Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 546
During the process of developing a decryption strategy and evaluating which websites are required for corporate users to access, several sites have been identified that cannot be decrypted due to technical reasons. In this case, the technical reason is unsupported ciphers. Traffic to these sites will therefore be blocked if decrypted.
How should the engineer proceed?
Answer options
- A. Create a Security policy to allow access to those sites
- B. Install the unsupported cipher into the firewall to allow the sites to be decrypted
- C. Add the sites to the SSL Decryption Exclusion list to exempt them from decryption
- D. Allow the firewall to block the sites to improve the security posture
Correct answer: C
Explanation
The correct approach is to add the sites to the SSL Decryption Exclusion list. The firewall will then pass their traffic without attempting to decrypt it, which is the only workable option, since decryption of these sites is not possible due to the unsupported ciphers. Option A is not viable because a Security policy that allows the sites does not stop the firewall from attempting to decrypt them, and Option B is not viable because it is technically unfeasible. Option D is less favorable than C, as it does not address the need for corporate users to access those sites.