Exam PCNSE topic 1 question 17 discussion

Actual exam question from Palo Alto Networks's PCNSE
Question #: 17
Topic #: 1

Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log?

  • A. web-browsing and 443
  • B. SSL and 80
  • C. SSL and 443
  • D. web-browsing and 80
Suggested Answer: A

Comments

Pacheco
Highly Voted 4 years, 3 months ago
Made an account just to tell you guys the correct answer is A. Application is first identified as SSL on port 443, then decrypted, then identified as web-browsing on port 443. Application identification changes due to app shift, but the port number doesn't! Correct answer is A.
upvoted 39 times
kerberos
3 years, 5 months ago
you are correct!
upvoted 1 times
...
...
mannyvic
Highly Voted 5 years, 2 months ago
The answer should be C.... Application - HTTPS = SSL, HTTP = Web Browsing.......Service- SSL=443, Web-Browsing=80
upvoted 11 times
kraut
3 years, 8 months ago
no, since ssl forward proxy is in place. ssl is getting "decrypted", and traffic is identified as web-browsing. app-id will be ssl initially but *shift*!
upvoted 3 times
...
...
Nico1973
Most Recent 2 months, 2 weeks ago
Selected Answer: A
A. web-browsing and 443

Explanation: When traffic to https://www.microsoft.com is decrypted by a Palo Alto Networks firewall:
  • Application: The decrypted traffic is classified as web-browsing (since it’s HTTP/HTTPS web traffic).
  • Service/Port: The original encrypted traffic uses port 443 (HTTPS), and this port is retained in the logs even after decryption.

Why Not the Other Options?
  • B. SSL and 80 → Incorrect. Port 80 is for HTTP (unencrypted), and "SSL" is not the app name after decryption.
  • C. SSL and 443 → "SSL" is the application name before decryption. Once decrypted, it becomes web-browsing.
  • D. web-browsing and 80 → Port 80 is for HTTP, but Microsoft’s site uses HTTPS (port 443).

Key Notes:
  • Before decryption: App = ssl, Port = 443.
  • After decryption: App = web-browsing, Port = 443 (retained from original flow).

Thus, A is correct for decrypted packets.
upvoted 1 times
...
NazmulHossain
5 months, 1 week ago
Selected Answer: A
As the question asks about the application after packet decryption, it will see the application as Web-Browsing with port 443.
upvoted 1 times
...
0d2fdfa
7 months, 1 week ago
Selected Answer: A
As mentioned before, application is identified as ssl and then web browsing after decryption.
upvoted 1 times
...
Marshpillowz
10 months, 3 weeks ago
Selected Answer: A
Answer is A.
upvoted 1 times
...
Woody
2 years ago
A, apparently.
upvoted 1 times
...
fireb
2 years, 5 months ago
Option A is correct.
upvoted 1 times
...
Meko
2 years, 6 months ago
Selected Answer: A
After being decrypted, the traffic is web-browsing traffic / port 443. Before being decrypted, the traffic is ssl traffic / port 443.
upvoted 2 times
...
UFanat
2 years, 6 months ago
Selected Answer: A
Correct answer: A. After a packet is decrypted we see web browsing in logs.
upvoted 2 times
...
William88
2 years, 6 months ago
Correct answer is A
upvoted 1 times
...
datz
2 years, 6 months ago
Selected Answer: A
If it's decrypted then it will know that APP-ID = Web-Browsing and port 443 - SO A for sure
upvoted 1 times
...
Elvenking
2 years, 8 months ago
It is definitely "A". Just looked it up on a firewall:

show session all filter source 192.168.0.***
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
20714 web-browsing ACTIVE FLOW *NS 192.168.0.***[63325]/abc00/6 (***.***.***.***[35661])
vsys1 104.208.16.90[443]/def00 (104.208.16.90[443])

and looking more closely:

show session id 20714
Session 20714
c2s flow:
source: 192.168.0.*** [abc00]
dst: 104.208.16.90
proto: 6
sport: 63325 dport: 443
...
application : web-browsing
...
tracker stage firewall : TCP FIN
tracker stage l7proc : proxy timer expired
end-reason : tcp-fin
upvoted 6 times
...
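Added example (not part of the thread and not Palo Alto Networks code): a parser for session-table rows in the two-line layout quoted in the comment above, splitting port-443 sessions by whether App-ID still reports ssl or has shifted to another application. The sample rows, addresses and zone names are constructed.

```python
import re

# Constructed sample in the two-line-per-session layout quoted above;
# addresses are documentation ranges and the zone names are made up.
SAMPLE = """\
--------------------------------------------------------------------------------
ID      Application   State  Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                   Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
20714   web-browsing  ACTIVE FLOW *NS  192.0.2.10[63325]/trust/6 (198.51.100.1[35661])
vsys1                                  203.0.113.90[443]/untrust (203.0.113.90[443])
20715   ssl           ACTIVE FLOW  NS  192.0.2.11[50112]/trust/6 (198.51.100.1[40210])
vsys1                                  203.0.113.91[443]/untrust (203.0.113.91[443])
20716   web-browsing  ACTIVE FLOW  NS  192.0.2.12[50200]/trust/6 (198.51.100.1[40300])
vsys1                                  203.0.113.92[80]/untrust (203.0.113.92[80])
"""

# First row of a session: ID, application, state, type, optional flag, source.
ROW1 = re.compile(r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
                  r"(?:(?P<flag>\S+)\s+)?(?P<src>[^\s\[]+)\[(?P<sport>\d+)\]"
                  r"/(?P<szone>[^/\s]+)/(?P<proto>\d+)")
# Second row: vsys and destination with its port.
ROW2 = re.compile(r"^(?P<vsys>vsys\d+)\s+(?P<dst>[^\s\[]+)\[(?P<dport>\d+)\]/(?P<dzone>\S+)")

def parse_sessions(text):
    """Pair each session's two rows into one dict; headers and rules are skipped."""
    sessions, pending = [], None
    for line in (l.strip() for l in text.splitlines()):
        m1 = ROW1.match(line)
        if m1:
            pending = m1.groupdict()
            continue
        m2 = ROW2.match(line)
        if m2 and pending:
            pending.update(m2.groupdict())
            pending["dport"] = int(pending["dport"])
            sessions.append(pending)
            pending = None
    return sessions

def decryption_view(sessions, port=443):
    """Return (ids still identified as ssl, {id: app} for sessions shifted off ssl)."""
    on_port = [s for s in sessions if s["dport"] == port]
    still_ssl = [s["id"] for s in on_port if s["app"] == "ssl"]
    shifted = {s["id"]: s["app"] for s in on_port if s["app"] != "ssl"}
    return still_ssl, shifted

if __name__ == "__main__":
    print(decryption_view(parse_sessions(SAMPLE)))
```

A session that stays ssl on 443 was either not decrypted or had not yet shifted when the table was read; the destination port is the same in both groups.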
AbuHussain
2 years, 8 months ago
Selected Answer: A
Correct answer is A.
upvoted 1 times
...
Syn1337
2 years, 9 months ago
Selected Answer: A
Correct answer is A.
upvoted 1 times
...
kam1967
3 years, 1 month ago
The exam has changed. I only saw 4-5 questions from this dump on the exam.
upvoted 6 times
renzanjo
3 years, 1 month ago
Seriously??
upvoted 3 times
Bighize
3 years ago
kam1967 is telling the truth. same thing happened to me.
upvoted 1 times
RJ45TP
3 years ago
Have you seen a good dump anywhere else!?
upvoted 1 times
...
...
...
Breyarg
2 years, 12 months ago
ffs i just paid to use this as well...... anyone have a valid dump!?!?!? i have my exam next week :(
upvoted 1 times
LaithFraij
1 year, 9 months ago
What happened with you?
upvoted 1 times
...
...
...
evdw
3 years, 7 months ago
Correct answer : A
upvoted 2 times
...
Community vote distribution: A (35%), C (25%), B (20%), Other