Exam PCNSE
Question 85

A web server is hosted in the DMZ and is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule.

Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443?

    Correct Answer: A

    To allow cleartext web-browsing traffic on TCP port 443, the Security policy rules must first allow the HTTPS session to be identified and decrypted; the decrypted traffic is then identified as web-browsing. The first rule allows web-browsing traffic on its application-default service, which includes the standard secure port 443 once the traffic has been decrypted. The second rule permits ssl traffic on its application-default service, allowing the initial encrypted connection to be established. Therefore Rule #1 (application: web-browsing; service: application-default; action: allow) followed by Rule #2 (application: ssl; service: application-default; action: allow) is the most suitable configuration.
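The explanation above describes two policy lookups on the same session: the first packets are identified as ssl and match the second rule, then after Forward Proxy decryption App-ID shifts to web-browsing and a new lookup matches the first rule on its application-default secure port. The following Python is an added simulation of that behaviour written for this page; it is not PAN-OS code and not the author's material. The port tables, rule names and the "decrypt" step are constructed assumptions: the `current` table lists 80 and 443 for web-browsing as the discussion describes, and the `legacy` table lists only 80, which is what the commenters who argue against option A assume.

```python
"""Simplified model of top-down Security policy matching with an App-ID
shift after decryption (constructed illustration, not PAN-OS code)."""

from dataclasses import dataclass

# Constructed application-default port tables. "legacy" models web-browsing
# with only a standard port (80); "current" adds the secure port (443) that
# the web-browsing signature lists. Real content tables are far larger.
APP_DEFAULT_PORTS = {
    "legacy": {"web-browsing": {80}, "ssl": {443}},
    "current": {"web-browsing": {80, 443}, "ssl": {443}},
}

# Fixed service objects used by non-application-default rules.
SERVICE_PORTS = {"service-http": {80}, "service-https": {443}}


@dataclass
class Rule:
    name: str
    application: str
    service: str            # "application-default", "service-https", or "any"
    action: str = "allow"


@dataclass
class Session:
    dport: int
    application: str        # App-ID result so far


def service_matches(rule, session, port_table):
    """True if the session's destination port satisfies the rule's service."""
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        return session.dport in port_table.get(rule.application, set())
    return session.dport in SERVICE_PORTS.get(rule.service, set())


def first_match(rules, session, port_table):
    """Top-down, first-match evaluation (zones and addresses omitted)."""
    for rule in rules:
        if rule.application == session.application and service_matches(
            rule, session, port_table
        ):
            return rule
    return None                 # no match: implicit deny


def evaluate(rules, table_name):
    """Return (rule matched before decryption, rule matched after decryption)."""
    port_table = APP_DEFAULT_PORTS[table_name]
    session = Session(dport=443, application="ssl")   # handshake looks like SSL
    before = first_match(rules, session, port_table)
    if before is None or before.action != "allow":
        return (before, None)
    # Forward Proxy decryption exposes HTTP inside; App-ID shifts and a new
    # policy lookup happens against the same destination port.
    session.application = "web-browsing"
    after = first_match(rules, session, port_table)
    return (before, after)


# Option A as stated in the answer explanation.
OPTION_A = [
    Rule("Rule #1", "web-browsing", "application-default"),
    Rule("Rule #2", "ssl", "application-default"),
]


def option_a_outcome(table_name):
    """Names of the rules matched before and after decryption (None = denied)."""
    before, after = evaluate(OPTION_A, table_name)
    return (before.name if before else None, after.name if after else None)


if __name__ == "__main__":
    for table in ("legacy", "current"):
        print(table, option_a_outcome(table))
```

With the `current` table the session is allowed by Rule #2 and, after decryption, by Rule #1; with the `legacy` table the post-decryption lookup finds no rule for web-browsing on 443 and the session hits the implicit deny, which is exactly the disagreement in the discussion below.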

Discussion
YasserSaied (Option: D)

D -- Server hosts HTTP/HTTPS both on port 443. That means to access the HTTP on port 443, the web-browsing "Application" needs to be enabled on the "service-https" service.

Prutser2

In addition, rule 2 is to allow the incoming encrypted SSL traffic, and once decrypted, rule 1 will allow web-browsing on port 443, because that is what the server is listening on, so D.

trashboat (Option: A)

A is the correct answer. The TCP session will be built and hit the SSL decryption policy, which will decrypt the packets and forward them on HTTP via TCP/443 - this is behavior for PAN-OS 10.0+. That being said, I also think the first rule in A would suffice to allow the traffic.

confusion

A and C are exactly the same, there must be something wrong in these answers.

confusion

ignore that!

Elvenking

A is wrong. The first rule uses application-default, so there is no match there when the application is changed to "web-browsing" while app inspection is redone after decryption. It needs to be a service at port 443 explicitly.

datz

A is wrong: app-default on web-browsing won't allow 443.

Pretorian (Option: A)

If you go to Objects > Applications (Applipedia doesn't show this), search for "web-browsing", open that signature and locate the fields "standard port" and "secure port", you'll see port 80 and 443. This means that if you create a policy allowing web-browsing with application-default, this app will be allowed on both of those ports. Now you no longer need to create a policy allowing SSL on port 443 before your policy allowing web-browsing. This is now from the past. This is true for a handful of applications only at this point. Which means that this question might show an answer along those lines if it ever gets updated.

Frightened_Acrobat (Option: D)

I agree D. However, the way the question is worded and answers are very tricky. It's not the way you'd go about explaining this or executing the solution IRL. Shame on Palo Alto for trying to mislead us purposely on questions like this. I mean we only have an average of 1 min, 4sec per question. Rule 2 is unnecessary to allow cleartext, which is the stated goal of the question. No decryption is necessary for the firewall to identify cleartext web-browsing traffic. A bad question overall.

Bruno_Nascimento (Option: A)

The correct Answer is A. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default

DatITGuyTho1337

I agree, especially after reading the article!

spydog (Option: A)

Starting from PAN-OS 9.0, answer A is correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default A couple of applications are defined with "standard" and "secure" ports, which allow you to use the application web-browsing with application-default ports after decryption. The first rule from A will match the traffic after decryption. The second rule is needed to allow the initial connection to be established. Traffic will initially be allowed by the second rule, and after decryption the application will shift and a new lookup will match the first rule.

hz78 (Option: B)

B is correct. In option D, the first Security policy rule allows web-browsing traffic on the HTTPS service (service-https), which is not applicable in this scenario since the web server is configured to host its contents over HTTP(S) and is listening on TCP port 443 for incoming connections. If we allow the web-browsing application traffic using the HTTPS service, the firewall will forward the traffic to the web server without decrypting it, since it is HTTPS traffic. However, the web server is hosting its contents over HTTP(S), so the firewall needs to decrypt the traffic before forwarding it to the web server. Therefore, the correct service to be used in the first Security policy rule is service-http instead of service-https. This will allow the firewall to decrypt the traffic before forwarding it to the web server and also allow web-browsing traffic from the Trust zone to the DMZ zone. Hence, option B is the correct answer.

Chris71Mach1 (Option: D)

I didn't even get to rule 2 before I knew D was the right answer. It's the only one that lists the application as web-browsing and the service as HTTPS.

juan_L (Option: C)

C -- is the correct one. On the first packets the application will be identified as SSL; once the tunnel is established (after the TLS hello exchange between client and server, cipher chosen... dears, check the TLS negotiation wikis) the firewall starts to decrypt via forward proxy, and at that moment the app is identified as web-browsing. The TLS tunnel must be negotiated first, and this handshake will be identified as SSL.

Eluis007 (Option: D)

The A rule would allow the web traffic to pass over both 80 and 443; the D rule would allow it just over 443, so D.

Jared28 (Option: C)

As was mentioned below, for a bit now the app-id web-browsing shows a default secure port of TCP 443. So *when ssl is decrypted* and the decrypted traffic matches web-browsing, TCP 443 will be allowed with app-default.

DatITGuyTho1337 (Option: A)

Voting for answer A, due to this article "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default"

Micutzu (Option: D)

I think that all the options are valid to allow cleartext web-browsing traffic on tcp/443. The most precise rule is D.

Eiffelsturm (Option: D)

So D was correct before the default secure ports were introduced I think. You can see them in the GUI. According to this KB article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK with Decryption enabled those applications are identified correctly as e.g. web-browsing if it's active on 443 and the Security Policy with "application-default" will allow it. The question is if the Exam is this up to date :D

Pretorian (Option: A)

If you go to Objects > Applications (Applipedia doesn't show this), search for "web-browsing", open that signature and locate the fields "standard port" and "secure port", you'll see port 80 and 443. This means that if you create a policy allowing web-browsing with application-default, this app will be allowed on both of those ports. Now you no longer need to create a policy allowing SSL on port 443 before your policy allowing web-browsing. This is now from the past. This is true for a handful of applications only at this point. Which means that this question might show an answer along those lines if it ever gets updated.

secdaddy (Option: D)

Goal: cleartext (web-browsing/http) on tcp/443. Server hosts both http and https on 443. web-browsing on 443 must be checked before the SSL application on 443 drops the packet. http application-default = 80, so must use service-https for 443 (only D).

DatITGuyTho1337

The application-default ports for the web-browsing app are 80 and 443, so it means the firewall will consider both when processing. I don't think you need a separate rule to answer the question.

Skirka (Option: D)

Should be