For SSL Inbound Inspection, the Palo Alto Networks firewall must decrypt traffic destined for an internal server. To achieve this, it functions as a proxy, intercepting the SSL/TLS connection between the external client and the internal server. The firewall uses the server's certificate and private key (which must be loaded onto the firewall) to impersonate the server to the client. It terminates the client's session, inspects the decrypted content, and then establishes a new, separate SSL/TLS session with the internal server. This process is fundamentally a "meddler-in-the-middle" (or man-in-the-middle) architecture. The use of Perfect Forward Secrecy (PFS) does not alter this behavior; the firewall simply negotiates separate ephemeral keys for each of the two sessions it manages.

B. The firewall cannot act transparently. To decrypt and inspect the traffic, it must actively terminate and re-establish the SSL/TLS session, which is an intrusive, not transparent, action.

C. This option is incorrect because the question specifically addresses SSL (Secure Sockets Layer) inspection, not SSH (Secure Shell) connections, which is a different protocol.

D. This describes SSL Forward Proxy (outbound inspection), where the firewall decrypts traffic from an internal client to an external server, not SSL Inbound Inspection.

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2, "SSL Inbound Inspection."

Section: Decryption > SSL Inbound Inspection

Content: "For SSL Inbound Inspection, the firewall acts as a proxy between the external client and the internal server. The firewall uses the private key of the server certificate that you import onto the firewall to decrypt and inspect the traffic from the client before sending it to the server." This text explicitly describes the proxy (meddler-in-the-middle) behavior.

2. Palo Alto Networks Technical Documentation, "Configure SSL Inbound Inspection."

Section: Get Started > Set Up SSL Inbound Inspection

Content: "To perform SSL Inbound Inspection, the firewall intercepts SSL traffic destined for an internal server and acts as a proxy. The firewall must have the server certificate and private key to successfully impersonate the server so that it can establish an SSL session with the external client." This confirms the firewall's role as an intercepting proxy.