Question 358 of 524
Decryption and MonitoringhardMultiple ChoiceObjective-mapped

Quick Answer

The correct answer is to implement decryption exclusion rules for financial and healthcare websites. This resolves the high CPU from decryption by removing certificate pinned sites from the inspection load, as these sites often use certificate pinning or incompatible cipher suites that force the firewall’s dataplane to repeatedly fail or renegotiate SSL/TLS handshakes, spiking CPU to 85-95%. On the PCNSA exam, this scenario tests your understanding of SSL Forward Proxy performance tuning and the trade-off between security and resource utilization; a common trap is to assume adding more hardware or licensing solves the issue, but the real fix is policy-based exclusion. Remember the memory tip: “Pin it, skip it”—if a site uses certificate pinning, exclude it from decryption to protect both CPU and connectivity.

PCNSA Decryption and Monitoring Practice Question

This PCNSA practice question tests your understanding of decryption and monitoring. This is a configuration task: choose the command set that satisfies every stated requirement. Small differences — like 'secret' vs 'password' or 'transport input ssh' vs 'all' — change whether the answer is correct. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A large enterprise uses Palo Alto Networks firewalls with SSL Forward Proxy to inspect all HTTPS traffic (port 443) from internal users. Recently, users have reported slow web browsing and intermittent failures when accessing certain financial and healthcare websites. The firewall's dataplane CPU consistently reaches 85-95% during business hours. The decryption policy is configured with a single rule that decrypts all outbound HTTPS traffic using the default SSL Forward Proxy settings. The firewall is a PA-5250 with ample license capacity. What should the administrator do to resolve the performance issues while maintaining security posture?

Question 1hardmultiple choice
Full question →

Answer choices

Why each option matters

Answer the question above first, then reveal the full breakdown to understand why each option is right or wrong.

Correct answer & explanation

Implement decryption exclusion rules for financial and healthcare websites.

Option C is correct because financial and healthcare websites often use certificate pinning or require specific cipher suites that may not be compatible with the firewall's default SSL Forward Proxy settings. By excluding these sites from decryption, the administrator reduces the decryption load on the dataplane CPU and avoids breaking connectivity to sensitive sites, while still decrypting the majority of HTTPS traffic to maintain security posture.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • Increase the maximum number of concurrent SSL sessions allowed.

    Why it's wrong here

    This would not reduce CPU usage; it might exacerbate the issue.

  • Disable decryption for high-bandwidth websites such as video streaming services.

    Why it's wrong here

    This would reduce inspection for popular services, potentially missing threats.

  • Implement decryption exclusion rules for financial and healthcare websites.

    Why this is correct

    Excluding problematic sites reduces decryption overhead while maintaining security on most traffic.

    Related concept

    Read the scenario before looking for a memorised answer.

  • Enable hardware acceleration for SSL decryption.

    Why it's wrong here

    The PA-5250 already uses hardware acceleration; this would not solve the CPU issue.

Common exam traps

Common exam trap: answer the scenario, not the keyword

The trap here is that candidates may assume hardware acceleration (Option D) is a magic fix for all performance issues, but in reality, the PA-5250 already has it enabled, and the bottleneck is the CPU's capacity to handle the cryptographic operations, not the acceleration feature itself.

Detailed technical explanation

How to think about this question

SSL Forward Proxy works by intercepting HTTPS connections, generating a new certificate on-the-fly, and re-encrypting traffic between the firewall and the client. This process is CPU-intensive because it requires asymmetric cryptography for each new session, and the PA-5250's dataplane CPU handles this decryption. Financial and healthcare websites often use Extended Validation (EV) certificates or implement HTTP Public Key Pinning (HPKP), which can cause certificate validation failures when the firewall's proxy certificate is presented, leading to user-visible errors or connection drops. Excluding these sites via a decryption policy rule (based on URL category) offloads the decryption work and preserves compatibility without sacrificing security for other traffic.

KKey Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

TExam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A small business has 20 workstations on the 192.168.1.0/24 network and one public IP from its ISP. The router uses PAT (NAT overload) so all 20 devices share one public address using different source ports. NAT questions test whether you understand the four address terms and which direction each translation applies.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Related practice questions

Related PCNSA practice-question pages

Use these pages to review the topic behind this question. This is how one missed question becomes focused revision.

Practice this exam

Start a free PCNSA practice session

Short sessions build daily habit. Longer sessions build exam-day stamina. Try a timed session to simulate real conditions.

FAQ

Questions learners often ask

What does this PCNSA question test?

Decryption and Monitoring — This question tests Decryption and Monitoring — Read the scenario before looking for a memorised answer..

What is the correct answer to this question?

The correct answer is: Implement decryption exclusion rules for financial and healthcare websites. — Option C is correct because financial and healthcare websites often use certificate pinning or require specific cipher suites that may not be compatible with the firewall's default SSL Forward Proxy settings. By excluding these sites from decryption, the administrator reduces the decryption load on the dataplane CPU and avoids breaking connectivity to sensitive sites, while still decrypting the majority of HTTPS traffic to maintain security posture.

What should I do if I get this PCNSA question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content. Learn why practice questions differ from exam dumps →

How Courseiva writes practice questions · Editorial policy

Last reviewed: Jun 25, 2026

Question Discussion

Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.

Loading comments…

Sign in to join the discussion.

This PCNSA practice question is part of Courseiva's free Palo Alto Networks certification practice question bank. Courseiva provides original exam-style practice questions with explanations, topic-based practice, mock exams, readiness tracking, and study analytics to help learners prepare for the PCNSA exam.