Exam PSE-Strata-Pro-24 Topic 1 Question 39 Discussion
Actual exam question for Palo Alto Networks's PSE-Strata-Pro-24 exam
Question #: 39
Topic #: 1
Question #: 39
Topic #: 1
Which two statements correctly describe best practices for sizing a firewall deployment with decryption enabled? (Choose two.)
Suggested Answer: A,C Vote an answer
When planning a firewall deployment with SSL/TLS decryption enabled, it is crucial to consider the additional processing overhead introduced by decrypting and inspecting encrypted traffic. Here are the details for each statement:
* Why "SSL decryption traffic amounts vary from network to network" (Correct Answer A)?SSL decryption traffic varies depending on the organization's specific network environment, user behavior, and applications. For example, networks with heavy web traffic, cloud applications, or encrypted VoIP traffic will have more SSL/TLS decryption processing requirements. This variability means each deployment must be properly assessed and sized accordingly.
* Why "Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms" (Correct Answer C)?PFS algorithms like DHE and ECDHE generate unique session keys for each connection, ensuring better security but requiring significantly more processing power compared to RSA key exchange. When decryption is enabled, firewalls must handle these computationally expensive operations for every encrypted session, impacting performance and sizing requirements.
* Why not "Large average transaction sizes consume more processing power to decrypt" (Option B)?While large transaction sizes can consume additional resources, SSL/TLS decryption is more dependent on the number of sessions and the complexity of the encryption algorithms used, rather than the size of the transactions. Hence, this is not a primary best practice consideration.
* Why not "Rivest-Shamir-Adleman (RSA) certificate authentication method consumes more resources than Elliptic Curve Digital Signature Algorithm (ECDSA), but ECDSA is more secure" (Option D)?This statement discusses certificate authentication methods, not SSL/TLS decryption performance. While ECDSA is more efficient and secure than RSA, it is not directlyrelevant to sizing considerations for firewall deployments with decryption enabled.
* Why "SSL decryption traffic amounts vary from network to network" (Correct Answer A)?SSL decryption traffic varies depending on the organization's specific network environment, user behavior, and applications. For example, networks with heavy web traffic, cloud applications, or encrypted VoIP traffic will have more SSL/TLS decryption processing requirements. This variability means each deployment must be properly assessed and sized accordingly.
* Why "Perfect Forward Secrecy (PFS) ephemeral key exchange algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Exchange (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA) algorithms" (Correct Answer C)?PFS algorithms like DHE and ECDHE generate unique session keys for each connection, ensuring better security but requiring significantly more processing power compared to RSA key exchange. When decryption is enabled, firewalls must handle these computationally expensive operations for every encrypted session, impacting performance and sizing requirements.
* Why not "Large average transaction sizes consume more processing power to decrypt" (Option B)?While large transaction sizes can consume additional resources, SSL/TLS decryption is more dependent on the number of sessions and the complexity of the encryption algorithms used, rather than the size of the transactions. Hence, this is not a primary best practice consideration.
* Why not "Rivest-Shamir-Adleman (RSA) certificate authentication method consumes more resources than Elliptic Curve Digital Signature Algorithm (ECDSA), but ECDSA is more secure" (Option D)?This statement discusses certificate authentication methods, not SSL/TLS decryption performance. While ECDSA is more efficient and secure than RSA, it is not directlyrelevant to sizing considerations for firewall deployments with decryption enabled.
by Carter at Jun 23, 2025, 06:44 AM
0
0
0
10
Comments
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one. So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Report Comment
Commenting
You can sign-up / login (it's free).