Exam PCNSE topic 1 question 85 discussion

D -- Server hosts HTTP/HTTPs both on Port 443 .. that means to access the HTTP on port 443, web-browsing "Application" need to be enabled on "service-https" service

A is the correct answer. The TCP session will be built and hit the SSL decryption policy, which will decrypt the packets and forward them on HTTP via TCP/443 - this is behavior for PAN-OS 10.0+. That being said, I also think the first rule in A would suffice to allow the traffic.

Application: web-browsing; standart-port: 80, secured port: 443 Application: ssl; port: 443. I am going for C. But, why not *A and *B!! Is order of rules really matter here? Firewall will go through all the rules both before and after the decryption. Only thing is matter FW requires both the rules. ** D will not work. As the rule is not allowing web-browsing with port 80 at all. Which is required after decryption for plain text web traffic. As forward proxy decryption is configured, SSL rule is not required at all. Only one rule allowing web-browsing with app-default will work. As we-browsing with service app-default has both port 80 and 443. HTTPS traffic will not be detected as web-browsing. It will be detected as SSL before decryption. After decryption the application will be detected as web-browsing. So, before decryption port 443 needs to be allowed and after decryption web-browsing port 80 needs to be allowed.

The order is important because SSL decryption must happen before web-browsing (HTTP) traffic is allowed to reach the web server in cleartext. Therefore, the first rule allows the SSL traffic to be decrypted, and the second rule allows the decrypted web-browsing traffic to pass to the server.

Rule #1: application: ssl; service: application-default; action: allow Reason: The first rule allows the initial SSL handshake to occur, which is necessary for the firewall to decrypt the traffic. Once the traffic is decrypted, it can be identified as web-browsing. Rule #2: application: web-browsing; service: application-default; action: allow Reason: After the SSL traffic is decrypted, it is identified as web-browsing traffic. The second rule is needed to allow this now-decrypted web-browsing traffic through on TCP port 443.

A rule would allow the web traffic to pass over both, 80 and 443, D rule would allow just over 443, so D

As was mentioned below, for a bit now the app-id web-browsing shows a default secure port of TCP 443. So *when ssl is decrypted* and the decrypted traffic matches web-browsing, TCP 443 will be allowed with app-default.

Voting for answer A, due to this article "https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default"

I think that all the option are valid to allow cleartext web-browsing traffic on tcp/443. The most precise rule it's D.

So D was correct before the default secure ports were introduced I think. You can see them in the GUI. According to this KB article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHqCAK with Decryption enabled those applications are identified correctly as e.g. web-browsing if it's active on 443 and the Security Policy with "application-default" will allow it. The question is if the Exam is this up to date :D

B is correct. In option D, the first Security policy rule allows web-browsing traffic on the HTTPS service (service-https), which is not applicable in this scenario since the web server is configured to host its contents over HTTP(S) and is listening on TCP port 443 for incoming connections. If we allow the web-browsing application traffic using the HTTPS service, the firewall will forward the traffic to the web server without decrypting it, since it is HTTPS traffic. However, the web server is hosting its contents over HTTP(S), so the firewall needs to decrypt the traffic before forwarding it to the web server. Therefore, the correct service to be used in the first Security policy rule is service-http instead of service-https. This will allow the firewall to decrypt the traffic before forwarding it to the web server and also allow web-browsing traffic from the Trust zone to the DMZ zone. Hence, option B is the correct answer.

I agree D. However, the way the question is worded and answers are very tricky. It's not the way you'd go about explaining this or executing the solution IRL. Shame on Palo Alto for trying to mislead us purposely on questions like this. I mean we only have an average of 1 min, 4sec per question. Rule 2 is unnecessary to allow cleartext, which is the stated goal of the question. No decryption is necessary for the firewall to identify cleartext web-browsing traffic. A bad question overall.

The correct Answer is A. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default

I didn't even get to rule 2 before I knew D was the right answer. It's the only one that lists the application as web-browsing and the service as HTTPS.

Starting from PanOS 9.0 answer A is correct. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/app-id/application-default Couple of applications are defined with "standard" and "secure" ports, which allow you to use application web-browsing with application-default ports, after decryption. First rule from A will match the traffic after decryption. Second rule is needed to allow the initial connection to be established. Traffic will be initially allowed over second rule and after decryption application will shift and new lookup will match fist rule

C -- Is the correct, On first packets application will be identified as SSL, once the tunnel established (after TLS hello exchanging between Client and Server, cipher chosen.... dears check TLS negotiation wikis) the firewall starts to decrypt via proxy forward, in that moment the app is identified as web-browsing. The TLS tunnnel mus be negotiated first and this handshake will be identified as SSL.

If you go to objects > applications (applipedia doesn't show this) and search for "web-browsing" open that signature and locate the field "standard port" and "secure port" you'll see port 80 and 443. This means that if you create a policy allowing web-browsing with application default, this app will be allowed on both of those ports. Now you no longer need to create a policy allowing SSL on port 443 before your policy allowing web-browsing. This is now from the past. This is true for a handful of applications only at this point. Which means that this question might show an answer along those lines if it ever gets updated.