When planning to configure SSL Forward Proxy on a PA-5260, a user asks how SSL decryption can be implemented using a phased approach in alignment with Palo Alto Networks best practices. What should you recommend?
A.
Enable SSL decryption for known malicious source IP addresses
B.
Enable SSL decryption for malicious source users
C.
Enable SSL decryption for source users and known malicious URL categories
D.
Enable SSL decryption for known malicious destination IP addresses
Agree C
"Phase in decryption. Plan to decrypt the riskiest traffic first (URL Categories most likely to harbor malicious traffic, such as gaming or high-risk) and then decrypt more as you gain experience."
https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEZCA0
C - seems to be correct as the phased approach talks about URL categories. (Financial services & Health-and-medicine) are often times not allowed by law to decrypt. Also it talks about minimizing the impact for end-users. So enabling rule for some user groups and only for specific and malicious URL categories seems to be by far the most correct choice here.
upvoted 4 times
...
This section is not available anymore. Please use the main Exam Page.PCNSE Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
secdaddy
Highly Voted 2 years, 1 month agoSammy3637
Most Recent 11 months agolol12
1 year, 10 months agoconfusion
2 years agoTAKUM1y
2 years agobimyo
2 years, 1 month ago