A large university uses a Palo Alto Networks firewall to secure its network. The security team has implemented a policy to block peer-to-peer (P2P) file sharing applications. They have configured a security rule that denies all applications in the 'peer-to-peer' category. However, they notice that some students are still able to download files using BitTorrent. The traffic logs show the application as 'bittorrent' but the rule does not match. Upon investigation, the rule is applied to the correct zones and includes the peer-to-peer category. The source and destination are any. What is the most likely cause of this issue?
If a preceding rule allows the traffic, the deny rule will not be evaluated.
Why this answer
Option D is correct because Palo Alto Networks firewalls evaluate security rules in order from top to bottom and apply the first rule that matches. If a rule that allows the traffic (e.g., a broad allow rule) is placed before the deny rule for peer-to-peer applications, the traffic matches the allow rule first and is permitted, never reaching the deny rule. This is a common misconfiguration in which rule ordering overrides the intended policy, even though the deny rule itself is correctly configured with the peer-to-peer category.
Exam trap
The trap here is that candidates often focus on App-ID configuration details (like categories or updates) and overlook the fundamental concept of rule ordering, which is a common cause of policy bypass in firewall management.
How to eliminate wrong answers
Option A is wrong because BitTorrent is indeed classified under the 'peer-to-peer' application category in Palo Alto Networks App-ID, so the category should match. Option B is wrong because the question states the rule includes the 'peer-to-peer' category, which can be applied via an application filter or group; an application group would still work if it contains the correct applications, but the issue is rule ordering, not the method of application selection. Option C is wrong because the traffic logs show the application as 'bittorrent', meaning App-ID has successfully identified it; a missing update would result in 'incomplete' or 'unknown' application identification, not a correctly identified application that fails to match.