When the Palo Alto Networks device is configured to decrypt outbound traffic, iOS devices are unable to connect to the iTunes and App Store directly from their applications, even if the certificate used for decryption has been imported into the device and works for regular browsing.
The error returned on the iPhone or iPad is "Cannot connect to the iTunes Store."
Cause
The App Store and iTunes applications expect the server certificate to be signed by Apple and close the connection if it is signed by a different CA, so a certificate issued by the firewall's decryption CA is rejected even though the device trusts it for regular browsing.
Resolution
Configure a custom URL Category that contains all known FQDNs related to the iTunes and App Store (wildcards can be used).
Note: For iOS 8 and later, also add "*.mzstatic.com" to the above list.
Add a Decryption policy to bypass decryption based on the custom URL category just created.
Note: While "itunes.apple.com" and "*.itunes.apple.com" should be enough to catch all iTunes and App Store related sites, others have been reported. The list might be incomplete and/or change over time.
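To check that the hostnames actually seen in decryption logs would fall under the bypass category before relying on it, here is an added Python example (not from the original article or from Palo Alto Networks). It assumes that a "*." entry matches only subdomains and not the bare domain, which is why the article lists both forms; the category name and the sample hostnames are constructed.

```python
# Added example: check which observed hostnames a custom URL category covers.
# Hypothetical category name; the three entries are the ones named in the article.
ITUNES_BYPASS_CATEGORY = [
    "itunes.apple.com",
    "*.itunes.apple.com",
    "*.mzstatic.com",  # added for iOS 8 and later
]


def matches_entry(hostname, entry):
    """True if hostname matches one category entry.

    Assumed semantics: "*." matches one or more leading labels but not the
    bare domain; a plain FQDN matches only itself. Comparison is
    case-insensitive and ignores a trailing dot. Only the hostname is
    considered, not the URL path.
    """
    host = hostname.lower().rstrip(".")
    entry = entry.lower().rstrip(".")
    if entry.startswith("*."):
        suffix = entry[1:]  # e.g. ".itunes.apple.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def is_bypassed(hostname, category=ITUNES_BYPASS_CATEGORY):
    """True if the decryption bypass rule would apply to this hostname."""
    return any(matches_entry(hostname, e) for e in category)


def still_decrypted(hostnames, category=ITUNES_BYPASS_CATEGORY):
    """Hostnames from the logs that the category does not cover; these are
    candidates to add to the list when the App Store still fails."""
    return sorted({h.lower().rstrip(".") for h in hostnames
                   if not is_bypassed(h, category)})


# Constructed sample of SNI hostnames as they might appear in decryption logs.
SAMPLE_SNI = [
    "itunes.apple.com",
    "ITUNES.APPLE.COM.",
    "init.itunes.apple.com",
    "p23-buy.itunes.apple.com",
    "a1.mzstatic.com",
    "mzstatic.com",        # bare domain: not matched by "*.mzstatic.com"
    "store.example.net",   # constructed, unrelated hostname
]

if __name__ == "__main__":
    print("not covered by the bypass category:", still_decrypted(SAMPLE_SNI))
```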