Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 582
A network security engineer wants to prevent resource-consumption issues on the firewall.
Which strategy is consistent with decryption best practices to ensure consistent performance?
Answer options
- A. Use Decryption profiles to downgrade processor-intensive ciphers to ciphers that are less processor-intensive
- B. Use Decryption profiles to drop traffic that uses processor-intensive ciphers
- C. Use PFS in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
- D. Use RSA in a Decryption profile for higher-priority and higher-risk traffic, and use less processor-intensive decryption methods for lower-risk traffic
Correct answer: C
Explanation
The correct answer is C: using PFS for high-priority traffic ensures stronger security, while applying less demanding methods to lower-risk traffic keeps performance manageable. Option A suggests downgrading ciphers but does not address prioritization; option B focuses on dropping traffic rather than optimizing it; option D incorrectly suggests RSA, which may not be as efficient as PFS for high-risk scenarios.