PCNSA Decryption and Monitoring • Complete Question Bank
Question 1 (hard, multiple choice)
Refer to the exhibit.
```
# show system info | match decrypt
Decryption status: enabled
Decryption sessions: 523 (current), 1024 (peak)
Certificate errors: 12 (since last hour)
# show decryption statistics
Policy hits: Decrypt: 1500, No Decrypt: 300
TLS version failures: 5 (TLS 1.0: 3, TLS 1.1: 2)
```
Refer to the exhibit.
```
{
  "decryption_rules": [
    {
      "name": "rule1",
      "source_zone": ["trust"],
      "destination_zone": ["untrust"],
      "source_address": ["any"],
      "destination_address": ["any"],
      "category": ["financial-services"],
      "action": "no-decrypt",
      "description": "Skip decryption for finance sites"
    },
    {
      "name": "rule2",
      "source_zone": ["trust"],
      "destination_zone": ["untrust"],
      "source_address": ["any"],
      "destination_address": ["any"],
      "category": ["any"],
      "action": "decrypt",
      "description": "Decrypt all other traffic"
    }
  ]
}
```
Refer to the exhibit.
```
admin@PA-500> show decryption statistics
Decryption Statistics:
Total Sessions Decrypted: 1500
Total Sessions Failed: 50
Failed Reasons:
handshake_failure: 30
certificate_unknown: 15
decryption_error: 5
```
Refer to the exhibit.
```
admin@PA-500> show running decryption-policy
Decryption policy:
#  name             from     to       source       destination     service  action      profile
1  decrypt-all      trust    untrust  any          any             any      decrypt     default
2  no-decrypt-fin   trust    untrust  10.0.0.0/24  192.168.1.0/24  any      no-decrypt  none
3  decrypt-inbound  untrust  trust    any          10.0.0.5/32     https    decrypt     inbound
```
Refer to the exhibit.
```
admin@PA-500> show log traffic | match 10.0.0.5
Time        Source    Dest         Application  Action  Decrypted
2023/01/01  10.0.0.5  192.168.1.1  ssl          allow   yes
2023/01/01  10.0.0.5  8.8.8.8      dns          allow   no
```
```
> show system info | match cert
cert-management-status: OK
certificate-expiry-warning: cert 'Decrypt-CA' expires in 30 days
```
```
> show decryption rule
rule name: Default-No-Decrypt, source: any, dest: any, action: no-decrypt
rule name: Decrypt-Web, source: any, dest: any, action: decrypt, profile: strict
```
```
1. 2023/08/15 10:30:45, info, ssl-decrypt, session 12345, Decryption failed: certificate validation error: certificate is not yet valid
```
```
# show decryption statistics
Decryption failures: 120
SSL handshake failures: 80
Certificate validation failures: 40
Decryption successful: 980
```
```
admin@PA-5050> show system info | match uptime
Uptime: 12 days, 4 hours, 23 minutes
admin@PA-5050> show running resource-monitor
Resource Monitor:
Data Plane CPU: 78%
Data Plane Memory: 82%
Session Utilization: 95%
Session Capacity: 1000000
Active Sessions: 950000
SSL/TLS Proxy Sessions: 5000
Decryption Policy Matches: 12000
```
```
admin@PA-3020> show running decryption policy
Decryption Policy:
#  Name              Source Zone  Dest Zone  Source User  Destination  Service        Action
1  No-Decrypt-Int    internal     external   any          any          any            no-decrypt
2  Decrypt-Corp      internal     external   corp-users   any          service-https  decrypt
3  Decrypt-All       external     internal   any          any          service-https  decrypt
4  Block-No-Decrypt  internal     external   any          any          any            block
```
```
admin@PA-5250> show ssl-decrypt statistics
SSL Decryption Statistics:
Total Sessions Inspected: 15000
Sessions Decrypted Successfully: 12000
Sessions Failed: 3000
  - SSL Handshake Failure: 2000
  - Certificate Validation Failure: 500
  - Unsupported Cipher: 300
  - Other: 200
admin@PA-5250> show ssl-decrypt certificate cache
Certificate Cache: size 10000, active 9500
Forward Trust Certificate: CN=PA-Forward-Trust
Forward Untrust Certificate: CN=PA-Forward-Untrust
```
```
admin@PA-220> show logging system | match ssl
2023-06-15 10:23:45 severity=warning msg="SSL decryption: certificate validation failed for session 12345, server certificate expired"
2023-06-15 10:24:01 severity=info msg="SSL decryption: session 12346 decrypted successfully"
2023-06-15 10:24:15 severity=warning msg="SSL decryption: session 12347 failed, unsupported protocol version"
```
```
{
  "decryption-policy": {
    "rules": [
      {
        "name": "Decrypt-HTTPs-Corp",
        "source-zones": ["internal"],
        "dest-zones": ["external"],
        "source-users": ["corp-users"],
        "destination-addresses": ["any"],
        "service": ["service-https"],
        "action": "decrypt",
        "decryption-profile": "Standard-Decrypt"
      }
    ]
  },
  "decryption-profile": {
    "name": "Standard-Decrypt",
    "ssl-decrypt-settings": {
      "forward-trust-cert": "PA-Forward-Trust",
      "forward-untrust-cert": "PA-Forward-Untrust",
      "decrypt-unknown-protocol": false,
      "ssl-protocol-settings": {
        "min-version": "tls1-0",
        "max-version": "tls1-2"
      }
    }
  }
}
```