Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.


Created On 02/18/22 03:54 AM - Last Modified 12/14/23 03:21 AM


Symptom


  • During Commit, "forward decrypt untrust cert is not configured" is displayed

vsys1
Warning: vsys1 decryption: forward decrypt untrust cert is not configured, forward decrypt trust cert will be used instead.
(Module: device)


Environment


  • Palo Alto Firewalls
  • PAN-OS 9.1 and above
  • SSL forward proxy decryption.


Cause


  • A "Forward Untrust Certificate" is not configured on the firewall.
  • In this case, the firewall falls back to the certificate marked as "Forward Trust Certificate" for all forward proxy sessions, including those where the server's certificate is untrusted.
[Image: CertificateForward.PNG]


Resolution


  1. Import or generate a certificate on the firewall and mark it as Forward Untrust Certificate:
GUI: Device > Certificate Management > Certificates > Generate:
[Image: Forward_untrust.PNG]
  • As a best practice, it is recommended to have a separate Forward Untrust Certificate on the firewall.
  • The firewall presents this certificate to clients during decryption when the site the client is attempting to connect to has a certificate signed by a CA that the firewall does not trust.
  • This lets the client know that the website in question is not trusted or safe.
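To illustrate why the fallback in this warning matters, the following Python model (an added example using the `cryptography` library, not code from this article or from PAN-OS) stands a constructed self-signed CA in for each firewall certificate and shows what a client that trusts only the Forward Trust CA concludes when the upstream site's certificate is untrusted. The CA names, hostname and one-day validity are constructed values.

```python
from datetime import datetime, timedelta, timezone
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.exceptions import InvalidSignature

def _builder(subject, issuer, pubkey, is_ca):
    # Shared builder; the one-day validity is a constructed test value.
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))

def make_ca(common_name):
    """Constructed self-signed CA standing in for a Forward Trust or Forward Untrust certificate."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return key, _builder(name, name, key.public_key(), True).sign(key, hashes.SHA256())

def issue_proxy_cert(ca_key, ca_cert, hostname):
    """The impersonation certificate the proxy presents to the client for hostname."""
    leaf_key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, hostname)])
    return _builder(name, ca_cert.subject, leaf_key.public_key(), False).sign(ca_key, hashes.SHA256())

def pick_signing_ca(upstream_trusted, trust_ca, untrust_ca):
    # Models the warning: with no untrust cert configured, the trust cert is used for everything.
    return trust_ca if (upstream_trusted or untrust_ca is None) else untrust_ca

def client_accepts(leaf, trusted_cas):
    """Client-side check: the issuer must be in the trust store and the signature must verify."""
    for ca in trusted_cas:
        if leaf.issuer == ca.subject:
            try:
                ca.public_key().verify(leaf.signature, leaf.tbs_certificate_bytes,
                                       ec.ECDSA(leaf.signature_hash_algorithm))
                return True
            except InvalidSignature:
                pass
    return False

def simulate(untrust_configured, upstream_trusted=False):
    """True if a client that trusts only the Forward Trust CA accepts the proxy certificate."""
    trust = make_ca("Forward Trust CA")
    untrust = make_ca("Forward Untrust CA") if untrust_configured else None
    ca_key, ca_cert = pick_signing_ca(upstream_trusted, trust, untrust)
    leaf = issue_proxy_cert(ca_key, ca_cert, "untrusted-site.example")
    return client_accepts(leaf, [trust[1]])
```

With an untrust certificate configured, a site the firewall does not trust yields a browser warning at the client; without it, the same site is accepted silently.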

