Palo Alto SSL Forward Proxy Connection Reset

While setting up a Palo Alto firewall, I ran into a roadblock when attempting to configure SSL Decryption on outbound requests from clients.

Before attempting SSL decryption, clients sitting behind the Palo Alto were able to reach HTTP and HTTPS websites after I configured a Security Policy on the firewall that permitted the application categories web-browsing and ssl.

Following the documentation and watching this video helped me learn how to configure SSL Decryption using a Forward Proxy. Unfortunately, I made a mistake. See, my first Security Policy was named “Permit HTTP and HTTPS” and was configured to permit web-browsing and ssl application category traffic.

When I ran show session all, I discovered that traffic associated with a client machine was getting dropped because it matched the new (as of PAN-OS 6.1) Interzone Security Policy, which is configured by default to drop traffic.

So, make sure Security Policy #1 is named Untrusted to Trusted, with the source and destination zones set; the User field may be user or known-user. Do not specify any application categories.
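As an added illustration (not from the original post), the two rules above expressed as PAN-OS "set" CLI commands. The rule names, zone names (trust, untrust) and the use of application-default service are assumptions chosen for this example; the point is that the security rule that sits ahead of the interzone-default rule does not restrict by application, while the decryption rule applies SSL forward proxy to the same outbound traffic. Verify the exact syntax against the CLI of your PAN-OS version before committing.

```text
# Added example, not the post's own configuration.
# Assumed zone names: trust (clients) and untrust (Internet).

# Security rule that must sit above the interzone-default rule.
# No application list here: decrypted sessions are re-identified
# and would no longer match a rule limited to "ssl" and "web-browsing".
set rulebase security rules "Untrusted to Trusted" from trust to untrust
set rulebase security rules "Untrusted to Trusted" source any
set rulebase security rules "Untrusted to Trusted" destination any
set rulebase security rules "Untrusted to Trusted" source-user known-user
set rulebase security rules "Untrusted to Trusted" application any
set rulebase security rules "Untrusted to Trusted" service application-default
set rulebase security rules "Untrusted to Trusted" action allow

# Decryption rule doing SSL Forward Proxy on the same outbound traffic.
set rulebase decryption rules "Decrypt Outbound" from trust to untrust
set rulebase decryption rules "Decrypt Outbound" source any
set rulebase decryption rules "Decrypt Outbound" destination any
set rulebase decryption rules "Decrypt Outbound" category any
set rulebase decryption rules "Decrypt Outbound" action decrypt
set rulebase decryption rules "Decrypt Outbound" type ssl-forward-proxy

commit
```

After committing, re-run show session all and confirm that client sessions now report the named rule rather than interzone-default; any session still hitting interzone-default indicates traffic that none of the explicit rules matched.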