Does the PA firwall need to have a trusted certificate for the controller?
Is that why PAN still shows in a DOWN state.
(Aruba-local) #show pan state
Palo Alto Networks Servers Connection State[PA5050demo]
Firewall State
###.##.###.###:443 DOWN[03/06/18 15:49:15]