Exam PCNSE topic 1 question 210 discussion

Plan to decrypt the riskiest traffic first (URL categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience https://docs.paloaltonetworks.com/advanced-url-filtering/administration/configuring-url-filtering/url-filtering-best-practices

https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

Interestingly Both seems to be BPA: This answer might have 2 answers in the exam. Create policy to decrypt the rest of the traffic by configuring SSL Forward Proxy, SSL Inbound Inspection, and SSH Proxy rules. Always decrypt the online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, content-delivery-networks, and high-risk URL categories. https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices

As a best practice the high-risk category should be blocked, leaving only C

Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience. Alternatively, decrypt the URL Categories that don’t affect your business first (if something goes wrong, it won’t affect business), for example, news feeds. - Taken from PANOS10 best practices found in https://docs.paloaltonetworks.com/best-practices/10-0/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

Correct Answer is B. 'Online Storage and Backup is not a URL Category. "Always decrypt the online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, content-delivery-networks, and high-risk URL categories. Limit SSH Proxy to administrators who manage network devices, log all SSH traffic, and configure Multi-Factor Authentication to prevent unauthorized SSH access." https://docs.paloaltonetworks.com/best-practices/10-0/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices

The question is referring to URL categories used as best practice for SSL decryption, and not all URL categories. Please read STEP 3 last bullet from here: https://docs.paloaltonetworks.com/best-practices/8-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices.html "If you can’t decypt everything, always decrypt the online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, and content-delivery-networks URL categories."

Online Storage and Backup is not an URL category so option B

I suggest C as correct answer. https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices.html " . Always decrypt the online-storage-and-backup, web-based-email, web-hosting, personal-sites-and-blogs, content-delivery-networks, and high-risk URL categories. .."