CCNA Decryption SSL Questions

29 questions · SSL Decryption topic · All types, answers revealed

1
MCQ · hard

A multinational corporation uses Palo Alto Networks firewalls at its headquarters and five branch offices. SSL Forward Proxy decryption is enabled for all outbound HTTPS traffic. Recently, users in the finance department have reported that several banking and financial websites fail to load, displaying a certificate error in the browser. The errors occur only for these specific sites, while other HTTPS sites work fine. The firewall administrator has already added decryption exclusion rules for the affected domains, but the problem persists. The decryption policy is configured with a single rule that decrypts all SSL traffic, and the exclusion rules are placed below this global decrypt rule. Which of the following is the best course of action to resolve the issue?

A.Create a decryption profile that excludes the failing domains
B.Disable SSL decryption for all traffic
C.Reorder the decryption policy rules so that the exclusion rules are above the global decrypt rule
D.Replace the firewall's internal CA certificate with a publicly trusted certificate
Answer: C

Correct: In a decryption policy, rules are evaluated top-down. Exclusion rules must appear before more general decrypt rules to take effect.

Why this answer

The exclusion rules must be placed above the global decrypt rule because decryption policy rules are evaluated in order from top to bottom and the first match wins. With the global decrypt rule on top, every SSL session matches it, the firewall attempts decryption, and the exclusion rules below are never consulted, so the affected sites keep failing. Moving the exclusions above the decrypt rule ensures they are evaluated first, and an audit of the rulebase for other no-decrypt rules shadowed by a broader rule above them is worthwhile at the same time.

2
Multi-Select · easy

Which TWO of the following are supported decryption scenarios on a Palo Alto Networks firewall?

Select 2 answers
A.Decryption Broker
B.SSL Forward Proxy
C.SSL Termination
D.SSH Proxy
E.SSL Inbound Inspection
Answers: B, E

Correct: SSL Forward Proxy decrypts outbound traffic from internal clients to external servers; SSL Inbound Inspection decrypts traffic to internal servers whose certificate and private key are loaded on the firewall.

Why this answer

SSL Forward Proxy (outbound: the firewall re-signs server certificates with its forward trust CA) and SSL Inbound Inspection (inbound: the firewall holds the protected server's certificate and private key) are the two SSL decryption scenarios on PAN-OS. SSH Proxy is a third decryption policy type, but it decrypts SSH rather than SSL/TLS, so it is not an SSL scenario. Decryption Broker is a real PAN-OS feature, but it is not a decryption method: it takes traffic already decrypted by one of the two scenarios above and passes it through a chain of third-party security devices before re-encrypting it. SSL Termination is not a PAN-OS decryption type at all.

3
MCQ · medium

A network administrator observes that some SSL connections are failing to be decrypted. Based on the exhibit, what is the most likely reason for the majority of the failures?

A.The firewall's certificate is not trusted by clients
B.No decryption policy rule matches the traffic
C.The client and server negotiate an unsupported cipher
D.The decryption profile is misconfigured
Answer: B

The statistics show 20 failures due to policy not matched, which is the highest cause.

Why this answer

The highest count under Failed Handshakes is "Decryption policy not matched" with 20 failures, indicating that no decryption policy rule matches the traffic for those connections. The other causes have lower counts.

4
Multi-Select · medium

Which TWO conditions typically cause the firewall to bypass SSL decryption for a session? (Choose two.)

Select 2 answers
A.The firewall detects that the session is already decrypted (e.g., by another device).
B.The client and server negotiate a cipher suite not supported by the firewall.
C.The certificate presented by the server is not valid (e.g., expired, untrusted).
D.The traffic matches a 'no-decrypt' rule in the decryption policy.
E.The decrypted data exceeds a certain size threshold.
Answers: B, C

If the cipher is unsupported, the firewall cannot decrypt; whether it then passes the session through or blocks it is set in the decryption profile.

Why this answer

Option B is correct because the firewall proxies both halves of the session and must negotiate a cipher suite it supports with each side. If the server insists on a suite that the decryption settings do not allow, the handshake cannot complete under decryption. What happens next is a profile setting: with the default decryption profile the session is passed through undecrypted (a bypass), and only when 'Block sessions with unsupported cipher suites' is enabled is it dropped instead. Option C is correct because when the server presents an expired, untrusted or name-mismatched certificate the firewall cannot build a clean chain to present to the client. Here too the decryption profile decides the outcome: by default the forward proxy re-signs the certificate with its Forward Untrust CA so the browser shows a warning, and the 'Block sessions with expired certificates' and 'Block sessions with untrusted issuers' checks turn that into a block; a silent bypass is only one of the possible results.

Exam trap

The trap here is that candidates often confuse policy-based 'no-decrypt' rules (intentional exclusions) with technical conditions that prevent decryption, or assume that an invalid server certificate always ends the session, when in fact the decryption profile's certificate checks decide whether such a session is blocked, passed through, or re-signed with the Forward Untrust CA so that the user sees a warning.

5
Multi-Select · hard

Which TWO of the following are valid considerations when designing an SSL Forward Proxy decryption deployment in a Palo Alto Networks firewall?

Select 2 answers
A.Decryption is applied globally to all traffic; selective decryption is not possible.
B.The firewall can decrypt all TLS sessions regardless of client certificate authentication.
C.When deploying SSL Forward Proxy, the firewall must generate a certificate for each decrypted session to re-encrypt traffic to the client.
D.Traffic using Server Name Indication (SNI) in TLS must be decrypted at the firewall or it will be dropped.
E.The firewall uses a decryption policy to determine which traffic to decrypt.
Answers: C, E

The firewall acts as a proxy, generating a certificate signed by a trusted CA to re-encrypt traffic to the client.

Why this answer

In an SSL Forward Proxy deployment, the firewall acts as a man-in-the-middle: it terminates the client's TLS connection, inspects the decrypted traffic, and then initiates a new TLS connection to the server. To re-encrypt the traffic back to the client, the firewall must dynamically generate a certificate for each session, signed by a trusted CA certificate installed on the client devices. This ensures the client sees a valid certificate chain and does not generate a certificate warning.

Exam trap

The trap here is that candidates often assume SSL Forward Proxy can decrypt all TLS traffic, including sessions with client certificate authentication. The firewall cannot hold the client's private key, so it cannot complete a client-authenticated handshake toward the server. By default such sessions are passed through undecrypted; the decryption profile can instead be set to block sessions that require client authentication.

6
MCQ · easy

A security administrator wants to minimize the performance impact of SSL decryption on the firewall. Which best practice should be applied?

A.Configure decryption settings per interface to distribute load.
B.Disable SSL decryption entirely to avoid performance issues.
C.Create decryption exclusion rules for traffic that is known to be low-risk and high-volume.
D.Enable decryption on all traffic to ensure complete visibility.
Answer: C

Reduces decryption overhead while maintaining security for risky traffic.

Why this answer

Option C is correct because creating decryption exclusion rules for low-risk, high-volume traffic (e.g., software updates, video streaming, or trusted CDN traffic) reduces the firewall's decryption workload, minimizing performance impact while still allowing decryption of sensitive or risky traffic. This aligns with Palo Alto Networks best practices to balance security and performance by excluding traffic that does not require inspection.

Exam trap

The trap here is that candidates may think distributing decryption per interface (Option A) is a valid load-balancing technique, but Palo Alto Networks firewalls do not support interface-level decryption configuration, and the correct approach is to use exclusion rules to selectively bypass decryption for low-risk traffic.

How to eliminate wrong answers

Option A is wrong because there is no per-interface decryption setting: decryption policy rules match on source and destination zone, address, user, service and URL category, and decryption capacity is a property of the platform, not of an interface. Option B is wrong because disabling SSL decryption entirely eliminates visibility into encrypted threats, which defeats the purpose of the firewall and does not balance performance against security. Option D is wrong because decrypting all traffic adds latency and load for high-volume, low-risk traffic that does not need inspection, which is the opposite of selective decryption.

7
Multi-Select · easy

Which TWO types of traffic should typically be excluded from SSL decryption for compliance or operational reasons? (Choose two.)

Select 2 answers
A.Traffic to social media websites.
B.Traffic between internal data center servers.
C.Traffic to healthcare portals and electronic medical records.
D.Traffic to financial services websites (e.g., banking, investment).
E.Traffic to external email services (e.g., Gmail).
Answers: C, D

HIPAA and other regulations may restrict decryption.

Why this answer

Options C and D are correct: healthcare portals and financial services sites carry data that regulations (HIPAA, PCI DSS, banking secrecy rules in some jurisdictions) and corporate privacy policy commonly require to stay end-to-end encrypted, and Palo Alto Networks' own decryption best practices name the financial-services and health-and-medicine URL categories as the usual no-decrypt exceptions. Option A is wrong because social media is a high-risk category for malware delivery and data leakage and is normally decrypted. Option B is wrong because server-to-server traffic inside the data center is not a compliance exclusion; where it needs inspection it is handled with SSL Inbound Inspection using the servers' own keys. Option E is wrong because external webmail is a common data exfiltration channel and is typically decrypted rather than excluded.

8
MCQ · hard

During SSL decryption, the firewall logs show 'ssl_decrypt_unsupported_cipher' errors for several connections. What is the likely cause and solution?

A.The firewall's SSL/TLS service profile does not include the cipher suites used by the client or server.
B.The firewall does not support decryption of that traffic.
C.The decryption certificate is not trusted by the client.
D.The decryption rule is not matching the traffic.
Answer: A

The cipher is unsupported; adding it to the profile resolves the issue.

Why this answer

The 'ssl_decrypt_unsupported_cipher' error indicates that the firewall, acting as the TLS proxy, could not agree on a cipher suite with one side of the session during the decryption handshake. On the server leg the firewall offers only the suites enabled in its decryption settings; if the server accepts none of them, the handshake fails with this error. The fix is to enable the missing suites, typically ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, which modern servers require, or, if the server supports only suites that were disabled on purpose (weak or legacy), to exempt that destination with a no-decrypt rule instead of weakening the profile for everyone. Terminology caveat: in PAN-OS the decryption-side protocol versions and algorithms are set in the Decryption Profile (SSL Protocol Settings); the SSL/TLS Service Profile governs the firewall's own TLS services such as the management interface and GlobalProtect. Option A uses the term loosely.

Exam trap

The trap here is that candidates often confuse cipher suite mismatch with certificate trust issues or rule misconfiguration, but the specific error message 'ssl_decrypt_unsupported_cipher' directly points to the cipher suite list in the SSL/TLS service profile.

How to eliminate wrong answers

Option B is wrong because the firewall does support decryption of that traffic; the error is specifically about cipher mismatch, not a lack of decryption capability. Option C is wrong because a certificate trust issue would generate errors like 'certificate validation failed' or 'untrusted issuer', not 'unsupported cipher'. Option D is wrong because if the decryption rule were not matching, the traffic would bypass decryption entirely, and no SSL decryption error would be logged.

9
MCQ · easy

A network administrator is troubleshooting decryption failures for HTTPS traffic to a financial website. The firewall is configured with SSL Forward Proxy decryption policy that applies to the 'financial-services' URL category. The firewall uses an internal CA certificate to sign generated certificates. Users report a certificate error in their browsers when accessing 'https://www.bankofalice.com'. The error says the certificate is not trusted, even though the internal CA certificate is installed on all client devices. The administrator checks the firewall logs and sees no decryption errors; the session is being decrypted successfully. The administrator also confirms that the decryption policy is active and the firewall is not bypassing decryption. What is the most likely cause of the certificate error?

A.The website uses Certificate Pinning which causes the browser to reject the firewall's certificate.
B.The firewall's decryption certificate does not have the correct subject name for the website.
C.The firewall's decryption certificate is expired.
D.The decryption policy is configured to 'no-decrypt' for that traffic.
Answer: A

Certificate pinning causes the browser to expect a specific certificate hash; even a validly signed certificate from the firewall will be rejected.

Why this answer

Option A is correct because a pinned client expects a specific key (the server's, or one in its chain) and rejects any substitute, so the firewall's per-session certificate is refused even though it chains to the installed internal CA. The firewall generates that certificate with its own key pair, so the pin check fails on the client while the firewall's own logs show a successful decryption. Caveat for practitioners: HPKP, the header-based browser pinning mechanism, was deprecated and removed from the major browsers, and current browsers with built-in pin lists do not enforce pins against a chain that ends in a locally installed enterprise root; in practice, pinning failures under decryption show up far more often in native and mobile applications than in the browser. The operational answer is the same either way: a no-decrypt rule or an SSL Decryption Exclusion entry for the host.

Exam trap

The trap here is that candidates often assume a certificate error means a CA trust issue or expired certificate, but the key clue is that the internal CA is installed and decryption succeeds—pointing to a pinning or key mismatch scenario that bypasses normal certificate validation.

How to eliminate wrong answers

Option B is wrong because the forward proxy copies the subject and SAN of the original server certificate onto the certificate it generates, so a name mismatch is not expected, and if one occurred the browser would report a name mismatch rather than an untrusted certificate. Option C is wrong because an expired forward trust CA would break every decrypted site, not just one, and the browser would report expiry rather than distrust. Option D is wrong because the administrator confirmed that the session is being decrypted; under a 'no-decrypt' rule the client would receive the real server certificate and there would be no generated certificate to reject.

10
MCQ · medium

An engineer is configuring SSL Forward Proxy decryption for internal users. The firewall must decrypt traffic to all external HTTPS sites except specific financial services domains that require end-to-end encryption. Which best practice should the engineer implement to achieve this?

A.Disable decryption globally and create a custom URL category for the financial domains to enable decryption only for those.
B.Create two Decryption Policy rules: one with 'ssl-decrypt' action for the general category and a second rule with 'no-decrypt' action for the financial domains.
C.Upload the server certificates for the financial domains to the firewall and enable 'no-decrypt' on the Decryption Profile.
D.Configure a single Decryption Policy rule with a 'decrypt' action and add the financial domains to the 'Exclude Certificate' list.
Answer: B

This allows decryption of most traffic while exempting the specified domains, following best practice.

Why this answer

Option B is correct because the supported way to exempt traffic from SSL Forward Proxy is a Decryption Policy rule with the 'no-decrypt' action, and that rule must sit above the broader 'ssl-decrypt' rule, since decryption policy is evaluated top-down and the first match wins. Traffic to the financial services domains then matches the exception and is forwarded untouched, while all other external HTTPS traffic falls through to the decrypt rule.

Exam trap

The trap here is treating a certificate or hostname list as a substitute for policy: whether a session is decrypted is decided by the Decryption Policy rule that matches it, while the Decryption Profile only tunes how a decrypted session is handled.

How to eliminate wrong answers

Option A is wrong because it inverts the requirement: decrypting only the financial domains exposes exactly the traffic that must stay end-to-end encrypted. Option C is wrong because importing the servers' certificates does nothing for a forward-proxy exemption and a Decryption Profile has no 'no-decrypt' action; the action belongs to the policy rule. Option D is wrong because a Decryption Profile has no per-domain 'Exclude Certificate' list. PAN-OS does keep a hostname-based SSL Decryption Exclusion list under Device > Certificate Management, but that list exists for applications that break under decryption (pinning, client certificates); a compliance exemption belongs in an explicit no-decrypt rule, where it is ordered, logged and auditable alongside the rest of the policy.

11
MCQ · hard

An organization is deploying SSL inbound proxy decryption (SSLi) to protect servers in a DMZ. Which consideration is critical for the firewall to properly decrypt inbound traffic destined to these servers?

A.The firewall must present the server's public certificate to clients.
B.The firewall must have a trusted CA certificate installed.
C.The firewall must possess the server's private key to re-encrypt traffic.
D.The firewall must be configured to only accept TLS 1.2 or higher.
Answer: C

Inbound inspection decrypts with the protected server's own private key; without it the firewall cannot complete the client's handshake.

Why this answer

In SSL Inbound Inspection (the question's 'SSL inbound proxy decryption') the firewall is loaded with the DMZ server's certificate and private key. With that key it can complete the client's handshake exactly as the server would, presenting the server's real certificate, so the client sees no change and no forward trust CA is involved. With RSA key exchange the firewall can recover the session keys directly from the handshake it observes; with forward-secret (DHE/ECDHE) suites it must terminate the client session and open its own session to the server. In both cases the server's private key is the one thing it cannot do without.

Without the private key the firewall cannot complete the client-side handshake at all, making option C correct.

Exam trap

The trap here is that candidates often confuse inbound decryption (where the firewall needs the server's private key) with outbound decryption (where the firewall needs a trusted CA certificate to generate certificates for clients), leading them to incorrectly select option B.

How to eliminate wrong answers

Option A is not the critical consideration: in inbound inspection the firewall does present the server's own certificate to clients, but it can only finish that handshake because it also holds the matching private key; the public certificate on its own is useless. Option B is wrong because a trusted CA certificate is a forward-proxy requirement, needed to sign the certificates generated for outbound sessions; inbound inspection generates no certificates. Option D is wrong because restricting TLS versions is a hardening choice made in the decryption profile, not a prerequisite for decryption; the firewall can decrypt any version it supports.

12
MCQ · medium

A company wants to decrypt traffic to productivity and collaboration sites but avoid decrypting traffic to financial and healthcare sites due to compliance. How should the SSL decryption policy be configured?

A.Add all financial and healthcare sites to a custom URL list and exclude them.
B.Create a decrypt-all rule and then add exceptions for financial and healthcare categories.
C.Create a rule to decrypt based on URL categories except financial and healthcare.
D.Use time-based rules to apply decryption only during business hours.
Answer: C

Allows targeted decryption based on categories.

Why this answer

Option C is correct because decryption rules match on URL category, so the decrypt rules can be scoped to the productivity and collaboration categories while the financial-services and health-and-medicine categories are kept out of them (in practice, a no-decrypt rule for those two categories placed above the decrypt rules). Option A is wrong because a hand-maintained URL list is static and will miss sites that the continuously updated category database already classifies. Option B is wrong because it decrypts far more than the stated requirement and depends entirely on the exception rules being ordered above the catch-all. Option D is wrong because time of day has nothing to do with the compliance requirement, and decryption policy rules do not carry a schedule in any case.

13
MCQ · hard

A user from subnet 10.0.1.0/24 accesses a website categorized as 'Finance'. Based on the exhibit, what will be the result?

A.The traffic will not be decrypted because Rule 3 matches.
B.The traffic will be decrypted by Rule 2.
C.The traffic will be blocked because no matching rule exists.
D.The traffic will be decrypted by Rule 1.
Answer: B

Rule 2 is the first rule whose source subnet and category both match, so it decides the action.

Why this answer

Option B is correct because Rule 2 matches traffic from subnet 10.0.1.0/24 to the 'Finance' category and has an action of 'decrypt'. The exhibit shows Rule 2 with source 10.0.1.0/24, destination category 'Finance', and action 'decrypt'. Since the user's traffic matches all criteria in Rule 2, it will be decrypted.

Rule 3 is not evaluated because Rule 2 matches first and has a higher priority (lower rule number).

Exam trap

Palo Alto Networks often tests the rule evaluation order in decryption policies, where candidates mistakenly think a later rule (like Rule 3) overrides an earlier matching rule (Rule 2) due to a more specific category or action, but in reality, the first match wins regardless of specificity.

How to eliminate wrong answers

Option A is wrong because Rule 3 matches a different source subnet (10.0.2.0/24) and a different category ('Health'), so it does not apply to this traffic; the traffic will not be decrypted by Rule 3. Option C is wrong because a matching rule (Rule 2) exists, so the traffic will not be blocked due to no matching rule. Option D is wrong because Rule 1 has an action of 'no-decrypt' and matches a different source subnet (10.0.0.0/24), so it does not decrypt the traffic.
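
The rule-ordering behaviour behind questions 1, 10 and 13 is easy to model. The following is an added example, not PAN-OS code: it implements top-down first-match evaluation over the rule fields those questions use (source zone, source address, destination URL category, action) plus a shadow check that flags a no-decrypt exception placed below a broader decrypt rule. Zone names, addresses and category labels are constructed for illustration.

```python
"""Decryption policy evaluation: top-down, first match wins.

Added example for questions 1, 10 and 13; it is not PAN-OS code. It models
only the rule fields those questions use (source zone, source address,
destination URL category, action) and a shadow check that catches the
misordering from question 1. Zone names, addresses and categories are
constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class DecryptRule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    zones: set = field(default_factory=lambda: {"any"})
    nets: list = field(default_factory=list)      # ip_network objects; [] = any
    categories: set = field(default_factory=lambda: {"any"})

    def matches(self, zone, src_ip, category):
        if "any" not in self.zones and zone not in self.zones:
            return False
        if self.nets and not any(ipaddress.ip_address(src_ip) in n for n in self.nets):
            return False
        if "any" not in self.categories and category not in self.categories:
            return False
        return True


def evaluate(rules, zone, src_ip, category):
    """First matching rule decides; with no match the session is left encrypted."""
    for rule in rules:
        if rule.matches(zone, src_ip, category):
            return rule.name, rule.action
    return None, "no-decrypt"


def _field_covers(a_vals, b_vals):
    return "any" in a_vals or ("any" not in b_vals and b_vals <= a_vals)


def _nets_cover(a_nets, b_nets):
    if not a_nets:
        return True
    if not b_nets:
        return False
    return all(any(b.subnet_of(a) for a in a_nets) for b in b_nets)


def shadowed(rules):
    """Names of rules that can never match because an earlier rule covers them.

    This is the question 1 defect: a no-decrypt exception below a decrypt-all
    rule is unreachable, so the 'exclusion' never takes effect.
    """
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (_field_covers(earlier.zones, later.zones)
                    and _nets_cover(earlier.nets, later.nets)
                    and _field_covers(earlier.categories, later.categories)):
                out.append(later.name)
                break
    return out


def net(s):
    return ipaddress.ip_network(s)


# Question 1 as deployed: the exception sits below the catch-all.
MISORDERED = [
    DecryptRule("decrypt-all", "decrypt"),
    DecryptRule("no-decrypt-finance", "no-decrypt", categories={"financial-services"}),
]
CORRECTED = list(reversed(MISORDERED))

# Question 13 exhibit, as described in the explanation above (constructed).
EXHIBIT_Q13 = [
    DecryptRule("Rule 1", "no-decrypt", nets=[net("10.0.0.0/24")]),
    DecryptRule("Rule 2", "decrypt", nets=[net("10.0.1.0/24")], categories={"Finance"}),
    DecryptRule("Rule 3", "no-decrypt", nets=[net("10.0.2.0/24")], categories={"Health"}),
]

if __name__ == "__main__":
    print(evaluate(MISORDERED, "trust", "10.1.1.10", "financial-services"))
    print(shadowed(MISORDERED), shadowed(CORRECTED))
    print(evaluate(CORRECTED, "trust", "10.1.1.10", "financial-services"))
    print(evaluate(EXHIBIT_Q13, "trust", "10.0.1.25", "Finance"))
```

Running it shows the question 1 failure directly: with MISORDERED the financial session lands on decrypt-all and shadowed() names the unreachable exception; with CORRECTED the same session hits the no-decrypt rule and nothing is shadowed. A real rulebase has more match fields, but the shadow check generalises: an exception is only effective if no earlier rule covers every field it constrains.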

14
MCQ · easy

What is the primary purpose of SSL decryption in a Palo Alto Networks firewall?

A.Mask the original source IP address for privacy.
B.Inspect encrypted traffic for malware, exploits, and data leakage.
C.Allow only inbound SSL traffic to be inspected.
D.Improve network performance by reducing encryption overhead.
Answer: B

Core function of SSL decryption.

Why this answer

SSL decryption in a Palo Alto Networks firewall is primarily used to inspect encrypted traffic (HTTPS, SMTPS, etc.) for threats such as malware, exploits, and data leakage. Without decryption, the firewall cannot apply threat prevention, URL filtering, or data filtering policies to the encrypted payload, leaving a blind spot in security enforcement.

Exam trap

The trap here is that candidates often confuse SSL decryption with performance optimization or privacy features, but the PCNSE exam emphasizes that its core purpose is to enable visibility and inspection of encrypted traffic for threat detection.

How to eliminate wrong answers

Option A is wrong because hiding the original source IP address is the job of source NAT, not SSL decryption. Option C is wrong because SSL decryption covers both inbound (SSL Inbound Inspection) and outbound (SSL Forward Proxy) traffic; it is not limited to inbound SSL. Option D is wrong because SSL decryption adds processing overhead for the decrypt and re-encrypt cycle; it does not improve performance or reduce encryption overhead.

15
MCQ · medium

Which best practice should be followed for certificate management when deploying SSL Forward Proxy decryption in a large enterprise?

A.Use an internal certificate authority (CA) and distribute the CA certificate to all clients via Group Policy.
B.Use a self-signed certificate and manually install it on each client.
C.Use a wildcard certificate from a public CA to simplify deployment.
D.Use a certificate from a public CA that is already trusted by clients.
Answer: A

Standard best practice for enterprise environments.

Why this answer

Using an internal CA and distributing its certificate via Group Policy ensures that all clients trust the decryption certificate used by the firewall to re-encrypt traffic. This avoids certificate warnings and allows seamless SSL Forward Proxy decryption. It also enables centralized management and revocation, which is critical for large enterprise deployments.

Exam trap

The trap is the belief that a certificate from a public CA can serve as the forward trust certificate. That certificate must be a CA certificate whose private key the firewall holds, because the firewall signs a fresh certificate for every decrypted site; no public CA will issue a subordinate CA to an enterprise for interception, and a public end-entity or wildcard certificate cannot sign anything.

How to eliminate wrong answers

Option B is wrong because a self-signed certificate is trusted nowhere by default, and installing it by hand on every endpoint neither scales nor keeps up with new devices and renewals. Option C is wrong because a wildcard certificate is an end-entity certificate: it lacks the CA basic constraint, so it cannot sign the per-site certificates the forward proxy generates, and a public CA will not issue a CA-capable certificate for that purpose. Option D is wrong for the same reason: being trusted by clients is necessary but not sufficient. The firewall needs the signing key of a CA the clients trust, and the only such CA whose key the enterprise controls is its own internal CA (or a firewall-generated CA), whose certificate is pushed to endpoints through Group Policy or the endpoint management tool in use.

16
MCQ · hard

A Palo Alto Networks firewall is configured for SSL Forward Proxy decryption. The security team wants to ensure that decrypted traffic is also inspected by an external DLP appliance. How should this be achieved?

A.Configure the DLP appliance to decrypt traffic itself.
B.Configure a Decryption Policy to decrypt traffic and then use a Decryption Forwarding service to forward decrypted traffic to the DLP appliance.
C.Configure the firewall to re-encrypt traffic before sending to DLP.
D.Add a decryption policy on the firewall to exclude traffic to the DLP appliance.
Answer: B

PAN-OS offers this as Decryption Broker (an inline security chain) or Decryption Port Mirroring (a cleartext copy to a passive tool).

Why this answer

Option B is correct in substance: PAN-OS can hand decrypted traffic to an external device rather than re-encrypting it immediately. The two mechanisms are Decryption Broker, which forwards the cleartext through a security chain of one or more inline devices and re-encrypts it on the way out, and Decryption Port Mirroring, available on supported hardware platforms, which sends a copy of the cleartext out of a dedicated interface to a passive tool. A DLP appliance that must block goes in a broker chain; one that only reports can take a mirror. Both mechanisms act only on sessions that a decryption rule actually decrypts, so the policy must match the traffic first. The option's 'Decryption Forwarding service' is a generic label rather than a PAN-OS object name.

Exam trap

The trap here is thinking the traffic should be re-encrypted before it reaches the DLP appliance (option C). The point of the broker chain or the mirror is that the downstream device receives cleartext and therefore needs neither private keys nor an interception point of its own.

How to eliminate wrong answers

Option A is wrong because the DLP appliance decrypting traffic itself would require it to have access to the private keys or to perform a man-in-the-middle decryption, which is redundant and bypasses the firewall's decryption capabilities; the firewall is already performing SSL Forward Proxy decryption. Option C is wrong because re-encrypting traffic before sending to the DLP appliance would defeat the purpose of inspection, as the DLP appliance would need to decrypt it again to analyze the content, adding unnecessary complexity and latency. Option D is wrong because excluding traffic to the DLP appliance from decryption would mean the traffic sent to the DLP appliance remains encrypted, preventing the DLP appliance from inspecting the content; the decryption policy should include the traffic destined for the DLP appliance.

17
Multi-Select · hard

Which TWO statements are true about TLS version 1.3 support in Palo Alto Networks decryption?

Select 2 answers
A.TLS 1.3 decryption uses the same proxy ciphers as TLS 1.2.
B.TLS 1.3 decryption is supported in PAN-OS 9.0 and later.
C.TLS 1.3 decryption requires the firewall to have a hardware security module (HSM).
D.TLS 1.3 decryption is only supported for inbound inspection (SSL Inbound Inspection).
E.TLS 1.3 decryption is supported for both forward proxy and inbound inspection.
Answers: B, E

TLS 1.3 decryption was added in PAN-OS 10.0 for both forward proxy and inbound inspection; the '9.0' in option B is one major release too early.

Why this answer

Option E is correct: TLS 1.3 decryption applies to SSL Forward Proxy and SSL Inbound Inspection alike. Option B is the answer this question expects, but its version is wrong: TLS 1.3 decryption was introduced in PAN-OS 10.0, not 9.0, and a 9.x firewall does not decrypt TLS 1.3 natively. Option A is wrong because TLS 1.3 has its own small set of AEAD suites (AES-GCM, ChaCha20-Poly1305) with key exchange negotiated separately from the suite, and they are configured apart from the TLS 1.2 suites. Option C is wrong because no HSM is needed; an HSM is an option for protecting the forward trust or server private keys, not a TLS 1.3 requirement. Option D is wrong because support is not limited to inbound inspection.

Exam trap

The trap here is that candidates assume TLS 1.3 reuses the TLS 1.2 suite list or is limited to one direction. The practical trap is the release: confirm the PAN-OS version before relying on TLS 1.3 decryption, and review the profile's TLS 1.3 settings separately from the TLS 1.2 ones.

18
Multi-Select · hard

Which THREE steps should be taken to troubleshoot an SSL decryption issue where users are unable to access specific HTTPS websites? (Choose three.)

Select 3 answers
A.Check the decryption log for errors such as 'ssl_decrypt_unsupported_cipher' or 'ssl_decrypt_cert_verify_failed'.
B.Update the URL filtering database to ensure the site is categorized correctly.
C.Verify that the firewall's decryption certificate is trusted by the client.
D.Disable decryption globally to see if the sites become accessible.
E.Use the packet capture tool to analyze the SSL handshake between client, firewall, and server.
Answers: A, C, E

Logs provide specific error hints.

Why this answer

Option A is correct because the decryption log gives direct visibility into SSL/TLS handshake failures. Errors like 'ssl_decrypt_unsupported_cipher' indicate the firewall could not negotiate a suite it supports, while 'ssl_decrypt_cert_verify_failed' points to server certificate validation problems such as an untrusted issuer or an expired certificate. Option C is correct because a forward trust CA missing from the client's trust store produces untrusted-issuer errors on every decrypted site, so checking the client store separates that global problem from a site-specific one. Option E is correct because captures on the client side and on the firewall's server-facing side show which leg's handshake fails and with which alert, which distinguishes a pinned client from a server that rejects the firewall's cipher offer. Option D is a blunt test that removes visibility for everyone instead of diagnosing the sites in question.

Exam trap

The trap here is that candidates often confuse decryption failures with URL filtering or policy issues, leading them to select option B, when in fact decryption logs and certificate trust are the direct troubleshooting steps for SSL decryption problems.
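
The first step of questions 3 and 18, reading the decryption log and ranking failure causes, can be scripted. The following is an added example, not a PAN-OS tool or export format: the log lines are constructed, with a simple comma-separated layout (time, source, destination, SNI, rule, error) and error strings that reuse the ones quoted on this page ('policy_not_matched' stands for the exhibit's "Decryption policy not matched"; 'client_auth_required' is a constructed label). It counts causes, names the top one with its remediation, and lists hosts that keep failing for a reason a no-decrypt rule resolves.

```python
"""Triage of decryption failures from log lines.

Added example for questions 3 and 18; not PAN-OS code. The log lines below
are constructed: the field layout (time, source, destination, SNI, rule,
error) and the error strings reuse the ones quoted on this page, not an
exact PAN-OS export format. Given such lines it counts failure causes,
names the top one, and lists hosts that keep failing for a reason that a
no-decrypt rule fixes.
"""
from collections import Counter, defaultdict

SAMPLE_LOG = """\
time,src,dst,sni,rule,error
2024-05-01T09:00:01,10.0.1.15,203.0.113.10,www.bankofalice.com,decrypt-all,ssl_decrypt_cert_verify_failed
2024-05-01T09:00:04,10.0.1.16,203.0.113.10,www.bankofalice.com,decrypt-all,ssl_decrypt_cert_verify_failed
2024-05-01T09:00:09,10.0.1.20,198.51.100.7,legacy.example.net,decrypt-all,ssl_decrypt_unsupported_cipher
2024-05-01T09:00:12,10.0.1.21,198.51.100.7,legacy.example.net,decrypt-all,ssl_decrypt_unsupported_cipher
2024-05-01T09:00:15,10.0.1.22,198.51.100.7,legacy.example.net,decrypt-all,ssl_decrypt_unsupported_cipher
2024-05-01T09:00:20,10.0.2.5,192.0.2.44,updates.example.org,,policy_not_matched
2024-05-01T09:00:21,10.0.2.6,192.0.2.44,updates.example.org,,policy_not_matched
2024-05-01T09:00:22,10.0.2.7,192.0.2.45,cdn.example.org,,policy_not_matched
2024-05-01T09:00:23,10.0.2.8,192.0.2.45,cdn.example.org,,policy_not_matched
2024-05-01T09:00:30,10.0.1.30,203.0.113.99,vpn.example.com,decrypt-all,client_auth_required
"""

# What each cause means and where to fix it (summarised from the answers on this page).
REMEDIATION = {
    "policy_not_matched": "no decryption rule matched: add or widen a rule, or accept as intentional",
    "ssl_decrypt_unsupported_cipher": "server needs a suite the decryption settings disable: enable it or exempt the host",
    "ssl_decrypt_cert_verify_failed": "server certificate failed validation: check chain and expiry before exempting anything",
    "client_auth_required": "mutual TLS cannot be proxied: exempt the host with a no-decrypt rule",
}
# Causes that are resolved on the firewall by exempting the destination host.
EXEMPTION_CAUSES = {"ssl_decrypt_unsupported_cipher", "client_auth_required"}


def parse_log(text):
    """Parse the constructed CSV layout into one dict per log entry."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def count_causes(entries):
    return Counter(e["error"] for e in entries)


def top_cause(entries):
    """The most frequent failure cause, its count, and the suggested remediation."""
    cause, n = count_causes(entries).most_common(1)[0]
    return cause, n, REMEDIATION.get(cause, "unknown cause: check the decryption log detail")


def exemption_candidates(entries, min_hits=2):
    """Hosts failing repeatedly for a reason that a no-decrypt rule resolves."""
    hits = defaultdict(Counter)
    for e in entries:
        if e["error"] in EXEMPTION_CAUSES:
            hits[e["sni"]][e["error"]] += 1
    return sorted((host, c.most_common(1)[0][0])
                  for host, c in hits.items() if sum(c.values()) >= min_hits)


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(count_causes(entries))
    print(top_cause(entries))
    print(exemption_candidates(entries))
```

Certificate validation failures are deliberately kept out of EXEMPTION_CAUSES: a site whose certificate fails to verify may be misconfigured or hostile, and the right response is to look at the chain and the profile's certificate checks, not to exempt it because users complained.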

19
MCQ · medium

A company is deploying SSL Forward Proxy decryption for outbound HTTPS traffic. They want to ensure that traffic to financial sites (e.g., *.bank.com) is not decrypted due to compliance requirements. Which method should be used to exclude this traffic from decryption?

A.Configure the SSL/TLS Service Profile to bypass decryption for the domain.
B.Configure a Decryption Profile to exclude the domain.
C.Create a Decryption Policy rule matching the traffic and set the action to 'No Decrypt'.
D.Enable certificate revocation checking for the decryption zone.
Answer: C

Decryption Policy rules with 'No Decrypt' action are the correct way to exclude traffic from decryption based on zone, URL category, etc.

Why this answer

Option C is correct because in Palo Alto Networks firewalls, SSL Forward Proxy decryption is controlled by Decryption Policy rules. To exclude specific traffic from decryption, you create a Decryption Policy rule that matches the traffic (e.g., destination domain *.bank.com) and set the action to 'No Decrypt'. This ensures the firewall forwards the traffic without intercepting or decrypting it, meeting compliance requirements.

Exam trap

The trap here is confusing the purpose of Decryption Profiles (which control decryption behavior) with Decryption Policy rules (which control which traffic is decrypted), leading candidates to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because the SSL/TLS Service Profile binds a certificate and protocol range to the firewall's own TLS services (management web interface, GlobalProtect, Captive Portal); it plays no part in decryption policy. Option B is wrong because a Decryption Profile tunes how a decrypted session is handled (certificate checks, protocol versions and ciphers, what to do with unsupported modes), not whether it is decrypted. Option D is wrong because certificate revocation checking validates the server certificates the firewall sees while decrypting; it does not exclude traffic.

20
MCQ · medium

Based on the exhibit, what is the most likely cause for the majority of bypassed sessions?

A.The firewall's SSL/TLS service profile does not include the cipher suites used by the clients or servers.
B.The firewall is overloaded and cannot handle more decryption sessions.
C.The decryption certificate is not trusted by clients.
D.There is a network connectivity issue between firewall and servers.
Answer: A

Most bypasses are due to unsupported ciphers.

Why this answer

The majority of bypassed sessions are most likely caused by a cipher mismatch between the firewall's decryption settings and the servers. When the firewall proxies a session it must agree on a suite with each side; if the suites it is allowed to offer do not overlap with what the server accepts, the handshake cannot complete under decryption and the default profile lets the session through undecrypted. An over-restrictive cipher list is a common cause of exactly this pattern. Terminology caveat: in PAN-OS the decryption-side protocol versions and algorithms live in the Decryption Profile's SSL Protocol Settings, while the SSL/TLS Service Profile governs the firewall's own services; the option names the right failure with the wrong object.

Exam trap

The trap here is that candidates often confuse 'bypassed sessions' with 'decryption failures' due to certificate issues or network problems, but bypassed sessions specifically indicate the firewall intentionally skipped decryption due to configuration mismatches like cipher or protocol version incompatibility.

How to eliminate wrong answers

Option B is wrong because firewall overload typically results in session drops or resource exhaustion errors, not a high percentage of bypassed sessions; bypassed sessions indicate the firewall intentionally skipped decryption due to policy or configuration issues, not capacity limits. Option C is wrong because an untrusted decryption certificate causes client-side certificate warnings or connection failures, not bypassed sessions; bypassed sessions occur when the firewall cannot decrypt, not when the client rejects the certificate. Option D is wrong because a network connectivity issue between the firewall and servers would cause session timeouts or connection resets, not bypassed sessions; bypassed sessions are logged when the firewall decides not to decrypt, not when it cannot reach the server.

21
MCQ · easy

A user reports that after SSL decryption was enabled, certain web applications fail to load completely. What is the most likely reason?

A.The URL is not allowed in the decryption policy.
B.The user's browser proxy settings are incorrect.
C.The application uses certificate pinning which rejects the firewall's decryption certificate.
D.The firewall's decryption is causing excessive latency.
Answer: C

Certificate pinning is a common cause of failure with SSL decryption.

Why this answer

Certificate pinning is a security mechanism where an application embeds the exact certificate or public key of the server it expects to communicate with. When SSL decryption is enabled, the firewall replaces the original server certificate with its own decryption certificate. The application detects this mismatch and rejects the connection, causing it to fail to load completely.

This is a common issue with applications that implement strict certificate pinning, such as banking apps or certain mobile applications.

Exam trap

The trap here is that candidates often confuse certificate pinning with general certificate validation or assume that any decryption policy misconfiguration (like URL filtering) is the cause, rather than recognizing the specific application-level security mechanism that explicitly rejects the firewall's decryption certificate.

How to eliminate wrong answers

Option A is wrong because whether the URL is matched by the decryption policy only controls whether decryption is applied; it does not cause partial loading failures. If the URL is not matched, decryption is simply not performed and the traffic passes through normally. Option B is wrong because incorrect browser proxy settings would typically cause a complete failure to reach any HTTPS site, not selective failures with specific web applications after SSL decryption is enabled. Option D is wrong because, while excessive latency can degrade performance, it would not cause web applications to fail to load completely; the failure is due to certificate validation rejection, not a timeout.

22
MCQ · medium

After enabling SSL Forward Proxy decryption, users report that they cannot access HTTPS websites and receive certificate errors. The firewall's decryption certificate is properly installed on client machines. What is the most likely cause?

A.The firewall's decryption certificate is not trusted by the clients' certificate store.
B.The decryption certificate has expired.
C.The decryption certificate is not renewed automatically.
D.The decryption certificate is self-signed.
Answer: A

Clients must trust the firewall's CA certificate to avoid warnings.

Why this answer

The most likely cause is that the firewall's decryption certificate is not trusted by the clients' certificate store. Even if the certificate is properly installed on client machines, if it is not explicitly added to the trusted root certification authorities store, browsers will reject the connection with certificate errors. SSL Forward Proxy decryption requires the firewall to generate a new certificate for each HTTPS session, signed by its own CA certificate; clients must trust that CA certificate to avoid warnings.

Exam trap

The trap here is that candidates often assume 'properly installed' means the certificate is trusted, but in SSL decryption, the certificate must be placed in the trusted root store, not just imported as a personal certificate; Cisco (Palo Alto) tests this distinction to catch those who overlook the specific trust store requirement.

How to eliminate wrong answers

Option B is wrong because an expired decryption certificate would cause certificate errors, but the question states the certificate is properly installed and users receive errors; expiration is a possible cause but not the most likely given the context of proper installation. Option C is wrong because automatic renewal of the decryption certificate is not a standard feature in PAN-OS; certificates must be manually renewed or replaced, so this is not a common cause of access issues. Option D is wrong because a self-signed certificate is the typical type used for SSL Forward Proxy decryption in Palo Alto firewalls; the issue is not that it is self-signed, but that it is not trusted by the clients.

23
Matching · medium

Match each high availability (HA) term to its definition.


Matches
One firewall handles traffic; the other stands by
Both firewalls handle traffic simultaneously
Keepalive messages exchanged between HA peers
Original active firewall reclaims role after recovery
Firewall that initially processed a session

Why these pairings

These are key concepts in Palo Alto Networks HA configuration.

24
MCQ · medium

A company uses SSL Forward Proxy decryption for user traffic. Recently, some users cannot access a specific HTTPS website that uses a self-signed certificate. The firewall's decryption policy is set to 'decrypt' and the action is 'forward proxy'. The firewall does not have the self-signed CA certificate installed. What is the most likely cause of the issue?

A.The firewall cannot decrypt the session because it does not trust the self-signed certificate of the website.
B.The website is not included in the decryption policy's URL category.
C.The firewall's decryption certificate is not trusted by the client browsers.
D.The firewall's forward proxy decryption requires a server certificate that matches the original website.
Answer: A

The firewall must trust the server's certificate to re-sign for the client; without the self-signed CA, it cannot.

Why this answer

In SSL Forward Proxy decryption, the firewall must generate a new server certificate on-the-fly to present to the client. To do this, it needs to trust the original server's certificate so it can validate the server's identity and then re-sign the session. Since the website uses a self-signed certificate and the firewall does not have that CA certificate installed, the firewall cannot validate the server's certificate, causing the decryption to fail and the session to be blocked.

Exam trap

Palo Alto Networks often tests the distinction between the firewall's ability to validate the server certificate (which requires the server's CA to be trusted) versus the client's trust in the firewall's decryption certificate, leading candidates to confuse client-side trust issues with server-side validation failures.

How to eliminate wrong answers

Option B is wrong because the decryption policy's URL category determines which traffic is decrypted, not whether the firewall can validate the server's certificate; if the URL category were the issue, the traffic would simply not be decrypted, not fail with a certificate trust error. Option C is wrong because the client browsers trusting the firewall's decryption certificate is a separate issue that affects browser warnings, not the firewall's ability to decrypt the session; the firewall can still decrypt even if clients don't trust its certificate. Option D is wrong because forward proxy decryption does not require the firewall's certificate to match the original website; the firewall generates a new certificate with the same subject name as the original site, signed by its own CA, which is the standard behavior for forward proxy.

25
MCQ · hard

You are a network security engineer at a multinational corporation. The company has a main data center and three branch offices connected via MPLS. The firewall at the data center is a PA-5250 running PAN-OS 10.2. The firewall is configured for SSL Forward Proxy decryption of all outbound HTTPS traffic from internal users to the internet. Recently, users in Branch Office A report that they cannot access several external HTTPS websites, while users at other branches and the data center have no issues. The decryption policy for Branch Office A is identical to the others. You check the decryption statistics and see that for Branch Office A, the number of 'SSL handshake failures' is high. You also notice that the firewall's system log shows errors like 'peer certificate chain validation failure' for sessions from Branch Office A. The firewall has a forward trust certificate issued by an internal CA, and the internal CA certificate is installed on all clients. What is the most likely cause of this issue?

A.The forward trust certificate has expired or is not trusted by the clients in Branch Office A.
B.The decryption profile for Branch Office A is configured with an incorrect cipher suite that is not supported by the external websites.
C.Traffic from Branch Office A is asymmetrically routed, causing the TLS handshake to be incomplete.
D.The decryption policy rule for Branch Office A is missing the 'ssl-decrypt' action.
Answer: C

Asymmetric routing can cause the firewall to see only one side of the TCP handshake, leading to SSL handshake failures.

Why this answer

C is correct because asymmetric routing causes the firewall to see only one side of the TCP handshake, preventing it from completing the TLS handshake. When traffic from Branch Office A takes a different return path (e.g., via another MPLS link or direct internet breakout), the firewall cannot associate the server's SYN-ACK with the original client SYN, leading to SSL handshake failures and 'peer certificate chain validation failure' errors in the logs. The decryption policy and certificates are identical across branches, so the issue is specific to the network path.

Exam trap

The trap here is that candidates often blame certificate trust or decryption profile misconfigurations first, overlooking that asymmetric routing is a common network-layer cause of SSL decryption failures even when all security policies and certificates are correctly configured.

How to eliminate wrong answers

Option A is wrong because the forward trust certificate is issued by an internal CA that is installed on all clients, and the decryption policy is identical across branches; if the certificate were expired or untrusted, all branches would be affected, not just Branch Office A. Option B is wrong because the decryption profile's cipher suite configuration is identical across branches, and cipher mismatch would typically cause 'no shared cipher' errors, not 'peer certificate chain validation failure' or high SSL handshake failures. Option D is wrong because if the decryption policy rule were missing the 'ssl-decrypt' action, the firewall would not attempt decryption at all, and the decryption statistics would show no decrypted sessions or SSL handshake failures for that branch.

26
Multi-Select · hard

Which THREE statements are true regarding SSL Forward Proxy decryption on Palo Alto Networks firewalls?

Select 3 answers
A.SSL Forward Proxy decryption can only be applied to traffic destined for TCP port 443.
B.Decryption policy rules can match on source zone, source user, destination IP, URL category, and service.
C.The firewall must generate a certificate on-the-fly signed by a trusted CA for each decrypted session.
D.An 'ssl-decrypt' action in a decryption rule requires that the associated decryption profile includes a certificate for the firewall to use.
E.The firewall can inspect the Server Name Indication (SNI) field in the ClientHello to determine the destination hostname.
Answers: B, C, E

These are common match criteria for decryption policy rules.

Why this answer

Option B is correct because Palo Alto Networks decryption policy rules can match on a wide range of criteria including source zone, source user, destination IP, URL category, and service. This granularity allows administrators to selectively decrypt traffic based on business needs and security policies, not just basic IP/port matching.

Exam trap

The trap here is that candidates assume SSL Forward Proxy decryption is limited to port 443, but Palo Alto firewalls can decrypt SSL/TLS on any TCP port by inspecting the handshake, and they also mistakenly think the decryption profile must contain a certificate for the firewall, when in fact the CA certificate is configured separately and the firewall generates session-specific certificates automatically.

27
Drag & Drop · medium

Order the steps to configure a static route on a Palo Alto Networks firewall.


Why this order

Static routes are defined per virtual router with destination and next-hop.

28
MCQ · medium

A company has deployed SSL Inbound Inspection to inspect HTTPS traffic to their internal web server hosting a custom application that requires mutual TLS authentication. The firewall is configured with a decryption policy that includes the server's certificate and the action 'decrypt'. The web server is configured to request client certificates. After implementation, users report that the application fails to authenticate them. The firewall logs show that SSL handshake with the client completes successfully, but the server never receives the client certificate during the handshake. The administrator has verified that the decryption policy is active and the server certificate is correctly imported. What is the most likely cause of this issue?

A.The decryption policy is set to 'no-decrypt' for the application's traffic.
B.The client certificates are not trusted by the firewall.
C.The firewall's SSL Inbound Inspection profile is set to 'passive' mode.
D.The firewall is not configured to forward client certificates to the server.
Answer: D

In SSL Inbound Inspection, the firewall must be configured to forward client certificates in the decryption profile; otherwise, it does not pass them.

Why this answer

In SSL Inbound Inspection, the firewall acts as a man-in-the-middle, terminating the client's SSL connection and then initiating a new SSL connection to the server. By default, the firewall does not forward the client certificate from the original client handshake to the server. To enable mutual TLS authentication, the administrator must explicitly configure the firewall to forward client certificates, typically via a Decryption Profile setting.

Since the logs show a successful handshake with the client but the server never receives the client certificate, the missing forwarding configuration is the most likely cause.

Exam trap

Palo Alto Networks often tests the distinction between SSL Forward Proxy and SSL Inbound Inspection, and candidates mistakenly assume that client certificates are automatically forwarded in inbound scenarios, when in fact they require explicit configuration in the decryption profile.

How to eliminate wrong answers

Option A is wrong because the decryption policy is verified as active and set to 'decrypt', not 'no-decrypt', and the logs show the SSL handshake completes successfully, which would not happen if decryption were disabled. Option B is wrong because the firewall does not validate client certificates during SSL Inbound Inspection unless specifically configured to do so; the issue is that the client certificate is not being forwarded, not that it is untrusted. Option C is wrong because 'passive' mode is not a valid setting in SSL Inbound Inspection profiles; the firewall uses 'decrypt' action for inbound inspection, and passive mode applies to SSL Forward Proxy decryption, not inbound scenarios.

29
MCQ · easy

Based on the exhibit, what is the most likely action for the firewall to take on this session?

A.Re-issue a new certificate to the client.
B.Block the session because the server certificate is invalid.
C.Drop the session and log a security alert.
D.Bypass decryption and allow the session to proceed.
Answer: D

Default behavior is to bypass when certificate verification fails.

Why this answer

The firewall is configured for SSL Forward Proxy decryption, but the server certificate is self-signed or otherwise untrusted (e.g., expired, mismatched CN). In such cases, the firewall cannot re-sign the certificate to establish a trusted decrypted session. The configured action for untrusted server certificates is 'bypass decryption,' which allows the session to proceed without decryption, logging the bypass.

Option D is correct because the firewall will not block or drop the session by default when bypass is configured.

Exam trap

The trap here is that candidates often assume an invalid server certificate always results in a block or drop, but the firewall's behavior depends on the configured 'untrusted certificate action' in the decryption policy, which can be set to bypass.

How to eliminate wrong answers

Option A is wrong because the firewall does not issue a new certificate to the client; in SSL Forward Proxy, the firewall generates a forged certificate on-the-fly signed by its own CA, but only if the server certificate is valid and trusted. Option B is wrong because the firewall does not block the session solely because the server certificate is invalid; it applies the configured untrusted certificate action, which can be 'bypass' or 'block,' and the exhibit shows bypass is configured. Option C is wrong because 'drop the session and log a security alert' would correspond to a 'block' action, not the 'bypass' action shown in the exhibit.
