A multinational corporation uses Palo Alto Networks firewalls at its headquarters and five branch offices. SSL Forward Proxy decryption is enabled for all outbound HTTPS traffic. Recently, users in the finance department have reported that several banking and financial websites fail to load, displaying a certificate error in the browser. The errors occur only for these specific sites, while other HTTPS sites work fine. The firewall administrator has already added decryption exclusion rules for the affected domains, but the problem persists. The decryption policy is configured with a single rule that decrypts all ssl service traffic, and the exclusion rules are placed below this global decrypt rule. Which of the following is the best course of action to resolve the issue?
Correct: In a decryption policy, rules are evaluated top-down. Exclusion rules must appear before more general decrypt rules to take effect.
Why this answer
The exclusion rules must be placed above the global decrypt rule because decryption policy rules are evaluated in order from top to bottom. If the global decrypt rule sits above the exclusions, it matches the traffic first and the firewall attempts decryption, which causes the certificate errors. Moving the exclusions above the global rule ensures they are evaluated before the decrypt rule.