Exam PCNSA
Question 3

A security administrator has configured App-ID updates to be automatically downloaded and installed. The company is currently using an application identified by App-ID as SuperApp_base.

On a content update notice, Palo Alto Networks is adding new app signatures labeled SuperApp_chat and SuperApp_download, which will be deployed in 30 days.

Based on the information, how is the SuperApp traffic affected after the 30 days have passed?

    Correct Answer: A

    After the new app signatures are deployed, the traffic matching the SuperApp_chat and SuperApp_download will be denied because it will no longer match the SuperApp_base application. Security policies need to be explicitly defined to allow the new App-IDs. Without updates to these policies, the traffic corresponding to the new signatures will be blocked by default, as they are not covered under the existing rules that only recognize SuperApp_base.
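The rule-matching behaviour behind this answer can be traced with a small model. This is an added example, not Palo Alto Networks code or part of the original page: `identify`, `evaluate`, `simulate` and the rule name `allow-superapp` are hypothetical, the traffic is assumed to cross zones (so unmatched sessions hit the default deny), and the parent container `SuperApp` raised in the discussion is modelled as an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    applications: frozenset  # App-ID or container names
    action: str              # "allow" or "deny"

def identify(function, installed):
    """Pick the most specific installed signature for a SuperApp function."""
    specific = f"SuperApp_{function}"
    return specific if specific in installed else "SuperApp_base"

def evaluate(rules, app_id, containers):
    """First-match evaluation; unmatched traffic hits the default deny."""
    for rule in rules:
        members = set()
        for name in rule.applications:
            members |= containers.get(name, {name})  # expand containers
        if app_id in members:
            return rule.name, rule.action
    return "interzone-default", "deny"

def simulate(rule_apps, installed):
    """Verdict per SuperApp function for a single allow rule."""
    # Assumption: the container always holds every installed SuperApp_* App-ID.
    containers = {"SuperApp": {s for s in installed if s.startswith("SuperApp_")}}
    rules = [Rule("allow-superapp", frozenset(rule_apps), "allow")]
    return {f: evaluate(rules, identify(f, installed), containers)[1]
            for f in ("base", "chat", "download")}

# Constructed signature sets: before and after the content update is installed.
BEFORE = {"SuperApp_base"}
AFTER = BEFORE | {"SuperApp_chat", "SuperApp_download"}

if __name__ == "__main__":
    for label, apps in (("rule on SuperApp_base", {"SuperApp_base"}),
                        ("rule on container SuperApp", {"SuperApp"})):
        print(label, "before:", simulate(apps, BEFORE))
        print(label, "after: ", simulate(apps, AFTER))
```

Running the same check against the App-IDs listed in a content release notice, before the install date, shows which existing rules need the new App-IDs added.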

Discussion
rebet Option: A

The correct answer is: A. All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application

rach91 Option: D

I agree with you @Rebet. To allow the new applications, we need to modify or add a new policy. https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

error_909 Option: A

All traffic matching the SuperApp_chat, and SuperApp_download is denied because it no longer matches the SuperApp-base application

kewokil120 Option: A

The correct answer is: A

error_909 Option: A

A is the only one that makes sense.

Gaven Option: A

A. You need to modify the policy to include the new application. I have seen in the past these updates denying traffic due to this. I would also refer to @Rebet.

DatBroNZ Option: C

It all depends on how the security policy is configured. If it is using the parent SuperApp, then anything new added under that category will be automatically allowed, so no impact, answer C. But if the security policy is locked to the SuperApp-base, then the traffic to the new apps would be blocked, option A.

Rowdy_47

Ridiculous, can't find a clear answer on this!!! Cisco all over again.

Rowdy_47

Edit/update: Spoke to one of my colleagues who has been working with PAs for 2 years. He has never once had to redefine apps and change policies; seems to be in line with the way Palo Alto does things, so I am going to choose C. PS - he said he also got that question in his exam and chose C.

Rowdy_47

Update: This is wrong, the correct answer is A.

Micutzu Option: C

The correct answer is "C. No impact because the firewall automatically adds the rules to the App-ID interface". The question is referring to SuperApp, and SuperApp is the upper level for SuperApp_base, SuperApp_chat and SuperApp_download. As an example we have the top level FACEBOOK and subcategories: FACEBOOK_BASE, FACEBOOK_CHAT, FACEBOOK_DOWNLOAD, ...

Kane002 Option: A

A is correct. For example, Facebook-chat is a dependency on Facebook-base, and must be specifically allowed through a dependency commit, explicit security policy, etc. It would not be implicitly allowed, things that are implicitly allowed would be ssl and web-browsing, as facebook-base could not function without those.

Cyril_the_Squirl Option: A

A is correct. When new App-IDs are downloaded and added to the device, the security policy must exist to explicitly allow them. But because they're "new" they will get dropped until you modify/add a security policy to explicitly allow them; otherwise they're dropped by the InterZone policy, which drops the traffic by default.

ramasamymuthiah Option: A

Correct answer is A

cjace Option: A

A. All traffic matching the SuperApp_chat and SuperApp_download is denied because it no longer matches the SuperApp_base application. This is because the new signatures will start being identified separately, and if there are no pre-configured policies to allow them, this traffic could be blocked by default.

rtberry72 Option: A

Correct Answer is A:

App-ID Updates and Impact

Firewall administrators must be careful before they install any App-ID updates because some applications might have changed since the last App-ID update (content update). For example, an application that previously was categorized under web-browsing now might be categorized under its own unique App-ID. Categorization of applications into more specific applications enables more granularity and control of applications within Security policy rules. Because the new App-ID no longer will be categorized as web-browsing, no Security policy rule now will contain this new App-ID. Consequently, the new App-ID will be blocked.

j4v13rh4ack Option: A

Letter A.

daytonadave2011 Option: A

I believe the answer is A because if the new App-IDs are being blocked, it will show in the policy optimizer that those App-IDs are being blocked and must be added again for functionality.

debabani Option: A

A is the correct answer