
PSE Strata Professional

Study Guide
February 2022

PSE Strata Professional by Palo Alto Networks


Table of Contents
How to Use This Study Guide 6
What Has Changed in This Study Guide 6

About the PSE: Strata Professional Exam 6


Exam Format 6
How to Take This Exam 6
Disclaimer 7

Audience and Qualifications 7


Skills Required 7

Recommended Training 7

Domain 1: Business Value 8


1.1 Explain the business value of Palo Alto Networks Next-Generation Firewall 8
1.1.1 Describe how the Palo Alto Networks strategic approach to cybersecurity secures an
organization by eliminating implicit trust and continuously validating every stage of a
digital interaction 8
1.1.2 Contrast the technical business value of NGFWs with traditional stateful firewalls 9
1.1.3 Explain the technical business value of Content-ID 10
1.1.4 Explain the technical business value of User-ID and Device-ID 12
1.1.5 Explain how Palo Alto Networks efficiencies lead to platform and process consolidation 15
1.1.6 References 17
1.2 Identify the business value of Panorama 17
1.2.1 Explain the business value of Panorama for unified management 17
1.2.2 Explain the business value of Panorama for centralized logging and reporting 19
1.2.3 References 20

Domain 2: Competitive Differentiators 21


2.1 Emphasize the competitive advantages of real-time analysis 21
2.1.1 Emphasize the competitive advantage of inline machine learning and its ability to
prevent unknown threats 21
2.1.2 Describe the value of the Palo Alto Networks application-first approach 21
2.1.3 References 22
2.2 Explain the benefits of SP3 22
2.2.1 Explain how an NGFW inspects data through an SP3 23
2.2.2 Explain how performance is affected by Security subscription adoption 24
2.2.3 Differentiate between slow path, fast path, and offload 25
2.2.4 References 26
2.3 Compare and contrast the benefits of Advanced URL Filtering and DNS Security 26
2.3.1 Identify where in the inspection process Advanced URL Filtering and DNS Security are
used and how they differ 26
2.3.2 Differentiate between cloud-delivered security services and real-time detection 28

2.3.3 Identify the dependencies of Advanced URL Filtering and DNS Security 30
2.3.4 Identify the benefits of inspection beyond malicious traffic inspection 34
2.3.5 References 36

Domain 3: Architecture and Planning 37


3.1 Identify customer requirements 37
3.1.1 Explain how reference architecture guides can enable discovery 37
3.1.2 Demonstrate understanding of the design elements that relate to applications, users,
and infrastructure 37
3.1.3 Identify cloud-delivered security services requirements based on a customer’s
architecture or deployment strategy 38
3.1.4 Identify Panorama customer management and logging requirements 40
3.1.5 Differentiate between private and public cloud WildFire 42
3.1.6 References 43
3.2 Identify deployment use cases 43
3.2.1 Explain the use and value of the different deployment modes 43
3.2.2 Identify architecture requirements for internet edge deployments 44
3.2.3 Explain architecture use cases for cloud deployments 46
3.2.4 Explain architecture requirements for core deployments 46
3.2.5 References 50
3.3 Describe the flexibility of Palo Alto Networks platform networking capabilities 50
3.3.1 Explain how virtual routers work on NGFWs 50
3.3.2 Identify the supported routing protocols 51
3.3.3 References 52
3.4 Identify the most effective tools, resources, and reference guides for sizing 53
3.4.1 Identify available tools for platform sizing 53
3.4.2 Demonstrate understanding of decryption requirements 53
3.4.3 Identify and size customer logging requirements 54
3.4.4 Identify tools and capabilities available for customer best practice review 55
3.4.5 References 56

Domain 4: Demonstration and Evaluation 57


4.1 Demonstrate knowledge of the advanced capabilities of the NGFW 57
4.1.1 Describe the value of the Palo Alto Networks consolidated Security policy 57
4.1.2 Describe the NGFW’s ability to enforce application-default behavior and prevent
misuse of nonstandard ports 57
4.1.3 Identify benefits of Policy Optimizer 58
4.1.4 Demonstrate knowledge of the Cloud Identity Engine’s ability to simplify deployment
of cloud-based services to provide user authentication 59
4.1.5 Demonstrate knowledge of dynamic user groups 63
4.1.6 References 64
4.2 Identify NGFW features that can protect against unknown threats 64
4.2.1 Explain how WildFire protects against unknown threats 64
4.2.2 Explain how App-ID prevents malicious use of services and ports 65

4.2.3 Describe the benefits of URL Filtering in protecting against unknown threats 66
4.2.4 Identify configuration artifacts associated with DNS Security 67
4.2.5 References 68
4.3 Identify NGFW features that can protect against known threats 68
4.3.1 Identify configuration artifacts associated with threat prevention 68
4.3.2 Identify configuration artifacts associated with DNS Security 69
4.3.3 Identify configuration artifacts associated with Advanced URL Filtering 70
4.3.4 Explain how adopting external dynamic lists with threat intelligence protects against
known threats 70
4.3.5 References 71
4.4 Explain how NGFWs can prevent credential theft 72
4.4.1 Describe the benefits of credential theft prevention 72
4.4.2 Identify the components required to demonstrate and architect credential phishing
prevention 72
4.4.3 References 75
4.5 Explain the NGFW evaluation process 75
4.5.1 Determine the artifacts required to successfully execute a customer evaluation 75
4.5.2 Identify customer data privacy requirements 76
4.5.3 Define baseline configuration requirements 77
4.5.4 Present results of an evaluation 78
4.5.5 References 80

Domain 5: Network Security Best Practices 81


5.1 Define the Palo Alto Networks best practice methodology using a Zero Trust approach to
network security 81
5.1.1 Identify best practice for eliminating implicit user trust, regardless of user location 82
5.1.2 Identify best practice for eliminating implicit trust within applications 82
5.1.3 Identify best practice for eliminating implicit trust of infrastructure 82
5.1.4 References 83
5.2 Demonstrate understanding of the best practices of the five-step methodology for
implementing the Zero Trust model 83
5.2.1 Explain customer-sensitive data discovery as defined in the Zero Trust model 84
5.2.2 Define best practices for network security 84
5.2.3 Define a customer’s architecture in a Zero Trust network 90
5.2.4 Define Zero Trust policies and controls 91
5.2.5 Explain how Palo Alto Networks validates each transaction in a Zero Trust model 91
5.2.6 References 91
5.3 Identify best practices for implementing SSL decryption 91
5.3.1 Identify decryption requirements 91
5.3.2 Explain the value of SSL default decryption exclusion lists 92
5.3.3 Identify the decryption deployment methods 94
5.3.4 References 99

Appendix A: Sample Questions 100

Appendix B: Answers to Sample Questions 111

Appendix C: What’s Different in This Study Guide 122

Continuing Your Learning Journey with Palo Alto Networks 123

How to Use This Study Guide
Welcome to the Palo Alto Networks® PSE: Strata Professional Study Guide. The purpose
of this guide is to help you prepare for your Palo Alto Networks Systems Engineer: Strata
Professional exam, abbreviated as PSE: Strata Professional.

You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.

About the PSE: Strata Professional Exam

The PSE: Strata Professional exam validates the knowledge, skills, and abilities required to be
successful in the technical sales of the Strata products and services. PSE: Strata Professional
certified individuals have demonstrated in-depth knowledge of how to present, demonstrate,
evaluate, and defend the value of Palo Alto Networks Strata technology. For specific topics, refer to
the exam blueprint and the sections outlined within this document.

More information is available from the Palo Alto Networks Loop page at:
https://theloop.paloaltonetworks.com/loop/se-pse-certifications-page-for-se-leaders?contentV1Fallback=true

PSE Strata technical documentation for partners is located at:
https://beacon.paloaltonetworks.com/student/collection/656332-palo-alto-networks-systems-engineer-pse-strata-professional?sid=8f2d9bed-c774-4834-b6d7-273e4ee2cb19&sid_i=0

For employees, technical documentation can be found here:
https://paloaltonetworks.exceedlms.com/student/path/671178-palo-alto-networks-systems-engineer-pse-strata-professional?sid=bbf7dafd-6f54-461c-856d-1a2754baa1c0&sid_i=2

Exam Format

The exam format is 60 multiple-choice questions. Candidates will have five minutes to complete
the Non-Disclosure Agreement, 80 minutes (one hour, 20 minutes) to complete the exam
questions, and five minutes to complete an exit survey.

The approximate distribution of items by topic (Exam Domain) and topic weightings are
shown in the following table.

Exam Domain                         Weight (%)
Business Value                      11%
Competitive Differentiators         15%
Architecture and Planning           25%
Demonstration and Evaluation        31%
Network Security Best Practices     18%
TOTAL                               100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

To register for PSE Professional exams on the Pearson VUE website, candidates need to add one of
the following private access codes:
1. PSE-PAC (if you are taking the exam at a testing center)
2. PSE-OP (if you are taking the exam at home or in the office)

Full instructions on how to schedule the exam can be found at
https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/marketing/docs/pse-exam-instructions.pdf.

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is
not intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and
use the resources and courses recommended in this guide where needed to gain that
understanding.

Audience and Qualifications


This exam is designed for individuals with the following job roles:
● Pre-Sales Engineers
● Systems Engineers / Solutions Architects
● Global Systems Integrator Engineers
● Customer Success Engineers

Skills Required

● You can effectively and independently position the Palo Alto Networks network security
solution.
● You can match common network security use cases to customer requirements.
● You can overcome customer technical objections, up to and including showcasing feature
functionality.
● You can proficiently deploy and configure a proof of concept (POC).
● You have six months of Palo Alto Networks SE field experience with mentoring.
● You have five years of experience with Network Security in a Pre-Sales or Post-Sales
Engineer role.
● You have experience with cybersecurity products.
● You have passed the PSE: Strata Associate exam (strongly recommended).

Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● PSE Foundation
● PSE Strata Associate
● SE Boot Camp (internal only)

Domain 1: Business Value
1.1 Explain the business value of Palo Alto Networks Next-Generation Firewall

1.1.1 Describe how the Palo Alto Networks strategic approach to cybersecurity secures an
organization by eliminating implicit trust and continuously validating every stage of a digital
interaction

Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with
technology that is transforming the way people and organizations operate. Our mission is to be the
cybersecurity partner of choice, protecting our digital way of life. We help address the world’s
greatest security challenges with continuous innovation that seizes the latest breakthroughs in
artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform
and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of
thousands of organizations across clouds, networks, and mobile devices. Our vision is a world
where each day is safer and more secure than the one before.

Palo Alto Networks next-generation firewalls (NGFWs) detect known and unknown threats,
including in encrypted traffic, using intelligence generated across many thousands of customer
deployments to reduce risks and prevent a broad range of attacks. For example, they enable users
to access data and applications based on business requirements, and they stop credential theft
and an attacker’s ability to use stolen credentials.

Palo Alto Networks Next-Generation Security Platform enables you to empower your business
using a single-pass software engine that provides full contextual awareness for the application,
content within, and the user. When our platform first sees network traffic, the single-pass software
immediately determines three critical elements that drive your Security policy: the application
identity, regardless of port; the content, malicious or otherwise; and the user identity. With these
three elements as the basis for your Security policy, you can reduce your threat footprint, prevent
attacks, and map policies to users.

Complementing the single-pass, parallel processing architecture (SP3)—and further enabling
security functionality consolidation—is a zone-based policy methodology. Rather than adhere to
the strict “trust/untrust” demilitarized zone (DMZ) boundaries, security zones allow the creation of
logical groupings of physical interfaces, virtual local area networks (VLANs), and IP addresses. Once
created, each zone is then protected by positive control model firewall policies that dictate what
you will, or will not, allow.

The Next-Generation Security Platform enables organizations to:

● Reduce the threat footprint. Classify all traffic, across all ports, all the time. Today,
applications and their associated content can easily bypass a port-based firewall. Our
security platform natively applies multiple classification mechanisms to the traffic stream to
identify applications, threats, and malware. All traffic is classified, regardless of port,
encryption (Secure Sockets Layer [SSL] or Secure Shell [SSH]), or evasive techniques
employed. Unidentified applications—typically a small percentage of traffic, yet high in
potential risk—are automatically categorized for systematic management. Using a positive
control model, a design unique to our platform, you can set policies based on applications
or functions and block all others (implicitly or explicitly), thereby reducing the threat
footprint.

● Prevent known and unknown attacks. Once the threat footprint is reduced by allowing
specific applications and denying all others, coordinated cyberattack prevention can then
be applied to block known malware sites and prevent vulnerability exploits, viruses, spyware,
and malicious Domain Name System (DNS) queries. Any custom or unknown malware is
analyzed and identified by executing the files and directly observing their malicious
behavior in a virtualized sandbox environment. When new malware is discovered, a
signature for the infecting file and related malware traffic is automatically generated and
delivered to you. Threat prevention policies are uniquely applied to specific application
flows, not globally to specific ports.

● Tie policies to users. To improve your security posture and reduce incident response times,
it’s critical to map application usage to user and device type—and to be able to apply that
context to your Security policy. Integration with a wide range of enterprise user repositories
provides the identity of the Microsoft Windows, macOS, Linux, Android, or iOS user and
device accessing the application. The combined visibility and control over both users and
devices mean you can safely enable the use of any application traversing your network, no
matter where the user is or what type of device they are using. Establishing the context of
the specific applications in use, the content or threat they may carry, and the associated
user or device helps you streamline policy management, improve your security posture, and
accelerate incident investigation.
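The positive control model described in the bullets above can be seen more concretely in a small policy evaluator. The following Python is an added illustration written for this guide's readers; it is not PAN-OS code and not Palo Alto Networks' implementation. It models a zone-based rulebase whose rules match on source and destination zone, the application identity assigned to the flow by classification, and optionally the user's group, never on the destination port, with an implicit deny for anything no rule allows. The zone names, rule names, users and group mapping are constructed for the example.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

# Added, simplified model of a zone-based, positive-control Security policy
# (illustration only, not PAN-OS code). Rules match on source/destination
# zone, the application identity assigned to the flow by classification, and
# optionally the user's group. The port is deliberately not a match criterion,
# and a flow that no rule allows falls through to an implicit deny.

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    app: str              # identity assigned by traffic classification, not by port
    dst_port: int         # carried for logging only; never consulted by the policy
    user: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]
    apps: FrozenSet[str]
    action: str                          # "allow" or "deny"
    groups: FrozenSet[str] = ANY         # user groups; "any" means no user constraint


# Constructed sample of user-to-group mapping (the kind of data User-ID group mapping supplies)
GROUP_MAPPING = {"alice": frozenset({"it-support"}), "bob": frozenset({"staff"})}


def _matches(value: str, allowed: FrozenSet[str]) -> bool:
    return "any" in allowed or value in allowed


def _user_matches(user: Optional[str], groups: FrozenSet[str]) -> bool:
    if "any" in groups:
        return True
    if user is None:                     # an unmapped user can never satisfy a group-based rule
        return False
    return bool(GROUP_MAPPING.get(user, frozenset()) & groups)


def evaluate(rules: Tuple[Rule, ...], flow: Flow) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if (_matches(flow.src_zone, rule.src_zones)
                and _matches(flow.dst_zone, rule.dst_zones)
                and _matches(flow.app, rule.apps)
                and _user_matches(flow.user, rule.groups)):
            return rule.name, rule.action
    return "implicit-deny", "deny"


# Constructed sample rulebase: only named applications are allowed; everything else is denied.
RULES = (
    Rule("allow-web", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("allow-rdp-it", frozenset({"trust"}), frozenset({"dmz"}),
         frozenset({"ms-rdp"}), "allow", frozenset({"it-support"})),
)


if __name__ == "__main__":
    samples = [
        Flow("trust", "untrust", "web-browsing", 8080),        # web on a nonstandard port
        Flow("trust", "untrust", "ssh", 443),                  # ssh hiding on tcp/443
        Flow("trust", "dmz", "ms-rdp", 3389, user="alice"),    # IT support member
        Flow("trust", "dmz", "ms-rdp", 3389, user="bob"),      # regular staff
    ]
    for f in samples:
        print(f"{f.app:>12} on tcp/{f.dst_port:<5} user={str(f.user):6} -> {evaluate(RULES, f)}")
```

The two points worth noticing are that web-browsing on tcp/8080 is still allowed because the rule keys on the application, not the port, and that ssh carried over tcp/443 is denied even though a port-based rule permitting 443 would have let it through.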

1.1.2 Contrast the technical business value of NGFWs with traditional stateful firewalls

Stateful firewalls
Early on, stateful inspection firewalls classified traffic by looking only at the destination port (e.g.,
tcp/80 = HTTP). As the need for application awareness arose, many vendors added application
visibility and other software or hardware “blades” into their stateful inspection firewalls. They then
sold this offering as a Unified Threat Management (UTM) solution. UTM systems did not improve
security, since the functions were retrofitted into the firewall and not natively integrated.

Unlike UTM systems, an NGFW is application aware and makes decisions based on application, user,
and content. Its natively integrated design simplifies operation and improves security. Given its
success, the term “NGFW” has now become synonymous with “firewall.”

App-ID
App-ID™ is a traffic-classification technology that identifies applications traversing the network,
irrespective of port, protocol, evasive characteristic, or encryption (SSL or SSH).

App-ID uses as many as four identification techniques to determine the exact identity of
applications traversing the network. Identifying the application is App-ID’s very first task, providing
administrators with the greatest amount of application knowledge and the most flexibility in terms
of safe application. As the foundational element of the Palo Alto Networks NGFW, App-ID provides
visibility and control over work-related and non-work-related applications that can evade detection
by masquerading as legitimate traffic, hopping ports or sneaking through the firewall using
encryption (SSL and SSH). In the past, unapproved or non-work-related applications on the
corporate network were summarily removed or blocked. However, in today’s business environment,
the response options are not nearly as clear. Many of these applications help employees get their
jobs done. App-ID enables administrators to see the applications on the network, learn how they
work, learn their behavioral characteristics, and gauge their relative risk. When used in conjunction
with User-ID™, administrators can see exactly who is using applications based on the user’s
identity, not just an IP address. Armed with this information, administrators can use positive
security model rules to block unknown applications while enabling, inspecting, and shaping
applications that are allowed.

1.1.3 Explain the technical business value of Content-ID

Content-ID™ combines a real-time threat prevention engine with a comprehensive URL database
and elements of application identification to limit unauthorized data and file transfers and detect
and block a wide range of exploits, malware, dangerous web surfing, and targeted and unknown
threats. The application visibility and control delivered by App-ID, combined with the content
inspection enabled by Content-ID, means that IT departments can regain control over application
traffic and related content.

Enterprises of all sizes are at risk from increasingly sophisticated network-borne threats. Content-ID
delivers a new approach based on the complete analysis of all allowed traffic using multiple threat
prevention and data loss prevention techniques in a single, unified engine. Unlike traditional
solutions, Palo Alto Networks actually controls the threat vectors themselves through the granular
management of all types of applications. This immediately reduces the attack surface of the
network, after which all allowed traffic is analyzed for exploits, malware, malicious URLs, and
dangerous or restricted files or content. Content-ID then goes beyond stopping known threats to
proactively identify and block unknown malware and exploits often used in sophisticated network
attacks.

Content-ID is built on a single-pass, parallel processing architecture that uniquely integrates
software and hardware to simplify management, streamline processing, and maximize
performance. The SP3 integrates multiple threat prevention disciplines (intrusion prevention
system [IPS], anti-malware, URL filtering, etc.) into a single stream-based engine with a uniform
signature format. This allows traffic to be fully analyzed in a single pass without the incremental
performance degradation seen in other multifunction gateways. The software is tied directly to a
parallel processing hardware platform that uses function-specific processors for threat prevention
to maximize throughput and minimize latency. The VM-Series firewall supports CPU
oversubscription on all models. CPU oversubscription allows you deploy a higher density of
VM-Series firewalls on hypervisors running on x86 architecture. You can deploy two (2:1) to five (5:1)
VM-Series firewalls per required allocation of CPUs.

Threat prevention
Enterprise networks are facing a rapidly evolving threat landscape full of modern applications,
exploits, malware, and attack strategies that are capable of avoiding traditional methods of
detection. Threats are delivered via applications that dynamically hop ports, use nonstandard ports,
tunnel within other applications, routinely avoid proxies, and hide behind SSL or other types of
encryption. These techniques can prevent traditional security solutions such as IPS and firewalls
from ever inspecting the traffic, thus enabling threats to easily and repeatedly flow across the
network. Additionally, enterprises are exposed to targeted and customized malware that may pass
undetected through traditional antivirus solutions.

Content-ID addresses these challenges with unique threat prevention abilities not found in other
security solutions. First, the NGFW removes the methods that threats use to hide from security
through the complete analysis of all traffic, on all ports, regardless of evasion, tunneling, or
circumvention techniques. Simply put, no threat prevention solution will be effective if it does not
have visibility into the traffic. Only Palo Alto Networks ensures that visibility through the
identification and control of all traffic.

1.1.4 Explain the technical business value of User-ID and Device-ID

User-ID
User-ID enables you to identify all users on your network, across locations, access methods, and
operating system. Knowing who your users are instead of just their IP addresses enables:

● Visibility. Improved visibility into application usage based on users gives you a more
relevant picture of network activity. The power of User-ID becomes evident when you notice
a strange or unfamiliar application on your network. Using either the Application Command
Center (ACC) or the log viewer, your security team can discern what the application is, who
the user is, bandwidth and session consumption, and the source and destination of the
application traffic, as well as any associated threats.

● Policy control. Tying user information to Security policy rules improves safe enablement of
applications traversing the network and ensures that only users who have a business need
for an application have access. For example, some applications must be available to any
known user on your network, such as human resources applications like Workday or
ServiceNow. However, for more sensitive applications, you can reduce your attack surface by
ensuring that only users who need these applications can access them. For example, while
IT support personnel may need access to remote desktop applications, the majority of your
users do not. Limiting access by user information strengthens your security posture.

● Logging, reporting, forensics. If a security incident occurs, forensics analysis and reporting
based on user information rather than IP address provides a more complete picture of the
incident. For example, you can use the predefined User/Group Activity report to see a
summary of the web activity of individual users or user groups. The SaaS Application Usage
report reveals which users are transferring the most data over unsanctioned software as a
service (SaaS) applications.

To enforce user- and group-based policies, the firewall must be able to map IP addresses to
usernames in the packets it receives. User-ID provides many mechanisms to collect this user
mapping information. For example, the User-ID agent monitors server logs for login events and
listens for syslog messages from authenticating services. To identify mappings for IP addresses that
the agent did not map, you can configure an Authentication policy to redirect HTTP requests to a
Captive Portal login. You can tailor the user mapping mechanisms to suit your environment and
even use different mechanisms at different sites to ensure that you are safely enabling access to
applications for all users, in all locations, all the time.
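To make the IP-address-to-username mapping described above tangible, the following Python is an added example written for this guide's readers; it is not the User-ID agent's code and the syslog format it parses is constructed for the example (real authentication sources and their parsers differ). It maintains a mapping table from login and logout events, expires stale entries after a timeout, and reports which addresses have no usable mapping and would therefore need another source such as a Captive Portal login.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# Added illustration (not the User-ID agent's code) of the IP-address-to-username
# table that user mapping maintains from login/logout events. The syslog lines and
# their format are constructed for this example.

SAMPLE_SYSLOG = """\
2022-02-14T09:00:01 authsrv login[101]: Accepted login for user alice from 10.1.1.20
2022-02-14T09:05:42 authsrv login[102]: Accepted login for user bob from 10.1.1.21
2022-02-14T09:30:00 authsrv login[103]: Session closed for user bob from 10.1.1.21
2022-02-14T10:15:00 authsrv login[104]: Accepted login for user carol from 10.1.1.20
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LOGIN_RE = re.compile(
    rf"^(?P<ts>\S+) \S+ \S+: Accepted login for user (?P<user>\S+) from (?P<ip>{IPV4})$")
LOGOUT_RE = re.compile(
    rf"^(?P<ts>\S+) \S+ \S+: Session closed for user (?P<user>\S+) from (?P<ip>{IPV4})$")


class UserMappingTable:
    """IP address -> (username, time of the last login event), with an expiry timeout."""

    def __init__(self, timeout: timedelta = timedelta(minutes=45)) -> None:
        self.timeout = timeout
        self._map: Dict[str, Tuple[str, datetime]] = {}

    def ingest(self, line: str) -> None:
        m = LOGIN_RE.match(line)
        if m:
            # A newer login from the same address replaces the previous mapping
            self._map[m["ip"]] = (m["user"], datetime.fromisoformat(m["ts"]))
            return
        m = LOGOUT_RE.match(line)
        if m and self._map.get(m["ip"], ("", None))[0] == m["user"]:
            del self._map[m["ip"]]       # explicit logout removes the mapping
        # any other line is not a login event and is ignored

    def lookup(self, ip: str, now: datetime) -> Optional[str]:
        entry = self._map.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if now - seen > self.timeout:    # a stale mapping is dropped rather than trusted
            del self._map[ip]
            return None
        return user


def build_table(syslog_text: str, timeout: timedelta = timedelta(minutes=45)) -> UserMappingTable:
    table = UserMappingTable(timeout)
    for line in syslog_text.splitlines():
        if line.strip():
            table.ingest(line)
    return table


def resolve_user(table: UserMappingTable, ip: str, now_iso: str) -> Optional[str]:
    """Username currently mapped to ip at the given ISO-8601 time, or None."""
    return table.lookup(ip, datetime.fromisoformat(now_iso))


def needs_captive_portal(table: UserMappingTable, ip: str, now_iso: str) -> bool:
    """True when no usable mapping exists, i.e. another source (such as a Captive
    Portal login) would be required before user-based policy can apply."""
    return resolve_user(table, ip, now_iso) is None


if __name__ == "__main__":
    table = build_table(SAMPLE_SYSLOG)
    for ip in ("10.1.1.20", "10.1.1.21", "10.1.1.99"):
        user = resolve_user(table, ip, "2022-02-14T10:20:00")
        print(f"{ip:<12} -> {user or 'unmapped (candidate for Captive Portal)'}")
```

Two behaviours of the sample matter for policy: 10.1.1.20 resolves to carol rather than alice because the most recent login wins, and 10.1.1.21 is unmapped because bob's session was closed; an expired entry is treated the same way, so a user-based rule never matches on stale identity.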

User-ID technology has four main components. The following table lists each component’s name
and primary characteristics.

Component                                  Characteristics
Palo Alto Networks NGFW                    ● Maps IP addresses to usernames
                                           ● Maps usernames to group names
PAN-OS integrated User-ID agent            ● Runs on the firewall
                                           ● Collects IP address-to-username information
Windows-based User-ID agent                ● Runs on a domain member
                                           ● Collects IP address-to-username information
Palo Alto Networks Terminal Services       ● Runs on multi-user systems such as Windows terminal
agent                                        servers and Citrix hosts
                                           ● Identifies the individual user behind each session on
                                             such a system by allocating a source-port range to
                                             each user

The User-ID agent comes in two forms: an integrated agent resident on the firewall and a
Windows-based agent:

● The PAN-OS integrated agent is included with PAN-OS software.
● The Windows-based agent is available for download from Palo Alto Networks and can be
installed on one or more Windows systems.
● A firewall can communicate with both agent types at the same time.
● Both agent types monitor up to 100 domain controllers or Microsoft Exchange servers.
● Both agent types can monitor users and domain controllers only from a single Active
Directory (AD) domain.
● The integrated agent is designed for small and midsize deployments, such as small remote
offices or lab environments.
● Multiple Windows-based agents can be deployed to handle larger environments or
multiforest domains.
● The Windows-based agents use RPC, whereas the firewall agents employ WMI.

To enable user-and group-based policy enforcement, the firewall requires a list of all available users
and their corresponding group memberships. This allows you to select groups when defining your
policy rules. The firewall collects group mapping information by connecting directly to your
Lightweight Directory Access Protocol (LDAP) directory server or by using XML application
programming interface (API) integration with your directory server. The user identity, as opposed to
an IP address, is an integral component of an effective security infrastructure. Knowing who is
using each of the applications on your network—and who may have transmitted a threat or is
transferring files—can strengthen your Security policy and reduce incident response times. User-ID
enables you to leverage user information stored in a wide range of repositories for visibility, user-
and group-based policy control, and improved logging, reporting, and forensics:

● Enable User-ID on source zones with users who will require user-based access controls for
their requests.

● Enable User-ID on internal zones only. If you enable User-ID and client probing on an
external zone (such as the internet), probes could be sent outside your protected network.
This could result in an information disclosure of the User-ID agent service account name,
domain name, and encrypted password hash, which could allow an attacker to gain
unauthorized access to protected services and applications.

● Create a dedicated service account for the User-ID agent. This is required if you plan to use
the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to monitor
domain controllers, Microsoft Exchange servers, or Windows clients for user login and
logout events.

● Map users to groups. This enables the firewall to connect to your LDAP directory and
retrieve group mapping information so that you can select usernames and group names
when creating policies.

● Map IP addresses to users. How you do this depends on where your users are located and
which types of systems they are using, as well as which systems on your network are
collecting login and logout events for your users. You must configure one or more User-ID
agents to enable user mapping.

Device-ID
Whether or not your environment supports a Bring Your Own Device (BYOD) policy, you likely
already have a large number of devices in your network—maybe even more than you realize. The
number of devices supported on a network, the need for scalability as the number of users and
devices grows, and the expanding infrastructure of the Internet of Things (IoT) present an
ever-evolving area of risk with many possibilities for exploitation by malicious users. Additionally,
once you identify these devices, how do you secure them from vulnerabilities such as outdated
operating software? Using Device-ID™ on your firewall, or pushing Device-ID policy from Panorama™,
lets you get device context for events on your network, obtain policy rule recommendations for those
devices, write policies based on devices, and enforce Security policy based on the
recommendations.

Device-ID provides policy rules that are based on a device, regardless of changes to its IP address or
location. By providing traceability for devices and associating network events with specific devices,
Device-ID allows you to gain context for how events relate to devices and write policies that are
associated with devices instead of users, locations, or IP addresses, which can change over time.
You can use Device-ID in Security, Decryption, Quality of Service (QoS), and Authentication policies.

If you use PAN-OS version 8.1.0 through PAN-OS 9.1.x on a firewall, the IoT Security license provides
device classification, behavior analysis, and threat analysis for your devices. If you use PAN-OS 10.0
or later, you can use Device-ID to obtain IP address-to-device mappings to view device context for
network events, use IoT Security to obtain policy rule recommendations for these devices, and gain
visibility for devices in reports and the ACC.

To identify and classify devices, the IoT Security app uses metadata from logs, network protocols,
and sessions on the firewall. This does not include private or sensitive information or data that is
not relevant for device identification. Metadata also forms the basis of the expected behavior for
the device, which then establishes the criteria for the policy rule recommendation that defines
what traffic and protocols to allow for that device.

1.1.5 Explain how Palo Alto Networks efficiencies lead to platform and process consolidation

Palo Alto Networks consolidates multiple, complementary security functions into a single, natively
integrated platform that safely enables users, applications, and traffic across endpoints, networks,
cloud environments, and SaaS environments. The many benefits of this platform approach include:

● Faster time to threat prevention. Automatically correlated insights between security
functions, as well as automatic distribution of signatures and other preventions, quickly
repel the newest threats in all locations.
● Greater security insights. Contextual threat intelligence applied across security functions
results in stronger awareness of network activity.
● Simpler management. The entire suite of security functions and policies is managed from a
single interface, reducing management complexity for IT and security teams.
● Comprehensive, safe enablement. A single pane of glass provides complete visibility into
users, applications, and traffic in all locations across mobile, network, cloud, and SaaS
environments.
● Flexibility. Organizations can choose which security functions to integrate, and can add
security functions over time as business needs change.
● Lower operating costs. New security functions do not require more hardware installations,
additional training for security teams, or more management overhead.
● Less disruption. Adding new security functions does not disrupt availability or require
architecture changes. In many cases you can add security functions remotely, eliminating a
truck roll or the requirement for on-site IT or security staff.
● Reduced latency. Fewer boxes and traffic inspection points improve latency for
time-sensitive applications.

Palo Alto Networks Next-Generation Security Platform automatically correlates insights on
emerging threats across endpoints, data centers, and SaaS and cloud resources, ensuring fast
responses to any threat without manual intervention. As you add security capabilities, coordination
increases—as does return on investment. Platform security capabilities include:

● A NGFW that classifies all traffic—including encrypted traffic—and enforces policies based
on applications, users, and content without sacrificing performance. It can selectively
decrypt encrypted traffic for analysis and segment networks based on users or groups.
● WildFire® cloud-based threat analysis service to dynamically analyze suspicious content in
a virtual environment to discover zero-day threats.
● Threat Prevention, including IPS, malware protection, DNS sinkhole, and command and
control (C2) protection.
● URL Filtering continually updates with new phishing and malware sites, as well as sites
associated with attacks—even blocking malicious links in emails.
● GlobalProtect™ network security for endpoints extends a virtual private network (VPN) and
the protection of the Palo Alto Networks platform to mobile staff, employees with mobile
devices, and third-party contractors.
● Cortex XDR blocks exploits and malware on critical assets, such as point of sale devices,
unpatched servers, and corporate endpoints.
● AutoFocus™ service provides contextual threat intelligence analysis on all Palo Alto
Networks threat data.
● Prisma™ SaaS service provides security for SaaS applications.
● Panorama provides network security management via a virtual or physical appliance.

Next-Generation Security Platform users benefit from the most comprehensive library of collective
threat data in the world. Palo Alto Networks customers share threat data to minimize the spread of
attacks and raise the costs to attackers. The detection of a new threat in one customer
environment sharing threat information triggers the automatic creation and dissemination of
prevention mechanisms across thousands of customers.

1.1.6 References
● Firewall,
https://www.paloaltonetworks.com/cyberpedia/what-is-a-firewall
● Content-ID,
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/tech-briefs/techbrief-content-id.pdf

1.2 Identify the business value of Panorama

1.2.1 Explain the business value of Panorama for unified management

Panorama enables you to effectively configure, manage, and monitor your Palo Alto Networks
firewalls with central oversight. The three main areas in which Panorama adds value are:

● Centralized configuration and deployment. Simplify central management and rapid
deployment of the firewalls and WildFire appliances on your network by using Panorama to
pre-stage the firewalls and WildFire appliances for deployment. You can then assemble the
firewalls into groups, create templates to apply a base network and device configuration,
and use device groups to administer global and local policy rules.

● Aggregated logging with central oversight for analysis and reporting. Collect
information on activity across all the managed firewalls on the network and centrally
analyze, investigate, and report on the data. This comprehensive view of network traffic, user
activity, and the associated risks empowers you to respond to potential threats using the
rich set of policies to securely enable applications on your network.

● Distributed administration. Delegate or restrict access to global and local firewall
configurations and policies.

Four Panorama models are available: the Panorama virtual appliance, M-600 appliance, M-500
appliance, and M-200 appliance. All of these appliances are supported in PAN-OS 10.0. Panorama’s
centralized management structure, illustrated in the following image, allows you to deploy
Panorama in a high availability (HA) configuration to manage firewalls.

Panorama management architecture

Panorama lets you manage your Palo Alto Networks firewalls with both global oversight and
regional control. Panorama provides multiple tools for global or centralized administration.

Templates/template stacks
Panorama manages common device and network configuration through templates, which can be
used to manage configuration centrally and push changes to managed firewalls. This approach
avoids the need to make the same individual firewall changes repeatedly across many devices. To
make things even easier, templates can be stacked and used like building blocks during device and
network configuration.

Hierarchical device groups

Panorama manages common policies and objects through hierarchical device groups. Multilevel
device groups are used to centrally manage the policies across all deployment locations with
common requirements. Device group hierarchy may be created geographically (e.g., Europe, North
America, and Asia), functionally (e.g., data center, main campus, and branch offices), as a mix of
both, or based on other criteria. This allows for common policy sharing across different virtual
systems on a device.

You can use shared policies for global control while still allowing your regional firewall
administrators autonomy to make specific adjustments for their requirements. At the device group
level, you can create shared policies that are defined as the first set of rules and the last set of
rules—the pre-rules and post-rules, respectively—to be evaluated against match criteria. Pre- and
post-rules can be viewed on a managed firewall, but they can only be edited from Panorama within
the context of the administrative roles that have been defined. The device rules—those between
pre- and post-rules—can be edited by either your regional firewall administrator or a Panorama
administrator who has switched to a firewall device context. In addition, an organization can use
shared objects defined by a Panorama administrator, which can be referenced by regionally
managed device rules.
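
The evaluation order described above as an added example (not Palo Alto Networks code): a small Python model that flattens pre-rules, the firewall's own rules, and post-rules into one first-match rulebase. It goes beyond the text in one respect, ordering ancestor device groups as well (Shared above parent above child for pre-rules, the reverse for post-rules). Device-group names, rule names, zones, users, and applications are constructed sample data.

```python
"""Panorama rulebase ordering model (added example, not Palo Alto Networks code).

Order modelled here (the lineage ordering generalises the text, which only
states pre-rules -> local rules -> post-rules):
  Shared pre-rules -> parent DG pre-rules -> child DG pre-rules
  -> firewall-local rules
  -> child DG post-rules -> parent DG post-rules -> Shared post-rules
All names, zones, users and applications below are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                                   # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    apps: frozenset = frozenset({"any"})          # App-ID names
    users: frozenset = frozenset({"any"})         # User-ID names or groups

    def matches(self, flow: dict) -> bool:
        """Match criteria evaluated against a flow: zones, application, user."""
        return (self.src_zone in ("any", flow["src_zone"])
                and self.dst_zone in ("any", flow["dst_zone"])
                and ("any" in self.apps or flow["app"] in self.apps)
                and ("any" in self.users or flow["user"] in self.users))


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None
    pre_rules: List[Rule] = field(default_factory=list)
    post_rules: List[Rule] = field(default_factory=list)

    def lineage(self) -> List["DeviceGroup"]:
        """Ancestors from Shared (the root) down to this group."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        chain.reverse()
        return chain


def ordered_rulebase(group: DeviceGroup, local_rules: Iterable[Rule]) -> List[Rule]:
    """The effective rulebase in the order the managed firewall evaluates it."""
    lineage = group.lineage()
    pre = [r for dg in lineage for r in dg.pre_rules]                # top-down
    post = [r for dg in reversed(lineage) for r in dg.post_rules]    # bottom-up
    return pre + list(local_rules) + post


def evaluate(group: DeviceGroup, local_rules: Iterable[Rule], flow: dict) -> Optional[Rule]:
    """First matching rule wins; None means nothing matched (implicit deny)."""
    for rule in ordered_rulebase(group, local_rules):
        if rule.matches(flow):
            return rule
    return None


# Constructed hierarchy: Shared -> Europe -> Europe-Branch
SHARED = DeviceGroup(
    "Shared",
    pre_rules=[Rule("block-known-bad-apps", "deny", apps=frozenset({"tor"}))],
    post_rules=[Rule("cleanup-deny-all", "deny")],
)
EUROPE = DeviceGroup(
    "Europe", parent=SHARED,
    post_rules=[Rule("eu-allow-web", "allow", dst_zone="untrust",
                     apps=frozenset({"web-browsing", "ssl"}))],
)
EU_BRANCH = DeviceGroup(
    "Europe-Branch", parent=EUROPE,
    pre_rules=[Rule("branch-allow-voip", "allow", apps=frozenset({"sip"}))],
)
# Rules the regional administrator wrote on the firewall itself (device rules)
LOCAL_RULES = [Rule("local-allow-printing", "allow", src_zone="trust",
                    dst_zone="printers", apps=frozenset({"ipp"}))]


def decide(app: str, src_zone: str = "trust", dst_zone: str = "untrust",
           user: str = "alice") -> str:
    """Name of the winning rule for a constructed flow through the branch firewall."""
    flow = {"src_zone": src_zone, "dst_zone": dst_zone, "app": app, "user": user}
    rule = evaluate(EU_BRANCH, LOCAL_RULES, flow)
    return rule.name if rule else "implicit-deny"


if __name__ == "__main__":
    print([r.name for r in ordered_rulebase(EU_BRANCH, LOCAL_RULES)])
    for app, dst in [("tor", "untrust"), ("ipp", "printers"),
                     ("web-browsing", "untrust"), ("ftp", "untrust")]:
        print(app, "->", decide(app, dst_zone=dst))
```

The shared pre-rule wins over the regional administrator's local rule even though both would match, which is the point of letting Panorama own the first and last rules.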

Role-based administration is used to delegate feature-level administrative access, including the
availability of data (enabled, read-only, or disabled and hidden from view) to different members of
your staff. You can give specific individuals access to the tasks pertinent to their job while making
other access either hidden or read-only. Administrators can commit or revert changes they make in
a Panorama configuration independently of changes made by other administrators.

Software, license updates, and content management

As your deployment grows, you may want to make sure updates are sent to downstream boxes in
an organized manner. For instance, security teams may prefer to centrally qualify a software update
before it is delivered via Panorama to all production firewalls at once. Panorama lets you centrally
manage the update process for software updates, licenses, and content—including application
updates, antivirus signatures, threat signatures, and URL Filtering database entries. Using
templates, device groups, role-based administration, and update management, you can delegate
appropriate access to all management functions, visualization tools, policy creation, reporting, and
logging at global and regional levels.

1.2.2 Explain the business value of Panorama for centralized logging and reporting

Panorama aggregates logs from all managed firewalls and provides visibility across all traffic on the
network. It also provides an audit trail for all policy modifications and configuration changes made
to the managed firewalls. In addition to aggregating logs, Panorama can forward logs as Simple
Network Management Protocol traps, email notifications, syslog messages, and HTTP payloads to
an external server.

For centralized logging and reporting, you can also use the cloud-based Cortex Data Lake, which is
architected to work seamlessly with Panorama. Cortex Data Lake allows your managed firewalls to
forward logs to the Cortex Data Lake infrastructure instead of Panorama or the managed log
collectors, so you can augment your existing distributed log collection setup or scale your current
logging infrastructure without investing time and effort yourself.

The ACC on Panorama provides a single pane for unified reporting across all firewalls. It enables
you to centrally monitor network activity and to analyze, investigate, and report on traffic and
security incidents. On Panorama, you can view logs and generate reports from logs forwarded to
Cortex Data Lake, Panorama, or managed log collectors (if configured), or you can query the
managed firewalls directly. For example, you can generate reports about traffic, threat, or user
activity in the managed network based on logs stored on Panorama (and the managed collectors)
or by accessing the logs stored locally on the managed firewalls or in Cortex Data Lake.

If you do not configure log forwarding to Panorama or Cortex Data Lake, you can schedule reports
to run on each managed firewall and forward the results to Panorama for a combined view of user
activity and network traffic. Although reports do not provide a granular drill-down view of specific
information and activities, they still provide a unified monitoring approach.

1.2.3 References

● PAN-OS Release Notes,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-release-notes

Domain 2: Competitive Differentiators
2.1 Emphasize the competitive advantages of real-time analysis

2.1.1 Emphasize the competitive advantage of inline machine learning and its ability to prevent
unknown threats

With inline machine learning (ML) powered by intelligence from the WildFire and URL Filtering
services, the time from visibility to prevention of unknown network traffic becomes effectively zero.
With this real-time analysis, organizations can:

● Stop new threats instantly, preventing initial infection and potential spread
● Maintain their speed of business while stopping weaponized files, credential phishing, and
malicious scripts without sacrificing user experience
● Leverage existing investments in Palo Alto Networks NGFWs, WildFire, and URL Filtering
● Enjoy seamless, native integration between NGFW and security subscriptions, eliminating
the need for independent security tools while providing consistent protection and
management
● Future-proof defenses to evolve with the latest attacks

Attackers have two critical advantages: speed of proliferation and polymorphism. A polymorphic
attack can spread across networks quickly, generating unique variants for each target.

Palo Alto Networks has delivered the world’s first ML-powered NGFW, providing inline ML to block
unknown file-based and web-based threats. Using a patented signatureless approach, WildFire
and URL Filtering proactively prevent weaponized files, credential phishing, and malicious scripts
without compromising business productivity.

2.1.2 Describe the value of the Palo Alto Networks application-first approach

Networks have become more vulnerable because of fundamental shifts in the application
landscape, user behavior, cybersecurity dynamics, and infrastructure. SaaS, Web 2.0, social media,
and cloud-based applications are everywhere. Mobile devices, cloud, and virtualization are
fundamentally changing network architectures. Organizations are highly susceptible to security
breaches and compromised data because of how their users consume data and how the
organizations themselves manage IT.

Legacy firewalls and UTM systems are incapable of enabling the next generation of applications,
users, and infrastructures because they classify traffic based only on ports and protocols. For
example, traditional products identify most web traffic as simply HTTP coming through port 80,
with no information on the specific applications associated with that port and protocol. But this
problem is not limited to port 80.

Malicious applications are increasingly using encrypted SSL tunnels on port 443, clever evasive
tactics to disguise themselves, or port-hopping to find any entry point through firewalls. Legacy
firewalls and UTM systems cannot safely enable these applications. At best, they can attempt to
prevent the application from entering the network—stifling business and hampering innovation in
the process.

The Palo Alto Networks approach

Palo Alto Networks offers real innovation in the NGFW, enabling unprecedented control of
applications and content—by user, not just IP address—with no performance degradation. The
Palo Alto Networks NGFW enables applications regardless of port, protocol, evasive tactic, or SSL
encryption and scans content to stop targeted threats and prevent data leakage. This allows
organizations to safely enable application use, maintain complete visibility and control, and
significantly reduce total cost of ownership through network security simplification.

The unique capabilities of the Palo Alto Networks NGFW include:

● The only firewall to classify traffic based on the accurate identification of the application, not
just port/protocol information.
● The only firewall to identify, control, and inspect SSL encrypted traffic and applications.
● The only firewall with real-time (line-rate, low-latency) content scanning to protect against
viruses, spyware, data leakage, and application vulnerabilities based on a stream-based
threat prevention engine.
● The only firewall to provide graphical visualization of applications on a network with detailed
user-, group-, and network-level data categorized by sessions, bytes, ports, threats, and time.
● The only firewall with line-rate, low-latency performance for all services, even under load.
● The only firewall to identify unknown malicious files, often used in targeted attacks, by
directly and automatically executing them in a virtual, cloud-based environment.
● The only firewall capable of delivering a logical perimeter for mobile users.
● The ability to proactively stop new threats with inline ML.

2.1.3 References
● ML-Powered NGFW,
https://www.paloaltonetworks.com/network-security/next-generation-firewall
● Palo Alto Networks Approach,
https://www.paloaltonetworks.com/company/what-we-do

2.2 Explain the benefits of SP3

Traditional integration approaches go by many names: deep inspection, UTM, deep packet
inspection, and more. Traditional approaches use IPS capabilities for application identification and
vulnerability signatures, antivirus engines for antivirus, and so on.

These approaches share a common problem: a lack of consistent and predictable performance
when security services are enabled. Specifically, base firewall functions can perform at high
throughput and low latency, but when the added security functions are enabled, performance
decreases while latency increases.

More importantly, these traditional approaches to integration limit security capability. This is
because a sequence of functions approach is inherently less flexible than one in which all functions
share information and enforcement mechanisms.

Implemented in a variety of form factors (both physical and virtual), Palo Alto Networks NGFWs
based on SP3 are the high-performance foundation of a security platform that stops modern
threats.

2.2.1 Explain how an NGFW inspects data through an SP3

While a seemingly obvious approach, security software that looks at traffic in a single pass is unique
to the Palo Alto Networks NGFW. This approach to processing traffic ensures that each task is
performed only once on a set of traffic. Key processing tasks include:

● Networking and management functionality. Uses a common networking foundation with
a common management structure as the foundation of all traffic processing.
● User-ID. Maps IP addresses to users and users to groups (roles) to enable visibility and policy
enforcement by user and group.
● App-ID. Combines application signatures, protocol detection and decryption, protocol
decoding, and heuristics to identify applications. This application identification is carried
through to Content-ID to scan and inspect applications appropriate to their use, as well as
to the policy engine.
● Content-ID. Uses a single hardware-accelerated signature matching engine that uses a
uniform signature format to scan traffic for data (e.g., credit card numbers, Social Security
numbers, and custom patterns) and threats (e.g., vulnerability exploits such as IPS, viruses,
and spyware), plus a URL categorization engine to perform URL filtering.
● Policy engine. Based on networking, management, User-ID, App-ID, and Content-ID
information, applies and enforces a single Security policy on matching traffic.

SP3 is summed up accurately and succinctly with the phrase “scan it all, scan it once.”

2.2.2 Explain how performance is affected by Security subscription adoption

The Palo Alto Networks SP3 addresses performance and flexibility challenges with a unique
single-pass approach to packet processing. This approach increases:

● Performance. By performing operations once per packet, the SP3 eliminates many
redundant functions that plagued previous integration attempts. Networking, policy
lookup, application and decoding, and signature matching for all threats and content are
performed only once as packets are processed. This significantly reduces the amount of
processing overhead required to perform multiple functions in one security device. For
content inspection and threat prevention, the SP3 uses a stream-based, uniform signature
matching engine. Instead of using separate engines and signature sets (requiring multiple
passes) or proxies (requiring download prior to scanning), the SP3 scans traffic for all
signatures once—avoiding the introduction of latency.

● Flexibility. The SP3 also supports superior security posture relative to traditional integration
attempts. This is because the architecture performs full-stack inspection upfront and then
makes all resulting context available to all security enforcement options (including threat
prevention). With traditional integration approaches, full context is not shared between all
enforcement options.

Depending on the subscription activated, different security controls can be enabled on the
protected traffic. Adding a security control on traffic has a minimal impact on performance in an
SP3, because the same hardware component is already processing the same data for other controls.

2.2.3 Differentiate between slow path, fast path, and offload

When a network connection is managed by the data plane of the firewall, each packet flows
through different processing stages.

The ingress stage receives packets from the physical layer interfaces. In this stage, multiple actions
are performed:

● Layer 2, Layer 3, and Layer 4 packet processing
● Defragmentation
● IPsec/SSL decryption

The session setup stage (also called slow path) is executed if the received packet is related to a new
network connection. In the session setup stage, the following actions are performed:

● Route lookup to forward the packet to the correct destination
● User-ID lookup (optional)
● Zone/denial-of-service (DoS) protection checks
● Forwarding of the packet to the security processing stage

The security processing stage (also called fast path) receives the packet from the ingress stage
(existing sessions) or session setup stage (new session’s packets) and applies the Layer 7 controls
(App-ID, Content-ID) and policy enforcements.

The egress stage manages the QoS traffic shaping and the packet forwarding process. (See
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0.) For
specific kinds of traffic, the packets that belong to existing sessions can be offloaded.

An offloaded packet is forwarded by the ingress stage directly to the egress stage, bypassing the
whole security processing. Offloading reduces data plane resource consumption when the security
processing does not give improvements in terms of security.

Only PA-3050, PA-3060, PA-3250, PA-3260, PA-5000 Series, PA-5200 Series, PA-5450, and PA-7000
Series firewalls include hardware support for session offloading.
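
The stages described above as an added simulation (not PAN-OS code): a Python model that counts how many packets of a session touch each stage, so the effect of slow path, fast path, and offload on data plane work becomes visible. The session key, the allowed-application list, the offload-eligibility rule, and the packet traces are constructed assumptions; which traffic PAN-OS actually offloads is platform-specific and not modelled here.

```python
"""Data plane stage model (added example, not PAN-OS code).

Every packet enters at ingress. The first packet of a session goes through
session setup (slow path) and then security processing (fast path); later
packets go ingress -> fast path -> egress, unless the session has been
offloaded, in which case ingress hands them straight to egress. Which
sessions qualify for offload ("specific kinds of traffic" in the text) is
constructed here as: application identified and listed in OFFLOAD_ELIGIBLE.
"""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FiveTuple = Tuple[str, str, int, int, str]        # src, dst, sport, dport, proto

ALLOWED_APPS = {"ssl", "web-browsing", "dns"}     # constructed Security policy
OFFLOAD_ELIGIBLE = {"ssl"}                        # constructed offload criterion


@dataclass
class Session:
    key: FiveTuple
    app: str = "unknown"       # App-ID verdict, once the fast path has seen enough
    offloaded: bool = False
    packets: int = 0


@dataclass
class DataPlane:
    sessions: Dict[FiveTuple, Session] = field(default_factory=dict)
    stage_hits: Counter = field(default_factory=Counter)

    def ingress(self, pkt: dict) -> FiveTuple:
        """L2-L4 parsing (defragmentation and decryption would also live here)."""
        self.stage_hits["ingress"] += 1
        return (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])

    def session_setup(self, key: FiveTuple) -> Session:
        """Slow path: route lookup, User-ID lookup, zone/DoS checks, new session."""
        self.stage_hits["slow_path"] += 1
        self.sessions[key] = Session(key)
        return self.sessions[key]

    def security_processing(self, sess: Session, pkt: dict) -> str:
        """Fast path: App-ID/Content-ID and policy enforcement; returns the action."""
        self.stage_hits["fast_path"] += 1
        if "app" in pkt:                            # stand-in for App-ID reaching a verdict
            sess.app = pkt["app"]
        if sess.app != "unknown" and sess.app not in ALLOWED_APPS:
            return "deny"
        if sess.app in OFFLOAD_ELIGIBLE:
            sess.offloaded = True                   # later packets skip this stage
        return "allow"

    def egress(self, action: str) -> str:
        """QoS shaping and forwarding; here it only records the hit."""
        self.stage_hits["egress"] += 1
        return action

    def process(self, pkt: dict) -> str:
        key = self.ingress(pkt)
        sess = self.sessions.get(key)
        if sess is None:
            sess = self.session_setup(key)          # slow path, first packet only
        if sess.offloaded:
            self.stage_hits["offloaded"] += 1       # ingress -> egress, no security work
            action = "allow"
        else:
            action = self.security_processing(sess, pkt)
            if action == "deny":
                del self.sessions[key]              # denied session is torn down
        sess.packets += 1
        return self.egress(action) if action == "allow" else action


def run_trace(trace: List[dict]) -> Tuple[List[str], dict]:
    """Push a constructed packet trace through one data plane; return (actions, stage counts)."""
    dp = DataPlane()
    actions = [dp.process(p) for p in trace]
    return actions, dict(dp.stage_hits)


if __name__ == "__main__":
    flow = dict(src="10.0.0.5", dst="203.0.113.10", sport=51000, dport=443, proto="tcp")
    # packet 3 carries enough payload for App-ID to identify the session as ssl
    trace = [dict(flow), dict(flow), dict(flow, app="ssl"), dict(flow), dict(flow)]
    print(run_trace(trace))
```

With five packets in one session, the slow path runs once, the fast path three times (until App-ID identifies the session), and the last two packets are offloaded straight from ingress to egress.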

2.2.4 References

● Single-Pass Architecture,
https://www.paloaltonetworks.com/resources/whitepapers/single-pass-parallel-processing-architecture
● Packet Flow Sequence in PAN-OS,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
● Disable Firewall Offloading Traffic,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8cCAC

2.3 Compare and contrast the benefits of Advanced URL Filtering and DNS Security

2.3.1 Identify where in the inspection process Advanced URL Filtering and DNS Security are used
and how they differ

Advanced URL Filtering

Palo Alto Networks Advanced URL Filtering provides real-time URL analysis and malware
prevention to generate a more accurate analysis of URLs than possible with traditional web
database filtering techniques alone. This subscription service is available on firewalls operating
PAN-OS 9.0 and later, with the installation of content release 8390-6607 and later.

Malicious URLs can be updated or introduced before URL filtering databases have an opportunity
to analyze the content; this lag time gives attackers an opening to launch precision attack
campaigns. Advanced URL Filtering compensates for the coverage gaps inherent in database
solutions by providing real-time URL analysis on a per-request basis. When a user visits a URL
designated as risky, the firewall submits the URL to the Advanced URL Filtering service for analysis
using ML and queries PAN-DB for the site’s category (information for recently visited websites is
cached for fast retrieval). The analysis data is used to generate a verdict that the firewall retrieves to
enforce the web-access rules based on your policy configuration. If there is a verdict mismatch
while the data is being analyzed in the cloud, the more severe categorization takes precedence.

Advanced URL Filtering is enabled through the URL Filtering profile and uses the same
configuration settings. If you already have an operational URL filtering deployment, no additional
configuration is necessary to take advantage of Advanced URL Filtering—all web requests
designated as risky are automatically forwarded for analysis. URLs analyzed using Advanced URL
Filtering are displayed in the logs using the category real-time-detection, in addition to the threat
type.

To enable the Advanced URL Filtering security subscription, follow these steps:

Step 1: Install the Advanced URL Filtering license and verify the installation.
Step 2: Download and install the latest PAN-OS content release.
Step 3: Verify that you have an active URL Filtering profile. If none is configured, create and
configure a URL Filtering profile.
Step 4: Verify that URLs are being analyzed and categorized using the Advanced URL Filtering
service.

DNS Security
DNS Security is a continuously evolving threat prevention service designed to protect and defend
your network from advanced threats using DNS. By leveraging advanced ML and predictive
analytics, the service provides real-time DNS request analysis and rapidly produces and distributes
DNS signatures that are specifically designed to defend against malware using DNS for C2 and
data theft. Combined with an extensible cloud architecture, it provides access to a scalable threat
intelligence system to keep your network protections up to date.

With an active Threat Prevention license, customers can configure their firewalls to sinkhole DNS
requests using a list of domains generated by Palo Alto Networks. These locally accessed,
customizable DNS signature lists are packaged with antivirus and WildFire updates and include
the most relevant threats for policy enforcement and protection at the time of publication. For
improved coverage against threats using DNS, the DNS Security subscription enables users to
access real-time protections using advanced predictive analytics. Using techniques such as domain
generation algorithm (DGA)/DNS tunneling detection and ML, threats hidden within DNS traffic
can be proactively identified and shared through an infinitely scalable cloud service. Because the
DNS signatures and protections are stored in a cloud-based architecture, you can access the full
database of ever-expanding signatures that have been generated using a multitude of data
sources. This allows you to defend against an array of threats using DNS in real time against newly
generated malicious domains that deploy with a DGA. (See
https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga.)
To combat future threats, updates to the analysis, detection, and prevention capabilities of the
DNS Security service will be available through content releases.

To access the DNS Security service, you must have a valid Threat Prevention and DNS Security
license.

The following DNS categories are supported with the licensed DNS Security service:

● C2
● Phishing domains
● Malware-hosted domains
● Dynamic DNS-hosted domains
● Newly registered domains
● Grayware domains
● Parked domains
● Proxy avoidance and anonymizers

The following workflow illustrates how DNS Security uses data sources to generate DNS signatures:

2.3.2 Differentiate between cloud-delivered security services and real-time detection

“Cloud security” refers to a broad set of control-based technologies and policies deployed to protect
information, data, applications, and infrastructure associated with cloud computing. As with
on-premises applications and data, those stored in the cloud must be just as vigilantly protected.

The following Palo Alto Networks subscriptions unlock firewall features or enable the firewall to
leverage a Palo Alto Networks cloud-delivered service (or both). The table describes each service or
feature that requires a subscription to work with the firewall. To enable a subscription, you must
first activate subscription licenses; once active, most subscription services can use dynamic content
updates to provide new and updated functionality to the firewall.

SUBSCRIPTIONS
IoT Security The IoT Security solution works with NGFWs to dynamically discover and
maintain a real-time inventory of the IoT devices on your network. Through
artificial intelligence and ML algorithms, the IoT Security solution achieves a
high level of accuracy, even classifying IoT device types encountered for the
first time. And because it’s dynamic, your IoT device inventory is always up
to date. IoT Security also provides the automatic generation of policy
recommendations to control IoT device traffic, as well as the automatic
creation of IoT device attributes for use in firewall policies.

PSE Strata Professional by Palo Alto Networks 29


SD-WAN Provides intelligent and dynamic path selection on top of the
industry-leading security that PAN-OS software already delivers. Managed
by Panorama, the SD-WAN implementation includes:
● Centralized configuration management
● Automatic VPN topology creation
● Traffic distribution
● Monitoring and troubleshooting
Threat Prevention Threat Prevention provides:
● Antivirus, anti-spyware (C2), and vulnerability protection
● Built-in external dynamic lists that you can use to secure your
network against malicious hosts
● Ability to identify infected hosts that try to connect to malicious
domains
DNS Security Provides enhanced DNS sinkholing capabilities by querying DNS Security, a
cloud-based service capable of generating DNS signatures using advanced
predictive analytics and ML. This service provides full access to the
continuously expanding DNS-based threat intelligence produced by Palo
Alto Networks. To set up DNS Security, you must first purchase and install a
Threat Prevention license.
URL Filtering Provides the ability to control web access and how users interact with
online content based on dynamic URL categories. You can also prevent
credential theft by controlling the sites to which users can submit their
corporate credentials. To set up URL Filtering, you must purchase and
install a subscription for the supported URL filtering database, PAN-DB.
With PAN-DB, you can set up access to the PAN-DB public cloud or to the
PAN-DB private cloud.
Advanced URL Filtering Uses a cloud-based, ML-powered web security engine to perform ML-based
inspection of web traffic in real time. This reduces reliance on URL
databases and out-of-band web crawling to detect and prevent advanced,
fileless, web-based attacks, including targeted phishing, web-delivered
malware and exploits, C2, social engineering, and other types of web
attacks.
WildFire Basic WildFire support is included as part of the Threat Prevention license.
Anyone with or without a Threat Prevention license can forward PE files to
WildFire for analysis. The WildFire subscription service provides enhanced
services for organizations that require immediate coverage for threats,
frequent WildFire signature updates, advanced file type forwarding (APK,
PDF, Microsoft Office, and Java Applet), and the ability to upload files using
the WildFire API. A WildFire subscription is also required if your firewalls will
be forwarding files to an on-premises WF-500 appliance.
AutoFocus Provides a graphical analysis of firewall traffic logs and identifies potential
risks to your network using threat intelligence from the AutoFocus portal.
With an active license, you can also open an AutoFocus search based on
logs recorded on the firewall.

Cortex Data Lake Provides cloud-based, centralized log storage and aggregation. Cortex Data
Lake is required or highly recommended to support several other
cloud-delivered services, including Cortex XDR, IoT Security, and Prisma
Access.
GlobalProtect Provides mobility solutions or large-scale VPN capabilities. By default, you
can deploy GlobalProtect portals and gateways (without HIP checks)
without a license. If you want to use advanced GlobalProtect features (such
as HIP checks and related content updates, the GlobalProtect Mobile App,
IPv6 connections, or a GlobalProtect Clientless VPN), you will need a
GlobalProtect license for each gateway. Several other features also require
the license, including the Linux client, domain-based split tunneling, and
split DNS. Refer to
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-overview/about-globalprotect-licenses.html
for more information.
Virtual Systems This perpetual license is required to enable support for multiple virtual
systems on PA-3200 Series firewalls. You must purchase a Virtual Systems
license if you want to increase the number of virtual systems beyond the
base number provided by default on PA-5200 Series, PA-5450, and PA-7000
Series firewalls (the base number varies by platform). The PA-800 Series,
PA-220, and VM-Series firewalls do not support virtual systems.
Enterprise Data Loss Provides cloud-based protection against unauthorized access, misuse,
Prevention (DLP) extraction, and sharing of sensitive information. Enterprise DLP provides a
single engine for accurate detection and consistent policy enforcement for
sensitive data at rest and in motion using ML-based data classification,
hundreds of data patterns using regular expressions or keywords, and data
profiles using Boolean logic to scan for collective types of data.
SaaS Security Inline Works with Cortex Data Lake to discover all of the SaaS applications in use
on your network. SaaS Security Inline can discover thousands of shadow IT
applications and their users and usage details. SaaS Security Inline also
enforces SaaS policy rule recommendations seamlessly across your existing
Palo Alto Networks firewalls. App-ID Cloud Engine also requires SaaS
Security Inline.

2.3.3 Identify the dependencies of Advanced URL Filtering and DNS Security

Advanced URL Filtering

Built in the cloud, Advanced URL Filtering is a subscription service that works natively with your
Palo Alto Networks Next-Generation Firewall (NGFW) to secure web access against threats such as
phishing, malware, and command-and-control (C2). The service uses ML to analyze URLs in real
time and classify them into benign or malicious categories, which you can easily build into your
NGFW policy for total control of web traffic. These categories trigger complementary capabilities
across the NGFW platform, enabling additional layers of protection, such as targeted SSL
decryption and advanced logging. Alongside its own analysis, Advanced URL Filtering uses shared
threat information from WildFire® malware prevention service and other sources to automatically
update protections against malicious sites. Advanced URL Filtering delivers:

● Superior protection against web-based attacks with the combined power of our URL
database stopping known threats and our industry-first inline web protection engine
categorizing as well as blocking new malicious URLs in real time, even when content is
cloaked from crawlers. Advanced URL Filtering prevents more than 200,000 attacks per day
that traditional databases cannot, in real time.
● Industry-leading phishing protections that tackle the most common causes of breaches.
● Total control of your web traffic through fine-grained controls and policy settings that
enable you to automate security actions based on users, risk ratings, and content
categories.
● Maximum operational efficiency by enabling web protection through the Palo Alto
Networks platform.

FEATURE DESCRIPTION
Inline Real-Time Web Uses cloud-based inline ML to analyze real web traffic,
Threat Prevention categorizing and blocking malicious URLs in real time. ML
models are retrained frequently, ensuring protection against
new and evolving never-before-seen threats (e.g., phishing,
exploits, fraud, C2).
Anti-Evasion Measures Protects against evasive techniques such as cloaking, fake
CAPTCHAs, and HTML character encoding.
URL Database Maintains hundreds of millions of known malicious and benign
URLs categorized through a combination of static, dynamic,
machine learning, and human analysis.
Content Categories Classifies websites based on site content, features, and safety,
and includes more than 70 benign and malicious content
categories.
Risk Ratings Scores URLs on a variety of factors to determine risk. These
security-focused URL categories can help you reduce your attack surface
by providing targeted decryption and enforcement for sites that pose
varying levels of risk but are not confirmed malicious.
Multi-Category Support Categorizes a URL with up to four categories, allowing for
flexible policy and the creation of custom categories.
Custom Categories Lets you tailor categories and policies to your organization’s
needs. Although Advanced URL Filtering utilizes a defined set of
categories, different organizations may have different needs around
risk tolerance, compliance, regulation, or acceptable use. To meet your
requirements and fine-tune policies, administrators can create new
custom categories by combining multiple existing categories.
Real-Time Credential Theft Protection Detects and prevents credential theft by controlling sites to
which users can submit corporate credentials based on the
site’s URL category. This allows you to block users from
submitting credentials to untrusted sites in real time while still
allowing users to only submit credentials to corporate and
sanctioned sites.
Phishing Image Detection Uses ML models to analyze images in webpages to determine
whether they are imitating brands commonly used in phishing attempts.
Criteria Matching Allows you to designate multiple policy action types based on
URL categories or criteria. Beyond simply blocking or allowing
sites, policy examples may include selective SSL decryption,
advanced logging, blocking downloads, or preventing
credential submission.
Selective SSL Decryption Helps you further reduce risk with targeted decryption. Policies
can be established to selectively decrypt TLS/SSL-encrypted
web traffic, maximizing visibility into potential threats while
keeping you compliant with data privacy regulations. Specific
URL categories (e.g., social networking, web-based email,
content delivery networks) can be designated for decryption
while transactions to and from other types of sites (e.g., those of
governments, banking institutions, healthcare providers) can be
designated to remain encrypted. You can implement simple
policies that enable decryption for applicable content
categories with high or medium risk ratings. Selective
decryption enables optimal security posture while respecting
confidential traffic parameters set by company policies or
external regulations.
Translation Site Filtering Applies URL Filtering policies to URLs that are entered into
language translation websites (e.g., Google Translate) as a
means of bypassing policies.
Search Engine Cached Results Applies URL Filtering policies when end users attempt to view
Prevention the cached results of web searches and internet archives.
Safe Search Enforcement Allows you to prevent inappropriate content from appearing in
users’ search results. With this feature enabled, only Google,
Yandex, Yahoo, or Bing searches with the strictest safe search
options set will be allowed, and all other searches can be
blocked.
Customizable End User Notifications Enables administrators to notify users of a violation using a
custom block page. These pages may include options to
present a warning and allow the user to continue or require a
configurable password that creates a policy exception.
Multilingual Support Supports crawling and analysis in 41 languages.
Reporting Provides visibility into Advanced URL Filtering and related web
activity through a set of predefined or fully customized URL
Filtering reports.
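
The multi-category, risk-rating, credential-submission, and selective-decryption features in the table above all act on the same URL at once. The following Python model, added here and not part of the study guide or of PAN-OS, shows how per-category actions resolve for a URL that carries up to four categories. The category names, the most-restrictive-action ordering, the decryption exemptions, and the sample profile are illustrative assumptions, not PAN-DB data or PAN-OS configuration syntax.

```python
"""Model of multi-category URL Filtering decisions (added example).

Category names, the action precedence, the decryption exemptions, and the
sample profile below are illustrative assumptions, not PAN-OS syntax or
PAN-DB data.
"""
from dataclasses import dataclass

# When a URL's categories map to different actions, the most restrictive one
# wins. Assumed ordering: higher number = more restrictive.
ACTION_RANK = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}

# Risk-rating categories that trigger targeted decryption (assumed names).
DECRYPT_RISK = {"high-risk", "medium-risk"}

# Privacy-sensitive categories that stay encrypted even when risky (assumed).
NO_DECRYPT = {"financial-services", "health-and-medicine", "government"}

MAX_CATEGORIES = 4  # PAN-DB assigns up to four categories per URL


@dataclass(frozen=True)
class UrlProfile:
    """Per-category actions for the two enforcement axes described in the guide."""
    site_access: dict            # category -> action for browsing the site
    credential_submission: dict  # category -> action for submitting credentials
    site_default: str = "allow"
    credential_default: str = "alert"


@dataclass(frozen=True)
class Decision:
    categories: tuple
    site_access: str
    credential_submission: str
    decrypt: bool


def most_restrictive(actions):
    """Resolve several per-category actions to the single enforced action."""
    return max(actions, key=lambda a: ACTION_RANK[a])


def evaluate(url_categories, profile):
    """Return the enforced decision for a URL tagged with up to four categories."""
    cats = tuple(sorted(set(url_categories)))
    if not cats or len(cats) > MAX_CATEGORIES:
        raise ValueError(f"expected 1..{MAX_CATEGORIES} categories, got {len(cats)}")
    site = most_restrictive(
        profile.site_access.get(c, profile.site_default) for c in cats)
    creds = most_restrictive(
        profile.credential_submission.get(c, profile.credential_default) for c in cats)
    # Selective decryption: only reachable, risky sites are decrypted, and a
    # privacy-sensitive category overrides the risk rating.
    decrypt = (site != "block"
               and bool(DECRYPT_RISK & set(cats))
               and not (NO_DECRYPT & set(cats)))
    return Decision(cats, site, creds, decrypt)


# Constructed sample profile: block known-bad, warn on risky, allow the rest.
SAMPLE_PROFILE = UrlProfile(
    site_access={
        "malware": "block", "command-and-control": "block", "phishing": "block",
        "high-risk": "continue", "newly-registered-domain": "continue",
        "blogs": "alert",
    },
    credential_submission={
        "phishing": "block", "high-risk": "block", "medium-risk": "block",
        "newly-registered-domain": "block",
        "corporate-sanctioned": "allow", "low-risk": "allow",
    },
)

if __name__ == "__main__":
    for cats in ({"blogs", "high-risk"}, {"financial-services", "medium-risk"},
                 {"phishing"}, {"corporate-sanctioned", "low-risk"}):
        print(evaluate(cats, SAMPLE_PROFILE))
```

The point the model makes is that a risk rating never stands alone: a blog rated high-risk stays reachable (continue) but loses credential submission and gets decrypted, while a bank rated medium-risk also loses credential submission but stays encrypted because its content category is privacy-sensitive.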

DNS Security
The DNS Security service performs real-time DNS request analysis using predictive analytics and
machine learning on multiple DNS data sources. The resulting protections for DNS-based threats
are applied in real time through the Anti-Spyware Security profile attached to a Security policy
rule. Each DNS threat category (the DNS Signature
Source) allows you to define separate policy actions as well as a log severity level for a specific
signature type. This enables you to create specific security policies based on the nature of the
threat, according to your network security protocols. Palo Alto Networks also generates and
maintains a list of explicitly allowable domains based on metrics from PAN-DB and Alexa. These
allow list domains are frequently accessed and known to be free of malicious content. The DNS
Security categories and the allow list are updated and extensible through PAN-OS content releases.

You can view your organization’s DNS statistics data generated by the DNS Security Cloud service
using AutoFocus. This provides a fast, visual assessment describing the breakdown of DNS requests
passing through your network based on the available DNS categories. Alternatively, you can
retrieve domain information, as well as the transaction details, such as latency and TTL using the
test dns-proxy dns-signature fqdn <domain> command.

The DNS Security service currently supports detection of the following DNS threat categories:

● Command and Control Domain. C2 includes URLs and domains used by malware and/or
compromised systems to surreptitiously communicate with an attacker’s remote server to
receive malicious commands or exfiltrate data (this includes DNS tunneling detection and
DGA detection) or deplete resources on a target authoritative DNS server (such as
NXNSattack).

● Dynamic DNS Hosted Domains. Dynamic DNS (DDNS) services provide mapping between
hostnames and IP addresses in near real-time to keep changing IP addresses linked to a
specific domain, when static IPs are unavailable. This provides attackers a method of
infiltrating networks by using DDNS services to change the IP addresses that host
command-and-control servers. Malware campaigns and exploit kits can utilize DDNS
services as part of their payload distribution strategy. By utilizing DDNS domains as part of
their hostname infrastructure, adversaries can change the IP address associated with given
DNS records and more easily avoid detection. DNS Security detects exploitative DDNS
services by filtering and cross-referencing DNS data from various sources to generate
candidate lists which are then further validated to maximize accuracy.

● Malware Domains. Malicious domains host and distribute malware and can include
websites that attempt to install various threats (such as executables, scripts, viruses, drive-by
downloads). Malicious domains are distinguishable from C2 domains in that they deliver
malicious payloads into your network via an external source, whereas with C2, infected
endpoints typically attempt to connect to a remote server to retrieve additional instructions
or other malicious content.

● Newly Registered Domains. Newly registered domains are domains that have never been
registered before and have recently been added by a TLD operator or registrar. While new
domains can be created for legitimate purposes, many are used to facilitate malicious
activities, such as operating as C2 servers or distributing malware, spam, and PUP/adware.
Palo Alto Networks detects newly registered domains by monitoring specific feeds (domain
registries and registrars) and using zone files, passive DNS, and WHOIS data to detect
registration campaigns.

● Phishing Domains. Phishing domains attempt to lure users into submitting sensitive data,
such as personal information or user credentials, by masquerading as legitimate websites
through phishing or pharming. These malicious activities can be conducted through social
engineering campaigns (whereby a seemingly trusted source manipulates users into
submitting personal information via email or other forms of electronic communications) or
through web traffic redirection, which directs users to fraudulent sites that appear
legitimate.

● Grayware Domains. (Available with installation of PAN-OS content release 8290 and later.)
Grayware domains generally do not pose a direct security threat; however, they can facilitate
vectors of attack, produce various undesirable behaviors, or simply contain questionable or
offensive content. These can include websites and domains that:

○ Attempt to trick users into granting remote access.
○ Contain adware and other unsolicited applications (such as crypto miners, hijackers,
and PUPs [potentially unwanted programs]).
○ Deploy domain identification concealment actions using fast flux techniques.
○ Demonstrate malicious behavior and usage as evidenced through DNS Security
predictive analytics (malicious NRD).
○ Take advantage of user errors when entering web page addresses (typosquatting
domains).
○ Redirect traffic from a legitimate source to a malicious website due to an improperly
configured or stale DNS record on an authoritative DNS server that has not been
removed or otherwise corrected (dangling DNS).
○ Promote illegal activities or scams.
○ Include wildcard DNS entries, which can be used to evade block lists or enable
wildcard DNS attacks by routing traffic to malicious websites.
○ Indicate the presence of DNS traffic with anomalous characteristics when compared
to established baseline profiles built from collected DNS data.

● Parked Domains. (Available with installation of PAN-OS content release 8318 and later)
Parked domains are typically inactive websites that host limited content, often in the form
of click-through ads which may generate revenue for the host entity, but generally do not
contain content that is useful to the end user. While they often function as a legitimate
placeholder or as nothing more than a benign nuisance, they could also be used as a
possible vector for distribution of malware.

● Proxy Avoidance and Anonymizers. (Available with installation of PAN-OS content release
8340 and later.) This category covers traffic to services that are used to bypass content
filtering policies. Users who attempt to circumvent an organization’s content filtering
policies via anonymizer proxy services are blocked at the DNS level.

2.3.4 Identify the benefits of inspection beyond malicious traffic inspection

NEW CONTENT INSPECTION FEATURE DESCRIPTION
DNS Security The firewall can now access the full database of Palo Alto
Networks DNS signatures through a new DNS Security service.
The DNS Security service also performs proactive analysis of
DNS data to predict new malicious domains and to detect C2
evasion techniques—like DGAs and DNS tunneling—that aim to
bypass common protections.
New Security-Focused URL Categories New security-focused URL categories enable you to implement
simple security and decryption policies based on website safety
without requiring you to decide (or even know) what website is
likely to expose you to web-based threats:

● High risk, medium risk, and low risk. These categories indicate the level of
suspicious activity that a site displays. All URLs, except those that are
confirmed malware, C2, or phishing sites, now include this risk rating.
● Newly registered domains. This category identifies sites that were
registered within the last 32 days. New domains are frequently used as tools
in malicious campaigns.

These new categories help you to reduce your attack surface by providing
targeted decryption and enforcement for sites that pose varying levels of risk
but are not confirmed malicious. Websites are classified with a security-related
category only when they meet the criteria for that category; as site content
changes, policy enforcement dynamically adapts.
Multicategory URL Filtering PAN-DB, the Palo Alto Networks URL database, now assigns
multiple categories to URLs that classify the content, purpose,
and safety of a site. Every URL now has up to four categories,
including a risk rating that indicates how likely it is that the
page will expose you to threats. More granular URL
categorization means that you can move beyond a basic
block-or-allow approach to web access. Instead, control how
your users interact with content, especially websites that are
more likely to be used as part of a cyberattack (like blogs or
cloud storage services). For example, allow your users to visit
high-risk websites, but enforce read-only access to questionable
content by blocking hidden JavaScript and preventing
dangerous file downloads.
Built-In External Dynamic List (EDL) for Because bulletproof hosting providers place few, if any,
Bulletproof Hosts restrictions on content, attackers frequently use these services
to host and distribute malicious, illegal, and unethical material.
The Threat Prevention subscription now includes a built-in EDL
that you can use to block IP addresses associated with
bulletproof hosting providers.
EDL Capacity Increases EDL capacities are increased to better accommodate the use of
third-party intelligence feeds, significantly expanding the
number of threat indicators you can leverage within your
network Security policy. Additionally, you can now prioritize
EDLs to make sure that lists containing critical threat indicators
are committed before you reach capacity limits.
Support for Predefined Data Filtering To identify and protect sensitive information from leaving your
Patterns network, the firewall provides 22 predefined data filtering
patterns that identify specific (regulated) information from
countries around the world, such as INSEE Identification
(France) and New Zealand Internal Revenue Department
Identification Numbers. PAN-OS software also performs a
checksum validation for all patterns to eliminate false-positives.
This does not require the Enterprise DLP subscription.
Cellular IoT Security As your business moves to cellular IoT (CIoT) and networks adopt
3GPP CIoT technologies, you need to secure CIoT traffic to
protect your network and CIoT from attacks. Cellular IoT Security
allows you to secure CIoT traffic and gain visibility into CIoT and
device-to-device communication over your network. If you are a
mobile network operator (MNO) or a mobile virtual network
operator (MVNO), such as a utility company focused on oil, gas,
or energy operating as an MVNO, you can now secure CIoT
traffic. CIoT security also allows you to protect MNO
infrastructure and CIoT devices from DoS attacks on both
signaling/control and data layers, from attacks from infected
CIoTs, and from spying attacks. It also allows you to detect and
prevent malware, ransomware, and vulnerabilities. Additionally,
the firewall now supports Narrowband IoT radio access
technology, 3GPP TS 29.274 for GTPv2-C up to Release 15.2.0, and
3GPP TS 29.060 for GTPv1-C up to Release 15.1.0. CIoT security is
supported on VM-Series firewalls, PA-5200 Series firewalls, and
PA-7000 Series firewalls that have all new cards, including new
100G Network Processing Card (NPC), new second-generation
Switch Management Cards (SMCs), and new Log Forwarding
Cards (LFCs).
GTP Event Packet Capture Firewalls now support packet capture for a GTP event to make
troubleshooting easier. GTP packet capture is supported for
events such as GTP-in-GTP, end user IP address spoofing, and
abnormal GTPv1-C, GTPv2-C, and GTP-U messages that have
missing mandatory information elements (IE), invalid IE, invalid
header, out-of-order IE, or unsupported message type. GTP
event packet capture is supported on VM-Series firewalls,
PA-5200 Series firewalls, and PA-7000 Series firewalls that have
all new cards, including new 100G NPCs, new second-generation
SMCs, and new LFCs.
Graceful Enablement of GTP Stateful With PAN-OS 9.0.3 and later releases, you can now enable GTP
Inspection stateful inspection in the firewall gracefully with minimal
disruption to GTP traffic. You can allow GTPv2, GTPv1-C, and
GTP-U packets that fail GTP stateful inspection to pass through
a firewall. Although the firewall drops such packets by default
after GTP stateful inspection is enabled, allowing them to pass
minimizes disruption when you deploy a new firewall or when
you migrate GTP traffic.
Graceful Enablement of Stream Control With PAN-OS 9.0.4 and subsequent versions, you may now
Transmission Protocol (SCTP) Stateful easily enable SCTP stateful inspection in the firewall with little
Inspection disturbance to SCTP traffic. SCTP packets that fail SCTP stateful
inspection can be allowed to flow across a firewall. Although the
firewall rejects such packets by default after enabling SCTP
stateful inspection, allowing them to pass reduces interruption
when deploying a new firewall or migrating SCTP traffic.

2.3.5 References
● Advanced URL Filtering,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/advanced-url-filtering
● Content Inspection Features,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-data-filtering/predefined-data-filtering-patterns.html
● DNS Security Analytics,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/dns-security-analytics.html

Domain 3: Architecture and Planning
3.1 Identify customer requirements

3.1.1 Explain how reference architecture guides can enable discovery


Reference architecture guides provide an architectural overview for using Palo Alto Networks
technologies to provide visibility, control, and protection to applications built in a specific
environment. These guides are required reading prior to using their companion deployment
guides. Deployment guides provide decision criteria for deployment scenarios, as well as
procedures for combining Palo Alto Networks technologies with third-party technologies in an
integrated design.

3.1.2 Demonstrate understanding of the design elements that relate to applications, users, and
infrastructure

The Palo Alto Networks approach provides a strong preventive strategy for reducing risk,
preventing the threats you can, and detecting and investigating the threats you can’t. Our
approach also allows organizations to automate responses while gaining intelligence with each
incident.

Palo Alto Networks offers an intelligent network security platform, Strata, to provide consistent and
integrated security controls for your users—whether they are on your network or remote, accessing
applications on-premises or in the cloud. The Strata network security platform provides security
management, cloud-delivered security services, and NGFWs with ML and analytics to identify new
types of threats and devices.

The security strategy for Palo Alto Networks NGFWs is to focus on flexible deployment that protects
all locations with simple and consistent management of the following:

● Users. Identify users and leverage user information as an attribute in policy controls.
● Applications. Identify applications, regardless of port, protocol, or evasive techniques, and
block malicious activity pretending to be legitimate traffic.
● Content. Identify and inspect content to keep the network and users safe from malicious
software.
● Devices. Discover, inventory, and gain visibility into all the devices in your network to apply
policy based on a device type, rather than attempting to track dynamically changing IP
addresses.

The NGFWs inspect all traffic flows to look for potential threats, malicious content, and
unauthorized applications, regardless of device location or type.

The NGFWs allow you to identify users and their IP addresses, safely identify and enable allowed
applications, safeguard against malicious files or unpermitted content, and secure and understand
the devices that are in your network. High-speed decryption capabilities built into the NGFW
enable traffic inspection based on defined Security policy rules that reduce risk, increase visibility,
and block malicious activity and content.

The NGFWs come in physical, virtual, and containerized form factors, and all form factors provide
an SP3. The SP3 increases performance by performing multiple operations only once on a packet.
You can manage NGFWs through Panorama™, a scalable and centralized management platform.

NGFW capabilities are leveraged as a cloud-delivered network security platform called Prisma
Access. Prisma Access provides secure internet access at the service edge for branch, retail, and
mobile users. Prisma Access provides the same consistent networking and security as the physical,
virtualized, and containerized NGFWs to secure your users and data in transit.

In addition to Strata, Palo Alto Networks also offers comprehensive cloud security with the Prisma
Cloud suite of products and offers advanced detection and response capabilities with the Cortex™
suite of products. Strata, Prisma, and Cortex are fully integrated, providing security teams and
security operations (including security operations centers [SOCs]) consistent protection and
visibility from the endpoint to the cloud.

3.1.3 Identify cloud-delivered security services requirements based on a customer’s architecture
or deployment strategy

DNS Security
Automatically secure your DNS traffic by using Palo Alto Networks DNS Security service, a
cloud-based analytics platform providing your firewall with access to DNS signatures generated
using advanced predictive analysis and machine learning, with malicious domain data from a
growing threat intelligence sharing community.

WildFire
The cloud-delivered WildFire® malware analysis service uses data and threat intelligence from the
industry’s largest global community and applies advanced analysis to automatically identify
unknown threats and stop attackers in their tracks.

Threat Prevention
Threat Prevention defends your network against both commodity threats—which are pervasive but
not sophisticated—and targeted, advanced threats perpetrated by organized cyber adversaries.
Threat Prevention includes comprehensive exploit, malware, and command-and-control
protection, and Palo Alto Networks frequently publishes updates that equip the firewall with the
very latest threat intelligence. You can use the Threat Vault to research the latest threats that Palo
Alto Networks next-generation firewalls can detect and prevent.

Advanced URL Filtering
Palo Alto Networks URL filtering solution, Advanced URL Filtering, gives you a way to control not
only web access, but how users interact with online content. PAN-DB, the Advanced URL Filtering
cloud, classifies sites based on content, features, and safety, and you can enforce your security
policy based on these URL categories. You can also prevent credential phishing by tightly
controlling the types of sites to which users can enter their corporate credentials.

Visit Test A Site to see how PAN-DB categorizes a URL, and to learn about all available URL
categories. Review the Advanced URL Filtering datasheet for a high-level summary of how
Advanced URL Filtering enables safe web access and protects your users from dangerous websites,
malware sites, credential-phishing pages, and attacks that attempt to leverage web browsing to
deliver threats.

Enterprise Data Loss Prevention
Palo Alto Networks Enterprise DLP is the industry’s first cloud-delivered solution that
comprehensively protects sensitive data across all networks, clouds, and users. It easily enables
data protection and compliance in minutes, eliminating deployment and ongoing management
cycles to ensure the most cost effective enterprise DLP on the market.

SaaS Security
SaaS Security is an integrated CASB (Cloud Access Security Broker) solution that helps Security
teams like yours meet the challenges of protecting the growing availability of sanctioned and
unsanctioned SaaS applications and maintaining compliance consistently in the cloud while
stopping threats to sensitive information, users, and resources. SaaS Security options include SaaS
Security API (formerly Prisma SaaS) and the SaaS Security Inline add-on.

Use SaaS Security Inline to discover and manage risks posed by unsanctioned SaaS apps while you
rely on SaaS Security API to scan assets in the cloud for at-rest detection, inspection, and
remediation across all user, folder, and file activity within sanctioned SaaS applications. With both
SaaS Security Inline and SaaS Security API, you have an integrated CASB that offers better security
outcomes without the complexity of third-party integrations and the overhead and cost of
managing the large number of vendors that come with legacy CASBs. Review the SaaS Security privacy
datasheet for details on the privacy of the data you store in SaaS applications and how SaaS
Security handles that data.

IoT Security
The IoT Security solution works with next-generation firewalls to dynamically discover and maintain
a real-time inventory of the IoT devices on your network. Through AI and machine-learning
algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device
types encountered for the first time. And because it’s dynamic, your IoT device inventory is always
up to date. IoT Security also provides the automatic generation of policy recommendations to
control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall
policies. You need an IoT Security subscription to access this solution.

3.1.4 Identify Panorama customer management and logging requirements

Palo Alto Networks® Cortex Data Lake provides cloud-based, centralized log storage and
aggregation for your on-premises and virtual (private cloud and public cloud) firewalls, for Prisma
Access, and for cloud-delivered services such as Cortex XDR.

Cortex Data Lake is secure, resilient, and fault-tolerant, and it ensures your logging data is
up-to-date and available when you need it. It provides a scalable logging infrastructure that
alleviates the need for you to plan and deploy Log Collectors to meet your log retention needs. If
you already have on-premises Log Collectors, Cortex Data Lake can easily complement your
existing setup. You can augment your existing log collection infrastructure with the cloud-based
Cortex Data Lake to expand operational capacity as your business grows, or to meet the capacity
needs for new locations.

When you plan your Panorama deployment, estimate how much log storage capacity Panorama
requires to determine which Panorama models to deploy, whether to expand the storage on those
appliances beyond their default capacities, whether to deploy Dedicated Log Collectors, and
whether to configure log forwarding from Panorama to external destinations. When log storage
reaches the maximum capacity, Panorama automatically deletes older logs to create space for new
ones.

Perform the following steps to determine the approximate log storage that Panorama requires.

Step 1: Determine the log retention requirements of your organization. Factors that affect log
retention requirements include:

● IT policy of your organization.
● Log redundancy (if you enable log redundancy when you configure a Collector Group, each
log will have two copies, which doubles your required log storage capacity).
● Regulatory requirements, such as those specified by the Payment Card Industry Data
Security Standard (PCI DSS), Sarbanes-Oxley Act, and Health Insurance Portability and
Accountability Act (HIPAA).

Step 2: Determine the average daily logging rates.

Do this multiple times each day at peak and nonpeak times to estimate the average. The more
often you sample the rates, the more accurate your estimate.

● Display the current log generation rate in logs per second:

○ If Panorama is not yet collecting logs, access the command line interface (CLI) of
each firewall, run the following command, and calculate the total rates for all the
firewalls. This command displays the number of logs received in the last second:

> debug log-receiver statistics

○ If Panorama is already collecting logs, run the following command at the CLI of each
appliance that receives logs (Panorama management server or Dedicated Log
Collector) and calculate the total rates. This command gives the average logging rate
for the last 5 minutes:

> debug log-collector log-collection-stats show incoming-logs

● Calculate the average of the sampled rates.
● Calculate the daily logging rate by multiplying the average logs per second by 86,400.

Step 3: Estimate the required storage capacity.

Use the formula:

<required_storage_duration> x <average_log_size> x <average_logging_rate>

The average log size varies considerably by log type. However, you can use 500 bytes as an
approximate average log size. For example, if Panorama must store logs for 30 days and the
average total logging rate for all firewalls is 21,254,400 logs per day, then the required log storage
capacity is: 30 x 500 x 21,254,400 = 318,816,000,000 bytes (approximately 318GB).

Step 4: Next steps.

If you determine that Panorama requires more log storage capacity:

● Expand the log storage capacity on the Panorama virtual appliance.
● Increase storage on the M-Series appliance.
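
The sizing procedure above, worked through in code. This is an added example, not part of the study guide: it averages sampled logs-per-second readings (Step 2), converts them to a daily rate, and applies the Step 3 formula with the guide's 500-byte average log size and the Collector Group redundancy doubling from Step 1. The inverse calculation (how many days of retention a given capacity holds) and the sample readings are additions constructed here.

```python
"""Added example (not part of the study guide): Panorama log storage sizing.

Implements Steps 2 and 3 of the procedure: average the sampled logs-per-second
rates, convert to a daily rate with 86,400 seconds/day, and multiply by the
retention period, the average log size (500 bytes is the guide's approximation)
and the number of copies kept (two when Collector Group log redundancy is on).
The inverse calculation (days a capacity can hold) is an addition of this
example, not something the guide spells out.
"""
from typing import Iterable

SECONDS_PER_DAY = 86_400
DEFAULT_AVG_LOG_BYTES = 500  # approximate average log size used by the guide


def average_logs_per_second(samples: Iterable[float]) -> float:
    """Step 2: average the sampled rates (mix peak and non-peak readings)."""
    values = list(samples)
    if not values:
        raise ValueError("at least one logs/second sample is required")
    if any(v < 0 for v in values):
        raise ValueError("a logging rate cannot be negative")
    return sum(values) / len(values)


def daily_log_rate(avg_lps: float) -> float:
    """Step 2: logs per day = average logs/second x 86,400."""
    return avg_lps * SECONDS_PER_DAY


def required_storage_bytes(logs_per_day: float, retention_days: int,
                           avg_log_bytes: int = DEFAULT_AVG_LOG_BYTES,
                           log_redundancy: bool = False) -> int:
    """Step 3: <required_storage_duration> x <average_log_size> x <average_logging_rate>,
    doubled when Collector Group log redundancy keeps two copies of every log."""
    copies = 2 if log_redundancy else 1
    return int(round(retention_days * avg_log_bytes * logs_per_day * copies))


def retention_days_for_capacity(capacity_bytes: int, logs_per_day: float,
                                avg_log_bytes: int = DEFAULT_AVG_LOG_BYTES,
                                log_redundancy: bool = False) -> int:
    """Inverse of Step 3: whole days of logs a capacity holds before Panorama
    starts deleting the oldest logs to make room."""
    copies = 2 if log_redundancy else 1
    bytes_per_day = avg_log_bytes * logs_per_day * copies
    return int(capacity_bytes // bytes_per_day)


if __name__ == "__main__":
    # Constructed samples: four CLI readings taken at peak and non-peak times.
    samples = [180.0, 310.0, 246.0, 248.0]
    lps = average_logs_per_second(samples)
    per_day = daily_log_rate(lps)
    print(f"average rate: {lps:.1f} logs/s, {per_day:,.0f} logs/day")
    for redundancy in (False, True):
        total = required_storage_bytes(per_day, retention_days=30, log_redundancy=redundancy)
        print(f"30 days, redundancy={redundancy}: {total:,} bytes "
              f"(~{total / 1_000_000_000:.1f} GB)")
    print("days a 2 TB appliance holds:",
          retention_days_for_capacity(2_000_000_000_000, per_day))
```

With the constructed samples the average comes to exactly 246 logs/s, which is the 21,254,400 logs/day of the guide's worked example, so the 30-day result reproduces its 318,816,000,000 bytes; enabling redundancy doubles it.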

3.1.5 Differentiate between private and public cloud WildFire

Palo Alto Networks firewalls across the world automatically forward unknown files and URL links
found in emails to the WildFire global threat intelligence cloud or to one of three WildFire regional
clouds in Europe, Japan, and Singapore for analysis. Each WildFire cloud analyzes samples and
generates malware signatures and verdicts independently of the other WildFire clouds. WildFire
signatures and verdicts are then shared globally, which enables WildFire users worldwide to
benefit from malware coverage regardless of the location where the malware was first detected.
Licensed WildFire users worldwide can also use the WildFire XML API or WildFire Dashboard to
manually upload files to WildFire for analysis.

In a Palo Alto Networks private cloud deployment, Palo Alto Networks firewalls forward files to a
WildFire appliance on a corporate network that is being used to host a private cloud analysis
location. A WildFire private cloud can receive and analyze files from up to 100 Palo Alto Networks
firewalls. Because the WildFire private cloud is a local sandbox, benign, grayware, and phishing
samples that are analyzed never leave the network. By default, the private cloud also does not send
discovered malware outside of the network; however, a client can choose to automatically forward
malware to the WildFire public cloud for signature generation and distribution. In this case, the
WildFire public cloud reanalyzes the sample, generates a signature to identify the sample, and
distributes the signature to all Palo Alto Networks firewalls with Threat Prevention and WildFire
licenses. Signatures for general distribution to other customers are only generated when
forwarding malicious files to the public cloud offering. The WF-500 will create local signatures for
the customer's firewall deployment only.

3.1.6 References

● Network Security,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/network-security-overview
● Panorama Administrator's Guide—Determine Panorama Log Storage Requirements,
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/determine-panorama-log-storage-requirements.html

3.2 Identify deployment use cases

3.2.1 Explain the use and value of the different deployment modes

The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo
Alto Networks firewall can operate in multiple deployments simultaneously because you can
configure interfaces to support different deployments. For example, you can configure the
Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode. The interfaces that
the firewall supports are:

● Physical interfaces. The firewall supports two types of media—copper and fiber optic—that
can send and receive traffic at different transmission rates. You can configure Ethernet
interfaces as the following types: tap, HA, log card (interface and subinterface), decrypt
mirror, virtual wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3
(interface and subinterface), and aggregate Ethernet. The available interface types and
transmission speeds vary by hardware model.

● Logical interfaces. These include VLAN interfaces, loopback interfaces, tunnel interfaces,
and software-defined wide area network (SD-WAN) interfaces. You must set up the physical
interface before defining a VLAN, SD-WAN, or tunnel interface.

3.2.2 Identify architecture requirements for internet edge deployments

The VM-Series firewall secures inbound and outbound traffic to and from Amazon Elastic Compute
Cloud (EC2) instances within the Amazon Web Services (AWS) Virtual Private Cloud (VPC). Because
the AWS VPC only supports an IP network (Layer 3 networking capabilities), the VM-Series firewall
can only be deployed with Layer 3 interfaces.

● Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS VPC.
If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and
safely enable applications for users who access these applications over the internet. For
example, the following diagram shows the VM-Series firewall deployed in the edge subnet
to which the internet gateway is attached. The application(s) are deployed in the private
subnet, which does not have direct access to the internet.

● When users need to access the applications in the private subnet, the firewall receives the
request and directs it to the appropriate application, after verifying Security policy and
performing destination network address translation (NAT). On the return path, the firewall
receives the traffic, applies Security policy, and uses source NAT to deliver the content to the
user.

● Deploy the VM-Series firewall for VPN access between the corporate network and the EC2
instances within the AWS VPC.

● To connect your corporate network with the applications deployed in the AWS cloud, you
can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel
allows users on your network to securely access the applications in the cloud.

● For centralized management, consistent enforcement of policy across your entire network,
and centralized logging and reporting, you can also deploy Panorama in your corporate
network. If you need to set up VPN access to multiple VPCs, using Panorama allows you to
group the firewalls by region and administer them with ease.

● Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users
using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based
on the request, the gateway either sets up a VPN connection to the corporate network or
routes the request to the internet. To enforce security compliance for users on mobile
devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction
with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security
Manager ensures that mobile devices are managed and configured with the device settings
and account information for use with corporate applications and networks.

● Deploy the VM-Series firewall with the Amazon Elastic Load Balancing (ELB) service,
whereby the firewall can receive data plane traffic on the primary interface in the following
scenarios where the VM-Series firewall is behind the Amazon ELB:

○ The VM-Series firewall(s) is securing traffic outbound directly to the internet without
the need for using a VPN link or a Direct Connect link back to the corporate network.
○ The VM-Series firewall secures an internet-facing application when there is exactly
one back-end server, such as a web server, for each firewall. The VM-Series firewalls
and web servers can scale linearly, in pairs, behind ELB.

If you want to automatically scale VM-Series firewalls with the Amazon ELB service, use the
CloudFormation template available in the GitHub repository. This template allows you to deploy
the VM-Series firewall in an ELB sandwich topology with an internet-facing classic ELB and either
an internal classic load balancer or an internal application load balancer (internal ELB).

3.2.3 Explain architecture use cases for cloud deployments

Virtual firewalls can secure public cloud services from providers such as Google Cloud Platform
(GCP), AWS, and Microsoft Azure. These firewalls typically act as guest virtual machines within
public cloud environments. Some can provide visibility across multiple CSP deployments.

Virtual firewalls also help organizations:

● Meet public cloud user security obligations. CSPs are typically responsible for lift-and-shift
applications, SaaS applications, and cloud infrastructure (database, storage, and
networking). However, organizations using these services are usually responsible for the
security of the operating systems, platforms, access control, data, intellectual property,
source code, and customer-facing content that typically sit on top of the infrastructure.

● Ensure compliance with regulatory standards. Virtual firewalls can be deployed to
implement threat prevention capabilities and segmentation (isolating valuable,
well-protected systems) to meet regulatory standards such as PCI DSS, HIPAA, the
European Union’s General Data Protection Regulation, and Society for Worldwide Interbank
Financial Telecommunications regulations.

● Boost the built-in security features unique to each public cloud platform. Some virtual
firewalls provide inline threat prevention, which helps secure the flow of traffic moving
laterally within a cloud environment and augments the basic, built-in security unique to
each CSP.

3.2.4 Explain architecture requirements for core deployments

Tap deployments

A network tap is a device that provides a way to access data flowing across a computer network.
Tap mode deployment allows you to passively monitor traffic flows across a network by way of a
network tap or a Switched Port Analyzer (SPAN) or mirror port.

By deploying the firewall in tap mode, you can get visibility into which applications are running on
your network without having to make any changes to your network design. When in tap mode, the
firewall can also identify threats on your network. Keep in mind that because the traffic is not
running through the firewall when in tap mode, it cannot take any action on the traffic, such as
blocking traffic with threats or applying QoS traffic control.

Advantages:

● Allows visibility into the network traffic.
● Easy to deploy.
● Easy to implement for proof-of-concept (PoC) testing.
● Can be implemented without service interruption.

Disadvantages:

● Device cannot take actions, such as blocking traffic or applying QoS traffic control.
● You cannot perform forward decryption.

Virtual wire deployments

In a virtual wire (vWire) deployment, the firewall is installed transparently in the network. This
deployment mode is typically used when no switching or routing is needed or desired. A vWire
deployment allows the firewall to be installed in any network environment without requiring
configuration changes to adjacent or surrounding network devices.

The vWire deployment mode binds any two Ethernet ports together, placing the firewall inline on
the wire, and can be configured to block or allow traffic based on VLAN tags (VLAN tag “0” is
untagged traffic). Multiple subinterfaces can be added to different security zones to classify traffic
according to a VLAN tag or a combination of a VLAN tag with IP classifiers (i.e., address, range, or
subnet). This allows for granular policy control of the traffic traversing the two vWire interfaces for
specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.

Advantages:

● Allows visibility into network traffic.
● Simple to install and configure. No configuration changes needed to surrounding network
devices.
● Allows decryption.
● Easy to implement for PoC testing.
● Device can act on the traffic, such as allow, block, or perform QoS.
● Supports NAT in PAN-OS version 4.1 and later.

Disadvantages:

● Cannot perform Layer 3 functionality on the device, such as routing.
● Cannot perform any switching on the device.

Layer 2 deployments

In a Layer 2 deployment, the firewall provides switching between two or more networks. Each
group of interfaces must be assigned to a VLAN, and additional Layer 2 subinterfaces can be
defined as needed. Choose this option when switching is required.

Advantages:

● There is visibility into network traffic.
● Allows decryption.
● The device can act on the traffic, such as block or perform QoS.

Disadvantage:

● The device does not participate in spanning tree protocol.

Layer 3 deployments

In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must
be assigned to each interface, and a virtual router must be defined to route the traffic. Choose this
option when routing or NAT is required.

Advantages:

● Provides full firewall functionality, such as traffic visibility, blocking traffic, rate-limiting traffic,
NAT, and routing, including support for common routing protocols.
● Acts as VPN tunnel termination point.
● Allows decryption.

Disadvantage:

● Inserting the device into the network will require IP configuration changes on adjacent
devices.

3.2.5 References
● Plan Your Data Center Best Practice Deployment,
https://docs.paloaltonetworks.com/best-practices/10-1/data-center-best-practices/data-center-best-practices-checklist/plan-data-center-best-practices-deployment-checklist.html
● 3 Virtual Firewall Use Cases,
https://www.paloaltonetworks.com/cyberpedia/3-virtual-firewall-use-cases

3.3 Describe the flexibility of Palo Alto Networks platform networking capabilities

3.3.1 Explain how virtual routers work on NGFWs

A virtual router is a function of the firewall that participates in Layer 3 routing. The firewall uses
virtual routers to obtain routes to other subnets through manually defined static routes or through
participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall
obtains through these methods populate the IP routing information base (RIB) on the firewall.
When a packet is destined for a different subnet than the one it arrived on, the virtual router
obtains the best route from the RIB, places it in the forwarding information base (FIB), and
forwards the packet to the next hop router defined in the FIB. The firewall uses Ethernet switching
to reach other devices on the same IP subnet. (An exception to one best route going in the FIB
occurs if you are using equal-cost multi-path routing, in which case all equal-cost routes go in the
FIB.)

The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3
packets. The destination zone is derived from the outgoing interface based on the forwarding
criteria, and the firewall consults policy rules to identify the Security policy rules that it applies to
each packet. In addition to routing to other network devices, virtual routers can route to other
virtual routers within the same firewall if a next hop is specified to point to another virtual router.

You can configure Layer 3 interfaces on a virtual router to participate with dynamic routing
protocols (Border Gateway Protocol [BGP], Open Shortest Path First [OSPF], OSPF version 3
[OSPFv3], or Routing Information Protocol [RIP]) as well as add static routes. You can also create
multiple virtual routers, each maintaining a separate set of routes that aren’t shared between
virtual routers, enabling you to configure different routing behaviors for different interfaces.

You can configure dynamic routing from one virtual router to another by configuring a loopback
interface in each virtual router, creating a static route between the two loopback interfaces, and
then configuring a dynamic routing protocol to peer between these two interfaces.

Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall must be
associated with a virtual router. While each interface can belong to only one virtual router, you can
configure multiple routing protocols and static routes for a virtual router. Regardless of the static
routes and dynamic routing protocols you configure for a virtual router, one general configuration
is required:

Step 1: Gather the required information from your network administrator:

● Interfaces on the firewall that you want to perform routing.
● Administrative distances for static, OSPF internal, OSPF external, internal BGP (IBGP),
external BGP (EBGP), and RIP.

Step 2: Create a virtual router and apply interfaces to it.

The firewall comes with a virtual router named “default.” You can edit the default virtual router or
add a new virtual router.

● Select Network > Virtual Routers.
● Select a virtual router (the one named default or a different virtual router), or select Add and
enter the Name of a new virtual router.
● Select Router Settings > General.
● Click Add in the Interfaces box and select an already defined interface from the drop-down
menu.
● Repeat this step for all interfaces you want to add to the virtual router.
● Click OK.

Step 3: Set administrative distances for static and dynamic routing.

Set administrative distances for types of routes as required for your network. When the virtual
router has two or more different routes to the same destination, it uses administrative distance
(preferring a lower distance) to choose the best path from different routing protocols and static
routes. Administrative distances for types of routes include:

● Static. Range is 10–240; default is 10.
● OSPF Internal. Range is 10–240; default is 30.
● OSPF External. Range is 10–240; default is 110.
● IBGP. Range is 10–240; default is 200.
● EBGP. Range is 10–240; default is 20.
● RIP. Range is 10–240; default is 120.

Step 4: Commit virtual router general settings.

Click OK and Commit.

Step 5: Configure Ethernet, VLAN, loopback, and tunnel interfaces as needed.
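
The route selection described in this section (RIB to FIB promotion, administrative distance with the Step 3 defaults, and the equal-cost multi-path exception), modelled in code. This is an added example, not firewall code or part of the study guide: the VirtualRouter class, its protocol names, the sample prefixes and next hops are all constructed here, and the tie-break between identical candidates when ECMP is off (first configured route wins) is an assumption of the model rather than documented behaviour.

```python
"""Added example (not part of the study guide): a simplified model of how a
virtual router promotes routes from the RIB to the FIB.

Modelled behaviour, following the section text:
  * the longest matching prefix wins for a destination;
  * for the same prefix, the route with the lowest administrative distance
    wins (defaults are the PAN-OS values listed in Step 3); metric breaks
    ties within a protocol;
  * when ECMP is enabled, all equal-cost routes to a prefix go into the FIB.
Without ECMP the first configured of several identical candidates is kept;
that tie-break is an assumption of this model.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

DEFAULT_ADMIN_DISTANCE: Dict[str, int] = {
    "static": 10,
    "ospf-int": 30,
    "ospf-ext": 110,
    "ibgp": 200,
    "ebgp": 20,
    "rip": 120,
}


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    next_hop: str
    protocol: str
    metric: int = 0


class VirtualRouter:
    def __init__(self, admin_distances: Optional[Dict[str, int]] = None, ecmp: bool = False):
        # Per-virtual-router administrative distances (Step 3), overriding the defaults.
        self.admin_distances = {**DEFAULT_ADMIN_DISTANCE, **(admin_distances or {})}
        self.ecmp = ecmp
        self.rib: List[Route] = []

    def add_route(self, prefix: str, next_hop: str, protocol: str, metric: int = 0) -> None:
        if protocol not in self.admin_distances:
            raise ValueError(f"unknown route source {protocol!r}")
        self.rib.append(Route(ip_network(prefix), next_hop, protocol, metric))

    def _preference(self, route: Route) -> Tuple[int, int]:
        # Lower administrative distance first, then lower metric.
        return (self.admin_distances[route.protocol], route.metric)

    def build_fib(self) -> Dict[IPv4Network, List[Route]]:
        """Keep the best route per prefix; keep all equal-cost routes only with ECMP."""
        fib: Dict[IPv4Network, List[Route]] = {}
        for prefix in dict.fromkeys(r.prefix for r in self.rib):
            candidates = [r for r in self.rib if r.prefix == prefix]
            best = min(self._preference(r) for r in candidates)
            winners = [r for r in candidates if self._preference(r) == best]
            fib[prefix] = winners if self.ecmp else winners[:1]
        return fib

    def lookup(self, destination: str) -> List[str]:
        """Return the next hop(s) the FIB would forward a destination address to."""
        dst = ip_address(destination)
        fib = self.build_fib()
        matching = [p for p in fib if dst in p]
        if not matching:
            return []
        longest = max(matching, key=lambda p: p.prefixlen)
        return [r.next_hop for r in fib[longest]]


def build_sample_router(ecmp: bool = False,
                        admin_distances: Optional[Dict[str, int]] = None) -> VirtualRouter:
    """Constructed RIB: a static default, the same /8 learned from OSPF and eBGP,
    and two equal-cost OSPF routes to a /16."""
    vr = VirtualRouter(admin_distances=admin_distances, ecmp=ecmp)
    vr.add_route("0.0.0.0/0", "203.0.113.1", "static")
    vr.add_route("10.0.0.0/8", "10.1.1.2", "ospf-int", metric=20)
    vr.add_route("10.0.0.0/8", "10.1.1.3", "ebgp")
    vr.add_route("10.20.0.0/16", "10.1.1.4", "ospf-int", metric=10)
    vr.add_route("10.20.0.0/16", "10.1.1.5", "ospf-int", metric=10)
    return vr


if __name__ == "__main__":
    for ecmp in (False, True):
        print(f"ecmp={ecmp}: 10.20.5.1 ->", build_sample_router(ecmp=ecmp).lookup("10.20.5.1"))
    print("10.99.1.1    ->", build_sample_router().lookup("10.99.1.1"))
    print("198.51.100.7 ->", build_sample_router().lookup("198.51.100.7"))
    # Raising eBGP's distance above OSPF internal flips which /8 route is installed.
    print("10.99.1.1 with ebgp=50 ->",
          build_sample_router(admin_distances={"ebgp": 50}).lookup("10.99.1.1"))
```

The interesting case is the /8 learned from both OSPF and eBGP: with the default distances eBGP (20) beats OSPF internal (30), so the OSPF route never reaches the FIB; raising the eBGP distance to 50 for that virtual router reverses the choice, which is the effect of the Step 3 settings.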

3.3.2 Identify the supported routing protocols

You can configure Layer 3 interfaces on a virtual router to participate with dynamic routing
protocols (e.g., BGP, OSPF, OSPFv3, or RIP) as well as add static routes. You can also create multiple
virtual routers, each maintaining a separate set of routes that are not shared between virtual
routers, enabling you to configure different routing behaviors for different interfaces.

RIP. RIP is an interior gateway protocol (IGP) that was designed for small IP networks. RIP relies on
hop count to determine routes; the best routes have the fewest number of hops. RIP is based on
the User Datagram Protocol (UDP) and uses port 520 for route updates. By limiting routes to a
maximum of 15 hops, the protocol helps prevent the development of routing loops while limiting
the supported network size. If more than 15 hops are required, traffic is not routed. RIP also can take
longer to converge than OSPF and other routing protocols. The firewall supports RIPv2.

OSPF. OSPF is an IGP that is most often used to dynamically manage network routes in large
enterprise networks. It determines routes dynamically by obtaining information from other routers
and advertising routes to other routers by way of Link State Advertisements (LSAs). The information
gathered from the LSAs is used to construct a topology map of the network. This topology map is
shared across routers in the network and used to populate the IP routing table with available
routes.

Changes in the network topology are detected dynamically and used to generate a new topology
map within seconds. A shortest path tree of each route is computed. Metrics associated with each
routing interface are used to calculate the best route. These can include distance, network
throughput, link availability, etc. Additionally, these metrics can be configured statically to direct
the outcome of the OSPF topology map.

The Palo Alto Networks implementation of OSPF fully supports the following RFCs:

● RFC 2328 (for IPv4)
● RFC 5340 (for IPv6)

BGP. BGP is the primary internet routing protocol. BGP determines network reachability based on
IP prefixes that are available within an autonomous system, or a set of IP prefixes that a network
provider has designated to be part of a single routing policy.

3.3.3 References

● Virtual Routers,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/virtual-routers/virtual-router-overview.html

3.4 Identify the most effective tools, resources, and reference guides for sizing

3.4.1 Identify available tools for platform sizing

The choice of the right NGFW appliance model depends on many parameters, but for a given
customer scenario those parameters alone are not sufficient to size an appliance correctly.

Avoid relying solely on datasheets and other performance-on-paper summaries, as they are
inaccurate points of comparison for firewalls. There are fundamental differences in features and
offerings from one firewall vendor to the next. For example, one vendor might measure
consolidated threat prevention features (e.g., IPS, antivirus, C2, URL filtering) in terms of
performance impact, while another might highlight performance impact based solely on
best-of-breed IPS capabilities in a standalone box. To ensure accurate firewall comparisons,
organizations should size capabilities to their real-world environment requirements (e.g., IPS,
application control, advanced malware detection) in addition to the traffic mix. When doing so, it is
critical to account for performance impacts from any future additions to the firewall system.

In addition, advanced capabilities, such as SSL decryption, will vary in performance impact
depending on processing logistics. Some vendors decrypt using the hardware form factor, while
others decrypt using software—each with varying degrees of performance effect. Further, threat
response performance should only be compared with all required signatures activated. Carefully
read the documentation for out-of-the-box collections of signatures to determine actual coverage.
Performance often continues to degrade with the introduction of additional signatures. Other
considerations include:

● Avoid trade-offs between security and performance. You should never have to decide
between enabling a feature or signature and crippling your performance.
● Accurately map to your requirements for throughput and traffic composition. It is
difficult to argue against testing the actual traffic to be secured.

Simulators cannot represent custom applications, real-world usage scenarios, or shadow IT. To
correctly size your next NGFW while also ensuring maximum performance, security, and return on
investment, you can run a PoC in your organization.

3.4.2 Demonstrate understanding of decryption requirements

You cannot protect your network against threats that you cannot see and inspect. Google’s
Transparency Report (first published in 2010) shows that no matter how you analyze Google web
traffic, in most cases, more than 90 percent of it is encrypted. Decrypt that traffic to protect your
network against hidden threats.

Decryption overview. The SSL and SSH encryption protocols secure traffic between two entities,
such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is
meaningless to entities other than the client and server with the certificates to affirm trust
between the devices and the keys to decode the data. Decrypt SSL and SSH traffic to do the
following:

● Prevent malware concealed as encrypted traffic from being introduced into your network.
For example, an attacker compromises a website that uses SSL encryption. Employees visit
that website and unknowingly download an exploit or malware. The malware then uses the
infected employee endpoint to move laterally through the network and compromise other
systems.
● Prevent sensitive information from moving outside the network.
● Ensure the appropriate applications are running on a secure network.
● Selectively decrypt traffic. For example, create a Decryption policy and profile to exclude
traffic for financial or healthcare sites from decryption.

Palo Alto Networks firewall decryption is policy-based and can decrypt, inspect, and control
inbound and outbound SSL and SSH connections. A Decryption policy enables you to specify traffic
to decrypt by destination, source, service, or URL category and to block, restrict, or forward the
specified traffic according to the security settings in the associated Decryption profile. A Decryption
profile controls SSL protocols, certificate verification, and failure checks to prevent traffic that uses
weak algorithms or unsupported modes from accessing the network. The firewall uses certificates
and keys to decrypt traffic to plaintext and then enforces App-ID and security settings on the
plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire,
and File Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the
plaintext traffic as the traffic exits the firewall to ensure privacy and security.
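
The two-stage decision described above (a Decryption policy that selects traffic by source, destination, service, or URL category, and a Decryption profile that blocks sessions using weak protocols, weak algorithms, or failed certificate checks), as a simplified model. This is an added example and not PAN-OS code or part of the study guide: the DecryptionRule and DecryptionProfile classes, the check names, the cipher keyword list, and the sample sessions are all constructed here; the real profile has more checks than this model shows.

```python
"""Added example (not part of the study guide): a simplified model of how a
Decryption policy and Decryption profile decide the fate of a TLS session.

Not PAN-OS code. It models only what the section describes: ordered policy
rules match on source zone, destination zone, service and URL category and
say decrypt or no-decrypt; the profile attached to a decrypt rule then blocks
sessions that use a protocol version below the minimum, a weak cipher suite,
an expired certificate or an untrusted issuer. All names and sample sessions
below are constructed for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


@dataclass(frozen=True)
class Session:
    src_zone: str
    dst_zone: str
    service: str          # e.g. "tcp/443"
    url_category: str
    tls_version: str
    cipher: str
    cert_expired: bool = False
    cert_trusted: bool = True


@dataclass(frozen=True)
class DecryptionRule:
    name: str
    action: str                                   # "decrypt" or "no-decrypt"
    src_zones: Tuple[str, ...] = ("any",)
    dst_zones: Tuple[str, ...] = ("any",)
    services: Tuple[str, ...] = ("any",)
    url_categories: Tuple[str, ...] = ("any",)

    def matches(self, s: Session) -> bool:
        def ok(values: Tuple[str, ...], value: str) -> bool:
            return "any" in values or value in values
        return (ok(self.src_zones, s.src_zone) and ok(self.dst_zones, s.dst_zone)
                and ok(self.services, s.service) and ok(self.url_categories, s.url_category))


@dataclass(frozen=True)
class DecryptionProfile:
    min_tls_version: str = "TLSv1.2"
    # Substrings that mark a weak or deprecated algorithm in a cipher suite name.
    blocked_cipher_keywords: Tuple[str, ...] = ("RC4", "DES", "MD5", "NULL", "EXPORT")
    block_expired_certificate: bool = True
    block_untrusted_issuer: bool = True

    def failure(self, s: Session) -> Optional[str]:
        """Return a reason to block the session, or None if every check passes."""
        if TLS_ORDER.get(s.tls_version, -1) < TLS_ORDER[self.min_tls_version]:
            return f"{s.tls_version} is below the minimum {self.min_tls_version}"
        for keyword in self.blocked_cipher_keywords:
            if keyword in s.cipher.upper():
                return f"weak algorithm in cipher suite {s.cipher}"
        if self.block_expired_certificate and s.cert_expired:
            return "expired server certificate"
        if self.block_untrusted_issuer and not s.cert_trusted:
            return "untrusted certificate issuer"
        return None


def evaluate(rules: List[DecryptionRule], profile: DecryptionProfile,
             session: Session) -> Tuple[str, str]:
    """First matching rule wins: no-decrypt bypasses, decrypt runs the profile checks."""
    for rule in rules:
        if not rule.matches(session):
            continue
        if rule.action == "no-decrypt":
            return ("bypass", rule.name)
        reason = profile.failure(session)
        if reason is not None:
            return ("block", f"{rule.name}: {reason}")
        return ("decrypt", rule.name)
    return ("bypass", "no matching rule")


# Constructed policy: exempt regulated categories first, then decrypt outbound web.
RULES = [
    DecryptionRule("no-decrypt-finance-health", "no-decrypt",
                   url_categories=("financial-services", "health-and-medicine")),
    DecryptionRule("decrypt-outbound", "decrypt",
                   src_zones=("trust",), dst_zones=("untrust",), services=("tcp/443",)),
]
PROFILE = DecryptionProfile()


def make_session(category: str, version: str, cipher: str, **kw) -> Session:
    return Session("trust", "untrust", "tcp/443", category, version, cipher, **kw)


# Constructed sessions, one per decision path.
SAMPLE_SESSIONS: Dict[str, Session] = {
    "bank":        make_session("financial-services", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    "modern":      make_session("computer-and-internet-info", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    "old-tls":     make_session("unknown", "TLSv1.0", "ECDHE-RSA-AES128-SHA"),
    "weak-cipher": make_session("unknown", "TLSv1.2", "ECDHE-RSA-RC4-SHA"),
    "expired":     make_session("unknown", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256",
                                cert_expired=True),
}

if __name__ == "__main__":
    for label, session in SAMPLE_SESSIONS.items():
        print(f"{label:12s} -> {evaluate(RULES, PROFILE, session)}")
```

Rule order matters: the no-decrypt exemption for regulated categories is listed first, so a banking session is bypassed before any profile check runs, while everything else that matches the outbound rule is decrypted only if it clears the profile.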

3.4.3 Identify and size customer logging requirements

Determining the log rate
To determine the log rate for a new customer:

● Leverage information from existing customer sources. Many customers use a third-party
logging solution such as Splunk, ArcSight, or QRadar. The number of logs sent from a
customer’s existing firewall solution can be pulled from those systems. When using this
method, get a log count from the third-party solution for a full day and divide by 86,400 (the
number of seconds in a day). Do this for several days to get an average. Be sure to include
both business and non-business days, as there is usually a large variance in log rate
between the two.

● Use data from an evaluation device. This information can give a useful starting point for
sizing purposes. With input from the customer, data can be extrapolated for other sites in
the same design. This method has the advantage of yielding an average over several days.
Two scripts can assist with gathering and calculating this information. The TS_LPS script can
be run against a tech support file pulled from an evaluation device. This script will calculate
the average connections per second (with 10 minute granularity), which can then be used to
estimate the log rate. The Device_LPS script can be run while the evaluation device is in use
and will pull the actual logging numbers based on the traffic that the evaluation device is
seeing. To use these scripts, download the script you want to use from the Palo Alto
Networks Sizing Storage for the Logging Service Knowledgebase article attachments,
unpack the zip file, and reference the README.txt file for instructions.

If no information is available, use the Device Log Forwarding table as a reference point. This
will be the least accurate method.

For existing customers, we can leverage data gathered from their existing firewalls and log
collectors:

● To check the log rate of a single firewall, download the file named “device_lps.zip” from the
Palo Alto Networks Sizing Storage for the Logging Service Knowledgebase article
attachments, unpack the zip file, and reference the README.txt file for instructions. This
package will query a single firewall over a specified period of time (you can choose how
many samples) and give an average number of logs per second for that period. If the
customer does not have a log collector, this process will need to be run against each firewall
in the environment.

● If the customer has a log collector (or log collectors), download the file named “lc_lps.zip”
from the Palo Alto Networks Sizing Storage for the Logging Service Knowledgebase article
attachments, unpack the zip file, and reference the README.txt file for instructions. This
package will query the log collector management information base to take a sample of the
incoming log rate over a specified period.

3.4.4 Identify tools and capabilities available for customer best practice review

The Customer Success Team at Palo Alto Networks has developed a prevention architecture with
tools and resources to help you review and assess the security risks of your network and how well
you have used the capabilities of the firewall and other tools to secure your network. Contact your
Palo Alto Networks representative to schedule assessments and reviews (a Palo Alto Networks sales
engineer conducts the reviews to provide expertise in assessing the security state of your network).
As of this publication, the available Security Risk prevention tools include:

Prevention Posture Assessment (PPA). The PPA is a set of questionnaires that help uncover
security risk prevention gaps across all areas of network and security architecture. The PPA not only
helps to identify all security risks, it also provides detailed suggestions on how to prevent the risks
and close the gaps. The assessment, guided by an experienced Palo Alto Networks sales engineer,
helps determine the areas of greatest risk where you should focus prevention activities. You can
run the PPA on firewalls and on Panorama.

Best Practice Assessment (BPA) Tool. The BPA for next-generation firewalls and Panorama
evaluates a device’s configuration by measuring the adoption of capabilities, validating whether
the policies adhere to best practices, and providing recommendations and instructions for how to
remediate failed best practice checks.

The Security Policy Adoption Heatmap component filters the information by device groups, serial
numbers, zones, areas of architecture, and other categories. The results include trending data,
which shows the rate of security improvement as you adopt new capabilities, fix gaps, and progress
toward a Zero-Trust network.

The BPA component performs more than 200 security checks on a firewall or Panorama
configuration and provides a pass/fail score for each check. Each check is a best practice identified
by Palo Alto Networks security experts. If a check returns a failing score, the tool provides the
justification for the failing score and how to fix the issue.

3.4.5 References
● PAN-OS Administrator’s Guide—Decryption,
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption.html
● Sizing Storage for the Logging Service,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVMCA0

Domain 4: Demonstration and Evaluation
4.1 Demonstrate knowledge of the advanced capabilities of the NGFW

4.1.1 Describe the value of the Palo Alto Networks consolidated Security policy

By leveraging the Palo Alto Networks platform to consolidate several security functions, all
organizations can reap the following benefits:

Business Benefits:
● Decrease capital and operations costs with fewer devices to deploy and manage.
● Simplify compliance with a consolidated set of logs and reports on a variety of security
threats.

Operational Benefits:
● Minimize network disruption with the ability to add new security functions as needed on
the same platform.
● Reduce manual work of correlating threats across multiple devices and platforms.
● Simplify and speed report creation process for management.
● Free up security teams to work on high-value work.

Security Benefits:
● Get better visibility into threats through a single pane of glass, with context and analysis.
● Use a positive enforcement model for tighter control of application traffic.
● Reduce the attack surface by eliminating unknown or unexpected applications.
● Enable faster time to threat prevention with automated updates pushed regularly to
devices.

4.1.2 Describe the NGFW’s ability to enforce application-default behavior and prevent misuse of
nonstandard ports
Applications running on unusual ports can indicate that an attacker is attempting to circumvent
traditional port-based protections. Application-default is a feature of Palo Alto Networks firewalls
that gives you an easy way to prevent this type of evasion and safely enable applications on their
most commonly used ports. Application-default is a best practice for application-based Security
policy rules—it reduces administrative overhead and closes security gaps that port-based policy
introduces. Application-default also enables:

● Less overhead. Write simple application-based Security policy rules based on your business
needs, instead of researching and maintaining application-to-port mappings. We’ve defined
the default ports for all applications with an App-ID.
● Stronger security. Enabling applications to run only on their default ports is a security best
practice. Application-default helps you to make sure that critical applications are available
without compromising security if an application is behaving in an unexpected way.

Additionally, the default ports an application uses can sometimes depend on whether the
application is encrypted or cleartext. Port-based policy requires you to open all the default ports an
application might use to account for encryption. Open ports introduce security gaps that an
attacker can leverage to bypass your Security policy. However, application-default differentiates
between encrypted and clear-text application traffic. This means that it can enforce the default
port for an application, regardless of whether it is encrypted or not.

For example, without application-default, you would need to open ports 80 and 443 to enable
web-browsing traffic—you’d be allowing both clear-text and encrypted web browsing traffic on
both ports. With application-default turned on, the firewall strictly enforces clear-text web
browsing traffic only on port 80 and SSL-tunneled traffic only on port 443.
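To make that gap concrete, here is an added Python model of the two rule types (example code written for this guide, not Palo Alto Networks code). The App-ID port table, the rule's application list and the sample flows are constructed; the `encrypted` flag stands in for App-ID's clear-text/encrypted distinction, and the web-browsing ports are the 80/443 values given above.

```python
from dataclasses import dataclass

# Constructed App-ID port table for the rule's applications. The web-browsing
# values (tcp/80 clear-text, tcp/443 when encrypted) are the ones the guide
# gives; the table is an illustration, not the real Applipedia database.
APP_PORTS = {
    "web-browsing": {"standard": {80}, "secure": {443}},
}

# Applications the application-based rule allows (constructed).
RULE_APPS = {"web-browsing"}

# Ports the legacy port-based rule opens (service-http + service-https).
PORT_RULE_SERVICE = {80, 443}


@dataclass(frozen=True)
class Flow:
    app: str          # application as identified by App-ID
    port: int         # destination port
    encrypted: bool   # True if App-ID saw SSL/TLS on the flow


def port_based_allows(flow: Flow) -> bool:
    """Legacy rule: any application, as long as the port is open."""
    return flow.port in PORT_RULE_SERVICE


def app_default_allows(flow: Flow) -> bool:
    """Application-based rule with Service = application-default: the
    application must be one the rule lists, and it must sit on the port its
    App-ID entry defines for its current (clear-text or encrypted) form."""
    if flow.app not in RULE_APPS:
        return False
    entry = APP_PORTS[flow.app]
    expected = entry["secure"] if flow.encrypted else entry["standard"]
    return flow.port in expected


def compare(flows):
    """Map each flow to (port_based_verdict, app_default_verdict)."""
    return {f: (port_based_allows(f), app_default_allows(f)) for f in flows}


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("web-browsing", 80, False),   # ordinary clear-text browsing
    Flow("web-browsing", 443, True),   # ordinary HTTPS
    Flow("web-browsing", 443, False),  # clear-text HTTP pushed onto 443
    Flow("web-browsing", 80, True),    # TLS on port 80
    Flow("ssh", 443, True),            # a non-web application on 443
]

if __name__ == "__main__":
    for flow, (pb, ad) in compare(SAMPLE_FLOWS).items():
        print(f"{flow.app:13} port {flow.port:<4} encrypted={flow.encrypted!s:5} "
              f"port-based={pb!s:5} app-default={ad}")
```

Running it shows that clear-text web-browsing on 443 and an unrelated application on 443 both pass the port-based rule and both fail the application-default rule, which is the evasion the feature is meant to close.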

To see the ports that an application uses by default, you can visit Applipedia or select Objects >
Applications. Application details include the application’s standard port—the port it most
commonly uses when in clear-text. For web browsing traffic, SMTP, FTP, LDAP, POP3, and IMAP
details also include the application’s secure port—the port the application uses when encrypted.

Select Policy > Security and add or modify a rule to enforce applications only on their default
port(s).

4.1.3 Identify benefits of Policy Optimizer

Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an
App-ID-based rulebase, which improves your security by reducing the attack surface and allowing
visibility into applications so you can safely enable them. Policy Optimizer identifies port-based
rules so you can either convert them to application-based allow rules or add applications from a
port-based rule to an existing application-based rule without compromising application availability.
It also identifies over-provisioned App-ID-based rules (App-ID rules configured with unused
applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify
application-based rules that allow applications you do not use, and analyze rule usage
characteristics such as hit count.

Converting port-based rules to application-based rules improves your security posture because you
select the applications you want to allow and deny all other applications, so you eliminate
unwanted and potentially malicious traffic from your network. Combined with restricting
application traffic to its default ports (set the Service to application-default), converting to
application-based rules also prevents evasive applications from running on nonstandard ports.

You can use this feature on firewalls that run PAN-OS version 9.0. You do not have to upgrade
firewalls that Panorama manages to use Policy Optimizer. However, to use Rule Usage (monitor
policy rule usage), managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to
log collectors, those log collectors must also run PAN-OS version 9.0. Managed PA-7000 Series
firewalls that have an LPC can also run PAN-OS 8.1 (or later).

You can also use the Policy Optimizer feature to migrate port-based rules to application-based rules.
Instead of combing through traffic logs and manually mapping applications to port-based rules,
use Policy Optimizer to identify port-based rules and list the applications that matched each rule.
Then, you can select the applications you want to allow and safely enable them. Converting your
legacy port-based rules to application-based allow rules supports your business applications and
enables you to block any applications associated with malicious activity.

Finally, you can use this feature to identify over-provisioned application-based rules. Rules that are
too broad allow applications that you do not use on your network, which increases the attack
surface and the risk of inadvertently allowing malicious traffic.

4.1.4 Demonstrate knowledge of the Cloud Identity Engine’s ability to simplify deployment of
cloud-based services to provide user authentication

The Cloud Identity Engine consists of two components: Directory Sync, which provides user
information, and the Cloud Authentication Service, which authenticates users. For a more
comprehensive identity solution, Palo Alto Networks recommends using both components, but
you can configure the components independently.

The Cloud Authentication Service uses a cloud-based service to provide user authentication using
Security Assertion Markup Language 2.0-based Identity Providers (IdPs). When the user attempts
to authenticate, the authentication request is redirected to the Cloud Authentication Service,
which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the
user and applies the Security policy. By using a cloud-based solution, you can reallocate the
resources required for authentication from the firewall or Panorama to the cloud. The Cloud
Authentication Service also allows you to configure the authentication source once instead of for
each authentication method you use (for example, Authentication Portal or administrator
authentication).

Let us look at an Azure AD configuration example.


You can also sync directory changes to the Cloud Identity Engine, which quickly syncs only the
recent changes to your directory and takes much less time than a full sync.

Step 1: Prepare to deploy the Cloud Identity Engine so that it can provide user mappings to the
firewall.
● If you have not already done so, install the device certificate for your firewall or Panorama.
● Activate the Cloud Identity Engine app. You can activate CIE in the application portal/Hub at
https://apps.paloaltonetworks.com/apps

Step 2: Configure Azure Active Directory as your identity source in the Cloud Identity Engine app.

Step 3: Configure a Cloud Identity Engine profile on the firewall.


The Cloud Identity Engine retrieves the information for your instance based on your device
certificate and uses the Palo Alto Networks Services service route.
● On the firewall, select Device > User Identification > Cloud Identity Engine and Add a profile.
● For the Instance, specify each of the following:
○ Region. Select the regional endpoint for your instance.
○ Cloud Identity Engine Instance. If you have more than one instance, select the
instance you want to use.
○ Domain. Select the domain that contains the directories you want to use.
○ Update Interval (min). Enter the number of minutes that you want the firewall to
wait between updates. The default is 60 minutes, and the range is 1–1,440.

● Verify that the profile is Enabled.

● For the User Attributes, select the format for the Primary Username. You can optionally
select the formats for email and an alternate username. You can configure up to three
alternate username formats if your users log in using multiple username formats.

● For the Group Attributes, select the format for the Group Name.

● For the Device Attributes, select the Endpoint Serial Number. If you are using GlobalProtect
and you have enabled Serial Number Check, select the Endpoint Serial Number option to
allow the Cloud Identity Engine to collect serial numbers from managed endpoints. This
information is used by the GlobalProtect portal to check if the serial number exists in the
directory for verification that the endpoint is managed by GlobalProtect.

● Click OK, and then Commit your changes.

Step 4: Configure Security policy rules for your users (for example, by specifying one or more users
or groups that the firewall retrieves from the Cloud Identity Engine as the Source User).

The firewall collects attributes only for the users and groups that you use in Security policy rules,
not all users and groups in the directory.

Step 5: Verify that the firewall has the mapping information from the Cloud Identity Engine:

● On the client device, use the browser to access a webpage that requires authentication.
● Enter your credentials to log in.
● On the firewall, use the show user ip-user-mapping all command to verify that the mapping
information is available to the firewall.

Step 6: If you make changes to the directory that you configure in the Cloud Identity Engine, sync
changes for your directory.

By default, the Cloud Identity Engine syncs changes every 5 minutes. If you want to instantly sync
your directory updates, you can sync just the changes to your Azure AD or on-premises AD. This is
much faster than a full sync of your directory.

Step 7: Configure an IdP for the Cloud Identity Engine for user authentication.

Step 8: Configure an Authentication profile to use the Cloud Authentication Service.

Step 9: Configure an Authentication policy that uses this Authentication profile.

Step 10: Verify that the firewall redirects authentication requests to the Cloud Authentication
Service:

● On the client device, use the browser to access a webpage that requires authentication.
● Enter your credentials to log in.
● Confirm that the access request redirects to the Cloud Authentication Service.

4.1.5 Demonstrate knowledge of dynamic user groups

Dynamic user groups (DUGs) help you to create policy that provides auto-remediation for
anomalous user behavior and malicious activity while maintaining user visibility. Previously,
without DUGs, quarantining users in response to suspicious activity meant making time- and
resource-consuming updates for all members of the group, updating the IP address-to-username
mapping to a label to enforce policy at the cost of user visibility, and having to wait until the firewall
checked the traffic. Now, with DUGs, you can configure a DUG to automatically include users as
members without having to manually create and commit policy or group changes and still
maintain user-to-data correlation at the device level before the firewall even scans the traffic.

To determine what users to include as members, a DUG uses tags as filtering criteria. As soon as a
user matches the filtering criteria, that user becomes a member of the DUG. The tag-based filter
uses logical AND and OR operators. Each tag is a metadata element or attribute-value pair that you
register on the source statically or dynamically. Static tags are part of the firewall configuration,
while dynamic tags are part of the runtime configuration. As a result, you do not need to commit
updates to dynamic tags if they are already associated with a policy that you have committed on
the firewall.

To dynamically register tags, you can use the following:

● The XML API
● The User-ID agent
● Panorama
● The web interface on the firewall

After you create the group and commit the changes, the firewall registers the users and associated
tags and then automatically updates the DUG’s membership. Because updates to DUG
membership are automatic, using DUGs instead of static group objects allows you to respond to
changes in user behavior or potential threats without manual policy changes.

The firewall redistributes the tags for the DUG to the listening redistribution agents, which include
other firewalls, Panorama, or a Dedicated Log Collector, as well as Cortex applications.
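As an added example (not code from the study guide or from Palo Alto Networks), the following Python builds the User-ID API payload that registers a tag on a user and evaluates a DUG match expression against the tags the firewall holds at runtime. The uid-message structure and the `type=user-id` API call are the documented PAN-OS XML API shape; the host name, API key, tag names and users are constructed placeholders, and the filter grammar (quoted tag names joined with and/or, optionally parenthesized) is an assumption about the match-criteria syntax.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_register_user_payload(user: str, tags) -> str:
    """uid-message that registers one or more tags on a user. This is the
    PAN-OS User-ID API payload shape; it is posted as the 'cmd' parameter."""
    msg = ET.Element("uid-message")
    ET.SubElement(msg, "version").text = "1.0"
    ET.SubElement(msg, "type").text = "update"
    payload = ET.SubElement(msg, "payload")
    reg = ET.SubElement(payload, "register-user")
    entry = ET.SubElement(reg, "entry", user=user)
    tag_el = ET.SubElement(entry, "tag")
    for tag in tags:
        ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(msg, encoding="unicode")


def build_api_request(host: str, api_key: str, payload_xml: str):
    """URL and form body for the POST to the XML API; nothing is sent here."""
    url = f"https://{host}/api/"
    body = urlencode({"type": "user-id", "key": api_key, "cmd": payload_xml})
    return url, body


# --- DUG match expression -> predicate over a user's registered tags -------
# Assumed grammar: quoted tag names combined with and / or, with parentheses.
_TOKEN = re.compile(r"\s*(\(|\)|and|or|'[^']*')", re.IGNORECASE)


def _tokenize(expr: str):
    pos, tokens = 0, []
    expr = expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad filter near {expr[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def dug_filter(expr: str):
    """Compile a match expression into a function set_of_tags -> bool."""
    toks = _tokenize(expr)
    i = 0

    def peek():
        return toks[i].lower() if i < len(toks) else None

    def take():
        nonlocal i
        if i >= len(toks):
            raise ValueError("unexpected end of filter")
        i += 1
        return toks[i - 1]

    def atom():
        t = take()
        if t == "(":
            node = or_expr()
            if take() != ")":
                raise ValueError("missing ')'")
            return node
        if t.startswith("'"):
            name = t[1:-1]
            return lambda tags: name in tags
        raise ValueError(f"unexpected token {t!r}")

    def and_expr():
        node = atom()
        while peek() == "and":
            take()
            node = (lambda l, r: lambda tags: l(tags) and r(tags))(node, atom())
        return node

    def or_expr():
        node = and_expr()
        while peek() == "or":
            take()
            node = (lambda l, r: lambda tags: l(tags) or r(tags))(node, and_expr())
        return node

    pred = or_expr()
    if i != len(toks):
        raise ValueError("trailing tokens in filter")
    return pred


def dug_members(expr: str, registered: dict) -> list:
    """registered maps user -> set of tags currently registered for that user."""
    pred = dug_filter(expr)
    return sorted(user for user, tags in registered.items() if pred(tags))
```

`build_register_user_payload("corp\\alice", ["suspicious-login"])` yields the XML a SOAR playbook or script would POST to `https://<firewall>/api/` with `type=user-id`; once the tag is registered, a DUG whose match criteria include that tag picks the user up without a commit, as the section describes.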

4.1.6 References
● PAN-OS Administrator’s Guide Security Policy,
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-policy
● Policy Optimizer,
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-o
ptimizer.html
● Dynamic User Groups,
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic
-user-groups.html

4.2 Identify NGFW features that can protect against unknown threats

4.2.1 Explain how WildFire protects against unknown threats

WildFire identifies files with potential malicious behaviors and then delivers verdicts based on their
actions by applying threat intelligence, analytics, and correlation alongside advanced capabilities,
including:

● Complete malicious behavior visibility. Identifies threats in all traffic across hundreds of
applications, including web traffic; email protocols like Simple Mail Transfer Protocol (SMTP),
Internet Message Access Protocol (IMAP), and Post Office Protocol (POP); and file-sharing
protocols like Server Message Block protocol (SMB) and File Transfer Protocol (FTP),
regardless of ports or encryption.

● Suspicious network traffic analysis. Monitors all network activity produced by a suspicious
file, including backdoor creation, downloading of next-stage malware, visiting
low-reputation domains, network reconnaissance, and more.

● Fileless attack/script detection. Identifies when potentially malicious scripts, such as
JScript and PowerShell, are traversing the network and forwards them to WildFire for
analysis and execution.

The powerful discovery and analysis capabilities of WildFire are seamlessly integrated with
numerous products across the Palo Alto Networks portfolio as well as within leading partner
solutions.

4.2.2 Explain how App-ID prevents malicious use of services and ports

App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls,
identifies applications regardless of port, protocol, encryption (SSH or SSL), or any other evasive
tactic used by the application. It applies multiple classification mechanisms—application
signatures, application protocol decoding, and heuristics—to your network traffic stream to
accurately identify applications.

Here’s how App-ID identifies applications traversing your network:

● Traffic is matched against policy to check whether it is allowed on the network.

● Signatures are then applied to allowed traffic to identify the application based on unique
application properties and related transaction characteristics. The signature also determines
if the application is being used on its default port or if it is using a nonstandard port. If the
traffic is allowed by policy, the traffic is then scanned for threats and further analyzed to
identify the application more granularly.

● If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in
place, the session is decrypted and application signatures are applied again on the
decrypted flow.

● Decoders for known protocols are then used to apply additional context-based signatures to
detect other applications that may be tunneling inside of the protocol (for example,
Hangouts used across HTTP). Decoders validate that the traffic conforms to the protocol
specification and provide support for NAT traversal and opening dynamic pinholes for
applications such as Session Initiation Protocol (SIP) and File Transfer Protocol (FTP).

● For applications that are particularly evasive and cannot be identified through advanced
signature and protocol analysis, heuristics or behavioral analysis may be used to determine
the identity of the application.

When the application is identified, the policy check determines how to treat the application—for
example, block, allow and scan for threats, inspect for unauthorized file transfer and data patterns,
or shape using QoS.

4.2.3 Describe the benefits of URL Filtering in protecting against unknown threats

We strongly recommend that you block the URL categories that identify malicious or exploitive
content. To get started, you can clone the default URL Filtering profile that blocks malware,
phishing, and C2 URL categories by default. The default URL Filtering profile also blocks the abused
drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block
these URL categories depends on your business requirements. For example, a university probably
will not want to restrict student access to most of these sites because availability is important, but a
business that values security first may block some or all of them.

URL Filtering examines the following URL categories:

● C2. URLs and domains that are used by malware or compromised systems to surreptitiously
communicate with an attacker’s remote server to receive malicious commands or exfiltrate
data.

● Malware. Sites known to host malware or to be used for C2 traffic. May also exhibit exploit
kits.

● Phishing. URLs or domains known to host credential phishing pages or phish for personal
identification information.

● Grayware. Websites and services that do not meet the definition of a virus or pose a direct
security threat but display obtrusive behavior. These sites may influence users to grant
remote access or perform other unauthorized actions. Grayware includes scams, criminal
activities, adware, and other unwanted or unsolicited applications, such as embedded
crypto miners or hijackers that change the elements of the browser. Typo squatting
domains that do not exhibit maliciousness and are not owned by the targeted domain will
be categorized as grayware. Previously, the firewall placed grayware in either the malware or
questionable URL category. If you are unsure about whether to block grayware, start by
alerting on grayware, investigate the alerts, and then decide whether to block grayware or
continue to alert on grayware.

● Dynamic DNS. Hosts and domain names for systems with dynamically assigned IP
addresses that are oftentimes used to deliver malware payloads or C2 traffic. Dynamic DNS
domains do not go through the same vetting process as domains that are registered by a
reputable domain registration company and are therefore less trustworthy.

● Unknown sites. Sites that have not yet been identified by PAN-DB. If availability is critical to
your business and you must allow the traffic, then alert on unknown sites, apply the best
practice Security profiles to the traffic, and investigate the alerts.

● Newly registered domains. Domains often generated purposely or by domain generation
algorithms (DGAs) that are used for malicious activity.

● Copyright infringement. Domains with illegal content, such as content that allows illegal
download of software or other intellectual property, that poses a potential liability risk. This
category was introduced to enable adherence to child protection laws required in the
education industry as well as laws in countries that require internet providers to prevent
users from sharing copyrighted material through their services.

● Extremism. Websites promoting terrorism, racism, fascism, or other extremist views
discriminating against people or groups of different ethnic backgrounds, religions, or other
beliefs. This category was introduced to enable adherence to child protection laws required
in the education industry. In some regions, laws and regulations may prohibit allowing
access to extremist sites, and allowing access may pose a liability risk.

● Proxy avoidance and anonymizers. URLs and services often used to bypass content
filtering products.

● Questionable websites. Websites containing tasteless humor or offensive content
targeting specific demographics of individuals or groups of people.

● Parked domains. Domains registered by individuals, oftentimes later found to be used for
credential phishing. These domains may be similar to legitimate domains—for example,
pal0alt0netw0rks.com—with the intent of phishing for credentials or personally identifiable
information. Or, they may be domains that an individual purchases rights to in hopes that it
may be valuable someday, such as panw.net.

4.2.4 Identify configuration artifacts associated with DNS Security

Configure your DNS policies to protect your network from DNS queries to malicious domains. You
can configure your Anti-Spyware profile to use locally available, downloadable DNS signature sets
(packaged with the Antivirus and WildFire updates) or, optionally, access DNS Security, a
cloud-based service that provides real-time access to DNS signatures and protections against
advanced threats. These are configurable as individual signature sources; additionally, DNS Security
allows you to configure each domain category separately. It is a best practice to override the default
settings and to reconfigure each category with a log severity, policy action, and packet capture
setting that reflects the risks associated with a given domain type.

4.2.5 References
● WildFire,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content
/pan/en_US/resources/datasheets/wildfire
● PAN-OS Administrator’s Guide—DNS Security,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin.html

4.3 Identify NGFW features that can protect against known threats

4.3.1 Identify configuration artifacts associated with threat prevention

The Palo Alto Networks NGFW protects and defends your network from commodity threats and
advanced persistent threats (APTs). The firewall’s multipronged detection mechanisms include:

● A signature-based (IPS/C2/antivirus) approach
● Heuristics-based (bot detection) approach
● Sandbox-based (WildFire) approach
● Layer 7 protocol analysis-based (App-ID) approach

Commodity threats are exploits that are less sophisticated. They are more easily detected and
prevented using a combination of antivirus, anti-spyware, and vulnerability protection features
combined with URL filtering and application identification capabilities on the firewall.

Advanced threats are perpetrated by organized cyber adversaries who use sophisticated attack
vectors to target your network, most commonly for intellectual property theft and financial data
theft. These threats are more evasive and require intelligent monitoring mechanisms for detailed
host and network forensics on malware. The Palo Alto Networks NGFW, together with WildFire and
Panorama, provides a comprehensive solution that intercepts and breaks the attack chain and
provides visibility to prevent security infringement on your network infrastructure—including
mobile and virtualized.

Signature-based (IPS/C2/antivirus) approach


There are three types of Palo Alto Networks threat signatures, each designed to detect different
types of threats as the firewall scans network traffic:

● Antivirus signatures. Detect viruses and malware found in executables and file types
● Anti-spyware signatures. Detect C2 activity, where spyware on an infected client is
collecting data without the user’s consent and/or communicating with a remote attacker
● Vulnerability signatures. Detect system flaws that an attacker might otherwise attempt to
exploit. A signature’s severity indicates the risk of the detected event, and a signature’s
default action (e.g., block or alert) is how Palo Alto Networks recommends that you enforce
matching traffic.

You must set up antivirus, anti-spyware, and vulnerability protection to tell the firewall which action
to take when it detects a threat. You can easily use the default Security profiles to start blocking
threats based on Palo Alto Networks recommendations. You can modify or create new profiles to
more granularly enforce potential threats on each signature type and category—even on specific
signatures.

Heuristics-based (bot detection) approach based on correlation objects


A correlation object is a definition file that specifies patterns to match against, the data sources to
use for the lookups, and time periods within which to look for these patterns. A pattern is a Boolean
structure of conditions that queries the following data sources (or logs) on the firewall: application
statistics, traffic, traffic summary, threat summary, threat, data filtering, and URL filtering. Each
pattern has a severity rating and a threshold for the number of times the pattern match must
occur within a defined time limit to indicate malicious activity. When the match conditions are
met, a correlated event is logged.

A correlation object can connect isolated network events and look for patterns that indicate a more
significant event. These objects identify suspicious traffic patterns and network
anomalies—including suspicious IP activity, known C2, known vulnerability exploits, or botnet
activity—that, when correlated, indicate with a high probability that a host on the network has
been compromised. Correlation objects are defined and developed by the Palo Alto Networks
Threat Research team and are delivered with the weekly dynamic updates to the firewall and
Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license.
Panorama requires a support license for updates.
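An added illustration of what a pattern's threshold and time window mean in practice (example code written for this guide, not the firewall's correlation engine): the pattern counts matching threat-log entries per source host inside a sliding window and logs a correlated event when the count reaches the threshold. The pattern definition, the log record layout and the log entries are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class ThreatLog:
    ts: datetime
    src: str        # source host
    category: str   # e.g. "spyware" for anti-spyware (C2) signatures
    severity: str


@dataclass
class CorrelationPattern:
    name: str
    severity: str
    threshold: int                          # matches required inside the window
    window: timedelta
    condition: Callable[[ThreatLog], bool]  # Boolean match condition


def correlate(pattern: CorrelationPattern,
              logs: List[ThreatLog]) -> List[Tuple[str, datetime, str, str]]:
    """Count condition matches per source host in a sliding time window and
    emit a correlated event (host, time, pattern, severity) when the count
    reaches the threshold. The window is cleared after firing so the same
    hits are not reported twice."""
    hits = defaultdict(deque)
    events = []
    for log in sorted(logs, key=lambda entry: entry.ts):
        if not pattern.condition(log):
            continue
        q = hits[log.src]
        q.append(log.ts)
        while q and log.ts - q[0] > pattern.window:   # drop hits outside window
            q.popleft()
        if len(q) >= pattern.threshold:
            events.append((log.src, log.ts, pattern.name, pattern.severity))
            q.clear()
    return events


# Constructed pattern: three or more C2 (spyware) signature hits from one host
# inside ten minutes indicate a likely compromised host.
C2_BEACON_PATTERN = CorrelationPattern(
    name="repeated-c2-beacon",
    severity="high",
    threshold=3,
    window=timedelta(minutes=10),
    condition=lambda log: log.category == "spyware",
)

T0 = datetime(2022, 2, 1, 9, 0, 0)

# Constructed threat log sample: 10.1.1.5 beacons three times in four minutes,
# 10.1.1.9 only twice and twenty minutes apart.
SAMPLE_THREAT_LOGS = [
    ThreatLog(T0, "10.1.1.5", "spyware", "critical"),
    ThreatLog(T0 + timedelta(minutes=1), "10.1.1.5", "vulnerability", "medium"),
    ThreatLog(T0 + timedelta(minutes=2), "10.1.1.5", "spyware", "critical"),
    ThreatLog(T0 + timedelta(minutes=4), "10.1.1.5", "spyware", "critical"),
    ThreatLog(T0, "10.1.1.9", "spyware", "critical"),
    ThreatLog(T0 + timedelta(minutes=20), "10.1.1.9", "spyware", "critical"),
]

if __name__ == "__main__":
    for host, when, name, sev in correlate(C2_BEACON_PATTERN, SAMPLE_THREAT_LOGS):
        print(f"{when:%H:%M} correlated event '{name}' severity={sev} host={host}")
```

Only 10.1.1.5 produces a correlated event; the vulnerability log does not count toward the spyware pattern, and the two hits from 10.1.1.9 never fall inside one ten-minute window.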

Sandbox-based (WildFire) approach


Palo Alto Networks WildFire is built on a cloud-based architecture that can be utilized by your
existing Palo Alto Networks NGFW. If a public cloud option is out of the question for your company,
Palo Alto Networks sells a WF-500 appliance for private cloud deployments.

Layer 7 approach based on App-ID


App-ID enables visibility into the applications on the network, so you can learn how they work and
understand their behavioral characteristics and relative risks. This application knowledge allows
you to create and enforce Security policy rules to enable, inspect, and shape desired applications
and block unwanted applications. When you define policy rules to allow traffic, App-ID begins to
classify traffic without any additional configuration.

4.3.2 Identify configuration artifacts associated with DNS Security

Configure your DNS policies to protect your network from DNS queries to malicious domains. You
can configure your Anti-Spyware profile to use locally available, downloadable DNS signature sets
(packaged with the Antivirus and WildFire updates) or, optionally, access DNS Security, a
cloud-based service that provides real-time access to DNS signatures and protections against
advanced threats. These are configurable as individual signature sources; additionally, DNS Security
allows you to configure each domain category separately. It is a best practice to override the default
settings and to reconfigure each category with a log severity, policy action, and packet capture
setting that reflects the risks associated with a given domain type.

4.3.3 Identify configuration artifacts associated with Advanced URL Filtering

Advanced URL Filtering provides real-time URL analysis and malware prevention. In addition to
PAN-DB access, the Palo Alto Networks URL filtering database for high-performance URL lookups,
Advanced URL Filtering also offers coverage against malicious URLs and IP addresses. This
multilayered protection solution is configured through your URL Filtering profile.

Step 1: Obtain and install an Advanced URL Filtering license and confirm that it is installed. The
Advanced URL Filtering license includes access to PAN-DB; if the license expires, the firewall ceases
to perform all URL filtering functions, URL category enforcement, and URL cloud lookups.
Additionally, all other cloud-based updates will not function until you install a valid license.

● Select Device > Licenses. In the License Management section, select the license installation
method:
○ Retrieve license keys from license server.
○ Activate feature using authorization code.
● After installing the license, confirm that the Date Expires field in the Advanced URL Filtering
section displays a valid date.

Step 2: Download and install the latest PAN-OS content release. PAN-OS Applications and Threats
content release 8390-6607 and later allows firewalls operating PAN-OS 9.x and later to identify
URLs that have been categorized using the real-time-detection category, identifying URLs
classified by Advanced URL Filtering. For more information about the update, refer to the
Applications and Threat Content Release Notes. You can also review content release notes for apps
and threats on the Palo Alto Networks Support Portal or directly in the firewall web interface: Select
Device > Dynamic Updates and open the release note for a specific content release version.

Step 3: Schedule the firewall to download dynamic updates for applications and threats.
● Select Device > Dynamic Updates.
● In the Schedule field in the Applications and Threats section, click the None link to schedule
periodic updates.
● Applications and threats updates sometimes contain updates for URL filtering related to
safe search enforcement.

4.3.4 Explain how adopting external dynamic lists with threat intelligence protects against
known threats

An EDL is a text file that is hosted on an external web server so that the firewall can import
objects—IP addresses, URLs, and domains—included in the list and enforce policy. To enforce policy
on the entries included in the EDL, you must reference the list in a supported policy rule or profile.
As you modify the list, the firewall dynamically imports the list at the configured interval and
enforces policy without the need to make a configuration change or a commit on the firewall. If the
web server is unreachable, the firewall uses the last successfully retrieved list for enforcing policy
until the connection is restored with the web server. In cases where authentication to the EDL fails,
the Security policy stops enforcing the EDL. To retrieve the EDL, the firewall uses the interface
configured with the Palo Alto Networks Services service route, which is the management interface
by default. You can also customize the service routes that you would like the firewall to use.

The firewall supports four types of EDLs:

● IP address. The firewall typically enforces policy for a source or destination IP address that is
defined as a static object on the firewall. If you need agility in enforcing policy for a list of
source or destination IP addresses that emerge ad hoc, you can use an EDL of type IP
address as a source or destination address object in policy rules, and then configure the
firewall to deny or allow access to the IP addresses included in the list (e.g., IPv4 and IPv6
addresses, IP range, and IP subnets). The firewall treats an EDL of type IP address as an
address object; all the IP addresses included in a list are handled as one address object.

● Predefined IP address. A predefined IP address list is a type of IP address list that refers to
any Palo Alto Networks Malicious IP Address Feeds that have fixed or predefined contents.
These feeds are automatically added to your firewall if you have an active Threat Prevention
license. A predefined IP address list can also refer to any EDL that you create that uses a
Palo Alto Networks IP address feed as a source.

● URL. An EDL of type URL gives you the agility to protect your network from new threat
sources or malware. The firewall handles an EDL with URLs like a custom URL category. You
can use this list in two ways:

○ As a match criterion in Security policy rules, Decryption policy rules, and QoS policy
rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the
custom category.
○ In a URL Filtering profile to define more granular actions, such as continue, alert, or
override, before you attach the profile to a Security policy rule.

● Domain. An EDL of type domain allows you to import custom domain names into the
firewall to enforce policy using an Anti-Spyware profile. This capability is particularly useful if
you subscribe to third-party threat intelligence feeds and want to protect your network
from new threat sources or malware as soon as you learn of a malicious domain. For each
domain that you include in the EDL, the firewall creates a custom DNS-based spyware
signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of
type spyware with medium severity, and each signature is named “Custom Malicious DNS
Query <domain name>.”
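
As an added example (not code from the study guide or from Palo Alto Networks), the following Python models the EDL behaviour described above: parsing the IP, URL and domain object types, treating an IP list as one address object, naming the per-domain DNS signature, and the refresh rules for an unreachable server versus a failed authentication. The file format, the `#` comment convention, the fetch interface and the feed contents are assumptions; the addresses are documentation ranges.

```python
"""Model of how a firewall consumes an External Dynamic List (EDL). Added
example, not from the study guide or Palo Alto Networks. Assumed format: one
entry per line, text after '#' ignored; IP lists hold addresses, CIDR subnets
or 'low-high' ranges; URL entries are host[/path]. fetch() raises EdlAuthError
on rejected credentials and any other exception when the server is unreachable."""
import ipaddress
import re

# RFC 1123 hostname labels; a leading "*." wildcard is accepted (assumption).
DOMAIN_RE = re.compile(
    r"^(?:\*\.)?(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

class EdlAuthError(Exception):
    """Authentication to the EDL web server failed."""

def parse_ip_entry(entry):
    """Normalise one address, CIDR subnet or 'low-high' range to (low, high)."""
    if "-" in entry:
        low, high = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
    elif "/" in entry:
        net = ipaddress.ip_network(entry, strict=False)
        low, high = net[0], net[-1]
    else:
        low = high = ipaddress.ip_address(entry)
    if low.version != high.version or low > high:
        raise ValueError("bad range")
    return (low, high)

def parse_edl(text, kind):
    """Parse EDL text of kind 'ip', 'url' or 'domain' into (entries, errors).
    Bad lines are reported, not dropped, so a feed that changed format is noticed."""
    entries, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if kind == "ip":
                entries.append(parse_ip_entry(line))
            else:  # 'domain' or 'url' (url entries are host[/path])
                host = line.split("/", 1)[0] if kind == "url" else line
                if not DOMAIN_RE.match(host):
                    raise ValueError("not a valid hostname")
                entries.append(line.lower())
        except ValueError as exc:
            errors.append((lineno, str(exc)))
    return entries, errors

def ip_in_list(entries, ip):
    """The whole IP EDL is one address object: any matching entry is a hit."""
    addr = ipaddress.ip_address(ip)
    return any(lo.version == addr.version and lo <= addr <= hi for lo, hi in entries)

def dns_signature_name(domain):
    """Name of the custom spyware signature created for one domain-list entry."""
    return f"Custom Malicious DNS Query {domain}"

class EdlRefresher:
    """Keep the last good list while unreachable; stop enforcing when auth fails."""

    def __init__(self, kind, fetch):
        self.kind, self.fetch = kind, fetch
        self.entries, self.enforcing = [], False

    def refresh(self):
        try:
            text = self.fetch()
        except EdlAuthError:
            self.entries, self.enforcing = [], False
            return "auth-failed"
        except Exception:
            return "unreachable-kept-last"
        self.entries, errors = parse_edl(text, self.kind)
        self.enforcing = True
        return f"refreshed-{len(errors)}-errors"

    def matches(self, ip):
        return self.enforcing and ip_in_list(self.entries, ip)

# Constructed sample feed using documentation ranges, not real threat data.
SAMPLE_IP_FEED = """# constructed sample feed
192.0.2.0/24              # TEST-NET-1
198.51.100.7
203.0.113.10-203.0.113.20
2001:db8::/32
not-an-ip
"""

def simulate_refresh_cycle():
    """Three refreshes: success, then server unreachable, then auth failure."""
    outcomes = iter([SAMPLE_IP_FEED, ConnectionError("down"), EdlAuthError("401")])

    def fetch():
        item = next(outcomes)
        if isinstance(item, Exception):
            raise item
        return item

    edl = EdlRefresher("ip", fetch)
    return [(edl.refresh(), edl.matches("198.51.100.7")) for _ in range(3)]
```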

4.3.5 References
● Activate The Advanced URL Filtering Subscription,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/enable-advanced-url-filtering.html
● PAN-OS Administrator’s Guide—External Dynamic List,
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list.html

4.4 Explain how NGFWs can prevent credential theft

4.4.1 Describe the benefits of credential theft prevention

Phishing sites are sites that attackers disguise as legitimate websites to steal user information,
especially network access credentials. When a phishing email enters a network, it takes just a
single user to click the link and enter credentials to set a breach into motion. You can detect and
prevent in-progress phishing attacks, thereby preventing credential theft, by controlling sites to
which users can submit corporate credentials based on the site’s URL category. This allows you to
block users from submitting credentials to untrusted sites while allowing users to continue to
submit credentials to corporate and sanctioned sites.

Credential phishing prevention works by scanning username and password submissions to
websites and comparing those submissions against valid corporate credentials. You can choose
which websites you want to either allow or block corporate credential submissions based on URL
category. When the firewall detects a user attempting to submit credentials to a site in a category
you have restricted, it either displays a block response page that prevents the user from submitting
credentials or presents a continue page that warns users against submitting credentials to sites
classified in certain URL categories but still allows them to continue with the credential
submission. You can customize these block pages to educate users against reusing corporate
credentials, even on legitimate, non-phishing sites.

To enable credential phishing prevention, you must configure User-ID to detect when users submit
valid corporate credentials to a site (as opposed to personal credentials) and URL Filtering to
specify the URL categories in which you want to prevent users from entering their corporate
credentials. The following topics describe the different methods you can use to detect credential
submissions and provide instructions for configuring credential phishing protection.

Add a decryption policy rule to decrypt the traffic you want to monitor for user credential
submissions. Create a decryption policy rule to define traffic for the firewall to decrypt and the type
of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH
Proxy decryption. You can also use a decryption policy rule to define Decryption Mirroring.

4.4.2 Identify the components required to demonstrate and architect credential phishing
prevention

In this example, Bob requests access to an application server through the firewall. The firewall
checks its Authentication policy and finds a rule that matches Bob’s traffic. The Authentication
policy rule invokes multifactor authentication (MFA) to challenge Bob. Bob then enters the
additional authentication factor. After Bob is fully authenticated, the firewall checks its Security
policy to verify whether Bob is authorized to access the application server. If there is a matching
Security policy rule that grants Bob access, then Bob can access the application server.

This example also shows how an attacker with Bob’s stolen username and password will be denied
access to the application server. The attacker submits Bob’s stolen username and password to the
firewall. The firewall checks its Authentication policy for a rule that matches the access requested
by the attacker. The firewall locates a matching rule and invokes MFA to challenge the attacker.
Because the attacker does not know and cannot enter the second authentication factor, the
firewall blocks access to the requested network resource.

An Authentication policy enables an administrator to selectively issue MFA challenges based on the
sensitivity of the information stored on the network resource. A firewall administrator also can
configure the number and strength of the factors of authentication based on the sensitivity of the
information on each network resource. For example, you could require all corporate users to
authenticate using MFA once a day but require IT administrators to use MFA each time they use
remote desktop protocol to access an AD server.

Protect against phishing attacks

The diagram shows how credential phishing prevention identifies and blocks credential phishing
attacks. If an attacker can gain access to valid corporate credentials, such access typically can go
unnoticed for some time because the attacker is using a valid username and password.

In this example, an attacker has compromised a web server to steal user credentials.

Next, Bob receives a phishing email from an attacker that contains a link to the compromised web
server. Phishing emails typically describe some urgent or important action that must be taken or
an important document to be viewed.

Bob clicks the link in his email and connects to a phishing website that requests his credentials for
login. A phishing page can be specifically crafted to look like a legitimate banking site, a corporate
intranet login, Outlook Web Access page, or other application. Bob is tricked by the website and
enters his corporate credentials.

The firewall notices credential information in the web traffic and uses User-ID to detect whether
they are valid corporate credentials. You can configure User-ID to use one of three different
methods to detect corporate credentials in web traffic.

If User-ID detects valid corporate credentials, then the firewall consults its URL filtering
configuration to determine the URL categories for which users should be prevented from entering
their corporate credentials. In this case, Bob is trying to enter his corporate credentials to a blocked
website, so the firewall blocks his credentials from being submitted.

Block is not the only action that you can configure. You also can configure the firewall to allow
credential submission or to present a response page that warns users against submitting
credentials to websites. You can customize your response page to educate users against reusing
corporate credentials, even on legitimate, non-phishing sites.
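
The decision flow described in 4.4.1 and in the walkthrough above, as an added example (not code from the study guide or from Palo Alto Networks): corporate credentials are represented as a Bloom filter of salted hashes, an assumed stand-in for the User-ID detection methods the guide mentions but does not detail, and the hostnames, URL categories and per-category actions are constructed.

```python
"""Model of the credential phishing prevention decision. Added example, not
from the study guide or Palo Alto Networks. Assumptions: the firewall holds
corporate credentials only as a Bloom filter of salted hashes; URL categories
and per-category actions below are constructed."""
import hashlib
from urllib.parse import urlparse

SALT = b"constructed-demo-salt"  # constructed; a real deployment uses its own


def credential_token(username, password):
    """Salted hash of username:password; plaintext never leaves this function."""
    data = SALT + username.lower().encode() + b":" + password.encode()
    return hashlib.sha256(data).digest()


class BloomFilter:
    """Membership test without storing members: no false negatives, rare false positives."""

    def __init__(self, size_bits=8192, num_hashes=4):
        self.size, self.k = size_bits, num_hashes
        self.bits = bytearray(size_bits // 8)

    def _positions(self, item):
        for i in range(self.k):
            digest = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(digest[:4], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))


# Constructed corporate accounts; the filter is what the firewall would consult.
CORP_FILTER = BloomFilter()
for user, pwd in [("bob", "Winter2022!"), ("alice", "correct horse battery")]:
    CORP_FILTER.add(credential_token(user, pwd))

# Constructed URL category table and credential-submission actions from a
# URL Filtering profile. The actions the guide names: allow, alert, continue, block.
URL_CATEGORIES = {
    "intranet.corp.example": "corporate",
    "owa-login-update.example": "phishing",
    "paste.example": "unknown",
    "news.example": "news",
}
CREDENTIAL_ACTIONS = {"corporate": "allow", "phishing": "block",
                      "malware": "block", "unknown": "continue"}
DEFAULT_ACTION = "alert"  # log a warning for every other category, without blocking


def url_category(url):
    return URL_CATEGORIES.get(urlparse(url).hostname or "", "unknown")


def decide(url, username, password):
    """Decision for one observed credential submission (traffic already decrypted)."""
    category = url_category(url)
    corporate = credential_token(username, password) in CORP_FILTER
    if not corporate:
        action = "allow"  # personal credentials are outside the policy's scope
    else:
        action = CREDENTIAL_ACTIONS.get(category, DEFAULT_ACTION)
    return {"category": category, "corporate": corporate, "action": action}


def response_page(decision):
    """Text shown to the user for block/continue; None when no page is shown."""
    if decision["action"] == "block":
        return "Blocked: submitting corporate credentials to this site is not allowed."
    if decision["action"] == "continue":
        return "Warning: this site is uncategorised. Do not reuse corporate credentials."
    return None
```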

4.4.3 References
● PAN-OS Administrator’s Guide—Prevent Credential Phishing,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/prevent-credential-phishing.html

4.5 Explain the NGFW evaluation process

4.5.1 Determine the artifacts required to successfully execute a customer evaluation

Customers need to access data and services that are hosted from a wide range of locations (e.g.,
data centers, internet, and public cloud). Users need to be able to access data and services using
different devices (e.g., laptops, smartphones, and tablets) that can be owned by the company or by
the user (BYOD devices). Users must operate in various locations: private homes, company
headquarters, branch offices, public locations, and even during travel.

Users expect to be able to do all this seamlessly and securely. To guarantee user and network
security, the following security requirements must be met:

● Visibility into who is accessing which service, in which way, to gather what information, even
through encrypted channels.
● Protection against known threats.
● Protection against unknown zero-day threats.

Palo Alto Networks addresses these security requirements with multiple services and capabilities,
as described in the following table. Some capabilities require a specific subscription.

Let us look at Strata capabilities.

Requirement                          Palo Alto Networks Strata Capabilities

Visibility                           ● App-ID
                                     ● User-ID
                                     ● Decryption
                                     ● File blocking
                                     ● Data filtering

Protection against known threats     ● Antivirus
                                     ● Anti-spyware
                                     ● Vulnerability protection
                                     ● URL filtering
                                     ● EDLs
                                     ● DUGs
                                     ● Credential phishing protection

Protection against unknown threats   ● WildFire

4.5.2 Identify customer data privacy requirements

Palo Alto Networks privacy practices are informed by the following key principles:

● Accountability. We are responsible for the protection of the personal information entrusted
to us.
● Transparency and control. We inform customers when we collect their personal
information, and we honor their preferences for contacting them.
● Third parties processing our information. We choose trustworthy vendors and suppliers to
process our personal information, and we require them to commit to stringent privacy and
data security standards. We require our partners to commit to privacy policies and
standards that we consider adequate.
● Privacy by design. We apply privacy requirements and our privacy policy principles when
designing our products and when implementing new technologies internally.
● Data integrity and proportionality. We collect personal information for specific and
legitimate business purposes. We collect what we need to get the job done, we store it
safely and accurately, and we retain it as needed for its intended purpose.
● Customer benefit/value for customers. We share with our customers the benefits/value
we derive from processing their personal information.
● Security. We implement technical, organizational, and physical security measures to ensure
an appropriate level of security of the personal information we process.

4.5.3 Define baseline configuration requirements

More and more corporate environments support a BYOD policy, in addition to the growing
infrastructure of IoT devices, network printers, security cameras, and other devices connecting to
their networks. Leaders are presented with both a constantly growing area of risk with many
possibilities for exploitation by malicious users and the need for scalability as the number of users
and the number of accompanying devices on their network increases. And after identifying these
devices, how do leaders secure them from vulnerabilities such as outdated operating system software?

By using Device-ID on firewalls, or by pushing Device-ID policy from Panorama, organizations can
identify devices, obtain policy rule recommendations for those devices, and enforce Security policy
rules based on those recommendations.

Device-ID works much as User-ID provides user-based policy and App-ID provides app-based
policy: it supports policy rules that are based on a device, regardless of changes to its IP address
or location. Device-ID provides traceability for devices and associates network events with specific
devices, allowing security teams to gain context for how events relate to devices and to write
policies that are associated with devices instead of users, locations, or IP addresses, which can
change over time.

Device-ID can be used with Security, Decryption, QoS, and Authentication policies. An IP
address-to-MAC address mapping is required by the IoT Security application before any device
classification or analysis can happen. Before the IP address-to-MAC address mapping can be
obtained, the firewall must be able to observe Dynamic Host Configuration Protocol (DHCP)
unicast and broadcast traffic on the network to identify devices. The more traffic the firewall can
observe, the more accurate the policy rule recommendations will be.

Because the firewall needs to both detect the devices based on their traffic and then enforce
Security policy for those devices, the firewall acts as both a sensor to detect the traffic from the
devices and an enforcer by enforcing Security policy for the devices. The firewall automatically
detects new devices as soon as they send DHCP traffic.

PAN-OS 8.1 through 9.1 will gather data and enable the following in the IoT application:

● Device classification
● Behavior analysis
● Threat analysis

In addition to the PAN-OS 9.1 features, PAN-OS 10.0 will provide the following on the firewall:

● The ability to consume IP address-to-device mapping verdicts from the IoT application
● Enforcement by using a device as source or destination match criteria in policies
● The ability to consume policy recommendations from the IoT application
● Reporting visibility in reports and the ACC

4.5.4 Present results of an evaluation

Testing a next-generation firewall in your environment—with your traffic and data, for your specific
use cases—will demonstrate whether that firewall is the right choice for your organization’s unique
needs. With that in mind, here are five critical mistakes to avoid when evaluating a new
next-generation firewall and selecting the perfect fit.

Incorrectly Sizing the Firewall


Avoid relying solely on datasheets and other “performance on paper” summaries as they are
inaccurate points of comparison for firewalls. There are fundamental differences in features and
offerings from one firewall vendor to the next. For example, one vendor might measure
consolidated threat prevention features (e.g., intrusion prevention systems [IPS], antivirus,
command and control, URL filtering) in terms of performance impact, while another might
highlight performance impact based solely on best-in-class IPS capabilities in a standalone box.

To ensure accurate “apples to apples” firewall comparisons, you should size capabilities to your
organization’s real-world environments’ requirements (e.g., IPS, application control, advanced
malware detection) and your traffic mix. When doing so, it’s critical to account for performance
impact that may result from enabling other features in the future. In addition, advanced
capabilities, such as TLS/SSL decryption, will vary in performance impact depending on processing
logistics. Some vendors decrypt using the hardware form factor while others decrypt using
software—each with varying effects on performance. Further, threat response performance should
only be compared with all required signatures activated. Carefully read the documentation for
out-of-the-box collections of signatures to determine actual coverage. Performance often
continues to degrade with the introduction of additional signatures. Some further considerations:

● Avoid trade-offs between security and performance. You should never have to decide
between enabling a feature or signature and crippling your performance.
● Accurately map to your requirements for throughput and traffic composition. It is difficult
for anyone to argue against testing the actual traffic to be secured. Simulators can’t
represent custom applications, real-world usage scenarios, or shadow IT.

Choosing a Firewall in a Silo


Several teams within IT count on the firewall to enable them to do their jobs effectively and
efficiently, and they all have different needs and priorities:

● Networking teams prioritize hassle-free integration with current architecture, ease of use
and deployment, and network performance and uptime.
● Security teams focus on seamless integration with existing security controls, better overall
security, and threat prevention versus detect-and-respond tactics.
● Security operations teams work best with single-pane management and automation for
security features and capabilities.
● Data center teams need automated features and capabilities,
segmentation/microsegmentation of hybrid cloud environments, scalability to meet
evolving needs, and single-pane management.
● Application teams want simple, fast, and secure application development and deployment.

In a typical evaluation scenario, the firewall vendor works directly with the networking team to
evaluate and implement a firewall. Accounting only for the needs of the networking team is a
critical mistake, though—one with potentially dire results for other teams that rely on the firewall.
For example, the networking team usually isn’t concerned with security and may very well prefer
an option that doesn’t account for the scope of security your business demands. Both the security
and security operations teams should be engaged early to provide input on the level of threat
prevention and other security capabilities required. For the sake of overall business efficiency and
success, your organization should account for the varying needs of all key stakeholders when
choosing a new firewall.

Buying Into Roadmap Features and Promises


Purchasing a firewall based on the promise of future roadmap features is risky. First, there is a high
probability that timelines will slip, affecting business development, innovation, and execution of
projects and initiatives in progress. Second, there is no guaranteeing the stability, maturity, or
functionality of upcoming features before significant testing. New features may also require major
operating system version upgrades across all firewalls and connected management devices, the
complexity of which can outweigh the benefits.
Instead, you should look at past behavior to predict whether roadmap promises will be fulfilled.
Evaluate your next firewall purchase as part of a trusted and tested platform, verifying that core,
required features are available at the time of purchase. Furthermore, you’ll benefit from selecting a
next-generation firewall platform that can be easily updated with new security innovations,
comprehensive threat information, data analysis, and signatures. This way, security teams can solve
the most challenging security use cases with the best technology available, without the cost or
operational burden of deploying new infrastructure for each new function.

Failing to Account for Ease of Integration and Scalability


A new firewall should enhance your IT infrastructure without complex integration. It should easily
integrate with your current ecosystem without forcing you to replace other infrastructure
components with products from the same vendor—particularly in cases where integration is still
relatively complex even after those replacements. Often, once you’ve successfully migrated to a
single vendor, management issues and complexities persist between individual networking and
security devices.

You can avoid the age-old vendor lock-in hook by choosing a firewall vendor with a strong
community of technology partners to ensure seamless integration with your ecosystem from both
networking and security perspectives. In addition, you should not be forced to manage the
integration efforts of a new security platform—that should be the vendor’s responsibility.

Scalability as business requirements change is also a key factor when choosing a new firewall. A
vendor that uses cloud architecture for innovation and design can scale much more quickly
without the need to frequently update hardware on the network edge. In addition, the on-demand
nature of the cloud inherently offers greater agility, higher performance, and much faster access to
innovative technologies. This results in a higher likelihood of compatibility with future technology
and new applications, better overall support, and easier integration with your network.

Choosing a Firewall with Multiple Management Experiences


Some firewall vendors promise your networking and security teams will be able to “leverage the
same skill set” if you switch to their firewall. Unfortunately, this is often not true even when
switching between products from the same vendor (e.g., stateful inspection firewall to
next-generation firewall). When it comes to networking and security, resources and expertise are
often scarce. It’s counterproductive to choose a firewall vendor that employs completely different
design frameworks and management user interfaces from one product generation to another,
complicating deployment and introducing steep learning curves.

Avoid the compounding effects of maintaining multiple management interfaces during phased
hardware refreshes. This way, if you choose to migrate to a single vendor, integration and
management will be easy. If you choose not to, make sure the firewall vendor you choose offers a
vast ecosystem of strategic technology partners who can offer expert help in terms of manpower
and knowledge.

4.5.5 References
● Privacy,
https://www.paloaltonetworks.com/legal-notices/privacy
● 5 Critical Mistakes When Evaluating a Next Generation Firewall,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/five-critical-mistakes-to-avoid-when-evaluating-a-ngfw

Domain 5: Network Security Best Practices

5.1 Define the Palo Alto Networks best practice methodology using a Zero Trust approach to
network security

Zero Trust is a strategic approach to cybersecurity that secures an organization by eliminating
implicit trust and continuously validating every stage of digital interaction. The Zero Trust model
has become increasingly top of mind for executives who need to keep up with digital
transformation and adapt to the ever-changing security landscape. Unfortunately, many
organizations are still struggling with a poorly integrated, loose assembly of point products that do
not align with the strategic approach expected by board members and C-level executives.
Deployed properly, the Zero Trust enterprise is a strategic approach to cybersecurity that simplifies
and unifies risk management under one important goal: to remove all implicit trust in every digital
transaction. This means regardless of the situation, user, user location, device, source of connection,
or access method, cybersecurity must be built in by design in every network, connection, and
endpoint to address the modern threat landscape. By becoming a true Zero Trust enterprise,
organizations enjoy more consistent, improved security and simplified security operations that
effectively lower costs.

As an industry, we’ve reached a tipping point: Many users and apps now reside outside of the
traditional perimeter. A hybrid workforce is a new reality—businesses must provide access from
anywhere and deliver an optimal user experience. The days of managing implied trust by relying
on a static, on-premises workforce are gone. At the same time, application delivery has firmly tilted
in favor of the cloud—public or private—and has enabled development teams to deliver at an
unprecedented pace. However, new architectures, delivery, and consumption models create more
instances of implied trust, and an expanding catalog of applications creates a broader attack
surface, while implied trust granted to microservices yields new opportunities for attackers to move
laterally. Infrastructure can be anywhere, and everything is increasingly interconnected, making
the elimination of implicit trust even more critical. You can no longer simply trust IT equipment
such as printers or vendor-supplied hardware and software because IT and workplace
infrastructure are increasingly connected to internet-facing applications that centrally command
and orchestrate them. Anything internet-facing is a risk to your organization. Physical locations are
increasingly run by connected things, including IoT, which typically have more access than they
need. Traditional IT patching and maintenance strategies do not apply here—cyber adversaries
know this is ripe for exploitation.

As a pioneer in Zero Trust with thousands of customers and deployments, no one in security has
more experience than Palo Alto Networks across the entire security ecosystem, including network,
endpoint, IoT, and more. We know security is never one size fits all. Here’s what makes our Zero
Trust enterprise approach different:

● Comprehensive. Zero Trust should never focus on a narrow technology. Instead, it should
consider the full ecosystem of controls that many organizations rely on for protection.
● Actionable. Comprehensive Zero Trust isn’t easy, but getting started shouldn’t be hard. For
example, what current set of controls can be implemented using security tools you have
today?
● Intelligible. Convey your Zero Trust approach to nontechnical executives in a concise,
easy-to-understand summary, both in business and technical terms.
● Ecosystem-friendly. In addition to having one of the most comprehensive portfolios in the
market, we work with a broad ecosystem of partners.

Building the Zero Trust enterprise


Although Zero Trust is typically associated with securing users or use cases such as Zero Trust
Network Access (ZTNA), a comprehensive Zero Trust approach encompasses users, applications,
and infrastructure.

● Users. Step one of any Zero Trust effort requires strong authentication of user identity,
application of least access policies, and verification of user device integrity.
● Applications. Applying Zero Trust to applications removes implicit trust with various
components of applications when they talk to each other. A fundamental concept of Zero
Trust is that applications cannot be trusted and that continuous monitoring at runtime is
necessary to validate their behavior.
● Infrastructure. Everything infrastructure-related—routers, switches, cloud, IoT, and supply
chain—must be addressed with a Zero Trust approach.

5.1.1 Identify best practice for eliminating implicit user trust, regardless of user location

Step one of any Zero Trust effort requires strong authentication of user identity, application of “least
access” policies, and verification of user device integrity.

5.1.2 Identify best practice for eliminating implicit trust within applications

Applying Zero Trust to applications removes implicit trust with various components of applications
when they talk to each other. A fundamental concept of Zero Trust is that applications cannot be
trusted and that continuous monitoring at runtime is necessary to validate their behavior.

5.1.3 Identify best practice for eliminating implicit trust of infrastructure

Everything infrastructure-related—routers, switches, cloud, IoT, and supply chain—must be
addressed with a Zero Trust approach.

For each of the three pillars, it is critical to consistently:

● Establish identity using the strongest possible authentication. The request is
authenticated and authorized to verify identity before granting access. This identity is
continuously monitored and validated throughout the transaction.

● Verify the device/workload. Identifying the enterprise laptop, a server, a personal
smartphone, or a mission-critical IoT device requesting access; determining the device’s
identity; and verifying its integrity is integral to Zero Trust. The integrity of the device or host
requesting access must be verified. This integrity is continuously monitored and validated
for the lifetime of the transaction. Or, in the case of applications and cloud infrastructure,
the identity of the requested device or microservices, storage or compute resources, or
partner or third-party app should be verified before granting access.

● Secure the access. Enterprises need to ensure users only have access to the minimal
amount of resources they need to conduct an activity, restricting access to, for example,
data and applications. Even after authentication and checking for a clean device, you still
need to ensure least privilege.

● Secure all transactions. To prevent malicious activity, all content exchanged must be
continuously inspected to verify that it is legitimate, safe, and secure. Data transactions
must be fully examined to prevent enterprise data loss and attacks on the organization
through malicious activity.

5.1.4 References
● Architecting the Zero Trust Enterprise,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/architecting-zero-trust-enterprise

5.2 Demonstrate understanding of the best practices of the five-step methodology for
implementing the Zero Trust model

Organizations have acknowledged Zero Trust as a means to successfully prevent cyberattacks.
However, traditional security models and the concept of “all or nothing” have left companies
hesitant to begin the Zero Trust journey. Fortunately, building a Zero Trust architecture is much
simpler than it appears. Because Zero Trust is an augmentation of your existing architecture, it
does not require a complete technology overhaul. Rather, it can be deployed iteratively while
allowing you to take advantage of the tools and technologies you already have.

Using a five-step model for implementing and maintaining Zero Trust, you can understand where
you are in your implementation process and where to go next.

The five-step methodology for implementing a Zero Trust strategy presents a logical, clear path to
protecting your environment, data, applications, assets, services, and users. The way you apply the
methodology depends on what you’re protecting and your business requirements—what’s critical
to your business—but the outcomes you’re working toward are the same:

● Segment the network effectively and efficiently to prevent lateral movement.
● Protect business-critical data and systems from unauthorized applications and users.
● Protect business-critical applications from unauthorized access and usage.
● Enforce policy seamlessly across networks, cloud, and endpoints to simplify management
and apply consistent policy everywhere.

The five-step methodology works whether you’re implementing a Zero Trust strategy in the cloud,
on a private network, or on endpoints, regardless of infrastructure.

Step 1: Define Your Protect Surface
Step 2: Map the Protect Surface Transaction Flows
Step 3: Architect a Zero Trust Network
Step 4: Create the Zero Trust Policy
Step 5: Monitor and Maintain the Network

5.2.1 Explain customer-sensitive data discovery as defined in the Zero Trust model

Working tirelessly to reduce the attack surface is not viable in today’s evolving threat landscape.
The attack surface is always expanding, making it difficult to define, shrink, or defend against.
However, with Zero Trust, rather than focusing on the macro level of the attack surface, you
determine your protect surface. The protect surface encompasses the critical data, applications,
assets, and services (DAAS) most valuable for your company to protect.

Here are some examples of DAAS you might include in your protect surface:

● Data. Credit card information, protected health information, personally identifiable
information and intellectual property
● Applications. Off-the-shelf or custom software
● Assets. Supervisory control and data acquisition (SCADA) controls, point of sale terminals,
medical equipment, manufacturing assets, and IoT devices
● Services. DNS, DHCP, and AD

Once defined, you can move your controls as close as possible to that protect surface to create a
microperimeter with policy statements that are limited, precise, and understandable.

5.2.2 Define best practices for network security

Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely
enable applications, you must scan all traffic allowed into the network for threats. To do this, attach
Security profiles to all Security policy rules that allow traffic so that you can detect threats—both
known and unknown—in your network traffic. The following are the recommended best practice
settings for each of the Security profiles. You should attach these profiles to every Security policy
rule on your internet gateway policy rulebase.
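
The rule "attach these profiles to every Security policy rule that allows traffic" is easy to state and easy to drift from as a rulebase grows. The following is an added example (not code from this guide or from Palo Alto Networks) of a rulebase audit: it parses an XML fragment constructed here to mirror the shape of a firewall's security rulebase (rulebase/security/rules/entry with profile-setting/profiles children) and reports every allow rule missing one of the profile types. The rule names, profile names, and the exact XML layout are assumptions for the example; WildFire Analysis is included alongside the five profile types described in this section.

```python
"""Audit a PAN-OS style Security rulebase for allow rules that lack the
best practice Security profiles.  Added example: the XML below is
constructed to mirror the shape of a firewall rulebase export and is
not a real configuration."""
import xml.etree.ElementTree as ET

# Profile types every allow rule should carry.  Keys are the element
# names used under profile-setting/profiles; values are display names.
REQUIRED_PROFILES = {
    "virus": "Antivirus",
    "spyware": "Anti-Spyware",
    "vulnerability": "Vulnerability Protection",
    "url-filtering": "URL Filtering",
    "file-blocking": "File Blocking",
    "wildfire-analysis": "WildFire Analysis",
}

# Constructed sample rulebase (assumed layout, invented rule/profile names).
SAMPLE_RULEBASE = """<rulebase>
  <security>
    <rules>
      <entry name="allow-web">
        <action>allow</action>
        <profile-setting>
          <profiles>
            <virus><member>bp-antivirus</member></virus>
            <spyware><member>bp-anti-spyware</member></spyware>
            <vulnerability><member>bp-vuln</member></vulnerability>
            <url-filtering><member>bp-url</member></url-filtering>
            <file-blocking><member>strict file blocking</member></file-blocking>
            <wildfire-analysis><member>default</member></wildfire-analysis>
          </profiles>
        </profile-setting>
      </entry>
      <entry name="allow-dns">
        <action>allow</action>
        <profile-setting>
          <profiles>
            <virus><member>bp-antivirus</member></virus>
          </profiles>
        </profile-setting>
      </entry>
      <entry name="allow-legacy-app">
        <action>allow</action>
      </entry>
      <entry name="allow-grouped">
        <action>allow</action>
        <profile-setting>
          <group><member>bp-profile-group</member></group>
        </profile-setting>
      </entry>
      <entry name="deny-all">
        <action>deny</action>
      </entry>
    </rules>
  </security>
</rulebase>
"""


def audit_rulebase(xml_text):
    """Return {rule_name: [missing profile display names]} for allow rules
    that lack one or more required profile types.

    Deny/drop rules are skipped because profiles only act on traffic the
    firewall lets through.  Rules that reference a profile group are also
    skipped: the group's contents must be audited separately."""
    root = ET.fromstring(xml_text)
    findings = {}
    for rule in root.iterfind("./security/rules/entry"):
        if rule.findtext("action") != "allow":
            continue
        if rule.find("./profile-setting/group/member") is not None:
            continue
        attached = {
            name for name in REQUIRED_PROFILES
            if rule.find(f"./profile-setting/profiles/{name}/member") is not None
        }
        missing = [REQUIRED_PROFILES[n] for n in REQUIRED_PROFILES if n not in attached]
        if missing:
            findings[rule.get("name")] = missing
    return findings


if __name__ == "__main__":
    for name, missing in audit_rulebase(SAMPLE_RULEBASE).items():
        print(f"{name}: missing {', '.join(missing)}")
```

Run against a real export, the same loop would walk the vsys rulebase path instead of the trimmed root used here; the point of the check is that a rule with no profile-setting at all, like allow-legacy-app above, is the one that silently passes unknown files and exploits.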

Best practice File Blocking profile

Use the predefined strict file blocking profile to block files that are commonly included in malware
attack campaigns and that have no real use case for upload/download. Blocking these files reduces
the attack surface. The predefined strict profile blocks batch files, DLLs, Java class files, help files,
Windows shortcuts (.lnk), BitTorrent files, .rar files, .tar files, encrypted-rar and encrypted-zip files,
multilevel encoded files (files encoded or compressed up to four times), .hta files, and Windows
Portable Executable files, which include .exe, .cpl, .dll, .ocx, .sys, .scr, .drv, .efi, .fon, and .pif files. The
predefined strict profile alerts on all other file types for visibility into other file transfers so that you
can determine if you need to make policy changes.

Why do I need this profile?

Attackers can deliver malicious files in many ways: as attachments or links in corporate email or
webmail, as links or messages in social media, in exploit kits, through file sharing applications (such
as FTP, Google Drive, or Dropbox), or on USB drives. Attaching the strict file blocking profile reduces
your attack surface by preventing these types of attacks.

Best practice Antivirus profile

To ensure availability for business-critical applications, clone the default Antivirus profile and edit it
to match the best practice profile, as shown here. Then, attach it to all Security policy rules that
allow traffic.

The Antivirus profile has protocol decoders that detect and prevent viruses and malware from
being transferred over seven protocols: FTP, HTTP, HTTP2, IMAP, POP3, SMB, and SMTP. You can set
WildFire actions for all seven protocols because the Antivirus profile also enforces actions based on
WildFire signatures.

Why do I need this profile?
By attaching Antivirus profiles to all Security rules, you can block known malicious files (malware,
ransomware, bots, and viruses) as they are coming into the network. Common ways for users to
receive malicious files include malicious attachments in email, links to download malicious files, or
silent compromise facilitated by exploit kits that exploit a vulnerability and then automatically
download malicious payloads to the end user’s device.

Best practice Vulnerability Protection profile

Attach a Vulnerability Protection profile to all allowed traffic to protect against buffer overflows,
illegal code execution, and other attempts to exploit client- and server-side vulnerabilities.

To create a best practice Vulnerability Protection profile, clone the predefined strict Vulnerability
Protection profile. For each rule except simple-client-informational and
simple-server-informational, double-click the Rule Name and change Packet Capture from disable
to single-packet to enable packet capture (PCAP). This will let you track down the source of
potential attacks. Do not change the rest of the settings. Download content updates automatically
and install them as soon as possible so that the signature set is always up to date.

Why do I need this profile?
Without strict vulnerability protection, attackers can leverage client- and server-side vulnerabilities
to compromise end users. For example, an attacker could leverage a vulnerability to install
malicious code on client systems or use an exploit kit (Angler, Nuclear, Fiesta, or KaiXin) to
automatically deliver malicious payloads to the end user. Vulnerability Protection profiles also
prevent an attacker from using vulnerabilities on internal hosts to move laterally within your
network.

Best practice Anti-Spyware profile

Attach an Anti-Spyware profile to all allowed traffic to detect C2 traffic initiated from malicious code
running on a server or endpoint and to prevent compromised systems from establishing an
outbound connection from your network.

To create a best practice Anti-Spyware profile, clone the predefined strict Anti-Spyware profile and
edit it to enable DNS sinkhole and packet capture. This will let you track down the endpoint that
attempted to resolve the malicious domain. The best practice Anti-Spyware profile retains the
default action to reset the connection when the firewall detects a medium-, high-, or
critical-severity threat, and it enables single PCAP for those threats.

Do not enable PCAP for informational activity; it generates a relatively high volume of that traffic
and is not particularly useful compared to potential threats. Apply extended PCAP (as opposed to
single PCAP) to high-value traffic to which you apply the alert action. Apply PCAP using the same
logic you use to decide what traffic to log—take PCAPs of the traffic you log. Apply single PCAP to
traffic you block. The default number of packets that extended PCAP records and sends to the
management plane is five packets, which is the recommended value. In most cases, capturing five
packets provides enough information to analyze the threat. If too much PCAP traffic is sent to the
management plane, then capturing more than five packets may result in dropping PCAPs.

Configure your DNS policies to protect your network from DNS queries to malicious domains. You
can configure your Anti-Spyware profile to use locally available, downloadable DNS signature sets
(packaged with the Antivirus and WildFire updates) or, optionally, access DNS Security, a
cloud-based service that provides real-time access to DNS signatures and protections against
advanced threats. These are configurable as individual signature sources; additionally, DNS Security
allows you to configure each domain category separately. It is a best practice to override the default
settings and to reconfigure each category with a log severity, policy action, and packet capture
setting that reflects the risks associated with a given domain type.

Using the sinkhole setting identifies potentially compromised hosts that attempt to access
suspicious domains. The setting tracks the hosts and prevents them from accessing those
domains. Palo Alto Networks recommends using the sinkhole policy action instead of block to
maintain optimum protection while providing a mechanism to help identify compromised
endpoints. For domain categories that pose a greater threat, a higher log severity level or PCAP
setting is used. This can help determine if the attack was successful, identify the attack methods,
and provide better overall context.
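
Why sinkhole rather than block identifies the endpoint: clients normally query an internal resolver, so a blocked DNS query is logged with the resolver as its source, while a sinkholed query makes the client itself open a session to the sinkhole address, and that session shows up in the traffic log. The following added example (not code from this guide or from Palo Alto Networks) runs that comparison over constructed log lines in a simplified comma-separated layout, not the firewall's actual log format; the sinkhole address is a TEST-NET placeholder standing in for whatever address is configured in the Anti-Spyware profile.

```python
"""Find potentially compromised hosts from sessions to the DNS sinkhole
address.  Added example; log lines are constructed in a simplified
"time,src,dst,dport,app,action[,domain]" layout, not the real log
format, and the sinkhole address is an assumed placeholder."""
from collections import defaultdict

SINKHOLE_IP = "198.51.100.1"  # assumed sinkhole address (TEST-NET placeholder)

# Constructed threat log: DNS queries that matched malicious-domain
# signatures.  The source is the internal resolver (10.0.0.53) because
# the clients asked it, not the upstream server, for the name.
THREAT_LOG = [
    "2022-02-01 10:00:01,10.0.0.53,8.8.8.8,53,dns,sinkhole,bad-domain.example",
    "2022-02-01 10:02:10,10.0.0.53,8.8.8.8,53,dns,sinkhole,other-bad.example",
]

# Constructed traffic log: after the resolver relays the forged sinkhole
# answer, each infected client connects to the sinkhole address itself.
TRAFFIC_LOG = [
    "2022-02-01 10:00:02,10.1.4.22,198.51.100.1,443,ssl,allow",
    "2022-02-01 10:00:09,10.1.4.22,203.0.113.9,443,ssl,allow",
    "2022-02-01 10:02:11,10.1.7.5,198.51.100.1,80,web-browsing,allow",
    "2022-02-01 10:05:00,10.1.4.22,198.51.100.1,443,ssl,allow",
]


def resolver_only_view(threat_log):
    """Distinct sources in the DNS threat events.  With a plain block
    action this is all the firewall could tell you, and it points at the
    resolver rather than at the infected host."""
    return sorted({line.split(",")[1] for line in threat_log})


def sinkholed_hosts(traffic_log, sinkhole_ip=SINKHOLE_IP):
    """Map each source address that opened a session to the sinkhole
    address to the number of such sessions.  Every entry is a host that
    tried to reach a sinkholed domain and should be investigated."""
    hits = defaultdict(int)
    for line in traffic_log:
        fields = line.split(",")
        src, dst = fields[1], fields[2]
        if dst == sinkhole_ip:
            hits[src] += 1
    return dict(hits)


if __name__ == "__main__":
    print("DNS threat log sources:", resolver_only_view(THREAT_LOG))
    print("hosts that reached the sinkhole:", sinkholed_hosts(TRAFFIC_LOG))
```

The session count per host is worth keeping: a host that repeatedly reconnects to the sinkhole is beaconing, which is stronger evidence of an active implant than a single lookup.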

Best practice URL Filtering profile

Use PAN-DB URL filtering to prevent access to web content at high risk for being malicious. Attach
a URL Filtering profile to all rules that allow access to web-based applications to protect against
URLs that Palo Alto Networks has observed hosting malware or exploitive content.

The best practice URL Filtering profile sets all known dangerous URL categories to block. These
include C2, copyright infringement, dynamic DNS, extremism, malware, phishing, proxy avoidance
and anonymizers, unknown domains, newly registered domains, grayware, and parked domains.
Failure to block these dangerous categories puts you at risk for exploit infiltration, malware
download, C2 activity, and data exfiltration.

In addition to blocking known bad categories, alert on all other categories so you have visibility into
the sites your users are visiting. If you need to phase in a block policy, set categories to continue
and create a custom response page to educate users about your acceptable use policies and alert
them to the fact they are visiting a site that may pose a threat. This paves the way for you to block
the categories after a monitoring period.

What if I cannot block all of the recommended categories?

If users need access to sites in the blocked categories, consider creating an allow list for just the
specific sites, if you feel the risk is justified. Be aware of local laws and regulations that govern the
types of sites you can block, cannot block, and must block. On categories you decide to allow, make
sure you set up credential phishing prevention to ensure that users aren’t submitting their
corporate credentials to a site that may be hosting a phishing attack.

Allowing traffic to a recommended block category poses exposure to the following threats:

● Malware. Sites known to host malware or used for C2 traffic. May also exhibit exploit kits.

● Phishing. Domains or URLs known to host credential phishing pages or phish for personal
identification.

● Dynamic DNS. Hosts and domain names for systems with dynamically assigned IP
addresses that are oftentimes used to deliver malware payloads or C2 traffic. Dynamic DNS
domains do not go through the same vetting process as domains that are registered by a
reputable domain registration company and are therefore less trustworthy.

● Unknown. Sites that have not yet been identified by PAN-DB. If availability is critical to your
business and you must allow the traffic, alert on unknown sites, apply the best practice
Security profiles to the traffic, and investigate the alerts.

● Newly registered domains. Domains often generated purposely or by DGAs for malicious
activity.

● C2. URLs and domains used by malware or compromised systems to surreptitiously
communicate with an attacker’s remote server to receive malicious commands or exfiltrate
data.

● Copyright infringement. Domains with illegal content, such as content that allows illegal
download of software or other intellectual property, that poses a potential liability risk. This
category was introduced to enable adherence to child protection laws required in the
education industry as well as laws in countries that require internet providers to prevent
users from sharing copyrighted material through their service.

● Extremism. Websites promoting terrorism, racism, fascism, or other extremist views
discriminating against people or groups of different ethnic backgrounds, religions, or other
beliefs. This category was introduced to enable adherence to child protection laws required
in the education industry. In some regions, laws and regulations may prohibit allowing
access to extremist sites, and allowing access may pose a liability risk.

● Proxy avoidance and anonymizers. URLs and services often used to bypass content
filtering products.

● Grayware. Websites and services that do not meet the definition of a virus but are malicious
or questionable and may degrade device performance and cause security risks. If you are
unsure about whether to block grayware, start by alerting on grayware, investigate the
alerts, and then decide whether to block grayware or continue to alert on grayware.

● Parked domains. Domains registered by individuals, oftentimes later found to be used for
credential phishing. These domains may be similar to legitimate domains—for example,
pal0alt0netw0rks.com—with the intent of phishing for credentials or personally identifiable
information. Or, they may be domains that an individual purchases rights to in hopes that it
may be valuable someday, such as panw.net.

5.2.3 Define a customer’s architecture in a Zero Trust network

Zero Trust networks are completely customized and not derived from a single, universal design.
Instead, the architecture is constructed around the protect surface. Once you’ve defined the
protect surface and mapped flows relative to the needs of your business, you can map out the Zero
Trust architecture, starting with an NGFW. The NGFW acts as a segmentation gateway and creates
a microperimeter around the protect surface. With a segmentation gateway, you can enforce
additional layers of inspection and access control, all the way to Layer 7, for anything trying to
access resources within the protect surface.

5.2.4 Define Zero Trust policies and controls

Once the network is architected, you will need to create Zero Trust policies using the Kipling
Method to define which resources should have access to others. Kipling, well known to novelists,
introduced the concept of “who, what, when, where, why, and how” in his poem “I Keep Six Honest
Serving Men.” Using this method, we are able to define the following:

● Who should be accessing a resource?
● What application is being used to access a resource inside the protect surface?
● When is the resource being accessed?
● Where is the packet destination?
● Why is this packet trying to access this resource within the protect surface?
● How is the packet accessing the protect surface via a specific application?

With this level of granular policy enforcement, you can be sure that only known allowed traffic or
legitimate application communication is permitted.

5.2.5 Explain how Palo Alto Networks validates each transaction in a Zero Trust model

This final step includes reviewing all logs—internal and external, and all the way through Layer
7—and focusing on the operational aspects of Zero Trust. Since Zero Trust is an iterative process,
inspecting and logging all traffic will provide valuable insights into how to improve the network
over time.

Once you have completed the five-step methodology for implementing a Zero Trust network for
your first protect surface, you can expand to iteratively move other DAAS from your legacy network
to a Zero Trust network in a way that is cost-effective and nondisruptive.

5.2.6 References
● Architecting the Zero Trust Enterprise,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/architecting-zero-trust-enterprise
● The Five-Step Methodology,
https://docs.paloaltonetworks.com/best-practices/10-1/zero-trust-best-practices/zero-trust-best-practices/the-five-step-methodology.html

5.3 Identify best practices for implementing SSL decryption

5.3.1 Identify decryption requirements

The SSL and SSH encryption protocols secure traffic between two entities, such as a web server and
a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other
than the client and server with the certificates to affirm trust between the devices and the keys to
decode the data. Decrypt SSL and SSH traffic to:

● Prevent malware concealed as encrypted traffic from being introduced into your network.
For example, an attacker compromises a website that uses SSL encryption. Employees visit
that website and unknowingly download an exploit or malware. The malware then uses the
infected employee endpoint to move laterally through the network and compromise other
systems.
● Prevent sensitive information from moving outside the network.
● Ensure that the appropriate applications are running on a secure network.
● Selectively decrypt traffic. For example, create a Decryption policy and profile to exclude
traffic for financial or healthcare sites from decryption.

Palo Alto Networks firewall decryption is policy-based and can decrypt, inspect, and control
inbound and outbound SSL and SSH connections. A Decryption policy enables you to specify traffic
to decrypt by destination, source, service, or URL category and to block, restrict, or forward the
specified traffic according to the security settings in the associated Decryption profile. A Decryption
profile controls SSL protocols, certificate verification, and failure checks to prevent traffic that uses
weak algorithms or unsupported modes from accessing the network. The firewall uses certificates
and keys to decrypt traffic to plaintext and then enforces App-ID and security settings on the
plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire,
and File Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the
plaintext traffic as the traffic exits the firewall to ensure privacy and security.

The firewall provides three types of Decryption policy rules: SSL Forward Proxy to control outbound
SSL traffic, SSL Inbound Inspection to control inbound SSL traffic, and SSH Proxy to control
tunneled SSH traffic. You can attach a Decryption profile to a policy rule to apply granular access
settings to traffic, such as checks for server certificates, unsupported modes, and failures.

SSL decryption (both forward proxy and inbound inspection) requires certificates to establish the
firewall as a trusted third party and to establish trust between a client and a server to secure an
SSL/Transport Layer Security (TLS) connection. You can also use certificates when excluding servers
from SSL decryption for technical reasons (the site breaks decryption for reasons such as certificate
pinning, unsupported ciphers, or mutual authentication). SSH decryption does not require
certificates.

You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for
the private keys used in SSL forward proxy and SSL inbound inspection decryption. You can also
use decryption mirroring to forward decrypted traffic as plaintext to a third-party solution for
additional analysis and archiving.

5.3.2 Explain the value of SSL default decryption exclusion lists

You can exclude two types of traffic from decryption:

● Traffic that breaks decryption for technical reasons, such as using a pinned certificate, an
incomplete certificate chain, unsupported ciphers, or mutual authentication (decrypting
blocks the traffic). Palo Alto Networks provides a predefined SSL Decryption Exclusion list
(Device > Certificate Management > SSL Decryption Exclusion) that excludes hosts with
applications and services that are known to break decryption technically from SSL
Decryption by default. If you encounter sites that break decryption technically and are not
on the SSL Decryption Exclusion list, you can add them to the list manually by server
hostname. The firewall blocks sites whose applications and services break decryption
technically unless you add them to the SSL Decryption Exclusion list.

● Traffic that you choose not to decrypt because of business, regulatory, personal, or other
reasons, such as financial services, health and medicine, or government traffic. You can
choose to exclude traffic based on source, destination, URL category, and service.

You can use asterisks (*) as wildcards to create decryption exclusions for multiple hostnames
associated with a domain. Asterisks behave the same way that carets (^) behave for URL category
exceptions—each asterisk controls one variable subdomain (label) in the hostname. This enables
you to create both very specific and very general exclusions. For example:

● mail.*.com matches mail.company.com, but it does not match mail.company.sso.com.
● *.company.com matches tools.company.com, but it does not match eng.tools.company.com.
● *.*.company.com matches eng.tools.company.com, but it does not match
eng.company.com.
● *.*.*.company.com matches corp.exec.mail.company.com, but it does not match
corp.mail.company.com.
● mail.google.* matches mail.google.com, but it does not match mail.google.uk.com.
● mail.google.*.* matches mail.google.co.uk, but it does not match mail.google.com.

For example, to use wildcards to exclude video-stats.video.google.com from decryption but not to
exclude video.google.com from decryption, exclude *.*.google.com.
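
The label-for-label rule above is simple, but an exclusion that is one asterisk too broad silently exempts hosts from inspection, so it is worth being able to check which entry covers a given server. The following is an added example (not firewall code and not from this guide): a small matcher that models the stated rule, each asterisk standing for exactly one hostname label, and a check that runs it against every example listed above. Case-insensitive comparison and ignoring a trailing dot are assumptions of the example.

```python
"""Label-wise wildcard matching as used for SSL Decryption Exclusion
hostnames.  Added example modelling the rule that each asterisk matches
exactly one label; not the firewall's own implementation."""


def exclusion_matches(pattern, hostname):
    """Return True if hostname matches pattern, where '*' stands for
    exactly one DNS label and every other label must match exactly.
    Comparison is case-insensitive; a trailing dot is ignored (assumed)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a different label count can never match
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def matching_exclusions(exclusions, hostname):
    """Return the exclusion entries that would exempt hostname from
    decryption, so an operator can see which entry covers a server."""
    return [pat for pat in exclusions if exclusion_matches(pat, hostname)]


# The examples from the text as (pattern, hostname, expected) triples.
EXAMPLES = [
    ("mail.*.com", "mail.company.com", True),
    ("mail.*.com", "mail.company.sso.com", False),
    ("*.company.com", "tools.company.com", True),
    ("*.company.com", "eng.tools.company.com", False),
    ("*.*.company.com", "eng.tools.company.com", True),
    ("*.*.company.com", "eng.company.com", False),
    ("*.*.*.company.com", "corp.exec.mail.company.com", True),
    ("*.*.*.company.com", "corp.mail.company.com", False),
    ("mail.google.*", "mail.google.com", True),
    ("mail.google.*", "mail.google.uk.com", False),
    ("mail.google.*.*", "mail.google.co.uk", True),
    ("mail.google.*.*", "mail.google.com", False),
    ("*.*.google.com", "video-stats.video.google.com", True),
    ("*.*.google.com", "video.google.com", False),
]


def check_examples(examples=EXAMPLES):
    """Return the (pattern, hostname) pairs whose outcome differs from
    what the text states; an empty list means the model agrees."""
    return [(p, h) for p, h, want in examples if exclusion_matches(p, h) != want]


if __name__ == "__main__":
    print("disagreements with the text:", check_examples())
    print(matching_exclusions(["*.*.google.com", "mail.google.*"],
                              "video-stats.video.google.com"))
```

Note what the matcher does not do: a bare `*.company.com` never covers `company.com` itself, and nothing covers a hostname with more labels than the pattern, which is exactly why the text can exclude video-stats.video.google.com without exempting video.google.com.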

To increase visibility into traffic and reduce the attack surface as much as possible, don’t make
decryption exceptions unless you must.

The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption
commonly used sites that break decryption because of technical reasons such as pinned
certificates and mutual authentication. The predefined decryption exclusions are enabled by
default, and Palo Alto Networks delivers new and updated predefined decryption exclusions to the
firewall as part of the Applications and Threats content update (or the Applications content update,
if you do not have a Threat Prevention license). The firewall does not decrypt traffic that matches
predefined exclusions and allows the encrypted traffic based on the Security policy that governs
that traffic. However, the firewall can’t inspect the encrypted traffic or enforce Security policy on it.

Because the traffic of sites on the SSL Decryption Exclusion list remains encrypted, the firewall does
not inspect or provide further security enforcement of the traffic. You can disable a predefined
exclusion. For example, you may choose to disable predefined exclusions to enforce a strict Security
policy that allows only applications and services that the firewall can inspect and on which the
firewall can enforce Security policy. However, the firewall blocks sites whose applications and
services break decryption technically if they are not enabled on the SSL Decryption Exclusion list.

You can view and manage all Palo Alto Networks predefined SSL decryption exclusions directly on
the firewall (Device > Certificate Management > SSL Decryption Exclusions).

The Hostname field displays the name of the host that houses the application or service that
breaks decryption technically. You can also add hosts to exclude a server from decryption for
technical reasons if it is not on the predefined list.

The Description field displays the reason the firewall can’t decrypt the site’s traffic—for example,
pinned-cert (a pinned certificate) or client-cert-auth (client authentication).

The firewall automatically removes enabled predefined SSL decryption exclusions from the list
when they become obsolete (the firewall removes an application that decryption previously caused
to break when the application becomes supported with decryption). The Show obsoletes function
checks if any disabled predefined exclusions remain on the list and are no longer needed. The
firewall does not remove disabled predefined decryption exclusions from the list automatically, but
you can select and delete obsolete entries.

You can select a hostname’s checkbox and then click Disable to remove predefined sites from the
list. Use the SSL Decryption Exclusion list only for sites that break decryption for technical reasons.
Do not use it for sites that you choose not to decrypt.

5.3.3 Identify the decryption deployment methods

The most time-consuming part of deploying decryption isn’t configuring the decryption policies
and profiles. It’s preparing for the deployment by working with stakeholders to decide what traffic
to decrypt and not to decrypt, educating your user population about changes to website access,
developing a public key infrastructure (PKI) strategy, and planning a staged, prioritized rollout.

Set goals for decryption and review the decryption planning best practices checklist to ensure that
you understand the recommended best practices. The best practice goals are to decrypt as much
traffic as your firewall resources permit and to decrypt the most important traffic first.

To prepare to deploy decryption:

● Work with stakeholders to develop a decryption deployment strategy
● Develop a PKI Rollout Plan
● Size the decryption firewall deployment
● Plan a staged, prioritized deployment

Work with stakeholders to develop a decryption deployment strategy

Work with stakeholders such as legal, finance, human resources, executives, security, and
IT/support to develop a decryption deployment strategy. Start by getting the required approvals to
decrypt traffic to secure the corporation. Decrypting traffic involves understanding how legal
regulations and business needs affect what you can and cannot decrypt.

Identify and prioritize the traffic you want to decrypt. The best practice is to decrypt as much traffic
as you can to gain visibility into potential threats in encrypted traffic and prevent those threats. If
incorrect firewall sizing prevents you from decrypting all of the traffic you want to decrypt, prioritize
the most critical servers, the highest-risk traffic categories, and the least-trusted segments and IP
subnets. To help prioritize, ask yourself questions such as, “What happens if this server is
compromised?” and, “How much risk am I willing to take in relation to the level of performance I
want to achieve?”

Next, identify traffic that you can’t decrypt because the traffic breaks decryption for technical
reasons. Decrypting sites that break decryption technically results in blocking that traffic. Evaluate
the websites that break decryption technically and ask yourself if you need access to those sites for
business reasons. If you don’t need access, allow decryption to block them. If you need access to
any of those sites for business purposes, add them to the SSL Decryption Exclusion list to except
them from decryption. The SSL Decryption Exclusion list is exclusively for sites that break
decryption technically.

Identify sensitive traffic that you choose not to decrypt for legal, regulatory, personal, or other
reasons, such as financial, health, or government traffic, or the traffic of certain executives. This is
not traffic that breaks decryption technically, so you don’t use the SSL Decryption Exclusion list to
except this traffic from decryption. Instead, you create a policy-based decryption exclusion to
identify and control traffic you choose not to decrypt and apply the No Decryption profile to the
policy to prevent servers with certificate issues from accessing the network. Policy-based
decryption exclusions are only for traffic you choose not to decrypt.

When you plan decryption policy, consider your company’s security compliance rules, computer
usage policy, and business goals. Extremely strict controls can impact the user experience by
preventing access to non-business sites the user was formerly able to access, but these controls
may be required for government or financial institutions. There is always a tradeoff between
usability, management overhead, and security. The tighter the decryption policy, the greater the
chance that a website will become unreachable, which may result in user complaints and possibly
modifying the rulebase.

Different groups of users and even individual users may require different decryption policies, or you
may want to apply the same Decryption policy to all users. For example, executives may be
exempted from decryption policies that apply to other employees. You may want to apply different
decryption policies to employee groups, contractors, partners, and guests. Prepare updated legal
and human resources computer usage policies and distribute them to all employees, contractors,
partners, guests, and any other network users. This way, when you roll out decryption, users
understand that their data can be decrypted and scanned for threats.

As with user groups, decide which devices and applications to decrypt. Today’s
networks support not only corporate devices but also BYOD, mobile, remote user, and other
devices, including contractor, partner, and guest devices. Today’s users attempt to access many
sites, both sanctioned and unsanctioned, and you should decide how much of that traffic you want
to decrypt.

Decide what traffic you want to log, and investigate what traffic you can log. Be aware of local laws
regarding what types of data you can log and store and where you can log and store the data. For
example, local laws may prevent logging and storing personal information such as health and
financial data.

Decide how to handle bad certificates. For example, will you block or allow sessions for which the
certificate status is unknown? Understanding how you want to handle bad certificates determines
how you configure the Decryption profiles and which sessions you allow based on the server
certificate verification status.

Develop a PKI Rollout Plan

Plan how to roll out your PKI. Network devices need an SSL Forward Trust Certificate Authority (CA)
certificate for trusted sites and an SSL Forward Untrust CA certificate for untrusted sites. Generate
separate Forward Trust and Forward Untrust certificates (do not sign the Forward Untrust
certificate with the Enterprise Root CA, because you want the Forward Untrust certificate to warn
users that they are trying to access potentially unsafe sites). Palo Alto Networks NGFWs have two
methods of generating CA certificates for SSL decryption:

● Generate the SSL CA certificates from your Enterprise Root CA as subordinate
certificates. If you have an existing Enterprise PKI, this is the best practice. Generating a
subordinate certificate from your Enterprise Root CA makes the rollout easier and smoother.
Network devices already trust the Enterprise Root CA, so you avoid any certificate issues
when you begin the deployment phase. If you don’t have an Enterprise Root CA, consider
getting one.

● Generate a self-signed Root CA certificate on the firewall and create subordinate CA
certificates on that firewall. If you don’t have an Enterprise Root CA, this method provides
a self-signed Root CA certificate and the subordinate Forward Trust and Forward Untrust CA
certificates. With this method, you need to install the self-signed certificates on all of your
network devices so that those devices recognize the firewall’s self-signed certificates.
Because the certificates must be deployed to all devices, this method is better for small
deployments and PoC trials than for large deployments.
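The trust relationships described above, as an added example that is not from this guide or from PAN-OS: the Go program builds an Enterprise Root CA, a Forward Trust CA subordinate to it, and a separate self-signed Forward Untrust CA, then shows the client-side consequence by checking which firewall-issued site certificates an endpoint trusting only the Enterprise Root would accept. All CA names, the site name, the P-256 keys, the serial scheme, and the panic-on-error handling are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA pairs a CA certificate with its private key (all in memory; constructed names only).
type CA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// sign gives tmpl a fresh P-256 key and serial, then self-signs it (parent == nil) or has
// parent sign it. Failures here are programming errors for in-memory templates, hence panic.
func sign(tmpl *x509.Certificate, parent *CA) *CA {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl.SerialNumber = big.NewInt(time.Now().UnixNano()) // demo only; real CAs use random serials
	signerCert, signerKey := tmpl, key
	if parent != nil {
		signerCert, signerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signerCert, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &CA{Cert: cert, Key: key}
}

// NewCA builds a CA certificate for cn: a self-signed root when parent is nil, otherwise a
// subordinate CA signed by parent (the guide's "generate from your Enterprise Root CA" method).
func NewCA(cn string, parent *CA) *CA {
	return sign(&x509.Certificate{
		Subject:   pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(5, 0, 0),
		IsCA:      true, BasicConstraintsValid: true,
		KeyUsage:  x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, parent)
}

// IssueLeaf mimics what a forward-proxy firewall does per session: it re-signs a server
// certificate for host under either the Forward Trust or the Forward Untrust CA.
func IssueLeaf(host string, signer *CA) *x509.Certificate {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore:   time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(0, 0, 30),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, signer).Cert
}

// DecryptionPKI holds the three certificates the guide describes.
type DecryptionPKI struct {
	EnterpriseRoot *CA // already trusted by every managed endpoint
	ForwardTrust   *CA // subordinate of EnterpriseRoot; used when the real site cert is valid
	ForwardUntrust *CA // deliberately NOT chained to EnterpriseRoot; used when it is not
}

// BuildDecryptionPKI follows the guide's first method: Forward Trust is a subordinate of the
// Enterprise Root, while Forward Untrust is a separate self-signed CA.
func BuildDecryptionPKI() *DecryptionPKI {
	root := NewCA("Example Enterprise Root CA", nil)
	return &DecryptionPKI{
		EnterpriseRoot: root,
		ForwardTrust:   NewCA("Example Forward Trust CA", root),
		ForwardUntrust: NewCA("Example Forward Untrust CA", nil),
	}
}

// ClientAccepts is the browser's trust decision: an endpoint trusting only root, shown leaf plus intermediate.
func ClientAccepts(leaf, intermediate, root *x509.Certificate, host string) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(intermediate)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host})
	return err == nil
}

func main() {
	pki := BuildDecryptionPKI()
	for name, ca := range map[string]*CA{"Forward Trust": pki.ForwardTrust, "Forward Untrust": pki.ForwardUntrust} {
		leaf := IssueLeaf("www.example.com", ca) // constructed site name
		fmt.Println(name, "leaf accepted silently:", ClientAccepts(leaf, ca.Cert, pki.EnterpriseRoot.Cert, "www.example.com"))
	}
}
```

The Forward Untrust check fails exactly as intended: because that CA never chains to the Enterprise Root, the endpoint raises a certificate warning for sites whose real certificate the firewall could not validate.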

Size the decryption firewall deployment

PSE Strata Professional by Palo Alto Networks 97


Decrypting encrypted traffic consumes firewall CPU resources and can affect throughput. In
general, the tighter the security (the more SSL traffic you decrypt combined with the more
stringent your protocol settings), the more firewall resources decryption consumes. Factors that
affect decryption resource consumption and how much traffic the firewall can decrypt include:

● The amount of SSL traffic you want to decrypt. This varies from network to network. For
example, some applications must be decrypted to prevent the injection of malware or
exploits into the network or unauthorized data transfers. Some applications can’t be
decrypted due to local laws and regulations or business reasons, and other applications are
cleartext (unencrypted) and don’t need to be decrypted. The more traffic you want to
decrypt, the more resources you need.

● The TLS protocol version. Higher versions are more secure but consume more resources.
Use the highest TLS protocol version to maximize security.

● The key size. The larger the key size, the better the security but also the more resources the
key processing consumes.

● The key exchange algorithm. Perfect Forward Secrecy (PFS) ephemeral key exchange
algorithms such as Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman
Ephemeral (ECDHE) consume more processing resources than Rivest-Shamir-Adleman (RSA)
key exchange. PFS key exchange algorithms provide greater security than RSA key exchange
algorithms because the firewall has to generate a new cipher key for each session, but
generating the new key consumes more firewall resources. If an attacker compromises a
session key, PFS prevents the attacker from using it to decrypt any other sessions between
the same client and server, while RSA key exchange does not.

● The encryption algorithm. The key exchange algorithm negotiated with the encryption
algorithm determines whether the cipher suite is PFS or RSA.

● The certificate authentication method. RSA (the signature algorithm, not the RSA key
exchange algorithm) consumes fewer resources than the Elliptic Curve Digital Signature
Algorithm (ECDSA), but ECDSA is more secure.

● Average transaction sizes. For example, small average transaction sizes consume more
processing power to decrypt. Measure the average transaction size of all traffic and then
measure the average transaction size of traffic on port 443 (the default port for HTTPS
encrypted traffic) to understand the proportion of encrypted traffic going to the firewall in
relation to your total traffic, as well as average transaction sizes. Eliminate anomalous
outliers such as unusually large transactions to get a truer measurement of average
transaction size.

● The firewall model and resources. Newer firewall models have more processing power
than older models.

The combination of these factors determines how decryption consumes firewall processing
resources. To best use the firewall’s resources, understand the risks of the data you’re protecting. If
firewall resources are an issue, use stronger decryption for higher-priority traffic and less
processor-intensive decryption to decrypt and inspect lower-priority traffic until you can increase
the available resources. For example, you could use RSA instead of ECDHE and ECDSA for traffic
that isn’t sensitive or high priority, preserving firewall resources for PFS-based decryption of
higher-priority, sensitive traffic. (You still decrypt and inspect the lower-priority traffic, but you
trade the stronger security of PFS for lower computational cost.) The key is to understand the risks
of different types of traffic and treat them accordingly.

Measure firewall performance so that you understand the currently available resources, which
helps you understand whether you need more firewall resources to decrypt the traffic you want to
decrypt. Measuring firewall performance also sets a baseline for performance comparisons after
deploying decryption.

When you size the firewall deployment, base it not only on your current needs, but also on your
future needs. Include headroom for the growth of decryption traffic.
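The measurements this section calls for, as an added example that is not from this guide or from PAN-OS: the Go program classifies each HTTPS session from a constructed log excerpt by key exchange (ephemeral DHE/ECDHE with PFS versus RSA key exchange) and server certificate algorithm, computes the share of bytes on port 443, and reports the average transaction size with unusually large transactions removed. The session values, the cipher-name prefix rules, and the Tukey fence used to drop outliers are all assumptions of this example.

```go
package main

import (
	"fmt"
	"math"
	"sort"
	"strings"
)

// Session summarises one session as it would appear in a firewall traffic log.
type Session struct {
	Port    int
	Cipher  string // negotiated cipher suite, OpenSSL- or IANA-style name (empty if cleartext)
	CertAlg string // server certificate signature algorithm: "RSA" or "ECDSA"
	Bytes   int    // bytes transferred in the session (the "transaction size")
}

// KeyExchange classifies a cipher suite by its key exchange: TLS 1.3 suites (TLS_AES_*, TLS_CHACHA20_*)
// always use ephemeral ECDHE, TLS 1.2 suites name the exchange in their prefix, and anything else
// (AES256-SHA, TLS_RSA_WITH_...) is RSA key exchange without PFS.
func KeyExchange(cipher string) (kx string, pfs bool) {
	c := strings.ToUpper(cipher)
	switch {
	case strings.HasPrefix(c, "TLS_AES_"), strings.HasPrefix(c, "TLS_CHACHA20_"),
		strings.HasPrefix(c, "ECDHE-"), strings.HasPrefix(c, "TLS_ECDHE_"):
		return "ECDHE", true
	case strings.HasPrefix(c, "DHE-"), strings.HasPrefix(c, "TLS_DHE_"):
		return "DHE", true
	}
	return "RSA", false
}

// Report holds the measurements the sizing section asks for.
type Report struct {
	HTTPSSessions, PFSSessions, RSAKxSessions, ECDSACerts int     // PFS = ephemeral key exchange
	EncryptedShare, AvgTxnAll, AvgTxn443                 float64 // AvgTxn443 excludes outliers
}

// trimmedMean averages v after dropping values above the Tukey upper fence Q3 + 1.5*IQR, an
// assumed rule standing in for the guide's "eliminate anomalous outliers such as unusually
// large transactions". With fewer than four samples nothing is dropped.
func trimmedMean(v []int) float64 {
	s := append([]int(nil), v...)
	sort.Ints(s)
	fence := math.Inf(1)
	if len(s) >= 4 {
		q1, q3 := float64(s[len(s)/4]), float64(s[3*len(s)/4])
		fence = q3 + 1.5*(q3-q1)
	}
	sum, n := 0, 0
	for _, x := range s {
		if float64(x) <= fence {
			sum, n = sum+x, n+1
		}
	}
	return float64(sum) / math.Max(float64(n), 1) // 0 for an empty input
}

// Analyze walks the sessions once: share of bytes on port 443, average transaction sizes, and
// how many HTTPS sessions use the costlier PFS key exchange and ECDSA certificates.
func Analyze(sessions []Session) Report {
	var r Report
	var https []int
	total, encrypted := 0, 0
	for _, s := range sessions {
		total += s.Bytes
		if s.Port != 443 {
			continue
		}
		r.HTTPSSessions++
		https = append(https, s.Bytes)
		encrypted += s.Bytes
		if _, pfs := KeyExchange(s.Cipher); pfs {
			r.PFSSessions++
		}
		if s.CertAlg == "ECDSA" {
			r.ECDSACerts++
		}
	}
	r.RSAKxSessions = r.HTTPSSessions - r.PFSSessions
	r.EncryptedShare = float64(encrypted) / math.Max(float64(total), 1)
	r.AvgTxnAll = float64(total) / math.Max(float64(len(sessions)), 1)
	r.AvgTxn443 = trimmedMean(https)
	return r
}

// SampleSessions is a constructed log excerpt (not real data): five HTTPS sessions, one of them
// an unusually large download, plus cleartext HTTP and SMTP traffic.
var SampleSessions = []Session{
	{443, "TLS_AES_256_GCM_SHA384", "ECDSA", 4000},
	{443, "ECDHE-RSA-AES128-GCM-SHA256", "RSA", 6000},
	{443, "AES256-SHA", "RSA", 5000}, // RSA key exchange: no PFS
	{443, "DHE-RSA-AES256-GCM-SHA384", "RSA", 3000},
	{443, "ECDHE-ECDSA-CHACHA20-POLY1305", "ECDSA", 200000},
	{80, "", "", 8000},
	{25, "", "", 2000},
}

func main() {
	fmt.Printf("%+v\n", Analyze(SampleSessions))
}
```

On the sample, the untrimmed port-443 average would be 43,600 bytes; dropping the single 200,000-byte download brings it to 4,500, which is the figure to size against.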

Plan a staged, prioritized deployment

Plan to roll out decryption in a controlled manner, piece by piece. Don’t roll out your entire
decryption deployment at one time. Test and ensure that decryption is working as planned and
that users understand what you are doing and why. Rolling out decryption in this manner makes it
easier to troubleshoot in case anything doesn’t work as expected, and it helps users adjust to the
changes.

Educating stakeholders, employees, and other users such as contractors and partners is critical
because decryption settings may change their ability to access some websites. Users should
understand how to respond to situations in which previously reachable websites become
unreachable and what information to give technical support. Support should understand what is
being rolled out when, as well as how to help users who encounter issues. Before you roll out
decryption to the general population:

● Identify early adopters. They can help champion decryption and will be able to help other
employees who have questions during the full rollout. Enlist the help of department
managers and help them understand the benefits of decrypting traffic.

● Set up PoC trials in each department. Include early adopters and other employees who
understand why decrypting traffic is important. Educate PoC participants about the
changes and how to contact technical support if they run into issues. In this way, decryption
PoC trials become an opportunity to work with technical support to develop the most
painless method for implementing the general rollout. The interaction between PoC users
and technical support also allows you to fine-tune policies and communication strategies.

● Use lessons learned from PoC trials to prioritize decryption. PoC trials help you
experiment with decryption prioritization strategies. When you phase in decryption in the
general population, your PoC experience can help you understand how to phase in
decrypting different URL categories. Measure how decryption affects firewall CPU and
memory utilization to evaluate your firewall sizing. PoC trials can also reveal applications
that break decryption technically and should be added to the Decryption Exclusion list.

● Set up a user group when you set up PoC trials. The user group can certify the
operational readiness and procedures prior to the general rollout.

● Educate the user population before the general rollout, and plan to educate new users
as they join the company. This is a critical phase of deploying decryption because unsafe
websites that users previously visited may no longer be reachable after the deployment. The
PoC experience helps identify the most important points to communicate.

● Phase in decryption. You can accomplish this several ways. You can decrypt the highest
priority traffic first (for example, the URL categories most likely to harbor malicious traffic)
and then decrypt more as you gain experience. Alternatively, you can take a more
conservative approach and first decrypt the URL categories that don’t affect your business
(e.g., news feeds), so if something goes wrong, no issues occur that affect business. In all
cases, the best way to phase in decryption is to decrypt a few URL categories, take user
feedback into account, run reports to ensure that decryption is working as expected, and
then gradually decrypt a few more URL categories and verify, and so on. Plan to make
decryption exclusions to exclude sites from decryption if you can’t decrypt them for
technical reasons or because you choose not to decrypt them.

● Educate users about decryption in real time. If you enable users to opt out of SSL
decryption (users see a response page that allows them either to opt out of decryption and
end the session without going to the site or to proceed to the site and agree to have the
traffic decrypted), educate them about what it is, why they’re seeing it, and what their
options are.

● Schedule realistically. Create deployment schedules that allow time to evaluate each stage
of the rollout.

5.3.4 References
● Decryption Exclusions,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions
● Prepare to Deploy Decryption,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption.html

Appendix A: Sample Questions
These questions are intended to simulate taking the Strata Professional Certification exam.

1. Which file type is not supported by WildFire?
a. Java applications in JAR
b. Microsoft Word
c. Batch
d. PDF

2. Which two answers could be used to handle a prospect’s objection that updating the
WildFire malware list twice a week is unacceptable? (Choose two.)
a. With a WildFire subscription, you get an update every few minutes.
b. With the Threat subscription, you get an update every few minutes.
c. With the Threat subscription, you get an update every hour.
d. With the Threat subscription, you get an update every 24 hours.

3. Which Palo Alto Networks product directly protects corporate laptops when people use
them from home?
a. NGFW
b. Panorama
c. WildFire
d. Prisma Access

4. Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
a. Email
b. DNS
c. URL
d. SMS
e. ICMP

5. Where in a custom report do you specify the application to which it applies?
a. Query Builder
b. Group By field
c. Order By field
d. Time Frame field

6. Which log type does not have five severity levels?
a. Threat
b. WildFire Submission
c. Correlation
d. System

7. Which two behaviors would fail to disguise malware from a firewall? (Choose two.)
a. Use domains known to be run by dynamic DNS providers.
b. Disguise C2 traffic as email.
c. Browse directly to IP addresses without DNS resolution.
d. Infect multiple hosts before accessing the C2 channel so the C2 request message
comes from a different IP address each time.
e. Slow down C2 traffic to one packet in each direction each day.

8. Which element of the NGFW does the NGFW UTD show potential customers?
a. How to set up the NGFW for the first time
b. How to migrate from a different firewall to the NGFW
c. How to integrate with Advanced Endpoint Protection
d. How to integrate with WildFire

9. Which firewall series (one or more) requires you to specify in the Bill of Materials what NPCs
to include?
a. A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks
appliances don’t support hardware customization.
b. PA-7000
c. PA-5200 and PA-7000
d. PA-3000, PA-5200, and PA-7000

10. Which step is required to ensure that web storage is not used to exfiltrate sensitive data
from an enterprise that must use web storage to collaborate with business partners?
a. Disconnect from the internet.
b. Configure a local shared drive and use that instead of web storage.
c. Use Prisma SaaS to ensure that the information shared to the web storage is not
sensitive.
d. Install Advanced Endpoint Protection.

11. In Panorama, which policy gets evaluated last?
a. Device group pre-rules
b. Device group post-rules
c. Shared pre-rules
d. Shared post-rules
e. Local firewall rules

12. What is the difference between templates and device groups?
a. Templates are used for network parameters, and device groups are used for security
definitions (policies and objects).
b. Device groups are used for network parameters, and templates are used for security
definitions (rules and objects).
c. Panorama has device groups, but there is no such thing as a template in Panorama.
d. Panorama has templates, but there is no such thing as a device group in Panorama.

13. Which is not an advantage of using Panorama?
a. Ability to recognize more applications on the firewall
b. Centralized management
c. Centralized view of collected logs
d. Automatic event correlation

14. Which scenario could cause “split brain” operation in an active/passive (A/P) HA setup?
a. The connection between the management plane ports is encrypted.
b. The connection between the data plane ports is broken and there is no configured
backup, so there is no heartbeat.
c. The connection between the management plane ports is broken and there is no
configured backup, so there is no heartbeat.
d. Only if both connections are broken would you get a “split brain” problem.

15. A best practice is to either block executables or to send them to WildFire. Which three file
types are analyzed as executables by WildFire? (Choose three.)
a. JAR
b. PDF
c. Python script
d. Office Open XML (.docx)
e. iPhone apps

16. Which action could disconnect a potentially infected host from the network?
a. Alert
b. Reset Client
c. Reset Server
d. Block IP

17. Which component of the Security Operating Platform turns unknown attacks into known
attacks?
a. NGFW
b. Advanced Endpoint Protection
c. WildFire
d. AutoFocus

18. What is the maximum number of servers that a User-ID agent supports?
a. 20
b. 100
c. 1,000
d. There is no limit.

19. Must the agent account be a member of the Distributed COM Users group?
a. Yes, always
b. Only when using the Windows-based User-ID agent
c. Only when using the PAN-OS integrated User-ID agent
d. No, never

20. Which characteristic of a predefined application can be viewed and modified by an
administrator?
a. Timeout values
b. Name
c. Hash
d. Dependencies

21. Which two decryption modes require an SSL certificate? (Choose two.)
a. Forward Proxy
b. Inbound Inspection
c. Reverse Proxy
d. SSH Proxy
e. Outbound Inspection

22. Which two profile types can block a C2 channel? (Choose two.)
a. Anti-Spyware
b. Certification
c. Command and Control
d. Decryption
e. URL Filtering

23. Which Strata product can secure user network traffic against potential threats?
a. NGFW
b. PAN-OS
c. Panorama
d. SD-WAN

24. Which Palo Alto Networks solution provides zero-day malware protection?
a. NGFW
b. WildFire
c. Panorama
d. SD-WAN

25. Which Prisma products implement and manage software-defined networking?
a. NGFW
b. Security subscriptions
c. Panorama
d. Prisma SD-WAN

26. Which Palo Alto Networks product directly protects corporate laptops people use at work?
a. Strata NGFW
b. Cortex XSOAR
c. Panorama
d. WildFire

27. Which NGFW feature detects zero-day malware?
a. GlobalProtect
b. WildFire
c. URL Filtering
d. Antivirus profile

28. Which two steps are essential parts of the PPA process? (Choose two.)
a. Hold a structured interview with the customer about their security prevention
capabilities.
b. Upload a file generated by the customer’s firewall capturing the threats they are
facing.
c. Give a report to the customer about how to improve their security posture.
d. Have a discussion about expectations of threat prevention in a PoC.
e. Provide a head-to-head comparison of NGFW detected threats versus their current
solution(s).

29. Which report provides compelling evidence for existing security gaps for prospects?
a. Best Practice Assessment (BPA)
b. Prevention Posture Assessment (PPA)
c. BPA Heatmap
d. Security Lifecycle Review (SLR)

30. Which Panorama deployment mode collects forwarded log events without firewall
management capability?
a. Panorama mode
b. Legacy mode
c. Management Only mode
d. Log Collector mode

31. Which deployment mode is supported only by a virtual Panorama?
a. Panorama mode
b. Legacy mode
c. Management Only mode
d. Log Collector mode

32. Which of the following determines dynamic user group membership?
a. Security subscription feeds
b. XML API
c. Group type
d. Tags

33. Which of the following Security profiles provides protection against documents containing
zero-day malware?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. WildFire Analysis

34. Which two of the following Security profiles provide protection against a web connection to
a known C2 site?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering
e. File Blocking

35. Which of the following Security profiles provides protection against transferring documents
containing credit card numbers?
a. Data Filtering
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering

36. Which of the following Security profiles provides control for the types of websites a user can
access?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering

37. Which technology identifies potentially infected hosts by correlating user and network
activity data in Threat, URL, and Data Filtering logs?
a. Botnet report
b. Correlation object
c. DNS Security
d. AutoFocus

38. Which of the following processing tasks shows an advantage of a file proxy engine over a
stream-based, single-pass engine?
a. Mapping IP addresses to users
b. Using protocol decoders, decryption, and heuristics to identify applications
c. Blocking data sent over traditional email protocols
d. Scanning traffic for vulnerability exploits, viruses, and spyware

39. Real-time threat signatures used by the Strata firewall are generated by what service?
a. WildFire
b. AutoFocus
c. Expedition
d. Prisma Access

40. If a customer is interested in software-defined networking integrating with security services
appropriately for specific use cases, which reference architecture would be your best
reference?
a. Public Cloud
b. Secure Access Service Edge
c. Security Operations
d. Private Data Center

41. Which interface mode do you use to generate the Stats Dump file that can be converted
into an SLR? Assume that you want to make the evaluation as nonintrusive as possible.
a. Tap
b. Virtual wire
c. Layer 2
d. Layer 3

42. Which two success tools are most appropriate for a prospective customer who is using a
competitor’s offerings but has no security prevention strategy? (Choose two.)
a. Expedition
b. Prevention Posture Assessment
c. Security Lifecycle Review
d. Best Practice Assessment with Heatmaps
e. Data Center Segmentation Strategy Analyzer

43. Which file types are not supported as an upload sample for file upload by WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a. iOS applications
b. Android applications
c. Windows applications
d. Microsoft Excel files

44. Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating
Platform?
a. Attacks through SaaS applications, such as exfiltration through Box
b. Attacks that do not cross the firewall, regardless of source or destination
c. Attacks based on social engineering that mimic normal user behavior
d. DoS attacks from a trusted source

45. WildFire functionality is like that of a sandbox. Is the statement an accurate description?
a. Yes. WildFire functionality is exactly that of a virtual sandbox in the cloud, provided to
test files that customers upload or download.
b. No. WildFire does not supply sandbox functionality, although it competes with
products that do.
c. No. WildFire provides dynamic analysis, ML, and other techniques along with
sandbox functionality.
d. Yes. WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.

46. Which option is an example of how the NGFW can provide visibility and enforcement
around SaaS applications?
a. Through partnership with SaaS application vendors, special virtual firewalls that
support a subset of full firewall functionality are used inside the SaaS applications
themselves.
b. A built-in default security rule in the firewall blocks dangerous SaaS applications
based on an automatically updated database of dangerous SaaS applications.
c. Built-in default functionality in the firewall sends all files sent or received by SaaS
applications to WildFire.
d. The firewall can filter SaaS applications based on whether they comply with industry
certifications such as SOC1, HIPAA, and FINRA.

47. When a cloud deployment is secured, which role does the NGFW play?
a. A VM-Series firewall is attached to each virtual machine in the cloud environment to
stop malware, exploits, and ransomware before they can compromise the virtual
systems they are attached to.
b. The NGFW exports its Security policy through Panorama, which in turn distributes
that policy to the cloud-based Prisma SaaS service that enforces the NGFW Security
policy against each virtual machine used in the cloud environment.
c. The NGFW exports its Security policy to WildFire, which lives in the cloud and
enforces the NGFW Security policy throughout the cloud environment.
d. The NGFW is used to consistently control access to applications and data based on
user credentials and traffic payload content for private or public cloud, internet, data
center, or SaaS applications.

48. Which dedicated HA port is used for which plane in HA pairs?
a. HA1 for the data plane, and HA2 for the management plane
b. HA1 for the management plane, and HA2 for the data plane
c. MGT for the management plane and HA2 as a backup
d. HA1 for the management plane and HA2 for the data plane in the PA-7000 Series

49. Which value should be used as a typical log entry size if no other information is available
about log sizes?
a. 0.5KB
b. 0.5MB
c. 0.5GB
d. 0.5TB

50. Which feature is not supported in active/active (A/A) mode?
a. IPsec tunneling
b. DHCP client
c. Link aggregation
d. Configuration synchronization

51. Which two updates should be scheduled to occur once a day? (Choose two.)
a. Antivirus
b. PAN-DB URL Filtering
c. WildFire
d. Applications and Threats
e. SMS channel

52. What does the phrase “Prisma Access extends security to remote network locations and
mobile users” mean in the context of the security that firewalls provide to a network?
a. Prisma Access independently provides the similar type of protection as the firewalls,
rebuilt for the various infrastructures used for remote network locations and mobile
users.
b. Prisma Access independently provides the exact same protection as the firewalls,
rebuilt for the various infrastructures used for remote network locations and mobile
users.
c. Prisma Access securely routes traffic for remote network locations and mobile users
through the same PAN-OS-based firewalls used to protect the network.
d. Prisma Access leverages native cloud security and other security infrastructure to
provide security to remote network locations and mobile users.

53. A customer’s interest in prevention, detection, and response for security operations is best
addressed by which reference architecture?
a. Public Cloud
b. Secure Access Service Edge
c. Security Operations
d. Automation

54. Which security posture is most likely to stop unknown attacks?
a. Allow all the traffic that is not explicitly denied.
b. Deny all the traffic that is not explicitly allowed.
c. Deny all the traffic that is not explicitly allowed from the outside, and allow all the
traffic that is not explicitly denied from the inside.
d. Deny all the traffic that is not explicitly allowed from the inside, and allow all the
traffic that is not explicitly denied from the outside.

55. Which profile type is used to protect against most protocol-based attacks?
a. Antivirus
b. URL Filtering
c. Vulnerability Protection
d. Anti-Spyware

56. How does an administrator specify in the firewall that certain credentials should not be sent
to certain URLs?
a. With a URL Filtering profile
b. With User-ID
c. With App-ID
d. With a Credential Theft profile

57. Which SD-WAN configuration element contains data used to trigger a new path selection
based on excessive latency?
a. SD-WAN Interface profile
b. SD-WAN Interface
c. Path Quality profile
d. Traffic Distribution profile

58. Which Panorama screen provides an overall status display of SD-WAN errors and their
impacts?
a. SD-WAN Traffic Characteristics
b. SD-WAN Link Characteristics
c. SD-WAN Monitoring
d. SD-WAN Impacted Clusters

59. In Panorama, which policy gets evaluated first?
a. Device group pre-rules
b. Device group post-rules
c. Shared pre-rules
d. Shared post-rules

60. Can the same rule allow traffic from different sources on different firewalls?
a. No. Rules mean the same on all firewalls that receive the same policy.
b. No, because device groups are pushed from Panorama to all firewalls.
c. Yes, because different firewalls can have different zone definitions.
d. Yes, because there could be clauses in a rule with effects limited to a specific device
group.

61. Which is not an advantage of using Panorama?
a. Centralized management
b. Higher throughput on the firewalls
c. Centralized view of collected logs
d. Automatic event correlation

62. How is the Cortex Data Lake integration with Panorama facilitated?
a. No integration is necessary; data flows from Panorama to Cortex Data Lake and vice
versa.
b. A Panorama plugin is installed in Cortex Data Lake.
c. A cloud services plugin is installed in Panorama.
d. Agents run in both Cortex Data Lake and Panorama.

63. What is the maximum number of servers supported by a single User-ID agent?
a. 10
b. 50
c. 100
d. 500

64. How does the firewall know that a specific connection comes from a specific user?
a. Every connection has a user ID encoded in it.
b. User-ID is supported only in protocols that use user authentication, which provides
the user identity to the firewall and the backend.
c. The firewall always uses the IP address in the IP header to locate the user ID, but this
initial identification is overridden by additional techniques, such as HTTP proxies that
provide the client’s IP address in an HTTP header.
d. Usually, the firewall uses the IP address in the IP header to locate the user ID, but
additional techniques are available as alternatives, such as HTTP proxies providing
the client’s IP address in an HTTP header.

65. A customer has a proprietary user authentication system that is not supported by User-ID.
Can you provide User-ID information to their firewall, and if so, how?
a. It is impossible. The customer will need to upgrade to something more standard.
b. It can be done, but only for HTTP applications, because HTTP supports XFF headers.
c. It can be done using the XML API or a syslog listener with custom Regular
Expressions defined.
d. It can be done, but it requires programming that can be performed only by the Palo
Alto Networks Professional Services organization.

66. Should you limit the permission of the user who runs the User-ID agent? If so, why?
a. Yes, because of the principle of least privilege. You should give processes only those
permissions that are necessary for them to work.
b. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
c. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
d. No. There is nothing wrong with using the administrator’s account.

67. Which three types of files does WildFire analyze as executables? (Choose three.)
a. JAR
b. PDF
c. Portable Executable
d. Executable and Linkable Format
e. BMP

68. Which three reasons could cause a firewall that is fully configured, including decryption, to
not recognize an application? (Choose three.)
a. The application is running over SSL.
b. There is no App-ID signature for an unanticipated application.
c. The application is running over UDP.
d. A TCP handshake completed, but no application traffic reached the firewall.
e. The payload reached the firewall but did not have enough data packets to identify
the application.

69. Which decryption mode(s) require(s) the private key of the destination server?
a. Forward Proxy
b. Inbound Inspection
c. Both Forward Proxy and Inbound Inspection
d. SSH Proxy

70. Which parameter cannot be used in a Decryption policy rule?
a. User-ID
b. App-ID
c. Source Zone
d. Destination Zone

Appendix B: Answers to Sample Questions
Below are the answers to the sample test from Appendix A.

1. Which file type is not supported by WildFire?
a. Java applications in JAR
b. Microsoft Word
c. Batch
d. PDF

2. Which two answers could be used to handle a prospect’s objection that updating the
WildFire malware list twice a week is unacceptable? (Choose two.)
a. With a WildFire subscription, you get an update every few minutes.
b. With the Threat subscription, you get an update every few minutes.
c. With the Threat subscription, you get an update every hour.
d. With the Threat subscription, you get an update every 24 hours.

3. Which Palo Alto Networks product directly protects corporate laptops when people use
them from home?
a. NGFW
b. Panorama
c. WildFire
d. Prisma Access

4. Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
a. Email
b. DNS
c. URL
d. SMS
e. ICMP

5. Where in a custom report do you specify the application to which it applies?
a. Query Builder
b. Group By field
c. Order By field
d. Time Frame field

6. Which log type does not have five severity levels?
a. Threat
b. WildFire Submission
c. Correlation
d. System

7. Which two behaviors would fail to disguise malware from a firewall? (Choose two.)
a. Use domains known to be run by dynamic DNS providers.
b. Disguise C2 traffic as email.
c. Browse directly to IP addresses without DNS resolution.
d. Infect multiple hosts before accessing the C2 channel so the C2 request message
comes from a different IP address each time.
e. Slow down C2 traffic to one packet in each direction each day.

8. Which element of the NGFW does the NGFW UTD show potential customers?
a. How to set up the NGFW for the first time
b. How to migrate from a different firewall to the NGFW
c. How to integrate with Advanced Endpoint Protection
d. How to integrate with WildFire

9. Which firewall series (one or more) requires you to specify in the Bill of Materials what NPCs
to include?
a. A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks
appliances don’t support hardware customization.
b. PA-7000
c. PA-5200 and PA-7000
d. PA-3000, PA-5200, and PA-7000

10. Which step is required to ensure that web storage is not used to exfiltrate sensitive data
from an enterprise that must use web storage to collaborate with business partners?
a. Disconnect from the internet.
b. Configure a local shared drive and use that instead of web storage.
c. Use Prisma SaaS to ensure that the information shared to the web storage is not
sensitive.
d. Install Advanced Endpoint Protection.

11. In Panorama, which policy gets evaluated last?
a. Device group pre-rules
b. Device group post-rules
c. Shared pre-rules
d. Shared post-rules
e. Local firewall rules

12. What is the difference between templates and device groups?
a. Templates are used for network parameters, and device groups are used for
security definitions (policies and objects).
b. Device groups are used for network parameters, and templates are used for security
definitions (rules and objects).
c. Panorama has device groups, but there is no such thing as a template in Panorama.
d. Panorama has templates, but there is no such thing as a device group in Panorama.

13. Which is not an advantage of using Panorama?
a. Ability to recognize more applications on the firewall
b. Centralized management
c. Centralized view of collected logs
d. Automatic event correlation

14. Which scenario could cause “split brain” operation in an active/passive (A/P) HA setup?
a. The connection between the management plane ports is encrypted.
b. The connection between the data plane ports is broken and there is no configured
backup, so there is no heartbeat.
c. The connection between the management plane ports is broken and there is no
configured backup, so there is no heartbeat.
d. Only if both connections are broken would you get a “split brain” problem.

15. A best practice is to either block executables or to send them to WildFire. Which three file
types are analyzed as executables by WildFire? (Choose three.)
a. JAR
b. PDF
c. Python script
d. Office Open XML (.docx)
e. iPhone apps

16. Which action could disconnect a potentially infected host from the network?
a. Alert
b. Reset Client
c. Reset Server
d. Block IP

17. Which component of the Security Operating Platform turns unknown attacks into known
attacks?
a. NGFW
b. Advanced Endpoint Protection
c. WildFire
d. AutoFocus

18. What is the maximum number of servers that a User-ID agent supports?
a. 20
b. 100
c. 1,000
d. There is no limit.

19. Must the agent account be a member of the Distributed COM Users group?
a. Yes, always
b. Only when using the Windows-based User-ID agent
c. Only when using the PAN-OS integrated User-ID agent
d. No, never

20. Which characteristic of a predefined application can be viewed and modified by an
administrator?
a. Timeout values
b. Name
c. Hash
d. Dependencies

21. Which two decryption modes require an SSL certificate? (Choose two.)
a. Forward Proxy
b. Inbound Inspection
c. Reverse Proxy
d. SSH Proxy
e. Outbound Inspection

22. Which two profile types can block a C2 channel? (Choose two.)
a. Anti-Spyware
b. Certification
c. Command and Control
d. Decryption
e. URL Filtering

23. Which Strata product can secure user network traffic against potential threats?
a. NGFW
b. PAN-OS
c. Panorama
d. SD-WAN

24. Which Palo Alto Networks solution provides zero-day malware protection?
a. NGFW
b. WildFire
c. Panorama
d. SD-WAN

25. Which Prisma products implement and manage software-defined networking?
a. NGFW
b. Security subscriptions
c. Panorama
d. Prisma SD-WAN

26. Which Palo Alto Networks product directly protects corporate laptops people use at work?
a. Strata NGFW
b. Cortex XSOAR
c. Panorama
d. WildFire

27. Which NGFW feature detects zero-day malware?
a. GlobalProtect
b. WildFire
c. URL Filtering
d. Antivirus profile

28. Which two steps are essential parts of the PPA process? (Choose two.)
a. Hold a structured interview with the customer about their security prevention
capabilities.
b. Upload a file generated by the customer’s firewall capturing the threats they are
facing.
c. Give a report to the customer about how to improve their security posture.
d. Have a discussion about expectations of threat prevention in a PoC.
e. Provide a head-to-head comparison of NGFW detected threats versus their current
solution(s).

29. Which report provides compelling evidence for existing security gaps for prospects?
a. Best Practice Assessment (BPA)
b. Prevention Posture Assessment (PPA)
c. BPA Heatmap
d. Security Lifecycle Review (SLR)

30. Which Panorama deployment mode collects forwarded log events without firewall
management capability?
a. Panorama mode
b. Legacy mode
c. Management Only mode
d. Log Collector mode

31. Which deployment mode is supported only by a virtual Panorama?
a. Panorama mode
b. Legacy mode
c. Management Only mode
d. Log Collector mode

32. Which of the following determines dynamic user group membership?
a. Security subscription feeds
b. XML API
c. Group type
d. Tags

33. Which of the following Security profiles provides protection against documents containing
zero-day malware?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. WildFire Analysis

34. Which two of the following Security profiles provide protection against a web connection to
a known C2 site?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering
e. File Blocking

35. Which of the following Security profiles provides protection against transferring documents
containing credit card numbers?
a. Data Filtering
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering

36. Which of the following Security profiles provides control for the types of websites a user can
access?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering

37. Which technology identifies potentially infected hosts by correlating user and network
activity data in Threat, URL, and Data Filtering logs?
a. Botnet report
b. Correlation object
c. DNS Security
d. AutoFocus

38. Which of the following processing tasks shows an advantage of a file proxy engine over a
stream-based, single-pass engine?
a. Mapping IP addresses to users
b. Using protocol decoders, decryption, and heuristics to identify applications
c. Blocking data sent over traditional email protocols
d. Scanning traffic for vulnerability exploits, viruses, and spyware

39. Real-time threat signatures used by the Strata firewall are generated by what service?
a. WildFire
b. AutoFocus
c. Expedition
d. Prisma Access

40. If a customer is interested in software-defined networking integrating with security services
appropriately for specific use cases, which reference architecture would be your best
reference?
a. Public Cloud
b. Secure Access Service Edge
c. Security Operations
d. Private Data Center

41. Which interface mode do you use to generate the Stats Dump file that can be converted
into an SLR? Assume that you want to make the evaluation as nonintrusive as possible.
a. Tap
b. Virtual wire
c. Layer 2
d. Layer 3

42. Which two success tools are most appropriate for a prospective customer who is using a
competitor’s offerings but has no security prevention strategy? (Choose two.)
a. Expedition
b. Prevention Posture Assessment
c. Security Lifecycle Review
d. Best Practice Assessment with Heatmaps
e. Data Center Segmentation Strategy Analyzer

43. Which file types are not supported as a sample upload to WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a. iOS applications
b. Android applications
c. Windows applications
d. Microsoft Excel files

44. Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating
Platform?
a. Attacks through SaaS applications, such as exfiltration through Box
b. Attacks that do not cross the firewall, regardless of source or destination
c. Attacks based on social engineering that mimic normal user behavior
d. DoS attacks from a trusted source

45. WildFire functionality is like that of a sandbox. Is the statement an accurate description?
a. Yes. WildFire functionality is exactly that of a virtual sandbox in the cloud,
provided to test files that customers upload or download.
b. No. WildFire does not supply sandbox functionality, although it competes with
products that do.
c. No. WildFire provides dynamic analysis, ML, and other techniques along with
sandbox functionality.
d. Yes. WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.

46. Which option is an example of how the NGFW can provide visibility and enforcement
around SaaS applications?
a. Through partnership with SaaS application vendors, special virtual firewalls that
support a subset of full firewall functionality are used inside the SaaS applications
themselves.
b. A built-in default security rule in the firewall blocks dangerous SaaS applications
based on an automatically updated database of dangerous SaaS applications.
c. Built-in default functionality in the firewall sends all files sent or received by SaaS
applications to WildFire.
d. The firewall can filter SaaS applications based on whether they comply with
industry certifications such as SOC1, HIPAA, and FINRA.

47. When a cloud deployment is secured, which role does the NGFW play?
a. A VM-Series firewall is attached to each virtual machine in the cloud environment to
stop malware, exploits, and ransomware before they can compromise the virtual
systems they are attached to.
b. The NGFW exports its Security policy through Panorama, which in turn distributes
that policy to the cloud-based Prisma SaaS service that enforces the NGFW Security
policy against each virtual machine used in the cloud environment.
c. The NGFW exports its Security policy to WildFire, which lives in the cloud and
enforces the NGFW Security policy throughout the cloud environment.
d. The NGFW is used to consistently control access to applications and data based
on user credentials and traffic payload content for private or public cloud,
internet, data center, or SaaS applications.

48. Which dedicated HA port is used for which plane in HA pairs?
a. HA1 for the data plane, and HA2 for the management plane
b. HA1 for the management plane, and HA2 for the data plane
c. MGT for the management plane and HA2 as a backup
d. HA1 for the management plane and HA2 for the data plane in the PA-7000 Series

49. Which value should be used as a typical log entry size if no other information is available
about log sizes?
a. 0.5KB
b. 0.5MB
c. 0.5GB
d. 0.5TB

50. Which feature is not supported in active/active (A/A) mode?
a. IPsec tunneling
b. DHCP client
c. Link aggregation
d. Configuration synchronization

51. Which two updates should be scheduled to occur once a day? (Choose two.)
a. Antivirus
b. PAN-DB URL Filtering
c. WildFire
d. Applications and Threats
e. SMS channel

52. What does the phrase “Prisma Access extends security to remote network locations and
mobile users” mean in the context of the security that firewalls provide to a network?
a. Prisma Access independently provides a similar type of protection as the firewalls,
rebuilt for the various infrastructures used for remote network locations and mobile
users.
b. Prisma Access independently provides the exact same protection as the
firewalls, rebuilt for the various infrastructures used for remote network
locations and mobile users.
c. Prisma Access securely routes traffic for remote network locations and mobile users
through the same PAN-OS-based firewalls used to protect the network.
d. Prisma Access leverages native cloud security and other security infrastructure to
provide security to remote network locations and mobile users.

53. A customer’s interest in prevention, detection, and response for security operations is best
addressed by which reference architecture?
a. Public Cloud
b. Secure Access Service Edge
c. Security Operations
d. Automation

54. Which security posture is most likely to stop unknown attacks?
a. Allow all the traffic that is not explicitly denied.
b. Deny all the traffic that is not explicitly allowed.
c. Deny all the traffic that is not explicitly allowed from the outside, and allow all the
traffic that is not explicitly denied from the inside.
d. Deny all the traffic that is not explicitly allowed from the inside, and allow all the
traffic that is not explicitly denied from the outside.

55. Which profile type is used to protect against most protocol-based attacks?
a. Antivirus
b. URL Filtering
c. Vulnerability Protection
d. Anti-Spyware

56. How does an administrator specify in the firewall that certain credentials should not be sent
to certain URLs?
a. With a URL Filtering profile
b. With User-ID
c. With App-ID
d. With a Credential Theft profile

57. Which SD-WAN configuration element contains data used to trigger a new path selection
based on excessive latency?
a. SD-WAN Interface profile
b. SD-WAN Interface
c. Path Quality profile
d. Traffic Distribution profile

58. Which Panorama screen provides an overall status display of SD-WAN errors and their
impacts?
a. SD-WAN Traffic Characteristics
b. SD-WAN Link Characteristics
c. SD-WAN Monitoring
d. SD-WAN Impacted Clusters

59. In Panorama, which policy gets evaluated first?
a. Device group pre-rules
b. Device group post-rules
c. Shared pre-rules
d. Shared post-rules

60. Can the same rule allow traffic from different sources on different firewalls?
a. No. Rules mean the same on all firewalls that receive the same policy.
b. No, because device groups are pushed from Panorama to all firewalls.
c. Yes, because different firewalls can have different zone definitions.
d. Yes, because there could be clauses in a rule with effects limited to a specific device
group.

61. Which is not an advantage of using Panorama?
a. Centralized management
b. Higher throughput on the firewalls
c. Centralized view of collected logs
d. Automatic event correlation

62. How is the Cortex Data Lake integration with Panorama facilitated?
a. No integration is necessary; data flows from Panorama to Cortex Data Lake and vice
versa.
b. A Panorama plugin is installed in Cortex Data Lake.
c. A cloud services plugin is installed in Panorama.
d. Agents run in both Cortex Data Lake and Panorama.

63. What is the maximum number of servers supported by a single User-ID agent?
a. 10
b. 50
c. 100
d. 500

64. How does the firewall know that a specific connection comes from a specific user?
a. Every connection has a user ID encoded in it.
b. User-ID is supported only in protocols that use user authentication, which provides
the user identity to the firewall and the backend.
c. The firewall always uses the IP address in the IP header to locate the user ID, but this
initial identification is overridden by additional techniques, such as HTTP proxies that
provide the client’s IP address in an HTTP header.
d. Usually, the firewall uses the IP address in the IP header to locate the user ID,
but additional techniques are available as alternatives, such as HTTP proxies
providing the client’s IP address in an HTTP header.

65. A customer has a proprietary user authentication system that is not supported by User-ID.
Can you provide User-ID information to their firewall, and if so, how?
a. It is impossible. The customer will need to upgrade to something more standard.
b. It can be done, but only for HTTP applications, because HTTP supports XFF headers.
c. It can be done using the XML API or a syslog listener with custom Regular
Expressions defined.
d. It can be done, but it requires programming that can be performed only by the Palo
Alto Networks Professional Services organization.

66. Should you limit the permission of the user who runs the User-ID agent? If so, why?
a. Yes, because of the principle of least privilege. You should give processes only
those permissions that are necessary for them to work.
b. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
c. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
d. No. There is nothing wrong with using the administrator’s account.

67. Which three file types does WildFire analyze as executables? (Choose three.)
a. JAR
b. PDF
c. Portable Executable
d. Executable and Linkable Format
e. BMP

68. Which three reasons could cause a firewall that is fully configured, including decryption, to
not recognize an application? (Choose three.)
a. The application is running over SSL.
b. There is no App-ID signature for an unanticipated application.
c. The application is running over UDP.
d. A TCP handshake completed, but no application traffic reached the firewall.
e. The payload reached the firewall but did not have enough data packets to
identify the application.

69. Which decryption mode(s) require(s) the private key of the destination server?
a. Forward Proxy
b. Inbound Inspection
c. Both Forward Proxy and Inbound Inspection
d. SSH Proxy

70. Which parameter cannot be used in a Decryption policy rule?
a. User-ID
b. App-ID
c. Source Zone
d. Destination Zone

Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security
certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent
successful cyberattacks and to safely enable applications. A full description of offerings can be
found at the Palo Alto Networks Education Services main site.

Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.

Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community
You also can learn from peers and other experts in the field. Check out our communities site at
https://live.paloaltonetworks.com, where you can:

● Discover reference material
● Learn best practices
● Learn what is trending
