A Palo Alto Networks firewall can block websites that present untrusted certificates. Some websites use certificates signed by an intermediate CA. If that intermediate CA is not trusted on the Palo Alto Networks firewall, the firewall simply drops the packets. To avoid this, add the intermediate certificate to the firewall.
The firewall is configured to block SSL sites with untrusted certificates.
For example, the certificate of the following site is signed by an intermediate CA, so the firewall blocks it: www.studyisland.com
Download the intermediate certificate "DigiCert SHA2 High Assurance Server CA" in PEM format.
Log in to the firewall through the WebGUI.
Go to Device > Certificates > Import > Import "Intermediate Cert" "DigiCert SHA2 High Assurance Server CA"
Click on the certificate and check "Trusted Root CA".
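Because the last step makes the firewall trust everything this certificate signs, it is worth vetting the downloaded PEM file before importing it. The script below is an added example, not part of the original article or any Palo Alto Networks tooling; it uses the openssl CLI, and the function names, file names and throwaway sample certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: vet a PEM file before importing it and marking it trusted.
# Usage: check_intermediate FILE EXPECTED_CN   (returns 0 only if all checks pass)
check_intermediate() {
    pem=$1; want_cn=$2
    # 1. The file must parse as an X.509 certificate.
    openssl x509 -in "$pem" -noout 2>/dev/null \
        || { echo "FAIL: not a PEM certificate"; return 1; }
    # 2. The subject CN must be the CA we intended to download.
    openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 2>/dev/null \
        | grep -F "CN=$want_cn" >/dev/null || { echo "FAIL: unexpected subject"; return 1; }
    # 3. It must be a CA certificate; a leaf with a matching name is rejected.
    openssl x509 -in "$pem" -noout -text 2>/dev/null | grep 'CA:TRUE' >/dev/null \
        || { echo "FAIL: basicConstraints is not CA:TRUE"; return 1; }
    # 4. It must not be expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null \
        || { echo "FAIL: certificate has expired"; return 1; }
    # 5. Print the SHA-256 fingerprint to compare with the CA's published value.
    openssl x509 -in "$pem" -noout -fingerprint -sha256
    echo "OK: $pem"
}

# Constructed sample input: two throwaway self-signed certificates with the
# same subject, one with CA:TRUE and one with CA:FALSE (not real CA material).
make_samples() {
    dir=$1
    cat > "$dir/sample.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Constructed Intermediate CA
[ca]
basicConstraints = critical,CA:TRUE
[leaf]
basicConstraints = CA:FALSE
EOF
    for kind in ca leaf; do
        openssl req -x509 -config "$dir/sample.cnf" -extensions "$kind" \
            -newkey rsa:2048 -nodes -keyout "$dir/$kind.key" \
            -out "$dir/$kind.pem" -days 30 2>/dev/null || return 1
    done
}

tmp=$(mktemp -d)
make_samples "$tmp" || { echo "openssl sample generation failed"; exit 1; }
check_intermediate "$tmp/ca.pem" "Constructed Intermediate CA"
check_intermediate "$tmp/leaf.pem" "Constructed Intermediate CA" || echo "leaf rejected"
```

For the real file, call check_intermediate on the downloaded PEM with the CA name from the download step and compare the printed fingerprint with the value the issuing CA publishes.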