Exam PCNSE topic 1 question 85 discussion

D -- Server hosts HTTP/HTTPs both on Port 443 .. that means to access the HTTP on port 443, web-browsing "Application" need to be enabled on "service-https" service

A is the correct answer. The TCP session will be built and hit the SSL decryption policy, which will decrypt the packets and forward them on HTTP via TCP/443 - this is behavior for PAN-OS 10.0+. That being said, I also think the first rule in A would suffice to allow the traffic.

With application-default turned on, the firewall strictly enforces cleartext web-browsing traffic only on port 80 and SSL-tunneled traffic only on port 443. This is stated on the documentation as per link on latest PAN-OS 11.1 and later. https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/app-id/application-default

Regla #1: application: web-browsing; service: application-default; action: allow Regla #2: application: ssl; service: application-default; action: allow Por qué: El tráfico inicialmente es SSL (aplicación ssl) en puerto 443, que coincidirá con la Regla #2 para permitir el tráfico y que el proxy pueda desencriptar. Después de la desencriptación, el firewall reevalúa el tráfico que ahora es cleartext HTTP (aplicación web-browsing) pero sigue en puerto 443. En esta segunda evaluación, la Regla #1 (web-browsing + application-default) permitirá el tráfico. application-default para web-browsing cubre puerto 80 y puerto 443 (en PAN-OS modernos), por lo que es suficiente y más flexible que usar service-https. El orden es fundamental: primero la regla que permita web-browsing para el tráfico desencriptado, y después la regla ssl para el tráfico cifrado original.

Regla #1: application: web-browsing; service: application-default; action: allow Regla #2: application: ssl; service: application-default; action: allow Por qué: El tráfico inicialmente es SSL (aplicación ssl) en puerto 443, que coincidirá con la Regla #2 para permitir el tráfico y que el proxy pueda desencriptar. Después de la desencriptación, el firewall reevalúa el tráfico que ahora es cleartext HTTP (aplicación web-browsing) pero sigue en puerto 443. En esta segunda evaluación, la Regla #1 (web-browsing + application-default) permitirá el tráfico. application-default para web-browsing cubre puerto 80 y puerto 443 (en PAN-OS modernos), por lo que es suficiente y más flexible que usar service-https. El orden es fundamental: primero la regla que permita web-browsing para el tráfico desencriptado, y después la regla ssl para el tráfico cifrado original.

Application: web-browsing; standart-port: 80, secured port: 443 Application: ssl; port: 443. I am going for C. But, why not *A and *B!! Is order of rules really matter here? Firewall will go through all the rules both before and after the decryption. Only thing is matter FW requires both the rules. ** D will not work. As the rule is not allowing web-browsing with port 80 at all. Which is required after decryption for plain text web traffic. As forward proxy decryption is configured, SSL rule is not required at all. Only one rule allowing web-browsing with app-default will work. As we-browsing with service app-default has both port 80 and 443. HTTPS traffic will not be detected as web-browsing. It will be detected as SSL before decryption. After decryption the application will be detected as web-browsing. So, before decryption port 443 needs to be allowed and after decryption web-browsing port 80 needs to be allowed.

The order is important because SSL decryption must happen before web-browsing (HTTP) traffic is allowed to reach the web server in cleartext. Therefore, the first rule allows the SSL traffic to be decrypted, and the second rule allows the decrypted web-browsing traffic to pass to the server.

Rule #1: application: ssl; service: application-default; action: allow Reason: The first rule allows the initial SSL handshake to occur, which is necessary for the firewall to decrypt the traffic. Once the traffic is decrypted, it can be identified as web-browsing. Rule #2: application: web-browsing; service: application-default; action: allow Reason: After the SSL traffic is decrypted, it is identified as web-browsing traffic. The second rule is needed to allow this now-decrypted web-browsing traffic through on TCP port 443.

A rule would allow the web traffic to pass over both, 80 and 443, D rule would allow just over 443, so D

As was mentioned below, for a bit now the app-id web-browsing shows a default secure port of TCP 443. So *when ssl is decrypted* and the decrypted traffic matches web-browsing, TCP 443 will be allowed with app-default.

Voting for answer A, due to this article "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default"

I think that all the option are valid to allow cleartext web-browsing traffic on tcp/443. The most precise rule it's D.

So D was correct before the default secure ports were introduced I think. You can see them in the GUI. According to this KB article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK with Decryption enabled those applications are identified correctly as e.g. web-browsing if it's active on 443 and the Security Policy with "application-default" will allow it. The question is if the Exam is this up to date :D

B is correct. In option D, the first Security policy rule allows web-browsing traffic on the HTTPS service (service-https), which is not applicable in this scenario since the web server is configured to host its contents over HTTP(S) and is listening on TCP port 443 for incoming connections. If we allow the web-browsing application traffic using the HTTPS service, the firewall will forward the traffic to the web server without decrypting it, since it is HTTPS traffic. However, the web server is hosting its contents over HTTP(S), so the firewall needs to decrypt the traffic before forwarding it to the web server. Therefore, the correct service to be used in the first Security policy rule is service-http instead of service-https. This will allow the firewall to decrypt the traffic before forwarding it to the web server and also allow web-browsing traffic from the Trust zone to the DMZ zone. Hence, option B is the correct answer.

I agree D. However, the way the question is worded and answers are very tricky. It's not the way you'd go about explaining this or executing the solution IRL. Shame on Palo Alto for trying to mislead us purposely on questions like this. I mean we only have an average of 1 min, 4sec per question. Rule 2 is unnecessary to allow cleartext, which is the stated goal of the question. No decryption is necessary for the firewall to identify cleartext web-browsing traffic. A bad question overall.

The correct Answer is A. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default

I didn't even get to rule 2 before I knew D was the right answer. It's the only one that lists the application as web-browsing and the service as HTTPS.