Study Guide
February 2022
You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.
More information is available from the Palo Alto Networks Loop page at:
https://theloop.paloaltonetworks.com/loop/se-pse-certifications-page-for-se-leaders?contentV1Fallback=true
Exam Format
The exam format is 60 multiple-choice questions. Candidates will have five minutes to complete
the Non-Disclosure Agreement, 80 minutes (one hour, 20 minutes) to complete the exam
questions, and five minutes to complete an exit survey.
The approximate distribution of items by topic (Exam Domain) and topic weightings are
shown in the following table.
(Exam domain weighting table: the individual domain weights were not recoverable; TOTAL 100%)
The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks
To register for PSE Professional exams on the Pearson VUE website, candidates need to add one of
the following private access codes:
1. PSE-PAC (if you are taking the exam at a testing center)
2. PSE-OP (if you are taking the exam at home or in the office)
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is
not intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and
use the resources and courses recommended in this guide where needed to gain that
understanding.
Skills Required
● You can effectively and independently position the Palo Alto Networks network security
solution.
● You can match common network security use cases to customer requirements.
● You can overcome customer technical objections, up to and including showcasing feature
functionality.
● You can proficiently deploy and configure a proof of concept (POC).
● You have six months of Palo Alto Networks SE field experience with mentoring.
Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● PSE Foundation
● PSE Strata Associate
● SE Boot Camp (internal only)
1.1.1 Describe how the Palo Alto Networks strategic approach to cybersecurity secures an
organization by eliminating implicit trust and continuously validating every stage of a digital
interaction
Palo Alto Networks, the global cybersecurity leader, is shaping the cloud-centric future with
technology that is transforming the way people and organizations operate. Our mission is to be the
cybersecurity partner of choice, protecting our digital way of life. We help address the world’s
greatest security challenges with continuous innovation that seizes the latest breakthroughs in
artificial intelligence, analytics, automation, and orchestration. By delivering an integrated platform
and empowering a growing ecosystem of partners, we are at the forefront of protecting tens of
thousands of organizations across clouds, networks, and mobile devices. Our vision is a world
where each day is safer and more secure than the one before.
Palo Alto Networks next-generation firewalls (NGFWs) detect known and unknown threats,
including in encrypted traffic, using intelligence generated across many thousands of customer
deployments to reduce risks and prevent a broad range of attacks. For example, they enable users
to access data and applications based on business requirements, and they stop credential theft
and an attacker’s ability to use stolen credentials.
Palo Alto Networks Next-Generation Security Platform enables you to empower your business
using a single-pass software engine that provides full contextual awareness for the application,
content within, and the user. When our platform first sees network traffic, the single-pass software
immediately determines three critical elements that drive your Security policy: the application
identity, regardless of port; the content, malicious or otherwise; and the user identity. With these
three elements as the basis for your Security policy, you can reduce your threat footprint, prevent
attacks, and map policies to users.
● Reduce the threat footprint. Classify all traffic, across all ports, all the time. Today,
applications and their associated content can easily bypass a port-based firewall. Our
security platform natively applies multiple classification mechanisms to the traffic stream to
identify applications, threats, and malware. All traffic is classified, regardless of port,
encryption (Secure Sockets Layer [SSL] or Secure Shell [SSH]), or evasive techniques
employed. Unidentified applications—typically a small percentage of traffic, yet high in
potential risk—are automatically categorized for systematic management. Using a positive
control model, a design unique to our platform, you can set policies based on applications
● Prevent known and unknown attacks. Once the threat footprint is reduced by allowing
specific applications and denying all others, coordinated cyberattack prevention can then
be applied to block known malware sites and prevent vulnerability exploits, viruses, spyware,
and malicious Domain Name System (DNS) queries. Any custom or unknown malware is
analyzed and identified by executing the files and directly observing their malicious
behavior in a virtualized sandbox environment. When new malware is discovered, a
signature for the infecting file and related malware traffic is automatically generated and
delivered to you. Threat prevention policies are uniquely applied to specific application
flows, not globally to specific ports.
● Tie policies to users. To improve your security posture and reduce incident response times,
it’s critical to map application usage to user and device type—and to be able to apply that
context to your Security policy. Integration with a wide range of enterprise user repositories
provides the identity of the Microsoft Windows, Mac OS, Linux, Android, or iOS user and
device accessing the application. The combined visibility and control over both users and
devices mean you can safely enable the use of any application traversing your network, no
matter where the user is or what type of device they are using. Establishing the context of
the specific applications in use, the content or threat they may carry, and the associated
user or device helps you streamline policy management, improve your security posture, and
accelerate incident investigation.
1.1.2 Contrast the technical business value of NGFWs with traditional stateful firewalls
Stateful firewalls
Early on, stateful inspection firewalls classified traffic by looking only at the destination port (e.g.,
tcp/80 = HTTP). As the need for application awareness arose, many vendors added application
visibility and other software or hardware “blades” into their stateful inspection firewalls. They then
sold this offering as a Unified Threat Management (UTM) solution. UTM systems did not improve
security, since the functions were retrofitted into the firewall and not natively integrated.
Unlike UTM systems, an NGFW is application aware and makes decisions based on application, user,
and content. Its natively integrated design simplifies operation and improves security. Given its
success, the term “NGFW” has now become synonymous with “firewall.”
App-ID
App-ID™ is a traffic-classification technology that identifies applications traversing the network,
irrespective of port, protocol, evasive characteristic, or encryption (SSL or SSH).
Content-ID™ combines a real-time threat prevention engine with a comprehensive URL database
and elements of application identification to limit unauthorized data and file transfers and detect
and block a wide range of exploits, malware, dangerous web surfing, and targeted and unknown
threats. The application visibility and control delivered by App-ID, combined with the content
inspection enabled by Content-ID, means that IT departments can regain control over application
traffic and related content.
Enterprises of all sizes are at risk from increasingly sophisticated network-borne threats. Content-ID
delivers a new approach based on the complete analysis of all allowed traffic using multiple threat
prevention and data loss prevention techniques in a single, unified engine. Unlike traditional
solutions, Palo Alto Networks actually controls the threat vectors themselves through the granular
management of all types of applications. This immediately reduces the attack surface of the
Threat prevention
Enterprise networks are facing a rapidly evolving threat landscape full of modern applications,
exploits, malware, and attack strategies that are capable of avoiding traditional methods of
detection. Threats are delivered via applications that dynamically hop ports, use nonstandard ports,
tunnel within other applications, routinely avoid proxies, and hide behind SSL or other types of
encryption. These techniques can prevent traditional security solutions such as IPS and firewalls
Content-ID addresses these challenges with unique threat prevention abilities not found in other
security solutions. First, the NGFW removes the methods that threats use to hide from security
through the complete analysis of all traffic, on all ports, regardless of evasion, tunneling, or
circumvention techniques. Simply put, no threat prevention solution will be effective if it does not
have visibility into the traffic. Only Palo Alto Networks ensures that visibility through the
identification and control of all traffic.
User-ID
User-ID enables you to identify all users on your network, across locations, access methods, and
operating system. Knowing who your users are instead of just their IP addresses enables:
● Visibility. Improved visibility into application usage based on users gives you a more
relevant picture of network activity. The power of User-ID becomes evident when you notice
a strange or unfamiliar application on your network. Using either the Application Command
Center (ACC) or the log viewer, your security team can discern what the application is, who
the user is, bandwidth and session consumption, and the source and destination of the
application traffic, as well as any associated threats.
● Policy control. Tying user information to Security policy rules improves safe enablement of
applications traversing the network and ensures that only users who have a business need
for an application have access. For example, some applications must be available to any
known user on your network, such as human resources applications like Workday or
ServiceNow. However, for more sensitive applications, you can reduce your attack surface by
ensuring that only users who need these applications can access them. For example, while
● Logging, reporting, forensics. If a security incident occurs, forensics analysis and reporting
based on user information rather than IP address provides a more complete picture of the
incident. For example, you can use the predefined User/Group Activity report to see a
summary of the web activity of individual users or user groups. The SaaS Application Usage
report reveals which users are transferring the most data over unsanctioned software as a
service (SaaS) applications.
To enforce user- and group-based policies, the firewall must be able to map IP addresses to
usernames in the packets it receives. User-ID provides many mechanisms to collect this user
mapping information. For example, the User-ID agent monitors server logs for login events and
listens for syslog messages from authenticating services. To identify mappings for IP addresses that
the agent did not map, you can configure an Authentication policy to redirect HTTP requests to a
Captive Portal login. You can tailor the user mapping mechanisms to suit your environment and
even use different mechanisms at different sites to ensure that you are safely enabling access to
applications for all users, in all locations, all the time.
User-ID technology has four main components. The following table lists each component’s name
and primary characteristics.
Component Characteristics
Palo Alto Networks NGFW
● Maps IP addresses to usernames
● Maps usernames to group names
Palo Alto Networks Terminal Services agent
The amount of time in which additional alerts for the same activity or behavior are suppressed
before Cortex XDR raises another Analytics alert.
The User-ID agent comes in two forms: an integrated agent resident on the firewall and a
Windows-based agent:
To enable user- and group-based policy enforcement, the firewall requires a list of all available users
and their corresponding group memberships. This allows you to select groups when defining your
policy rules. The firewall collects group mapping information by connecting directly to your
Lightweight Directory Access Protocol (LDAP) directory server or by using XML application
programming interface (API) integration with your directory server. The user identity, as opposed to
an IP address, is an integral component of an effective security infrastructure. Knowing who is
using each of the applications on your network—and who may have transmitted a threat or is
transferring files—can strengthen your Security policy and reduce incident response times. User-ID
enables you to leverage user information stored in a wide range of repositories for visibility, user-
and group-based policy control, and improved logging, reporting, and forensics:
● Enable User-ID on source zones with users who will require user-based access controls for
their requests.
● Enable User-ID on internal zones only. If you enable User-ID and client probing on an
external zone (such as the internet), probes could be sent outside your protected network.
This could result in an information disclosure of the User-ID agent service account name,
domain name, and encrypted password hash, which could allow an attacker to gain
unauthorized access to protected services and applications.
● Create a dedicated service account for the User-ID agent. This is required if you plan to use
the Windows-based User-ID agent or the PAN-OS integrated User-ID agent to monitor
domain controllers, Microsoft Exchange servers, or Windows clients for user login and
logout events.
● Map IP addresses to users. How you do this depends on where your users are located and
which types of systems they are using, as well as which systems on your network are
collecting login and logout events for your users. You must configure one or more User-ID
agents to enable user mapping.
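The mapping flow described above (login events from an authenticating service, a user-to-group lookup, and user- or group-based rules), as an added example that is not Palo Alto Networks code: the syslog lines, group memberships, zone names and rules are constructed, and the 60-minute mapping timeout is an assumption for this example.

```python
"""Added example (not Palo Alto Networks code): a minimal User-ID style table that
builds IP-to-user mappings from login/logout syslog events, applies a mapping
timeout, honours the "User-ID on internal zones only" guidance, and resolves
group membership from a constructed stand-in for the LDAP directory."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed syslog lines from a hypothetical authenticating service.
SAMPLE_SYSLOG = [
    "2022-03-03T09:00:01Z vpn1 authd: LOGIN user=alice@example.local ip=10.1.20.15",
    "2022-03-03T09:00:07Z vpn1 authd: LOGIN user=bob@example.local ip=10.1.20.22",
    "2022-03-03T09:45:30Z vpn1 authd: LOGOUT user=bob@example.local ip=10.1.20.22",
    "2022-03-03T09:46:00Z vpn1 sshd: Accepted publickey for root from 10.1.20.99",
]

# Constructed stand-in for the group membership the firewall would pull from LDAP.
GROUP_MEMBERS = {
    "hr-staff": {"alice@example.local"},
    "db-admins": {"bob@example.local"},
}

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) \S+ authd: (?P<event>LOGIN|LOGOUT) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_ts(text):
    """Parse the constructed ISO-8601 UTC timestamp used in the sample lines."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


@dataclass
class Mapping:
    user: str
    last_login: datetime


class UserIdTable:
    """IP-to-user table with a mapping timeout and a zone allow-list."""

    def __init__(self, timeout_minutes=60, user_id_zones=("trust",)):
        self.timeout = timedelta(minutes=timeout_minutes)  # assumed timeout
        self.user_id_zones = set(user_id_zones)  # User-ID on internal zones only
        self.ip_to_user = {}

    def ingest(self, line):
        """Update the table from one syslog line; returns the event type or None."""
        m = EVENT_RE.match(line)
        if not m:
            return None  # not a login/logout event from the authenticating service
        ip, user, event = m.group("ip"), m.group("user"), m.group("event")
        if event == "LOGIN":
            self.ip_to_user[ip] = Mapping(user, parse_ts(m.group("ts")))
        else:
            current = self.ip_to_user.get(ip)
            # Drop the mapping only if it still belongs to the user logging out.
            if current is not None and current.user == user:
                del self.ip_to_user[ip]
        return event

    def user_for(self, zone, ip, now):
        """Username for an IP, or None when the zone has no User-ID enabled,
        the IP is unmapped, or the mapping is older than the timeout."""
        if zone not in self.user_id_zones:
            return None
        m = self.ip_to_user.get(ip)
        if m is None or now - m.last_login > self.timeout:
            return None
        return m.user

    def groups_for(self, zone, ip, now):
        user = self.user_for(zone, ip, now)
        return sorted(g for g, members in GROUP_MEMBERS.items() if user in members)


# Constructed rules: any known user may reach the HR app, while the database app
# is limited to the db-admins group. Unmatched traffic is denied.
RULES = [
    {"app": "workday", "group": "known-user", "action": "allow"},
    {"app": "mssql", "group": "db-admins", "action": "allow"},
]


def decide(table, zone, ip, app, now):
    """Apply the user/group-based rules to a session from (zone, ip) to app."""
    user = table.user_for(zone, ip, now)
    groups = table.groups_for(zone, ip, now)
    for rule in RULES:
        if rule["app"] != app:
            continue
        if rule["group"] == "known-user" and user is not None:
            return rule["action"]
        if rule["group"] in groups:
            return rule["action"]
    return "deny"


def build_table(lines=SAMPLE_SYSLOG):
    table = UserIdTable()
    for line in lines:
        table.ingest(line)
    return table


if __name__ == "__main__":
    t = build_table()
    now = parse_ts("2022-03-03T09:50:00Z")
    for zone, ip, app in [("trust", "10.1.20.15", "workday"), ("trust", "10.1.20.15", "mssql"),
                          ("untrust", "10.1.20.15", "workday"), ("trust", "10.1.20.22", "mssql")]:
        print(zone, ip, app, "->", decide(t, zone, ip, app, now))
```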
Device-ID
Whether or not your environment supports a Bring Your Own Device (BYOD) policy, you likely
already have a large number of devices in your network—maybe even more than you realize. The
number of devices supported on a network, the need for scalability as the number of users and
devices grows, and the expanding infrastructure of the Internet of Things (IoT) present an
ever-evolving area of risk with many possibilities for exploitation by malicious users. Additionally,
once you identify these devices, how do you secure them from vulnerabilities such as outdated
operating software? Using Device-ID™ on your firewall, or on Panorama™ to push policy, lets you
get device context for events on your network, obtain policy rule recommendations for those
devices, write policies based on devices, and enforce Security policy based on the
recommendations.
Device-ID provides policy rules that are based on a device, regardless of changes to its IP address or
location. By providing traceability for devices and associating network events with specific devices,
Device-ID allows you to gain context for how events relate to devices and write policies that are
associated with devices instead of users, locations, or IP addresses, which can change over time.
You can use Device-ID in Security, Decryption, Quality of Service (QoS), and Authentication policies.
If you use PAN-OS version 8.1.0 through PAN-OS 9.1.x on a firewall, the IoT Security license provides
device classification, behavior analysis, and threat analysis for your devices. If you use PAN-OS 10.0
or later, you can use Device-ID to obtain IP address-to-device mappings to view device context for
network events, use IoT Security to obtain policy rule recommendations for these devices, and gain
visibility for devices in reports and the ACC.
To identify and classify devices, the IoT Security app uses metadata from logs, network protocols,
and sessions on the firewall. This does not include private or sensitive information or data that is
not relevant for device identification. Metadata also forms the basis of the expected behavior for
the device, which then establishes the criteria for the policy rule recommendation that defines
what traffic and protocols to allow for that device.
1.1.5 Explain how Palo Alto Networks efficiencies lead to platform and process consolidation
Palo Alto Networks consolidates multiple, complementary security functions into a single, natively
integrated platform that safely enables users, applications, and traffic across endpoints, networks,
cloud environments, and SaaS environments. The many benefits of this platform approach include:
● An NGFW that classifies all traffic—including encrypted traffic—and enforces policies based
on applications, users, and content without sacrificing performance. It can selectively
decrypt encrypted traffic for analysis and segment networks based on users or groups.
● WildFire® cloud-based threat analysis service to dynamically analyze suspicious content in
a virtual environment to discover zero-day threats.
● Threat Prevention, including IPS, malware protection, DNS sinkhole, and command and
control (C2) protection.
● URL Filtering continually updates with new phishing and malware sites, as well as sites
associated with attacks—even blocking malicious links in emails.
● GlobalProtect™ network security for endpoints extends a virtual private network (VPN) and
the protection of the Palo Alto Networks platform to mobile staff, employees with mobile
devices, and third-party contractors.
● Cortex XDR blocks exploits and malware on critical assets, such as point of sale devices,
unpatched servers, and corporate endpoints.
● AutoFocus™ service provides contextual threat intelligence analysis on all Palo Alto
Networks threat data.
● Prisma™ SaaS service provides security for SaaS applications.
● Panorama provides network security management via a virtual or physical appliance.
Next-Generation Security Platform users benefit from the most comprehensive library of collective
threat data in the world. Palo Alto Networks customers share threat data to minimize the spread of
attacks and raise the costs to attackers. The detection of a new threat in one customer
environment sharing threat information triggers the automatic creation and dissemination of
prevention mechanisms across thousands of customers.
● Aggregated logging with central oversight for analysis and reporting. Collect
information on activity across all the managed firewalls on the network and centrally
analyze, investigate, and report on the data. This comprehensive view of network traffic, user
activity, and the associated risks empowers you to respond to potential threats using the
rich set of policies to securely enable applications on your network.
Four Panorama models are available: The Panorama virtual appliance, M-600 appliance, M-500
appliance, and M-200 appliance. All of these appliances are supported in PAN-OS 10.0. Panorama’s
centralized management structure, illustrated in the following image, allows you to deploy
Panorama in a high availability (HA) configuration to manage firewalls.
Templates/template stacks
Panorama manages common device and network configuration through templates, which can be
used to manage configuration centrally and push changes to managed firewalls. This approach
avoids the need to make the same individual firewall changes repeatedly across many devices. To
make things even easier, templates can be stacked and used like building blocks during device and
network configuration.
You can use shared policies for global control while still allowing your regional firewall
administrators autonomy to make specific adjustments for their requirements. At the device group
level, you can create shared policies that are defined as the first set of rules and the last set of
rules—the pre-rules and post-rules, respectively—to be evaluated against match criteria. Pre- and
post-rules can be viewed on a managed firewall, but they can only be edited from Panorama within
the context of the administrative roles that have been defined. The device rules—those between
pre- and post-rules—can be edited by either your regional firewall administrator or a Panorama
administrator who has switched to a firewall device context. In addition, an organization can use
shared objects defined by a Panorama administrator, which can be referenced by regionally
managed device rules.
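The rule ordering just described (pre-rules, then device rules, then post-rules, first match wins, with pre- and post-rules editable only from Panorama), as an added example that is not Panorama's own code: the rule names, zones, App-IDs and the "falls through to deny" behaviour for an unmatched session are constructed simplifications for this example.

```python
"""Added example (not Panorama code): models the Panorama rule order where shared
pre-rules are evaluated first, the firewall's own device rules next, and shared
post-rules last, with first match winning, and where pre-/post-rules can only
be edited from the Panorama context."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str  # "any" matches every zone
    app: str       # "any" matches every App-ID
    action: str    # "allow" or "deny"

    def matches(self, src_zone, app):
        return self.src_zone in ("any", src_zone) and self.app in ("any", app)


@dataclass
class Rulebase:
    pre_rules: list = field(default_factory=list)     # Panorama-owned, evaluated first
    device_rules: list = field(default_factory=list)  # locally editable, evaluated second
    post_rules: list = field(default_factory=list)    # Panorama-owned, evaluated last

    def add_rule(self, section, rule, context):
        """context is 'panorama' or 'firewall'; pre/post sections are Panorama-only."""
        if section in ("pre", "post") and context != "panorama":
            raise PermissionError(f"{section}-rules can only be edited from Panorama")
        sections = {"pre": self.pre_rules, "device": self.device_rules, "post": self.post_rules}
        sections[section].append(rule)

    def ordered(self):
        """The merged order in which a managed firewall evaluates the rulebase."""
        return self.pre_rules + self.device_rules + self.post_rules

    def evaluate(self, src_zone, app):
        """First matching rule decides; returns (rule name, action)."""
        for rule in self.ordered():
            if rule.matches(src_zone, app):
                return rule.name, rule.action
        # Simplification for this example: an unmatched session is denied.
        return "implicit", "deny"


def build_sample_rulebase():
    rb = Rulebase()
    # Shared policy pushed from Panorama: block peer-to-peer everywhere ...
    rb.add_rule("pre", Rule("global-block-p2p", "any", "bittorrent", "deny"), "panorama")
    # ... and a catch-all deny at the end of the rulebase.
    rb.add_rule("post", Rule("global-default-deny", "any", "any", "deny"), "panorama")
    # Regional administrator's local rule, sitting between pre- and post-rules.
    rb.add_rule("device", Rule("regional-allow-sap", "trust", "sap", "allow"), "firewall")
    return rb


def local_override_attempt(rb):
    """A regional admin adds a local allow for bittorrent; the pre-rule still wins
    because pre-rules are evaluated before any device rule."""
    rb.add_rule("device", Rule("local-allow-p2p", "trust", "bittorrent", "allow"), "firewall")
    return rb.evaluate("trust", "bittorrent")


def firewall_can_edit_pre_rules(rb):
    """Returns False: editing a pre-rule from the firewall context is refused."""
    try:
        rb.add_rule("pre", Rule("local-pre", "any", "any", "allow"), "firewall")
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    rb = build_sample_rulebase()
    for zone, app in [("trust", "sap"), ("dmz", "sap"), ("trust", "bittorrent")]:
        print(zone, app, "->", rb.evaluate(zone, app))
    print("local override ->", local_override_attempt(rb))
    print("firewall may edit pre-rules:", firewall_can_edit_pre_rules(rb))
```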
1.2.2 Explain the business value of Panorama for centralized logging and reporting
Panorama aggregates logs from all managed firewalls and provides visibility across all traffic on the
network. It also provides an audit trail for all policy modifications and configuration changes made
to the managed firewalls. In addition to aggregating logs, Panorama can forward logs as Simple
Network Management Protocol traps, email notifications, syslog messages, and HTTP payloads to
an external server.
For centralized logging and reporting, you can also use the cloud-based Cortex Data Lake, which is
architected to work seamlessly with Panorama. Cortex Data Lake allows your managed firewalls to
forward logs to the Cortex Data Lake infrastructure instead of Panorama or the managed log
collectors, so you can augment your existing distributed log collection setup or scale your current
logging infrastructure without investing time and effort yourself.
If you do not configure log forwarding to Panorama or Cortex Data Lake, you can schedule reports
to run on each managed firewall and forward the results to Panorama for a combined view of user
activity and network traffic. Although reports do not provide a granular drill-down view of specific
information and activities, they still provide a unified monitoring approach.
1.2.3 References
2.1.1 Emphasize the competitive advantage of inline machine learning and its ability to prevent
unknown threats
With inline machine learning (ML) powered by intelligence from the WildFire and URL Filtering
services, the time from visibility to prevention of unknown network traffic becomes effectively zero.
With this real-time analysis, organizations can:
● Stop new threats instantly, preventing initial infection and potential spread
● Maintain their speed of business while stopping weaponized files, credential phishing, and
malicious scripts without sacrificing user experience
● Leverage existing investments in Palo Alto Networks NGFWs, WildFire, and URL Filtering
● Enjoy seamless, native integration between NGFW and security subscriptions, eliminating
the need for independent security tools while providing consistent protection and
management
● Future-proof defenses to evolve with the latest attacks
Attackers have two critical advantages: speed of proliferation and polymorphism. A polymorphic
attack can spread across networks quickly, generating unique variants for each target.
Palo Alto Networks has delivered the world’s first ML-powered NGFW, providing inline ML to block
unknown file-based and web-based threats. Using a patented signatureless approach, WildFire
and URL Filtering proactively prevent weaponized files, credential phishing, and malicious scripts
without compromising business productivity.
2.1.2 Describe the value of the Palo Alto Networks application-first approach
Networks have become more vulnerable because of fundamental shifts in the application
landscape, user behavior, cybersecurity dynamics, and infrastructure. SaaS, Web 2.0, social media,
and cloud-based applications are everywhere. Mobile devices, cloud, and virtualization are
fundamentally changing network architectures. Organizations are highly susceptible to security
Legacy firewalls and UTM systems are incapable of enabling the next generation of applications,
users, and infrastructures because they classify traffic based only on ports and protocols. For
example, traditional products identify most web traffic as simply HTTP coming through port 80,
with no information on the specific applications associated with that port and protocol. But this
problem is not limited to port 80.
Malicious applications are increasingly using encrypted SSL tunnels on port 443, clever evasive
tactics to disguise themselves, or port-hopping to find any entry point through firewalls. Legacy
firewalls and UTM systems cannot safely enable these applications. At best, they can attempt to
prevent the application from entering the network—stifling business and hampering innovation in
the process.
2.1.3 References
● ML-Powered NGFW,
https://www.paloaltonetworks.com/network-security/next-generation-firewall
● Palo Alto Networks Approach,
https://www.paloaltonetworks.com/company/what-we-do
These approaches share a common problem: a lack of consistent and predictable performance
when security services are enabled. Specifically, base firewall functions can perform at high
throughput and low latency, but when the added security functions are enabled, performance
decreases while latency increases.
More importantly, these traditional approaches to integration limit security capability. This is
because a sequence of functions approach is inherently less flexible than one in which all functions
share information and enforcement mechanisms.
Implemented in a variety of form factors (both physical and virtual), Palo Alto Networks NGFWs
based on SP3 are the high-performance foundation of a security platform that stops modern
threats.
The Palo Alto Networks SP3 addresses performance and flexibility challenges with a unique
single-pass approach to packet processing. This approach increases:
● Performance. By performing operations once per packet, the SP3 eliminates many
redundant functions that plagued previous integration attempts. Networking, policy
lookup, application identification and decoding, and signature matching for all threats and
content are performed only once as packets are processed. This significantly reduces the amount of
processing overhead required to perform multiple functions in one security device. For
content inspection and threat prevention, the SP3 uses a stream-based, uniform signature
matching engine. Instead of using separate engines and signature sets (requiring multiple
passes) or proxies (requiring download prior to scanning), the SP3 scans traffic for all
signatures once—avoiding the introduction of latency.
● Flexibility. The SP3 also supports superior security posture relative to traditional integration
attempts. This is because the architecture performs full-stack inspection upfront and then
makes all resulting context available to all security enforcement options (including threat
prevention). With traditional integration approaches, full context is not shared between all
enforcement options.
The ingress stage receives packets from the physical layer interfaces. In this stage, multiple actions
are performed:
The session setup stage (also called slow path) is executed if the received packet is related to a new
network connection. In the session setup stage, the following actions are performed:
The security processing stage (also called fast path) receives the packet from the ingress stage
(existing sessions) or session setup stage (new session’s packets) and applies the Layer 7 controls
(App-ID, Content-ID) and policy enforcements.
The egress stage manages the QoS traffic shaping and the packet forwarding process. (See
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0.) For
specific kinds of traffic, the packets that belong to existing sessions can be offloaded.
Only PA-3050, PA-3060, PA-3250, PA-3260, PA-5000 Series, PA-5200 Series, PA-5450, and PA-7000
Series firewalls include hardware support for session offloading.
2.2.4 References
● Single-Pass Architecture,
https://www.paloaltonetworks.com/resources/whitepapers/single-pass-parallel-processing-architecture
● Packet Flow Sequence in PAN-OS,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0
● Disable Firewall Offloading Traffic,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm8cCAC
2.3 Compare and contrast the benefits of Advanced URL Filtering and DNS Security
2.3.1 Identify where in the inspection process Advanced URL Filtering and DNS Security are used
and how they differ
Malicious URLs can be updated or introduced before URL filtering databases have an opportunity
to analyze the content; this lag time gives attackers an opening to launch precision attack
campaigns. Advanced URL Filtering compensates for the coverage gaps inherent in database
solutions by providing real-time URL analysis on a per-request basis. When a user visits a URL
designated as risky, the firewall submits the URL to the Advanced URL Filtering service for analysis
using ML and queries PAN-DB for the site’s category (information for recently visited websites is
cached for fast retrieval). The analysis data is used to generate a verdict that the firewall retrieves to
enforce the web-access rules based on your policy configuration. If there is a verdict mismatch
while the data is being analyzed in the cloud, the more severe categorization takes precedence.
Advanced URL Filtering is enabled through the URL Filtering profile and uses the same
configuration settings. If you already have an operational URL filtering deployment, no additional
configuration is necessary to take advantage of Advanced URL Filtering—all web requests
designated as risky are automatically forwarded for analysis. URLs analyzed using Advanced URL
Filtering are displayed in the logs using the category real-time-detection, in addition to the threat
type.
To enable the Advanced URL Filtering security subscription, follow the steps outlined below:
Step 1: Install the Advanced URL Filtering license and verify the installation.
Step 2: Download and install the latest PAN-OS content release.
DNS Security
DNS Security is a continuously evolving threat prevention service designed to protect and defend
your network from advanced threats using DNS. By leveraging advanced ML and predictive
analytics, the service provides real-time DNS request analysis and rapidly produces and distributes
DNS signatures that are specifically designed to defend against malware using DNS for C2 and
data theft. Combined with an extensible cloud architecture, it provides access to a scalable threat
intelligence system to keep your network protections up to date.
With an active Threat Prevention license, customers can configure their firewalls to sinkhole DNS
requests using a list of domains generated by Palo Alto Networks. These locally accessed,
customizable DNS signature lists are packaged with antivirus and WildFire updates and include
the most relevant threats for policy enforcement and protection at the time of publication. For
improved coverage against threats using DNS, the DNS Security subscription enables users to
access real-time protections using advanced predictive analytics. Using techniques such as domain
generation algorithm (DGA)/DNS tunneling detection and ML, threats hidden within DNS traffic
can be proactively identified and shared through an infinitely scalable cloud service. Because the
DNS signatures and protections are stored in a cloud-based architecture, you can access the full
database of ever-expanding signatures that have been generated using a multitude of data
sources. This allows you to defend against an array of threats using DNS in real time against newly
generated malicious domains that deploy with a DGA. (See
https://unit42.paloaltonetworks.com/threat-brief-understanding-domain-generation-algorithms-dga.)
To combat future threats, updates to the analysis, detection, and prevention capabilities of the
DNS Security service will be available through content releases.
To access the DNS Security service, you must have a valid Threat Prevention and DNS Security
license.
The following DNS categories are supported with the licensed DNS Security service:
● C2
● Phishing domains
● Malware-hosted domains
● Dynamic DNS-hosted domains
● Newly registered domains
● Grayware domains
● Parked domains
● Proxy avoidance and anonymizers
The following workflow illustrates how DNS Security uses data sources to generate DNS signatures:
“Cloud security” refers to a broad set of control-based technologies and policies deployed to protect
information, data, applications, and infrastructure associated with cloud computing. As with
on-premises applications and data, those stored in the cloud must be just as vigilantly protected.
The following Palo Alto Networks subscriptions unlock firewall features or enable the firewall to
leverage a Palo Alto Networks cloud-delivered service (or both). The table describes each service or
feature that requires a subscription to work with the firewall. To enable a subscription, you must
first activate subscription licenses; once active, most subscription services can use dynamic content
updates to provide new and updated functionality to the firewall.
SUBSCRIPTIONS
● IoT Security. The IoT Security solution works with NGFWs to dynamically discover and
maintain a real-time inventory of the IoT devices on your network. Through artificial
intelligence and ML algorithms, the IoT Security solution achieves a high level of accuracy,
even classifying IoT device types encountered for the first time. And because it’s dynamic,
your IoT device inventory is always up to date. IoT Security also provides the automatic
generation of policy recommendations to control IoT device traffic, as well as the automatic
creation of IoT device attributes for use in firewall policies.
● Cortex Data Lake. Provides cloud-based, centralized log storage and aggregation. Cortex
Data Lake is required or highly recommended to support several other cloud-delivered
services, including Cortex XDR, IoT Security, and Prisma Access.
● GlobalProtect. Provides mobility solutions or large-scale VPN capabilities. By default, you
can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If
you want to use advanced GlobalProtect features (such as HIP checks and related content
updates, the GlobalProtect Mobile App, IPv6 connections, or a GlobalProtect Clientless
VPN), you will need a GlobalProtect license for each gateway. Other features also require the
license, including the Linux client, domain-based split tunneling, and split DNS. Refer to
https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/g
2.3.3 Identify the dependencies of Advanced URL Filtering and DNS Security
● Superior protection against web-based attacks with the combined power of our URL
database stopping known threats and our industry-first inline web protection engine
categorizing as well as blocking new malicious URLs in real time, even when content is
cloaked from crawlers. Advanced URL Filtering prevents more than 200,000 attacks per day
that traditional databases cannot, in real time.
● Industry-leading phishing protections that tackle the most common causes of breaches.
● Total control of your web traffic through fine-grained controls and policy settings that
enable you to automate security actions based on users, risk ratings, and content
categories.
● Maximum operational efficiency by enabling web protection through the Palo Alto
Networks platform.
FEATURE DESCRIPTION
Inline Real-Time Web Threat Prevention. Uses cloud-based inline ML to analyze real web traffic,
categorizing and blocking malicious URLs in real time. ML models are retrained frequently,
ensuring protection against
DNS Security
The DNS Security service operates real-time DNS request analysis using predictive analytics and
machine learning on multiple DNS data sources. This is used to generate protections for
DNS-based threats, which are accessible in real time through configuration of the Anti-Spyware
Security profile attached to a Security policy rule. Each DNS threat category (the DNS Signature
Source) allows you to define separate policy actions as well as a log severity level for a specific
signature type. This enables you to create specific security policies based on the nature of the
threat, according to your network security protocols. Palo Alto Networks also generates and
maintains a list of explicitly allowable domains based on metrics from PAN-DB and Alexa. These
allow list domains are frequently accessed and known to be free of malicious content. The DNS
Security categories and the allow list are updated and extensible through PAN-OS content releases.
You can view your organization’s DNS statistics data generated by the DNS Security Cloud service
using AutoFocus. This provides a fast, visual assessment describing the breakdown of DNS requests
passing through your network based on the available DNS categories. Alternatively, you can
retrieve domain information, as well as the transaction details, such as latency and TTL using the
test dns-proxy dns-signature fqdn <domain> command.
The DNS Security service currently supports detection of the following DNS threat categories:
● Command and Control Domain. C2 includes URLs and domains used by malware and/or
compromised systems to surreptitiously communicate with an attacker’s remote server to
receive malicious commands or exfiltrate data (this includes DNS tunneling detection and
DGA detection) or deplete resources on a target authoritative DNS server (such as
NXNSattack).
● Dynamic DNS Hosted Domains. Dynamic DNS (DDNS) services provide mapping between
hostnames and IP addresses in near real-time to keep changing IP addresses linked to a
specific domain, when static IPs are unavailable. This provides attackers a method of
infiltrating networks by using DDNS services to change the IP addresses that host
command-and-control servers. Malware campaigns and exploit kits can utilize DDNS
services as part of their payload distribution strategy. By utilizing DDNS domains as part of
their hostname infrastructure, adversaries can change the IP address associated with given
DNS records and more easily avoid detection. DNS Security detects exploitative DDNS
● Malware Domains. Malicious domains host and distribute malware and can include
websites that attempt to install various threats (such as executables, scripts, viruses, drive-by
downloads). Malicious domains are distinguishable from C2 domains in that they deliver
malicious payloads into your network via an external source, whereas with C2, infected
endpoints typically attempt to connect to a remote server to retrieve additional instructions
or other malicious content.
● Newly Registered Domains. Newly registered domains are domains that have never been
registered before and have recently been added by a TLD operator or entity. While new domains
can be created for legitimate purposes, the vast majority are often used to facilitate malicious
activities, such as operating as C2 servers or distributing malware, spam, and PUP/adware.
Palo Alto Networks detects newly registered domains by monitoring specific feeds (domain
registries and registrars) and using zone files, passive DNS, and WHOIS data to detect
registration campaigns.
● Phishing Domains. Phishing domains attempt to lure users into submitting sensitive data,
such as personal information or user credentials, by masquerading as legitimate websites
through phishing or pharming. These malicious activities can be conducted through social
engineering campaigns (whereby a seemingly trusted source manipulates users into
submitting personal information via email or other forms of electronic communications) or
through web traffic redirection, which directs users to fraudulent sites that appear
legitimate.
● Grayware Domains. (Available with installation of PAN-OS content release 8290 and later.)
Grayware domains generally do not pose a direct security threat; however, they can facilitate
vectors of attack, produce various undesirable behaviors, or might simply contain
questionable/offensive content. These can include websites and domains that:
● Proxy Avoidance and Anonymizers. (Available with installation of PAN-OS content release
8340 and later.) Proxy Avoidance and Anonymizers covers traffic to services that are used to
bypass content filtering policies. Users who attempt to circumvent an organization’s
content filtering policies via anonymizer proxy services are blocked at the DNS level.
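The two DNS Security ideas described above, DGA- and tunneling-shaped query detection and one action plus one log severity per DNS category, as an added illustration for this study guide. This is not Palo Alto Networks code: the length and entropy thresholds, the category names, the policy table and the sample log lines are constructed assumptions, and a real service uses ML over many data sources and a public-suffix-aware notion of the registrable domain, which this heuristic ignores.

```python
"""Heuristic DNS query triage: label-shape signals that suggest a DGA or DNS
tunneling, mapped through a per-category action/severity table.

Added example for this study guide, not Palo Alto Networks code. Thresholds,
categories, policy values and log lines are constructed assumptions.
"""
import math
from collections import Counter

# Constructed per-category policy, modelled on "one action and one log
# severity per DNS signature source". Values are assumptions.
DNS_POLICY = {
    "c2": {"action": "sinkhole", "severity": "high"},
    "tunneling": {"action": "block", "severity": "high"},
    "newly-registered": {"action": "alert", "severity": "medium"},
    "benign": {"action": "allow", "severity": "informational"},
}


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(fqdn: str, newly_registered: set) -> str:
    """Assign one constructed category to a query name.

    Simplification: the second-to-last label is treated as the registrable
    domain, so multi-part public suffixes such as co.uk are not handled.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return "benign"
    registrable = labels[-2]
    subdomain = ".".join(labels[:-2])

    # Tunneling shape: long, high-entropy data carried in the subdomain labels.
    if len(subdomain) >= 40 and shannon_entropy(subdomain.replace(".", "")) > 3.5:
        return "tunneling"

    # DGA shape: a long registrable label that is random-looking, vowel-poor
    # or digit-heavy.
    vowels = sum(ch in "aeiou" for ch in registrable)
    digits = sum(ch.isdigit() for ch in registrable)
    if len(registrable) >= 12 and (
        shannon_entropy(registrable) > 3.2
        or vowels / len(registrable) < 0.2
        or digits / len(registrable) > 0.3
    ):
        return "c2"

    if ".".join(labels[-2:]) in newly_registered:
        return "newly-registered"
    return "benign"


def triage(log_lines, newly_registered):
    """Return (fqdn, category, action, severity) for each key=value log line."""
    results = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        category = classify(fields["query"], newly_registered)
        policy = DNS_POLICY[category]
        results.append((fields["query"], category, policy["action"], policy["severity"]))
    return results


# Constructed sample DNS log lines; not captured from any real system.
SAMPLE_LOG = [
    "src=10.1.2.3 query=www.example.com",
    "src=10.1.2.4 query=xkq7v2mbzp9tlw.net",
    "src=10.1.2.5 query=aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q.3f9a1c.exfil.example.org",
    "src=10.1.2.6 query=shop.newbrand.io",
]
# Constructed stand-in for a newly-registered-domain feed.
NEWLY_REGISTERED = {"newbrand.io"}

if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, NEWLY_REGISTERED):
        print(row)
```

Run as-is, the four constructed queries come out as benign, c2 (sinkholed), tunneling (blocked) and newly-registered (alerted). The hyphenated brand-name case is worth noting: entropy alone over-fires on names like brand-new-site, which is why production systems combine many signals rather than one threshold.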
2.3.5 References
● Advanced URL Filtering,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/advanced-url-filtering
● Content Inspection Features,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-data-filtering/predefined-data-filtering-patterns.html
● DNS Security Analytics,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/dns-security-analytics.html
3.1.2 Demonstrate understanding of the design elements that relate to applications, users, and infrastructure
The Palo Alto Networks approach provides a strong preventive strategy for reducing risk,
preventing the threats you can, and detecting and investigating the threats you can’t. Our
approach also allows organizations to automate responses while gaining intelligence with each
incident.
Palo Alto Networks offers an intelligent network security platform, Strata, to provide consistent and
integrated security controls for your users—whether they are on your network or remote, accessing
applications on-premises or in the cloud. The Strata network security platform provides security
management, cloud-delivered security services, and NGFWs with ML and analytics to identify new
types of threats and devices.
The security strategy for Palo Alto Networks NGFWs is to focus on flexible deployment that protects
all locations with simple and consistent management of the following:
● Users. Identify users and leverage user information as an attribute in policy controls.
● Applications. Identify applications, regardless of port, protocol, or evasive techniques, and
block malicious activity pretending to be legitimate traffic.
● Content. Identify and inspect content to keep the network and users safe from malicious
software.
● Devices. Discover, inventory, and gain visibility into all the devices in your network to apply
policy based on a device type, rather than attempting to track dynamically changing IP
addresses.
The NGFWs inspect all traffic flows to look for potential threats, malicious content, and
unauthorized applications, regardless of device location or type.
The NGFWs come in physical, virtual, and containerized form factors, and all form factors provide
the Single-Pass Parallel Processing (SP3) architecture. SP3 increases performance by performing
each operation on a packet only once, in a single pass.
You can manage NGFWs through Panorama™, a scalable and centralized management platform.
NGFW capabilities are leveraged as a cloud-delivered network security platform called Prisma
Access. Prisma Access provides secure internet access at the service edge for branch, retail, and
mobile users. Prisma Access provides the same consistent networking and security as the physical,
virtualized, and containerized NGFWs to secure your users and data in transit.
In addition to Strata, Palo Alto Networks also offers comprehensive cloud security with the Prisma
Cloud suite of products and offers advanced detection and response capabilities with the Cortex™
suite of products. Strata, Prisma, and Cortex are fully integrated, providing security teams and
security operations (including security operations centers [SOCs]) consistent protection and
visibility from the endpoint to the cloud.
WildFire
The cloud-delivered WildFire® malware analysis service uses data and threat intelligence from the
industry’s largest global community and applies advanced analysis to automatically identify
unknown threats and stop attackers in their tracks.
Threat Prevention
Threat Prevention defends your network against both commodity threats—which are pervasive but
not sophisticated—and targeted, advanced threats perpetuated by organized cyber adversaries.
Threat Prevention includes comprehensive exploit, malware, and command-and-control
protection, and Palo Alto Networks frequently publishes updates that equip the firewall with the
very latest threat intelligence. You can use the Threat Vault to research the latest threats that Palo
Alto Networks next-generation firewalls can detect and prevent.
Visit Test A Site to see how PAN-DB categorizes a URL, and to learn about all available URL
categories. Review the Advanced URL Filtering datasheet for a high-level summary of how
Advanced URL Filtering enables safe web access and protects your users from dangerous websites,
malware sites, credential-phishing pages, and attacks attempting to leverage web browsing to
deliver threats.
SaaS Security
SaaS Security is an integrated CASB (Cloud Access Security Broker) solution that helps Security
teams like yours meet the challenges of protecting the growing availability of sanctioned and
unsanctioned SaaS applications and maintaining compliance consistently in the cloud while
stopping threats to sensitive information, users, and resources. SaaS Security options include SaaS
Security API (formerly Prisma SaaS) and the SaaS Security Inline add-on.
Use SaaS Security Inline to discover and manage risks posed by unsanctioned SaaS apps while you
rely on SaaS Security API to scan assets in the cloud space for at-rest detection, inspection, and
remediation across all users, folder, and file activity within sanctioned SaaS applications. With both
IoT Security
The IoT Security solution works with next-generation firewalls to dynamically discover and maintain
a real-time inventory of the IoT devices on your network. Through AI and machine-learning
algorithms, the IoT Security solution achieves a high level of accuracy, even classifying IoT device
types encountered for the first time. And because it’s dynamic, your IoT device inventory is always
up to date. IoT Security also provides the automatic generation of policy recommendations to
control IoT device traffic, as well as the automatic creation of IoT device attributes for use in firewall
policies. You need an IoT Security subscription to access this solution.
Palo Alto Networks® Cortex Data Lake provides cloud-based, centralized log storage and
aggregation for your on-premises and virtual (private cloud and public cloud) firewalls, for Prisma
Access, and for cloud-delivered services such as Cortex XDR.
Cortex Data Lake is secure, resilient, and fault-tolerant, and it ensures your logging data is
up-to-date and available when you need it. It provides a scalable logging infrastructure that
alleviates the need for you to plan and deploy Log Collectors to meet your log retention needs. If
you already have on-premises Log Collectors, the new Cortex Data Lake can easily complement your
existing setup. You can augment your existing log collection infrastructure with the cloud-based
Cortex Data Lake to expand operational capacity as your business grows, or to meet the capacity
needs for new locations.
Perform the following steps to determine the approximate log storage that Panorama requires.
Step 1: Determine the log retention requirements of your organization. Factors that affect log
retention requirements include:
Do this multiple times each day at peak and nonpeak times to estimate the average. The more
often you sample the rates, the more accurate your estimate.
○ If Panorama is already collecting logs, run the following command at the CLI of each
appliance that receives logs (Panorama management server or Dedicated Log
Collector) and calculate the total rates. This command gives the average logging rate
for the last 5 minutes:
The average log size varies considerably by log type. However, you can use 500 bytes as an
approximate average log size. For example, if Panorama must store logs for 30 days and the
average total logging rate for all firewalls is 21,254,400 logs per day, then the required log storage
capacity is: 30 x 500 x 21,254,400 = 318,816,000,000 bytes (approximately 318GB).
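The sizing rule above (retention days x average log size x total logs per day), carried through in code as an added example for this study guide; it is not Palo Alto Networks tooling. It also covers the sampling step described earlier: several logs/second readings per log-receiving appliance (Panorama or a Dedicated Log Collector), taken at peak and off-peak times, are averaged before being converted to a daily rate. The 500-byte average is the guide's rule of thumb; the sample rates, the headroom fraction and the inverse capacity-to-retention helper are constructed additions.

```python
"""Panorama log storage estimate: retention days x average log size x
total logs per day, with per-collector rate sampling.

Added example for this study guide, not Palo Alto Networks code. Sample
rates below are constructed; 500 bytes/log is the guide's rule of thumb.
"""
SECONDS_PER_DAY = 86_400
AVG_LOG_BYTES = 500  # the guide's approximate average log size


def average_logs_per_day(samples_per_sec):
    """Average logs/second samples taken at different times of day and
    convert the result to logs/day."""
    if not samples_per_sec:
        raise ValueError("at least one logging-rate sample is required")
    avg_per_sec = sum(samples_per_sec) / len(samples_per_sec)
    return avg_per_sec * SECONDS_PER_DAY


def required_storage_bytes(retention_days, logs_per_day, avg_log_bytes=AVG_LOG_BYTES):
    """Bytes needed to keep logs_per_day logs for retention_days days."""
    return retention_days * avg_log_bytes * logs_per_day


def retention_days_for_capacity(capacity_bytes, logs_per_day, avg_log_bytes=AVG_LOG_BYTES):
    """Whole days of retention a given capacity supports (the inverse question)."""
    return int(capacity_bytes // (avg_log_bytes * logs_per_day))


def size_panorama_storage(retention_days, samples_by_collector, headroom=0.0):
    """samples_by_collector maps each log-receiving appliance to its
    logs/second samples. headroom is a growth fraction, e.g. 0.25 for 25%."""
    per_collector = {
        name: average_logs_per_day(samples)
        for name, samples in samples_by_collector.items()
    }
    total_per_day = sum(per_collector.values())
    raw = required_storage_bytes(retention_days, total_per_day)
    return {
        "logs_per_day_by_collector": per_collector,
        "total_logs_per_day": total_per_day,
        "bytes": raw,
        "bytes_with_headroom": raw * (1 + headroom),
        "gb_decimal": raw / 1e9,   # vendor-style GB (10^9 bytes)
        "gib": raw / 2**30,        # binary GiB, what a filesystem usually reports
    }


if __name__ == "__main__":
    # Constructed samples averaging 246 logs/s, which reproduces the guide's
    # 21,254,400 logs/day and 318,816,000,000 bytes for 30 days of retention.
    estimate = size_panorama_storage(30, {"panorama": [300, 200, 280, 204]}, headroom=0.25)
    for key, value in estimate.items():
        print(f"{key}: {value}")
```

The constructed samples average 246 logs/s, so the block reproduces the guide's 21,254,400 logs/day and 318,816,000,000 bytes. The decimal and binary figures differ by about 7%, which matters when comparing the estimate with what a disk or appliance actually reports.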
Palo Alto Networks firewalls across the world automatically forward unknown files and URL links
found in emails to the WildFire global threat intelligence cloud or to one of three WildFire regional
clouds in Europe, Japan, and Singapore for analysis. Each WildFire cloud analyzes samples and
generates malware signatures and verdicts independently of the other WildFire clouds. WildFire
signatures and verdicts then are shared globally, which enables WildFire users worldwide to
benefit from malware coverage regardless of the location where the malware was first detected.
Licensed WildFire users worldwide also can use the WildFire XML API or WildFire Dashboard to
manually upload files to WildFire for analysis.
3.1.6 References
● Network Security,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/network-security-overview
● Panorama Administrator's Guide—Determine Panorama Log Storage Requirements,
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/set-up-panorama/determine-panorama-log-storage-requirements.html
3.2.1 Explain the use and value of the different deployment modes
The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo
Alto Networks firewall can operate in multiple deployments simultaneously because you can
configure interfaces to support different deployments. For example, you can configure the
Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode. The interfaces that
the firewall supports are:
● Logical interfaces. These include VLAN interfaces, loopback interfaces, tunnel interfaces,
and software-defined wide area network (SD-WAN) interfaces. You must set up the physical
interface before defining a VLAN, SD-WAN, or tunnel interface.
● Deploy the VM-Series firewall to secure the EC2 instances hosted in the AWS VPC.
If you host your applications in the AWS cloud, deploy the VM-Series firewall to protect and
safely enable applications for users who access these applications over the internet. For
example, the following diagram shows the VM-Series firewall deployed in the edge subnet
to which the internet gateway is attached. The application(s) are deployed in the private
subnet, which does not have direct access to the internet.
● When users need to access the applications in the private subnet, the firewall receives the
request and directs it to the appropriate application, after verifying Security policy and
performing destination network address translation (NAT). On the return path, the firewall
receives the traffic, applies Security policy, and uses source NAT to deliver the content to the
user.
● Deploy the VM-Series firewall for VPN access between the corporate network and the EC2
instances within the AWS VPC.
● To connect your corporate network with the applications deployed in the AWS cloud, you
can configure the firewall as a termination point for an IPSec VPN tunnel. This VPN tunnel
allows users on your network to securely access the applications in the cloud.
● Deploy the VM-Series firewall as a GlobalProtect gateway to secure access for remote users
using laptops. The GlobalProtect agent on the laptop connects to the gateway, and based
on the request, the gateway either sets up a VPN connection to the corporate network or
routes the request to the internet. To enforce security compliance for users on mobile
devices (using the GlobalProtect App), the GlobalProtect gateway is used in conjunction
with the GlobalProtect Mobile Security Manager. The GlobalProtect Mobile Security
Manager ensures that mobile devices are managed and configured with the device settings
and account information for use with corporate applications and networks.
● Deploy the VM-Series firewall with the Amazon Elastic Load Balancing (ELB) service,
whereby the firewall can receive data plane traffic on the primary interface in the following
scenarios where the VM-Series firewall is behind the Amazon ELB:
○ The VM-Series firewall(s) is securing traffic outbound directly to the internet without
the need for using a VPN link or a Direct Connect link back to the corporate network.
○ The VM-Series firewall secures an internet-facing application when there is exactly
one back-end server, such as a web server, for each firewall. The VM-Series firewalls
and web servers can scale linearly, in pairs, behind ELB.
If you want to automatically scale VM-Series firewalls with the Amazon ELB service, use the
CloudFormation template available in the GitHub repository. This template will allow you to deploy
the VM-Series firewall in an ELB sandwich topology with an internet-facing classic ELB and either
an internal classic load balancer or an internal application load balancer (internal ELB).
Virtual firewalls can secure public cloud services from providers such as Google Cloud Platform
(GCP), AWS, and Microsoft Azure. These firewalls typically act as guest virtual machines within
public cloud environments. Some can provide visibility across multiple CSP deployments.
● Meet public cloud user security obligations. CSPs are typically responsible for lift-and-shift
applications, SaaS applications, and cloud infrastructure (database, storage, and
networking). However, organizations using these services are usually responsible for the
security of the operating systems, platforms, access control, data, intellectual property,
source code, and customer-facing content that typically sit on top of the infrastructure.
● Boost the built-in security features unique to each public cloud platform. Some virtual
firewalls provide inline threat prevention, which helps secure the flow of traffic moving
laterally within a cloud environment and augments the basic, built-in security unique to
each CSP.
A network tap is a device that provides a way to access data flowing across a computer network.
Tap mode deployment allows you to passively monitor traffic flows across a network by way of a
network tap or a Switched Port Analyzer (SPAN) or mirror port.
By deploying the firewall in tap mode, you can get visibility into which applications are running on
your network without having to make any changes to your network design. When in tap mode, the
firewall can also identify threats on your network. Keep in mind that because the traffic is not
running through the firewall when in tap mode, it cannot take any action on the traffic, such as
blocking traffic with threats or applying QoS traffic control.
Advantages:
Disadvantages:
● Device cannot take actions, such as blocking traffic or applying QoS traffic control.
● You cannot perform forward decryption.
The vWire deployment mode binds any two Ethernet ports together, placing the firewall inline on
the wire, and can be configured to block or allow traffic based on VLAN tags (VLAN tag “0” is
untagged traffic). Multiple subinterfaces can be added to different security zones to classify traffic
according to a VLAN tag or a combination of a VLAN tag with IP classifiers (i.e., address, range, or
subnet). This allows for granular policy control of the traffic traversing the two vWire interfaces for
specific VLAN tags or for VLAN tags from a specific source IP address, range, or subnet.
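The vWire classification rules just described, as an added example for this study guide rather than PAN-OS code: frames are passed or dropped by VLAN tag (tag 0 being untagged), and subinterfaces assign zones by tag alone or by tag combined with an IP classifier. Interface names, zones, tags and addresses are constructed, and two behaviours are assumptions made for the example: a tag-plus-IP-classifier subinterface is preferred over a tag-only subinterface for the same tag, and a frame that matches no subinterface falls back to the parent vWire zone.

```python
"""Zone selection on a virtual wire with VLAN-tag and IP-classifier
subinterfaces.

Added example for this study guide, not PAN-OS code. Topology values are
constructed; precedence and fallback behaviour are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field

UNTAGGED = 0  # VLAN tag 0 represents untagged frames


@dataclass
class VWireSubinterface:
    name: str
    zone: str
    vlan_tags: frozenset
    ip_classifiers: tuple = ()  # ip_network objects; empty means any source

    def matches(self, vlan_tag, src_ip):
        if vlan_tag not in self.vlan_tags:
            return False
        if not self.ip_classifiers:
            return True
        ip = ipaddress.ip_address(src_ip)
        return any(ip in net for net in self.ip_classifiers)


@dataclass
class VirtualWire:
    parent_zone: str
    allowed_tags: frozenset  # tags the vwire passes; all other tags are dropped
    subinterfaces: list = field(default_factory=list)


def classify_frame(vwire, vlan_tag, src_ip):
    """Return the zone a frame is classified into, or 'drop' if its VLAN tag
    is not allowed on the vwire."""
    if vlan_tag not in vwire.allowed_tags:
        return "drop"
    candidates = [s for s in vwire.subinterfaces if s.matches(vlan_tag, src_ip)]
    if not candidates:
        return vwire.parent_zone  # assumption: parent vwire handles it
    # Assumption: the more specific subinterface (tag + IP classifier) wins.
    candidates.sort(key=lambda s: 0 if s.ip_classifiers else 1)
    return candidates[0].zone


def build_demo_vwire():
    """Constructed topology: one vwire, three subinterfaces."""
    net = ipaddress.ip_network
    return VirtualWire(
        parent_zone="untrust",
        allowed_tags=frozenset({UNTAGGED, 10, 20, 21}),
        subinterfaces=[
            VWireSubinterface("ethernet1/1.10", "users", frozenset({10})),
            VWireSubinterface("ethernet1/1.11", "finance", frozenset({10}),
                              (net("10.20.0.0/16"),)),
            VWireSubinterface("ethernet1/1.20", "iot", frozenset({20, 21})),
        ],
    )


if __name__ == "__main__":
    vw = build_demo_vwire()
    for tag, src in ((10, "10.20.5.5"), (10, "10.30.1.1"), (21, "10.1.1.1"),
                     (30, "10.1.1.1"), (UNTAGGED, "10.1.1.1")):
        print(f"tag={tag} src={src} -> {classify_frame(vw, tag, src)}")
```

The point the example makes is that the same VLAN tag can land in two different zones depending on the source address, which is what lets a Security policy treat finance hosts differently from other users on a shared VLAN without re-addressing anything.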
Advantages:
Disadvantages:
Layer 2 deployments
Advantages:
Disadvantage:
Layer 3 deployments
In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must
be assigned to each interface, and a virtual router must be defined to route the traffic. Choose this
option when routing or NAT is required.
Advantages:
● Provides full firewall functionality, such as traffic visibility, blocking traffic, rate-limiting traffic,
NAT, and routing, including support for common routing protocols.
● Acts as VPN tunnel termination point.
● Allows decryption.
Disadvantage:
● Inserting the device into the network will require IP configuration changes on adjacent
devices.
3.2.5 References
● Plan Your Data Center Best Practice Deployment,
https://docs.paloaltonetworks.com/best-practices/10-1/data-center-best-practices/data-center-best-practices-checklist/plan-data-center-best-practices-deployment-checklist.html
● 3 Virtual Firewall Use Cases,
https://www.paloaltonetworks.com/cyberpedia/3-virtual-firewall-use-cases
3.3 Describe the flexibility of Palo Alto Networks platform networking capabilities
A virtual router is a function of the firewall that participates in Layer 3 routing. The firewall uses
virtual routers to obtain routes to other subnets through manually defined static routes or through
participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall
obtains through these methods populate the IP routing information base (RIB) on the firewall.
When a packet is destined for a different subnet than the one it arrived on, the virtual router
obtains the best route from the RIB, places it in the forwarding information base (FIB), and
forwards the packet to the next hop router defined in the FIB. The firewall uses Ethernet switching
to reach other devices on the same IP subnet. (An exception to one best route going in the FIB
occurs if you are using equal-cost multi-path routing, in which case all equal-cost routes go in the
FIB.)
The Ethernet, VLAN, and tunnel interfaces defined on the firewall receive and forward Layer 3
packets. The destination zone is derived from the outgoing interface based on the forwarding
criteria, and the firewall consults policy rules to identify the Security policy rules that it applies to
each packet. In addition to routing to other network devices, virtual routers can route to other
virtual routers within the same firewall if a next hop is specified to point to another virtual router.
You can configure Layer 3 interfaces on a virtual router to participate with dynamic routing
protocols (Border Gateway Protocol [BGP], Open Shortest Path First [OSPF], OSPFv3, or Routing
Information Protocol [RIP]) as well as add static routes.
You can also create multiple virtual routers, each maintaining a separate set of routes that aren’t
shared between virtual routers, enabling you to configure different routing behaviors for different
interfaces.
You can configure dynamic routing from one virtual router to another by configuring a loopback
interface in each virtual router, creating a static route between the two loopback interfaces, and
then configuring a dynamic routing protocol to peer between these two interfaces.
Each Layer 3 Ethernet, loopback, VLAN, and tunnel interface defined on the firewall must be
associated with a virtual router. While each interface can belong to only one virtual router, you can
configure multiple routing protocols and static routes for a virtual router. Regardless of the static
The firewall comes with a virtual router named “default.” You can edit the default virtual router or
add a new virtual router.
Set administrative distances for types of routes as required for your network. When the virtual
router has two or more different routes to the same destination, it uses administrative distance
(preferring a lower distance) to choose the best path from different routing protocols and static
routes. Administrative distances for types of routes include:
You can configure Layer 3 interfaces on a virtual router to participate with dynamic routing
protocols (e.g., BGP, OSPF, OSPFv3, or RIP) as well as add static routes. You can also create multiple
virtual routers, each maintaining a separate set of routes that are not shared between virtual
routers, enabling you to configure different routing behaviors for different interfaces.
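The RIB-to-FIB selection described above, as an added example for this study guide and not PAN-OS code: routes from several sources populate the RIB; for each prefix the route with the lowest administrative distance (then the lowest metric) enters the FIB, or all equal-cost winners do when ECMP is enabled; forwarding then does a longest-prefix match against the FIB. The administrative distance table, the routes and the next hops are constructed assumptions, not PAN-OS defaults, and the tie-break without ECMP (first route learned) is a simplification.

```python
"""RIB-to-FIB route selection with administrative distance, optional ECMP
and longest-prefix-match lookup.

Added example for this study guide, not PAN-OS code. The distance table
and the routes are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: str       # e.g. "10.1.0.0/16"
    next_hop: str
    source: str       # 'static', 'bgp', 'ospf' or 'rip'
    metric: int = 0


# Constructed administrative distances: lower is preferred (assumption).
ADMIN_DISTANCE = {"static": 10, "bgp": 20, "ospf": 30, "rip": 120}


def _preference(route):
    """Sort key: administrative distance first, then the protocol metric."""
    return (ADMIN_DISTANCE[route.source], route.metric)


def build_fib(rib, ecmp=False):
    """Pick the best route(s) per prefix. Without ECMP, a tie is broken by
    RIB order (the first route learned), a simplification of real tie-breaks."""
    by_prefix = {}
    for route in rib:
        by_prefix.setdefault(ipaddress.ip_network(route.prefix), []).append(route)
    fib = {}
    for net, routes in by_prefix.items():
        best = min(_preference(r) for r in routes)
        winners = [r for r in routes if _preference(r) == best]
        fib[net] = winners if ecmp else winners[:1]
    return fib


def lookup(fib, dst_ip):
    """Longest-prefix match; returns the next hop(s), or [] if no route."""
    ip = ipaddress.ip_address(dst_ip)
    matches = [net for net in fib if ip in net]
    if not matches:
        return []
    longest = max(matches, key=lambda n: n.prefixlen)
    return [r.next_hop for r in fib[longest]]


def demo_rib():
    """Constructed RIB: an aggregate static route, a more specific prefix
    learned once from OSPF and twice from BGP, and a static default."""
    return [
        Route("10.0.0.0/8", "192.0.2.1", "static"),
        Route("10.1.0.0/16", "192.0.2.2", "ospf", metric=10),
        Route("10.1.0.0/16", "192.0.2.3", "bgp", metric=10),
        Route("10.1.0.0/16", "192.0.2.4", "bgp", metric=10),
        Route("0.0.0.0/0", "192.0.2.254", "static"),
    ]


if __name__ == "__main__":
    fib = build_fib(demo_rib(), ecmp=True)
    for dst in ("10.1.2.3", "10.2.2.2", "8.8.8.8"):
        print(dst, "->", lookup(fib, dst))
```

Two things the example separates that are easy to conflate: administrative distance decides which source's route for the same prefix wins (BGP over OSPF here), while prefix length decides which FIB entry a given packet uses (the /16 over the /8 and the default). ECMP changes only the first step, by keeping every equal-cost winner.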
OSPF. OSPF is an IGP that is most often used to dynamically manage network routes in large
enterprise networks. It determines routes dynamically by obtaining information from other routers
and advertising routes to other routers by way of Link State Advertisements (LSAs). The information
gathered from the LSAs is used to construct a topology map of the network. This topology map is
shared across routers in the network and used to populate the IP routing table with available
routes.
Changes in the network topology are detected dynamically and used to generate a new topology
map within seconds. A shortest path tree of each route is computed. Metrics associated with each
routing interface are used to calculate the best route. These can include distance, network
throughput, link availability, etc. Additionally, these metrics can be configured statically to direct
the outcome of the OSPF topology map.
The Palo Alto Networks implementation of OSPF fully supports the following RFCs:
BGP. BGP is the primary internet routing protocol. BGP determines network reachability based on
IP prefixes that are available within an autonomous system, or a set of IP prefixes that a network
provider has designated to be part of a single routing policy.
3.3.3 References
● Virtual Routers,
3.4 Identify the most effective tools, resources, and reference guides for sizing
The choice of the right NGFW appliance model depends on many parameters, but for a given
customer scenario those parameters alone are not sufficient to size an appliance correctly.
Avoid relying solely on datasheets and other performance-on-paper summaries, as they are
inaccurate points of comparison for firewalls. There are fundamental differences in features and
offerings from one firewall vendor to the next. For example, one vendor might measure
consolidated threat prevention features (e.g., IPS, antivirus, C2, URL filtering) in terms of
performance impact, while another might highlight performance impact based solely on
best-of-breed IPS capabilities in a standalone box. To ensure accurate firewall comparisons,
organizations should size capabilities to their real-world environment requirements (e.g., IPS,
application control, advanced malware detection) in addition to the traffic mix. When doing so, it is
critical to account for performance impacts from any future additions to the firewall system.
In addition, advanced capabilities, such as SSL decryption, will vary in performance impact
depending on processing logistics. Some vendors decrypt using the hardware form factor, while
others decrypt using software—each with varying degrees of performance effect. Further, threat
response performance should only be compared with all required signatures activated. Carefully
read the documentation for out-of-the-box collections of signatures to determine actual coverage.
Performance often continues to degrade with the introduction of additional signatures. Other
considerations include:
● Avoid trade-offs between security and performance. You should never have to decide
between enabling a feature or signature and crippling your performance.
● Accurately map to your requirements for throughput and traffic composition. It is
difficult to argue against testing the actual traffic to be secured.
Simulators cannot represent custom applications, real-world usage scenarios, or shadow IT. To
correctly size your next NGFW while also ensuring maximum performance, security, and return on
investment, you can run a PoC in your organization.
Decryption overview. The SSL and SSH encryption protocols secure traffic between two entities,
such as a web server and a client. SSL and SSH encapsulate traffic, encrypting data so that it is
meaningless to entities other than the client and server with the certificates to affirm trust
between the devices and the keys to decode the data. Decrypt SSL and SSH traffic to do the
following:
● Prevent malware concealed as encrypted traffic from being introduced into your network.
For example, an attacker compromises a website that uses SSL encryption. Employees visit
that website and unknowingly download an exploit or malware. The malware then uses the
infected employee endpoint to move laterally through the network and compromise other
systems.
● Prevent sensitive information from moving outside the network.
● Ensure the appropriate applications are running on a secure network.
● Selectively decrypt traffic. For example, create a Decryption policy and profile to exclude
traffic for financial or healthcare sites from decryption.
Palo Alto Networks firewall decryption is policy-based and can decrypt, inspect, and control
inbound and outbound SSL and SSH connections. A Decryption policy enables you to specify traffic
to decrypt by destination, source, service, or URL category and to block, restrict, or forward the
specified traffic according to the security settings in the associated Decryption profile. A Decryption
profile controls SSL protocols, certificate verification, and failure checks to prevent traffic that uses
weak algorithms or unsupported modes from accessing the network. The firewall uses certificates
and keys to decrypt traffic to plaintext and then enforces App-ID and security settings on the
plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire,
and File Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the
plaintext traffic as the traffic exits the firewall to ensure privacy and security.
● Leverage information from existing customer sources. Many customers use a third-party
logging solution such as Splunk, ArcSight, or QRadar. The number of logs sent from a
customer’s existing firewall solution can be pulled from those systems. When using this
method, get a log count from the third-party solution for a full day and divide by 86,400 (the
number of seconds in a day). Do this for several days to get an average. Be sure to include
both business and non-business days, as there is usually a large variance in log rate
between the two.
● Use data from an evaluation device. This information can give a useful starting point for
sizing purposes. With input from the customer, data can be extrapolated for other sites in
the same design. This method has the advantage of yielding an average over several days.
Two scripts can assist with gathering and calculating this information. The TS_LPS script can
be run against a tech support file pulled from an evaluation device. This script will calculate
the average connections per second (with 10 minute granularity), which can then be used to
estimate the log rate. The Device_LPS script can be run while the evaluation device is in use
and will pull the actual logging numbers based on the traffic that the evaluation device is
seeing. To use these scripts, download the script you want to use from the Palo Alto
Networks Sizing Storage for the Logging Service Knowledgebase article attachments,
unpack the zip file, and reference the README.txt file for instructions.
If no information is available, use the Device Log Forwarding table as a reference point. This
will be the least accurate method.
For existing customers, we can leverage data gathered from their existing firewalls and log
collectors:
● To check the log rate of a single firewall, download the file named “device_lps.zip” from the
Palo Alto Networks Sizing Storage for the Logging Service Knowledgebase article
attachments, unpack the zip file, and reference the README.txt file for instructions. This
package will query a single firewall over a specified period of time (you can choose how
many samples) and give an average number of logs per second for that period. If the
customer does not have a log collector, this process will need to be run against each firewall
in the environment.
● If the customer has a log collector (or log collectors), download the file named “lc_lps.zip”
from the Palo Alto Networks Sizing Storage for the Logging Service Knowledgebase article
attachments, unpack the zip file, and reference the README.txt file for instructions. This
package will query the log collector management information base to take a sample of the
incoming log rate over a specified period.
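As an added example (not from the guide and not the Palo Alto Networks TS_LPS, Device_LPS or lc_lps scripts), the third-party log-count method above carried through in code: each day's total is divided by 86,400, the result is averaged over the sampled days, and the business-day versus non-business-day split is reported so a sample that covers only one kind of day is noticed. The daily counts and the Monday-to-Friday definition of a business day are constructed assumptions.

```python
"""Estimate average logs per second (LPS) from daily log counts.

Added example; not code from the study guide or from the Palo Alto Networks
sizing scripts. The daily totals used below are constructed sample data.
"""
from datetime import date
from statistics import mean

SECONDS_PER_DAY = 86_400  # the divisor given in the sizing procedure


def daily_lps(counts: dict) -> dict:
    """Convert a {date: total_logs} map into {date: logs_per_second}."""
    return {day: total / SECONDS_PER_DAY for day, total in counts.items()}


def sizing_summary(counts: dict) -> dict:
    """Return overall, business-day and non-business-day average LPS.

    Business days are taken as Monday-Friday (weekday() < 5); this is an
    assumption of the example, not a rule from the guide. 'mixed_sample'
    is False when the sample contains only one kind of day, which would
    hide the usual variance between business and non-business days.
    """
    if not counts:
        raise ValueError("no daily log counts supplied")
    per_day = daily_lps(counts)
    business = [lps for day, lps in per_day.items() if day.weekday() < 5]
    non_business = [lps for day, lps in per_day.items() if day.weekday() >= 5]
    return {
        "days_sampled": len(per_day),
        "avg_lps": mean(list(per_day.values())),
        "business_avg_lps": mean(business) if business else None,
        "non_business_avg_lps": mean(non_business) if non_business else None,
        "peak_lps": max(per_day.values()),
        "mixed_sample": bool(business) and bool(non_business),
    }


# Constructed sample: one full week of daily log totals pulled from a SIEM.
SAMPLE_COUNTS = {
    date(2022, 2, 7): 172_800_000,   # Mon -> 2000 LPS
    date(2022, 2, 8): 181_440_000,   # Tue -> 2100 LPS
    date(2022, 2, 9): 190_080_000,   # Wed -> 2200 LPS
    date(2022, 2, 10): 181_440_000,  # Thu -> 2100 LPS
    date(2022, 2, 11): 164_160_000,  # Fri -> 1900 LPS
    date(2022, 2, 12): 43_200_000,   # Sat -> 500 LPS
    date(2022, 2, 13): 34_560_000,   # Sun -> 400 LPS
}

if __name__ == "__main__":
    for key, value in sizing_summary(SAMPLE_COUNTS).items():
        print(f"{key}: {value}")
```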
3.4.4 Identify tools and capabilities available for customer best practice review
The Customer Success Team at Palo Alto Networks has developed a prevention architecture with
tools and resources to help you review and assess the security risks of your network and how well
you have used the capabilities of the firewall and other tools to secure your network. Contact your
Palo Alto Networks representative to schedule assessments and reviews (a Palo Alto Networks sales
Prevention Posture Assessment (PPA). The PPA is a set of questionnaires that help uncover
security risk prevention gaps across all areas of network and security architecture. The PPA not only
helps to identify all security risks, it also provides detailed suggestions on how to prevent the risks
and close the gaps. The assessment, guided by an experienced Palo Alto Networks sales engineer,
helps determine the areas of greatest risk where you should focus prevention activities. You can
run the PPA on firewalls and on Panorama.
Best Practice Assessment (BPA) Tool. The BPA for next-generation firewalls and Panorama
evaluates a device’s configuration by measuring the adoption of capabilities, validating whether
the policies adhere to best practices, and providing recommendations and instructions for how to
remediate failed best practice checks.
The Security Policy Adoption Heatmap component filters the information by device groups, serial
numbers, zones, areas of architecture, and other categories. The results include trending data,
which shows the rate of security improvement as you adopt new capabilities, fix gaps, and progress
toward a Zero-Trust network.
The BPA component performs more than 200 security checks on a firewall or Panorama
configuration and provides a pass/fail score for each check. Each check is a best practice identified
by Palo Alto Networks security experts. If a check returns a failing score, the tool provides the
justification for the failing score and how to fix the issue.
3.4.5 References
● PAN-OS Administrator’s Guide—Decryption,
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/decryption.html
● Sizing Storage for the Logging Service,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVMCA0
4.1.1 Describe the value of the Palo Alto Networks consolidated Security policy
By leveraging the Palo Alto Networks platform to consolidate several security functions, all
organizations can reap the following benefits:
Business Benefits:
● Decrease capital and operations costs with fewer devices to deploy and manage.
● Simplify compliance with a consolidated set of logs and reports on a variety of security
threats.
Operational Benefits:
● Minimize network disruption with the ability to add new security functions as needed on
the same platform.
● Reduce manual work of correlating threats across multiple devices and platforms.
● Simplify and speed report creation process for management.
● Free up security teams to work on high-value work.
Security Benefits:
● Get better visibility into threats through a single pane of glass, with context and analysis.
● Use a positive enforcement model for tighter control of application traffic.
● Reduce the attack surface by eliminating unknown or unexpected applications.
● Enable faster time to threat prevention with automated updates pushed regularly to
devices.
4.1.2 Describe the NGFW’s ability to enforce application-default behavior and prevent misuse of
nonstandard ports
Applications running on unusual ports can indicate an attacker that is attempting to circumvent
traditional port-based protections. Application-default is a feature of Palo Alto Networks firewalls
that gives you an easy way to prevent this type of evasion and safely enable applications on their
most commonly used ports. Application-default is a best practice for application-based Security
policy rules—it reduces administrative overhead and closes security gaps that port-based policy
introduces. Application-default also enables:
● Less overhead. Write simple application-based Security policy rules based on your business
needs, instead of researching and maintaining application-to-port mappings. We’ve defined
the default ports for all applications with an App-ID.
● Stronger security. Enabling applications to run only on their default ports is a security best
practice. Application-default helps you to make sure that critical applications are available
without compromising security if an application is behaving in an unexpected way.
Additionally, the default ports an application uses can sometimes depend on whether the
application is encrypted or cleartext. Port-based policy requires you to open all the default ports an
application might use to account for encryption. Open ports introduce security gaps that an
attacker can leverage to bypass your Security policy. However, application-default differentiates
For example, without application-default, you would need to open ports 80 and 443 to enable
web-browsing traffic—you’d be allowing both clear-text and encrypted web browsing traffic on
both ports. With application-default turned on, the firewall strictly enforces clear-text web
browsing traffic only on port 80 and SSL-tunneled traffic only on port 443.
To see the ports that an application uses by default, you can visit Applipedia or select Objects >
Applications. Application details include the application’s standard port—the port it most
commonly uses when in clear-text. For web browsing traffic, SMTP, FTP, LDAP, POP3, and IMAP
details also include the application’s secure port—the port the application uses when encrypted.
Select Policy > Security and add or modify a rule to enforce applications only on their default
port(s):
Converting port-based rules to application-based rules improves your security posture because you
select the applications you want to allow and deny all other applications, so you eliminate
unwanted and potentially malicious traffic from your network. Combined with restricting
application traffic to its default ports (set the Service to application-default), converting to
application-based rules also prevents evasive applications from running on nonstandard ports.
You can use Policy Optimizer on firewalls that run PAN-OS version 9.0. You do not have to upgrade
firewalls that Panorama manages to use Policy Optimizer. However, to use Rule Usage (monitor
policy rule usage), managed firewalls must run PAN-OS 8.1 or later. If managed firewalls connect to
log collectors, those log collectors must also run PAN-OS version 9.0. Managed PA-7000 Series
firewalls that have an LPC can also run PAN-OS 8.1 (or later).
You can also use the Policy Optimizer feature to migrate port-based rules to application-based rules.
Instead of combing through traffic logs and manually mapping applications to port-based rules,
use Policy Optimizer to identify port-based rules and list the applications that matched each rule.
Then, you can select the applications you want to allow and safely enable them. Converting your
legacy port-based rules to application-based allow rules supports your business applications and
enables you to block any applications associated with malicious activity.
Finally, you can use this feature to identify over-provisioned application-based rules. Rules that are
too broad allow applications that you do not use on your network, which increases the attack
surface and the risk of inadvertently allowing malicious traffic.
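An added example (not PAN-OS code) that models the two points made above: a legacy port-based rule that opens ports 80 and 443 to all web traffic beside the converted rule whose Service is application-default, evaluated against the same sessions, plus the over-provisioning check Policy Optimizer is described as performing (apps a rule allows that never matched it). The default-port table is a constructed subset of what Applipedia lists, and the sessions are constructed.

```python
"""Simplified model of port-based rules vs application-default rules.

Added example; not PAN-OS code. Only the behaviour the guide describes for
web-browsing (clear-text, port 80) and ssl (port 443) is modelled; the
default-port table below is a constructed subset, not Applipedia.
"""
from dataclasses import dataclass
from typing import Iterable, List, Set, Union

DEFAULT_PORTS = {
    "web-browsing": {80},   # standard port: clear-text web browsing
    "ssl": {443},           # port used when web browsing is encrypted
    "ftp": {21},            # included only to show an unused allowed app
}


@dataclass(frozen=True)
class Session:
    app: str    # application as identified by App-ID
    port: int   # destination port


@dataclass
class Rule:
    name: str
    apps: Set[str]
    service: Union[str, Set[int]] = "application-default"
    action: str = "allow"

    def matches(self, s: Session) -> bool:
        if s.app not in self.apps:
            return False
        if self.service == "application-default":
            # the app must be running on one of its own default ports
            return s.port in DEFAULT_PORTS.get(s.app, set())
        return s.port in self.service


def evaluate(rules: Iterable[Rule], session: Session) -> str:
    """First-match evaluation; anything unmatched hits the implicit deny."""
    for rule in rules:
        if rule.matches(session):
            return f"{rule.action} ({rule.name})"
    return "deny (implicit)"


def unused_apps(rule: Rule, observed: Iterable[Session]) -> Set[str]:
    """Apps the rule allows but that never matched it: the rule is over-provisioned."""
    seen = {s.app for s in observed if rule.matches(s)}
    return rule.apps - seen


# Legacy port-based rule: both ports are open to both apps.
PORT_BASED: List[Rule] = [
    Rule("allow-web-ports", {"web-browsing", "ssl"}, service={80, 443})
]
# Converted rule: each app is allowed only on its default port(s).
APP_DEFAULT: List[Rule] = [
    Rule("allow-web-appdefault", {"web-browsing", "ssl", "ftp"})
]

# Constructed sessions: two legitimate, two that swap ports to evade policy.
SESSIONS = [
    Session("web-browsing", 80),
    Session("ssl", 443),
    Session("web-browsing", 443),  # clear-text HTTP on the TLS port
    Session("ssl", 80),            # TLS tunnelled over the clear-text port
]

if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.app:>12}:{s.port:<4} port-based: {evaluate(PORT_BASED, s):<24} "
              f"app-default: {evaluate(APP_DEFAULT, s)}")
    print("never-used apps in converted rule:", unused_apps(APP_DEFAULT[0], SESSIONS))
```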
4.1.4 Demonstrate knowledge of the Cloud Identity Engine’s ability to simplify deployment of
cloud-based services to provide user authentication
The Cloud Identity Engine consists of two components: Directory Sync, which provides user
information, and the Cloud Authentication Service, which authenticates users. For a more
comprehensive identity solution, Palo Alto Networks recommends using both components, but
you can configure the components independently.
The Cloud Authentication Service uses a cloud-based service to provide user authentication using
Security Assertion Markup Language 2.0-based Identity Providers (IdPs). When the user attempts
to authenticate, the authentication request is redirected to the Cloud Authentication Service,
which redirects the request to the IdP. After the IdP authenticates the user, the firewall maps the
user and applies the Security policy. By using a cloud-based solution, you can reallocate the
resources required for authentication from the firewall or Panorama to the cloud. The Cloud
Step 1: Prepare to deploy the Cloud Identity Engine so that it can provide user mappings to the
firewall.
● If you have not already done so, install the device certificate for your firewall or Panorama.
● Activate the Cloud Identity Engine app. You can activate CIE in the application portal/Hub at
https://apps.paloaltonetworks.com/apps
Step 2: Configure Azure Active Directory as your identity source in the Cloud Identity Engine app.
● For the Group Attributes, select the format for the Group Name.
Step 4: Configure Security policy rules for your users (for example, by specifying one or more users
or groups that the firewall retrieves from the Cloud Identity Engine as the Source User).
The firewall collects attributes only for the users and groups that you use in Security policy rules,
not all users and groups in the directory.
Step 5: Verify that the firewall has the mapping information from the Cloud Identity Engine:
● On the client device, use the browser to access a webpage that requires authentication.
● Enter your credentials to log in.
● On the firewall, use the show user ip-user-mapping all command to verify that the mapping
information is available to the firewall.
By default, the Cloud Identity Engine syncs changes every 5 minutes. If you want to instantly sync
your directory updates, you can sync just the changes to your Azure AD or on-premises AD. This is
much faster than a full sync of your directory.
Step 7: Configure an IdP for the Cloud Identity Engine for user authentication.
Step 10: Verify that the firewall redirects authentication requests to the Cloud Authentication
Service:
● On the client device, use the browser to access a webpage that requires authentication.
● Enter your credentials to log in.
● Confirm that the access request redirects to the Cloud Authentication Service.
Dynamic user groups (DUGs) help you to create policy that provides auto-remediation for
anomalous user behavior and malicious activity while maintaining user visibility. Previously,
without DUGs, quarantining users in response to suspicious activity meant making time- and
resource-consuming updates for all members of the group, updating the IP address-to-username
mapping to a label to enforce policy at the cost of user visibility, and having to wait until the firewall
checked the traffic. Now, with DUGs, you can configure a DUG to automatically include users as
members without having to manually create and commit policy or group changes and still
maintain user-to-data correlation at the device level before the firewall even scans the traffic.
To determine what users to include as members, a DUG uses tags as filtering criteria. As soon as a
user matches the filtering criteria, that user becomes a member of the DUG. The tag-based filter
uses logical AND and OR operators. Each tag is a metadata element or attribute-value pair that you
After you create the group and commit the changes, the firewall registers the users and associated
tags and then automatically updates the DUG’s membership. Because updates to DUG
membership are automatic, using DUGs instead of static group objects allows you to respond to
changes in user behavior or potential threats without manual policy changes.
The firewall redistributes the tags for the DUG to the listening redistribution agents, which include
other firewalls, Panorama, or a Dedicated Log Collector, as well as Cortex applications.
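An added example (not PAN-OS code) of the DUG mechanics described above: a tag-based filter built from AND and OR operators, a registry of user-to-tag registrations, and group membership derived from the registrations so that registering or unregistering a tag changes membership with no policy edit. The users, tags and filter are constructed.

```python
"""Tag-based membership model for dynamic user groups (DUGs).

Added example; not PAN-OS code. Users, tags and the filter are constructed.
A filter is either a tag string or a nested tuple ("and"|"or", expr, ...).
"""
from typing import Dict, List, Set, Tuple, Union

Filter = Union[str, Tuple]


def matches(expr: Filter, tags: Set[str]) -> bool:
    """Evaluate a filter expression against one user's registered tags."""
    if isinstance(expr, str):
        return expr in tags
    op, *operands = expr
    if op == "and":
        return all(matches(e, tags) for e in operands)
    if op == "or":
        return any(matches(e, tags) for e in operands)
    raise ValueError(f"unsupported operator: {op!r}")


class TagRegistry:
    """User -> tags, as registered on the firewall after the commit."""

    def __init__(self) -> None:
        self._tags: Dict[str, Set[str]] = {}

    def register(self, user: str, tag: str) -> None:
        self._tags.setdefault(user, set()).add(tag)

    def unregister(self, user: str, tag: str) -> None:
        self._tags.get(user, set()).discard(tag)

    def tags_of(self, user: str) -> Set[str]:
        return set(self._tags.get(user, set()))

    def users(self) -> List[str]:
        return list(self._tags)


class DynamicUserGroup:
    def __init__(self, name: str, filter_expr: Filter) -> None:
        self.name = name
        self.filter = filter_expr

    def members(self, registry: TagRegistry) -> Set[str]:
        """Membership is derived from tags, so no group or policy change is needed."""
        return {u for u in registry.users() if matches(self.filter, registry.tags_of(u))}


# Constructed filter: users flagged for malicious activity, but only in the
# departments the quarantine rule is meant to cover (attribute=value tags).
QUARANTINE_FILTER = ("and", "malicious-activity", ("or", "dept=finance", "dept=hr"))


def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    """Return group membership before, during and after a flagged incident."""
    reg = TagRegistry()
    for user, dept in [("alice", "dept=finance"), ("bob", "dept=hr"), ("carol", "dept=eng")]:
        reg.register(user, dept)
    dug = DynamicUserGroup("quarantine-users", QUARANTINE_FILTER)
    before = dug.members(reg)
    reg.register("alice", "malicious-activity")   # e.g. tagged by an automated action
    reg.register("carol", "malicious-activity")   # eng is outside the filter: not quarantined
    during = dug.members(reg)
    reg.unregister("alice", "malicious-activity")  # remediation complete
    after = dug.members(reg)
    return before, during, after


if __name__ == "__main__":
    print(demo())
```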
4.1.6 References
● PAN-OS Administrator’s Guide—Security Policy,
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/policy/security-policy
● Policy Optimizer,
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/app-id-features/policy-o
ptimizer.html
● Dynamic User Groups,
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/user-id-features/dynamic
-user-groups.html
4.2 Identify NGFW features that can protect against unknown threats
WildFire identifies files with potential malicious behaviors and then delivers verdicts based on their
actions by applying threat intelligence, analytics, and correlation alongside advanced capabilities,
including:
● Complete malicious behavior visibility. Identifies threats in all traffic across hundreds of
applications, including web traffic; email protocols like Simple Mail Transfer Protocol (SMTP),
Internet Message Access Protocol (IMAP), and Post Office Protocol (POP); and file-sharing
protocols like Server Message Block protocol (SMB) and File Transfer Protocol (FTP),
regardless of ports or encryption.
● Suspicious network traffic analysis. Monitors all network activity produced by a suspicious
file, including backdoor creation, downloading of next-stage malware, visiting
low-reputation domains, network reconnaissance, and more.
The powerful discovery and analysis capabilities of WildFire are seamlessly integrated with
numerous products across the Palo Alto Networks portfolio as well as within leading partner
solutions.
4.2.2 Explain how App-ID prevents malicious use of services and ports
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls,
identifies applications regardless of port, protocol, encryption (SSH or SSL), or any other evasive
tactic used by the application. It applies multiple classification mechanisms—application
signatures, application protocol decoding, and heuristics—to your network traffic stream to
accurately identify applications.
● Signatures are then applied to allowed traffic to identify the application based on unique
application properties and related transaction characteristics. The signature also determines
● If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in
place, the session is decrypted and application signatures are applied again on the
decrypted flow.
● Decoders for known protocols are then used to apply additional context-based signatures to
detect other applications that may be tunneling inside of the protocol (for example,
Hangouts used across HTTP). Decoders validate that the traffic conforms to the protocol
specification and provide support for NAT traversal and opening dynamic pinholes for
applications such as Session Initiation Protocol (SIP) and File Transfer Protocol (FTP).
● For applications that are particularly evasive and cannot be identified through advanced
signature and protocol analysis, heuristics or behavioral analysis may be used to determine
the identity of the application.
When the application is identified, the policy check determines how to treat the application—for
example, block, allow and scan for threats, inspect for unauthorized file transfer and data patterns,
or shape using QoS.
4.2.3 Describe the benefits of URL Filtering in protecting against unknown threats
We strongly recommend that you block the URL categories that identify malicious or exploitive
content. To get started, you can clone the default URL Filtering profile that blocks malware,
phishing, and C2 URL categories by default. The default URL Filtering profile also blocks the abused
drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block
these URL categories depends on your business requirements. For example, a university probably
will not want to restrict student access to most of these sites because availability is important, but a
business that values security first may block some or all of them.
● C2. URLs and domains that are used by malware or compromised systems to surreptitiously
communicate with an attacker’s remote server to receive malicious commands or exfiltrate
data.
● Malware. Sites known to host malware or to be used for C2 traffic. May also exhibit exploit
kits.
● Phishing. URLs or domains known to host credential phishing pages or phish for personal
identification information.
● Grayware. Websites and services that do not meet the definition of a virus or pose a direct
security threat but display obtrusive behavior. These sites may influence users to grant
remote access or perform other unauthorized actions. Grayware includes scams, criminal
activities, adware, and other unwanted or unsolicited applications, such as embedded
crypto miners or hijackers that change the elements of the browser. Typo squatting
● Dynamic DNS. Hosts and domain names for systems with dynamically assigned IP
addresses that are oftentimes used to deliver malware payloads or C2 traffic. Dynamic DNS
domains do not go through the same vetting process as domains that are registered by a
reputable domain registration company and are therefore less trustworthy.
● Unknown sites. Sites that have not yet been identified by PAN-DB. If availability is critical to
your business and you must allow the traffic, then alert on unknown sites, apply the best
practice Security profiles to the traffic, and investigate the alerts.
● Newly registered domains. Domains often generated purposely or by DGAs that are used
for malicious activity.
● Copyright infringement. Domains with illegal content, such as content that allows illegal
download of software or other intellectual property, that poses a potential liability risk. This
category was introduced to enable adherence to child protection laws required in the
education industry as well as laws in countries that require internet providers to prevent
users from sharing copyrighted material through their services.
● Proxy avoidance and anonymizers. URLs and services often used to bypass content
filtering products.
● Parked domains. Domains registered by individuals, oftentimes later found to be used for
credential phishing. These domains may be similar to legitimate domains—for example,
pal0alt0netw0rks.com—with the intent of phishing for credentials or personally identifiable
information. Or, they may be domains that an individual purchases rights to in hopes that it
may be valuable someday, such as panw.net.
Configure your DNS policies to protect your network from DNS queries to malicious domains. You
can configure your Anti-Spyware profile to use locally available, downloadable DNS signature sets
(packaged with the Antivirus and WildFire updates) or, optionally, access DNS Security, a
cloud-based service that provides real-time access to DNS signatures and protections against
4.2.5 References
● WildFire,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content
/pan/en_US/resources/datasheets/wildfire
● PAN-OS Administrator’s Guide—DNS Security,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin.html
4.3 Identify NGFW features that can protect against known threats
The Palo Alto Networks NGFW protects and defends your network from commodity threats and
advanced persistent threats (APTs). The firewall’s multipronged detection mechanisms include:
Commodity threats are exploits that are less sophisticated. They are more easily detected and
prevented using a combination of antivirus, anti-spyware, and vulnerability protection features
combined with URL filtering and application identification capabilities on the firewall.
Advanced threats are perpetuated by organized cyber adversaries who use sophisticated attack
vectors to target your network, most commonly for intellectual property theft and financial data
theft. These threats are more evasive and require intelligent monitoring mechanisms for detailed
host and network forensics on malware. The Palo Alto Networks NGFW, together with WildFire and
Panorama, provides a comprehensive solution that intercepts and breaks the attack chain and
provides visibility to prevent security infringement on your network infrastructure—including
mobile and virtualized.
● Antivirus signatures. Detect viruses and malware found in executables and file types.
● Anti-spyware signatures. Detect C2 activity, where spyware on an infected client is
collecting data without the user’s consent and/or communicating with a remote attacker.
● Vulnerability signatures. Detect system flaws that an attacker might otherwise attempt to
exploit. A signature’s severity indicates the risk of the detected event, and a signature’s
default action (e.g., block or alert) is how Palo Alto Networks recommends that you enforce
matching traffic.
A correlation object can connect isolated network events and look for patterns that indicate a more
significant event. These objects identify suspicious traffic patterns and network
anomalies—including suspicious IP activity, known C2, known vulnerability exploits, or botnet
activity—that, when correlated, indicate with a high probability that a host on the network has
been compromised. Correlation objects are defined and developed by the Palo Alto Networks
Threat Research team and are delivered with the weekly dynamic updates to the firewall and
Panorama. To obtain new correlation objects, the firewall must have a Threat Prevention license.
Panorama requires a support license for updates.
Configure your DNS policies to protect your network from DNS queries to malicious domains. You
can configure your Anti-Spyware profile to use locally available, downloadable DNS signature sets
(packaged with the Antivirus and WildFire updates) or, optionally, access DNS Security, a
cloud-based service that provides real-time access to DNS signatures and protections against
advanced threats. These are configurable as individual signature sources; additionally, DNS Security
allows you to configure each domain category separately. It is a best practice to override the default
settings and to reconfigure each category with a log severity, policy action, and packet capture
setting that reflects the risks associated with a given domain type.
Advanced URL Filtering provides real-time URL analysis and malware prevention. In addition to
PAN-DB access, the Palo Alto Networks URL filtering database for high-performance URL lookups,
Advanced URL Filtering also offers coverage against malicious URLs and IP addresses. This
multilayered protection solution is configured through your URL Filtering profile.
Step 1: Obtain and install an Advanced URL Filtering license and confirm that it is installed. The
Advanced URL Filtering license includes access to PAN-DB; if the license expires, the firewall ceases
to perform all URL filtering functions, URL category enforcement, and URL cloud lookups.
Additionally, all other cloud-based updates will not function until you install a valid license.
● Select Device > Licenses. In the License Management section, select the license installation
method:
○ Retrieve license keys from license server.
○ Activate feature using authorization code.
● After installing the license, confirm that the Date Expires field in the Advanced URL Filtering
section displays a valid date.
Step 2: Download and install the latest PAN-OS content release. PAN-OS Applications and Threats
content release 8390-6607 and later allows firewalls operating PAN-OS 9.x and later to identify
URLs that have been categorized using the real-time-detection category, identifying URLs
classified by Advanced URL Filtering. For more information about the update, refer to the
Applications and Threat Content Release Notes. You can also review content release notes for apps
and threats on the Palo Alto Networks Support Portal or directly in the firewall web interface: Select
Device > Dynamic Updates and open the release note for a specific content release version.
Step 3: Schedule the firewall to download dynamic updates for applications and threats.
● Select Device > Dynamic Updates.
● In the Schedule field in the Applications and Threats section, click the None link to schedule
periodic updates.
● Applications and threats updates sometimes contain updates for URL filtering related to
safe search enforcement.
4.3.4 Explain how adopting external dynamic lists with threat intelligence protects against
known threats
An EDL is a text file that is hosted on an external web server so that the firewall can import
objects—IP addresses, URLs, and domains—included in the list and enforce policy. To enforce policy
on the entries included in the EDL, you must reference the list in a supported policy rule or profile.
As you modify the list, the firewall dynamically imports the list at the configured interval and
● IP address. The firewall typically enforces policy for a source or destination IP address that is
defined as a static object on the firewall. If you need agility in enforcing policy for a list of
source or destination IP addresses that emerge ad hoc, you can use an EDL of type IP
address as a source or destination address object in policy rules, and then configure the
firewall to deny or allow access to the IP addresses included in the list (e.g., IPv4 and IPv6
addresses, IP range, and IP subnets). The firewall treats an EDL of type IP address as an
address object; all the IP addresses included in a list are handled as one address object.
● Predefined IP address. A predefined IP address list is a type of IP address list that refers to
any Palo Alto Networks Malicious IP Address Feeds that have fixed or predefined contents.
These feeds are automatically added to your firewall if you have an active Threat Prevention
license. A predefined IP address list can also refer to any EDL that you create that uses a
Palo Alto Networks IP address feed as a source.
● URL. An EDL of type URL gives you the agility to protect your network from new threat
sources or malware. The firewall handles an EDL with URLs like a custom URL category. You
can use this list in two ways:
○ As a match criterion in Security policy rules, Decryption policy rules, and QoS policy
rules to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the
custom category.
○ In a URL Filtering profile to define more granular actions, such as continue, alert, or
override, before you attach the profile to a Security policy rule.
● Domain. An EDL of type domain allows you to import custom domain names into the
firewall to enforce policy using an Anti-Spyware profile. This capability is particularly useful if
you subscribe to third-party threat intelligence feeds and want to protect your network
from new threat sources or malware as soon as you learn of a malicious domain. For each
domain that you include in the EDL, the firewall creates a custom DNS-based spyware
signature so that you can enable DNS sinkholing. The DNS-based spyware signature is of
type spyware with medium severity, and each signature is named “Custom Malicious DNS
Query <domain name>.”
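An added example (not PAN-OS code) that parses the two EDL types described above: an IP address list accepting single addresses, subnets and ranges in IPv4 or IPv6 and treated as one address object when checked, and a domain list that yields the custom spyware signature name given for each entry. Sample list contents are constructed, and treating lines that start with "#" as comments is an assumption of this parser.

```python
"""Parse external dynamic list (EDL) text of type IP address or domain.

Added example; not PAN-OS code. The list contents below are constructed.
Lines beginning with '#' are skipped as comments (an assumption here).
"""
import ipaddress
from typing import List, Tuple


def _parse_ip_entry(entry: str) -> tuple:
    """Accept one address, a CIDR subnet, or a 'start-end' range (v4 or v6)."""
    if "-" in entry and "/" not in entry:
        start, end = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if start.version != end.version or start > end:
            raise ValueError(f"bad range: {entry}")
        return ("range", start, end)
    if "/" in entry:
        return ("subnet", ipaddress.ip_network(entry, strict=False))
    return ("address", ipaddress.ip_address(entry))


def parse_ip_edl(text: str) -> Tuple[List[tuple], List[str]]:
    """Return (valid entries, rejected lines) for an EDL of type IP address."""
    valid, rejected = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            valid.append(_parse_ip_entry(line))
        except ValueError:
            rejected.append(line)  # surface bad lines instead of silently dropping them
    return valid, rejected


def ip_edl_contains(entries: List[tuple], ip: str) -> bool:
    """Treat the whole list as one address object: does any entry cover ip?"""
    addr = ipaddress.ip_address(ip)
    for kind, *parts in entries:
        if kind == "address" and parts[0] == addr:
            return True
        if kind == "subnet" and addr in parts[0]:
            return True
        if kind == "range" and parts[0].version == addr.version and parts[0] <= addr <= parts[1]:
            return True
    return False


def domain_edl_signatures(text: str) -> List[str]:
    """Name the custom DNS-based spyware signature created per domain entry."""
    names = []
    for raw in text.splitlines():
        line = raw.strip().lower()  # DNS names are case-insensitive
        if not line or line.startswith("#"):
            continue
        names.append(f"Custom Malicious DNS Query {line}")
    return names


# Constructed sample lists (documentation address ranges, not real indicators).
SAMPLE_IP_EDL = """# constructed blocklist
198.51.100.7
203.0.113.0/24
192.0.2.10-192.0.2.20
2001:db8::/32
not-an-ip
"""
SAMPLE_DOMAIN_EDL = """# constructed domain list
Evil.Example
bad.example.net
"""

if __name__ == "__main__":
    entries, bad = parse_ip_edl(SAMPLE_IP_EDL)
    print(f"{len(entries)} valid entries, rejected: {bad}")
    for probe in ("203.0.113.77", "192.0.2.21", "2001:db8:1::5"):
        print(probe, "->", ip_edl_contains(entries, probe))
    print(domain_edl_signatures(SAMPLE_DOMAIN_EDL))
```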
4.3.5 References
● Activate The Advanced URL Filtering Subscription,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/enable-advanced-url-filtering.html
● PAN-OS Administrator’s Guide—External Dynamic List,
Phishing sites are sites that attackers disguise as legitimate websites to steal user information,
especially network access credentials. When a phishing email enters a network, it takes just a
single user to click the link and enter credentials to set a breach into motion. You can detect and
prevent in-progress phishing attacks, thereby preventing credential theft, by controlling sites to
which users can submit corporate credentials based on the site’s URL category. This allows you to
block users from submitting credentials to untrusted sites while allowing users to continue to
submit credentials to corporate and sanctioned sites.
To enable credential phishing prevention, you must configure User-ID to detect when users submit
valid corporate credentials to a site (as opposed to personal credentials) and URL Filtering to
specify the URL categories in which you want to prevent users from entering their corporate
credentials. The following topics describe the different methods you can use to detect credential
submissions and provide instructions for configuring credential phishing protection.
Add a decryption policy rule to decrypt the traffic you want to monitor for user credential
submissions. Create a decryption policy rule to define traffic for the firewall to decrypt and the type
of decryption you want the firewall to perform: SSL Forward Proxy, SSL Inbound Inspection, or SSH
Proxy decryption. You can also use a decryption policy rule to define Decryption Mirroring.
4.4.2 Identify the components required to demonstrate and architect credential phishing
prevention
In this example, Bob requests access to an application server through the firewall. The firewall
checks its Authentication policy and finds a rule that matches Bob’s traffic. The Authentication
policy rule invokes multifactor authentication (MFA) to challenge Bob. Bob then enters the
additional authentication factor. After Bob is fully authenticated, the firewall checks its Security
policy to verify whether Bob is authorized to access the application server. If there is a matching
Security policy rule that grants Bob access, then Bob can access the application server.
An Authentication policy enables an administrator to selectively issue MFA challenges based on the
sensitivity of the information stored on the network resource. A firewall administrator also can
configure the number and strength of the factors of authentication based on the sensitivity of the
information on each network resource. For example, you could require all corporate users to
authenticate using MFA once a day but require IT administrators to use MFA each time they use
remote desktop protocol to access an AD server.
The diagram shows how credential phishing prevention identifies and blocks credential phishing
attacks. If an attacker can gain access to valid corporate credentials, such access typically can go
unnoticed for some time because the attacker is using a valid username and password.
In this example, an attacker has compromised a web server to steal user credentials.
Next, Bob receives a phishing email from an attacker that contains a link to the compromised web
server. Phishing emails typically describe some urgent or important action that must be taken or
an important document to be viewed.
Bob clicks the link in his email and connects to a phishing website that requests his credentials for
login. A phishing page can be specifically crafted to look like a legitimate banking site, a corporate
intranet login, Outlook Web Access page, or other application. Bob is tricked by the website and
enters his corporate credentials.
The firewall notices credential information in the web traffic and uses User-ID to detect whether
the submitted credentials are valid corporate credentials. You can configure User-ID to use one of
three different methods to detect corporate credentials in web traffic.
If User-ID detects valid corporate credentials, then the firewall consults its URL filtering
configuration to determine the URL categories for which users should be prevented from entering
their corporate credentials. In this case, Bob is trying to enter his corporate credentials to a blocked
website, so the firewall blocks his credentials from being submitted.
4.4.3 References
● PAN-OS Administrator’s Guide—Prevent Credential Phishing,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/prevent-credential
-phishing.html
Customers need to access data and services that are hosted from a wide range of locations (e.g.,
data centers, internet, and public cloud). Users need to be able to access data and services using
different devices (e.g., laptops, smartphones, and tablets) that can be owned by the company or by
the user (BYOD devices). Users must operate in various locations: private homes, company
headquarters, branch offices, public locations, and even during travel.
● Visibility into who is accessing which service, in which way, to gather what information, even
through encrypted channels.
● Protection against known threats.
● Protection against unknown zero-day threats.
Palo Alto Networks addresses these security requirements with multiple services and capabilities,
as described in the following table. Some capabilities require a specific subscription.
Palo Alto Networks privacy practices are informed by the following key principles:
● Accountability. We are responsible for the protection of the personal information entrusted
to us.
● Transparency and control. We inform customers when we collect their personal
information, and we honor their preferences for contacting them.
More and more corporate environments support a BYOD policy, in addition to the growing
infrastructure of IoT devices, network printers, security cameras, and other devices connecting to
their networks. Leaders are presented with both a constantly growing area of risk with many
possibilities for exploitation by malicious users and the need for scalability as the number of users
and the number of accompanying devices on their network increases. And after identifying these
devices, how do leaders secure them from vulnerabilities such as an outdated operating system?
By using Device-ID on firewalls or to push policy from Panorama, organizations can identify
devices, obtain policy rule recommendations for those devices, and enforce Security policy rules
based on these recommendations.
Device-ID operates similarly to how User-ID provides user-based policy and App-ID provides
app-based policy. It provides policy rules that are based on a device, regardless of changes to its IP
address or location. Device-ID provides traceability for devices and associates network events with
specific devices, allowing security teams to gain context for how events relate to devices and write
policies that are associated with devices instead of users, locations, or IP addresses, which can
change over time.
Device-ID can be used with Security, Decryption, QoS, and Authentication policies. An IP
address-to-MAC address mapping is required by the IoT Security application before any device
classification or analysis can happen. Before the IP address-to-MAC address mapping can be
obtained, the firewall must be able to observe Dynamic Host Configuration Protocol (DHCP)
unicast and broadcast traffic on the network to identify devices. The more traffic the firewall can
observe, the more accurate the policy rule recommendations will be.
Because the firewall needs to both detect the devices based on their traffic and then enforce
Security policy for those devices, the firewall acts as both a sensor that detects the traffic from the
devices and an enforcer that applies Security policy to the devices. The firewall automatically
detects new devices as soon as they send DHCP traffic.
● Device classification
● Behavior analysis
● Threat analysis
In addition to the PAN-OS 9.1 features, PAN-OS 10.0 will provide the following on the firewall:
● The ability to consume IP address-to-device mapping verdicts from the IoT application
● Enforcement by using a device as source or destination match criteria in policies
● The ability to consume policy recommendations from the IoT application
● Reporting visibility in reports and the ACC
Testing a next-generation firewall in your environment—with your traffic and data, for your specific
use cases—will demonstrate whether that firewall is the right choice for your organization’s unique
needs. With that in mind, here are five critical mistakes to avoid when evaluating a new
next-generation firewall and selecting the perfect fit.
To ensure accurate “apples to apples” firewall comparisons, you should size the capabilities you
test (e.g., IPS, application control, advanced malware detection) to your organization’s real-world
requirements and traffic mix. When doing so, it’s critical to account for the performance impact
that may result from enabling other features in the future. In addition, advanced capabilities, such
as TLS/SSL decryption, will vary in performance impact depending on where the processing is
done. Some vendors decrypt using the hardware form factor while others decrypt using
● Avoid trade-offs between security and performance. You should never have to decide
between enabling a feature or signature and crippling your performance.
● Accurately map to your requirements for throughput and traffic composition. It is difficult
for anyone to argue against testing the actual traffic to be secured. Simulators can’t
represent custom applications, real-world usage scenarios, or shadow IT.
● Networking teams prioritize hassle-free integration with current architecture, ease of use
and deployment, and network performance and uptime.
● Security teams focus on seamless integration with existing security controls, better overall
security, and threat prevention versus detect-and-respond tactics.
● Security operations teams work best with single-pane management and automation for
security features and capabilities.
● Data center teams need automated features and capabilities,
segmentation/microsegmentation of hybrid cloud environments, scalability to meet
evolving needs, and single-pane management.
● Application teams want simple, fast, and secure application development and deployment.
In a typical evaluation scenario, the firewall vendor works directly with the networking team to
evaluate and implement a firewall. Accounting only for the needs of the networking team is a
critical mistake, though—one with potentially dire results for other teams that rely on the firewall.
For example, the networking team usually isn’t concerned with security and may very well prefer
an option that doesn’t account for the scope of security your business demands. Both the security
and security operations teams should be engaged early to provide input on the level of threat
prevention and other security capabilities required. For the sake of overall business efficiency and
success, your organization should account for the varying needs of all key stakeholders when
choosing a new firewall.
You can avoid the age-old vendor lock-in hook by choosing a firewall vendor with a strong
community of technology partners to ensure seamless integration with your ecosystem from both
networking and security perspectives. In addition, you should not be forced to manage the
integration efforts of a new security platform—that should be the vendor’s responsibility.
Scalability as business requirements change is also a key factor when choosing a new firewall. A
vendor that uses cloud architecture for innovation and design can scale much more quickly
without the need to frequently update hardware on the network edge. In addition, the on-demand
nature of the cloud inherently offers greater agility, higher performance, and much faster access to
innovative technologies. This results in a higher likelihood of compatibility with future technology
and new applications, better overall support, and easier integration with your network.
Avoid the compounding effects of maintaining multiple management interfaces during phased
hardware refreshes. This way, if you choose to migrate to a single vendor, integration and
management will be easy. If you choose not to, make sure the firewall vendor you choose offers a
vast ecosystem of strategic technology partners who can offer expert help in terms of manpower
and knowledge.
4.5.5 References
● Privacy,
https://www.paloaltonetworks.com/legal-notices/privacy
● 5 Critical Mistakes When Evaluating a Next Generation Firewall,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/five-critical-mistakes-to-avoid-when-evaluating-a-ngfw
5.1 Define the Palo Alto Networks best practice methodology using a Zero Trust approach to
network security
As an industry, we’ve reached a tipping point: Many users and apps now reside outside of the
traditional perimeter. A hybrid workforce is a new reality—businesses must provide access from
anywhere and deliver an optimal user experience. The days of managing implied trust by relying
on a static, on-premises workforce are gone. At the same time, application delivery has firmly tilted
in favor of the cloud—public or private—and has enabled development teams to deliver at an
unprecedented pace. However, new architectures, delivery, and consumption models create more
instances of implied trust, and an expanding catalog of applications creates a broader attack
surface, while implied trust granted to microservices yields new opportunities for attackers to move
laterally. Infrastructure can be anywhere, and everything is increasingly interconnected, making
the elimination of implicit trust even more critical. You can no longer simply trust IT equipment
such as printers or vendor-supplied hardware and software because IT and workplace
infrastructure are increasingly connected to internet-facing applications that centrally command
and orchestrate them. Anything internet-facing is a risk to your organization. Physical locations are
increasingly run by connected things, including IoT, which typically have more access than they
need. Traditional IT patching and maintenance strategies do not apply here—cyber adversaries
know this is ripe for exploitation.
As a pioneer in Zero Trust with thousands of customers and deployments, no one in security has
more experience than Palo Alto Networks across the entire security ecosystem, including network,
endpoint, IoT, and more. We know security is never one size fits all. Here’s what makes our Zero
Trust enterprise approach different:
● Comprehensive. Zero Trust should never focus on a narrow technology. Instead, it should
consider the full ecosystem of controls that many organizations rely on for protection.
● Actionable. Comprehensive Zero Trust isn’t easy, but getting started shouldn’t be hard. For
example, what current set of controls can be implemented using security tools you have
today?
● Users. Step one of any Zero Trust effort requires strong authentication of user identity,
application of least access policies, and verification of user device integrity.
● Applications. Applying Zero Trust to applications removes implicit trust with various
components of applications when they talk to each other. A fundamental concept of Zero
Trust is that applications cannot be trusted and that continuous monitoring at runtime is
necessary to validate their behavior.
● Infrastructure. Everything infrastructure-related—routers, switches, cloud, IoT, and supply
chain—must be addressed with a Zero Trust approach.
5.1.1 Identify best practice for eliminating implicit user trust, regardless of user location
Step one of any Zero Trust effort requires strong authentication of user identity, application of “least
access” policies, and verification of user device integrity.
5.1.2 Identify best practice for eliminating implicit trust within applications
Applying Zero Trust to applications removes implicit trust with various components of applications
when they talk to each other. A fundamental concept of Zero Trust is that applications cannot be
trusted and that continuous monitoring at runtime is necessary to validate their behavior.
● Secure the access. Enterprises need to ensure users only have access to the minimal
amount of resources they need to conduct an activity, restricting access to, for example,
data and applications. Even after authentication and checking for a clean device, you still
need to ensure least privilege.
● Secure all transactions. To prevent malicious activity, all content exchanged must be
continuously inspected to verify that it is legitimate, safe, and secure. Data transactions
must be fully examined to prevent enterprise data loss and attacks on the organization
through malicious activity.
5.1.4 References
● Architecting the Zero Trust Enterprise,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/architecting-zero-trust-enterprise
5.2 Demonstrate understanding of the best practices of the five-step methodology for
implementing the Zero Trust model
The five-step methodology for implementing a Zero Trust strategy presents a logical, clear path to
protecting your environment, data, applications, assets, services, and users. The way you apply the
methodology depends on what you’re protecting and your business requirements—what’s critical
to your business—but the outcomes you’re working toward are the same:
The five-step methodology works whether you’re implementing a Zero Trust strategy in the cloud,
on a private network, or on endpoints, regardless of infrastructure.
5.2.1 Explain customer-sensitive data discovery as defined in the Zero Trust model
Working tirelessly to reduce the attack surface is not viable in today’s evolving threat landscape.
The attack surface is always expanding, making it difficult to define, shrink, or defend against.
However, with Zero Trust, rather than focusing on the macro level of the attack surface, you
determine your protect surface. The protect surface encompasses the critical data, applications,
assets, and services (DAAS) most valuable for your company to protect.
Here are some examples of DAAS you might include in your protect surface:
Once defined, you can move your controls as close as possible to that protect surface to create a
microperimeter with policy statements that are limited, precise, and understandable.
Most malware sneaks onto the network in legitimate applications or services. Therefore, to safely
enable applications, you must scan all traffic allowed into the network for threats. To do this, attach
Security profiles to all Security policy rules that allow traffic so that you can detect threats—both
The Antivirus profile has protocol decoders that detect and prevent viruses and malware from
being transferred over seven protocols: FTP, HTTP, HTTP2, IMAP, POP3, SMB, and SMTP. You can set
WildFire actions for all seven protocols because the Antivirus profile also enforces actions based on
WildFire signatures.
To create a best practice Vulnerability Protection profile, clone the predefined strict Vulnerability
Protection profile. For each rule except simple-client-informational and
simple-server-informational, double-click the Rule Name and change Packet Capture from disable
to single-packet to enable packet capture (PCAP). This will let you track down the source of
potential attacks. Do not change the rest of the settings. Download content updates automatically
and install them as soon as possible so that the signature set is always up to date.
To create a best practice Anti-Spyware profile, clone the predefined strict Anti-Spyware profile and
edit it to enable DNS sinkhole and packet capture. This will let you track down the endpoint that
attempted to resolve the malicious domain. The best practice Anti-Spyware profile retains the
default action to reset the connection when the firewall detects a medium-, high-, or
critical-severity threat, and it enables single PCAP for those threats.
Configure your DNS policies to protect your network from DNS queries to malicious domains. You
can configure your Anti-Spyware profile to use locally available, downloadable DNS signature sets
(packaged with the Antivirus and WildFire updates) or, optionally, access DNS Security, a
cloud-based service that provides real-time access to DNS signatures and protections against
advanced threats. These are configurable as individual signature sources; additionally, DNS Security
allows you to configure each domain category separately. It is a best practice to override the default
settings and to reconfigure each category with a log severity, policy action, and packet capture
setting that reflects the risks associated with a given domain type.
Using the sinkhole setting identifies potentially compromised hosts that attempt to access
suspicious domains. The setting tracks the hosts and prevents them from accessing those
domains. Palo Alto Networks recommends using the sinkhole policy action instead of block to
maintain optimum protection while providing a mechanism to help identify compromised
endpoints. For domain categories that pose a greater threat, a higher log severity level or PCAP
The best practice URL Filtering profile sets all known dangerous URL categories to block. These
include C2, copyright infringement, dynamic DNS, extremism, malware, phishing, proxy avoidance
and anonymizers, unknown domains, newly registered domains, grayware, and parked domains.
Failure to block these dangerous categories puts you at risk for exploit infiltration, malware
download, C2 activity, and data exfiltration.
In addition to blocking known bad categories, alert on all other categories so you have visibility into
the sites your users are visiting. If you need to phase in a block policy, set categories to continue
and create a custom response page to educate users about your acceptable use policies and alert
them to the fact they are visiting a site that may pose a threat. This paves the way for you to block
the categories after a monitoring period.
Allowing traffic to a recommended block category poses exposure to the following threats:
● Phishing. Domains or URLs known to host credential phishing pages or phish for personal
identification.
● Dynamic DNS. Hosts and domain names for systems with dynamically assigned IP
addresses that are oftentimes used to deliver malware payloads or C2 traffic. Dynamic DNS
domains do not go through the same vetting process as domains that are registered by a
reputable domain registration company and are therefore less trustworthy.
● Unknown. Sites that have not yet been identified by PAN-DB. If availability is critical to your
business and you must allow the traffic, alert on unknown sites, apply the best practice
Security profiles to the traffic, and investigate the alerts.
● Newly registered domains. Domains often generated purposely or by DGAs for malicious
activity.
● Copyright infringement. Domains with illegal content, such as content that allows illegal
download of software or other intellectual property, that poses a potential liability risk. This
category was introduced to enable adherence to child protection laws required in the
education industry as well as laws in countries that require internet providers to prevent
users from sharing copyrighted material through their service.
● Proxy avoidance and anonymizers. URLs and services often used to bypass content
filtering products.
● Grayware. Websites and services that do not meet the definition of a virus but are malicious
or questionable and may degrade device performance and cause security risks. If you are
unsure about whether to block grayware, start by alerting on grayware, investigate the
alerts, and then decide whether to block grayware or continue to alert on grayware.
● Parked domains. Domains registered by individuals, oftentimes later found to be used for
credential phishing. These domains may be similar to legitimate domains—for example,
pal0alt0netw0rks.com—with the intent of phishing for credentials or personally identifiable
information. Or, they may be domains that an individual purchases rights to in hopes that it
may be valuable someday, such as panw.net.
Zero Trust networks are completely customized and not derived from a single, universal design.
Instead, the architecture is constructed around the protect surface. Once you’ve defined the
protect surface and mapped flows relative to the needs of your business, you can map out the Zero
Trust architecture, starting with an NGFW. The NGFW acts as a segmentation gateway and creates
a microperimeter around the protect surface. With a segmentation gateway, you can enforce
additional layers of inspection and access control, all the way to Layer 7, for anything trying to
access resources within the protect surface.
Once the network is architected, you will need to create Zero Trust policies using the Kipling
Method to define which resources should have access to others. Kipling, well known to novelists,
introduced the concept of “who, what, when, where, why, and how” in his poem “I Keep Six Honest
Serving Men.” Using this method, we are able to define the following:
With this level of granular policy enforcement, you can be sure that only known allowed traffic or
legitimate application communication is permitted.
5.2.5 Explain how Palo Alto Networks validates each transaction in a Zero Trust model
This final step includes reviewing all logs—internal and external, and all the way through Layer
7—and focusing on the operational aspects of Zero Trust. Since Zero Trust is an iterative process,
inspecting and logging all traffic will provide valuable insights into how to improve the network
over time.
Once you have completed the five-step methodology for implementing a Zero Trust network for
your first protect surface, you can expand to iteratively move other DAAS from your legacy network
to a Zero Trust network in a way that is cost-effective and nondisruptive.
5.2.6 References
● Architecting the Zero Trust Enterprise,
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/architecting-zero-trust-enterprise
● The Five-Step Methodology,
https://docs.paloaltonetworks.com/best-practices/10-1/zero-trust-best-practices/zero-trust-best-practices/the-five-step-methodology.html
The SSL and SSH encryption protocols secure traffic between two entities, such as a web server and
a client. SSL and SSH encapsulate traffic, encrypting data so that it is meaningless to entities other
than the client and server with the certificates to affirm trust between the devices and the keys to
decode the data. Decrypt SSL and SSH traffic to:
● Prevent malware concealed as encrypted traffic from being introduced into your network.
For example, an attacker compromises a website that uses SSL encryption. Employees visit
that website and unknowingly download an exploit or malware. The malware then uses the
infected employee endpoint to move laterally through the network and compromise other
systems.
● Prevent sensitive information from moving outside the network.
● Ensure that the appropriate applications are running on a secure network.
● Selectively decrypt traffic. For example, create a Decryption policy and profile to exclude
traffic for financial or healthcare sites from decryption.
Palo Alto Networks firewall decryption is policy-based and can decrypt, inspect, and control
inbound and outbound SSL and SSH connections. A Decryption policy enables you to specify traffic
to decrypt by destination, source, service, or URL category and to block, restrict, or forward the
specified traffic according to the security settings in the associated Decryption profile. A Decryption
profile controls SSL protocols, certificate verification, and failure checks to prevent traffic that uses
weak algorithms or unsupported modes from accessing the network. The firewall uses certificates
and keys to decrypt traffic to plaintext and then enforces App-ID and security settings on the
plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, WildFire,
and File Blocking profiles. After decrypting and inspecting traffic, the firewall re-encrypts the
plaintext traffic as the traffic exits the firewall to ensure privacy and security.
The firewall provides three types of Decryption policy rules: SSL Forward Proxy to control outbound
SSL traffic, SSL Inbound Inspection to control inbound SSL traffic, and SSH Proxy to control
tunneled SSH traffic. You can attach a Decryption profile to a policy rule to apply granular access
settings to traffic, such as checks for server certificates, unsupported modes, and failures.
SSL decryption (both forward proxy and inbound inspection) requires certificates to establish the
firewall as a trusted third party and to establish trust between a client and a server to secure an
SSL/Transport Layer Security (TLS) connection. You can also use certificates when excluding servers
from SSL decryption for technical reasons (the site breaks decryption for reasons such as certificate
pinning, unsupported ciphers, or mutual authentication). SSH decryption does not require
certificates.
You can integrate a hardware security module (HSM) with a firewall to enable enhanced security for
the private keys used in SSL forward proxy and SSL inbound inspection decryption. You can also
use decryption mirroring to forward decrypted traffic as plaintext to a third-party solution for
additional analysis and archiving.
● Traffic that you choose not to decrypt because of business, regulatory, personal, or other
reasons, such as financial services, health and medicine, or government traffic. You can
choose to exclude traffic based on source, destination, URL category, and service.
You can use asterisks (*) as wildcards to create decryption exclusions for multiple hostnames
associated with a domain. Asterisks behave the same way that carets (^) behave for URL category
exceptions—each asterisk controls one variable subdomain (label) in the hostname. This enables
you to create both very specific and very general exclusions. For example, to use wildcards to
exclude video-stats.video.google.com from decryption but not to exclude video.google.com from
decryption, exclude *.*.google.com.
To increase visibility into traffic and reduce the attack surface as much as possible, don’t make
decryption exceptions unless you must.
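The label-by-label wildcard rule described above, as an added example that is not Palo Alto Networks code: each asterisk stands for exactly one DNS label, so `*.*.google.com` covers video-stats.video.google.com but not video.google.com. Case-insensitive comparison and stripping of a trailing dot are assumptions made here; the `coverage_report` helper is a hypothetical audit aid that shows how many observed hosts a single wildcard exclusion would leave undecrypted.

```python
"""Label-wise wildcard matching for SSL decryption exclusions (added example)."""

from typing import Dict, List, Optional


def _labels(name: str) -> List[str]:
    """Split a hostname into DNS labels; normalise case and drop a trailing dot.

    Normalisation is an assumption of this example, not a documented rule.
    """
    return name.strip().lower().rstrip(".").split(".")


def matches_exclusion(hostname: str, pattern: str) -> bool:
    """Return True if `hostname` is covered by the exclusion `pattern`.

    A '*' label matches exactly one label, so the label counts must be equal:
    a wildcard never spans more than one subdomain level.
    """
    host_labels = _labels(hostname)
    pat_labels = _labels(pattern)
    if len(host_labels) != len(pat_labels):
        return False
    return all(p == "*" or p == h for h, p in zip(host_labels, pat_labels))


def is_excluded(hostname: str, exclusions: List[str]) -> Optional[str]:
    """Return the first exclusion that covers `hostname`, or None.

    None means the host would still be subject to the Decryption policy,
    which is the default the guide recommends (exclude only when you must).
    """
    for pattern in exclusions:
        if matches_exclusion(hostname, pattern):
            return pattern
    return None


def coverage_report(observed_hosts: List[str],
                    exclusions: List[str]) -> Dict[str, List[str]]:
    """Map each exclusion pattern to the observed hosts it would exclude.

    Hypothetical audit helper: a pattern that swallows many hosts is a sign
    the exclusion is broader than the technical reason that justified it.
    """
    report: Dict[str, List[str]] = {p: [] for p in exclusions}
    for host in observed_hosts:
        pattern = is_excluded(host, exclusions)
        if pattern is not None:
            report[pattern].append(host)
    return report


# Constructed sample data; not a real firewall configuration or traffic log.
SAMPLE_EXCLUSIONS = [
    "*.*.google.com",            # two variable labels in front of google.com
    "pinned.example-bank.tld",   # one exact host excluded for a pinned cert
]

SAMPLE_HOSTS = [
    "video-stats.video.google.com",   # matches *.*.google.com
    "video.google.com",               # only one label before google.com
    "a.b.c.google.com",               # three labels before google.com
    "pinned.example-bank.tld",        # exact match
    "login.example-bank.tld",         # not excluded, still decrypted
]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:32s} -> {is_excluded(host, SAMPLE_EXCLUSIONS)}")
    print(coverage_report(SAMPLE_HOSTS, SAMPLE_EXCLUSIONS))
```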
The firewall provides a predefined SSL Decryption Exclusion list to exclude from decryption
commonly used sites that break decryption because of technical reasons such as pinned
certificates and mutual authentication. The predefined decryption exclusions are enabled by
default, and Palo Alto Networks delivers new and updated predefined decryption exclusions to the
firewall as part of the Applications and Threats content update (or the Applications content update,
if you do not have a Threat Prevention license). The firewall does not decrypt traffic that matches
predefined exclusions and allows the encrypted traffic based on the Security policy that governs
that traffic. However, the firewall can’t inspect the encrypted traffic or enforce Security policy on it.
Because the traffic of sites on the SSL Decryption Exclusion list remains encrypted, the firewall does
not inspect or provide further security enforcement of the traffic. You can disable a predefined
exclusion. For example, you may choose to disable predefined exclusions to enforce a strict Security
policy that allows only applications and services that the firewall can inspect and on which the
You can view and manage all Palo Alto Networks predefined SSL decryption exclusions directly on
the firewall (Device > Certificate Management > SSL Decryption Exclusions).
The Hostname field displays the name of the host that houses the application or service that
breaks decryption technically. You can also add hosts to exclude a server from decryption for
technical reasons if it is not on the predefined list.
The Description field displays the reason the firewall can’t decrypt the site’s traffic—for example,
pinned-cert (a pinned certificate) or client-cert-auth (client authentication).
The firewall automatically removes enabled predefined SSL decryption exclusions from the list
when they become obsolete (an exclusion becomes obsolete when the application it covers no
longer breaks decryption and can be decrypted normally). The Show obsoletes function checks
whether any disabled predefined exclusions that are no longer needed remain on the list. The
firewall does not automatically remove disabled predefined decryption exclusions, but you can
select and delete the obsolete entries.
You can select a hostname's checkbox and then click Disable to stop exempting predefined sites
from decryption (disabled entries remain on the list until you delete them). Use the SSL Decryption
Exclusion list only for sites that break decryption for technical reasons. Do not use it for sites that
you choose not to decrypt.
The most time-consuming part of deploying decryption isn't configuring the decryption policies
and profiles. It's preparing for the deployment by working with stakeholders to decide what traffic
to decrypt and not to decrypt, educating your user population about changes to website access,
developing a public key infrastructure (PKI) strategy for the certificates the firewall presents to
clients, and planning a staged, prioritized rollout.
Identify and prioritize the traffic you want to decrypt. The best practice is to decrypt as much traffic
as you can to gain visibility into potential threats in encrypted traffic and prevent those threats. If
incorrect firewall sizing prevents you from decrypting all of the traffic you want to decrypt, prioritize
the most critical servers, the highest-risk traffic categories, and the least-trusted segments and IP
subnets. To help prioritize, ask yourself questions such as, “What happens if this server is
compromised?” and, “How much risk am I willing to take in relation to the level of performance I
want to achieve?”
Next, identify traffic that you can't decrypt because it breaks decryption for technical reasons (for
example, pinned certificates or client certificate authentication). Decrypting such sites results in
the firewall blocking that traffic. Evaluate the websites that break decryption technically and ask
whether you need access to them for business reasons. If you don't need access, let decryption
block them. If you need access to any of those sites for business purposes, add them to the SSL
Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is
exclusively for sites that break decryption technically.
Identify sensitive traffic that you choose not to decrypt for legal, regulatory, personal, or other
reasons, such as financial, health, or government traffic, or the traffic of certain executives. This
traffic does not break decryption technically, so you don't use the SSL Decryption Exclusion list to
exempt it from decryption. Instead, create a policy-based decryption exclusion (a Decryption policy
rule with the No Decrypt action) to identify and control the traffic you choose not to decrypt, and
apply a No Decryption profile to the rule so that the firewall still blocks sessions to servers with
certificate problems even though it does not decrypt them. Policy-based decryption exclusions are
only for traffic you choose not to decrypt.
When you plan decryption policy, consider your company’s security compliance rules, computer
usage policy, and business goals. Extremely strict controls can impact the user experience by
preventing access to non-business sites the user was formerly able to access, but these controls
may be required for government or financial institutions. There is always a tradeoff between
usability, management overhead, and security. The tighter the decryption policy, the greater the
chance that a website will become unreachable, which may result in user complaints and possibly
modifying the rulebase.
Just as you decide which groups of users to decrypt, decide which devices and applications to
decrypt. Today's networks support not only corporate devices but also BYOD, mobile, remote-user,
and other devices, including contractor, partner, and guest devices. Today's users attempt to
access many sites, both sanctioned and unsanctioned, and you should decide how much of that
traffic you want to decrypt.
Decide what traffic you want to log, and investigate what traffic you can log. Be aware of local laws
regarding what types of data you can log and store and where you can log and store the data. For
example, local laws may prevent logging and storing personal information such as health and
financial data.
Decide how to handle bad certificates. For example, will you block or allow sessions for which the
certificate status is unknown? Understanding how you want to handle bad certificates determines
how you configure the Decryption profiles and which sessions you allow based on the server
certificate verification status.
Several factors determine how much firewall capacity decryption consumes:
● The amount of SSL traffic you want to decrypt. This varies from network to network. For
example, some applications must be decrypted to prevent the injection of malware or
exploits into the network or unauthorized data transfers. Some applications can't be
decrypted due to local laws and regulations or business reasons, and other applications are
cleartext (unencrypted) and don't need to be decrypted. The more traffic you want to
decrypt, the more resources you need.
● The TLS protocol version. Higher versions are more secure but consume more resources.
Use the highest TLS protocol version you can to maximize security.
● The key size. The larger the key size, the better the security but also the more resources the
key processing consumes.
● The key exchange algorithm. Perfect Forward Secrecy (PFS) ephemeral key exchange
algorithms, Diffie-Hellman Ephemeral (DHE) and Elliptic-Curve Diffie-Hellman Ephemeral
(ECDHE), consume more processing resources than Rivest-Shamir-Adleman (RSA) key
exchange because the firewall has to perform a fresh key agreement and derive new
session keys for every session. That per-session work is also what makes PFS more secure:
with RSA key exchange, the session secret is encrypted to the server's long-term private
key, so an attacker who later obtains that key can decrypt every recorded session; with
(EC)DHE, the keys of one session reveal nothing about any other session between the same
client and server.
● The encryption algorithm. In TLS 1.2 the negotiated cipher suite binds the key exchange to
the symmetric encryption algorithm, so the key exchange you allow (PFS or RSA) also
constrains which encryption algorithms are negotiated.
● The certificate authentication method. RSA signatures (not the RSA key exchange
algorithm) consume fewer firewall resources than the Elliptic Curve Digital Signature
Algorithm (ECDSA), but ECDSA is more secure.
● Average transaction sizes. Small average transaction sizes consume more processing
power per byte decrypted, because the cost of the TLS handshake is spread over less data.
Measure the average transaction size of all traffic and then measure the average
transaction size of traffic on port 443 (the default port for HTTPS encrypted traffic) to
understand the proportion of encrypted traffic going to the firewall in relation to your total
traffic, as well as average transaction sizes. Eliminate anomalous outliers such as unusually
large transactions to get a truer measurement of average transaction size.
● The firewall model and resources. Newer firewall models have more processing power
than older models.
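The measurement described under "Average transaction sizes", carried out on a constructed sample: this added Python example (not part of the study guide or of PAN-OS) reads a simplified per-session CSV (destination port, application, bytes), computes the share of sessions and bytes on port 443, and reports the average transaction size before and after removing outliers with Tukey's IQR fences. The CSV layout, column names and session values are assumptions of the example; a real PAN-OS traffic log export has a different schema and would need its own column mapping.

```python
"""Sizing input for decryption: HTTPS share and trimmed average transaction size.

Added example for this guide.  SAMPLE_LOG is a constructed, simplified CSV
(one session per line, bytes in both directions), not the PAN-OS traffic log
schema.
"""

import csv
import io
from typing import Dict, List, Tuple

SAMPLE_LOG = """\
dst_port,app,bytes
443,ssl,2000
443,ssl,3000
443,ssl,2500
443,ssl,4000
443,ssl,3500
443,ssl,200000
80,web-browsing,1500
80,web-browsing,1200
53,dns,300
53,dns,250
"""


def parse_sessions(text: str) -> List[Tuple[int, int]]:
    """Return (dst_port, bytes) per session, skipping malformed rows."""
    out: List[Tuple[int, int]] = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            out.append((int(row["dst_port"]), int(row["bytes"])))
        except (KeyError, TypeError, ValueError):
            continue
    return out


def _median(xs: List[float]) -> float:
    n = len(xs)
    m = n // 2
    return xs[m] if n % 2 else (xs[m - 1] + xs[m]) / 2


def quartiles(values: List[float]) -> Tuple[float, float]:
    """Q1/Q3 as medians of the lower and upper halves (middle value excluded when n is odd)."""
    xs = sorted(values)
    half = len(xs) // 2
    return _median(xs[:half]), _median(xs[len(xs) - half:])


def trim_outliers(values: List[float], k: float = 1.5) -> List[float]:
    """Drop values outside the Tukey fences [Q1 - k*IQR, Q3 + k*IQR]."""
    if len(values) < 4:
        return list(values)  # too few points to estimate spread
    q1, q3 = quartiles(values)
    iqr = q3 - q1
    lo, hi = q1 - k * iqr, q3 + k * iqr
    return [v for v in values if lo <= v <= hi]


def _avg(xs: List[float]) -> float:
    return sum(xs) / len(xs) if xs else 0.0


def size_report(sessions: List[Tuple[int, int]], https_port: int = 443) -> Dict[str, float]:
    """Share of HTTPS traffic plus raw and outlier-trimmed average transaction sizes."""
    if not sessions:
        raise ValueError("no sessions to measure")
    all_bytes = [b for _, b in sessions]
    https_bytes = [b for p, b in sessions if p == https_port]
    return {
        "https_session_share": len(https_bytes) / len(sessions),
        "https_byte_share": sum(https_bytes) / sum(all_bytes),
        "avg_txn_all": _avg(all_bytes),
        "avg_txn_all_trimmed": _avg(trim_outliers(all_bytes)),
        "avg_txn_https": _avg(https_bytes),
        "avg_txn_https_trimmed": _avg(trim_outliers(https_bytes)),
    }


if __name__ == "__main__":
    for key, value in size_report(parse_sessions(SAMPLE_LOG)).items():
        print(f"{key:24} {value:12.2f}")
```

In the sample one 200 KB download pulls the raw HTTPS average to about 35.8 KB while the trimmed average is 3 KB; sizing on the raw figure would understate the handshake load, since a firewall decrypting many small sessions spends most of its effort on key exchange rather than bulk decryption.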
The combination of these factors determines how decryption consumes firewall processing
resources. To best use the firewall’s resources, understand the risks of the data you’re protecting. If
firewall resources are an issue, use stronger decryption for higher-priority traffic and less
Measure firewall performance so that you understand the currently available resources, which
helps you understand whether you need more firewall resources to decrypt the traffic you want to
decrypt. Measuring firewall performance also sets a baseline for performance comparisons after
deploying decryption.
When you size the firewall deployment, base it not only on your current needs, but also on your
future needs. Include headroom for the growth of decryption traffic.
Educating stakeholders, employees, and other users such as contractors and partners is critical
because decryption settings may change their ability to access some websites. Users should
understand how to respond to situations in which previously reachable websites become
unreachable and what information to give technical support. Support should understand what is
being rolled out when, as well as how to help users who encounter issues. Before you roll out
decryption to the general population:
● Identify early adopters. They can help champion decryption and will be able to help other
employees who have questions during the full rollout. Enlist the help of department
managers and help them understand the benefits of decrypting traffic.
● Set up PoC trials in each department. Include early adopters and other employees who
understand why decrypting traffic is important. Educate PoC participants about the
changes and how to contact technical support if they run into issues. In this way, decryption
PoC trials become an opportunity to work with technical support to develop the most
painless method for implementing the general rollout. The interaction between PoC users
and technical support also allows you to fine-tune policies and communication strategies.
● Use lessons learned from PoC trials to prioritize decryption. PoC trials help you
experiment with decryption prioritization strategies. When you phase in decryption in the
general population, your PoC experience can help you understand how to phase in
decrypting different URL categories. Measure how decryption affects firewall CPU and
memory utilization to evaluate your firewall sizing. PoC trials can also reveal applications
that break decryption technically and should be added to the SSL Decryption Exclusion list.
● Educate the user population before the general rollout, and plan to educate new users
as they join the company. This is a critical phase of deploying decryption because the
deployment may make some websites that users previously visited (including unsafe ones)
unreachable. The PoC experience helps identify the most important points to communicate.
● Phase in decryption. You can accomplish this several ways. You can decrypt the highest
priority traffic first (for example, the URL categories most likely to harbor malicious traffic)
and then decrypt more as you gain experience. Alternatively, you can take a more
conservative approach and first decrypt the URL categories that don’t affect your business
(e.g., news feeds), so if something goes wrong, no issues occur that affect business. In all
cases, the best way to phase in decryption is to decrypt a few URL categories, take user
feedback into account, run reports to ensure that decryption is working as expected, and
then gradually decrypt a few more URL categories and verify, and so on. Plan to make
decryption exclusions to exclude sites from decryption if you can’t decrypt them for
technical reasons or because you choose not to decrypt them.
● Educate users about decryption in real time. If you enable users to opt out of SSL
decryption (users see a response page that allows them either to opt out of decryption and
end the session without going to the site or to proceed to the site and agree to have the
traffic decrypted), educate them about what it is, why they’re seeing it, and what their
options are.
● Schedule realistically. Create deployment schedules that allow time to evaluate each stage
of the rollout.
5.3.4 References
● Decryption Exclusions,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions
● Prepare to Deploy Decryption,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/prepare-to-deploy-decryption.html
2. Which two answers could be used to handle a prospect’s objection that updating the
WildFire malware list twice a week is unacceptable? (Choose two.)
a. With a WildFire subscription, you get an update every few minutes.
b. With the Threat subscription, you get an update every few minutes.
c. With the Threat subscription, you get an update every hour.
d. With the Threat subscription, you get an update every 24 hours.
3. Which Palo Alto Networks product directly protects corporate laptops when people use
them from home?
a. NGFW
b. Panorama
c. WildFire
d. Prisma Access
4. Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
a. Email
b. DNS
c. URL
d. SMS
e. ICMP
7. Which two behaviors would fail to disguise malware from a firewall? (Choose two.)
a. Use domains known to be run by dynamic DNS providers.
b. Disguise C2 traffic as email.
8. Which element of the NGFW does the NGFW UTD show potential customers?
a. How to set up the NGFW for the first time
b. How to migrate from a different firewall to the NGFW
c. How to integrate with Advanced Endpoint Protection
d. How to integrate with WildFire
9. Which firewall series (one or more) requires you to specify in the Bill of Materials what NPCs
to include?
a. A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks
appliances don’t support hardware customization.
b. PA-7000
c. PA-5200 and PA-7000
d. PA-3000, PA-5200, and PA-7000
10. Which step is required to ensure that web storage is not used to exfiltrate sensitive data
from an enterprise that must use web storage to collaborate with business partners?
a. Disconnect from the internet.
b. Configure a local shared drive and use that instead of web storage.
c. Use Prisma SaaS to ensure that the information shared to the web storage is not
sensitive.
d. Install Advanced Endpoint Protection.
15. A best practice is to either block executables or to send them to WildFire. Which three file
types are analyzed as executables by WildFire? (Choose three.)
a. JAR
b. PDF
c. Python script
d. Office Open XML (.docx)
e. iPhone apps
16. Which action could disconnect a potentially infected host from the network?
a. Alert
b. Reset Client
c. Reset Server
d. Block IP
17. Which component of the Security Operating Platform turns unknown attacks into known
attacks?
a. NGFW
b. Advanced Endpoint Protection
c. WildFire
d. AutoFocus
18. What is the maximum number of servers that a User-ID agent supports?
a. 20
b. 100
c. 1,000
d. There is no limit.
19. Must the agent account be a member of the Distributed COM Users group?
a. Yes, always
b. Only when using the Windows-based User-ID agent
c. Only when using the PAN-OS integrated User-ID agent
d. No, never
22. Which two profile types can block a C2 channel? (Choose two.)
a. Anti-Spyware
b. Certification
c. Command and Control
d. Decryption
e. URL Filtering
23. Which Strata product can secure user network traffic against potential threats?
a. NGFW
b. PAN-OS
c. Panorama
d. SD-WAN
24. Which Palo Alto Networks solution provides zero-day malware protection?
a. NGFW
b. WildFire
c. Panorama
d. SD-WAN
26. Which Palo Alto Networks product directly protects corporate laptops people use at work?
a. Strata NGFW
b. Cortex XSOAR
c. Panorama
d. WildFire
28. Which two steps are essential parts of the PPA process? (Choose two.)
a. Hold a structured interview with the customer about their security prevention
capabilities.
29. Which report provides compelling evidence for existing security gaps for prospects?
a. Best Practice Assessment (BPA)
b. Prevention Posture Assessment (PPA)
c. BPA Heatmap
d. Security Lifecycle Review (SLR)
30. Which Panorama deployment mode collects forwarded log events without firewall
management capability?
a. Panorama mode
b. Legacy mode
c. Management Only mode
d. Log Collector mode
33. Which of the following Security profiles provides protection against documents containing
zero-day malware?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. WildFire Analysis
34. Which two of the following Security profiles provide protection against a web connection to
a known C2 site?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering
e. File Blocking
36. Which of the following Security profiles provides control for the types of websites a user can
access?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering
37. Which technology identifies potentially infected hosts by correlating user and network
activity data in Threat, URL, and Data Filtering logs?
a. Botnet report
b. Correlation object
c. DNS Security
d. AutoFocus
38. Which of the following processing tasks shows an advantage of a file proxy engine over a
stream-based, single-pass engine?
a. Mapping IP addresses to users
b. Using protocol decoders, decryption, and heuristics to identify applications
c. Blocking data sent over traditional email protocols
d. Scanning traffic for vulnerability exploits, viruses, and spyware
39. Real-time threat signatures used by the Strata firewall are generated by what service?
a. WildFire
b. AutoFocus
c. Expedition
d. Prisma Access
41. Which interface mode do you use to generate the Stats Dump file that can be converted
into an SLR? Assume that you want to make the evaluation as nonintrusive as possible.
a. Tap
b. Virtual wire
c. Layer 2
d. Layer 3
43. Which file types are not supported as an upload sample for file upload by WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a. iOS applications
b. Android applications
c. Windows applications
d. Microsoft Excel files
44. Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating
Platform?
a. Attacks through SaaS applications, such as exfiltration through Box
b. Attacks that do not cross the firewall, regardless of source or destination
c. Attacks based on social engineering that mimic normal user behavior
d. DoS attacks from a trusted source
45. WildFire functionality is like that of a sandbox. Is the statement an accurate description?
a. Yes. WildFire functionality is exactly that of a virtual sandbox in the cloud, provided to
test files that customers upload or download.
b. No. WildFire does not supply sandbox functionality, although it competes with
products that do.
c. No. WildFire provides dynamic analysis, ML, and other techniques along with
sandbox functionality.
d. Yes. WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.
46. Which option is an example of how the NGFW can provide visibility and enforcement
around SaaS applications?
a. Through partnership with SaaS application vendors, special virtual firewalls that
support a subset of full firewall functionality are used inside the SaaS applications
themselves.
b. A built-in default security rule in the firewall blocks dangerous SaaS applications
based on an automatically updated database of dangerous SaaS applications.
c. Built-in default functionality in the firewall sends all files sent or received by SaaS
applications to WildFire.
d. The firewall can filter SaaS applications based on whether they comply with industry
certifications such as SOC1, HIPAA, and FINRA.
47. When a cloud deployment is secured, which role does the NGFW play?
49. Which value should be used as a typical log entry size if no other information is available
about log sizes?
a. 0.5KB
b. 0.5MB
c. 0.5GB
d. 0.5TB
51. Which two updates should be scheduled to occur once a day? (Choose two.)
a. Antivirus
b. PAN-DB URL Filtering
c. WildFire
d. Applications and Threats
e. SMS channel
52. What does the phrase “Prisma Access extends security to remote network locations and
mobile users” mean in the context of the security that firewalls provide to a network?
a. Prisma Access independently provides a similar type of protection as the firewalls,
rebuilt for the various infrastructures used for remote network locations and mobile
users.
b. Prisma Access independently provides the exact same protection as the firewalls,
rebuilt for the various infrastructures used for remote network locations and mobile
users.
53. A customer’s interest in prevention, detection, and response for security operations is best
addressed by which reference architecture?
a. Public Cloud
b. Secure Access Service Edge
c. Security Operations
d. Automation
55. Which profile type is used to protect against most protocol-based attacks?
a. Antivirus
b. URL Filtering
c. Vulnerability Protection
d. Anti-Spyware
56. How does an administrator specify in the firewall that certain credentials should not be sent
to certain URLs?
a. With a URL Filtering profile
b. With User-ID
c. With App-ID
d. With a Credential Theft profile
57. Which SD-WAN configuration element contains data used to trigger a new path selection
based on excessive latency?
a. SD-WAN Interface profile
b. SD-WAN Interface
c. Path Quality profile
d. Traffic Distribution profile
58. Which Panorama screen provides an overall status display of SD-WAN errors and their
impacts?
a. SD-WAN Traffic Characteristics
b. SD-WAN Link Characteristics
c. SD-WAN Monitoring
d. SD-WAN Impacted Clusters
60. Can the same rule allow traffic from different sources on different firewalls?
a. No. Rules mean the same on all firewalls that receive the same policy.
b. No, because device groups are pushed from Panorama to all firewalls.
c. Yes, because different firewalls can have different zone definitions.
d. Yes, because there could be clauses in a rule with effects limited to a specific device
group.
62. How is the Cortex Data Lake integration with Panorama facilitated?
a. No integration is necessary; data flows from Panorama to Cortex Data Lake and vice
versa.
b. A Panorama plugin is installed in Cortex Data Lake.
c. A cloud services plugin is installed in Panorama.
d. Agents run in both Cortex Data Lake and Panorama.
63. What is the maximum number of servers supported by a single User-ID agent?
a. 10
b. 50
c. 100
d. 500
64. How does the firewall know that a specific connection comes from a specific user?
a. Every connection has a user ID encoded in it.
b. User-ID is supported only in protocols that use user authentication, which provides
the user identity to the firewall and the backend.
c. The firewall always uses the IP address in the IP header to locate the user ID, but this
initial identification is overridden by additional techniques, such as HTTP proxies that
provide the client's IP address in an HTTP header.
d. Usually, the firewall uses the IP address in the IP header to locate the user ID, but
additional techniques are available as alternatives, such as HTTP proxies providing
the client's IP address in an HTTP header.
65. A customer has a proprietary user authentication system that is not supported by User-ID.
Can you provide User-ID information to their firewall, and if so, how?
a. It is impossible. The customer will need to upgrade to something more standard.
b. It can be done, but only for HTTP applications, because HTTP supports XFF headers.
66. Should you limit the permission of the user who runs the User-ID agent? If so, why?
a. Yes, because of the principle of least privilege. You should give processes only those
permissions that are necessary for them to work.
b. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
c. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
d. No. There is nothing wrong with using the administrator’s account.
67. Which three types of file does WildFire analyze as executables? (Choose three.)
a. JAR
b. PDF
c. Portable Executable
d. Executable and Linkable Format
e. BMP
68. Which three reasons could cause a firewall that is fully configured, including decryption, to
not recognize an application? (Choose three.)
a. The application is running over SSL.
b. There is no App-ID signature for an unanticipated application.
c. The application is running over UDP.
d. A TCP handshake completed, but no application traffic reached the firewall.
e. The payload reached the firewall but did not have enough data packets to identify
the application.
69. Which decryption mode(s) require(s) the private key of the destination server?
a. Forward Proxy
b. Inbound Inspection
c. Both Forward Proxy and Inbound Inspection
d. SSH Proxy
2. Which two answers could be used to handle a prospect’s objection that updating the
WildFire malware list twice a week is unacceptable? (Choose two.)
a. With a WildFire subscription, you get an update every few minutes.
b. With the Threat subscription, you get an update every few minutes.
c. With the Threat subscription, you get an update every hour.
d. With the Threat subscription, you get an update every 24 hours.
3. Which Palo Alto Networks product directly protects corporate laptops when people use
them from home?
a. NGFW
b. Panorama
c. WildFire
d. Prisma Access
4. Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
a. Email
b. DNS
c. URL
d. SMS
e. ICMP
7. Which two behaviors would fail to disguise malware from a firewall? (Choose two.)
a. Use domains known to be run by dynamic DNS providers.
b. Disguise C2 traffic as email.
8. Which element of the NGFW does the NGFW UTD show potential customers?
a. How to set up the NGFW for the first time
b. How to migrate from a different firewall to the NGFW
c. How to integrate with Advanced Endpoint Protection
d. How to integrate with WildFire
9. Which firewall series (one or more) requires you to specify in the Bill of Materials what NPCs
to include?
a. A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks
appliances don’t support hardware customization.
b. PA-7000
c. PA-5200 and PA-7000
d. PA-3000, PA-5200, and PA-7000
10. Which step is required to ensure that web storage is not used to exfiltrate sensitive data
from an enterprise that must use web storage to collaborate with business partners?
a. Disconnect from the internet.
b. Configure a local shared drive and use that instead of web storage.
c. Use Prisma SaaS to ensure that the information shared to the web storage is not
sensitive.
d. Install Advanced Endpoint Protection.
15. A best practice is to either block executables or to send them to WildFire. Which three file
types are analyzed as executables by WildFire? (Choose three.)
a. JAR
b. PDF
c. Python script
d. Office Open XML (.docx)
e. IPhone apps
16. Which action could disconnect a potentially infected host from the network?
a. Alert
b. Reset Client
c. Reset Server
d. Block IP
17. Which component of the Security Operating Platform turns unknown attacks into known
attacks?
a. NGFW
b. Advanced Endpoint Protection
c. WildFire
d. AutoFocus
18. What is the maximum number of servers that a User-ID agent supports?
a. 20
b. 100
c. 1,000
d. There is no limit.
19. Must the agent account be a member of the Distributed COM Users group?
a. Yes, always
b. Only when using the Windows-based User-ID agent
c. Only when using the PAN-OS integrated User-ID agent
d. No, never
22. Which two profile types can block a C2 channel? (Choose two.)
a. Anti-Spyware
b. Certification
c. Command and Control
d. Decryption
e. URL Filtering
23. Which Strata product can secure user network traffic against potential threats?
a. NGFW
b. PAN-OS
c. Panorama
d. SD-WAN
24. Which Palo Alto Networks solution provides zero-day malware protection?
a. NGFW
b. WildFire
c. Panorama
d. SD-WAN
26. Which Palo Alto Networks product directly protects corporate laptops people use at work?
a. Strata NGFW
b. Cortex XSOAR
c. Panorama
d. WildFire
28. Which two steps are essential parts of the PPA process? (Choose two.)
a. Hold a structured interview with the customer about their security prevention
capabilities.
29. Which report provides compelling evidence for existing security gaps for prospects?
a. Best Practice Assessment (BPA)
b. Prevention Posture Assessment (PPA)
c. BPA Heatmap
d. Security Lifecycle Review (SLR)
30. Which Panorama deployment mode collects forwarded log events without firewall
management capability?
a. Panorama mode
b. Legacy mode
c. Management Only mode
d. Log Collector mode
33. Which of the following Security profiles provides protection against documents containing
zero-day malware?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. Wildfire Analysis
34. Which two of the following Security profiles provide protection against a web connection to
a known C2 site?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering
e. File Blocking
36. Which of the following Security profiles provides control for the types of websites a user can
access?
a. Antivirus
b. Anti-Spyware
c. Vulnerability Protection
d. URL Filtering
37. Which technology identifies potentially infected hosts by correlating user and network
activity data in Threat, URL, and Data Filtering logs?
a. Botnet report
b. Correlation object
c. DNS Security
d. AutoFocus
38. Which of the following processing tasks shows an advantage of a file proxy engine over a
stream-based, single-pass engine?
a. Mapping IP addresses to users
b. Using protocol decoders, decryption, and heuristics to identify applications
c. Blocking data sent over traditional email protocols
d. Scanning traffic for vulnerability exploits, viruses, and spyware
39. Real-time threat signatures used by the Strata firewall are generated by what service?
a. WildFire
b. AutoFocus
c. Expedition
d. Prisma Access
41. Which interface mode do you use to generate the Stats Dump file that can be converted
into an SLR? Assume that you want to make the evaluation as nonintrusive as possible.
a. Tap
b. Virtual wire
c. Layer 2
d. Layer 3
43. Which file types are not supported as an upload sample for file upload by WildFire from the
wildfire.paloaltonetworks.com/wildfire/upload page?
a. IOS applications
b. Android applications
c. Windows applications
d. Microsoft Excel files
44. Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating
Platform?
a. Attacks through SaaS applications, such as exfiltration through Box
b. Attacks that do not cross the firewall, regardless of source or destination
c. Attacks based on social engineering that mimic normal user behavior
d. DOS attacks from a trusted source
45. WildFire functionality is like that of a sandbox. Is the statement an accurate description?
a. Yes. WildFire functionality is exactly that of a virtual sandbox in the cloud,
provided to test files that customers upload or download.
b. No. WildFire does not supply sandbox functionality, although it competes with
products that do.
c. No. WildFire provides dynamic analysis, ML, and other techniques along with
sandbox functionality.
d. Yes. WildFire provides all its functionality as part of its virtual-physical hybrid sandbox
environment.
46. Which option is an example of how the NGFW can provide visibility and enforcement
around SaaS applications?
a. Through partnership with SaaS application vendors, special virtual firewalls that
support a subset of full firewall functionality are used inside the SaaS applications
themselves.
b. A built-in default security rule in the firewall blocks dangerous SaaS applications
based on an automatically updated database of dangerous SaaS applications.
c. Built-in default functionality in the firewall sends all files sent or received by SaaS
applications to WildFire.
d. The firewall can filter SaaS applications based on whether they comply with
industry certifications such as SOC1, HIPAA, and FINRA.
47. When a cloud deployment is secured, which role does the NGFW play?
49. Which value should be used as a typical log entry size if no other information is available
about log sizes?
a. 0.5KB
b. 0.5MB
c. 0.5GB
d. 0.5TB
51. Which two updates should be scheduled to occur once a day? (Choose two.)
a. Antivirus
b. PAN-DB URL Filtering
c. WildFire
d. Applications and Threats
e. SMS channel
52. What does the phrase “Prisma Access extends security to remote network locations and
mobile users” mean in the context of the security that firewalls provide to a network?
a. Prisma Access independently provides a similar type of protection to that of the firewalls,
rebuilt for the various infrastructures used for remote network locations and mobile
users.
b. Prisma Access independently provides the exact same protection as the
firewalls, rebuilt for the various infrastructures used for remote network
locations and mobile users.
53. A customer’s interest in prevention, detection, and response for security operations is best
addressed by which reference architecture?
a. Public Cloud
b. Secure Access Service Edge
c. Security Operations
d. Automation
55. Which profile type is used to protect against most protocol-based attacks?
a. Antivirus
b. URL Filtering
c. Vulnerability Protection
d. Anti-Spyware
56. How does an administrator specify in the firewall that certain credentials should not be sent
to certain URLs?
a. With a URL Filtering profile
b. With User-ID
c. With App-ID
d. With a Credential Theft profile
57. Which SD-WAN configuration element contains data used to trigger a new path selection
based on excessive latency?
a. SD-WAN Interface profile
b. SD-WAN Interface
c. Path Quality profile
d. Traffic Distribution profile
58. Which Panorama screen provides an overall status display of SD-WAN errors and their
impacts?
a. SD-WAN Traffic Characteristics
b. SD-WAN Link Characteristics
c. SD-WAN Monitoring
d. SD-WAN Impacted Clusters
60. Can the same rule allow traffic from different sources on different firewalls?
a. No. Rules mean the same on all firewalls that receive the same policy.
b. No, because device groups are pushed from Panorama to all firewalls.
c. Yes, because different firewalls can have different zone definitions.
d. Yes, because there could be clauses in a rule with effects limited to a specific device
group.
62. How is the Cortex Data Lake integration with Panorama facilitated?
a. No integration is necessary; data flows from Panorama to Cortex Data Lake and vice
versa.
b. A Panorama plugin is installed in Cortex Data Lake.
c. A cloud services plugin is installed in Panorama.
d. Agents run in both Cortex Data Lake and Panorama.
63. What is the maximum number of servers supported by a single User-ID agent?
a. 10
b. 50
c. 100
d. 500
64. How does the firewall know that a specific connection comes from a specific user?
a. Every connection has a user ID encoded in it.
b. User-ID is supported only in protocols that use user authentication, which provides
the user identity to the firewall and the backend.
c. The firewall always uses the IP address in the IP header to locate the user ID, but this
initial identification is overridden by additional techniques, such as HTTP proxies that
provide the client’s IP address in an HTTP header.
d. Usually, the firewall uses the IP address in the IP header to locate the user ID,
but additional techniques are available as alternatives, such as HTTP proxies
providing the client’s IP address in an HTTP header.
66. Should you limit the permission of the user who runs the User-ID agent? If so, why?
a. Yes, because of the principle of least privilege. You should give processes only
those permissions that are necessary for them to work.
b. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
c. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
d. No. There is nothing wrong with using the administrator’s account.
67. Which three types of files does WildFire analyze as executables? (Choose three.)
a. JAR
b. PDF
c. Portable Executable
d. Executable and Linkable Format
e. BMP
68. Which three reasons could cause a firewall that is fully configured, including decryption, to
fail to recognize an application? (Choose three.)
a. The application is running over SSL.
b. There is no App-ID signature for an unanticipated application.
c. The application is running over UDP.
d. A TCP handshake completed, but no application traffic reached the firewall.
e. The payload reached the firewall but did not have enough data packets to
identify the application.
69. Which decryption mode(s) require(s) the private key of the destination server?
a. Forward Proxy
b. Inbound Inspection
c. Both Forward Proxy and Inbound Inspection
d. SSH Proxy
Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.
Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.
New courses are added often, so check back for newly available curriculum.
Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?
Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.