PCNSA Study Guide 86 Questions with Verified Answers
What are the 3 major goals of the Palo Alto Security Operating Platform? - CORRECT ANSWER 1. Prevent successful cyber attacks: operate with ease using best practices. (Prevention focused)
2. Focus on what matters: automate tasks, using context and analytics, to reduce response time and speed deployments. (Highly automated)
3. Consume innovations quickly: improve security effectiveness and efficiency with tightly integrated innovations. (Safely enable applications)
What are the 7 stages of the Cyber-Attack Life Cycle? - CORRECT ANSWER 1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command and Control
7. Act on the Objective
What are the major components of the Palo Alto Security Operating Platform? (1-3) - CORRECT ANSWER 1. Network Security: virtual firewalls (VM-Series), cloud-delivered firewalls (GlobalProtect cloud service), and physical firewalls (PA-Series).
2. Advanced Endpoint Protection: Traps blocks exploits, ransomware, malware, and fileless attacks. Traps uses WildFire cloud-based threat analysis and integrates with PAN-OS.
3. Cloud Security: works with Amazon AWS, Microsoft Azure, and Google Cloud. Delivered by:
Inline security (VM-Series firewall).
API security (Evident).
Host security (Traps).
What are the major components of the Palo Alto Security Operating Platform? (4) - CORRECT ANSWER 4. Cloud-Delivered Security Services:
-AutoFocus - aggregates threat information.
-GlobalProtect cloud service - delivers firewall services from cloud infrastructure.
-URL Filtering - uses PAN-DB.
-WildFire malware analysis - uses shared data and analytics to prevent zero-day exploits.
-MineMeld threat intel sharing - open-source app that aggregates, enforces, and shares threat intelligence.
-Magnifier behavior analytics - uses machine learning to identify anomalies and attacks. Stops targeted attacks, malicious insiders, risky behavior, and compromised endpoints.
What are the major components of the Palo Alto Security Operating Platform? (5-6) - CORRECT ANSWER 5. Application Framework, which consists of:
Infrastructure: a suite of cloud APIs, services, compute, and native access to customer-specific data stores.
6. Logging Service: on-premises log management traditionally has been a chore. The cloud-delivered Logging Service lets you collect large volumes of log data so that apps built on the framework can gain insight from your environment. You can simplify your log infrastructure, automate log management, and use your data to prevent attacks more effectively.
What is the SP3 architecture? - CORRECT ANSWER Single Pass, Parallel Processing: single-pass software running on parallel-processing hardware. Single pass: PAN-OS scans and classifies each packet once (App-ID, User-ID, Content-ID), then applies the full set of enforcement and threat-prevention options to that one classification instead of re-scanning for each feature. Parallel processing: Palo Alto Networks next-generation firewalls use separate CPUs and memory for the management plane and the data plane, so a heavy job on the management plane (a large commit or report) does not affect the data plane that is processing network traffic.
"Scan it all, scan it once."
What are the hardware components of Palo Alto? - CORRECT ANSWER Higher-end Palo Alto Networks hardware models have dedicated processors for each of the following functions, which operate in parallel, in one pass.
Control Plane:
-Management
-Logging
-Reporting
Data Plane:
-Signature matching: exploits, spyware, viruses, and data patterns such as credit card and Social Security numbers
-Security processing: App-ID, User-ID, policy match, SSL/IPsec, decompression
-Network processing: flow control, MAC lookup, route lookup, QoS, NAT
What is the idea behind a Zero Trust Model? - CORRECT ANSWER The old model of trusting traffic simply because it originates inside the organization needs to be replaced to keep up with today's security concerns. Traditional network security is enforced at the edge, on the "North-South" traffic flow between the internal network and the internet, while everything considered "internal" is trusted.
Examples of "internal":
-Remote employees
-Partners
-Wireless users
-Remote branches/offices
-Internal employees
Zero Trust addresses the shortcomings of the perimeter-centric strategy. It is rooted in the principle "never trust, always verify": internal East-West (lateral) traffic is segmented, inspected, and logged just like traffic crossing the perimeter, so a compromised internal host or user gets no implicit trust.
What are the three main concepts of Zero Trust? - CORRECT ANSWER 1. All resources are accessed in a secure manner regardless of location. This is especially important when you consider use cases like: tablet computers, smart phones, home workers, road warriors.
2. Access Control: is on a "need-to-know" basis and is strictly enforced. It is implemented on a granular basis.
3. All traffic is logged and inspected: Must be done on traffic that is North-South, but also East-West within the organization.
What are the stages of the Cyber-Attack Life Cycle? - CORRECT ANSWER Unauthorized Access:
1. Reconnaissance
2. Weaponization and Delivery
3. Exploitation
Unauthorized Use:
4. Installation
5. Command-and-Control
6. Actions on the Objective
List some methods of preventing each stage of the Cyber-Attack Life Cycle. - CORRECT ANSWER 1. Reconnaissance - Continuous scanning and inspection of traffic flows to detect port scans and host sweeps. Security awareness training on what should not be posted to the internet.
2. Weaponization/Delivery - Gain network visibility, including into SSL/TLS traffic, by using decryption. Use IPS, anti-malware, DNS monitoring, DNS sinkholing, and content blocking; train users on spear-phishing.
3. Exploitation - Patch systems, educate users on phishing, block exploits at the endpoint. Apply threat updates automatically.
4. Installation - Limit local administrator rights for users; use security zones with enforced user access controls.
5. Command and Control - Block outbound C2 connections, block uploads that match file and data patterns, redirect malicious outbound DNS queries to a sinkhole.
6. Actions on the Objective - Use threat intel tools to hunt for indicators of compromise on the network. Monitor and inspect traffic between security zones. Enforce user access control at zones. Use URL filtering to block outbound connections to known malicious URLs.
Which Plane does the MGMT Port use on a Palo Alto? - CORRECT ANSWER The MGMT port runs off the control plane. All initial configuration uses the MGMT port, whether you use the CLI or the Web Interface.
The MGMT port is configured under Device -> Setup -> Interfaces -> Management.
Configure the IP address, netmask, default gateway, and at least one DNS server address. You can also choose which services are permitted to connect to the MGMT port: HTTP, HTTPS, SSH, Telnet. Leave HTTP and Telnet disabled; both send the administrator credentials in cleartext.
Default MGMT IP: 192.168.1.1
Default login/password: admin/admin (change it before the firewall touches a production network).
For the serial console connection, the terminal emulation parameters are 9600-8-N-1.
What are the two CLI modes on a Palo Alto? - CORRECT ANSWER Operational Mode - allows you to view information
Configure Mode - make changes to the device.
What is a Management Interface Profile? - CORRECT ANSWER A Management Interface Profile is a configuration that can be attached to a Data Interface that runs on the Data Plane. This is helpful if the MGMT port goes down - you can still manage the firewall using one of the data ports running on the data plane. Using a Management Profile, you can bind these services to specific data ports:
HTTPS, SSH, Ping (Default)
Telnet, HTTP, SNMP, Response Pages, User-ID
If no Management Profile is configured, that data port will deny all attempts to connect to the management IP address.
Where and how do you configure a Management Interface Profile? - CORRECT ANSWER In the Web UI, go to the Network tab. Under Network Profiles, select "Interface Mgmt".
Here you create a profile that can then be attached to interfaces under the "Interfaces" portion of the Network tab.
You select which services are able to connect, like HTTPS, Ping, SSH, etc. You can also add Permitted IP Addresses, which act as an ACL restricting which source addresses may reach the management services on that data interface. Always populate the permitted IP list when enabling management on an internet-facing interface.
What are the Functional Category tabs on the web GUI? - CORRECT ANSWER •Dashboard: Provides general information such as device name, MGT IP address, and licensing information. This page can be augmented by adding widgets.
•ACC: Uses the firewall logs to graphically depict traffic trends on your network
• Monitor: Provides logging visibility and the ability to run packet captures
• Policies: Allows the creation of policies such as security policy and NAT policy
• Objects: Allows the creation of objects such as Address objects
• Network: Allows the configuration of network parameters such as interfaces and zones
• Device: Allows the configuration of system information such as the host name or certificates
What is a Service Route? - CORRECT ANSWER By default, the firewall uses the management interface to communicate with external servers such as DNS, email, Palo Alto Networks update servers, External Dynamic Lists, and Panorama.
Service routes let the firewall send this management-originated traffic out a data-plane interface instead. The traffic then follows the virtual router's routing table, and the data interface (and the zones the traffic crosses) must have the appropriate security policy rules.
To configure, go to: Device -> Setup -> Services -> Service Route Configuration -> Customize, and pick the source interface and address per service.
Alternatively, select Use Management Interface for All, which is the default and sends every service through the MGMT port.
What 3 primary services must be configured on a Palo Alto when you set it up? - CORRECT ANSWER DNS: You must specify at least 1 dns server. You can do this under Device -> Setup -> Services -> Global
NTP: You must specify at least 1 NTP server. You can do this under Device -> Setup -> Services -> Global
DHCP/Static MGMT IP: You must assign a management IP either using static assignment or DHCP. Configure this under the management interface
How does the candidate configuration and running configuration operate? - CORRECT ANSWER Changes made to the firewall config are first stored on the control plane, in the candidate config. You can save a candidate config as a named snapshot (an XML file). A candidate config must be committed in order to become the running config. The running config is pushed to the data plane and is what live production traffic runs off; until you commit, your changes have no effect on traffic.
What are the different Config Management options? - CORRECT ANSWER Restore Last Saved: This option restores the last saved candidate configuration from the local drive.
Revert to Running Config: This option restores the current running configuration. This operation undoes all the changes you made to the candidate configuration since the last commit and restores the config from the running-config.xml file.
Load Configuration Version: This option overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall. The firewall creates a timestamped version of the running configuration whenever a commit is made.
Export Named Configuration Snapshot
This option exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name. You can save the snapshot in any network location. These exports often are used as backups. These XML files also can be used as templates for building other firewall configurations.
Export Configuration Version
This option exports a version of the running configuration as an XML file.
What does Export Device State do? - CORRECT ANSWER It exports the running config plus state information, including device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of the satellites that the portal manages, and satellite authentication information.
What types of updates does Palo Alto provide? - CORRECT ANSWER Antivirus - new definitions every 24 hours. Includes WildFire signatures if you have a Threat Prevention subscription. WildFire subscribers can check for WildFire signature updates as often as every minute (best practice); WildFire publishes new signatures every 5 minutes.
Applications - new application signatures every month; updates to current applications weekly. Requires a maintenance support contract.
GlobalProtect Data File - vendor-specific data for defining and evaluating the host information profile (HIP) data returned by GlobalProtect. Requires a GlobalProtect subscription.
GlobalProtect Clientless VPN - contains new and updated application signatures to enable clientless VPN access to common web applications.
Palo Alto Networks (PAN-DB) URL Filtering - complements App-ID by enabling you to configure the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from attack.
How and where do you perform Updates for various components like Wildfire, Anti-Virus, etc.? - CORRECT ANSWER You can perform updates via:
-MGMT Port over control plane
-Data Port of data plane (Using the Service Route)
-Upload from a desktop PC
-Palo Alto networks customer support portal
-Panorama
Go to:
Device -> Dynamic Updates -> Install
How and where do you perform PAN-OS updates? - CORRECT ANSWER PAN-OS updates are managed under:
Device -> Software
1. Read the release notes.
2. Make sure the firewall is connected to a reliable power source.
3. Create an externally stored config backup (Export Named Configuration Snapshot).
You must first download the base image of a feature release, X.Y.0, before you can install a maintenance release of that feature release, X.Y.Z. Feature releases cannot be skipped; step through them in order.
I.E. download 9.1.0 first, then install 9.1.3.
Note that a PAN-OS update requires a full restart of the firewall, so schedule it in a maintenance window (or upgrade an HA pair one peer at a time).
What are the types of Administrator roles on a PA? - CORRECT ANSWER Default - the default admin account is local and has full access.
Role-Based Profile: custom admin roles that can be configured for more granular control over which parts of the firewall GUI/functional areas, and which vsys, the administrator has access to. When new features are added to PAN-OS, these roles must be manually updated to cover them.
Dynamic Role: these admin roles are predefined and do not need to be updated when new PAN-OS features are released. The dynamic roles:
-Superuser - full read/write access
-Superuser (read-only) - read-only access to the whole firewall
-Vsys Admin - full access to a specific virtual system
-Vsys Admin (read-only) - read-only access to a specific virtual system
-Device Administrator - full access to firewall settings except for creating new administrators or virtual systems
-Device Administrator (read-only) - read-only access to everything except password profiles and administrator accounts
To access, go to:
Device -> Administrators
What types of authentication does PAN-OS support when dealing with External Administrator Accounts? - CORRECT ANSWER Local Database, RADIUS, LDAP, TACACS+, SAML, Kerberos
How does an Authentication Profile work? - CORRECT ANSWER An Authentication Profile provides authentication settings that can be applied to administrator accounts, SSL-VPN access, and Captive Portals.
-It references a Server Profile, which gives Server Name, IP address, and the service port that it listens on, and other info.
You can go under Device -> Server Profiles and choose which type of server you want to configure.
How does an Authentication Sequence work? - CORRECT ANSWER An Authentication Sequence is an ordered list of one or more Authentication Profiles; the firewall tries each profile in turn until one succeeds. An administrator account references either a single Authentication Profile or an Authentication Sequence.
How do you set Minimum Password Length? - CORRECT ANSWER Go to Device -> Setup -> Management tab, open Minimum Password Complexity and enable it; there you set the minimum length along with character-class requirements and password expiry.
Password Profiles (Device -> Password Profiles) can then be assigned to individual administrators to override the expiry settings.
What is a Security Zone and how does the Palo Alto use them? - CORRECT ANSWER A security zone is used to logically group networks that are designed to contain certain types of traffic (The admin decides to group them). The Palo Alto then uses the security zones to analyze, control, and log network traffic as it traverses from one zone interface to another.
Policies are written in terms of zones, not interfaces: security policy rules allow or deny traffic, apply security profiles, and set logging parameters, and NAT and QoS rules likewise match on zones.
There are 5 Primary Zone Types:
(Tap, Layer 2, Layer 3, Tunnel, Virtual Wire)
External Zones are a special type that allow traffic to pass from one Vsys to another Vsys.
Mgmt and High Availability ports have no zone.
What are the two broad Security Zone Categories? - CORRECT ANSWER Interzone - traffic between interfaces that are in different security zones is denied by default.
Intrazone - traffic between interfaces within the same zone is allowed by default.
What are the secondary types of Ethernet interface types? - CORRECT ANSWER Decrypt Mirror: enables decrypted traffic from the firewall to be copied and sent to a traffic collection tool, like a Data Loss Prevention appliance. Not available on VM-Series. Requires a free license.
Log Card: on the PA-7000 Series, a data port is configured to perform log forwarding (syslog, email, SNMP) because the MGMT port cannot handle all of the log traffic.
Aggregate: bundles multiple physical interfaces (Layer 2, Layer 3, virtual wire, or HA3) into one logical interface for load balancing and redundancy using IEEE 802.1AX/802.3ad LACP.
HA Interfaces: one HA interface (HA1) carries configuration sync and heartbeats, the other (HA2) carries session state sync. If active/active is used, a third HA interface (HA3) forwards packets between the peers.
Loopback: Layer 3 virtual interfaces attached to a virtual router.
Tunnel: a virtual interface used with VPN tunnels to deliver encrypted traffic between two endpoints.
What are the primary interface types? - CORRECT ANSWER Tap: A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port. The firewall is then able to analyze for App-ID, Content-ID, and other traffic, just as if the traffic was passing through the firewall. Info is viewable in monitor and ACC, good for creating security policies. Can be deployed without disrupting production networks.
Layer 2: Switches traffic between other Layer 2 interfaces. Each Layer 2 interface MUST be assigned to a VLAN object. You can assign Layer 2 interfaces to different Zones, but in the same VLAN, allowing for inspection/shaping. Layer 2 interfaces do not participate in STP, but do forward BPDUs.
First, configure a VLAN object, go to Network > VLAN > Add.
Next, configure a Layer 2 interface, go to Network > Interfaces > Ethernet > .
Layer 3: A virtual router object must exist for Layer 3 interfaces to route. Supports IPv6, MTU, static ARP, LLDP, IPv6 NDP, link speed, and duplex settings. Can be used to manage the firewall via an Interface Management Profile. Layer 3 interfaces can also have sub-interfaces, each with its own VLAN tag and IP address, like a Cisco "router on a stick".
Describe how a Virtual Wire works and how to implement it. - CORRECT ANSWER Virtual Wire: binds two Ethernet interfaces together to pass traffic through the firewall transparently. No switching or routing functions are performed on the vwire interfaces, but security policy, NAT, decryption, and content inspection can still be applied. Requires no changes to adjacent network devices (the vwire interfaces have no IP or MAC addresses).
Each of the two virtual wire interfaces must be assigned to a zone, either the same zone or different ones. Intrazone traffic is permit-all by default, while interzone traffic is deny-all by default and requires security policy rules.
Virtual wire interfaces can be subdivided into vwire subinterfaces that classify traffic according to VLAN tags, IP addresses, IP ranges, or subnets. They can be used to separate traffic into different zones for more granular control than a plain vwire provides.
To configure a virtual wire subinterface, go to Network > Interfaces > Ethernet and select, but do not open, a virtual wire interface. Then click Add Subinterface at the bottom of the web interface window.
How do you configure a Virtual Router? - CORRECT ANSWER Go to Network -> Virtual Routers -> Add. There you can name the Vrouter and add Layer 3 interfaces into it.
Which routing protocols does a Palo Alto support? - CORRECT ANSWER Dynamic Routing Protocols:
BGP4
OSPFv2
OSPFv3
RIPv2
Multicast Routing Protocols:
IGMPv1, IGMPv2, IGMPv3
PIM-SM (PIM-ASM), PIM-SSM
Note: Static routes use an Administrative Distance of 10. This can be modified.
How does the RIB and FIB function on a Palo Alto Virtual Router? - CORRECT ANSWER The Routing Information Base is populated by learned routes (Static and Dynamically learned).
The Virtual Router chooses the best routes from the RIB, and places them into the Forwarding Information Base. When you examine the FIB, you're seeing the best routes.
CLI:
show routing fib : shows you best routes
What is the function of Path Monitoring with respect to Static Routes? - CORRECT ANSWER Path monitoring lets the firewall monitor one or more reliable upstream addresses with ICMP pings. If the monitored path fails, the associated static route is removed from the routing table, and an alternate route (for example a second static route with a higher metric, or a dynamically learned route) takes over. When the pings succeed again, the route is reinstalled. You can view the static route monitoring status under Network -> Virtual Routers -> More Runtime Stats -> Routing tab -> Static Route Monitoring subtab.
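To make the RIB-to-FIB selection and the path-monitoring behaviour above concrete, here is an added Python illustration written for this guide; it is not Palo Alto Networks code. It assumes the PAN-OS default administrative distances for static (10), eBGP (20), OSPF internal (30) and RIP (120) routes, and every route, next hop and ping result in it is constructed sample data.

```python
# Added illustration, not Palo Alto Networks code: a toy virtual router that
# builds a FIB from a RIB of static and dynamically learned routes and applies
# static-route path monitoring. Administrative distances are assumed to be the
# PAN-OS defaults (static 10, eBGP 20, OSPF internal 30, RIP 120); check your
# own firewall. All routes, next hops and monitor results are constructed.
import ipaddress
from dataclasses import dataclass

ADMIN_DISTANCE = {"static": 10, "ebgp": 20, "ospf-int": 30, "rip": 120}


@dataclass(frozen=True)
class Route:
    prefix: str                      # destination, e.g. "10.0.0.0/8"
    next_hop: str
    protocol: str                    # key into ADMIN_DISTANCE
    metric: int = 10
    monitor_targets: tuple = ()      # static routes only: IPs the firewall pings
    failure_condition: str = "any"   # "any": one unreachable target pulls the route
                                     # "all": every target must fail

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix)

    @property
    def distance(self):
        return ADMIN_DISTANCE[self.protocol]


def route_is_up(route, reachable):
    """Path-monitoring verdict for one route; `reachable` is the set of
    monitored addresses that answered the last ICMP probe."""
    if not route.monitor_targets:            # no path monitor configured
        return True
    down = [t for t in route.monitor_targets if t not in reachable]
    if route.failure_condition == "any":
        return not down
    return len(down) < len(route.monitor_targets)


def build_fib(rib, reachable=frozenset()):
    """Pick the single best route per prefix: lowest administrative distance,
    then lowest metric. Static routes whose path monitor failed are skipped,
    which is how the backup route gets installed instead."""
    best = {}
    for r in rib:
        if r.protocol == "static" and not route_is_up(r, reachable):
            continue
        cur = best.get(r.network)
        if cur is None or (r.distance, r.metric) < (cur.distance, cur.metric):
            best[r.network] = r
    return best


def lookup(fib, dst):
    """Longest-prefix match in the FIB; None means no route (packet dropped)."""
    addr = ipaddress.ip_address(dst)
    matches = [r for net, r in fib.items() if addr in net]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


# Constructed RIB: two static defaults (primary ISP, backup ISP with a worse
# metric), an OSPF route that loses to a static route for the same prefix,
# and a more specific eBGP route.
RIB = [
    Route("0.0.0.0/0", "203.0.113.1", "static", metric=10,
          monitor_targets=("203.0.113.1",)),
    Route("0.0.0.0/0", "198.51.100.1", "static", metric=50,
          monitor_targets=("198.51.100.1",)),
    Route("10.0.0.0/8", "10.255.0.1", "ospf-int", metric=20),
    Route("10.0.0.0/8", "10.255.0.2", "static"),
    Route("10.20.0.0/16", "10.255.0.3", "ebgp"),
]

if __name__ == "__main__":
    for up in ({"203.0.113.1", "198.51.100.1"}, {"198.51.100.1"}, set()):
        r = lookup(build_fib(RIB, up), "8.8.8.8")
        print(sorted(up), "->", r.next_hop if r else "no route")
```

Run it and you see the default route move from the primary to the backup ISP as the primary's monitored address stops answering, and disappear entirely when both are down; the static 10.0.0.0/8 route, which has no monitor, beats the OSPF route on administrative distance regardless.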
Where are the default security rules? - CORRECT ANSWER The intrazone-default (allow) and interzone-default (deny) rules sit at the bottom of the rulebase. Any rule you create above them is, by default, of type Universal (it matches both intrazone and interzone traffic). Best practice is to override both default rules and enable logging on them, since neither logs by default.
What is a Shadow Rule? - CORRECT ANSWER A shadowed rule is a rule that can never match because a broader rule covering the same criteria is configured ABOVE it; the firewall evaluates rules top-down and stops at the first match. The commit warns about shadowed rules.
Note: best practice is to configure the security policy so that more specific rules are near the top and broader rules near the bottom of the policy list.
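An added example of the shadowing check, written for this guide rather than taken from the firewall: it walks a constructed rulebase top-down and reports every rule that an earlier, broader rule fully covers. Zones, applications and services are compared as lists, addresses as CIDR strings, and the user and URL-category columns are left out.

```python
# Added example, not Palo Alto Networks code: a checker that flags shadowed
# rules in an ordered security rulebase. A rule is shadowed when an earlier
# rule already matches everything it would match, so it can never fire.
# Rules are constructed sample data; "any" stands for the firewall wildcard,
# addresses are CIDR strings, and users/URL categories are ignored here.
import ipaddress


def _addr_covers(broad, narrow):
    """Does the broad address field contain every address of the narrow one?"""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return ipaddress.ip_network(narrow).subnet_of(ipaddress.ip_network(broad))


def _list_covers(broad, narrow):
    """Zone, application and service fields: list containment, 'any' wildcard."""
    if broad == "any":
        return True
    if narrow == "any":
        return False
    return set(narrow) <= set(broad)


def covers(upper, lower):
    """True when every packet that would match `lower` matches `upper` first."""
    return (_list_covers(upper["from"], lower["from"])
            and _list_covers(upper["to"], lower["to"])
            and _addr_covers(upper["src"], lower["src"])
            and _addr_covers(upper["dst"], lower["dst"])
            and _list_covers(upper["app"], lower["app"])
            and _list_covers(upper["service"], lower["service"]))


def find_shadowed(rulebase):
    """Return [(shadowed_rule, rule_that_shadows_it)] walking top-down, the
    same order in which the firewall evaluates the rulebase."""
    findings = []
    for i, lower in enumerate(rulebase):
        for upper in rulebase[:i]:
            if covers(upper, lower):
                findings.append((lower["name"], upper["name"]))
                break
    return findings


def rule(name, frm, to, src, dst, app, service, action):
    return {"name": name, "from": frm, "to": to, "src": src, "dst": dst,
            "app": app, "service": service, "action": action}


# Constructed rulebase: the broad allow sits above the specific deny, so the
# guest-network deny never matches and the guests get web access anyway.
RULEBASE_BAD = [
    rule("allow-web-out", ["trust"], ["untrust"], "any", "any",
         ["web-browsing", "ssl"], ["application-default"], "allow"),
    rule("deny-guest-web", ["trust"], ["untrust"], "10.1.50.0/24", "any",
         ["web-browsing", "ssl"], ["application-default"], "deny"),
    rule("allow-dns", ["trust"], ["untrust"], "any", "any",
         ["dns"], ["application-default"], "allow"),
]
# Same rules with the specific deny moved above the broad allow.
RULEBASE_GOOD = [RULEBASE_BAD[1], RULEBASE_BAD[0], RULEBASE_BAD[2]]

if __name__ == "__main__":
    print(find_shadowed(RULEBASE_BAD))   # [('deny-guest-web', 'allow-web-out')]
    print(find_shadowed(RULEBASE_GOOD))  # []
```

The real firewall's commit-time check also accounts for users, URL categories, negated addresses and address groups, so treat this as the logic of the check rather than a replacement for it.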
What are the two basic types of NAT? - CORRECT ANSWER Source NAT: replaces the original source IP address in the Layer 3 header. Usually used when a packet originating inside the organization's network has a private source IP that is not routable on the internet.
Destination NAT: replaces the original destination IP address in the Layer 3 header. Usually used when a packet arrives from the internet destined for a public routable IP, which is replaced with the private IP of the host inside the network.
What are the Source NAT types? - CORRECT ANSWER Static IP - the same address is always used for translation and the port is unchanged. Can be a single IP or a range of IPs (one-to-one mapping).
Dynamic IP - the original source address translates to the next available address in the specified range. Up to 32,000 consecutive IP addresses supported. Port unchanged. A Dynamic IP pool can contain multiple subnets.
Dynamic IP and Port (DIPP) - the most common type of source NAT. Allows many original source IPs to be mapped to one public IP address by also translating the source port (port address translation).
How do security policies and Source NAT policy function together? - CORRECT ANSWER If you use an IP address in a security policy rule, you must use the IP address value as it existed BEFORE translation, called the pre-NAT address, because security policy is evaluated against the original packet. The zone, however, is determined by the route lookup on the translated address: the post-NAT zone.
When configuring security policies that contain addresses used in a NAT rule, always use:
"pre-NAT IP; post-NAT zone."
What is Dynamic IP-Port NAT Oversubscription? - CORRECT ANSWER NAT oversubscription rate - the number of times the same translated source IP address and port pair can be in use at the same time, assuming each of those sessions goes to a different destination IP address (the return traffic is still distinguishable by its source). A lower rate reduces the number of source-device translations available but allows more NAT rules.
Default setting: Platform Default (the rate depends on the firewall model).
Available settings:
1x = no oversubscription; each IP-port pair can only be used once.
2x: 2 times
4x: 4 times
8x: 8 times.
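The following is an added toy allocator, not PAN-OS code, that shows what the oversubscription rate actually buys and why the "each destination IP is different" condition matters. The pool address, the four-port range and the destinations are constructed; a real pool address offers ports 1024 to 65535.

```python
# Added example, not PAN-OS code: a toy DIPP allocator that shows what the
# oversubscription rate buys. A translated (IP, port) pair may serve up to
# `rate` concurrent sessions as long as each goes to a different destination
# IP, because return packets can still be told apart by their source. The
# pool, port range and destinations are constructed; a real firewall uses
# ports 1024-65535 per pool address, trimmed here to keep the demo readable.


class DippAllocator:
    def __init__(self, pool_ips, ports, rate=1):
        self.pairs = [(ip, port) for ip in pool_ips for port in ports]
        self.rate = rate
        self.in_use = {}   # (ip, port) -> set of destination IPs using it now

    def allocate(self, dst_ip):
        """Return the translated (ip, port) for a new session to dst_ip, or
        None when the pool is exhausted (the firewall would drop the session)."""
        for pair in self.pairs:
            dsts = self.in_use.setdefault(pair, set())
            # Two sessions to the same destination must not share a pair:
            # their replies would be indistinguishable.
            if len(dsts) < self.rate and dst_ip not in dsts:
                dsts.add(dst_ip)
                return pair
        return None

    def release(self, pair, dst_ip):
        """Session ended: free the pair for that destination."""
        self.in_use.get(pair, set()).discard(dst_ip)


def open_sessions(alloc, destinations):
    """Open one session per destination until the allocator refuses;
    return how many fit."""
    count = 0
    for dst in destinations:
        if alloc.allocate(dst) is None:
            break
        count += 1
    return count


POOL = ["203.0.113.10"]
PORTS = range(1024, 1028)            # 4 ports instead of ~64k
DISTINCT = ["8.8.8.8", "1.1.1.1", "9.9.9.9", "198.51.100.5",
            "198.51.100.6", "198.51.100.7", "198.51.100.8", "198.51.100.9"]

if __name__ == "__main__":
    print(open_sessions(DippAllocator(POOL, PORTS, rate=1), DISTINCT))  # 4
    print(open_sessions(DippAllocator(POOL, PORTS, rate=2), DISTINCT))  # 8
    # Oversubscription does not help when everything goes to one destination.
    print(open_sessions(DippAllocator(POOL, PORTS, rate=2), ["8.8.8.8"] * 8))  # 4
```

With 2x the same pool carries twice as many sessions when destinations are spread out, but a burst of sessions to a single destination (a popular SaaS endpoint, say) still exhausts the pool at the 1x figure.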
What are the Destination NAT types? - CORRECT ANSWER Destination NAT is typically used to allow an external client to access an internal host, like a web server.
Static - Translates a destination IP to a static IP or a range of IPs and Port numbers.
Dynamic IP - With Session distribution. Can use FQDN, address object, or address group - If the DNS or Object contain more than 1 IP, the firewall will distribute the sessions among the addresses using the method specified in the config.
How do security policies and Destination NAT policy function together? - CORRECT ANSWER You must use the Pre-NAT IP address. After the destination IP address is translated, Post-NAT, determine what the security zone would be for that Post-NAT IP.
Remember,
"Pre-NAT IP, Post-NAT Zone"
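The two "pre-NAT IP, post-NAT zone" cards above (source NAT and destination NAT) describe the same evaluation order, so here is one added worked example for both, written for this guide and not taken from PAN-OS. It models the packet flow in simplified form: routes, NAT rules, security rules and packets are constructed sample data, and the source zone is derived from a route lookup on the source address where a real firewall uses the zone of the ingress interface.

```python
# Added worked example, not PAN-OS code: a simplified version of the packet
# flow behind "pre-NAT IP, post-NAT zone". The firewall matches NAT rules on
# the original addresses, translates, then matches security policy on the
# ORIGINAL addresses but on the zone the TRANSLATED destination routes to.
# Routes, rules and packets are constructed sample data. Simplification: the
# source zone is taken from a route lookup on the source address, where a real
# firewall uses the zone of the ingress interface.
import ipaddress

# prefix -> zone of the interface that reaches it (a route lookup is how the
# firewall learns which zone an address lives in)
ROUTES = {"10.1.0.0/16": "trust", "192.168.50.0/24": "dmz", "0.0.0.0/0": "untrust"}


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    hits = [(ipaddress.ip_network(p).prefixlen, z)
            for p, z in ROUTES.items() if addr in ipaddress.ip_network(p)]
    return max(hits)[1]                     # longest prefix wins


def _addr_match(value, pattern):
    return pattern == "any" or ipaddress.ip_address(value) in ipaddress.ip_network(pattern)


def apply_nat(pkt, nat_rules):
    """First NAT rule whose zones and ORIGINAL addresses match; the destination
    zone used here comes from routing the original destination."""
    src_zone, dst_zone = zone_of(pkt["src"]), zone_of(pkt["dst"])
    for r in nat_rules:
        if (r["from"] == src_zone and r["to"] == dst_zone
                and _addr_match(pkt["src"], r["orig_src"])
                and _addr_match(pkt["dst"], r["orig_dst"])):
            out = dict(pkt)
            if r.get("xlate_src"):
                out["src"] = r["xlate_src"]
            if r.get("xlate_dst"):
                out["dst"] = r["xlate_dst"]
            return out, r["name"]
    return dict(pkt), None


def security_lookup(pkt, nat_rules, sec_rules):
    """Returns (rule name, action, nat rule name). Addresses compared are the
    pre-NAT ones from `pkt`; the destination zone is the post-NAT zone."""
    translated, nat_name = apply_nat(pkt, nat_rules)
    src_zone = zone_of(pkt["src"])
    dst_zone = zone_of(translated["dst"])          # post-NAT zone
    for r in sec_rules:
        if (r["from"] in ("any", src_zone) and r["to"] in ("any", dst_zone)
                and _addr_match(pkt["src"], r["src"])   # pre-NAT IP
                and _addr_match(pkt["dst"], r["dst"])   # pre-NAT IP
                and (r["app"] == "any" or pkt["app"] in r["app"])):
            return r["name"], r["action"], nat_name
    return "interzone-default", "deny", nat_name


NAT_RULES = [
    # Inbound DNAT: public 203.0.113.10 routes to untrust, so the rule is
    # untrust -> untrust even though the server lives in the dmz.
    {"name": "dnat-web", "from": "untrust", "to": "untrust",
     "orig_src": "any", "orig_dst": "203.0.113.10", "xlate_dst": "192.168.50.10"},
    # Outbound DIPP source NAT for the trust network.
    {"name": "snat-out", "from": "trust", "to": "untrust",
     "orig_src": "10.1.0.0/16", "orig_dst": "any", "xlate_src": "203.0.113.1"},
]

SEC_RULES = [
    # pre-NAT destination IP (public), post-NAT destination zone (dmz)
    {"name": "inbound-web", "from": "untrust", "to": "dmz", "src": "any",
     "dst": "203.0.113.10", "app": ["web-browsing", "ssl"], "action": "allow"},
    {"name": "outbound", "from": "trust", "to": "untrust", "src": "10.1.0.0/16",
     "dst": "any", "app": "any", "action": "allow"},
]
# The common mistake: writing the rule with the translated (private) address.
SEC_RULES_WRONG = [dict(SEC_RULES[0], dst="192.168.50.10"), SEC_RULES[1]]

INBOUND = {"src": "198.51.100.7", "dst": "203.0.113.10", "app": "web-browsing"}
OUTBOUND = {"src": "10.1.5.5", "dst": "8.8.8.8", "app": "dns"}

if __name__ == "__main__":
    print(security_lookup(INBOUND, NAT_RULES, SEC_RULES))        # allowed by inbound-web
    print(security_lookup(INBOUND, NAT_RULES, SEC_RULES_WRONG))  # interzone-default deny
    print(security_lookup(OUTBOUND, NAT_RULES, SEC_RULES))       # allowed by outbound
```

The inbound packet is allowed only when the rule names the public (pre-NAT) address together with the dmz (post-NAT) zone; the same rule written with the server's private address never matches and the session falls through to the interzone default deny, which is exactly the symptom you see on a firewall when this convention is forgotten.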
What is application shift? - CORRECT ANSWER This is when the application identified for a single session changes as the firewall sees more of the session. For example, a user going to icloud.com is initially identified as web-browsing. Once the user logs in and opens the iCloud web app, the App-ID shifts to icloud-base. If the user then checks their e-mail, it shifts to icloud-email. Policy is re-evaluated at each shift, so a rule that only allows web-browsing will stop the session once it shifts to an application the rule does not cover.
What is a dependent application? - CORRECT ANSWER Within the PAN-OS, some applications are dependent on other applications. If Application #1 is dependent on Application #2, then both Application #1 and #2 need to be allowed within the security policy.
When you go to commit a security policy, there will be an App Dependency tab if is a dependency warning.
Or, navigate to Objects -> Applications and click on the application, it will show you the dependencies.
What is an Application Filter and how do you set it up? - CORRECT ANSWER An Application Filter is a dynamic object that selects multiple App-IDs by Category, Subcategory, Technology, Risk, Tags, and Characteristics rather than by name. For example, to cover all music streaming, select the audio-streaming subcategory in a filter; every App-ID that matches that subcategory, including ones added by future content updates, is included automatically. The filter then shows up as an option in the security policy Application column.
Go to Objects -> Application Filters -> Add
There you build your filter, name it, and save it.
In the security policy, you can click.
In PAN-OS 9.1, you can configure an Application Filter to filter based on the assigned application tags.
What is an Application Group and how do you set it up? - CORRECT ANSWER An application group is a static group of App-IDs created by an administrator. It differs from a filter in that each App-ID is added to the group explicitly, whereas a filter selects applications by criteria.
Multiple applications and application filters can be combined into one Application Group. You can also add Application Groups into other Application Groups, making a nested group. Configure under Objects -> Application Groups -> Add.
What are the 5 Application App-ID Properties? - CORRECT ANSWER 1. Category - Used to generate Top 10 Application Categories chart within the ACC.
2. Subcategory - Same as above
3. Technology - tech most closely associated with the application.
4. Risk - a relative risk rating 1 to 5, with 5 being the most risky
5. Characteristics - Identifies some of the behaviors:
(Capable of file transfer, excessive bandwidth use, tunnels other applications, has known vulnerabilities, used by malware, evasive, pervasive, prone to misuse, continues scanning for other applications)
What are some of the application time outs? - CORRECT ANSWER TCP Half Closed
Maximum length of time that a session remains in the session table between receiving the first FIN and receiving the second FIN or RST. If the timer expires, the session is closed.
TCP Time Wait
Maximum length of time that a session remains in the session table after receiving the second FIN or RST. If the timer expires, the session is closed. If this timer is not configured at the application level, the global setting is used (range is 1 to 600 seconds). If this value is configured at the application level, it overrides the global TCP Time Wait setting.
What can happen if you update App-ID Content? - CORRECT ANSWER If you update the App-ID definitions, the new content could break existing security rules, because a content update can split an existing App-ID or create a new App-ID for traffic that was previously classified under an old one. For example, traffic that was formerly identified as web-browsing may get its own App-ID after the update, and a rule that only allows web-browsing will then block it. You can disable new apps in a content update: under Device -> Dynamic Updates, in the Applications and Threats update schedule, check "Disable new apps in content update". New App-IDs are then installed but disabled until you review them and enable them.
To see applications that have been modified or added, click Review Apps in the Action column.
What are the 3 ways to implement security policies to include dependent applications? - CORRECT ANSWER 1. When creating a security policy, Policies -> Security -> Add -> Application, once you add an application, the "Depends on" tab appears, and you can add any sub-application to the rule. (Best practice)
2. When you perform a Commit, on the Commit Status window, there will be an App Dependency sub-tab that will show any missing dependencies you need to add.
3. You can go to Objects -> Applications, click on the app, and it will display "Depends on:" near the top.
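Covering both the nested Application Group card and the dependent-application cards above, here is an added Python example written for this guide and not taken from PAN-OS. It flattens nested groups to App-IDs and then lists the "depends on" applications a rule still lacks, which is the check the App Dependency tab reports at commit. All App-ID names of the form acme-* and their dependencies are hypothetical; the real values live under Objects > Applications on the firewall.

```python
# Added example, not PAN-OS code: resolves nested Application Groups to the
# App-IDs they contain, then reports which "depends on" applications are
# missing from a rule, the same check the commit's App Dependency tab performs.
# The App-ID names (acme-*) and their dependencies are hypothetical; read the
# real values from Objects > Applications on the firewall.

# App-ID -> applications it depends on (constructed)
DEPENDS_ON = {
    "acme-mail": ["acme-base"],
    "acme-video": ["acme-base"],
    "acme-base": ["web-browsing", "ssl"],
}

# Application Group -> members, which may be apps or other groups (constructed)
GROUPS = {
    "collab-apps": ["acme-mail", "media-group"],
    "media-group": ["acme-video"],
}


def expand(entries, groups=GROUPS):
    """Flatten group members (recursively) into a set of App-ID names."""
    apps, seen, stack = set(), set(), list(entries)
    while stack:
        item = stack.pop()
        if item in groups:
            if item in seen:           # guards against a group that nests itself
                continue
            seen.add(item)
            stack.extend(groups[item])
        else:
            apps.add(item)
    return apps


def missing_dependencies(apps, depends_on=DEPENDS_ON):
    """Transitive closure of dependencies not already allowed by the rule."""
    allowed = set(apps)
    missing, stack = set(), list(apps)
    while stack:
        for dep in depends_on.get(stack.pop(), []):
            if dep not in allowed and dep not in missing:
                missing.add(dep)
                stack.append(dep)
    return sorted(missing)


def check_rule(application_column):
    """What a rule's Application column resolves to, and what it still needs."""
    apps = expand(application_column)
    return sorted(apps), missing_dependencies(apps)


if __name__ == "__main__":
    print(check_rule(["collab-apps"]))
    # (['acme-mail', 'acme-video'], ['acme-base', 'ssl', 'web-browsing'])
    print(check_rule(["collab-apps", "acme-base", "ssl", "web-browsing"]))
    # (['acme-base', 'acme-mail', 'acme-video', 'ssl', 'web-browsing'], [])
```

PAN-OS also tracks an "implicitly uses" relationship (for example, an app that rides on web-browsing without you having to add web-browsing to the rule); only the "depends on" relationship, which this example models, requires the extra applications in the rule.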
What are Dynamic User Groups? - CORRECT ANSWER A feature introduced in PAN-OS 9.1. A Dynamic User Group (DUG) controls access to resources managed by firewall policies such as Security, Authentication, and Decryption. You add the DUG to the Source User field of a rule; membership is defined by tags applied to usernames rather than by a directory group, so it can change without a commit.
Go to Objects -> Dynamic User Groups -> Add: create the DUG with a match criterion on a tag, then tag the specific users that belong to it. This is manual tagging; tags can also be applied automatically by a log forwarding profile action or via the XML API.
What is "Auto-Remediation" with respect to DUGs? - CORRECT ANSWER This means the firewall can automatically respond to user activity, reducing the time it takes to react to malicious user activity.
1. Collect user data/metadata via firewall logs or SIEM logs.
2. Analyze user data stored in logs, a SIEM, or a user/entity behavior analytics system.
3. Tag the username to define its DUG membership.
4. Use the DUG membership to control the user's access.
-PAN-OS and Panorama must be at 9.1 or later to use DUGs.
-You must configure two security rules to enforce DUG auto-remediation. The first allows the traffic so it can be analyzed and, through a log forwarding profile with a tagging action, adds the user to the DUG. The second rule blocks the desired traffic for users in the DUG. The deny rule must sit above the allow/tagging rule, so that once a user is tagged the deny rule matches first.
In relation to Security Policies, what is a Security Profile? - CORRECT ANSWER A Security Profile is applied after a packet has been allowed by a security policy rule; the allowed traffic is then scanned using the profile's settings: Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire Analysis, and Data Filtering. Profiles only take effect on rules with an allow action, since denied traffic is never inspected.
A Security Profile Group is a an object containing multiple security profiles.
What is a Threat Log and what are the 5 levels? - CORRECT ANSWER A Threat Log displays when traffic matches one of the Security Profiles attached to a security policy. Threat logs are used as the source of information that is displayed on the Application Control Center tab (ACC).
1. Critical - serious threats that could affect a large array of widely deployed systems and require little effort by the attacker.
2. High - could become critical but have mitigating factors; for example they might be difficult to exploit or not have a large victim pool.
3. Medium - minor threats that pose minimal impact, like a DoS attack with a limited attack surface.
4. Low - warning-level threats with little impact on the organization's infrastructure.
5. Informational - suspicious events that do not pose an immediate threat.
Explain the interaction between Security Policy and Security Profile. - CORRECT ANSWER A packet must match all the requirements within a security policy to get the security policy action to be applied (Allow/Deny/Drop/Reset). If the packet is allowed, then the Security Profile is used to inspect that packet.
What is the default action for Antivirus Security Profile Actions? - CORRECT ANSWER The default Antivirus profile inspects the listed protocol decoders for viruses; it generates alerts for SMTP, IMAP, and POP3 while blocking for FTP, HTTP, and SMB.
Allow - allow the application traffic
Alert - generate an alert for each matching application traffic flow, stored in the Threat Log
Drop - drop the application traffic
Reset (server/client/both) - send a TCP reset; UDP traffic is simply dropped
What is the default action for Anti-Spyware Security Profile Actions? - CORRECT ANSWER Default - use whatever action the signature specifies
Strict - override the default for critical, high, and medium severity and block, regardless of what the signature says to do
Allow - allow the application traffic
Alert - generate an alert for each matching application traffic flow, stored in the Threat Log
Reset (server/client/both) - send a TCP reset; UDP traffic is dropped
Block IP - block traffic either from a source, or a source-destination pair, for a configurable period of time
What is a DNS sinkhole and where is it set up? - CORRECT ANSWER The firewall forges the response to a DNS query for a known malicious domain so that the name resolves to an IP address you define (the sinkhole address) instead of the attacker's server. Because the infected host then tries to connect to the sinkhole address, the traffic log identifies the host itself, not just the internal DNS server that forwarded the query. It is configured in the Anti-Spyware profile.
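The reason sinkholing works as a detection tool is that the follow-up connection, not the DNS query, carries the infected client's address. The Python below is an added example, not code from the page or from Palo Alto Networks: it parses a constructed, simplified traffic-log excerpt (real PAN-OS CSV exports carry many more columns) and lists every internal source that tried to reach the sinkhole address. The sinkhole IP and the column names are assumptions for this example.

```python
import csv
import io
from collections import defaultdict

# Assumed sinkhole address (constructed for this example). Use the address configured
# in your Anti-Spyware profile's DNS sinkhole settings: any address you control that
# is not otherwise used inside the network, so that connections to it are unambiguous.
SINKHOLE_IP = "10.99.99.99"

# Constructed, simplified traffic-log excerpt. Only these five columns are needed here.
SAMPLE_TRAFFIC_LOG = """\
receive_time,src,dst,dport,action
2024/05/01 09:00:01,10.1.1.20,10.99.99.99,443,allow
2024/05/01 09:00:03,10.1.1.20,10.99.99.99,80,allow
2024/05/01 09:00:04,10.1.1.57,142.250.72.14,443,allow
2024/05/01 09:01:10,10.1.2.8,10.99.99.99,8080,allow
2024/05/01 09:02:00,10.1.1.57,10.99.99.99,443,deny
"""


def infected_hosts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Return {src_ip: [(time, dport, action), ...]} for every source that tried to reach the sinkhole.

    A host appears here only if it actually initiated a connection to the sinkhole
    address, i.e. it received the sinkholed answer and acted on it. That is stronger
    evidence of infection than the DNS query alone, which is logged against the
    resolver's address rather than the client's. Whether the attempt was allowed or
    denied does not matter; the attempt itself is the indicator.
    """
    hits = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["dst"] == sinkhole_ip:
            hits[row["src"]].append((row["receive_time"], int(row["dport"]), row["action"]))
    return dict(hits)


def sinkhole_report(log_text, sinkhole_ip=SINKHOLE_IP):
    """Summarise attempts per host, most active host first, ties broken by address."""
    hosts = infected_hosts(log_text, sinkhole_ip)
    return sorted(((src, len(events)) for src, events in hosts.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for src, count in sinkhole_report(SAMPLE_TRAFFIC_LOG):
        print(f"{src}: {count} connection attempt(s) to sinkhole {SINKHOLE_IP}")
```

A common deployment pairs the sinkhole address with a Security policy rule that denies traffic to it and logs at session start; the denied entries (like the last sample line) still name the infected host, which is the point of the exercise.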
What does the default Vulnerability Protection Security Profile do? - CORRECT ANSWER The default Vulnerability Protection profile protects clients and servers from all known critical-, high-, and medium-severity threats. You can also create exceptions that change the response to a specific signature.
The Exceptions tab lets you change the response for a specific signature, selected by its Threat ID number or name.
What are the URL Filtering Security Profile actions? - CORRECT ANSWER Alert - Allowed; an entry is written to the URL Filtering log.
Allow - Allowed; no log entry is created.
Block - Blocked; a block response page is shown and a log entry is created.
Continue - The user is shown a response page and may click through to continue; a log entry is created.
Override - The user is shown a response page and may continue only after entering a password (for help desk, admins, etc.); a log entry is created.
None - Used with custom URL categories only; ensures the custom category has no effect in other URL Filtering profiles.
What are the File Blocking Security Profile actions? - CORRECT ANSWER Alert - The transfer is allowed and an entry is added to the Threat log.
Block - The file is blocked.
Continue - The user is shown a response page warning that the file may be dangerous and asking whether they want to proceed with the transfer.
What is Safe Search? - CORRECT ANSWER Enables the firewall to enforce the "Safe Search" filter on the following search engines: Google, Yahoo, Bing, Yandex, and YouTube. It is a best-effort setting. It can also block search results that
What is HTTP Header Logging? - CORRECT ANSWER Provides visibility into selected attributes of the HTTP request a client sent to a server. The values are stored in the URL Filtering log.
User-Agent - The web browser (or other client software) that was used to access the URL.
Referer - The URL of the page that linked the user to the page being requested, i.e. the source that referred/redirected the user to it. (The HTTP header name keeps its historical misspelling.)
X-Forwarded-For - Holds the IP address of the user who requested the page when the request passed through a proxy; without it the firewall would see only the proxy's address.
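The three headers are trivial to read, but X-Forwarded-For deserves a caveat that the flashcard leaves out: the client can put anything in it, and only the entries appended by proxies you trust say who actually sent the request. The following Python is an added example, not from the page or from Palo Alto Networks; it parses a constructed raw HTTP request, extracts the same three attributes the firewall logs, and derives the client address by walking X-Forwarded-For from the right past known proxies. The trusted-proxy range and the sample request are assumptions for this example.

```python
from ipaddress import ip_address, ip_network

# Constructed assumption: address ranges of the proxies whose X-Forwarded-For entries we trust.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8")]

# Constructed request as an internal proxy would forward it to the server.
SAMPLE_REQUEST = (
    "GET /payroll/export HTTP/1.1\r\n"
    "Host: intranet.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0\r\n"
    "Referer: https://intranet.example.com/payroll/\r\n"
    "X-Forwarded-For: 203.0.113.9, 10.20.30.40\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Return (request_line, {lower-cased header name: value}) from a raw HTTP/1.x request."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name, value = name.strip().lower(), value.strip()
        # Repeated headers fold into one comma-separated list, which is exactly how a
        # multi-hop X-Forwarded-For arrives when each proxy adds its own header line.
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return lines[0], headers


def client_ip_from_xff(xff_value, peer_ip, trusted=TRUSTED_PROXIES):
    """Pick the client address from X-Forwarded-For the way a proxy-aware log should.

    Each proxy appends the address it received the request from, so the leftmost
    entry is whatever the client claimed and the rightmost entries were written by
    the proxies nearest the server. Walk from the right (starting with the TCP peer),
    skip trusted proxies, and take the first address that is not one of ours.
    Never take the leftmost entry at face value: the client controls it.
    """
    hops = [h.strip() for h in xff_value.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(hops):
        try:
            addr = ip_address(hop)
        except ValueError:
            return hop  # malformed entry: record it as-is rather than trusting earlier hops
        if not any(addr in net for net in trusted):
            return str(addr)
    return hops[0]  # every hop was a trusted proxy; the leftmost is then the real client


def http_header_log_entry(raw, peer_ip):
    """Build the three attributes the firewall records, plus a derived client address."""
    request_line, headers = parse_headers(raw)
    xff = headers.get("x-forwarded-for", "")
    return {
        "request": request_line,
        "user_agent": headers.get("user-agent", ""),
        "referer": headers.get("referer", ""),
        "x_forwarded_for": xff,
        "client_ip": client_ip_from_xff(xff, peer_ip) if xff else peer_ip,
    }


if __name__ == "__main__":
    print(http_header_log_entry(SAMPLE_REQUEST, "10.0.0.5"))
```

The firewall itself logs the raw header value; deciding which hop to believe is something the SIEM or the analyst has to do, and the walk-from-the-right rule above is the one to apply.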
What are the 3 DoS mitigation tools offered by PAN-OS? - CORRECT ANSWER Zone Protection Profile - Applies only to new sessions in ingress zones and provides broad protection against flood attacks by limiting connections per second (CPS) into the firewall, plus protection against port scans, host sweeps, packet-based attacks, and Layer 2 protocol attacks. One profile per zone. Enforced only when a packet does not match an existing session, because the limits are based on CPS, not packets per second.
DoS Protection profiles and policy rules - Provide granular protection of specific, critical devices for new sessions. Classified profiles protect individual devices by limiting the CPS to a specific device or devices. Aggregate profiles limit the total CPS for a group of devices but do not limit the CPS for any one device in the group to less than the total allowed for the group.
Packet Buffer Protection - Protects against single-session DoS attacks that attempt to overwhelm the firewall's packet buffer.
Which types of attack does a Zone Protection Profile protect against? - CORRECT ANSWER SYN Random Early Drop - When the SYN rate exceeds the Activate threshold, the firewall drops SYN packets randomly. Once the Maximum threshold is reached, all SYN packets above that rate are dropped.
SYN Cookie - The firewall acts like a proxy: it intercepts the TCP SYN, generates a cookie on the server's behalf, and sends a SYN-ACK back with the cookie as its sequence number. It then waits for an ACK that acknowledges the cookie; if the ACK returns with the correct cookie, the connection is considered valid and the firewall completes the handshake with the server. Preferred configuration.
ICMP - Uses similar Activate/Maximum thresholds as above.
Other IP - Uses similar Activate/Maximum thresholds as above, but applies to IP packets that do not belong to an existing session.
Zone Protection Profiles also:
-Drop packets with undesirable characteristics
-Strip undesirable options from packets before admitting them to the zone
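To make the SYN flood mechanics concrete, here is an added Python model of both SYN defences, written for this page and not code from Palo Alto Networks or the firewall: a Random Early Drop probability that ramps between the Activate and Maximum thresholds, and a SYN-cookie proxy that only opens a session to the server once the client returns an ACK for the cookie it was sent. The secret, the thresholds, the one-second tick granularity and the constructed flood traffic are all assumptions; PAN-OS's exact drop curve and cookie construction are not documented here, so this is a simplified model of the behaviour the flashcard describes.

```python
import hashlib
import hmac
from collections import deque

# Constructed values for this example: a demo secret (the firewall derives its own) and
# per-zone thresholds in connections per second, as set under Flood Protection > SYN.
SECRET = b"constructed-demo-secret-not-for-production"
ACTIVATE_CPS = 5
MAXIMUM_CPS = 10


def red_drop_probability(rate, activate=ACTIVATE_CPS, maximum=MAXIMUM_CPS):
    """SYN Random Early Drop (simplified): pass everything below Activate, drop everything
    at or above Maximum, and in between drop a fraction that grows linearly with the rate."""
    if rate < activate:
        return 0.0
    if rate >= maximum:
        return 1.0
    return (rate - activate) / (maximum - activate)


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, tick):
    """Mint the 32-bit cookie the firewall uses as its SYN-ACK sequence number.
    A keyed hash over the 4-tuple, the client's ISN and a coarse timestamp costs no
    per-connection state and cannot be forged by a client that lacks the secret."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{client_isn}|{tick}".encode()
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def ack_completes_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, tick, window=2):
    """The client's ACK must acknowledge cookie+1 for a cookie minted within `window` ticks."""
    for t in range(tick, tick - window, -1):
        expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, t) + 1) & 0xFFFFFFFF
        if hmac.compare_digest(expected.to_bytes(4, "big"), ack_num.to_bytes(4, "big")):
            return True
    return False


class SynFloodGuard:
    """Per-zone SYN handling in SYN Cookie mode: forward below Activate, proxy the
    handshake with cookies between Activate and Maximum, drop above Maximum."""

    def __init__(self, activate=ACTIVATE_CPS, maximum=MAXIMUM_CPS):
        self.activate, self.maximum = activate, maximum
        self.syn_times = deque()  # arrival times of the SYNs seen in the last second

    def _cps(self, now):
        while self.syn_times and self.syn_times[0] <= now - 1.0:
            self.syn_times.popleft()
        return len(self.syn_times)

    def on_syn(self, now, src_ip, src_port, dst_ip, dst_port, client_isn):
        self.syn_times.append(now)
        cps = self._cps(now)
        if cps > self.maximum:
            return ("drop", None)
        if cps > self.activate:
            # Answer on the server's behalf; no session and no server state exist yet.
            return ("syn-ack", syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, int(now)))
        return ("forward", None)

    def on_ack(self, now, src_ip, src_port, dst_ip, dst_port, client_isn, ack_num):
        # Only a client that really received the SYN-ACK (i.e. owns the source address)
        # can return the right cookie, so SYNs from spoofed sources never get this far.
        if ack_completes_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack_num, int(now)):
            return "open-session-to-server"  # the firewall now completes the handshake with the real server
        return "drop"


def simulate_flood(n_syn, gap=0.05):
    """Send n_syn SYNs `gap` seconds apart (constructed traffic) and count the decisions."""
    guard = SynFloodGuard()
    counts = {"forward": 0, "syn-ack": 0, "drop": 0}
    for i in range(n_syn):
        action, _ = guard.on_syn(i * gap, "198.51.100.7", 40000 + i, "10.1.1.80", 443, 1000 + i)
        counts[action] += 1
    return counts


if __name__ == "__main__":
    print(simulate_flood(12))  # 5 forwarded, 5 answered with cookies, 2 dropped
```

The contrast between the two modes is the practical point: RED sheds load blindly and drops some legitimate SYNs along with the flood, whereas the cookie mode only passes handshakes a real client completed, which is why the cookie setting is the preferred configuration. The price is that the firewall has to proxy every handshake above the Activate rate.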
What are the 5 major categories of packet-based attack protection? - CORRECT ANSWER IP Drop - Drops packets with Unknown or Malformed IP options, Strict Source Routing, Loose Source Routing, and (for internal zones) a Spoofed IP address, i.e. a source address that does not belong to the ingress zone.
TCP Drop - Keep the defaults (TCP SYN with data, TCP SYN-ACK with data), add Mismatched overlapping TCP segment and Split handshake, and strip the TCP Timestamp option.
ICMP Drop -
IPv6 Drop
ICMPv6 Drop
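The IP Drop checks are just header inspection, so they are easy to reproduce. The following Python is an added example written for this page, not Palo Alto Networks code: it builds constructed IPv4 headers and applies the five IP Drop checks the flashcard names (unknown option, malformed header or option, strict and loose source routing, spoofed source address for an internal zone). The zone prefix list is an assumption, the checksum is left at zero because it is not part of these checks, and the firewall's own data-plane implementation is not documented here.

```python
import ipaddress
import struct

# Constructed assumption: source prefixes that legitimately appear on the internal ingress zone.
INTERNAL_ZONE_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]

IPOPT_END, IPOPT_NOP = 0, 1
IPOPT_LSRR, IPOPT_SSRR = 131, 137  # loose / strict source routing option types (RFC 791)


def ipv4_header(src, dst, options=b"", ttl=64, proto=6):
    """Build a minimal IPv4 header with no payload for the constructed test packets."""
    if len(options) % 4:
        options += b"\x00" * (4 - len(options) % 4)  # pad options to a 32-bit boundary
    ihl = 5 + len(options) // 4
    total = ihl * 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr + options


def ip_drop_reasons(pkt, zone_prefixes=INTERNAL_ZONE_PREFIXES):
    """Return the IP Drop reasons that apply to a packet; an empty list means admit it."""
    pkt = bytes(pkt)
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return ["malformed"]
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or ihl > len(pkt) or total_len < ihl or total_len > len(pkt):
        return ["malformed"]  # header length and total length must both be consistent with the bytes present

    reasons = []
    src = ipaddress.ip_address(pkt[12:16])
    if not any(src in net for net in zone_prefixes):
        reasons.append("spoofed")  # a source that cannot have originated in this zone

    # Walk the options area: each option is either a single byte (END/NOP) or type, length, data.
    i = 20
    while i < ihl:
        opt = pkt[i]
        if opt == IPOPT_END:
            break
        if opt == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= ihl:
            return ["malformed"]  # type byte with no room for a length byte
        length = pkt[i + 1]
        if length < 2 or i + length > ihl:
            return ["malformed"]  # length that runs past the header or is too short to be real
        if opt == IPOPT_LSRR:
            reasons.append("loose-source-routing")
        elif opt == IPOPT_SSRR:
            reasons.append("strict-source-routing")
        else:
            reasons.append("unknown-option")  # any other class/number; tighten this list to options you allow
        i += length
    return reasons


if __name__ == "__main__":
    ssrr = bytes([IPOPT_SSRR, 7, 4]) + bytes([10, 9, 9, 9])
    for name, pkt in [("clean", ipv4_header("10.1.1.5", "10.2.2.9")),
                      ("spoofed+ssrr", ipv4_header("203.0.113.5", "10.2.2.9", ssrr))]:
        print(name, ip_drop_reasons(pkt) or ["admit"])
```

Source-routed packets let an attacker choose the path a packet takes and are essentially never legitimate on a modern network, which is why both routing options are dropped rather than stripped. The spoofed-address check is the one that needs tuning: it is only correct when the prefix list for the zone is complete.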
The Palo Alto Networks Security Operating Platform is designed for which three purposes? (Choose three.)
A. consume innovations quickly
B. ensure compliance
C. focus on what matters
D. prevent successful cyberattacks - CORRECT ANSWER A. consume innovations quickly
C. focus on what matters
D. prevent successful cyberattacks
Which item is not one of the six primary components of the Palo Alto Networks Security Operating Platform?
A. Applications (Palo Alto Networks apps, third‐party apps, customer apps)
B. Cloud‐Delivered Security Services
C. WildFire
D. Application Framework and Logging Service
E. Network Security
F. Advanced Endpoint Protection
G. Cloud Security - CORRECT ANSWER C. WildFire
Which cloud‐delivered security service provides instant access to community‐based threat data?
A. Aperture
B. AutoFocus
C. Threat 42
D. Magnifier - CORRECT ANSWER B. AutoFocus
Which cloud‐delivered security service provides security for branches and mobile users?
A. MineMeld
B. Magnifier
C. Traps
D. GlobalProtect - CORRECT ANSWER D. GlobalProtect
Which Palo Alto Networks Security Operating Platform component provides access to apps from Palo Alto Networks, third parties, and customers?
A. Applications (Palo Alto Networks apps, third‐party apps, customer apps)
B. Cloud‐Delivered Security Services
C. WildFire
D. Application Framework
E. Network Security
F. Advanced Endpoint Protection
G. Cloud Security - CORRECT ANSWER A. Applications (Palo Alto Networks apps, third‐party apps, customer apps)
Which Palo Alto Networks firewall feature provides all of the following abilities?
- Stops malware, exploits, and ransomware before they can compromise endpoints
- Provides protection while endpoints are online and offline, on network and off
- Coordinates enforcement with network and cloud security to prevent
successful attacks
- Detects threats and automates containment to minimize impact
- Includes WildFire cloud‐based threat analysis service with your Traps subscription
- Integrates with the Palo Alto Networks Security Operating Platform
A. Traps
B. Aperture
C. URL Filtering
D. WildFire
E. GlobalProtect
F. AutoFocus - CORRECT ANSWER A. Traps
Which management features does the control plane provide? (Choose three.)
A. security processing
B. logging
C. reporting
D. firewall configuration
E. signature matching
F. network processing - CORRECT ANSWER B. logging
C. reporting
D. firewall configuration
Which three data processing features does the data plane provide? (Choose three.)
A. network processing
B. security processing
C. signature matching
D. firewall configuration
E. logging
F. reporting - CORRECT ANSWER A. network processing
B. security processing
C. signature matching
What are three components of the Network Processing module? (Choose three.)
A. QoS
B. NAT
C. App‐ID
D. flow control
E. url match
F. spyware - CORRECT ANSWER A. QoS
B. NAT
D. flow control
Which approach most accurately defines the Palo Alto Networks SP3 architecture?
A. prioritize first
B. sequential processing
C. scan it all, scan it once
D. zero trust segmentation platform - CORRECT ANSWER C. scan it all, scan it once
What is the result of using a stream‐based design of architecture?
A. superior performance
B. increased latency
C. superior latency
D. increased functionality - CORRECT ANSWER C. superior latency
Which security model does Palo Alto Networks recommend that you deploy?
A. separation‐of‐trust
B. Zero Trust
C. trust‐then‐verify
D. never trust - CORRECT ANSWER B. Zero Trust
The Zero Trust model is implemented to specifically address which type of traffic?
A. east‐west
B. north‐south
C. left‐right
D. up‐down - CORRECT ANSWER A. east‐west
What are the three main concepts of Zero Trust? (Choose three.)
A. All resources are accessed in a secure manner, regardless of location.
B. Access control is on a "need‐to‐know" basis and is strictly enforced.
C. Credentials need to be verified.
D. All traffic is logged and inspected.
E. Internal users are trusted implicitly.
F. External users are trusted explicitly. - CORRECT ANSWER A. All resources are accessed in a secure manner, regardless of location.
B. Access control is on a "need‐to‐know" basis and is strictly enforced.
D. All traffic is logged and inspected.
Which two statements are true about the Zero Trust model? (Choose two.)
A. Traffic is inspected laterally.
B. Traffic is inspected east‐west.
C. Internal traffic is implicitly trusted.
D. External traffic is implicitly trusted. - CORRECT ANSWER A. Traffic is inspected laterally.
B. Traffic is inspected east‐west.
Which three Palo Alto Networks products secure your network? (Choose three.)
A. MineMerge
B. Aperture
C. URL filtering
D. AutoMagnifier
E. TrapContent
F. WildFire - CORRECT ANSWER B. Aperture
C. URL filtering
F. WildFire