
PALO ALTO NETWORKS PSE PLATFORM PROFESSIONAL 9.0 STUDY GUIDE

July 2019
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2018-2019 Palo Alto Networks – all rights reserved.
Aperture, AutoFocus, Demisto, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, RedLock, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.

©2018-2019, Palo Alto Networks, Inc. PALO ALTO NETWORKS PSE PLATFORM PROFESSIONAL 9.0 STUDY GUIDE 2
Table of Contents
Welcome ..................................................................................................................................................... 11
Overview ..................................................................................................................................................... 11
Prerequisites ............................................................................................................................................... 11
Exam Format ............................................................................................................................................... 11
Exam Domain .......................................................................................................................................... 12
Weight (%)............................................................................................................................................... 12
Positioning: Platform .......................................................................................................................... 12
Positioning: Next-Generation Firewall ................................................................................................ 12
Positioning: Tools – SLR, UTD, BPA, Heatmaps, Expedition, and SaaS Risk Assessment Report ........ 12
Solution Design: Platform ................................................................................................................... 12
Solution Design: Panorama ................................................................................................................. 12
Solution Design and NGFW Configuration: Custom............................................................................ 12
Solution Design: NGFW Configuration – Security ............................................................................... 12
Solution Design: NGFW Configuration – Visibility .............................................................................. 12
Solution Design: NGFW Configuration – Decryption .......................................................................... 12
Solution Design: Sizing ........................................................................................................................ 12
Total ........................................................................................................................................................ 12
How to Take This Exam ............................................................................................................................... 12
Positioning: Platform .................................................................................................................................. 13
Identify the Architecture Components That Benefit from WildFire ....................................................... 14
References .......................................................................................................................................... 15
Sample Question ................................................................................................................................. 15
Identify Components and Techniques Used by WildFire ........................................................................ 15
References .......................................................................................................................................... 17
Sample Question ................................................................................................................................. 17
Identify the Impact of Threat Intelligence Data from Palo Alto Networks ............................................. 17
References .......................................................................................................................................... 17
Sample Questions ............................................................................................................................... 18
Identify Sources of Data for Threat Intelligence ..................................................................................... 18
References .......................................................................................................................................... 19
Sample Question ................................................................................................................................. 19
Identify How the Security Operating Platform Helps Secure SaaS, IaaS, and PaaS ................................ 19
References .......................................................................................................................................... 20
Sample Questions ............................................................................................................................... 21
Identify the Core Values of the Palo Alto Networks Security Operating Platform ................................. 21
References .......................................................................................................................................... 22
Sample Question ................................................................................................................................. 22
Positioning: Next-Generation Firewall ........................................................................................................ 22
Identify the Protections That the Next-Generation Firewall Uses to Prevent Command-and-Control Traffic ...................................................................................................................................... 22
References .......................................................................................................................................... 23
Sample Question ................................................................................................................................. 24
Identify the Reporting Capabilities of the Palo Alto Networks Next-Generation Firewall ..................... 24
References .......................................................................................................................................... 24
Sample Questions ............................................................................................................................... 25
Identify the Process of Automated Report Distribution ......................................................................... 25
References .......................................................................................................................................... 25
Sample Question ................................................................................................................................. 25
Identify the Capabilities That Detect Indicators of Compromise............................................................ 26
References .......................................................................................................................................... 26
Sample Question ................................................................................................................................. 26
Identify How to Position the Value of a Next-Generation Firewall over Legacy Firewall and over Native Cloud Security Offerings ......................................................................................................................... 26
References .......................................................................................................................................... 27
Sample Question ................................................................................................................................. 28
Positioning: Tools – SLR, UTD, BPA, PPA, Heatmaps, Expedition, and SaaS Risk Assessment Report ........ 28
Identify the Presale Benefits of Expedition............................................................................................. 28
References .......................................................................................................................................... 29
Sample Question ................................................................................................................................. 29
Compare and Contrast the Contents Shown by the SLR or BPA for Customers with and Without Decryption............................................................................................................................... 29
References .......................................................................................................................................... 30
Sample Question ................................................................................................................................. 30
Recognize How to Configure Next-Generation Firewalls for Evaluation Purposes ................................ 30
References .......................................................................................................................................... 30
Sample Question ................................................................................................................................. 31
Apply the Characteristics and Best Practices of UTD Seminars to Customer Opportunities.................. 31
Reference ............................................................................................................................................ 31
Sample Question ................................................................................................................................. 31
Identify the Appropriate Use and Benefits of Running a SaaS Risk Assessment .................................... 31
Reference ............................................................................................................................................ 32
Sample Question ................................................................................................................................. 33
Given a Scenario, Plan Use of Multiple Tools to Validate the Value of the Security Operating Platform and Associated Services .......................................................................................................................... 33
References .......................................................................................................................................... 36
Sample Question ................................................................................................................................. 36
Given a Scenario, Identify Which Customer Success Tool(s) to Present to a Customer......................... 36
References .......................................................................................................................................... 38
Sample Question ................................................................................................................................. 38
Solution Design: Platform ........................................................................................................................... 38
Given a Customer Environment, Identify the NGFW Model That Should Be Used to Secure the Network .................................................................................................................................. 38
Reference ............................................................................................................................................ 39
Sample Question ................................................................................................................................. 39
Given a Customer Environment, Identify How Prisma SaaS Should Be Used to Secure the Enterprise. 39
References .......................................................................................................................................... 40
Sample Question ................................................................................................................................. 40
Given a Customer Environment, Identify How AutoFocus Should Be Used to Secure the Enterprise ... 40
References .......................................................................................................................................... 40
Sample Question ................................................................................................................................. 40
Given a Customer Environment, Identify How Traps Should Be Used to Secure the Endpoint ............. 41
References .......................................................................................................................................... 41
Sample Question ................................................................................................................................. 42
Given a Customer Environment, Identify How WildFire Should Be Used to Secure the Enterprise ...... 42
References .......................................................................................................................................... 43
Sample Question ................................................................................................................................. 43
Given a Customer Environment, Identify How Cortex XDR (Magnifier) Would Be Recommended to Secure the Enterprise.............................................................................................................................. 43
References .......................................................................................................................................... 44
Sample Question ................................................................................................................................. 44
Assemble the Bill of Materials Given a Palo Alto Networks Firewall Solution Scenario Including Products, Subscription Licenses, and Support ........................................................................................ 44
References .......................................................................................................................................... 45
Sample Question ................................................................................................................................. 45
Given a Customer Environment, Identify How NGFW, WildFire, Traps, Prisma SaaS, and Cortex XDR Should Be Used to Secure the Enterprise ............................................................................................... 46
References .......................................................................................................................................... 46
Sample Question ................................................................................................................................. 47
Given a Scenario, Identify the Components Needed for Visibility and Enforcement with the Public Cloud ....................................................................................................................................... 47
References .......................................................................................................................................... 48
Sample Question ................................................................................................................................. 49
Given a Scenario, Identify the Components Needed for Visibility and Enforcement with SaaS ............ 49
References .......................................................................................................................................... 50
Sample Question ................................................................................................................................. 50
Given a Scenario, Identify Cortex Data Lake (Logging Service) Usage with Traps, Prisma Access, and Next-Generation Firewalls ...................................................................................................................... 50
References .......................................................................................................................................... 51
Sample Question ................................................................................................................................. 52
Given a Scenario, Identify Which Components of the Platform Require Cortex Data Lake (Logging Service).................................................................................................................................... 52
References .......................................................................................................................................... 52
Sample Question ................................................................................................................................. 53
Given a Scenario, Identify Which Components of the Platform Require Panorama .............................. 53
References .......................................................................................................................................... 54
Sample Question ................................................................................................................................. 55
Identify Which Platform Components Are Used Consistently Across a Given Set of Computing Environment Locations ........................................................................................................................... 55
References .......................................................................................................................................... 56
Sample Question ................................................................................................................................. 56
Solution Design: Panorama ......................................................................................................................... 56
Identify How to Use Device Groups and Templates to Manage a Deployment ..................................... 56
References .......................................................................................................................................... 57
Sample Questions ............................................................................................................................... 58
Identify the Benefits of Panorama for Deploying Palo Alto Networks Products .................................... 58
References .......................................................................................................................................... 58
Sample Question ................................................................................................................................. 59
Given a Customer Scenario, Identify How to Design a Log-Redundant Panorama Deployment ........... 59
References .......................................................................................................................................... 59
Sample Question ................................................................................................................................. 60
Identify Scenarios for Panorama: Physical, Virtual, and Cloud ............................................................... 60
References .......................................................................................................................................... 61
Sample Questions ............................................................................................................................... 61
Understand How Cortex Data Lake Is Designed and How to Use It with Panorama .............................. 61
Reference ............................................................................................................................................ 62
Sample Question ................................................................................................................................. 62
Identify Variables to Scale Panorama ..................................................................................................... 62
References .......................................................................................................................................... 63
Sample Question ................................................................................................................................. 64
Given a Customer Environment, Identify How to Size Panorama for HA ............................................... 64
References .......................................................................................................................................... 65
Sample Question ................................................................................................................................. 65
Solution Designs and NGFW Configuration: Custom .................................................................................. 65
Given a Design Requirement, Identify the Best Practice Approach to High Availability ........................ 65
References .......................................................................................................................................... 66
Sample Question ................................................................................................................................. 66
Identify the Functions of a Given High Availability Port ......................................................................... 67
References .......................................................................................................................................... 67
Sample Question ................................................................................................................................. 67
Identify License Requirements for Receiving Near Real-Time Dynamic Updates .................................. 68
References .......................................................................................................................................... 68
Sample Question ................................................................................................................................. 68
Demonstrate Knowledge of Prisma Access ............................................................................................ 68
References .......................................................................................................................................... 70
Sample Question ................................................................................................................................. 70
Demonstrate Knowledge of Custom WildFire Data Expansion and Use ................................................ 70
References .......................................................................................................................................... 71
Sample Question ................................................................................................................................. 71
Solution Design: NGFW Configuration - Security ........................................................................................ 72
Demonstrate Knowledge of Advanced Features and Configuration Capabilities .................................. 72
References .......................................................................................................................................... 73
Sample Question ................................................................................................................................. 74
Identify How to Protect Against Known Attacks..................................................................................... 74
References .......................................................................................................................................... 75
Sample Question ................................................................................................................................. 75
Identify the Next-Generation Firewall Components That Protect Against Unknown Attacks ............... 76
References .......................................................................................................................................... 76
Sample Question ................................................................................................................................. 77
Identify Where and How Credential Theft Occurs .................................................................................. 77
References .......................................................................................................................................... 78
Sample Question ................................................................................................................................. 78
Solution Design: NGFW Configuration - Visibility ....................................................................................... 78
Identify Where to Configure User-ID in the Web Interface and How to Obtain Its Parameters ............ 78
References .......................................................................................................................................... 80
Sample Questions ............................................................................................................................... 80
Identify the Best Practices for Deployment of User-ID........................................................................... 81
References .......................................................................................................................................... 82
Sample Questions ............................................................................................................................... 82
Identify the Processes and Thought Around Configuring App-ID ........................................................... 83
References .......................................................................................................................................... 83
Learn by Doing .................................................................................................................................... 84
Sample Question ................................................................................................................................. 84
Identify App-ID Deployment Best Practices and Techniques ................................................................. 84
References .......................................................................................................................................... 85
Sample Question ................................................................................................................................. 85
Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum Effectiveness.............. 86
References .......................................................................................................................................... 86
Sample Question ................................................................................................................................. 87
Solution Design: NGFW Configuration - Decryption ................................................................................... 87
Identify the Differences in Decryption Configuration Between Forward Proxy, Inbound Proxy, and SSH Proxy ....................................................................................................................................... 87
References .......................................................................................................................................... 88
Sample Question ................................................................................................................................. 89
Identify How to Overcome Privacy and Legal Objections to Decryption................................................ 89
References .......................................................................................................................................... 89
Sample Question ................................................................................................................................. 90
Identify Which External Devices Work with Decryption Capabilities ..................................................... 90
Reference ............................................................................................................................................ 90
Sample Question ................................................................................................................................. 90
Identify Functionality Requirements, Use Cases, and Deployment Scenarios for Decryption Broker ... 90
References .......................................................................................................................................... 91
Sample Question ................................................................................................................................. 92
Solution Design: Sizing ................................................................................................................................ 92
Given a Customer Environment, Identify How to Size Cortex XDR (Magnifier) ..................................... 92
Reference ............................................................................................................................................ 93
Sample Question ................................................................................................................................. 93
Given a Customer Environment, Identify How to Size Prisma SaaS ....................................................... 93
Reference ............................................................................................................................................ 94
Sample Question ................................................................................................................................. 94
Given a Customer Environment, Identify How to Size Prisma Access .................................................... 94
References .......................................................................................................................................... 95
Sample Question ................................................................................................................................. 95
Sample Test ................................................................................................................................................. 96
Answers to Sample Questions .................................................................................................................. 100

Sample Test Answer Key ........................................................................................................................... 112
Glossary ..................................................................................................................................................... 114
Continuing Your Learning Journey with Palo Alto Networks .................................................................... 120
Digital Learning ..................................................................................................................................... 120
Instructor-Led Training ......................................................................................................................... 120
Learning Through the Community ........................................................................................................ 120

Welcome
Welcome to the Palo Alto Networks PSE Platform Professional 9.0 Study Guide. The purpose of this guide
is to help you prepare for your PSE Platform Pro 9.0 exam and achieve your PSE credential. This study
guide is a summary of the key topic areas that you are expected to know to be successful at the exam. It
is organized based on the exam blueprint and key exam objectives, and the headings used in the guide
correspond to the testing objectives in the exam blueprint.

Overview
This document is the Study Guide for the Palo Alto Networks Systems Engineer: Platform Professional
Certification Exam, abbreviated as PSE: Platform – P. This exam has been refreshed to reflect product
updates and has increased in scope to encompass the former PSE: Cyber Security subdiscipline, which
has been deprecated.

This new exam is now better focused on the Palo Alto Networks Security Operating Platform as a whole,
and has been carefully tuned to better evaluate an SE’s pre-sales capability.

Prerequisites
You should complete the following prerequisites before attempting the exam:

 You have passed the Palo Alto Networks Systems Engineer: Platform – Associate Accreditation
Exam, abbreviated as PSE: Platform – A.
 You have completed a year of full-time experience as a Palo Alto Networks SE, either as a Palo
Alto Networks employee SE or as a Partner employee SE.

Exam Format
The test format is 60 multiple-choice items. Candidates have 5 minutes to complete the Non-Disclosure
Agreement (NDA), 80 minutes to complete the questions, and 5 minutes to complete a survey. The Beta
exam is available in English only.

The beta exam fee is USD 90.00.

This exam is based on PAN-OS® Version 9.0.

Exam Domain                                                                                 Weight (%)
Positioning: Platform                                                                               17
Positioning: Next-Generation Firewall                                                               15
Positioning: Tools – SLR, UTD, BPA, Heatmaps, Expedition, and SaaS Risk Assessment Report            7
Solution Design: Platform                                                                           13
Solution Design: Panorama                                                                            8
Solution Design and NGFW Configuration: Custom                                                       8
Solution Design: NGFW Configuration – Security                                                      12
Solution Design: NGFW Configuration – Visibility                                                     7
Solution Design: NGFW Configuration – Decryption                                                     7
Solution Design: Sizing                                                                              6
Total                                                                                              100

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform at
https://home.pearsonvue.com/paloaltonetworks.

To access the PSE Professional exams, candidates need to add the Private Access Code:

1) PSE-PAC (if you are taking the exam at a test center)
2) PSE-OP (if you are taking the exam at home or in the office)
Positioning: Platform
The Palo Alto Networks Security Operating Platform prevents successful cyberattacks by harnessing
analytics to automate routine tasks and enforcement. Tight integration across the platform, and with
partners, simplifies security to secure users, applications, and data.

The following image of the Security Operating Platform shows how Cortex, the Next-Generation
Firewall, Prisma Access, Traps, VM-Series, Prisma SaaS, the Cortex Data Lake, and cloud-delivered
security services fit into the platform:

The platform includes visibility and enforcement security products, Palo Alto Networks security services
and Cortex. Cortex supports Palo Alto Networks apps, third-party partner apps, and customer apps and
allows their innovative functionality to be easily consumed by customers. Cortex also supports
enforcement of security decisions facilitated by these apps.

The following figure shows how the platform leverages visibility by collecting data and providing it to
Cortex:

For an introductory overview to the Palo Alto Networks Security Operating Platform, see What is a
Security Operating Platform?:

https://www.paloaltonetworks.com/cyberpedia/what-is-security-operating-platform

Identify the Architecture Components That Benefit from WildFire
WildFire® inspects millions of samples daily from its global network of customers and threat intelligence
partners. It looks for new forms of previously unknown malware, exploits, malicious domains, and
outbound command-and-control (C2) activity. WildFire matches any forwarded samples against its
database of known files and designates never-before-seen items for further investigation using static
and dynamic analysis against multiple operating systems and application versions as shown in the
following diagram.

References
 WildFire at a Glance:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/at-a-glance-
wildfire.pdf
 WildFire® Filetype Support:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-file-
type-support.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

1) Which file types are not supported as an upload sample for file upload by WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a) iOS applications
b) Android applications
c) Windows applications
d) Microsoft Excel files

Identify Components and Techniques Used by WildFire
WildFire reproduces a variety of analysis environments, including the operating system, to identify
malicious behaviors within samples. Multiple analysis environments may be used to determine the
nature of a file, depending on the characteristics and features of the sample. WildFire first uses static
analysis with machine learning to determine whether known samples, and variants of known samples,
are malicious. This initial verdict determines which environments WildFire uses to inspect unknown
samples in greater detail, extracting additional information and indicators through dynamic analysis.
WildFire observes the file as it would behave when executed on a client system and looks for signs of
malicious activity, such as changes to browser security settings, injection of code into other processes,
modification of files in operating system folders, or attempts by the sample to reach malicious domains.
Some files are obfuscated using custom or open source methods. In that case, the WildFire cloud
decompresses and decrypts the file in memory within the dynamic analysis environment before
analyzing it with static analysis.

The components and techniques used by WildFire vary from submission to submission, and thus depend
on the submission itself. But the following figure depicts an example of how WildFire might process a
submission:

WildFire analyzes files using the following methods:

• Static analysis: Detects known threats by analyzing the characteristics of samples prior to
execution

• Machine learning: Identifies variants of known threats by comparing malware feature sets
against a dynamically updated classification system

• Dynamic unpacking (WildFire Cloud analysis only): Identifies and unpacks files that have been
encrypted using custom or open source methods and prepares them for static analysis

• Dynamic analysis: A custom-built, evasion-resistant virtual environment in which previously
unknown submissions are detonated to determine real-world effects and behavior

• Bare metal analysis (WildFire cloud analysis only): A fully hardware-based analysis environment
specifically designed for advanced VM-aware threats. Samples that display the characteristics of
an advanced VM-aware threat are steered toward the bare metal appliance by the heuristic
engine.

References
 WildFire Concepts from WildFire 9.0 Administrator’s Guide:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-
concepts.html
 WildFire 9.0 What’s New Guide:
https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new.html
 WildFire landing page:
https://docs.paloaltonetworks.com/wildfire

Sample Question
For answers, see the “Answers to Sample Questions” section.
2) WildFire functionality is like that of a sandbox. Is this statement an accurate description?
a) Yes, WildFire functionality is exactly that of a virtual sandbox in the cloud, provided to test
applications that customers run in the cloud.
b) No, WildFire does not supply sandbox functionality, although it competes with products that do.
c) No, WildFire provides dynamic analysis, machine learning, and other techniques along with
sandbox functionality.
d) Yes, WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.

Identify the Impact of Threat Intelligence Data from Palo Alto Networks
The firewall forwards unknown samples for WildFire analysis based on the configured WildFire Analysis
Profile settings. It detects links included in emails, files attached to emails, and browser-based file
downloads, and also leverages the Palo Alto Networks App-ID feature to detect file transfers within
applications. The firewall checks the sample hash against WildFire hashes to determine whether
WildFire has previously analyzed the sample. If WildFire has never seen the sample, the firewall
forwards it for WildFire analysis. Samples that WildFire previously identified as malware are blocked.
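The following Python script is an added example, not code from this guide or from PAN-OS: it models the hash-check-then-forward decision just described, and ties it back to the verdict categories listed under "Identify Components and Techniques Used by WildFire". The verdict codes and the XML shape of the WildFire public API get/verdict response are taken from the public API documentation and should be treated as assumptions here; the sample bytes, the hash, the verdict response, and the allow/block policy are constructed for the example.

```python
"""Model of the firewall's WildFire forwarding decision.

Added example, not PAN-OS code. The verdict codes and the XML shape below
follow the WildFire public API get/verdict documentation (assumption); the
sample, its hash and the response are constructed for this example.
"""
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Verdict codes used by the WildFire public API (assumption: as documented).
VERDICTS = {
    0: "benign",
    1: "malware",
    2: "grayware",
    4: "phishing",
    -100: "pending",       # sample is queued for analysis
    -101: "error",
    -102: "unknown",       # hash not found: WildFire has never seen it
    -103: "invalid-hash",
}

# Constructed sample (not real malware) and the constructed verdict response
# that seeds the firewall's local hash cache.
KNOWN_MALWARE = b"MZ\x90\x00constructed sample, not real malware"
KNOWN_SHA256 = hashlib.sha256(KNOWN_MALWARE).hexdigest()
SAMPLE_RESPONSE = f"""<?xml version="1.0" encoding="UTF-8"?>
<wildfire>
  <get-verdict-info>
    <sha256>{KNOWN_SHA256}</sha256>
    <verdict>1</verdict>
    <md5>00000000000000000000000000000000</md5>
  </get-verdict-info>
</wildfire>"""


def parse_verdict(xml_text: str) -> Tuple[str, int]:
    """Extract (sha256, verdict code) from a get/verdict XML response."""
    root = ET.fromstring(xml_text)
    info = root.find("get-verdict-info")
    if info is None:
        raise ValueError("response has no get-verdict-info element")
    sha256 = info.findtext("sha256", "").strip().lower()
    if len(sha256) != 64:
        raise ValueError("malformed sha256 in response")
    return sha256, int(info.findtext("verdict", "-101"))


def build_store(responses: List[str]) -> Dict[str, int]:
    """Turn a batch of verdict responses into a hash -> verdict cache."""
    return dict(parse_verdict(r) for r in responses)


def decide(sample: bytes, store: Dict[str, int], forward_queue: List[str]) -> str:
    """Return 'block', 'allow' or 'forward' for one sample.

    Known malware and phishing verdicts are blocked. A hash WildFire has never
    seen is appended to forward_queue, standing in for submission to WildFire
    for static and dynamic analysis. A pending sample is not blocked: the
    firewall has no verdict to enforce until analysis completes. Treating
    grayware as allow is this example's policy; on the firewall the action is
    set per profile.
    """
    sha256 = hashlib.sha256(sample).hexdigest()
    label = VERDICTS.get(store.get(sha256, -102), "error")
    if label in ("malware", "phishing"):
        return "block"
    if label == "unknown":
        forward_queue.append(sha256)
        return "forward"
    return "allow"


if __name__ == "__main__":
    store = build_store([SAMPLE_RESPONSE])
    queue: List[str] = []
    for name, data in [("known sample", KNOWN_MALWARE), ("new sample", b"never seen before")]:
        print(name, "->", decide(data, store, queue))
    print("forwarded for analysis:", queue)
```

The point to take from the example is the ordering: the hash lookup is what lets the firewall block known malware inline, while a never-before-seen file is forwarded and only gains an enforceable verdict after WildFire's static and dynamic analysis returns.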

For private clouds, Palo Alto Networks offers the WF-500 WildFire Appliance:

References
 WildFire 9.0 Administrator’s Guide:
• WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-
concepts.html
• WildFire Subscription:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-
subscription
• Firewall File Forwarding Capacity by Model:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/submit-files-for-wildfire-
analysis/firewall-file-forwarding-capacity-by-model
 PAN-OS 9.0 Administrator’s Guide:
• Install Content and Software Updates:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/software-and-content-
updates/install-content-and-software-updates.html

Sample Questions
For answers, see the “Answers to Sample Questions” section.

3) Can you get WildFire functionality without an internet connection?
a) no
b) yes, using a WF-400 appliance
c) yes, using a WF-500 appliance
d) yes, using a WF-600 appliance

4) Which fully populated firewall has the highest file forwarding capacity through its data ports?
a) VM-100
b) PA-200
c) PA-5280
d) PA-7080

Identify Sources of Data for Threat Intelligence
Every WildFire customer benefits from the collective security intelligence gathered from all customers. If
one customer encounters a previously unknown threat, WildFire can help protect hundreds of other
organizations or millions of endpoints from that threat.

The following figure shows an example combining sources of data that feed WildFire.

References
Documentation about WildFire integration with third-party products follows:

 Airwatch:
https://docs.vmware.com/en/VMware-AirWatch/9.3/vmware-airwatch-guides-93/GUID-AW93-
WildFire_Int_Systems.html
 Proofpoint:
https://www.proofpoint.com/us/technology-partners/palo-alto-networks
 Tanium:
https://docs.tanium.com/connect/connect/paloalto.html
 Tripwire:
http://www.tripwire.com/solutions/integrations/palo-alto/
 Trusteer:
http://www.trusteer.com/sites/default/files/PANIntegration.pdf

Sample Question
For answers, see the “Answers to Sample Questions” section.

5) Which information does Tanium get from WildFire?
a) none; it provides information to WildFire
b) indicators of compromise (IoCs)
c) hashes of malware for EXE and MSI files
d) hashes of malware for APK files

Identify How the Security Operating Platform Helps Secure SaaS, IaaS, and
PaaS
Combinations of best-of-breed point solutions present problems in data centers, and these problems
become intractable once organizations incorporate public cloud offerings into their IT services.
Such approaches lack foundational visibility across network, endpoint, and cloud, and never achieve
consistent Security policy or prevention.

Disparate technologies produce independent logs and alerts. Security teams typically must drive manual
responses to them and may need to coordinate action across dozens of security products. They
experience data overload and cannot respond quickly enough to the resulting influx of information, a
problem made worse by the increasing automation and volume of attacks. Attempts to deal with this
influx by adding even more new but disparate technologies increase security sprawl, so these attempts
usually make the problem worse.

The Palo Alto Networks Security Operating Platform provides consistent visibility, enforcement, and
Security policy across the network, endpoint, and cloud. As a single platform, it allows organizations to
simply consume new cybersecurity products while maintaining unified logging, alerts, and automation.

The following figure shows how the Security Operating Platform components (VM-Series firewalls,
Traps, Prisma SaaS and Prisma Public Cloud) fit in a hybrid cloud environment:

One specific feature that helps the platform secure SaaS applications lives on the firewall itself: the
firewall can identify SaaS application hosting characteristics.

PAN-OS® 8.1 introduced enhanced App-ID ACC filters, and some of these filters specifically help
customers analyze risks related to SaaS applications. Five unfavorable hosting characteristics are
available for filtering in the ACC: data breaches, poor terms of service, no certifications, poor financial
viability, and IP-based access restrictions. These ACC filters show detailed risk profiles and usage
statistics relevant to SaaS application risk, and help provide visibility into and control of SaaS
application use.

References
 Firewall App-ID ACC filters for SaaS:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/app-id-
features/saas-application-hosting-characteristics

 Cloud Security with the Palo Alto Networks Security Operating Platform:
https://www.paloaltonetworks.com/solutions/initiatives/public-cloud
 Securing business in a multi-cloud environment:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/whitepapers/how-to-secure-your-business-in-a-multi-cloud-world

Sample Questions
For answers, see the “Answers to Sample Questions” section.

6) Which option is an example of how the next-generation firewall can provide visibility and
enforcement around SaaS applications?
a) Through partnership with SaaS application vendors, special virtual firewalls that support a
subset of full firewall functionality are used inside the SaaS applications themselves.
b) A built-in default security rule in the firewall blocks dangerous SaaS applications based on an
automatically updated database of dangerous SaaS applications.
c) Built-in default functionality in the firewall sends all files sent or received by SaaS applications to
WildFire.
d) The firewall can filter SaaS applications based on whether they comply with industry
certifications such as SOC1, HIPAA, and FINRA.

7) When a cloud deployment is secured, which role does the next-generation firewall play?
a) A member of the VM-Series is attached to each VM in the cloud environment, to stop malware,
exploits, and ransomware before they can compromise the virtual systems they are attached to.
b) The NGFW exports its Security policy through Panorama, which in turn distributes that policy to
the cloud-based Prisma SaaS service that enforces the NGFW Security policy against each VM
used in the cloud environment.
c) The NGFW exports its Security policy to WildFire, which lives in the cloud and enforces the
NGFW Security policy throughout the cloud environment.
d) The NGFW is used to consistently control access to applications and data based on user
credentials and traffic payload content for private or public cloud, internet, data center, or SaaS
applications.

Identify the Core Values of the Palo Alto Networks Security Operating Platform
The Palo Alto Networks Security Operating Platform has four major features that enable the prevention
of successful cyberattacks:

1. Natively integrated technologies that leverage a single-pass prevention architecture to exert
positive control based on applications, users, and content to reduce the organizational attack
surface; that support open communication, orchestration, and visibility; and that enable
consistent security posture from the network, to the cloud, to the endpoint
2. Automated creation and delivery of protection mechanisms against new threats to network,
cloud, and endpoint environments
3. Extensibility and flexibility that allow for protection of customers as they expand, move off
their physical network, or adopt new technologies
4. Threat intelligence sharing that provides protection by taking advantage of the network effect
(information about threats identified at a customer site is propagated to all other customers)

References
 PAN-OS 9.0 Administrator’s Guide:
• Segment Your Network Using Interfaces and Zones:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/segment-
your-network-using-interfaces-and-zones.html
 Palo Alto Networks Compatibility Matrix:
• What Features Does Prisma Access Support?
https://www.paloaltonetworks.com/documentation/global/compatibility-
matrix/globalprotect/what-features-does-globalprotect-support
 Traps Management Service Administrator’s Guide:
• About Traps:
https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-
admin/traps-management-service-overview/traps-management-service

Sample Question
For answers, see the “Answers to Sample Questions” section.

8) Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating Platform?
a) attacks through SaaS applications, such as exfiltration through Box
b) attacks that do not cross the firewall, regardless of source or destination
c) attacks based on social engineering that mimic normal user behavior
d) denial-of-service attacks from a trusted source
e) intrazone attacks, regardless of source or destination

Positioning: Next-Generation Firewall

Identify the Protections That the Next-Generation Firewall Uses to Prevent
Command-and-Control Traffic
We know that there is no perfect solution to prevent all threats from entering your network, which is
why we also focus on preventing multistage attacks, secondary downloads, and data from leaving
through attacker-controlled command-and-control (C2) channels.

We use content-based protections to stop attacks at the C2 stage, preventing attackers from
controlling infected endpoints, spreading laterally within your organization, and accomplishing their
objectives. The following picture shows how URL filtering works with pattern matching to recognize and
stop C2 communications.
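The DNS Sinkholing reference listed for this section describes the other C2 protection a practitioner will be asked about: the Anti-Spyware profile answers a query for a known C2 domain with a sinkhole address, and the infected client is then identified when it connects to that address. The following Python script is an added example, not code from this guide or from PAN-OS, that simulates why the sinkhole is needed: because clients resolve through an internal DNS server, the firewall's DNS log shows only the resolver, and the traffic log entry to the sinkhole address is what exposes the client. The hosts, domains, and addresses are constructed; the sinkhole address is an assumption (the one behind sinkhole.paloaltonetworks.com at the time of writing), and any unused address works.

```python
"""DNS sinkhole walk-through: why the DNS log alone cannot name the infected host.

Added example, not PAN-OS code. Hosts, domains and addresses are constructed.
"""
from typing import List, Set, Tuple

# Assumption: address behind sinkhole.paloaltonetworks.com; any address that
# never carries legitimate traffic works as a sinkhole.
SINKHOLE_IP = "72.5.65.111"
INTERNAL_RESOLVER = "10.0.0.53"     # constructed: the site's internal DNS server

# Constructed: a domain the Anti-Spyware DNS signatures would flag, plus a benign one.
C2_DOMAINS = {"update.fresh-c2.example"}
UPSTREAM_ANSWERS = {
    "update.fresh-c2.example": "203.0.113.10",
    "www.example.com": "198.51.100.7",
}


class Network:
    """Tiny simulation of client -> internal resolver -> firewall -> internet."""

    def __init__(self) -> None:
        self.dns_log: List[Tuple[str, str, str]] = []   # (source seen by firewall, name, action)
        self.traffic_log: List[Tuple[str, str]] = []    # (client, destination ip)

    def firewall_inspect_dns(self, src: str, name: str, real_answer: str) -> str:
        """The firewall rewrites the reply for a C2 domain to the sinkhole address."""
        if name in C2_DOMAINS:
            self.dns_log.append((src, name, "sinkhole"))
            return SINKHOLE_IP
        self.dns_log.append((src, name, "allow"))
        return real_answer

    def client_connect(self, client: str, name: str) -> str:
        """Client resolves via the internal resolver, then connects to whatever it got."""
        # The firewall sees the recursive query from the resolver, not from the client.
        answer = self.firewall_inspect_dns(
            INTERNAL_RESOLVER, name, UPSTREAM_ANSWERS.get(name, "0.0.0.0"))
        self.traffic_log.append((client, answer))
        return answer

    def hosts_from_dns_log(self) -> Set[str]:
        """What the DNS log alone reveals: only the resolver's address."""
        return {src for src, _, action in self.dns_log if action == "sinkhole"}

    def infected_hosts(self) -> Set[str]:
        """What the traffic log reveals once the client connects to the sinkhole."""
        return {client for client, dst in self.traffic_log if dst == SINKHOLE_IP}


def run_scenario() -> Tuple[Set[str], Set[str]]:
    """Return (hosts named by the DNS log, hosts named by the traffic log)."""
    net = Network()
    net.client_connect("10.0.1.25", "www.example.com")           # clean host
    net.client_connect("10.0.1.77", "update.fresh-c2.example")   # infected host
    return net.hosts_from_dns_log(), net.infected_hosts()


if __name__ == "__main__":
    from_dns, from_traffic = run_scenario()
    print("DNS log points at:", from_dns)          # the resolver, not useful
    print("Traffic log points at:", from_traffic)  # the real client
```

In practice the check is a traffic log filter on destination address equal to the sinkhole address; the example's infected_hosts method is that filter.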

References
 Command and Control:
https://www.paloaltonetworks.com/features/command-control
 New command and control URL category:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZkCAK
 PAN-OS 9.0 Administrator’s Guide:
• Set Up Antivirus, Anti-Spyware, and Vulnerability Protection:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-
antivirus-anti-spyware-and-vulnerability-protection.html
• DNS Sinkholing:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/use-dns-
queries-to-identify-infected-hosts-on-the-network/dns-sinkholing
• URL filtering overview:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-
overview

Sample Question
For answers, see the “Answers to Sample Questions” section.

9) Which two profile types can block a C2 channel? (Choose two.)
a) Anti-Spyware
b) Certification
c) Command and Control
d) Decryption
e) URL Filtering

Identify the Reporting Capabilities of the Palo Alto Networks Next-Generation
Firewall
The reporting capabilities on the firewall enable customers to monitor their network, validate policies,
and focus their efforts on maintaining network security to keep users safe and productive. Here is an
example of a report. Generally, all firewall models support the same monitoring and reporting
capabilities, but this isn't always true. For example, PA-7000 Series firewalls using the second-generation
log processing modules do not store logs locally, and therefore do not provide local ACC functionality,
which depends on locally stored logs. ACC functionality for those firewalls is available through
Panorama.

References
 PAN-OS 9.0 Administrator’s Guide:
• Custom Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-
manage-reports/custom-reports
• VM-50 Lite report-related limitations:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/virtualization-features/vm-50-lite

Sample Questions
For answers, see the “Answers to Sample Questions” section.

10) The customer wants a monthly report of the number of connections (of a particular application)
per day. Where do you specify that the report is by days?
a) Query Builder
b) “Group By” field
c) “Order By” field
d) “Time Frame” field

11) The customer wants a monthly connections report for a particular application to be generated
based on hourly activity. Where is this setting specified?
a) Query Builder
b) “Group By” field
c) “Sort By” field
d) “Time Frame” field

Identify the Process of Automated Report Distribution
The firewall provides an assortment of more than 40 predefined reports that it generates every day. You
can view these reports directly on the firewall, along with custom reports and summary reports.
Reports can be scheduled for daily delivery, or for weekly delivery on a specified day. Scheduled
reports are generated starting at 2 a.m., and email delivery begins after all scheduled reports have
been generated.

References
 PAN-OS 9.0 Administrator’s Guide:
• View Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-
manage-reports/view-reports
• Manage Report Groups:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-
manage-reports/view-reports/monitoring/view-and-manage-reports/manage-report-groups
• Schedule Reports for Email Delivery:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-
manage-reports/view-reports/monitoring/view-and-manage-reports/schedule-reports-for-
email-delivery

Sample Question
For answers, see the “Answers to Sample Questions” section.

12) You can receive regularly scheduled reports in which two ways? (Choose two.)
a) Retrieve the reports from the Palo Alto Networks web-based user interface.
b) Upload the report to a document repository using FTP.
c) Configure automatic email delivery for regularly scheduled reports.
d) Configure automatic printing to the office printer.
e) Upload the report to the domain’s document repository using a shared drive.

Identify the Capabilities That Detect Indicators of Compromise
The Botnet report enables you to use heuristic and behavior-based mechanisms to identify potential
malware-infected or botnet-infected hosts in your network. To evaluate botnet activity and infected
hosts, the firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with
the list of malware URLs in PAN-DB, known dynamic DNS domain providers, and domains registered
within the last 30 days. You can configure the report to identify hosts that visited those sites and hosts
that communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware
often uses dynamic DNS to avoid IP blacklisting, and IRC servers often use bots for automated functions.
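The correlations above are easier to reason about when run over a handful of records, which is what the following Python script does. It is an added example, not code from this guide or from PAN-OS: it applies the Botnet report heuristics (malware URLs, dynamic DNS providers, domains registered within the last 30 days, IRC sessions, unknown applications) to constructed log records, with constructed stand-ins for PAN-DB, the dynamic DNS provider list, and WHOIS registration dates. Treating the 30-day window as inclusive is the example's own choice; the guide does not state the boundary.

```python
"""Botnet-report style correlation over constructed log records.

Added example, not PAN-OS code. Reference lists, registration dates and log
records are all constructed for the example.
"""
from collections import defaultdict
from datetime import date, timedelta
from typing import Dict, List, Tuple

NEW_DOMAIN_WINDOW = timedelta(days=30)   # "domains registered within the last 30 days"

# Constructed stand-ins for PAN-DB malware URLs, the dynamic DNS provider list
# and WHOIS registration data.
MALWARE_URL_HOSTS = {"dl.bad.example"}
DYNAMIC_DNS_PROVIDERS = {"no-ip.example", "dyndns.example"}
REGISTRATION_DATES = {
    "fresh-c2.example": date(2019, 7, 1),
    "old-news.example": date(2012, 3, 14),
}
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp"}

# Constructed log records: (log type, source host, destination, application)
LOGS: List[Tuple[str, str, str, str]] = [
    ("url",     "10.0.1.10", "www.old-news.example", "web-browsing"),
    ("url",     "10.0.1.20", "cdn.fresh-c2.example", "web-browsing"),
    ("url",     "10.0.1.20", "beacon.no-ip.example", "web-browsing"),
    ("traffic", "10.0.1.30", "203.0.113.5",          "irc"),
    ("traffic", "10.0.1.40", "203.0.113.6",          "unknown-tcp"),
    ("url",     "10.0.1.50", "dl.bad.example",       "web-browsing"),
    ("traffic", "10.0.1.10", "203.0.113.7",          "ssl"),
]


def registered_domain(host: str) -> str:
    """Last two labels of a hostname. Enough for the constructed data; real
    code needs the public suffix list to handle names like example.co.uk."""
    return ".".join(host.lower().split(".")[-2:])


def is_recently_registered(host: str, today_iso: str) -> bool:
    """True when the domain was registered within NEW_DOMAIN_WINDOW of today (inclusive)."""
    registered = REGISTRATION_DATES.get(registered_domain(host))
    if registered is None:
        return False
    age = date.fromisoformat(today_iso) - registered
    return timedelta(0) <= age <= NEW_DOMAIN_WINDOW


def botnet_indicators(logs, today_iso: str) -> Dict[str, List[str]]:
    """Correlate records into per-host indicators the way the Botnet report does."""
    findings: Dict[str, List[str]] = defaultdict(list)
    for kind, src, dst, app in logs:
        if kind == "url":
            if dst in MALWARE_URL_HOSTS:
                findings[src].append(f"malware URL {dst}")
            if registered_domain(dst) in DYNAMIC_DNS_PROVIDERS:
                findings[src].append(f"dynamic DNS host {dst}")
            if is_recently_registered(dst, today_iso):
                findings[src].append(f"recently registered domain {dst}")
        elif kind == "traffic":
            if app == "irc":
                findings[src].append(f"IRC session to {dst}")
            elif app in UNKNOWN_APPS:
                findings[src].append(f"{app} session to {dst}")
    return dict(findings)


def ranked_hosts(findings: Dict[str, List[str]]) -> List[str]:
    """Hosts ordered by indicator count, most suspicious first."""
    return sorted(findings, key=lambda h: (-len(findings[h]), h))


if __name__ == "__main__":
    report = botnet_indicators(LOGS, "2019-07-15")
    for host in ranked_hosts(report):
        print(host, "->", "; ".join(report[host]))
```

The registration-date check is the part that answers sample question 13: a C2 domain registered every week is, by construction, always inside the 30-day window, so rotating fresh domains does not hide the host from this report.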

References
 PAN-OS 9.0 Administrator’s Guide:
• Generate Botnet Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-
manage-reports/generate-botnet-reports

Sample Question
For answers, see the “Answers to Sample Questions” section.

13) An author of malware buys five new domain names each week and uses those domains for C2.
How does that practice affect a botnet report for the network the malware is attacking?
a) It helps disguise the malware.
b) It fails to disguise the malware because access to new domains (registered in the last week)
is counted as suspicious.
c) It fails to disguise the malware because access to new domains (registered in the last 30 days)
is counted as suspicious.
d) It fails to disguise the malware because access to new domains (registered in the last 60 days)
is counted as suspicious.

Identify How to Position the Value of a Next-Generation Firewall over Legacy
Firewall and over Native Cloud Security Offerings
Legacy firewalls and Unified Threat Management (UTM) solutions cannot safely enable the next generation
of applications, users, and infrastructures because they classify traffic based only on ports and protocols.
For example, traditional products identify most of your web traffic simply as HTTP on port 80, with no
information about the specific applications behind that port and protocol. The problem is not limited to
port 80.

Applications increasingly use encrypted SSL tunnels on port 443, use evasive tactics to disguise
themselves, or hop ports to find any entry point through your firewall. Legacy firewalls and UTMs
cannot safely enable these applications. At best, they can attempt to prevent the application from
entering the network, which stifles your business and keeps you from benefiting from innovation.

Palo Alto Networks next-generation firewalls control applications and content by user, not just by IP
address, at up to 20 Gbps with no performance degradation. App-ID identifies applications regardless of
port, protocol, evasive tactic, or SSL encryption so that they can be safely enabled, and content
inspection stops targeted threats and prevents data leakage. You can safely enable the use of
applications while maintaining complete visibility and control.

The picture places some of the platform's visibility and control technology, based on applications,
content, and users, in context.

References
 WildFire 9.0 Administrator’s Guide:
• WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-
concepts
 PAN-OS 9.0 Administrator’s Guide:
• Segment Your Network Using Interfaces and Zones:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/segment-
your-network-using-interfaces-and-zones
 Palo Alto Networks Compatibility Matrix:
• What Features Does Prisma Access Support?
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/globalprotect/what-features-does-globalprotect-support
 Traps Management Service Administrator’s Guide:
• About Traps:
https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-
admin/traps-management-service-overview/traps-management-service

Sample Question
For answers, see the “Answers to Sample Questions” section.

14) Which Palo Alto Networks product directly protects corporate laptops when people use them
from home?
a) next-generation firewall
b) Traps
c) Panorama
d) WildFire

Positioning: Tools – SLR, UTD, BPA, PPA, Heatmaps, Expedition, and SaaS
Risk Assessment Report
Identify the Presale Benefits of Expedition
Expedition is the fourth evolution of the Palo Alto Networks migration tool. Its main purpose is to reduce
the time and effort involved in migrating a configuration from one of the supported security vendors to
Palo Alto Networks. The tool analyzes an existing environment to convert existing Security policies to
those used by Palo Alto Networks next-generation firewalls, and it assists with the transition from a
migration proof of concept to security in the new production environment.

Expedition can convert an existing configuration from Check Point, Cisco, or other vendors to PAN-OS®
software. Using Expedition is much quicker than manual conversion, and the saved time can be used to
improve the security of the new environment.

Functionality was added in the third evolution of the tool to allow Security policies based on App-ID and
User-ID. With Expedition, there also is a machine learning module to help generate new Security
policies. The new policies originating from this module are based on actual log traffic. The Best Practice
Assessment (BPA) Tool is used to check that the configuration complies with the Best Practices
recommended by our security experts.

Primary functions of Expedition are as follows:

• Third-party migration
• Adoption of App-ID
• Optimization
• Consolidation
• Centralized management with Panorama
• Auto-zoning
• Customized response pages

Palo Alto Networks provides a combination of tools, expertise, and best practices to help you analyze an
existing environment, migrate policies and firewall settings to the next-generation firewall, and assist in
all phases of the transition. This transition is depicted in the following figure:

References
• Migration Tool datasheet:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/migration-tool

Sample Question
For answers, see the “Answers to Sample Questions” section.

15) Which option is not a feature of Expedition?
a) policy migration
b) auto-zoning
c) adoption of App-ID
d) Best Practice Assessment Tool
e) Security Lifecycle Review

Compare and Contrast the Contents Shown by the SLR or BPA for Customers
with and Without Decryption
The Security Lifecycle Review (SLR) examines your network traffic and then generates a comprehensive
report unique to your organization. It reveals the applications and threats that expose vulnerabilities
in your security posture.

References
• Getting Started with Security Lifecycle Review:
  https://docs.paloaltonetworks.com/cloud-services/apps/security-lifecycle-review/security-lifecycle-review-getting-started/getting-started.html#
• Executive Security Lifecycle Review Quick Start Guide for Partners:
  https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/nextwave/85132/executive-slr-partners-quickstartguide.pdf
• SE Success Tools topics in the PSE Platform Associate course:
  Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning

Sample Question
For answers, see the “Answers to Sample Questions” section.

16) The CEO is concerned that employees are using too much of the organization’s bandwidth for
YouTube, thus causing a performance problem. Which section of the SLR confirms or allays this
concern?
a) High-Risk Applications
b) Bandwidth Consumed by Applications
c) Categories Consuming the Most Bandwidth
d) Categories with the Most Applications

Recognize How to Configure Next-Generation Firewalls for Evaluation Purposes
To configure an NGFW for evaluation purposes, you typically put an interface in TAP mode and connect
it to the SPAN port of a centrally located switch. You then collect at least a week’s worth of traffic
statistics and export them as a Stats Dump file.

References
• PAN-OS 9.0 Administrator’s Guide:
    • Tap Interfaces:
      https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/tap-interfaces
    • Stats Dump Time Frame:
      https://live.paloaltonetworks.com/t5/Management-Articles/Changing-the-Time-Frame-for-a-Report-Stats-Dump/ta-p/59208

Sample Question
For answers, see the “Answers to Sample Questions” section.

17) Which interface mode do you use to generate the Stats Dump file that can be converted into an
SLR? Assume that you want to make the evaluation as non-intrusive as possible.
a) tap
b) virtual wire
c) Layer 2
d) Layer 3

Apply the Characteristics and Best Practices of UTD Seminars to Customer Opportunities
The Palo Alto Networks Ultimate Test Drive (UTD) program is designed to provide you with a guided
hands-on experience of Palo Alto Networks products. You can offer multiple test drives to prospective
customers:

• Next-Generation Firewall
• Threat Prevention
• Virtualized Data Center
• Migration Process
• Advanced Endpoint Protection
• VM-Series for Amazon Web Services (AWS)

Reference
• Ultimate Test Drive Brochure:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/ultimate-test-drive-brochure

Sample Question
For answers, see the “Answers to Sample Questions” section.

18) Which two elements of the NGFW does the NGFW UTD show potential customers? (Choose
two.)
a) how to set up NGFW for the first time
b) how to modify the Security policy
c) how to view log entries and reports
d) how to migrate from a different firewall to NGFW
e) how to integrate with Advanced Endpoint Protection

Identify the Appropriate Use and Benefits of Running a SaaS Risk Assessment
The SaaS Risk Assessment Report is the Prisma SaaS analog to the firewall’s SLR. It is used to proactively
identify problems with how assets are stored and shared across all Prisma SaaS-secured SaaS
applications, and the report enables security professionals to act to reduce exposure. The full report can
be generated on-demand and used as a periodic check-in. It can highlight SaaS application usage for
executives and compare SaaS data and application security posture versus that of an industry. The
report:

• provides a summary of key findings
• summarizes information about policy violations
• captures how sensitive content is exposed
• lists the top domains with which your users are sharing files
• identifies users with the most incidents
• enumerates the most popular file types and incidents per file type across managed cloud
  applications

Here’s an excerpt from a report showing the summary of key findings.

Reference
• Generate the SaaS Risk Assessment Report:
  https://docs.paloaltonetworks.com/aperture/aperture-admin/generate-reports-on-aperture/generate-the-saas-risk-assessment-report.html
• Architecture Guide for SaaS:
  https://loop.paloaltonetworks.com/docs/DOC-35652 (available to partners on request)

Sample Question
For answers, see the “Answers to Sample Questions” section.

19) What can the SaaS Risk Assessment Report show?
a) sensitive content shared with untrusted users
b) weak decryption policies employed for credential storage
c) motion picture copyright violations
d) unusual patterns of allowed data access

Given a Scenario, Plan Use of Multiple Tools to Validate the Value of the
Security Operating Platform and Associated Services
Palo Alto Networks provides a variety of tools to help both selling teams and customers succeed with
their security prevention goals. Platform Professional Certification Exam candidates should
understand the value and use of these tools and how the tools fit into a sales cycle. There are four key
tools: the Prevention Posture Assessment (PPA), the Best Practice Assessment (BPA), the Security
Lifecycle Review (SLR), and the migration tool Expedition. The BPA and SLR each include a useful
Heatmap as part of their reports.

These tools are best applied in a cycle, which is depicted in the following figure:

The PPA is used to help obtain a current environment baseline for a customer or prospect, and to
determine how they want their environment to change from a security perspective. It’s a question and
answer session. About 80 questions are required to characterize the level of current and targeted
security across different architectural areas. These questions ask a customer about their current
capabilities, how much of their security platform’s feature set is turned on, and their security target as a
long-term strategy.

The PPA generates a 15- to 20-page report of a customer’s current security capabilities along with a
roadmap to help them reach their security target in 12 to 18 months.

The tool is appropriate both as an initial assessment and for stimulating a security discussion using the
customer’s information exposed by the answers to the questions.

Another assessment tool is the Best Practice Assessment.

This tool analyzes an existing customer’s environment. The BPA uses a file from their existing firewalls or
Panorama to assess and report on the customer’s security feature and capability adoption. Of the
feature sets available on the products they have, it shows which features are enabled and are being
used. A BPA report and Heatmap are generated. The following image shows a section of a BPA Heatmap
that shows App-ID, User-ID, and service and port adoption.

The Heatmap shows the current state with respect to feature use, and also trends related to feature
use. The report shows a best-practice pass or fail for every configuration option in a customer’s firewall.
The BPA tool is built from the rulebases documented in a Best Practice Guide that is about 350 pages
long.

For the configuration options that fail, the specific changes required to bring best practice compliance
are documented. The following report excerpt shows that logging should be enabled for intrazone allow
rules:

The tool can be used at the end of a deployment to document what has been done to meet a scope of
work and also what still needs to be done either by the customer or with a follow-up services
engagement. Good practice is to use the tool periodically, such as every six or twelve months after
installation, to learn about any changes and to explore additional work opportunities.
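To make concrete what one BPA-style pass/fail check looks like, here is an added example that is not part of the study guide and not the BPA tool's own code. It runs the check cited in the excerpt above (allow rules, including intrazone-default, must log at session end) over a constructed rulebase. The sample XML and its element names (`security`, `rules`, `entry`, `action`, `log-end`, `default-security-rules`) are assumptions loosely modelled on a PAN-OS configuration export, not a verified schema; a real BPA consumes the firewall or Panorama tech-support file.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulebase. Element names are an assumption that only
# approximates a PAN-OS export; the point is the check, not the schema.
SAMPLE_RULEBASE = """<rulebase>
  <security>
    <rules>
      <entry name="allow-web">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <action>allow</action>
        <log-start>no</log-start>
        <log-end>yes</log-end>
      </entry>
      <entry name="allow-dns-quiet">
        <from><member>trust</member></from>
        <to><member>untrust</member></to>
        <action>allow</action>
        <log-end>no</log-end>
      </entry>
      <entry name="deny-all">
        <from><member>any</member></from>
        <to><member>any</member></to>
        <action>deny</action>
        <log-end>yes</log-end>
      </entry>
    </rules>
  </security>
  <default-security-rules>
    <rules>
      <entry name="intrazone-default">
        <action>allow</action>
        <log-end>no</log-end>
      </entry>
      <entry name="interzone-default">
        <action>deny</action>
        <log-end>no</log-end>
      </entry>
    </rules>
  </default-security-rules>
</rulebase>"""


def _text(entry, tag, default="no"):
    """Read a child element's text, treating a missing element as `default`
    (an absent <log-end> means logging is off, so the default is 'no')."""
    node = entry.find(tag)
    if node is None or node.text is None:
        return default
    return node.text.strip()


def check_allow_rule_logging(rulebase_xml):
    """Apply one best-practice test to every rule in the rulebase.

    Returns a list of (rule_name, verdict, detail) in document order, where
    verdict is 'pass' or 'fail'. Only allow rules are in scope: an allow rule
    that does not log at session end leaves permitted traffic invisible to
    the SLR, reporting and incident response, so it fails the check.
    """
    root = ET.fromstring(rulebase_xml)
    results = []
    for entry in root.iter("entry"):
        name = entry.get("name")
        action = _text(entry, "action", "")
        if action != "allow":
            results.append((name, "pass", "deny/drop rule; log-at-session-end check not in scope"))
        elif _text(entry, "log-end") == "yes":
            results.append((name, "pass", "allow rule logs at session end"))
        else:
            results.append((name, "fail", "allow rule does not log at session end; set log-end to yes"))
    return results


def failing_rules(rulebase_xml):
    """Names of the rules that need remediation, in document order."""
    return [name for name, verdict, _ in check_allow_rule_logging(rulebase_xml) if verdict == "fail"]


if __name__ == "__main__":
    for name, verdict, detail in check_allow_rule_logging(SAMPLE_RULEBASE):
        print(f"{verdict.upper():4}  {name:20}  {detail}")
```

On the constructed rulebase the check fails `allow-dns-quiet` and `intrazone-default`, which is exactly the finding the report excerpt describes for the intrazone rule; the other three rules pass. The same shape (parse the export, evaluate one rule per configuration option, emit pass/fail with the remediation text) is what each line of a BPA report represents.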

Expedition is the Palo Alto Networks tool that assists in migration from competitive firewalls. It allows
partners and customers to execute a transition easily from legacy products such as the Cisco ASA and
products from Check Point or Fortinet. Sales teams can start with a customer’s existing configuration and
run it through Expedition. The tool helps the process of creating a new rulebase for the next-generation
firewall. It guides conversion from port and protocol rules to application rules, and it ensures that
security profiles for anti-virus, vulnerability scanning, and command and control are included within the
configuration.

For ongoing measurement and assessment for Palo Alto Networks customers, we use the Security
Lifecycle Review. The tool uses a Stats Dump file collected from a customer’s firewall to examine all the
applications that are running in the customer’s environment, all the SaaS applications that the customer
is using, all the known viruses they have running, and all the known vulnerabilities that they have.

The SLR includes a 15- to 20-page report that provides significant visibility into the activity of a
customer’s environment. The report can be used, along with Heatmaps and BPAs, for ongoing
assessments. The following figure from an SLR report shows the bandwidth-hogging applications found
in the customer’s environment, along with the applications’ risk ratings and other associated
information:

The combined use of all these tools provides a rich set of technology to engage customers in helpful
conversations.

References
• The Prevention Posture Assessment:
  https://researchcenter.paloaltonetworks.com/2016/11/setting-expectations-prevention-readiness-prevention-posture-assessment/
• SE Success Tools topics in the PSE Platform Associate course:
  Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
• Palo Alto Networks Prevention Architecture:
  https://www.paloaltonetworks.com/customers/prevention-architecture.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

20) Which two steps are essential parts of the PPA process? (Choose two.)
a) a structured interview with the customer about their security prevention capabilities
b) upload of a file generated by the customer’s firewall capturing the threats they are facing
c) a report to the customer about how to improve their security posture
d) a discussion about expectations of threat prevention in a proof-of-concept

Given a Scenario, Identify Which Customer Success Tool(s) to Present to a Customer
The use of Palo Alto Networks security prevention success tools available to SEs can naturally start with
assessment of the customer’s current state and desired future state.

The Prevention Posture Assessment is a tool that provides a starting point for exploring a customer’s
current and future security posture. It consists of about 80 questions that cover the different areas of
security architecture and are needed to determine the level of security that customers require. The
assessment process steps through questions about current capabilities, how much of the security
solution’s feature set is turned on, and the customer’s long-term security strategy, among others. It
typically results in a 15- to 20-page report that describes the customer’s current security prevention
status, and it typically defines a roadmap for the next 12 to 18 months to help them reach their desired
security posture. It’s best suited as a tool to get an initial assessment or to initiate a security discussion
with a customer using their own information by walking through the questions.

The Best Practices Assessment, with Heatmaps, is a tool used to analyze an existing customer’s
environment. It requires a file from the customer’s firewall or from Panorama. The Heatmap shows the
customer’s feature capability adoption. It ranks adoption by green, yellow, or red, depending on how
well the features are enabled or actually used. This is another perspective about the customer’s current
security prevention and also can be used to stimulate a discussion about their security goals. The Best
Practice Assessment, which uses the same file as the Heatmap, automatically compares the customer’s
current configuration with best practices for that configuration. It gives a pass/fail on each configuration
option, and describes modifications needed to bring failed options into compliance with best practices.
The BPA and Heatmaps have several uses. One is to show, at the end of a deployment, what’s been
done during the deployment and what still needs to be done to meet the deployment’s statement of
work. Another use is to learn with a regular cadence about changes related to the desired security
posture or whether more work needs to be done.

Expedition allows partners and customers to transition from a legacy product to the Palo Alto Networks
Security Operating Platform. This tool uses existing configurations of other firewalls, such as those from
Cisco, Fortinet, or Check Point, to create a rulebase for the next-generation firewall. It also provides
suggestions for converting port and protocol rules to application rules, and for ensuring that security
profiles for antivirus, vulnerability, and C2 are included in the configuration.

The Security Lifecycle Review is used for ongoing measurement and assessment. It looks at a Stats Dump
file to determine all applications running in the customer’s network, SaaS applications whose data
passes through the firewall, and known viruses or used vulnerabilities in their current environment. A
report that typically is 15 to 20 pages long provides good visibility into the customer’s environment.

The following figure shows when the tools are most effectively used:

References
• Assessment and Review Tools:
  https://docs.paloaltonetworks.com/best-practices/9-0/data-center-best-practices.html
• SE Success Tools topics in the PSE Platform Associate course:
  Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning

Sample Question
For answers, see the “Answers to Sample Questions” section.

21) Which two success tools are most appropriate for a prospective customer that is using a
competitor’s offerings but has no security prevention strategy? (Choose two.)
a) Expedition
b) Prevention Posture Assessment
c) Security Lifecycle Review
d) Best Practice Assessment with Heatmaps
e) Data Center Segmentation Strategy Analyzer

Solution Design: Platform

Given a Customer Environment, Identify the NGFW Model That Should Be Used to Secure the Network
If you select a model that is too weak, performance will suffer, and the customer will return the firewall.
A model that is too strong will be too expensive. You must select the correct model for the
circumstances.

Reference
• Compare Firewalls:
  https://www.paloaltonetworks.com/products/product-selection

Sample Question
For answers, see the “Answers to Sample Questions” section.

22) A potential customer has many satellite offices, each of which is connected to the internet
using a 250Mbps link. The customer requirements include threat prevention for all the traffic.
Which model does Palo Alto Networks recommend be deployed in those offices to fulfill these
requirements, assuming a reduction in network capacity is unacceptable and cost is a
concern?
a) PA-100
b) PA-500
c) PA-2020
d) PA-3020

Given a Customer Environment, Identify How Prisma SaaS Should Be Used to Secure the Enterprise
The use of software-as-a-service (SaaS) applications is creating new risks and gaps in security visibility
that allow malware propagation, data leakage, and regulatory non-compliance. Prisma SaaS delivers
complete visibility and granular enforcement. Prisma SaaS looks across all user, folder, and file activity
within sanctioned SaaS applications, thus providing detailed analysis and analytics about use without
requiring any additional hardware, software, or network changes. Prisma Public Cloud provides
continuous monitoring and reporting of public clouds using the API control plane, including continuous,
automated compliance audits.

The following figure depicts how SaaS applications and Prisma SaaS fit into the Security Operating
Platform:

References
• Prisma SaaS at a Glance:
  https://www.paloaltonetworks.com/resources/datasheets/aperture-at-glance

Sample Question
For answers, see the “Answers to Sample Questions” section.

23) Which step is required to ensure that web storage is not used to exfiltrate sensitive data from
an enterprise that must use web storage to collaborate with business partners?
a) disconnect from the internet
b) configure a local shared drive and use that instead of web storage
c) install Advanced Endpoint Protection
d) use the firewall to forbid uploads to other web storage instances

Given a Customer Environment, Identify How AutoFocus Should Be Used to Secure the Enterprise
AutoFocus, a Palo Alto Networks threat intelligence service, accelerates analysis and response efforts
for the most damaging, unique, and targeted attacks. The hosted security service is natively integrated
with the Palo Alto Networks Security Operating Platform, which extends your threat analysis and
hunting capabilities without additional IT security resources. AutoFocus provides the visibility and threat
context required to respond more quickly to critical attacks.

References
• AutoFocus at a Glance:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/autofocus-at-a-glance

Sample Question
For answers, see the “Answers to Sample Questions” section.

24) AutoFocus cannot perform which action?
a) distinguish between attacks that attempt to exfiltrate data (violate confidentiality) and
attacks that attempt to modify it (violate integrity)
b) display the processes started by specific malware
c) display the network connections used by specific malware
d) distinguish between commodity attacks and advanced persistent threats (APTs) directed
against the customer’s organization or industry

Given a Customer Environment, Identify How Traps Should Be Used to Secure the Endpoint
The Traps solution is made up of a central Traps Management System (TMS) and the Traps agent
protection software installed on each endpoint. This distributed solution is a more effective and efficient
approach to preventing attacks than running a complete solution on each endpoint. Traps does not try
to stay current with the ever-growing list of known threats, but instead sets up a series of roadblocks
that prevent the attacks at their initial entry points. That initial entry point is where legitimate
executable files are about to allow malicious access to the system.

Traps targets software vulnerabilities in processes that open non-executable files using exploit
prevention techniques. Traps also uses malware prevention techniques to prevent malicious executable
files from running. The Traps solution uses this twofold approach to prevent all types of attacks,
whether they are known threats or unknown threats.

The following picture shows Traps injecting itself into a process to prevent an attack.

References
• Traps Management Service Administrator’s Guide:
    • About Traps:
      https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-admin/traps-management-service-overview/traps-management-service

Sample Question
For answers, see the “Answers to Sample Questions” section.

25) Should a Traps agent be installed on desktop PCs that stay behind the corporate firewall?
a) No, because they are protected by the firewall.
b) Yes, because sometimes people take desktops from behind the corporate firewall home to
work, and the corporation might properly deploy Prisma Access to extend the firewall’s protection
to mobile users.
c) Yes, because a network connection from a desktop PC behind the corporate firewall could
bypass the corporate firewall.
d) Yes, because malware and exploit files might be able to traverse the network before they are
identified by WildFire, and file propagation methods such as the use of USB drives bypass the
firewall.

Given a Customer Environment, Identify How WildFire Should Be Used to Secure the Enterprise
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct
observation in a virtual environment within the WildFire system. The WildFire feature also makes
extensive use of the Palo Alto Networks App-ID technology by identifying file transfers within all
applications, not just in email attachments or browser-based file downloads.

References
• WildFire 9.0 Administrator’s Guide:
    • WildFire Deployments:
      https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-deployments

Sample Question
For answers, see the “Answers to Sample Questions” section.

26) The firewall of a defense contractor is not connected to the internet. However, it is connected
to the classified SIPRNet. The contractor is concerned about getting malware files through
that network. Can this defense contractor use the WildFire service for protection?
a) No, because there is no network path to the WildFire cloud.
b) No, because all SIPRNet files are encrypted.
c) Yes, but only for PE-type file analysis.
d) Yes, they can use a WF-500 appliance.

Given a Customer Environment, Identify How Cortex XDR (Magnifier) Would Be Recommended to Secure the Enterprise
Cortex XDR (previously Magnifier) is a cloud-based network security service that natively integrates
network, endpoint, and cloud data to detect and report on post-intrusion threats. Cortex XDR uses
behavioral analytics to reveal root causes, which speeds up investigations. The following
figure shows an example of the Cortex XDR web interface representing root cause analysis:

Cortex XDR identifies or learns normal behavior on your network so that it can recognize abnormal
behavior. It includes a streamlined user interface for efficient investigation of this abnormal behavior.

Cortex XDR leverages the visibility provided by the Palo Alto Networks security platform to observe
activity. It accesses logs through the Palo Alto Networks Cortex Data Lake, and it maintains profiles of
users and devices. Magnifier (now Cortex XDR) was the first application in Cortex.

Cortex XDR uses other Palo Alto Networks software to help its analytics and reporting functions. For
example, Cortex XDR uses the WildFire cloud service to analyze suspicious files that Pathfinder might
identify on your endpoints. Information from Traps, Pathfinder, and Directory Sync helps behavior
analysis and provides context for alert analysis and representation in the Cortex XDR web interface.

References
• Cortex XDR (Magnifier) topics in the PSE Platform Associate course:
  Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
• Cortex XDR Behavioral Analytics Data Sheet:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/magnifier
• Cortex XDR Configuration and Activation:
  https://www.paloaltonetworks.com/documentation/cloud-services/magnifier/magnifier-getting-started/magnifier-installation

Sample Question
For answers, see the “Answers to Sample Questions” section.

27) How does Cortex XDR help prevent lateral threat movement?
a) Cortex XDR agents test all traffic for known viruses and malware at every interface of every
device within the network.
b) Cortex XDR dynamically creates and manages VM-Series firewalls as traffic increases inside a
network.
c) Cortex XDR applies machine learning techniques to recognize deviations from normal use inside
the network.
d) Cortex XDR applies machine learning and other artificial intelligence to compare network activity
to that of thousands of other customers.

Assemble the Bill of Materials Given a Palo Alto Networks Firewall Solution
Scenario Including Products, Subscription Licenses, and Support
A sales team helps customers during the firewall sales cycle to determine what to order. The team’s
requirement considerations include the following:

• Position in the customer environment
• Required firewall throughput, capacity, and capabilities
• High availability

Pricing is obtained from the Palo Alto Networks confidential price lists for North America and for
International.

SKUs are specified on orders for the firewall devices and may need to be specified for transceivers, rack
mount kits for the PA-220, airflow kits for the PA-5200 series, and onsite spares.

SKUs also are specified for Threat Prevention, WildFire, PAN-DB URL, and the DNS Security service
subscriptions. Data Filtering, File Blocking, DoS Protection, Zone Protection, and forwarding of PE files to
the WildFire cloud do not require separate subscriptions. Subscriptions must be purchased for both
devices in an HA pair, but their SKUs are not identical and they are discounted for the second device in
the pair. Use an -HA2 suffix on the SKUs for the second device to ensure this discount.

Best practice for a firewall bill of materials is to order pairs to support HA; to include the WildFire,
Threat, PAN-DB, and DNS Security service subscription; and to include a Support license.

The following table shows the Support levels:

References
• Support Services Overview:
  https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/services/support-services-overview.pdf
• Subscriptions You Can Use with the Firewall:
  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/subscriptions/all-subscriptions.html
• Firewall Product Selection:
  https://www.paloaltonetworks.com/products/product-selection

Sample Question
For answers, see the “Answers to Sample Questions” section.

28) A price-sensitive customer requires 300,000 connections per second. Which firewall model should
they purchase?
a) PA-220
b) PA-3250
c) PA-5280
d) PA-7080

Given a Customer Environment, Identify How NGFW, WildFire, Traps, Prisma
SaaS, and Cortex XDR Should Be Used to Secure the Enterprise
All the components in the platform, including the next-generation firewall, WildFire, Traps, Prisma SaaS,
and Prisma Public Cloud, work together to provide optimal security. The following Security Operating
Platform depiction shows one perspective of how these products and components fit together. Cortex
XDR is one of the Palo Alto Networks apps.

References
• Firewall Overview:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/firewall-feature-overview-datasheet
• Traps Management Service Administrator’s Guide:
  https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-admin/traps-management-service-overview/traps-management-service
• WildFire Concepts:
  https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts
• What is a Security Operating Platform?
  https://www.paloaltonetworks.com/cyberpedia/what-is-security-operating-platform
• Prisma SaaS at a Glance:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/aperture-at-glance
• Cortex XDR Behavioral Analytics Datasheet:
  https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/magnifier
• Prisma Public Cloud:
  https://www.paloaltonetworks.com/products/secure-the-cloud/evident

Sample Question
For answers, see the “Answers to Sample Questions” section.

29) Which products describe the components of the Palo Alto Networks Security Operating
Platform that contribute to endpoint security?
a) Traps and the next-generation firewall
b) WildFire and Traps
c) Traps, WildFire, and the next-generation firewall
d) next-generation firewall, Prisma Access, Traps, and WildFire

Given a Scenario, Identify the Components Needed for Visibility and Enforcement with the Public Cloud
Public cloud environments require visibility and enforcement for traffic, for infrastructure and cloud
platform, and for hosts.

Firewalls provide inline security and protect and segment traffic that’s coming into applications, traffic
between applications, and traffic that’s leaving applications. This visibility and enforcement are
extended to remote and mobile public cloud users with Prisma Access. Both infrastructure as a service
(IaaS) and platform as a service (PaaS) offerings generally expose a very rich set of APIs for cloud
platforms. These APIs provide good information about how these services are being consumed,
configured, and deployed. Security software on hosts secures applications and OSs from within
workloads or within the host itself. This software can help detect and prevent even zero-day attacks.

Inline security, API-based security, and endpoint security combine to deliver Palo Alto Networks
protection in a public cloud environment. VM-Series firewalls provide inline security. These firewalls
have full next-generation firewall capabilities and are designed and architected for the cloud. Prisma
gathers critical information via APIs for IaaS, PaaS, and software as a service (SaaS), and provides
continuous security and compliance. Traps is delivered as a lightweight agent and provides OS and
host protection.

Together, these three layers (inline, API-based, and host-based) are how Palo Alto Networks provides
security in the cloud. The following figure shows the placement and roles of the Palo Alto Networks
products that provide visibility and enforcement for public cloud environments.

References
 Securing Your Public Cloud:
https://www.paloaltonetworks.com/solutions/initiatives/public-cloud
 At a Glance Public Cloud:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/at-a-glance-
public-cloud.pdf
 Prisma Public Cloud Monitoring and Compliance:
https://www.paloaltonetworks.com/products/secure-the-cloud/redlock
 Public Cloud topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
 PSE Public Cloud Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Public Cloud Associate On-Demand
Learning

Sample Question
For answers, see the “Answers to Sample Questions” section.

30) Which component of Palo Alto Networks public cloud security solution protects against C2
communications in an AWS environment?
a) Prisma Public Cloud
b) Traps
c) Prisma SaaS
d) VM-Series

Given a Scenario, Identify the Components Needed for Visibility and Enforcement with SaaS
Cloud Access Security Brokers (CASBs) became necessary when employees began accessing SaaS
applications from outside secured environments. IT departments lost control over SaaS access and
responded by placing proxies and reverse proxies between users and SaaS applications. These solutions
have various problems, including the lack of a consistent Security policy spanning SaaS, enterprise, and
cloud environments. Palo Alto Networks provides security for SaaS applications with a combination of
inline and API-based offerings.

Prisma Access service extends the firewall’s inline visibility and enforcement along with segmentation,
secure access and threat prevention to BYOD SaaS users. It enables a customer to maintain its consistent
security posture. This approach combines the user, content and application inspection features of the
security service to provide industry-leading CASB functionality.

Prisma SaaS leverages application API access to deliver visibility and granular enforcement across all
user, folder, and file activity within sanctioned SaaS applications. It also provides detailed analysis and
analytics on usage without requiring any additional hardware, software, or network changes.

The following figure shows how Prisma SaaS and Prisma Access work with unsanctioned, tolerated, and
sanctioned applications as a cloud-delivered SaaS security solution.

References
 SaaS topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
 What is SaaS?
https://www.paloaltonetworks.com/cyberpedia/what-is-saas
 Generate the SaaS Application Usage Report:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/monitoring/generate-the-saas-
application-usage-report

Sample Question
For answers, see the “Answers to Sample Questions” section.

31) How does the next-generation firewall fit into the Palo Alto Networks SaaS security solution?
a) It is replaced by Prisma Access.
b) It provides inline security.
c) Its functionality is superseded by the CASB proxy and reverse proxy.
d) It provides the same security for in-house applications that Prisma SaaS provides for SaaS
applications.

Given a Scenario, Identify Cortex Data Lake (Logging Service) Usage with
Traps, Prisma Access, and Next-Generation Firewalls
Visibility is critical for the Palo Alto Networks Security Operating Platform, and the sensors in the
platform (firewalls, Prisma Access, Traps, and the cloud-delivered services) collect data with rich
traffic context: application, user, content, and threat. That data is collected and analyzed, and the
analysis enables enforcement that is often automated. The data is stored in various data stores and
integrated into the Cortex Data Lake. For example, Traps logs are sent to the Cortex Data Lake, as are
firewall logs and logs from Prisma SaaS.

The following figure depicts integration of the platform with Cortex Data Lake:

References
 Configure Firewalls to Forward Logs to the Cortex Data Lake:
https://docs.paloaltonetworks.com/content/techdocs/en_US/cloud-services/services/logging-
service/logging-service-getting-started/get-started-with-logging-service/configure-the-firewalls-
to-forward-logs-to-the-logging-service.html
 Manage Logging Storage for Traps:
https://docs.paloaltonetworks.com/content/techdocs/en_US/traps/tms/traps-management-
service-admin/get-started-with-tms/manage-logging-storage-traps.html
 Get Started with the Cortex Data Lake:
https://docs.paloaltonetworks.com/content/techdocs/en_US/cloud-services/services/logging-
service/logging-service-getting-started/get-started-with-logging-service.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

32) How does the Cortex Data Lake fit with platform visibility and enforcement?
a) All applications and components of the platform, and third-party services and applications can
both feed and extract data and its context from the Cortex Data Lake.
b) Firewalls, Prisma Access, Traps, and WildFire feed the Cortex Data Lake, and Cortex XDR and
third-party applications apply AI and other technologies for analysis and enforcement.
c) AutoFocus, and Cortex XDR feed data and context to the Cortex Data Lake, and physical and
virtual firewalls along with Prisma SaaS provide consistent Security policy enforcement for the
platform.
d) The Cortex Data Lake essentially is a rebranding of Logging mode for Panorama, providing an
auto-scaled cloud-delivered service with exactly the same logging functionality as Panorama.

Given a Scenario, Identify Which Components of the Platform Require Cortex Data Lake (Logging Service)
The data required for full functionality of all platform components is stored in various data stores
and mostly integrated into the Cortex Data Lake. For example, Cortex XDR relies on firewall logs and
Prisma Access logs held in the Cortex Data Lake. Cortex XDR also uses Directory Sync data, which
currently is sent to the Cortex Hub rather than to the Cortex Data Lake, and Pathfinder data, which
currently is sent directly to the Cortex XDR application. Other Palo Alto Networks applications and
third-party applications also access the Cortex Data Lake. The following table shows the Cortex Data
Lake access permissions that an application can leverage.

References
 Cortex Hub Getting Started Guide:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-
hub/cortex-hub-getting-started/cortex-hub-getting-started.pdf
 Cortex Hub Landing Page:
https://apps.paloaltonetworks.com/apps

Sample Question
For answers, see the “Answers to Sample Questions” section.

33) What is a platform component use of Cortex Data Lake?
a) Traps receives data from the Cortex Data Lake to do its zero-day attack analysis.
b) Cortex XDR provides data to the Cortex Data Lake after applying AI and machine learning to
firewall and other sensor traffic.
c) Prisma Access extracts data from the Cortex Data Lake to help inform CASB proxy functionality
for tolerated SaaS applications.
d) Third-party applications make use of data in the Cortex Data Lake.

Given a Scenario, Identify Which Components of the Platform Require Panorama
Panorama provides centralized firewall management and visibility. Panorama network security
management provides consistent rules for a dynamic network and threat landscape. It lets you manage
network security with a single security rulebase for threat prevention, URL filtering, application
awareness, user identification, sandboxing, file blocking, and data filtering. It also provides dynamic
security updates and rule usage analysis. Panorama provides automated threat correlation that
identifies compromised hosts, and a customizable Application Command Center (ACC) for comprehensive
insight into current and historical data about networks and threats.

Panorama also can be used for AutoFocus Threat Intelligence Summaries for a specified security artifact.
These summaries provide the latest WildFire submissions and verdicts; passive DNS history for URLs,
domains, and IP addresses; and threats that Unit 42 has identified as posing a direct security risk.

The following figure shows the Application Command Center representation of analyzed data from
multiple firewalls:

References
 Enable AutoFocus Threat Intelligence:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/learn-more-
about-and-assess-threats/assess-firewall-artifacts-with-autofocus/enable-autofocus-threat-
intelligence
 Panorama Data Sheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/panorama-centralized-management-datasheet
 Panorama Licensing:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-
panorama/register-panorama-and-install-licenses.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

34) How do licenses work with Panorama?
a) All the firewalls managed by a Panorama instance must be individually licensed, and these
licenses can be managed by Panorama, but Panorama itself does not require a license.
b) Panorama needs its own management and support licenses registered, activated, and retrieved.
c) Panorama has its own Logging mode, and a Logging Service (Cortex Data Lake) license is
included in that functionality.
d) All the licenses associated with firewalls managed by a Panorama instance are included in the
Panorama license for that instance.

Identify Which Platform Components Are Used Consistently Across a Given Set
of Computing Environment Locations
It is hard enough to provide and manage consistent security with best-of-breed point products in a
single environment; across multiple locations and form factors, with inconsistent handling of false
positives, the task can become all-consuming or impossible.

The Palo Alto Networks Security Operating Platform provides Security policy consistency, and its
components span multiple locations and form factors. PAN-OS software runs on physical and virtualized
firewalls in private and public clouds, and Prisma Access extends the same Security policy to remote
and mobile users. Panorama makes it easy to manage that Security policy. The Cortex Data Lake receives
data from Panorama, WildFire, firewalls, Traps, and Pathfinder. And the WildFire malware analysis
service consistently provides its artifact information to Traps, Panorama, firewalls, and AutoFocus.

The following figure shows how the architecture of the platform accommodates consistent Security
policy across multiple locations and form factors:

References
 Palo Alto Networks Security Operating Platform:
https://www.paloaltonetworks.com/products/security-operating-platform
 Security Operating Platform Datasheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/whitepapers/security-operating-platform-overview-r3

Sample Question
For answers, see the “Answers to Sample Questions” section.

35) Which platform component provides multi-cloud API-based consistent security?
a) WildFire
b) Panorama
c) Cortex XDR
d) Prisma Public Cloud

Solution Design: Panorama

Identify How to Use Device Groups and Templates to Manage a Deployment
Before you can use Panorama effectively, you must group the firewalls in your network into logical units
called device groups. A device group enables grouping based on network segmentation, geographic
location, organizational function, or any other common aspect of firewalls that requires similar policy
configurations. You can use device groups to configure policy rules and the objects they reference. You
can organize device groups hierarchically, with shared rules and objects at the top and device
group-specific rules and objects at subsequent levels, which enables you to create a hierarchy of rules
that enforce how firewalls handle traffic.

You use templates to configure the settings that enable firewalls to operate on the network. Templates
enable you to define a common base configuration using the Network and Device tabs on Panorama.
For example, you can use templates to manage interface and zone configurations, server profiles for
logging and syslog access, and network profiles for controlling access to zones and IKE gateways. When
you define a template, consider assigning firewalls that are the same hardware model and require
access to similar network resources, such as gateways and syslog servers.
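To make the rule hierarchy concrete, here is an added Python model of how Panorama assembles a firewall's effective Security rulebase. It is not Panorama code and not taken from the Panorama Administrator's Guide; it encodes the documented evaluation order (Shared pre-rules, then device group pre-rules from the top of the hierarchy down, then the firewall's locally defined rules, then device group post-rules from the bottom up, then Shared post-rules, then the intrazone-default and interzone-default rules). The device group names and rule names are constructed for illustration.

```python
"""Effective Security rulebase order for a Panorama-managed firewall.

Added example (not Palo Alto Networks code). Models the documented order:
Shared pre-rules, device group pre-rules (parent to child), the firewall's
local rules, device group post-rules (child to parent), Shared post-rules,
then the default rules. Group and rule names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

SHARED = "Shared"  # top of the hierarchy; every device group descends from it


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str]                       # None only for Shared
    pre_rules: List[str] = field(default_factory=list)
    post_rules: List[str] = field(default_factory=list)


def ancestry(groups: Dict[str, DeviceGroup], leaf: str) -> List[str]:
    """Return the chain from Shared down to `leaf`, rejecting bad references."""
    chain: List[str] = []
    cur: Optional[str] = leaf
    while cur is not None:
        if cur not in groups:
            raise KeyError(f"unknown device group: {cur}")
        if cur in chain:
            raise ValueError(f"cycle in device group hierarchy at {cur}")
        chain.append(cur)
        cur = groups[cur].parent
    if chain[-1] != SHARED:
        raise ValueError(f"{leaf} is not rooted at {SHARED}")
    return list(reversed(chain))


def effective_rulebase(groups: Dict[str, DeviceGroup], leaf: str,
                       local_rules: List[str]) -> List[str]:
    """Order in which a firewall in device group `leaf` evaluates rules."""
    order = ancestry(groups, leaf)
    rulebase: List[str] = []
    for name in order:                          # Shared first, leaf last
        rulebase.extend(groups[name].pre_rules)
    rulebase.extend(local_rules)                # rules committed on the firewall itself
    for name in reversed(order):                # leaf first, Shared last
        rulebase.extend(groups[name].post_rules)
    rulebase.extend(["intrazone-default", "interzone-default"])
    return rulebase


def first_match(rulebase: List[str], candidates: Set[str]) -> Optional[str]:
    """First-match semantics: the earliest matching rule wins, so a Shared
    pre-rule cannot be overridden by anything lower in the hierarchy."""
    for rule in rulebase:
        if rule in candidates:
            return rule
    return None


# Constructed hierarchy: Shared -> EMEA -> EMEA-Branch
GROUPS: Dict[str, DeviceGroup] = {
    SHARED: DeviceGroup(SHARED, None,
                        pre_rules=["block-known-bad"],
                        post_rules=["log-everything-else"]),
    "EMEA": DeviceGroup("EMEA", SHARED,
                        pre_rules=["allow-dns-to-resolvers"],
                        post_rules=["deny-all-emea"]),
    "EMEA-Branch": DeviceGroup("EMEA-Branch", "EMEA",
                               pre_rules=["allow-branch-vpn"]),
}

if __name__ == "__main__":
    for rule in effective_rulebase(GROUPS, "EMEA-Branch", ["local-allow-printers"]):
        print(rule)
```

The practical consequence is that a firewall administrator can add local exceptions but can never pre-empt a Shared pre-rule, so a control that must hold everywhere belongs in the Shared pre-rulebase. Note also that a rule pushed from Panorama references zone names, and the template assigned to each firewall defines what those zones mean, so the same rule can match different traffic on different firewalls.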

References
 Panorama 9.0 Administrator’s Guide:
• Templates and Template Stacks:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/panorama-web-
interface/panorama-templates/template-stacks.html
• Device Groups:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/panorama-web-
interface/panorama-device-groups.html
• Device Group Policies:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-
overview/centralized-firewall-configuration-and-update-management/device-
groups/device-group-policies.html
• Device Group Objects:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-
overview/centralized-firewall-configuration-and-update-management/device-
groups/device-group-objects.html

Sample Questions
For answers, see the “Answers to Sample Questions” section.

36) In Panorama, which policy gets evaluated first?
a) device group pre-rules
b) device group post-rules
c) shared pre-rules
d) shared post-rules
e) local firewall rules

37) Can the same rule allow traffic from different sources on different firewalls?
a) No, rules mean the same on all firewalls that receive the same policy.
b) No, because device groups are pushed from Panorama to all firewalls.
c) Yes, because different firewalls can have different zone definitions.
d) Yes, because there could be clauses in a rule with effects limited to a specific device group.

Identify the Benefits of Panorama for Deploying Palo Alto Networks Products
Panorama network security management enables you to control your distributed network of Palo Alto
Networks firewalls from one central location. You can use a single console to view all your firewall
traffic, manage all aspects of device configuration, monitor devices, push global policies, and generate
reports on traffic patterns or security incidents.

References
 Panorama at a Glance:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/PAN_AAG_pano
rama_052615.pdf
 Device Monitoring on Panorama:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/device-
monitoring-on-panorama

Sample Question
For answers, see the “Answers to Sample Questions” section.

38) Which is not an advantage of using Panorama?
a) centralized management
b) higher throughput on the firewalls
c) centralized view of collected logs
d) automatic event correlation

Given a Customer Scenario, Identify How to Design a Log-Redundant Panorama Deployment
A redundant Panorama deployment, whether on the Panorama virtual appliance or on M-Series
appliances, combines an HA pair of Panorama management servers with a Collector Group of at least two
Log Collectors on which log redundancy is enabled, so that every log is written to two collectors and
remains available if one collector fails (at the cost of doubling the log storage requirement).
Deploying Panorama this way retains the following benefits when a component is lost:

 Centralized management: Centralized policy and device management that allows for rapid
deployment and management of up to 1,000 firewalls
 Visibility: Centralized logging and reporting to analyze and report about user-generated traffic
and potential threats
 Role-based access control: Appropriate levels of administrative control at the firewall level or
global level for administration and management

References
 Deploy Panorama with Dedicated Log Collectors:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-log-
collection/log-collection-deployments/deploy-panorama-with-dedicated-log-collectors
 Panorama High Availability:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-
availability
 Panorama HA Prerequisites:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-
availability/panorama-ha-prerequisites
 Logging Considerations in Panorama HA:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-
availability/logging-considerations-in-panorama-ha
 Panorama Sizing and Design Guide:
https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-
Guide/ta-p/72181

Sample Question
For answers, see the “Answers to Sample Questions” section.

39) A company has a physical data center with physical firewalls on their premises and several
applications protected by virtual firewalls on AWS. Now they will install Panorama in High
Availability mode. Which answer best describes the requirements for the HA Panorama
peers?
a) an M-100 pair or an M-500 pair, or one of each, with both peers in either Panorama mode or
Management Only mode
b) any two models of virtual appliances, with both peers in either Panorama mode or Management
Only mode, or in Legacy mode for ESXi and vCloud Air models
c) any pair of identically provisioned Panorama servers of the same model and mode, except that
Log Collector mode cannot be used for HA
d) any pair of identically provisioned Panorama servers of any model or mode, except that Log
Collector mode cannot be used for HA

Identify Scenarios for Panorama: Physical, Virtual, and Cloud
Before you can begin using Panorama for centralized management, logging, and reporting, you must
register the Panorama appliance and retrieve the licenses.

Every instance of Panorama requires valid licenses that entitle you to manage the devices and to obtain
support. The device management license enforces the maximum number of devices that can be
managed by Panorama. The support license enables Panorama software updates and dynamic content
updates for the latest application and threat signatures, among other updates, that are published by
Palo Alto Networks.

Panorama can be deployed on the M-100 or the M-500 management appliances, and individual
management and logging components can be separated in a distributed manner to accommodate large
volumes of log data.

Panorama also can be deployed as a virtual appliance on VMware ESXi, which allows organizations to
support their virtualization initiatives and consolidate rack space, which sometimes is limited or costly in
a data center.

References
 Panorama 9.0 Administrator’s Guide:
• Register Panorama and Install Licenses, including all the subsections:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-
panorama/register-panorama-and-install-licenses
• Manage Licenses and Updates:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-licenses-and-
updates
• Manage Licenses of Firewalls Using Panorama:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-licenses-and-
updates/manage-licenses-on-firewalls-using-panorama
• Panorama Models:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-
overview/panorama-models

Sample Questions
For answers, see the “Answers to Sample Questions” section.

40) How often does Panorama contact the Palo Alto Networks licensing server to look for new
licenses for its firewalls?
a) never; you need to check manually
b) once a week
c) every 24 hours
d) every 6 hours

41) What is the maximum storage capacity of a single Panorama virtual appliance in Panorama
mode?
a) 2TB
b) 12TB
c) 18TB
d) 24TB

Understand How Cortex Data Lake Is Designed and How to Use It with
Panorama
The Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation
for both on-premises and virtual firewalls, for Prisma Access, and for other cloud-delivered services such
as the Traps management service.

The Cortex Data Lake ensures that logging data is up-to-date and available when needed. It provides a
scalable logging infrastructure that reduces the need for Log Collectors to meet log retention
requirements. The Cortex Data Lake complements existing Log Collector deployments. Existing log
collection infrastructure can be augmented with the cloud-based Cortex Data Lake to expand
operational capacity. Regardless of where the data resides, Panorama can analyze all firewall logs and
provide insight into actionable events.

The following figure shows how Panorama and the Cortex Data Lake work together:

Reference
 Cortex Data Lake Getting Started Guide:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-
documentation/cloud-services/1-0/logging-service/logging-service-getting-started-guide.pdf

Sample Question
For answers, see the “Answers to Sample Questions” section.

42) How is the Cortex Data Lake integration with Panorama facilitated?
a) No integration is necessary; data flows from Panorama to the Cortex data lake and vice versa.
b) A Panorama plugin is installed in the Cortex Data Lake.
c) A Cloud Services plugin is installed in Panorama.
d) Agents run in both the Cortex Data Lake and Panorama.

Identify Variables to Scale Panorama
When you size a Panorama deployment, consider log storage requirements, Cortex Data Lake
requirements, and whether to tier Panorama with Panorama Interconnect.

Log storage requirements are driven by organizational and regulatory retention policy, redundancy
requirements, average daily logging rates, and the average size of the logs. See the "References"
section for more information about these factors, for Cortex Data Lake requirements, and for Panorama
management capacities. The following figure, from the Panorama Interconnect article cited in the
"References" section, shows the Panorama Interconnect hierarchy: a Panorama Controller manages
multiple Panorama Nodes, which in turn manage multiple devices.
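As an added worked example (not from the Panorama Sizing and Design Guide or any Palo Alto Networks tool), the following Python functions turn the sizing variables named above into a storage estimate. They assume a rule-of-thumb log size of roughly 0.5 KB when no measured value is available and double the total when Collector Group log redundancy is enabled; the firewall counts and logging rates in the scenario are constructed.

```python
"""Panorama log storage sizing estimate.

Added example, not from the Panorama Sizing and Design Guide or any
Palo Alto Networks tool. Inputs are the variables the study guide names:
aggregate logging rate, average log size, retention period and
redundancy. The 0.5 KB default is the rule of thumb used when no
measured log size exists; rates below are constructed.
"""
from dataclasses import dataclass

DEFAULT_LOG_BYTES = 512        # ~0.5 KB per log entry when nothing is measured
SECONDS_PER_DAY = 86_400
TB = 10 ** 12                  # decimal terabyte, matching vendor capacity figures


@dataclass(frozen=True)
class SizingInput:
    logs_per_second: float        # sum across all firewalls forwarding to Panorama
    retention_days: int           # set by organizational or regulatory policy
    avg_log_bytes: int = DEFAULT_LOG_BYTES
    log_redundancy: bool = False  # Collector Group "Enable log redundancy" stores each log twice


def bytes_per_day(inp: SizingInput) -> float:
    """Daily log volume written to the Collector Group, including redundant copies."""
    if inp.logs_per_second < 0 or inp.avg_log_bytes <= 0:
        raise ValueError("logging rate must be non-negative and log size positive")
    copies = 2 if inp.log_redundancy else 1
    return inp.logs_per_second * SECONDS_PER_DAY * inp.avg_log_bytes * copies


def required_storage_bytes(inp: SizingInput) -> int:
    """Storage needed to hold `retention_days` of logs at the given rate."""
    if inp.retention_days <= 0:
        raise ValueError("retention must be at least one day")
    return int(round(bytes_per_day(inp) * inp.retention_days))


def achievable_retention_days(inp: SizingInput, capacity_bytes: int) -> float:
    """Inverse question: how many days a given capacity holds at this rate."""
    per_day = bytes_per_day(inp)
    return float("inf") if per_day == 0 else capacity_bytes / per_day


def fits(inp: SizingInput, capacity_bytes: int) -> bool:
    """True when the retention target fits in the candidate appliance capacity."""
    return required_storage_bytes(inp) <= capacity_bytes


if __name__ == "__main__":
    # Constructed scenario: 40 firewalls averaging 25 logs/s each, 90-day retention
    scenario = SizingInput(logs_per_second=40 * 25, retention_days=90)
    print(f"{required_storage_bytes(scenario) / TB:.2f} TB without redundancy")
    redundant = SizingInput(40 * 25, 90, log_redundancy=True)
    print(f"{required_storage_bytes(redundant) / TB:.2f} TB with log redundancy")
    print(f"2 TB holds {achievable_retention_days(scenario, 2 * TB):.1f} days")
```

Measure the real logging rate and average log size from an existing deployment before trusting the estimate; threat and URL logs are larger than traffic logs, and a single verbose rule set can move the average well away from 0.5 KB.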

References
 Panorama Logging Requirements:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-
panorama/determine-panorama-log-storage-requirements.html
 Panorama Management Capacity:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/panorama-
features/device-management-capacity-enhancement.html
 Panorama Interconnect:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-large-scale-
firewall-deployments/panorama-interconnect/panorama-interconnect-overview.html
 Cortex Data Lake Getting Started Guide:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-
documentation/cloud-services/1-0/logging-service/logging-service-getting-started-guide.pdf

Sample Question
For answers, see the “Answers to Sample Questions” section.

43) Which value should be used as a typical log entry size if no other information is available about log
sizes?
a) 0.5KB
b) 0.5MB
c) 0.5GB
d) 0.5TB

Given a Customer Environment, Identify How to Size Panorama for HA
Special considerations apply when you size Panorama HA deployments. Panorama servers in an HA
configuration are peers in an active/passive arrangement: the active peer manages firewalls, Log
Collectors, and WildFire appliances and synchronizes its configuration to the passive peer, which takes
over on failure. Peers must be the same model and the same mode (a Panorama virtual appliance cannot
pair with an M-Series appliance), and because the passive peer must be able to carry the full load after
a failover, size both peers identically. Settings that are unique to each peer, such as its management IP
address and DNS servers, are not synchronized. HA peers use the management interface to synchronize
configuration elements. Panorama appliances in Log Collector mode do not support HA. The following
figure shows the organization of HA peers in a deployment.

References
 Panorama High Availability Requirements:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-
availability/panorama-ha-prerequisites.html
 Logging Considerations for HA Landing Page:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-
availability/logging-considerations-in-panorama-ha.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

44) Which Panorama settings stay synchronized between HA pairs?
a) device groups
b) templates
c) DNS servers
d) policy rules

Solution Designs and NGFW Configuration: Custom

Given a Design Requirement, Identify the Best Practice Approach to High Availability
High availability (HA) is when two firewalls are placed in a group and have their configuration
synchronized to prevent a single point of failure on your network. A heartbeat connection between the
firewall peers ensures seamless failover if a peer goes down. Set up two firewalls in an HA pair to
provide redundancy and allow you to ensure business continuity. The figure shows an example topology
of an HA pair.

References
 PAN-OS 9.0 Administrator’s Guide:
• HA Concepts with subtopics:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-concepts
• HA Lite:
https://live.paloaltonetworks.com/t5/Learning-Articles/What-is-HA-Lite-on-Palo-Alto-
Networks-PA-200-and-VM-Series/ta-p/62553

Sample Question
For answers, see the “Answers to Sample Questions” section.

45) Which feature is not supported in active/active (A/A) mode?
a) IPsec tunneling
b) DHCP client
c) link aggregation
d) configuration synchronization

Identify the Functions of a Given High Availability Port
Firewall models with dedicated HA ports provide two of them, one per plane. HA1 is the control link: it
carries management-plane traffic between the peers (hello messages, heartbeats, HA state, and
configuration and User-ID synchronization). HA2 is the data link: it carries data-plane state (session
table, forwarding tables, IPsec security associations, and ARP tables) so that the passive peer can take
over established sessions. Each link can be backed up by a second link (HA1 backup, HA2 backup), and an
active/active pair additionally uses an HA3 link to forward packets between peers for sessions that
require Layer 7 inspection on the session owner. Models without dedicated HA ports use in-band data
ports for HA2 and HA3 and can use the MGT port for HA1.

References
 PAN-OS 9.0 Administrator’s Guide:
• HA Links and Backup Links:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-
concepts/ha-links-and-backup-links
• Set Up Active/Passive HA:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-
activepassive-ha
• Set Up Active/Active HA:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-
activeactive-ha

Sample Question
For answers, see the “Answers to Sample Questions” section.

46) Which dedicated High Availability port is used for which plane?
a) HA1 for the data plane, HA2 for the management plane
b) HA1 for the management plane, HA2 for the data plane
c) MGT for the management plane; HA2 as a backup
d) HA1 for the management plane, HA2 for the data plane in the PA-7000 Series

Identify License Requirements for Receiving Near Real-Time Dynamic Updates
Palo Alto Networks regularly posts dynamic updates for application detection and threat prevention
(the Applications and Threats content), antivirus signatures, WildFire signatures, PAN-DB URL filtering,
and the GlobalProtect data file used by GlobalProtect and Prisma Access. Each update type other than
the Applications content requires the matching subscription on the firewall: Threat Prevention for the
Threats and Antivirus updates, WildFire for WildFire signatures, URL Filtering for PAN-DB, and
GlobalProtect for the GlobalProtect data file. Applications content is available with a current support
license. Publication cadence differs by type (WildFire signatures every five minutes, Antivirus daily,
Applications and Threats weekly with unscheduled emergency releases), so schedule each update type
at a matching frequency.

References
 PAN-OS 9.0 Administrator’s Guide:
• Install Content and Software Updates:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/install-
content-and-software-updates

Sample Question
For answers, see “Answers to Sample Questions” section.

47) Which two updates should be scheduled to occur once a day? (Choose two.)
a) Antivirus
b) PAN-DB URL Filtering
c) WildFire
d) Applications and Threats
e) SMS channel

Demonstrate Knowledge of Prisma Access
Prisma Access is a cloud-delivered security infrastructure service that simplifies scaling the Palo Alto
Networks next-generation security platform to remote network locations and mobile users. Because it
is a cloud service, it does not require you to build out a global security infrastructure or expand your
own operational capacity. With Prisma Access, Palo Alto Networks automatically deploys next-generation
firewalls, portals, and gateways in the appropriate locations.

The following figure shows how Prisma Access fits with the Cortex Data Lake, next-generation firewalls,
and Panorama:

Palo Alto Networks deploys and manages the Prisma Access service security infrastructure globally to
secure remote networks and mobile users.

Prisma Access requires the following elements:

 A service infrastructure in the form of an RFC 1918-compliant subnet that does not overlap with
other IP addresses used internally. Prisma Access uses this subnet’s IP addresses for network
infrastructure between remote network locations and mobile users, and for service connections
to the headquarters or the data center. Internal communication within the cloud uses dynamic
routing.
 Service connections to give mobile and remote network users access to corporate resources, to
enable mobile users access to remote network locations, and to enable the cloud service to
connect with authentication servers. These service connections require an IPsec tunnel from
each headquarters or data center location to Prisma Access, and routing to and from the tunnels
to the subnetworks that contain the resources that remote network and mobile users access.
 An IPsec-compliant firewall, router, or SD-WAN device that can establish a tunnel to Prisma
Access for remote networks, and routing from users at the remote network location through the
IPsec tunnel to enable Prisma Access to enforce Security policy on automatically deployed next-
generation firewalls in regions specified in the Panorama cloud services plugin.
 A designated RFC 1918-compliant IP address pool for the service to use to assign IP addresses
for the client VPN tunnels. The addresses in this pool must not overlap with other address pools
you use internally or pools you assign for the service connections. Prisma Access for mobile
users automatically deploys Prisma Access portals and gateways in the cloud. The designated
pool allows users to receive VPN configurations, which will route them to the closest Prisma
Access gateway for policy enforcement.
 Firewalls, gateways, and portals that are deployed as part of the Prisma Access infrastructure
must forward all logs to the Cortex Data Lake, and a Cortex Data Lake license is required.
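The two address-planning requirements above (RFC 1918 space, no overlap with internal ranges or with each other) are easy to get wrong on paper and expensive to fix after onboarding. The following Python check is an added example, not Palo Alto Networks code; it validates a candidate infrastructure subnet and mobile-user pool against the prefixes already in use. All prefixes in it are constructed.

```python
"""Prisma Access address-plan overlap check.

Added example, not Palo Alto Networks code. It checks the constraints the
study guide states: the service infrastructure subnet and the mobile-user
IP pool must be RFC 1918 IPv4 space, must not overlap each other, and
must not overlap address space already used internally (data center,
remote network locations, service connection pools). Prefixes are constructed.
"""
import ipaddress
from typing import Iterable, List

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _net(prefix: str):
    # strict=True rejects prefixes with host bits set (e.g. 10.1.2.3/24): a
    # typo in the plan is better caught here than during service onboarding.
    return ipaddress.ip_network(prefix, strict=True)


def is_rfc1918(net) -> bool:
    return net.version == 4 and any(net.subnet_of(block) for block in RFC1918)


def plan_problems(infra_subnet: str, mobile_pool: str,
                  internal_prefixes: Iterable[str]) -> List[str]:
    """Return a list of violations; an empty list means the plan is clean."""
    infra, pool = _net(infra_subnet), _net(mobile_pool)
    internal = [_net(p) for p in internal_prefixes]
    problems: List[str] = []
    for label, net in (("infrastructure subnet", infra), ("mobile user pool", pool)):
        if not is_rfc1918(net):
            problems.append(f"{label} {net} is not an RFC 1918 IPv4 prefix")
        for used in internal:
            # overlaps() only makes sense within one address family
            if used.version == net.version and net.overlaps(used):
                problems.append(f"{label} {net} overlaps internal prefix {used}")
    if infra.version == pool.version and infra.overlaps(pool):
        problems.append(f"infrastructure subnet {infra} overlaps mobile user pool {pool}")
    return problems


if __name__ == "__main__":
    # Constructed plan: the enterprise already uses 10/8 and 172.20/16 internally
    for problem in plan_problems("172.16.55.0/24", "10.200.0.0/16",
                                 ["10.0.0.0/8", "172.20.0.0/16"]):
        print("PROBLEM:", problem)
```

Feed the function every prefix that will be reachable over the service connections, including the remote network locations' LANs, not just the data center; an overlap with a branch subnet surfaces as an unroutable branch rather than as an onboarding error.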

References
• Prisma Access Getting Started Guide:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/cloud-services/1-0/gp-cloud-services/globalprotect-cloud-service-getting-started-guide.pdf
• Prisma Access Lightboard Video:
https://www.paloaltonetworks.com/products/innovations/globalprotect-cloud-service

Sample Question
For answers, see the “Answers to Sample Questions” section.

48) What does the phrase “Prisma Access extends security to remote network locations and mobile
users” mean in the context of the security that firewalls provide to a network?
a) Prisma Access independently provides the same type of protection as the firewalls, rebuilt
for the various infrastructures used for remote network locations and mobile users.
b) Prisma Access independently provides the exact same protection as the firewalls, rebuilt
for the various infrastructures used for remote network locations and mobile users.
c) Prisma Access securely routes traffic for remote network locations and mobile users
through the same PAN-OS based firewalls used to protect the network.
d) Prisma Access leverages native cloud security and other security infrastructure to provide
security to remote network locations and mobile users.

Demonstrate Knowledge of Custom WildFire Data Expansion and Use

MineMeld is an open-source application that streamlines the aggregation, enforcement, and sharing of threat intelligence in the form of indicators of compromise (IOCs). It facilitates prevention-based enforcement, including the generation of IP block lists.

MineMeld natively integrates with Palo Alto Networks security platforms to automatically create new prevention-based controls for the URL, IP, and domain intelligence derived from all sources feeding into the tool. These sources include the components of the Palo Alto Networks Security Operating Platform as well as third-party feeds. Organizations can block IOC-related threats through External Dynamic Lists and Dynamic Address Groups.

MineMeld integrates with the Palo Alto Networks AutoFocus contextual threat intelligence service. Customers use AutoFocus to target and analyze IOCs, and block associated threats on next-generation firewalls with export lists and through MineMeld.

AutoFocus can obtain the data it analyzes from WildFire, URL Filtering with PAN-DB, Traps, Prisma SaaS, the Palo Alto Networks global passive DNS network, and Unit 42. Data from WildFire can therefore be combined with these other sources and processed to provide automated protection with External Dynamic Lists (EDLs) and Dynamic Address Groups (DAGs), and the platform can share tags with AutoFocus and MineMeld for further automation.

The following figure shows MineMeld from the AutoFocus web interface. Miner nodes collect data from sources such as WildFire, Processor nodes aggregate and analyze that data, and Output nodes specify how the data is used for enforcement, such as by publishing EDLs for firewalls.
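The following Python script is an added example, not part of the guide or of MineMeld, that shows the normalization any EDL publisher has to perform before a firewall can consume the list. It assumes the EDL format rules: one entry per line; IP lists accept single addresses, CIDR blocks, and dash ranges; URL entries are written without a scheme; domain entries are bare host names. The indicator feed is constructed sample data, and serving the resulting text file to the firewall over HTTP(S) is not shown. In production a MineMeld Output node does this work; the point here is what "valid EDL" means.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed indicators, the way a mixed feed might hand them over: inconsistent case,
# schemes on URLs, a trailing dot on a domain, duplicates and one bad entry.
RAW_INDICATORS = [
    ("ip", "198.51.100.7"),
    ("ip", "198.51.100.7"),                   # duplicate
    ("ip", "203.0.113.0/24"),
    ("ip", "192.0.2.10-192.0.2.20"),          # range entry
    ("ip", "not-an-address"),                 # must be rejected, not published
    ("domain", "Malicious.Example."),
    ("domain", "malicious.example"),          # same host after normalisation
    ("url", "https://bad.example/drop.php?id=1"),
    ("url", "bad.example/drop.php?id=1"),     # same URL without scheme
    ("url", "HTTP://Bad.Example/second"),
]

DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{1,63}$")


def normalize_ip(value):
    """Accept a host, a CIDR block or a dash range; return canonical text or None."""
    if "-" in value:
        low, high = (v.strip() for v in value.split("-", 1))
        try:
            lo, hi = ipaddress.ip_address(low), ipaddress.ip_address(high)
        except ValueError:
            return None
        if lo.version != hi.version or lo > hi:
            return None
        return f"{lo}-{hi}"
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return None
    # A single host is written as a bare address rather than /32 or /128.
    return str(net.network_address) if net.num_addresses == 1 else str(net)


def normalize_domain(value):
    """Lower-case, drop a trailing dot, and reject anything that is not a host name."""
    host = value.strip().lower().rstrip(".")
    return host if DOMAIN_RE.match(host) else None


def normalize_url(value):
    """URL-list entries carry no scheme; the host is case-insensitive, the path is not.

    Assumption of this example: userinfo and port, if present, are discarded.
    """
    text = value.strip()
    if "://" not in text:
        text = "http://" + text  # temporary scheme so urlsplit finds the host
    parts = urlsplit(text)
    host = parts.hostname       # already lower-cased by urlsplit
    if not host:
        return None
    entry = host + parts.path
    if parts.query:
        entry += "?" + parts.query
    return entry


def build_edls(indicators):
    """Group, normalise and de-duplicate indicators into the three list types.

    Returns (lists, rejected): lists maps 'ip'/'domain'/'url' to sorted entries,
    rejected holds the (kind, raw) pairs that failed validation.
    """
    normalizers = {"ip": normalize_ip, "domain": normalize_domain, "url": normalize_url}
    lists = {kind: set() for kind in normalizers}
    rejected = []
    for kind, raw in indicators:
        fn = normalizers.get(kind)
        entry = fn(raw) if fn else None
        if entry is None:
            rejected.append((kind, raw))
        else:
            lists[kind].add(entry)
    return {k: sorted(v) for k, v in lists.items()}, rejected


def render_edl(entries):
    """One entry per line with a trailing newline: the body the firewall fetches."""
    return "\n".join(entries) + "\n"


if __name__ == "__main__":
    lists, rejected = build_edls(RAW_INDICATORS)
    for kind, entries in lists.items():
        print(f"--- {kind} list ---\n{render_edl(entries)}", end="")
    print("rejected:", rejected)
```

Rejected entries are reported rather than silently dropped or passed through: a malformed line in an IP list can cause the firewall to reject the whole list at refresh time, which would leave you with stale enforcement.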

References
• AutoFocus Datasheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/autofocus-threat-intelligence
• AutoFocus Administrator's Guide - MineMeld:
https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-apps/minemeld.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

49) Which combination facilitates leveraging the combination of WildFire analysis with PAN-DB and
third-party IOC services?
a) Panorama and WildFire
b) AutoFocus and MineMeld
c) Traps and Cortex XDR
d) Prisma SaaS and Prisma Public Cloud

Solution Design: NGFW Configuration - Security
Demonstrate Knowledge of Advanced Features and Configuration Capabilities
The next-generation firewall offers a variety of advanced features, such as support for DAGs, multi-factor authentication, Decryption Broker and Decryption Profiles, vsys, custom App-IDs, and custom reports. These topics are described in the Administrator's Guide.

The figure shows the firewall's web interface used to define a custom report, and the resulting report based on that definition.

References
• Use Dynamic Address Groups in Policy:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy.html
• Decryption Broker:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-broker.html
• Create a Decryption Profile:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile.html
• Configure Multi-Factor Authentication:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
• vsys landing page:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview.html
• Create a Custom Application:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application.html
• Custom Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/custom-reports.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

50) What can a Decryption Profile specify?
a) a list of applications that are not to be decrypted
b) custom definitions of decryption algorithms
c) sessions to be blocked based on decryption resource availability
d) sessions to be forwarded to certain users based on ability to decrypt

Identify How to Protect Against Known Attacks

Vulnerability Protection Profiles stop attempts to exploit system flaws or gain unauthorized access to systems. Anti-Spyware Profiles help identify infected hosts as traffic leaves the network, whereas Vulnerability Protection Profiles protect against threats entering the network. For example, Vulnerability Protection Profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection Profile protects clients and servers from all known critical-, high-, and medium-severity exploits.
References
• PAN-OS 9.0 Administrator's Guide:
  • Use DNS Queries to Identify Infected Hosts on the Network:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network
  • Vulnerability Protection Profiles:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/vulnerability-protection-profiles
  • Install Content and Software Updates:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/install-content-and-software-updates

Sample Question
For answers, see the “Answers to Sample Questions” section.

51) Which profile type is used to protect against most protocol-based attacks?
a) Antivirus
b) URL Filtering
c) Vulnerability Protection
d) WildFire Analysis

Identify the Next-Generation Firewall Components That Protect Against Unknown Attacks
The WildFire virtual environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks firewall detects an unknown sample (a file or a link included in an email), the firewall can automatically forward the sample for WildFire analysis. WildFire determines the sample to be Benign, Grayware, or Malicious based on the properties, behaviors, and activities that the sample displays when it is analyzed and executed in the WildFire sandbox. WildFire then generates signatures that recognize the newly discovered malware and makes the latest signatures globally available every five minutes. All Palo Alto Networks firewalls can then compare incoming samples against these signatures, so that malware first detected by a single firewall is automatically blocked everywhere.

The following figure shows how the platform as a whole works to discover known and unknown threats:

References
• WildFire 9.0 Administrator's Guide:
  • WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts
• A Hacker's View of Antivirus:
https://www.paloaltonetworks.com/products/secure-the-endpoint/traps
• Best Practices for Ransomware Prevention:
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148

Sample Question
For answers, see the “Answers to Sample Questions” section.

52) Which security posture is most likely to stop unknown attacks?
a) allow all the traffic that is not explicitly denied
b) deny all the traffic that is not explicitly allowed
c) deny all the traffic that is not explicitly allowed from the outside, and allow all the traffic that is
not explicitly denied from the inside
d) deny all the traffic that is not explicitly allowed from the inside, and allow all the traffic that
is not explicitly denied from the outside

Identify Where and How Credential Theft Occurs

The next-generation firewall acts against credential theft in three ways.

First, the firewall detects and prevents incoming phishing attacks by controlling the sites to which users can submit corporate credentials, based on the site's URL category. The firewall blocks users from submitting credentials to untrusted sites while allowing them to continue to submit credentials to sanctioned sites.

This credential phishing prevention works by scanning username and password submissions to websites and comparing them with valid corporate credentials. When the firewall detects a user attempting to submit credentials to a site in a restricted URL category, it either displays a block response page or a continue page that lets the user proceed with the submission.

Enabling credential phishing prevention requires both User-ID, to detect when users submit valid corporate credentials to a site, and URL Filtering, to specify the URL categories where users cannot enter their corporate credentials.

Second, the firewall blocks outgoing access to known phishing sites with PAN-DB URL Filtering. A URL Filtering Security Profile blocks the known phishing sites and is also configured to detect corporate credential submissions in the URL categories that remain allowed.

Third, the firewall limits the lateral movement of an attack that has already obtained credentials: a policy that requires multi-factor authentication protects critical applications from the use of stolen credentials.

The following figure shows the next-generation firewall's capabilities to neutralize credential theft by adding preventive capabilities that stop the theft and the abuse of passwords across the credential theft lifecycle:
References
• Preventing Credential-Based Attacks (Text and Videos):
https://www.paloaltonetworks.com/products/innovations/credential-theft-prevention
• Understanding the Role of Stolen Credentials in Data Breaches (Whitepaper):
https://get.info.paloaltonetworks.com/webApp/prevent-phishing-and-credential-theft-whitepaper-en

Sample Question
For answers, see the “Answers to Sample Questions” section.

53) How does an administrator specify in the firewall that certain credentials should not be sent to
certain URLs?
a) with a URL Filtering Profile
b) with User-ID
c) with App-ID
d) with a Credential Theft Profile

Solution Design: NGFW Configuration - Visibility

Identify Where to Configure User-ID in the Web Interface and How to Obtain Its Parameters
User and group information must be directly integrated into the technology platforms that secure
modern organizations. Knowledge of who is using the applications on your network, and who may have
transmitted a threat or is transferring files, strengthens Security policies and reduces incident response
times. User-ID is a standard feature on Palo Alto Networks next-generation firewalls that enables you to
leverage user information stored in a wide range of repositories.

The following figure shows the web interface configuration of User-ID:

Before policy rules based on a user or group are defined, an LDAP Server Profile must be created that defines how the firewall connects and authenticates to the directory server. The firewall supports a variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE Directory Server. The Server Profile also defines how the firewall searches the directory to retrieve the list of groups and the corresponding list of members. If you are using a directory server that is not natively supported by the firewall, integrate the group mapping function using the XML API.
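As an added example (not from the guide), the following Python script shows how an authentication system the firewall cannot read natively can still feed IP-address-to-user mappings through the User-ID XML API. It renders login and logout events as a uid-message document and includes a function, not called when the script runs, that POSTs the document to the firewall's /api/ endpoint with type=user-id. The event records are constructed; the firewall host, the API key, and the use of an admin role limited to the User-ID API are assumptions of the example.

```python
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed events from a hypothetical proprietary authentication system.
# A real integration would read these from that system's log or event stream.
AUTH_EVENTS = [
    {"event": "login",  "user": "acme\\jsmith", "ip": "10.1.20.15"},
    {"event": "login",  "user": "acme\\rlee",   "ip": "10.1.20.16"},
    {"event": "logout", "user": "acme\\jsmith", "ip": "10.1.20.15"},
]


def build_uid_message(events, timeout_minutes=60):
    """Render login/logout events as a PAN-OS <uid-message> update document.

    Login entries carry a timeout (minutes) so the mapping ages out even if the
    matching logout event is never seen; logout entries clear it immediately.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for ev in events:
        if ev["event"] == "login":
            ET.SubElement(login, "entry", name=ev["user"], ip=ev["ip"],
                          timeout=str(timeout_minutes))
        elif ev["event"] == "logout":
            ET.SubElement(logout, "entry", name=ev["user"], ip=ev["ip"])
    return ET.tostring(root, encoding="unicode")


def summarize(xml_text):
    """Parse a uid-message back into plain tuples, e.g. to log what was sent."""
    root = ET.fromstring(xml_text)
    return {
        "login": [(e.get("name"), e.get("ip"), e.get("timeout"))
                  for e in root.findall("./payload/login/entry")],
        "logout": [(e.get("name"), e.get("ip"))
                   for e in root.findall("./payload/logout/entry")],
    }


def push_to_firewall(host, api_key, xml_text):
    """POST the message to the firewall's XML API (not called here; needs network).

    host and api_key are assumptions for this example. The key should belong to an
    admin role that is allowed only the User-ID part of the XML API (least privilege).
    """
    body = urllib.parse.urlencode({"type": "user-id", "action": "set",
                                   "key": api_key, "cmd": xml_text}).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=body, method="POST")
    # urlopen verifies the firewall's certificate against the system trust store;
    # do not disable that verification to "make it work".
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    message = build_uid_message(AUTH_EVENTS)
    print(message)
    print(summarize(message))
```

The timeout on each login entry is the safety net for the failure mode that matters most here: a missed logout leaves the next user of that IP address with the previous user's identity and policy.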

The following figure shows the configuration of an LDAP Server Profile:

References
• Configure User Mapping Using the Windows User-ID Agent:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/configure-user-mapping-using-the-windows-user-id-agent
• Configure User Mapping Using the PAN-OS Integrated User-ID Agent:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/configure-user-mapping-using-the-pan-os-integrated-user-id-agent
• Configure User-ID to Monitor Syslog Senders for User Mapping:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping
• Map IP Addresses to Usernames Using Captive Portal:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal
• Deploy User-ID for Numerous Mapping Information Sources:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/deploy-user-id-for-numerous-mapping-information-sources
• User-ID Concepts:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/user-id-concepts
• Create a Dedicated Service Account for the User-ID Agent:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent

Sample Questions
For answers, see the “Answers to Sample Questions” section.

54) What is the maximum number of servers supported by a single User-ID agent?
a) 10
b) 50
c) 100
d) 500

55) How does the firewall know that a specific connection comes from a specific user?
a) Every connection has a user ID encoded in it.
b) User-ID is supported only in protocols that use user authentication, which provides the user
identity to the firewall and the back end.
c) The firewall always uses the IP address in the IP header to locate the user ID, but this initial
identification is overridden by additional techniques such as HTTP proxies that provide the
client’s IP address in the HTTP header.
d) Usually the firewall uses the IP address in the IP header to locate the user ID, but additional
techniques are available as alternatives such as HTTP proxies providing the client’s IP address
in the HTTP header.

Identify the Best Practices for Deployment of User-ID
For business flexibility, many organizations need to support multiple types of end users across a variety of locations and access technologies. In these environments, IP addresses no longer are an effective proxy for end users. Instead, user and group information must be directly integrated into the technology platforms that secure modern organizations.

When you enable User-ID only on internal, trusted zones, the User-ID services are not exposed to the internet, which helps keep them protected from attack. If User-ID and WMI probing are enabled on an external, untrusted zone (such as the internet), probes could be sent outside your protected network, disclosing the User-ID agent service account name, domain name, and password hash. An attacker can crack that hash and use the credentials to gain unauthorized access to protected resources. Therefore, User-ID should never be enabled on an untrusted zone.

References
• User-ID Tech Brief:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/user-id-tech-brief
• User-ID Deployment Best Practices:
https://live.paloaltonetworks.com/t5/Learning-Articles/Best-Practices-for-Securing-User-ID-Deployments/ta-p/61606

Sample Questions
For answers, see the “Answers to Sample Questions” section.

56) A customer has a proprietary user authentication system that is not supported by User-ID. Can
you provide User-ID information to their firewall, and if so, how?
a) It is impossible. The customer will need to upgrade to something more standard.
b) It can be done, but only for HTTP applications because HTTP supports XFF headers.
c) It can be done using the XML API.
d) It can be done, but it requires programming that can be performed only by the Palo Alto
Networks Professional Services organization.

57) Should you limit the permission of the user who runs the User-ID agent? If so, why?
a) Yes, because of the principle of least privilege. You should give processes only those
permissions that are necessary for them to work.
b) Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
c) Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
d) No, there is nothing wrong with using the administrator’s account.

Identify the Processes and Thought Around Configuring App-ID

App-ID is a patented traffic classification system available only in Palo Alto Networks firewalls. It identifies applications regardless of port, protocol, encryption (SSH or SSL), or any other evasive tactic used by the application. It applies multiple classification mechanisms (application signatures, application protocol decoding, and heuristics) to your network traffic stream to accurately identify applications.

References
• App-ID Overview:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/app-id-overview
• Manage Custom or Unknown Applications:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-custom-or-unknown-applications
• Create a Custom Application:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application
• Policies > Application Override:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-application-override.html
• Defining Applications:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-applications/applications-overview
• App-ID Tech Brief:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/app-id-tech-brief
• HTTP Header Insertion and Modification:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/app-id-tech-brief

Learn by Doing
• Play with App-ID on the user interface:
  • Attempt to define a custom application.
  • View the application information and characteristics for a Palo Alto Networks App-ID. See if you can see the App-ID signature, timeouts, etc.

Sample Question
For answers, see the “Answers to Sample Questions” section.

58) Which three reasons could cause a firewall that is fully configured, including decryption, to not
recognize an application? (Choose three.)
a) The application is running over SSL.
b) There is no App-ID signature for an unanticipated application.
c) The application is running over ICMP.
d) The application is running over UDP.
e) A TCP handshake completed but no application traffic reached the firewall.
f) Payload reached the firewall, but not enough data packets to identify the application.

Identify App-ID Deployment Best Practices and Techniques

Before you can safely enable applications, you must classify all traffic, across all ports, all the time. With App-ID, the only traffic that typically is classified as unknown (unknown-tcp, unknown-udp, or non-syn-tcp) in the ACC and the Traffic logs is commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats.
References
• Manage Custom or Unknown Applications:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-custom-or-unknown-applications
• Create a Custom Application:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application
• What is Application Dependency?
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-is-Application-Dependency/ta-p/54270

Sample Question
For answers, see the “Answers to Sample Questions” section.

59) Which two methods are best practices for adding a custom application that runs on TCP port 25
to the firewall? (Choose two.)
a) Request an App-ID from Palo Alto Networks.
b) Create a custom application with a signature.
c) Create a custom application and define an Application Override policy.
d) Write JavaScript code to identify the application.
e) Write Python code to identify the application.

Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum Effectiveness
A best practice Security policy is iterative. It safely enables applications, users, and content by viewing
and controlling all traffic flow, across all ports, all the time. As soon as you define the initial Internet
gateway Security policy, you must begin to monitor the traffic that matches the temporary rules
designed to identify policy gaps, monitor behavior that generates alarms, and tune your policy
accordingly. By monitoring traffic that is covered by these rules, you can make appropriate adjustments
to your rules to either ensure that all traffic is hitting your application whitelist or allow rules, or to
assess whether particular applications should be allowed. As you tune your rulebase, you should see less
and less traffic hitting these rules. When you no longer see traffic encountering these rules, your
positive enforcement whitelist rules are complete and you can remove the temporary rules.
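The following Python script is an added example (not from the guide) that serves both the unknown-application passage above and this tuning workflow. It reads a constructed traffic-log export, reports which applications are still hitting the temporary tuning rules (the counts that have to reach zero before those rules can be removed), and groups unknown-tcp and unknown-udp sessions by destination port so you can decide between a custom App-ID and an App-ID request. The column names, the tmp- rule naming convention, and the triage heuristic in classify() are this example's own, not the PAN-OS log schema or a PAN-OS feature.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed traffic-log export. A real PAN-OS CSV export has many more columns;
# these are the ones the tuning workflow needs, under names chosen for this example.
SAMPLE_LOG = """\
rule,src,dst,dport,app,action
allow-web,10.1.20.15,93.184.216.34,443,ssl,allow
allow-web,10.1.20.16,93.184.216.34,443,web-browsing,allow
tmp-catchall-allow,10.1.20.15,203.0.113.10,8443,unknown-tcp,allow
tmp-catchall-allow,10.1.20.17,203.0.113.10,8443,unknown-tcp,allow
tmp-catchall-allow,10.1.20.18,203.0.113.11,8443,unknown-tcp,allow
tmp-catchall-allow,10.1.20.19,198.51.100.5,5060,sip,allow
tmp-catchall-allow,10.1.20.20,198.51.100.9,27015,unknown-udp,allow
tmp-catchall-allow,10.1.20.15,10.2.0.5,445,ms-ds-smb,allow
deny-all,10.1.20.21,203.0.113.99,6667,irc,deny
"""

UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "non-syn-tcp"}
TEMP_RULE_PREFIX = "tmp-"   # naming convention assumed for the temporary tuning rules


def parse_log(text):
    """Read a CSV export with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def temp_rule_hits(rows):
    """Per temporary rule, which applications still hit it and how often.

    Each app listed here needs its own allow rule (or a decision to block it);
    when these counters reach zero the temporary rules can be removed.
    """
    hits = defaultdict(Counter)
    for row in rows:
        if row["rule"].startswith(TEMP_RULE_PREFIX):
            hits[row["rule"]][row["app"]] += 1
    return {rule: dict(apps) for rule, apps in hits.items()}


def unknown_traffic(rows):
    """Group unknown-app sessions by (app, destination port).

    That pair is the unit at which you decide between writing a custom App-ID
    (with a signature, not an override) and asking Palo Alto Networks for one.
    """
    groups = defaultdict(lambda: {"sessions": 0, "destinations": set(), "sources": set()})
    for row in rows:
        if row["app"] in UNKNOWN_APPS:
            g = groups[(row["app"], int(row["dport"]))]
            g["sessions"] += 1
            g["destinations"].add(row["dst"])
            g["sources"].add(row["src"])
    return {key: {"sessions": g["sessions"],
                  "destinations": sorted(g["destinations"]),
                  "sources": sorted(g["sources"])}
            for key, g in groups.items()}


def classify(summary):
    """Heuristic triage of each unknown group along the guide's three causes.

    This is the example's own rule of thumb, not a PAN-OS feature: many clients
    talking to a few servers looks like an internal or custom application; a single
    source/destination pair deserves a look before it is allowed.
    """
    verdicts = {}
    for key, g in summary.items():
        if len(g["destinations"]) <= 2 and len(g["sources"]) >= 3:
            verdicts[key] = "internal/custom app: few servers, many clients; create a custom App-ID"
        elif len(g["destinations"]) == 1 and len(g["sources"]) == 1:
            verdicts[key] = "single pair: inspect before allowing; possible threat or one-off"
        else:
            verdicts[key] = "investigate: commercial app without a signature? request an App-ID"
    return verdicts


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print(temp_rule_hits(rows))
    for key, verdict in classify(unknown_traffic(rows)).items():
        print(key, verdict)
```

Run against a real export, the interesting output is the sip and ms-ds-smb hits on the temporary rule: those are known applications that simply have no allow rule yet, and each one is a concrete rule to add before the temporary rule can go.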

References
• Create Best Practice Security Profiles:
https://docs.paloaltonetworks.com/best-practices/9-0/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles.html
• Step 4: Create the Temporary Tuning Rules:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-4-create-the-temporary-tuning-rules
• Monitor and Fine Tune the Policy Rulebase:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/best-practice-internet-gateway-security-policy/monitor-and-fine-tune-the-policy-rulebase
• Rule Usage Tracking:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/management-features/rule-usage-tracking

Sample Question
For answers, see the “Answers to Sample Questions” section.

60) Which five types of file does WildFire analyze as executables? (Choose five.)
a) JAR
b) Portable Document Format
c) MP4
d) Portable Executable
e) Office Open XML (.docx)
f) Executable and Linkable Format
g) BMP

Solution Design: NGFW Configuration - Decryption

Identify the Differences in Decryption Configuration Between Forward Proxy, Inbound Proxy, and SSH Proxy
With SSL Forward Proxy decryption, the firewall resides between the internal client and the outside server. The firewall uses Forward Trust or Forward Untrust certificates to establish itself as a trusted third party to the session between the client and the server. When the client initiates an SSL session with the server, the firewall intercepts the client's SSL request and forwards it to the server. The server sends a certificate intended for the client, which the firewall intercepts. If the server's certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server's certificate signed by the Forward Trust certificate and sends that copy to the client to authenticate. If the server's certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the server's certificate, signs it with the Forward Untrust certificate, and sends that to the client. Because the client does not trust the Forward Untrust CA, the user sees a certificate warning that the site they are attempting to connect to is not trusted, and can choose to proceed or terminate the session. When the client authenticates the certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the site that the client is accessing.

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server
(any server you have the certificate for and can import onto the firewall). For example, if an employee is
remotely connected to a web server hosted on the company network and is attempting to add
restricted internal documents to a Dropbox folder (which uses SSL for data transmission), SSL Inbound
Inspection can be used to ensure that the sensitive data does not move outside the secure company
network by blocking or restricting the session.

In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends an SSH request to the server, the firewall intercepts the request and forwards it to the server. The firewall then intercepts the server's response and forwards it to the client, establishing one SSH tunnel between the firewall and the client and another between the firewall and the server, with the firewall functioning as a proxy. As traffic flows between the client and the server, the firewall can distinguish whether the SSH traffic is a normal SSH session or is using SSH tunneling (port forwarding). Content and threat inspection is not performed on SSH tunnels; however, once the firewall identifies SSH tunneling, the tunneled traffic is blocked or restricted according to the configured Security policy.

References
• Decryption Overview:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-overview
• Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode:
https://live.paloaltonetworks.com/t5/Learning-Articles/Difference-Between-SSL-Forward-Proxy-and-Inbound-Inspection/ta-p/55553
• Decryption Port Mirroring:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring

Sample Question
For answers, see the “Answers to Sample Questions” section.

61) Which decryption mode or modes require(s) the private key of the destination server? (Choose a
single answer.)
a) Forward Proxy
b) Inbound Inspection
c) Both Forward Proxy and Inbound Inspection
d) SSH Proxy

Identify How to Overcome Privacy and Legal Objections to Decryption

You can configure decryption exceptions to exclude applications, URL categories, and targeted server traffic from decryption:

• Exclude certain URL categories or applications that do not work properly with decryption enabled, or that you must not decrypt for any other reason, including legal or privacy requirements. You can use a Decryption policy rule with the No Decrypt action to exclude traffic from decryption based on source, destination, URL category, and service (port or protocol). For example, with SSL decryption enabled, you can choose URL categories to exclude traffic that is categorized as financial or health-related from decryption.
• Exclude server traffic from SSL decryption based on the Common Name (CN) in the server certificate. For example, if you have SSL decryption enabled but have certain servers for which you do not want to decrypt traffic, such as the web services for your HR systems, exclude those servers from decryption by importing the server certificate onto the firewall and marking the certificate as an SSL Exclude Certificate.

References
• PAN-OS 9.0 Administrator's Guide:
  • Decryption Exclusions (including all the subtopics):
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-exclusions#93953
• PAN-OS 9.0 Web Interface Reference Guide:
  • Policies > Decryption in the Web Interface:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-decryption.html
  • Objects > Decryption Profile in the Web Interface:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-decryption-profile

Sample Question
For answers, see the “Answers to Sample Questions” section.

62) Which parameter cannot be used in a Decryption policy rule?
a) User-ID
b) App-ID
c) Source Zone
d) Destination Zone

Identify Which External Devices Work with Decryption Capabilities

In addition to the Decryption Broker, the firewall can provide decrypted traffic to external devices through decryption port mirroring. The figure shows the process for mirroring decrypted traffic.

Reference
• Decryption Mirroring:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

63) Which factor is consistent with decryption port mirroring?
a) a deployment on AWS
b) a suspicious IT team member
c) legal requirements to keep PII private
d) a vsys deployment

Identify Functionality Requirements, Use Cases, and Deployment Scenarios for Decryption Broker
A firewall acting as a Decryption Broker uses dedicated decryption forwarding interfaces to send decrypted traffic to a security chain, a set of inline, third-party security appliances, for additional analysis. Two types of security chain networks are supported with a Decryption Broker (Layer 3 security chains and transparent bridge security chains), and the firewall can direct traffic through the security chain unidirectionally or bidirectionally. A single firewall can distribute decrypted sessions among up to 64 security chains, and can monitor security chains to ensure that they are effectively processing traffic.

The following figure shows how decryption brokerage works:

The Decryption Broker can be used in several configurations. A pair of interfaces can be used to support
a single transparent bridge security chain, or multiple pairs can be used to support multiple such chains.
The broker interfaces can be configured to run in both directions or in one direction. They might be
configured to run both directions to allow the security chain to process cleartext in a different order for
outbound versus inbound traffic. They might be configured to run in only one direction if the security
chain has a stateless device such as a packet recorder that processes both inbound and outbound traffic
in the same direction. The interfaces might be configured to support multiple chains to balance the
processing load or provide redundancy. The broker can be used to monitor the health of the security
chains it feeds. Details about these use cases are provided in links from the “Decryption Broker
Concepts” reference.

References
• Decryption Broker:
  https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryption-features/decryption-broker
• Decryption Broker Concepts:
  https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-broker/decryption-broker-concepts

Sample Question
For answers, see the “Answers to Sample Questions” section.

64) What is the role of a security chain in Decryption Broker deployments?


a) sits outside the firewall and is accessed through dedicated firewall interfaces
b) a defined sequence of virtual devices inside the firewall that process decrypted cleartext
c) a sequence of interfaces and non-transparent bridges that securely control the decryption of
encrypted traffic
d) a combination of certificates’ chain of trust and protection of encrypted data throughout the
process of decryption and re-encryption

Solution Design: Sizing


Given a Customer Environment, Identify How to Size Cortex XDR (Magnifier)
Cortex XDR requires the Cortex Data Lake to process logs coming from Palo Alto Networks products.
Only one Cortex XDR instance can be tied to each Cortex Data Lake instance. When Cortex XDR is sized
for a deployment, both the storage used by Cortex XDR itself and the associated Cortex Data Lake
instance must be sized.

The sources of data for the Cortex Data Lake are Traps, the firewall or Panorama, and Prisma Access.
Directory Sync data is sent to the Cortex hub apart from Cortex Data Lake, and Pathfinder data is sent
directly to the Cortex XDR - Analytics application. This data generally does not need to be sized.

The size of a Cortex Data Lake instance is determined by the log rate and retention period. Cortex XDR
requires at least a 30-day retention period. The retention period is based on the longest required
retention among applications logged.

The Cortex Data Lake instance SKU is per 1TB on a subscription basis of one or three years.

After the data lake instance is sized, a Cortex XDR license is required based on the amount of data the
licensed Cortex XDR instance accesses from the firewall. The Cortex XDR SKU required is determined by
the range the data lake instance falls in. See the following table:

Data Lake Instance Size (in TB)    Cortex XDR Size (in TB)
1 to 5                             Up to 5
6 to 10                            Up to 10
11 to 25                           Up to 25
26 to 50                           Up to 50
51 to 100                          Up to 100
More than 100                      Special

You should experiment with the Cortex Sizing Calculator (see the “Reference” section).

Reference
• Cortex Sizing Calculator:
  https://apps.paloaltonetworks.com/logging-service-calculator

Sample Question
For answers, see the “Answers to Sample Questions” section.

65) An environment generates 3TB of firewall data and 4TB of Traps data over 30 days. Which licenses
must be purchased for Cortex XDR?
a) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
5TB
b) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 3TB
c) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
10TB
d) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 10TB

Given a Customer Environment, Identify How to Size Prisma SaaS


Prisma SaaS is sold as a stand-alone, cloud-hosted, subscription service. It is offered in subscriptions of
one, three, and five years. Prisma SaaS has user-based (account-based) and support licenses, and
premium support is included with the service license. When Prisma SaaS is licensed by the number of
users, its minimum license is a base license for up to 250 users. A “user” is counted as an account with a
sanctioned application. Licenses are sold with either one application or all applications, and the license
size is the largest per-application account count, not the sum across applications; a 250-user
license for all applications would suffice for a customer with 250 Box accounts, 200 SFDC accounts, and
250 GitHub accounts.

The following table shows the licenses required for numbers of users:

Users   Application    License Required
200     Box
50      Jive           250 users, all apps
250     Office 365

1000    SFDC           1,000 users, one app

200     Box
5000    Dropbox
50      SFDC           5,000 users, all apps
700     ServiceNow
250     Slack

Reference
• Prisma SaaS License Types:
  https://docs.paloaltonetworks.com/aperture/aperture-admin/get-started-with-aperture/register-and-activate-aperture-licenses/aperture-license-types.html

Sample Question
For answers, see the “Answers to Sample Questions” section.

66) Which Prisma SaaS licensing is required for a customer with 5,000 employees, 200 SFDC accounts,
and 1,000 ServiceNow accounts?
a) 5,000 users, all apps license
b) 5,000 users, one app license
c) 200 users, all apps license and a 5,000 users, one app license
d) 1,000 users, all apps license

Given a Customer Environment, Identify How to Size Prisma Access


Prisma Access requires Panorama for management in hardware, private cloud, or public cloud
environments, and requires Cortex Data Lake for log collection. Customers purchase a bandwidth pool
to allocate to their different sites, and assign bandwidth to each site using Panorama. The best practice
is to size each site by matching the ISP link speed. Bandwidth tiers range from 200Mbps to more than
10,000Mbps. Prisma Access for mobile users follows a similar tiered pricing model based on total
number of users, with tiers ranging from 200 unique users to more than 50,000. Pricing is based on the
capacity that customers purchase, regardless of what portion they use.

A service connection is not bandwidth-limited. It uses the IPsec protocol, and performance levels over
1Gbps should be attainable. Prisma Access stores logs through the cloud-based Palo Alto Networks
Cortex Data Lake.

Any Panorama size can be used with Prisma Access if it is Panorama 8.0.5 or later.

The following is a screenshot of the Prisma Access service pricing calculator included in the “References”
section:

References
• Prisma Access Pricing Calculator:
  https://www.paloaltonetworks.com/content/dam/pan/en_US/field/products/docs/global-protect/globalprotect-cloud-service-price-calculator.xlsx
• Prisma Access Licensing Training:
  https://identity.paloaltonetworks.com/idp/startSSO.ping?PartnerSpId=csod&TargetResource=https://paloaltonetworks.csod.com/LMS/LoDetails/DetailsLo.aspx?loid=f4598573-6b18-4d10-8438-24417a0e1455

Sample Question
For answers, see the “Answers to Sample Questions” section.

67) A Prisma Access customer has 50,000 unique mobile users, but uses only 2,000 at a time. Which
mobile user license do they need?
a) 2,000 users
b) 50,000 users
c) a weighted average of usage over time
d) a pay-as-you-go license

Sample Test
Answers are in the “Sample Test Answer Key” section.

1) Which file type is not supported by WildFire?


a) Java applications in JAR
b) Microsoft Word
c) batch
d) PDF

2) Which two answers could be used to handle a prospect’s objection that updating the WildFire
malware list twice a week is unacceptable? (Choose two.)
a) With a WildFire subscription you get an update every few minutes.
b) With the Threat subscription you get an update every few minutes.
c) With the Threat subscription you get an update every hour.
d) With the Threat subscription you get an update every 24 hours.

3) Which information does IBM Trusteer get from WildFire?


a) none; it provides information to WildFire
b) indicators of compromise (IoCs)
c) hashes of malware for EXE and MSI files
d) hashes of malware for APK files

4) Which Palo Alto Networks product directly protects corporate laptops when people use them from
home?
a) next-generation firewall
b) Panorama
c) WildFire
d) Prisma Access

5) Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
a) email
b) DNS
c) URL
d) SMS
e) ICMP

6) Where in a Custom Report do you specify the application to which it applies?


a) Query Builder
b) Group By field
c) Order By field
d) Time Frame field

7) Which log type does not have five severity levels?
a) Threat
b) WildFire Submission
c) Correlation
d) System

8) Which two behaviors would fail to disguise malware from a firewall? (Choose two.)
a) use domains known to be run by dynamic DNS providers
b) disguise C2 traffic as email
c) browse directly to IP addresses without DNS resolution
d) infect multiple hosts before accessing the C2 channel, so that each time the C2 request message
comes from a different IP address
e) slow down C2 traffic to one packet in each direction each day

9) Which element of the NGFW does the NGFW UTD show potential customers?
a) how to set up NGFW for the first time
b) how to migrate from a different firewall to NGFW
c) how to integrate with Advanced Endpoint Protection
d) how to integrate with WildFire

10) Which firewall series (one or more) requires you to specify in the Bill of Materials the Network
Processing Cards (NPCs) to include?
a) A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks appliances don’t
support hardware customization.
b) PA-7000
c) PA-5200 and PA-7000
d) PA-3000, PA-5200, and PA-7000

11) Which step is required to ensure that web storage is not used to exfiltrate sensitive data from an
enterprise that must use web storage to collaborate with business partners?
a) disconnect from the internet
b) configure a local shared drive and use that instead of web storage
c) use Prisma SaaS to ensure that the information shared to the web storage is not sensitive
d) install Advanced Endpoint Protection

12) In Panorama, which policy gets evaluated last?


a) device group pre-rules
b) device group post-rules
c) shared pre-rules
d) shared post-rules
e) local firewall rules

13) What is the difference between templates and device groups?
a) Templates are used for network parameters and device groups are used for security definitions
(rules and objects).
b) Device groups are used for network parameters and templates are used for security definitions
(rules and objects).
c) Panorama has device groups, but there is no such thing as a template in Panorama.
d) Panorama has templates, but there is no such thing as a device group in Panorama.

14) Which is not an advantage of using Panorama?


a) ability to recognize more applications on the firewall
b) centralized management
c) centralized view of collected logs
d) automatic event correlation

15) Which three features are not supported by HA lite, but are available on higher-end models? (Choose
three.)
a) link aggregation
b) DHCP lease information synchronization
c) PPPoE lease information synchronization
d) active/passive (A/P) high availability (without session synchronizations)
e) active/passive (A/P) high availability (with session synchronizations)
f) active/active (A/A) high availability

16) Which scenario could cause “split brain” in an active/passive (A/P) high availability setup?
a) The connection between the management plane ports is encrypted.
b) The connection between the data-plane ports is broken and there is no configured backup, so
there is no heartbeat.
c) The connection between the management plane ports is broken and there is no configured
backup, so there is no heartbeat.
d) Only if both connections are broken would you get a “split brain” problem.

17) A best practice is to either block executables or to send them to WildFire. Which three file types are
analyzed as executables by WildFire? (Choose three.)
a) JAR
b) Portable Document Format
c) Python Script
d) Office Open XML (.docx)
e) iPhone apps

18) Which action could disconnect a potentially infected host from the network?
a) Alert
b) Reset Client
c) Reset Server
d) Block IP

19) Which component of the Security Operating Platform turns unknown attacks into known attacks?
a) next-generation firewall
b) Advanced Endpoint Protection
c) WildFire
d) AutoFocus

20) What is the maximum number of servers that a User-ID agent supports?
a) 20
b) 100
c) 1,000
d) There is no limit.

21) Must the agent account be a member of the Distributed COM Users group?
a) yes, always
b) only when using the Windows-based User-ID agent
c) only when using the PAN-OS integrated User-ID agent
d) no, never

22) Which characteristic of a predefined application can be viewed and modified by an administrator?
a) timeout values
b) name
c) hash
d) dependencies

23) Which two decryption modes require an SSL certificate? (Choose two.)
a) Forward Proxy
b) Inbound Inspection
c) Reverse Proxy
d) SSH Proxy
e) Outbound Inspection

Answers to Sample Questions
Asterisks indicate correct answers.

1) Which file type is not supported as an upload sample for WildFire on the
wildfire.paloaltonetworks.com/wildfire/upload page?
a) iOS applications*
b) Android applications
c) Windows applications
d) Microsoft Excel files

2) WildFire functionality is like that of a sandbox. Is the statement an accurate description?


a) Yes, WildFire functionality is exactly that of a virtual sandbox in the cloud, provided to test
applications that customers run in the cloud.
b) No, WildFire does not supply sandbox functionality, although it competes with products that do.
c) No, WildFire provides dynamic analysis, machine learning, and other techniques along with
sandbox functionality.*
d) Yes, WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.

3) Can you get WildFire functionality without an internet connection?


a) no
b) yes, using a WF-400 appliance
c) yes, using a WF-500 appliance*
d) yes, using a WF-600 appliance

4) Which fully populated firewall has the highest file forwarding capacity through its data ports?
a) VM-100
b) PA-200
c) PA-5280
d) PA-7080*

5) Which information does Tanium get from WildFire?


a) none; it provides information to WildFire
b) indicators of compromise (IoCs)*
c) hashes of malware for EXE and MSI files
d) hashes of malware for APK files

6) Which option is an example of how the next-generation firewall can provide visibility and
enforcement around SaaS applications?
a) Through partnership with SaaS application vendors, special virtual firewalls that support a
subset of full firewall functionality are used inside the SaaS applications themselves.
b) A built-in default security rule in the firewall blocks dangerous SaaS applications based on an
automatically updated database of dangerous SaaS applications.
c) Built-in default functionality in the firewall sends all files sent or received by SaaS applications to
WildFire.
d) The firewall can filter SaaS applications based on whether they comply with industry
certifications such as SOC1, HIPAA, and FINRA.*

7) When a cloud deployment is secured, which role does the next-generation firewall play?
a) A member of the VM-Series is attached to each VM in the cloud environment, to stop malware,
exploits, and ransomware before they can compromise the virtual systems they are attached to.
b) The NGFW exports its Security policy through Panorama, which in turn distributes that policy to
the cloud-based Prisma SaaS service that enforces the NGFW Security policy against each VM
used in the cloud environment.
c) The NGFW exports its Security policy to WildFire, which lives in the cloud and enforces the
NGFW Security policy throughout the cloud environment.
d) The NGFW is used to consistently control access to applications and data based on user
credentials and traffic payload content for private or public cloud, internet, data center, or SaaS
applications.*

8) Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating Platform?
a) attacks through SaaS applications, such as exfiltration through Box
b) attacks that do not cross the firewall, regardless of source or destination
c) attacks based on social engineering that mimic normal user behavior*
d) denial-of-service attacks from a trusted source
e) intrazone attacks, regardless of source or destination

9) Which two profile types can block a C2 channel? (Choose two.)


a) Anti-Spyware*
b) Certification
c) Command and Control
d) Decryption
e) URL Filtering*

10) The customer wants a monthly report of the number of connections (of a particular application)
per day. Where do you specify that the report is by days?
a) Query Builder
b) “Group By” field*
c) “Order By” field
d) “Time Frame” field

11) The customer wants a monthly connections report for a particular application to be generated
based on hourly activity. Where is this setting specified?
a) Query Builder
b) “Group By” field*
c) “Sort By” field
d) “Time Frame” field

12) You can receive regularly scheduled reports in which two ways? (Choose two.)
a) Retrieve the reports from the Palo Alto Networks web-based user interface.*
b) Upload the report to a document repository using FTP.
c) Configure automatic email delivery for regularly scheduled reports.*
d) Configure automatic printing to the office printer.
e) Upload the report to the domain’s document repository using a shared drive.

13) An author of malware buys five new domain names each week and uses those domains for C2.
How does that practice affect a botnet report for the network the malware is attacking?
a) It helps disguise the malware.
b) It fails to disguise the malware because access to new domains (registered in the last week)
is counted as suspicious.
c) It fails to disguise the malware because access to new domains (registered in the last 30 days)
is counted as suspicious.*
d) It fails to disguise the malware because access to new domains (registered in the last 60 days)
is counted as suspicious.

14) Which Palo Alto Networks product directly protects corporate laptops when people use them
from home?
a) next-generation firewall
b) Traps*
c) Panorama
d) WildFire

15) Which option is not a feature of Expedition?


a) policy migration
b) auto-zoning
c) adoption of App-ID
d) Best Practice Assessment Tool
e) Security Lifecycle Review*

16) The CEO is concerned that employees are using too much of the organization’s bandwidth for
YouTube, thus causing a performance problem. Which section of the SLR confirms or allays this
concern?
a) High-Risk Applications
b) Bandwidth Consumed by Applications
c) Categories Consuming the Most Bandwidth*
d) Categories with the Most Applications

17) Which interface mode do you use to generate the Stats Dump file that can be converted into an
SLR? Assume that you want to make the evaluation as non-intrusive as possible.
a) Tap*
b) virtual wire
c) Layer 2
d) Layer 3

18) Which two elements of the NGFW does the NGFW UTD show potential customers? (Choose
two.)
a) how to set up NGFW for the first time
b) how to modify the Security policy*
c) how to view log entries and reports*
d) how to migrate from a different firewall to NGFW
e) how to integrate with Advanced Endpoint Protection

19) What can the SaaS Risk Assessment Report show?


a) sensitive content shared with untrusted users*
b) weak decryption policies employed for credential storage
c) motion picture copyright violations
d) unusual patterns of allowed data access

20) Which two steps are essential parts of the PPA process? (Choose two.)
a) a structured interview with the customer about their security prevention capabilities*
b) upload of a file generated by the customer’s firewall capturing the threats they are facing
c) a report to the customer about how to improve their security posture*
d) a discussion about expectations of threat prevention in a proof-of-concept

21) Which two success tools are most appropriate for a prospective customer that is using a
competitor’s offerings but has no security prevention strategy? (Choose two.)
a) Expedition
b) Prevention Posture Assessment*
c) Security Lifecycle Review*
d) Best Practice Assessment with Heatmaps
e) Data Center Segmentation Strategy Analyzer

22) A potential customer has many satellite offices, each of which is connected to the internet
using a 250Mbps link. The customer requirements include threat prevention for all the traffic.
Which model does Palo Alto Networks recommend be deployed in those offices to fulfill these
requirements, assuming a reduction in network capacity is unacceptable and cost is a
concern?
a) PA-100
b) PA-500
c) PA-2020
d) PA-3020*

23) Which step is required to ensure that web storage is not used to exfiltrate sensitive data from
an enterprise that must use web storage to collaborate with business partners?
a) disconnect from the internet
b) configure a local shared drive and use that instead of web storage
c) install Advanced Endpoint Protection
d) use the firewall to forbid uploads to other web storage instances*

24) AutoFocus cannot perform which action?


a) distinguish between attacks that attempt to exfiltrate data (violate confidentiality) and
attacks that attempt to modify it (violate integrity)*
b) display the processes started by specific malware
c) display the network connections used by specific malware
d) distinguish between commodity attacks and advanced persistent threats (APTs) directed
against the customer’s organization or industry

25) Should a Traps agent be installed on desktop PCs that stay behind the corporate firewall?
a) No, because they are protected by the firewall.
b) Yes, because sometimes people take desktops from behind the corporate firewall home to
work, and the corporation might properly deploy Prisma Access to extend the firewall’s protection
to mobile users.
c) Yes, because a network connection from a desktop PC behind the corporate firewall could
bypass the corporate firewall.
d) Yes, because malware and exploit files might be able to traverse the network before they are
identified by WildFire, and file propagation methods such as the use of USB drives bypass the
firewall.*

26) The firewall of a defense contractor is not connected to the internet. However, it is connected
to the classified SIPRNet. The contractor is concerned about getting malware files through
that network. Can this defense contractor use the WildFire service for protection?
a) No, because there is no network path to the WildFire cloud.
b) No, because all SIPRNet files are encrypted.
c) Yes, but only for PE-type file analysis.
d) Yes, they can use a WF-500 appliance.*

27) How does Cortex XDR help prevent lateral threat movement?
a) Cortex XDR agents test all traffic for known viruses and malware at every interface of every
device within the network.
b) Cortex XDR dynamically creates and manages VM-Series firewalls as traffic increases inside a
network.
c) Cortex XDR applies machine learning techniques to recognize deviations from normal use inside
the network.*
d) Cortex XDR applies machine learning and other artificial intelligence to compare network activity
to that of thousands of other customers.

28) A price-sensitive customer requires 300,000 connections per second. Which firewall model should
they purchase?
a) PA-220
b) PA-3250
c) PA-5280*
d) PA-7080

29) Which products describe the components of the Palo Alto Networks Security Operating
Platform that contribute to endpoint security?
a) Traps and the next-generation firewall
b) WildFire and Traps
c) Traps, WildFire, and the next-generation firewall
d) next-generation firewall, Prisma Access, Traps, and WildFire*

30) Which component of Palo Alto Networks public cloud security solution protects against C2
communications in an AWS environment?
a) Prisma Public Cloud
b) Traps
c) Prisma SaaS
d) VM-Series*

31) How does the next-generation firewall fit into the Palo Alto Networks SaaS security solution?
a) It is replaced by Prisma Access.
b) It provides inline security.*
c) Its functionality is superseded by the CASB proxy and reverse proxy.
d) It provides the same security for in-house applications that Prisma SaaS provides for SaaS
applications.

32) How does the Cortex Data Lake fit with platform visibility and enforcement?
a) All applications and components of the platform, and third-party services and applications can
both feed and extract data and its context from the Cortex Data Lake.
b) Firewalls, Prisma Access, Traps, and WildFire feed the Cortex Data Lake, and Cortex XDR and
third-party applications apply AI and other technologies for analysis and enforcement.*
c) AutoFocus, and Cortex XDR feed data and context to the Cortex Data Lake, and physical and
virtual firewalls along with Prisma SaaS provide consistent Security policy enforcement for the
platform.
d) The Cortex Data Lake essentially is a rebranding of Logging mode for Panorama, providing an
auto-scaled cloud-delivered service with exactly the same logging functionality as Panorama.

33) What is a platform component use of Cortex Data Lake?


a) Traps receives data from the Cortex Data Lake to do its zero-day attack analysis.
b) Cortex XDR provides data to the Cortex Data Lake after applying AI and machine learning to
firewall and other sensor traffic.
c) Prisma Access extracts data from the Cortex Data Lake to help inform CASB proxy functionality
for tolerated SaaS applications.
d) Third-party applications make use of data in the Cortex Data Lake.*

34) How do licenses work with Panorama?


a) All the firewalls managed by a Panorama instance must be individually licensed, and these
licenses can be managed by Panorama, but Panorama itself does not require a license.
b) Panorama needs its own management and support licenses registered, activated, and
retrieved.*
c) Panorama has its own Logging mode, and a Logging Service (Cortex Data Lake) license is
included in that functionality.
d) All the licenses associated with firewalls managed by a Panorama instance are included in the
Panorama license for that instance.

35) Which platform component provides multi-cloud API-based consistent security?


a) WildFire
b) Panorama
c) Cortex XDR
d) Prisma Public Cloud*

36) In Panorama, which policy gets evaluated first?


a) device group pre-rules
b) device group post-rules
c) shared pre-rules*
d) shared post-rules
e) local firewall rules

37) Can the same rule allow traffic from different sources on different firewalls?
a) No, rules mean the same on all firewalls that receive the same policy.
b) No, because device groups are pushed from Panorama to all firewalls.
c) Yes, because different firewalls can have different zone definitions.*
d) Yes, because there could be clauses in a rule with effects limited to a specific device group.

38) Which is not an advantage of using Panorama?


a) centralized management
b) higher throughput on the firewalls*
c) centralized view of collected logs
d) automatic event correlation

39) A company has a physical data center with physical firewalls on their premises and several
applications protected by virtual firewalls on AWS. Now they will install Panorama in High
Availability mode. Which answer best describes the requirements for the HA Panorama peers?
a) an M-100 pair or an M-500 pair, or one of each, with both peers in either Panorama mode or
Management Only mode
b) any two models of virtual appliances, with both peers in either Panorama mode or Management
Only mode, or in Legacy mode for ESXi and vCloud Air models
c) any pair of identically provisioned Panorama servers of the same model and mode, except that
Log Collector mode cannot be used for HA*
d) any pair of identically provisioned Panorama servers of any model or mode, except that Log
Collector mode cannot be used for HA

40) How often does Panorama contact the Palo Alto Networks licensing server to look for new licenses
for its firewalls?
a) never; you need to check manually
b) once a week
c) every 24 hours*
d) every 6 hours

41) What is the maximum storage capacity of a single Panorama virtual appliance in Panorama mode?
a) 2TB
b) 12TB
c) 18TB
d) 24TB*

42) How is the Cortex Data Lake integration with Panorama facilitated?
a) No integration is necessary; data flows from Panorama to the Cortex Data Lake and vice versa.
b) A Panorama plugin is installed in the Cortex Data Lake.
c) A Cloud Services plugin is installed in Panorama.*
d) Agents run in both the Cortex Data Lake and Panorama.

43) Which value should be used as a typical log entry size if no other information is available about log
sizes?
a) 0.5KB*
b) 0.5MB
c) 0.5GB
d) 0.5TB

44) Which Panorama settings stay synchronized between HA pairs?


a) device groups
b) templates
c) DNS servers
d) policy rules*

45) Which feature is not supported in active/active (A/A) mode?


a) IPsec tunneling
b) DHCP client*
c) link aggregation
d) configuration synchronization

46) Which dedicated High Availability port is used for which plane?
a) HA1 for the data plane, HA2 for the management plane
b) HA1 for the management plane, HA2 for the data plane*
c) MGT for the management plane; HA2 as a backup
d) HA1 for the management plane, HA2 for the data plane in the PA-7000 Series

47) Which two updates should be scheduled to occur once a day? (Choose two.)
a) Antivirus*
b) PAN-DB URL Filtering
c) WildFire
d) Applications and Threats*
e) SMS channel

48) What does the phrase “Prisma Access extends security to remote network locations and mobile
users” mean in the context of the security that firewalls provide to a network?
a) Prisma Access independently provides the same type of protection as the firewalls, rebuilt for
the various infrastructures used for remote network locations and mobile users.
b) Prisma Access independently provides the exact same protection as the firewalls, rebuilt for the
various infrastructures used for remote network locations and mobile users.
c) Prisma Access securely routes traffic for remote network locations and mobile users through the
same PAN-OS based firewalls used to protect the network.*
d) Prisma Access leverages native cloud security and other security infrastructure to provide
security to remote network locations and mobile users.

49) Which combination facilitates leveraging the combination of WildFire analysis with PAN-DB and
third-party IOC services?
a) Panorama and WildFire
b) AutoFocus and MineMeld*
c) Traps and Cortex XDR
d) Prisma SaaS and Prisma Public Cloud

50) What can a Decryption Profile specify?
a) a list of applications that are not to be decrypted
b) custom definitions of decryption algorithms
c) sessions to be blocked based on decryption resource availability*
d) sessions to be forwarded to certain users based on ability to decrypt

51) Which profile type is used to protect against most protocol-based attacks?
a) Antivirus
b) URL Filtering
c) Vulnerability Protection*
d) WildFire Analysis

52) Which security posture is most likely to stop unknown attacks?
a) allow all the traffic that is not explicitly denied
b) deny all the traffic that is not explicitly allowed*
c) deny all the traffic that is not explicitly allowed from the outside, and allow all the traffic that is
not explicitly denied from the inside
d) deny all the traffic that is not explicitly allowed from the inside, and allow all the traffic that is
not explicitly denied from the outside
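The difference between the two postures in question 52 is easiest to see by running a session through a first-match rulebase whose implicit default is either allow or deny. The following is an added example, not code from the study guide or from PAN-OS; the rulebase, zone names and App-ID names are constructed for illustration. Only traffic that an explicit rule names gets a decision from that rule; everything else, including an application with no signature yet, falls through to the implicit default.

```python
"""Added example (not from the study guide): first-match rulebase evaluation
under the two security postures of question 52, using a constructed rulebase."""
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                            # "allow" or "deny"
    src_zone: Optional[str] = None         # None matches any zone
    dst_zone: Optional[str] = None
    apps: Optional[FrozenSet[str]] = None  # None matches any App-ID


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    app: str   # App-ID result, e.g. "web-browsing" or "unknown-tcp"


def rule_matches(rule: Rule, s: Session) -> bool:
    return ((rule.src_zone is None or rule.src_zone == s.src_zone)
            and (rule.dst_zone is None or rule.dst_zone == s.dst_zone)
            and (rule.apps is None or s.app in rule.apps))


def evaluate(rules, session: Session, default_action: str) -> Tuple[str, str]:
    """First matching rule wins; if nothing matches, the implicit default applies."""
    for rule in rules:
        if rule_matches(rule, session):
            return rule.name, rule.action
    return "implicit-default", default_action


# Constructed rulebase: the only explicit entries are a web allow and a P2P block.
EXPLICIT_RULES = (
    Rule("allow-web", "allow", "trust", "untrust", frozenset({"web-browsing", "ssl"})),
    Rule("block-p2p", "deny", "trust", "untrust", frozenset({"bittorrent"})),
)


def allow_unless_denied(session: Session) -> Tuple[str, str]:
    """Posture (a): anything not explicitly denied is allowed."""
    return evaluate(EXPLICIT_RULES, session, "allow")


def deny_unless_allowed(session: Session) -> Tuple[str, str]:
    """Posture (b): anything not explicitly allowed is denied."""
    return evaluate(EXPLICIT_RULES, session, "deny")


if __name__ == "__main__":
    for app in ("web-browsing", "bittorrent", "unknown-tcp", "new-unsigned-app"):
        s = Session("trust", "untrust", app)
        print(f"{app:18} allow-unless-denied={allow_unless_denied(s)[1]:5} "
              f"deny-unless-allowed={deny_unless_allowed(s)[1]}")
```

Both postures treat the explicitly named applications identically; they part ways only on `unknown-tcp` and on an application nobody wrote a rule for, which is exactly the traffic an unknown attack produces. On a PAN-OS firewall the predefined `interzone-default` rule already denies unmatched traffic between zones, so posture (b) is what an unmodified rulebase gives you between zones.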

53) How does an administrator specify in the firewall that certain credentials should not be sent to
certain URLs?
a) with a URL Filtering Profile*
b) with User-ID
c) with App-ID
d) with a Credential Theft Profile

54) What is the maximum number of servers supported by a single User-ID agent?
a) 10
b) 50
c) 100*
d) 500

55) How does the firewall know that a specific connection comes from a specific user?
a) Every connection has a user ID encoded in it.
b) User-ID is supported only in protocols that use user authentication, which provides the user
identity to the firewall and the back end.
c) The firewall always uses the IP address in the IP header to locate the user ID, but this initial
identification is overridden by additional techniques such as HTTP proxies that provide the
client’s IP address in the HTTP header.
d) Usually the firewall uses the IP address in the IP header to locate the user ID, but additional
techniques are available as alternatives such as HTTP proxies providing the client’s IP address in
the HTTP header.*

56) A customer has a proprietary user authentication system that is not supported by User-ID. Can you
provide User-ID information to their firewall, and if so, how?
a) It is impossible. The customer will need to upgrade to something more standard.
b) It can be done, but only for HTTP applications because HTTP supports XFF headers.
c) It can be done using the XML API.*
d) It can be done, but it requires programming that can be performed only by the Palo Alto
Networks Professional Services organization.
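Question 56 says the XML API is the route for an authentication system User-ID does not understand. The script below is an added example, not code from the study guide or from Palo Alto Networks: it turns constructed log lines from a hypothetical proprietary login system into a User-ID `uid-message` and shows how that message would be posted to the firewall's `/api/` endpoint with `type=user-id`. The firewall host name and API key are placeholders; the message format (`uid-message` with `login` and `logout` entries carrying `name`, `ip` and `timeout`) is the documented User-ID XML API format, and the IP validation is the one defensive step a practitioner should not skip, since whatever you feed this interface becomes the identity the firewall enforces policy on.

```python
"""Added example (not from the study guide): feeding user-to-IP mappings from an
unsupported authentication system into the firewall through the User-ID XML API."""
import ipaddress
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample log lines from a hypothetical proprietary authentication system.
# The last line carries a malformed address on purpose.
SAMPLE_AUTH_LOG = """\
2019-07-01T10:00:00Z LOGIN  corp\\alice 10.1.1.10
2019-07-01T10:00:05Z LOGIN  corp\\bob   10.1.1.11
2019-07-01T10:15:00Z LOGOUT corp\\alice 10.1.1.10
2019-07-01T10:16:00Z LOGIN  corp\\eve   not-an-ip
"""

LINE_RE = re.compile(r"^\S+\s+(LOGIN|LOGOUT)\s+(\S+)\s+(\S+)$")


def parse_auth_log(text: str):
    """Return (logins, logouts) as lists of (user, ip).

    Records whose IP does not parse are dropped: a malformed or crafted log
    line must not be able to create a bogus user-to-IP mapping on the firewall."""
    logins, logouts = [], []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        event, user, ip = m.groups()
        try:
            ip = str(ipaddress.ip_address(ip))
        except ValueError:
            continue
        (logins if event == "LOGIN" else logouts).append((user, ip))
    return logins, logouts


def build_uid_message(logins, logouts, timeout_minutes: int = 20) -> str:
    """Build the User-ID XML API payload for the given login/logout events."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login_el = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login_el, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout_el = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout_el, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def summarize_uid_message(xml_text: str):
    """Parse a uid-message back into {"login": [(user, ip)], "logout": [(user, ip)]}."""
    root = ET.fromstring(xml_text)
    out = {"login": [], "logout": []}
    for kind in out:
        for entry in root.findall(f"./payload/{kind}/entry"):
            out[kind].append((entry.get("name"), entry.get("ip")))
    return out


def send_uid_message(firewall_host: str, api_key: str, xml_cmd: str) -> str:
    """POST the message to the firewall's XML API (type=user-id). Not called here."""
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_cmd}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    logins, logouts = parse_auth_log(SAMPLE_AUTH_LOG)
    message = build_uid_message(logins, logouts)
    print(message)
    # send_uid_message("firewall.example.internal", "<API-KEY-PLACEHOLDER>", message)
```

Run the process under a dedicated, minimally privileged API role that is allowed only the User-ID API, which is the same least-privilege point question 57 makes for the User-ID agent's service account.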

57) Should you limit the permission of the user who runs the User-ID agent? If so, why?
a) Yes, because of the principle of least privilege. You should give processes only those permissions
that are necessary for them to work.*
b) Yes, to an extent. You can give it most privileges, but there is no actual user, so you should not
let it start an interactive login.
c) Yes, to an extent. You can give it most privileges, but there is no actual user, so you should not
let it have remote access.
d) No, there is nothing wrong with using the administrator’s account.

58) Which three reasons could cause a firewall that is fully configured, including decryption, to not
recognize an application? (Choose three.)
a) The application is running over SSL.
b) There is no App-ID signature for an unanticipated application.*
c) The application is running over ICMP.
d) The application is running over UDP.
e) A TCP handshake completed but no application traffic reached the firewall.*
f) Payload reached the firewall, but not enough data packets to identify the application.*

59) Which two methods are best practices for adding a custom application that runs on TCP port 25 to
the firewall? (Choose two.)
a) Request an App-ID from Palo Alto Networks.*
b) Create a custom application with a signature.*
c) Create a custom application and define an Application Override policy.
d) Write JavaScript code to identify the application.
e) Write Python code to identify the application.
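Questions 58 and 59 both turn on what App-ID can do with the bytes it has seen so far. The toy classifier below is an added example, not code from the study guide or from PAN-OS; its signatures, the `custom-myapp` pattern standing in for the custom application of question 59, and the `MIN_DECISION_BYTES` threshold are constructed. It reproduces the three outcomes question 58 describes (no payload after the handshake, too little payload, enough payload but no matching signature) and shows why an Application Override is not the preferred answer: it assigns the application from the port alone and skips payload inspection entirely.

```python
"""Added example (not from the study guide): a toy App-ID style classifier
showing why a completed handshake or a short payload yields no application."""
import re
from typing import Dict

# Constructed signatures: (App-ID name, anchored pattern over the first client bytes).
# "custom-myapp" stands in for the custom application of question 59.
SIGNATURES = (
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")),
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),   # TLS handshake record header
    ("ssh", re.compile(rb"^SSH-2\.0-")),
    ("custom-myapp", re.compile(rb"^MYAPP/1 ")),
)

# Below this many payload bytes with no match we keep waiting rather than
# declare the traffic unknown (constant chosen for the example).
MIN_DECISION_BYTES = 32


def identify_application(payload: bytes) -> str:
    """Classify a flow from its first client payload bytes; the port is ignored.

    Returns "insufficient-data" for an empty payload (handshake only) or a
    short non-matching payload, the App-ID name on a signature match, and
    "unknown-tcp" when enough bytes arrived but nothing matched.
    """
    if not payload:
        return "insufficient-data"          # question 58, option e
    for app, pattern in SIGNATURES:
        if pattern.match(payload):
            return app
    if len(payload) < MIN_DECISION_BYTES:
        return "insufficient-data"          # question 58, option f
    return "unknown-tcp"                    # question 58, option b


def identify_with_override(dst_port: int, payload: bytes, overrides: Dict[int, str]) -> str:
    """Application Override (question 59, option c): the app is taken from the
    port alone, so signature matching on the payload never happens."""
    if dst_port in overrides:
        return overrides[dst_port]
    return identify_application(payload)


if __name__ == "__main__":
    samples = {
        "handshake only": b"",
        "two bytes": b"MY",
        "http": b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
        "custom app": b"MYAPP/1 HELLO session=42\n",
        "64 non-matching bytes": bytes(range(0x41, 0x41 + 64)),
    }
    for label, data in samples.items():
        print(f"{label:24} -> {identify_application(data)}")
    # HTTP sent to port 25 under an override is reported as the custom app.
    print("http on 25 w/ override  ->",
          identify_with_override(25, samples["http"], {25: "custom-myapp"}))
```

The override case is the point to take away: with a signature (option b) the HTTP request on port 25 is still recognised as `web-browsing` and gets content inspection; with an override it is labelled `custom-myapp` no matter what it carries.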

60) Which five types of file does WildFire analyze as executables? (Choose five.)
a) JAR*
b) Portable Document Format*
c) MP4
d) Portable Executable*
e) Office Open XML (.docx)*
f) Executable and Linkable Format*
g) BMP

61) Which decryption mode or modes require(s) the private key of the destination server? (Choose a
single answer.)
a) Forward Proxy
b) Inbound Inspection*
c) Both Forward Proxy and Inbound Inspection
d) SSH Proxy

62) Which parameter cannot be used in a Decryption policy rule?
a) User-ID
b) App-ID*
c) Source Zone
d) Destination Zone

63) Which factor is consistent with decryption port mirroring?
a) a deployment on AWS
b) a suspicious IT team member
c) legal requirements to keep PII private
d) a vsys deployment*

64) What is the role of a security chain in Decryption Broker deployments?
a) sits outside the firewall and is accessed through dedicated firewall interfaces*
b) a defined sequence of virtual devices inside the firewall that process decrypted cleartext
c) a sequence of interfaces and non-transparent bridges that securely control the decryption of
encrypted traffic
d) a combination of certificates’ chain of trust and protection of encrypted data throughout the
process of decryption and re-encryption

65) An environment generates 3TB of firewall data and 4TB of Traps data over 30 days. Which licenses
must be purchased for Cortex XDR?
a) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
5TB
b) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 3TB
c) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
10TB
d) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 10TB*

66) Which Prisma SaaS licensing is required for a customer with 5,000 employees, 200 SFDC accounts,
and 1,000 ServiceNow accounts?
a) 5,000 users, all apps license
b) 5,000 users, one app license
c) 200 users, all apps license and a 5,000 users, one app license
d) 1,000 users, all apps license*

67) A Prisma Access customer has 50,000 unique mobile users, but uses only 2,000 at a time. Which
mobile user license do they need?
a) 2,000 users
b) 50,000 users*
c) a weighted average of usage over time
d) a pay-as-you-go license

Sample Test Answer Key
1. C
2. A, D
3. B
4. D
5. B, C
6. A
7. B
8. A, C
9. D
10. B
11. C
12. D
13. A
14. A
15. A, E, F
16. C

17. A, B, D
18. D
19. C
20. B
21. C
22. A
23. A, B

Glossary

Advanced Encryption Standard (AES): A symmetric block cipher based on the Rijndael cipher.

AES: See Advanced Encryption Standard (AES).

API: See application programming interface (API).

application programming interface (API): A set of routines, protocols, and tools for building software
applications and integrations.

bot: Individual endpoints that are infected with advanced malware that enables an attacker to take
control of the compromised endpoint. Also known as a zombie. See also botnet.

botnet: A network of bots (often tens of thousands or more) working together under the control of
attackers using numerous command and control (C2) servers. See also bot.

bring your own apps (BYOA): Closely related to BYOD, BYOA is a policy trend in which organizations
permit end users to download, install, and use their own personal apps on mobile devices, primarily
smartphones and tablets, for work-related purposes. See also bring your own device (BYOD).

bring your own device (BYOD): A policy trend in which organizations permit end users to use their own
personal devices, primarily smartphones and tablets, for work-related purposes. BYOD relieves
organizations from the cost of providing equipment to employees, but creates a management challenge
because of the vast number and type of devices that must be supported. See also bring your own apps
(BYOA).

BYOA: See bring your own apps (BYOA).

BYOD: See bring your own device (BYOD).

covered entity: Defined by HIPAA as a healthcare provider that electronically transmits PHI (such as
doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), a health plan
(such as a health insurance company, health maintenance organization, company health plan, or
government program including Medicare, Medicaid, military and veterans’ healthcare), or a healthcare
clearinghouse. See also Health Insurance Portability and Accountability Act (HIPAA) and protected health
information (PHI).

data encapsulation: A process in which protocol information from the OSI layer immediately above is
wrapped in the data section of the OSI layer immediately below. See also open systems interconnection
(OSI) reference model.
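To make the definition concrete, the following added example (not from the study guide) builds a TCP segment, wraps it in an IPv4 packet, wraps that in an Ethernet frame, and then peels the layers off again. It uses only the standard library; the addresses, ports and HTTP request are constructed. Each layer treats what it receives from the layer above as opaque data, and both the IPv4 and TCP checksums are computed on the way down and verified on the way up, so a damaged frame is rejected rather than decoded.

```python
"""Added example (not from the study guide): data encapsulation carried through
three layers (TCP in IPv4 in Ethernet) with struct, then peeled back off."""
import socket
import struct


def ones_complement_checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum; yields 0 when run over data that already
    contains its own correct checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_segment(payload: bytes, src_ip: str, dst_ip: str,
                src_port: int, dst_port: int, seq: int = 1, ack: int = 1) -> bytes:
    """Layer 4: 20-byte TCP header (PSH+ACK, no options) around the application data."""
    offset_flags = (5 << 12) | 0x18          # data offset 5 words, flags PSH|ACK
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         offset_flags, 65535, 0, 0)
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip), socket.inet_aton(dst_ip),
                         0, socket.IPPROTO_TCP, len(header) + len(payload))
    csum = ones_complement_checksum(pseudo + header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def ip_packet(segment: bytes, src_ip: str, dst_ip: str, ttl: int = 64) -> bytes:
    """Layer 3: 20-byte IPv4 header (DF set, no options) around the TCP segment."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(segment), 0x1234, 0x4000,
                         ttl, socket.IPPROTO_TCP, 0,
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + segment


def ethernet_frame(packet: bytes, src_mac: str, dst_mac: str) -> bytes:
    """Layer 2: 14-byte Ethernet II header (EtherType 0x0800 = IPv4)."""
    def mac_bytes(mac: str) -> bytes:
        return bytes.fromhex(mac.replace(":", ""))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", 0x0800) + packet


def decapsulate(frame: bytes) -> dict:
    """Walk the layers back up, verifying both checksums; raises ValueError on damage."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    packet = frame[14:]
    ihl = (packet[0] & 0x0F) * 4
    if ones_complement_checksum(packet[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != socket.IPPROTO_TCP:
        raise ValueError("not TCP")
    segment = packet[ihl:total_len]
    pseudo = struct.pack("!4s4sBBH", packet[12:16], packet[16:20],
                         0, socket.IPPROTO_TCP, len(segment))
    if ones_complement_checksum(pseudo + segment) != 0:
        raise ValueError("TCP checksum mismatch")
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    data_offset = (segment[12] >> 4) * 4
    return {
        "src_mac": ":".join(f"{b:02x}" for b in frame[6:12]),
        "dst_mac": ":".join(f"{b:02x}" for b in frame[0:6]),
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "src_port": src_port,
        "dst_port": dst_port,
        "payload": segment[data_offset:],
    }


def is_intact(frame: bytes) -> bool:
    """True if the frame decodes with both checksums verifying."""
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


# Constructed sample: an HTTP request from 192.0.2.10 to 198.51.100.20 (documentation ranges).
SAMPLE_PAYLOAD = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_FRAME = ethernet_frame(
    ip_packet(tcp_segment(SAMPLE_PAYLOAD, "192.0.2.10", "198.51.100.20", 40000, 80),
              "192.0.2.10", "198.51.100.20"),
    src_mac="02:00:00:00:00:0a", dst_mac="02:00:00:00:00:14")

if __name__ == "__main__":
    print(decapsulate(SAMPLE_FRAME))
```

The frame that comes out is 14 + 20 + 20 + 38 bytes, and reading it from the outside in is exactly the layered walk the OSI entry below describes.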

DDoS: See distributed denial-of-service (DDoS).

distributed denial-of-service (DDoS): A type of cyberattack in which extremely high volumes of network
traffic such as packets, data, or transactions are sent to the target victim’s network to make their
network and systems (such as an e-commerce website or other web application) unavailable or
unusable.

EHR: See electronic health record (EHR).

electronic health record (EHR): As defined by HealthIT.gov, an EHR “goes beyond the data collected in
the provider’s office and include[s] a more comprehensive patient history. EHR data can be created,
managed, and consulted by authorized providers and staff from across more than one healthcare
organization.”

electronic medical record (EMR): As defined by HealthIT.gov, an EMR “contains the standard medical
and clinical data gathered in one provider’s office.”

EMR: See electronic medical record (EMR).

endpoint: A computing device such as a desktop or laptop computer, handheld scanner, Point of Sale
(POS) terminal, printer, satellite radio, security or videoconferencing camera, self-service kiosk, server,
smart meter, smart TV, smartphone, tablet, or Voice over Internet Protocol (VoIP) phone. Although
endpoints can include servers and network equipment, the term generally is used to describe end user
devices.

Extensible Markup Language (XML): A programming language specification that defines a set of rules
for encoding documents in human- and machine-readable formats.

false negative: In anti-malware, malware that is incorrectly identified as a legitimate file or application.
In intrusion detection, a threat that is incorrectly identified as legitimate traffic. See also false positive.

false positive: In anti-malware, a legitimate file or application that is incorrectly identified as malware.
In intrusion detection, legitimate traffic that is incorrectly identified as a threat. See also false negative.

favicon (“favorite icon”): A small file containing one or more small icons associated with a particular
website or webpage.

generic routing encapsulation (GRE): A tunneling protocol developed by Cisco Systems that can
encapsulate various network layer protocols inside virtual point-to-point links.

GLBA: See Gramm-Leach-Bliley Act (GLBA).

Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires financial institutions to implement privacy and
information security policies to safeguard the non-public personal information of clients and consumers.
Also known as the Financial Services Modernization Act of 1999.

GRE: See generic routing encapsulation (GRE).

hacker: Originally used to refer to anyone with highly specialized computing skills, without connoting
good or bad purposes. However, common misuse of the term has redefined a hacker as someone who
circumvents computer security with malicious intent, such as a cybercriminal, cyberterrorist, or
hacktivist.

hash signature: A cryptographic representation of an entire file or program’s source code.

Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that defines data privacy and
security requirements to protect individuals’ medical records and other personal health information. See
also covered entity and protected health information (PHI).

HIPAA: See Health Insurance Portability and Accountability Act (HIPAA).

indicator of compromise (IoC): A network or operating system (OS) artifact that provides a high level of
confidence that a computer security incident has occurred.

IoC: See indicator of compromise (IoC).

least privilege: A network security principle in which only the permission or access rights necessary to
perform an authorized task are granted.

malware: Malicious software or code that typically damages, takes control of, or collects information
from an infected endpoint. Malware broadly includes viruses, worms, Trojan horses (including Remote
Access Trojans, or RATs), anti-AV, logic bombs, backdoors, rootkits, bootkits, spyware, and (to a lesser
extent) adware.

Network and Information Security (NIS) Directive: A European Union (EU) directive that imposes
network and information security requirements – to be enacted by national laws across the EU within
two years of adoption in 2016 – for banks, energy companies, healthcare providers, and digital service
providers, among others.

NIS: See Network and Information Security (NIS) Directive.

one-way (hash) function: A mathematical function that creates a unique representation (a hash value)
of a larger set of data in a manner that is easy to compute in one direction (input to output), but not in
the reverse direction (output to input). The hash function can’t recover the original text from the hash
value. However, an attacker could attempt to guess what the original text was and see if it produces a
matching hash value.

open systems interconnection (OSI) reference model: Defines standard protocols for communication
and interoperability using a layered approach in which data is passed from the highest layer
(application) downward through each layer to the lowest layer (physical), then transmitted across the
network to its destination, then passed upward from the lowest layer to the highest layer. See also data
encapsulation.

OSI model: See open systems interconnection (OSI) reference model.

packet capture (pcap): A traffic intercept of data packets that can be used for analysis.

Payment Card Industry Data Security Standards (PCI DSS): A proprietary information security standard
mandated and administered by the PCI Security Standards Council (SSC), and applicable to any
organization that transmits, processes, or stores payment card (such as debit and credit cards)
information. See also PCI Security Standards Council (SSC).

pcap: See packet capture (pcap).

PCI: See Payment Card Industry Data Security Standards (PCI DSS).

PCI DSS: See Payment Card Industry Data Security Standards (PCI DSS).

PCI Security Standards Council (SSC): Comprised of Visa, MasterCard, American Express, Discover, and
JCB, the SSC maintains, evolves, and promotes PCI DSS. See also Payment Card Industry Data Security
Standards (PCI DSS).

Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian privacy law that
defines individual rights with respect to the privacy of their personal information, and governs how
private sector organizations collect, use, and disclose personal information in the course of business.

Personally Identifiable Information (PII): Defined by the U.S. National Institute of Standards and
Technology (NIST) as “any information about an individual maintained by an agency, including (1) any
information that can be used to distinguish or trace an individual’s identity… and (2) any other
information that is linked or linkable to an individual….”

PHI: See protected health information (PHI).

PII: See Personally Identifiable Information (PII).

PIPEDA: See Personal Information Protection and Electronic Documents Act (PIPEDA).

PKI: See public key infrastructure (PKI).

protected health information (PHI): Defined by HIPAA as information about an individual’s health
status, provision of healthcare, or payment for healthcare that includes identifiers such as names,
geographic identifiers (smaller than a state), dates, phone and fax numbers, email addresses, Social
Security numbers, medical record numbers, or photographs. See also Health Insurance Portability and
Accountability Act (HIPAA).

public key infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage,
distribute, use, store, and revoke digital certificates and manage public key encryption.

QoS: See quality of service (QoS).

quality of service (QoS): The overall performance of specific applications or services on a network
including error rate, bit rate, throughput, transmission delay, availability, jitter, etc. QoS policies can be
configured on certain network and security devices to prioritize certain traffic, such as voice or video,
over other, less performance-intensive traffic, such as file transfers.

RADIUS: See Remote Authentication Dial-In User Service (RADIUS).

Remote Authentication Dial-In User Service (RADIUS): A client/server protocol and software that
enables remote access servers to communicate with a central server to authenticate users and authorize
access to a system or service.

representational state transfer (REST): An architectural programming style that typically runs over
HTTP, and is commonly used for mobile apps, social networking websites, and mashup tools.

REST: See representational state transfer (REST).

SaaS: See software as a service (SaaS).

Sarbanes-Oxley (SOX) Act: A U.S. law that increases financial governance and accountability in publicly
traded companies.

script kiddie: Someone with limited hacking and/or programming skills who uses malicious programs
(malware) written by others to attack a computer or network.

Secure Sockets Layer (SSL): A cryptographic protocol for managing authentication and encrypted
communication between a client and server to protect the confidentiality and integrity of data
exchanged in the session.

software as a service (SaaS): A cloud computing service model, defined by the U.S. National Institute of
Standards and Technology (NIST), in which “the capability provided to the consumer is to use the
provider’s applications running on a cloud infrastructure. The applications are accessible from various
client devices through either a thin client interface, such as a web browser, or a program interface. The
consumer does not manage or control the underlying cloud infrastructure including network, servers,
operating systems, storage, or even individual application capabilities, with the possible exception of
limited user-specific application configuration settings.”

SOX: See Sarbanes-Oxley (SOX) Act.

spear phishing: A highly targeted phishing attack that uses specific information about the target to make
the phishing attempt appear legitimate.

SSL: See Secure Sockets Layer (SSL).

STIX: See structured threat information expression (STIX).

structured threat information expression (STIX): An XML format for conveying data about cybersecurity
threats in a standardized format. See also Extensible Markup Language (XML).

TLS: See Transport Layer Security (TLS).

Transport Layer Security (TLS): The successor to SSL (although it still is commonly referred to as SSL).
See also Secure Sockets Layer (SSL).

uniform resource locator (URL): A unique reference (or address) to an internet resource, such as a
webpage.

URL: See uniform resource locator (URL).

vulnerability: A bug or flaw that exists in a system or software, and creates a security risk.

zero-day threat: The window of vulnerability that exists from the time a new (unknown) threat is
released until security vendors release a signature file or security patch for the threat.

zombie: See bot.

Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Centers delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security certifications
give you the Palo Alto Networks Security Operating Platform knowledge necessary to prevent successful
cyberattacks and to safely enable applications.

Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital learning classes are a helpful way to reinforce
the key information for those who have been to the formal hands-on classes. They also serve as a useful
overview and introduction to working with our technology for those unable to travel to a hands-on,
instructor-led class.

Simply register in our Learning Center and you will be given access to our digital learning portfolio.
These online classes cover foundational material and contain narrated slides, knowledge checks, and,
where applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Centers (ATCs) are located globally and offer a breadth of
solutions from onsite training to public, open environment classes. There are about 38 authorized
training centers at more than 80 locations worldwide. For class schedule, location, and training
offerings, see https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community
You also can learn from peers and other experts in the field. Check out our communities’ site
https://live.paloaltonetworks.com, where you can:

• Discover reference material
• Learn best practices
• Learn what is trending
