A security administrator notices that traffic to a specific website is being denied. The traffic log shows that the application is 'ssl' and the action is 'deny' with the rule being 'Allow-SSL'. What is the most likely cause?
Application-default restricts matching to the default port (443 for ssl), so port 8443 traffic does not match.
Why this answer
The security rule 'Allow-SSL' has its 'service' set to 'application-default', so it permits the 'ssl' application only on that application's default port (TCP 443). Because the website listens on port 8443, the session does not satisfy the rule's service condition. App-ID still identifies the traffic correctly as 'ssl', but the service constraint keeps the allow rule from applying, so the traffic falls through and is logged with action 'deny'.
Exam trap
The trap here is that candidates assume the 'Allow-SSL' rule should match all SSL traffic regardless of port, but Cisco tests the nuance that 'application-default' restricts the rule to the application's default port only, so the same 'ssl' traffic on a non-standard port such as 8443 is denied.
How to eliminate wrong answers
Option A is wrong because a blacklist would cause traffic to be denied by a different rule (e.g., a block rule based on IP), not by a rule named 'Allow-SSL' that is explicitly allowing SSL traffic. Option B is wrong because the rule is being matched (the log shows rule 'Allow-SSL'), so its position in the rulebase is irrelevant; the issue is that the rule's service condition is not satisfied. Option D is wrong because an expired SSL certificate would cause browser warnings or TLS handshake failures, but the firewall would still allow the traffic if the rule matches; the firewall does not validate certificate expiration at the rule enforcement level.