Exam PCNSE topic 1 question 78 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 78
Topic #: 1

When is the content inspection performed in the packet flow process?

  • A. after the application has been identified
  • B. before session lookup
  • C. before the packet forwarding process
  • D. after the SSL Proxy re-encrypts the packet
Suggested Answer: A 🗳️
Reference:
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081

Comments

shamhala1228
Highly Voted 3 years, 8 months ago
I'm thinking C. Here's my train of thought, let me know what you think. B and D are certainly not right. A and C could be both technically true, but which is more accurate? A indicates that "after app has been identified", so we can interpret that in the Flow Diagram as the step in App-ID which says "Pattern based application identification". However, considering the Packet Flow Sequence, after the app is identified, there are still several steps that don't lead directly to Content ID. First it checks for policy matches that will allow it (so it might still get dropped). Then it will check if there are any Security Profiles (ContentID) that will be applicable. QoS and SSL Decryption also might occur at this point. My point is there's a whole bunch of stuff still going on between the "app being identified" and content inspection. My conclusion is that whenever content inspection is performed it's always before packet forwarding. And it is not always the case that it happens immediately after the app has been identified.
upvoted 19 times
trashboat
2 years, 11 months ago
Content inspection isn't always done (e.g. Application Override), but if it is then it either returns 'detection' and security policy is referenced again or 'no detection' and then traffic is re-encrypted (if SSL decrypted), and THEN the packet is forwarded. So since C isn't always true, I feel like A is the correct answer. I can definitely see how a similar argument can be made for C though, so I agree that both are almost equally correct.
upvoted 3 times
...
ochc
3 years, 5 months ago
Agree. Besides, if the app is not identified, when it arrives at content inspection it just will not be inspected. So since apps are NOT always identified, A can't be. However, both App ID and Content ID ALWAYS happen before the packet forwarding process.
upvoted 2 times
...
...
Acidscars
Highly Voted 3 years, 2 months ago
I feel like this question could be simply asked as "When do you learn to read?" A: After you are done being a toddler C: Sometime before you die of old age Technically both are correct. Seriously Palo? Are we supposed to play the choose the more correct answer game? C feels like the broader safer answer. If the Application is Incomplete or Insufficient Data and can't be identified, that doesn't stop Palo from attempting content inspection so it would make A questionable.
upvoted 17 times
...
aurang
Most Recent 1 month, 3 weeks ago
A. after the application has been identified Content inspection is typically performed after the application has been identified in the packet flow process of many firewall systems, including Palo Alto Networks firewalls. This allows for the content of the packets to be inspected for threats and policy violations based on the identified application.
upvoted 1 times
...
franko_72
2 months, 3 weeks ago
My two cents. It's C. Scroll down to section 6, Content Inspection, happens right before Forwarding/Egress. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
upvoted 1 times
...
ms997
3 months, 3 weeks ago
Answer: A
upvoted 1 times
...
gc999
5 months ago
Selected Answer: A
Can find the answer here, which is the same as Question 65. https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
upvoted 2 times
...
Micutzu
6 months, 1 week ago
Selected Answer: A
The content inspection is performed ONLY if the application is identified. If it's an unknown app then the content inspection doesn't happen but the packet is forwarded, if the security policy allows.
upvoted 3 times
...
Betty2022
8 months, 3 weeks ago
Selected Answer: A
Agree A: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 SECTION 5: APPLICATION IDENTIFICATION (APP - ID) SECTION 6: CONTENT INSPECTION SECTION 7: FORWARDING/EGRESS
upvoted 4 times
...
Frightened_Acrobat
9 months ago
Selected Answer: C
I'm going to have to go with option C here. A and D both are technically correct. However, A and D are both not necessary steps in the process. C is a necessary step. This is one of those "which is the better answer" scenarios.
upvoted 1 times
...
ChiaPet75
9 months, 3 weeks ago
Outside of this flow diagram I couldn't find anything concrete in any docs. Based on the flow diagram you can see there is a question "Session App Identified?", if the answer is "No" then it is sent to the App-ID process before being sent back to the FW Fastpath process. If Content Inspection is applicable then the packet is sent onward to that process. https://live.paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309
upvoted 1 times
...
Techn
10 months, 1 week ago
A is correct. "The firewall first performs an application-override policy lookup to see if there is a rule match. If there is, the application is known and content inspection is skipped for this session. If there is no application-override rule, then application signatures are used to identify the application. The firewall uses protocol decoding in the content inspection stage to determine if an application changes from one application to another."
upvoted 2 times
Betty2022
8 months, 3 weeks ago
Agree A: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0 SECTION 5: APPLICATION IDENTIFICATION (APP - ID) SECTION 6: CONTENT INSPECTION SECTION 7: FORWARDING/EGRESS
upvoted 1 times
...
...
liericky88
11 months, 2 weeks ago
Selected Answer: C
A could be correct if the wording is "after identifying application", but it doesn't necessarily have to be successfully identified. C is more likely.
upvoted 1 times
...
bo2la
1 year ago
Selected Answer: C
after app identification there is a return to the previous step before content inspection, recheck the diagram
upvoted 1 times
PaloSteve
9 months, 2 weeks ago
So this analysis makes both A and C right. Content inspection happens "after the application has been identified" but "before the packet forwarding process". LOL.
upvoted 1 times
...
...
Pallab_Kundu
1 year, 1 month ago
Selected Answer: C
C is correct
upvoted 1 times
...
hdrnzienlaoroljol
1 year, 2 months ago
Selected Answer: C
C for me
upvoted 1 times
...
yazid0016
1 year, 2 months ago
After Application Identification: answer A
upvoted 1 times
...
mohr22
1 year, 2 months ago
A is the answer. If the session App-ID is identified then content inspection happens, else not.
upvoted 2 times
...
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted