CCNA Decryption and Monitoring Questions

66 questions · Decryption and Monitoring · All types, answers revealed

1. MCQ (easy)

A firewall is configured to decrypt SSH traffic. Which type of decryption must be enabled?

A.SSL Forward Proxy
B.Inbound Inspection
C.SSH Proxy
D.Decryption Mirror
Answer: C

SSH Proxy is designed to decrypt SSH traffic.

Why this answer

SSH has its own transport protocol and key exchange; it does not use SSL/TLS. To decrypt it the firewall must sit in the middle as an SSH proxy: it terminates the client's SSH connection, opens a separate SSH session to the server, and inspects the plaintext in between. Because the client is now negotiating with the firewall, it sees the firewall's host key rather than the server's, so clients that have already cached the real host key raise a 'host key changed' warning until their known_hosts entries are updated. This is distinct from the SSL/TLS decryption methods.

Exam trap

The trap here is that candidates confuse SSH decryption with SSL decryption and select 'SSL Forward Proxy' because they assume all encrypted traffic is handled by the same mechanism, but SSH uses a completely different protocol and requires a dedicated SSH proxy.

How to eliminate wrong answers

Option A is wrong because SSL Forward Proxy decrypts outbound SSL/TLS traffic (for example HTTPS) by impersonating the server with a firewall-generated certificate; SSH is a different protocol with its own key exchange and host-key trust model, so TLS interception does not apply to it. Option B is wrong because SSL Inbound Inspection is also an SSL/TLS method: it decrypts traffic to an internal server whose certificate and private key have been imported, and it does not handle SSH. Option D is wrong because Decryption Mirror is not a decryption method at all; it forwards a copy of traffic the firewall has already decrypted out of a mirror interface to an external analysis tool, so it depends on one of the other methods having done the decryption.
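The distinction the question turns on is visible in the first bytes a client sends: an SSH client announces itself with an identification string, while a TLS client sends a handshake record whose ClientHello carries the server name (SNI) that the firewall uses to categorise an HTTPS session before deciding whether to decrypt it. The following Python is an added example, not code from the page or from Palo Alto Networks; the SSH banner and the ClientHello are constructed in the code, and it assumes the outbound direction (so a TLS session maps to SSL Forward Proxy rather than Inbound Inspection).

```python
import struct

# Constructed sample input (not captured traffic): the identification string an
# SSH-2 client sends as the first bytes of a connection.
SSH_BANNER = b"SSH-2.0-OpenSSH_9.6\r\n"


def build_client_hello(server_name=None) -> bytes:
    """Build a minimal TLS ClientHello record, optionally carrying an SNI extension.

    Constructed for this example so the parser below has something to run on offline.
    """
    extensions = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name type 0 = host_name
        sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
        sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
        extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + b"\x00" * 32          # random (zeroed for the example)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\x13\x01"   # cipher_suites: one entry, TLS_AES_128_GCM_SHA256
        + b"\x01\x00"           # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record type 22 = handshake


def extract_sni(record: bytes):
    """Walk a ClientHello record and return the host_name from the SNI extension, or None."""
    pos = 5 + 4 + 2 + 32                      # record header, handshake header, version, random
    pos += 1 + record[pos]                    # session_id
    pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + record[pos]                    # compression_methods
    if pos + 2 > len(record):
        return None                           # no extensions block at all
    ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        ext_type, ext_len = struct.unpack("!HH", record[pos:pos + 4])
        data = record[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type == 0 and len(data) >= 5 and data[2] == 0:   # server_name list, host_name entry
            name_len = struct.unpack("!H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def classify(first_bytes: bytes) -> dict:
    """Decide which decryption method applies from the first bytes the client sends."""
    if first_bytes.startswith(b"SSH-"):
        return {"protocol": "ssh", "decryption": "ssh-proxy", "sni": None}
    is_client_hello = (len(first_bytes) >= 6 and first_bytes[0] == 0x16
                       and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)
    if is_client_hello:
        return {"protocol": "tls", "decryption": "ssl-forward-proxy", "sni": extract_sni(first_bytes)}
    return {"protocol": "unknown", "decryption": None, "sni": None}


if __name__ == "__main__":
    for sample in (SSH_BANNER, build_client_hello("www.example.com"), b"GET / HTTP/1.1\r\n"):
        print(classify(sample))
```

The SNI parser matters beyond this question: a 'No Decrypt' rule keyed on URL category can only be applied before decryption because the firewall reads the host name from this unencrypted extension (or from the server certificate) during the handshake.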

2. MCQ (medium)

A network administrator notices that some HTTPS sessions are not being decrypted by the firewall, even though the decryption policy rule is configured to decrypt traffic from a specific subnet. The firewall is in forward proxy mode. All other decryption rules work. What is the most likely cause?

A.The traffic is using TLS 1.3 which is not supported by the firewall.
B.The firewall's encryption algorithm settings do not match the server's cipher suite.
C.The SSL/TLS decryption profile has 'Block sessions with expired certificates' enabled.
D.A no-decrypt rule higher in the policy list matches the traffic before the decrypt rule.
Answer: D

Decryption policy rules are evaluated top-down; a preceding no-decrypt rule would prevent decryption.

Why this answer

In a forward proxy deployment, the firewall evaluates decryption policy rules in order from top to bottom and applies the first match. If a no-decrypt rule sits above the decrypt rule for the subnet and also matches that traffic, the sessions bypass decryption and the decrypt rule is never reached. This is the most likely cause because all other decryption rules work, so the certificate and profile configuration is functional; only rule order prevents the intended rule from applying. The quick check is the CLI command `test decryption-policy-match` with the affected source and destination, which reports the rule the session actually hits.

Exam trap

The trap here is that candidates often assume the issue is with TLS version support or certificate validation, overlooking the fundamental rule-ordering logic in decryption policy that can cause a no-decrypt rule to preempt a decrypt rule.

How to eliminate wrong answers

Option A is wrong because TLS 1.3 decryption has been supported in SSL Forward Proxy since PAN-OS 10.0; on an older release the firewall, acting as the TLS client toward the server, negotiates the highest version it supports, or the session is handled per the profile's unsupported-version setting, and either way the effect would not be confined to one subnet. Option B is wrong because the firewall negotiates its own cipher suite with the server from the list the decryption profile allows; an unsupported cipher is recorded in the Decryption log (or the session is blocked, if 'Block sessions with unsupported cipher suites' is enabled) rather than silently leaving one subnet undecrypted. Option C is wrong because 'Block sessions with expired certificates' terminates the affected sessions and logs the block; it does not let traffic pass through undecrypted, and it would apply to every rule using that profile, not just one subnet.

3. MCQ (hard)

An organization is using outbound SSL decryption with a forward proxy. They notice that mobile devices (iOS/Android) are having trouble connecting to many HTTPS sites after decryption is enabled. IT has installed the root CA certificate on all devices. What is the most likely reason?

A.The decryption profile does not allow TLS 1.3 connections.
B.The firewall's decryption certificate uses a weak key length.
C.The root CA certificate is not trusted by mobile OS due to certificate transparency or pinning.
D.The firewall is not configured to decrypt traffic from mobile devices.
Answer: C

Mobile devices enforce CT or certificate pinning, causing the intercepted certificate to be rejected.

Why this answer

Option C is the intended answer because a locally installed root CA is not enough on mobile platforms. Apps that pin the expected server certificate or public key (Apple's and Google's own apps and many banking apps) reject the firewall-generated certificate regardless of which roots the OS trusts. Android also keeps user-installed CAs separate from the system store: since Android 7 an app trusts user-added CAs only if its network security configuration opts in, so most apps other than the browser still fail. On iOS a manually installed root must additionally be enabled under Certificate Trust Settings before it is trusted for TLS. Certificate transparency, as named in the option, is not what mainstream browsers enforce against privately trusted roots, so pinning and the per-app trust store behaviour are the practical reasons the symptom appears on mobile devices only.

Exam trap

The trap here is that candidates assume installing the root CA certificate is sufficient for all devices, overlooking that mobile OSes enforce additional trust mechanisms like certificate transparency and pinning that are not bypassed by a locally installed root CA.

How to eliminate wrong answers

Option A is wrong because a profile that disallows TLS 1.3 would affect every client, not only mobile devices, and the firewall would simply negotiate TLS 1.2 with clients that support it. Option B is wrong because a weak forward trust key (for example 1024-bit RSA) would be rejected or warned about by desktop browsers as well, and the forward trust CA in practice uses a 2048-bit or larger key, so it would not explain a mobile-only symptom. Option D is wrong because decryption policy matches on source zone, address or user, not device type; if the mobile devices sit in the same zone as other clients they are decrypted unless explicitly excluded.

4. MCQ (medium)

A company implements SSL Forward Proxy decryption. Users report that some internal applications fail to load after deployment. The firewall is configured with a CA-signed certificate for decryption. What is the most likely cause of the application failures?

A.The decryption policy uses 'No Decrypt' for the internal application's URL category.
B.The decryption policy is set to 'Decrypt' for all traffic, causing performance bottlenecks.
C.The firewall's CA certificate is not installed in the trusted root store on user endpoints.
D.The firewall is configured to decrypt traffic from the internal zone, but not the external zone.
Answer: C

Without trust, browsers show certificate errors and block the connection.

Why this answer

Option C is correct because SSL Forward Proxy decryption requires the firewall's forward trust CA to be trusted by client endpoints. The firewall generates a new certificate for each decrypted server, signed by that CA, so the client must trust the CA to avoid certificate validation errors. Without it in the trusted root store, browsers and applications reject the connection, and internal applications that rely on SSL/TLS fail. Note that the 'CA-signed certificate' in the question must itself be a CA certificate (it has to sign impersonation certificates); a plain server certificate signed by a public CA cannot be used for forward proxy. Distributing the CA via group policy or MDM, and confirming it appears in the endpoint's root store, is the first check.

Exam trap

Palo Alto Networks often tests the misconception that decryption failures are caused by policy misconfigurations or performance issues, rather than the fundamental requirement of installing the firewall's CA certificate on all client devices.

How to eliminate wrong answers

Option A is wrong because if the decryption policy used 'No Decrypt' for the internal application's URL category, the traffic would bypass decryption entirely and should work normally, not fail. Option B is wrong because while performance bottlenecks can occur with heavy decryption, they would cause slowdowns or timeouts, not outright application failures due to certificate trust issues. Option D is wrong because decryption configuration for internal vs external zones does not directly cause application failures; the issue is the lack of trusted CA on endpoints, not the zone direction.

5. MCQ (medium)

An organization deploys SSL Forward Proxy decryption. They want to ensure that traffic to financial websites is not decrypted due to compliance requirements. Which decryption policy configuration should be used?

A.Create a decryption rule with action 'Decrypt' and destination zone 'Untrust'.
B.Create a decryption rule with action 'No Decrypt' for the URL category 'Financial Services'.
C.Create a decryption rule with action 'No Decrypt' for all traffic, then a rule above it to decrypt all other traffic.
D.Create a decryption rule with action 'Decrypt' for the URL category 'Financial Services'.
Answer: B

This skips decryption for finance sites.

Why this answer

SSL Forward Proxy decryption rules are evaluated in order, and the first matching rule determines the action. To exclude financial websites from decryption, create a rule with action 'No Decrypt' that matches the 'Financial Services' URL category and place it above the broader decrypt rule. The firewall can categorise the session before decrypting because the host name is available in the SNI of the ClientHello and in the server certificate, so traffic to those sites is passed through encrypted, meeting the compliance requirement.

Exam trap

The trap here is that candidates may think a 'Decrypt' rule with a specific category is needed to handle financial traffic, but the correct approach is to explicitly exclude it with 'No Decrypt' to comply with regulations.

How to eliminate wrong answers

Option A is wrong because a 'Decrypt' action with destination zone 'Untrust' would decrypt all outbound traffic, including financial websites, violating compliance. Option C is wrong because with the decrypt-everything rule placed above the no-decrypt rule, the decrypt rule matches first for every session, including financial sites, so the no-decrypt rule below it is never reached; the exclusion must sit above the broader decrypt rule, not below it. Option D is wrong because a 'Decrypt' action for 'Financial Services' would explicitly decrypt financial traffic, which is the opposite of the compliance requirement.

6. MCQ (hard)

A financial services firm deploys inbound SSL decryption to inspect all HTTPS traffic to their customer-facing web application. After enabling decryption, customers report that they are unable to connect to the web app and receive 'This site can’t provide a secure connection' errors. The firewall logs show no decryption errors, and traffic logs show the sessions are matched to the decryption rule but no decryption action is taken. The web app uses a wildcard certificate (*.example.com). The firewall's decryption certificate is imported from the server's private key. What is the most likely cause?

A.The firewall does not support wildcard certificates for inbound decryption.
B.The web server is not properly configured to handle decrypted traffic.
C.The decryption profile is set to 'Block sessions with untrusted certificates'.
D.The decryption rule is configured with the forward proxy method.
Answer: D

Inbound decryption must use 'SSL Inbound Inspection'; forward proxy is for outbound and mismatches cause handshake failures.

Why this answer

Option D is correct because inbound SSL decryption requires the 'SSL Inbound Inspection' method, not the forward proxy method. Forward proxy is used for outbound decryption where the firewall generates a certificate on the fly. For inbound decryption, the firewall must use the server's private key to decrypt traffic, which is configured via an SSL Inbound Inspection rule.

With the rule set to forward proxy, the firewall instead generates an impersonation certificate for the web app signed by its forward trust CA and presents that to the customers. External customers have no reason to trust the firewall's CA, and the forward proxy rule does not use the imported server certificate and key at all, so the handshake fails on the client side with a generic 'secure connection' error while the firewall itself records nothing it considers an error.

Exam trap

The trap here is that candidates confuse the forward proxy method (used for outbound decryption) with the SSL Inbound Inspection method (required for inbound decryption), assuming any decryption rule will work for inbound traffic as long as a certificate is imported.

How to eliminate wrong answers

Option A is wrong because Palo Alto Networks firewalls do support wildcard certificates for inbound inspection; the issue is the decryption method, not the certificate type. Option B is wrong because the web server needs no special configuration for inbound inspection: the firewall uses the server's own certificate and key, so the server sees an ordinary TLS session, and the error here is on the client side. Option C is wrong because 'Block sessions with untrusted certificates' would block sessions and generate a decryption error in the logs, but the logs show no decryption errors and the traffic matches the rule with no decryption action taken, which points to a misconfigured rule rather than an untrusted certificate.

7. MCQ (medium)

Refer to the exhibit. A decryption policy has two rules. Traffic destined to a web server is not being decrypted. What is the most likely cause?

A.The 'strict' profile is misconfigured
B.The Decrypt-Web rule has a profile that blocks decryption
C.The Default-No-Decrypt rule is above Decrypt-Web and matches all traffic
D.The source is set to 'any' in the Decrypt-Web rule
Answer: C

Rules are evaluated top-down; the no-decrypt rule matches before the decrypt rule.

Why this answer

In Palo Alto Networks firewalls, decryption policy rules are evaluated in order from top to bottom, and the first matching rule is applied. If the 'Default-No-Decrypt' rule is placed above the 'Decrypt-Web' rule and matches all traffic (e.g., source/destination 'any'), then all traffic, including traffic to the web server, will match this rule first and will not be decrypted, preventing the 'Decrypt-Web' rule from ever being evaluated.

Exam trap

Palo Alto Networks often tests the concept of rule order in decryption policies, where candidates mistakenly focus on profile settings or source/destination fields instead of recognizing that a higher-priority 'no-decrypt' rule matching all traffic will override any lower-priority decrypt rule.

How to eliminate wrong answers

Option A is wrong because a 'strict' profile is related to SSL/TLS forward proxy settings (e.g., certificate validation, protocol version checks) and does not inherently block decryption; it only enforces security checks on decrypted traffic. Option B is wrong because a decryption profile does not block decryption itself; it controls actions like blocking sessions with expired certificates or unsupported cipher suites, but the rule's action (decrypt vs. no-decrypt) is set in the rule, not the profile. Option D is wrong because setting the source to 'any' in the 'Decrypt-Web' rule would actually broaden its match scope, not prevent decryption; the issue is rule order, not the source field.

8. MCQ (hard)

Refer to the exhibit. A network administrator notices that SSL decryption performance has degraded. Based on the exhibit, which factor is most likely contributing to the performance issue?

A.The firewall has been running for too long without a reboot.
B.The session utilization is at 95%, nearing the capacity limit, but decryption sessions are only a small fraction.
C.The decryption policy matches (12000) are high relative to the number of SSL/TLS proxy sessions (5000), indicating many sessions are being decrypted but then possibly dropped or not fully processed.
D.The data plane CPU and memory are both high, indicating resource exhaustion.
Answer: C

A high number of decryption policy matches compared to actual proxy sessions suggests that many decrypted sessions are not being fully proxied, which can cause inefficiency and performance degradation.

Why this answer

The exhibit shows 12000 decryption policy matches but only 5000 SSL/TLS proxy sessions, indicating that many sessions matched the decryption policy but were not fully decrypted (e.g., due to unsupported ciphers or certificate issues), leading to wasted processing and degraded performance.

9. MCQ (medium)

A university uses a Palo Alto Networks firewall to protect its network. They have implemented SSL Forward Proxy decryption for all student traffic. Recently, the IT helpdesk has received complaints from students that some websites (e.g., online banking, healthcare portals) are not loading properly. The firewall logs show that these sites are being decrypted, and no threats are detected. The university's legal team has advised that decryption of financial and healthcare sites may violate regulations. The network team wants to quickly resolve the issue while ensuring compliance. What is the best course of action?

A.Modify the existing decrypt rule to decrypt all categories except those two.
B.Disable decryption entirely for all student traffic.
C.Create a security policy rule to allow traffic to those URL categories without inspection.
D.Create a decryption policy rule with action 'No Decrypt' for URL categories 'Financial Services' and 'Health and Medicine', placed above the existing decrypt rule.
Answer: D

This bypasses decryption for compliant categories.

Why this answer

Option D is correct because it creates a decryption policy rule with action 'No Decrypt' for the specific URL categories 'Financial Services' and 'Health and Medicine', placed above the existing decrypt rule. This ensures that traffic to these sensitive categories is excluded from SSL Forward Proxy decryption, resolving the loading issues caused by certificate pinning or regulatory violations, while still decrypting all other student traffic. The rule order is critical because Palo Alto Networks decryption policies are evaluated top-down, and the first match determines the action.

Exam trap

The trap here is that candidates confuse security policy rules with decryption policy rules, thinking that a security rule can bypass decryption, when in fact decryption is controlled exclusively by decryption policy rules with actions like 'Decrypt' or 'No Decrypt'.

How to eliminate wrong answers

Option A is wrong because the URL category field of a decryption rule is a positive match with no 'except' form, so 'all categories except these two' cannot be expressed inside the existing rule; the exclusion has to be a separate 'No Decrypt' rule placed above the decrypt rule so that it takes precedence. Option B is wrong because disabling decryption entirely for all student traffic is an overreaction that removes security visibility for all web traffic, not just the problematic categories, and does not meet the goal of keeping decryption for other sites. Option C is wrong because a security policy rule does not affect decryption; security policies control allow/deny and the profiles applied to a session, while the decrypt/no-decrypt decision is made only by the decryption policy, so the traffic would still be decrypted by the existing decrypt rule unless a decryption rule excludes it.
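The rule-ordering point behind this question and questions 2, 5 and 7 is first-match evaluation: a 'No Decrypt' exclusion only works above the broader decrypt rule, and a catch-all 'No Decrypt' at the top shadows everything below it. The Python below is an added model of that evaluation, not PAN-OS code; the URL category table, zone names and rule names are constructed for the example. It goes one step further than the question by flagging rules that can never match because an earlier rule covers all of their traffic, which is the check a practitioner runs on a rulebase before committing it.

```python
from dataclasses import dataclass

# Constructed lookup table standing in for the firewall's URL category database;
# an undecrypted HTTPS session is categorised from the SNI or the certificate CN.
URL_CATEGORIES = {
    "bank.example": "financial-services",
    "portal.health.example": "health-and-medicine",
    "social.example": "social-networking",
    "www.example.com": "computer-and-internet-info",
}


@dataclass
class DecryptionRule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    source_zones: frozenset = frozenset({"any"})
    categories: frozenset = frozenset({"any"})


def _field_matches(allowed: frozenset, value: str) -> bool:
    return "any" in allowed or value in allowed


def evaluate(rulebase, source_zone: str, sni: str):
    """Top-down, first-match evaluation, as the firewall does for decryption policy."""
    category = URL_CATEGORIES.get(sni, "unknown")
    for rule in rulebase:
        if _field_matches(rule.source_zones, source_zone) and _field_matches(rule.categories, category):
            return rule.name, rule.action
    return None, "no-decrypt"   # no match: the session is simply not decrypted


def _covers(broad: frozenset, narrow: frozenset) -> bool:
    """True if every value the narrow field can match is also matched by the broad field."""
    if "any" in broad:
        return True
    return "any" not in narrow and narrow <= broad


def shadowed(rulebase):
    """Names of rules that can never match because an earlier rule covers all of their traffic."""
    result = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if _covers(earlier.source_zones, later.source_zones) and _covers(earlier.categories, later.categories):
                result.append(later.name)
                break
    return result


# Constructed rules mirroring the scenario: exclude regulated categories, decrypt the
# rest of the student zone, and fall through to no-decrypt for everything else.
NO_DECRYPT_REGULATED = DecryptionRule(
    "No-Decrypt-Regulated", "no-decrypt",
    categories=frozenset({"financial-services", "health-and-medicine"}))
DECRYPT_STUDENTS = DecryptionRule("Decrypt-Students", "decrypt", source_zones=frozenset({"students"}))
DEFAULT_NO_DECRYPT = DecryptionRule("Default-No-Decrypt", "no-decrypt")

CORRECT_ORDER = [NO_DECRYPT_REGULATED, DECRYPT_STUDENTS, DEFAULT_NO_DECRYPT]
WRONG_ORDER = [DEFAULT_NO_DECRYPT, DECRYPT_STUDENTS, NO_DECRYPT_REGULATED]   # question 7's mistake

if __name__ == "__main__":
    for label, rulebase in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(f"{label} order; shadowed rules: {shadowed(rulebase)}")
        for sni in ("bank.example", "social.example"):
            print(f"  students -> {sni}: {evaluate(rulebase, 'students', sni)}")
```

In the correct order the bank session hits the exclusion and the social site is decrypted; with the catch-all on top, both sessions pass undecrypted and the shadow check reports the two lower rules as unreachable, which is exactly what a rulebase audit should catch before the helpdesk does.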

10. MCQ (hard)

A security engineer notices that HTTPS traffic to a critical business application is being decrypted and re-encrypted, causing performance issues. The application uses a certificate from a public CA. The engineer wants to minimize decryption overhead while still inspecting for threats. Which decryption policy configuration best achieves this?

A.Create a decryption policy rule with action 'Decrypt' and a custom URL category for the application.
B.Create a decryption policy rule with action 'No Decrypt' and disable certificate status check.
C.Create a decryption policy rule with action 'No Decrypt' and enable 'Forward Trust Certificate' and 'Forward Untrust Certificate' with certificate status check.
D.Create a decryption policy rule with action 'Decrypt' and source zone set to 'Untrust'.
Answer: C

This allows trusted certificates to pass without decryption, reducing overhead while still validating certificates.

Why this answer

Option C is the intended answer because the 'No Decrypt' action leaves the session encrypted, removing the proxy overhead, while a decryption profile attached to the rule can still validate the server certificate the firewall sees in the handshake (the No Decryption profile settings 'Block sessions with expired certificates' and 'Block sessions with untrusted issuers'). Two caveats apply in practice. The Forward Trust and Forward Untrust certificates named in the option are global forward proxy settings used when the firewall does decrypt; they are not per-rule switches for a no-decrypt rule. And with the payload still encrypted the firewall cannot run threat signatures against the content, so this trades content inspection for certificate-level checks, which is acceptable only where the application's traffic is already trusted.

Exam trap

The trap here is that candidates assume 'No Decrypt' means no checks at all, but with a No Decryption profile attached the firewall still evaluates the server certificate (expiry, trusted issuer) during the handshake and can block on failure. The opposite trap also applies: 'No Decrypt' never gives threat inspection of the encrypted payload, whatever the profile says.

How to eliminate wrong answers

Option A is wrong because a 'Decrypt' action forces decryption and re-encryption, the very overhead the engineer wants to avoid, and a custom URL category only changes what the rule matches, not its cost. Option B is wrong because 'No Decrypt' with the certificate checks disabled means the firewall accepts the session without evaluating the server certificate at all, so expired or untrusted-issuer certificates go unnoticed. Option D is wrong because a 'Decrypt' action with source zone 'Untrust' still decrypts all traffic from that zone, adding overhead for an application whose public-CA certificate can be validated without decryption.

11. MCQ (easy)

A security administrator needs to inspect traffic to a critical web server that uses HTTPS. The firewall is configured as a forward proxy for outbound traffic. Which decryption type should be used to decrypt the traffic inbound to the web server?

A.Inbound Inspection Decryption
B.Decryption Mirror
C.Outbound (Forward Proxy) Decryption
D.SSH Proxy
Answer: A

Inbound inspection is specifically designed to decrypt traffic entering the network and destined to internal servers.

Why this answer

Inbound Inspection Decryption is used to decrypt traffic destined to a protected server, such as a web server using HTTPS. The administrator imports the server's certificate and private key onto the firewall, which then decrypts inbound sessions to that server for inspection and forwards them on. Because the client still sees the server's genuine certificate, no client-side trust configuration is required, unlike forward proxy.

Exam trap

The trap here is that candidates confuse 'forward proxy' (outbound) with 'reverse proxy' (inbound), leading them to select Outbound (Forward Proxy) Decryption even though the traffic is inbound to the server.

How to eliminate wrong answers

Option B (Decryption Mirror) is wrong because it is not a decryption method; it is a feature that copies traffic to a monitoring tool without decrypting it. Option C (Outbound (Forward Proxy) Decryption) is wrong because it is designed for decrypting traffic initiated by internal clients going to external servers, not inbound traffic to a web server. Option D (SSH Proxy) is wrong because it is used to proxy SSH connections, not to decrypt HTTPS traffic, and it does not apply to inbound web server inspection.

12. Multi-Select (medium)

Which TWO actions should be taken when configuring SSL Forward Proxy decryption? (Select exactly two.)

Select 2 answers
A.Import the server's private key
B.Import the server certificate
C.Enable SSH decryption
D.Generate or import a CA certificate for the firewall
E.Configure a decryption profile that allows self-signed certificates
Answers: D, E

The firewall needs a CA certificate to generate certificates on the fly for clients.

Why this answer

Option D is correct because SSL Forward Proxy decryption requires the firewall to act as a trusted intermediary. To do this, the firewall must generate or import a CA certificate (the forward trust certificate) that client endpoints trust, so it can dynamically generate and sign server certificates for decrypted sessions. Without it, clients receive untrusted certificate warnings and decryption fails. Option E is the quiz's second pick: the rule needs a decryption profile, and the profile decides what happens with server certificates the firewall cannot validate. In practice the recommended setting is the opposite of silently allowing self-signed certificates: block untrusted issuers, or configure a Forward Untrust certificate so that a self-signed or untrusted server is re-signed with a CA the client does not trust and the user still sees a warning. Options A and B belong to SSL Inbound Inspection, where the firewall needs the server's own certificate and key.

Exam trap

Palo Alto Networks often tests the distinction between SSL Forward Proxy (outbound decryption) and SSL Inbound Inspection (inbound decryption), where candidates mistakenly think importing the server's private key or certificate is needed for Forward Proxy.

13. MCQ (hard)

A firewall is experiencing high CPU utilization due to SSL decryption. The administrator wants to reduce the load without completely disabling decryption. Which action should be taken?

A.Use decryption mirroring to offload decryption to a dedicated appliance.
B.Change decryption policy to 'no-decrypt' for all traffic.
C.Enable SSL/TLS protocol settings to disable weak ciphers.
D.Create a decryption bypass for traffic to high-bandwidth sites with low security risk.
Answer: D

Selectively bypassing low-risk traffic reduces CPU load.

Why this answer

Option D is correct because creating a decryption bypass for traffic to high-bandwidth, low-risk sites reduces the CPU load from SSL decryption by exempting that traffic from decryption, while still allowing decryption for higher-risk traffic. This targeted approach maintains security posture without completely disabling decryption, aligning with best practices for managing decryption resources on Palo Alto Networks firewalls.

Exam trap

The trap here is that candidates often confuse decryption mirroring with offloading decryption, not realizing that mirroring only duplicates traffic for analysis and does not reduce the firewall's decryption workload.

How to eliminate wrong answers

Option A is wrong because decryption mirroring sends a copy of decrypted traffic to a monitoring appliance for analysis, but it does not offload the decryption itself; the firewall still performs the CPU-intensive SSL/TLS decryption. Option B is wrong because changing the decryption policy to 'no-decrypt' for all traffic completely disables decryption, which does not meet the requirement to reduce load without completely disabling decryption. Option C is wrong because disabling weak ciphers in SSL/TLS protocol settings improves security by preventing use of insecure algorithms, but it does not reduce CPU utilization from decryption; in fact, it may increase load by forcing negotiation of stronger ciphers that require more processing.

14. MCQ (easy)

A network administrator wants to monitor traffic that is not decrypted due to a 'No Decrypt' policy rule. Which log type would show that decryption was bypassed?

A.URL Filtering logs
B.Threat logs
C.Tunnel Inspection logs
D.Traffic logs
Answer: D

Traffic logs carry a Decrypted flag for every session, so a session that matched a 'No Decrypt' rule shows Decrypted = no.

Why this answer

The Traffic log records every session the firewall handles and includes a Decrypted column (the session's 'decrypted' flag), so filtering the Traffic log on the source or destination in question shows directly whether a session was decrypted or passed through encrypted. On PAN-OS 10.0 and later there is also a dedicated Decryption log that records the decryption rule matched, the TLS version and cipher suite, and the error reason when a handshake fails; a no-decrypt rule with logging enabled writes entries there as well. Tunnel Inspection logs are unrelated: they record sessions carried inside tunnel protocols the firewall inspects (GRE, non-encrypted IPsec, GTP-U, VXLAN), not SSL/TLS decryption decisions.

Exam trap

The trap here is that 'tunnel' sounds like it refers to an encrypted session, so candidates pick Tunnel Inspection logs; those logs are about tunnelling protocols, not TLS, and the decryption state of an ordinary session is visible in the Traffic log (and, on PAN-OS 10.0 and later, in the Decryption log).

How to eliminate wrong answers

Option A is wrong because URL Filtering logs record web requests and their categories; an undecrypted HTTPS session still produces a URL log entry based on the SNI or certificate CN, but the entry does not state the decryption decision. Option B is wrong because Threat logs are written only when a signature matches, which for encrypted traffic generally requires the payload to have been decrypted, so bypassed sessions do not appear there. Option C is wrong because Tunnel Inspection logs cover tunnel-protocol content inspection, not SSL decryption.

15. MCQ (medium)

A hospital network uses a Palo Alto Networks firewall with outbound SSL decryption. The IT security team notices that during peak hours, the firewall CPU utilization spikes to 95% when decryption is enabled, causing latency for all users. They have already upgraded to maximum licensed throughput and added a dedicated decryption engine. However, the issue persists. The network has 10,000 endpoints and 500 Mbps throughput. The decryption policy includes rules to decrypt all traffic to critical medical cloud services (EHR, PACS) and social media sites. What should the administrator do first to reduce CPU load?

A.Create a more specific decryption policy to only decrypt necessary traffic.
B.Increase the decryption session timeout value.
C.Replace the firewall with a higher-end model.
D.Enable SSL acceleration hardware offloading.
Answer: A

Decrypting only critical medical cloud services reduces the number of sessions requiring decryption, lowering CPU usage.

Why this answer

The correct answer is A because the firewall is decrypting unnecessary traffic (social media sites) in addition to critical medical cloud services. By refining the decryption policy to exclude non-essential traffic, the administrator reduces the CPU load from SSL/TLS handshake and encryption processing, directly addressing the spike without requiring hardware changes. This aligns with Palo Alto Networks best practices of minimizing decryption scope to only traffic that requires inspection.

Exam trap

The trap here is that candidates often assume hardware upgrades or offloading features are the immediate fix, but the PCNSA exam emphasizes that policy optimization (decrypting only what is necessary) is the first step before considering hardware changes.

How to eliminate wrong answers

Option B is wrong because increasing the decryption session timeout value does not reduce CPU utilization; it only keeps idle sessions open longer, potentially increasing resource consumption. Option C is wrong because the administrator has already upgraded to maximum licensed throughput and added a dedicated decryption engine, indicating the hardware is not the bottleneck; replacing the firewall would be a costly and unnecessary step without first optimizing the policy. Option D is wrong because SSL acceleration hardware offloading is typically already enabled on Palo Alto Networks firewalls that support it, and the issue persists despite having a dedicated decryption engine, meaning the problem is policy scope, not offloading capability.

16. MCQ (medium)

A company uses SSL Forward Proxy decryption. The firewall's decryption certificate expires. What immediate impact does this have on traffic?

A.The firewall logs a critical system alert.
B.Users receive certificate warnings when accessing HTTPS sites.
C.Decryption stops working and all SSL traffic is blocked.
D.The firewall automatically renews the certificate from the CA.
Answer: B

The expired cert causes browser warnings.

Why this answer

When the firewall's SSL Forward Proxy decryption certificate expires, the firewall can no longer present a valid certificate to clients during the SSL/TLS handshake. Browsers and applications will detect the expired certificate and display certificate warnings or errors to users, but the firewall may still attempt to decrypt traffic using the expired certificate, causing trust failures. This is the immediate impact because the firewall does not block traffic by default; it continues to proxy the connection, but the client rejects the invalid certificate.

Exam trap

The trap here is that candidates assume decryption stops or traffic is blocked, but Palo Alto Networks firewalls continue to proxy traffic with the expired certificate, causing client-side warnings rather than a firewall-enforced block.

How to eliminate wrong answers

Option A is wrong because a certificate expiration typically generates a system alert or log entry, but the question asks for the immediate impact on traffic, not the logging behavior. Option C is wrong because decryption does not stop; the firewall continues to intercept and re-encrypt traffic using the expired certificate, and SSL traffic is not blocked unless a specific policy action (e.g., 'block if certificate invalid') is configured. Option D is wrong because the firewall does not automatically renew certificates from a CA; certificate renewal is a manual or automated process managed by the administrator, not an automatic firewall function.

17. MCQ (medium)

A company wants to ensure that decryption policies are applied based on the user identity. The firewall is integrated with Active Directory. Which decryption policy matching criteria should be used?

A.Source user
B.URL category
C.Source zone
D.Source IP address
Answer: A

Source user matches authenticated usernames.

Why this answer

Source user allows matching based on user identity from AD.

18
MCQ · easy

Which monitoring tool in a Palo Alto Networks firewall provides real-time visibility into decryption statistics, such as the number of sessions decrypted and certificate errors?

A.Dashboard
B.Policy Optimizer
C.Log Viewer
D.Reports
Answer: A

The Dashboard includes decryption widgets for real-time monitoring.

Why this answer

The Dashboard in a Palo Alto Networks firewall provides real-time visibility into decryption statistics, including the number of sessions decrypted, certificate errors, and decryption failures. This is accessible via the 'Decryption' widget on the Dashboard, which aggregates live data from the decryption engine without requiring log queries or report generation.

Exam trap

The trap here is that candidates often confuse the Dashboard's real-time widgets with the Log Viewer's detailed but historical decryption logs, assuming that any monitoring of decryption must come from logs rather than the live summary view.

How to eliminate wrong answers

Option B (Policy Optimizer) is wrong because it is designed to analyze and recommend security policy rule changes based on traffic patterns, not to display real-time decryption statistics. Option C (Log Viewer) is wrong because it shows historical log entries (e.g., traffic, threat, or decryption logs) but does not provide a real-time aggregated view of decryption metrics like session counts or certificate errors. Option D (Reports) is wrong because it generates scheduled or on-demand historical reports from log data, not live decryption statistics.

19
MCQ · hard

Refer to the exhibit. A network engineer observes a high number of SSL handshake failures. Which action is most likely to reduce these failures?

A.Disable decryption for traffic using unsupported ciphers.
B.Reissue the forward untrust certificate with a stronger key size.
C.Increase the certificate cache size to accommodate more certificates.
D.Ensure the forward trust certificate is trusted by internal clients.
Answer: D

If clients do not trust the forward trust certificate, SSL handshakes will fail. This is a common cause of handshake failures.

Why this answer

The majority of failures are SSL handshake failures (2000 out of 3000). A common reason is that the forward trust certificate is not trusted by clients, causing the client to reject the connection during the handshake.

20
Multi-Select · easy

Which TWO of the following are types of decryption supported by Palo Alto Networks firewalls? (Choose two.)

Select 2 answers
A.SSH Proxy
B.SSL Forward Proxy
C.SSL Inbound Inspection
D.TLS 1.3 Decryption
E.SSL Reverse Proxy
Answers: B, C

Used for outbound decryption.

Why this answer

SSL Forward Proxy is correct because it allows the firewall to decrypt outbound SSL/TLS traffic from internal clients to external servers, enabling inspection of encrypted content for threats and data filtering. This is a core decryption feature in Palo Alto Networks firewalls, distinct from inbound inspection.

Exam trap

The trap here is that candidates may confuse 'SSL Reverse Proxy' with 'SSL Inbound Inspection' or think 'TLS 1.3 Decryption' is a separate feature, when Palo Alto Networks only defines two decryption types: SSL Forward Proxy and SSL Inbound Inspection.

21
MCQ · medium

Refer to the exhibit. A security analyst wants to ensure that all HTTPS traffic from internal users to the internet is decrypted for inspection. However, traffic from the 'corp-users' group is being blocked instead of decrypted. Which configuration change should be made?

A.Add a new rule above rule 1 to decrypt corp-users traffic.
B.Move rule 2 above rule 1.
C.Change rule 4 to 'allow' instead of 'block'.
D.Change rule 2 to use 'any' for source user.
Answer: B

Currently rule 1 (no-decrypt) is first and matches all internal to external traffic, so traffic from corp-users matches rule 1 and is not decrypted. Then rule 4 blocks undecrypted traffic. Moving rule 2 above rule 1 ensures that corp-users traffic matches the decrypt rule first.

Why this answer

The policy is evaluated top-down. Rule 1 (no-decrypt) matches all internal to external traffic, so even corp-users hit rule 1 first. Then rule 4 blocks any undecrypted traffic.

Moving rule 2 above rule 1 ensures that corp-users HTTPS traffic is decrypted first.

22
MCQ · medium

Refer to the exhibit. An administrator notices that some HTTPS sessions are not being decrypted. Which configuration change would address the most common cause of decryption failures shown?

A.Enable 'allow expired certificates' in the SSL decryption profile.
B.Configure a forward trust certificate that is valid and trusted.
C.Increase the session timeout for decryption.
D.Enable support for SSLv3 in the decryption profile.
Answer: A

The warning indicates an expired server certificate. Enabling 'allow expired certificates' will permit decryption even if the server certificate is expired.

Why this answer

The log shows a warning about an expired server certificate causing decryption failure. By enabling 'allow expired certificates' in the decryption profile, the firewall will continue to decrypt traffic even if the server certificate is expired.

23
MCQ · easy

A security administrator wants to inspect decrypted traffic for threats. What is the minimum set of features required?

A.SSL Decryption and Threat Prevention
B.Threat Prevention only
C.SSL Decryption only
D.SSL Decryption and URL Filtering
Answer: A

Both are needed: decryption to see the content, threat prevention to detect threats.

Why this answer

To inspect decrypted traffic for threats, you must first decrypt the traffic using SSL Decryption, which terminates the SSL/TLS session and allows the firewall to examine the plaintext payload. Then, Threat Prevention (which includes IPS, antivirus, and anti-spyware signatures) can analyze that decrypted content for malicious patterns. Without SSL Decryption, Threat Prevention only sees encrypted traffic and cannot inspect the payload; without Threat Prevention, SSL Decryption alone provides no threat detection.

Therefore, both features are required.

Exam trap

The trap here is that candidates often think SSL Decryption alone is sufficient for security, forgetting that decryption is just an enabler and not a security feature itself, or they assume URL Filtering can inspect content, which it cannot.

How to eliminate wrong answers

Option B is wrong because Threat Prevention alone cannot inspect encrypted traffic — it requires decrypted payloads to apply signatures, so it would miss threats in HTTPS sessions. Option C is wrong because SSL Decryption only decrypts traffic but does not perform any threat inspection; it merely makes the content visible but takes no action on threats. Option D is wrong because URL Filtering categorizes and controls access based on URLs, not threat inspection; it does not analyze decrypted content for malware or exploits, so it cannot replace Threat Prevention.

24
MCQ · medium

A network administrator wants to monitor HTTPS traffic without decrypting it, but still wants to identify the applications being used. Which feature can be used to identify HTTPS applications without decryption?

A.SSL Decryption Mirror
B.App-ID with SSL protocol detection
C.SSL Forward Proxy
D.URL Filtering
Answer: B

App-ID can often identify applications in encrypted traffic without decryption.

Why this answer

App-ID with SSL protocol detection allows the firewall to identify HTTPS applications by inspecting the Server Name Indication (SNI) field in the TLS handshake and the certificate common name, without decrypting the traffic. This enables application identification while preserving encryption, meeting the requirement to monitor HTTPS traffic without decryption.

Exam trap

The trap here is that candidates often confuse SSL Forward Proxy (which requires decryption) with SSL protocol detection (which does not), or assume URL Filtering alone can identify applications within encrypted traffic, but it only identifies the destination URL, not the application itself.

How to eliminate wrong answers

Option A is wrong because SSL Decryption Mirror is not a standard feature; it is likely being confused with SSL Forward Proxy decryption or traffic mirroring, which still requires decryption to inspect content. Option C is wrong because SSL Forward Proxy is a decryption method that terminates and re-encrypts HTTPS traffic, requiring decryption to inspect the payload, which violates the 'without decrypting it' requirement. Option D is wrong because URL Filtering relies on URL categories and can identify destinations, but it cannot identify the specific application (e.g., Facebook vs. YouTube) within HTTPS traffic without decryption or additional metadata.
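As an added example (not Palo Alto Networks code and not part of this question bank), the Python below shows the mechanism Q24's answer relies on: reading the SNI host_name out of a TLS ClientHello without any key material or decryption. The ClientHello builder and the host names are constructed for illustration; the extension type constants are the IANA-assigned values.

```python
import struct
from typing import Optional

# Added example: how an inspection point can learn the requested host
# name from a TLS ClientHello without decrypting anything, which is the
# basis of SNI-based application identification. The ClientHello bytes
# are constructed here (not a capture) so the parser runs offline.

SNI_EXT = 0x0000                 # server_name extension type (IANA)
SUPPORTED_VERSIONS_EXT = 0x002B  # supported_versions extension type (IANA)


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record (constructed sample data).

    server_name=None omits the SNI extension, mimicking a client that sends
    no SNI, the case where App-ID must fall back to the certificate CN.
    """
    body = b"\x03\x03"                       # client_version: TLS 1.2
    body += bytes(range(32))                 # 32-byte random (fixed, constructed)
    body += b"\x00"                          # session_id length 0
    suites = b"\x13\x01\xc0\x2f"             # two cipher suite ids
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                      # compression_methods: null only

    # A non-SNI extension first, so the parser has to skip over it.
    extensions = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, 3) + b"\x02\x03\x04"
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name    # name_type host_name(0)
        sni_data = struct.pack("!H", len(entry)) + entry          # server_name_list
        extensions += struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body += struct.pack("!H", len(extensions)) + extensions

    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def _u16(buf: bytes, off: int) -> int:
    """Read a big-endian 16-bit length field, refusing to run past the buffer."""
    if off + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[off:off + 2])[0]


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in a ClientHello's SNI extension.

    Returns None when the ClientHello carries no SNI; raises ValueError when
    the bytes are not a TLS handshake record holding a ClientHello.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + _u16(record, 3)]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("record does not carry a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]

    pos = 2 + 32                              # skip client_version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                      # session_id
    pos += 2 + _u16(body, pos)                # cipher_suites
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    pos += 1 + body[pos]                      # compression_methods
    if pos + 2 > len(body):
        return None                           # legacy client: no extensions block
    end = pos + 2 + _u16(body, pos)
    pos += 2

    while pos + 4 <= end:
        ext_type, ext_len = _u16(body, pos), _u16(body, pos + 2)
        ext = body[pos + 4:pos + 4 + ext_len]
        pos += 4 + ext_len
        if ext_type != SNI_EXT:
            continue
        # server_name_list: 2-byte length, then entries of type(1) + len(2) + name
        list_end = 2 + _u16(ext, 0)
        q = 2
        while q + 3 <= list_end:
            name_type, name_len = ext[q], _u16(ext, q + 1)
            q += 3
            if name_type == 0:                # host_name
                return ext[q:q + name_len].decode("ascii")
            q += name_len
    return None


if __name__ == "__main__":
    for host in ("www.example.com", None):
        print(host, "->", extract_sni(build_client_hello(host)))
```

A ClientHello without SNI yields None, which is exactly the case where identification has to wait for the server's certificate CN.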

25
MCQ · medium

A decryption policy is configured to decrypt traffic to a specific external server. The admin notices that the traffic is not being decrypted. What is the first step in troubleshooting?

A.Verify that the decryption certificate is valid
B.Disable the SSL/TLS service profile
C.Check the traffic log to see if the policy is matched
D.Ensure that the server's certificate is imported
Answer: C

Traffic log shows whether the decryption policy was applied to the session.

Why this answer

The first step in troubleshooting a decryption policy that is not decrypting traffic is to check the traffic log to confirm whether the policy is actually being matched. If the traffic does not match the decryption rule, no decryption will occur regardless of certificate validity or other settings. This aligns with the systematic troubleshooting approach of verifying policy application before investigating deeper configuration issues.

Exam trap

The trap here is that candidates often jump to certificate issues (A or D) because SSL/TLS decryption heavily involves certificates, but the most fundamental check is whether the policy is even being triggered — a classic 'policy before crypto' troubleshooting principle.

How to eliminate wrong answers

Option A is wrong because verifying the decryption certificate is a secondary step; if the policy is not matched, the certificate is never used. Option B is wrong because disabling the SSL/TLS service profile would break decryption entirely, not help diagnose why an existing policy is not being applied. Option D is wrong because importing the server's certificate is not required for outbound decryption (forward proxy) — the firewall generates its own certificate for the client, and the server's certificate is validated but not imported.

26
MCQ · hard

During troubleshooting, a firewall shows a large number of SSL decryption failures with error 'certificate_unknown'. The firewall is configured for forward proxy decryption. What is the most likely cause?

A.The client does not trust the firewall's CA certificate.
B.The server certificate is expired.
C.The firewall cannot reach the CRL or OCSP responder to validate the server certificate.
D.The decryption policy has an incorrect source zone.
Answer: C

This is a common cause of 'certificate_unknown' errors.

Why this answer

In forward proxy decryption, the firewall must validate the server certificate against a Certificate Revocation List (CRL) or via OCSP to ensure it hasn't been revoked. A 'certificate_unknown' error specifically indicates that the firewall cannot determine the revocation status of the server certificate, often because it cannot reach the CRL distribution point or OCSP responder. This is distinct from a certificate that is simply expired or untrusted by the client.

Exam trap

Palo Alto Networks often tests the distinction between client-side trust issues (option A) and server-side validation failures (option C), leading candidates to incorrectly assume the client must trust the firewall's CA when the error actually stems from the firewall's inability to verify the server certificate's revocation status.

How to eliminate wrong answers

Option A is wrong because the client trusting the firewall's CA certificate is required for the client to accept the decrypted connection, but a 'certificate_unknown' error occurs during the firewall's validation of the server certificate, not during client-side trust checks. Option B is wrong because an expired server certificate would produce a different error, such as 'certificate_expired' or 'certificate_not_yet_valid', not 'certificate_unknown'. Option D is wrong because an incorrect source zone in the decryption policy would cause traffic to bypass decryption or be dropped, not generate a specific SSL decryption failure with the 'certificate_unknown' error.

27
Multi-Select · easy

An administrator is troubleshooting decryption-related connectivity issues. Which two log types should be examined to gather information about decryption actions and errors?

Select 2 answers
A.System logs
B.URL Filtering logs
C.Decryption logs
D.Threat logs
E.Traffic logs
Answers: C, E

Decryption logs offer detailed information such as decryption reason, cipher, and certificate details.

Why this answer

Decryption logs are specifically designed to record details about SSL/TLS decryption actions, including handshake failures, certificate validation errors, and decryption policy matches. When troubleshooting connectivity issues related to decryption, these logs provide the most direct insight into why a session might be blocked or failing due to decryption errors.

Exam trap

Palo Alto Networks often tests the distinction between Traffic logs (which show the result of decryption, such as a deny action) and Decryption logs (which show the decryption process itself), leading candidates to mistakenly choose Traffic logs as the primary source for decryption errors.

28
MCQ · easy

A company uses forward proxy decryption. A user cannot access an HTTPS site. The decryption policy is configured with the default SSL/TLS service profile. What is the most likely issue?

A.The decryption policy is set to no-decrypt
B.The firewall's certificate is not trusted by the client
C.The certificate revocation check fails
D.The server certificate is self-signed
Answer: B

The firewall presents its own certificate to the client; if the client does not trust the CA that issued the firewall's certificate, the client will show a warning and may block access.

Why this answer

When forward proxy decryption is used, the firewall generates a new certificate on the fly for the destination site and presents it to the client. If the firewall's certificate is not trusted by the client (i.e., not installed in the client's trusted root certificate store), the browser will display a certificate warning and block access to the HTTPS site. The default SSL/TLS service profile uses the firewall's own CA certificate, which must be distributed to all clients for seamless decryption.

Exam trap

Palo Alto Networks often tests the distinction between server certificate issues (like self-signed or expired) and the firewall's own certificate trust, leading candidates to incorrectly focus on the server certificate rather than the client's trust of the firewall's CA.

How to eliminate wrong answers

Option A is wrong because if the decryption policy were set to no-decrypt, the firewall would simply pass the traffic without inspection, and the user would be able to access the HTTPS site normally (assuming no other blocks). Option C is wrong because a certificate revocation check failure would typically result in a warning or block only if the firewall is configured to enforce revocation, but the question states the decryption policy uses the default SSL/TLS service profile, which does not enable revocation checking by default. Option D is wrong because a self-signed server certificate would cause a warning in the client's browser regardless of decryption, but the question specifically describes a scenario where forward proxy decryption is enabled, and the issue is that the firewall's own certificate is not trusted by the client, not the server's certificate.

29
MCQ · hard

A firewall is configured with decryption and a custom SSL/TLS service profile that has 'Block Expired Certificates' enabled. After renewing a server certificate, some users are unable to access the site. The server certificate is correctly installed. What could be the issue?

A.The renewal caused a private key mismatch
B.The client's system clock is not synchronized
C.The decryption policy still points to the old certificate
D.The firewall's system clock is not synchronized
Answer: D

If the firewall's clock is ahead, it may see the new certificate as not yet valid (since valid_from is in the future) and block it if the profile blocks invalid certificates.

Why this answer

When 'Block Expired Certificates' is enabled in a custom SSL/TLS service profile, the firewall checks the validity period of the server certificate against its own system clock. If the firewall's clock is not synchronized (e.g., via NTP) and is set to a time outside the new certificate's validity window, the firewall will incorrectly treat the valid renewed certificate as expired and block the connection. This explains why users cannot access the site despite the server certificate being correctly installed.

Exam trap

The trap here is that candidates often assume the client's clock is the culprit (Option B) or that the decryption policy needs updating (Option C), but the firewall's own clock is the critical factor when 'Block Expired Certificates' is enabled.

How to eliminate wrong answers

Option A is wrong because a private key mismatch would cause the SSL/TLS handshake to fail with a different error (e.g., 'decryption failed' or 'certificate unknown'), not a block specifically tied to certificate expiry. Option B is wrong because the client's system clock is irrelevant to the firewall's 'Block Expired Certificates' check; the firewall evaluates the certificate against its own clock, not the client's. Option C is wrong because the decryption policy references the service profile (which contains the 'Block Expired Certificates' setting), not the server certificate itself; the renewed certificate is correctly installed on the server, so the policy does not 'point' to an old certificate.

30
MCQ · hard

A company uses SSL Forward Proxy decryption. After implementing it, they notice that some internal applications that use client certificate authentication are failing. What is the most likely cause?

A.The SSL/TLS service profile does not allow self-signed certificates
B.The firewall is not configured to forward client certificates
C.The decryption profile's 'Block Unsupported Modes' is enabled
D.The decryption policy is set to 'decrypt' but not 'proxy'
Answer: B

Client certificate forwarding is required for applications that authenticate with client certificates.

Why this answer

SSL Forward Proxy decryption intercepts and re-encrypts traffic, which strips the original client certificate from the TLS handshake. For internal applications that require client certificate authentication, the firewall must be explicitly configured to forward the client certificate to the destination server. Without this forwarding, the server never receives the certificate, causing authentication failures.

Exam trap

Palo Alto Networks often tests the misconception that enabling decryption alone handles all TLS features, when in fact client certificate forwarding requires an explicit configuration step that many candidates overlook.

How to eliminate wrong answers

Option A is wrong because the issue is not about self-signed certificates; client certificate authentication typically uses certificates issued by an internal CA, and the SSL/TLS service profile does not block self-signed certificates by default. Option C is wrong because 'Block Unsupported Modes' prevents connections using unsupported TLS versions or cipher suites, not client certificate forwarding. Option D is wrong because the decryption policy must be set to 'decrypt' for SSL Forward Proxy to function; 'proxy' is not a valid action in the decryption policy.

31
MCQ · hard

A company has a decryption policy that decrypts all outbound SSL traffic. Recently, users accessing a partner website receive a certificate warning. The partner uses a self-signed certificate. The firewall is configured with a CA-signed certificate for decryption. Which action should the firewall take?

A.The firewall will present the server's self-signed certificate to the client, causing a warning.
B.The firewall will block the connection and generate an alert.
C.The firewall will decrypt the traffic using its own certificate and re-encrypt with the partner's certificate.
D.The firewall will automatically trust the self-signed certificate and pass traffic without decryption.
Answer: A

Since the certificate is untrusted, the firewall displays a warning to the client.

Why this answer

When a firewall is configured for SSL decryption with a CA-signed certificate, it acts as a man-in-the-middle. For outbound traffic to a server using a self-signed certificate, the firewall cannot validate the server's certificate against a trusted CA. It will present the server's self-signed certificate to the client, which the client's browser does not trust, causing a certificate warning.

Exam trap

The trap here is that candidates assume the firewall will use its own CA-signed certificate for all decrypted sessions, but in outbound decryption, the firewall presents the server's certificate to the client when the server certificate is untrusted.

How to eliminate wrong answers

Option B is wrong because the firewall does not block the connection by default; it proceeds with decryption using the server's certificate, leading to a warning. Option C is wrong because the firewall cannot re-encrypt with the partner's certificate; it uses its own CA-signed certificate for the client side, not the server's certificate. Option D is wrong because the firewall does not automatically trust self-signed certificates; it still attempts decryption and presents the server's certificate to the client.

32
MCQ · hard

During a security audit, it is discovered that some internal hosts are using TLS 1.0, which is deprecated. The firewall is configured to decrypt SSL traffic. How can the administrator use the firewall to detect and report these connections without breaking them?

A.Configure a decryption policy rule with action 'Decrypt' and enable 'TLS Version Check' with action 'alert'.
B.Configure a decryption policy rule with action 'No Decrypt' for TLS 1.0 traffic.
C.Use a Security policy rule to block TLS 1.0 traffic.
D.Configure a decryption policy rule with action 'Decrypt' and enable 'TLS Version Check' with action 'block'.
Answer: A

Alert logs the violation without blocking.

Why this answer

Option A is correct because the firewall can decrypt TLS 1.0 traffic (action 'Decrypt') while using the 'TLS Version Check' feature set to 'alert' to detect and log the deprecated protocol without disrupting the connection. This allows the administrator to identify hosts using TLS 1.0 for reporting and remediation, while maintaining business continuity.

Exam trap

The trap here is that candidates may confuse 'TLS Version Check' with a blocking action, assuming that detection requires blocking, or they may incorrectly think that 'No Decrypt' can still detect the TLS version, when in fact decryption must occur to inspect the handshake for version information.

How to eliminate wrong answers

Option B is wrong because setting action 'No Decrypt' for TLS 1.0 traffic would prevent the firewall from inspecting the encrypted content, but it would not actively detect or report the TLS version; the firewall would simply bypass decryption without generating an alert. Option C is wrong because using a Security policy rule to block TLS 1.0 traffic would break the connections, which contradicts the requirement to detect and report without breaking them. Option D is wrong because enabling 'TLS Version Check' with action 'block' would drop the TLS 1.0 connections, violating the requirement to not break them.

33
MCQ · medium

Refer to the exhibit. A user in the trust zone accesses a banking site (category: financial-services). What action will the firewall take on this HTTPS session?

A.Error due to rule conflict
B.Block
C.No Decrypt (bypass decryption)
D.Decrypt
Answer: C

Rule 1 matches financial-services and its action is no-decrypt.

Why this answer

The firewall is configured with a decryption policy that matches the banking site (financial-services category) and has the action set to 'No Decrypt'. This action explicitly bypasses SSL/TLS decryption for the session, allowing the HTTPS traffic to pass through without inspection. The user in the trust zone accessing the site will therefore have the session proceed without decryption.

Exam trap

The trap here is that candidates often assume any HTTPS session must be decrypted for inspection, but the 'No Decrypt' action explicitly bypasses decryption while still allowing the session through, which is a common configuration for regulated or sensitive traffic categories.

How to eliminate wrong answers

Option A is wrong because there is no rule conflict; the decryption policy explicitly defines a 'No Decrypt' action for the financial-services category, which is a valid and unambiguous configuration. Option B is wrong because the decryption policy does not block the session; 'No Decrypt' allows the traffic to pass without decryption, whereas a block would require a security rule with a deny action. Option D is wrong because the decryption policy action is 'No Decrypt', not 'Decrypt'; the firewall will not perform SSL/TLS decryption on this session.

34
Multi-Select · medium

Which THREE of the following are valid actions for a decryption policy rule? (Choose three.)

Select 3 answers
A.No Decrypt
B.Forward Untrust Certificate
C.Block
D.Forward
E.Decrypt
Answers: A, B, E

Bypasses decryption.

Why this answer

Option A is correct because 'No Decrypt' is a valid action in a decryption policy rule that explicitly excludes traffic from decryption, often used for traffic that cannot be decrypted (e.g., certificate pinning) or should not be inspected for compliance reasons. This action ensures the firewall forwards the traffic without attempting SSL/TLS interception.

Exam trap

Palo Alto Networks often tests the distinction between decryption policy actions and security policy actions, so the trap here is confusing 'Block' (a security rule action) with decryption rule actions, or assuming 'Forward' is a decryption action when it is actually a default behavior for non-decrypted traffic.

35
Multi-Select · easy

Which TWO logs are most useful for troubleshooting SSL decryption issues? (Select exactly two.)

Select 2 answers
A.GlobalProtect log
B.System log
C.Threat log
D.Traffic log
E.URL Filtering log
Answers: B, D

System logs include certificate validation errors and profile changes.

Why this answer

The System log (B) records decryption-related events, such as certificate validation failures, handshake errors, and unsupported cipher suites, which are critical for diagnosing SSL decryption issues. The Traffic log (D) shows whether traffic was decrypted or bypassed, including the 'Decrypted' flag and details about the SSL/TLS handshake, allowing you to verify decryption policy application.

Exam trap

The trap here is that candidates often confuse the Threat log (which shows post-decryption threats) with logs that diagnose the decryption process itself, or mistakenly think GlobalProtect logs are relevant because SSL decryption is sometimes used in VPN environments.

36
Multi-Select · hard

A firewall administrator is configuring SSL decryption for internal users. Which THREE components are required for forward proxy decryption to function properly? (Choose three.)

Select 3 answers
A.The server's private key
B.The firewall's root CA certificate deployed to client browsers
C.A security policy rule allowing decrypted traffic
D.A decryption policy rule with action 'decrypt'
E.A CA certificate installed on the firewall
Answers: B, D, E

Clients must trust the firewall's CA to avoid certificate warnings.

Why this answer

In forward proxy decryption, the firewall acts as a trusted intermediary by generating a certificate for each HTTPS site the user visits, signed by the firewall's own root CA. For this to work without browser security warnings, the firewall's root CA certificate must be deployed to every client browser's trusted root store. This allows the browser to trust the firewall's dynamically generated server certificates, enabling seamless decryption and inspection of outbound SSL/TLS traffic.

Exam trap

The trap here is confusing forward proxy decryption (which requires the firewall's own CA certificate and its deployment to clients) with inbound/SSL termination decryption (which requires the server's private key), leading candidates to incorrectly select Option A.

37
MCQ · medium

An admin notices that decryption is failing for some sites with error 'SSL Handshake Failed' in the traffic log. The decryption policy uses a custom SSL/TLS service profile with 'Allow Self-Signed Certificates' enabled. The firewall's certificate was issued by an internal CA. What should the admin check first?

A.The firewall's certificate is expired
B.The decryption policy's action is set to 'decrypt'
C.The server certificate chain is invalid
D.The client is using an outdated browser
Answer: C

An invalid or incomplete server certificate chain is a common cause of SSL handshake failure.

Why this answer

Option C is correct because the error 'SSL Handshake Failed' typically indicates a problem with the server certificate chain, such as an intermediate CA certificate missing or an untrusted root. Even with 'Allow Self-Signed Certificates' enabled, the firewall must validate the entire certificate chain for forward decryption; if the chain is invalid or incomplete, the handshake fails. The admin should first verify that the server's certificate chain is complete and trusted by the firewall's certificate store.

Exam trap

The trap here is that candidates assume enabling 'Allow Self-Signed Certificates' bypasses all certificate validation, but in reality, the firewall still validates the full certificate chain, and a broken chain causes the handshake to fail.

How to eliminate wrong answers

Option A is wrong because an expired firewall certificate would cause a different error (e.g., 'certificate expired') or a warning to the client, not a generic 'SSL Handshake Failed' in the traffic log. Option B is wrong because the decryption policy's action being set to 'decrypt' is necessary for decryption to occur, but the error is about the SSL handshake itself, not the policy action; if the action were not 'decrypt', no decryption attempt would happen. Option D is wrong because an outdated browser would cause client-side errors (e.g., unsupported cipher or protocol), not a server-side handshake failure logged by the firewall.

38
MCQ · easy

An administrator sees the above traffic log entries. What can be concluded about the traffic to 192.168.1.1?

A.The traffic was decrypted because it matched a decryption policy.
B.The traffic was decrypted because the application is SSL.
C.The traffic was not decrypted because it matched a no-decrypt policy.
D.The traffic was not decrypted because the destination is external.
Answer: A

The 'Decrypted: yes' field indicates decryption was applied.

Why this answer

The traffic log entries indicate that the session to 192.168.1.1 was decrypted, as shown by the decryption flag or action field (e.g., 'decrypt'). This occurs when the traffic matches a decryption policy configured on the firewall, typically for SSL/TLS inspection. The destination being internal (192.168.1.1) and the application being SSL are not sufficient conditions for decryption; a matching decryption rule is required.

Exam trap

Palo Alto Networks often tests the misconception that SSL application traffic is automatically decrypted, but in reality, decryption requires an explicit policy rule; the trap here is confusing application identification with policy enforcement.

How to eliminate wrong answers

Option B is wrong because the application being SSL does not automatically cause decryption; decryption only occurs if a decryption policy explicitly matches the traffic. Option C is wrong because the traffic was decrypted, as indicated by the log, so it could not have matched a no-decrypt policy. Option D is wrong because the destination is internal (192.168.1.1 is a private IP), not external, and even if it were external, decryption depends on policy, not destination type.

39
MCQ · medium

Refer to the exhibit. An administrator notices a high number of decryption failures. What is the most likely cause?

A. The SSL session cache size is too small.
B. The firewall's certificate is not trusted by client devices.
C. SSL Forward Proxy is not enabled.
D. Non-HTTP traffic is being decrypted.
Answer: B

Certificate validation failures indicate that clients cannot verify the firewall's certificate.

Why this answer

When the firewall's certificate is not trusted by client devices, clients will reject the SSL handshake, resulting in decryption failures. This is a common issue in SSL Forward Proxy deployments where the firewall generates a certificate for each session, and clients must trust the firewall's CA certificate. Without this trust, clients display certificate warnings or fail to connect, leading to a high number of decryption failures.

Exam trap

Palo Alto Networks often tests the distinction between decryption failures caused by untrusted certificates versus configuration issues like cache size or protocol mismatches, trapping candidates who confuse performance problems with trust-related handshake failures.

How to eliminate wrong answers

Option A is wrong because the SSL session cache size affects performance and renegotiation overhead, not the number of decryption failures; a small cache would cause more full handshakes but not failures. Option C is wrong because SSL Forward Proxy must be enabled for decryption to occur; if it were not enabled, there would be no decryption at all, not a high number of failures. Option D is wrong because non-HTTP traffic being decrypted would cause errors or performance issues, but the firewall typically only attempts decryption on allowed ports (e.g., 443), and this would not be the primary cause of a high failure count.

40
MCQ · hard

A security team wants to inspect traffic to and from a critical application server. They configure an inbound decryption rule to decrypt traffic destined to the server's IP address. After deploying, they find that traffic is not being decrypted. What is the first step to troubleshoot?

A. Confirm that the decryption profile is set to 'decrypt' and that the forward proxy option is enabled.
B. Check the decryption policy rule order and ensure it is before any no-decrypt rules.
C. Verify that the server's certificate is installed on the firewall.
D. Ensure that the firewall has a valid certificate for inbound inspection.
Answer: B

Rule order is the first thing to check; a higher-priority no-decrypt rule would cause the traffic to bypass decryption.

Why this answer

Option B is correct because in Palo Alto Networks firewalls, decryption policy rules are evaluated in order from top to bottom, and the first matching rule is applied. If a 'no-decrypt' rule appears before the inbound decryption rule, traffic matching the server's IP will be handled by the no-decrypt rule and will not be decrypted. Therefore, verifying rule order is the first troubleshooting step.

Exam trap

Palo Alto Networks often tests the misconception that certificate issues are the primary cause of decryption failures, but in Palo Alto environments, rule order and policy evaluation are the most common first-step troubleshooting focus.

How to eliminate wrong answers

Option A is wrong because the decryption profile's 'decrypt' setting and forward proxy option are relevant for outbound SSL Forward Proxy decryption, not for inbound SSL Inbound Inspection, which uses a different configuration (the server's certificate). Option C is wrong because the server's certificate is not installed on the firewall for inbound inspection; instead, the firewall uses a copy of the server's private key and certificate (or a CA-signed certificate) to re-encrypt traffic, but the server's certificate is already on the server itself. Option D is wrong because the firewall does not need a 'valid certificate for inbound inspection' in the sense of a separate certificate; it needs the server's private key and certificate (or a certificate signed by a trusted CA) to perform SSL Inbound Inspection, but this is not the first troubleshooting step.

41
MCQ · hard

A firewall administrator notices that traffic from an internal user is being decrypted, but the user's browser shows a certificate warning. The firewall uses a CA certificate issued by the company's internal PKI. What is the most likely reason for the browser warning?

A. The decryption policy has the action 'decrypt' but no certificate profile.
B. The firewall's root CA certificate is not installed in the user's browser trusted root store.
C. The user's browser does not support TLS 1.2.
D. The server certificate is revoked.
Answer: B

This is the most common cause of browser certificate warnings in forward proxy scenarios.

Why this answer

Option B is correct because the browser warning indicates that the firewall's decrypted traffic is being signed with a certificate that the browser does not trust. When a firewall performs SSL/TLS decryption using a CA certificate from the company's internal PKI, the browser will only trust the decrypted connections if the root CA certificate of that PKI is installed in the browser's trusted root certificate store. Without this trust anchor, the browser cannot validate the certificate chain presented by the firewall, resulting in a certificate warning.

Exam trap

The trap here is that candidates often confuse a missing trusted root CA certificate with a server certificate revocation or a decryption policy misconfiguration, failing to recognize that the browser warning specifically indicates a trust chain issue rather than a revocation or policy error.

How to eliminate wrong answers

Option A is wrong because a decryption policy with the action 'decrypt' but no certificate profile would cause the firewall to fail to decrypt traffic entirely, not produce a browser certificate warning after decryption. Option C is wrong because TLS 1.2 support is unrelated to certificate trust warnings; if the browser did not support TLS 1.2, the connection would fail or fall back to an older version, not show a certificate warning. Option D is wrong because server certificate revocation would cause a different error (e.g., CRL or OCSP failure) and is not related to the firewall's own CA certificate not being trusted by the browser.

42
Multi-Select · easy

A security analyst is troubleshooting a decryption issue. Which TWO logs are most useful for identifying decryption failures? (Choose two.)

Select 2 answers
A. Config Logs
B. Traffic Logs
C. System Logs
D. Threat Logs
E. Decryption Logs
Answers: B, E

Traffic logs indicate whether a session was decrypted.

Why this answer

Traffic Logs (B) are most useful because they record the result of decryption actions, including whether decryption was applied and if it succeeded or failed, with specific error codes. Decryption Logs (E) are dedicated logs that capture detailed decryption events, such as handshake failures, certificate errors, or unsupported cipher suites, making them essential for troubleshooting decryption failures.

Exam trap

Palo Alto Networks often tests the distinction between Traffic Logs (which show the outcome) and Decryption Logs (which show the reason), leading candidates to mistakenly choose System Logs or Config Logs because they assume decryption issues are system-wide or configuration-related.

43
MCQ · easy

A firewall is configured for inbound inspection decryption. Which certificate must be installed on the firewall for this to work?

A. The client's certificate.
B. The server's certificate and private key.
C. A trusted CA certificate from the enterprise PKI.
D. The firewall's own self-signed certificate.
Answer: B

Inbound inspection needs the server's private key to decrypt traffic.

Why this answer

Inbound inspection decryption requires the firewall to act as a TLS proxy, intercepting and decrypting traffic destined for a protected server. To do this, the firewall must possess the server's certificate and its corresponding private key, allowing it to terminate the TLS connection from the client and re-encrypt traffic to the server. Without the private key, the firewall cannot decrypt the session.

Exam trap

The trap here is that candidates confuse inbound inspection decryption with SSL forward proxy decryption, where the firewall uses its own certificate or a CA-signed certificate, leading them to incorrectly choose Option C or D.

How to eliminate wrong answers

Option A is wrong because the client's certificate is used for client authentication (e.g., mutual TLS), not for inbound decryption; the firewall does not need the client's private key. Option C is wrong because a trusted CA certificate from the enterprise PKI is used to validate server certificates or to sign decryption certificates, but it does not provide the private key needed to decrypt traffic. Option D is wrong because the firewall's own self-signed certificate would not be trusted by clients for the server's domain, causing TLS handshake failures; it is typically used for forward proxy decryption, not inbound inspection.

44
Multi-Select · hard

A security analyst needs to monitor decryption performance and identify sessions that are bypassing decryption due to policy or technical reasons. Which two monitoring tools or methods can provide this insight?

Select 2 answers
A. Decryption logs with filter 'decryption action not equal to decrypt'
B. System logs with filter 'decryption bypass'
C. ACC (Application Command Center) > Decryption Overview
D. Traffic logs with filter 'action equals decrypt' and 'reason equals bypass'
E. Packet capture on the decryption port
Answers: A, C

Decryption logs can be filtered to show sessions where decryption was not performed, including bypass reasons.

Why this answer

Option A is correct because decryption logs with a filter for 'decryption action not equal to decrypt' will show sessions that were not decrypted, including those bypassed due to policy (e.g., excluded URLs) or technical reasons (e.g., unsupported cipher suites). Option C is correct because the ACC > Decryption Overview provides a dashboard that visualizes decryption performance metrics, such as the number of sessions bypassed, decrypted, or failed, giving the analyst a high-level view of bypass activity.

Exam trap

The trap here is that candidates may confuse traffic logs with decryption logs, or assume that system logs contain decryption session details, when in fact decryption-specific logs and the ACC Decryption Overview are the correct sources for monitoring bypass activity.

45
Multi-Select · medium

During SSL decryption, which three factors can cause the firewall to fail to decrypt a session or to bypass decryption?

Select 3 answers
A. The decryption rule has a schedule that is not currently active.
B. The SSH protocol is being used instead of SSL/TLS.
C. The firewall's decryption hardware accelerator is faulty.
D. The server certificate is signed by a CA not trusted by the firewall.
E. The session uses a cipher that is not listed in the decryption profile's allowed ciphers.
Answers: A, D, E

A rule with a schedule that is out of window will not match, so decryption will not apply.

Why this answer

Option A is correct because a decryption rule with a schedule that is not currently active will not apply, causing the firewall to bypass decryption for the matching traffic. The firewall checks the schedule before attempting decryption, and if the schedule is inactive, the rule is effectively disabled, leading to a bypass.

Exam trap

The trap here is that candidates may think a faulty hardware accelerator (Option C) directly causes decryption failure, but Palo Alto Networks firewalls fall back to software decryption if hardware acceleration fails, so it does not result in a bypass or failure to decrypt.

46
MCQ · medium

A company wants to decrypt all SSL/TLS traffic from internal users except traffic to financial sites. The firewall is placed as a forward proxy. Which policy configuration ensures that traffic to financial sites is not decrypted?

A. Create a decryption policy and use the 'exclude cache' option for financial sites.
B. Create a security policy that allows financial sites without decryption; then create a decryption policy with action 'no-decrypt' for those sites.
C. Create a decryption policy with action 'decrypt' and a source zone of internal; then create a decryption exemption for financial URLs.
D. Create a decryption policy with action 'no-decrypt' for traffic to financial sites, and a catch-all decryption policy with action 'decrypt' for all other traffic.
Answer: D

This ensures financial traffic is not decrypted while all other traffic is decrypted.

Why this answer

Option D is correct because it uses a specific 'no-decrypt' action in a decryption policy for financial sites, which explicitly excludes them from SSL/TLS decryption. A catch-all policy with 'decrypt' then ensures all other internal user traffic is decrypted. This approach directly aligns with the forward proxy requirement to decrypt all traffic except the specified financial sites.

Exam trap

The trap here is that candidates often confuse security policies with decryption policies, or mistakenly think that a 'decrypt' action with an exemption list is equivalent to a 'no-decrypt' policy, when in fact Palo Alto Networks requires a separate decryption policy with the 'no-decrypt' action for explicit exclusion.

How to eliminate wrong answers

Option A is wrong because the 'exclude cache' option is used to prevent caching of decrypted content, not to exclude traffic from decryption; it does not affect whether decryption occurs. Option B is wrong because a security policy alone cannot control decryption; decryption is governed by decryption policies, not security policies, and the order of policy evaluation requires a decryption policy to specify 'no-decrypt'. Option C is wrong because a decryption exemption is not a valid configuration in Palo Alto Networks firewalls; the correct method is to use a decryption policy with action 'no-decrypt'.

47
Multi-Select · hard

Which TWO of the following are best practices for configuring SSL Forward Proxy decryption? (Choose two.)

Select 2 answers
A. Use a self-signed certificate for decryption.
B. Decrypt all internal traffic including server-to-server.
C. Exclude traffic to financial and healthcare sites from decryption.
D. Decrypt all outbound traffic regardless of destination.
E. Install the firewall's CA certificate on all client devices.
Answers: C, E

Compliance requirements often prohibit decryption of sensitive sites.

Why this answer

Options C and E are correct. Option A is wrong because CA-signed certificates are recommended for trust. Option B is wrong because decrypting internal traffic can cause issues; best practice is to exclude internal traffic. Option D is wrong because decrypting all traffic is not recommended; use selective decryption.

48
MCQ · easy

Refer to the exhibit. The firewall raises a certificate expiry warning for the decryption CA. Which action is required?

A. Renew the decryption CA certificate before expiry
B. Ignore the warning as it is only informational
C. Import a new server certificate
D. Disable decryption until renewal
Answer: A

The CA certificate must be valid for decryption to work; it should be renewed.

Why this answer

The decryption CA certificate is used by the firewall to generate and sign internal server certificates for SSL decryption. When it expires, the firewall can no longer create new decryption certificates, causing SSL decryption to fail for new sessions. Renewing the decryption CA certificate before expiry ensures uninterrupted decryption and avoids certificate validation errors for clients.

Exam trap

Palo Alto Networks often tests the distinction between the decryption CA certificate (which must be renewed) and server certificates (which are imported for specific sites), leading candidates to mistakenly choose importing a new server certificate.

How to eliminate wrong answers

Option B is wrong because the certificate expiry warning is not merely informational; an expired decryption CA will break SSL decryption functionality, leading to service disruption. Option C is wrong because importing a new server certificate addresses individual server certificates, not the decryption CA certificate that signs them; the CA certificate must be renewed independently. Option D is wrong because disabling decryption until renewal is unnecessary and overly disruptive; the correct action is to proactively renew the CA certificate while the current one is still valid.

49
MCQ · hard

Refer to the exhibit. An administrator configures decryption for HTTPS traffic from internal users. However, traffic using TLS 1.3 is not being decrypted. Which change should be made to decrypt TLS 1.3 traffic?

A. Change the min-version to 'tls1-3'.
B. Add a new rule for TLS 1.3 traffic.
C. Change the 'ssl-protocol-settings' max-version to 'tls1-3'.
D. Enable 'decrypt-unknown-protocol' to capture all traffic.
Answer: C

The profile currently restricts max version to TLS 1.2. To decrypt TLS 1.3, the max version must be set to tls1-3.

Why this answer

The decryption profile specifies max-version as tls1-2, which prevents decryption of TLS 1.3 traffic. Updating the max-version to tls1-3 allows decryption of TLS 1.3 sessions.

50
MCQ · easy

A company wants to decrypt all SSL traffic from internal users to external websites. They have deployed a Palo Alto Networks firewall in forward proxy mode and installed a trusted root CA certificate on all endpoints. Users, however, are complaining about certificate errors when accessing HTTPS sites. Which configuration step is most likely missing?

A. The decryption profile is set to block sessions with untrusted certificates.
B. The firewall is performing inbound inspection instead of forward proxy.
C. The firewall's decryption certificate is not signed by the installed root CA.
D. No decryption profile is attached to the decryption rule.
Answer: C

The firewall's decryption certificate must be signed by the root CA installed on endpoints; otherwise, errors occur.

Why this answer

Option C is correct because in forward proxy decryption, the firewall generates a decryption certificate that must be signed by the trusted root CA installed on the endpoints. If the decryption certificate is self-signed or signed by a different CA, the browser will not trust it, causing certificate errors. The root CA certificate must be installed on all endpoints to establish a chain of trust for the firewall-generated certificates.

Exam trap

The trap here is that candidates often confuse the need for a decryption profile (Option D) with the fundamental requirement of a trusted root CA certificate, or they mistakenly think blocking untrusted certificates (Option A) is the cause of errors rather than a consequence of missing trust.

How to eliminate wrong answers

Option A is wrong because blocking sessions with untrusted certificates would prevent access entirely, not cause certificate errors; the complaint is about errors, not blocked access. Option B is wrong because inbound inspection is used for decrypting traffic destined to internal servers, not for outbound SSL traffic from internal users to external websites, which requires forward proxy mode. Option D is wrong because even without a decryption profile attached, the decryption rule would still apply default decryption settings; the missing step is the certificate trust chain, not the profile attachment.

51
MCQ · hard

A large enterprise uses Palo Alto Networks firewalls with SSL Forward Proxy to inspect all HTTPS traffic (port 443) from internal users. Recently, users have reported slow web browsing and intermittent failures when accessing certain financial and healthcare websites. The firewall's dataplane CPU consistently reaches 85-95% during business hours. The decryption policy is configured with a single rule that decrypts all outbound HTTPS traffic using the default SSL Forward Proxy settings. The firewall is a PA-5250 with ample license capacity. What should the administrator do to resolve the performance issues while maintaining security posture?

A. Increase the maximum number of concurrent SSL sessions allowed.
B. Disable decryption for high-bandwidth websites such as video streaming services.
C. Implement decryption exclusion rules for financial and healthcare websites.
D. Enable hardware acceleration for SSL decryption.
Answer: C

Excluding problematic sites reduces decryption overhead while maintaining security on most traffic.

Why this answer

Option C is correct because financial and healthcare websites often use certificate pinning or require specific cipher suites that may not be compatible with the firewall's default SSL Forward Proxy settings. By excluding these sites from decryption, the administrator reduces the decryption load on the dataplane CPU and avoids breaking connectivity to sensitive sites, while still decrypting the majority of HTTPS traffic to maintain security posture.

Exam trap

The trap here is that candidates may assume hardware acceleration (Option D) is a magic fix for all performance issues, but in reality, the PA-5250 already has it enabled, and the bottleneck is the CPU's capacity to handle the cryptographic operations, not the acceleration feature itself.

How to eliminate wrong answers

Option A is wrong because increasing the maximum number of concurrent SSL sessions would increase the CPU load, not reduce it, as the firewall would attempt to handle more simultaneous decryption operations, worsening the high CPU issue. Option B is wrong because disabling decryption for high-bandwidth websites like video streaming services would reduce CPU load but would also bypass security inspection for a large volume of traffic, weakening the security posture and potentially allowing threats to hide in encrypted streams. Option D is wrong because the PA-5250 already has hardware acceleration for SSL decryption enabled by default; the issue is not a lack of hardware support but rather the CPU being overwhelmed by the sheer volume of decryption operations, and enabling it again would have no effect.

52
MCQ · hard

A company has a Palo Alto firewall with both inbound and outbound decryption. The security team notices that some traffic to a specific internal server is being double-decrypted: first by inbound decryption when the client is internal, and second by outbound decryption when the server initiates connections to external resources. This causes performance issues and certificate warnings. The firewall policy has separate rules for inbound and outbound decryption, and all internal traffic passes through the firewall. How should the administrator resolve this?

A. Create a decryption exclusion rule for traffic between internal clients and the internal server.
B. Ensure that the inbound decryption rule only applies to traffic from external sources, not internal.
C. Disable outbound decryption for the subnet of the internal server.
D. Use a no-decrypt rule for traffic from the internal server's IP to the internet.
Answer: B

By restricting the source zone to Untrust, internal clients will not be subject to inbound decryption, eliminating double decryption.

Why this answer

The core issue is that inbound decryption is incorrectly applied to traffic from internal clients to the internal server, causing double decryption when the server subsequently initiates outbound connections. By ensuring the inbound decryption rule only applies to traffic from external sources (i.e., source zone is untrust), internal-to-internal traffic bypasses inbound decryption, eliminating the double-decryption loop. This aligns with best practices where inbound decryption is scoped to traffic originating outside the network.

Exam trap

The trap here is that candidates may focus on excluding specific traffic (options A, C, D) rather than correcting the zone-based scope of the inbound decryption rule, which is the fundamental cause of the double-decryption problem.

How to eliminate wrong answers

Option A is wrong because a decryption exclusion rule would prevent decryption of traffic between internal clients and the internal server, but it does not address the root cause—the inbound decryption rule incorrectly matching internal traffic—and may still allow the server's outbound decryption to cause certificate warnings. Option C is wrong because disabling outbound decryption for the internal server's subnet would prevent legitimate decryption of the server's outbound traffic to external resources, potentially breaking security inspection for that traffic. Option D is wrong because a no-decrypt rule for the internal server's IP to the internet only stops outbound decryption for that server, but does not fix the inbound decryption misapplication that causes the initial double-decryption when internal clients connect to the server.

53
MCQ · easy

An administrator wants to view logs related to decryption failures. Which log type should they use?

A. Traffic logs
B. Threat logs
C. URL Filtering logs
D. System logs
Answer: A

Traffic logs include fields for decryption status and failure reason.

Why this answer

Traffic logs capture all session-level events, including decryption failures, because they record the action taken by the firewall (e.g., 'decrypt', 'no-decrypt', or 'decrypt-error'). When decryption fails due to issues like certificate validation errors, unsupported cipher suites, or handshake failures, the firewall logs the session as a traffic log entry with a specific reason code. This makes Traffic logs the correct source for troubleshooting decryption failures.

Exam trap

The trap here is that candidates confuse 'decryption failures' with 'threat events' and select Threat logs, not realizing that decryption errors are session-level actions logged in Traffic logs, not security threat detections.

How to eliminate wrong answers

Option B (Threat logs) is wrong because threat logs record malware, exploits, and vulnerability events, not decryption failures. Option C (URL Filtering logs) is wrong because URL filtering logs track website categorization and access decisions, not the cryptographic handshake or certificate errors. Option D (System logs) is wrong because system logs capture administrative events, system health, and configuration changes, not per-session decryption errors.

54
MCQ · hard

Refer to the exhibit. An administrator notices a large number of decryption sessions. What is a valid conclusion based on the output?

A. The firewall is rejecting many sessions due to certificate errors.
B. There are a few sessions failing due to TLS version mismatch.
C. The decryption policy is not being hit because of low policy hits.
D. The current decryption session count is at its peak.
Answer: B

The 5 TLS version failures in the output indicate that a few sessions are failing because of a TLS version mismatch.

Why this answer

The exhibit shows decryption sessions with a 'TLS version mismatch' error, which indicates that the firewall is failing to establish a decryption session because the client and server are attempting to use different TLS versions (e.g., TLS 1.0 vs. TLS 1.2). This is a specific failure reason logged in the decryption session table, and the large number of such sessions confirms that many are failing due to this mismatch, not due to certificate errors or policy issues.

Exam trap

Palo Alto Networks often tests the ability to distinguish between different decryption failure reasons (TLS version mismatch vs. certificate errors vs. cipher mismatch), and the trap here is that candidates may assume any decryption failure is due to certificate issues, ignoring the specific error message in the output.

How to eliminate wrong answers

Option A is wrong because certificate errors would be logged as 'certificate validation failure' or 'certificate revoked' in the decryption session log, not as 'TLS version mismatch'. Option C is wrong because the decryption policy is being hit (sessions are being decrypted), as evidenced by the large number of decryption sessions; low policy hits would show few or no decryption sessions. Option D is wrong because the output does not provide any historical or peak data; the current session count could be high but there is no baseline to determine if it is at its peak.

55
MCQ · medium

An administrator runs the command and sees the above output. What is the most likely cause of the large number of handshake failures?

A. The firewall's CRL server is unreachable.
B. The server is using an unsupported cipher suite.
C. The decryption policy is not matching the traffic.
D. The firewall's certificate is not trusted by clients.
Answer: B

Cipher mismatches commonly cause handshake failures.

Why this answer

The output shows a large number of handshake failures, which typically occur during the SSL/TLS handshake when the client and server cannot agree on a common cipher suite. If the server only supports weak or outdated ciphers that the firewall's decryption policy does not allow, or if the firewall's SSL forward proxy engine does not support the server's chosen cipher, the handshake will fail. This is the most likely cause because cipher suite mismatch is a common source of handshake failures in decryption environments.

Exam trap

The trap here is that candidates often confuse handshake failures with certificate validation issues, but handshake failures specifically indicate a failure in the initial negotiation phase (e.g., cipher mismatch or protocol version incompatibility), not a trust or CRL problem.

How to eliminate wrong answers

Option A is wrong because an unreachable CRL server would cause certificate validation failures, not handshake failures; handshake failures occur before certificate validation in the SSL/TLS handshake. Option C is wrong because if the decryption policy is not matching the traffic, the firewall would simply not decrypt it (passing it through), which would not generate handshake failures. Option D is wrong because if the firewall's certificate is not trusted by clients, clients would generate certificate warnings or errors, but the handshake itself would complete; the failure would occur at the client's trust validation step, not during the handshake.

56
MCQ · hard

An organization uses inbound inspection decryption for their public-facing web servers. They have imported the server's certificate and private key into the firewall. However, some clients report 'untrusted certificate' warnings. What is the most likely cause?

A. The server's certificate is using an unsupported cipher
B. The decryption profile's 'Unsupported Modes' is set to 'Block'
C. The decryption policy is not matching the traffic
D. The firewall is not configured with the root CA certificate
Answer: D

Without the full chain, the firewall sends only the server certificate, which browsers may not trust.

Why this answer

When a firewall performs inbound inspection decryption, it re-encrypts traffic using the server's certificate. If the firewall does not have the root CA certificate that issued the server's certificate, the firewall cannot present a complete certificate chain to clients. Clients then see the certificate as untrusted because the issuing CA is not recognized, even though the server's certificate and private key are correctly imported.

Exam trap

Palo Alto Networks often tests the distinction between importing the server certificate (for re-encryption) and importing the root CA certificate (for chain completeness); candidates commonly assume the server certificate alone is sufficient for trust.

How to eliminate wrong answers

Option A is wrong because unsupported ciphers would cause a decryption failure or connection drop, not an 'untrusted certificate' warning; the warning is a client-side trust issue, not a cipher mismatch. Option B is wrong because the 'Unsupported Modes' setting in the decryption profile controls how the firewall handles traffic that cannot be decrypted (e.g., block or allow), not the trust status of a successfully decrypted and re-encrypted certificate. Option C is wrong because if the decryption policy were not matching the traffic, the firewall would not perform decryption at all, and clients would connect directly to the server without seeing any firewall-generated certificate; the 'untrusted certificate' warning specifically indicates the firewall is intercepting and re-encrypting, but the certificate chain is incomplete.

57
MCQ · medium

After enabling SSL decryption, users report that some websites fail to load. The firewall logs show 'decryption error' for these sites. Which decryption profile setting should the administrator check first?

A. Block sessions with expired certificates
B. Block sessions with certificate status unknown
C. Block sessions with unsupported cipher suites
D. Block sessions with untrusted issuers
Answer: D

If enabled, sessions with certificates from untrusted CAs will be blocked, causing 'decryption error'.

Why this answer

When SSL decryption is enabled, the firewall acts as a man-in-the-middle and must re-sign the server's certificate with its own CA. If the server's certificate is issued by an untrusted CA (i.e., not in the firewall's trusted CA list), the firewall cannot verify the chain of trust and will block the session if the 'Block sessions with untrusted issuers' option is enabled. This is the most common cause of 'decryption error' logs for sites that previously worked without decryption.

Exam trap

The trap here is that candidates often confuse 'untrusted issuer' with 'expired certificate' or 'certificate status unknown', but the 'decryption error' log specifically points to a chain-of-trust validation failure, which is directly controlled by the 'Block sessions with untrusted issuers' setting.

How to eliminate wrong answers

Option A is wrong because expired certificates cause a different error (e.g., 'certificate expired') and are handled by a separate profile setting; the question specifies 'decryption error' logs, not expiration errors. Option B is wrong because 'certificate status unknown' refers to OCSP/CRL verification failures, which are less common and typically produce a distinct log message; the default behavior is to allow sessions with unknown status unless explicitly blocked. Option C is wrong because unsupported cipher suites would cause a handshake failure before decryption even begins, and the firewall would log a 'handshake failure' or 'no shared cipher' error, not a generic 'decryption error'.

58
Multi-Select · medium

Which TWO actions can be performed in a decryption policy? (Choose two.)

Select 2 answers
A. App-ID
B. Allow
C. No-decrypt
D. Block
E. Decrypt
Answers: C, E

'No-decrypt' tells the firewall not to decrypt the matching traffic.

Why this answer

Option C (No-decrypt) is correct because a decryption policy rule can be configured with a 'No-decrypt' action to explicitly bypass decryption for specified traffic, such as traffic to sites that cannot be decrypted (e.g., financial or healthcare sites) or to reduce processing overhead. This action allows the firewall to forward the traffic without attempting SSL/TLS interception, which is essential for compliance and performance reasons. Option E (Decrypt) is correct because it is the action that instructs the firewall to intercept the matching encrypted session and inspect its contents according to the assigned decryption profile.

Exam trap

The trap here is that candidates confuse security policy actions (like Allow and Block) with decryption policy actions, forgetting that decryption policy only supports Decrypt, No-decrypt, and Block, and that 'Allow' is not a valid decryption action.

59
Multi-Select · medium

Which THREE factors should be considered when deciding which traffic to decrypt? (Select exactly three.)

Select 3 answers
A. Privacy regulations
B. The cost of SSL certificates
C. Performance impact of decryption
D. User productivity
E. Compliance requirements
Answers: A, C, E

Privacy laws may prohibit decryption of sensitive personal data.

Why this answer

Option A is correct because privacy regulations such as GDPR, HIPAA, or PCI DSS often restrict the decryption of traffic containing personally identifiable information (PII) or protected health information (PHI). Decrypting such traffic without proper safeguards can lead to legal penalties and data breach exposure. Palo Alto Networks firewalls can apply decryption policies that exclude traffic to specific URL categories or IP ranges to remain compliant with these regulations. Option C is correct because decryption consumes firewall CPU and session resources, so the performance impact limits how much traffic can be decrypted. Option E is correct because compliance requirements determine which traffic may, or must, be inspected.

Exam trap

Palo Alto Networks often tests the misconception that cost or user productivity is a primary factor in decryption decisions, when in reality the exam focuses on privacy regulations, performance impact, and compliance requirements as the three key considerations.

60
MCQ · hard

A user at IP 10.0.0.10 is accessing a server at 192.168.1.5. According to the decryption policy, what will happen to the traffic?

A. The traffic will be decrypted using the default profile.
B. The traffic will not be decrypted because of the no-decrypt rule.
C. The traffic will be decrypted using the inbound profile.
D. The traffic will be blocked because no security rule allows it.
Answer: B

Rule 2 matches the traffic exactly and sets no-decrypt.

Why this answer

The decryption policy contains a no-decrypt rule that matches traffic from source IP 10.0.0.10 to destination IP 192.168.1.5. Since the no-decrypt rule explicitly excludes this traffic from decryption, the firewall will forward the traffic without applying any decryption profile. This is the correct behavior because no-decrypt rules take precedence over decrypt rules for matching traffic.

Exam trap

Palo Alto Networks often tests the misconception that decryption policy can block traffic or that a no-decrypt rule still applies a profile; the trap here is confusing decryption policy actions (decrypt/no-decrypt) with security policy actions (allow/deny).

How to eliminate wrong answers

Option A is wrong because the default profile is only applied when a decrypt rule matches and no specific profile is assigned; a no-decrypt rule prevents any decryption from occurring. Option C is wrong because the inbound profile is used only when a decrypt rule with an inbound decryption profile matches; a no-decrypt rule overrides any profile assignment. Option D is wrong because decryption policy does not block traffic; it only determines whether decryption is applied, and security rules handle blocking independently.

61
MCQ · medium

Refer to the exhibit. A firewall log shows a decryption failure for a session. What is the most probable cause?

A. The firewall's system time is ahead of the certificate's validity start
B. The server's certificate is expired
C. The decryption profile rejects self-signed certificates
D. The client's system time is behind
Answer: A

The certificate's valid-from date is in the future relative to the firewall's clock.

Why this answer

When the firewall's system time is ahead of the certificate's validity start (the 'not before' date), the firewall treats the certificate as not yet valid. During SSL/TLS decryption, the firewall validates the server certificate's time constraints against its own system clock. If the firewall's clock is ahead, the certificate appears to be from the future, causing a decryption failure even though the server and client clocks may be correct.

Exam trap

Palo Alto Networks often tests the distinction between certificate expiry (notAfter) and certificate not-yet-valid (notBefore), where candidates mistakenly assume any decryption failure is due to an expired certificate rather than a clock skew issue.

How to eliminate wrong answers

Option B is wrong because an expired server certificate (past the 'not after' date) would also cause a decryption failure, but the scenario specifically describes the firewall's time being ahead, which points to the 'not before' issue, not expiry. Option C is wrong because the question does not mention a decryption profile rejecting self-signed certificates; the log shows a decryption failure, not a policy-based rejection. Option D is wrong because the client's system time is irrelevant to the firewall's decryption process; the firewall uses its own system clock to validate certificate validity, not the client's clock.

62
Multi-Select · easy

Which TWO actions are recommended for monitoring decrypted traffic on a Palo Alto Networks firewall?

Select 2 answers
A. Disable decryption during peak hours.
B. Create an ACC filter for decrypted sessions.
C. Use the 'decryption' log type.
D. Enable logging on decryption policies.
E. Export decrypted traffic to a log collector.
Answers: B, D

ACC allows visual monitoring of decrypted traffic patterns.

Why this answer

Option B is correct because the ACC (Application Command Center) filter for decrypted sessions allows you to visualize and monitor decrypted traffic in real time, providing insights into applications, threats, and URLs within those sessions. Option D is correct because enabling logging on decryption policies ensures that decrypted session details are recorded in the decryption log, which is essential for auditing and troubleshooting decrypted traffic.

Exam trap

The trap here is that candidates may confuse the 'decryption' log type with a real log category, but Palo Alto Networks does not have a separate decryption log type; decryption events are logged under the traffic log when logging is enabled on the decryption policy.

63
MCQ · hard

A mid-sized enterprise has deployed a Palo Alto Networks firewall with SSL Forward Proxy decryption for outbound traffic. The firewall uses a CA-signed certificate from a public CA, and the certificate is installed on all corporate-managed endpoints. Recently, the security team noticed that a few users are unable to access a specific external SaaS application (app.example.com) over HTTPS. Other users can access it without issues. The firewall logs show that for these users, the session is being decrypted and no threat is detected. The application uses a valid certificate from a public CA. The affected users are in the same IP subnet and use the same browser version. Which is the most likely cause?

A. The decryption policy is set to 'No Decrypt' for the affected users' source IP range.
B. The firewall is performing SSH proxy instead of SSL decryption for those users.
C. The firewall's CA certificate is not installed or trusted on the affected users' endpoints.
D. The SaaS application's certificate has expired for those users due to time zone differences.
Answer: C

Without trust, the browser rejects the decrypted connection.

Why this answer

Option C is correct because SSL Forward Proxy decryption requires the firewall to generate a new certificate on the fly for the destination server, signed by the firewall's own CA certificate. If the CA certificate is not trusted on the affected users' endpoints, the browser will display a certificate warning or block the connection entirely, even though the decryption policy is applied and no threats are detected. Since other users in the same subnet can access the application, the issue is isolated to the trust store on the affected machines, not the network or decryption policy.

Exam trap

The trap here is that candidates may assume the decryption policy is misconfigured or that the server certificate is invalid, but the key detail is that the firewall logs show decryption is occurring and no threats are detected, pointing to a client-side trust issue rather than a policy or server problem.

How to eliminate wrong answers

Option A is wrong because if the decryption policy were set to 'No Decrypt' for the affected users' source IP range, the firewall logs would show the session as not decrypted, but the logs explicitly state the session is being decrypted. Option B is wrong because SSH proxy is a separate feature for decrypting SSH traffic, not HTTPS; the firewall would not perform SSH proxy for HTTPS traffic, and the logs would indicate a different protocol. Option D is wrong because the application uses a valid certificate from a public CA, and time zone differences do not cause certificate expiration; certificate validity is based on UTC time, and the firewall would report an expired certificate in the logs if that were the case.

64
MCQ · easy

A Palo Alto firewall administrator wants to monitor SSL decryption efficiency. Which log type provides the most detailed information about decryption actions and reasons for not decrypting?

A. System logs
B. Decryption logs
C. Traffic logs
D. Threat logs
Answer: B

Decryption logs provide comprehensive data including decryption reason, certificate info, and cipher details.

Why this answer

Decryption logs are specifically designed to record detailed information about SSL decryption actions, including whether traffic was decrypted, not decrypted, or bypassed, along with the exact reason (e.g., unsupported cipher, certificate mismatch, excluded category). This granularity is essential for monitoring decryption efficiency and troubleshooting decryption policies.

Exam trap

The trap here is that candidates may confuse Traffic logs (which show a decryption flag) with Decryption logs (which provide the detailed reason), leading them to choose Traffic logs as the most detailed source when Decryption logs are the correct answer.

How to eliminate wrong answers

Option A is wrong because System logs capture system-level events (e.g., reboots, HA state changes, license expiration) and do not contain per-session decryption decisions or reasons for not decrypting. Option C is wrong because Traffic logs record session metadata (source/destination IP, ports, application, bytes) and may indicate if decryption was applied via a flag, but they lack the specific reason codes for why decryption was skipped or failed. Option D is wrong because Threat logs focus on detected threats (e.g., malware, exploits, spyware) and do not provide decryption-specific actions or exclusion reasons.

65
MCQ · medium

A company has a decryption policy that decrypts all traffic except for traffic to financial sites. However, users report that some financial sites are still being decrypted. What should the admin check first?

A. The decryption policy rule order
B. The firewall's system logs
C. The certificate revocation status
D. The SSL/TLS service profile settings
Answer: A

Rules are evaluated top-down; a decrypt rule above the no-decrypt rule will match first.

Why this answer

The decryption policy is evaluated in order from top to bottom, and the first matching rule is applied. If a rule that decrypts traffic is placed above the rule that excludes financial sites, traffic to those sites will be decrypted before reaching the exclusion rule. The admin should check the rule order to ensure the financial site exclusion rule is positioned above any decrypting rules.

Exam trap

The trap here is that candidates often assume the issue is with certificates or logs, overlooking the fundamental first-match policy evaluation order that directly causes the described behavior.

How to eliminate wrong answers

Option B is wrong because system logs record events after policy enforcement, but they do not affect the policy order; the issue is a misconfiguration in the policy sequence, not a logging deficiency. Option C is wrong because certificate revocation status (CRL/OCSP) is checked during SSL/TLS handshake validation, not for determining which traffic to decrypt; it is unrelated to policy rule ordering. Option D is wrong because SSL/TLS service profile settings define cipher suites and protocol versions for decryption, not the traffic matching logic that determines which sites are decrypted or excluded.

66
MCQ · medium

A university uses a Palo Alto firewall for outbound SSL decryption. The IT helpdesk receives complaints that students cannot access certain educational resource websites (e.g., online libraries, research databases) after decryption was enabled. The firewall logs show 'decryption failure' for these sites with reason 'certificate validation failure'. The decryption profile is set to 'Block sessions with expired certificates' and 'Block sessions with untrusted issuers'. The helpdesk verifies that the root CA certificate is installed on all endpoints. The issue is intermittent and only affects a few sites. What should the administrator do?

A. Update the firewall's certificate revocation list (CRL).
B. Add the websites to a decryption policy exception rule.
C. Disable blocking for untrusted issuers in the decryption profile.
D. Use a decryption profile that allows sessions with certificate status unknown.
Answer: D

Intermittent validation failures often stem from unreachable CRL/OCSP; allowing unknown status lets the firewall decrypt the session.

Why this answer

The correct answer is D because the 'decryption failure' with 'certificate validation failure' and 'certificate status unknown' indicates that the firewall cannot determine the revocation status of the site's certificate (e.g., no CRL or OCSP responder reachable). The current decryption profile blocks sessions with expired certificates and untrusted issuers, but it does not explicitly block sessions with 'certificate status unknown'. By using a decryption profile that allows sessions with certificate status unknown, the firewall will permit the SSL handshake to proceed even when revocation checking fails, resolving the intermittent access issues for those specific educational sites.

Exam trap

The trap here is that candidates confuse 'certificate status unknown' with 'untrusted issuer' or 'expired certificate', leading them to choose options that disable broader security controls (like untrusted issuer blocking) instead of the specific setting that addresses the revocation check failure.

How to eliminate wrong answers

Option A is wrong because updating the CRL would not help if the certificate's revocation status is 'unknown' (i.e., the CRL or OCSP responder is unreachable or the certificate is not listed); the issue is not a stale CRL but a failure to obtain any revocation status. Option B is wrong because adding the websites to a decryption policy exception rule would bypass decryption entirely, which is an overreaction and would defeat the purpose of outbound SSL decryption for security monitoring; the issue is specific to certificate validation, not a need to exclude the sites from decryption. Option C is wrong because disabling blocking for untrusted issuers would allow sessions with certificates from untrusted CAs, but the logs indicate 'certificate validation failure' with 'certificate status unknown', not that the issuer is untrusted; this would weaken security unnecessarily and not address the root cause.
