Exam PCNSE
Question 56

An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.

The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.

Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

    Correct Answer: D

    To stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL, it is necessary to create a Decryption Profile that blocks sessions using unsupported ciphers and attach the profile to the decryption rule. Unsupported ciphers are the likely reason the firewall fails to decrypt the BitTorrent sessions; undecrypted, they cannot be identified by App-ID beyond the outer TLS handshake and are therefore classified as SSL and matched by the allow rule.
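The symptom in this question, sessions that matched a decryption rule yet were logged as application SSL without being decrypted, can be pulled out of a traffic log export. The following is an added example (not from the exam page or from Palo Alto Networks) run over constructed, simplified log rows; the column names `app`, `action`, `rule`, `decrypt_rule` and `decrypted` are assumptions for this example, not the real PAN-OS CSV export format.

```python
# Added example: find sessions allowed as "ssl" that a decryption rule matched
# but that were not actually decrypted. Column names are assumed/simplified,
# not the real PAN-OS traffic log export format.
import csv
import io
from collections import Counter

# Constructed sample log mirroring the question: three BitTorrent attempts.
# The first is dropped as unknown; the next two are allowed as "ssl" because
# decryption did not happen (e.g. an unsupported cipher suite). A normal
# decrypted web session is included as a negative case.
SAMPLE_LOG = """\
src,dst,dport,app,action,rule,decrypt_rule,decrypted
10.0.0.5,203.0.113.10,6881,unknown-tcp,drop,deny-all,decrypt-all,no
10.0.0.5,203.0.113.10,6881,ssl,allow,allow-dns-ssl-web,decrypt-all,no
10.0.0.5,203.0.113.11,6881,ssl,allow,allow-dns-ssl-web,decrypt-all,no
10.0.0.7,198.51.100.20,443,web-browsing,allow,allow-dns-ssl-web,decrypt-all,yes
"""


def undecrypted_ssl_sessions(log_text):
    """Return rows that hit a decryption rule, were still logged as
    application 'ssl', and were not decrypted. App-ID never saw inside
    these sessions, so the Security policy allowed them as plain SSL."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [
        r for r in rows
        if r["app"] == "ssl"
        and r["action"] == "allow"
        and r["decrypt_rule"]          # a decryption rule matched
        and r["decrypted"] == "no"     # ...but decryption did not occur
    ]


def summarize(log_text):
    """Count suspect sessions per destination so an admin can see which
    peers are slipping past decryption and need a Decryption Profile that
    blocks unsupported ciphers attached to the decryption rule."""
    return Counter(r["dst"] for r in undecrypted_ssl_sessions(log_text))


if __name__ == "__main__":
    for dst, n in summarize(SAMPLE_LOG).items():
        print(f"{dst}: {n} session(s) allowed as SSL without decryption")
```

A non-empty result from `undecrypted_ssl_sessions` on a real export is the cue to review the Decryption Profile's unsupported-cipher and unsupported-version settings rather than the Security policy rule.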

Discussion
ChiaPet75 (Option: D)

D is correct. There is no application called "encrypted BitTorrent", so "B" is not the correct answer. If the application was just "BitTorrent" then "B" would be correct. "A" would not work either, since you would still need to create a Decryption Profile, which is not mentioned. "D" is the most complete answer, which is to create the Decryption Profile and attach it to the Decryption rule. I found a PaloAlto KB article about blocking Tor traffic using a Decryption Profile that blocks unsupported ciphers, expired certificates, etc.: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK

lol1000 (Option: D)

D is the least wrong

Kjohnsting

Don't love this kind of question. Seems incomplete.

Kane002 (Option: D)

The administrator has created a decryption policy, but BitTorrent is slipping past it, only being detected as "ssl", so the admin needs to create a decryption profile to block the evasive behavior. Probably BitTorrent is using an unsupported cipher, hence the decryption policy failure. D.

hcir (Option: D)

For some reason, the first BitTorrent connection was not recognised by App-ID as DNS, SSL, or HTTP. Hence, it was dropped. The other two were SSL, and they were not decrypted, so they went through. Because decryption was supposed to decrypt everything, the only reason it was not decrypted can only be related to decryption cipher suite incompatibility. Hence, the answer is D.

UFanat (Option: D)

D - correct. You need to fix decryption options, not security policy rule.

AbuHussain (Option: D)

Answer is D.

Gabuu (Option: D)

D is correct

trashboat (Option: D)

D is correct. B is not correct because the reason the two other sessions are showing as allowed as SSL is that they are not being decrypted; otherwise they would be recognized as tor/unknown application and not allowed on the security policy rule. The likely reason for this is that they are using unsupported ciphers, etc., so the answer is D. C is not relevant. A is also not correct because the goal is to decrypt the traffic to identify it, so this is the opposite of what is trying to be accomplished.

frodo1791 (Option: D)

B is not correct, as "encrypted BitTorrent" doesn't exist in App-ID. So I should go D.

Silent_Sanctuary (Option: D)

D is correct. Block sessions that use cipher suites you don't support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don't allow users to connect to sites with weak cipher suites.

Marshpillowz (Option: D)

D appears to be correct

JRKhan (Option: D)

Most suitable answer is D. The firewall couldn't decrypt the traffic, probably because of the use of unsupported ciphers, hence the reason that in subsequent packets the application is identified as SSL. If the firewall was able to decrypt the traffic, even if it couldn't identify the application it would mark the traffic as web-browsing and not SSL.

ThelioNN (Option: A)

Guys, why not A? It seems correct: the FW will leave the BitTorrent as BitTorrent and block it, instead of decrypting it. Are we sure the BitTorrent crypto is going to use unsupported ciphers (as that can easily be fixed by the developers)?

FaheemParakkot

As per the question, the first packet is identified as Unknown application, which means that even if you created a rule for BitTorrent, it won't match.

Zabol (Option: D)

I think it is D; App-ID doesn't have Encrypted-BitTorrent.

hpbdcb (Option: D)

Check https://applipedia.paloaltonetworks.com/: there is no app "encrypted bittorrent". Other than that, the rest is clear, so D.

Pb1805 (Option: D)

Correct answer is D