Security and NAT policies Assessment 1
PAN-OS software supports two destination NAT types. What are they?
1. static IP (one-to-one translation; port unchanged); 2. port forwarding
When configuring destination NAT, translated address can be an _________ (3) to translate the original destination address to a destination host that has a DHCP-assigned IP address.
FQDN, address object or address group
_________ enables you to search the candidate configuration and content databases on a firewall for a particular string, such as an IP address, an object name, a policy rule name, a threat ID, or an application name.
Global Find
Similar to source NAT, destination NAT uses the ___________ tab to define the source and destination zones of the packets that the firewall will translate and optionally specify the destination interface and type of service.
Original Packet
__________ allows the reuse of port numbers by using the destination IP address as an additional NAT session identifier.
Oversubscription
To display your Security policy rules in the web interface, browse to __________
Policies > Security
With the release of PAN-OS 9.0, the _____________ can track all changes made to your Security policy rules.
Rule Changes Archive
What does the "drop" action do?
Silently drops the traffic. For an application, it overrides the default "deny" action. A TCP reset is not sent to the host or application.
This type of source NAT is a 1-to-1 translation and is used to change the source IP address while leaving the source port unchanged.
Static IP
What is the difference between static IP and dynamic IP?
Static IP - a single Original Packet IP address is mapped to a single Translated Packet IP address; the port is unchanged. Dynamic IP - the next available address in the specified range is used, but the port number is unchanged.
With the release of PAN-OS 9.0, you can use _______________ to ensure that candidate configurations appropriately secure your network and maintain connectivity to important network resources.
Test Security Policy Match
What is the difference between the Interface Address and Translated Address address types when configuring the Translated Packet tab?
The Translated Address option uses a new address that is not on an external interface. It is used for interfaces that receive an IP address dynamically from a pool. The Interface Address option uses an existing address that is on an external interface.
Before you can use source users or groups when creating security policy rules, you must enable the __________ feature that maps IP addresses to usernames.
User-ID
You configure 2 security policy rules: Rule A - allow inside to outside; Rule B - allow guest to outside. Could Rules A and B be combined?
Yes - place inside and guest together in the source zone.
Which three items are names of valid source NAT translation types? (Choose three.) a. dynamic IP b. dynamic IP/Port c. port forwarding d. static
a, b, d
Which four items are possible network traffic match criteria in a Security policy on a Palo Alto Networks firewall? (Choose four.) a. Source Zone b. Username c. DNS Domain d. URL e. Application
a, b, d, e
An ___________ is a name-value pair that can represent a single IP address, a range of IP addresses, an IP subnet or an FQDN.
address object
By default, the firewall implicitly (allows/denies) intrazone and (allows/denies) interzone traffic.
allows intrazone and denies interzone.
The default source zone or source address is ______
any
What are the 5 source user types when creating a security policy rule?
any, pre-login, known-user, unknown, select
When configuring Static NAT, we need to configure a ___________ source NAT rule to translate the public address into the private address so that the firewall can route the packet to an IP address on your internal network.
bidirectional
Which of the three types of Security policy rules that can be created is the default rule type? a. intrazone b. interzone c. universal
c
A session can consist of one or two flows. They are:
c2s flow (client-to-server), s2c flow (server-to-client)
This type of NAT is used to provide hosts on the public network access to private servers.
destination NAT
This type of NAT translates an original destination IP to an alternate destination IP.
destination NAT
With this form of NAT, private source addresses are translated to the next available address in the specified address range.
dynamic IP
This form of NAT allows multiple clients to use the same public IP address with different source ports.
dynamic IP and port (DIPP)
True or false? Logging on intrazone-default and interzone-default Security policy rules is enabled by default.
false
True or false? The intrazone-default and interzone-default rules cannot be modified.
false
By default, the 2 default implicit rules are processed before all the explicit administrator-defined rules on the firewall and match traffic that has not matched any other Security policy rule. True or false?
False. By default, the 2 default implicit rules are processed after all the explicit administrator-defined rules on the firewall and match traffic that has not matched any other Security policy rule.
The policy rule ____________ feature provides the ability to validate rule additions or changes and to monitor the time frame in which a specific rule was used.
hit count
An _________ rule applies to all matching traffic between the specified source and destination zones.
interzone
An ___________ rule applies to all matching traffic within the specified zones. You cannot specify a destination zone for this type of rule.
intrazone
By default, the firewall logs to the Traffic log all traffic that is (matched/not matched) to an administrator-defined security policy rule.
matched
By default, is the traffic defined by the implicit security policy rules logged on the firewall?
no
An earlier rule can hide a later rule. This behavior is called _______.
rule shadowing
All traffic traversing the data plane of Palo Alto Networks firewalls is matched against a ________.
security policy
___________ are assigned ports.
service definitions
Each session is assigned a unique ________.
session ID number
This type of NAT changes the source address of packets that match the NAT policy as the packets transit the firewall.
source NAT
This type of NAT is used to allow private users to access the public internet.
source NAT
You can define Security Policy rules to allow or deny traffic using fine-tuned rules with more granular options such as ___________________ (6).
source and destination IP, ports, applications, URL categories, source users, HIP profiles
Each session is identified by a 6-tuple consisting of:
source and destination IP, source and destination port numbers, protocol, source security zone
You can define Security Policy rules to allow or deny traffic starting with _______ and __________ as the basic/broad criteria.
source and destination zones
The Palo Alto Networks firewall is a _______ firewall, which means that all traffic passing through the firewall is matched against a _______; each is then matched to a _______________.
stateful - session - Security policy rule
_______ enable you to group objects using keywords or phrases.
tags
Security policy rules are evaluated for a match from __________ to __________. After a rule match is found, no other rules are evaluated.
top to bottom
By default, if the source address pool is larger than the translated address pool, new IP addresses seeking translation are blocked while the translated address pool is fully used. True or False?
true
We must configure a security policy rule to support the NAT traffic flow. True or false?
true
Policy rules are __________, which means that they allow only traffic that is initiated in the direction that the policy rule specifies.
unidirectional
A ______ rule applies to all matching interzone and intrazone traffic in the specified source and destination zones.
universal
What is the default rule type when creating a new Security policy rule?
universal rule