Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 155

An engineer must configure a new SSL decryption deployment.
Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

Answer options

• A. A Decryption profile must be attached to the Decryption policy that the traffic matches.
• B. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
• C. A Decryption profile must be attached to the Security policy that the traffic matches.
• D. There must be a certificate with only the Forward Trust option selected.

Correct answer: D

Explanation

The correct answer is D because having a certificate with only the Forward Trust option allows the SSL decryption process to proceed successfully. Options A and C are incorrect because they refer to profiles related to policies rather than the necessary certificate. Option B is incorrect as it requires both options when only the Forward Trust option is needed.