Examice

Exam PCNSE All QuestionsBrowse all questions from this exam

Question 311

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.

How should the engineer proceed?

Create a Security policy to allow access to those sites

Install the unsupported cipher into the firewall to allow the sites to be decrypted

Add the sites to the SSL Decryption Exclusion list to exempt them from decryption

Allow the firewall to block the sites to improve the security posture

Correct Answer: C

When traffic to certain websites cannot be decrypted due to technical reasons like unsupported ciphers, the best course of action is to add those sites to the SSL Decryption Exclusion list. This will ensure that the necessary access to these sites is maintained for corporate users while avoiding decryption issues.

Discussion

secdaddyOption: C

From the question "...websites are required for corporate users to access". From this we can infer that access to the websites is required by the customer/business which means the sites shouldn't be blocked, even if from a security standpoint we would prefer it so C can be correct.

Alen

"evaluating which websites are required for corporate users to access". As part of theirstartegy they are attempting to determine whether they require the users to access the websites or not. ideally you would block the traffic with unsupported ciphers ensuring clients have a higher TLS version. if the client requires access to the site, a decryption profile can be created with a lower TLS to suite

TAKUM1yOption: C

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions

confusionOption: C

C question already says unsupported cypher sites are needed for corp access, so shall not be decrypted --> exemption for them

DrNick0Option: D

unsupported ciphers is not a valid reason to add the url to the exclution list. Only cert pinning og mutual auth is. The answer must be D.

confusion

"websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons" D would block these sites, so not complying to the requirement in the question, C seems as more correct answer given the requirements.

Nawda

lol wth checkout their name XD

franko_72Option: C

Pretty sure this was on the exam, has to be C. July 2023

mohr22Option: C

C: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-exclusions Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an incomplete certificate chain, unsupported ciphers, or mutual authentication (attempting to decrypt the traffic results in blocking the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list (DeviceCertificate ManagementSSL Decryption Exclusion) that excludes hosts with applications and services that are known to break decryption technically from SSL Decryption by default. If you encounter sites that break decryption technically and are not on the SSL Decryption Exclusion list, you can add them to list manually by server hostname. The firewall blocks sites whose applications and services break decryption technically unless you add them to the SSL Decryption Exclusion list.