What is the primary purpose of SSL Inbound Decryption in a Palo Alto Networks firewall?
Correct: SSL Inbound Decryption allows the firewall to inspect encrypted traffic by acting as a MITM between the client and server.
Which of the following is a limitation of SSL Inbound Decryption?
Correct: SSL Inbound Inspection does not support session resumption, which can affect performance for clients using this feature.
What command is used to view SSL decryption statistics on the firewall?
Correct: The `debug dataplane show ssl-decrypt ssl-stats` command provides detailed decryption statistics.
Which feature allows the firewall to identify users in encrypted traffic?
Correct: User-ID integrates with SSL decryption to identify users in encrypted traffic for application control and policy enforcement.
What is the correct sequence of steps when SSL Inbound Decryption is enabled?
Correct: The firewall acts as a MITM, establishing two encrypted sessions (client-firewall and firewall-server).
Which of the following is NOT a requirement for SSL Inbound Decryption?
Correct: The client must trust the firewall’s certificate, but the server does not need to allow the firewall as a CA.
Which of the following is a common cause of SSL decryption failure?
Correct: A cipher suite mismatch between the client and server can cause decryption to fail.
What is the role of the certificate chain in SSL Inbound Decryption?
Correct: The certificate chain (including intermediate certificates) ensures the client trusts the firewall’s certificate.
Which of the following is a best practice for SSL Inbound Decryption?
Correct: Regular updates ensure compatibility with modern protocols and avoid decryption failures.
What happens if the firewall’s certificate expires?
Correct: An expired certificate will cause clients to reject the connection, resulting in decryption failure.
What is the main benefit of logging URLs during SSL decryption?
Correct: Logging URLs during SSL decryption allows the firewall to filter traffic based on content and category.
Which User-ID method does NOT require agent installation?
Correct: Agentless methods like LDAP do not require agent installation on endpoints.
Which protocol version is supported by default for SSL Inbound Decryption?
Correct: TLS 1.2 and later are supported by default; older protocols like SSLv3 are deprecated.
Which of the following is a valid reason to exclude URLs from logging during SSL decryption?
Correct: URLs may contain sensitive or personal data that should not be logged for privacy or regulatory compliance.
What is the primary purpose of a decryption profile?
Correct: Decryption profiles specify the protocols and cipher suites to be inspected.
Which of the following is a common gotcha when configuring SSL Inbound Decryption?
Correct: Higher-priority decryption profiles can override lower ones, leading to unexpected behavior.
Which of the following is a valid use case for SSL Inbound Decryption in a corporate environment?
Correct: SSL Inbound Decryption allows monitoring and filtering of internal server traffic for compliance and threat prevention.
Which command is used to display the certificate chain on the firewall?
Correct: `show system setting ssl-decrypt certificate-cache` displays the certificate chain stored on the firewall.
Which of the following is NOT a recommended practice for SSL Inbound Decryption?
Correct: Disabling SSL decryption for all internal servers removes visibility into encrypted traffic, increasing security risks.
What is the primary benefit of using User-ID agentless methods in a large enterprise?
Correct: Agentless methods reduce the need for deploying and managing agents on every endpoint.