SSL decryption on PA incase the SSL termintated on WAF

Showing results for 
Search instead for 
Did you mean: 

SSL decryption on PA incase the SSL termintated on WAF

L0 Member

We have a website hosted behind WAF and Firewall (Palo Alto). The WAF already has the server valid SSL Certificate from public CA. Do we need to install SSL certificate (decryption ) on PA Firewall also for inbound traffic to make it more secure ? 


Cyber Elite
Cyber Elite



If you want to do Inbound SSL decryption for traffic coming from Internet to the server then yes you need to Import the certificate to the

PA with its private keys for SSL decryption to work.


Then you need Decryption policy on the PA for traffic coming from Internet to the server Public IP address.




Thank you for your answer , i'm asking if it will be more secure if we install same ssl certificate on PA and WAF for inbound traffic destined to published server .


If you aren't attempting to decrypt the traffic as described by @MP18, there would be no reason to install the certificate on the PAN firewalls. You only need the certificate installed on the PAN if you were doing inbound decryption.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!