Palo Alto Networks Certified Network Security Engineer (PCNSE) — Question 564
A Firewall Engineer is migrating a legacy firewall to a Palo Alto Networks firewall in order to use features like App-ID and SSL decryption.
Which order of steps is best to complete this migration?
Answer options
- A. First migrate SSH rules to App-ID; then implement SSL decryption.
- B. Configure SSL decryption without migrating port-based security rules to App-ID rules.
- C. First implement SSL decryption; then migrate port-based rules to App-ID rules.
- D. First migrate port-based rules to App-ID rules; then implement SSL decryption.
Correct answer: D
Explanation
The correct answer is D because migrating port-based rules to App-ID rules first allows for better identification of applications, which is essential before implementing SSL decryption. This order ensures that traffic is properly categorized before it is decrypted, enhancing security. Options A, B, and C do not follow this sequence, potentially leading to security gaps or ineffective rule implementation.