Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 344
Which two policy components are required to block traffic in real time using a dynamic user group (DUG)? (Choose two.)
Answer options
- A. A Decryption policy to decrypt the traffic and see the tag
- B. A Deny policy with the “tag” App-ID to block the tagged traffic
- C. An Allow policy for the initial traffic
- D. A Deny policy for the tagged traffic
Correct answer: C, D
Explanation
The correct options are C and D. An Allow policy is needed to permit the initial traffic, while a Deny policy is required to block traffic that is tagged. The other options, A and B, do not fulfill the requirement for immediate traffic blocking in the context of a dynamic user group.