I'm thinking C.
Here's my train of thought, let me know what you think.
B and D are certainly not right. A and C could be both technically true, but which is more accurate? A indicates that "after app has been identified", so we can interpret that in the Flow Diagram as the step in App-ID which says "Pattern based application identification". However, considering the Packet Flow Sequence, after the app is identified, there are still several steps that don't lead directly to Content ID. First it checks for policy matches that will allow it (so it might still get dropped). Then it will check if there are any Security Profiles (ContentID) that will be applicable. QoS and SSL Decryption also might occur at this point. My point is there's a whole bunch of stuff still going on between the "app being identified" and content inspection.
My conclusion is that whenever content inspection is performed it's always before packet forwarding. And it is not always the case that it happens immediately after the app has been identified.
Content inspection isn't always done (e.g. Application Override), but if it is then it either returns 'detection' and security policy is referenced again or 'no detection' and then traffic is re-encrypted (if SSL decrypted), and THEN the packet is forwarded. So since C isn't always true, I feel like A is the correct answer. I can definitely see how a similar argument can be made for C though, so I agree that both are almost equally correct.
Agree. Besides, if the app is not identified, when it arrives at content inspection it just will not be inspected. So since apps are NOT always identified, A can't be. However, both App ID and Content ID ALWAYS happen before the packet forwarding process.
I feel like this question could be simply asked as "When do you learn to read?"
A: After you are done being a toddler
C: Sometime before you die of old age
Technically both are correct. Seriously Palo? Are we supposed to play the choose the more correct answer game? C feels like the broader safer answer. If the Application is Incomplete or Insufficient Data and can't be identified, that doesn't stop Palo from attempting content inspection so it would make A questionable.
While C isn't technically wrong (since inspection does happen before forwarding), A is the more accurate answer because content inspection happens specifically after the application has been identified. That’s the critical part of the packet flow, where the firewall decides how to treat the traffic based on its policies.
Content inspection occurred after the session app was identified. If the app is not identified, it would be:
app override policy match >> pattern based app identification >> security policy lookup based on app >> Rule match with action allowed >> Content inspection
C is not possible because there are several options before packet forwarding; content inspection is one of them. Content inspection only happens if the traffic has gone through the App-ID engine.
A. after the application has been identified
Content inspection is typically performed after the application has been identified in the packet flow process of many firewall systems, including Palo Alto Networks firewalls. This allows for the content of the packets to be inspected for threats and policy violations based on the identified application.
My two cents. It's C. Scroll down to section 6, Content Inspection, happens right before Forwarding/Egress.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
The content inspection is performed ONLY if the application is identified. If it's an unknown app then the content inspection doesn't happen but the packet is forwarded, if the security policy allows.
I'm going to have to go with option C here. A and D both are technically correct. However, A and D are both not necessary steps in the process. C is a necessary step. This is one of those "which is the better answer" scenarios.