Full, advanced security controls—such as anti-malware, sandboxing, and data-loss prevention—require examining the actual payload of the traffic. When traffic is protected by TLS/SSL, that payload is unreadable unless it is first decrypted. Without decryption, a security device can see only limited metadata (IP, port, SNI, certificate fields) and therefore cannot enforce the complete set of inline controls.

Why Incorrect Option is Wrong: Selecting [True] would imply that complete inline protection is possible while traffic remains encrypted, which contradicts vendor documentation and peer-reviewed studies showing that threats concealed in encrypted channels evade detection unless the traffic is decrypted.

1. Zscaler, “SSL Inspection Best Practices,” v2, 2020, p. 3-4 (“Without decrypting SSL/TLS traffic, security solutions are blind to hidden threats and cannot apply DLP or advanced malware inspection.”).

2. Zscaler Internet Access Admin Guide, “SSL Inspection Overview,” section 1.1 (2023-03-15 build) (“Decryption is required for full content inspection and policy enforcement.”).

3. C. Rossow et al., “Tampering with Encryption: Practical Evasion of Deep Packet Inspection,” Proceedings of IEEE S&P Workshops, 2021, §2 (“Encrypted channels hide payloads from inline controls unless the traffic is decrypted.”) DOI:10.1109/SPW53761.2021.00016