Exam PCNSE topic 1 question 312 discussion

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

Answer is C. If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources.

PFS is more secure but more resource intensive RSA less secure but saves resources.. so C

Option A involves optimizing the decryption process by using less processor-intensive ciphers for traffic that doesn't require the highest level of security. This allows you to strike a balance between security and performance, ensuring that your firewall can handle the decryption workload efficiently without compromising security.

Definitely C A and B are not relevant As per the link and the text below Use RSA for traffic that isnt sensitive ( so D is wrong because you would use RSA for low risk /non sensitive traffic and not higher-priority and higher-risk traffic as in option D ) Which leaves C as the most correct The performance cost of PFS trades off against the higher security that PFS achieves, but PFS may not be needed for all types of traffic. You can save firewall CPU cycles by using RSA for traffic that you want to decrypt and inspect for threats but that isn’t sensitive. If firewall resources are an issue, use stronger decryption (such as PFS) for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

The correct answer is D. he combination of these factors determines how decryption consumes firewall processing resources. To best utilize the firewall’s resources, understand the risks of the data you’re protecting. If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic. (You’re still decrypting and inspecting the lower-priority traffic, but trading off consuming fewer computational resources with using algorithms that aren’t as secure as PFS.) The key is to understand the risks of different traffic types and treat them accordingly.

Option C If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

C "For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic. (You’re still decrypting and inspecting the lower-priority traffic, but trading off consuming fewer computational resources with using algorithms that aren’t as secure as PFS.) "

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

based on the link that KAMBATA provided i think it is C

f firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic.

I think C, PFS for high security traffic and RSA on low end stuff.

i thnik D You can save firewall CPU cycles by using RSA for traffic that you want to decrypt and inspect for threats but that isn’t sensitive.