PCNSE Exam Questions

PCNSE Exam - Question 85


A web server is hosted in the DMZ and is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

Correct Answer: A

To allow cleartext web-browsing traffic on TCP port 443, the Security policy rules must first allow the identification and decryption of the HTTPS traffic, which is then identified as web-browsing. The first rule allows web-browsing on its application-default service, which covers the secure port 443 after decryption. The second rule permits SSL traffic on its application-default service, allowing the initial encrypted connection to be established. Therefore, Rule #1: application: web-browsing; service: application-default; action: allow and Rule #2: application: ssl; service: application-default; action: allow is the most suitable configuration.
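The lookup sequence the explanation above describes, as an added example that is not part of the original page and is not PAN-OS code: a small Python model of top-down first-match rule evaluation with the App-ID shift from ssl to web-browsing after Forward Proxy decryption. The port tables are assumptions drawn from the App-ID details cited in the comments (web-browsing: tcp/80 standard port and tcp/443 secure port, ssl: tcp/443, plus the predefined service-http and service-https objects); a second table models the pre-9.0 behaviour the thread describes, where application-default for web-browsing meant tcp/80 only. Option A's rules come from the answer explanation, while C and D are reconstructed from the comments; option B is not spelled out anywhere on the page, so it is not modelled.

```python
# Toy model (added example, not PAN-OS code) of how a PAN-OS Security rulebase is
# evaluated for a session that a Forward Proxy decryption rule opens up. Two things
# decide the outcome: first-match rule order, and the App-ID "shift" from ssl to
# web-browsing once the firewall can inspect the decrypted payload.
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

Port = Tuple[str, int]

# application-default port sets (assumption, modelled from the App-ID details the
# comments cite: web-browsing standard port tcp/80, secure port tcp/443; ssl tcp/443).
APP_DEFAULT_PORTS: Dict[str, Set[Port]] = {
    "web-browsing": {("tcp", 80), ("tcp", 443)},
    "ssl": {("tcp", 443)},
}
# Pre-9.0 behaviour as the thread describes it: web-browsing's application-default
# covered tcp/80 only (assumption, used to reproduce the disagreement below).
LEGACY_APP_DEFAULT_PORTS: Dict[str, Set[Port]] = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
}
# Predefined service objects: service-http is tcp/80 and tcp/8080, service-https tcp/443.
SERVICE_OBJECTS: Dict[str, Set[Port]] = {
    "service-http": {("tcp", 80), ("tcp", 8080)},
    "service-https": {("tcp", 443)},
}


@dataclass(frozen=True)
class Rule:
    name: str
    application: str
    service: str  # "application-default" or a service object name
    action: str = "allow"


def service_matches(rule: Rule, app: str, port: Port,
                    app_default: Dict[str, Set[Port]]) -> bool:
    """application-default resolves to the port set of the application being
    matched; a named service object is a fixed protocol/port set."""
    if rule.service == "application-default":
        return port in app_default.get(app, set())
    return port in SERVICE_OBJECTS[rule.service]


def first_match(rules: List[Rule], app: str, port: Port,
                app_default: Dict[str, Set[Port]] = APP_DEFAULT_PORTS) -> Optional[Rule]:
    """Top-down first match over the rulebase; None models the implicit deny."""
    for rule in rules:
        if rule.application == app and service_matches(rule, app, port, app_default):
            return rule
    return None


def session_lookups(rules: List[Rule], port: Port, app_stages: List[str],
                    app_default: Dict[str, Set[Port]] = APP_DEFAULT_PORTS) -> List[Optional[str]]:
    """Re-run the policy lookup each time App-ID changes during the session and
    return the matched rule name per stage (None = the session is dropped there).
    Simplification: the handshake is treated as already identified as ssl and
    cleartext HTTP as already identified as web-browsing."""
    verdicts: List[Optional[str]] = []
    for app in app_stages:
        rule = first_match(rules, app, port, app_default)
        if rule is None or rule.action != "allow":
            verdicts.append(None)
            break
        verdicts.append(rule.name)
    return verdicts


# Rule sets: A from the answer explanation, C and D as described in the comments.
OPTION_A = [Rule("rule1", "web-browsing", "application-default"),
            Rule("rule2", "ssl", "application-default")]
OPTION_C = [Rule("rule1", "ssl", "application-default"),
            Rule("rule2", "web-browsing", "application-default")]
OPTION_D = [Rule("rule1", "web-browsing", "service-https"),
            Rule("rule2", "ssl", "application-default")]

HTTPS_DECRYPTED = ["ssl", "web-browsing"]  # App-ID shift after Forward Proxy decryption
CLEARTEXT_HTTP = ["web-browsing"]          # plain HTTP served on tcp/443

if __name__ == "__main__":
    for label, rules in (("A", OPTION_A), ("C", OPTION_C), ("D", OPTION_D)):
        print(label, "decrypted HTTPS:", session_lookups(rules, ("tcp", 443), HTTPS_DECRYPTED))
        print(label, "cleartext on 443:", session_lookups(rules, ("tcp", 443), CLEARTEXT_HTTP))
        print(label, "cleartext on 443, pre-9.0 ports:",
              session_lookups(rules, ("tcp", 443), CLEARTEXT_HTTP, LEGACY_APP_DEFAULT_PORTS))
```

Running the script prints one verdict list per option. With the secure port present, all three rule sets admit both the ssl stage and the web-browsing stage, and swapping the two rules changes only which name appears first, because the rules match different applications. With the legacy table, web-browsing on tcp/443 matches no application-default rule, so only D's explicit service-https rule admits the cleartext stage, which is exactly the split between the comments arguing for A and those arguing for D.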

Discussion

30 comments
YasserSaied
Jun 15, 2021

D -- Server hosts HTTP/HTTPS both on port 443 .. that means to access the HTTP on port 443, the web-browsing "Application" needs to be enabled on the "service-https" service

Prutser2
Jun 30, 2021

in addition, rule 2 is to allow the incoming encrypted SSL traffic, and once decrypted, rule 1 will allow web-browsing on port 443, because that is what the server is listening on, so D

trashboat
Apr 30, 2021

A is the correct answer. The TCP session will be built and hit the SSL decryption policy, which will decrypt the packets and forward them on HTTP via TCP/443 - this is behavior for PAN-OS 10.0+. That being said, I also think the first rule in A would suffice to allow the traffic.

confusion
Apr 8, 2022

A and C are exactly the same, there must be something wrong in these answers.

confusion
Nov 1, 2022

ignore that!

Elvenking
Apr 10, 2022

A is wrong. The first rule uses application-default, so there is no match there when the application is changed to "web-browsing" while app inspection is redone after decryption. It needs to be a service at port 443 explicitly.

datz
May 29, 2022

A is wrong: app-default on web-browsing won't allow 443

confusion
Nov 1, 2022

ignore that!

Pretorian
Aug 6, 2022

If you go to objects > applications (applipedia doesn't show this) and search for "web-browsing" open that signature and locate the field "standard port" and "secure port" you'll see port 80 and 443. This means that if you create a policy allowing web-browsing with application default, this app will be allowed on both of those ports. Now you no longer need to create a policy allowing SSL on port 443 before your policy allowing web-browsing. This is now from the past. This is true for a handful of applications only at this point. Which means that this question might show an answer along those lines if it ever gets updated.

Frightened_Acrobat
Mar 3, 2023

I agree D. However, the way the question is worded and answers are very tricky. It's not the way you'd go about explaining this or executing the solution IRL. Shame on Palo Alto for trying to mislead us purposely on questions like this. I mean we only have an average of 1 min, 4sec per question. Rule 2 is unnecessary to allow cleartext, which is the stated goal of the question. No decryption is necessary for the firewall to identify cleartext web-browsing traffic. A bad question overall.

shetoshandasa
Mar 17, 2021

Wrong answer. Answer should be "D" https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEyCAK

vj77
Apr 28, 2021

this article was published in 2018, so it is not relevant to the latest OS

GivemeMoney
Jan 17, 2022

link is walled behind a login portal.

achille5
Mar 21, 2021

D because of the question requirement, enforce 443 in web-browsing app

frodo1791
Apr 18, 2021

Nope, it says "the server hosts its content over HTTP(S)" and not over HTTPS. That means, the server is using HTTP and HTTPS.

bbud55
Mar 29, 2021

If I'm reading this correctly, the question isn't completely valid after 9.0. A policy configured with web-browsing and application default will allow decryption to happen and use both standard and secure ports 80/443. "...behavior when selecting the Application as web-browsing and the Service to application-default. Web-browsing will be allowed over both its standard and secure port. The security policy will allow web-browsing over both port 80 and 443." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmdLCAS It looks like the first policy in "A" would cover any traffic using web-browsing/app default after 9.0.

Trung2735
Aug 16, 2021

Since A & C give a similar result, D is probably the correct one, and this question referred to before 9.0

jaruch8412 (Option: D)
Jan 26, 2022

D is correct, as the port is 443.

datz (Option: D)
May 29, 2022

D for sure: traffic comes in as SSL - app-default (encrypted). After decryption traffic comes in as web-browsing on port 443, so service-https needs to be allowed. Easy question - Answer D

sov4
Jul 29, 2023

This is the way

spydog (Option: A)
Oct 2, 2022

Starting from PanOS 9.0 answer A is correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default A couple of applications are defined with "standard" and "secure" ports, which allow you to use the application web-browsing with application-default ports after decryption. The first rule from A will match the traffic after decryption. The second rule is needed to allow the initial connection to be established. Traffic will initially be allowed by the second rule and after decryption the application will shift and a new lookup will match the first rule

Bruno_Nascimento
Jan 17, 2023

The correct Answer is A. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default

DatITGuyTho1337
Dec 19, 2023

I agree, especially after reading the article!

hz78
May 2, 2023

B is correct. In option D, the first Security policy rule allows web-browsing traffic on the HTTPS service (service-https), which is not applicable in this scenario since the web server is configured to host its contents over HTTP(S) and is listening on TCP port 443 for incoming connections. If we allow the web-browsing application traffic using the HTTPS service, the firewall will forward the traffic to the web server without decrypting it, since it is HTTPS traffic. However, the web server is hosting its contents over HTTP(S), so the firewall needs to decrypt the traffic before forwarding it to the web server. Therefore, the correct service to be used in the first Security policy rule is service-http instead of service-https. This will allow the firewall to decrypt the traffic before forwarding it to the web server and also allow web-browsing traffic from the Trust zone to the DMZ zone. Hence, option B is the correct answer.

DatITGuyTho1337
Dec 19, 2023

Voting for answer A, due to this article "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default"

Jared28 (Option: C)
Mar 2, 2024

As was mentioned below, for a bit now the app-id web-browsing shows a default secure port of TCP 443. So *when ssl is decrypted* and the decrypted traffic matches web-browsing, TCP 443 will be allowed with app-default.

Oswaldo_CCSM (Option: C)
Dec 28, 2024

The order is important because SSL decryption must happen before web-browsing (HTTP) traffic is allowed to reach the web server in cleartext. Therefore, the first rule allows the SSL traffic to be decrypted, and the second rule allows the decrypted web-browsing traffic to pass to the server.

FS68
Oct 7, 2021

D is the only one with both rules on tcp/443

UFanat (Option: D)
Jun 9, 2022

port 443 requires service-https to be allowed for web browsing not application default (which means service-http and port 80)

secdaddy
Jul 31, 2022

goal: cleartext (web-browsing/http) on tcp/443
server hosts both http and https on 443
web-browsing on 443 must be checked before the SSL application on 443 drops the packet
http application-default = 80, so must use service-https for 443 (only D)

DatITGuyTho1337
Dec 19, 2023

application-default ports for the web-browsing app are 80 and 443, so it means the firewall will consider both when processing. I don't think you need a separate rule to answer the question.

juan_L
Aug 15, 2022

C -- is the correct one. On the first packets the application will be identified as SSL; once the tunnel is established (after the TLS hello exchange between client and server, cipher chosen.... dears check TLS negotiation wikis) the firewall starts to decrypt via forward proxy, and at that moment the app is identified as web-browsing. The TLS tunnel must be negotiated first and this handshake will be identified as SSL.

Chris71Mach1 (Option: D)
Jan 10, 2023

I didn't even get to rule 2 before I knew D was the right answer. It's the only one that lists the application as web-browsing and the service as HTTPS.

GivemeMoney
Jan 17, 2022

A and C are flip-flopped, can't be them. B rule #1 service: service-http; the question asks for https. D rule #1 service: service-https; it's https so it's correct.

confusion
Apr 8, 2022

"The web server hosts its contents over HTTP(S)", so IMO question asks for HTTP+HTTPS

Jared28 (Option: A)
Mar 23, 2022

Answer A: App-ID for web-browsing shows secure port tcp/443 as part of the app (making it an app-default). I tested this in a lab as well to verify.

Makaveli1
Apr 7, 2022

the question is: "Which combination of service and application, AND ORDER OF SECURITY POLICY RULES, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?" If we have to consider also the order I would mark C as the correct answer. 1st the traffic will be identified as SSL on port 443, then the content inspection will kick in and will further identify the traffic as web-browsing.

Skirka (Option: D)
Jul 26, 2022

Should be

Eiffelsturm
Jul 4, 2023

So D was correct before the default secure ports were introduced I think. You can see them in the GUI. According to this KB article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK with Decryption enabled those applications are identified correctly as e.g. web-browsing if it's active on 443 and the Security Policy with "application-default" will allow it. The question is if the Exam is this up to date :D

Micutzu (Option: D)
Oct 13, 2023

I think that all the options are valid to allow cleartext web-browsing traffic on tcp/443. The most precise rule is D.

Eluis007
Apr 5, 2024

A's rule would allow the web traffic to pass over both 80 and 443; D's rule would allow it just over 443, so D

Moadil_001 (Option: C)
Sep 7, 2024

Rule #1: application: ssl; service: application-default; action: allow
Reason: The first rule allows the initial SSL handshake to occur, which is necessary for the firewall to decrypt the traffic. Once the traffic is decrypted, it can be identified as web-browsing.
Rule #2: application: web-browsing; service: application-default; action: allow
Reason: After the SSL traffic is decrypted, it is identified as web-browsing traffic. The second rule is needed to allow this now-decrypted web-browsing traffic through on TCP port 443.

NazmulHossain (Option: C)
Apr 20, 2025

Application: web-browsing; standard port: 80, secure port: 443. Application: ssl; port: 443. I am going for C. But why not *A and *B!! Does the order of rules really matter here? The firewall will go through all the rules both before and after the decryption. The only thing that matters is that the FW requires both rules. ** D will not work, as the rule is not allowing web-browsing with port 80 at all, which is required after decryption for plain text web traffic. As forward proxy decryption is configured, the SSL rule is not required at all. Only one rule allowing web-browsing with app-default will work, as web-browsing with service app-default has both port 80 and 443. HTTPS traffic will not be detected as web-browsing. It will be detected as SSL before decryption. After decryption the application will be detected as web-browsing. So, before decryption port 443 needs to be allowed and after decryption web-browsing port 80 needs to be allowed.