Exam PSE Strata
Question 24

A customer with a legacy firewall architecture is focused on port and protocol level security, and has heard that next generation firewalls open all ports by default.

What is the appropriate rebuttal that positions the value of a NGFW over a legacy firewall?

Correct Answer: B

The most accurate response to address the customer's misconception about next generation firewalls like those from Palo Alto Networks is that default policies block all interzone traffic. This ensures that traffic control is implemented unless explicitly allowed by policy. Moreover, Palo Alto Networks allows you to control applications based on default ports or a configurable list of approved ports on a per-policy basis. This highlights the flexibility and control provided by NGFWs over legacy systems, without leaving all ports open by default.
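To make the rebuttal concrete, here is an added toy model (not PAN-OS code, and not from the exam site) of the behaviour the explanation describes: nothing crosses zones unless a rule allows it, a rule using the application-default service admits an application only on its standard ports, and an explicit service object widens that to a configured port list. Zone names, rule names and the app-to-port table are constructed for the example.

```python
from dataclasses import dataclass

# Constructed app -> standard port table; only the entries this example needs.
APP_DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)}}


@dataclass
class Rule:
    name: str
    from_zone: str
    to_zone: str
    apps: set
    action: str
    # Either the literal "application-default" or an explicit set of (proto, port).
    service: object = "application-default"


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    app: str      # application as identified by App-ID (assumed already known)
    proto: str
    port: int


def service_matches(rule, flow):
    """application-default accepts only the app's standard ports; an explicit
    service object accepts exactly the configured (proto, port) list."""
    if rule.service == "application-default":
        return (flow.proto, flow.port) in APP_DEFAULT_PORTS.get(flow.app, set())
    return (flow.proto, flow.port) in rule.service


def evaluate(rules, flow):
    """Simplified first-match lookup. With no explicit match the implicit
    defaults apply: intrazone-default allows, interzone-default denies."""
    for r in rules:
        if (r.from_zone, r.to_zone) == (flow.from_zone, flow.to_zone) \
                and flow.app in r.apps and service_matches(r, flow):
            return r.name, r.action
    if flow.from_zone == flow.to_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed rulebase: standard web on its default ports, plus one rule that
# deliberately permits web-browsing on a non-standard port via a service object.
RULES = [
    Rule("allow-web", "trust", "untrust", {"web-browsing", "ssl"}, "allow"),
    Rule("allow-web-8080", "trust", "untrust", {"web-browsing"}, "allow",
         service={("tcp", 8080)}),
]
```

Running `evaluate(RULES, Flow("trust", "untrust", "web-browsing", "tcp", 8081))` lands on interzone-default and is denied, which is the point the customer has misunderstood.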

Discussion
AOtwoma (Option: B)

Practically, B is correct

mushi4ka (Option: B)

B is better

fatehz (Option: B)

B is true; C is wrong because it says that it opens the app ports only, and that's wrong: I can run an application on another, non-default port and it will work.

madinaes (Option: B)

B is correct as a best practice also.

madinaes

But the question is about ports, that PA keeps all ports open by default, so C is correct as an answer to this specific question.

scanossa

But interzone ports are closed by default, so not all ports are open.

LostatSea (Option: B)

B and not C: as for "only opening ports after understanding the application request", the Palo Altos can function as a layer 3 firewall based solely on port, with no need to understand the application, e.g. unknown-tcp.

yet_another_user (Option: B)

Read the answers a few times; B and C are valid, can't distinguish them. Every firewall blocks interzone traffic, that is not specific to PA.