Tricky question. Memorize this: you have three types of decryption actions:
1. SSL Forward Proxy (acts as a proxy between the client and the server, so the client's certificate and the fw cert must be the same).
2. SSL Inbound Inspection (for your servers exposed to the internet, the fw acts as if it were the server, so you import the server's cert and its private key).
3. SSH Proxy for SSH and SSH Tunnel (this last should be blocked as a BP).
Besides, you can also forward decrypted traffic to an external appliance through decryption mirror, so you would need to ask for a license in the csp and configure your fw to send the clear text traffic to your appliance.
A says "ssl outbound PROXYLESS..." so it basically results in completely the opposite of what ssl forward proxy does lmao. Kind of the same with D since you act as the server, meaning you could be "proxying" the session but that's not how it's called by PANW.
BCE
The firewall provides three types of Decryption policy rules: SSL Forward Proxy to control outbound SSL traffic, SSL Inbound Inspection to control inbound SSL traffic, and SSH Proxy to control tunneled SSH traffic. You can attach a Decryption profile to a policy rule to apply granular access settings to traffic, such as checks for server certificates, unsupported modes, and failures.
You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.
This answer conflicts with 189 on this list; is decryption mirroring counted as a rule profile or not? You can also use a Decryption policy rule to define Decryption Mirroring. On this question it is an answer and on 189 it is not.
BCE. The firewall provides three types of Decryption policy rules: SSL Forward Proxy to control outbound SSL traffic, SSL Inbound Inspection to control inbound SSL traffic, and SSH Proxy to control tunneled SSH traffic. You can attach a Decryption profile to a policy rule to apply granular access settings to traffic, such as checks for server certificates, unsupported modes, and failures. You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.
SSL Forward Proxy
SSL Inbound Inspection.
SSH Proxy
You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.
Ref: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-overview.html#idd71f8b4d-cd40-4c6c-905f-2f8c7fca6537