A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption. Which order of steps is best to complete this migration?
A. First migrate SSH rules to App-ID; then implement SSL decryption.
B. Configure SSL decryption without migrating port-based security rules to App-ID rules.
C. First implement SSL decryption; then migrate port-based rules to App-ID rules.
D. First migrate port-based rules to App-ID rules; then implement SSL decryption.
Definitely D. In the link some have provided, pay close attention to this specific line (and the non-standard-port part):
"...Security policy rules are likely to use application default ports to prevent traffic from using non-standard ports."
Granted, you could account for non-default ports just fine beforehand too, but the test is on PAN BPs, so D.
Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules.
https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment
Putting C as a protest vote. That best practice statement is stupid from Palo. As if an engineer would forget which ports he configured in a few decryption rules and couldn't easily look at them. I'd want my App-ID visibility right off the bat - granular App-IDs won't work without decryption.
Agreed. You would end up going back and adding new App-IDs into the rule anyway. Also you would want to know about as many decryption issues as soon as possible to put in exclusions for them early on.
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment
"Migrating to App-ID based rules before deploying decryption ensures that when you test your decryption deployment"
D is correct. Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. If you create Decryption rules based on port-based Security policy and then migrate to application-based Security policy, the change could cause the Decryption rules to block traffic that you intend to allow because Security policy rules are likely to use application default ports to prevent traffic from using non-standard ports. Migrating to App-ID based rules before deploying decryption ensures that when you test your decryption deployment, you'll discover Security policy misconfigurations and fix them before rolling decryption out to the general user population.
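To make the "application default ports" point in the quoted best practice concrete, here is an added example that is not part of the ExamTopics thread or Palo Alto's documentation. It is a toy policy evaluator in Python that models two simplified PAN-OS behaviours: first-match rule evaluation with an implicit deny, and `application-default` service matching only when an App-ID arrives on its standard port. The App-ID names, the default-port table, the rulebases and the traffic sample are all constructed for the example. Running the same flows through the legacy port-based rulebase and a naive App-ID migration shows which sessions change verdict: one is an intended block (SSH tunnelled over 443), the other is the kind of misconfiguration you would rather find before a Decryption rule written against the old rulebase starts blocking traffic.

```python
from dataclasses import dataclass

# Constructed default-port table for the handful of App-IDs used below.
# Real PAN-OS maps each App-ID to its own standard ports; these are assumptions.
APP_DEFAULT_PORTS = {
    "ssl": {443},
    "web-browsing": {80},
    "ssh": {22},
}


@dataclass(frozen=True)
class Flow:
    """A TCP session as the firewall would classify it (constructed sample)."""
    name: str
    app: str   # application identified by App-ID
    port: int  # destination port


@dataclass(frozen=True)
class SecurityRule:
    """Simplified Security policy rule; apps == () means 'any' application."""
    name: str
    action: str                # "allow" or "deny"
    apps: tuple = ()           # App-IDs the rule matches; () = any
    service: tuple = ("any",)  # "any", "application-default" and/or "tcp/<port>" entries

    def matches(self, flow: Flow) -> bool:
        if self.apps and flow.app not in self.apps:
            return False
        if "any" in self.service:
            return True
        # application-default only matches the app on its standard port(s)
        if "application-default" in self.service and flow.port in APP_DEFAULT_PORTS.get(flow.app, set()):
            return True
        # explicit tcp/<port> entries match that port regardless of the app's default
        return f"tcp/{flow.port}" in self.service


def evaluate(rules, flow):
    """First matching rule wins; an unmatched flow hits the implicit deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def policy_regressions(flows, before, after):
    """Flows whose verdict differs between two rulebases, with the rule that decided each."""
    changes = []
    for flow in flows:
        b_action, b_rule = evaluate(before, flow)
        a_action, a_rule = evaluate(after, flow)
        if b_action != a_action:
            changes.append((flow.name, f"{b_action} ({b_rule})", f"{a_action} ({a_rule})"))
    return changes


# Legacy port-based rulebase (constructed): ports only, no App-ID.
PORT_BASED = [
    SecurityRule("allow-web", "allow", service=("tcp/80", "tcp/443", "tcp/8443")),
    SecurityRule("allow-ssh", "allow", service=("tcp/22",)),
]

# Naive App-ID migration: same intent, keyed on App-ID with application-default.
APP_BASED = [
    SecurityRule("allow-web", "allow", apps=("web-browsing", "ssl"), service=("application-default",)),
    SecurityRule("allow-ssh", "allow", apps=("ssh",), service=("application-default",)),
]

# Corrected migration: the portal on 8443 is allowed explicitly; SSH over 443 stays blocked.
APP_BASED_FIXED = APP_BASED + [
    SecurityRule("allow-portal-8443", "allow", apps=("ssl",), service=("tcp/8443",)),
]

# Constructed traffic sample: an SSL portal on a non-standard port and SSH tunnelled
# over 443 (the evasion that application-default is meant to stop).
FLOWS = [
    Flow("intranet-http", "web-browsing", 80),
    Flow("portal-443", "ssl", 443),
    Flow("portal-8443", "ssl", 8443),
    Flow("ssh-admin", "ssh", 22),
    Flow("ssh-over-443", "ssh", 443),
]

if __name__ == "__main__":
    print("naive App-ID migration:")
    for name, before, after in policy_regressions(FLOWS, PORT_BASED, APP_BASED):
        print(f"  {name:14} {before:20} -> {after}")
    print("after fixing the misconfiguration:")
    for name, before, after in policy_regressions(FLOWS, PORT_BASED, APP_BASED_FIXED):
        print(f"  {name:14} {before:20} -> {after}")
```

The naive migration reports two allow-to-deny changes; reviewing them separates the intended one (`ssh-over-443`) from the misconfiguration (`portal-8443`), which `APP_BASED_FIXED` resolves with an explicit service entry. Doing this review before any Decryption rules exist is exactly the ordering the best practice asks for: a Decryption rule written against `PORT_BASED` would have been tested against sessions that the migrated rulebase later denies.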
Can you post the link where you got your information?