A financial institution must comply with a regulation that prohibits the decryption of any traffic destined for "Banking" or "Healthcare" websites. How should the analyst implement this requirement while still decrypting other web traffic?
Explanation:
Compliance and privacy are major objectives for a Network Security Analyst. Palo Alto Networks firewalls use Decryption Policies to determine which traffic should be inspected and which should be bypassed.
By creating a specific policy rule with the action set to 'No Decrypt,' the analyst can use URL Categories (such as financial-services and health-and-medicine) as the matching criteria. When an internal user visits a banking site, the firewall identifies the category and allows the encrypted session to pass through untouched, maintaining the user's privacy and meeting regulatory requirements. This rule must be placed higher in the policy list than the general 'Decrypt Everything' rule to ensure it takes precedence. This granular control allows the organization to eliminate security 'blind spots' for most web traffic while respecting the sensitive nature of specific personal data.
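The rule-ordering point above can be checked mechanically. The following is an added example, not Palo Alto Networks code or anything from the original page: a small Python model of top-down, first-match decryption policy evaluation that flags a rulebase where a protected category would hit a decrypt rule first. The rule names, the `news` sample category and the helper functions are hypothetical.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})  # wildcard: rule matches every URL category


@dataclass(frozen=True)
class Rule:
    name: str                  # hypothetical rule name
    url_categories: frozenset  # categories matched, or ANY
    action: str                # "decrypt" or "no-decrypt"

    def matches(self, category: str) -> bool:
        return self.url_categories == ANY or category in self.url_categories


def evaluate(rulebase, category):
    """Walk the rulebase top-down; the first matching rule decides."""
    for rule in rulebase:
        if rule.matches(category):
            return rule.name, rule.action
    # Modeled assumption: traffic matching no rule is left encrypted.
    return None, "no-decrypt"


def shadowed_exemptions(rulebase, protected):
    """Protected categories that would be decrypted under this ordering."""
    return sorted(c for c in protected if evaluate(rulebase, c)[1] == "decrypt")


# Categories named in the explanation above.
PROTECTED = {"financial-services", "health-and-medicine"}
exempt = Rule("no-decrypt-regulated", frozenset(PROTECTED), "no-decrypt")
decrypt_all = Rule("decrypt-everything", ANY, "decrypt")

CORRECT = [exempt, decrypt_all]      # exemption above the broad rule
MISORDERED = [decrypt_all, exempt]   # exemption can never match

if __name__ == "__main__":
    for label, rulebase in (("correct", CORRECT), ("misordered", MISORDERED)):
        # "news" is a constructed sample of ordinary, non-exempt traffic.
        for cat in ("financial-services", "health-and-medicine", "news"):
            print(f"{label:10} {cat:20} -> {evaluate(rulebase, cat)}")
        print(f"{label:10} violations: {shadowed_exemptions(rulebase, PROTECTED)}")
```

Running the same check against an exported rulebase before each commit catches the case where a later edit moves a broad decrypt rule above the exemption.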