NetSec-Pro Palo Alto Networks Network Security Professional Questions and Answers

Protecting against malicious and misconfigured domains requires two critical services:

Advanced Threat Prevention

Provides signature-based and advanced analysis to identify threats, including DNS-based attacks.

“Advanced Threat Prevention enables the NGFW to detect and prevent exploits and malware-based communications, including those leveraging DNS.”

(Source: Advanced Threat Prevention)

Advanced DNS Security

Specifically designed to detect and sinkhole malicious and misconfigured DNS queries.

“DNS Security uses real-time intelligence to block DNS-based threats, protect against data exfiltration, and automatically sinkhole suspicious domain lookups.”

(Source: DNS Security)

By combining these services in security policies, NGFWs ensure robust protection against domain-based threats and misconfigurations.

Strata Cloud Manager (SCM) offers a cloud-based unified management plane for both NGFWs and Prisma Access, enabling consistent policy enforcement, simplified management, and AI-driven operational insights.

“Strata Cloud Manager provides a single interface for unified management of NGFWs and Prisma Access, leveraging AI to optimize security operations and streamline workflows.”

(Source: Strata Cloud Manager Overview)

Unlike Panorama, which is an on-premises management solution, SCM delivers cloud-based, AI-driven capabilities for centralized oversight.

CASB integration should focus on comprehensive data protection, which includes encryption for data-at-rest and in transit , frequent key updates , and using strong encryption algorithms to ensure confidentiality and data integrity.

“CASB solutions should enforce encryption for data-at-rest and in transit, implement key rotation policies, and leverage robust encryption algorithms to protect sensitive SaaS application data.”

(Source: CASB Deployment Best Practices)

Enterprise DLP uses cloud analysis to inspect and classify sensitive data in non-file-based formats (e.g., in-line data streams, SaaS communications).

“Enterprise DLP inspects data in non-file-based traffic flows, forwarding suspicious data patterns to the cloud for classification and verdicts.”

(Source: Enterprise DLP Overview)

The other services focus on file-based scanning (WildFire), URL access control (Advanced URL Filtering), or inline SaaS application controls (SaaS Security Inline).

Negated source addresses exclude traffic from the specified region . To avoid accidental connectivity loss for traffic from that region , create a separate Security policy to explicitly permit it .

“When you use a negated region in a Security policy rule, ensure to create an additional Security policy to permit traffic from the excluded (negated) region to avoid unintentional drops.”

(Source: Prisma Access Policy Best Practices)

This ensures explicit inclusivity for the excluded region , maintaining reliable connectivity.

In cloud environments like Azure, the VM-Series NGFW is deployed to create Layer 3 segmentation zones closest to the application workloads.

“In Azure, deploy VM-Series firewalls in Layer 3 mode to enforce security policies closest to private applications, meeting strict compliance and segmentation requirements.”

(Source: VM-Series in Public Clouds)

Layer 3 segmentation ensures security policies are enforced at the right boundary to isolate traffic within Azure’s virtual networks.

An ALG is designed to inspect and modify the payload of application-layer protocols (like SIP, FTP, etc.) to manage dynamic port allocations and session information.

“Application Layer Gateways (ALGs) inspect the payload of certain protocols to dynamically manage sessions that use dynamic port assignments. By modifying payloads, the ALG ensures that NAT and security policies are correctly applied.”

(Source: ALG Support)

Enterprise DLP Profile is specifically designed to detect and log data exfiltration attempts , including those involving confidential or sensitive data.

“Enterprise DLP logs capture incidents involving potential data exfiltration. They help identify sensitive data transfers, even in seemingly legitimate traffic.”

(Source: Enterprise DLP Logging and Alerts)

File Blocking and Vulnerability Protection handle files or exploit detection, while WildFire focuses on malware analysis—not direct data exfiltration.

The VM-Series NGFWs are designed to integrate seamlessly with both Panorama and Strata Cloud Manager (SCM), allowing administrators to manage physical and virtual firewall deployments from either interface.

“You can manage VM-Series Next-Generation Firewalls using either Panorama for centralized management of all firewalls or Strata Cloud Manager for cloud-based management, giving flexibility across hybrid environments.”

(Source: VM-Series Management Options)

Unified management flexibility is key for enterprises with hybrid or multi-cloud deployments.

Client-based VPN solutions like GlobalProtect provide full coverage for the mobile workforce by extending the enterprise security stack to remote endpoints. It establishes a secure tunnel, allowing consistent security policies across the enterprise perimeter and the mobile workforce.

“GlobalProtect is a client-based VPN that provides secure, consistent protection for mobile users by extending the security capabilities of Prisma Access to remote endpoints, covering all network protocols.”

(Source: GlobalProtect Admin Guide)

Cloud NGFW Security Policies in the AWS Console are evaluated in the exact creation order – they do not have explicit rule priority fields.

“In AWS, security rules are evaluated in the order they are created. To ensure the correct evaluation logic, create them in the desired order from top to bottom.”

(Source: Cloud NGFW for AWS Policy Evaluation)

Unlike Panorama, AWS-native management of Cloud NGFWs uses creation order as the evaluation sequence.

Dynamic Address Groups enable the firewall to automatically adjust security policies based on tags assigned dynamically (via log events, API, etc.). This eliminates the need for manual updates to policies when server roles or IPs change.

“Dynamic Address Groups allow you to create policies that automatically adapt to changes in the environment. These groups are populated dynamically based on tags, enabling automated security policy updates without manual intervention.”

(Source: Dynamic Address Groups)

Applications and threats

Panorama can push application and threat signature updates to managed firewalls, ensuring consistent application and threat visibility.

“Panorama uses dynamic updates to distribute the latest application and threat signature packs to all managed firewalls.”

(Source: Manage Content Updates in Panorama)

WildFire

Panorama also distributes WildFire signature updates to firewalls for real-time malware detection.

“WildFire updates provide the latest malware signatures to enhance detection and prevention, and can be deployed to all managed firewalls via Panorama.”

(Source: WildFire and Dynamic Updates)

Blocking non-compliant SSH versions and failing certificate validations are fundamental security measures:

Block sessions when certificate validation fails

“The SSH Proxy profile should block sessions that fail certificate validation to ensure that only trusted hosts are allowed.”

(Source: SSH Proxy Decryption Best Practices)

Block connections using non-compliant SSH versions

Older SSH versions may have vulnerabilities or lack modern encryption algorithms.

“To enforce stronger security, block SSH sessions that use older or deprecated versions of the SSH protocol that do not comply with your security posture.”

(Source: SSH Decryption and Best Practices)

Together, these measures minimize the risk of MITM attacks and secure SSH traffic.

A security profile group named “default” is automatically applied to all new security rules unless a specific profile group is explicitly configured.

“If a security profile group named ‘default’ exists, it will be automatically applied to any newly created security policy rules to ensure consistent protection.”

(Source: Security Profile Groups)

This behavior ensures that newly created policies are always protected by default security profiles, minimizing human error.