SSL Decryption will not work or take effect under the following scenarios:
Limitations
Forward proxy decryption does not work with mutual authentication.
The server expects a user certificate to be presented during the handshake, and the Palo Alto Networks firewall does not have access to the user's private key and certificate, so it cannot complete the handshake on the user's behalf.
The content cannot be decrypted when unsupported protocols or ciphers are used.
TLS 1.2 cannot be decrypted before PAN-OS 6.0, and TLS 1.3 cannot be decrypted before PAN-OS 10.0.
Before PAN-OS 6.0, TLS 1.2 sessions were downgraded to TLS 1.1.
The following cipher suites are not supported for decryption: AES128-GCM-SHA256
Note: AES128-GCM-SHA256 is supported in PAN-OS 7.1 and above.
Firewalls do not decrypt sessions where Diffie-Hellman key exchange is used for Forward Proxy Decryption in PAN-OS 7.1 and earlier releases.
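The limitations above can be checked mechanically against a captured ServerHello. The following Python is an added example, not Palo Alto Networks code: it parses a ServerHello record and reports whether the session could be decrypted on a given PAN-OS release under the rules listed here. The small cipher-suite table, the PAN-OS version tuples and the build_server_hello fixture are constructed for illustration.

```python
# Cipher suites used in the example: IANA code -> (OpenSSL name, key exchange).
SUITES = {
    0x009C: ("AES128-GCM-SHA256", "RSA"),
    0x009E: ("DHE-RSA-AES128-GCM-SHA256", "DHE"),
    0xC02F: ("ECDHE-RSA-AES128-GCM-SHA256", "ECDHE"),
    0x1301: ("TLS_AES_128_GCM_SHA256", "TLS1.3"),
}

def parse_server_hello(record):
    """Return (negotiated_version, cipher_suite) from a raw TLS ServerHello record."""
    if record[0] != 0x16 or record[5] != 0x02:
        raise ValueError("not a ServerHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    version = int.from_bytes(body[:2], "big")            # legacy_version field
    pos = 34 + 1 + body[34]                               # skip random + session_id
    suite, pos = int.from_bytes(body[pos:pos + 2], "big"), pos + 3  # suite + compression
    if pos < len(body):                                   # extensions block present
        pos, end = pos + 2, pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        while pos + 4 <= end:
            etype = int.from_bytes(body[pos:pos + 2], "big")
            elen = int.from_bytes(body[pos + 2:pos + 4], "big")
            if etype == 0x002B:   # supported_versions: TLS 1.3 servers select 0x0304 here
                version = int.from_bytes(body[pos + 4:pos + 6], "big")
            pos += 4 + elen
    return version, suite

def decryptable(record, panos, client_cert_requested=False):
    """Apply the article's limitations for a PAN-OS version tuple such as (7, 1)."""
    if client_cert_requested:
        return False, "mutual authentication: firewall has no access to the user's private key"
    version, suite = parse_server_hello(record)
    name, kx = SUITES.get(suite, (f"0x{suite:04X}", None))
    if kx is None:
        return False, f"unsupported cipher suite {name}"
    if version == 0x0304 and panos < (10, 0):
        return False, "TLS 1.3 requires PAN-OS 10.0 or later"
    if version == 0x0303 and panos < (6, 0):
        return False, "TLS 1.2 requires PAN-OS 6.0 or later"
    if kx in ("DHE", "ECDHE") and panos <= (7, 1):
        return False, f"{kx} key exchange is not decrypted on PAN-OS 7.1 or earlier"
    if name == "AES128-GCM-SHA256" and panos < (7, 1):
        return False, "AES128-GCM-SHA256 requires PAN-OS 7.1 or later"
    return True, f"{name} on TLS 1.{(version & 0xFF) - 1} is decryptable"

def build_server_hello(version, suite, extensions=b""):
    """Constructed ServerHello fixture (not captured traffic) for testing."""
    body = version.to_bytes(2, "big") + bytes(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    body += (len(extensions).to_bytes(2, "big") + extensions) if extensions else b""
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + len(hs).to_bytes(2, "big") + hs
```

A CertificateRequest in the server's first flight is what sets client_cert_requested; in TLS 1.2 it is sent in the clear, so a capture shows it directly.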
Recommendations
If there is an enterprise CA in place, use it, since clients already trust it.
Enable SSL Decryption for a small group of users or a single subnet
Always use URL categories to decrypt selective content, such as social-networking.
In some countries, certain connections cannot be decrypted due to the law, so use URL categories to exclude sensitive categories.