Why not C ? Don't we need visibility (via decryption) before app-ID can function?

Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

Putting C as a protest vote. That best practice statement is stupid from Palo. As if an engineer would forget which ports he configured in a few decryption rules and couldn't easily look at them. I'd want my App-ID visibility right off the bat - granular App-IDs won't work without decryption.

https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment "Migrating to App-ID based rules before deploying decryption ensures that when you test your decryption deployment"

D move to App-ID befohttps://www.examtopics.com/exams/palo-alto-networks/pcnse/view/#re you implement Decryption

https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment

D is correct. Migrate from port-based to applicaon-based Security policy rules before you create and deploy Decrypon policy rules. If you create Decrypon rules based on port-based Security policy and then migrate to applicaon-based Security policy, the change could cause the Decrypon rules to block traffic that you intend to allow because Security policy rules are likely to use applicaon default ports to prevent traffic from using non-standard ports. Migrang to App-ID based rules before deploying decrypon ensures that when you test your decrypon deployment, you’ll discover Security policy misconfiguraons and fix them before rolling decrypon out to the general user populaon.