Exam PCNSE topic 1 question 603 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 603
Topic #: 1

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits.

Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?

  • A. Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.
  • B. Use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority.
  • C. Use the highest TLS protocol version to maximize security.
  • D. Use ECDSA instead of RSA for traffic that isn’t sensitive or high-priority.
Suggested Answer: B 🗳️

Comments

b53fdf1
Highly Voted 9 months, 3 weeks ago
Selected Answer: B
I think the answer should be B since RSA is less resource intensive than ECDSA.
upvoted 5 times
...
kambata
Most Recent 1 month, 3 weeks ago
Selected Answer: B
If firewall resources are an issue, use stronger decryption for higher-priority traffic and use less processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic.
upvoted 1 times
...
M_F1985
1 month, 3 weeks ago
Selected Answer: B
"Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms"
upvoted 1 times
...
insertnicknamehere
2 months, 1 week ago
The answer is D. ECDSA uses less computational power, memory, and energy, making it suitable for devices with limited resources. Please update to the correct answer.
upvoted 4 times
...
redgi0
4 months, 2 weeks ago
Selected Answer: D
From ChatGPT :) ECDSA is generally less resource-consumptive than RSA in an NGFW decryption policy due to its lower computational complexity and smaller key sizes for equivalent security levels. This makes ECDSA the preferred choice in environments where performance and resource optimization are critical.
upvoted 3 times
DatITGuyTho1337
2 months, 3 weeks ago
Looks like ChatGPT lied to you. See fulanitodetalcr's post citing actual vendor documentation. I wouldn't rely on AI for learning, just do the work yourself. :)
upvoted 2 times
redgi0
1 month, 2 weeks ago
Correct. Changing answer to B.
upvoted 1 times
...
...
...
This was in my exam 09/08/2024.
upvoted 3 times
...
fulanitodetalcr
6 months ago
Based on (https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment), you could use RSA instead of ECDHE and ECDSA for traffic that isn’t sensitive or high-priority to preserve firewall resources for using PFS-based decryption for higher priority, sensitive traffic. Answer should be B based on the official documentation.
upvoted 1 times
...
Mtro
8 months, 2 weeks ago
D. Key size. The RSA algorithm uses significantly larger cryptographic keys than ECDSA. To reach 128-bit security, RSA needs to use keys that are at least 3072 bits in length. Meanwhile, it's sufficient for ECDSA to generate public keys twice the size of the desired 128-bit security to reach this standard.
upvoted 2 times
...
Candydaivd
8 months, 3 weeks ago
Selected Answer: D
Should be D, ECDSA runs faster than RSA. It also requires significantly less memory.
upvoted 3 times
...
PacketsDownRange99
8 months, 4 weeks ago
Selected Answer: B
Agree B
upvoted 1 times
...
VenomX51
9 months, 2 weeks ago
Selected Answer: B
SSL Forward Proxy and SSL Inbound Inspection do two different jobs, and the way the question is phrased they could both be on. The answer, without turning anything off, is to use a less intensive decryption/encryption method - Answer is B
upvoted 1 times
...
hcir
9 months, 3 weeks ago
Agree B. RSA is less secure but also less CPU intensive, hence it can be used for less sensitive traffic.
upvoted 3 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other