Exam PCNSE
Question 14

An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage?

    Correct Answer: A

    An administrator encountering problems with inbound decryption should check the security policy rule allowing SSL to the target server. Inbound decryption involves decrypting traffic intended for an internal server, and for the firewall to decrypt and inspect this traffic, a security policy rule must be correctly configured to allow SSL traffic to the internal server. If this rule is not in place or has issues, the decryption process can be hindered. Ensuring that the appropriate security policies are set up is a crucial triage step in resolving decryption problems.

Discussion
BellaDrake (Option: A)

The correct answer is A. Inbound decryption is where you are decrypting traffic to your internal server. You don't use a Root CA; you load that server's cert and private key. The Root cert is 'Optional': https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-inbound-inspection.html

eazy99 (Option: A)

I believe A is the correct answer. Even if you have the certs configured correctly, if you don't have a Security Policy, you can't decrypt or exclude websites from the decryption. If you Google how to solve a decryption issue on PA, the first thing you get is to check your security policy. Check out this link: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CloUCAS

jonboy22

Great Answer!

SMahaldar (Option: A)

Only A

Zabol (Option: C)

I think it is C. The question says Inbound Decryption; based on the same question in the PCNSE exam guide, the certificate needs to be checked.

NNgiggs (Option: C)

The answer here is C. The question cannot be talking of inbound decryption unless the traffic has been allowed by the security policy. So security policy is out of the question here. Traffic that encounters any problems with decryption must have been allowed by the Security policy. The question is talking about inbound traffic, which means the firewall has imported the server certificate and its private key to be able to decrypt the traffic for inspection before passing it to the server if it is benign. This server cert, self-signed by an internal CA, could be the source of the problem; see answer C.

rocioha (Option: A)

Agree with answer A. You don't need the CA. You need the server certificate imported prior to enabling the SSL inbound inspection.

Marshpillowz (Option: A)

Answer is A.

beikenes (Option: A)

It is worth mentioning that the policy needs to allow the application identified when the SSL traffic is decrypted.

lol12 (Option: A)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-inbound-inspection

TAKUM1y (Option: A)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-inbound-inspection

spydog (Option: A)

I will agree the correct answer is A.

spydog

Initially I was leaning more to D, but I just realised it is misleading... Issues with the HSM module could indeed cause inbound decryption problems, because the HSM is used to store the private key. Without the private key, the FW cannot decrypt inbound traffic. However, the HSM stores the private key, while the certificate is imported once during the setup - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/certificate-management/secure-keys-with-a-hardware-security-module/store-private-keys-on-an-hsm#idcaadcd26-7f7c-494a-bfaa-bdfb51826aec

spydog

On the other hand, it is very important to understand the big difference between SSL Inbound Inspection and SSL Forward Proxy. With Inbound Inspection, the firewall does not proxy the SSL session. Since it has the private key, client and server establish SSL directly with each other, while the firewall can peek inside the encrypted traffic, because it has the private key for the server, has observed the SSL negotiation, and can calculate the key used for encryption. Because of this, traffic for SSL inbound inspection does not pass over the SSL proxy. Also, listen carefully around the end of this video, where they said "you still need to allow encrypted traffic", which will be SSL - https://www.youtube.com/watch?v=oTivQY1RHu4

ashmeow (Option: A)

A makes sense. CRL is not very relevant for inbound.

uwestani (Option: D)

We do inbound decryption because we do not want to allow SSL to a target server. We want to decrypt all SSL and then allow some of the decrypted apps to the target server. For decryption you do not need to allow SSL in a security policy. We mostly use inbound decryption for Exchange and have a bunch of apps that are allowed there in the corresponding security policy. SSL we do not allow. And this works fine. In the list of possible answers here the only one that could affect decryption and makes some kind of sense even if it may be very seldomly used, is answer D. I think it is not well written but could be some source of failure. Whereas A, B and C do not hinder inbound SSL decryption.

achille5 (Option: A)

Correct is A. First check the security policy, then the security profiles used in the security policy that the traffic matched. With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy to clear text traffic and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL-Filtering, and File Blocking profiles.

lucaboban (Option: A)

Correct answer is A. Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic destined for a network server (you can perform SSL Inbound Inspection for any server if you load the server certificate onto the firewall). With an SSL Inbound Inspection Decryption policy enabled, the firewall decrypts all SSL traffic identified by the policy to clear text traffic and inspects it. The firewall blocks, restricts, or allows the traffic based on the Decryption profile attached to the policy and the Security policy that applies to the traffic, including any configured Antivirus, Vulnerability Protection, Anti-Spyware, URL-Filtering, and File Blocking profiles. As a best practice, enable the firewall to forward decrypted SSL traffic for WildFire analysis and signature generation. Configuring SSL Inbound Inspection includes installing the targeted server certificate on the firewall, creating an SSL Inbound Inspection Decryption policy, and applying a Decryption profile to the policy.

Jpmuir (Option: C)

Answer is C. I do not believe it is A, since a security policy is not configured to decrypt traffic. Instead, a Decryption Policy must be configured.

theroghert (Option: A)

Only A