Palo Alto Networks NetSec-Analyst Exam - Topic 1 Question 11 Discussion

Actual exam question for Palo Alto Networks's NetSec-Analyst exam

Question #: 11
Topic #: 1

A company requires that all encrypted traffic from the "Accounting" department be decrypted for inspection, while all other departments remain encrypted. How should the analyst configure the Decryption Policy?

ACreate a single rule with 'Source Zone' set to Accounting and 'Action' to Decrypt.

BCreate a 'No Decrypt' rule for all zones except Accounting.

CUse 'User-ID' in the Decryption Policy to target only members of the Accounting group.

DApply a decryption profile to the Accounting Security Policy rule.

Show Suggested Answer

Suggested Answer: C

Comprehensive and Detailed 150 to 250 words of Explanation From Palo Alto Networks Network Security Analyst Knowledge:

The most granular and efficient way to apply decryption to a specific department is by using User-ID within the Decryption Policy. This ensures that the policy follows the users themselves, regardless of which specific IP address or zone they are currently using.

By selecting the 'Accounting' group from the identity provider (e.g., Active Directory) in the 'Source User' column, the analyst ensures that only their SSL/TLS sessions are decrypted for threat inspection. This objective balances high-security requirements for sensitive departments with the privacy expectations and performance considerations of the rest of the organization. It is a key best practice for a Network Security Analyst to use identity as the primary factor in decryption decisions, as it provides the most persistent and accurate control over the security posture.

by Sherita at May 06, 2026, 03:14 AM

Limited Time Offer

25%

Off

Get Premium NetSec-Analyst Questions as Interactive Web-Based Practice Test or PDF

Contribute your Thoughts:

Submit Cancel

Currently there are no comments in this discussion, be the first to comment!