enabled, your Next-Generation Firewall (NGFW) ignores server
certificate issues, presents its Forward Trust certificate to the client (as it
would for a server with a valid certificate), and completes the TLS handshake. The
session is decrypted and inspected without disruption, which keeps critical services
available. Because the client receives a trusted certificate, the end user sees no
indication that the server's own certificate was invalid.
Enabling this option disables all other server certificate verification settings in
the decryption profile.
Bypassing server certificate verification introduces risk: it may put you out of
regulatory compliance, and for the affected sessions the firewall can no longer
distinguish a misconfigured server from an attacker impersonating it, so the MITM
protection that verification provides is lost. Treat the setting as a temporary
measure while you fix the underlying certificate issues, and disable it once they are
resolved. Decryption logs record whether certificate validation was bypassed for each
session, which helps you identify the servers that require attention.
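To see what the firewall is checking, and to confirm whether a server flagged in the decryption logs really has the incomplete-chain problem described above, the following added example (not from the PAN-OS documentation) builds a throwaway root, intermediate and leaf certificate with the openssl command-line tool and verifies the leaf exactly as a client or the SSL Forward Proxy would. The certificate names, the hostname app.example.test and the helper function verify_as_client are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example, not PAN-OS code: demonstrate why a server that omits its intermediate
# CA certificate fails server certificate verification, and what the fix looks like.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension files: the unnamed default section is what "openssl x509 -extfile" reads.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:app.example.test\n' > leaf.ext

# Root CA (self-signed). Assumed name; short lifetime because it is throwaway.
openssl req -new -newkey rsa:2048 -nodes -keyout root.key -out root.csr \
  -subj "/CN=Example Root CA" >/dev/null 2>&1
openssl x509 -req -in root.csr -signkey root.key -days 3 -extfile ca.ext \
  -out root.pem >/dev/null 2>&1

# Intermediate CA, signed by the root.
openssl req -new -newkey rsa:2048 -nodes -keyout int.key -out int.csr \
  -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -days 3 \
  -extfile ca.ext -out int.pem >/dev/null 2>&1

# Server (leaf) certificate for app.example.test, signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=app.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial -days 3 \
  -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

# Verify the leaf the way a client (or the firewall) does: only the root is trusted,
# and any intermediates must come from the server's own handshake.
#   $1 = certificate the server presents as its own
#   $2 = (optional) file of extra certificates the server sends with it
verify_as_client() {
  if [ -n "${2:-}" ]; then
    openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem "$1" >/dev/null 2>&1
  fi
}

# Case 1: the server sends only its leaf. The chain cannot be built back to the root,
# so verification fails; this is the "incomplete certificate chain" case.
if verify_as_client leaf.pem; then
  echo "leaf only: verified (unexpected)"
else
  echo "leaf only: verification FAILED (incomplete chain)"
  openssl verify -CAfile root.pem leaf.pem 2>&1 | head -n 2 | sed 's/^/  openssl: /'
fi

# Case 2: the server is fixed to send leaf + intermediate; the same trust store now
# verifies it, so no bypass is needed for this server.
cat leaf.pem int.pem > fullchain.pem
if verify_as_client leaf.pem fullchain.pem; then
  echo "leaf + intermediate: verified OK"
fi
```

Run it against a real server by replacing the generated files with the certificates the server actually sends (for example from `openssl s_client -connect host:443 -showcerts`); if the leaf verifies only once you add the missing intermediate by hand, the fix belongs on the server, not in the decryption profile.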