
Exam PCNSE topic 1 question 311 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 311
Topic #: 1

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.
How should the engineer proceed?

  • A. Create a Security policy to allow access to those sites
  • B. Install the unsupported cipher into the firewall to allow the sites to be decrypted
  • C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
  • D. Allow the firewall to block the sites to improve the security posture
Suggested Answer: C

Comments

secdaddy
Highly Voted 2 years, 1 month ago
From the question "...websites are required for corporate users to access". From this we can infer that access to the websites is required by the customer/business which means the sites shouldn't be blocked, even if from a security standpoint we would prefer it so C can be correct.
upvoted 5 times
Alen
2 years ago
"evaluating which websites are required for corporate users to access". As part of their strategy they are attempting to determine whether they require the users to access the websites or not. Ideally you would block the traffic with unsupported ciphers, ensuring clients have a higher TLS version. If the client requires access to the site, a decryption profile can be created with a lower TLS to suit.
upvoted 1 times
franko_72
Most Recent 11 months ago
Pretty sure this was on the exam, has to be C. July 2023
upvoted 3 times
mohr22
1 year, 9 months ago
C: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions
Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt the traffic results in blocking the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (Device > Certificate Management > SSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to the list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.
upvoted 1 times
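The decision the quoted documentation describes (required site + technical failure such as an unsupported cipher = candidate for the SSL Decryption Exclusion list; not required = leave blocked; required but failing for a non-technical reason = investigate rather than exclude) can be scripted as a triage pass over decryption failures. This is an added example, not code from the exam or from Palo Alto Networks; the log lines are constructed in a simplified "hostname,reason" CSV shape, not real PAN-OS decryption log output, and the bucket names and the treatment of reasons not on the documented technical list are my own assumptions.

```python
"""Triage decryption failures against a list of business-required sites.

Added example, not from the PCNSE question or the PAN-OS docs. The log
format below is a constructed, simplified CSV (hostname,reason); real
PAN-OS decryption logs use a different layout.
"""
import csv
import io

# Reasons the referenced docs list as breaking decryption technically:
# decrypting such traffic makes the firewall block it.
TECHNICAL_REASONS = {
    "pinned_certificate",
    "incomplete_certificate_chain",
    "unsupported_cipher",
    "mutual_authentication",
}

# Constructed sample: sites the business needs users to reach.
REQUIRED_SITES = {"erp.example.com", "payroll.example.com", "chat.example.com"}

# Constructed sample failures (hostname,reason); not real log output.
SAMPLE_LOG = """\
erp.example.com,unsupported_cipher
payroll.example.com,pinned_certificate
games.example.net,unsupported_cipher
chat.example.com,untrusted_issuer
erp.example.com,unsupported_cipher
"""


def triage(log_text, required_sites):
    """Return {"exclude": set, "leave_blocked": set, "investigate": set}.

    exclude       : required site failing for a documented technical reason,
                    so a candidate for the SSL Decryption Exclusion list
    leave_blocked : not required by the business, so blocking it is fine
    investigate   : required site failing for a reason not on the technical
                    list (assumption: an exclusion would hide that problem
                    rather than fix it, e.g. an untrusted issuer)
    """
    result = {"exclude": set(), "leave_blocked": set(), "investigate": set()}
    for row in csv.reader(io.StringIO(log_text)):
        if not row:
            continue
        host, reason = row[0].strip(), row[1].strip()
        if host not in required_sites:
            result["leave_blocked"].add(host)
        elif reason in TECHNICAL_REASONS:
            result["exclude"].add(host)
        else:
            result["investigate"].add(host)
    return result
```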
TAKUM1y
1 year, 11 months ago
Selected Answer: C
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions
upvoted 3 times
confusion
2 years ago
Selected Answer: C
C: the question already says unsupported cipher sites are needed for corp access, so they shall not be decrypted --> exemption for them
upvoted 3 times
DrNick0
2 years, 1 month ago
Unsupported ciphers is not a valid reason to add the URL to the exclusion list. Only cert pinning or mutual auth is. The answer must be D.
upvoted 3 times
confusion
2 years ago
"websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons". D would block these sites, so it does not comply with the requirement in the question; C seems the more correct answer given the requirements.
upvoted 1 times
Nawda
1 year, 1 month ago
lol wth checkout their name XD
upvoted 1 times
Community vote distribution
A (35%)
C (25%)
B (20%)