Exam PCNSE
Question 133

Which logs enable a firewall administrator to determine whether a session was decrypted?

    Correct Answer: C

    To determine whether a session was decrypted, you should refer to the Decryption logs. They provide comprehensive information on sessions that match a Decryption policy and include detailed diagnostics relevant to decryption. While Traffic logs can offer some insights, Decryption logs are specifically designed for this purpose, offering a more straightforward and accurate way to verify decryption status.

Discussion

17 comments
Daniel2020 (Option: A)
Jan 26, 2021

A is the answer and not C. Yes, in PAN-OS 10 the Decryption Log was introduced, but that is more suited for troubleshooting where decryption broke the SSL/TLS session. It is far easier to check if a session was decrypted by checking the Traffic Log. It is clear here in the PAN-OS 10 Admin guide, section "Verify Decryption", that you check the Traffic Log to verify if decryption happened. Silly enough, it also states in the very same document that you can check the decryption log (but it seems to miss out that this is only for decryption failures). https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/verify-decryption.html Here is the link for the Decryption Log; you will read that it only logs unsuccessful decryption attempts. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs.html#idb1b7e4a6-b48c-4ca7-8569-b785da780dd6 Now, I am not running PAN-OS 10 in the real world so I can't say 100%, but reading off the documentation, that is how I would answer the question.

CyberG (Option: C)
Feb 22, 2021

As of August 17th, the Palo Alto Networks Certified Network Security Engineer (PCNSE) and the Palo Alto Networks Certified Network Security Administrator (PCNSA) certification exams reflect changes based on PAN-OS 10.0. Correct answer is C. https://live.paloaltonetworks.com/t5/certification-articles/pcnse-and-pcnsa-exam-changes-with-10-0/ta-p/344832

GohanF2
Feb 8, 2023

This is true. Answer is C. The new exam is evaluating version 10.0.

duckduckgooo
Mar 21, 2023

A. You missed the key word, whether or not it was decrypted. Decryption log is used for troubleshooting if decryption was busted, NOT whether or not something was decrypted.

TAKUM1y (Option: A)
Oct 11, 2022

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/verify-decryption

PAUGURU (Option: A)
Dec 31, 2020

Palo Alto introduces questions on the new version when it gets to the X.1. So since now it is 10.0 the exam focuses on the 9.1 version, so correct answer is A, for the time being.

brah_brah (Option: C)
Oct 21, 2020

v10 answer is C https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs.html

spydog (Option: A)
Sep 15, 2022

Although the newer versions have a dedicated log type for "Decryption", as others already pointed out, those logs can be used to troubleshoot decryption/negotiation issues. The question is asking how you can determine if a session was decrypted - the best way is still to check the details of the traffic log and see if the flag "decrypted" is checked. In addition, according to the documentation, by default only the unsuccessful decryption handshakes will be logged under "Decryption", which means if a session is successfully decrypted, no log will be shown here and you might think that the session was not decrypted.

dien1991 (Option: A)
Apr 11, 2022

Traffic log can show status of decryption or not first.

javim (Option: A)
Jan 17, 2023

I think A, because it says "whether a session was decrypted". Decryption log is for traffic that is already decrypted, but in the Traffic log you can see if the traffic is decrypted or not.

Joey456 (Option: A)
May 18, 2021

A is correct: Decryption logs are dependent on traffic logs being enabled. PAN-OS 10 doc cited here: The Decryption log learns each session’s App-ID from the Traffic log, so Traffic logs must be enabled to see the App-ID in the Decryption log. If Traffic logs are disabled, the App-ID shows as incomplete.

bmarks (Option: A)
Feb 9, 2021

Please keep in mind, the PCNSE 9 exam focuses only on PAN-OS 9.1. Answer = A. The question is simply asking which log shows whether a session was decrypted.

BTSeeYa (Option: A)
Jul 20, 2024

Old question, probably before there even were Decryption logs. I'd still put Traffic though, just because you can filter by Decrypted column really easy.

Marshpillowz (Option: A)
Jan 24, 2024

A is correct

dogeatdog (Option: C)
Dec 26, 2022

C not A on 10.2 and 11.0

Jared28 (Option: A)
Mar 23, 2022

If a security rule is logging it will always show if it was decrypted (and is the simplest thing to look at). By default, the decryption rules log only on unsuccessful SSL handshakes. If you're troubleshooting, this is the log to go look at but if all you want to do is figure out decrypted yes/no, traffic log even in 10.0+.

GivemeMoney (Option: C)
Jan 16, 2022

There is now a decryption log: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-logs.html

GivemeMoney
Jan 16, 2022

Per reading the document, Monitor > Logs > Traffic, traffic logs seem to be right after all; I change to answer A.

frodo1791 (Option: A)
Apr 19, 2021

The exam is based on PAN-OS 9.1 as far as I know, so the answer should be A.

MS_NW (Option: A)
Nov 14, 2020

Answer is A. There's no such thing as a Decryption log.

ricky69
Dec 2, 2020

Ans is C. The Decryption Log (Monitor > Logs > Decryption) provides comprehensive information about sessions that match a Decryption policy to help you gain context about that traffic so you can accurately and easily diagnose and resolve decryption issues. The firewall does not log traffic if the traffic does not match a Decryption policy.

Ali526
Dec 28, 2020

Correct, but starting with Version 10, there IS a 'decryption log'. PA should fix this question.