PCNSE Question #608: Real Exam Question with Answer & Explanation
The correct answer is A: The engineer should install the Decryption Port Mirror license and reboot the firewall.
Question
An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface. Which statement is true regarding the configuration of the Decryption Port Mirroring feature?
Options
- A. The engineer should install the Decryption Port Mirror license and reboot the firewall.
- B. The PA-850 firewall does not support decrypt mirror interface, so the engineer needs to upgrade
- C. The engineer must assign an IP from the same subnet with the forensic tool to the decrypt mirror
- D. The engineer must assign the related virtual-router to the decrypt mirror interface.
Explanation
Decryption Port Mirroring is a licensed feature on PAN-OS that allows decrypted traffic to be copied and forwarded to a designated mirror interface for analysis by a forensic or DLP tool. To enable this feature, the administrator must: (1) obtain and install the Decryption Port Mirror license, and (2) reboot the firewall to activate the license. The PA-850 does support decrypt port mirroring (B is false). The mirror interface does not require an IP address - it operates as a Layer 1 passive tap port that simply receives copied traffic (C is false). A virtual router does not need to be assigned to a decrypt mirror interface since it does not route traffic (D is false). After reboot, the interface can be designated as a decrypt mirror interface in the firewall's network configuration.