Exam PCNSE topic 1 question 56 discussion

D is Correct There is no application called "encrypted BitTorrent" so "B" is not the correct answer. If the application was just "BitTorrent" then "B" would be correct. "A" would not work either since you would still need to create a Decryption Profile which is not mentioned. "D" is the most complete answer which is to create the Decryption Profile and attach it to the Decryption rule. I found a PaloAlto KB article about blocking Tor traffic using a Decryption Profile that is blocking Unsupported cipher's, expired certificates, etc. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK

D is the least wrong

Answer is D. I believe what happened here is the firewall attempted to decrypt the traffic, but this resulted in a decryption error, causing the session to be dropped, and the URL was placed in the SSL Devryption Exlcusion cache automagically to prevent the issue from happening again. The next time, the packet was not decrypted due to being in the exclusion cache, and was then marked as SSL. Blocking connections with unsupported ciphers would prevent this traffic from making it out

for some reason, the first bittorrent connection was not recognised by app-id as neither dns, ssl nor http. Hence, it was dropped. The other 2 were ssl, and they were not decrypted, so they went through. Because decryption was supposed to decrypt everything, the only reason it was not decrypted can only be related to decryption cypher suite incompatibility. Hence, the answer is D.

D appears to be correct

Most suitable answer is D. The firewall couldnt decrypt the traffic probably because of the use of unsupported ciphers hence the reason in subsequent packets the application is identified as SSL. If the firewall was able to decrypt the traffic, even if it couldnt identify the application it would mark the traffic as web-browsing and not SSL.

Guys, why not A. Seems correct, the FW will leave the bittorrent as bittorrent and block it. Instead of decrypting it. Are we sure the Bittorrent crypto is going to use unsupported ciphers (as that can easily be fixed from the developers)?

Don't love this kind of question. Seems incomplete.

D - correct. You need to fix decryption options, not security policy rule.

answer is D

D is correct

The administrator has created a decryption policy, but bittorrent is slipping past it, only being detected as "ssl", so the admin needs to create a decryption profile to block the evasive behavior, probably bittorrent is using an unsupported cipher, hence the decryption policy failure. D.

I think it is D, App-ID doesn't have Encrypted-Bittorent

D is correct: B is not correct because the reason the two other sessions are showing allowed as SSL is because they are not being decrypted, otherwise they would be recognized as tor/unknown application and not allowed on the security policy rule. The likely reason for this is they are using unsupported ciphers/etc. - so the answer is D. C is not relevant. A is also not correct because the goal is to decrypt the traffic to identify it, so this is the opposite of what is trying to be accomplished.

B is not correct... as "encrypted bittorrent" doesn't exist in app-id. So I should go D...

check https://applipedia.paloaltonetworks.com/ there is no app encrypted bittorrent. other then that the rest is clear so D.

Correct answer is D