PNCSE - Next-Generation Firewall Setup and Management Connection


When creating a custom admin role, which four types of privileges can be defined? (Choose four.)

WebUI, REST API, Command Line, XML API

Firewall Factory Reset

- Admin account password known: from the CLI, run request system private-data-reset
- Admin account password not known: enter maintenance mode ("maint mode") via the serial console by typing maint during bootup

VSYS Segmentation

- Administrative Access
- Management of all policies (Security, NAT, QoS, Policy-Based Forwarding, Decryption, Application Override, Authentication, and DoS Protection)
- All Objects (Address Objects, Application Groups, Filters, External Dynamic Lists, Security Profiles, Decryption Profiles, and Custom Objects)
- User-ID
- Certificate Management
- Server Profiles
- Logging, Reporting, and Visibility Functions

Configure Authentication to the Firewall

1) One option is to configure each user individually on the firewall with their own Authentication Profile that points to an authentication service.
2) The other option is to configure all users on a firewall to use the same Authentication Profile and authentication service.

Dynamic Admin Roles

1) Superuser
2) Superuser (read-only)
3) Device administrator
4) Device administrator (read-only)
If the firewall is VSYS-capable:
5) Virtual system administrator
6) Virtual system administrator (read-only)

K2-Series Firewall

A K2-Series firewall was introduced in PAN-OS 9.0. The K2-Series is a 5G-ready firewall designed for service provider mobile network deployments with 5G and internet of things (IoT) security requirements.

VM-Series

A VM-Series firewall can be deployed on either Alibaba Cloud, Amazon Web Services, Google Cloud Platform, Microsoft Azure, or Oracle Cloud to protect your cloud perimeter and your east-west traffic. All VM-Series firewalls use a unified licensing system that is platform-agnostic.

Authentication Sequence

A firewall can consult multiple external services to authenticate an account. You specify an ordered list of Authentication Profiles by adding them to an optional Authentication Sequence on the firewall. If you have created an Authentication Sequence, then specify the Authentication Sequence instead of an Authentication Profile when you add a user account on the firewall.

Service Route

A service route is an optional configuration in which the firewall uses an in-band port to access external services. Configure an in-band port for this purpose to create a "service route."

Virtual System (VSYS)

A virtual system (vsys) is a separate, logical firewall instance within a single physical Palo Alto Networks firewall.

Supported authentication

Active Directory, Kerberos, LDAP, RADIUS, TACACS+, and SAML. It supports remote role assignment in RADIUS or TACACS+ using Vendor-Specific Attributes (VSAs).

Authentication Profile

An Authentication Profile contains the information necessary to authenticate an administrator account with an external authentication service after one of the service's servers has been located. Only those authentication services that use an Authentication Profile can authenticate user traffic flowing through the firewall. Every authentication service except the local-without-a-database service requires an Authentication Profile.

Server Profile

An Authentication Profile uses a Server Profile, which you have created, to locate an external authentication service's servers. You configure a Server Profile with a list of an external authentication service's servers.

Configure Authentication Through the Firewall

Assign an Authentication Profile to an Authentication policy rule via an Authentication Enforcement object. The chain is: Policy Rule > Authentication Policy Rule > Authentication Enforcement > Authentication Profile

WildFire

Basic WildFire support is included as part of the Threat Prevention license. The WildFire subscription service provides enhanced services for organizations that require immediate coverage for threats, frequent WildFire signature updates, advanced file-type forwarding (APK, PDF, Microsoft Office, and Java Applet), and the ability to upload files using the WildFire API. A WildFire subscription is also required if your firewalls will be forwarding files to a WF-500 appliance.

Prisma SaaS:

Brings data protection, governance, and compliance together to safely enable SaaS application adoption

Panorama:

Centralized next-generation firewall management and logging

When committing changes to a firewall, what is the result of clicking the Preview Changes link?

Compares the candidate configuration to the running configuration

There are four key elements of the Palo Alto Networks approach to cybersecurity.

Complete Visibility, Reduce Attack Surface Area, Prevent All Known Threats, Detect and Prevent New Threats

Cortex

- Detection and Response
- Automation and Orchestration
- Network Traffic and Behavioral Analytics
- Threat Intelligence

Authorization to Manage the Firewall Controlled by Admin Role Profiles

Dynamic Admin Role Profiles are sets of PREDEFINED permissions that control what a user can or cannot do on a firewall through the web interface, CLI commands, XML API, or REST API. Role-Based Admin Role Profiles are sets of CUSTOM permissions. These profiles also control user activities on a firewall when the web interface, CLI commands, or the XML API are used.

Cortex XSOAR:

Enables security teams to accelerate response across people, processes, and technology

URL Filtering

Enables you to create security policies to enforce web access based on dynamic URL categories. To set up URL Filtering, you must purchase and install a subscription for the supported URL filtering database, PAN-DB. With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud.

SD-WAN

Enables you to use multiple internet and private services to create an intelligent and dynamic WAN, which helps lower costs and maximize application quality and usability. The SD-WAN overlay supports dynamic, intelligent path selection based on applications and services and the conditions of links that each application or service is allowed to use.

GlobalProtect:

Extends the enterprise perimeter to remote offices and mobile users

External Authentication Services

Five external authentication services are supported: Kerberos, LDAP, RADIUS, TACACS+, and SAML. The firewall can use all these services to authenticate logins to the firewall and user traffic flowing through the firewall.

Parallel Processing

- Function-specific parallel processing hardware engines
- Separate data planes and control planes

Strata

- Hybrid Data Center
- Internet Perimeter
- Branch and Mobile
- 5G and IoT

Which three MGT port configuration settings must be configured before you can remotely access the web interface? (Choose three.)

IP Address, Default Gateway, Netmask

Container Native Series firewall (CN-Series firewall)

Introduced in PAN-OS 10.0. It is a containerized next-generation firewall that provides visibility and security for containerized application workloads on Kubernetes clusters. The containerized form factor of the NGFW requires Panorama and the Kubernetes plugin on Panorama to enable centralized management, licensing, and security policy enforcement.

Which two statements are true regarding the candidate configuration? (Choose two.)

It contains possible changes to the current configuration. It can be reverted to the current configuration.

Panorama Hardware

- M-200
- M-500/600
- WF-500/600

Which two separate firewall planes comprise the PAN-OS architecture? (Choose two.)

MGMT (Control) Plane, Data Plane

Which object cannot be segmented using virtual systems on a firewall?

MGT Interface

WildFire®:

Malware detection service that automatically detects and prevents unknown threats.

Control Plane

On the higher-end hardware models, the control plane has its own dual-core processor, RAM, and hard drive. This processor is responsible for tasks such as managing the UI, logging, and updating routes.

Data Plane

On the higher-end hardware models, the data plane contains three types of processors that are connected by high-speed 1Gbps buses:
- Signature Match Processor: scans traffic and detects vulnerability exploits (intrusion protection system), viruses, spyware, credit card numbers, and Social Security numbers
- Security Processors: multicore processors that handle security tasks such as Secure Sockets Layer decryption
- Network Processor: responsible for routing, network address translation, and network-layer communication

Single Pass

Operations per packet:
- Traffic classification with App-ID technology
- User or group mapping
- Content scanning: threats, URLs, confidential data
One single policy (per type)

NGFW Hardware

- PA-220
- PA-800
- PA-3200 Series
- PA-5200 Series

Chassis Architecture

- PA-7050
- PA-7080

Management Interface

Palo Alto Networks firewalls are built with a dedicated out-of-band Ethernet network management interface labeled MGT. This interface passes only management traffic for the firewall and cannot be configured as a standard traffic interface. It is used for direct connectivity to the management plane of the firewall. You can configure the firewall to allow management traffic over the normal, in-band traffic interfaces.
- For most models of firewalls, the MGT port has a factory default IP address of 192.168.1.1/24.
- For VM-Series firewalls starting with PAN-OS 8.0, the MGT port is configured as a DHCP client.
- You also can configure the MGT port of any firewall model to use DHCP.

Cortex XDR:

Prevents malware, blocks exploits, and analyzes suspicious patterns through behavioral threat protection

Prisma Access:

Provides SD-WAN-based secure access to the cloud from remote sites and for mobile users, globally and without compromising the users' experience

AutoFocus

Provides a graphical analysis of firewall Traffic logs and identifies potential risks to your network by using threat intelligence from the AutoFocus portal. With an active license, you can also open an AutoFocus search based on logs recorded on the firewall.

Threat Prevention

Provides antivirus, anti-spyware, and vulnerability protection

Cortex Data Lake:

Provides cloud-based, centralized log storage and aggregation for your enterprise security data

Cortex Data Lake

Provides cloud-based, centralized log storage and aggregation. In earlier versions of the PAN-OS software, Cortex Data Lake was called the Logging Service.

Prisma Cloud:

Provides continuous security monitoring, compliance validation, and cloud storage security capabilities across multi-cloud environments

DNS Security

Provides enhanced DNS sinkholing capabilities by querying DNS Security, an extensible cloud-based service capable of generating DNS signatures by using advanced predictive analytics and machine learning

GlobalProtect

Provides mobility solutions and/or large-scale VPN capabilities. By default, you can deploy GlobalProtect portals and gateways (without HIP checks) without a license. If you want to use HIP checks, you will also need gateway licenses (subscription) for each gateway.

Role-Based Privileges on the Command Line

Role-based privileges on the Command Line tab are predefined. No customization is possible.

Global user authentication is supported by which three authentication services? (Choose three.)

SAML, RADIUS, TACACS+

Prisma

- Secure Access
- SaaS
- Public Cloud

Admin Acct Creation

Specify administrative privileges by creating one or more Admin Role Profiles with specific sets of privileges, and then assign an Admin Role Profile to each administrator account.

Predefined Admin Account

Starting with PAN-OS 9.0.3, the firewall requires you to change the predefined admin account password at first login. The local admin password is stored in the firewall's XML configuration file, but is encrypted using the firewall's master key. The predefined factory default for each firewall is:
- account name: admin
- password: admin
Admin password change requirements:
- Minimum 8 characters
- At least one uppercase character
- At least one lowercase character
- At least one numeral or special character

Creating a Non-Local Administrator Account (5 Steps)

Step 1: Create an Admin Role Profile
Step 2: Create a Server Profile
Step 3: Create an Authentication Profile
Step 4: Create an Authentication Sequence (optional)
Step 5: Create a non-local administrator account

Creating a Local Administrator Account (2 Steps)

Step 1: Create an Admin Role Profile
Step 2: Create a local administrator account

FW Activation

Step 1: Register with Palo Alto Networks Support
- Hardware firewall: Use serial number from Dashboard
- VM-based firewall: Use emailed authorization codes and purchase or order number
Step 2: Activate licenses at Device > Licenses
- Hardware firewall: Retrieve license keys from license server
- VM-based firewall: Activate feature using authorization code
Step 3: Verify update and DNS servers
- Hardware and VM-based firewall: Use correct update and DNS server in Device > Setup > Services
Step 4: Manage content updates
- Hardware and VM-based firewall: Get latest application and threat signatures and URL filtering database
Step 5: Install software updates
- Hardware and VM-based firewall: Verify OS version and install recommended version

Commit Status Window

The Commit Status window displays the results of a commit operation. Starting in PAN-OS 9.1, the Commit Status window has two tabs. The Commit tab displays any warnings or errors detected during a commit operation. The Rule Shadow tab displays a list of any policy rules that shadow another policy rule.

Dedicated Logging Card (Chassis Card)

The Dedicated Logging Card creates a dedicated subsystem to manage the high volume of logs that the PA-7000 Series generates. There are two available log cards:
- Log Processing Card (LPC): Offloads logging-related activities
- Log Forwarding Card (LFC): Dedicated card for exporting log messages

Export

The Export operations transfer configurations as XML-formatted files from the firewall to the host running the web interface browser. From your local machine you can save the files as configuration backups. Exported files also can be edited, which means that you could configure a firewall for your environment, export its configuration as an XML file, and then use slightly edited versions of the file as configuration templates for other firewalls. However, note that the Panorama appliance makes the building and distribution of template configurations easier than manually exporting, copying, editing, and importing XML files.

Import

The Import operations transfer XML configuration files from the host running the web interface browser to the firewall. From there the XML file can be loaded as the candidate configuration or even be committed to become the running configuration.

NPC (Chassis Card)

The NPC is dedicated to executing all packet-processing tasks, including networking, traffic classification, and threat prevention.

Palo Alto Networks Single-Pass Architecture (SP3)

The Palo Alto Networks firewall enables you to specify Security policy rules based on more accurate identification of each application seeking access to your network. It is unlike legacy firewalls that identify applications only by protocol and port number. It uses packet inspection and a library of application signatures to distinguish between applications that have the same protocol and port and to identify potentially malicious applications that use non-standard ports. The advantage of providing a stream-based engine is that the traffic is scanned with a minimal amount of buffering as it traverses the firewall.

Preview and Validate Config Changes

The Preview Changes link opens a window that displays a side-by-side comparison of the running and candidate configurations before you commit. Differences in the configurations are color-coded to indicate which information has been added, deleted, or modified.

Revert, Save, and Load

The Revert, Save, and Load operations all work with firewall configurations that are local to the firewall. If you load or revert to a configuration from Configuration Management in the web interface and then commit, only a full commit is possible. A full commit writes all changes by all administrators to the running configuration.

SMC (Chassis Card)

The SMC oversees all traffic and executes all management functions.

What is the result of performing a firewall Commit operation?

The candidate configuration becomes the running configuration.

ML-Powered Next-Generation Firewalls:

The foundation of the Palo Alto Networks product portfolio.

Running Config/Candidate Config

The running configuration is the actual configuration controlling the operation of the firewall. It is maintained in a file on the firewall named running-config.xml. The running configuration is copied to a candidate configuration during firewall startup. All your in-progress edits are made to the candidate configuration. After you click Commit at the top of the web interface or type commit in the CLI, the candidate configuration overwrites the current running configuration, which activates all configuration changes. The firewall saves previous running configurations and labels these configurations by date and timestamps. The web interface includes a set of operations that are used to manage the running and candidate configurations. For example, you can use the web interface to switch to a previously running configuration.

Per-Administrator Save and Revert

This capability enables you to save your current progress and continue your work later without your having to commit a partially completed configuration change. Saved changes made by any administrator are written to the same default XML file. Starting with PAN-OS 8.0, you can save just your changes or the changes of a select group of other administrators to the default XML file. Each change is tagged with information about the administrator that made the change.

Virtual Systems

This license is required to enable support for multiple virtual systems on PA-2000 and PA-3000 Series firewalls. In addition, you also must purchase a Virtual Systems license if you want to increase the number of virtual systems beyond the base number provided by default on PA-4000 Series, PA-5000 Series, and PA-7000 Series firewalls (the base number varies by platform). The PA-800, PA-500, PA-200, and VM-Series firewalls do not support virtual systems.

Chassis Cards

Three chassis cards were introduced in PAN-OS 9.0:
- Network Processing Card (NPC)
- Switch Management Card (SMC)
- Dedicated Logging Card

True or false? Certificate-based authentication replaces all other forms of either local or external authentication.

True

Local Authentication Services

Two types:
1) Local without a database: In local authentication without a database, username and password information is stored on the firewall in the XML configuration file of the firewall. User accounts stored in the XML configuration file can be used only to authenticate logins to the firewall. The firewall cannot use this type of authentication service to authenticate user traffic flowing through the firewall.
2) Local with a database: In local authentication with a database, username and password information is stored on the firewall in a local user database. The firewall can use this service to authenticate logins to the firewall and user traffic flowing through the firewall.

FW Access Methods

- Web UI
- Panorama
- SSH/Console CLI
- REST/XML API

Data Processing Card

With the release of PAN-OS 10.0 a data processing card (DPC) was introduced. Each DPC adds four instances of the PAN-OS data plane, providing 133% of the computing capacity compared to the three data planes on the NPC-A.

Create Custom Role-Based Admin Roles

You can define Role-Based Profiles that specify sets of custom privileges that you assign to administrative user accounts on the firewall. You define four types of privileges in a Role-Based Profile:
- Web UI
- XML API
- Command Line
- REST API

Authentication Services

Local, external, and multi-factor authentication (MFA). PAN-OS software supports four MFA vendors.

The Palo Alto Networks Cybersecurity Portfolio focuses on which three principle technologies? (Choose three.)

securing operations response, securing the enterprise, securing the cloud

