A,C,D are all correct for this question:
Depending on your needs, create Decryption profiles to:
Block sessions based on certificate status, including blocking sessions with >>>expired certificates, >>>untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions.
Block sessions with >>>unsupported versions and cipher suites, and that require using client authentication.
There are three tabs under decryption profile under Device Groups > Objects: SSL Decryption, No Decryption and SSH Proxy. Under No Decryption there are "Block sessions with expired certificates" and "Block sessions with untrusted issuers".
On an actual FW - the No Decrypt tab has ONLY these two options (copy/paste from the FW):
"Block sessions with expired certificates"
"Block sessions with untrusted issuers"
There is no blocking of unsupported ciphers on the No Decryption tab specifically.
I would attach a screenshot if I could.
Here is the documentation for A and D.
https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile#id185BA08H0PP
A and D are correct.
"No Decryption" is the keyword of this question.
There are the following 2 items in the Server Certificate Verification in the No Decryption configuration.
- Block sessions with expired certificates
- Block sessions with untrusted issuers
A C & D are correct based on https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile
Not sure about this question, as the URL below says this:
Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions.
Block sessions with unsupported versions and cipher suites, and that require using client authentication.
So theoretically A, C, and D seem to be correct, but we only need to choose 2?
The "No decrypt" in the question does not make C incorrect. Unsupported cipher is also a benefit of the decryption profile. There is a BitTorrent question earlier where a decryption profile, due to unsupported cipher, was given as the answer.