Exam PCNSE topic 1 question 278 discussion

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule

Decryption and Authentication policies dont use application

You cannot decrypt any traffic from any type of VPN, if it is GlobalProtect or AnyConnect etc. App-ID is a function in the NGFW not an element in which you can use in a oolicy. But source user, Source IP and Destination IP you can use in the SSL decrypt policy. there are HIP option you can use but this is not associated with the GlobalProtect.

Who decides about what is right here? You can easily check that App-ID or GlobalProtect HIP aren't in the Decryption Policy Rule options. Disappointed with this site

BDE is correct

BDE Buuuuut!!! im checking my firewall and you can put HIP at source tab.... so global protect hip should be ok i think :O

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0 "In particular, decryption can be based upon URL categories, source users, and source/destination IP addresses."

BDE: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule

BDE. 1.Users—Select Source and set the Source User for whom to decrypt traffic. 2. IP addresses, address objects, and/or address groups—Select Source and/or Destination to match to traffic based on Source Address and/or the Destination Address 3. Select Service/URL Category to set the rule to match to traffic based on service

BDE Src: Zone, Address, User Dst: Zone, Address Service/URL category

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-policy-rule