NETSEC-GENERALIST Question #15: Real Exam Question with Answer & Explanation

The correct answer is C: Block sessions on certificate errors.. An SSH Proxy decryption profile allows Palo Alto Networks NGFWs to inspect encrypted SSH traffic and prevent exploitation by attackers. To reduce the network attack surface, the two best security settings are: Block Sessions on Certificate Errors ( Correct) Prevents attackers fro

Threat Prevention

Question

Which two SSH Proxy decryption profile configurations will reduce network attack surface? (Choose two.)

Options

AAllow sessions if resources not available.
BAllow sessions with unsupported versions.
CBlock sessions on certificate errors.
DBlock sessions with unsupported versions.

Explanation

An SSH Proxy decryption profile allows Palo Alto Networks NGFWs to inspect encrypted SSH traffic and prevent exploitation by attackers. To reduce the network attack surface, the two best security settings are: Block Sessions on Certificate Errors ( Correct) Prevents attackers from using self-signed or fraudulent certificates to bypass security inspections. Ensures that SSH connections use valid and trusted certificates only. Block Sessions with Unsupported Versions ( Correct) Older SSH versions (e.g., SSH-1) are vulnerable to exploits and weak encryption. Ensures that only secure SSH protocols (e.g., SSH-2) are allowed.

Topics

#SSH Decryption#Attack Surface Reduction#Security Best Practices#Threat Prevention

Community Discussion

No community discussion yet for this question.

Full NETSEC-GENERALIST Practice Browse All NETSEC-GENERALIST Questions