SSL (https) is not only used to keep traffic secure from sniffing / routing errors on the internet but also a way for malware (spyware, viruses and stuff) to avoid being detected by an antivirus engine (until it reaches the victim), since the traffic is encrypted when it passes the firewall. When you enable forward decryption the PAN unit will act as a man in the middle by decrypting the SSL session, investigating the traffic (being able to find out which app is used, scan for vulns, scan for viruses, scan for spyware etc.) and then encrypting it again and sending it to the client (if the policy says to allow the traffic). In order to do this silently the client must have the ca.crt which the PAN unit will use to encrypt the SSL between itself and the client (otherwise the client will get an error that the cert is issued by a CA which is not trusted). If you want to protect your net you can enable forward decryption for all outbound traffic (NOTE: do NOT enable it for the PAN unit itself, otherwise the management plane will become unstable 😃), which means that SSL stuff that cannot deal with a custom ca.crt will simply be blocked (that is, block traffic that you cannot inspect, but this depends on the usage of the PAN unit and company policy surrounding the nets involved). The downside is that this MITM doesn't work if the client has already stored the cert which the server will use (since the certs will no longer match). This is the case for Windows Update for example, which means that you need to set up an "app: ms-update" + destination of Windows Update servers as a "no decrypt" rule before your "forward decrypt" rule in the SSL Decryption settings.
Example:

rule1: from trust to untrust, source: any, destination: *.windowsupdate.com (etc), app: ms-update, action: nodecrypt
rule2: from trust to untrust, source: any, destination: any, app: any, action: forward decrypt

In the above case you must decide if you want to allow traffic from Windows Update servers to be unscanned (but allowed for the client) or block this traffic altogether (by simply deleting/disabling "rule1" above).
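The ordering point in the post (the no-decrypt exception has to sit above the catch-all forward-decrypt rule, because the first matching rule wins) is easy to get wrong when a rulebase grows. The following is an added example, not code from the post or from Palo Alto Networks: a small first-match model of a decryption rulebase with a check that flags exception rules shadowed by an earlier, broader decrypt rule. Rule names, zone names and the field layout are the post's; the matching semantics (wildcard hostnames, "any" as a match-all, traffic matching no rule left undecrypted) are assumptions of this model, not a statement about how any product evaluates its policy.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class DecryptRule:
    """One row of the decryption rulebase, in the post's field order."""
    name: str
    src_zone: str
    dst_zone: str
    source: str       # "any" or an address/pattern
    destination: str  # "any" or a hostname pattern such as "*.windowsupdate.com"
    app: str          # "any" or an application id such as "ms-update"
    action: str       # "no-decrypt" or "forward-decrypt"


@dataclass(frozen=True)
class Flow:
    """A single session as the firewall sees it (destination is the TLS SNI / hostname)."""
    src_zone: str
    dst_zone: str
    source: str
    destination: str
    app: str


def _field_matches(pattern: str, value: str) -> bool:
    # "any" matches everything; otherwise shell-style wildcard match (assumed semantics)
    return pattern == "any" or fnmatch(value, pattern)


def rule_matches(rule: DecryptRule, flow: Flow) -> bool:
    return (
        rule.src_zone == flow.src_zone
        and rule.dst_zone == flow.dst_zone
        and _field_matches(rule.source, flow.source)
        and _field_matches(rule.destination, flow.destination)
        and _field_matches(rule.app, flow.app)
    )


def evaluate(rules: List[DecryptRule], flow: Flow) -> Tuple[Optional[str], str]:
    """First-match evaluation: returns (rule name, action); unmatched traffic is left undecrypted (assumed default)."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return None, "no-decrypt"


def _covers(broad: str, narrow: str) -> bool:
    # A field covers another if it is "any" or literally the same pattern
    return broad == "any" or broad == narrow


def shadowed_exceptions(rules: List[DecryptRule]) -> List[Tuple[str, str]]:
    """Return (exception, shadowing_rule) pairs: no-decrypt rules that can never match
    because an earlier decrypt rule already covers every field of the exception."""
    found = []
    for i, exc in enumerate(rules):
        if exc.action != "no-decrypt":
            continue
        for earlier in rules[:i]:
            if earlier.action == "no-decrypt":
                continue
            if (earlier.src_zone == exc.src_zone and earlier.dst_zone == exc.dst_zone
                    and _covers(earlier.source, exc.source)
                    and _covers(earlier.destination, exc.destination)
                    and _covers(earlier.app, exc.app)):
                found.append((exc.name, earlier.name))
                break
    return found


# Constructed rulebase mirroring the post's rule1 / rule2
RULE1 = DecryptRule("rule1", "trust", "untrust", "any", "*.windowsupdate.com", "ms-update", "no-decrypt")
RULE2 = DecryptRule("rule2", "trust", "untrust", "any", "any", "any", "forward-decrypt")
CORRECT_ORDER = [RULE1, RULE2]
WRONG_ORDER = [RULE2, RULE1]

# Constructed sample flows
WU_FLOW = Flow("trust", "untrust", "10.0.0.5", "download.windowsupdate.com", "ms-update")
WEB_FLOW = Flow("trust", "untrust", "10.0.0.5", "www.example.com", "web-browsing")

if __name__ == "__main__":
    for order, label in ((CORRECT_ORDER, "correct"), (WRONG_ORDER, "wrong")):
        print(label, "order:", evaluate(order, WU_FLOW), evaluate(order, WEB_FLOW),
              "shadowed:", shadowed_exceptions(order))
```

With the post's ordering, Windows Update traffic hits rule1 and is passed through undecrypted while everything else hits rule2 and is decrypted; swap the two rows and the check reports rule1 as shadowed by rule2, which is exactly the misconfiguration that makes pinned-certificate clients fail.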