> Is it fair to say that an NGFW *must* decrypt SSL traffic in order to > fully categorize for IPS/IDS prevention? well, not really. aside from damage, it will not 'protect' you against more modern transports, such as quic, which were designed to keep the net open. randy