A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption.
Which order of steps is best to complete this migration?
To successfully migrate a legacy firewall to a Palo Alto Networks firewall while utilizing advanced features like App-ID and SSL decryption, the most logical order of operations involves first migrating port-based rules to App-ID rules. This ensures that the firewall can correctly identify and control applications, which is crucial for the accurate setup and functioning of security policies. After this, implementing SSL decryption can be done effectively, as the App-ID rules will provide a robust foundation to handle encrypted traffic. This sequence helps in avoiding misconfigurations and ensures smoother deployment of decryption policies.
Why not C? Don't we need visibility (via decryption) before App-ID can function?
Definitely D. The link provided by some, pay close attention to this specific line (and the non-standard port part): "...Security policy rules are likely to use application default ports to prevent traffic from using non-standard ports." Granted you could account for non-default ports just fine beforehand too but test is on PAN BPs so D
Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. https://docs.paloaltonetworks.com/best-practices/9-1/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment
D is correct. Migrate from port-based to application-based Security policy rules before you create and deploy Decryption policy rules. If you create Decryption rules based on port-based Security policy and then migrate to application-based Security policy, the change could cause the Decryption rules to block traffic that you intend to allow because Security policy rules are likely to use application default ports to prevent traffic from using non-standard ports. Migrating to App-ID based rules before deploying decryption ensures that when you test your decryption deployment, you'll discover Security policy misconfigurations and fix them before rolling decryption out to the general user population.
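The failure mode this answer describes, modelled as an added example that is not from the thread or from Palo Alto Networks: a minimal first-match rulebase evaluator shows a legacy port-based rule allowing a web flow on a non-standard port, while the migrated App-ID rule with `application-default` service drops the same flow, plus an audit helper that lists the port-based rules still to migrate. Rule fields, the App-ID default-port table and the sample rulebases are constructed and simplified (no zones, addresses or users).

```python
from dataclasses import dataclass

# Constructed lookup of default ports for a few App-IDs; the real firewall
# resolves "application-default" against its full application database.
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}

@dataclass(frozen=True)
class Rule:
    name: str
    application: str   # "any" or an App-ID name
    service: object    # "any", "application-default", or a frozenset of ports
    action: str        # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    app: str   # App-ID the firewall identified (visible only after decryption for TLS)
    port: int  # destination port

def rule_matches(rule, flow):
    """Simplified match on application and service only."""
    if rule.application not in ("any", flow.app):
        return False
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return flow.port in APP_DEFAULT_PORTS.get(flow.app, set())
    return flow.port in rule.service

def evaluate(rulebase, flow):
    """First-match evaluation with an implicit final deny, as in a security rulebase."""
    for rule in rulebase:
        if rule_matches(rule, flow):
            return rule.name, rule.action
    return "interzone-default", "deny"

def port_based_rules(rulebase):
    """Audit helper: rules keyed on ports only (application 'any'), i.e. the
    candidates to migrate to App-ID before Decryption rules are built on them."""
    return [r.name for r in rulebase if r.application == "any"]

# Constructed rulebases: before migration (port-based) and after (App-ID).
LEGACY = [Rule("allow-web-8080", "any", frozenset({80, 8080}), "allow")]
MIGRATED = [Rule("allow-web", "web-browsing", "application-default", "allow")]

if __name__ == "__main__":
    flow = Flow("web-browsing", 8080)   # web traffic on a non-standard port
    print(evaluate(LEGACY, flow))       # ('allow-web-8080', 'allow')
    print(evaluate(MIGRATED, flow))     # ('interzone-default', 'deny')
    print(port_based_rules(LEGACY))     # ['allow-web-8080']
```

A Decryption rule written while `allow-web-8080` was in force would keep decrypting port 8080, but after migration the security policy no longer allows that flow, which is exactly the surprise the best-practice ordering avoids.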
Can you post the link where you got your information?
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment "Migrating to App-ID based rules before deploying decryption ensures that when you test your decryption deployment"
D move to App-ID before you implement Decryption
https://docs.paloaltonetworks.com/best-practices/10-2/decryption-best-practices/decryption-best-practices/plan-ssl-decryption-best-practice-deployment