Which action will this configuration cause on the matched traffic?

A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny."

Which action will this configuration cause on the matched traffic?
A. The Profile Settings section will be grayed out when the Action is set to "Deny".
B. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit.
C. The configuration will allow the matched session unless a vulnerability signature is detected.
D. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny".

Answer: D

Explanation:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/security-profiles.html

The first note in the above link states:

"Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy."

The first thing the firewall checks in its flow is the Security policy match and action. The Security Profile is never evaluated when the traffic matches a rule whose action is set to deny.
