Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A . There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
B. A Decryption profile must be attached to the Security policy that the traffic matches.
C. A Decryption profile must be attached to the Decryption policy that the traffic matches.
D. There must be a certificate with only the Forward Trust option selected.
Answer: D
Explanation:
A certificate with only the Forward Trust option selected is required for SSL Forward Proxy decryption, which is the most common type of SSL decryption deployment1. A certificate with both the Forward Trust and Forward Untrust options selected is required for SSL Inbound Inspection decryption, which is less common2. A Decryption profile is not required before any traffic that matches an SSL decryption rule is decrypted, but it is recommended to apply one to control how the firewall handles traffic that cannot be decrypted3.
References:
1: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-forward-proxy
2: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-inbound-inspection
3: https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices
Latest PCNSE Dumps Valid Version with 280 Q&As
Latest And Valid Q&A | Instant Download | Once Fail, Full Refund