PALO PSE Platform Study Guide PDF
PALO ALTO NETWORKS PSE PLATFORM PROFESSIONAL 9.0 STUDY GUIDE
July 2019
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2018-2019 Palo Alto Networks – all rights reserved.
Aperture, AutoFocus, Demisto, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, RedLock, Traps, and WildFire are trademarks of Palo Alto Networks,
Inc. All other trademarks are the property of their respective owners.
©2018-2019, Palo Alto Networks, Inc. PALO ALTO NETWORKS PSE PLATFORM PROFESSIONAL 9.0 STUDY GUIDE 2
Table of Contents
Welcome
Overview
Prerequisites
Exam Format
  Exam Domain
  Weight (%)
    Positioning: Platform
    Positioning: Next-Generation Firewall
    Positioning: Tools – SLR, UTD, BPA, Heatmaps, Expedition, and SaaS Risk Assessment Report
    Solution Design: Platform
    Solution Design: Panorama
    Solution Design and NGFW Configuration: Custom
    Solution Design: NGFW Configuration – Security
    Solution Design: NGFW Configuration – Visibility
    Solution Design: NGFW Configuration – Decryption
    Solution Design: Sizing
  Total
How to Take This Exam
Positioning: Platform
  Identify the Architecture Components That Benefit from WildFire
    References
    Sample Question
  Identify Components and Techniques Used by WildFire
    References
    Sample Question
  Identify the Impact of Threat Intelligence Data from Palo Alto Networks
    References
    Sample Questions
  Identify Sources of Data for Threat Intelligence
    References
    Sample Question
  Identify How the Security Operating Platform Helps Secure SaaS, IaaS, and PaaS
    References
    Sample Questions
  Identify the Core Values of the Palo Alto Networks Security Operating Platform
    References
    Sample Question
Positioning: Next-Generation Firewall
  Identify the Protections That the Next-Generation Firewall Uses to Prevent Command-and-Control Traffic
    References
    Sample Question
  Identify the Reporting Capabilities of the Palo Alto Networks Next-Generation Firewall
    References
    Sample Questions
  Identify the Process of Automated Report Distribution
    References
    Sample Question
  Identify the Capabilities That Detect Indicators of Compromise
    References
    Sample Question
  Identify How to Position the Value of a Next-Generation Firewall over Legacy Firewall and over Native Cloud Security Offerings
    References
    Sample Question
Positioning: Tools – SLR, UTD, BPA, PPA, Heatmaps, Expedition, and SaaS Risk Assessment Report
  Identify the Presale Benefits of Expedition
    References
    Sample Question
  Compare and Contrast the Contents Shown by the SLR or BPA for Customers with and Without Decryption
    References
    Sample Question
  Recognize How to Configure Next-Generation Firewalls for Evaluation Purposes
    References
    Sample Question
  Apply the Characteristics and Best Practices of UTD Seminars to Customer Opportunities
    Reference
    Sample Question
  Identify the Appropriate Use and Benefits of Running a SaaS Risk Assessment
    Reference
    Sample Question
  Given a Scenario, Plan Use of Multiple Tools to Validate the Value of the Security Operating Platform and Associated Services
    References
    Sample Question
  Given a Scenario, Identify Which Customer Success Tool(s) to Present to a Customer
    References
    Sample Question
Solution Design: Platform
  Given a Customer Environment, Identify the NGFW Model That Should Be Used to Secure the Network
    Reference
    Sample Question
  Given a Customer Environment, Identify How Prisma SaaS Should Be Used to Secure the Enterprise
    References
    Sample Question
  Given a Customer Environment, Identify How AutoFocus Should Be Used to Secure the Enterprise
    References
    Sample Question
  Given a Customer Environment, Identify How Traps Should Be Used to Secure the Endpoint
    References
    Sample Question
  Given a Customer Environment, Identify How WildFire Should Be Used to Secure the Enterprise
    References
    Sample Question
  Given a Customer Environment, Identify How Cortex XDR (Magnifier) Would Be Recommended to Secure the Enterprise
    References
    Sample Question
  Assemble the Bill of Materials Given a Palo Alto Networks Firewall Solution Scenario Including Products, Subscription Licenses, and Support
    References
    Sample Question
  Given a Customer Environment, Identify How NGFW, WildFire, Traps, Prisma SaaS, and Cortex XDR Should Be Used to Secure the Enterprise
    References
    Sample Question
  Given a Scenario, Identify the Components Needed for Visibility and Enforcement with the Public Cloud
    References
    Sample Question
  Given a Scenario, Identify the Components Needed for Visibility and Enforcement with SaaS
    References
    Sample Question
  Given a Scenario, Identify Cortex Data Lake (Logging Service) Usage with Traps, Prisma Access, and Next-Generation Firewalls
    References
    Sample Question
  Given a Scenario, Identify Which Components of the Platform Require Cortex Data Lake (Logging Service)
    References
    Sample Question
  Given a Scenario, Identify Which Components of the Platform Require Panorama
    References
    Sample Question
  Identify Which Platform Components Are Used Consistently Across a Given Set of Computing Environment Locations
    References
    Sample Question
Solution Design: Panorama
  Identify How to Use Device Groups and Templates to Manage a Deployment
    References
    Sample Questions
  Identify the Benefits of Panorama for Deploying Palo Alto Networks Products
    References
    Sample Question
  Given a Customer Scenario, Identify How to Design a Log-Redundant Panorama Deployment
    References
    Sample Question
  Identify Scenarios for Panorama: Physical, Virtual, and Cloud
    References
    Sample Questions
  Understand How Cortex Data Lake Is Designed and How to Use It with Panorama
    Reference
    Sample Question
  Identify Variables to Scale Panorama
    References
    Sample Question
  Given a Customer Environment, Identify How to Size Panorama for HA
    References
    Sample Question
Solution Designs and NGFW Configuration: Custom
  Given a Design Requirement, Identify the Best Practice Approach to High Availability
    References
    Sample Question
  Identify the Functions of a Given High Availability Port
    References
    Sample Question
  Identify License Requirements for Receiving Near Real-Time Dynamic Updates
    References
    Sample Question
  Demonstrate Knowledge of Prisma Access
    References
    Sample Question
  Demonstrate Knowledge of Custom WildFire Data Expansion and Use
    References
    Sample Question
Solution Design: NGFW Configuration - Security
  Demonstrate Knowledge of Advanced Features and Configuration Capabilities
    References
    Sample Question
  Identify How to Protect Against Known Attacks
    References
    Sample Question
  Identify the Next-Generation Firewall Components That Protect Against Unknown Attacks
    References
    Sample Question
  Identify Where and How Credential Theft Occurs
    References
    Sample Question
Solution Design: NGFW Configuration - Visibility
  Identify Where to Configure User-ID in the Web Interface and How to Obtain Its Parameters
    References
    Sample Questions
  Identify the Best Practices for Deployment of User-ID
    References
    Sample Questions
  Identify the Processes and Thought Around Configuring App-ID
    References
    Learn by Doing
    Sample Question
  Identify App-ID Deployment Best Practices and Techniques
    References
    Sample Question
  Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum Effectiveness
    References
    Sample Question
Solution Design: NGFW Configuration - Decryption
  Identify the Differences in Decryption Configuration Between Forward Proxy, Inbound Proxy, and SSH Proxy
    References
    Sample Question
  Identify How to Overcome Privacy and Legal Objections to Decryption
    References
    Sample Question
  Identify Which External Devices Work with Decryption Capabilities
    Reference
    Sample Question
  Identify Functionality Requirements, Use Cases, and Deployment Scenarios for Decryption Broker
    References
    Sample Question
Solution Design: Sizing
  Given a Customer Environment, Identify How to Size Cortex XDR (Magnifier)
    Reference
    Sample Question
  Given a Customer Environment, Identify How to Size Prisma SaaS
    Reference
    Sample Question
  Given a Customer Environment, Identify How to Size Prisma Access
    References
    Sample Question
Sample Test
Answers to Sample Questions
©2018-2019, Palo Alto Networks, Inc. PALO ALTO NETWORKS PSE PLATFORM PROFESSIONAL 9.0 STUDY GUIDE 9
Sample Test Answer Key ........................................................................................................................... 112
Glossary ..................................................................................................................................................... 114
Continuing Your Learning Journey with Palo Alto Networks .................................................................... 120
Digital Learning ..................................................................................................................................... 120
Instructor-Led Training ......................................................................................................................... 120
Learning Through the Community ........................................................................................................ 120
©2018-2019, Palo Alto Networks, Inc. PALO ALTO NETWORKS PSE PLATFORM PROFESSIONAL 9.0 STUDY GUIDE 10
Welcome
Welcome to the Palo Alto Networks PSE Platform Professional 9.0 Study Guide. The purpose of this guide
is to help you prepare for your PSE Platform Pro 9.0 exam and achieve your PSE credential. This study
guide is a summary of the key topic areas that you are expected to know to be successful at the exam. It
is organized based on the exam blueprint and key exam objectives, and the headings used in the guide
correspond to the testing objectives in the exam blueprint.
Overview
This document is the Study Guide for the Palo Alto Networks Systems Engineer: Platform Professional
Certification Exam, abbreviated as PSE: Platform – P. This exam has been refreshed to reflect product
updates and has increased in scope to encompass the former PSE: Cyber Security subdiscipline, which
has been deprecated.
This new exam is now better focused on the Palo Alto Networks Security Operating Platform as a whole,
and has been carefully tuned to better evaluate an SE’s pre-sales capability.
Prerequisites
You should complete the following prerequisites before attempting the exam:
• You have passed the Palo Alto Networks Systems Engineer: Platform – Associate Accreditation
Exam, abbreviated as PSE: Platform – A.
• You have completed a year of full-time experience as a Palo Alto Networks SE, either as a Palo
Alto Networks employee SE or as a Partner employee SE.
Exam Format
The test format is 60 multiple-choice items. Candidates will have 5 minutes to complete the
Non-Disclosure Agreement (NDA), 80 minutes to complete the questions, and 5 minutes to complete a
survey. The Beta exam is available in English only.
Exam Domain Weight (%)
Positioning: Platform 17
Positioning: Tools – SLR, UTD, BPA, Heatmaps, Expedition, and SaaS Risk Assessment Report 7
Total 100
To access the PSE Professional exams, candidates need to add the Private Access Code:
Positioning: Platform
The Palo Alto Networks Security Operating Platform prevents successful cyberattacks by harnessing
analytics to automate routine tasks and enforcement. Tight integration across the platform, and with
partners, simplifies security to secure users, applications, and data.
The following image of the Security Operating Platform shows how Cortex, the Next-Generation
Firewall, Prisma Access, Traps, VM-Series, Prisma SaaS, the Cortex Data Lake, and cloud-delivered
security services fit into the platform:
The platform includes visibility and enforcement security products, Palo Alto Networks security services
and Cortex. Cortex supports Palo Alto Networks apps, third-party partner apps, and customer apps and
allows their innovative functionality to be easily consumed by customers. Cortex also supports
enforcement of security decisions facilitated by these apps.
The following figure shows how the platform leverages visibility by collecting data and providing it to
Cortex:
For an introductory overview to the Palo Alto Networks Security Operating Platform, see What is a
Security Operating Platform?:
https://www.paloaltonetworks.com/cyberpedia/what-is-security-operating-platform
References
WildFire at a Glance:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/at-a-glance-wildfire.pdf
WildFire® Filetype Support:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-file-type-support.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
1) Which file types are not supported as an upload sample for file upload by WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a) iOS applications
b) Android applications
c) Windows applications
d) Microsoft Excel files
or attempts by the sample to access malicious domains. Sometimes, files are obfuscated using custom
or open source methods. In this case, the WildFire cloud decompresses and decrypts the file in-memory
within the dynamic analysis environment before analyzing it using static analysis.
The components and techniques used by WildFire vary from submission to submission, and thus depend
on the submission itself. But the following figure depicts an example of how WildFire might process a
submission:
• Static analysis: Detects known threats by analyzing the characteristics of samples prior to
execution
• Machine learning: Identifies variants of known threats by comparing malware feature sets
against a dynamically updated classification system
• Dynamic unpacking (WildFire cloud analysis only): Identifies and unpacks files that have been
encrypted using custom or open source methods and prepares them for static analysis
• Bare metal analysis (WildFire cloud analysis only): A fully hardware-based analysis environment
specifically designed for advanced VM-aware threats. Samples that display the characteristics of
an advanced VM-aware threat are steered toward the bare metal appliance by the heuristic
engine.
References
WildFire Concepts from WildFire 9.0 Administrator’s Guide:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts.html
WildFire 9.0 What’s New Guide:
https://docs.paloaltonetworks.com/wildfire/u-v/wildfire-whats-new.html
WildFire landing page:
https://docs.paloaltonetworks.com/wildfire
Sample Question
For answers, see the “Answers to Sample Questions” section.
2) WildFire functionality is like that of a sandbox. Is the statement an accurate description?
a) Yes, WildFire functionality is exactly that of a virtual sandbox in the cloud, provided to test
applications that customers run in the cloud.
b) No, WildFire does not supply sandbox functionality, although it competes with products that do.
c) No, WildFire provides dynamic analysis, machine learning, and other techniques along with
sandbox functionality.
d) Yes, WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.
Identify the Impact of Threat Intelligence Data from Palo Alto Networks
The firewall forwards unknown samples for WildFire analysis based on the configured WildFire Analysis
Profile settings. It detects links included in emails, files that are attached to emails, and browser‐based
file downloads, and also leverages the Palo Alto Networks App‐ID feature to detect file transfers within
applications. The firewall checks the sample hash against WildFire hashes to determine whether
WildFire has previously analyzed the sample. If the sample has never been seen by WildFire, the firewall
forwards the sample for WildFire analysis. Samples that WildFire previously identified as malware are
blocked.
For private clouds, Palo Alto Networks offers the WF-500 WildFire Appliance:
References
WildFire 9.0 Administrator’s Guide:
• WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts.html
• WildFire Subscription:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-subscription
• Firewall File Forwarding Capacity by Model:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/submit-files-for-wildfire-analysis/firewall-file-forwarding-capacity-by-model
PAN-OS 9.0 Administrator’s Guide:
• Install Content and Software Updates:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/software-and-content-updates/install-content-and-software-updates.html
Sample Questions
For answers, see the “Answers to Sample Questions” section.
4) Which fully populated firewall has the highest file forwarding capacity through its data ports?
a) VM-100
b) PA-200
c) PA-5280
d) PA-7080
The following figure shows an example combining sources of data that feed WildFire.
References
Documentation about WildFire integration with third-party products follows:
Airwatch:
https://docs.vmware.com/en/VMware-AirWatch/9.3/vmware-airwatch-guides-93/GUID-AW93-WildFire_Int_Systems.html
Proofpoint:
https://www.proofpoint.com/us/technology-partners/palo-alto-networks
Tanium:
https://docs.tanium.com/connect/connect/paloalto.html
Tripwire:
http://www.tripwire.com/solutions/integrations/palo-alto/
Trusteer:
http://www.trusteer.com/sites/default/files/PANIntegration.pdf
Sample Question
For answers, see the “Answers to Sample Questions” section.
Identify How the Security Operating Platform Helps Secure SaaS, IaaS, and PaaS
Combinations of best-of-breed point solutions present some problems in data centers, and these
problems become intractable once organizations incorporate public cloud offerings into their IT service.
Such approaches lack the foundational visibility across network, endpoint, and cloud, and never achieve
consistent Security policy or prevention.
Disparate technologies produce independent logs and alerts. Security teams typically must drive manual
responses to them and may need to coordinate action across dozens of security products. They
experience data overload and cannot respond sufficiently quickly to the resulting overwhelming influx of
information. This problem is exacerbated by the increasing automation and volume of attacks. Attempts
to deal with this information influx by adding even more new but disparate technologies increase
this security sprawl, so these attempts usually make the problem worse.
The Palo Alto Networks Security Operating Platform provides consistent visibility, enforcement, and
Security policy across the network, endpoint, and cloud. As a single platform, it allows organizations to
simply consume new cybersecurity products while maintaining unified logging, alerts, and automation.
The following figure shows how the Security Operating Platform components (VM-Series firewalls,
Traps, Prisma SaaS and Prisma Public Cloud) fit in a hybrid cloud environment:
One specific feature that helps the platform secure SaaS applications is on the firewall. The firewall
supports identification of SaaS application hosting characteristics.
PAN-OS® 9.0 introduced enhanced App-ID ACC filters, and some of these filters specifically help
customers analyze risks related to SaaS applications. Five new unfavorable hosting characteristics are
available for filtering in the ACC: data breaches, poor terms of service, no certifications, poor financial
viability, and IP-based access restrictions. These enhanced ACC filters enable viewing detailed risk
profiles and usage statistics relevant to SaaS application risks, and help provide visibility and control of
SaaS application use.
References
Firewall App-ID ACC filters for SaaS:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/app-id-features/saas-application-hosting-characteristics
Cloud Security with the Palo Alto Networks Security Operating Platform:
https://www.paloaltonetworks.com/solutions/initiatives/public-cloud
Securing business in a multi-cloud environment:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/how-to-secure-your-business-in-a-multi-cloud-world
Sample Questions
For answers, see the “Answers to Sample Questions” section.
6) Which option is an example of how the next-generation firewall can provide visibility and
enforcement around SaaS applications?
a) Through partnership with SaaS application vendors, special virtual firewalls that support a
subset of full firewall functionality are used inside the SaaS applications themselves.
b) A built-in default security rule in the firewall blocks dangerous SaaS applications based on an
automatically updated database of dangerous SaaS applications.
c) Built-in default functionality in the firewall sends all files sent or received by SaaS applications to
WildFire.
d) The firewall can filter SaaS applications based on whether they comply with industry
certifications such as SOC1, HIPAA, and FINRAA.
7) When a cloud deployment is secured, which role does the next-generation firewall play?
a) A member of the VM-Series is attached to each VM in the cloud environment, to stop malware,
exploits, and ransomware before they can compromise the virtual systems they are attached to.
b) The NGFW exports its Security policy through Panorama, which in turn distributes that policy to
the cloud-based Prisma SaaS service that enforces the NGFW Security policy against each VM
used in the cloud environment.
c) The NGFW exports its Security policy to WildFire, which lives in the cloud and enforces the
NGFW Security policy throughout the cloud environment.
d) The NGFW is used to consistently control access to applications and data based on user
credentials and traffic payload content for private or public cloud, internet, data center, or SaaS
applications.
Identify the Core Values of the Palo Alto Networks Security Operating Platform
The Palo Alto Networks Security Operating Platform has four major features that enable the prevention
of successful cyberattacks:
4. Threat intelligence sharing that provides protection by taking advantage of the network effect
(information about threats identified at a customer site is propagated to all other customers)
References
PAN-OS 9.0 Administrator’s Guide:
• Segment Your Network Using Interfaces and Zones:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/segment-your-network-using-interfaces-and-zones.html
Palo Alto Networks Compatibility Matrix:
• What Features Does Prisma Access Support?
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/globalprotect/what-features-does-globalprotect-support
Traps Management Service Administrator’s Guide:
• About Traps:
https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-admin/traps-management-service-overview/traps-management-service
Sample Question
For answers, see the “Answers to Sample Questions” section.
8) Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating Platform?
a) attacks through SaaS applications, such as exfiltration through Box
b) attacks that do not cross the firewall, regardless of source or destination
c) attacks based on social engineering that mimic normal user behavior
d) denial-of-service attacks from a trusted source
e) intrazone attacks, regardless of source or destination
We use content-based protections to stop attacks at the C2 stage, thus preventing attackers from
controlling infected endpoints, spreading laterally within your organization, and accomplishing their
objectives. The following picture shows how URL filtering works with pattern matching to recognize and
stop C2 communications.
References
Command and Control:
https://www.paloaltonetworks.com/features/command-control
New command and control URL category:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClZkCAK
PAN-OS 9.0 Administrator’s Guide:
• Set Up Antivirus, Anti-Spyware, and Vulnerability Protection:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection.html
• DNS Sinkholing:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-sinkholing
• URL filtering overview:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/url-filtering/url-filtering-overview
Sample Question
For answers, see the “Answers to Sample Questions” section.
References
PAN-OS 9.0 Administrator’s Guide:
• Custom Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/custom-reports
• VM-50 Lite report-related limitations:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/virtualization-features/vm-50-lite
Sample Questions
For answers, see the “Answers to Sample Questions” section.
10) The customer wants a monthly report of the number of connections (of a particular application)
per day. Where do you specify that the report is by days?
a) Query Builder
b) “Group By” field
c) “Order By” field
d) “Time Frame” field
11) The customer wants a monthly connections report for a particular application to be generated
based on hourly activity. Where is this setting specified?
a) Query Builder
b) “Group By” field
c) “Sort By” field
d) “Time Frame” field
References
PAN-OS 9.0 Administrator’s Guide:
• View Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/view-reports
• Manage Report Groups:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/view-reports/monitoring/view-and-manage-reports/manage-report-groups
• Schedule Reports for Email Delivery:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/view-reports/monitoring/view-and-manage-reports/schedule-reports-for-email-delivery
Sample Question
For answers, see the “Answers to Sample Questions” section.
12) You can receive regularly scheduled reports in which two ways? (Choose two.)
a) Retrieve the reports from the Palo Alto Networks web-based user interface.
b) Upload the report to a document repository using FTP.
c) Configure automatic email delivery for regularly scheduled reports.
d) Configure automatic printing to the office printer.
e) Upload the report to the domain’s document repository using a shared drive.
References
PAN-OS 9.0 Administrator’s Guide:
• Generate Botnet Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/generate-botnet-reports
Sample Question
For answers, see the “Answers to Sample Questions” section.
13) An author of malware buys five new domain names each week and uses those domains for C2.
How does that practice affect a botnet report for the network the malware is attacking?
a) It helps disguise the malware.
b) It fails to disguise the malware because access to new domains (registered in the last week)
is counted as suspicious.
c) It fails to disguise the malware because access to new domains (registered in the last 30 days)
is counted as suspicious.
d) It fails to disguise the malware because access to new domains (registered in the last 60 days)
is counted as suspicious.
These applications increasingly are using encrypted SSL tunnels on port 443. They use clever evasive
tactics to disguise themselves or use port hopping to find any entry point through your firewall. Legacy
firewalls and UTMs cannot safely enable these applications. At best, they can attempt to prevent the
application from entering the network, which stifles your business and restricts you from benefitting
from innovation.
Palo Alto Networks next-generation firewalls enable control of applications and content (by user, not
just IP address) at up to 20Gbps with no performance degradation. The App-ID technology enables
applications – regardless of port, protocol, evasive tactic, or SSL encryption. It scans content to stop
targeted threats and prevent data leakage. You can safely enable the use of applications, and maintain
complete visibility and control.
The picture places some of the platform visibility and control technology based on applications, content,
and users in context.
References
WildFire 9.0 Administrator’s Guide:
• WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts
PAN-OS 9.0 Administrator’s Guide:
• Segment Your Network Using Interfaces and Zones:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/segment-your-network-using-interfaces-and-zones
Palo Alto Networks Compatibility Matrix:
• What Features Does Prisma Access Support?
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/globalprotect/what-features-does-globalprotect-support
Traps Management Service Administrator’s Guide:
• About Traps:
https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-admin/traps-management-service-overview/traps-management-service
Sample Question
For answers, see the “Answers to Sample Questions” section.
14) Which Palo Alto Networks product directly protects corporate laptops when people use them
from home?
a) next-generation firewall
b) Traps
c) Panorama
d) WildFire
Positioning: Tools – SLR, UTD, BPA, PPA, Heatmaps, Expedition, and SaaS Risk Assessment Report
Identify the Presale Benefits of Expedition
Expedition is the fourth evolution of the Palo Alto Networks migration tool. The main purpose of this
tool is to help reduce the time and effort involved in migrating a configuration from one of the
supported security vendors to Palo Alto Networks. The tool analyzes an existing environment to convert
existing Security policies to those used by Palo Alto Networks next-generation firewalls, and it assists
with the transition from proof of concepts of migration to security in the new production environment.
Expedition can be used to convert an existing configuration from Checkpoint, from Cisco, or from other
vendors to PAN-OS® software. The use of Expedition is much quicker than manual conversion, and the
saved time can be used to improve the security of the new environment.
Functionality was added in the third evolution of the tool to allow Security policies based on App-ID and
User-ID. With Expedition, there also is a machine learning module to help generate new Security
policies. The new policies originating from this module are based on actual log traffic. The Best Practice
Assessment (BPA) Tool is used to check that the configuration complies with the Best Practices
recommended by our security experts.
Primary functions of Expedition are as follows:
• Third-party migration
• Adoption of App-ID
• Optimization
• Consolidation
• Centralized management with Panorama
• Auto-zoning
• Customized response pages
Palo Alto Networks provides a combination of tools, expertise, and best practices to help you analyze an
existing environment, migrate policies and firewall settings to the next-generation firewall, and assist in
all phases of the transition. This transition is depicted in the following figure:
References
Migration Tool datasheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/migration-tool
Sample Question
For answers, see the “Answers to Sample Questions” section.
Compare and Contrast the Contents Shown by the SLR or BPA for Customers with and Without Decryption
The Security Lifecycle Review (SLR) examines your network traffic and then generates a comprehensive
report unique to your organization. You’ll discover the applications and threats exposing vulnerabilities
in your security posture.
References
Getting Started with Security Lifecycle Review:
https://docs.paloaltonetworks.com/cloud-services/apps/security-lifecycle-review/security-lifecycle-review-getting-started/getting-started.html#
Executive Security Lifecycle Review Quick Start Guide for Partners:
https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/nextwave/85132/executive-slr-partners-quickstartguide.pdf
SE Success Tools topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
Sample Question
For answers, see the “Answers to Sample Questions” section.
16) The CEO is concerned that employees are using too much of the organization’s bandwidth for
YouTube, thus causing a performance problem. Which section of the SLR confirms or allays this
concern?
a) High-Risk Applications
b) Bandwidth Consumed by Applications
c) Categories Consuming the Most Bandwidth
d) Categories with the Most Applications
References
PAN-OS 9.0 Administrator’s Guide:
• Tap Interfaces:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/networking/configure-interfaces/tap-interfaces
• Stats Dump Time Frame:
https://live.paloaltonetworks.com/t5/Management-Articles/Changing-the-Time-Frame-for-a-Report-Stats-Dump/ta-p/59208
Sample Question
For answers, see the “Answers to Sample Questions” section.
17) Which interface mode do you use to generate the Stats Dump file that can be converted into an
SLR? Assume that you want to make the evaluation as non-intrusive as possible.
a) tap
b) virtual wire
c) Layer 2
d) Layer 3
Next-Generation Firewall
Threat Prevention
Virtualized Data Center
Migration Process
Advanced Endpoint Protection
VM-Series for Amazon Web Services (AWS)
Reference
Ultimate Test Drive Brochure:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/ultimate-test-drive-brochure
Sample Question
For answers, see the “Answers to Sample Questions” section.
18) Which two elements of the NGFW does the NGFW UTD show potential customers? (Choose
two.)
a) how to set up NGFW for the first time
b) how to modify the Security policy
c) how to view log entries and reports
d) how to migrate from a different firewall to NGFW
e) how to integrate with Advanced Endpoint Protection
Identify the Appropriate Use and Benefits of Running a SaaS Risk Assessment
The SaaS Risk Assessment Report is the Prisma SaaS analog to the firewall’s SLR. It is used to proactively
identify problems with how assets are stored and shared across all Prisma SaaS-secured SaaS
applications, and the report enables security professionals to act to reduce exposure. The full report can
be generated on-demand and used as a periodic check-in. It can highlight SaaS application usage for
executives and compare SaaS data and application security posture versus that of an industry. The
report:
Reference
Generate the SaaS Risk Assessment Report:
https://docs.paloaltonetworks.com/aperture/aperture-admin/generate-reports-on-aperture/generate-the-saas-risk-assessment-report.html
Architecture Guide for SaaS:
https://loop.paloaltonetworks.com/docs/DOC-35652 (available to partners on request)
Sample Question
For answers, see the “Answers to Sample Questions” section.
Given a Scenario, Plan Use of Multiple Tools to Validate the Value of the Security Operating Platform and Associated Services
Palo Alto Networks provides a variety of tools to help both selling teams and customers succeed with
their security prevention intentions. Platform Professional Certification Exam candidates should
understand the value and use of these tools and how the tools fit into a sales cycle. There are four key
tools: the Prevention Posture Assessment (PPA), the Best Practice Assessment, the Security Lifecycle
Review, and the migration tool Expedition. The BPA and SLR have a useful Heatmap as part of their
reports.
These tools are best applied in a cycle, which is depicted in the following figure:
The PPA is used to help obtain a current environment baseline for a customer or prospect, and to
determine how they want their environment to change from a security perspective. It’s a question and
answer session. About 80 questions are required to characterize the level of current and targeted
security across different architectural areas. These questions ask a customer about their current
capabilities, how much of their security platform’s feature set is turned on, and their security target as a
long-term strategy.
The PPA generates a 15- to 20-page report of a customer’s current security capabilities along with a
roadmap to help them reach their security target in 12 to 18 months.
The tool is appropriate both as an initial assessment and for stimulating a security discussion using the
customer’s information exposed by the answers to the questions.
This tool analyzes an existing customer’s environment. The BPA uses a file from their existing firewalls or
Panorama to assess and report on the customer’s security feature and capability adoption. Of the
feature sets available on the products they have, it shows which features are enabled and are being
used. A BPA report and Heatmap are generated. The following image shows a section of a BPA Heatmap
that shows App-ID, User-ID, and service and port adoption.
The Heatmap shows the current state with respect to feature use, and also trends related to feature
use. The report shows a best-practice pass or fail for every configuration option in a customer’s firewall.
The BPA tool is built from the rulebases documented in a Best Practice Guide that is about 350 pages
long.
For the configuration options that fail, the specific changes required to bring best practice compliance
are documented. The following report excerpt shows that logging should be enabled for intrazone allow
rules:
The tool can be used at the end of a deployment to document what has been done to meet a scope of
work and also what still needs to be done either by the customer or with a follow-up services
engagement. Good practice is to use the tool periodically, such as every six or twelve months after
installation, to learn about any changes and to explore additional work opportunities.
Expedition is the Palo Alto Networks tool to assist in migration from competitive firewalls. It allows partners
and customers to execute a transition easily from legacy products such as ASA and products
from Check Point or Fortinet. Sales teams can start with a customer’s existing configuration and run that
through Expedition. The tool helps the process of creating a new rule base for the next-generation
firewall. It guides conversion from port and protocol rules to application rules, and it ensures that
security profiles for anti-virus, vulnerability scanning, and command and control are included within the
configuration.
For ongoing measurement and assessment for Palo Alto Networks customers, we use the Security
Lifecycle Review. The tool uses a Stats Dump file collected from a customer’s firewall to examine all the
applications that are running in the customer’s environment, all the SaaS applications that the customer
is using, all the known viruses they have running, and all the known vulnerabilities that they have.
The SLR includes a 15- to 20-page report that provides significant visibility into the activity of a
customer’s environment. The report can be used, along with Heatmaps and BPAs, for ongoing
assessments. The following figure from an SLR report shows the bandwidth-hogging applications found
in the customer’s environment, along with the applications’ risk ratings and other associated
information:
The combined use of all these tools provides a rich set of technology to engage customers in helpful
conversations.
References
The Prevention Posture Assessment
https://researchcenter.paloaltonetworks.com/2016/11/setting-expectations-prevention-readiness-prevention-posture-assessment/
SE Success Tools topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
Palo Alto Networks Prevention Architecture:
https://www.paloaltonetworks.com/customers/prevention-architecture.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
20) Which two steps are essential parts of the PPA process? (Choose two.)
a) a structured interview with the customer about their security prevention capabilities
b) upload of a file generated by the customer’s firewall capturing the threats they are facing
c) a report to the customer about how to improve their security posture
d) a discussion about expectations of threat prevention in a proof-of-concept
The Prevention Posture Assessment is a tool that is used to provide a starting point for exploring a
customer’s current and future security posture. It consists of about 80 questions that cover all different
areas of security architecture and are required to determine the level of security that customers need.
The assessment process steps through questions that ask about current capabilities, how much of their
security solution’s feature set is turned on, and their long-term security strategy, among others. It
typically results in a 15- to 20-page report that describes the customer’s current security prevention
status, and it typically defines a roadmap for the next 12 to 18 months to help them to their desired
security posture. It’s best suited as a tool to get an initial assessment or to initiate a security discussion
with a customer using their own information by walking through the questions.
The Best Practices Assessment, with Heatmaps, is a tool used to analyze an existing customer’s
environment. It requires a file from the customer’s firewall or from Panorama. The Heatmap shows the
customer’s feature capability adoption. It ranks adoption by green, yellow, or red, depending on how
well the features are enabled or actually used. This is another perspective about the customer’s current
security prevention and also can be used to stimulate a discussion about their security goals. The Best
Practice Assessment, which uses the same file as the Heatmap, automatically compares the customer’s
current configuration with best practices for that configuration. It gives a pass/fail on each configuration
option, and describes modifications needed to bring failed options into compliance with best practices.
The BPA and Heatmaps have several uses. One is to show, at the end of a deployment, what’s been
done during the deployment and what still needs to be done to meet the deployment’s statement of
work. Another use is to learn with a regular cadence about changes related to the desired security
posture or whether more work needs to be done.
Expedition allows partners and customers to transition from a legacy product to the Palo Alto Networks
Security Operating Platform. This tool uses existing configurations of other firewalls, such as those from
Cisco, Fortinet, or Check Point, to create a rulebase for the next-generation firewall. It also will provide
suggestions for converting port and protocol rules to application rules, and for ensuring that security
profiles for antivirus, vulnerability, and C2 are included in the configuration.
The Security Lifecycle Review is used for ongoing measurement and assessment. It looks at a Stats Dump
file to determine all applications running in the customer’s network, SaaS applications whose data
passes through the firewall, and known viruses or used vulnerabilities in their current environment. A
report that typically is 15 to 20 pages long provides good visibility into the customer’s environment.
The following figure shows when the tools are most effectively used:
References
Assessment and Review Tools:
https://docs.paloaltonetworks.com/best-practices/9-0/data-center-best-practices.html
SE Success Tools topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
Sample Question
For answers, see the “Answers to Sample Questions” section.
21) Which two success tools are most appropriate for a prospective customer that is using a
competitor’s offerings but has no security prevention strategy? (Choose two.)
a) Expedition
b) Prevention Posture Assessment
c) Security Lifecycle Review
d) Best Practice Assessment with Heatmaps
e) Data Center Segmentation Strategy Analyzer
Reference
Compare Firewalls:
https://www.paloaltonetworks.com/products/product-selection
Sample Question
For answers, see the “Answers to Sample Questions” section.
22) A potential customer has many satellite offices, each of which is connected to the internet
using a 250Mbps link. The customer requirements include threat prevention for all the traffic.
Which model does Palo Alto Networks recommend be deployed in those offices to fulfill these
requirements, assuming a reduction in network capacity is unacceptable and cost is a
concern?
a) PA-100
b) PA-500
c) PA-2020
d) PA-3020
The following figure depicts how SaaS applications and Prisma SaaS fit into the Security Operating
Platform:
References
Prisma SaaS at a Glance:
https://www.paloaltonetworks.com/resources/datasheets/aperture-at-glance
Sample Question
For answers, see the “Answers to Sample Questions” section.
23) Which step is required to ensure that web storage is not used to exfiltrate sensitive data from
an enterprise that must use web storage to collaborate with business partners?
a) disconnect from the internet
b) configure a local shared drive and use that instead of web storage
c) install Advanced Endpoint Protection
d) use the firewall to forbid uploads to other web storage instances
References
AutoFocus at a Glance:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/autofocus-at-a-glance
Sample Question
For answers, see the “Answers to Sample Questions” section.
24) AutoFocus cannot perform which action?
a) distinguish between attacks that attempt to exfiltrate data (violate confidentiality) and
attacks that attempt to modify it (violate integrity)
b) display the processes started by specific malware
c) display the network connections used by specific malware
d) distinguish between commodity attacks and advanced persistent threats (APTs) directed
against the customer’s organization or industry
Traps targets software vulnerabilities in processes that open non-executable files using exploit
prevention techniques. Traps also uses malware prevention techniques to prevent malicious executable
files from running. The Traps solution uses this twofold approach to prevent all types of attacks,
whether they are known threats or unknown threats.
The following picture shows Traps injecting itself into a process to prevent an attack.
References
Traps Management Service Administrator’s Guide:
• About Traps:
https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-admin/traps-management-service-overview/traps-management-service
Sample Question
For answers, see the “Answers to Sample Questions” section.
25) Should a Traps agent be installed on desktop PCs that stay behind the corporate firewall?
a) No, because they are protected by the firewall.
b) Yes, because sometimes people take desktops from behind the corporate firewall home to
work, and corporation might properly deploy Prisma Access to extend the firewall’s protection
to mobile users.
c) Yes, because a network connection from a desktop PC behind the corporate firewall could
bypass the corporate firewall.
d) Yes, because malware and exploit files might be able to traverse the network before they are
identified by WildFire, and file propagation methods such as the use of USB drives bypass the
firewall.
References
WildFire 9.0 Administrator’s Guide:
• WildFire Deployments
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-deployments
Sample Question
For answers, see the “Answers to Sample Questions” section.
26) The firewall of a defense contractor is not connected to the internet. However, it is connected
to the classified SIPRNet. The contractor is concerned about getting malware files through
that network. Can this defense contractor use the WildFire service for protection?
a) No, because there is no network path to the WildFire cloud.
b) No, because all SIPRNet files are encrypted.
c) Yes, but only for PE-type file analysis.
d) Yes, they can use a WF-500 appliance.
Cortex XDR identifies or learns normal behavior on your network so that it can recognize abnormal
behavior. It includes a streamlined user interface for efficient investigation of this abnormal behavior.
Cortex XDR leverages the visibility provided by the Palo Alto Networks security platform to observe
activity. It accesses logs through the Palo Alto Networks Cortex Data Lake, and it maintains profiles of
users and devices. Magnifier (now Cortex XDR) was the first application in Cortex.
Cortex XDR uses other Palo Alto Networks software to help its analytics and reporting functions. For
example, Cortex XDR uses the WildFire cloud service to analyze suspicious files that Pathfinder might
identify on your endpoints. Information from Traps, Pathfinder, and Directory Sync helps behavior
analysis and provides context for alert analysis and representation in the Cortex XDR web interface.
References
Cortex XDR (Magnifier) topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
Cortex XDR Behavioral Analytics Data Sheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/magnifier
Cortex XDR Configuration and Activation:
https://www.paloaltonetworks.com/documentation/cloud-services/magnifier/magnifier-getting-started/magnifier-installation
Sample Question
For answers, see the “Answers to Sample Questions” section.
27) How does Cortex XDR help prevent lateral threat movement?
a) Cortex XDR agents test all traffic for known viruses and malware at every interface of every
device within the network.
b) Cortex XDR dynamically creates and manages VM-Series firewalls as traffic increases inside a
network.
c) Cortex XDR applies machine learning techniques to recognize deviations from normal use inside
the network.
d) Cortex XDR applies machine learning and other artificial intelligence to compare network activity
to that of thousands of other customers.
Assemble the Bill of Materials Given a Palo Alto Networks Firewall Solution
Scenario Including Products, Subscription Licenses, and Support
A sales team helps customers during the firewall sales cycle to determine what to order. The team’s
requirement considerations include the following:
Pricing is obtained from the Palo Alto Networks confidential price lists for North America and for
International.
SKUs are specified on orders for the firewall devices and may need to be specified for transceivers, rack
mount kits for the PA-220, airflow kits for the PA-5200 series, and onsite spares.
SKUs also are specified for Threat Prevention, WildFire, PAN-DB URL, and the DNS Security service
subscriptions. Data Filtering, File Blocking, DoS Protection, Zone Protection, and forwarding of PE files to
the WildFire cloud do not require separate subscriptions. Subscriptions must be purchased for both
devices in an HA pair, but their SKUs are not identical and they are discounted for the second device in
the pair. Use an -HA2 suffix on the SKUs for the second device to ensure this discount.
Best practice for a firewall bill of materials is to order pairs to support HA; to include the WildFire,
Threat, PAN-DB, and DNS Security service subscriptions; and to include a Support license.
References
Support Services Overview:
https://www.paloaltonetworks.com/content/dam/paloaltonetworks-com/en_US/assets/pdf/services/support-services-overview.pdf
Subscriptions You Can Use with the Firewall:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/subscriptions/all-subscriptions.html
Firewall Product Selection:
https://www.paloaltonetworks.com/products/product-selection
Sample Question
For answers, see the “Answers to Sample Questions” section.
28) A price-sensitive customer requires 300,000 connections per second. Which firewall model should
they purchase?
a) PA-220
b) PA-3250
c) PA-5280
d) PA-7080
Given a Customer Environment, Identify How NGFW, WildFire, Traps, Prisma
SaaS, and Cortex XDR Should Be Used to Secure the Enterprise
All the components in the platform, including the next-generation firewall, WildFire, Traps, Prisma SaaS,
and Prisma Public Cloud, work together to provide optimal security. The following Security Operating
Platform depiction shows one perspective of how these products and components fit together. Cortex
XDR is one of the Palo Alto Networks apps.
References
Firewall Overview:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/firewall-feature-overview-datasheet
Traps Management Service Administrator’s Guide:
https://www.paloaltonetworks.com/documentation/traps/tms/traps-management-service-admin/traps-management-service-overview/traps-management-service
WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts
What is a Security Operating Platform?
https://www.paloaltonetworks.com/cyberpedia/what-is-security-operating-platform
Prisma SaaS at a Glance:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/aperture-at-glance
Cortex XDR Behavioral Analytics Datasheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/magnifier
Prisma Public Cloud:
https://www.paloaltonetworks.com/products/secure-the-cloud/evident
Sample Question
For answers, see the “Answers to Sample Questions” section.
29) Which products describe the components of the Palo Alto Networks Security Operating
Platform that contribute to endpoint security?
a) Traps and the next-generation firewall
b) WildFire and Traps
c) Traps, WildFire, and the next-generation firewall
d) next-generation firewall, Prisma Access, Traps, and WildFire
Firewalls provide inline security and protect and segment traffic that’s coming into applications, traffic
between applications, and traffic that’s leaving applications. This visibility and enforcement are
extended to remote and mobile public cloud users with Prisma Access. Both infrastructure as a service
(IaaS) and platform as a service (PaaS) offerings generally expose a very rich set of APIs for cloud
platforms. These APIs provide good information about how these services are being consumed,
configured, and deployed. Security software on hosts secures applications and OSs from within
workloads or within the host itself. This software can help detect and prevent even zero-day attacks.
Inline security, API-based security, and endpoint security combine to deliver Palo Alto Networks
protection in a public cloud environment. VM-Series firewalls provide inline security. These firewalls
have full next-generation firewall capabilities and are designed and architected for the cloud. Prisma
gathers critical information via APIs for infrastructure as a service, platform as a service, and software as
a service, and provides continuous security and compliance. Traps is delivered as a lightweight agent
and provides OS and host protection.
This combination is how Palo Alto Networks provides security in the cloud. It delivers critical protections.
The following figure shows the placement and roles of the Palo Alto Networks products that provide
visibility and enforcement for Public Cloud environments.
References
Securing Your Public Cloud:
https://www.paloaltonetworks.com/solutions/initiatives/public-cloud
At a Glance Public Cloud:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/at-a-glance-public-cloud.pdf
Prisma Public Cloud Monitoring and Compliance:
https://www.paloaltonetworks.com/products/secure-the-cloud/redlock
Public Cloud topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
PSE Public Cloud Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Public Cloud Associate On-Demand
Learning
Sample Question
For answers, see the “Answers to Sample Questions” section.
30) Which component of the Palo Alto Networks public cloud security solution protects against C2
communications in an AWS environment?
a) Prisma Public Cloud
b) Traps
c) Prisma SaaS
d) VM-Series
Prisma Access service extends the firewall’s inline visibility and enforcement along with segmentation,
secure access and threat prevention to BYOD SaaS users. It enables a customer to maintain its consistent
security posture. This approach combines the user, content and application inspection features of the
security service to provide industry-leading CASB functionality.
Prisma SaaS leverages application API access to deliver visibility and granular enforcement across all
user, folder, and file activity within sanctioned SaaS applications. It also provides detailed analysis and
analytics on usage without requiring any additional hardware, software, or network changes.
The following figure shows how Prisma SaaS and Prisma Access work with unsanctioned, tolerated, and
sanctioned applications as a cloud-delivered SaaS security solution.
References
SaaS topics in the PSE Platform Associate course:
Palo Alto Networks Accredited Systems Engineer (PSE): Platform Associate On-Demand Learning
What is SaaS?
https://www.paloaltonetworks.com/cyberpedia/what-is-saas
Generate the SaaS Application Usage Report:
https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/monitoring/generate-the-saas-application-usage-report
Sample Question
For answers, see the “Answers to Sample Questions” section.
31) How does the next-generation firewall fit into the Palo Alto Networks SaaS security solution?
a) It is replaced by Prisma Access.
b) It provides inline security.
c) Its functionality is superseded by the CASB proxy and reverse proxy.
d) It provides the same security for in-house applications that Prisma SaaS provides for SaaS
applications.
Given a Scenario, Identify Cortex Data Lake (Logging Service) Usage with
Traps, Prisma Access, and Next-Generation Firewalls
Visibility for the Palo Alto Networks Security Operating Platform is critical, and the data collected by
sensors in the platform leads the industry in its subtlety and extraction of traffic context. This data is
collected and analyzed, which enables enforcement that often is automated. The data is stored in
various data storage facilities and integrated into the Cortex Data Lake. For example, Traps logs are sent
to the Cortex Data Lake. Firewall logs and logs from Prisma SaaS also are sent to the Cortex Data Lake.
The following figure depicts integration of the platform with Cortex Data Lake:
References
Configure Firewalls to Forward Logs to the Cortex Data Lake:
https://docs.paloaltonetworks.com/content/techdocs/en_US/cloud-services/services/logging-service/logging-service-getting-started/get-started-with-logging-service/configure-the-firewalls-to-forward-logs-to-the-logging-service.html
Manage Logging Storage for Traps:
https://docs.paloaltonetworks.com/content/techdocs/en_US/traps/tms/traps-management-service-admin/get-started-with-tms/manage-logging-storage-traps.html
Get Started with the Cortex Data Lake:
https://docs.paloaltonetworks.com/content/techdocs/en_US/cloud-services/services/logging-service/logging-service-getting-started/get-started-with-logging-service.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
32) How does the Cortex Data Lake fit with platform visibility and enforcement?
a) All applications and components of the platform, and third-party services and applications can
both feed and extract data and its context from the Cortex Data Lake.
b) Firewalls, Prisma Access, Traps, and WildFire feed the Cortex Data Lake, and Cortex XDR and
third-party applications apply AI and other technologies for analysis and enforcement.
c) AutoFocus and Cortex XDR feed data and context to the Cortex Data Lake, and physical and
virtual firewalls along with Prisma SaaS provide consistent Security policy enforcement for the
platform.
d) The Cortex Data Lake essentially is a rebranding of Logging mode for Panorama, providing an
auto-scaled cloud-delivered service with exactly the same logging functionality as Panorama.
References
Cortex Hub Getting Started Guide:
https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cortex/cortex-hub/cortex-hub-getting-started/cortex-hub-getting-started.pdf
Cortex Hub Landing Page:
https://apps.paloaltonetworks.com/apps
Sample Question
For answers, see the “Answers to Sample Questions” section.
Panorama also can be used for AutoFocus Threat Intelligence Summaries for a specified security artifact.
These summaries provide the latest WildFire submissions and verdicts; passive DNS history for URLs,
domains, and IP addresses; and threats that Unit 42 has identified as posing a direct security risk.
The following figure shows the Application Command Center representation of analyzed data from
multiple firewalls:
References
Enable AutoFocus Threat Intelligence:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/assess-firewall-artifacts-with-autofocus/enable-autofocus-threat-intelligence
Panorama Data Sheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/panorama-centralized-management-datasheet
Panorama Licensing:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-panorama/register-panorama-and-install-licenses.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
Identify Which Platform Components Are Used Consistently Across a Given Set
of Computing Environment Locations
It’s hard enough to provide and manage consistent security with best-of-breed point products in a single
environment, but with multiple locations and form factors and inconsistent filtering of false positives,
this can become all-consuming or impossible.
The Palo Alto Networks Security Operating Platform provides Security policy consistency, and its
components span multiple locations and form factors. PAN-OS software applies to physical and
virtualized firewalls in private and public clouds, and is extended with Prisma Access to provide remote
and mobile users the same Security policy. Panorama makes it easy to manage that Security policy. The
Cortex Data Lake sources data from Panorama, WildFire, firewalls, Traps, and Pathfinder. And the
WildFire malware analysis prevention service consistently provides its artifact information to Traps,
Panorama, firewalls, and AutoFocus.
The following figure shows how the architecture of the platform accommodates consistent Security
policy across multiple locations and form factors:
References
Palo Alto Networks Security Operating Platform:
https://www.paloaltonetworks.com/products/security-operating-platform
Security Operating Platform Datasheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/security-operating-platform-overview-r3
Sample Question
For answers, see the “Answers to Sample Questions” section.
specific rules and objects at subsequent levels, which enables you to create a hierarchy of rules that
enforce how firewalls handle traffic.
You use templates to configure the settings that enable firewalls to operate on the network. Templates
enable you to define a common base configuration using the Network and Device tabs on Panorama.
For example, you can use templates to manage interface and zone configurations, server profiles for
logging and syslog access, and network profiles for controlling access to zones and IKE gateways. When
you define a template, consider assigning firewalls that are the same hardware model and require
access to similar network resources, such as gateways and syslog servers.
References
Panorama 9.0 Administrator’s Guide:
• Templates and Template Stacks:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/panorama-web-interface/panorama-templates/template-stacks.html
• Device Groups:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/panorama-web-interface/panorama-device-groups.html
• Device Group Policies:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies.html
• Device Group Objects:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-objects.html
Sample Questions
For answers, see the “Answers to Sample Questions” section.
37) Can the same rule allow traffic from different sources on different firewalls?
a) No, rules mean the same on all firewalls that receive the same policy.
b) No, because device groups are pushed from Panorama to all firewalls.
c) Yes, because different firewalls can have different zone definitions.
d) Yes, because there could be clauses in a rule with effects limited to a specific device group.
Identify the Benefits of Panorama for Deploying Palo Alto Networks Products
Panorama network security management enables you to control your distributed network of our
firewalls from one central location. You can use a single console to view all your firewall traffic, manage
all aspects of device configuration, monitor devices, push global policies, and generate reports on traffic
patterns or security incidents.
References
Panorama at a Glance:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/PAN_AAG_panorama_052615.pdf
Device Monitoring on Panorama:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/device-monitoring-on-panorama
Sample Question
For answers, see the “Answers to Sample Questions” section.
Centralized management: Centralized policy and device management that allows for rapid
deployment and management of up to 1,000 firewalls
Visibility: Centralized logging and reporting to analyze and report about user-generated traffic
and potential threats
Role-based access control: Appropriate levels of administrative control at the firewall level or
global level for administration and management
References
Deploy Panorama with Dedicated Log Collectors:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-log-collection/log-collection-deployments/deploy-panorama-with-dedicated-log-collectors
Panorama High Availability:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-availability
Panorama HA Prerequisites:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-availability/panorama-ha-prerequisites
Logging Considerations in Panorama HA:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-availability/logging-considerations-in-panorama-ha
Panorama Sizing and Design Guide:
https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-Guide/ta-p/72181
Sample Question
For answers, see the “Answers to Sample Questions” section.
39) A company has a physical data center with physical firewalls on their premises and several
applications protected by virtual firewalls on AWS. Now they will install Panorama in High
Availability mode. Which answer best describes the requirements for the HA Panorama
peers?
a) an M-100 pair or an M-500 pair, or one of each, with both peers in either Panorama mode or
Management Only mode
b) any two models of virtual appliances, with both peers in either Panorama mode or Management
Only mode, or in Legacy mode for ESXi and vCloud Air models
c) any pair of identically provisioned Panorama servers of the same model and mode, except that
Log Collector mode cannot be used for HA
d) any pair of identically provisioned Panorama servers of any model or mode, except that Log
Collector mode cannot be used for HA
Every instance of Panorama requires valid licenses that entitle you to manage the devices and to obtain
support. The device management license enforces the maximum number of devices that can be
managed by Panorama. The support license enables Panorama software updates and dynamic content
updates for the latest application and threat signatures, among other updates, that are published by
Palo Alto Networks.
Panorama can be deployed on the M-100 or the M-500 management appliances, and individual
management and logging components can be separated in a distributed manner to accommodate large
volumes of log data.
Panorama also can be deployed as a virtual appliance on VMware ESXi, which allows organizations to
support their virtualization initiatives and consolidate rack space, which sometimes is limited or costly in
a data center.
References
Panorama 9.0 Administrator’s Guide:
• Register Panorama and Install Licenses, including all the subsections:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-panorama/register-panorama-and-install-licenses
• Manage Licenses and Updates:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-licenses-and-updates
• Manage Licenses of Firewalls Using Panorama:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-licenses-and-updates/manage-licenses-on-firewalls-using-panorama
• Panorama Models:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-overview/panorama-models
Sample Questions
For answers, see the “Answers to Sample Questions” section.
40) How often does Panorama contact the Palo Alto Networks licensing server to look for new
licenses for its firewalls?
a) never; you need to check manually
b) once a week
c) every 24 hours
d) every 6 hours
41) What is the maximum storage capacity of a single Panorama virtual appliance in Panorama
mode?
a) 2TB
b) 12TB
c) 18TB
d) 24TB
Understand How Cortex Data Lake Is Designed and How to Use It with Panorama
The Palo Alto Networks Cortex Data Lake provides cloud-based, centralized log storage and aggregation
for both on-premises and virtual firewalls, for Prisma Access, and for other cloud-delivered services such
as the Traps management service.
The Cortex Data Lake ensures that logging data is up-to-date and available when needed. It provides a
scalable logging infrastructure that reduces the need for Log Collectors to meet log retention
requirements. The Cortex Data Lake complements existing Log Collector deployments. Existing log
collection infrastructure can be augmented with the cloud-based Cortex Data Lake to expand
operational capacity. Regardless of where the data resides, Panorama can analyze all firewall logs and
provide insight into actionable events.
The following figure shows how Panorama and the Cortex Data Lake work together:
Reference
Cortex Data Lake Getting Started Guide:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/cloud-services/1-0/logging-service/logging-service-getting-started-guide.pdf
Sample Question
For answers, see the “Answers to Sample Questions” section.
42) How is the Cortex Data Lake integration with Panorama facilitated?
a) No integration is necessary; data flows from Panorama to the Cortex data lake and vice versa.
b) A Panorama plugin is installed in the Cortex Data Lake.
c) A Cloud Services plugin is installed in Panorama.
d) Agents run in both the Cortex Data Lake and Panorama.
Sizing requirements are driven by organizational and regulatory policy, redundancy requirements,
average daily logging rates, and the average size of the logs. See the “References” section for more
information about these factors, and for Cortex Data Lake requirements and Panorama management
capabilities. The following figure, from the Panorama Interconnect article cited in the “References”
section, shows the Panorama Interconnect hierarchy. A Panorama controller manages multiple
Panorama nodes, which in turn manage multiple devices.
References
Panorama Logging Requirements:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/set-up-panorama/determine-panorama-log-storage-requirements.html
Panorama Management Capacity:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/panorama-features/device-management-capacity-enhancement.html
Panorama Interconnect:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-large-scale-firewall-deployments/panorama-interconnect/panorama-interconnect-overview.html
Cortex Data Lake Getting Started Guide:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/cloud-services/1-0/logging-service/logging-service-getting-started-guide.pdf
Sample Question
For answers, see the “Answers to Sample Questions” section.
43) Which value should be used as a typical log entry size if no other information is available about log
sizes?
a) 0.5KB
b) 0.5MB
c) 0.5GB
d) 0.5TB
References
Panorama High Availability Requirements:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-availability/panorama-ha-prerequisites.html
Logging Considerations for HA Landing Page:
https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/panorama-high-availability/logging-considerations-in-panorama-ha.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
References
PAN-OS 9.0 Administrator’s Guide:
• HA Concepts with subtopics:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-concepts
• HA Lite:
https://live.paloaltonetworks.com/t5/Learning-Articles/What-is-HA-Lite-on-Palo-Alto-Networks-PA-200-and-VM-Series/ta-p/62553
Sample Question
For answers, see the “Answers to Sample Questions” section.
Identify the Functions of a Given High Availability Port
High-end systems have two high availability ports, one for management and one for data:
References
PAN-OS 9.0 Administrator’s Guide:
• HA Links and Backup Links:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-concepts/ha-links-and-backup-links
• Set Up Active/Passive HA:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activepassive-ha
• Set Up Active/Active HA:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/set-up-activeactive-ha
Sample Question
For answers, see the “Answers to Sample Questions” section.
46) Which dedicated High Availability port is used for which plane?
a) HA1 for the data plane, HA2 for the management plane
b) HA1 for the management plane, HA2 for the data plane
c) MGT for the management plane; HA2 as a backup
d) HA1 for the management plane, HA2 for the data plane in the PA-7000 Series
Identify License Requirements for Receiving Near Real-Time Dynamic Updates
Palo Alto Networks regularly posts updates for application detection, threat protection, and Prisma
Access data files through dynamic updates.
References
PAN-OS 9.0 Administrator’s Guide:
• Install Content and Software Updates:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/install-content-and-software-updates
Sample Question
For answers, see the “Answers to Sample Questions” section.
47) Which two updates should be scheduled to occur once a day? (Choose two.)
a) Antivirus
b) PAN-DB URL Filtering
c) WildFire
d) Applications and Threats
e) SMS channel
The following figure shows how Prisma Access fits with the Cortex Data Lake, next-generation firewalls,
and Panorama:
Palo Alto Networks deploys and manages the Prisma Access service security infrastructure globally to
secure remote networks and mobile users.
• A service infrastructure in the form of an RFC 1918-compliant subnet that does not overlap with
other IP addresses used internally. Prisma Access uses this subnet’s IP addresses for network
infrastructure between remote network locations and mobile users, and for service connections
to the headquarters or the data center. Internal communication within the cloud uses dynamic
routing.
• Service connections to give mobile and remote network users access to corporate resources, to
enable mobile users access to remote network locations, and to enable the cloud service to
connect with authentication servers. These service connections require an IPsec tunnel from
each headquarters or data center location to Prisma Access, and routing to and from the tunnels
to the subnetworks that contain the resources that remote network and mobile users access.
• An IPsec-compliant firewall, router, or SD-WAN device that can establish a tunnel to Prisma
Access for remote networks, and routing from users at the remote network location through the
IPsec tunnel to enable Prisma Access to enforce Security policy on automatically deployed
next-generation firewalls in regions specified in the Panorama cloud services plugin.
• A designated RFC 1918-compliant IP address pool for the service to use to assign IP addresses
for the client VPN tunnels. The addresses in this pool must not overlap with other address pools
you use internally or pools you assign for the service connections. Prisma Access for mobile
users automatically deploys Prisma Access portals and gateways in the cloud. The designated
pool allows users to receive VPN configurations, which will route them to the closest Prisma
Access gateway for policy enforcement.
• Firewalls, gateways, and portals that are deployed as part of the Prisma Access infrastructure
must forward all logs to the Cortex Data Lake, and a Cortex Data Lake license is required.
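The two addressing requirements above (RFC 1918 compliance and no overlap with internal or service-connection ranges) can be checked before onboarding. The following is an added example, not part of the study guide or any Palo Alto Networks tool; the labels and all address ranges are constructed for illustration.

```python
"""Pre-deployment check of a Prisma Access address plan (constructed data)."""
import ipaddress
from itertools import combinations

RFC1918_BLOCKS = tuple(
    ipaddress.ip_network(block)
    for block in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
)

# Hypothetical labels for this example. These two are the ranges the text
# says must be RFC 1918-compliant and must not overlap anything else.
PRISMA_RANGES = {"service_infrastructure", "mobile_user_pool"}

# Constructed sample plan: label -> list of CIDR strings.
SAMPLE_PLAN = {
    "service_infrastructure": ["192.168.0.0/15"],   # spills outside 192.168.0.0/16
    "mobile_user_pool": ["10.200.0.0/16"],
    "service_connection_subnets": ["10.20.0.0/16"],
    "internal": ["10.200.128.0/17", "172.16.10.0/24"],
}


def is_rfc1918(net):
    """True only if the whole network sits inside one RFC 1918 block."""
    return net.version == 4 and any(net.subnet_of(b) for b in RFC1918_BLOCKS)


def validate_address_plan(plan):
    """Return a sorted list of (issue, detail) tuples; an empty list means pass."""
    findings = []
    parsed = []
    for label, cidrs in plan.items():
        for cidr in cidrs:
            try:
                # strict=True rejects entries with host bits set (10.1.2.3/16)
                net = ipaddress.ip_network(cidr, strict=True)
            except ValueError:
                findings.append(("invalid", f"{label} {cidr}"))
                continue
            if label in PRISMA_RANGES and not is_rfc1918(net):
                findings.append(("not-rfc1918", f"{label} {net}"))
            parsed.append((label, net))

    for (label_a, net_a), (label_b, net_b) in combinations(parsed, 2):
        # Only overlaps that involve a Prisma Access range are in scope here.
        if label_a == label_b or not ({label_a, label_b} & PRISMA_RANGES):
            continue
        if net_a.overlaps(net_b):
            findings.append(
                ("overlap", f"{label_a} {net_a} <-> {label_b} {net_b}")
            )
    return sorted(findings)


if __name__ == "__main__":
    for issue, detail in validate_address_plan(SAMPLE_PLAN):
        print(f"{issue:12} {detail}")
```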
References
Prisma Access Getting Started Guide:
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/technical-documentation/cloud-services/1-0/gp-cloud-services/globalprotect-cloud-service-getting-started-guide.pdf
Prisma Access Lightboard Video:
https://www.paloaltonetworks.com/products/innovations/globalprotect-cloud-service
Sample Question
For answers, see the “Answers to Sample Questions” section.
48) What does the phrase “Prisma Access extends security to remote network locations and mobile
users” mean in the context of the security that firewalls provide to a network?
a) Prisma Access independently provides the same type of protection as the firewalls, rebuilt
for the various infrastructures used for remote network locations and mobile users.
b) Prisma Access independently provides the exact same protection as the firewalls, rebuilt
for the various infrastructures used for remote network locations and mobile users.
c) Prisma Access securely routes traffic for remote network locations and mobile users
through the same PAN-OS based firewalls used to protect the network.
d) Prisma Access leverages native cloud security and other security infrastructure to provide
security to remote network locations and mobile users.
MineMeld natively integrates with Palo Alto Networks security platforms to automatically create new
prevention-based controls for identified URLs, IPs, and domain intelligence derived from all sources
feeding into the tool. These sources include the Palo Alto Networks Security Operating Platform.
Organizations can block IOC-related threats through External Dynamic Lists and Dynamic Address
Groups.
MineMeld integrates with the Palo Alto Networks AutoFocus contextual threat intelligence service.
Customers use AutoFocus to target and analyze IOCs, and block associated threats on Next-Generation
Firewalls with export lists and through MineMeld.
AutoFocus can obtain the data it analyzes from WildFire, URL Filtering with PAN-DB, Traps, Prisma SaaS,
the Palo Alto Networks global passive DNS network, and Unit 42. Data from WildFire therefore can be
combined with these other sources and processed to provide automated protection with External Dynamic
Lists (EDLs) and Dynamic Address Groups (DAGs). The platform also can share tags with AutoFocus and
MineMeld for further automation.
The following figure shows MineMeld from the AutoFocus web interface. Miner nodes collect data from
sources such as WildFire. Processors analyze that data, and Output nodes specify how the data is used
for enforcement, such as by providing EDLs for firewalls.
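The Miner, Processor, and Output stages described above can be sketched as a small pipeline that turns several indicator feeds into one IP block list with one entry per line. This is an added example, not MineMeld code; the function names, confidence scores, feed names, and never-block list are assumptions, and all addresses are constructed from documentation ranges.

```python
"""Miner -> Processor -> Output sketch that emits an IP block list."""
import ipaddress

# Constructed feeds: source name -> [(raw indicator, confidence 0-100)].
FEEDS = {
    "sandbox_verdicts": [
        ("203.0.113.10", 90),
        ("198.51.100.0/24", 60),
        ("10.1.2.3", 95),
    ],
    "third_party_ioc": [
        ("203.0.113.10", 70),
        ("192.0.2.0/28", 80),
        ("192.0.2.55", 40),
        ("not-an-ip", 99),
    ],
}

# Constructed ranges that must never land on a block list
# (own address space, a partner range).
NEVER_BLOCK = ["10.0.0.0/8", "198.51.100.128/25"]


def mine(feeds):
    """Miner stage: normalise raw entries, skipping anything unparsable."""
    for source, entries in feeds.items():
        for raw, confidence in entries:
            try:
                net = ipaddress.ip_network(raw.strip(), strict=False)
            except ValueError:
                continue
            yield net, confidence, source


def process(mined, never_block, min_confidence=50):
    """Processor stage: merge duplicates, then filter.

    Duplicates keep the highest confidence and remember every source.
    Entries below min_confidence are dropped, as is any entry that
    overlaps a never-block range, so a broad feed entry cannot cut off
    a protected network.
    """
    allow = [ipaddress.ip_network(n) for n in never_block]
    merged = {}
    for net, confidence, source in mined:
        best, sources = merged.get(net, (0, set()))
        merged[net] = (max(best, confidence), sources | {source})

    kept = {}
    for net, (confidence, sources) in merged.items():
        if confidence < min_confidence:
            continue
        if any(net.version == a.version and net.overlaps(a) for a in allow):
            continue
        kept[net] = (confidence, sorted(sources))
    return kept


def output_edl(kept):
    """Output stage: sorted text, one entry per line, hosts without /32."""
    lines = []
    for net in sorted(kept, key=lambda n: (n.version, n)):
        single = net.num_addresses == 1
        lines.append(str(net.network_address) if single else str(net))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(output_edl(process(mine(FEEDS), NEVER_BLOCK)), end="")
```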
References
AutoFocus Datasheet:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/autofocus-threat-intelligence
AutoFocus Administrator’s Guide - MineMeld:
https://docs.paloaltonetworks.com/autofocus/autofocus-admin/autofocus-apps/minemeld.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
49) Which combination facilitates leveraging the combination of WildFire analysis with PAN-DB and
third-party IOC services?
a) Panorama and WildFire
b) AutoFocus and MineMeld
c) Traps and Cortex XDR
d) Prisma SaaS and Prisma Public Cloud
Solution Design: NGFW Configuration - Security
Demonstrate Knowledge of Advanced Features and Configuration Capabilities
The next-generation firewall offers a variety of advanced features, such as support for DAGs, multi-
factor authentication, Decryption Brokers and profiles, vsys, custom App-IDs, and custom reports. These
topics are described in the Administrator’s Guide.
The figure shows the firewall’s web interface used to define a custom report, and the resulting report
based on that definition.
References
Use Dynamic Address Groups in Policy:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy.html
Decryption Broker:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-broker.html
Create a Decryption Profile:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/define-traffic-to-decrypt/create-a-decryption-profile.html
Configure Multi-Factor Authentication:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/authentication/configure-multi-factor-authentication.html
vsys landing page:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/virtual-systems/virtual-systems-overview.html
Create a Custom Application:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application.html
Custom Reports:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/monitoring/view-and-manage-reports/custom-reports.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
References
PAN-OS 9.0 Administrator’s Guide:
• Use DNS Queries to Identify Infected Hosts on the Network:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network
• Vulnerability Protection Profiles:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/vulnerability-protection-profiles
• Install Content and Software Updates:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/getting-started/install-content-and-software-updates
Sample Question
For answers, see the “Answers to Sample Questions” section.
51) Which profile type is used to protect against most protocol-based attacks?
a) Antivirus
b) URL Filtering
c) Vulnerability Protection
d) WildFire Analysis
Identify the Next-Generation Firewall Components That Protect Against Unknown Attacks
The WildFire virtual environment identifies previously unknown malware and generates signatures that
Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks
firewall detects an unknown sample (a file or a link included in an email), the firewall automatically can
forward the sample for WildFire analysis. WildFire determines the sample to be Benign, Grayware, or
Malicious based on the properties, behaviors, and activities that the sample displays when it is analyzed
and executed in the WildFire sandbox. WildFire then generates signatures that will be used to recognize
the newly discovered malware, and makes the latest signatures globally available every five minutes. All
Palo Alto Networks firewalls then can compare incoming samples against these signatures so that they
can automatically block the malware first detected by a single firewall.
The following figure shows how the platform as a whole works to discover known and unknown threats:
References
WildFire 9.0 Administrator’s Guide:
• WildFire Concepts:
https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts
A Hacker’s View of Antivirus:
https://www.paloaltonetworks.com/products/secure-the-endpoint/traps
Best Practices for Ransomware Prevention:
https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148
Sample Question
For answers, see the “Answers to Sample Questions” section.
One way the firewall acts against credential theft is to detect and prevent incoming phishing attacks by
controlling sites to which users can submit corporate credentials, based on the site’s URL category. The
firewall blocks users from submitting credentials to untrusted sites while allowing users to continue to
submit credentials to sanctioned sites.
This credential phishing prevention works by scanning username and password submissions to websites
and comparing them with valid corporate credentials. A firewall that detects a user attempting to
submit credentials to a site in a restricted URL category displays either a block response page or a
continue page that allows credential submission.
Enablement of this credential phishing prevention requires both User-ID, to detect when users submit
valid corporate credentials to a site, and URL Filtering, to specify the URL categories where users cannot
enter their corporate credentials.
A second way the firewall works to prevent credential theft is by blocking outgoing access to known
phishing sites with PAN-DB URL filtering by creating a URL Filtering Security Profile and configuring it to
detect corporate credential submissions in allowed URL categories.
A third way for the firewall to control credential theft threats is to limit the lateral movement of the
attack with a policy to protect critical applications from use of stolen credentials by using multi-factor
authentication.
The following figure shows the next-generation firewall’s capabilities to neutralize credential theft by
adding preventive capabilities to stop the theft and the abuse of passwords across a specific credential
theft lifecycle:
References
Preventing Credential-Based Attacks (Text and Videos):
https://www.paloaltonetworks.com/products/innovations/credential-theft-prevention
Understanding the Role of Stolen Credentials in Data Breaches (Whitepaper):
https://get.info.paloaltonetworks.com/webApp/prevent-phishing-and-credential-theft-whitepaper-en
Sample Question
For answers, see the “Answers to Sample Questions” section.
53) How does an administrator specify in the firewall that certain credentials should not be sent to
certain URLs?
a) with a URL Filtering Profile
b) with User-ID
c) with App-ID
d) with a Credential Theft Profile
Before policy rules based on a user or group are defined, an LDAP Server Profile must be created that
defines how the firewall connects and authenticates to the directory server. The firewall supports a
variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE
Directory Server. The Server Profile also defines how the firewall searches the directory to retrieve the
list of groups and the corresponding list of members. If you are using a directory server that is not
natively supported by the firewall, integrate the group mapping function using the XML API.
References
Configure User Mapping Using the Windows User-ID Agent:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/configure-user-mapping-using-the-windows-user-id-agent
Configure User Mapping Using the PAN-OS Integrated User-ID Agent:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/configure-user-mapping-using-the-pan-os-integrated-user-id-agent
Configure User-ID to Monitor Syslog Senders for User Mapping:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping
Map IP Addresses to Usernames Using Captive Portal:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal
Deploy User-ID for Numerous Mapping Information Sources:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/deploy-user-id-in-a-large-scale-network/deploy-user-id-for-numerous-mapping-information-sources
User-ID Concepts:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/user-id-concepts
Create a Dedicated Service Account for the User-ID Agent:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent
Sample Questions
For answers, see the “Answers to Sample Questions” section.
54) What is the maximum number of servers supported by a single User-ID agent?
a) 10
b) 50
c) 100
d) 500
55) How does the firewall know that a specific connection comes from a specific user?
a) Every connection has a user ID encoded in it.
b) User-ID is supported only in protocols that use user authentication, which provides the user
identity to the firewall and the back end.
c) The firewall always uses the IP address in the IP header to locate the user ID, but this initial
identification is overridden by additional techniques such as HTTP proxies that provide the
client’s IP address in the HTTP header.
d) Usually the firewall uses the IP address in the IP header to locate the user ID, but additional
techniques are available as alternatives such as HTTP proxies providing the client’s IP address
in the HTTP header.
Identify the Best Practices for Deployment of User-ID
For business flexibility, many organizations have the need to support multiple types of end users across
a variety of locations and access technologies. In these environments, IP addresses no longer are an
effective proxy for end users. Instead, user and group information must be directly integrated into the
technology platforms that secure modern organizations.
When you enable User-ID on internal and trusted zones, these services are not exposed to the internet,
which helps to keep these services protected from any potential attacks. If User-ID and WMI probing are
enabled on an external untrusted zone (such as the internet), probes could be sent outside your
protected network, thus resulting in an information disclosure of the User-ID agent service account
name, domain name, and encrypted password hash. This information can be cracked and exploited by
an attacker to gain unauthorized access to protected resources. Therefore, User-ID should never be
enabled on an untrusted zone.
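One way to check the rule above against an exported configuration is to list every zone that has User-ID enabled and flag any zone that is not on an approved list of internal zones. This is an added example, not a Palo Alto Networks tool; the config excerpt is constructed, and its element layout (zone entries carrying `enable-user-identification`) is an assumption to verify against your own export.

```python
"""Flag zones with User-ID enabled that are not approved internal zones."""
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on an exported firewall configuration.
SAMPLE_CONFIG = """\
<config>
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <zone>
            <entry name="trust">
              <network><layer3><member>ethernet1/2</member></layer3></network>
              <enable-user-identification>yes</enable-user-identification>
            </entry>
            <entry name="untrust">
              <network><layer3><member>ethernet1/1</member></layer3></network>
              <enable-user-identification>yes</enable-user-identification>
            </entry>
            <entry name="guest-wifi">
              <network><layer3><member>ethernet1/3</member></layer3></network>
            </entry>
          </zone>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""


def zones_with_user_id(config_xml):
    """Return (vsys, zone, interfaces) for every zone with User-ID enabled."""
    root = ET.fromstring(config_xml)
    enabled_zones = []
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        for zone in vsys.iterfind("./zone/entry"):
            flag = (zone.findtext("enable-user-identification") or "no").strip()
            if flag != "yes":
                continue
            interfaces = tuple(sorted(
                member.text.strip()
                for member in zone.iterfind("./network/*/member")
                if member.text
            ))
            enabled_zones.append((vsys.get("name"), zone.get("name"), interfaces))
    return enabled_zones


def audit_user_id_zones(config_xml, approved_internal_zones):
    """Return zones with User-ID enabled that are not explicitly approved.

    An allowlist is used instead of a list of "untrusted" names so that
    a new or renamed external zone is flagged by default.
    """
    approved = set(approved_internal_zones)
    return [
        finding for finding in zones_with_user_id(config_xml)
        if finding[1] not in approved
    ]


if __name__ == "__main__":
    for vsys, zone, interfaces in audit_user_id_zones(SAMPLE_CONFIG, {"trust"}):
        print(f"User-ID enabled on unapproved zone {zone} ({vsys}): {interfaces}")
```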
References
User-ID Tech Brief:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/user-id-tech-brief
User-ID Deployment Best Practices:
https://live.paloaltonetworks.com/t5/Learning-Articles/Best-Practices-for-Securing-User-ID-Deployments/ta-p/61606
Sample Questions
For answers, see the “Answers to Sample Questions” section.
56) A customer has a proprietary user authentication system that is not supported by User-ID. Can
you provide User-ID information to their firewall, and if so, how?
a) It is impossible. The customer will need to upgrade to something more standard.
b) It can be done, but only for HTTP applications because HTTP supports XFF headers.
c) It can be done using the XML API.
d) It can be done, but it requires programming that can be performed only by the Palo Alto
Networks Professional Services organization.
57) Should you limit the permission of the user who runs the User-ID agent? If so, why?
a) Yes, because of the principle of least privilege. You should give processes only those
permissions that are necessary for them to work.
b) Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
c) Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
d) No, there is nothing wrong with using the administrator’s account.
References
App-ID Overview:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/app-id-overview
Manage Custom or Unknown Applications:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-custom-or-unknown-applications
Create a Custom Application:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application
Policies > Application Override:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-application-override.html
Defining Applications:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-applications/applications-overview
App-ID Tech Brief:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/app-id-tech-brief
HTTP Header Insertion and Modification:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/techbriefs/app-id-tech-brief
Learn by Doing
Play with App-ID on the user interface:
• Attempt to define a custom application
• View the application information and characteristics for a Palo Alto Networks App-ID. See if
you can see the App-ID signature, timeouts, etc.
Sample Question
For answers, see the “Answers to Sample Questions” section.
58) Which three reasons could cause a firewall that is fully configured, including decryption, to not
recognize an application? (Choose three.)
a) The application is running over SSL.
b) There is no App-ID signature for an unanticipated application.
c) The application is running over ICMP.
d) The application is running over UDP.
e) A TCP handshake completed but no application traffic reached the firewall.
f) Payload reached the firewall, but not enough data packets to identify the application.
References
Manage Custom or Unknown Applications:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-custom-or-unknown-applications
Create a Custom Application:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application
What is Application Dependency?
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-What-is-Application-Dependency/ta-p/54270
Sample Question
For answers, see the “Answers to Sample Questions” section.
59) Which two methods are best practices for adding a custom application that runs on TCP port 25
to the firewall? (Choose two.)
a) Request an App-ID from Palo Alto Networks.
b) Create a custom application with a signature.
c) Create a custom application and define an Application Override policy.
d) Write JavaScript code to identify the application.
e) Write Python code to identify the application.
Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum Effectiveness
A best practice Security policy is iterative. It safely enables applications, users, and content by viewing
and controlling all traffic flow, across all ports, all the time. As soon as you define the initial Internet
gateway Security policy, you must begin to monitor the traffic that matches the temporary rules
designed to identify policy gaps, monitor behavior that generates alarms, and tune your policy
accordingly. By monitoring traffic that is covered by these rules, you can make appropriate adjustments
to your rules to either ensure that all traffic is hitting your application whitelist or allow rules, or to
assess whether particular applications should be allowed. As you tune your rulebase, you should see less
and less traffic hitting these rules. When you no longer see traffic encountering these rules, your
positive enforcement whitelist rules are complete and you can remove the temporary rules.
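The monitoring loop described above can be run over exported traffic logs. The following Python is an added example, not code from this study guide or from Palo Alto Networks; the rule names, the four-column CSV layout, the sample rows, and the 14-day quiet period are constructed assumptions.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import date, timedelta

# Hypothetical names for the temporary tuning rules; use your own rulebase's names.
TEMP_RULES = ("temp-unexpected-port-web", "temp-unknown-user-apps", "temp-catch-all")

# Constructed sample of exported traffic-log rows: day, rule, application, source user.
SAMPLE_LOG = """\
2019-06-03,allow-sanctioned-saas,office365-base,alice
2019-06-03,temp-unexpected-port-web,web-browsing,bob
2019-06-04,temp-unexpected-port-web,ssl,bob
2019-06-04,temp-unknown-user-apps,dropbox-base,
2019-06-05,temp-catch-all,bittorrent,carol
2019-06-11,temp-unexpected-port-web,web-browsing,bob
2019-06-12,temp-catch-all,bittorrent,carol
2019-06-19,temp-catch-all,bittorrent,carol
2019-06-27,allow-sanctioned-saas,office365-base,alice
"""


def parse_log(text):
    """Return only the hits on temporary rules, as (day, rule, application, user)."""
    hits = []
    for day, rule, app, user in csv.reader(io.StringIO(text)):
        if rule in TEMP_RULES:
            hits.append((date.fromisoformat(day), rule, app, user or "unknown"))
    return hits


def weekly_hits(hits):
    """Count hits per rule per week, keyed by the ISO date of that week's Monday."""
    counts = defaultdict(Counter)
    for day, rule, _app, _user in hits:
        monday = day - timedelta(days=day.weekday())
        counts[rule][monday.isoformat()] += 1
    return counts


def apps_to_review(hits):
    """Applications seen on each temporary rule.

    Each one is a policy gap: either add it to an explicit allow rule or
    decide that it should not be allowed at all.
    """
    seen = defaultdict(Counter)
    for _day, rule, app, _user in hits:
        seen[rule][app] += 1
    return seen


def removable_rules(hits, as_of, quiet_days=14):
    """Temporary rules with no hits in the `quiet_days` days before `as_of`.

    `as_of` is an ISO date string. The quiet period is an assumption; pick one
    long enough to cover weekly and monthly business cycles.
    """
    cutoff = date.fromisoformat(as_of) - timedelta(days=quiet_days)
    still_hit = {rule for day, rule, _app, _user in hits if day > cutoff}
    return sorted(set(TEMP_RULES) - still_hit)


if __name__ == "__main__":
    hits = parse_log(SAMPLE_LOG)
    apps = apps_to_review(hits)
    for rule, weeks in sorted(weekly_hits(hits).items()):
        print(rule, dict(weeks), dict(apps[rule]))
    print("no recent hits:", removable_rules(hits, "2019-06-28"))
```

A rule that still shows hits (here the catch-all rule, with a recurring application from one user) stays in place until that traffic is either explicitly allowed or explicitly denied.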
References
Create Best Practice Security Profiles:
https://docs.paloaltonetworks.com/best-practices/9-0/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles.html
Step 4: Create the Temporary Tuning Rules:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/best-practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-policy/step-4-create-the-temporary-tuning-rules
Monitor and Fine Tune the Policy Rulebase:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/policy/best-practice-internet-gateway-security-policy/monitor-and-fine-tune-the-policy-rulebase
Rule Usage Tracking:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/management-features/rule-usage-tracking
Sample Question
For answers, see the “Answers to Sample Questions” section.
60) Which five types of file does WildFire analyze as executables? (Choose five.)
a) JAR
b) Portable Document Format
c) MP4
d) Portable Executable
e) Office Open XML (.docx)
f) Executable and Linkable Format
g) BMP
Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server
(any server you have the certificate for and can import onto the firewall). For example, if an employee is
remotely connected to a web server hosted on the company network and is attempting to add
restricted internal documents to a Dropbox folder (which uses SSL for data transmission), SSL Inbound
Inspection can be used to ensure that the sensitive data does not move outside the secure company
network by blocking or restricting the session.
In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends
an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the
server. The firewall then intercepts the server’s response and forwards the response to the client,
establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall
and the server, with the firewall functioning as a proxy. As traffic flows between the client and the
server, the firewall can distinguish whether the SSH traffic is being routed normally or if it is using SSH
tunneling (port forwarding). Content and threat inspections are not performed on SSH tunnels;
however, if SSH tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted
according to configured Security policies.
References
Decryption Overview:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-overview
Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode:
https://live.paloaltonetworks.com/t5/Learning-Articles/Difference-Between-SSL-Forward-Proxy-and-Inbound-Inspection/ta-p/55553
Decryption Port Mirroring:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring
Sample Question
For answers, see the “Answers to Sample Questions” section.
61) Which decryption mode or modes require(s) the private key of the destination server? (Choose a
single answer.)
a) Forward Proxy
b) Inbound Inspection
c) Both Forward Proxy and Inbound Inspection
d) SSH Proxy
Exclude certain URL categories or applications from decryption, either because they do not work
properly with decryption enabled or for any other reason, including legal or privacy purposes.
You can use a Decryption policy to exclude traffic from decryption based on source, destination,
URL category, service (port or protocol), and TCP port numbers. For example, with SSL decryption
enabled, you can choose URL categories to exclude traffic that is categorized as financial or
health-related from decryption.
Exclude server traffic from SSL decryption based on the Common Name (CN) in the server
certificate. For example, if you have SSL decryption enabled but have certain servers for which
you do not want to decrypt traffic, such as the web services for your HR systems, exclude those
servers from decryption by importing the server certificate onto the firewall and modifying the
certificate to be an SSL Exclude certificate.
References
PAN-OS 9.0 Administrator’s Guide:
• Decryption Exclusions:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-exclusions#93953, including all the subtopics
PAN-OS Web Interface Reference Guide 8.0:
• Policies > Decryption in the Web Interface:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/policies/policies-decryption.html
• Objects > Decryption Profile in the Web Interface:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/objects/objects-decryption-profile
Sample Question
For answers, see the “Answers to Sample Questions” section.
Reference
Decryption Mirroring:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
analysis. Two types of security chain networks are supported with a Decryption Broker (Layer 3 security
chains and transparent bridge security chains), and the firewall can direct traffic through the security
chain unidirectionally or bidirectionally. A single firewall can distribute decrypted sessions among up to
64 security chains, and can monitor security chains to ensure that they are effectively processing traffic.
The Decryption Broker can be used in several configurations. A pair of interfaces can be used to support
a single transparent bridge security chain, or multiple pairs can be used to support multiple such chains.
The broker interfaces can be configured to run in both directions or in one direction. They might be
configured to run both directions to allow the security chain to process cleartext in a different order for
outbound versus inbound traffic. They might be configured to run in only one direction if the security
chain has a stateless device such as a packet recorder that processes both inbound and outbound traffic
in the same direction. The interfaces might be configured to support multiple chains to balance the
processing load or provide redundancy. The broker can be used to monitor the health of the security
chains it feeds. Details about these use cases are provided in links from the “Decryption Broker
Concepts” reference.
References
Decryption Broker:
https://www.paloaltonetworks.com/documentation/81/pan-os/newfeaturesguide/decryption-features/decryption-broker
Decryption Broker Concepts:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/decryption/decryption-broker/decryption-broker-concepts
Sample Question
For answers, see the “Answers to Sample Questions” section.
The sources of data for the Cortex Data Lake are Traps, the firewall or Panorama, and Prisma Access.
Directory Sync data is sent to the Cortex hub apart from Cortex Data Lake, and Pathfinder data is sent
directly to the Cortex XDR - Analytics application. This data generally does not need to be sized.
The size of a Cortex Data Lake instance is determined by the log rate and retention period. Cortex XDR
requires at least a 30-day retention period. The retention period is based on the longest required
retention among applications logged.
The Cortex Data Lake instance SKU is per 1TB on a subscription basis of one or three years.
After the data lake instance is sized, a Cortex XDR license is required based on the amount of data the
licensed Cortex XDR instance accesses from the firewall. The Cortex XDR SKU required is determined by
the range the data lake instance falls in. See the following table:
Data Lake Instance Size (in TB)    Cortex XDR Size (in TB)
1 to 5                             Up to 5
6 to 10                            Up to 10
11 to 25                           Up to 25
26 to 50                           Up to 50
51 to 100                          Up to 100
More than 100                      Special
You should experiment with the Cortex Sizing Calculator (see the “Reference” section).
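The sizing steps above, carried through in Python as an added example; it is not from this study guide and is not the Cortex Sizing Calculator. The raw-volume formula (log rate × entry size × retention), decimal terabytes, the `cortex-xdr` key, and the sample rates are assumptions; the 0.5KB default entry size is the typical value this guide gives for cases where no other information is available.

```python
import math

SECONDS_PER_DAY = 86_400
BYTES_PER_TB = 10**12          # assumption: decimal terabytes
DEFAULT_LOG_BYTES = 500        # 0.5KB typical log entry when nothing better is known
XDR_MIN_RETENTION_DAYS = 30    # Cortex XDR requires at least a 30-day retention period

# Upper bound of each Data Lake range (TB) and the matching Cortex XDR size,
# taken from the table above. Anything larger is "Special".
XDR_TIERS = ((5, "Up to 5"), (10, "Up to 10"), (25, "Up to 25"),
             (50, "Up to 50"), (100, "Up to 100"))


def effective_retention(app_retention_days):
    """Retention is the longest period required among the applications logged."""
    if not app_retention_days:
        raise ValueError("at least one application retention requirement is needed")
    days = dict(app_retention_days)
    if "cortex-xdr" in days:  # hypothetical key naming the Cortex XDR application
        days["cortex-xdr"] = max(days["cortex-xdr"], XDR_MIN_RETENTION_DAYS)
    return max(days.values())


def data_lake_tb(logs_per_second, retention_days, log_bytes=DEFAULT_LOG_BYTES):
    """Whole terabytes to license: estimated raw volume rounded up to the 1TB SKU.

    `logs_per_second` maps each source (Traps, firewall or Panorama,
    Prisma Access) to its sustained log rate.
    """
    if retention_days <= 0 or any(rate < 0 for rate in logs_per_second.values()):
        raise ValueError("retention must be positive and log rates non-negative")
    total_rate = sum(logs_per_second.values())
    raw_bytes = total_rate * log_bytes * SECONDS_PER_DAY * retention_days
    return max(1, math.ceil(raw_bytes / BYTES_PER_TB))


def xdr_size(instance_tb):
    """Cortex XDR size for the range that the Data Lake instance falls in."""
    if instance_tb < 1:
        raise ValueError("Data Lake instances are sold in whole terabytes")
    for upper_tb, label in XDR_TIERS:
        if instance_tb <= upper_tb:
            return label
    return "Special"


def size_deployment(logs_per_second, app_retention_days):
    """Combine the three steps: retention, Data Lake size, Cortex XDR size."""
    days = effective_retention(app_retention_days)
    tb = data_lake_tb(logs_per_second, days)
    return {"retention_days": days, "data_lake_tb": tb, "cortex_xdr": xdr_size(tb)}


if __name__ == "__main__":
    # Constructed inputs: sustained log rates per source and retention per application.
    rates = {"firewall": 4000, "traps": 1500}
    retention = {"cortex-xdr": 14, "compliance-archive": 30}
    print(size_deployment(rates, retention))
```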
Reference
Cortex Sizing Calculator:
https://apps.paloaltonetworks.com/logging-service-calculator
Sample Question
For answers, see the “Answers to Sample Questions” section.
65) An environment generates 3TB of firewall data and 4TB of Traps data over 30 days. Which licenses
must be purchased for Cortex XDR?
a) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
5TB
b) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 3TB
c) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
10TB
d) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 10TB
The following table shows the licenses required for numbers of users:
Reference
Prisma SaaS License Types:
https://docs.paloaltonetworks.com/aperture/aperture-admin/get-started-with-aperture/register-and-activate-aperture-licenses/aperture-license-types.html
Sample Question
For answers, see the “Answers to Sample Questions” section.
66) Which Prisma SaaS licensing is required for a customer with 5,000 employees, 200 SFDC accounts,
and 1,000 ServiceNow accounts?
a) 5,000 users, all apps license
b) 5,000 users, one app license
c) 200 users, all apps license and a 5,000 users, one app license
d) 1,000 users, all apps license
Service connection is not bandwidth-limited. It uses the IPsec protocol, and performance levels over
1Gbps should be attainable. Prisma Access stores logs through the cloud-based Palo Alto Networks
Cortex Data Lake.
Any Panorama size can be used with Prisma Access if it is Panorama 8.0.5 or later.
The following is a screenshot of the Prisma Access service pricing calculator included in the “References”
section:
References
Prisma Access Pricing Calculator:
https://www.paloaltonetworks.com/content/dam/pan/en_US/field/products/docs/global-protect/globalprotect-cloud-service-price-calculator.xlsx
Prisma Access Licensing Training:
https://identity.paloaltonetworks.com/idp/startSSO.ping?PartnerSpId=csod&TargetResource=https://paloaltonetworks.csod.com/LMS/LoDetails/DetailsLo.aspx?loid=f4598573-6b18-4d10-8438-24417a0e1455
Sample Question
For answers, see the “Answers to Sample Questions” section.
67) A Prisma Access customer has 50,000 unique mobile users, but uses only 2,000 at a time. Which
mobile user license do they need?
a) 2,000 users
b) 50,000 users
c) a weighted average of usage over time
d) a pay-as-you-go license
Sample Test
Answers are in the “Sample Test Answer Key” section.
2) Which two answers could be used to handle a prospect’s objection that updating the WildFire
malware list twice a week is unacceptable? (Choose two.)
a) With a WildFire subscription you get an update every few minutes.
b) With the Threat subscription you get an update every few minutes.
c) With the Threat subscription you get an update every hour.
d) With the Threat subscription you get an update every 24 hours.
4) Which Palo Alto Networks product directly protects corporate laptops when people use them from
home?
a) next-generation firewall
b) Panorama
c) WildFire
d) Prisma Access
5) Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
a) email
b) DNS
c) URL
d) SMS
e) ICMP
7) Which log type does not have five severity levels?
a) Threat
b) WildFire Submission
c) Correlation
d) System
8) Which two behaviors would fail to disguise malware from a firewall? (Choose two.)
a) use domains known to be run by dynamic DNS providers
b) disguise C2 traffic as email
c) browse directly to IP addresses without DNS resolution
d) infect multiple hosts before accessing the C2 channel, so that each time the C2 request message
comes from a different IP address
e) slow down C2 traffic to one packet in each direction each day
9) Which element of the NGFW does the NGFW UTD show potential customers?
a) how to set up NGFW for the first time
b) how to migrate from a different firewall to NGFW
c) how to integrate with Advanced Endpoint Protection
d) how to integrate with WildFire
10) Which firewall series (one or more) requires you to specify in the Bill of Materials the Network
Processing Cards (NPCs) to include?
a) A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks appliances don’t
support hardware customization.
b) PA-7000
c) PA-5200 and PA-7000
d) PA-3000, PA-5200, and PA-7000
11) Which step is required to ensure that web storage is not used to exfiltrate sensitive data from an
enterprise that must use web storage to collaborate with business partners?
a) disconnect from the internet
b) configure a local shared drive and use that instead of web storage
c) use Prisma SaaS to ensure that the information shared to the web storage is not sensitive
d) install Advanced Endpoint Protection
13) What is the difference between templates and device groups?
a) Templates are used for network parameters and device groups are used for security definitions
(rules and objects).
b) Device groups are used for network parameters and templates are used for security definitions
(rules and objects).
c) Panorama has device groups, but there is no such thing as a template in Panorama.
d) Panorama has templates, but there is no such thing as a device group in Panorama.
15) Which three features are not supported by HA lite, but are available on higher-end models? (Choose
three.)
a) link aggregation
b) DHCP lease information synchronization
c) PPPoE lease information synchronization
d) active/passive (A/P) high availability (without session synchronizations)
e) active/passive (A/P) high availability (with session synchronizations)
f) active/active (A/A) high availability
16) Which scenario could cause “split brain” in an active/passive (A/P) high availability setup?
a) The connection between the management plane ports is encrypted.
b) The connection between the data-plane ports is broken and there is no configured backup, so
there is no heartbeat.
c) The connection between the management plane ports is broken and there is no configured
backup, so there is no heartbeat.
d) Only if both connections are broken would you get a “split brain” problem.
17) A best practice is to either block executables or to send them to WildFire. Which three file types are
analyzed as executables by WildFire? (Choose three.)
a) JAR
b) Portable Document Format
c) Python Script
d) Office Open XML (.docx)
e) iPhone apps
18) Which action could disconnect a potentially infected host from the network?
a) Alert
b) Reset Client
c) Reset Server
d) Block IP
19) Which component of the Security Operating Platform turns unknown attacks into known attacks?
a) next-generation firewall
b) Advanced Endpoint Protection
c) WildFire
d) AutoFocus
20) What is the maximum number of servers that a User-ID agent supports?
a) 20
b) 100
c) 1,000
d) There is no limit.
21) Must the agent account be a member of the Distributed COM Users group?
a) yes, always
b) only when using the Windows-based User-ID agent
c) only when using the PAN-OS integrated User-ID agent
d) no, never
22) Which characteristic of a predefined application can be viewed and modified by an administrator?
a) timeout values
b) name
c) hash
d) dependencies
23) Which two decryption modes require an SSL certificate? (Choose two.)
a) Forward Proxy
b) Inbound Inspection
c) Reverse Proxy
d) SSH Proxy
e) Outbound Inspection
Answers to Sample Questions
Asterisks indicate correct answers.
1) Which file types are not supported as an upload sample for file upload by WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a) iOS applications*
b) Android applications
c) Windows applications
d) Microsoft Excel files
4) Which fully populated firewall has the highest file forwarding capacity through its data ports?
a) VM-100
b) PA-200
c) PA-5280
d) PA-7080*
6) Which option is an example of how the next-generation firewall can provide visibility and
enforcement around SaaS applications?
a) Through partnership with SaaS application vendors, special virtual firewalls that support a
subset of full firewall functionality are used inside the SaaS applications themselves.
b) A built-in default security rule in the firewall blocks dangerous SaaS applications based on an
automatically updated database of dangerous SaaS applications.
c) Built-in default functionality in the firewall sends all files sent or received by SaaS applications to
WildFire.
d) The firewall can filter SaaS applications based on whether they comply with industry
certifications such as SOC1, HIPAA, and FINRAA.*
7) When a cloud deployment is secured, which role does the next-generation firewall play?
a) A member of the VM-Series is attached to each VM in the cloud environment, to stop malware,
exploits, and ransomware before they can compromise the virtual systems they are attached to.
b) The NGFW exports its Security policy through Panorama, which in turn distributes that policy to
the cloud-based Prisma SaaS service that enforces the NGFW Security policy against each VM
used in the cloud environment.
c) The NGFW exports its Security policy to WildFire, which lives in the cloud and enforces the
NGFW Security policy throughout the cloud environment.
d) The NGFW is used to consistently control access to applications and data based on user
credentials and traffic payload content for private or public cloud, internet, data center, or SaaS
applications.*
8) Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating Platform?
a) attacks through SaaS applications, such as exfiltration through Box
b) attacks that do not cross the firewall, regardless of source or destination
c) attacks based on social engineering that mimic normal user behavior*
d) denial-of-service attacks from a trusted source
e) intrazone attacks, regardless of source or destination
10) The customer wants a monthly report of the number of connections (of a particular application)
per day. Where do you specify that the report is by days?
a) Query Builder
b) “Group By” field*
c) “Order By” field
d) “Time Frame” field
11) The customer wants a monthly connections report for a particular application to be generated
based on hourly activity. Where is this setting specified?
a) Query Builder
b) “Group By” field*
c) “Sort By” field
d) “Time Frame” field
12) You can receive regularly scheduled reports in which two ways? (Choose two.)
a) Retrieve the reports from the Palo Alto Networks web-based user interface.*
b) Upload the report to a document repository using FTP.
c) Configure automatic email delivery for regularly scheduled reports.*
d) Configure automatic printing to the office printer.
e) Upload the report to the domain’s document repository using a shared drive.
13) An author of malware buys five new domain names each week and uses those domains for C2.
How does that practice affect a botnet report for the network the malware is attacking?
a) It helps disguise the malware.
b) It fails to disguise the malware because access to new domains (registered in the last week)
is counted as suspicious.
c) It fails to disguise the malware because access to new domains (registered in the last 30 days)
is counted as suspicious.*
d) It fails to disguise the malware because access to new domains (registered in the last 60 days)
is counted as suspicious.
14) Which Palo Alto Networks product directly protects corporate laptops when people use them
from home?
a) next-generation firewall
b) Traps*
c) Panorama
d) WildFire
16) The CEO is concerned that employees are using too much of the organization’s bandwidth for
YouTube, thus causing a performance problem. Which section of the SLR confirms or allays this
concern?
a) High-Risk Applications
b) Bandwidth Consumed by Applications
c) Categories Consuming the Most Bandwidth*
d) Categories with the Most Applications
17) Which interface mode do you use to generate the Stats Dump file that can be converted into an
SLR? Assume that you want to make the evaluation as non-intrusive as possible.
a) Tap*
b) virtual wire
c) Layer 2
d) Layer 3
18) Which two elements of the NGFW does the NGFW UTD show potential customers? (Choose
two.)
a) how to set up NGFW for the first time
b) how to modify the Security policy*
c) how to view log entries and reports*
d) how to migrate from a different firewall to NGFW
e) how to integrate with Advanced Endpoint Protection
20) Which two steps are essential parts of the PPA process? (Choose two.)
a) a structured interview with the customer about their security prevention capabilities*
b) upload of a file generated by the customer’s firewall capturing the threats they are facing
c) a report to the customer about how to improve their security posture*
d) a discussion about expectations of threat prevention in a proof-of-concept
21) Which two success tools are most appropriate for a prospective customer that is using a
competitor’s offerings but has no security prevention strategy? (Choose two.)
a) Expedition
b) Prevention Posture Assessment*
c) Security Lifecycle Review*
d) Best Practice Assessment with Heatmaps
e) Data Center Segmentation Strategy Analyzer
22) A potential customer has many satellite offices, each of which is connected to the internet
using a 250Mbps link. The customer requirements include threat prevention for all the traffic.
Which model does Palo Alto Networks recommend be deployed in those offices to fulfill these
requirements, assuming a reduction in network capacity is unacceptable and cost is a
concern?
a) PA-100
b) PA-500
c) PA-2020
d) PA-3020*
23) Which step is required to ensure that web storage is not used to exfiltrate sensitive data from
an enterprise that must use web storage to collaborate with business partners?
a) disconnect from the internet
b) configure a local shared drive and use that instead of web storage
c) install Advanced Endpoint Protection
d) use the firewall to forbid uploads to other web storage instances*
25) Should a Traps agent be installed on desktop PCs that stay behind the corporate firewall?
a) No, because they are protected by the firewall.
b) Yes, because sometimes people take desktops from behind the corporate firewall home to
work, and corporation might properly deploy Prisma Access to extend the firewall’s protection
to mobile users.
c) Yes, because a network connection from a desktop PC behind the corporate firewall could
bypass the corporate firewall.
d) Yes, because malware and exploit files might be able to traverse the network before they are
identified by WildFire, and file propagation methods such as the use of USB drives bypass the
firewall.*
26) The firewall of a defense contractor is not connected to the internet. However, it is connected
to the classified SIPRNet. The contractor is concerned about getting malware files through
that network. Can this defense contractor use the WildFire service for protection?
a) No, because there is no network path to the WildFire cloud.
b) No, because all SIPRNet files are encrypted.
c) Yes, but only for PE-type file analysis.
d) Yes, they can use a WF-500 appliance.*
27) How does Cortex XDR help prevent lateral threat movement?
a) Cortex XDR agents test all traffic for known viruses and malware at every interface of every
device within the network.
b) Cortex XDR dynamically creates and manages VM-Series firewalls as traffic increases inside a
network.
c) Cortex XDR applies machine learning techniques to recognize deviations from normal use inside
the network.*
d) Cortex XDR applies machine learning and other artificial intelligence to compare network activity
to that of thousands of other customers.
28) A price-sensitive customer requires 300,000 connections per second. Which firewall model should
they purchase?
a) PA-220
b) PA-3250
c) PA-5280*
d) PA-7080
29) Which products describe the components of the Palo Alto Networks Security Operating
Platform that contribute to endpoint security?
a) Traps and the next-generation firewall
b) WildFire and Traps
c) Traps, WildFire, and the next-generation firewall
d) next-generation firewall, Prisma Access, Traps, and WildFire*
30) Which component of Palo Alto Networks public cloud security solution protects against C2
communications in an AWS environment?
a) Prisma Public Cloud
b) Traps
c) Prisma SaaS
d) VM-Series*
31) How does the next-generation firewall fit into the Palo Alto Networks SaaS security solution?
a) It is replaced by Prisma Access.
b) It provides inline security.*
c) Its functionality is superseded by the CASB proxy and reverse proxy.
d) It provides the same security for in-house applications that Prisma SaaS provides for SaaS
applications.
32) How does the Cortex Data Lake fit with platform visibility and enforcement?
a) All applications and components of the platform, and third-party services and applications can
both feed and extract data and its context from the Cortex Data Lake.
b) Firewalls, Prisma Access, Traps, and WildFire feed the Cortex Data Lake, and Cortex XDR and
third-party applications apply AI and other technologies for analysis and enforcement.*
c) AutoFocus, and Cortex XDR feed data and context to the Cortex Data Lake, and physical and
virtual firewalls along with Prisma SaaS provide consistent Security policy enforcement for the
platform.
d) The Cortex Data Lake essentially is a rebranding of Logging mode for Panorama, providing an
auto-scaled cloud-delivered service with exactly the same logging functionality as Panorama.
37) Can the same rule allow traffic from different sources on different firewalls?
a) No, rules mean the same on all firewalls that receive the same policy.
b) No, because device groups are pushed from Panorama to all firewalls.
c) Yes, because different firewalls can have different zone definitions.*
d) Yes, because there could be clauses in a rule with effects limited to a specific device group.
39) A company has a physical data center with physical firewalls on their premises and several
applications protected by virtual firewalls on AWS. Now they will install Panorama in High
Availability mode. Which answer best describes the requirements for the HA Panorama peers?
a) an M-100 pair or an M-500 pair, or one of each, with both peers in either Panorama mode or
Management Only mode
b) any two models of virtual appliances, with both peers in either Panorama mode or Management
Only mode, or in Legacy mode for ESXi and vCloud Air models
c) any pair of identically provisioned Panorama servers of the same model and mode, except that
Log Collector mode cannot be used for HA*
d) any pair of identically provisioned Panorama servers of any model or mode, except that Log
Collector mode cannot be used for HA
40) How often does Panorama contact the Palo Alto Networks licensing server to look for new licenses
for its firewalls?
a) never; you need to check manually
b) once a week
c) every 24 hours*
d) every 6 hours
41) What is the maximum storage capacity of a single Panorama virtual appliance in Panorama mode?
a) 2TB
b) 12TB
c) 18TB
d) 24TB*
42) How is the Cortex Data Lake integration with Panorama facilitated?
a) No integration is necessary; data flows from Panorama to the Cortex data lake and vice versa.
b) A Panorama plugin is installed in the Cortex Data Lake.
c) A Cloud Services plugin is installed in Panorama.*
d) Agents run in both the Cortex Data Lake and Panorama.
43) Which value should be used as a typical log entry size if no other information is available about log
sizes?
a) 0.5KB*
b) 0.5MB
c) 0.5GB
d) 0.5TB
46) Which dedicated High Availability port is used for which plane?
a) HA1 for the data plane, HA2 for the management plane
b) HA1 for the management plane, HA2 for the data plane*
c) MGT for the management plane; HA2 as a backup
d) HA1 for the management plane, HA2 for the data plane in the PA-7000 Series
47) Which two updates should be scheduled to occur once a day? (Choose two.)
a) Antivirus*
b) PAN-DB URL Filtering
c) WildFire
d) Applications and Threats*
e) SMS channel
48) What does the phrase “Prisma Access extends security to remote network locations and mobile
users” mean in the context of the security that firewalls provide to a network?
a) Prisma Access independently provides the same type of protection as the firewalls, rebuilt for
the various infrastructures used for remote network locations and mobile users.
b) Prisma Access independently provides the exact same protection as the firewalls, rebuilt for the
various infrastructures used for remote network locations and mobile users.
c) Prisma Access securely routes traffic for remote network locations and mobile users through the
same PAN-OS based firewalls used to protect the network.*
d) Prisma Access leverages native cloud security and other security infrastructure to provide
security to remote network locations and mobile users.
49) Which combination facilitates leveraging the combination of WildFire analysis with PAN-DB and
third-party IOC services?
a) Panorama and WildFire
b) AutoFocus and MineMeld*
c) Traps and Cortex XDR
d) Prisma SaaS and Prisma Public Cloud
51) Which profile type is used to protect against most protocol-based attacks?
a) Antivirus
b) URL Filtering
c) Vulnerability Protection*
d) WildFire Analysis
53) How does an administrator specify in the firewall that certain credentials should not be sent to
certain URLs?
a) with a URL Filtering Profile*
b) with User-ID
c) with App-ID
d) with a Credential Theft Profile
54) What is the maximum number of servers supported by a single User-ID agent?
a) 10
b) 50
c) 100*
d) 500
55) How does the firewall know that a specific connection comes from a specific user?
a) Every connection has a user ID encoded in it.
b) User-ID is supported only in protocols that use user authentication, which provides the user
identity to the firewall and the back end.
c) The firewall always uses the IP address in the IP header to locate the user ID, but this initial
identification is overridden by additional techniques such as HTTP proxies that provide the
client’s IP address in the HTTP header.
d) Usually the firewall uses the IP address in the IP header to locate the user ID, but additional
techniques are available as alternatives such as HTTP proxies providing the client’s IP address in
the HTTP header.*
56) A customer has a proprietary user authentication system that is not supported by User-ID. Can you
provide User-ID information to their firewall, and if so, how?
a) It is impossible. The customer will need to upgrade to something more standard.
b) It can be done, but only for HTTP applications because HTTP supports XFF headers.
c) It can be done using the XML API.*
d) It can be done, but it requires programming that can be performed only by the Palo Alto
Networks Professional Services organization.
57) Should you limit the permission of the user who runs the User-ID agent? If so, why?
a) Yes, because of the principle of least privilege. You should give processes only those permissions
that are necessary for them to work.*
b) Yes, to an extent. You can give it most privileges, but there is no actual user, so you should not
let it start an interactive login.
c) Yes, to an extent. You can give it most privileges, but there is no actual user, so you should not
let it have remote access.
d) No, there is nothing wrong with using the administrator’s account.
58) Which three reasons could cause a firewall that is fully configured, including decryption, to not
recognize an application? (Choose three.)
a) The application is running over SSL.
b) There is no App-ID signature for an unanticipated application.*
c) The application is running over ICMP.
d) The application is running over UDP.
e) A TCP handshake completed but no application traffic reached the firewall.*
f) Payload reached the firewall, but not enough data packets to identify the application.*
59) Which two methods are best practices for adding a custom application that runs on TCP port 25 to
the firewall? (Choose two.)
a) Request an App-ID from Palo Alto Networks.*
b) Create a custom application with a signature.*
c) Create a custom application and define an Application Override policy.
d) Write JavaScript code to identify the application.
e) Write Python code to identify the application.
60) Which five types of file does WildFire analyze as executables? (Choose five.)
a) JAR*
b) Portable Document Format*
c) MP4
d) Portable Executable*
e) Office Open XML (.docx)*
f) Executable and Linkable Format*
g) BMP
61) Which decryption mode or modes require(s) the private key of the destination server? (Choose a
single answer.)
a) Forward Proxy
b) Inbound Inspection*
c) Both Forward Proxy and Inbound Inspection
d) SSH Proxy
65) An environment generates 3TB of firewall data and 4TB of Traps data over 30 days. Which licenses
must be purchased for Cortex XDR?
a) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
5TB
b) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 3TB
c) a 4TB license for Traps logs, a 3TB license for firewall logs, and a Cortex XDR license for up to
10TB
d) a 7TB license for Cortex Data Lake and a Cortex XDR license for up to 10TB*
66) Which Prisma SaaS licensing is required for a customer with 5,000 employees, 200 SFDC accounts,
and 1,000 ServiceNow accounts?
a) 5,000 users, all apps license
b) 5,000 users, one app license
c) 200 users, all apps license and a 5,000 users, one app license
d) 1,000 users, all apps license*
67) A Prisma Access customer has 50,000 unique mobile users, but uses only 2,000 at a time. Which
mobile user license do they need?
a) 2,000 users
b) 50,000 users*
c) a weighted average of usage over time
d) a pay-as-you-go license
17. A, B, D
18. D
19. C
20. B
21. C
22. A
23. A, B
Glossary
Advanced Encryption Standard (AES): A symmetric block cipher based on the Rijndael cipher.
application programming interface (API): A set of routines, protocols, and tools for building software
applications and integrations.
bot: Individual endpoints that are infected with advanced malware that enables an attacker to take
control of the compromised endpoint. Also known as a zombie. See also botnet.
botnet: A network of bots (often tens of thousands or more) working together under the control of
attackers using numerous command and control (C2) servers. See also bot.
bring your own apps (BYOA): Closely related to BYOD, BYOA is a policy trend in which organizations
permit end users to download, install, and use their own personal apps on mobile devices, primarily
smartphones and tablets, for work-related purposes. See also bring your own device (BYOD).
bring your own device (BYOD): A policy trend in which organizations permit end users to use their own
personal devices, primarily smartphones and tablets, for work-related purposes. BYOD relieves
organizations from the cost of providing equipment to employees, but creates a management challenge
because of the vast number and type of devices that must be supported. See also bring your own apps
(BYOA).
covered entity: Defined by HIPAA as a healthcare provider that electronically transmits PHI (such as
doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), a health plan
(such as a health insurance company, health maintenance organization, company health plan, or
government program including Medicare, Medicaid, military and veterans’ healthcare), or a healthcare
clearinghouse. See also Health Insurance Portability and Accountability Act (HIPAA) and protected health
information (PHI).
data encapsulation: A process in which protocol information from the OSI layer immediately above is
wrapped in the data section of the OSI layer immediately below. See also open systems interconnection
(OSI) reference model.
DDoS: See distributed denial-of-service (DDoS).
distributed denial-of-service (DDoS): A type of cyberattack in which extremely high volumes of network
traffic such as packets, data, or transactions are sent to the target victim’s network to make their
network and systems (such as an e-commerce website or other web application) unavailable or
unusable.
electronic health record (EHR): As defined by HealthIT.gov, an EHR “goes beyond the data collected in
the provider’s office and include[s] a more comprehensive patient history. EHR data can be created,
managed, and consulted by authorized providers and staff from across more than one healthcare
organization.”
electronic medical record (EMR): As defined by HealthIT.gov, an EMR “contains the standard medical
and clinical data gathered in one provider’s office.”
endpoint: A computing device such as a desktop or laptop computer, handheld scanner, Point of Sale
(POS) terminal, printer, satellite radio, security or videoconferencing camera, self-service kiosk, server,
smart meter, smart TV, smartphone, tablet, or Voice over Internet Protocol (VoIP) phone. Although
endpoints can include servers and network equipment, the term generally is used to describe end user
devices.
Extensible Markup Language (XML): A programming language specification that defines a set of rules
for encoding documents in a human- and machine-readable format.
false negative: In anti-malware, malware that is incorrectly identified as a legitimate file or application.
In intrusion detection, a threat that is incorrectly identified as legitimate traffic. See also false positive.
false positive: In anti-malware, a legitimate file or application that is incorrectly identified as malware.
In intrusion detection, legitimate traffic that is incorrectly identified as a threat. See also false negative.
favicon (“favorite icon”): A small file containing one or more small icons associated with a particular
website or webpage.
generic routing encapsulation (GRE): A tunneling protocol developed by Cisco Systems that can
encapsulate various network layer protocols inside virtual point-to-point links.
Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires financial institutions to implement privacy and
information security policies to safeguard the non-public personal information of clients and consumers.
Also known as the Financial Services Modernization Act of 1999.
hacker: Originally used to refer to anyone with highly specialized computing skills, without connoting
good or bad purposes. However, common misuse of the term has redefined a hacker as someone who
circumvents computer security with malicious intent, such as a cybercriminal, cyberterrorist, or
hacktivist.
Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that defines data privacy and
security requirements to protect individuals’ medical records and other personal health information. See
also covered entity and protected health information (PHI).
indicator of compromise (IoC): A network or operating system (OS) artifact that provides a high level of
confidence that a computer security incident has occurred.
least privilege: A network security principle in which only the permission or access rights necessary to
perform an authorized task are granted.
malware: Malicious software or code that typically damages, takes control of, or collects information
from an infected endpoint. Malware broadly includes viruses, worms, Trojan horses (including Remote
Access Trojans, or RATs), anti-AV, logic bombs, backdoors, rootkits, bootkits, spyware, and (to a lesser
extent) adware.
Network and Information Security (NIS) Directive: A European Union (EU) directive that imposes
network and information security requirements – to be enacted by national laws across the EU within
two years of adoption in 2016 – for banks, energy companies, healthcare providers, and digital service
providers, among others.
one-way (hash) function: A mathematical function that creates a unique representation (a hash value)
of a larger set of data in a manner that is easy to compute in one direction (input to output), but not in
the reverse direction (output to input). The hash function can’t recover the original text from the hash
value. However, an attacker could attempt to guess what the original text was and see if it produces a
matching hash value.
open systems interconnection (OSI) reference model: Defines standard protocols for communication
and interoperability using a layered approach in which data is passed from the highest layer
(application) downward through each layer to the lowest layer (physical), then transmitted across the
network to its destination, then passed upward from the lowest layer to the highest layer. See also data
encapsulation.
packet capture (pcap): A traffic intercept of data packets that can be used for analysis.
Payment Card Industry Data Security Standards (PCI DSS): A proprietary information security standard
mandated and administered by the PCI Security Standards Council (SSC), and applicable to any
organization that transmits, processes, or stores payment card (such as debit and credit cards)
information. See also PCI Security Standards Council (SSC).
PCI: See Payment Card Industry Data Security Standards (PCI DSS).
PCI DSS: See Payment Card Industry Data Security Standards (PCI DSS).
PCI Security Standards Council (SSC): Comprised of Visa, MasterCard, American Express, Discover, and
JCB, the SSC maintains, evolves, and promotes PCI DSS. See also Payment Card Industry Data Security
Standards (PCI DSS).
Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian privacy law that
defines individual rights with respect to the privacy of their personal information, and governs how
private sector organizations collect, use, and disclose personal information in the course of business.
Personally Identifiable Information (PII): Defined by the U.S. National Institute of Standards and
Technology (NIST) as “any information about an individual maintained by an agency, including (1) any
information that can be used to distinguish or trace an individual’s identity… and (2) any other
information that is linked or linkable to an individual….”
PIPEDA: See Personal Information Protection and Electronic Documents Act (PIPEDA).
protected health information (PHI): Defined by HIPAA as information about an individual’s health
status, provision of healthcare, or payment for healthcare that includes identifiers such as names,
geographic identifiers (smaller than a state), dates, phone and fax numbers, email addresses, Social
Security numbers, medical record numbers, or photographs. See also Health Insurance Portability and
Accountability Act (HIPAA).
public key infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage,
distribute, use, store, and revoke digital certificates and manage public key encryption.
quality of service (QoS): The overall performance of specific applications or services on a network
including error rate, bit rate, throughput, transmission delay, availability, jitter, etc. QoS policies can be
configured on certain network and security devices to prioritize certain traffic, such as voice or video,
over other, less performance-intensive traffic, such as file transfers.
Remote Authentication Dial-In User Service (RADIUS): A client/server protocol and software that
enables remote access servers to communicate with a central server to authenticate users and authorize
access to a system or service.
representational state transfer (REST): An architectural programming style that typically runs over
HTTP, and is commonly used for mobile apps, social networking websites, and mashup tools.
Sarbanes-Oxley (SOX) Act: A U.S. law that increases financial governance and accountability in publicly
traded companies.
script kiddie: Someone with limited hacking and/or programming skills who uses malicious programs
(malware) written by others to attack a computer or network.
Secure Sockets Layer (SSL): A cryptographic protocol for managing authentication and encrypted
communication between a client and server to protect the confidentiality and integrity of data
exchanged in the session.
software as a service (SaaS): A cloud computing service model, defined by the U.S. National Institute of
Standards and Technology (NIST), in which “the capability provided to the consumer is to use the
provider’s applications running on a cloud infrastructure. The applications are accessible from various
client devices through either a thin client interface, such as a web browser, or a program interface. The
consumer does not manage or control the underlying cloud infrastructure including network, servers,
operating systems, storage, or even individual application capabilities, with the possible exception of
limited user-specific application configuration settings.”
spear phishing: A highly targeted phishing attack that uses specific information about the target to make
the phishing attempt appear legitimate.
structured threat information expression (STIX): An XML format for conveying data about cybersecurity
threats in a standardized format. See also Extensible Markup Language (XML).
TLS: See Transport Layer Security (TLS).
Transport Layer Security (TLS): The successor to SSL (although it still is commonly referred to as SSL).
See also Secure Sockets Layer (SSL).
uniform resource locator (URL): A unique reference (or address) to an internet resource, such as a
webpage.
vulnerability: A bug or flaw that exists in a system or software, and creates a security risk.
zero-day threat: The window of vulnerability that exists from the time a new (unknown) threat is
released until security vendors release a signature file or security patch for the threat.
Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Centers delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security certifications
give you the Palo Alto Networks Security Operating Platform knowledge necessary to prevent successful
cyberattacks and to safely enable applications.
Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital learning classes are a helpful way to reinforce
the key information for those who have been to the formal hands-on classes. They also serve as a useful
overview and introduction to working with our technology for those unable to travel to a hands-on,
instructor-led class.
Simply register in our Learning Center and you will be given access to our digital learning portfolio.
These online classes cover foundational material and contain narrated slides, knowledge checks, and,
where applicable, demos for you to access.
New courses are being added often, so check back to see new curriculum available.
Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?
Palo Alto Networks Authorized Training Centers (ATCs) are located globally and offer a breadth of
solutions from onsite training to public, open environment classes. There are about 38 authorized
training centers at more than 80 locations worldwide. For class schedule, location, and training
offerings, see https://www.paloaltonetworks.com/services/education/atc-locations.