Palo Alto Networks Certified Network Security Administrator (PCNSA) — Question 268
The compliance officer requests that all evasive applications be blocked on all perimeter firewalls facing the internet. The firewall is configured with two zones:
1. trust for internal networks
2. untrust to the internet
Based on the capabilities of the Palo Alto Networks NGFW, what are two ways to configure a security policy using App-ID to comply with this request? (Choose two.)
Answer options
- A. Create a deny rule at the top of the policy from trust to untrust with service application-default and add an application filter with the evasive characteristic
- B. Create a deny rule at the top of the policy from trust to untrust over any service and select evasive as the application
- C. Create a deny rule at the top of the policy from trust to untrust with service application-default and select evasive as the application
- D. Create a deny rule at the top of the policy from trust to untrust over any service and add an application filter with the evasive characteristic
Correct answer: A, D
Explanation
Option A is correct because it blocks evasive applications with an application filter that matches on the evasive characteristic, using the application-default service. Option D is also correct: it uses the same application filter but matches any service, which still meets the requirement. Options B and C do not use an application filter; since "evasive" is an application characteristic rather than an App-ID application entry, it cannot be selected directly as the application, so a filter is necessary to identify and block evasive applications.