1. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0: In the section on Decryption Profiles, the behavior for unsupported parameters is detailed. For "Unsupported Cipher Suites," it states: "If you select Decrypt, the firewall allows the connection but does not decrypt it. To prevent the firewall from attempting to decrypt future connections to the same site, it adds the site to the SSL decryption exclusion cache."
Source: Palo Alto Networks. (2023). PAN-OS® Administrator’s Guide 11.0. "Objects > Decryption Profile > SSL Forward Proxy Tab".
2. Palo Alto Networks TechDocs - Troubleshoot SSL Decryption: This document explains the mechanisms for handling decryption failures. It clarifies that when a session cannot be decrypted due to an unsupported cipher and the policy allows it, the server is added to an exclusion cache to prevent future decryption attempts.
Source: Palo Alto Networks. (n.d.). Troubleshoot SSL Decryption. "SSL Decryption Not Working as Expected". Retrieved from the official Palo Alto Networks TechDocs portal.
3. Palo Alto Networks TechDocs - SSL Decryption for Advanced Users: This resource details the internal workings, including the exclusion cache. It confirms that servers using unsupported ciphers are added to this cache to optimize performance by bypassing future decryption attempts.
Source: Palo Alto Networks. (n.d.). SSL Decryption for Advanced Users - LIVEcommunity. "SSL Decryption Failure Handling".