Install an internal CA on client machines
To decrypt outbound traffic, the Firewall Threat Defense acts as a man-in-the-middle: it decrypts the traffic (and subjects it to deep inspection if you choose), then re-encrypts it toward the client using a copy of the server certificate that has been re-signed by a different, internal CA. When the re-encrypted traffic reaches the client, the client must trust that internal CA; otherwise users see certificate errors in their browsers.
For example, the error might be:
www.example.com uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown
To avoid this, import the internal CA certificate as a trusted root on your client machines (typically pushed out centrally using network policies). Note that applications that keep their own trust store rather than using the operating system's (for example, Firefox in its default configuration, or Java) need the CA imported separately. For more information, consult a resource such as:
- Windows: Distribute Certificates to Client Computers by Using Group Policy
- macOS: Use a third-party tool equivalent to a Windows Group Policy Object (GPO). Consult the documentation provided with your system for more information.
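The following script is an added example, not part of the Cisco documentation and not the product's own tooling. It reproduces the situation described above with a throw-away internal CA built with OpenSSL: the CA re-signs a certificate for www.example.com (standing in for what the firewall hands to the client), and the certificate is then verified once with no trust anchors (a client that has not received the CA) and once with the internal CA as a trust anchor. The CA name "DemoInternalCA", the temporary directory layout, and the function names are assumptions made for this example. The per-platform install commands in the comments are the real operating-system commands for importing a root CA but are not executed here.

```shell
#!/bin/sh
# Added example (not from the Cisco documentation): simulate the re-signed
# certificate chain produced by decryption and show why a client that does
# not trust the internal CA rejects it. All names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The internal CA the firewall uses to re-sign server certificates.
#    "openssl req -x509" issues a self-signed CA certificate (CA:TRUE).
make_internal_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=DemoInternalCA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. A re-signed leaf certificate carrying the real server name, issued by
#    the internal CA. This is what the browser sees after decryption.
make_resigned_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=www.example.com" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    printf 'subjectAltName=DNS:www.example.com\nextendedKeyUsage=serverAuth\n' \
        > "$WORK/leaf.ext"
    openssl x509 -req -in "$WORK/leaf.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 30 -sha256 -extfile "$WORK/leaf.ext" \
        -out "$WORK/leaf.crt" 2>/dev/null
}

# 3. Verify the leaf the way a browser would, for the hostname it connects to.
#    Argument: "with-ca" (internal CA installed as trust anchor) or
#    "without-ca" (no trust anchors at all, not even the system store).
#    Prints "trusted" or "untrusted".
verify_leaf() {
    if [ "$1" = "with-ca" ]; then
        set -- -CAfile "$WORK/ca.crt"
    else
        set -- -no-CAfile -no-CApath
    fi
    if openssl verify "$@" -verify_hostname www.example.com \
            "$WORK/leaf.crt" >/dev/null 2>&1; then
        echo trusted
    else
        # openssl reports "unable to get local issuer certificate", the
        # same condition the browser shows as "issuer certificate is unknown".
        echo untrusted
    fi
}

# For reference only (not run here), the commands that install ca.crt as a
# trusted root on real clients, which is what the GPO or MDM policy does:
#   Windows (elevated): certutil -addstore -f Root ca.crt
#   macOS (sudo):       security add-trusted-cert -d -r trustRoot \
#                         -k /Library/Keychains/System.keychain ca.crt
#   Debian/Ubuntu:      cp ca.crt /usr/local/share/ca-certificates/internal-ca.crt
#                       update-ca-certificates

main() {
    make_internal_ca
    make_resigned_leaf
    echo "client without the internal CA: $(verify_leaf without-ca)"
    echo "client with the internal CA:    $(verify_leaf with-ca)"
}
main
```

The `-no-CAfile -no-CApath` pair makes the "untrusted" case deterministic by ignoring the system trust store as well; without it, the result would still be "untrusted" on a clean client, but it would depend on what the host already trusts. The flags used (`-verify_hostname`, `-no-CAfile`) require OpenSSL 1.1.0 or later.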