A company has a decryption policy that decrypts all traffic except for traffic to financial sites. However, users report that some financial sites are still being decrypted. What should the admin check first?
Rules are evaluated top-down; a decrypt rule above the no-decrypt rule will match first.
Why this answer
The decryption policy is evaluated in order from top to bottom, and the first matching rule is applied. If a rule that decrypts traffic is placed above the rule that excludes financial sites, traffic to those sites will be decrypted before reaching the exclusion rule. The admin should check the rule order to ensure the financial site exclusion rule is positioned above any decrypting rules.
Exam trap
The trap here is that candidates often assume the problem lies with certificates or logs, overlooking the first-match, top-down policy evaluation order that directly causes the described behavior.
How to eliminate wrong answers
Option B is wrong because system logs only record events after policy enforcement and have no effect on rule order; the issue is a misconfiguration in the policy sequence, not a logging deficiency. Option C is wrong because certificate revocation status (CRL/OCSP) is checked during SSL/TLS handshake validation, not when determining which traffic to decrypt; it is unrelated to policy rule ordering. Option D is wrong because SSL/TLS service profile settings define the cipher suites and protocol versions used for decryption, not the traffic-matching logic that determines which sites are decrypted or excluded.