Which event will happen if an administrator uses an Application Override Policy?
Which event will happen if an administrator uses an Application Override Policy?
When an administrator uses an Application Override Policy on a Palo Alto Networks Next-Generation Firewall, the firewall stops App-ID processing at Layer 4. This means that the firewall no longer performs Layer-7 deep application inspection for the session, instead handling it only at the stateful inspection level (Layer 4). As a result, the traffic is treated based on its port and protocol characteristics, and not subjected to the more detailed application identification process.
Correct: B "If you define an application override, the firewall stops processing at Layer-4. The custom application name is assigned to the session to help identify it in the logs, and the traffic is not scanned for threats." (See the bottom of the page) https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-custom-or-unknown-applications
updated link https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/manage-custom-or-unknown-applications
Alternatively, if you would like the firewall to process the custom application using fast path (Layer-4 inspection instead of using App-ID for Layer-7 inspection), you can reference the custom application in an application override policy rule. An application override with a custom application will prevent the session from being processed by the App-ID engine, which is a Layer-7 inspection. Instead it forces the firewall to handle the session as a regular stateful inspection firewall at Layer-4, and thereby saves application processing time.
correct, so this question is all about the wording, with application override, there is no app ID inspection, only statefull. so answer B wording makes it wrong. a side effect of this is that threat inspection is not taking place , so it could be answer A also
B is correct
I do not agree that B is the correct answer, however is the only best choice. answer A: CTD processing time is not decreased, we can only do it or not answer B: APP-ID is layer 7 processing not layer 4 answer C: APP name is assigned by the Application override policy not security policy answer D: There is no APP-ID processing, so the time is not increased
I agree. B is correct mainly by elimination. because if the app-ID assigned to the traffic by an Application Override policy rule includes an application signature that has a Parent App based on a non-custom application, then Content-ID (layer 7) inspection of the payload content is possible.
B is the correct Answer, A can not be an option because A talks of reduction in APP ID processing time. there will be no APP ID processing all together so APP ID is out of the question When an override is configured.
Answer is C. App Override stops Layer 7 processing not layer 4.
because it uses the TCP port as override method, it stops at layer 4
Correct b. App-ID stops "at" layer 4.
Agree with Joe. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/manage-custom-or-unknown-applications Vote for C. B is incorrect!
B is the correct answer
B https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/application-override-policy
Correct: B Ref: https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/application-override-policy
B is correct
Tricky configured question. But it's B. NGFW is not processing at Layer 7 if Application Override Policy is in use for this app. Only Layer 4 processing.
So technically A is also true, but *only for traffic that does not have a pre-defined application.*
B is the correct answer as application override will stop processing traffic identified as a custom application at/after layer 4, however note the Special Note in the following documentation: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVLCA0 "The exception to this is when you override to a pre-defined application that supports threat inspection."
B - correct