https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1232077#M124615 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P> <P>Thanks for response.&nbsp; I am running 11.1.x code</P> <P>&nbsp;</P> <P>Seems that the need for customers to import missing CA's is common, from what I gather.&nbsp; As you mention, I'd prefer not having to make decryption exceptions.&nbsp; I also didn't want to be in the business of having to upload trusted root CAs and maintaining that list.&nbsp; &nbsp;I was starting to wonder if a lot of customers leave these checkboxes unchecked in their decryption profiles</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 Jun 2025 20:09:08 GMT securehops 2025-06-18T20:09:08Z https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1231846#M124581 <P>I modified existing decryption rules to add a decryption profile to each of them.&nbsp; In the profile, I have "<SPAN>Block sessions with untrusted issuers" checked.&nbsp; &nbsp;I'm finding sites with well-known trusted certificates are being blocked due to this.&nbsp; My understanding is Palo has a very limited certificate store.</SPAN></P> <P>&nbsp;</P> <P><SPAN>What's the best/most common way to handle this?&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 16 Jun 2025 18:37:02 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1231846#M124581 securehops 2025-06-16T18:37:02Z https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1231898#M124584 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167427">@securehops</a>&nbsp;,</P> <P>&nbsp;</P> <P>I believe there are several steps you can try to improve the situation:</P> <P>&nbsp;</P> <P>Ensure that your firewall's PAN-OS version is reasonably current so you have an updated CA list (<SPAN class="citation-22">PAN firewalls </SPAN><SPAN class="citation-22">update their default trusted CA store primarily with major PAN-OS software releases</SPAN>).</P> <P>Importing missing CAs over creating decryption exclusions (Use decryption exclusions only as a last resort for sites that genuinely break decryption or for specific business/regulatory reasons.)</P> <P>Consider automating the CA trust store management with tools like pan-chainguard for a more proactive approach:&nbsp;</P> <P><A href="https://pan.dev/panos/docs/pan-chainguard/" target="_blank">https://pan.dev/panos/docs/pan-chainguard/</A></P> <P>&nbsp;</P> <P>Hope this helps,</P> <P>Kim.</P> Tue, 17 Jun 2025 07:02:31 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1231898#M124584 kiwi 2025-06-17T07:02:31Z https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1232077#M124615 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/11943">@kiwi</a>&nbsp;</P> <P>Thanks for response.&nbsp; I am running 11.1.x code</P> <P>&nbsp;</P> <P>Seems that the need for customers to import missing CA's is common, from what I gather.&nbsp; As you mention, I'd prefer not having to make decryption exceptions.&nbsp; I also didn't want to be in the business of having to upload trusted root CAs and maintaining that list.&nbsp; &nbsp;I was starting to wonder if a lot of customers leave these checkboxes unchecked in their decryption profiles</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 Jun 2025 20:09:08 GMT https://live.paloaltonetworks.com/t5/general-topics/decryption-profile/m-p/1232077#M124615 securehops 2025-06-18T20:09:08Z