https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6976#M5143 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Here is a doc which explains on how the different Decryptions (Inbound, outbound, forward proxy) is done on the firewall and general guidlines on how to configure it</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"> <A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="1412" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1412" style="font-style: inherit; font-family: inherit; color: #006595;">https://live.paloaltonetworks.com/docs/DOC-1412</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Here are few other useful docs for SSL decryption</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2008">https://live.paloaltonetworks.com/docs/DOC-2008</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2006">https://live.paloaltonetworks.com/docs/DOC-2006</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Hope this helps.</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks<BR />Numan</P></BODY></HTML> Tue, 27 Aug 2013 23:07:25 GMT mbutt 2013-08-27T23:07:25Z https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6973#M5140 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This commit error: "Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead." Means, that i must generate "Forward untrust certificate" or what?</P></BODY></HTML> Tue, 27 Aug 2013 13:52:06 GMT https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6973#M5140 Interface 2013-08-27T13:52:06Z https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6974#M5141 <HTML><HEAD></HEAD><BODY><P><IMG alt="cert.PNG.png" class="jive-image" src="https://live.paloaltonetworks.com/legacyfs/online/7920_cert.PNG.png" style="width: 620px; height: 35px;" /></P><P>Yes, you need to generate/import a CA cert on the PA and designate it as "Forward untrust cert" if you configure outbound SSL proxy as shown in the screenshot.</P></BODY></HTML> Tue, 27 Aug 2013 13:54:46 GMT https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6974#M5141 goku123 2013-08-27T13:54:46Z https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6975#M5142 <HTML><HEAD></HEAD><BODY><P>Good Morning,</P><P>Its recommended that the users are presented with a forward untrust certificate, if the server certificate of the web site that the user browses for isnt part of the Trusted CA certificates in the firewall. This is to let the customer know that the website in question is not trusted or safe. Usually the PANFW has most of the CA certificates under its list, and for the ones that are not present, the PANFW considers them as being unsafe.</P><P></P><P>When configured with the forwared untrust certificate, the user can come to know that the website in question not a safe website</P></BODY></HTML> Tue, 27 Aug 2013 13:56:36 GMT https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6975#M5142 kprakash 2013-08-27T13:56:36Z https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6976#M5143 <HTML><HEAD></HEAD><BODY><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Here is a doc which explains on how the different Decryptions (Inbound, outbound, forward proxy) is done on the firewall and general guidlines on how to configure it</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"> <A _jive_internal="true" data-containerid="2027" data-containertype="14" data-objectid="1412" data-objecttype="102" href="https://live.paloaltonetworks.com/docs/DOC-1412" style="font-style: inherit; font-family: inherit; color: #006595;">https://live.paloaltonetworks.com/docs/DOC-1412</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Here are few other useful docs for SSL decryption</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2008">https://live.paloaltonetworks.com/docs/DOC-2008</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"><A _jive_internal="true" href="https://live.paloaltonetworks.com/docs/DOC-2006">https://live.paloaltonetworks.com/docs/DOC-2006</A></P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Hope this helps.</P><P style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;">Thanks<BR />Numan</P></BODY></HTML> Tue, 27 Aug 2013 23:07:25 GMT https://live.paloaltonetworks.com/t5/general-topics/commit-error-vsys1-decryption-forward-decrypt-untrust-cert-is/m-p/6976#M5143 mbutt 2013-08-27T23:07:25Z