Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 556
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.)
Answer options
- A. Create a no-decrypt Decryption Policy rule.
- B. Configure a Dynamic Address Group for untrusted sites.
- C. Create a Security Policy rule with a vulnerability Security Profile attached.
- D. Enable the “Block sessions with untrusted issuers” setting.
Correct answer: A, D
Explanation
The correct answers are A and D. A no-decrypt Decryption Policy rule lets the firewall act on traffic with untrusted certificates without decrypting it, and enabling the “Block sessions with untrusted issuers” setting, which is part of the Decryption Profile attached to that rule, directly blocks access to those sites. Options B and C do not address untrusted certificates: a Dynamic Address Group and a vulnerability Security Profile are configurations that do not fulfill the requirement of automatic blocking.