Q: 10
A malicious user is attempting to connect to a blocked website by crafting a packet using a fake SNI
and the correct website in the HTTP host header.
Which option will prevent this form of attack?
Options
Discussion
Blocking the session needs SSL Decryption with SNI mismatch action, so D fits best. URL Filtering won't actually prevent, just alert or log. Not 100 percent but labs and docs point to D.
D here, official guide and some hands-on labs stress SSL Decryption for actually blocking these SNI mismatch tricks. URL Filtering can log or flag but won’t stop the session. Pretty sure about D but open if anyone saw different on exam sims.
Why would B work? The attack is about SNI mismatch, not just category filtering.
D tbh. If SNI and server cert don't match, session gets blocked, so that ends this attack. Unless Palo changed something?
It's D here. Only SSL Decryption set to block on SNI mismatch will actually stop the user when they try this packet trick. The others just won't catch it fully, I think.
Maybe C here. Blocking "SNI mismatch with Server Certificate" feels like it covers this, since that's the core of the evasion trick.
I’d say D here. Blocking on SNI mismatch with SSL Decryption actually terminates the connection, so this would prevent the fake SNI attack outright. The other options are mostly for logging or alerting. If anyone's done this in lab and saw a different result let me know.
Pretty sure it's D since blocking on SNI mismatch actually kills the session, not just logs it. C is more about detection or alerting. SSL Decryption with that block action really stops this type of evasion. Open if anyone's seen a trick to get C to fully block though.
I don’t think C is right. D blocks the session at SSL/TLS layer, while C only flags the mismatch for logging, not full prevention. Seen this called out in a few practice reports. D.
C/D? I've seen people get tripped up by C, but prevention needs SSL Decryption like in D I think.
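Added example, not from the thread or from any vendor code: a Python sketch of the check the posters describe for option D. It builds a constructed ClientHello, extracts the SNI, compares it against the server certificate's SANs (constructed) and then against the HTTP Host header; all hostnames and helper names are assumptions for illustration.

```python
# Constructed sample data and hypothetical helpers; illustrates the SNI-mismatch check only.
import struct
from typing import List, Optional

def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying only an SNI extension."""
    host = sni.encode()
    sni_ext = struct.pack("!HB", len(host) + 3, 0) + struct.pack("!H", len(host)) + host
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext          # type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record header

def extract_sni(record: bytes) -> Optional[str]:
    """Walk the ClientHello and return the server_name extension's host, if present."""
    p = 5 + 4 + 2 + 32                                 # record hdr, handshake hdr, version, random
    p += 1 + record[p]                                 # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]   # cipher suites
    p += 1 + record[p]                                 # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]; p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4]); p += 4
        if etype == 0:
            # server_name list: list_len(2) name_type(1) name_len(2) name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode("idna")
        p += elen
    return None

def name_matches(name: str, san: str) -> bool:
    """Match a hostname against a certificate SAN, allowing one left-most wildcard label."""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return "." in name and name.split(".", 1)[1] == san[2:]
    return name == san

def classify(record: bytes, cert_sans: List[str], host_header: str) -> str:
    """Return the verdict a decryption policy with 'block on SNI mismatch' would reach."""
    sni = extract_sni(record)
    if sni is None:
        return "no-sni"
    if not any(name_matches(sni, s) for s in cert_sans):
        return "block: SNI mismatch with server certificate"
    if not name_matches(host_header.split(":")[0], sni):
        return "block: Host header differs from SNI"
    return "allow"
```

A fake SNI for an allowed site still ends up talking to the blocked site's server, whose certificate names only the blocked site, so the first check fires before any HTTP is seen.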