
Exam PCNSE topic 1 question 85 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 85
Topic #: 1

A web server is hosted in the DMZ and is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

  • A. Rule #1: application: web-browsing; service: application-default; action: allow
       Rule #2: application: ssl; service: application-default; action: allow
  • B. Rule #1: application: web-browsing; service: service-http; action: allow
       Rule #2: application: ssl; service: application-default; action: allow
  • C. Rule #1: application: ssl; service: application-default; action: allow
       Rule #2: application: web-browsing; service: application-default; action: allow
  • D. Rule #1: application: web-browsing; service: service-https; action: allow
       Rule #2: application: ssl; service: application-default; action: allow
Suggested Answer: D

Comments

YasserSaied
Highly Voted 3 years, 7 months ago
D. The server hosts both HTTP and HTTPS on port 443, which means that to access HTTP on port 443, the web-browsing application needs to be enabled on the service-https service.
upvoted 14 times
Prutser2
3 years, 6 months ago
In addition, rule 2 allows the incoming encrypted SSL traffic, and once it is decrypted, rule 1 will allow web-browsing on port 443, because that is what the server is listening on. So D.
upvoted 4 times
trashboat
Highly Voted 3 years, 8 months ago
A is the correct answer. The TCP session will be built and hit the SSL decryption policy, which will decrypt the packets and forward them on HTTP via TCP/443; this is the behavior for PAN-OS 10.0+. That being said, I also think the first rule in A would suffice to allow the traffic.
upvoted 8 times
confusion
2 years, 9 months ago
A and C are exactly the same, there must be something wrong in these answers.
upvoted 1 times
confusion
2 years, 2 months ago
ignore that!
upvoted 1 times
Elvenking
2 years, 9 months ago
A is wrong. The first rule uses application-default, so there is no match there when the application changes to "web-browsing" while app inspection is redone after decryption. The service needs to be port 443 explicitly.
upvoted 1 times
datz
2 years, 7 months ago
A is wrong: app-default on web-browsing won't allow 443.
upvoted 1 times
Oswaldo_CCSM
Most Recent 2 weeks, 4 days ago
Selected Answer: C
The order is important because SSL decryption must happen before web-browsing (HTTP) traffic is allowed to reach the web server in cleartext. Therefore, the first rule allows the SSL traffic to be decrypted, and the second rule allows the decrypted web-browsing traffic to pass to the server.
upvoted 1 times
Moadil_001
4 months, 1 week ago
Selected Answer: C
Rule #1: application: ssl; service: application-default; action: allow
Reason: The first rule allows the initial SSL handshake to occur, which is necessary for the firewall to decrypt the traffic. Once the traffic is decrypted, it can be identified as web-browsing.
Rule #2: application: web-browsing; service: application-default; action: allow
Reason: After the SSL traffic is decrypted, it is identified as web-browsing traffic. The second rule is needed to allow this now-decrypted web-browsing traffic through on TCP port 443.
upvoted 1 times
Eluis007
9 months, 2 weeks ago
Rule A would allow the web traffic to pass over both 80 and 443; rule D would allow it just over 443. So D.
upvoted 1 times
Jared28
10 months, 2 weeks ago
Selected Answer: C
As was mentioned below, for a bit now the app-id web-browsing shows a default secure port of TCP 443. So *when ssl is decrypted* and the decrypted traffic matches web-browsing, TCP 443 will be allowed with app-default.
upvoted 3 times
DatITGuyTho1337
1 year ago
Voting for answer A, due to this article "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default"
upvoted 3 times
Micutzu
1 year, 3 months ago
Selected Answer: D
I think that all the options are valid to allow cleartext web-browsing traffic on tcp/443. The most precise rule is D.
upvoted 1 times
Eiffelsturm
1 year, 6 months ago
So D was correct before the default secure ports were introduced I think. You can see them in the GUI. According to this KB article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK with Decryption enabled those applications are identified correctly as e.g. web-browsing if it's active on 443 and the Security Policy with "application-default" will allow it. The question is if the Exam is this up to date :D
upvoted 1 times
hz78
1 year, 8 months ago
B is correct. In option D, the first Security policy rule allows web-browsing traffic on the HTTPS service (service-https), which is not applicable in this scenario since the web server is configured to host its contents over HTTP(S) and is listening on TCP port 443 for incoming connections. If we allow the web-browsing application traffic using the HTTPS service, the firewall will forward the traffic to the web server without decrypting it, since it is HTTPS traffic. However, the web server is hosting its contents over HTTP(S), so the firewall needs to decrypt the traffic before forwarding it to the web server. Therefore, the correct service to be used in the first Security policy rule is service-http instead of service-https. This will allow the firewall to decrypt the traffic before forwarding it to the web server and also allow web-browsing traffic from the Trust zone to the DMZ zone. Hence, option B is the correct answer.
upvoted 3 times
Frightened_Acrobat
1 year, 10 months ago
I agree D. However, the way the question is worded and answers are very tricky. It's not the way you'd go about explaining this or executing the solution IRL. Shame on Palo Alto for trying to mislead us purposely on questions like this. I mean we only have an average of 1 min, 4sec per question. Rule 2 is unnecessary to allow cleartext, which is the stated goal of the question. No decryption is necessary for the firewall to identify cleartext web-browsing traffic. A bad question overall.
upvoted 4 times
Bruno_Nascimento
1 year, 12 months ago
The correct Answer is A. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default
upvoted 3 times
DatITGuyTho1337
1 year ago
I agree, especially after reading the article!
upvoted 1 times
Chris71Mach1
2 years ago
Selected Answer: D
I didn't even get to rule 2 before I knew D was the right answer. It's the only one that lists the application as web-browsing and the service as HTTPS.
upvoted 2 times
spydog
2 years, 3 months ago
Selected Answer: A
Starting from PAN-OS 9.0, answer A is correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default A couple of applications are defined with "standard" and "secure" ports, which allow you to use the application web-browsing with application-default ports after decryption. The first rule from A will match the traffic after decryption. The second rule is needed to allow the initial connection to be established. Traffic will initially be allowed over the second rule, and after decryption the application will shift and a new lookup will match the first rule.
upvoted 3 times
juan_L
2 years, 5 months ago
C is the correct one. On the first packets the application will be identified as SSL; once the tunnel is established (after the TLS hello exchange between client and server, cipher chosen... dears, check the TLS negotiation wikis) the firewall starts to decrypt via Forward Proxy, and at that moment the app is identified as web-browsing. The TLS tunnel must be negotiated first, and this handshake will be identified as SSL.
upvoted 2 times
Pretorian
2 years, 5 months ago
If you go to objects > applications (applipedia doesn't show this) and search for "web-browsing" open that signature and locate the field "standard port" and "secure port" you'll see port 80 and 443. This means that if you create a policy allowing web-browsing with application default, this app will be allowed on both of those ports. Now you no longer need to create a policy allowing SSL on port 443 before your policy allowing web-browsing. This is now from the past. This is true for a handful of applications only at this point. Which means that this question might show an answer along those lines if it ever gets updated.
upvoted 4 times
Pretorian
2 years, 5 months ago
If you go to objects > applications (applipedia doesn't show this) and search for "web-browsing", open that signature and locate the fields "standard port" and "secure port", you'll see port 80 and 443. This means that if you create a policy allowing web-browsing with application default, this app will be allowed on both of those ports. Now you no longer need to create a policy allowing SSL on port 443 before your policy allowing web-browsing. This is now from the past. This is true for a handful of applications only at this point. Which means that this question might show an answer along those lines if it ever gets updated.
upvoted 1 times
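The split in this thread between A and D comes down to two mechanics: the App-ID shift from ssl to web-browsing once Forward Proxy decryption kicks in (with a fresh policy lookup on the same port), and whether web-browsing's application-default covers tcp/443 or only tcp/80. The following constructed Python model of first-match rule evaluation is an added illustration, not code from the ExamTopics page or from Palo Alto Networks; it assumes ssl's application-default port is tcp/443, web-browsing's standard port is tcp/80, and that the "secure port" tcp/443 counts toward application-default only when the behaviour the comments attribute to PAN-OS 9.0+ is switched on. Zones, users, URL categories and the implicit interzone-default rule are left out.

```python
# Constructed model of first-match Security policy evaluation for the
# question above. It is not PAN-OS code: zones, users, URL categories and
# the implicit interzone-default rule are left out.
STANDARD_PORTS = {"web-browsing": {80}, "ssl": {443}}   # assumed app defaults
SECURE_PORTS = {"web-browsing": {443}}   # "secure port" the comments describe
SERVICES = {"service-http": {80}, "service-https": {443}}

# The four answer options as ordered (rule name, app, service, action) lists.
OPTIONS = {
    "A": [("1", "web-browsing", "application-default", "allow"),
          ("2", "ssl", "application-default", "allow")],
    "B": [("1", "web-browsing", "service-http", "allow"),
          ("2", "ssl", "application-default", "allow")],
    "C": [("1", "ssl", "application-default", "allow"),
          ("2", "web-browsing", "application-default", "allow")],
    "D": [("1", "web-browsing", "service-https", "allow"),
          ("2", "ssl", "application-default", "allow")],
}

def rule_ports(app, service, secure_ports):
    """Ports a rule accepts for `app` under the named service object."""
    if service != "application-default":
        return SERVICES[service]
    ports = set(STANDARD_PORTS.get(app, ()))
    if secure_ports:                      # 9.0+ behaviour per the thread
        ports |= SECURE_PORTS.get(app, set())
    return ports

def first_match(rules, app, port, secure_ports):
    """Top-down lookup; anything unmatched falls to interzone-default deny."""
    for name, r_app, r_service, action in rules:
        if r_app == app and port in rule_ports(r_app, r_service, secure_ports):
            return name, action
    return "interzone-default", "deny"

def evaluate(option, secure_ports):
    """Session to the DMZ server on tcp/443: first seen as ssl; after Forward
    Proxy decryption App-ID shifts to web-browsing and policy is re-looked-up."""
    rules = OPTIONS[option]
    return {"handshake": first_match(rules, "ssl", 443, secure_ports),
            "after-shift": first_match(rules, "web-browsing", 443, secure_ports)}

def allowed_end_to_end(option, secure_ports):
    return all(a == "allow" for _, a in evaluate(option, secure_ports).values())

if __name__ == "__main__":
    for opt in OPTIONS:
        print(opt, "old app-default:", allowed_end_to_end(opt, False),
              "| with secure port:", allowed_end_to_end(opt, True))
```

Under the old application-default (port 80 only) only D passes both lookups; with the secure port counted, A, C and D all pass, while B fails after the shift because service-http never covers 443.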
Community vote distribution
A (35%)
C (25%)
B (20%)
Other