We do TLS decrypt with "block sessions from untrusted issuers" enabled. In previous major releases of PAN-OS (e.g. 4.1.x, 5.0.x, and 6.0.x), the block page that would appear when a certificate wasn't trusted would list the certificate issuer and certificate common name. In 7.0.x, those fields are blank, which can make troubleshooting a bit of a pain. For whatever reason, support was told by PAN engineering that they aren't going to fix it in 7.0.x. It led to an interesting conversation with support:

Me: "You're telling me that I need to move to the 7.1.x branch, but in the same breath you are telling me that 7.0.8 is the version that PAN recommends."

Support: "Yes."