Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 385
A Security policy rule is configured with a Vulnerability Protection Profile and an action of “Deny”.
Which action will this configuration cause on the matched traffic?
Answer options
- A. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to “Deny”.
- B. The configuration will allow the matched session unless a vulnerability signature is detected. The “Deny” action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile.
- C. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
- D. The Profile Settings section will be grayed out when the Action is set to “Deny”.
Correct answer: A
Explanation
The correct answer is A because a “Deny” action explicitly instructs the firewall to block any sessions that match the rule, so any configured Security Profiles have no effect: profiles only inspect traffic that a rule allows. Answer B is incorrect because a “Deny” rule never allows the matched session, which contradicts the nature of the action. C is wrong because the rule is not skipped, and D misrepresents the behavior of the Profile Settings section.