PCNSE · Question #386
PCNSE Question #386: Real Exam Question with Answer & Explanation
The correct answer is C: Add only the Evernote application to the Security policy rule.. Palo Alto's App-ID includes dependency awareness. When you create a security rule for a higher-level application like Evernote, PAN-OS automatically knows that Evernote depends on SSL and web-browsing as underlying protocols. You only need to add Evernote to the Security policy r
Question
An administrator is required to create an application-based Security policy rule to allow Evernote. The Evernote application implicitly uses SSL and web browsing. What is the minimum the administrator needs to configure in the Security rule to allow only Evernote?
Options
- AAdd the Evernote application to the Security policy rule, then add a second Security policy rule
- BAdd the HTTP, SSL, and Evernote applications to the same Security policy
- CAdd only the Evernote application to the Security policy rule.
- DCreate an Application Override using TCP ports 443 and 80.
Explanation
Palo Alto's App-ID includes dependency awareness. When you create a security rule for a higher-level application like Evernote, PAN-OS automatically knows that Evernote depends on SSL and web-browsing as underlying protocols. You only need to add Evernote to the Security policy rule - the firewall will implicitly allow the dependent applications needed for it to function. Adding SSL and web-browsing explicitly (B) would over-permit traffic beyond just Evernote. Creating an Application Override (D) would bypass App-ID entirely, defeating the purpose of application-based policy. A second rule (A) is unnecessary.
Topics
Community Discussion
No community discussion yet for this question.