Practice PCNSE Decryption and SSL Inspection questions with full explanations on every answer.
1. An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?
2. Which THREE statements are true regarding SSL Forward Proxy decryption on Palo Alto Networks firewalls?
3. You are a network security engineer at a multinational corporation. The company has a main data center and three branch offices connected via MPLS. The firewall at the data center is a PA-5250 running PAN-OS 10.2. The firewall is configured for SSL Forward Proxy decryption of all outbound HTTPS traffic from internal users to the internet. Recently, users in Branch Office A report that they cannot access several external HTTPS websites, while users at other branches and the data center have no issues. The decryption policy for Branch Office A is identical to the others. You check the decryption statistics and see that for Branch Office A, the number of 'SSL handshake failures' is high. You also notice that the firewall's system log shows errors like 'peer certificate chain validation failure' for sessions from Branch Office A. The firewall has a forward trust certificate issued by an internal CA, and the internal CA certificate is installed on all clients. What is the most likely cause of this issue?
4. A company is deploying SSL Forward Proxy decryption for outbound HTTPS traffic. They want to ensure that traffic to financial sites (e.g., *.bank.com) is not decrypted due to compliance requirements. Which method should be used to exclude this traffic from decryption?
5. Which TWO of the following are valid considerations when designing an SSL Forward Proxy decryption deployment on a Palo Alto Networks firewall?
6. Order the steps to configure a static route on a Palo Alto Networks firewall.
7. Match each high availability (HA) term to its definition.
8. A security administrator wants to minimize the performance impact of SSL decryption on the firewall. Which best practice should be applied?
9. After enabling SSL Forward Proxy decryption, users report that they cannot access HTTPS websites and receive certificate errors. The firewall's decryption certificate is properly installed on client machines. What is the most likely cause?
10. An organization is deploying SSL Inbound Inspection to protect servers in a DMZ. Which consideration is critical for the firewall to properly decrypt inbound traffic destined to these servers?
11. What is the primary purpose of SSL decryption on a Palo Alto Networks firewall?
12. A company wants to decrypt traffic to productivity and collaboration sites but avoid decrypting traffic to financial and healthcare sites due to compliance. How should the SSL decryption policy be configured?
13. During SSL decryption, the firewall logs show 'ssl_decrypt_unsupported_cipher' errors for several connections. What is the likely cause and solution?
14. A user reports that after SSL decryption was enabled, certain web applications fail to load completely. What is the most likely reason?
15. Which best practice should be followed for certificate management when deploying SSL Forward Proxy decryption in a large enterprise?
16. A Palo Alto Networks firewall is configured for SSL Forward Proxy decryption. The security team wants to ensure that decrypted traffic is also inspected by an external DLP appliance. How should this be achieved?
17. Which TWO conditions typically cause the firewall to bypass SSL decryption for a session? (Choose two.)
18. Which THREE steps should be taken to troubleshoot an SSL decryption issue where users are unable to access specific HTTPS websites? (Choose three.)
19. Which TWO types of traffic should typically be excluded from SSL decryption for compliance or operational reasons? (Choose two.)
20. Based on the exhibit, what is the most likely cause for the majority of bypassed sessions?
21. A user from subnet 10.0.1.0/24 accesses a website categorized as 'Finance'. Based on the exhibit, what will be the result?
22. Based on the exhibit, what is the most likely action for the firewall to take on this session?
23. A company uses SSL Forward Proxy decryption for user traffic. Recently, some users cannot access a specific HTTPS website that uses a self-signed certificate. The firewall's decryption policy is set to 'decrypt' and the action is 'forward proxy'. The firewall does not have the self-signed CA certificate installed. What is the most likely cause of the issue?
24. Which TWO statements are true about TLS version 1.3 support in Palo Alto Networks decryption?
25. A network administrator is troubleshooting decryption failures for HTTPS traffic to a financial website. The firewall is configured with an SSL Forward Proxy decryption policy that applies to the 'financial-services' URL category. The firewall uses an internal CA certificate to sign generated certificates. Users report a certificate error in their browsers when accessing 'https://www.bankofalice.com'. The error says the certificate is not trusted, even though the internal CA certificate is installed on all client devices. The administrator checks the firewall logs and sees no decryption errors; the session is being decrypted successfully. The administrator also confirms that the decryption policy is active and the firewall is not bypassing decryption. What is the most likely cause of the certificate error?
26. A company has deployed SSL Inbound Inspection to inspect HTTPS traffic to their internal web server hosting a custom application that requires mutual TLS authentication. The firewall is configured with a decryption policy that includes the server's certificate and the action 'decrypt'. The web server is configured to request client certificates. After implementation, users report that the application fails to authenticate them. The firewall logs show that the SSL handshake with the client completes successfully, but the server never receives the client certificate during the handshake. The administrator has verified that the decryption policy is active and the server certificate is correctly imported. What is the most likely cause of this issue?
27. Which TWO of the following are supported decryption scenarios on a Palo Alto Networks firewall?
28. A network administrator observes that some SSL connections are failing to be decrypted. Based on the exhibit, what is the most likely reason for the majority of the failures?
29. A multinational corporation uses Palo Alto Networks firewalls at its headquarters and five branch offices. SSL Forward Proxy decryption is enabled for all outbound HTTPS traffic. Recently, users in the finance department have reported that several banking and financial websites fail to load, displaying a certificate error in the browser. The errors occur only for these specific sites, while other HTTPS sites work fine. The firewall administrator has already added decryption exclusion rules for the affected domains, but the problem persists. The decryption policy is configured with a single rule that decrypts all SSL service traffic, and the exclusion rules are placed below this global decrypt rule. Which of the following is the best course of action to resolve the issue?
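Several of the questions above (4, 12, 21 and 29) turn on one mechanism: the firewall evaluates its decryption rulebase top-down and applies the first rule that matches, so a no-decrypt exclusion placed below a rule that already decrypts everything can never take effect. The following is an added example, not code from the page or from Palo Alto Networks, that models that first-match evaluation on source address and URL category and adds a shadow check that flags exclusions an earlier, broader rule will always win. The rule names, the category labels and the 10.0.1.0/24 session are constructed for illustration; a real PAN-OS rule also matches on zones, users, services and more, and this model does not cover those.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DecryptionRule:
    """Subset of a PAN-OS decryption rule: match on source CIDRs and URL categories."""
    name: str
    action: str                                              # "decrypt" or "no-decrypt"
    source: list = field(default_factory=lambda: ["any"])    # CIDR strings or "any"
    categories: list = field(default_factory=lambda: ["any"])  # URL categories or "any"


@dataclass
class Session:
    src_ip: str
    url_category: str   # category the firewall learns from SNI / server certificate


def rule_matches(rule, session):
    src_ok = "any" in rule.source or any(
        ipaddress.ip_address(session.src_ip) in ipaddress.ip_network(c) for c in rule.source
    )
    cat_ok = "any" in rule.categories or session.url_category in rule.categories
    return src_ok and cat_ok


def evaluate(rulebase, session):
    """Top-down, first match wins. Returns (rule name, action); unmatched traffic is not decrypted."""
    for rule in rulebase:
        if rule_matches(rule, session):
            return rule.name, rule.action
    return None, "no-decrypt"


def _src_covers(a, b):
    """True if every source in b lies inside some source in a."""
    if "any" in a:
        return True
    if "any" in b:
        return False
    a_nets = [ipaddress.ip_network(c) for c in a]
    for c in b:
        bn = ipaddress.ip_network(c)
        if not any(bn.version == an.version and bn.subnet_of(an) for an in a_nets):
            return False
    return True


def _cat_covers(a, b):
    if "any" in a:
        return True
    if "any" in b:
        return False
    return set(b) <= set(a)


def shadowed_rules(rulebase):
    """List (shadowed rule, earlier rule) pairs: the earlier rule matches everything the later one does."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if _src_covers(earlier.source, later.source) and _cat_covers(earlier.categories, later.categories):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rulebases. MISORDERED is the situation in question 29: exclusions below a global decrypt rule.
MISORDERED = [
    DecryptionRule("decrypt-all-outbound", "decrypt"),
    DecryptionRule("no-decrypt-finance", "no-decrypt", categories=["financial-services"]),
    DecryptionRule("no-decrypt-health", "no-decrypt", categories=["health-and-medicine"]),
]
CORRECT = [MISORDERED[1], MISORDERED[2], MISORDERED[0]]   # exclusions first, catch-all last

# Exclusion scoped to one subnet, as in the question 21 scenario (values constructed).
BRANCH = [
    DecryptionRule("no-decrypt-finance-branch-a", "no-decrypt",
                   source=["10.0.1.0/24"], categories=["financial-services"]),
    DecryptionRule("decrypt-all-outbound", "decrypt"),
]

FINANCE_SESSION = Session("10.0.1.25", "financial-services")

if __name__ == "__main__":
    print("misordered:", evaluate(MISORDERED, FINANCE_SESSION))   # decrypted despite the exclusion
    print("corrected: ", evaluate(CORRECT, FINANCE_SESSION))      # exclusion wins
    print("shadowed in misordered rulebase:", shadowed_rules(MISORDERED))
    print("branch subnet:", evaluate(BRANCH, FINANCE_SESSION),
          "other subnet:", evaluate(BRANCH, Session("10.0.2.25", "financial-services")))
```

Run the shadow check against an exported rulebase before committing: any no-decrypt rule it reports sitting under a decrypt rule is dead configuration, which is exactly why the exclusions in question 29 "persist" in failing. Keep in mind that the URL category is only known once the firewall has seen the SNI or the server certificate, so an exclusion by category depends on that information being available at the time the rule is evaluated.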
The Decryption and SSL Inspection domain covers the key concepts tested in this area of the PCNSE exam blueprint published by Palo Alto Networks. Courseiva provides free domain-focused practice, mock exams, missed-question review, and readiness tracking across all PCNSE domains — no account required.
The Courseiva PCNSE question bank contains 29 questions in the Decryption and SSL Inspection domain. Click any question to see the full explanation and answer breakdown.
Start with a 10-question focused session to identify your baseline accuracy in this domain. Read every explanation — even for questions you answer correctly — to understand the reasoning. Once you score consistently above 80%, move to a 20–30 question session to confirm depth before moving to the next domain.
The session launcher on this page draws questions exclusively from the Decryption and SSL Inspection domain. Choose 10, 20, 30, or 50 questions for a focused session, or click individual questions to review them one by one.