Exam PCNSE
Question 484

A company requires the firewall to block expired certificates issued by internet-hosted websites. The company plans to implement decryption in the future, but it does not perform SSL Forward Proxy decryption at this time.

Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify and block expired certificates issued by internet-hosted websites?

    Correct Answer: D

    The firewall can identify and block expired certificates issued by internet-hosted websites without performing SSL Forward Proxy decryption by creating a Decryption profile whose No Decryption section blocks sessions with expired certificates, and assigning that profile to a No Decrypt policy rule. This lets the firewall enforce certificate expiration checks without decrypting the SSL/TLS traffic.
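An added illustration (not part of the exam page or the Palo Alto Networks documentation) of why this works: in a TLS 1.2 handshake the server's Certificate message is sent in cleartext, so a device in the path can parse the leaf certificate's notAfter field and drop the session without decrypting anything (TLS 1.3 encrypts the Certificate message, which is why a visible handshake is what makes a no-decrypt check possible). The DER encoder and the certificate skeleton below are constructed test data, not real certificates.

```python
import datetime as dt

def der(tag, body):
    # Minimal DER TLV encoder (short-form lengths only) for constructing sample data.
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def utctime(t):
    return der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())

def sample_certificate(not_before, not_after):
    # Constructed TBSCertificate skeleton: [0] version, serialNumber, signature
    # AlgorithmIdentifier, empty issuer, Validity. Later fields are omitted; not a real cert.
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
           + der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + der(0x30, b"") + der(0x30, utctime(not_before) + utctime(not_after)))
    return der(0x30, der(0x30, tbs))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos; handles long-form lengths."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def not_after(cert):
    """Walk Certificate -> tbsCertificate -> validity and return notAfter as an aware UTC time."""
    tbs = read_tlv(read_tlv(cert, 0)[1], 0)[1]
    pos = read_tlv(tbs, 0)[2] if tbs[0] == 0xA0 else 0   # skip optional explicit version
    for _ in range(3):                                   # serialNumber, signature, issuer
        pos = read_tlv(tbs, pos)[2]
    validity = read_tlv(tbs, pos)[1]
    na = read_tlv(validity, read_tlv(validity, 0)[2])[1]  # second element is notAfter
    return dt.datetime.strptime(na.decode(), "%y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)

def tls12_certificate_message(chain):
    # TLS 1.2 Handshake type 11: 3-byte total length, then 3-byte-length-prefixed DER certs.
    body = b"".join(len(c).to_bytes(3, "big") + c for c in chain)
    body = len(body).to_bytes(3, "big") + body
    return b"\x0b" + len(body).to_bytes(3, "big") + body

def leaf_certificate(msg):
    # Skip type(1) + length(3) + chain length(3); the first entry is the server's own cert.
    n = int.from_bytes(msg[7:10], "big")
    return msg[10:10 + n]

def no_decrypt_verdict(msg, now):
    """Mimic a No Decryption profile's 'block sessions with expired certificates' check."""
    return "block" if now > not_after(leaf_certificate(msg)) else "allow"
```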

Discussion
evdw (Option: D)

Correct answer D https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/troubleshoot-certificate-expiration-issues

evilCorpBot7494 (Option: D)

D makes the most sense; you still don't decrypt, but in that section you can enable OCSP and CRL functionality and select to block sessions with expired certs.

Marshpillowz (Option: D)

Answer is D

Betty2022 (Option: D)

D is our answer: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile#id185BA08H0PP