I'm thinking C.
Here's my train of thought, let me know what you think.
B and D are certainly not right. A and C could be both technically true, but which is more accurate? A indicates that "after app has been identified", so we can interpret that in the Flow Diagram as the step in App-ID which says "Pattern based application identification" however, considering the Packet Flow Sequence, after the app is identified, there are still several steps that don't lead directly to Content ID. First it checks for policy matches that will allow it (so it might still get dropped). Then it will check if there are any Security Profiles (ContentID) that will be applicable. QoS and SSL Decryption also might occur at this point. My point is there's a whole bunch of stuff still going on between the "app being identified" and content inspection.
My conclusion is that whenever content inspection is performed it's always before packet forwarding. And it is not always the case that it happens immediatly after the app has been identified.
Content inspection isn't always done (e.g. Application Override), but if it is then it either returns 'detection' and security policy is referenced again or 'no detection' and then traffic is re-encrypted (if SSL decrypted), and THEN the packet is forwarded. So since C isn't always true, I feel like A is the correct answer. I can definitely see how a similar argument can be made for C though, so I agree that both are almost equally correct.
agree. besides, if app is not identified, when it arrives to content inspection it just will not be inspected. so since apps are NOT always identified A cant be. however, both App ID and Content ID ALWAYS happen before packet forwarding process
I feel like this question could be simply asked as "When do you learn to read?"
A: After you are done being a toddler
C: Sometime before you die of old age
Technically both are correct. Seriously Palo? Are we supposed to play the choose the more correct answer game? C feels like the broader safer answer. If the Application is Incomplete or Insufficient Data and can't be identified, that doesn't stop Palo from attempting content inspection so it would make A questionable.
While C isn't technically wrong (since inspection does happen before forwarding), A is the more accurate answer because content inspection happens specifically after the application has been identified. That’s the critical part of the packet flow, where the firewall decides how to treat the traffic based on its policies.
Content inspection occurred after the session app identified. If app not identified, it would be
app override policy match >> pattern based app identification >> security policy lookup based on app >> Rule match with action allowed >> Content inspection
C is not possible because there are several options before packet forwarding, content inspection is one of them. content inspection only happens if the traffic has gone through the app-id engine
A. after the application has been identified
Content inspection is typically performed after the application has been identified in the packet flow process of many firewall systems, including Palo Alto Networks firewalls. This allows for the content of the packets to be inspected for threats and policy violations based on the identified application.
My two cents. It's C. Scroll down to section 6, Content Inspection, happens right before Forwarding/Egress.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
The content inspection is performed ONLY if application is identified. If it's an unknown app then the content inspection doesn't happen but the packet it's forwarded, if the security policy allow.
I'm going to have to go with option C here. A and D both are technically correct. However, A and D are both not neccessary steps in the process. C is a neccessary step. This is one of those "which is the better answer" scenarios.
Outside of this flow diagram I couldn't find anything concrete in any docs. Based on the flow diagram you can see there is a question "Session App Identified?", if the answer is "No" then it is sent to the App-ID process before being sent back to the FW Fastpath process. If Content Inspection is applicable then the packet is sent onward to that process.https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
A is correct
"The firewall first performs an application-override policy lookup to see if there is a rule match. If there is, the application is known and content inspection is skipped for this session .
If there is no application-override rule, then application signatures are used to identify the application. The firewall uses protocol decoding in the content inspection stage to determine if an application changes from one application to another ."
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
shamhala1228
Highly Voted 4 years, 5 months agotrashboat
3 years, 8 months agoochc
4 years, 1 month agoAcidscars
Highly Voted 3 years, 10 months agoNSO_Blue
Most Recent 2 months, 2 weeks agoATRRHMN
2 months, 3 weeks agoalexia_net
3 months, 3 weeks agoapiloran
6 months, 1 week agohcir
7 months agonolox
7 months, 3 weeks agoaurang
10 months, 3 weeks agofranko_72
11 months, 3 weeks agoms997
1 year agogc999
1 year, 1 month agoMicutzu
1 year, 3 months agoBetty2022
1 year, 5 months agoFrightened_Acrobat
1 year, 5 months agoChiaPet75
1 year, 6 months agoTechn
1 year, 7 months agoBetty2022
1 year, 5 months ago