Exam PCNSE topic 1 question 43 discussion

Custom applications take precedence over predefined applications when traffic matches both a custom-defined signature and a Palo Alto Networks signature. Accordingly, Traffic logs reflect the custom application name once the new application has been configured. Answer is A

A. https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/about-custom-application-signatures.html

Question is tricky worded. The firewall will use the custom application if there are both a custom and palo alto defined applicaton available. (Answer A) However the question asks which of both **SHOULD** be used and that is answer C. So answer C is correct for this question.

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/about-custom-application-signatures.html

"Custom applications take precedence over predefined applications when traffic matches both a custom-defined signature and a Palo Alto Networks signature. Accordingly, Traffic logs reflect the custom application name once the new application has been configured."

Question states the apps are identical in signatures and asks what "should" be used. Wouldn't you want Palo Alto modifying and updating that App-ID in the future for you, as it's threat intel teams gather global information, or do you want to do that yourself for various App-IDs?

The correct answer is C. Downloaded application. Here's why: App-ID Prioritization: Palo Alto firewalls prioritize official, vendor-provided application signatures (those downloaded in updates) over custom applications. This ensures that the firewall leverages the most up-to-date and reliable application identification mechanisms. Conflict Resolution: When a conflict occurs, the firewall will automatically use the downloaded application, overriding the custom application to avoid potential misidentification. Maintaining Custom Apps: While custom applications are useful for unique traffic not covered by standard applications, it's important to regularly review them against official App-ID updates to avoid conflicts and potential misidentification of traffic.

Correct answer is C

I believe the answer is C, as the question says: "What application SHOULD be used", in that case we should use the downloaded app.

Poorly written question. Best practice would be to use the Downloaded application. I think they're asking for which takes precedence so it will be A.

https://docs.paloaltonetworks.com/pan-os/u-v/custom-app-id-and-threat-signatures/custom-application-and-threat-signatures/about-custom-application-signatures Custom applications take precedence over predefined applications when traffic matches both a custom-defined signature and a Palo Alto Networks signature

C - As others stated which *SHOULD* be used. If you want the best possible Content-ID inspections, best protection, you *should* use the app defined by PA themselves.

"Which application SHOULD be used to identify traffic traversing the NGFW?" is the question. Palo looking for answer C

C. Custom apps take precedence, but the question is saying that PA has released an App-ID for that app, and therefore the custom application should be deleted and the downloaded app should be used instead.

Custom App Sigs DO take precedance over the default downloaded one. But that is not what this question is asking. The questions asks ,"SHOULD you use..." and to that effect no, you should not use the custom application any longer. Instead, use the Palo Alto created App Sig. Answer is C

everything what is custom has the highest priority (prcedence)

A, custom apps take precedence over palo app updates