PSE-Strata Palo Alto Networks System Engineer Professional - Strata Questions and Answers

To enable Credential Phishing Prevention on a Palo Alto Networks firewall, three key settings must be configured:

Define an SSL Decryption Rulebase : SSL decryption is necessary to inspect encrypted traffic for credential submission attempts. Without decryption, the firewall cannot see the contents of SSL/TLS encrypted traffic.

Enable User-ID : User-ID is needed to associate traffic with specific users, which is crucial for applying user-specific security policies, including credential phishing prevention.

Define URL Filtering Profile : A URL filtering profile is used to identify and block access to phishing websites. This profile can be configured to enforce strict controls over websites that users are allowed to access, thus preventing credential submission to malicious sites.

These configurations ensure that the firewall can effectively monitor and prevent phishing attempts by inspecting traffic, associating it with users, and controlling access to potentially harmful websites.

Prisma SaaS and VM-300 firewalls can send logs to the Cortex Data Lake (now called Strata Logging Service). Prisma SaaS logs user activity and data access within SaaS applications and forwards these logs to the Strata Logging Service for centralized analysis and monitoring. Similarly, VM-300 firewalls deployed in AWS can send various types of logs, including traffic and threat logs, to the Strata Logging Service through Panorama or directly​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

When configuring Prisma Cloud to scan your Amazon S3 account, the service requires specific permissions to access your S3 resources. This is achieved by providing the access key ID, which, along with the secret access key, allows Prisma Cloud to authenticate and authorize the necessary access to your S3 buckets. This method ensures secure and efficient management of permissions and access within your AWS environment​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

To receive weekly dynamic updates to the correlation objects on the firewall and Panorama, the required licenses are:

Threat Prevention on the firewall (B) : This license enables the firewall to receive and apply the latest threat signatures and updates.

Support on Panorama (B) : This license ensures that Panorama can receive the necessary updates to maintain up-to-date correlation objects and manage the security infrastructure effectively.

These licenses together ensure that both the firewall and Panorama are equipped with the latest security intelligence to protect against emerging threats​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

An Anti-Spyware profile on Palo Alto Networks firewalls can be configured to address command-and-control (C2) traffic from compromised hosts using the following actions:

Reset (C) : This action resets the connection, disrupting the communication between the compromised host and the C2 server.

Redirect (D) : This action redirects the traffic to a different destination, which can be used to analyze or block the traffic.

Drop (E) : This action drops the packets, effectively blocking the communication attempt.

Alert (F) : This action generates an alert, notifying administrators of the detected C2 traffic without taking immediate action against the packets.

These actions provide flexible options for responding to and mitigating the risks associated with C2 traffic​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

With a WildFire subscription, email links contained in SMTP and POP3 messages can be submitted for WildFire analysis if they are either HTTP or HTTPS links. WildFire is a cloud-based threat analysis service that dynamically analyzes these links to detect malicious content. By submitting HTTP and HTTPS links, the system can effectively identify and block threats before they reach the end user, enhancing overall email security.

In Panorama, the centralized management tool for Palo Alto Networks firewalls, WildFire analysis reports, threat logs, and botnet reports are essential for identifying the inclusion of a host source in a command-and-control (C2) incident. WildFire analysis reports provide detailed insights into malware behavior and characteristics. Threat logs record events related to security threats, such as attempted intrusions or malware detections. Botnet reports specifically track botnet activity, identifying compromised hosts that communicate with known botnet servers. By reviewing these reports and logs, administrators can accurately identify and mitigate C2 incidents.

When a Palo Alto Networks next-generation firewall (NGFW) is unable to retrieve a DNS verdict from the DNS cloud service within the configured lookup time, it will allow the request and all subsequent responses. This is to ensure that legitimate traffic is not disrupted due to the inability to obtain a verdict in a timely manner.

Default Behavior:

The firewall is designed to maintain network availability and reliability. If it cannot retrieve a DNS verdict, it defaults to allowing the traffic to prevent unnecessary disruption.

For large-scale deployments of Next-Generation Firewalls (NGFWs) with multiple Panorama Management Servers, the Panorama Interconnect plugin is essential. This plugin enables the interconnection and management of multiple Panorama instances, allowing for centralized policy management and configuration across a distributed network environment. It ensures scalability and efficient management in large deployments.

The metric health baseline for devices is typically calculated by taking the average performance of a specific metric over a period (such as seven days) and then adding the standard deviation to account for variability. This helps in identifying deviations from normal performance, which can indicate potential issues or anomalies in device behavior.

References:

Network Performance Monitoring and Diagnostics (NPMD) methodologies

ITIL (Information Technology Infrastructure Library) standards for performance baselines

To prevent the abuse of stolen credentials, two effective configuration elements are:

Multi-Factor Authentication (MFA) (C): Implementing MFA adds an additional layer of security by requiring users to provide two or more verification factors to gain access to a resource such as an application or online account. This significantly reduces the risk of credential abuse because even if the credentials are stolen, the attacker would still need the second factor to gain access.

URL Filtering Profiles (D): URL Filtering Profiles help prevent access to malicious or inappropriate websites. By restricting access to known phishing and malicious sites, URL filtering can prevent users from inadvertently entering their credentials on fraudulent websites, thereby reducing the chances of credential theft and misuse.

References:

Palo Alto Networks, Multi-Factor Authentication Setup and URL Filtering Profiles documentation.

WildFire, a cloud-based threat analysis service from Palo Alto Networks, is capable of detecting zero-day malware across several types of traffic, including SMTP, HTTPS, and FTP. By analyzing files transmitted over these protocols, WildFire can identify malicious activities that traditional security measures might miss. SMTP (Simple Mail Transfer Protocol) is used for email transmission, HTTPS (HyperText Transfer Protocol Secure) secures web traffic, and FTP (File Transfer Protocol) is used for file transfers. These protocols are commonly exploited by attackers to distribute malware, making WildFire’s ability to monitor and analyze them critical for comprehensive network security.

The three tabs available in the Detailed Device Health on Panorama for hardware-based firewalls are:

Environments: This tab provides information about the environmental conditions of the firewall, such as temperature and power status.

Interfaces: This tab displays the status and statistics of the network interfaces on the firewall.

Sessions: This tab shows session information, including session counts and details about active sessions.

These tabs allow administrators to monitor the health and performance of their firewalls effectively, ensuring optimal operation and quick identification of issues.

Before deploying a firewall evaluation unit in a customer environment, it is essential to take certain preparatory actions to ensure a smooth evaluation process and accurate results.

Upgrade the evaluation unit to the most current recommended firmware, unless a demo of the upgrade process is planned (Option C):

Ensures that the evaluation unit is running the latest and most secure firmware, providing the best performance and security features available.

Users with an active Threat Prevention subscription but without a WildFire license still have access to some WildFire-related functionalities. Specifically, they can upload PE (Portable Executable) files to WildFire for analysis. This allows the firewall to leverage WildFire ' s capabilities to detect and prevent malware by analyzing and generating threat signatures for submitted files, even without a full WildFire subscription​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

Palo Alto Networks Next-Generation Firewalls (NGFWs) offer advanced features that are not typically found in legacy firewall products, including:

Policy Match is Based on Application : Unlike legacy firewalls that base policies primarily on IP addresses, ports, and protocols, Palo Alto Networks NGFWs can create policies based on specific applications (App-ID). This allows for more precise control over network traffic, ensuring that only legitimate application traffic is allowed while blocking unwanted or malicious applications.

Identification of Application is Possible on Any Port : Traditional firewalls often rely on static port numbers to identify traffic, which can be easily bypassed by applications using non-standard ports. Palo Alto Networks NGFWs can identify applications regardless of the port they use, providing more accurate application identification and better security enforcement.

These features enhance the ability to manage and secure network traffic effectively, providing superior protection compared to legacy firewall solutions.

The command show mlav cloud-status is used to verify that the machine learning-based antivirus (MLAV) for portable executable (PE) files is functioning correctly within the Palo Alto Networks WildFire environment. This command provides the status of the machine learning model updates and their integration with the antivirus profile. If the model is working properly, this command will return information indicating that the MLAV service is active and synchronized with the cloud-based threat intelligence. This ensures that the firewall is effectively leveraging machine learning to identify and block malicious PE files.

A WildFire subscription is required for forwarding advanced file types from the firewall to the WildFire cloud for analysis. This includes various file formats that may not be natively supported by basic firewall capabilities. Additionally, using the WildFire API to submit website links for analysis also requires a subscription. These activities leverage WildFire ' s advanced threat detection capabilities to analyze and detect potential threats in files and URLs, providing enhanced security for the network.

When sizing the Cortex Data Lake for Prisma Access mobile users, the valid log size range per day per user is typically between 1MB to 5MB. This estimation accounts for the logs generated from various user activities, including web browsing, application usage, and security events. Properly sizing the log storage is essential for ensuring adequate space and optimal performance of the Cortex Data Lake.

References:

Palo Alto Networks Cortex Data Lake Sizing Guide

Palo Alto Networks Prisma Access Documentation

The Palo Alto Networks Security Operating Platform is designed to prevent various stages of the cyberattack lifecycle. Specifically, it effectively prevents the following four stages:

Breach the Perimeter : By using advanced threat prevention mechanisms, the platform can stop initial attempts to penetrate the network perimeter.

Lateral Movement : Once inside the network, attackers often try to move laterally to access more systems. The platform uses network segmentation and advanced monitoring to detect and prevent such movements.

Exfiltrate Data : Data exfiltration is the process of unauthorized data transfer out of the network. The platform employs data loss prevention (DLP) technologies to detect and block such attempts.

Deliver the Malware : The platform can prevent malware delivery through its threat prevention capabilities, including anti-malware, anti-spyware, and sandboxing technologies.

These steps cover critical phases where the platform can intervene to stop attacks before they cause significant damage.

Dynamic user groups (DUGs) provide flexibility in managing user access and security policies.

Tagging Users via Panorama or Web UI (Option B):

Administrators can manually add or remove users from DUGs using the graphical interface provided by Panorama or the firewall’s Web UI.

Decryption Broker on a Next-Generation Firewall (NGFW) provides two primary benefits:

Offloading SSL decryption : The NGFW decrypts traffic once and then forwards it to multiple security devices for inspection, avoiding the need to decrypt and re-encrypt traffic multiple times, thus improving efficiency.

Reducing third-party devices : By handling SSL decryption within the NGFW, the need for separate, dedicated SSL decryption devices is eliminated, reducing the complexity and number of devices required for network security.

These features streamline traffic analysis and enforcement while maintaining robust security.

References : Palo Alto Networks Decryption Broker documentation.

  To protect against port scans from the internet, a Zone Protection Profile should be applied to the zone of the ingress interface. This profile helps defend the network by setting thresholds for various types of scans and attacks, including port scans, thus reducing the risk of reconnaissance activities that precede actual attacks​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​. QUESTION NO: 43

When log sizing is factored for the Cortex Data Lake on the NGFW, what is the average log size used in calculation?

A. 8MB

B. depends on the Cortex Data Lake tier purchased

C. 18 bytes

D. 1500 bytes

Answer: D

When calculating log sizing for the Cortex Data Lake on the NGFW, the average log size used is 1500 bytes. This size helps in estimating storage requirements and planning for log retention policies efficiently, ensuring that there is adequate storage capacity to handle the volume of logs generated by the network firewalls​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​. QUESTION NO: 44

What can be applied to prevent users from unknowingly downloading malicious file types from the internet?

A. A vulnerability profile to security policy rules that deny general web access

B. An antivirus profile to security policy rules that deny general web access

C. A zone protection profile to the untrust zone

D. A file blocking profile to security policy rules that allow general web access

Answer: D

To prevent users from unknowingly downloading malicious file types from the internet, a File Blocking Profile should be applied to security policy rules that allow general web access. This profile can be configured to block or alert on downloads of specific file types that are commonly used to deliver malware, providing an additional layer of protection against threats​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

The Vulnerability Protection profile on Palo Alto Networks Next-Generation Firewall includes signatures to protect against a variety of threats, including brute force attacks.

Vulnerability Protection Profile:

This profile contains specific signatures designed to detect and block attempts to exploit vulnerabilities, including those used in brute force attacks.

Palo Alto Networks Single Pass Parallel Processing (SP3) architecture is designed to handle traffic efficiently and securely. The key aspect of SP3 is:

Single Pass Processing (C): This means that all traffic is processed in a single pass through the firewall, regardless of the number of security features enabled. There is no additional performance impact for each feature because the firewall processes all security functions (such as threat prevention, URL filtering, and application control) simultaneously in a single pass. This architecture ensures high performance and low latency while maintaining robust security.

References:

Palo Alto Networks, Single Pass Parallel Processing (SP3) Whitepaper.

Palo Alto Networks, Firewall Performance and Architecture Documentation.

An administrator needing a PDF summary report that compiles information from existing reports based on data for the top five in each category has the options to send this report on a daily or weekly basis. These timeframe options provide flexibility in monitoring and reviewing critical network and security metrics regularly, ensuring timely insights and actions.

References:

Palo Alto Networks Report Configuration Guide

Palo Alto Networks Reporting and Logging Documentation

Anti-Spyware Signatures are designed to detect and block known malware, including those that attempt to establish command-and-control (C2) connections with external servers. When an endpoint inside an organization is infected with known malware, the anti-spyware signatures on the firewall can recognize the malicious traffic and prevent the connection from being established. This mechanism works by inspecting traffic against a database of known spyware and malware signatures, thereby stopping the malware from communicating with its C2 server.

When access to a business site is blocked by URL Filtering inline machine learning (ML) and it is identified as a false positive, the appropriate way to resolve this is to create a custom URL category and add the site to the exceptions list of the inline ML profile. This ensures that the specific URL is no longer subjected to the filtering rules applied by the inline ML, thereby allowing access to the site.

Creating a custom URL category and adding it to the exceptions of the inline ML profile ensures that the legitimate business site is accessible without completely disabling the URL Filtering inline ML feature, which would reduce overall security effectiveness.

References:

Palo Alto Networks, URL Filtering Administration Guide.

Deploying Panorama in a High Availability (HA) configuration provides significant advantages, especially for maintaining the management layer and ensuring robust log collection. Here are the key reasons:

Ensure Management Continuity : By deploying a second Panorama appliance in an HA setup, you can ensure continuous management of your firewall environment. In the event that the primary Panorama appliance fails, the secondary appliance can take over, ensuring that there is no interruption in management capabilities. This is crucial for maintaining operational stability and uninterrupted administrative functions​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

Improve Log Collection Redundancy : An HA setup improves the redundancy and reliability of log collection. If the primary Panorama appliance that is collecting logs from various firewalls becomes unavailable, the secondary appliance can continue the log collection process. This ensures that all security events and network activities are recorded without gaps, which is essential for effective monitoring and incident response​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks Knowledge Base ) ​.

When configuring the NGFW to act as a decryption broker for multiple transparent bridge security chains, the following items are required:

A unique Transparent Bridge Decryption Forwarding Profile to a single Decryption policy rule (B) : Each decryption policy rule must be associated with a unique Transparent Bridge Decryption Forwarding Profile. This ensures that decrypted traffic is forwarded appropriately to the specific security chain.

A unique Decryption policy rule is required per security chain (C) : You need to create a separate decryption policy rule for each security chain. This allows you to distribute the decrypted traffic among multiple security chains based on policy criteria.

These configurations enable the firewall to effectively manage and distribute the load across multiple security chains, ensuring optimal performance and security​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks )

The customer currently lacks visibility into the Layer 7 application traffic on port 53, which is typically used for DNS. Palo Alto Networks ' App-ID technology can identify applications traversing the network irrespective of the port, protocol, or encryption (SSL or SSH). By using App-ID, the customer can gain visibility into the specific applications being used, even if they are running over standard ports such as 53. This capability not only identifies the applications but also allows for granular control over them, enabling the customer to block unsanctioned applications if necessary.

DNS sinkholing is a technique used to intercept and redirect malicious traffic to a designated IP address (sinkhole) to identify and prevent further malicious activity. When a compromised host attempts to connect to a known malicious domain, it is instead directed to the sinkhole IP address. This allows security administrators to identify infected hosts by examining traffic logs, where connections to the sinkhole IP address are recorded. DNS sinkholing does not require a separate license, and the relevant signatures are typically included in the Threat Prevention package.

When sizing the Cortex Data Lake for Traps Management Service, two key factors must be considered:

Retention Requirements: It is essential to determine how long the logs and data need to be retained in the Cortex Data Lake. This affects the overall storage capacity required, as longer retention periods will necessitate more storage space​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

The Number of Traps Agents: The total number of Traps agents deployed will directly impact the volume of data being generated and sent to the Cortex Data Lake. More agents mean more data, which in turn requires a larger data lake capacity to handle the increased load​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

WildFire, Palo Alto Networks ' advanced threat analysis service, has expanded its capabilities to analyze the following new script types:

VBScript: A scripting language commonly used in Windows environments for automation and administrative tasks, which can be exploited for malicious purposes.

JScript: A Microsoft implementation of JavaScript, used in various applications and often targeted by attackers for script-based exploits.

PowerShell Script: A powerful scripting language used for task automation and configuration management in Windows, which has become a common target for advanced attacks due to its capabilities.

By analyzing these script types, WildFire enhances its ability to detect and prevent sophisticated attacks that leverage scripting languages.

References:

Palo Alto Networks WildFire Datasheet

Palo Alto Networks WildFire Administration Guide

Using Panorama for managing virtual firewalls in a data center deployment provides several advantages:

Automated Correlation Engine Functionality: Panorama offers an Automated Correlation Engine that can aggregate and analyze logs from multiple firewalls, including virtual ones, to identify patterns and threats that individual firewalls might not detect. This centralized analysis capability is crucial for comprehensive threat detection and response​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

Bootstrapping Virtual Firewalls: Panorama can automate the deployment of virtual firewalls by using bootstrapping configurations. This allows for dynamic and rapid deployment of firewalls in cloud environments, ensuring that security policies are consistently applied from the moment the virtual firewalls are launched​ ( Palo Alto Networks ) ​​ ( Palo Alto Networks ) ​.

Multi-factor authentication (MFA) significantly enhances security by requiring multiple forms of verification to access accounts, reducing the risk of abuse from stolen credentials. URL Filtering Profiles block access to malicious or high-risk websites that might be used to harvest credentials or facilitate phishing attacks. SSL decryption rules allow security systems to inspect encrypted traffic, ensuring that malicious content is not being hidden within encrypted sessions, thereby preventing the use of stolen credentials on secure sites. These measures collectively help in reducing the risk of credential theft and misuse.

References:

National Institute of Standards and Technology (NIST) guidelines on authentication

Palo Alto Networks ' Best Practices for URL Filtering

SSL Decryption in Network Security (SANS Institute)

In an HA (High Availability) pair running in Active/Passive mode, the dataplanes communicate over the HA3 interface. This interface is used for the synchronization of session information and other runtime data between the active and passive firewalls, ensuring stateful failover and seamless transition in case of a failure.

Dynamic User Groups (DUGs) in Palo Alto Networks are determined using tags. Tags are metadata assigned to users based on various criteria, such as behavior, location, or other attributes. These tags are used to dynamically update group memberships without manual intervention. For instance, if a user meets certain conditions defined by the administrator, they are automatically tagged and included in the respective DUG. This feature enhances the flexibility and automation of security policies, ensuring that the right policies are applied to the right users in real-time.