A firewall is configured to decrypt SSH traffic. Which type of decryption must be enabled?
SSH Proxy is designed to decrypt SSH traffic.
Why this answer
SSH traffic uses its own encryption protocol, not SSL/TLS. To decrypt SSH traffic, the firewall must act as a man-in-the-middle using an SSH proxy, which terminates the client's SSH connection and establishes a separate SSH session with the server, allowing inspection of the plaintext content. This is distinct from SSL decryption methods.
Exam trap
The trap here is that candidates confuse SSH decryption with SSL decryption and select 'SSL Forward Proxy' because they assume all encrypted traffic is handled by the same mechanism, but SSH uses a completely different protocol and requires a dedicated SSH proxy.
How to eliminate wrong answers
Option A is wrong because SSL Forward Proxy is designed to decrypt SSL/TLS traffic (HTTPS), not SSH traffic, which uses a different encryption protocol and port 22. Option B is wrong because Inbound Inspection is a general traffic inspection policy, not a specific decryption method; it does not inherently decrypt SSH or any encrypted protocol. Option D is wrong because Decryption Mirror is a passive monitoring feature that copies traffic to an external tool for analysis, but it does not perform active decryption of SSH sessions.