When the Palo Alto Networks firewall is configured to decrypt SSL traffic destined for external sites, it functions as a forward proxy. In this scenario the firewall intercepts the client's SSL request and generates a certificate on the fly for the site the client is visiting. The resulting secure connection is therefore between the client's computer and the firewall, not between the client and the destination server.
To complete the process, the firewall then initiates a second secure channel to the actual server. This arrangement is a "man in the middle": the firewall sits between two separate secure connections and can inspect the traffic in the clear.
There are a few key points to be aware of when implementing SSL Forward Proxy:
The validity dates (Not Before and Not After) on the firewall-generated certificate are taken from the real server certificate.
The issuer of the firewall-generated certificate is the firewall's own CA certificate. If that CA certificate is not part of a hierarchy the clients already trust, and has not been installed in the client's trusted root certificate store, the client will receive a certificate warning when browsing to the secure site.
If the actual server certificate was issued by an authority the firewall does not trust, the firewall signs the generated certificate with a second, untrusted CA key that is deliberately not distributed to clients. The client therefore still sees a certificate warning, so decryption does not mask an untrusted or forged server certificate, such as one presented by another man in the middle upstream of the firewall.
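The three key points above can be modelled end to end with the Go standard library. The following is an added example written for this page, not Palo Alto Networks code: it constructs a stand-in public root CA, the two signing CAs the firewall uses (PAN-OS calls these the Forward Trust and Forward Untrust certificates), and a certificate for www.example.com that is either issued by the public root or self-signed. MintProxyCert performs the proxy step: verify the real server chain against the roots the firewall trusts, then re-issue a certificate for the same name with the validity dates copied from the real certificate, signed by Forward Trust when the chain verified and by Forward Untrust when it did not. ClientAccepts plays the browser, whose store holds the public root and the deployed Forward Trust CA but never Forward Untrust. All CA names, hostnames and validity windows are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a signing certificate plus its private key (constructed test material, not a real CA).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// signed issues tmpl for public key pub, signed by parent's key priv (parent == tmpl self-signs).
func signed(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv))))
}

// NewCA creates a self-signed CA valid for ten years.
func NewCA(cn string) CA {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return CA{signed(tmpl, tmpl, &key.PublicKey, key), key}
}

// leaf builds a server-auth template for host with the given validity window.
func leaf(host string, notBefore, notAfter time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// MintProxyCert models the forward-proxy step: verify the real server certificate against the
// firewall's trusted roots, then re-issue a certificate for the same name with NotBefore/NotAfter
// copied from the real one, signed by Forward Trust if the chain verified, else by Forward Untrust.
func MintProxyCert(server *x509.Certificate, fwRoots *x509.CertPool, trust, untrust CA, proxyPub *ecdsa.PublicKey) (*x509.Certificate, bool) {
	_, err := server.Verify(x509.VerifyOptions{Roots: fwRoots, DNSName: server.DNSNames[0]})
	trusted := err == nil
	issuer := untrust
	if trusted {
		issuer = trust
	}
	return signed(leaf(server.DNSNames[0], server.NotBefore, server.NotAfter), issuer.Cert, proxyPub, issuer.Key), trusted
}

// ClientAccepts models the browser: it verifies the proxy certificate against its own trust store.
func ClientAccepts(proxyCert *x509.Certificate, clientRoots *x509.CertPool, host string) bool {
	_, err := proxyCert.Verify(x509.VerifyOptions{Roots: clientRoots, DNSName: host})
	return err == nil
}

// RunScenario builds a public root, the two firewall CAs and a cert for www.example.com (issued by
// the public root, or self-signed), runs the decryption flow, and reports whether Forward Trust
// signed the proxy cert, whether the client accepts it, and whether its validity dates were copied.
func RunScenario(serverSelfSigned bool) (signedByTrust, clientAccepts, validityCopied bool) {
	const host = "www.example.com"
	publicRoot, trust, untrust := NewCA("Example Public Root"), NewCA("Forward Trust CA"), NewCA("Forward Untrust CA")
	serverKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := leaf(host, time.Now().Add(-24*time.Hour), time.Now().Add(30*24*time.Hour)) // real server cert, 30 days
	parent, signer := publicRoot.Cert, publicRoot.Key                                    // issued by the public CA...
	if serverSelfSigned {
		parent, signer = tmpl, serverKey // ...or self-signed, which the firewall does not trust
	}
	server := signed(tmpl, parent, &serverKey.PublicKey, signer)
	fwRoots := x509.NewCertPool() // roots the firewall trusts
	fwRoots.AddCert(publicRoot.Cert)
	clientRoots := x509.NewCertPool() // roots the browser trusts: the public root plus the deployed Forward Trust CA
	clientRoots.AddCert(publicRoot.Cert)
	clientRoots.AddCert(trust.Cert)
	proxyKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	proxyCert, signedByTrust := MintProxyCert(server, fwRoots, trust, untrust, &proxyKey.PublicKey)
	clientAccepts = ClientAccepts(proxyCert, clientRoots, host)
	validityCopied = proxyCert.NotBefore.Equal(server.NotBefore) && proxyCert.NotAfter.Equal(server.NotAfter)
	return signedByTrust, clientAccepts, validityCopied
}

func main() {
	fmt.Println(RunScenario(false)) // true true true
	fmt.Println(RunScenario(true))  // false false true
}
```

Running it shows the two outcomes that matter operationally: with a server certificate that chains to a root the firewall trusts, the proxy certificate is signed by Forward Trust and the client accepts it silently; with a self-signed server certificate, the proxy certificate is signed by Forward Untrust and the client warns, exactly as it would have without decryption. In both cases the validity window is the real certificate's, so an expired upstream certificate still shows as expired to the user.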