Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 124
A Security policy rule is configured with a Vulnerability Protection Profile and an action of `Deny`.
Which action will this configuration cause on the matched traffic?
Answer options
- A. The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny".
- B. The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
- C. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
- D. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".
Correct answer: D
Explanation
The correct answer is D, as setting the action to `Deny` means the firewall will block any traffic that matches the rule, regardless of the Vulnerability Protection Profile. Options A and C incorrectly state that the configuration is invalid, while option B incorrectly suggests that matched sessions would be allowed unless a vulnerability is detected.