An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
An engineer is tasked with enabling SSL decryption across the environment. What are three valid parameters of an SSL Decryption policy? (Choose three.)
To enable SSL decryption across an environment, the SSL Decryption policy can be configured using specific parameters. Source users allow the policy to be applied based on the users generating traffic. URL categories enable the policy to categorize and decrypt traffic based on predefined URL groups, offering granular control over which websites can be accessed securely. Source and destination IP addresses help define the scope of the decryption policy by specifying which IP ranges are included or excluded in the decryption process. Therefore, the valid parameters of an SSL Decryption policy are source users, URL categories, and source and destination IP addresses.
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule
BDE is correct, checked it in LAB
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0 "In particular, decryption can be based upon URL categories, source users, and source/destination IP addresses."
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule
Decryption and Authentication policies dont use application
You cannot decrypt any traffic from any type of VPN, if it is GlobalProtect or AnyConnect etc. App-ID is a function in the NGFW not an element in which you can use in a oolicy. But source user, Source IP and Destination IP you can use in the SSL decrypt policy. there are HIP option you can use but this is not associated with the GlobalProtect.
Who decides about what is right here? You can easily check that App-ID or GlobalProtect HIP aren't in the Decryption Policy Rule options. Disappointed with this site
BDE is correct
BDE Buuuuut!!! im checking my firewall and you can put HIP at source tab.... so global protect hip should be ok i think :O
BDE: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule
BDE. 1.Users—Select Source and set the Source User for whom to decrypt traffic. 2. IP addresses, address objects, and/or address groups—Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address 3. Select Service/URL Category to set the rule to match to traffic based on service
BDE Src: Zone, Address, User Dst: Zone, Address Service/URL category