To configure SSL Forward Proxy, two types of certificates can be used:

Enterprise CA-signed certificates: These certificates are issued by a Certificate Authority (CA) within the organization, ensuring trust within the enterprise environment.

Self-Signed certificates: These are generated and signed by the firewall itself. While easier to deploy, they may not be trusted by external clients unless explicitly added to their trust stores.

Both types of certificates allow the firewall to decrypt and inspect SSL/TLS traffic, ensuring that malicious traffic can be detected and blocked even when encrypted.

References: Palo Alto Networks SSL Decryption documentation.