A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny`. What effect will this configuration have on the matched traffic?
A.
The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".
B.
The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede the per-severity actions defined in the associated Vulnerability Protection Profile.
C.
The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
D.
The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".
D is correct
First note in above link states:
"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy."
The first thing the firewall checks per its flow is the security policy match and action. The Security Profile never gets checked if a match happens on a policy set to deny that match.
It is kind of burdening the firewall resources by allowing the traffic payload to be scanned once the traffic is denied from getting a network service, so the answer should be A. Or the question itself is doubtful: is the action "Deny" for the security rule or for the security profile? If it is for the security profile, it should be "Drop".
If a traffic flow matches a security policy whose action is set to Deny, it doesn't matter what security profiles are configured within the policy, because the traffic will be dropped regardless.
D is correct.
Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are evaluated only for rules that have an allow action.
Agreed. Failed the exam today. Only had about 8 questions from this dump. They are shifting focus to Panorama deployment, Device Groups and Template stacks, User-ID and mapping, certificate questions, SSL decryption and SD-WAN. There is some Prisma on there as well. You may not pass if you rely on this.
A is the right answer. The Vulnerability profile can only be checked if the traffic is allowed. There is no reason for a firewall to check traffic for vulnerabilities when it has been denied and will be dropped.
This traffic will not make it through the slow path of traffic flow in Palo Alto, and so no session will be created because the traffic is DENIED!!!