Palo Alto Networks System Engineer – Strata — Question 18

A customer with a legacy firewall architecture is focused on port and protocol level security, and has heard that next generation firewalls open all ports by default.
What is the appropriate rebuttal that positions the value of a NGFW over a legacy firewall?

Answer options

• A. Palo Alto Networks does not consider port information, instead relying on App-ID signatures that do not reference ports
• B. Default policies block all interzone traffic. Palo Alto Networks empowers you to control applications by default ports or a configurable list of approved ports on a per-policy basis
• C. Palo Alto Networks keep ports closed by default, only opening ports after understanding the application request, and then opening only the application- specified ports
• D. Palo Alto Networks NGFW protects all applications on all ports while leaving all ports opened by default

Correct answer: B

Explanation

The correct answer is B because it accurately describes how Palo Alto Networks' default policies block all interzone traffic while allowing control over applications via default or approved ports. Option A is incorrect as it misrepresents the role of App-ID signatures. Option C is misleading because it doesn't highlight the capability to manage applications at the policy level as effectively as option B does. Option D is incorrect as it contradicts the fundamental security approach of NGFWs.