Without seeing the certificate details, I can point out that there is an inherent issue with SSL decryption in that what you are doing technically is performing a Man-in-the-Middle attack, replacing the site's real certificate with one being supplied by the firewall. The first question is: did you supply a certificate with re-signing capabilities to the Palo Alto firewall for SSL decryption, or are you using a self-signed certificate? In either case, the clients need to be able to trust the self-signed cert or the cert's provider as a trusted root CA to avoid errors. What's happening is the PA is regenerating a new cert to present to the end user's browsers which claims to be from the website, but the browser needs to be able to trust the entire chain of the cert so that someone else without authority didn't create a false certificate on behalf of the server. I'm not sure if that's making sense, but if there is a warning that there is a problem with the site's certificate, that is why.

Also, there are varying levels of SSL certificates; the most trusted will change the address bar to green (depending on the browser). There isn't much you can do about that.
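The chain-of-trust behaviour described in the reply above can be reproduced in a lab with the `openssl` CLI. This is an added example, not part of the original post and not Palo Alto configuration: it builds a throwaway CA standing in for the firewall's decryption certificate, has it sign a certificate for a site name, and checks that certificate against a trust store with and without that CA. All names (`demo-fw-ca`, `demo-other-root`, `www.example.test`) are constructed, and the script assumes a stock `openssl.cnf` so that self-signed roots are marked as CAs.

```shell
#!/usr/bin/env bash
# Constructed lab PKI: every name here (demo-fw-ca, demo-other-root,
# www.example.test) is invented for the demonstration.
workdir=$(mktemp -d)

new_root() {  # $1 = file prefix, $2 = CN; self-signed root (stock openssl.cnf marks it CA:TRUE)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$workdir/$1.key" -out "$workdir/$1.pem" 2>/dev/null
}

build_demo_pki() {
  new_root fw-ca demo-fw-ca            # stands in for the firewall's re-signing CA
  new_root other-root demo-other-root  # stands in for a client trust store lacking that CA
  # The certificate the firewall generates on the fly, claiming to be the site.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
    -keyout "$workdir/leaf.key" -out "$workdir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$workdir/leaf.csr" -days 1 \
    -CA "$workdir/fw-ca.pem" -CAkey "$workdir/fw-ca.key" -CAcreateserial \
    -out "$workdir/leaf.pem" 2>/dev/null
}

client_verdict() {  # $1 = trust store PEM, $2 = certificate presented to the client
  # -no-CApath keeps the system store out of the decision; only $1 is trusted.
  if openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

# The issuer field is what a user sees when inspecting the warning in the browser.
issuer_of() { openssl x509 -in "$1" -noout -issuer; }

build_demo_pki
echo "issuer seen by the browser: $(issuer_of "$workdir/leaf.pem")"
echo "client without firewall CA: $(client_verdict "$workdir/other-root.pem" "$workdir/leaf.pem")"
echo "client with firewall CA:    $(client_verdict "$workdir/fw-ca.pem" "$workdir/leaf.pem")"
```

On a real client, the same issuer check on the certificate shown in the browser warning tells you whether the error comes from the firewall's CA not being in the trusted root store.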