
PCNSE Question #465: Real Exam Question with Answer & Explanation

The correct answer is B: Add the sites to the SSL Decryption Exclusion list to exempt them from decryption.

Submitted by jian89 · Apr 18, 2026 · Deploy and Configure

Question

During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted. How should the engineer proceed?

Options

  • A. Allow the firewall to block the sites to improve the security posture
  • B. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
  • C. Install the unsupported cipher into the firewall to allow the sites to be decrypted
  • D. Create a Security policy to allow access to those sites

Explanation

When sites use cipher suites that the Palo Alto Networks firewall does not support for SSL/TLS decryption (e.g., certain legacy or non-standard ciphers), attempting to decrypt that traffic will cause the connection to fail, effectively blocking user access. The correct remediation is to add those sites to the SSL Decryption Exclusion list, which tells the firewall to bypass decryption for that traffic and allow it to pass through uninspected. Option A (allowing the block) is not acceptable when corporate users require access to those sites. Option C (installing unsupported ciphers) is not operationally feasible on a firewall. Option D (creating a Security policy to allow) would not resolve the decryption failure - a Security policy alone does not bypass SSL inspection; a decryption exclusion is required.

Topics

#SSL Decryption #Decryption Exclusion #Unsupported Ciphers #Firewall Configuration
