Question 46 Discussion
Comments
Selected Answers: A
A. Advanced Threat Prevention option to block "Domain Fronting"
The attack described is Domain Fronting — using a fake SNI to bypass initial filters while placing the real blocked destination in the HTTP Host header. Advanced Threat Prevention detects the mismatch between the SNI and the HTTP Host header and blocks the session via Anti-Spyware signature Threat ID 86467.
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes/features-introduced-in-pan-os/content-inspection-features
Options C and D are incorrect because they only compare the SNI against the Server Certificate, not against the HTTP Host header inside the payload.
Option B is incorrect because Malicious Behavior URL category filtering doesn't specifically inspect the SNI-to-Host-Header relationship.
Selected Answers: A
Here's why:
Domain Fronting Detection: Palo Alto Networks firewalls, with Advanced Threat Prevention, can detect and block "domain fronting," which is also known as SNI spoofing. This technique involves a malicious user crafting a packet to indicate a fake website in the SNI field while connecting to a different, often blocked, website via the HTTP Host Header. The firewall identifies this discrepancy, generating a threat log as a spyware signature. This capability protects against malware distribution and evasion techniques.
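The SNI-versus-Host mismatch both answers above describe, as an added example written for this thread (it is not Palo Alto Networks' code and not the logic behind the signature the first answer cites): a minimal ClientHello SNI parser, an HTTP Host header extractor, and a comparison that flags the mismatch, next to a filter that trusts the SNI alone so the difference in verdict is visible. The ClientHello, the HTTP request and the block list are constructed test data. One caveat worth keeping in mind: the Host header travels inside the TLS payload, so a firewall can only make this comparison on sessions it decrypts; without a decryption policy it sees nothing but the SNI.

```python
"""Detect domain fronting by comparing the TLS SNI with the HTTP Host header.

Added example for this thread, not Palo Alto Networks code. The ClientHello,
the HTTP request and the block list below are all constructed test data.
"""
import struct
from typing import Optional

# Constructed policy: the destination the user is not allowed to reach.
BLOCKED_DOMAINS = {"blocked.example"}


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS ClientHello record carrying an SNI extension (test input)."""
    host = sni.encode("ascii")
    name_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name type 0 = host_name
    server_name_list = struct.pack("!H", len(name_entry)) + name_entry
    sni_ext = struct.pack("!HH", 0, len(server_name_list)) + server_name_list
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                # client_version TLS 1.2
        + b"\x11" * 32             # random, fixed so the sample is deterministic
        + b"\x00"                  # session_id length 0
        + b"\x00\x02\x13\x01"      # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"              # compression_methods: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # TLS record header


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the SNI extension of a ClientHello record, or None."""
    if len(record) < 5 or record[0] != 0x16:
        return None
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                             # client_version + random
        pos += 1 + body[pos]                                     # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]     # cipher_suites
        pos += 1 + body[pos]                                     # compression_methods
        if pos + 2 > len(body):
            return None                                          # no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            ext = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype != 0:                                       # 0 = server_name
                continue
            p = 2                                                # skip server_name_list length
            while p + 3 <= len(ext):
                ntype, nlen = ext[p], struct.unpack("!H", ext[p + 1:p + 3])[0]
                if ntype == 0:
                    return ext[p + 3:p + 3 + nlen].decode("ascii", "replace").lower()
                p += 3 + nlen
    except (IndexError, struct.error):
        return None                                              # truncated or malformed hello
    return None


def extract_http_host(request: bytes) -> Optional[str]:
    """Return the Host header of a (decrypted) HTTP/1.x request, without port, or None."""
    head = request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:                         # skip the request line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"host":
            host = value.strip().decode("ascii", "replace").lower()
            if not host.startswith("["):                         # leave IPv6 literals alone
                host = host.split(":", 1)[0]                     # drop :port
            return host
    return None


def detect_domain_fronting(client_hello: bytes, decrypted_request: bytes) -> dict:
    """Compare the SNI with the Host header; a mismatch is the domain-fronting signal."""
    sni = extract_sni(client_hello)
    host = extract_http_host(decrypted_request)
    return {
        "sni": sni,
        "host": host,
        "domain_fronting": sni is not None and host is not None and sni != host,
    }


def sni_only_verdict(client_hello: bytes) -> str:
    """What a filter that trusts the SNI alone decides: the fake SNI is allowed."""
    return "block" if extract_sni(client_hello) in BLOCKED_DOMAINS else "allow"


def sni_and_host_verdict(client_hello: bytes, decrypted_request: bytes) -> str:
    """What a filter that also inspects the decrypted Host header decides."""
    r = detect_domain_fronting(client_hello, decrypted_request)
    return "block" if r["domain_fronting"] or r["host"] in BLOCKED_DOMAINS else "allow"


# Constructed sample: benign SNI on the wire, blocked site in the Host header.
FRONTED_HELLO = build_client_hello("cdn-allowed.example")
FRONTED_REQUEST = b"GET / HTTP/1.1\r\nHost: blocked.example\r\nUser-Agent: test\r\n\r\n"

if __name__ == "__main__":
    print(detect_domain_fronting(FRONTED_HELLO, FRONTED_REQUEST))
    print("SNI-only filter:", sni_only_verdict(FRONTED_HELLO))
    print("SNI+Host filter:", sni_and_host_verdict(FRONTED_HELLO, FRONTED_REQUEST))
```

Running the module prints the parsed pair ({'sni': 'cdn-allowed.example', 'host': 'blocked.example', 'domain_fronting': True}), "allow" from the SNI-only filter and "block" from the one that also reads the Host header, which is the gap the question is probing. A real inspection engine would of course read the ClientHello off the wire and the request from the decrypted stream rather than from constructed bytes.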
A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI and the correct website in the HTTP host header. Which option will prevent this form of attack? (Choose one answer)