Exam PCNSE topic 1 question 89 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 89
Topic #: 1

Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a `No Decrypt` action? (Choose two.)

  • A. Block sessions with expired certificates
  • B. Block sessions with client authentication
  • C. Block sessions with unsupported cipher suites
  • D. Block sessions with untrusted issuers
  • E. Block credential phishing
Suggested Answer: AD

Comments

djedeen
Highly Voted 2 years, 1 month ago
A,C,D are all correct for this question: Depending on your needs, create Decryption profiles to: Block sessions based on certificate status, including blocking sessions with >>>expired certificates, >>>untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with >>>unsupported versions and cipher suites, and that require using client authentication.
upvoted 6 times
...
kabuelenain
Most Recent 1 week, 5 days ago
Selected Answer: AD
On an actual FW - the No Decrypt tab has ONLY these two options (copy/paste from the FW): "Block sessions with expired certificates" "Block sessions with untrusted issuers" There is no blocking of unsupported ciphers on the No Decryption tab specifically. I would attach a screenshot if I could.
upvoted 1 times
...
kambata
7 months, 3 weeks ago
Selected Answer: AC
A and C, checked on an actual firewall, those are the only settings in NO DECRYPT.
upvoted 2 times
S_A_M_M_Y
3 months, 1 week ago
That is literally wrong. At the moment I am looking at the no decrypt tab and it shows ... expired Certs and ... untrusted Issuers
upvoted 3 times
...
...
Pnosuke
1 year ago
Here is the documentation for A and D. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile#id185BA08H0PP
upvoted 2 times
...
Pnosuke
1 year ago
A and D are correct. "No Decryption" is the keyword of this question. There are the following 2 items in the Server Certificate Verification in the No Decryption configuration. - Block sessions with expired certificates - Block sessions with untrusted issuers
upvoted 1 times
...
Marshpillowz
1 year, 1 month ago
Selected Answer: AD
A and D correct
upvoted 1 times
...
Nawda
1 year, 5 months ago
Selected Answer: CD
V as well
upvoted 1 times
Nawda
1 year, 5 months ago
I meant c
upvoted 1 times
...
...
lildevil
1 year, 8 months ago
A C & D are correct based on https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile
upvoted 2 times
...
studycerts
2 years, 2 months ago
Selected Answer: AD
Not sure about this question, as the URL below says this: Block sessions based on certificate status, including blocking sessions with expired certificates, untrusted issuers, unknown certificate status, certificate status check timeouts, and certificate extensions. Block sessions with unsupported versions and cipher suites, and that require using client authentication. So theoretically A, C, and D seem to be correct, but we only need to choose 2?
upvoted 3 times
dians
2 years, 2 months ago
C is not correct because of the action "No decrypt", it's not relevant to talk about cipher suites in this case because there is no decryption
upvoted 4 times
obatel
2 years, 2 months ago
The "No decrypt" in the question does not make C incorrect. Unsupported cipher is also a benefit of the decryption profile. There is a BitTorrent question earlier that a decryption profile due to unsupported cipher was given as the answer.
upvoted 3 times
markeloff23
1 year, 11 months ago
yes, see bittorrent question
upvoted 1 times
...
...
Techn
1 year, 8 months ago
exactly, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile
upvoted 2 times
...
...
...
fireb
2 years, 4 months ago
A & D are the correct options.
upvoted 1 times
...
TAKUM1y
2 years, 5 months ago
Selected Answer: AD
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile
upvoted 2 times
...