Certificates on Palo alto - Types to be installed

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Certificates on Palo alto - Types to be installed

L1 Bithead

Dear memebers,


We are going to use palo alto vm series firewall on Azure and like to take your advice on the type of certificates to be installed. The firewalls will be public facing front end by Azure application gateway.


The FW will be protecting a web site running on the background.  If my understanding is correct, I need 2 types of certificates.


  • One from Certificates from a trusted third-party CA (Go dady/Verisign) - This is for web site
  • Obtain a Certificate from an External CA - This will be from Palo alto itself for  SSL/TLS decryption 


plz advice if my understanding is correct.


Cyber Elite
Cyber Elite

you don't need the second ssl certificate as that is only required for outbound proxy inspection (and it needs to be from an internal PKI or selfsigned instead of a public one)


for inbound inspection, you need to have the server certificate (and preferably the CA/root and intermediate, to complete the certificate path)


you can use the server certificate on the firewall (WITH private key) to look inside the flow

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
  • 1 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!