Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 554

When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with
Palo Alto Networks best practices. What should you recommend?

Answer options

• A. Enable SSL decryption for known malicious source IP addresses
• B. Enable SSL decryption for malicious source users
• C. Enable SSL decryption for source users and known malicious URL categories
• D. Enable SSL decryption for known malicious destination IP addresses

Correct answer: C

Explanation

The correct answer is C because enabling SSL decryption for source users and known malicious URL categories allows for targeted decryption, focusing on potential threats while minimizing impact on legitimate traffic. Options A and D would not comprehensively address the users accessing those URLs, and option B only targets users without considering the broader context of the URLs they access.