From what I see, the servers have both chains. Palo Alto behavior is one of the following: 1 - It checks if any is expired on the server and blocks, no matter if one is good. 2 - It only checks the first one (expired) and doesn't even check the second one. I agree with you that it should be fixed, but it looks like it's more a code change than a certificate chain issue. The article that you posted previously shows that clearly on option 2. Was someone able to reboot the firewall just to validate if it's not a cache or something like that?