Exam PCNSE topic 1 question 454 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 454
Topic #: 1

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt.

Which three items should be prioritized for decryption? (Choose three.)

  • A. Financial, health, and government traffic categories
  • B. Less-trusted internal IP subnets
  • C. Known malicious IP space
  • D. High-risk traffic categories
  • E. Public-facing servers
Suggested Answer: B 🗳️

Comments

[Removed]
Highly Voted 2 years ago
CDE are correct answers
upvoted 24 times
evdw
2 years ago
Agree on CDE
upvoted 6 times
Eiffelsturm
1 year, 1 month ago
why do you want to decrypt known malicious IPs? Block them
upvoted 14 times
...
...
...
lildevil
Highly Voted 1 year, 7 months ago
BDE, we all know why not A, but why would you decrypt C... if you block that traffic (as you should) then security profiles are not even applied (even if you set them on a blocking security profile, they won't take any effect), so why set up a decryption profile for it?
upvoted 16 times
...
corpguy
Most Recent 2 months ago
Selected Answer: B
BDE are correct, malicious sites (C) would be blocked, you would not waste resources decrypting them.
upvoted 1 times
...
Yohinar
2 months, 1 week ago
Selected Answer: E
BDE - A you should never decrypt and C you should already block
upvoted 1 times
...
dtisolutions
3 months, 1 week ago
B D E, I agree A is out of the question, usually you should never decrypt those and C normally you already block
upvoted 1 times
...
0d2fdfa
7 months, 3 weeks ago
Selected Answer: C
CDE are correct answers
upvoted 1 times
...
evilCorpBot7494
10 months, 2 weeks ago
BDE. C should be blocked anyway so there is no need to decrypt it. A) Should not be decrypted due to regulations and privacy.
upvoted 3 times
...
Marshpillowz
11 months, 2 weeks ago
B, D and E
upvoted 1 times
...
franko_72
1 year, 1 month ago
B D E for sure.
upvoted 2 times
...
Andromeda1800
1 year, 1 month ago
My opinion is that B, D, E are correct. C shouldn't be correct because you are supposed to block Known malicious IP space and not decrypt it. Option A (Financial, health, and government traffic categories) usually is not supposed to be decrypted due to regulatory compliance and data privacy.
upvoted 2 times
...
brian7857ffs45
1 year, 1 month ago
This question was on the exam.. Nov 2023
upvoted 2 times
...
Xuzi
1 year, 1 month ago
Selected Answer: B
BDE for sure
upvoted 2 times
...
dgonz
1 year, 3 months ago
changing my answer to BDE you should block C
upvoted 2 times
...
dgonz
1 year, 4 months ago
Selected Answer: D
should be C D E
upvoted 1 times
...
Betty2022
1 year, 5 months ago
Selected Answer: B
I feel that B D E are correct.
https://docs.paloaltonetworks.com/best-practices/9-1/data-center-best-practices/data-center-best-practice-security-policy/how-to-decrypt-data-center-traffic
"Within the data center, decrypt as much east-west traffic as possible. If performance considerations due to incorrect firewall sizing prevent you from decrypting all traffic, prioritize the most critical servers, the highest risk traffic categories, and less trusted segments and IP subnets"
Answer:
B. Less-trusted internal IP subnets >> less trusted segments and IP subnets
D. High-risk traffic categories >> the highest risk traffic categories
E. Public-facing servers >> prioritize the most critical servers, meaning any servers that the company hosts that are protected by the PAN FW. Therefore: prioritize the most critical servers.
upvoted 5 times
...
kinho1985
1 year, 6 months ago
A, C and D
upvoted 1 times
...
navid1365
1 year, 8 months ago
I would go with BDE. C does not make any sense. You should block known malicious IP addresses with an EDL in a security policy, not decrypt it.
upvoted 4 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other