Question 51 Discussion

A company has an ongoing initiative to monitor and control IT-sanctioned SaaS applications. To be successful, it will require configuration of decryption policies, along with data filtering and URL Filtering Profiles used in Security policies. Based on the need to decrypt SaaS applications, which two steps are appropriate to ensure success? (Choose two answers)

  • A. Validate which certificates will be used to establish trust.
  • B. Configure SSL Forward Proxy.
  • C. Create new self-signed certificates to use for decryption.
  • D. Configure SSL Inbound Inspection.
Correct Answer: A,B

Brave-Dump Clients Votes

AB 100%

Comments



Ayesha 2026-02-16 03:48:10

Selected Answers: A, B


To successfully monitor, control, and decrypt IT-sanctioned SaaS applications, the two appropriate steps from the given options are:

Validate which certificates will be used to establish trust.

SSL decryption requires the use of keys and certificates to establish the Palo Alto Networks Next-Generation Firewall (NGFW) or Prisma Access as a trusted third party (proxy) between the client and the server.

For SSL Forward Proxy decryption, a Forward Trust certificate must be configured. This certificate is presented by the firewall to clients when establishing sessions for decryption.

It is a best practice to use enterprise CA-signed certificates for this purpose, as network devices typically already trust the enterprise CA, simplifying deployment. If self-signed certificates are used, they must be installed on all client systems, which is generally recommended only for small deployments or proof-of-concept trials.

Proper certificate configuration is crucial; an error will occur if the certificate is not correctly marked as a "Forward Trust certificate".

Configure SSL Forward Proxy.

SSL Forward Proxy decryption is specifically designed to inspect traffic exiting your internal network to the internet. This is the relevant mode for monitoring and controlling users' access to external IT-sanctioned SaaS applications.

Configuring SSL Forward Proxy is a foundational step for managing SaaS applications when no upstream devices are already decrypting HTTPS traffic.

This involves creating a decryption policy rule where the action is set to Decrypt and the type is set to SSL Forward Proxy.

The firewall acts as a proxy, generating a new certificate for the accessed URL, signed by a trusted CA certificate, which is presented to the client during the SSL handshake.
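
The certificate trust behaviour described in the comment above, reproduced offline as an added example (not part of the original page, the comment, or any vendor tooling). It assumes the `openssl` CLI is installed; the CA names, the host name `saas.example.test` and all helper functions are constructed for illustration, with a local CA standing in for the firewall's Forward Trust certificate.

```shell
#!/bin/sh
# Constructed lab names throughout; assumes the openssl CLI is installed.
WORK=$(mktemp -d)
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
# make_ca NAME: self-signed CA standing in for a Forward Trust certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
# proxy_issue HOST CA: the proxy's step, a fresh leaf for HOST signed by CA.
proxy_issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null &&
    openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
        -set_serial 1 -days 1 -out "$WORK/$1.$2.pem" 2>/dev/null
}
# client_trusts LEAF ROOT: exit 0 only if LEAF chains to the client's ROOT.
client_trusts() {
    openssl verify -CAfile "$WORK/$2.pem" "$WORK/$1" >/dev/null 2>&1
}
# issuer_cn LEAF: who signed the certificate the client actually received.
issuer_cn() {
    openssl x509 -in "$WORK/$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *CN=//'
}

make_ca enterprise-ca      # already present in the client's trust store
make_ca selfsigned-fw-ca   # self-signed, not yet installed on the client
proxy_issue saas.example.test enterprise-ca
proxy_issue saas.example.test selfsigned-fw-ca
for ca in enterprise-ca selfsigned-fw-ca; do
    leaf="saas.example.test.$ca.pem"
    if client_trusts "$leaf" enterprise-ca; then result="trusted"; else result="certificate warning"; fi
    echo "signed by $(issuer_cn "$leaf"): $result"
done
```

The same issuer check, run against the certificate a browser shows for a sanctioned SaaS site, confirms whether a session is actually being decrypted: a decrypted session shows the Forward Trust CA as issuer instead of the site's public CA.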