Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?

An engineer must configure a new SSL decryption deployment.

Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted?
A. There must be a certificate with both the Forward Trust option and Forward Untrust option selected.
B. A Decryption profile must be attached to the Security policy that the traffic matches.
C. A Decryption profile must be attached to the Decryption policy that the traffic matches.
D. There must be a certificate with only the Forward Trust option selected.

Answer: D

Explanation:

A certificate with only the Forward Trust option selected is required for SSL Forward Proxy decryption, which is the most common type of SSL decryption deployment [1]. A certificate with both the Forward Trust and Forward Untrust options selected is required for SSL Inbound Inspection decryption, which is less common [2]. A Decryption profile is not required before any traffic that matches an SSL decryption rule is decrypted, but it is recommended to apply one to control how the firewall handles traffic that cannot be decrypted [3].

References:

1: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-forward-proxy

2: https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/threat-prevention/decryption/decryption-concepts/ssl-inbound-inspection

3: https://docs.paloaltonetworks.com/best-practices/10-1/decryption-best-practices/decryption-best-practices/deploy-ssl-decryption-using-best-practices
