Exam PCNSE topic 1 question 484 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 484
Topic #: 1

A company requires the firewall to block expired certificates issued by internet-hosted websites. The company plans to implement decryption in the future, but it does not perform SSL Forward Proxy decryption at this time.

Without the use of SSL Forward Proxy decryption, how is the firewall still able to identify and block expired certificates issued by internet-hosted websites?

  • A. By having a Certificate profile that contains the website's Root CA assigned to the respective Security policy rule
  • B. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication and the server/client session keys in order to validate a certificate's authenticity and expiration
  • C. By using SSL Forward Proxy to decrypt SSL and TLS handshake communication in order to validate a certificate's authenticity and expiration
  • D. By having a Decryption profile that blocks sessions with expired certificates in the No Decryption section and assigning it to a No Decrypt policy rule
Suggested Answer: D

Comments

evilCorpBot7494
3 months, 3 weeks ago
Selected Answer: D
D makes the most sense, you still don't decrypt, but in that section you can Enable OCSP and CRL functionalities and select to block sessions with expired certs.
upvoted 1 times
...
Marshpillowz
5 months, 2 weeks ago
Selected Answer: D
Answer is D
upvoted 1 times
...
Betty2022
11 months, 4 weeks ago
Selected Answer: D
D is our answer: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/no-decryption-decryption-profile#id185BA08H0PP
upvoted 1 times
...
evdw
1 year, 6 months ago
Selected Answer: D
Correct answer D https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/troubleshoot-and-monitor-decryption/decryption-troubleshooting-workflow-examples/troubleshoot-certificate-expiration-issues
upvoted 4 times
...