The correct answer is A. Inbound decryption is where you are decrypting traffic to your internal server. You don't use a Root CA, you load that server's cert and private key. The Root cert is 'Optional'
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-inbound-inspection.html
From Palo Alto's TechDocs:
"HSM clients integrated with Palo Alto Networks firewalls and Panorama enable enhanced security for the private keys used in SSL/TLS decryption (both SSL forward proxy and SSL inbound inspection). In addition, you can use the HSM to encrypt master keys."
Answer A is WRONG: the security policy allowing SSL will affect encrypted traffic to/from the server. It has NO bearing on the decryption process. The question never mentioned problems with traffic to/from the original server. It only said issues with decryption.
Initially I was leaning more to D, but I just realised it is misleading... Issues with the HSM module could indeed cause inbound decryption problems, because the HSM is used to store the private key. Without the private key the FW cannot decrypt inbound traffic.
However, the HSM stores the private key, while the certificate is imported once during the setup - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/secure-keys-with-a-hardware-security-module/store-private-keys-on-an-hsm#idcaadcd26-7f7c-494a-bfaa-bdfb51826aec
On the other hand, it is very important to understand the big difference between SSL Inbound Inspection and SSL Forward Proxy. With Inbound Inspection the firewall does not proxy the SSL session. Since it has the private key, client and server establish SSL directly with each other, while the firewall can peek inside the encrypted traffic - because it has the private key for the server and has observed the SSL negotiation and can calculate the key used for encryption.
Because of this, traffic for SSL inbound inspection does not pass through an SSL proxy.
Also listen carefully around the end of this video, where they said - "you still need to allow encrypted traffic", which will be SSL - https://www.youtube.com/watch?v=oTivQY1RHu4
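The explanation above of how an inbound-inspection device holding the server's private key can compute the session key from a handshake it only observed is worth seeing in working code. The following is an added, constructed example (not from this thread and not PAN-OS code): it models the client/server handshake with textbook RSA and an HMAC-based toy cipher from the Python standard library, then shows the inspector recovering the key when the premaster secret is RSA-encrypted to the server, and reporting that it has nothing to unwrap when the session instead uses an ephemeral Diffie-Hellman exchange (where the server's private key only signs and never protects the secret). All function names, the "rsa"/"dhe" mode labels and the sample HTTP record are assumptions of this example.

```python
"""Toy model (constructed example) of the principle behind SSL Inbound
Inspection: a device that holds the server's private key and merely watches
the handshake can rebuild the session key for RSA key transport, but not for
an ephemeral Diffie-Hellman exchange, where the private key only signs.
Not PAN-OS code; textbook RSA and an HMAC-based toy cipher, stdlib only."""
import hashlib
import hmac
import secrets


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, good enough to build a toy modulus."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    """Random odd candidate with the top bit set, retried until probably prime."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits=512):
    """Textbook RSA without padding: toy only, never for real traffic."""
    e = 65537
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def derive_key(shared, client_random, server_random):
    """Session key from the shared secret plus both handshake randoms."""
    secret = shared.to_bytes((shared.bit_length() + 7) // 8, "big")
    return hmac.new(secret, client_random + server_random, hashlib.sha256).digest()


def stream_xor(key, data):
    """Toy stream cipher: HMAC-SHA256 counter keystream XORed into the data."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


def handshake_and_send(mode, server_pub, plaintext):
    """Client and server agree a key and the client sends one record.
    Returns only what a passive observer on the wire would see."""
    cr, sr = secrets.token_bytes(32), secrets.token_bytes(32)
    wire = {"mode": mode, "client_random": cr, "server_random": sr}
    if mode == "rsa":
        e, n = server_pub
        premaster = secrets.randbelow(n - 2) + 2
        wire["enc_premaster"] = pow(premaster, e, n)  # only d unwraps this
        shared = premaster
    else:  # "dhe": fresh exponents; the RSA key would only sign A and B
        p, g = gen_prime(256), 2
        a, b = secrets.randbelow(p - 2) + 1, secrets.randbelow(p - 2) + 1
        wire.update(p=p, g=g, A=pow(g, a, p), B=pow(g, b, p))
        shared = pow(wire["B"], a, p)  # equals pow(A, b, p) on the server
    wire["record"] = stream_xor(derive_key(shared, cr, sr), plaintext)
    return wire


def inspector_decrypt(wire, server_priv):
    """Inbound-inspection view: rebuild the key from the observed handshake
    plus the loaded private key. Returns None when there is nothing to unwrap."""
    if wire["mode"] != "rsa":
        return None  # A and B reveal no exponent; d cannot recover g^(ab)
    d, n = server_priv
    premaster = pow(wire["enc_premaster"], d, n)
    key = derive_key(premaster, wire["client_random"], wire["server_random"])
    return stream_xor(key, wire["record"])


def demo():
    """Same loaded key, two handshakes: (decrypted RSA record, DHE result)."""
    pub, priv = rsa_keypair()
    msg = b"GET /owa/ HTTP/1.1\r\nHost: mail.example.internal\r\n\r\n"  # constructed
    return (inspector_decrypt(handshake_and_send("rsa", pub, msg), priv),
            inspector_decrypt(handshake_and_send("dhe", pub, msg), priv))


if __name__ == "__main__":
    seen, unseen = demo()
    print("RSA key transport ->", seen)
    print("Ephemeral DH       ->", unseen)
```

The point for an operator is the second result: passive decryption of the kind described above depends on the key exchange the client and server negotiate, so a decryption profile that permits only ephemeral (forward-secret) cipher suites, or a server that offers only those, leaves a key-holding observer with nothing to unwrap; the product documentation for the PAN-OS version in use should be checked for how it handles that case.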
We do inbound decryption because we do not want to allow SSL to a target server. We want to decrypt all SSL and then allow some of the decrypted apps to the target server. For decryption you do not need to allow SSL in a security policy.
We mostly use inbound decryption for Exchange and have a bunch of apps that are allowed there in the corresponding security policy. SSL we do not allow. And this works fine.
In the list of possible answers here, the only one that could affect decryption and makes some kind of sense, even if it may be very seldom used, is answer D. I think it is not well written but could be some source of failure. Whereas A, B and C do not hinder inbound SSL decryption.
I believe A is the correct answer: even if you have the certs configured correctly, if you don't have a Security Policy, you can't decrypt or exclude websites from the decryption. If you google how to solve a decryption issue on PA, the first thing you get is to check your security policy.
The answer here is C. The question cannot be talking of inbound decryption unless the traffic has been allowed by the security policy. So security policy is out of the question here.
Traffic that encounters any problems with decryption must have been allowed by the Security policy.
The question is talking about inbound traffic which means the firewall has imported the server certificate and its private key to be able to decrypt the traffic for inspection before passing it to the server if it is benign.
This server cert being self-signed by an internal CA could be the source of the problem; see answer C.
Correct is A. First check the security policy, then the security profiles used in the security policy that the traffic matched.
With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy to clear text traffic and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL-Filtering, and File Blocking profiles.
Correct answer is A
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you load the server certificate onto the firewall). With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy to clear text traffic and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL-Filtering, and File Blocking profiles. As a best practice, enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation.
Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall, creating an SSL Inbound Inspection Decryption policy, and applying a Decryption profile to the policy.
Commenters (as listed on the page):
BellaDrake (Highly Voted, 2 years, 6 months ago)
kabuelenain (Most Recent, 1 week, 6 days ago)
Marshpillowz (7 months ago)
beikenes (1 year, 8 months ago)
lol12 (1 year, 10 months ago)
TAKUM1y (1 year, 10 months ago)
spydog (1 year, 10 months ago)
spydog (1 year, 10 months ago)
spydog (1 year, 10 months ago)
ashmeow (1 year, 10 months ago)
uwestani (2 years ago)
eazy99 (2 years, 2 months ago)
jonboy22 (2 years, 2 months ago)
SMahaldar (2 years, 2 months ago)
Zabol (3 years ago)
NNgiggs (3 years, 2 months ago)
rocioha (3 years, 2 months ago)
achille5 (3 years, 5 months ago)
lucaboban (3 years, 5 months ago)
Jpmuir (3 years, 5 months ago)