Which THREE are valid methods to decrypt SSL/TLS traffic on a Palo Alto Networks firewall? (Choose three.)
Decrypts SSH traffic for inspection.
Why this answer
SSH Proxy is a valid method for decrypting SSL/TLS traffic on a Palo Alto Networks firewall because it allows the firewall to act as a man-in-the-middle for SSH connections, decrypting the SSH tunnel to inspect the encapsulated traffic. This is distinct from SSL/TLS decryption but is grouped under the same decryption feature set for inspecting encrypted protocols.
Exam trap
The trap here is that candidates may confuse Decryption Mirror (a monitoring tool) with a decryption method, or mistakenly think IPsec Decryption applies to SSL/TLS, when in fact IPsec operates at a different layer and is not used for SSL/TLS traffic inspection.