If users from the Trusted zone need to allow traffic to an SFTP server in the DMZ zone, how should a Security policy with App-ID be configured?
To allow traffic from the Trusted zone to an SFTP server in the DMZ zone using a Security policy with App-ID, you should configure the policy with the source zone as Trusted and the destination zone as DMZ. The service should be set to Application-Default, and the application should be specified as SSH, as SFTP operates over SSH. The action should be Allow to permit the traffic. This setup ensures that only the standard ports used by the SSH application are allowed, providing a more secure and accurate match for the intended traffic.
B is correct: "Select SSH as the application and set the service to application-default." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHtCAK
B - This configuration allows the firewall to identify the SFTP traffic (which uses the SSH protocol) and permit it from the Trusted zone to the DMZ zone. The 'Application-Default' service setting ensures that only the standard ports for the specified application (SSH in this case) are allowed.