A certificate to be used for Forward Trust on the Palo Alto Networks device, which is one of the following:
A self-signed/self-generated certificate for which the Certificate Authority box has been checked. Note: If using a self-signed/self-generated certificate, it is necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors.
An intermediate CA certificate installed on the Palo Alto Networks device, generated by the organization's internal CA.
A certificate to be used for Forward Untrust, which is a self-signed/self-generated certificate for which the Certificate Authority box has been checked. This certificate is NOT to be trusted by any client that receives it.
If using dynamic URL filtering with BrightCloud, be sure to enable dynamic URL filtering on all URL filtering profiles as well as globally. From configure mode on the device CLI, enter the following command:
# set deviceconfig setting url dynamic-url yes
The above command will work only if the firewall is licensed for BrightCloud URL Filtering. It does not work for PAN-DB URL filtering.
To enable the Palo Alto Networks device to inject URL filtering response pages within an HTTPS session, use the following configuration command. This command works with either BrightCloud or PAN-DB URL filtering:
# set deviceconfig setting ssl-decrypt url-proxy yes
Note: Both the commands above are only available through the CLI.
Successful completion of the setup allows the firewall to serve a URL filtering response page to client machines within an HTTPS session when the URL Filtering policy triggers it.
Caveats with Continue and Override
Today's websites serve content from many sources, so if a URL response page is served for an action of type Continue or Override, some content on the page may not render properly. This happens when content comes from a site in a category whose action is set to Block, Continue, or Override; the firewall does not present the Continue or Override page for each embedded link.
Note: After you replace a certificate to renew its expiration date, restart the dataplane or the device. This clears the expired certificate from the dataplane cache.