This is not exactly correct. Depending on your GW TLS inspection settings, you can block sites with untrusted certificates. GW is performing certificate validation here, so security risks are manageable. 

Also, GW own CA or GODaddy, the concerns are exactly the same.

You are correct of course, but in the context of OP's question (use a public CA certificate as opposed to internal self-signed in order to prevent SSL errors on the client side browser) I believe my statement stands.

Not really. Part of the procedure for outbound HTTPS Inspection is to distribute your GW CA root to the clients and set it as trusted. Hence, when done, all sites will be showing trusted on the client's end, as they are signed by the trusted root.

Sure - but neither OP nor myself are referring to the GW's CA certificate - their question relates to getting a CA signing certificate from a Public CA such as GoDaddy, Verisign etc. to get around the requirement of having to distributing the CA to the client.

If they were to allow that, the whole chain of trust collapses.

OK, I see your point, and I do agree with that. The way I read the original question was "can I use a third-party CA for outbound HTTPSi", and the answer is yes. 

Hello, 
i think the question is more ...
would a Public CA would grant you to run a SUB CA of their Root CA on your enviroment?

if you have a  SUB CA of example Verisign, you could act as a Verisign CA and create certificates as much as u like ... i bet those folks at Verisign will not like it that much!

🙂

Very true. Hence the best practice is to use your organization/AD CA, if you need to deploy trusted certs for HTTPSi.