Palo Alto Networks SSE Engineer — Question 7
A malicious user is attempting to connect to a blocked website by crafting a TLS connection with a fake SNI while placing the real website in the HTTP Host header.
Which option will prevent this form of attack?
Answer options
- A. Advanced Threat Prevention option to block “Domain Fronting”
- B. Advanced URL Filtering and block the “Malicious Behavior” category
- C. Advanced URL Filtering and block “SNI mismatch with Server Certificate (SAN/CN)”
- D. SSL Decryption to “Block sessions on SNI mismatch with Server Certificate (SAN/CN)”
Correct answer: D
Explanation
The correct answer is D because SSL Decryption lets the firewall inspect the SNI and verify that it matches the server certificate (SAN/CN), blocking any session where the two do not match. Option A addresses a different type of threat, B focuses on blocking general malicious behavior, and C does not provide the decryption needed to validate the SNI against the certificate.