
PCNSE Exam - Question 89


Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a `No Decrypt` action? (Choose two.)

Correct Answer: AD

Assigning a Decryption Profile to a Decryption policy rule with a 'No Decrypt' action offers specific benefits. One of these is blocking sessions with expired certificates, as expired certificates might indicate compromised security or misconfigured systems. Another benefit includes blocking sessions with untrusted issuers, ensuring that only certificates from known and trusted sources are allowed. This action improves overall network security without decrypting the traffic.

Discussion

djedeen Options: AC
Jan 9, 2023

A,C,D are all correct for this question: Depending on your needs, create Decryption profiles to: Block sessions based on certificate status, including blocking sessions with >>>expired certificates, >>>untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with >>>unsupported versions and cipher suites, and that require using client authentication.

studycerts Options: AD
Nov 27, 2022

Not sure about this question, as the URL below says this: Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with unsupported versions and cipher suites, and that require using client authentication. So theoretically A, C, and D seem to be correct, but we only need to choose 2?

dians
Dec 5, 2022

C is not correct because of the action "No decrypt", it's not relevant to talk about cipher suites in this case because there is no decryption

obatel
Dec 9, 2022

The "No decrypt" in the question does not make C incorrect. Unsupported cipher is also a benefit of the decryption profile. There is a BitTorrent question earlier that a decryption profile due to unsupported cipher was given as the answer.

markeloff23
Mar 15, 2023

yes, see bittorrent question

Techn
Jun 20, 2023

exactly, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile

TAKUM1y Options: AD
Sep 22, 2022

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile

lildevil Options: AC
Jun 10, 2023

A, C & D are correct based on https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile

fireb Options: AD
Oct 18, 2022

A & D are the correct options.

Nawda Options: CD
Sep 14, 2023

V as well

Nawda
Sep 14, 2023

I meant c

Marshpillowz Options: AD
Jan 23, 2024

A and D correct

Pnosuke Options: AD
Jan 31, 2024

A and D are correct. "No Decryption" is the keyword of this question. There are the following 2 items in the Server Certificate Verification in the No Decryption configuration:
- Block sessions with expired certificates
- Block sessions with untrusted issuers

Pnosuke Options: AD
Jan 31, 2024

Here is the documentation for A and D. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile#id185BA08H0PP

kambata Options: AC
Jul 3, 2024

A and C, checked on an actual firewall, those are the only settings in NO DECRYPT.