Exam PCNSE topic 1 question 603 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 603
Topic #: 1

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

  • A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
  • B. Use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority.
  • C. Use the highest TLS protocol version to maximize security.
  • D. Use ECDSA instead of RSA for traffic that isn’t sensitive or high-priority.
Suggested Answer: B

Comments

b53fdf1
Highly Voted 1 year, 2 months ago
Selected Answer: B
I think the answer should be B since RSA is less resource intensive than ECDSA
upvoted 5 times
...
432c74b
Most Recent 3 months, 1 week ago
Selected Answer: B
"RSA (not the RSA key exchange algorithm) consumes less resources than Elliptic Curve Digital Signature Algorithm (ECDSA) but ECDSA is more secure." "You can save firewall CPU cycles by using RSA for traffic that you want to decrypt and inspect for threats but that isn’t sensitive." https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment
upvoted 1 times
...
JackyCCK
3 months, 1 week ago
Selected Answer: B
If you say RSA consumes less computing power, but at what measure? Both algorithms using the same number of bits? How is that a fair comparison? I think the comparison should be at the same security level, which is 256-bit keys ECDSA vs 3072-bit keys RSA.
upvoted 1 times
JackyCCK
3 months, 1 week ago
If NGFW resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption for lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority. This preserves NGFW resources for PFS-based decryption of higher priority, sensitive traffic. (You’re still decrypting and inspecting the lower-priority traffic, but trading off consuming fewer computational resources with using algorithms that aren’t as secure as PFS.)
upvoted 1 times
JackyCCK
3 months, 1 week ago
The above states what Palo Alto said, but I still think this is a stupid problem. Even though ECDSA uses large keys, they are significantly smaller than in the case of RSA. For ECDSA to reach the 128-bit security standard, it’s enough to use 256-bit keys. In comparison, RSA needs at least 3072-bit keys to match the same standard. Regardless of the smaller keys in use, ECDSA provides the same level of security as RSA. The smaller key size also makes ECDSA a perfect algorithm for mobile applications because they require less bandwidth.
upvoted 1 times
...
...
...
JackyCCK
3 months, 1 week ago
Selected Answer: B
An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.
upvoted 1 times
...
de7cdfd
4 months, 1 week ago
Selected Answer: D
ECDSA uses smaller key sizes than the RSA algorithm and, therefore, provides a performance enhancement for processing SSL/TLS connections. ECDSA also provides equal or greater security than RSA. ECDSA is recommended for client browsers and operating systems that support it but you may be required to select RSA for compatibility with legacy browsers and operating systems.
upvoted 1 times
...
kambata
6 months, 1 week ago
Selected Answer: B
If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic.
upvoted 1 times
...
M_F1985
6 months, 1 week ago
Selected Answer: B
"Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms"
upvoted 1 times
...
insertnicknamehere
6 months, 3 weeks ago
The answer is D. ECDSA uses less computational power, memory, and energy, making it suitable for devices with limited resources. Please update to the correct answer.
upvoted 4 times
...
redgi0
9 months ago
Selected Answer: D
From ChatGPT :) ECDSA is generally less resource-consumptive than RSA in an NGFW decryption policy due to its lower computational complexity and smaller key sizes for equivalent security levels. This makes ECDSA the preferred choice in environments where performance and resource optimization are critical.
upvoted 3 times
DatITGuyTho1337
7 months, 1 week ago
Looks like ChatGPT lied to you. See fulanitodetalcr's post citing actual vendor documentation. I wouldn't rely on AI for learning, just do the work yourself. :)
upvoted 2 times
redgi0
6 months ago
correct. Changing answer to B
upvoted 1 times
...
...
...
thelittleyellowbirdie
9 months, 2 weeks ago
this was in my exam 09/08/2024
upvoted 3 times
...
fulanitodetalcr
10 months, 2 weeks ago
Based on (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment). You could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic. > Answer should be B based on the official documentation.
upvoted 2 times
...
Mtro
1 year ago
D....Key size. The RSA algorithm uses significantly larger cryptographic keys than ECDSA. To reach 128-bit security, RSA needs to use keys that are at least 3072 bits in length. Meanwhile, it's sufficient for ECDSA to generate public keys twice the size of the desired 128-bit security to reach this standard.
upvoted 2 times
...
Candydaivd
1 year, 1 month ago
Selected Answer: D
should be D, ECDSA runs faster than RSA. It also requires significantly less memory.
upvoted 3 times
...
PacketsDownRange99
1 year, 1 month ago
Selected Answer: B
Agree B
upvoted 1 times
...
VenomX51
1 year, 1 month ago
Selected Answer: B
SSL Forward Proxy and SSL Inbound Inspection do two different jobs, and the way the question is phrased they could both be on. The answer, without turning anything off, is to use a less intensive decryption/encryption method - Answer is B
upvoted 1 times
...
hcir
1 year, 2 months ago
Agree B. RSA is less secure but also less CPU intensive, hence it can be used for less sensitive traffic.
upvoted 3 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other