Prevention Posture Assessment (PPA)
The PPA is a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture. The PPA not only helps identify security risks, it also provides detailed suggestions on how to prevent the risks and close the gaps. The assessment, guided by an experienced Palo Alto Networks sales engineer, helps determine the areas of greatest risk where you should focus prevention activities. You can run the PPA on firewalls and on Panorama.
Best Practice Assessment (BPA) Tool
The BPA for next-generation firewalls and Panorama evaluates a device's configuration by measuring the adoption of capabilities, validating whether the policies adhere to best practices, and providing recommendations and instructions for how to remediate failed best practice checks.
The Security Policy Adoption Heatmap component filters the information by device groups, serial numbers, zones, areas of architecture, and other categories. The results include trending data, which shows the rate of security improvement as you adopt new capabilities, fix gaps, and progress toward a Zero-Trust network.
The BPA component performs more than 200 security checks on a firewall or Panorama configuration and provides a pass/fail score for each check. Each check is a best practice identified by Palo Alto Networks security experts. If a check returns a failing score, the tool provides the justification for the failing score and how to fix the issue.
In anti-malware, what does false positive mean?
a false positive incorrectly identifies a legitimate file or application as malware
In anti-malware, what does false negative mean?
a false negative incorrectly identifies malware as a legitimate file or application
Software as a Service (SaaS)
Customers are provided access to an application running on a cloud infrastructure. The application is accessible from various client devices and interfaces, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer may have access to limited user-specific application settings, and security of the customer data is still the responsibility of the customer.
Platform as a Service (PaaS)
Customers can deploy supported applications onto the provider's cloud infrastructure, but the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over the deployed applications and limited configuration settings for the application-hosting environment. The customer owns the deployed applications and data, and is therefore responsible for the security of those applications and data.
Infrastructure as a Service (IaaS)
Customers can provision processing, storage, networks, and other computing resources and deploy and run operating systems and applications. However, the customer has no knowledge of, and does not manage or control, the underlying cloud infrastructure. The customer has control over operating systems, storage, and deployed applications, along with some networking components (for example, host firewalls). The customer owns the deployed applications and data, and is therefore responsible for the security of those applications and data.
Palo Alto Networks Security Operating Platform
A purpose-built, fully integrated cybersecurity approach that helps organizations get control of their networks and protect critical assets.
Which three options are key components of Security Operating Platform?
1- Network Security
2- Advanced Endpoint Protection
3- Cloud Security
What are the essential functional requirements for an effective NGFW?
1- Application Identification - Accurately identify applications regardless of port, protocol, evasive techniques or encryption. Provide visibility of applications and granular policy-based control over applications, including individual application functions.
2- User identification - Accurately identify users and subsequently use identity information as an attribute for policy control.
3- Content identification - Control traffic based on complete analysis of all allowed traffic, using multiple threat prevention and data loss prevention techniques in a single-pass architecture that fully integrates all security functions.
Applications and Threats content
Applications and Threats content updates deliver the very latest application and threat signatures to the firewall. The applications portion of the package includes new and modified App-IDs and does not require a license. The full Applications and Threats content package, which also includes new and modified threat signatures, requires a Threat Prevention license. As the firewall automatically retrieves and installs the latest application and threat signatures (based on your custom settings), it starts enforcing security policy based on the latest App-IDs and threat protection without any additional configuration.
Security First Posture
An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You are primarily using the firewall for its threat prevention capabilities. Any changes to App-ID that affect how security policy enforces application traffic are secondary.
Mission-critical security posture
A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero tolerance for downtime. The firewall is deployed inline to enforce security policy, and if you are using App-ID in security policy, any change that a content release introduces that affects App-ID could cause downtime.
Palo Alto Networks NGFWs use a positive enforcement model. What does that mean?
An important point to highlight is that Palo Alto Networks NGFWs use a positive enforcement model, which means that all traffic can be denied except the applications that are expressly allowed via policy. Because anything not explicitly allowed falls through to the deny, unknown traffic can be easily blocked or tightly controlled.
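To make the difference concrete, here is a small first-match policy evaluator that runs the same sessions through a positive (allow-list) policy and a negative (deny-list) policy. This is an added example and not Palo Alto Networks code; the rule names, zone names and the simplification that a session's user field already holds the User-ID group it resolved to are assumptions.

```python
"""Toy first-match security-policy evaluator contrasting a positive enforcement
model (only expressly allowed applications pass, everything else hits the
implicit deny) with a negative one (everything passes except a deny-list).
Added example; rule, zone and group names are made up."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str
    to_zone: str
    applications: frozenset   # App-IDs matched, or {ANY}
    users: frozenset          # User-ID users/groups matched, or {ANY}
    action: str               # "allow" or "deny"


@dataclass(frozen=True)
class Session:
    from_zone: str
    to_zone: str
    application: str   # as identified by App-ID; "unknown-tcp" when it cannot be identified
    user: str          # simplification: the user or group User-ID resolved the source IP to


def _matches(rule, s):
    return (rule.from_zone in (ANY, s.from_zone)
            and rule.to_zone in (ANY, s.to_zone)
            and (ANY in rule.applications or s.application in rule.applications)
            and (ANY in rule.users or s.user in rule.users))


def evaluate(policy, session):
    """Return (rule name, action) of the first matching rule. With no match the
    session falls through to the implicit interzone-default rule, which denies."""
    for rule in policy:
        if _matches(rule, session):
            return rule.name, rule.action
    return "interzone-default", "deny"


# Positive enforcement: name what is allowed and rely on the implicit deny for the rest.
POSITIVE_POLICY = [
    Rule("allow-dns", "trust", "untrust", frozenset({"dns"}), frozenset({ANY}), "allow"),
    Rule("allow-web", "trust", "untrust", frozenset({"web-browsing", "ssl"}),
         frozenset({"domain-users"}), "allow"),
]

# Negative enforcement: block a few known-bad applications and allow everything else.
NEGATIVE_POLICY = [
    Rule("block-p2p", "trust", "untrust", frozenset({"bittorrent"}), frozenset({ANY}), "deny"),
    Rule("allow-rest", "trust", "untrust", frozenset({ANY}), frozenset({ANY}), "allow"),
]

# Constructed sessions. Note the unidentified one: App-ID could not name the application.
UNKNOWN = Session("trust", "untrust", "unknown-tcp", "domain-users")
WEB = Session("trust", "untrust", "web-browsing", "domain-users")
CONTRACTOR_WEB = Session("trust", "untrust", "web-browsing", "contractors")
P2P = Session("trust", "untrust", "bittorrent", "domain-users")

if __name__ == "__main__":
    for label, policy in (("positive", POSITIVE_POLICY), ("negative", NEGATIVE_POLICY)):
        for s in (UNKNOWN, WEB, CONTRACTOR_WEB, P2P):
            print(f"{label:8} {s.application:13} {s.user:13} -> {evaluate(policy, s)}")
```

The unidentified session is the one to watch: under the positive policy it is denied without anyone having written a rule for it, while under the negative policy it sails through the catch-all allow. The same holds for the contractor's web session, which no explicit rule covers.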
Authentication events. Monitoring of the authentication events on a network allows User-ID to associate a user with the IP address of the device from which the user logs in to enforce policy on the firewall. User-ID can be configured to monitor authentication events for:
1-Microsoft Active Directory: User-ID constantly monitors domain controller event logs to identify users when they log on to the domain. When a user logs on to the Windows domain, a new authentication event is recorded on the corresponding Windows domain controller. By remotely monitoring the authentication events on Windows domain controllers, User-ID can recognize authentication events to identify users on the network for creation and enforcement of policy.
2-Microsoft Exchange Server: User-ID can be configured to constantly monitor Microsoft Exchange logon events produced by clients accessing their email. Using this technique, even Mac OS X, Apple iOS, and Linux/UNIX client systems that don't directly authenticate to Microsoft Active Directory can be discovered and identified.
3-Novell eDirectory: User-ID can query and monitor logon information to identify users and group memberships via standard lightweight directory access protocol (LDAP) queries on Novell eDirectory servers.
User authentication. This technique allows organizations to configure a challenge-response authentication sequence to collect user and IP address information, using the following tools:
1-Captive Portal: In cases where administrators need to establish rules under which users are required to authenticate to the firewall prior to accessing the internet, Captive Portal can be deployed. Captive Portal is used in cases where the user cannot be identified using other mechanisms. In addition to an explicit username and password prompt, Captive Portal can also be configured to send an NT LAN Manager (NTLM) authentication request to the web browser to make the authentication process transparent to the user.
2-GlobalProtect: Users logging in to the network with GlobalProtect (discussed in Section 3.3.2) provide user and host information to the firewall that, in turn, can be used for policy control.
Syslog listener
The agent runs a syslog listener on a designated port that can parse the syslog messages and convert the information into appropriate User-ID mappings.
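The domain-controller monitoring above and the syslog listener here both reduce to the same job: recognize a logon event, pull the username and the client address out of it, and keep the resulting IP-to-user mapping until it times out. The example below implements that with per-source parse profiles (an event regex, a username regex and an address regex, mirroring the fields of a syslog parse profile). It is an added example, not the User-ID agent's code; the log line formats, profile names and the 45-minute mapping lifetime are constructed assumptions.

```python
"""Build User-ID style IP-to-user mappings from authentication events.
Each source has a parse profile: event regex (is this a logon?), username regex
and address regex. Added example with constructed log lines; the profile names,
line formats and timeout are assumptions, not real agent output."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ParseProfile:
    name: str
    event_regex: str      # the line must match this to count as a logon event
    username_regex: str   # group 1 captures the user
    address_regex: str    # group 1 captures the client IPv4 address


IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

PROFILES = [
    # Hypothetical flattening of a Windows 4624 (successful logon) security event.
    ParseProfile("windows-dc-logon", r"EventID=4624\b",
                 r"Account Name:\s*(\S+)",
                 r"Source Network Address:\s*" + IPV4),
    # Hypothetical VPN concentrator syslog message received by the listener.
    ParseProfile("vpn-syslog", r"\bLOGIN_OK\b",
                 r"\buser=([^\s,]+)",
                 r"\bsrc=" + IPV4),
]


class UserIDMapper:
    def __init__(self, timeout_seconds=45 * 60):   # assumed mapping lifetime
        self.timeout = timeout_seconds
        self.mappings = {}   # ip -> (user, expiry time)

    def ingest(self, line, now):
        """Return (ip, user) if the line produced a mapping, else None."""
        for p in PROFILES:
            if not re.search(p.event_regex, line):
                continue
            u = re.search(p.username_regex, line)
            a = re.search(p.address_regex, line)
            if not (u and a):
                return None   # logon without a usable client address (console logon, "-")
            user = u.group(1).lower()
            if user.endswith("$"):
                return None   # machine account, not a person: skip
            user = user.split("\\")[-1]   # drop a DOMAIN\ prefix if present
            self.mappings[a.group(1)] = (user, now + self.timeout)
            return a.group(1), user
        return None

    def lookup(self, ip, now):
        """Current user for ip, expiring stale entries lazily."""
        entry = self.mappings.get(ip)
        if entry is None:
            return None
        user, expires = entry
        if now >= expires:
            del self.mappings[ip]
            return None
        return user


# Constructed sample events: (seconds since start, raw line).
SAMPLE_EVENTS = [
    (0,  "EventID=4624 Logon Type: 3 Account Name: ACME\\jdoe Source Network Address: 10.1.1.50"),
    (5,  "EventID=4624 Logon Type: 3 Account Name: WS01$ Source Network Address: 10.1.1.51"),
    (10, "<134>Mar 1 09:00:10 vpn1 sslvpn: LOGIN_OK user=alice src=10.1.2.7 realm=corp"),
    (20, "EventID=4624 Logon Type: 2 Account Name: admin Source Network Address: -"),
    (30, "<134>Mar 1 09:00:30 vpn1 sslvpn: LOGIN_FAIL user=mallory src=10.1.2.9"),
]


def build_mapper(events=SAMPLE_EVENTS, timeout_seconds=45 * 60):
    m = UserIDMapper(timeout_seconds)
    for t, line in events:
        m.ingest(line, t)
    return m


if __name__ == "__main__":
    m = build_mapper()
    for ip in ("10.1.1.50", "10.1.1.51", "10.1.2.7", "10.1.2.9"):
        print(ip, "->", m.lookup(ip, 100))
```

Two details matter in practice and are handled above: a machine account (`WS01$`) or a logon with no network address must not create a mapping, and a mapping has to expire, otherwise policy keeps treating a reassigned IP address as the previous user. A failed logon (`LOGIN_FAIL`) never matches the event regex and so never maps anything.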
Traffic logs
These logs display an entry for the start and end of each session. Each entry includes the following information: date and time; source and destination zones, addresses, and ports; application name; security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason.
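The fields listed above are what a policy reviewer works from. The following added example parses a constructed, simplified traffic log with exactly those fields and extracts the two things most often wanted from it: sessions that fell through to the implicit deny (candidates for a new allow rule, or confirmation that the deny is intended) and bytes per application. It is not PAN-OS's own log format, which carries many more columns; the column order and the sample rows are assumptions.

```python
"""Parse constructed, simplified traffic-log records (the fields listed in the
text: time, zones, addresses, ports, application, rule, action, interfaces,
bytes, session end reason) and summarize them. Added example; not the real
PAN-OS traffic-log column layout."""
import csv
import io
from collections import Counter

FIELDS = ["time", "from_zone", "to_zone", "src", "dst", "sport", "dport",
          "app", "rule", "action", "ingress_if", "egress_if", "bytes", "end_reason"]

# Constructed sample rows, one per session.
SAMPLE = """\
2024-03-01 09:00:01,trust,untrust,10.1.1.50,93.184.216.34,51000,443,ssl,allow-web,allow,ethernet1/2,ethernet1/1,18240,tcp-fin
2024-03-01 09:00:02,trust,untrust,10.1.1.50,93.184.216.34,51001,80,web-browsing,allow-web,allow,ethernet1/2,ethernet1/1,5120,tcp-fin
2024-03-01 09:00:03,trust,untrust,10.1.1.77,198.51.100.9,51002,6881,bittorrent,interzone-default,deny,ethernet1/2,ethernet1/1,0,policy-deny
2024-03-01 09:00:04,trust,dmz,10.1.1.77,10.2.0.10,51003,8443,unknown-tcp,interzone-default,deny,ethernet1/2,ethernet1/3,0,policy-deny
2024-03-01 09:00:05,trust,untrust,10.1.1.50,203.0.113.5,51004,443,ssl,allow-web,allow,ethernet1/2,ethernet1/1,2048,threat
"""


def parse_traffic_log(text):
    """Return one dict per record with bytes converted to int."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        if None in rec or rec["end_reason"] is None:
            raise ValueError(f"malformed record: {rec}")   # wrong column count
        rec["bytes"] = int(rec["bytes"])
        rows.append(rec)
    return rows


def implicit_deny_hits(rows):
    """Sessions that matched no explicit rule and were denied by interzone-default."""
    return [(r["src"], r["dst"], r["dport"], r["app"])
            for r in rows if r["rule"] == "interzone-default"]


def bytes_by_app(rows):
    """Total bytes per App-ID across all sessions, most to least."""
    c = Counter()
    for r in rows:
        c[r["app"]] += r["bytes"]
    return c


def sessions_ended_by_threat(rows):
    """Allowed sessions the firewall cut short because a security profile fired."""
    return [r for r in rows if r["end_reason"] == "threat"]


if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE)
    print("implicit deny hits:", implicit_deny_hits(rows))
    print("bytes by app:", bytes_by_app(rows).most_common())
    print("ended by threat:", [(r["src"], r["dst"]) for r in sessions_ended_by_threat(rows)])
```

The `threat` end reason is the hook between this log and the threat log: the session was allowed by policy, but a security profile attached to that rule stopped it, so the matching detail lives in the threat log entry for the same flow.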
Threat logs
These logs display entries when traffic matches one of the security profiles attached to a security rule on the firewall. Each entry includes the following information: date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level.
URL Filtering logs
These logs display entries for traffic that matches URL Filtering Profiles attached to security rules. For example, the firewall generates a log if a rule blocks access to specific websites and website categories or if you configured a rule to generate an alert when a user accesses a website.
WildFire Submissions logs
The firewall forwards samples (files and em