Exam PCNSE topic 1 question 198 discussion

A and D: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion

Should be A and D

D : Traffic that you should never decrypt because it contains personally identifiable information (PII) or other sensitive information, such as the URL Filtering categories financial-services, health-and-medicine, and government.

A and D correct

qwerqwer a d

A:https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption B:https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion

A and D, no doubt. A - Because decryption requires to proxy TLS and client certificate will not be used. B- Compliance issues avoid to open tunnels to certain entities (...)

Web server which requires mutual authentication does not support ssl decryption. And you should exclude sensitive sites from decryption.

Should be A and D

For mutual authentication we must configure SSL Decryption Exclusion and once we include a destination into SSL Decryption Exclusion all the decryption policy rules are bypassed, therefor there is not action of "NO DECRYPT". "No decrypt" it's only inside decryption policy rule. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/create-a-policy-based-decryption-exclusion.html "Traffic that originates or is destined for executives or other users whose traffic shouldn’t be decrypted." = restricted/limited group of users In my opinion the correct answers are B&D.