
PCNSE Exam - Question 56


An administrator creates an SSL decryption rule that decrypts traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing.

The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL.

Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

Correct Answer: D

To stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL, create a Decryption Profile that blocks sessions using unsupported ciphers (and unsupported protocol versions) and attach the profile to the decryption rule. A decryption rule on its own fails open: when the firewall cannot decrypt a session, for example because the client negotiates a cipher suite the firewall does not support, the session is passed through undecrypted, App-ID sees only the TLS handshake, and the session is classified as SSL, which the Security policy rule allows. The Decryption Profile turns that failure into a block, so the BitTorrent traffic can no longer hide behind the SSL application.
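The configuration the answer describes, as an added example that is not part of the original question or explanation. The profile name "block-weak-tls" and the rule name "decrypt-all" are placeholders; the PAN-OS CLI keywords are given as recalled for recent PAN-OS releases and should be confirmed with "?" completion on the firewall before committing, since node names vary between versions.

```text
# Added example, not from the original page. Placeholder names and CLI
# keywords as recalled; verify with "?" completion on your PAN-OS version.
configure

# 1. Decryption Profile: fail closed instead of passing undecrypted sessions.
#    By default these "Unsupported Mode Checks" are off, so a session the
#    firewall cannot decrypt is forwarded and logged as application "ssl".
set profiles decryption block-weak-tls ssl-forward-proxy block-unsupported-cipher yes
set profiles decryption block-weak-tls ssl-forward-proxy block-unsupported-version yes
set profiles decryption block-weak-tls ssl-forward-proxy block-expired-certificate yes
set profiles decryption block-weak-tls ssl-forward-proxy block-untrusted-issuer yes

# 2. Attach the profile to the existing decrypt-everything rule.
#    Without this step the profile exists but does nothing.
set rulebase decryption rules decrypt-all profile block-weak-tls

commit

# 3. Verify the rule now references the profile before re-testing.
show rulebase decryption rules decrypt-all
```

After the commit, repeat the BitTorrent test: a session the firewall cannot decrypt because of its cipher suite is now dropped by the decryption profile rather than being allowed as SSL. Review the Traffic and Decryption logs after enabling the profile, because legitimate sites that negotiate unsupported cipher suites or present expired certificates will also be blocked by the same checks.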

Discussion

17 comments
ChiaPet75 (Option: D)
Jun 12, 2020

D is correct. There is no application called "encrypted BitTorrent", so "B" is not the correct answer. If the application was just "BitTorrent" then "B" would be correct. "A" would not work either since you would still need to create a Decryption Profile, which is not mentioned. "D" is the most complete answer, which is to create the Decryption Profile and attach it to the Decryption rule. I found a PaloAlto KB article about blocking Tor traffic using a Decryption Profile that blocks unsupported ciphers, expired certificates, etc. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK

lol1000 (Option: D)
Oct 29, 2020

D is the least wrong

Kane002 (Option: D)
Nov 17, 2021

The administrator has created a decryption policy, but BitTorrent is slipping past it, only being detected as "ssl", so the admin needs to create a decryption profile to block the evasive behavior. Probably BitTorrent is using an unsupported cipher, hence the decryption policy failure. D.

Kjohnsting
Feb 1, 2023

Don't love this kind of question. Seems incomplete.

Silent_Sanctuary (Option: D)
May 25, 2020

D is correct. Block sessions that use cipher suites you don't support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don't allow users to connect to sites with weak cipher suites.

frodo1791 (Option: D)
Apr 17, 2021

B is not correct, as "encrypted bittorrent" doesn't exist in App-ID. So I should go D...

trashboat (Option: D)
Apr 29, 2021

D is correct. B is not correct because the reason the two other sessions are showing as allowed as SSL is that they are not being decrypted; otherwise they would be recognized as tor/unknown application and not allowed on the security policy rule. The likely reason for this is they are using unsupported ciphers/etc., so the answer is D. C is not relevant. A is also not correct because the goal is to decrypt the traffic to identify it, so this is the opposite of what is trying to be accomplished.

Gabuu (Option: D)
Jan 24, 2022

D is correct

AbuHussain (Option: D)
Mar 23, 2022

Answer is D.

UFanat (Option: D)
Jun 15, 2022

D is correct. You need to fix decryption options, not the security policy rule.

hcir (Option: D)
Jun 15, 2024

For some reason, the first BitTorrent connection was not recognised by App-ID as DNS, SSL or HTTP. Hence, it was dropped. The other two were SSL, and they were not decrypted, so they went through. Because decryption was supposed to decrypt everything, the only reason it was not decrypted can only be related to decryption cipher suite incompatibility. Hence, the answer is D.

Pb1805 (Option: D)
Jun 5, 2020

Correct answer is D

hpbdcb (Option: D)
Nov 23, 2020

Check https://applipedia.paloaltonetworks.com/ ; there is no app "encrypted bittorrent". Other than that the rest is clear, so D.

Zabol (Option: D)
Jun 20, 2021

I think it is D. App-ID doesn't have Encrypted-BitTorrent.

ThelioNN (Option: A)
May 24, 2023

Guys, why not A? It seems correct: the FW will leave the BitTorrent as BitTorrent and block it, instead of decrypting it. Are we sure the BitTorrent crypto is going to use unsupported ciphers (as that can easily be fixed by the developers)?

FaheemParakkot
Sep 2, 2023

As per the question, the first packet is identified as Unknown application. This means that even if you created a rule for BitTorrent, it won't match.

JRKhan (Option: D)
Jan 9, 2024

Most suitable answer is D. The firewall couldn't decrypt the traffic, probably because of the use of unsupported ciphers, hence the reason the application is identified as SSL in subsequent packets. If the firewall was able to decrypt the traffic, even if it couldn't identify the application it would mark the traffic as web-browsing and not SSL.

Marshpillowz (Option: D)
Jan 23, 2024

D appears to be correct.