Access a specific site fails with certificate error when SSL forward proxy is enabled


Created On 05/04/22 09:16 AM - Last Modified 12/15/22 23:14 PM


Symptom


  • The user's traffic is subject to SSL decryption by the SSL forward proxy.
  • A specific site is inaccessible when its traffic is subject to SSL decryption, and the browser displays a certificate error (screenshot: browser error).
  • The decryption logs show the corresponding error (screenshot: decryption log showing untrusted CA).
 
 


Environment


  • Prisma Access Mobile Users
  • Prisma Access Remote Networks
  • Palo Alto Strata next generation firewall (NGFW) running PanOS 10.0 or above


Cause


  • The cause is an invalid or missing root CA or intermediate CA certificate in the chain supplied by the site in question.
  • The SSL forward proxy has an SSL decryption profile associated with it in which "Block sessions with untrusted issuers" is checked.
  • This option causes the SSL forward proxy to check whether the issuer of the server certificate is trusted.
  • If the issuer is not in the trusted CA list, or the issuing CA certificate is not supplied by the server, access is blocked.
  • If the site is accessed from another client without SSL inspection, the certificate chain supplied by the server can be inspected.
  • For this site, the server supplied no root CA certificate.
 


Resolution


  1. This is not an issue with Prisma Access or the Palo Alto NGFW.
  2. Contact the site administrator and request that they fix the server issue and supply a valid CA certificate.
  3. If the site is trusted anyway, there are two options available.
  4. Create a custom URL category for this site only and exclude it from SSL forward proxy decryption.
  5. Alternatively, create a custom URL category for this site only and attach a separate SSL decryption profile with "Block sessions with untrusted issuers" unchecked.

Exclude a Server from Decryption for Technical Reasons



Additional Information


  • For additional details, perform a packet capture on the client machine when the site is accessed both without and with the SSL forward proxy.
  • The capture without the SSL forward proxy shows the Server Hello and the Certificate message returned by the server, which can be used to validate exactly which certificates the server is sending.
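The following is an added example, not part of the KB article: it reproduces the "untrusted issuer" decision offline with OpenSSL by building a constructed root CA, intermediate CA and server certificate (names such as "Example Root CA" and www.example.test are constructed), then checking whether the certificates a server sends (full chain versus leaf only, the misconfiguration described above) build a path to the trusted root.

```shell
#!/bin/sh
# Added example (not from the KB article): reproduce the "untrusted issuer" check
# offline. All names (Example Root CA, www.example.test) are constructed.
set -e
WORK=$(mktemp -d)

# Extensions for CA certificates and for the server leaf.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

# csr NAME SUBJECT: generate a new key and CSR in $WORK.
csr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
          -out "$WORK/$1.csr" -subj "$2" 2>/dev/null; }

# Root CA (self-signed), intermediate CA (signed by root), server leaf (signed by intermediate).
csr root "/CN=Example Root CA"
openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
  -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null
csr int "/CN=Example Intermediate CA"
openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -set_serial 2 -days 30 -extfile "$WORK/ca.ext" -out "$WORK/int.pem" 2>/dev/null
csr leaf "/CN=www.example.test"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
  -set_serial 3 -days 30 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

# Two possible server handshakes: a complete chain, and the misconfiguration in
# the article (server sends only its own certificate, no issuing CA).
cat "$WORK/leaf.pem" "$WORK/int.pem" > "$WORK/server_full.pem"
cp  "$WORK/leaf.pem"                  "$WORK/server_leaf_only.pem"

# check_chain BUNDLE: returns 0 if the certificates the server sent build a path to
# the trusted root, the same decision "Block sessions with untrusted issuers" makes.
check_chain() {
  openssl verify -no-CApath -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1
}

for bundle in server_full server_leaf_only; do
  if check_chain "$WORK/$bundle.pem"; then echo "$bundle: chain OK, session allowed"
  else echo "$bundle: untrusted issuer, session would be blocked"; fi
done
```

Pointing `-untrusted` at the certificates extracted from a packet capture taken without the forward proxy gives the same verdict the firewall reaches for a real server.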

