Exam PCNSE
Question 603

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

    Correct Answer: B

    To reduce the load on the firewall, the administrator can use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority. RSA, despite being less secure and less memory efficient than ECDSA, is less resource-intensive in terms of CPU usage. This can help manage the resource limits more effectively without sacrificing the performance of decryption for critical traffic.

Discussion
b53fdf1 (Option: B)

I think the answer should be B since RSA is less resource intensive than ECDSA.

hcir (Option: B)

Agree B. RSA is less secure but also less CPU intensive, hence it can be used for less sensitive traffic.

Mtro (Option: D)

D....Key size. The RSA algorithm uses significantly larger cryptographic keys than ECDSA. To reach 128-bit security, RSA needs to use keys that are at least 3072 bits in length. Meanwhile, it's sufficient for ECDSA to generate public keys twice the size of the desired 128-bit security to reach this standard.

Candydaivd (Option: D)

Should be D, ECDSA runs faster than RSA. It also requires significantly less memory.

fulanitodetalcr (Option: B)

Based on (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment). You could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic.

Answer should be B based on the official documentation.

PacketsDownRange99 (Option: B)

Agree B

VenomX51 (Option: B)

SSL Forward Proxy and SSL Inbound Inspection do two different jobs, and the way the question is phrased they could both be on. The answer, without turning anything off, is to use a less intensive decryption/encryption method - Answer is B