How to Import the Intermediate CA on the Firewall
Palo Alto Networks firewall can block websites if they have untrusted certificates. Some websites use certificates signed by an intermediate CA. If an intermediate CA is not trusted on the Palo Alto Networks firewall, then it just drops the packets. To avoid this situation it is important to add an intermediate certificate on the firewall.
The firewall is configured to block SSL sites with untrusted certificates.
For example, the following site is signed by an intermediate certification, hence the firewall blocks it: www.studyisland.com
- Download intermediate certificate "DigiCert SHA2 High Assurance Server CA" in PEM format.
- Login to the firewall through the WebGUI
- Go to Device > Certificates > Import > Import "Intermediate Cert" "DigiCert SHA2 High Assurance Server CA"
- Click on the certificate and check "Trusted Root CA".