CCNA Securing Traffic and App-ID Questions

63 questions · Securing Traffic and App-ID · All types, answers revealed

1. MCQ · hard

After upgrading PAN-OS from version 9.1 to 10.0, an administrator notices that traffic for an internal custom application is now classified as unknown-tcp instead of the expected custom application. The application was defined using a custom App-ID in the previous version. What is the most likely cause?

A. The new version deprecated the application signature.
B. The custom App-ID is incompatible with the new version and needs to be re-created.
C. The firewall license expired after the upgrade.
D. The upgrade reset the firewall configuration.
Answer: B

Upgrades can change App-ID engine behavior; custom applications may require redefinition.

Why this answer

Option B is correct: custom App-IDs may not be compatible with the new PAN-OS version and might need to be re-created or updated. Option A is wrong because application signatures are not automatically deprecated without custom App-ID issues. Option C is wrong because the license is not directly relevant to App-ID. Option D is wrong because the upgrade does not typically reset configurations.

2. MCQ · easy

A network engineer notices that traffic from an internal user to a web application is being incorrectly identified as 'web-browsing' instead of the custom application 'my-app'. The engineer has already created a custom application 'my-app' with the correct signature. What is the most likely reason for the misidentification?

A. The custom application is not activated in the security policy rule.
B. The application override is not configured.
C. The vulnerability protection profile is dropping the traffic.
D. The decryption policy is blocking the traffic.
Answer: B

Correct: Application override forces the firewall to identify traffic using the custom application's signature, overriding the default identification.

Why this answer

Since the custom application signature exists but is not being used, the firewall's default identification overrides it. Configuring an application override forces the firewall to use the custom application's signature instead of the default one.

3. MCQ · hard

Refer to the exhibit. An administrator notices that HTTPS traffic to a specific website is being denied. What is the most likely cause?

A. The HTTPS traffic is being identified as web-browsing instead of ssl, so it does not match rule 2 and is denied by rule 3.
B. Rule 2 does not have a service set to application-default, so it cannot match the traffic.
C. The traffic is from trust to trust, matching rule 4, but still denied.
D. The traffic requires a specific service other than application-default.
Answer: A

If App-ID misidentifies HTTPS traffic as web-browsing, it fails to match rule 2 and is blocked.

Why this answer

Option A is correct: The firewall may identify HTTPS traffic as web-browsing due to a lack of SSL decryption or other factors. Rule 1 allows web-browsing but with service application-default, which expects port 80, not 443. Therefore, HTTPS traffic does not match rule 1, nor rule 2 (since it's identified as web-browsing), and falls to rule 3, which denies.

Option B is wrong because rule 2 allows ssl on port 443, but the traffic is not identified as ssl. Option C is wrong because rule 4 is for trust-to-trust, not trust-to-untrust. Option D is wrong because rule 2 does not require other services.

4. MCQ · hard

Refer to the exhibit. A network engineer notices high CPU utilization on the firewall. The output shows that 4500 sessions are pending App-ID identification. What is the most likely cause of the high number of pending sessions?

A. An application override policy is being used extensively.
B. Security policy rules are not optimized, causing excessive traffic to be processed by App-ID.
C. SSL decryption is disabled for most traffic.
D. The application database is outdated and missing signatures.
Answer: B

Poorly designed security policies can cause unnecessary traffic to be inspected, leading to a high number of pending sessions.

Why this answer

When security policy rules are not optimized, excessive traffic may be processed by App-ID, causing a backlog of sessions waiting for application identification. The firewall's dataplane can become overwhelmed if too many sessions require deep packet inspection before a decision is made, leading to high CPU utilization and a large number of pending App-ID sessions.

Exam trap

The trap here is that candidates often assume a high number of pending App-ID sessions is caused by a lack of signatures or decryption, when in fact it is typically a symptom of rulebase inefficiency that forces excessive traffic through the App-ID engine.

How to eliminate wrong answers

Option A is wrong because an application override policy bypasses App-ID entirely, which would reduce pending sessions, not increase them. Option C is wrong because disabling SSL decryption actually reduces the processing burden on App-ID, as encrypted traffic cannot be fully inspected for application identification, so it would not cause a high number of pending sessions. Option D is wrong because an outdated application database might cause misidentification or missed signatures, but it would not directly cause a high number of sessions to remain pending; pending sessions are typically due to processing backlogs, not missing signatures.

5. MCQ · medium

During an audit, it is discovered that some traffic from a legacy application is being incorrectly identified as 'ssl' because the application uses a custom encryption scheme over TCP port 443. The engineer has created a custom application signature that matches the legacy application's handshake. What additional configuration is needed to ensure the legacy application is correctly identified?

A. Create an application override rule to force the identification.
B. Create a security policy rule that explicitly allows the custom application.
C. Change the default port of the custom application from 443 to a different port.
D. Disable SSL decryption for that traffic.
Answer: A

Correct: Application override ensures the custom signature is used, overriding the default identification.

Why this answer

Since the traffic uses port 443, the firewall's default SSL decoder identifies it as 'ssl'. An application override forces the firewall to use the custom signature instead.

6. Multi-Select · hard

Which THREE attributes can be used in a custom App-ID signature to identify an application? (Choose three.)

A. Protocol (TCP, UDP, etc.)
B. Port number
C. Data pattern (regular expression or byte sequence)
D. URL category
E. Security policy action
Answers: A, B, C

Protocol is a mandatory field in custom signatures.

Why this answer

Options A, B, and C are correct. Protocol (A) is the base attribute; port (B) can define known ports; data pattern (C) matches payload content. Option D is incorrect because URL category belongs to URL filtering, not to an App-ID signature. Option E is incorrect because security policy actions are not part of the signature definition.

7. Multi-Select · medium

A security administrator is configuring App-ID to identify custom applications over TCP port 8080. The traffic is HTTP-based but the firewall is classifying it as 'web-browsing'. Which two steps should the administrator take to ensure the traffic is correctly identified as the custom application? (Choose two.)

A. Create an application override for the custom application.
B. Enable SSL decryption on the traffic.
C. Set the application to 'any' in the security policy.
D. Configure a security policy rule to allow the application.
E. Create a custom App-ID signature for the application.
Answers: A, E

An application override forces the firewall to classify the traffic as the specified application, ensuring correct identification.

Why this answer

Option A (create an application override) forces the firewall to classify the traffic as the custom application regardless of detection. Option E (create a custom App-ID signature) allows the firewall to properly identify the application via pattern matching. Option B is irrelevant for HTTP traffic. Option C sets the application to any, which prevents identification. Option D is about allowing, not identifying.

8. MCQ · medium

An administrator wants to apply different security policies for different applications that may use the same IP addresses and ports. Which firewall configuration feature should be used?

A. Application Override
B. Quality of Service (QoS) policy
C. Security policy with App-ID
D. Decryption policy
Answer: C

Security rules can match on application identity, allowing per-application policies.

Why this answer

Option C is correct: security policies with App-ID allow you to define rules based on the identified application, enabling different policies for different applications on the same IP/port. Option A is wrong because Application Override bypasses App-ID. Option B is wrong because QoS only prioritizes traffic; it does not filter. Option D is wrong because a Decryption policy does not enforce access control.

9. MCQ · easy

An administrator needs to create a custom application for a proprietary database protocol that uses TCP port 7890. What is the first step in defining this application in App-ID?

A. Create a new application and define the default port.
B. Create a new application group.
C. Create a new custom application tag.
D. Create a new application filter.
Answer: A

Correct: Creating the application object with its default port is the foundational step.

Why this answer

The first step is to create a new application object and define the default port. Creating an application group or filter assumes the application already exists. Tags are optional labels.

10. MCQ · hard

Refer to the exhibit. A user at 10.1.1.100 reports that they cannot access a website at 10.2.2.200 over HTTPS. The firewall shows the session is allowed with application web-browsing, but the security policy rule "Allow-Web" has application set to ssl. What is the most likely cause?

A. The application override is configured incorrectly.
B. The security policy rule order is incorrect.
C. The SSL decryption policy is not configured.
D. The service is set to application-default.
Answer: C

Without decryption, App-ID sees only the SSL handshake and identifies the traffic as web-browsing on port 443, not as the more specific ssl application.

Why this answer

Option C is correct because without SSL decryption, the firewall cannot inspect the encrypted payload to identify the application as ssl; it classifies it as web-browsing based on port 443. Option A is wrong because application override would force a specific application, but the issue is that the session shows a different application, not that override is misconfigured. Option B is wrong because the session is allowed, indicating a rule is matched; rule order may not be the direct cause since the allowed traffic shows web-browsing.

Option D is wrong because service application-default allows the default port, but the application still needs to be identified correctly.

11. MCQ · easy

An engineer wants to block all peer-to-peer file sharing traffic using App-ID. What security policy action should be used?

A. Drop.
B. Reset-both.
C. Allow with antivirus profile.
D. Deny.
Answer: D

Correct: Deny blocks the traffic and sends a TCP reset.

Why this answer

The standard action to block traffic in a security policy rule is 'deny'. 'Drop' also blocks but does not send a TCP reset, while 'deny' sends a reset. 'Allow' would permit the traffic, and 'reset-both' is a type of deny, but 'deny' is the typical best practice.

12. MCQ · hard

A firewall in a high-availability pair shows that App-ID signatures are not syncing between units. Sessions are failing over but application identification is incorrect on the passive unit. What should the administrator verify?

A. Ensure both units have the same App-ID license installed.
B. Configure session distribution for symmetric return.
C. Verify that application override policies are replicated via HA configuration sync.
D. Check that sessions are established on both units.
Answer: C

Application overrides need to be synced; if not, the passive unit may misidentify traffic.

Why this answer

Option C is correct because application override policies are not synced via HA; they are local. Option A is wrong because the license is not per-unit. Option B is wrong because session distribution does not affect identification. Option D is wrong because session setup is not the issue.

13. Multi-Select · hard

An administrator is troubleshooting low throughput for a business-critical application that is identified as web-browsing instead of the custom app. The firewall is in inline mode. Which THREE potential causes should be investigated?

A. SSL decryption is not enabled.
B. The application signature is outdated.
C. The custom application uses a non-standard port.
D. Application Override policy is incorrectly configured.
E. The firewall is in tap mode.
Answers: B, C, D

An outdated signature may not recognize the custom application.

Why this answer

Options B, C, and D are correct: outdated application signatures may not recognize the custom app, a non-standard port could cause the custom app to be misidentified as web-browsing, and an incorrectly configured Application Override policy could misdirect traffic. Option A is wrong because SSL decryption is not directly related to misidentification as web-browsing. Option E is wrong because tap mode is not relevant in inline mode.

14. MCQ · medium

A security policy has an application list with 'facebook-chat' and 'facebook-base'. A user reports that Facebook messages are being blocked. The firewall logs show the application as 'facebook-base' but not as 'facebook-chat'. What is the most likely reason?

A. The App-ID signature for 'facebook-chat' is outdated.
B. The application 'facebook-chat' is a dependency that is not allowed in the policy.
C. The firewall is blocking the application 'facebook-chat' due to content filtering.
D. The traffic is using a non-standard port for chat.
Answer: B

Dependent apps must be allowed explicitly or using application group.

Why this answer

Option B is correct because 'facebook-chat' is a dependent application of 'facebook-base'; if the policy only allows 'facebook-base', the dependency may not be automatically included. Option A is wrong because signature updates are not the cause. Option C is wrong because blocking is not what causes the missing application. Option D is wrong because ports are not the issue.

15. Multi-Select · hard

During a security incident, an analyst notices that certain malware traffic is using port 443 but is being identified as 'ssl'. The malware uses a unique handshake that differs from standard SSL. Which two actions should the analyst take to correctly identify and block this malware? (Choose two.)

A. Add the custom application to a security rule with action Deny.
B. Disable SSL decryption on the firewall.
C. Create a custom application signature that matches the malware handshake.
D. Create a decryption policy to forward proxy decrypt the traffic.
E. Create an application override rule that forces identification as the custom application.
Answers: C, E

Correct: This enables the firewall to recognize the malware traffic.

Why this answer

First, create a custom application signature that matches the malware handshake. Then, apply an application override to force the firewall to use that signature instead of the default 'ssl' identification. After identification, the malware can be blocked via a security rule, but the question focuses on identification.

16. MCQ · hard

A threat log entry shows a threat detected in SSL traffic to 10.0.0.5, which is a server in the internal network. However, the decryption policy has a rule to no-decrypt traffic to 10.0.0.0/8 from internal sources. What is the most likely reason the threat was detected?

A. The decryption policy rule order is incorrect; the 'No-Decrypt-Internal' rule should be after the 'Decrypt-All' rule.
B. The threat was detected in decrypted traffic because the source was external.
C. The threat log is misconfigured.
D. The security policy is blocking the traffic before decryption.
Answer: B

Correct: The source is likely external, so the traffic is decrypted by rule 2, and the threat profile detected it.

Why this answer

The 'No-Decrypt-Internal' rule applies only to source addresses in 192.168.0.0/16. If the source of the traffic is not within that range (e.g., external), then the traffic to 10.0.0.5 matches the 'Decrypt-All' rule and is decrypted, allowing threat detection.

17. MCQ · easy

A firewall shows session logs with application 'incomplete' for many SSL connections. Which action should be taken to improve App-ID accuracy?

A. Disable application identification for SSL traffic.
B. Enable HTTP/2 protocol decoding.
C. Enable SSL decryption for the traffic.
D. Allow sessions with application 'incomplete' in policy.
Answer: C

Decryption reveals the underlying application.

Why this answer

Option C is correct because SSL decryption allows the firewall to inspect encrypted content, improving application identification. Option A is wrong because disabling security policies is not necessary. Option B is wrong because enabling HTTP/2 is not directly relevant. Option D is wrong because allowing incomplete sessions does not improve accuracy.

18. MCQ · medium

A company uses App-ID to identify traffic on their Palo Alto Networks firewall. They notice that a particular application, custom-db-sync, is not being identified correctly. The traffic uses a proprietary protocol over TCP port 4444. The firewall currently has a security rule allowing any application on that port. Which step should the engineer take to enable App-ID to correctly identify custom-db-sync?

A. Create a custom App-ID for custom-db-sync using the Application Object and define the appropriate signatures.
B. Enable unknown application identification in the security rule.
C. Use the default application override for port 4444 to allow traffic.
D. Change the security rule to use 'application-default' as the service to rely on port-based identification.
Answer: A

Custom App-IDs allow identification of proprietary protocols by defining signatures.

Why this answer

Option A is correct because App-ID relies on application signatures to identify traffic, not just port numbers. Since custom-db-sync uses a proprietary protocol over TCP 4444, the firewall cannot match it to any built-in App-ID. Creating a custom App-ID with appropriate signatures (e.g., protocol decoders, pattern matches) allows the firewall to correctly identify this custom application, enabling policy enforcement beyond port-based rules.

Exam trap

The trap here is that candidates often confuse 'application override' (which bypasses App-ID) with 'custom App-ID' (which enhances App-ID), leading them to choose option C, thinking it will force identification when it actually disables App-ID for that traffic.

How to eliminate wrong answers

Option B is wrong because enabling unknown application identification only allows the firewall to treat unidentified traffic as 'unknown-tcp' or 'unknown-udp', but it does not create a specific signature to identify custom-db-sync; the traffic would still not be recognized as that custom application. Option C is wrong because an application override bypasses App-ID entirely, forcing the firewall to treat all traffic on port 4444 as a specified application, which defeats the purpose of using App-ID to correctly identify the custom protocol. Option D is wrong because using 'application-default' as the service only changes the port binding to the default port for the identified application, but since custom-db-sync is not identified at all, this action does not enable its recognition; App-ID must first identify the application before 'application-default' can be relevant.

19. MCQ · medium

An administrator notices that traffic for a known application 'ms-update' is being blocked. The security policy has a rule allowing 'ms-update' from the internal network to the internet. However, the traffic is being denied. What should the administrator check first?

A. Confirm that the source and destination users are correctly configured.
B. Ensure that a security profile is applied to the rule to allow the application.
C. Check if the rule is placed after a deny-all rule.
D. Verify that the firewall is correctly identifying the traffic as 'ms-update' using App-ID.
Answer: D

If the traffic is not identified as 'ms-update', the rule will not match.

Why this answer

App-ID is the core mechanism that identifies applications by inspecting traffic beyond port numbers. If the firewall misidentifies the traffic (e.g., as 'ssl' or 'web-browsing' instead of 'ms-update'), the security rule specifically allowing 'ms-update' will not match, and the traffic will be denied by the implicit deny rule. Therefore, verifying App-ID identification is the first logical step.

Exam trap

The trap here is that candidates assume a rule allowing an application by name will automatically match traffic on standard ports, forgetting that App-ID must first correctly identify the application for the rule to apply.

How to eliminate wrong answers

Option A is wrong because source and destination users are irrelevant when the rule is based on application identification, not user identity; user configuration would only matter if the rule had a User-ID condition. Option B is wrong because security profiles (e.g., antivirus, vulnerability protection) are applied after the rule matches and do not affect whether the rule permits or denies traffic; they only inspect allowed traffic. Option C is wrong because a deny-all rule at the end of the policy list would block all unmatched traffic, but the question states a rule allowing 'ms-update' exists; the issue is that the rule is not matching, not that it is placed incorrectly relative to a deny-all rule.

20. Multi-Select · medium

Which TWO actions can help App-ID correctly identify a custom application that communicates over TCP port 8443 using SSL/TLS with a known internal hostname?

A. Disable App-ID on port 8443.
B. Use an application override with port 8443.
C. Add a custom URL category for the domain.
D. Create a custom application with a hostname condition.
E. Enable SSL forward proxy and import the internal CA certificate.
Answers: D, E

Hostname condition matches the SNI to identify the application.

Why this answer

Options D and E are correct: creating a custom application with a hostname condition uses the SNI for identification, and enabling SSL forward proxy with the internal CA allows decryption so the firewall can see the SNI. Option A is wrong because disabling App-ID on that port prevents identification. Option B is wrong because an application override bypasses App-ID. Option C is wrong because URL categories do not affect App-ID.

21. MCQ · easy

When configuring a custom application signature, which field is mandatory to define the application?

A. Category
B. Protocol
C. Port
D. Subcategory
Answer: B

Protocol is required for the firewall to know which signatures to apply.

Why this answer

Option B is correct because the protocol (TCP, UDP, etc.) is required for signature matching. Option A is wrong because category is optional. Option C is wrong because ports are optional if using protocol decoder.

Option D is wrong because subcategory is optional.

22. MCQ · medium

A company uses a custom application for internal VoIP traffic. The custom App-ID signature is configured with the correct protocol and port, but traffic is still not matching. The firewall shows the application as 'unknown-tcp'. What should the administrator check next?

A. Verify that the port range in the custom application is correct.
B. Update the App-ID signature database.
C. Check for asymmetric routing on the firewall.
D. Ensure a protocol decoder (e.g., SIP) is enabled for the application.
Answer: D

VoIP often uses dynamic ports; a protocol decoder is needed for full identification.

Why this answer

Option D is correct because many VoIP applications use dynamic ports after the initial connection, so a protocol decoder (like SIP or H.323) may be needed. Option A is incorrect because the port is already configured. Option B is incorrect because signature updates are not relevant for custom apps. Option C is incorrect because asymmetric routing would affect detection but is less likely for internal VoIP.

23. MCQ · medium

Refer to the exhibit. A network engineer wants to allow only 'ms-update' and 'facebook-base' traffic. After committing the above security policy, they find that 'ssl' traffic is also being allowed. What is the most likely reason?

A. Rule 1 allows all applications because it uses 'application any'.
B. App-ID is not enabled on the firewall.
C. Rule 4 is a deny rule but it is not effective because the traffic is allowed earlier.
D. The rule order is incorrect; rule 3 should be moved before rule 1.
Answer: A

Rule 1 matches all applications before the more specific rules, causing all traffic to be allowed.

Why this answer

Rule 1 uses 'application any', which matches all applications regardless of the specific App-ID. Since security policies are evaluated from top to bottom and the first matching rule is applied, any traffic that matches Rule 1's source, destination, and service will be allowed, including 'ssl' traffic. The explicit allow rules for 'ms-update' and 'facebook-base' are irrelevant because Rule 1 catches all traffic first.

Exam trap

Palo Alto Networks often tests the misconception that adding a deny rule later in the policy will block traffic that was already allowed by an earlier rule, but the trap here is that rule order is evaluated top-down and the first match wins, so a broad allow rule with 'application any' will permit all traffic before any deny or specific allow rules are reached.

How to eliminate wrong answers

Option B is wrong because if App-ID were not enabled, the firewall would not be able to identify any applications, and traffic would be handled by the default interzone rule (typically deny), not by allowing 'ssl' traffic. Option C is wrong because Rule 4 being a deny rule is irrelevant; the issue is that traffic is matched and allowed by an earlier rule (Rule 1) before reaching any deny rule. Option D is wrong because moving Rule 3 before Rule 1 would not fix the problem; Rule 1 would still match all traffic first, and Rule 3 would never be evaluated for traffic that matches Rule 1.

24. Drag & Drop · medium

Order the steps to upgrade the PAN-OS software on a standalone firewall.


Why this order

Upgrade requires download, upload, install, reboot, and verification.

25. Multi-Select · hard

A network engineer is troubleshooting an issue where a web application is being incorrectly identified as 'web-browsing' instead of 'webmail-gmail' by the Palo Alto Networks firewall. The firewall has App-ID enabled and all signatures are up to date. Which TWO actions should the engineer take to resolve this misidentification?

A. Disable unknown application identification to force stricter matching.
B. Create a custom App-ID for webmail-gmail with stricter signatures.
C. Review the session log to see if the application changed during the session.
D. Increase the application identification timeout to allow more time for identification.
E. Enable packet capture on the security rule to collect traffic for analysis.
Answers: C, E

Session logs show App-ID updates; the application may have been re-identified later.

Why this answer

Option C is correct because App-ID can reclassify a session as more data becomes available. A session that starts as 'web-browsing' may later be identified as 'webmail-gmail' once the firewall sees application-specific traffic (e.g., SMTP, IMAP, or proprietary Gmail API calls). Reviewing the session log to see if the application changed during the session helps confirm whether the firewall eventually identified the correct application.

Exam trap

The trap here is that candidates assume a static, one-time identification and overlook the fact that App-ID can dynamically reclassify a session as more data is analyzed, making the session log a critical diagnostic tool.

26. MCQ · hard

An organization has two different applications (AppA and AppB) that both use TCP port 8080. The firewall must apply different security policies to each application. What is the recommended approach?

A. Use source/destination IP addresses in security policies instead of App-ID.
B. Add the applications on separate virtual wire interfaces.
C. Change the port of one application to a different value.
D. Create an application override policy to identify each application by IP address.
Answer: D

Application override matches based on user-defined criteria, allowing separate policies.

Why this answer

Option D is correct because application override allows you to force a custom application identification based on criteria like IP addresses, even on the same port. Option A is wrong because using only IP addresses is not sufficient for port sharing. Option B is wrong because additional interfaces do not solve the identification problem. Option C is wrong because changing the port is not always feasible.

27. MCQ · medium

Refer to the exhibit. A firewall administrator is troubleshooting why some applications are not being correctly identified. The firewall is running App-ID version 8000-7120. What does the 'appid packet buffer: 1024 KB' indicate?

A. App-ID can only handle 1024 KB of packet data per session.
B. The firewall can buffer up to 1024 KB of packet data for App-ID analysis.
C. The firewall logs the first 1024 KB of every session for App-ID.
D. The firewall offloads App-ID processing to a dedicated buffer of 1024 KB.
Answer: B

This buffer stores packets for deep inspection when needed.

Why this answer

The 'appid packet buffer: 1024 KB' indicates the maximum amount of packet payload data the firewall can buffer per session for App-ID analysis. This buffer stores the initial packets of a session so that App-ID can inspect the payload for application signatures, even if the data arrives in multiple packets. Option B correctly states this buffering capability.

Exam trap

The trap here is confusing the buffer size with a per-session data limit or a logging threshold, when in fact it is a temporary storage mechanism for App-ID analysis.

How to eliminate wrong answers

Option A is wrong because App-ID does not have a hard limit of 1024 KB of packet data per session; the buffer size is a configurable limit for buffering, not a processing limit. Option C is wrong because the firewall does not log the first 1024 KB of every session; it buffers the data for analysis, not for logging purposes. Option D is wrong because App-ID processing is not offloaded to a dedicated buffer; the buffer is part of the firewall's normal packet processing pipeline and is used for temporary storage during signature matching.

28. Multi-Select · medium

A security engineer is troubleshooting a Palo Alto Networks firewall where HTTP traffic is being incorrectly identified by App-ID. The engineer has verified that the application is correctly configured in the application override policy. Which two factors could cause App-ID to fail to recognize the application?

A. The traffic is allowed by a security policy rule.
B. An application override policy is configured for the traffic.
C. SSL decryption is not enabled for the traffic.
D. The application is not in the Palo Alto Networks application database.
E. The firewall is using port-based application identification.
Answers: C, D

Without SSL decryption, App-ID cannot inspect encrypted traffic, leading to incorrect or failed identification.

Why this answer

Option C is correct because App-ID relies on analyzing the content of the traffic, including decrypted payloads, to identify applications. If SSL decryption is not enabled for HTTPS traffic, the firewall sees only encrypted packets and cannot inspect the application layer data, forcing App-ID to fall back to port-based or IP-based identification, which may misidentify the application.

Exam trap

The trap here is that candidates may think an application override policy ensures correct identification, but in reality it bypasses App-ID entirely, so it does not cause App-ID to fail—it prevents App-ID from running at all.

29
MCQhard

During a security audit, it is discovered that some HTTP traffic is being incorrectly identified as 'web-browsing' instead of 'ssl' even though the traffic uses HTTPS. The firewall is positioned as a transparent bridge and no SSL decryption is configured. What is the most likely cause?

A.SSL decryption must be enabled for the firewall to correctly identify SSL traffic.
B.The firewall is not seeing the full SSL handshake due to asymmetric routing.
C.The default interzone rule is blocking the SSL identification packets.
D.The security policy allows 'web-browsing' before 'ssl' in the rule order.
AnswerB

Asymmetric routing can prevent the firewall from seeing the SSL handshake, causing it to identify the traffic as HTTP.

Why this answer

When a firewall operates as a transparent bridge without SSL decryption, it relies on the Server Name Indication (SNI) field or the certificate exchange during the TLS handshake to identify HTTPS traffic as 'ssl'. Asymmetric routing causes the firewall to see only one direction of the TCP handshake (e.g., only the SYN or only the SYN-ACK), preventing it from observing the full TLS handshake. Without the complete handshake, App-ID cannot extract the necessary signatures (e.g., TLS version, cipher suites, certificate details) and falls back to classifying the traffic as 'web-browsing' based on port 443.

Exam trap

The trap here is that candidates assume SSL decryption is mandatory for SSL identification, but the firewall can identify HTTPS without decryption by inspecting the TLS handshake; the real issue is that asymmetric routing prevents the firewall from seeing the complete handshake, causing App-ID to fall back to port-based classification.

How to eliminate wrong answers

Option A is wrong because SSL decryption is not required for App-ID to identify SSL traffic; the firewall can identify HTTPS by inspecting the TLS handshake metadata (e.g., SNI, certificate) without decrypting the payload. Option C is wrong because interzone rules control traffic flow between zones, not the identification process; App-ID operates before policy enforcement, so a default interzone rule would not prevent the firewall from seeing the SSL handshake packets. Option D is wrong because security policy rule order affects which action is taken on traffic, not how App-ID classifies it; App-ID identifies the application first, then matches it against the policy, so rule order does not cause misidentification.

30
MCQmedium

A company has an application signature for an internal ERP system that uses a proprietary protocol over TCP port 4444. The ERP traffic is sometimes misidentified as unknown-tcp. Which App-ID mechanism should be used to improve identification without affecting the default App-ID engine?

A.Configure a port-based application override for port 4444.
B.Enable SSL decryption for the ERP traffic.
C.Create a custom application with a data pattern (signature).
D.Create an application override to allow the traffic without App-ID.
AnswerC

Custom applications with data patterns allow App-ID to identify proprietary protocols by inspecting payload content.

Why this answer

Option C is correct because creating a custom application with a data pattern (i.e., a signature) allows the firewall to identify the proprietary protocol without altering the default engine. Option A is wrong because a port-based override does not improve identification; it only bypasses App-ID. Option B is wrong because SSL decryption is not relevant for a proprietary protocol that is not SSL.

Option D is wrong because an application override bypasses App-ID entirely.

31
MCQeasy

Given the security policy above, what will happen to an HTTP request from a user to a public website?

A.It will be allowed but then blocked by the threat profile.
B.It will be denied because web-browsing is not identified.
C.It will be denied because rule 2 blocks all.
D.It will be allowed because rule 1 matches and action is allow.
AnswerD

Correct: Rule 1 matches web-browsing traffic and allows it.

Why this answer

The HTTP traffic will be identified as 'web-browsing' and match rule 1 first. The action is 'allow', so the traffic is permitted. The threat profile inspects but does not block unless a threat is found.

32
MCQhard

A network security engineer is troubleshooting an issue where certain VoIP traffic is being dropped by the firewall. The traffic logs show that the application is identified as 'voip' and the security rule allows 'voip'. However, the traffic is still being dropped. What should the engineer check next?

A.Confirm that the VoIP protocol is supported by App-ID.
B.Ensure that the security rule action is set to 'allow' and not 'deny'.
C.Verify that the application override is not set for this traffic.
D.Check if a vulnerability protection profile is dropping the traffic based on a threat signature.
AnswerD

Correct: Security profiles can drop traffic even if the security rule allows the application.

Why this answer

Even if a security rule allows traffic, security profiles (such as vulnerability protection, antivirus, etc.) can drop traffic. The threat logs should be checked for profile drops.

33
Multi-Selecteasy

Which TWO settings must be configured in a security policy rule to ensure the rule only matches when a specific application is detected on its standard port?

Select 2 answers
A.Set the Source Zone and Destination Zone.
B.Enable Threat Prevention.
C.Set the Service to 'application-default'.
D.Configure Logging at session start.
E.Set the Application to the specific application.
AnswersC, E

application-default restricts the rule to the application's default port.

Why this answer

Options E and C are correct: setting the application to the desired app ensures the rule matches that app, and setting the service to application-default ensures the rule only matches when the app uses its standard port, preventing other apps on the same port from matching. Option A is not specific to application matching. Options B and D are not required for matching.

34
MCQhard

During a security audit, an administrator finds that traffic on TCP port 443 is classified as web-browsing, but the firewall is configured to use SSL decryption. However, the traffic is not decrypted because it uses a self-signed certificate from an internal CA that is not trusted by the firewall. How should the administrator fix this to enable proper App-ID?

A.Configure SSH decryption for the traffic.
B.Disable SSL decryption for that traffic and rely on port-based identification.
C.Import the internal CA certificate and enable SSL forward proxy.
D.Create a custom App-ID override for the application.
AnswerC

This allows the firewall to trust the self-signed certificate and decrypt the traffic.

Why this answer

Option C is correct: importing the internal CA certificate and enabling SSL forward proxy with that CA allows the firewall to decrypt traffic using self-signed certificates, enabling App-ID to see the true application. Option A is wrong because SSH decryption is for SSH, not HTTPS. Option B is wrong because disabling SSL decryption for that traffic would prevent identification.

Option D is wrong because a custom App-ID override does not address the decryption issue.

35
MCQmedium

A network engineer wants to reduce the number of applications in security policies by combining several applications that are always used together. What is the best practice?

A.Use a wildcard application for the protocol.
B.Create a custom application that covers all the applications.
C.Configure an application group and add all related applications.
D.Remove the individual applications and just use port-based rules.
AnswerC

Application groups allow grouping for easier policy management.

Why this answer

Option C is correct because using application groups simplifies policy management and ensures consistent policy for related applications. Option A is wrong because wildcard applications are too broad. Option B is wrong because creating a custom container application is not a standard feature.

Option D is wrong because removing applications reduces visibility.

36
MCQmedium

An engineer wants to block the use of file-sharing application BitTorrent, but allow file transfers over SFTP which also uses port 22. What is the most effective way to achieve this using App-ID?

A.Create an application filter that matches sftp.
B.Use QoS to limit BitTorrent traffic.
C.Use an application override to classify all port 22 traffic as sftp.
D.Create a security rule that denies application 'bittorrent' and allows application 'sftp'.
AnswerD

Correct: This uses App-ID to differentiate and apply appropriate actions per application.

Why this answer

App-ID can differentiate between applications on the same port. Creating separate security rules for each application allows blocking one and allowing the other.

37
MCQmedium

A large enterprise uses a custom application that communicates over TCP port 8080 using HTTP. The application traffic is correctly identified as 'custom-app' by App-ID. Recently, the development team changed the application to use HTTPS on the same port. The firewall administrator updated the security policy to allow the application, using the same application name, but now the traffic is being denied. The firewall logs show the application as 'ssl' and the action 'deny'. The security policy has a rule that allows 'custom-app' from inside to outside. What should the administrator do to resolve this issue?

A.Create an application override for the traffic on port 8080.
B.Disable App-ID for that traffic and use a port-based policy.
C.Change the security policy rule to allow application 'ssl' instead.
D.Update the custom application definition to include SSL decryption and a hostname match.
AnswerD

This enables the firewall to decrypt and identify the HTTPS traffic as the custom application.

Why this answer

Option D is correct because the custom application definition was designed for HTTP, not HTTPS. To identify the new HTTPS traffic as the custom application, the administrator must update the definition to include SSL decryption and a hostname match, so that App-ID correctly recognizes the encrypted traffic. Option A is wrong because an override would bypass App-ID, losing visibility.

Option B is wrong because disabling App-ID is not a best practice and reduces security. Option C is wrong because allowing all SSL traffic is too broad a security risk.

38
MCQhard

An administrator is configuring SSL Forward Proxy decryption and wants to ensure that traffic to internal servers with self-signed certificates is decrypted, but traffic to external banking sites is excluded from decryption. They have created a decryption policy with two rules: first rule with 'No Decrypt' for the external banking URLs, second rule with 'Decrypt' for all other traffic. However, the banking traffic is still being decrypted. What is the most likely issue?

A.The SSL Forward Proxy profile is set to ignore the decryption policy.
B.The firewall is using a different decryption port than 443.
C.The decryption policy rules are in the wrong order; the 'Decrypt' rule should be first.
D.The URL category for banking is not correctly identified.

Why this answer

Decryption policy rules are evaluated top-down. If the 'Decrypt' rule is placed first, it matches all traffic and decrypts it, including banking. The 'No Decrypt' rule must come before the 'Decrypt' rule.

39
Matchingmedium

Match each PAN-OS component to its description.



Handles configuration, logging, and reporting

Processes traffic and enforces security policies

Manages routing and session setup

Collects and stores logs for analysis

Centralized management for multiple firewalls

Why these pairings

These are key architectural components in Palo Alto Networks firewalls.

40
MCQhard

A company deploys a Palo Alto Networks firewall in a data center. They have a critical application that uses a proprietary protocol over UDP port 12345. The firewall is not correctly identifying the traffic as the custom App-ID they created. They have verified that the custom App-ID is correctly configured and committed. What is the most likely cause?

A.The firewall must be rebooted for the custom App-ID to take effect.
B.An application override rule has not been configured to associate the traffic with the custom App-ID.
C.The custom App-ID must be enabled in the 'Applications' section of the firewall settings.
D.The firewall cannot identify applications over UDP.
AnswerB

Application override is required to bypass signature-based identification and assign the custom App-ID.

Why this answer

The custom App-ID is correctly configured and committed, but the firewall still does not identify the traffic because App-IDs are based on application signatures and behavioral analysis. For a proprietary protocol over UDP, the firewall may not have a signature to match it, so an application override rule is required to explicitly associate the traffic (based on IP, port, or protocol) with the custom App-ID. Without this override, the firewall will continue to treat the traffic as unknown or attempt to match it against built-in App-IDs.

Exam trap

The trap here is that candidates assume a correctly configured custom App-ID will automatically identify traffic, but they overlook the need for an Application Override rule to explicitly bind the traffic to that App-ID when the firewall cannot match it via signatures.

How to eliminate wrong answers

Option A is wrong because rebooting the firewall is unnecessary; custom App-IDs take effect immediately after commit, not requiring a reboot. Option C is wrong because custom App-IDs are not enabled in a separate 'Applications' section; they are created and applied via Security policy rules or Application Override rules. Option D is wrong because Palo Alto Networks firewalls can identify applications over UDP; App-ID supports both TCP and UDP protocols, and the issue is specifically about the lack of a signature for this proprietary protocol.

41
Multi-Selectmedium

Which TWO of the following are valid methods to create a custom App-ID on a Palo Alto Networks firewall?

Select 2 answers
A.Right-clicking on a session in the Traffic log and selecting 'Create App-ID'.
B.Using the 'Application Command Center' to automatically generate custom App-IDs.
C.Using the 'set application' command in the CLI.
D.Importing an App-ID definition file from a CSV.
E.Using the 'Objects' > 'Application Filters' menu in the web interface.
AnswersC, E

CLI allows configuration of custom applications.

Why this answer

Option C is correct because the 'set application' CLI command allows you to define a custom App-ID by specifying characteristics such as protocol, port, and signature. This is a direct method to create a custom application object on a Palo Alto Networks firewall, as documented in the administrator's guide.

Exam trap

The trap here is that candidates may confuse 'Create Application Override' (which bypasses App-ID) with 'Create App-ID' (which defines a new application), leading them to select option A, or they may mistakenly think the ACC can generate App-IDs, which it cannot.

42
MCQeasy

A network administrator wants to ensure that all traffic traversing the firewall is correctly identified by App-ID before any security policies are evaluated. Which step is essential?

A.Enable App-ID on the firewall interfaces.
B.Configure security zones properly.
C.Enable Threat Prevention profiles.
D.Ensure App-ID is enabled in the security policy rules.
AnswerD

App-ID is applied per rule; enabling it ensures identification occurs.

Why this answer

Option D is correct: App-ID must be enabled in the security policy rule (or globally) to ensure identification occurs before policy evaluation. Option A is wrong because App-ID does not require enabling on interfaces separately. Option B is wrong because zones define traffic boundaries, not App-ID.

Option C is wrong because threat prevention is unrelated to App-ID.

43
MCQmedium

Dynamics Inc., a mid-sized company, uses Palo Alto Networks PA-5250 firewalls at their data center. They recently deployed a new web-based CRM application that uses HTTPS and WebSocket connections on TCP port 8443. The security team configured a custom application 'crm-app' with a signature that matches the 'Host' header in HTTP requests, and set the protocol decoder to 'tcp' and the port to 8443. The application is used in a security policy to allow traffic from internal users to the CRM server. However, after deployment, the traffic logs show the application is identified as 'ssl' instead of 'crm-app'. The firewall's App-ID and threat prevention subscriptions are active and up to date. The team has verified that the custom application signature is correctly configured, and the traffic clearly matches the defined host header. Which action should be taken to ensure the CRM traffic is correctly identified by App-ID?

A.Increase the 'timeout' value for the custom application signature from 0 to 60 seconds.
B.Modify the custom application signature to use the 'tcp' protocol decoder and set the port to 8443.
C.Disable SSL decryption for the CRM traffic to allow App-ID to inspect the unencrypted HTTP headers.
D.Create a new security rule with an application override that sets the application to 'crm-app' for the CRM traffic.
AnswerD

An application override forces the firewall to identify the traffic as the specified application, bypassing App-ID's detection. This is a valid approach when App-ID fails to correctly classify traffic despite a properly configured custom signature.

Why this answer

Option D is correct because when App-ID fails to correctly identify traffic despite a properly configured custom application signature, an application override in a security policy can force the identification. This is a supported and common troubleshooting step. Option A is incorrect because the timeout parameter controls how long App-ID waits before updating the application, not the initial identification.

Option B is incorrect because the protocol decoder and port are already correctly set per the verification; changing them would not resolve the misclassification. Option C is incorrect because disabling SSL decryption would prevent App-ID from inspecting HTTPS headers, making identification less accurate.

44
Drag & Dropmedium

Order the steps to configure a security policy allowing HTTP traffic from the inside to the outside zone.



Why this order

Security policies define traffic flow by zone, application, and service.

45
MCQeasy

A security administrator notices that HTTP traffic is correctly identified as web-browsing but HTTPS traffic is showing as ssl. The company uses a custom HTTPS-based application that needs to be identified by its own App-ID. What should the administrator do?

A.Enable SSL decryption on the firewall.
B.Configure a custom URL category for the application.
C.Create an App-ID override (custom application) for the custom application.
D.Disable App-ID for the traffic.
AnswerC

App-ID overrides allow custom application signatures to match specific traffic patterns.

Why this answer

Option C is correct because creating an App-ID override allows the administrator to define a custom application signature for the traffic, ensuring it is identified as the custom application rather than ssl. Option A is wrong because SSL decryption alone does not change the application identity; it only allows inspection. Option B is wrong because configuring a custom URL category does not affect App-ID.

Option D is wrong because disabling App-ID would bypass application identification entirely.

46
Multi-Selectmedium

An engineer is configuring App-ID for a network that uses both standard and custom applications. Which of the following are best practices for using App-ID effectively? (Choose three.)

Select 3 answers
A.Rely solely on default application signatures for all traffic identification.
B.Use application filters to create dynamic application groups based on characteristics.
C.Use application groups to simplify policy management for related applications.
D.Disable App-ID for traffic on well-known ports to reduce processing overhead.
E.Regularly update Application and Threats content to keep signatures current.
AnswersB, C, E

Correct: Filters allow grouping by attributes without manual updates.

Why this answer

Using application groups simplifies policy management. Regular updates ensure accurate identification. Application filters allow dynamic grouping based on characteristics.

Relying solely on default signatures may miss custom apps, and disabling App-ID on well-known ports reduces visibility.

47
MCQmedium

A financial trading firm has a low-latency network. The firewall administrator notices that some trading application traffic is being dropped sporadically. The security policy allows the application 'trading-app' over default port 5000. The logs show the application is identified correctly as 'trading-app', but the action is deny. The administrator checks the security policy and finds that there is a prior rule that denies all traffic with application 'unknown-tcp'. What could be causing the trading application traffic to match the deny rule?

A.The application 'trading-app' is not fully recognized for some sessions, causing fallback to 'unknown-tcp'.
B.The application is identified as both 'trading-app' and 'unknown-tcp' due to a software bug.
C.The traffic is using a non-standard port, so the standard rule does not match.
D.There is a decryption policy causing the application to be misidentified.
AnswerA

Inconsistent identification can occur if the application signature does not match all variations of the traffic.

Why this answer

Option A is correct: App-ID may correctly identify most sessions as 'trading-app', but if some sessions have slightly different characteristics (e.g., variations in the protocol), the firewall may fail to identify them and fall back to 'unknown-tcp'. The prior deny rule then blocks those sessions. Option B is wrong because App-ID does not assign multiple identities to the same session.

Option C is wrong because the traffic uses the default port. Option D is wrong because no decryption policy is mentioned.

48
MCQmedium

A security engineer notices that traffic from a trusted internal application is being blocked by the firewall. The application communicates using a proprietary protocol over TCP port 8443. The engineer has already created a custom App-ID for this application but the traffic is still being blocked. What is the most likely reason?

A.The custom App-ID must be added to a security profile group.
B.The custom App-ID needs a vulnerability profile to be activated.
C.The security policy rule uses the destination port instead of App-ID.
D.An application override rule must be configured to associate the custom App-ID with the traffic.
AnswerD

Application override is necessary to bypass signature-based identification and assign the custom App-ID.

Why this answer

Option D is correct because when a custom App-ID is created for a proprietary protocol, the firewall cannot automatically identify the application by inspecting the traffic. An application override rule is required to explicitly map the traffic (based on IP, port, or other criteria) to the custom App-ID, bypassing the firewall's default App-ID identification process. Without this override, the firewall continues to apply its default classification, which may block the traffic if it doesn't match any known application.

Exam trap

The trap here is that candidates assume creating a custom App-ID is sufficient for the firewall to automatically identify the traffic, but they overlook the mandatory step of configuring an application override rule to bind the custom App-ID to the specific traffic flows.

How to eliminate wrong answers

Option A is wrong because a security profile group (which includes vulnerability, anti-virus, and other profiles) is not required for App-ID to function; it is an optional grouping for policy enforcement. Option B is wrong because a vulnerability profile is unrelated to App-ID identification; it is used for threat prevention after traffic is allowed. Option C is wrong because the security policy rule can use App-ID as a match criterion regardless of the destination port; the issue is that the custom App-ID is not being applied to the traffic, not that the rule is misconfigured to use port instead.

49
MCQhard

A company has a Palo Alto Networks firewall in a high-availability active/passive setup. After a failover event, the new active firewall is not correctly identifying some custom applications. The custom application objects and signatures are synchronized via Panorama. What is the most likely cause?

A.The application override rules are not synchronized.
B.The security policy rules referencing the custom applications are not present.
C.The custom application objects were created locally on the previous active firewall and not pushed from Panorama.
D.The custom application signatures are not committed on the new active firewall.
AnswerC

Correct: Local objects are not shared via Panorama, so they would be missing on the new active firewall.

Why this answer

If custom applications were created locally on the previous active firewall, they would not be present on the new active firewall. A Panorama push would include them only if they had been defined in Panorama; locally created objects are not pushed, so they would be missing.

50
MCQhard

A managed security service provider (MSSP) manages firewalls for multiple customers. One customer reports that their ERP application traffic is being dropped intermittently. The firewall logs show that the traffic is sometimes identified as 'erp-app' and allowed, and other times identified as 'unknown-tcp' and denied. The ERP application uses a proprietary protocol over TCP port 5555. The firewall has a custom application definition for 'erp-app' that uses a data pattern. The administrator verifies that the data pattern is correct. What should the administrator do to ensure consistent identification?

A.Increase the session timeout for the application.
B.Create a vulnerability protection profile to inspect the traffic.
C.Enable SSL decryption on the firewall.
D.Modify the custom application to include a port condition (default port 5555).
AnswerD

This provides a reliable port-based fallback when the data pattern is not seen.

Why this answer

Option D is correct: adding a port condition to the custom application definition (e.g., setting the default port to 5555) provides a fallback identification mechanism when the data pattern is not detected in a session. This ensures that traffic on port 5555 is consistently identified as 'erp-app'. Option A is wrong because increasing session timeout does not affect identification.

Option B is wrong because vulnerability protection is for threat prevention, not identification. Option C is wrong because the protocol is proprietary, not SSL.

51
Multi-Selectmedium

Which TWO factors can cause traffic to be classified as 'incomplete' by App-ID? (Choose two.)

Select 2 answers
A.SSL decryption is not enabled for the session.
B.The firewall CPU is too slow to process packets.
C.The content-ID engine has not been licensed.
D.Asymmetric routing where the firewall sees only one direction of traffic.
E.A deny rule that blocks the traffic.
AnswersA, D

Encrypted payload cannot be inspected for application identification.

Why this answer

Options A and D are correct. Option A: SSL decryption not enabled for encrypted traffic prevents full inspection of the payload. Option D: asymmetric routing can cause 'incomplete' because the firewall may only see half the session.

Option B is wrong because slow processing does not cause 'incomplete'; it may cause packet drops, but not 'incomplete'. Option C is wrong because Content-ID is separate and does not directly cause 'incomplete'. Option E is wrong because policy configuration does not affect classification.

52
Multi-Selecteasy

Which TWO are best practices when configuring App-ID for a production environment? (Choose two.)

Select 2 answers
A.Disable App-ID for traffic that does not match any known application to improve performance.
B.Configure all security policies based on port only for consistency.
C.Use applications instead of ports in security policies.
D.Enable security profiles (e.g., vulnerability protection) along with App-ID.
E.Limit application usage to only well-known applications to reduce attack surface.
AnswersC, D

App-ID provides application-level control.

Why this answer

Options C and D are correct. Option C: using application-based policy improves security and flexibility. Option D: combining App-ID with security profiles (e.g., Content-ID) enables comprehensive inspection.

Option A is wrong because disabling App-ID for unmatched traffic defeats the purpose. Option B is wrong because relying solely on ports is not recommended. Option E is wrong because using only well-known applications reduces visibility.

53
MCQeasy

A network administrator notices that web-browsing traffic is being classified as 'incomplete' in the App-ID table. What is the most likely cause?

A.The App-ID signature database is outdated.
B.The security policy does not have an allow rule for web-browsing.
C.The firewall is experiencing asymmetric routing.
D.SSL decryption is not enabled for the traffic.
AnswerD

Without SSL decryption, encrypted traffic cannot be fully inspected, leading to 'incomplete' App-ID.

Why this answer

Option D is correct because SSL decryption is required to inspect encrypted traffic for App-ID to identify applications beyond the SSL protocol itself. Without decryption, the traffic may remain as 'incomplete' if the payload is encrypted. Option A is wrong because App-ID updates do not affect classification of encrypted traffic without decryption.

Option B is wrong because policy configuration does not cause incomplete classification. Option C is wrong because asymmetric routing can cause incomplete, but it is less common than lack of decryption in this scenario.

54
MCQeasy

A school district wants to allow YouTube for Education (a subcategory of YouTube) but block general YouTube traffic. The firewall uses URL filtering and App-ID. Currently, all YouTube traffic is identified as 'youtube' application, and the URL filtering category is 'educational-videos' for the education version. The administrator creates a security rule that allows application 'youtube' and URL category 'educational-videos'. However, all YouTube traffic is being blocked. What is the most likely cause?

A.The rule must also specify the source zone.
B.The application 'youtube' matches all YouTube traffic, so the URL category does not further filter because the application is matched first.
C.The URL category is not being applied because the traffic is encrypted and SSL decryption is not enabled.
D.The URL filtering license is not installed or expired.
AnswerC

Without decryption, the firewall cannot see the URL, so the URL category condition never matches.

Why this answer

Option C is correct: YouTube traffic uses HTTPS, and without SSL decryption, the firewall cannot inspect the URL. Therefore, the URL category condition fails, and the rule does not match. The traffic is then denied by a default deny rule.

Option A is wrong because zones are configured. Option B is wrong because application and URL category are ANDed; the issue is decryption, not logic. Option D is wrong because the URL filtering license is required but typically already in place.

55
Matchingmedium

Match each decryption type to its description.

SSL Forward Proxy: Decrypts outbound traffic to inspect it
SSL Inbound Inspection: Decrypts inbound traffic to servers
SSH Proxy: Decrypts SSH traffic for policy enforcement
No Decrypt: Traffic bypasses decryption
Decryption Port Mirror: Sends decrypted traffic to a monitoring tool

Why these pairings

These are the decryption options in Palo Alto Networks firewalls. SSL Forward Proxy sits between internal clients and external servers and presents a server certificate signed by the firewall's forward-trust CA, so clients must trust that CA. SSL Inbound Inspection uses the internal server's own certificate and private key, imported onto the firewall, to decrypt sessions destined for that server. SSH Proxy decrypts SSH so that policy can distinguish, for example, an interactive shell from port forwarding (ssh-tunnel). No Decrypt is the decryption policy action that leaves matching sessions encrypted; a no-decryption profile can still block sessions with expired certificates or untrusted issuers. Decryption Port Mirror copies decrypted sessions out of a dedicated interface to an external monitoring or forensics tool.

56
MCQeasy

A network administrator wants to allow only specific applications such as 'facebook-base' and 'youtube' while blocking all other applications. Which type of security rule should be used to achieve this?

A.Create a security rule with application conditions set to 'facebook-base' and 'youtube' and action set to 'allow'.
B.Create a security rule with destination port 80 and 443 and action set to 'allow'.
C.Create a security profile that blocks all applications not in the allow list.
D.Create a URL filtering rule to allow 'social-networking' and 'multimedia' categories.
AnswerA

This rule allows only the specified applications.

Why this answer

Option A is correct because App-ID lets a security rule allow traffic by application identity regardless of port: list 'facebook-base' and 'youtube' with action allow, and every other application between those zones falls through to the interzone default rule, which denies. No explicit block rule is needed for interzone traffic; the intrazone default is allow, so traffic inside one zone needs an explicit deny if it must be blocked too. Before relying on this, check the application's dependency list under Objects > Applications: some applications must be allowed together with the protocol they run over, such as web-browsing or ssl.

Exam trap

The trap here is that candidates often confuse port-based rules (Option B) with application-based rules, assuming that allowing ports 80/443 is sufficient to control application access, but App-ID is required to distinguish between applications using the same port.

How to eliminate wrong answers

Option B is wrong because allowing destination ports 80 and 443 would permit all HTTP/HTTPS traffic, including applications like 'facebook-base' and 'youtube', but it would also allow many other web-based applications (e.g., 'twitter', 'dropbox'), failing to block them. Option C is wrong because security profiles (e.g., Antivirus, Vulnerability Protection) do not control which applications are allowed or blocked; they inspect traffic that is already permitted by the security rule's action. Option D is wrong because URL filtering rules control access based on URL categories, not application identities; 'social-networking' and 'multimedia' categories would include many applications beyond just 'facebook-base' and 'youtube', and URL filtering cannot enforce application-level granularity like App-ID can.

57
Multi-Selecteasy

A security administrator needs to block an application that uses multiple ports, including dynamic ports. Which of the following methods can be used to block this application using App-ID? (Choose two.)

Select 2 answers
A.Create an application override to force identification of the application on all ports.
B.Create a security rule with the application set to the malicious application and action Deny.
C.Use decryption to inspect the application content.
D.Create a custom application with multiple default ports.
E.Create a security rule with the destination port range that covers all possible ports.
AnswersB, D

Correct: Denying by application blocks the traffic regardless of port.

Why this answer

Option B is correct because a security rule that matches on the application denies the traffic wherever App-ID identifies it, whatever port the session uses, so dynamic ports need no enumeration. Option D is correct because a custom application can list several default ports, which tells App-ID where to expect the application and lets the rule's 'application-default' service setting work; the deny decision itself still rests on application identity, not port. Option A is wrong because an application override rule is tied to a specific protocol and port and cannot be written for 'all ports'. Option C is wrong because decryption makes content visible but blocks nothing on its own. Option E is wrong because a port range wide enough to cover dynamic ports also blocks every other application on those ports, which is exactly the port-based control App-ID replaces.

58
MCQmedium

A security team is deploying SSL Decryption for inbound traffic to protect against threats hidden in encrypted traffic. However, they want to exclude financial transactions that use client certificates for authentication. What is the best approach?

A.Create a decryption policy rule with a condition matching the client certificate.
B.Create a decryption policy rule that excludes the financial application based on URL category.
C.Use an SSL Forward Proxy decryption profile with 'Exclude Certificate' list.
D.Use a decryption policy rule with 'No Decrypt' action for the financial application.
AnswerD

Correct: This directly excludes traffic identified as the financial application from decryption.

Why this answer

Option D is correct: a decryption policy rule with action No Decrypt excludes the matching sessions from decryption entirely, so the client-certificate handshake reaches the server untouched. Sessions that authenticate with client certificates generally fail through a forward proxy because the firewall cannot present the client's private key, which is why they must be excluded. Decryption policy rules match on zones, addresses, users, URL category and service rather than on an App-ID application (the decrypt-or-not decision is made before the application is known), so in practice the financial application is selected by its server addresses or URL category; the stem's phrase 'for the financial application' should be read that way. Option A is wrong because the client certificate is not a match criterion. Option B describes a weaker form of the same idea; a category is usually broader than the application. Option C is wrong because the decryption profile has no 'Exclude Certificate' list; the SSL Decryption Exclusion list under Device > Certificate Management is keyed by hostname, not certificate.

59
MCQhard

During a security audit, it is discovered that a custom application signature matches too broadly, causing benign traffic to be classified as the custom app. What change should be made to narrow the signature?

A.Remove the protocol field from the signature.
B.Use a wider port range and remove data patterns.
C.Add a data pattern filter to match a specific payload signature.
D.Expand the port range to include more traffic.
AnswerC

Data patterns narrow matching to specific traffic characteristics.

Why this answer

Option C is correct because a data pattern (for example a specific byte sequence or regular expression in the request payload) adds a condition that the benign traffic does not satisfy, so only sessions carrying that payload match the custom application. Option A is wrong because dropping the protocol constraint makes the signature match more traffic. Option B is wrong on both counts: a wider port range with no data pattern is the broadest signature possible.

Option D is wrong because expanding the port range only adds sessions to the match; the port range is not what separates the custom application from benign traffic when no payload condition exists.

60
Multi-Selecthard

Which THREE of the following can cause App-ID to incorrectly identify traffic?

Select 3 answers
A.Multiple security rules are configured for the same traffic.
B.Asymmetric routing causes the firewall to see only one direction of traffic.
C.SSL decryption is not enabled for the traffic.
D.IP fragmentation occurs before the firewall.
E.Traffic is forwarded through an HTTP proxy.
AnswersB, C, D

Asymmetric routing can prevent the firewall from seeing the full session, causing inaccurate identification.

Why this answer

Option B: asymmetric routing means the firewall sees only one direction of the session (for example the client's SYN and data but never the server's reply). App-ID needs both directions to complete the handshake and match signatures, so the session stays 'incomplete' or 'insufficient-data'. Option C: without decryption, App-ID sees only the TLS handshake; the session is identified as 'ssl' (or by a signature on the SNI where one exists) and the application inside the tunnel is never seen. Option D: if fragments are lost or arrive such that the firewall cannot reassemble them, the application headers are incomplete and identification fails. Option A is wrong because several rules matching the same traffic is a policy-ordering matter that does not change how the session is identified. Option E is not counted here: the firewall still inspects the HTTP exchange between client and proxy, although the destination seen in policy becomes the proxy's address.

Exam trap

The trap here is that candidates often dismiss IP fragmentation as rare or harmless. The firewall reassembles fragmented IP packets before inspection, but when fragments are dropped upstream, take different paths or exceed the reassembly limits, App-ID never sees a complete application header and misidentifies the session. MTU mismatches on VPN tunnels make this a real-world cause, not a textbook one.

61
MCQmedium

An organization uses a SaaS application that runs on a dynamic set of IP addresses. The application traffic is currently identified as ssl and not as the specific application. How can the administrator improve application identification for this SaaS application?

A.Disable App-ID for that traffic to reduce overhead.
B.Create a custom application with hostname conditions.
C.Use a port-based application override.
D.Configure a URL filtering category for the application.
AnswerB

Hostname conditions match the SNI in TLS, allowing identification even with dynamic IPs.

Why this answer

Option B is correct: a custom application with a hostname condition (a pattern on the server name in the TLS ClientHello SNI, or on the HTTP Host header once decrypted) identifies the SaaS application by name, so it keeps working as the provider's IP addresses change. Before building the signature, check whether a predefined App-ID already covers the service; Palo Alto Networks ships signatures for many SaaS applications that match on the SNI without decryption. Option C is wrong because a port-based application override ties identity to a port, bypasses App-ID signatures, and cannot separate one SaaS provider's HTTPS from any other's on 443. Option D is wrong because URL categories feed URL filtering, not App-ID.

Option A is wrong because disabling App-ID gives up the identification the administrator is trying to improve.

62
MCQmedium

An engineer checks the application counter and sees that my-custom-app has zero packets, but they expected traffic from 10.0.0.0/24 to 10.1.0.0/24 to be identified as my-custom-app. What is the most likely reason?

A.The traffic is being identified as ssl instead.
B.The application override rule does not have the correct port.
C.The security policy does not allow the traffic.
D.The custom application my-custom-app is not committed.
AnswerB

Correct: an application override rule is matched on zone, address and a required protocol/port; if the port does not match the traffic, the override never fires and the session is identified by ordinary App-ID signatures.

Why this answer

Application override rules are evaluated before App-ID and match on zones, addresses and a mandatory protocol/port pair. If the rule lists a port other than the one the 10.0.0.0/24 to 10.1.0.0/24 traffic actually uses, it never matches, App-ID identifies the session by its normal signatures, and the my-custom-app counter stays at zero. Compare the rule's Protocol/Port field with the application column in the traffic log or with a packet capture. Keep in mind that sessions an override rule does match skip App-ID content inspection and most threat signatures, so override rules should be as narrow as possible.

63
MCQeasy

A company uses a Palo Alto Networks firewall with App-ID enabled. They have a custom application that communicates over TCP port 5001. The administrator has created a custom App-ID signature and a security rule that allows this application from the internal zone (trust) to the external zone (untrust). Users report that the custom application traffic is being blocked. The administrator checks the traffic logs and sees that the sessions are being matched to a different security rule that denies any traffic from trust to untrust. The deny rule appears before the custom allow rule in the policy list. The custom App-ID signature is properly defined and tested. What should the administrator do to resolve this issue?

A.Modify the custom App-ID signature to match more precisely.
B.Create an application override for the custom application.
C.Add a virtual wire interface to ensure traffic reaches the firewall.
D.Reorder the security rules so the custom allow rule is above the deny rule.
AnswerD

Placing the more specific allow rule before the broad deny rule ensures the traffic matches the correct rule.

Why this answer

Option D is correct because security policy is evaluated top down and the first matching rule wins; the broad deny above the specific allow matches first, so the allow rule is shadowed and never reached. Moving the custom allow rule above the deny rule (or narrowing the deny) lets the traffic match it. PAN-OS reports a shadowed rule as a warning at commit time, and the traffic log's rule column shows which rule actually matched, which is how the administrator found this. Option A is wrong because the custom signature is already correctly defined.

Option B is wrong because application override is not needed; the signature works. Option C is wrong because the traffic is reaching the firewall, as shown by the logs.
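Questions 56, 59 and 63 all come down to two mechanics: how a signature decides what a session is, and how first-match policy then decides what happens to it. The Python below is an added illustration written for this page, not PAN-OS code; it models only the fields those questions discuss (zones, protocol and port, a payload pattern, application identity, action) and applies the PAN-OS defaults of interzone deny and intrazone allow. The application names, zones, rule names and the sample payloads are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added illustration for questions 56, 59 and 63. Constructed for this page;
# not PAN-OS code, and far simpler than the real App-ID engine.


@dataclass(frozen=True)
class Signature:
    app: str
    protocol: str
    ports: frozenset                   # default ports the custom app may use
    pattern: Optional[bytes] = None    # regex over the payload; None = port alone


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    protocol: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str                      # "any" or a zone name
    dst_zone: str
    apps: frozenset                    # frozenset({"any"}) matches every application
    action: str                        # "allow" or "deny"


def identify(flow: Flow, signatures: list) -> str:
    """Return the first signature whose protocol, port and (if set) payload pattern
    all match; otherwise a generic label, as App-ID does with unknown-tcp."""
    for sig in signatures:
        if sig.protocol != flow.protocol or flow.dst_port not in sig.ports:
            continue
        if sig.pattern is None or re.search(sig.pattern, flow.payload):
            return sig.app
    return f"unknown-{flow.protocol}"


def _zone_covers(rule_zone: str, zone: str) -> bool:
    return rule_zone == "any" or rule_zone == zone


def evaluate(flow: Flow, app: str, rules: list) -> tuple:
    """First match, top down. If no rule matches, apply the PAN-OS defaults:
    interzone traffic is denied, intrazone traffic is allowed."""
    for rule in rules:
        if (_zone_covers(rule.src_zone, flow.src_zone)
                and _zone_covers(rule.dst_zone, flow.dst_zone)
                and ("any" in rule.apps or app in rule.apps)):
            return rule.name, rule.action
    if flow.src_zone == flow.dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def shadowed_rules(rules: list) -> list:
    """Names of rules that can never match because an earlier rule already matches
    every session they could match (question 63's situation)."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            zones_ok = (_zone_covers(earlier.src_zone, later.src_zone)
                        and _zone_covers(earlier.dst_zone, later.dst_zone))
            apps_ok = "any" in earlier.apps or later.apps <= earlier.apps
            if zones_ok and apps_ok:
                out.append(later.name)
                break
    return out


# Constructed sample sessions on TCP/5001, the custom application's port in question 63.
BENIGN = Flow("trust", "untrust", "tcp", 5001, b"GET / HTTP/1.1\r\nHost: x\r\n")
CUSTOM = Flow("trust", "untrust", "tcp", 5001, b"MYAPP/1.0 HELLO session=1")

# Question 59: a port-only signature overmatches; a payload pattern narrows it.
BROAD_SIG = Signature("my-custom-app", "tcp", frozenset({5001}))
NARROW_SIG = Signature("my-custom-app", "tcp", frozenset({5001}), rb"^MYAPP/1\.\d ")

# Question 63: a broad deny placed above the specific allow shadows it.
DENY_ALL = Rule("deny-trust-untrust", "trust", "untrust", frozenset({"any"}), "deny")
ALLOW_CUSTOM = Rule("allow-my-custom-app", "trust", "untrust", frozenset({"my-custom-app"}), "allow")

# Question 56: allow only two applications; everything else hits the interzone default.
ALLOW_SOCIAL = Rule("allow-social", "trust", "untrust", frozenset({"facebook-base", "youtube"}), "allow")

if __name__ == "__main__":
    print(identify(BENIGN, [BROAD_SIG]), identify(BENIGN, [NARROW_SIG]), identify(CUSTOM, [NARROW_SIG]))
    print(evaluate(CUSTOM, "my-custom-app", [DENY_ALL, ALLOW_CUSTOM]), shadowed_rules([DENY_ALL, ALLOW_CUSTOM]))
    print(evaluate(CUSTOM, "my-custom-app", [ALLOW_CUSTOM, DENY_ALL]), shadowed_rules([ALLOW_CUSTOM, DENY_ALL]))
    print(evaluate(Flow("trust", "untrust", "tcp", 443, b""), "dropbox", [ALLOW_SOCIAL]))
```

Running it shows the benign HTTP request being tagged my-custom-app under the port-only signature and unknown-tcp once the payload pattern is added, the custom session hitting deny-trust-untrust until the rules are reordered, and dropbox falling to the interzone default deny because only facebook-base and youtube are listed. shadowed_rules is the check to run over a rulebase before commit, which is what the PAN-OS commit warning does for real.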
