Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 292
An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface.
Which statement is true regarding the configuration of the Decryption Port Mirroring feature?
Answer options
- A. The engineer should install the Decryption Port Mirror license and reboot the firewall.
- B. The PA-850 firewall does not support a decrypt mirror interface, so the engineer needs to upgrade the firewall to the PA-3200 series.
- C. The engineer must assign an IP from the same subnet as the forensic tool to the decrypt mirror interface.
- D. The engineer must assign the related virtual-router to the decrypt mirror interface.
Correct answer: A
Explanation
The correct answer is A because the Decryption Port Mirror feature requires a specific license to be installed, and a reboot is necessary for the change to take effect. Option B is incorrect because the PA-850 does support a decrypt mirror interface. Option C is irrelevant because assigning an IP address is not a requirement for enabling the feature. Option D is also incorrect because assigning a virtual router is not a prerequisite for the decrypt mirror interface.