It shouldn't be too difficult and you have a couple of options.
1. If you are already using the Microsoft CA and the certificates generated by this are trusted by your users, create a new certificate on this server for the Firewall to use, export it and import it into the Firewall using the Maintenance -> Certificate/Key Management screen, placing it in the "Firewall Certificates" section. You may also need to export the Microsoft CA certificate and import it into the Firewall's "Certificate Authorities" tab on the same GUI screen.
Once the certs have been imported, you should then be able to edit your SSL rules and select the new certificate for the Firewall to use when decrypting and re-encrypting traffic. Because the certificate has been signed by a CA the users already trust, the notification message should disappear.
2. Export the Firewall's "Default_SSL_Cert" and import it into your users' browsers - either by providing instructions to perform it manually or deploying it automatically via group policy or Active Directory.
Either method should address your situation.
First, many thanks for your quick response.
Really, I tried these solutions before, but the first one didn't work. Where can I put the certificate in the SSL rule? I didn't find any tab where I can use the certificate.
About the second solution, our policy can't allow it because we have a lot of users, and that will create load on our network and Active Directory.
If you have any document that can show me the steps, please send it to me.
Sorry I've never actually done this myself, so I don't have a document.
In the actual SSL rule you have the means of selecting the certificate to be used, and it is here you will find the "Default_SSL_CA" being used by the Firewall.
Once you have uploaded a trusted certificate to the Firewall's certificate store, you should then be able to use this certificate instead of the default.
If you don't have the means of being able to deploy the certificate from a central resource then your only other option is to provide instructions to the users so that they can import the certificate manually into their certificate store.
Unfortunately this is the one handicap of using SSL rules. Because the Firewall has to break the SSL connection in order to be able to inspect the content, the original certificate is now "used", and as such, it needs to use a fresh certificate to perform the re-encryption.
I may be wrong, but the field I think you should be using is the one below "Local CA used to sign server cert:".
If that doesn't work then I'd recommend that you give McAfee support a try.
Many thanks for your effort. As I told you before, there are no more certificates in the Local CA location, only the default certificate.
Really, I appreciate your serious support, and I will try to send it to McAfee support.