Exam PCNSE topic 1 question 437 discussion

Looks like should be C according to below https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFRCA0 The ipsec application contains the following sub-apps: ike ipsec-ah ipsec-esp ipsec-esp-udp(NAT-T) The sub-apps above are allowed implicitly when the ipsec application is configured as allowed.

A: Add a Security policy to allow UDP/500 - will not work as stated from others when NAT-T is enabled it will also use UDP4500 https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC "To check if NAT-T is enabled, packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode." B: Add a Security policy to allow the IKE application. - will not work as per the above D:Add a Security policy to allow UDP/4501 - will not work as per the above C: Add a Security policy to allow the IPSec application. - having checked on PANOS 10.2 the IPSec application has 4 sub(?) applications - ike (Standard Ports: tcp/500, udp/500) - ipsec-ah (Standard Ports: IP Protocol 51) - ipsec-esp (Standard Ports: IP Protocol 50) - ipsec-esp-udp (Standard Ports: udp/4500, udp/4501)

behind a NAT. So only C is possible

*C is correct

Answer should be B, it is dropping the IKE and also NAT-T works on port 4500 not 4501

In Objects > Applications it can be seen that ike app uses tcp/500 and/or udp/500 and that it doesn't depend on any other app (for example ipsec). Since PA is always recommending to use app ID I would choose B.

Answer is C

I believe its safe to allow IPsec application which will encompass both udp/500 and udp/4500, udp/4501.

Ipsec apps include ike an the other ipsec. Option C

Ipsec apps include ike an the other ipsec. Option C

Should be C. Tested in my lab. The IPSec app contains ike, ipsec-ha, ipsec-esp, and ipsec-udp, which covers everything in the question.

Should be C as it will include other sub APPs... IKE 500 for answer A is not right as NAT-T is enabled

adding my vote

adding my vote

FWIW, this was a PCNSE test question in Jan 2023.

I had done this before, and it works by just allowing the IKE application in the policy rule. I will vote for B

I believe it is B. because as mentioned above NAT-T is enabled so ,packets will be on port 4500 instead of 500 from the 5th and 6th messages of main mode. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClivCAC