Many customers need to configure Palo Alto firewalls with a SSL Forward Proxy decryption policy to decrypt and inspect SSL/TLS traffic from internal users to the web.
Within the manuals, the primary document for setting this up on PANOS 6, including self-signed CA certificate generation, is here:
There is limited SSH and SSHv2 decryption. The firewall is able to distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic can be blocked and restricted according to configured security policies.