Application-ID
What is the result of the Match Usage option?
Match Usage copies all the applications from the Apps Seen list to Apps on Rule, replacing "any" in the Application field so the port-based rule becomes application-based in place.
What are the four major technologies that App-ID uses to identify applications?
1. application signatures 2. unknown protocol decoder 3. known protocol decoders 4. protocol decryption
At least three methods are available for handling traffic that the firewall identifies only as unknown-tcp, unknown-udp, or web-browsing. What are they?
1. create a custom application with a custom signature 2. configure an Application Override policy 3. block unknown-tcp and unknown-udp in a Security policy rule
What are the three Policy Optimizer options for converting a port-based rule to an application-based rule?
1. Create Cloned Rule 2. Add to Rule 3. Match Usage
What is the iterative process for identifying unknown application traffic? (3 steps)
1. create rules to allow or block the applications known to be traversing the firewall 2. create a temporary rule to detect unidentified applications traversing the firewall 3. as applications are identified, create specific rules to allow or block them
What are the three phases of migrating to application-based policy rules?
1. identify the legacy port-based policy rules 2. add application-based rules above the corresponding port-based rules 3. remove the port-based rules
_________ uses multiple techniques to label traffic by application rather than just port
App-ID
If the ____________ is enabled and a Security policy rule denies a web-based application, a browser-based response page is displayed.
Application Block page
The ___________ option creates a new application-based rule and places it in the Security policy directly above the original port-based rule.
Create Cloned Rule
What differs when the firewall examines a UDP packet compared to a TCP packet?
In most cases, all the information the firewall needs to identify UDP traffic is contained in the first packet. For TCP, the application data could reside either in the client's request (for example an HTTP GET) or in the server's reply, so the firewall might have to examine as far as the fifth packet of the session before it can identify the application. If the traffic is encrypted, the firewall must evaluate the administrator-defined Decryption policy to determine what to do next.
To display application dependencies in the web interface, browse to ______
Objects > Applications
The __________ provides a simple workflow to migrate your legacy or port-based Security policy rulebase to an App-ID based rulebase, which improves security by reducing the attack surface and providing information about applications being used.
Policy Optimizer
What is the result of using "Create Cloned Rule"?
The firewall creates a new application-based rule directly above the port-based rule and removes the selected application (e.g. ftp) from the port-based rule's Apps Seen list, because that application is now controlled by the new cloned rule.
What is the result of using "Add to Rule"?
The firewall removes the selected application (e.g. web-browsing) from the port-based rule's Apps Seen list and moves it to the Apps on Rule column; no new rule is created, and the traffic is now controlled by the original rule, which has become application-based.
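The three Policy Optimizer actions above, plus the "rule above the port-based rule" ordering from the migration phases, are easiest to see on a model of the rulebase. The following is an added example written for this page, not Palo Alto Networks code: it keeps a top-down rulebase in memory, feeds it a constructed traffic-log extract to populate Apps Seen, and applies Create Cloned Rule, Add to Rule and Match Usage. All rule names, service names and log rows are made up for the example.

```python
"""
Added example (not Palo Alto Networks code): an offline model of a Security
policy rulebase and the three Policy Optimizer actions on a port-based rule.
Rule names, service objects and the traffic-log extract are constructed.
"""
import csv
import io
from dataclasses import dataclass, field


@dataclass
class Rule:
    name: str
    service: str                 # "any" or a service object such as service-http
    applications: set            # {"any"} marks a port-based rule
    apps_seen: set = field(default_factory=set)   # Policy Optimizer "Apps Seen"


# Constructed traffic-log extract: which App-ID matched which rule.
TRAFFIC_LOG = """rule,app
allow-web,web-browsing
allow-web,facebook-base
allow-web,ftp
allow-dns,dns
"""


def sample_rulebase():
    """Two legacy port-based rules (Application = any), evaluated top-down."""
    return [
        Rule("allow-web", "service-http", {"any"}),
        Rule("allow-dns", "udp-53", {"any"}),   # udp-53: assumed custom service object
    ]


def is_port_based(rule):
    # Policy Optimizer lists a rule under "No App Specified" when Application is any
    return rule.applications == {"any"}


def record_apps_seen(rulebase, log_text):
    """Populate each rule's Apps Seen list from traffic-log rows."""
    by_name = {r.name: r for r in rulebase}
    for row in csv.DictReader(io.StringIO(log_text)):
        by_name[row["rule"]].apps_seen.add(row["app"])


def _index(rulebase, name):
    return next(i for i, r in enumerate(rulebase) if r.name == name)


def create_cloned_rule(rulebase, name, apps, new_name):
    """Create Cloned Rule: app-based clone inserted directly above the original."""
    i = _index(rulebase, name)
    original = rulebase[i]
    apps = set(apps)
    clone = Rule(new_name, original.service, apps)
    rulebase.insert(i, clone)        # above, so it is evaluated before the port rule
    original.apps_seen -= apps       # those apps are now controlled by the clone
    return clone


def add_to_rule(rulebase, name, apps):
    """Add to Rule: replace 'any' on the original rule with the chosen apps."""
    rule = rulebase[_index(rulebase, name)]
    apps = set(apps)
    rule.applications = apps
    rule.apps_seen -= apps           # moved to Apps on Rule
    return rule


def match_usage(rulebase, name):
    """Match Usage: replace 'any' with everything the rule has seen."""
    rule = rulebase[_index(rulebase, name)]
    rule.applications = set(rule.apps_seen)
    rule.apps_seen = set()
    return rule


def first_match(rulebase, app, service):
    """Top-down evaluation: name of the first rule matching app and service."""
    for r in rulebase:
        app_ok = "any" in r.applications or app in r.applications
        svc_ok = r.service in ("any", service)
        if app_ok and svc_ok:
            return r.name
    return None


if __name__ == "__main__":
    rb = sample_rulebase()
    record_apps_seen(rb, TRAFFIC_LOG)
    create_cloned_rule(rb, "allow-web", {"ftp"}, "allow-web-ftp")
    add_to_rule(rb, "allow-web", {"web-browsing", "facebook-base"})
    match_usage(rb, "allow-dns")
    for r in rb:
        print(r.name, sorted(r.applications), "port-based" if is_port_based(r) else "app-based")
```

Note what the model makes visible: after the three actions no rule carries Application = any, so an application that was never seen (say smtp on port 80) no longer matches anything, which is the attack-surface reduction the Policy Optimizer is for. The clone has to sit above the original, otherwise the still-port-based original would match ftp first.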
______ use port blocking to control traffic. To allow a service such as DNS that uses port 53, the traditional firewall is configured to allow port 53 traffic.
Traditional firewalls
Which three statements are true regarding App-ID? (Choose three.) a. It addresses the traffic classification limitations of traditional firewalls. b. It is the Palo Alto Networks traffic classification mechanism. c. It uses multiple identification mechanisms to determine the exact identity of applications traversing the network. d. It still is in the developmental stage and is not yet released.
a, b, c
No App Specified displays ___________?
all port-based Security policy rules
The firewall considers any rule port-based if its Application field is configured as ______
any
In Palo Alto Networks terms, a(n) _________ is a specific program or feature whose communication can be labeled, monitored and controlled
application
A(n) ____________ is an object that dynamically groups applications based on application attributes that you select from the App-ID database.
application filter
A(n) ________________ is a static, administrator-defined set of applications that lets you create a logical grouping of applications which can be applied to Security and QoS policy rules.
application group
An application can be classified in one of two main categories:
applications known to App-ID and applications unknown to App-ID
Which item is the name of an object that dynamically groups applications based on application attributes that you define: Category, Subcategory, Technology, Risk, and Characteristic? a. application b. application filter c. application group d. Application Profile
b
When you create a policy rule to allow an application that has ______, you must also ensure that the firewall allows the other applications on which it depends.
dependent applications (application dependencies)
In most cases, all the information the firewall needs to identify UDP traffic is contained in the _________.
first packet
The Applications & Usage window includes an Apps Seen column that displays a list of all applications that ___________
have been seen and identified by the Security policy rule
For many dependent applications, the App-ID database implicitly allows the required _______, so an administrator does not have to configure additional Security policy rules.
implicit applications
______________ is a set of application decoders that understand the syntax and commands of common applications.
known protocol decoder
The two default predefined services in the Service/URL Category tab are:
service-http and service-https
Application Override also disables Security Profile inspection for the overridden traffic. You still must create a Security policy rule to allow the application to traverse between firewall zones. True or false?
true
Network traffic can shift from one application to another during a session. true or false?
true
The "Add to Rule" option can be riskier because some required applications could be inadvertently missed. True or false?
true
True or false? Application groups can contain applications, filters, or other application groups.
true
True or false? In Palo Alto Networks terms, an application is a specific program or feature that can be detected, monitored, and blocked if necessary.
true
Use the "Match Usage" option only when the rule has seen a small number of well-known applications with legitimate business purposes. True or false?
true
______ attempts to identify the application based on its network behavior.
unknown protocol decoder
Before App-ID identifies traffic as facebook-base, which application does it first identify the traffic as?
web-browsing
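Three of the cards above describe App-ID's per-packet behaviour: UDP is usually identified on the first packet, TCP only once payload arrives after the handshake (possibly not until the server's reply), the label can shift during a session, and facebook-base is first seen as web-browsing. The following toy classifier, added here as an example and not Palo Alto Networks code, walks constructed packet sequences and records each label change. Its "signatures" are illustrative assumptions; real App-ID content is proprietary and far richer.

```python
"""
Added example (not Palo Alto Networks code): a toy App-ID style classifier.
It labels a session packet by packet and records every change of label,
which shows UDP identified on packet 1, TCP identified only after the
handshake, unknown-tcp for unrecognised payload, and the web-browsing ->
facebook-base shift. Signatures and packet contents are constructed.
"""
import re
from dataclasses import dataclass


@dataclass
class Packet:
    proto: str      # "tcp" or "udp"
    dport: int
    payload: bytes  # b"" for pure handshake/ACK packets


# Illustrative "known protocol decoders" (assumption, not real App-ID signatures)
KNOWN_DECODERS = {
    "dns": lambda p: p.proto == "udp" and p.dport == 53 and len(p.payload) >= 12,
    "web-browsing": lambda p: p.proto == "tcp"
    and re.match(rb"^(GET|POST|HEAD) \S+ HTTP/1\.[01]\r\n", p.payload) is not None,
}

# Refinement of a generic web-browsing label once the Host header is visible.
WEB_REFINEMENTS = {
    "facebook-base": re.compile(rb"\r\nHost: (www\.)?facebook\.com\r\n", re.IGNORECASE),
}


def classify_session(packets):
    """Return [(packet_number, app), ...] for every packet where the label changes."""
    app = None          # not yet identified
    history = []
    for n, p in enumerate(packets, start=1):
        if not p.payload:
            continue    # handshake/ACK: nothing for a decoder to look at
        new_app = app
        if app is None or app.startswith("unknown-"):
            # a later payload packet (e.g. the server reply) may still identify it
            for name, test in KNOWN_DECODERS.items():
                if test(p):
                    new_app = name
                    break
            else:
                if app is None:
                    new_app = f"unknown-{p.proto}"
        if new_app != app:
            history.append((n, new_app))
            app = new_app
        if app == "web-browsing":
            for name, pattern in WEB_REFINEMENTS.items():
                if pattern.search(p.payload):
                    history.append((n, name))
                    app = name
                    break
    return history


def identify(packets):
    """Final application label for the session (None if no payload was seen)."""
    hist = classify_session(packets)
    return hist[-1][1] if hist else None


# Constructed sessions
DNS_QUERY = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x07example\x03com\x00\x00\x01\x00\x01"
DNS_SESSION = [Packet("udp", 53, DNS_QUERY)]

HANDSHAKE = [Packet("tcp", 80, b""), Packet("tcp", 80, b""), Packet("tcp", 80, b"")]
FACEBOOK_SESSION = HANDSHAKE + [
    Packet("tcp", 80, b"GET / HTTP/1.1\r\nHost: www.facebook.com\r\n\r\n"),
]
UNKNOWN_SESSION = HANDSHAKE + [Packet("tcp", 80, b"\x00\x01\x02\x03hello")]
LATE_ID_SESSION = HANDSHAKE + [
    Packet("tcp", 80, b"\x00\x01\x02\x03hello"),              # client: unrecognised
    Packet("tcp", 80, b"GET /index HTTP/1.0\r\nHost: x\r\n\r\n"),  # later payload identifies it
]

if __name__ == "__main__":
    for name, sess in [("dns", DNS_SESSION), ("facebook", FACEBOOK_SESSION),
                       ("unknown", UNKNOWN_SESSION), ("late", LATE_ID_SESSION)]:
        print(name, classify_session(sess))
```

The empty handshake packets are why the TCP sessions are not labelled until packet 4 while the DNS session is labelled on packet 1; the late-identification session shows a session leaving unknown-tcp once a later payload packet matches a decoder, which is the shift-within-a-session behaviour that makes a Security policy rule's application match a moving target.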