Exam PCNSE
Question 19

A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny`.

Which action will this configuration cause on the matched traffic?

    Correct Answer: D

    The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to 'Deny'. This is because Security Profiles are evaluated only for rules that have an 'Allow' action. Therefore, when matched traffic is subject to a deny action, it is immediately blocked, and no further processing by Security Profiles occurs.
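To make the evaluation order concrete, the following is an added toy model of first-match security policy evaluation; it is not Palo Alto Networks code and does not reproduce PAN-OS internals. Rule and session fields, the profile name "vuln-strict", the scanner function, the default-rule name and the sample payloads are all constructed for the example. The point it demonstrates is the one in the explanation above: a profile attached to a rule with action Deny is never consulted, while the same profile on an Allow rule is.

```python
"""Toy model of firewall security policy evaluation order (added example,
not Palo Alto Networks code).  A session is matched against rules top to
bottom; the first match decides.  Security profiles attached to the rule are
consulted only when that rule's action is 'allow'."""
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str                 # "any" matches every application
    action: str              # "allow" or "deny"
    profiles: list = field(default_factory=list)   # profile names, e.g. ["vuln-strict"]


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    app: str
    payload: bytes


# Hypothetical vulnerability profile: flags a constructed signature string.
# Real profiles use signature sets; this stands in for that lookup.
VULN_SIGNATURE = b"CONSTRUCTED-EXPLOIT-PATTERN"


def vulnerability_scan(payload: bytes) -> str:
    """Return the profile verdict: 'clean' or a blocking action."""
    return "reset-both" if VULN_SIGNATURE in payload else "clean"


PROFILE_SCANNERS = {"vuln-strict": vulnerability_scan}


def evaluate(rules, session):
    """Return (verdict, matched_rule_name, profiles_consulted).

    verdict is 'deny' (rule action), 'allow', or 'threat-blocked' (a profile
    on an allow rule fired).  profiles_consulted records which profiles
    actually ran, which is the observable difference between a deny rule and
    an allow rule carrying the same profile."""
    for rule in rules:
        matched = (rule.src_zone == session.src_zone
                   and rule.dst_zone == session.dst_zone
                   and rule.app in ("any", session.app))
        if not matched:
            continue
        if rule.action == "deny":
            # Session is discarded here; attached profiles are never run.
            return ("deny", rule.name, [])
        consulted = []
        for name in rule.profiles:
            consulted.append(name)
            if PROFILE_SCANNERS[name](session.payload) != "clean":
                return ("threat-blocked", rule.name, consulted)
        return ("allow", rule.name, consulted)
    # No explicit match: assumed implicit interzone default, which denies.
    return ("deny", "interzone-default", [])


# Constructed rulebase: both rules carry the same vulnerability profile,
# but only the allow rule will ever exercise it.
RULES = [
    Rule("block-telnet", "trust", "untrust", "telnet", "deny", ["vuln-strict"]),
    Rule("allow-web", "trust", "untrust", "web-browsing", "allow", ["vuln-strict"]),
]

if __name__ == "__main__":
    for s in (Session("trust", "untrust", "telnet", VULN_SIGNATURE),
              Session("trust", "untrust", "web-browsing", b"GET / HTTP/1.1"),
              Session("trust", "untrust", "web-browsing", b"x" + VULN_SIGNATURE)):
        print(s.app, "->", evaluate(RULES, s))
```

Running the block shows the telnet session denied by "block-telnet" with an empty profiles-consulted list even though the payload carries the constructed signature, while the web-browsing sessions are the only ones for which "vuln-strict" runs. That matches the answer: a Deny action ends processing before any profile is scanned.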

Discussion
bbud55 (Option: D)

D is correct. https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html First note in the above link states: "Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy." The first thing the firewall checks per its flow is the security policy match and action. The Security Profile never gets checked if a match happens on a policy set to deny that match.

Bighize

Agreed. Failed the exam today. Only had about 8 questions from this dump. They are shifting focus to Panorama deployment, device groups and template stacks, User-ID and mapping, certificate questions and SSL decryption, and SD-WAN. There is some Prisma on there as well. You may not pass if you rely on this.

bigdaddy_69 (Option: D)

Allow = security profile processing.

Kane002 (Option: D)

D. Security policies are evaluated before security profiles in the SP3. The packet will be discarded and the security profile will never be consulted.

Marshpillowz (Option: D)

D is the correct answer.

avator (Option: A)

It is kind of burdening the firewall resource by allowing the traffic payload to be scanned once the traffic is denied to get a network service, so the answer should be A. Or the question itself is doubting whether the action "Deny" is for the security rule or for the security profile? If it is for the security profile it should be "Drop".

Chris71Mach1 (Option: D)

If a traffic flow matches a security policy whose action is set to Deny, it doesn't matter what security profiles are configured within the policy, because the traffic will be dropped regardless.

Kuronekosama (Option: D)

D is correct. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-policy/components-of-a-security-policy-rule "Provide additional protection from threats, vulnerabilities, and data leaks. Security profiles are evaluated only for rules that have an allow action."

Pakawat (Option: D)

D is correct: "Blocks traffic and enforces the default Deny Action defined for the application that is being denied." https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/security-policy/security-policy-actions

Meko (Option: D)

D - the traffic is already denied.

datz (Option: D)

D for sure. If the Sec policy is already denied, there is no point checking Sec profiles, etc.

tururu1496 (Option: D)

Answer: D

NNgiggs (Option: A)

A is the right answer. The Vulnerability profile can only be checked if the traffic is allowed. There is no reason for a firewall to check traffic for vulnerabilities when it has been denied and will be dropped. This traffic will not make it through the slow path of traffic flow in Palo Alto, and so no session will be created because the traffic is DENIED!!!

r0ze (Option: D)

Correct Answer: D

Ceejer

Thank god for the discussion. So many of these solutions are wrong.

SMahaldar (Option: D)

D is the correct answer.

Prutser2 (Option: D)

D. The security policy is set to deny, which is enough not to allow the packet. Considering the policy evaluation order, where security profiles get evaluated last, the sec profile is really not relevant, as the packet is already denied.