An application filter is a dynamic object used to group applications based on their attributes, such as category, subcategory, technology, and risk factor. To block all high-risk applications, an administrator would create an application filter that matches applications with a risk level of 4 (high) and 5 (critical). This filter can then be referenced in a Security policy rule with a "deny" action. This approach is superior to a static group because the filter automatically updates to include new applications that Palo Alto Networks identifies as high-risk in subsequent content updates, ensuring the policy remains effective without manual intervention.

A. A HIP profile is used with GlobalProtect to assess the security status of an endpoint and grant network access based on compliance, not to classify applications.

C. An application group is a static, manually defined list of applications. It would not automatically include new applications identified as high-risk in the future.

D. A Vulnerability Protection profile is a security profile used to detect and prevent exploits targeting software vulnerabilities within allowed traffic, not to block applications based on risk.

1. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: In the section "Objects > Application Filters

" it states

"Create application filters to dynamically group applications by application attribute... For example

you can create a filter that includes all applications that have a high risk factor and then use that filter to block access to those applications." This directly supports the use of an application filter for the described task.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: The section "Objects > Application Groups" describes them as "static groups of applications that you can use in policies

" which contrasts with the dynamic nature required to block all high-risk applications

including future ones.

3. Palo Alto Networks PAN-OS® Administrator’s Guide 10.2: The chapter on "Security Profiles" explains that a "Vulnerability Protection" profile "protects your network from attacks that target system vulnerabilities." This confirms its purpose is exploit prevention

not application control by risk category.