SSL inbound inspection fails, error: “Server and Firewall's certificate mismatch”
Created On 01/01/26 08:49 AM - Last Modified 02/04/26 20:57 PM
Symptom
- SSL Inbound inspection rule configured.
- The HTTPS servers referenced by the rule become inaccessible to clients.
- The following log entries are seen when using these filters:
- Traffic logs: ( action eq 'allow' ) and ( subtype eq 'deny' ) and ( session_end_reason eq decrypt-error )
- Decryption logs: ( error eq 'Server and Firewall\'s certificate mismatch' )
Environment
- Palo Alto Networks firewall
- Supported PAN-OS
- SSL Inbound Inspection
Cause
- During SSL Inbound Inspection, the firewall acts as a gatekeeper and checks that the certificate the server actually presents is the one its decryption configuration expects:
- When the server responds to the ClientHello with its ServerHello and Certificate handshake messages, the firewall captures the MD5 fingerprint of the certificate the server presents.
- It compares this fingerprint against the fingerprint of the certificate referenced by the SSL Inbound Inspection (Decryption policy) rule on the firewall.
- If the fingerprints do not match, the firewall immediately terminates the session and logs the error: Server and Firewall's certificate mismatch.
- The error is usually caused by one of three things:
- Configuration error: The Decryption policy rule references the wrong certificate, or the imported certificate and private key do not belong together.
- Outdated information: The backend server recently renewed or rotated its certificate, but the firewall still holds the previous version.
- Intermediary interference: A device between the firewall and the server (such as a load balancer or reverse proxy that terminates TLS) presents its own certificate instead of the one the firewall expects.
Resolution
- Identify the exact certificate currently presented by the backend HTTPS server (including any load balancer or proxy that may terminate TLS).
- On the firewall, import the same server certificate and its matching private key used by the backend HTTPS server.
- Update the SSL Inbound Inspection rule to reference that exact certificate/key pair.
- Commit changes and re-test access.
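The checks below are an added example and are not part of this article or of PAN-OS; they use only openssl to do the two things the Cause and Resolution sections ask for: capture the certificate the backend (or the load balancer in front of it) really presents, compare its fingerprint with the certificate referenced by the rule, and confirm that the private key being imported belongs to that certificate. The host name, port, and file names are hypothetical, and the firewall-side PEM is assumed to be an export of the certificate referenced by the SSL Inbound Inspection rule. The demo data at the bottom is constructed with self-signed certificates so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Palo Alto Networks article). Verify which
# certificate a backend presents and whether it matches the firewall's copy.
# Assumes openssl is installed; host/port and file names are hypothetical.
set -eu

# Fingerprint of the certificate in a PEM file. $1 = file, $2 = md5 or sha256
# (the firewall GUI shows both forms for an imported certificate).
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint "-$2" | cut -d= -f2
}

# Capture the leaf certificate a server presents right now, exactly as the
# firewall sees it through any load balancer or proxy in the path.
# $1 = host:port, $2 = SNI name, $3 = output PEM file. Needs network access, so
# it is not called below; run by hand, for example:
#   fetch_server_cert 203.0.113.10:443 www.example.com wire.pem
fetch_server_cert() {
  openssl s_client -connect "$1" -servername "$2" </dev/null 2>/dev/null \
    | openssl x509 -outform PEM >"$3"
}

# Compare the certificate seen on the wire ($1) with the one on the firewall
# ($2) by leaf fingerprint, which is the comparison the decryption rule makes.
# Prints MATCH or MISMATCH (details on stderr) and returns 0 or 1.
compare_certs() {
  wire=$(cert_fingerprint "$1" sha256)
  fw=$(cert_fingerprint "$2" sha256)
  if [ "$wire" = "$fw" ]; then
    echo MATCH
  else
    echo MISMATCH
    printf 'server   : %s %s\n' "$wire" \
      "$(openssl x509 -in "$1" -noout -subject -enddate | tr '\n' ' ')" >&2
    printf 'firewall : %s %s\n' "$fw" \
      "$(openssl x509 -in "$2" -noout -subject -enddate | tr '\n' ' ')" >&2
    return 1
  fi
}

# Confirm that private key $2 belongs to certificate $1 by comparing the public
# key each one yields; an "invalid key-certificate pair" import is this check
# failing. Prints yes or no and returns 0 or 1.
key_matches_cert() {
  cpub=$(openssl x509 -in "$1" -noout -pubkey)
  kpub=$(openssl pkey -in "$2" -pubout)
  if [ "$cpub" = "$kpub" ]; then echo yes; else echo no; return 1; fi
}

# Constructed demo data: the key/cert pair loaded on the firewall ("fw") and a
# renewed certificate for the same name ("rotated") that the firewall never got.
make_demo_certs() {  # $1 = directory
  for n in fw rotated; do
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=www.example.com \
      -keyout "$1/$n.key" -out "$1/$n.pem" 2>/dev/null
  done
}

DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$DEMO_DIR"' EXIT
make_demo_certs "$DEMO_DIR"

# Same certificate on both sides: the rule is correct.
compare_certs "$DEMO_DIR/fw.pem" "$DEMO_DIR/fw.pem"
# Backend rotated its certificate: the "certificate mismatch" case.
compare_certs "$DEMO_DIR/rotated.pem" "$DEMO_DIR/fw.pem" || true
# Key from a different certificate: the "invalid key-certificate pair" case.
key_matches_cert "$DEMO_DIR/fw.pem" "$DEMO_DIR/rotated.key" || true
```

In practice, run fetch_server_cert against the address and SNI name the firewall forwards to, then compare_certs wire.pem with the PEM exported from the firewall; a MISMATCH whose server-side subject is the load balancer's own name points at the intermediary case, while the same subject with a later expiry date points at a rotation the firewall was not updated for. Run key_matches_cert on the certificate and key you are about to import before committing the updated rule.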