SSL decryption on PA incase the SSL termintated on WAF


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L0 Member

SSL decryption on PA incase the SSL termintated on WAF

We have a website hosted behind WAF and Firewall (Palo Alto). The WAF already has the server valid SSL Certificate from public CA. Do we need to install SSL certificate (decryption ) on PA Firewall also for inbound traffic to make it more secure ? 

Tags (1)
Cyber Elite



If you want to do Inbound SSL decryption for traffic coming from Internet to the server then yes you need to Import the certificate to the

PA with its private keys for SSL decryption to work.


Then you need Decryption policy on the PA for traffic coming from Internet to the server Public IP address.



L0 Member

Thank you for your answer , i'm asking if it will be more secure if we install same ssl certificate on PA and WAF for inbound traffic destined to published server .

Cyber Elite


If you aren't attempting to decrypt the traffic as described by @MP18, there would be no reason to install the certificate on the PAN firewalls. You only need the certificate installed on the PAN if you were doing inbound decryption.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!