Demo Palo Alto Networks NetSec-Analyst Exam Questions

Demo practice questions for guest users.

Section: Practice Mode 5 Questions
Demo Practice
Question 1

An analyst is investigating why an App-ID for a custom application is showing as "unknown-tcp" in the Traffic logs. The application is running on port 8080. What is the most likely cause of this identification failure?

Correct Answer: A
Explanation:
When traffic is logged as unknown-tcp or unknown-udp, it indicates that the App-ID engine has inspected the traffic but could not find a matching signature in its database. For proprietary or internal applications, this is the expected behavior unless the analyst has created a Custom Application Signature.
To resolve this, the analyst must capture the packet flow and identify a unique data pattern (signature) within the payload that identifies the application. Once the custom App-ID is created and committed, the firewall will correctly categorize the traffic, allowing the analyst to apply granular security profiles and reporting. Identifying and remediating "unknown" traffic is a key monitoring objective, as it helps eliminate visibility gaps and prevents malicious traffic from "hiding" behind unidentified protocols.
Question 2
An analyst needs to create a security rule to allow access to a specific web application that identifies itself as "web-browsing" but uses a custom, non-standard port of TCP 9000. Which configuration ensures the App-ID engine can still inspect this traffic?
Correct Answer: B
Explanation:
In a Palo Alto Networks environment, the Service column in a security rule defines the destination port used for the initial session establishment. If an application like web-browsing (which typically uses TCP 80 or 443) is running on a non-standard port like TCP 9000, the analyst must create a custom Service object for that port.
Using this custom service object in the security rule allows the session to be established on port 9000 while maintaining full App-ID inspection. This is critical because it allows the firewall to verify that the traffic is actually web-browsing and not a threat masquerading as a web service. Option A is incorrect because "application-default" would restrict the traffic to standard ports only. Option C (Application Override) is incorrect because it would disable Layer 7 inspection entirely, which is a significant security risk. By using a custom service with the correct App-ID, the analyst ensures that security remains granular and effective without disrupting non-standard business applications.
Question 3
An analyst is creating a "Data Pattern" for DLP that needs to match a specific 10-digit customer account number that always starts with the letters "ACC". Which pattern type should be used?
Correct Answer: B
Explanation:
To identify specific, structured text patterns within a data stream, the analyst must use a Regular Expression (Regex). Regex allows for the definition of precise strings and numerical sequences.
In this scenario, the analyst would define a Regex such as ^ACC[0-9]{7}$ to capture exactly what is needed. This objective is fundamental to effective Data Loss Prevention (DLP), as it allows the organization to protect its unique, proprietary data formats that are not covered by standard predefined patterns like credit card numbers. By creating granular custom patterns, the analyst can prevent the exfiltration of sensitive internal documents while minimizing the false positives that occur with overly broad search terms.
