Palo Alto Networks System Engineer – Strata — Question 75
A customer with a legacy firewall architecture focused on port-and-protocol-level security has heard that NGFWs open all ports by default.
Which of the following statements regarding Palo Alto Networks NGFWs is an appropriate rebuttal that explains an advantage over legacy firewalls?
Answer options
- A. They do not consider port information, instead relying on App-ID signatures that do not reference ports.
- B. They protect all applications on all ports while leaving all ports open by default.
- C. They can control applications by application-default service ports or a configurable list of approved ports on a per-policy basis.
- D. They keep ports closed by default, only opening after understanding the application request, and then opening only the application-specified ports.
Correct answer: C
Explanation
Option C is correct because Palo Alto Networks NGFWs can control which applications are allowed to use specific ports, on a per-policy basis, either by application-default service ports or by a configurable list of approved ports. This enhances security by permitting only defined applications through approved ports. Options A and B misrepresent how NGFWs operate, while D describes a different feature that is not the main advantage over legacy firewalls.