https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237660#M68093 <P>There are two types of SSL decryption policies - inbound decryption and Forward Proxy decryption.&nbsp; It sounds like you have a policy that matched on an inbound decryption policy.&nbsp; This is useful if you are hosting a server (e.g. in a DMZ) and have both the public and private certificates for that SSL/TLS server loaded onto the firewall, and you wish to do an inbound decryption inspection of the traffic.</P><P>&nbsp;</P><P>If you have users trying to visit a website on the internet, you want a forward proxy decryption policy.</P><P>&nbsp;</P><P>Does that help?</P><P>&nbsp;</P> Mon, 29 Oct 2018 17:49:09 GMT JW6224 2018-10-29T17:49:09Z https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237651#M68091 <P>show system setting ssl-decrypt certificate</P><P>&nbsp;</P><P>Certificates for Global</P><P>SSL Decryption CERT</P><P>global trusted<BR />ssl-decryption x509 certificate<BR />version 2<BR />cert algorithm 4<BR />valid 171204224608Z -- 221204225608Z<BR />cert pki 1<BR />subject: NGFW-2<BR />issuer: Root CA 2<BR />serial number(19)<BR />4f 00 00 00 2b e2 bd d9 f7 cb fa 0b 9a 00 01 00 O...+... ........<BR />00 00 2b ..+<BR />rsa key size 2048 bits siglen 512 bytes<BR />basic constraints extension CA 1<BR />also serves as untrusted certificate</P><P>&nbsp;</P><P><FONT color="#FF6600">NO INBOUND CERT</FONT></P><P>&nbsp;</P><P>Need to know what does no&nbsp; inbound cert mean here?</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 29 Oct 2018 17:43:09 GMT https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237651#M68091 MP18 2018-10-29T17:43:09Z https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237660#M68093 <P>There are two types of SSL decryption policies - inbound decryption and Forward Proxy decryption.&nbsp; It sounds like you have a policy that matched on an inbound decryption policy.&nbsp; This is useful if you are hosting a server (e.g. in a DMZ) and have both the public and private certificates for that SSL/TLS server loaded onto the firewall, and you wish to do an inbound decryption inspection of the traffic.</P><P>&nbsp;</P><P>If you have users trying to visit a website on the internet, you want a forward proxy decryption policy.</P><P>&nbsp;</P><P>Does that help?</P><P>&nbsp;</P> Mon, 29 Oct 2018 17:49:09 GMT https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237660#M68093 JW6224 2018-10-29T17:49:09Z https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237661#M68094 <P>We are using SSL forward Proxy</P><P>Seems that info is for the No Inbound Cer================No inbound SSL decrypt?</P> Mon, 29 Oct 2018 17:53:49 GMT https://live.paloaltonetworks.com/t5/general-topics/show-system-setting-ssl-decrypt-certificate-no-inbound-cert/m-p/237661#M68094 MP18 2018-10-29T17:53:49Z