SHA256 forward decryption on Palo Alto Networks Firewall PanOS 5.0.15




I have a private subordinate CA signed using SHA-256. This is my forward decryption certificate. The trust anchor is also SHA-256.

With forward decryption enabled on my PAN-OS 5.0.15 device, the certificates generated by the firewall are signed using SHA-1, even when the website's real certificate is signed using SHA-256.

The recent changes made by Google to Chrome mean that the certificate indicator now shows a warning because the site's certificate isn't using SHA-256. In the future, Chrome will block access to such sites.

Does PAN-OS 5.0.15 have a setting that will let me resolve this issue?


Hi EdwinD,

Not sure if you already have an answer; if not, here you go:

Unfortunately, no.

This is supported only starting with PAN-OS 6.1, as described in the release notes:

Configurable Key Size for SSL Forward Proxy Server Certificates

The firewall now supports both 2048-bit RSA keys (with SHA-256 hashing) and 1024-bit RSA keys (with SHA-1 hashing) for generating the certificates it uses to establish the SSL Forward Proxy session between itself and the client. This is an extension of the 2048-bit key support that was already available with SSL decryption. In previous releases, 2048-bit keys were supported in SSL Inbound Inspection sessions as well as in SSL Forward Proxy sessions between the firewall and the destination server. As part of the extended support for 2048-bit keys, the firewall will now by default dynamically choose the key size to use to establish SSL Forward Proxy sessions with clients, based on the key size used by the destination server. You can optionally configure a static key size for SSL Forward Proxy sessions between the firewall and clients regardless of the key size used by the destination server.

You can configure the setting in the CLI under:

  deviceconfig {
    setting {
      ssl-decrypt {
        fwd-proxy-server-cert-key-size {0 | 1024 | 2048};
      }
    }
  }

or in the web UI under Device -> Setup -> Session -> Forward Proxy Server Certificate Settings.

Hope this answers your query.

Thank You.
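Whatever the release, the thing to check is the leaf certificate the browser actually receives, since that is what the firewall re-signed (export it from the browser, or capture it with openssl s_client -showcerts). The script below is an added example for this thread, not code from the Live Community post or from Palo Alto Networks: a standard-library-only DER walker that reports the signatureAlgorithm OID and the RSA modulus length of a certificate. The two sample certificates are constructed inside the script (empty issuer/subject names, zero-filled signature, fake modulus) to mirror the SHA-1/1024-bit proxy certificate the question describes and the SHA-256/2048-bit one the 6.1 note promises; they are not real firewall output, and the tool checks shape only, not signature validity.

```python
"""Report the signature hash and RSA key size of a DER-encoded X.509 certificate,
such as the leaf a decrypting firewall re-signed. Added example, stdlib only."""
import base64

SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
RSA_ENC_OID = "1.2.840.113549.1.1.1"

def _tlv(tag, body):
    """DER-encode one tag-length-value element (only used to build samples)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def _read_tlv(buf, pos):
    """Decode the element at buf[pos]; return (tag, body, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                           # base-128, high bit = continuation
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def _decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def pem_to_der(pem):
    """Strip the -----BEGIN/END----- armour of one PEM certificate."""
    b64 = "".join(ln for ln in pem.splitlines() if ln and not ln.startswith("-----"))
    return base64.b64decode(b64)

def inspect_cert(der):
    """Return signature algorithm, RSA modulus size and a SHA-1 flag for a DER cert."""
    _, cert, _ = _read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, pos = _read_tlv(cert, 0)                # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)            # signatureAlgorithm
    _, sig_oid, _ = _read_tlv(sig_alg, 0)
    # tbsCertificate: [0] version (absent on v1), serialNumber, signature,
    # issuer, validity, subject, then subjectPublicKeyInfo.
    tag, _, pos = _read_tlv(tbs, 0)
    if tag != 0xA0:
        pos = 0
    for _ in range(5):
        _, _, pos = _read_tlv(tbs, pos)
    _, spki, _ = _read_tlv(tbs, pos)
    _, alg_id, pos = _read_tlv(spki, 0)
    _, key_oid, _ = _read_tlv(alg_id, 0)
    _, key_bits, _ = _read_tlv(spki, pos)           # BIT STRING; byte 0 = unused bits
    modulus_bits = None
    if _decode_oid(key_oid) == RSA_ENC_OID:
        _, rsa_key, _ = _read_tlv(key_bits, 1)      # RSAPublicKey ::= SEQUENCE { n, e }
        _, modulus, _ = _read_tlv(rsa_key, 0)
        modulus_bits = int.from_bytes(modulus, "big").bit_length()
    sig_name = SIG_OIDS.get(_decode_oid(sig_oid), _decode_oid(sig_oid))
    return {"signature_algorithm": sig_name, "rsa_key_bits": modulus_bits,
            "sha1_signed": sig_name == "sha1WithRSAEncryption"}

def make_sample_cert(sig_oid, modulus_bits):
    """Constructed input: syntactically valid v3 cert, empty names, zero signature."""
    modulus = (1 << (modulus_bits - 1)) | 0x10001   # fake modulus with top bit set
    mod_bytes = b"\x00" + modulus.to_bytes(modulus_bits // 8, "big")  # positive INTEGER
    rsa_key = _tlv(0x30, _tlv(0x02, mod_bytes) + _tlv(0x02, b"\x01\x00\x01"))
    rsa_alg = _tlv(0x30, _tlv(0x06, _encode_oid(RSA_ENC_OID)) + _tlv(0x05, b""))
    spki = _tlv(0x30, rsa_alg + _tlv(0x03, b"\x00" + rsa_key))
    sig_alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + _tlv(0x05, b""))
    validity = _tlv(0x30, _tlv(0x17, b"200101000000Z") + _tlv(0x17, b"300101000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + sig_alg
               + _tlv(0x30, b"") + validity + _tlv(0x30, b"") + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * (modulus_bits // 8 + 1)))

if __name__ == "__main__":
    # 5.0.x proxy behaviour reported in the thread vs. the 6.1 default for a 2048-bit origin
    for oid, bits in (("1.2.840.113549.1.1.5", 1024), ("1.2.840.113549.1.1.11", 2048)):
        print(inspect_cert(make_sample_cert(oid, bits)))
```

Feed inspect_cert(pem_to_der(...)) the first certificate block printed by openssl s_client -showcerts while connected through the firewall. If sha1_signed is still true after moving to 6.1, the fwd-proxy-server-cert-key-size value is the first thing to look at, since the release note ties SHA-256 to the 2048-bit choice.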
