Palo Alto

How many ports does the TCP protocol recognize?

65,536. The 16-bit source and destination port fields give 2^16 = 65,536 port numbers (0-65535). The first 1,024 (0-1023) are the well-known ports, leaving 64,512 registered and dynamic/ephemeral ports.

What is the 5 step flow when an SSL session is initiated?

1) The client requests an SSL connection. 2) The server responds with its certificate, which contains its identity and public key. 3) The client uses the PKI (Public Key Infrastructure) to validate the server's certificate and therefore its public key. 4) If the certificate is valid, the client uses the server's public key to encrypt a symmetric session key and sends it to the server. 5) The server uses its private key to decrypt the session key. Both sides then use the session key to encrypt communications. (This describes RSA key transport. TLS 1.2 with (EC)DHE suites and all of TLS 1.3 derive the session key from an ephemeral Diffie-Hellman exchange instead, so the server's private key only authenticates the handshake and cannot later decrypt captured sessions.)

What makes up a vsys or Virtual system?

1) A set of physical and logical interfaces and subinterfaces 2) Virtual routers 3) Security zones

What mechanisms are used to replace a port-based rule with an application-based rule?

1) Add to Rule 2) Match Usage 3) Clone a rule

What three methods are used to replace a port-based rule with an application-based rule.

1) Add to Rule (quick and easy but riskier) 2) Match Usage 3) Create Cloned rule

When using Virtual systems what are the segmentation possibilities?

1) Administrative access 2) Management of all policies 3) All objects 4) User-ID 5) Certificate management 6) Server Profiles 7) Logging, reporting, and visibility functions

What are the two types of DoS Protection Profiles?

1) Aggregate profile: the thresholds apply to the combined rate of all traffic matching the DoS Protection policy rule. 2) Classified profile: the thresholds apply per source IP address, per destination IP address, or per source-and-destination pair, so one noisy host can be limited without affecting the others that match the same rule.

What are the three thresholds that Zone protection looks to match with the collective rate?

1) Alarm Rate threshold: an alarm is logged when the rate is exceeded 2) Activate threshold: mitigation (random early drop, or SYN cookies for SYN floods) begins 3) Maximum threshold: connections above this rate are dropped
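The aggregate-versus-classified distinction from the DoS profile question and the Alarm/Activate/Maximum semantics above are easiest to see on replayed traffic. The following is an added example and not PAN-OS code: a per-second connection counter with the three thresholds, driven by a constructed burst of SYNs (one noisy source plus ten quiet ones). The packet format, the linear random-early-drop curve and the seeded RNG are my own simplifications; the key function switches between the aggregate view (one counter for the zone) and the classified view (one counter per source).

```python
from collections import defaultdict
import random


class FloodThresholds:
    """Alarm, Activate and Maximum rates, in new connections per second."""
    def __init__(self, alarm, activate, maximum):
        if not alarm <= activate <= maximum:
            raise ValueError("thresholds must satisfy alarm <= activate <= maximum")
        self.alarm, self.activate, self.maximum = alarm, activate, maximum


class FloodMonitor:
    """Counts new connections (SYNs) per one-second window, per key.

    The default key lumps everything together, which is the view a Zone
    Protection profile or an aggregate DoS profile has.  Passing
    key=lambda p: p["src"] gives the classified, per-source view.
    """
    def __init__(self, thresholds, key=lambda pkt: "aggregate", seed=1):
        self.t = thresholds
        self.key = key
        self.rng = random.Random(seed)      # fixed seed keeps the replay reproducible
        self.counts = defaultdict(int)      # (window, key) -> SYNs seen so far
        self.alerts = []                    # (window, key) where the alarm rate was crossed
        self.dropped = 0

    def state(self, count):
        """Place a per-window count against the three thresholds."""
        if count > self.t.maximum:
            return "drop"
        if count > self.t.activate:
            return "mitigate"
        if count > self.t.alarm:
            return "alarm"
        return "ok"

    def observe(self, pkt):
        """pkt is {'ts': float, 'src': str, 'syn': bool}; returns 'pass' or 'drop'."""
        if not pkt["syn"]:
            return "pass"                   # only connection attempts count toward CPS
        k = (int(pkt["ts"]), self.key(pkt))
        self.counts[k] += 1
        count = self.counts[k]
        state = self.state(count)
        if count == self.t.alarm + 1:       # crossed the alarm rate: log once per window
            self.alerts.append(k)
        if state == "drop":
            self.dropped += 1
            return "drop"
        if state == "mitigate":
            # Random early drop: drop probability rises linearly from 0 at the
            # Activate rate to 1 at the Maximum rate.
            span = max(self.t.maximum - self.t.activate, 1)
            if self.rng.random() < (count - self.t.activate) / span:
                self.dropped += 1
                return "drop"
        return "pass"


def constructed_traffic():
    """Constructed sample: 150 SYNs from one host and 5 each from ten others,
    all inside the same one-second window starting at t=10."""
    pkts = [{"ts": 10.0 + i / 150, "src": "203.0.113.7", "syn": True} for i in range(150)]
    for s in range(10):
        pkts += [{"ts": 10.0 + i / 5, "src": f"198.51.100.{s}", "syn": True} for i in range(5)]
    pkts.sort(key=lambda p: p["ts"])        # stable sort: arrival order within a tick is kept
    return pkts


def run(thresholds, key=lambda pkt: "aggregate"):
    """Replay the constructed traffic; return (monitor, {source: packets dropped})."""
    mon = FloodMonitor(thresholds, key)
    drops = defaultdict(int)
    for p in constructed_traffic():
        if mon.observe(p) == "drop":
            drops[p["src"]] += 1
    return mon, dict(drops)


if __name__ == "__main__":
    agg, agg_drops = run(FloodThresholds(50, 100, 150))
    cls, cls_drops = run(FloodThresholds(20, 50, 100), key=lambda p: p["src"])
    print("aggregate drops by source:", agg_drops)
    print("classified drops by source:", cls_drops)
```

With aggregate thresholds the zone as a whole crosses Maximum late in the window, so quiet sources arriving after that point are dropped alongside the attacker; with classified thresholds only the noisy source is ever counted past Alarm, which is why a per-source classified profile is the right tool when the goal is protecting one server from one abusive client rather than protecting the zone from a volumetric flood.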

What 4 actions will result in a URL Filtering log entry?

1) Alert 2) Block 3) Continue 4) Override (the Allow action does not generate a URL Filtering log entry)

What does it mean that Palo Alto Networks firewalls are stateful firewalls?

1) All traffic passing through the firewall is matched against a session. 2) Each session is then matched against a Security policy rule.

In what two forms does the User-ID agent come?

1) An integrated agent resident on the firewall (included with the PAN-OS software) 2) A Windows-based agent (available for download)

Name the options available when you select users for a Security policy.

1) Any: matches any value for user 2) Pre-logon: used with certain GlobalProtect implementations 3) Known-user: matches any user or group identified by User-ID 4) Unknown: matches traffic where the user could not be identified by User-ID methods 5) Select: matches a specific user or group identified by User-ID

What is Palo Alto's next-gen firewalls range of threat prevention functionalities?

1) App-ID and User-ID 2) URL Filtering 3) Vulnerability Protection 4) Anti-spyware 5) Antivirus 6) Traps 7) File Blocking 8) DoS and/or Zone protection 9) WildFire advanced malware protection

What are the 4 major technologies utilized by Palo Alto Networks App-ID to help identify applications?

1) Application Signatures 2) Unknown Protocol Decoder 3) Known Protocol Decoder 4) Protocol Decryption

What are 8 reasons for decryption failure?

1) The application is not RFC-compliant 2) The application uses a client certificate 3) The SNI or CN matched a hostname in the decryption exclusion list 4) The firewall does not support the SSL/TLS version required 5) The server does not support a compatible cipher suite 6) An SSH application error occurs 7) The firewall does not support the SSH version required 8) The application requires an application-level gateway (ALG) that is not supported

What are the two main categories that an application can be classified?

1) Applications known to App-ID 2) Applications unknown to App-ID

What are the 5 pieces of information that are passed during IKE Phase 1?

1) Authentication method 2) Diffie-Hellman key exchange 3) Symmetric Key Algorithm- Bulk Data Encryption 4) Hashing algorithm 5) Lifetime

What are the selectable attributes used in an Application filter?

1) Category 2) Subcategory 3) Technology 4) Risk 5) Characteristic

What are the 8 steps for MGT Interface Config: Web Interface

1) Configure your system's or laptop's Ethernet interface with an address in the 192.168.1.0/24 subnet. 2) Connect to the MGT port with an Ethernet cable. 3) Launch a web-browser connection to https://192.168.1.1. 4) Log in using the default firewall username and password (and change that password before going further). 5) Select Device > Setup > Interfaces. 6) Click Management. 7) In the window that opens, configure the network settings for the MGT interface. 8) Commit, then reconnect to the web interface using the new address.

Name 3 types of traffic that flow across HA Control link.

1) Configuration synchronization 2) Heartbeats 3) Hellos

What are the 3 phases used in a migration from port-based firewall policies to application-based firewall policies?

1) Application Visibility 2) Next-Generation Policies 3) Consolidate, Customize, and Reduce Risk

What are the three methods available to the firewall for processing traffic identified only as unknown-tcp, unknown-udp, or web-browsing?

1) Create a custom application with a custom signature 2) Configure an Application Override policy 3) Block unknown-tcp or unknown-udp traffic

What are the two steps to the iterative process of identifying network traffic.

1) Create rules to allow or block applications known to be traversing the firewall. 2) Create a temporary rule to detect unidentified applications traversing the firewall.

What are the two predefined vulnerability profiles?

1) Default 2) Strict

Name three valid source NAT translation types.

1) Dynamic IP 2) Dynamic IP/Port 3) Static

Name two things for which Global Find does not search.

1) Dynamic content such as logs, address ranges, or allocated DHCP addresses. 2) Individual username or group names identified by User-ID.

What are the 4 general steps to configure User-ID technology?

1) Enable User-ID by zone 2) Configure user mapping methods 3) Configure group mapping (optional) 4) Modify firewall policy rules to use username or group names

Where are the three regional WildFire clouds located?

1) Europe 2) Japan 3) Singapore

What are the two Gateways used in GlobalProtect and their functions?

1) External gateways: provide security enforcement and VPN access for remote users. 2) Internal gateways: apply Security policy for access to internal resources

Name the 7 Mapping methods for User-ID.

1) GlobalProtect 2) Captive Portal 3) Syslog listener 4) User-ID agent: Session monitoring 5) Terminal Services agent 6) User-ID agent: Client probing 7) XML API

What are the three major components of GlobalProtect deployment?

1) GlobalProtect Portal 2) GlobalProtect Gateways 3) GlobalProtect client software

What Admin Mgt Services are checked by default in the configuration?

1) HTTPS- is required to access and manage the firewall through the MGT interface using the web interface 2) SSH- to enable CLI connection to the MGT interface 3) Ping- enables you to check connectivity to the MGT interface or to support heartbeats between FWs deployed as a pair for HA.

Name 4 failure-detection methods in a firewall HA cluster.

1) Heartbeats and hellos 2) Internal health checks 3) Link groups 4) Path groups

What is the importance of BPA summaries?

1) Helps the customer focus on where they want to improve one step at a time. 2) Helps the company understand where they are in terms of their security posture. 3) Provides insight into the company's strengths and weaknesses without going through each check manually.

In active/active configuration what must VM-Series firewalls have the same?

1) Hypervisor 2) Number of CPU cores

What 5 pieces of information are passed during IKE Phase 2?

1) IPsec type/mode 2) Diffie-Hellman: PFS 3) Symmetric Key Algorithm-Bulk Data Encryption 4) Hashing algorithm 5) Lifetime (before rekey)

Protocol protection does not allow you to block what 4 types of ethertypes?

1) IPv4 (0x0800) 2) ARP (0x0806) 3) VLAN-tagged frames (0x8100) 4) IPv6 (0x86DD)

Name 3 attributes of the Policy Rule Hit Count.

1) Identify rules that are used frequently and determine which rules are unused and should be removed. 2) Validate rule additions or changes, and to monitor the time frame of when a specific rule was used 3) Includes the number of traffic matches, the timestamps, the number of applications seen, and the number of days with no new applications seen.

What are the two (possibly three) steps taken in the creation of an SSL Inbound Inspection policy?

1) Import the internal server's certificate and private key into the firewall. This enables the firewall to decrypt and inspect traffic going to the internal server.

What are the two phases in the creation of an IPsec tunnel?

1) In phase 1, IKE authenticates the two firewalls to each other and sets up a secure control channel (the IKE SA); it uses the IKE Crypto Profile for the negotiation. 2) In phase 2, the IPsec SAs that encapsulate the data traffic are created using the IPsec Crypto Profile; this phase is concerned only with the data traffic that crosses the tunnel.

What are the 5 states that a Firewall in an active/passive pair can be in?

1) Initial 2) Active 3) Passive 4) Suspended 5) Non-functional

What three types of rules can be defined in a Security policy?

1) Intrazone 2) Interzone 3) Universal

Give two functions of User-ID.

1) It identifies the user on the network and the IP addresses of the computers the user is logged in to. 2) Retrieves user group information from a connected LDAP directory.

What are three attributes of the dedicated out-of-band management port of the Palo Alto Network FW?

1) Labeled MGT by default 2) Passes only management traffic for the device and cannot be configured as a standard traffic port. 3) Administrators use the out-of-band management port for direct connectivity to the management plane of the firewall

In the ACC, what are the two filters available to parse information?

1) Local filters 2) Global filters

Before HA can be enabled, both firewalls must have the same what, when dealing with an active/active configuration.

1) Model 2) PAN-OS version: except during software upgrades 3) Up-to-date application, URL, and threat databases 4) HA interface types 5) Licenses 6) Matching slot configuration (multi-slot firewall models)

What is the default MGT IP addressing with Palo Alto NGFW?

1) Most firewall models use 192.168.1.1 2) VM-Series Firewalls utilize the DHCP client

When using the CLI to reset the FW to its factory config, what is required?

1) Need to know the Admin acct PW 2) use cmd: request system private-data-reset

What is needed to pass traffic between 2 different VLANs?

1) Needs to be done at the IP layer through a virtual router. 2) Appropriate Security policy rules and a virtual router are also needed.

Name two traffic collection tools.

1) NetWitness 2) Solera

Name 3 attributes of HA interfaces.

1) Not used to control normal network traffic 2) Used for synchronization of a pair of firewalls deployed in a High Availability configuration 3) Not placed in a security zone

Name the 6 steps to configure a PAN-OS integrated User-ID agent to connect to monitored servers.

1) On the domain controller, create a service account with the required permissions to run the agent. 2) On the firewall define the address of the server(s) to be monitored. 3) Add the service account to monitor the server(s). 4) Configure session monitoring (optional) 5) Configure WMI probing (optional). 6) Commit the configuration and verify agent connection status.

What are the three methods for client connections supported by GlobalProtect?

1) On-demand 2) User-logon 3) Pre-logon

Give 4 attributes that describe an active/passive HA firewall configuration.

1) Only one firewall actively processes traffic 2) no increase in session capacity 3) no increase in throughput 4) supports Virtual Wire, Layer 2, and Layer 3 deployments

Name 5 Next Generation hardware Firewalls provided by Palo Alto.

1) PA-220 2) PA-800 series 3) PA-3200 series 4) PA-5200 series 5) PA-7000 series

What are the four main components of User-ID technology?

1) Palo Alto Networks firewall 2) PAN-OS integrated User-ID agent 3) Windows-based User-ID agent 4) Palo Alto Networks Terminal Services agent

Name 4 reasons to revoke certificates

1) Private key compromised 2) Hostname or username of owner changed 3) Host retired, user left company 4) Counterfeit key found

In selecting failover settings what two profiles will auto-populate the seven timers with optimum values for a specific firewall model.

1) Recommended 2) Aggressive

What steps are needed before you can activate your FW?

1) Register the FW w/ Palo Alto 2) Activate the support license 3) Activate the licenses for each subscription purchased.

Name three Firewall Decryption Types.

1) SSL Forward Proxy 2) SSL Inbound Inspection 3) SSH Decryption

Name the 7 authentication functions for which a firewall can utilize certificates.

1) SSL/TLS decryption 2) Management interface user authentication 3) GlobalProtect: Portal, Gateway, and Mobile Security Manager authentication 4) Captive Portal user authentication 5) IPsec VPN IKE authentication 6) High Availability authentication 7) Secure syslog authentication

Name the 7 steps to configure a Windows-based User-ID agent to connect to monitored servers.

1) Same as PAN-OS 2)Select a Windows domain member 3)Download and install User-ID agent software. 4) Run the User_ID agent installer. 5) Configure the User-ID agent 6) Configure the firewall to connect to the User-ID agent 7) Verify connection status

What are the three ways you can apply Global filters?

1) Set a global filter from a table 2) Promote a local filter to a global filter 3) Define a global filter

With Palo Alto Firewall Architecture what are the three processors used on the Data Plane?

1) Signature Matching 2) Security Processing 3) Network Processing

Each session is identified by a six tuple consisting of what?

1) Source IP address 2) Destination IP address 3) Source port number 4) Destination port number 5) Protocol 6) Source security zone
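Three earlier cards fit together here: the firewall is stateful (traffic is matched to a session, and the session is matched to a policy rule), Security policy rules are universal, intrazone or interzone, and interzone traffic is denied by default. The following is an added example, not PAN-OS code: a toy firewall that keys its session table on the six-tuple above, consults policy only for the first packet of a session, matches the server's reply to the existing entry, and appends the two predefined default rules (intrazone-default allow, interzone-default deny) at the bottom of the rulebase. The zone map, the rule fields (ports stand in for service/application) and the packet format are my own simplifications.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str          # "tcp" or "udp"
    ingress_zone: str   # zone of the interface the packet arrived on


@dataclass
class Rule:
    name: str
    rule_type: str      # "universal", "intrazone" or "interzone"
    from_zones: set     # {"any"} or explicit zone names
    to_zones: set
    dst_ports: set      # {"any"} or port numbers (stand-in for service/application)
    action: str         # "allow" or "deny"


# Constructed zone map (assumption): the destination zone is derived from the
# destination address, standing in for the virtual router's route lookup.
ZONE_OF_PREFIX = {"10.1.": "trust", "192.168.": "dmz", "203.0.113.": "untrust"}


def zone_for(ip):
    for prefix, zone in ZONE_OF_PREFIX.items():
        if ip.startswith(prefix):
            return zone
    return "untrust"


def _field_match(allowed, value):
    return "any" in allowed or value in allowed


def rule_matches(rule, src_zone, dst_zone, dst_port):
    # The rule type constrains the zone relationship before the explicit fields apply.
    if rule.rule_type == "intrazone" and src_zone != dst_zone:
        return False
    if rule.rule_type == "interzone" and src_zone == dst_zone:
        return False
    return (_field_match(rule.from_zones, src_zone)
            and _field_match(rule.to_zones, dst_zone)
            and _field_match(rule.dst_ports, dst_port))


# The two predefined rules sit at the bottom of the rulebase in this order:
# same-zone traffic is allowed, cross-zone traffic is denied.
DEFAULT_RULES = [
    Rule("intrazone-default", "intrazone", {"any"}, {"any"}, {"any"}, "allow"),
    Rule("interzone-default", "interzone", {"any"}, {"any"}, {"any"}, "deny"),
]


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = list(rules) + DEFAULT_RULES
        self.sessions = {}   # six-tuple -> (rule name, action)

    @staticmethod
    def six_tuple(pkt):
        return (pkt.src_ip, pkt.dst_ip, pkt.src_port, pkt.dst_port,
                pkt.proto, pkt.ingress_zone)

    def _existing_session(self, pkt):
        key = self.six_tuple(pkt)
        if key in self.sessions:
            return self.sessions[key]
        # A server reply arrives with the tuple mirrored; its session was keyed on
        # the zone the original client sits in.
        mirrored = (pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port,
                    pkt.proto, zone_for(pkt.dst_ip))
        return self.sessions.get(mirrored)

    def process(self, pkt):
        """Return (rule name, action) that applies to this packet."""
        decision = self._existing_session(pkt)
        if decision is not None:
            return decision            # matched a session: no policy lookup
        src_zone, dst_zone = pkt.ingress_zone, zone_for(pkt.dst_ip)
        for rule in self.rules:        # top to bottom, first match wins
            if rule_matches(rule, src_zone, dst_zone, pkt.dst_port):
                decision = (rule.name, rule.action)
                break
        if decision[1] == "allow":     # only allowed sessions are installed
            self.sessions[self.six_tuple(pkt)] = decision
        return decision


if __name__ == "__main__":
    fw = StatefulFirewall([Rule("allow-web-to-dmz", "universal", {"trust"}, {"dmz"}, {443}, "allow")])
    print(fw.process(Packet("10.1.1.5", "192.168.1.10", 40000, 443, "tcp", "trust")))
    print(fw.process(Packet("192.168.1.10", "10.1.1.5", 443, 40000, "tcp", "dmz")))
    print(fw.process(Packet("192.168.1.10", "10.1.1.5", 5555, 22, "tcp", "dmz")))
```

The second call is the point of statefulness: the reply from the DMZ server is accepted because it belongs to an installed session, even though no rule permits dmz-to-trust traffic; the third call, a new connection from the same server, falls through to interzone-default and is denied.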

NAT configurations can take what two forms?

1) Source NAT 2) Destination NAT

Name 4 items that are possible network traffic match criteria in a Security policy on a Palo Alto Networks firewall.

1) Source Zone 2) Username 3) URL 4) Application

What is used in DoS Protection policy rules match criteria?

1) Source zone or interface 2) Source IP address 3) Source user 4) Destination zone or interface 5) Destination IP address 6) Service names

Between the two firewalls in an HA pair, for what is the Data Link or Layer 2 link utilized?

1) Synchronize sessions 2) Synchronize forwarding tables 3) Synchronize IPsec security associations 4) Synchronize ARP tables

Give 4 Remote Logging Destinations to which logs can be forwarded.

1) Syslog 2) Panorama 3) Email 4) SNMP

Name 3 Deployment options for Ethernet interfaces with Palo Alto FWs.

1) Tap 2) Virtual Wire 3) Layer 3

What are the 5 zone types and their specific interface types they support?

1) Tap zone - Tap interfaces 2) Tunnel zone - No interfaces assigned 3) Layer 2 zone - Layer 2 interfaces 4) Virtual Wire zone - Virtual wire interfaces 5) Layer 3 zone - Layer 3, VLAN, Loopback and Tunnel interfaces

Give the GlobalProtect Connection Sequence.

1) The GlobalProtect client on the local system connects to the GlobalProtect Portal for authentication. 2) After authorization is confirmed, the portal sends the client configurations and a list of GlobalProtect Gateways. 3) The client connects to the best gateway (based on SSL response time and local priority) to respond to its connection request.

What does Application Override policy do?

1) It prevents the firewall from using App-ID to inspect the Layer 7 data: sessions matching the rule (by zone, address, port and protocol) are assigned the named application without inspection. 2) Because Layer 7 inspection is skipped, Security Profiles (threat inspection) are effectively disabled for that traffic, so it should be limited to well-defined, trusted flows.

What are the two ways to initially config the FW?

1) Through the dedicated out-of-band management Ethernet interface (MGT) 2) Through the Serial console connection

By default the MGT port is used to access what external services?

1) Update services 2) DNS services 3) NTP services 4) Etc.

Name 8 Security Profile types.

1) Vulnerability Protection 2) URL Filtering 3) Anti-Spyware 4) Antivirus 5) File Blocking 6) Security Profile Group 7) WildFire Analysis 8) Data Filtering

Name 4 interfaces by which FW administration can be performed.

1) Web interface 2) XML API 3) Panorama 4) CLI

What is the two pronged approach to mitigate DoS threats?

1) Zone-based protection (1st line of defense) 2) End host protection

Give three aspects of the basic requirements to create a VPN in a PAN-OS release.

1) add a static route to the virtual router 2) create the tunnel interface 3)configure the IPsec tunnel

What encoding methods can be decoded by the Palo Alto firewall?

1) base64 2) gzip 3) HTTP 1.1 chunked encoding 4) pkzip 5) qpencode 6) uuencode

Name three file types that can be sent to WildFire without a WF license.

1) dll 2) exe 3) src

With the Certificate Management in the web interface name 6 types of operations that can be performed.

1) Generate certificates 2) View certificates 3) Modify certificate use 4) Import and export certificates 5) Delete certificates 6) Revoke certificates

What is the HA Control link used to exchange?

1) hellos 2) heartbeats 3) HA state information 4) It is also used to synchronize routing and User-ID information between the management planes 5) For configuration changes with its peer firewall

Name three valid options when configuring the Source User field in a security policy rule.

1) known-user 2) any 3) unknown

In what two formats is the GlobalProtect client available?

1) msi 2) pkg

How do you enter maintenance mode in Palo Alto NGFWs?

1) Reboot the firewall. 2) During the reboot, enter maint at the CLI prompt to boot into maintenance mode. 3) Choose Reset to Factory Default.

Cyber Kill Chain (7 Steps)

1.Reconnaissance 2. Weaponization 3. Delivery 4. Exploitation 5. Installation 6. Command & Control 7. Act on the Objective

How many IPsec tunnels can each tunnel interface have?

10 IPsec tunnels

Up to how many domain controllers or exchange servers can an agent monitor?

100 domain controllers or Exchange Servers

How long does a user have access to a URL by default if they successfully use the "continue" or "override" response page before they need to reenter the Override PW?

15 minutes of access to the URL

How many IPv4 and IPv6 addresses can an FQDN support with Dynamic IP address Support for Destination NAT?

32 IPv4 addresses 32 IPv6 addresses

What is the max number of levels a Palo Alto firewall can decode?

4 levels

How many autogenerated predefined default reports are created each night by the firewall?

40 reports

What is required to use URL categories defined in the PAN-DB database.

A URL Filtering license is needed

What is required by the FW when the SSL/TLS setting is used?

A digital certificate that is trusted by the clients.

What is the Known Protocol Decoder?

A set of application decoders that understand the syntax and commands of common applications.

What type of certificate is required by the firewall to support features such as SSL Forward Proxy or GlobalProtect.

A signing certificate is required for the support of these features.

What is the primary function of any firewall?

Accurate traffic classification

You should set all category actions to which level when you create a new URL Filtering?

Alert actions should be set.

How is telemetry information shared?

All telemetry information is saved to the WildFire global cloud. Anonymity of participants is preserved and your data is not shared with other customers or 3rd party organizations.

What is the Unknown Protocol Decoder?

An App-ID heuristics engine used to look at patterns of communication. It attempts to identify the application based on its network behavior.

A Zone Protection Profile protects what kind of zone?

An ingress zone is protected by this profile.

What is the availability schedule for updated content through Palo Alto Networks?

1) Antivirus: daily 2) Applications and Threats: weekly, with new applications added monthly 3) WildFire: approximately every 5 minutes

What is Palo Alto Networks traffic classification mechanism that addresses the traffic classification limitations that plague traditional firewalls?

App-ID

With Virtual Routers what are the supported Dynamic routing protocols?

BGPv4 OSPFv2 OSPFv3 RIPv2

What is meant when a URL is matched to the "not-resolved" category?

Being matched to this category indicates that the URL was not found in the local URL filtering database and the firewall was unable to connect to the cloud database to check the category.

What is best practice for firewalls without dedicated HA ports?

Best practice is to use the management port for the Control link to allow for a direct connection between the management planes on the firewall.

How do traditional firewalls classify traffic?

By port and protocol

What format can a log be exported?

CSV format

In Config General Settings what are the FW domain name rules?

Can have a max of 31 characters, contain a mix of alphanumeric, hyphen, and dot characters. The default is left empty.

In Config General Settings what are the FW hostname rules?

Can have a max of 31 characters, contain a mix of alphanumeric, hyphen, and underscore characters. The default is the FW model name.

What command displays the sites in the decryption exclusion cache (sites that will not be decrypted again for 12 hours)?

Cmd: show system setting ssl-decrypt exclude-cache

What command is used to verify current connectivity to the PAN-DB cloud service?

Cmd: show url-cloud status (it should report as "connected")

What command is used to initiate a tunnel manually?

Cmd: test vpn ike-sa gateway <gateway-name> (brings up phase 1) and test vpn ipsec-sa tunnel <tunnel-name> (brings up phase 2)

How is connectivity between all parts of the GlobalProtect infrastructure authenticated?

Connectivity is authenticated using SSL certificates.

What anti-spyware feature enables an administrator to quickly identify a potentially infected host on the network?

DNS sinkhole

On a firewall with dedicated HA ports, name the function of the HA2 port.

Data link

For Safe Search Enforcement to function what must be enabled if SSL is used?

Decryption must be enabled for this function to work.

What types of connections can eliminate split brain?

Dedicated and redundant management plane Control link connections.

What is the default port for User-ID?

Default port is 5007

What is the path used to config service routes?

Device> Setup> Services> Service Route Configuration

Each FW interface supports what in the web interface?

Each supports multiple logical interfaces, called subinterfaces.

What is internal traffic that never leaves the gateway?

East-West Traffic

What is effectively the same thing as a Proxy ID?

Encryption Domain

What steps are needed before you can retrieve a license?

FW must be configured w/ an IP address, netmask, default gateway, and DNS server IP address.

True or False: When the firewall is configured to inspect SSL traffic going to an internal server for which the firewall has the private key, it functions as a forward proxy.

False

True or False: A VPN tunnel interface always requires an IP address

False

True or False: A VPN tunnel interface name "tunnel" ca be renamed to anything you want, up to 20 characters in length

False

True or False: GlobalProtect gateway authenticates users against a Server Profile.

False

True or False: If the user associated with an IP address cannot be determined, all traffic from that address will be dropped

False

True or False: Logging on intrazone-default and interzone-default Security policy rules is enabled by default.

False

True or False: NetBIOS is the only client probing method supported by the User-ID agent.

False

True or False: PKI relies on the manual distribution of shared keys

False

True or False: Roll back the candidate configuration by pressing the Undo button.

False

True or False: Safe search is a web server setting.

False

True or False: The Source IP and Source User fields cannot be used in the same policy.

False

True or False: The Source User field can match only users, not groups

False

True or False: The User-ID agent must be installed on the domain controller.

False

True or False: The intrazone-default and interzone-default rules cannot be modified.

False

True or False: URLs always are matched to a PAN-DB URL category before they match a custom URL category.

False

True or False: You must deploy the Windows-based User-ID agent to collect IP address-to-username mappings from a Windows AD domain controller.

False

True or False: A PEM file containing the certificate will contain the private key.

False: A PKCS12 file contains both the certificate and private key in the same file.

True or False: A URL license is required to create and use your own custom URL categories.

False: A license is only needed to use categories in the PAN-DB database

True or False: By default, a PAN-OS Security policy allows interzone traffic.

False: Interzone traffic is denied by default

True or False: PBF does apply to traffic that originates from the firewall itself.

False: It does not apply to this traffic

True or False: The App-ID database does not implicitly allow the required parent application, needing you to explicitly add the parent application to the Security policy.

False: It does sometimes implicitly allow required parent applications

True or False: Non-local account passwords do not need to be authenticated through their external authentication service.

False: They must be authenticated through their external authentication service.

True or False: A Palo Alto Networks firewall cannot submit a CSR to a CA

False: it can submit CSRs

True or False: A firewall can have multiple URL Override passwords at a time.

False: there is only allowed one URL Override PW at a time.

True or False: External gateways do not require a tunnel.

False: they do require a tunnel

True or False: Portal, gateways, and agents can use certificates signed by the different CAs.

False: they must all use the same CA

How are security policy rules evaluated for a match?

From top to bottom

Explain the best way to convert rules to be application-aware.

Go rule by rule, look at which applications are being allowed or denied, clone the rule, and populate the App-ID field. Then you move the new rule above the original rule and let traffic run through it for another 30-90 days to verify that no traffic is still matching that original rule. You now can remove the original, port-based rule. The most important step is removing the port-based rule.

What defines the parameters associated with detecting failures and triggering failover?

HA timers

Where do you view FW logs?

In the Monitor tab

What does a virtual wire perform?

It binds two FW interfaces together. It is known as a bump in the wire or a transparent inline deployment.

What does the DNS Sinkhole capability do?

It enables you to quickly identify infected hosts on the network. It is the default action for the Palo Alto Networks DNS signatures.

What does a Tap interface do?

It is used to enable passive monitoring of switch traffic from a SPAN or mirror port. A Tap interface can only observe and log traffic; it cannot block anything.

How is an application filter useful?

It is useful in the way it enables access to applications that match filter criteria rather than match specific application names.

In IKE phase 2, what will each side of the tunnel have to identify the traffic it will be sending and what it expects to receive.

It will have a proxy ID.

What is the strength of the Palo Alto Networks firewall?

Its Single-Pass Parallel Processing (SP3)

What is the ultimate purpose of User-ID?

Its purpose is to give you the ability to write policy, display logs, and display reports using usernames instead of using just IP addresses and port numbers.

Who can remove Locks in FW configs?

Locks can be removed by the Admin who created them or by an admin with superuser privileges.

What tab in the ACC provides an overview of traffic and user activity on your network?

Network Activity tab

Which updates are available on Palo Alto Networks databases?

New antivirus and spyware definitions, new malicious domains and URLs, and new application signatures. This must be downloaded to the FW to maintain the most current protections. You must have a Threat Prevention license to download updates.

What is traffic entering and leaving the network?

North-South Traffic

On some platforms, the PAN-OS DIPP NAT implementation allows the reuse of port numbers by using destination IP address as an additional NAT session identifier. To what is this referred?

Oversubscription
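Oversubscription is easier to reason about with a small pool. The following is an added example, not PAN-OS code: a Dynamic IP and Port (DIPP) source NAT pool for one translated address, where each translated port may be handed out up to `oversub` times as long as every session sharing it goes to a different destination IP, which is exactly what keeps the outside 5-tuples unique. The port range and addresses are constructed, and the linear port scan is a simplification.

```python
class DippPool:
    """Dynamic IP and Port source NAT pool for a single translated address.

    Without oversubscription (oversub=1) every translated port is used by at
    most one session.  With oversub=N a port may be reused by up to N sessions,
    provided they go to distinct destination IPs, so the reply traffic can
    still be matched unambiguously.
    """
    def __init__(self, public_ip, oversub=1, port_range=(1024, 65535)):
        if oversub < 1:
            raise ValueError("oversubscription ratio must be at least 1")
        self.ip = public_ip
        self.oversub = oversub
        self.lo, self.hi = port_range
        self.in_use = {}            # translated port -> set of destination IPs using it

    def capacity(self):
        """Maximum concurrent sessions this pool can carry."""
        return (self.hi - self.lo + 1) * self.oversub

    def allocate(self, dst_ip):
        """Return (translated ip, translated port) for a new session toward
        dst_ip, or None if no port can be used for that destination."""
        for port in range(self.lo, self.hi + 1):
            dsts = self.in_use.setdefault(port, set())
            # a port is eligible if its oversubscription budget is not spent and
            # no existing session on it already targets the same destination
            if len(dsts) < self.oversub and dst_ip not in dsts:
                dsts.add(dst_ip)
                return self.ip, port
        return None

    def release(self, port, dst_ip):
        """Free the (port, destination) slot when the session ends."""
        self.in_use.get(port, set()).discard(dst_ip)

    def active_sessions(self):
        return sum(len(d) for d in self.in_use.values())


if __name__ == "__main__":
    # Constructed example: four translated ports, oversubscription ratio 2.
    pool = DippPool("203.0.113.1", oversub=2, port_range=(1024, 1027))
    print("capacity", pool.capacity())
    print([pool.allocate("198.51.100.1") for _ in range(4)])   # four distinct ports
    print([pool.allocate("198.51.100.2") for _ in range(4)])   # same four ports, other destination
    print(pool.allocate("198.51.100.1"))                         # None: nothing left for this destination
```

The practical consequence is that oversubscription multiplies capacity only for diverse destinations: many clients all talking to one destination (a single SaaS IP, a DNS resolver) exhaust the pool at the unoversubscribed limit, which is the symptom to check for when a DIPP pool reports port exhaustion.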

What devices is Decryption port mirroring available?

PA-3000 series PA-5000 series PA-7000 series

What is the name of the Palo Alto Networks centralized management system?

Panorama

What is PPPoE?

Point-to-Point Protocol over Ethernet

How do clientless users log in to the portal?

Remote users can log in to the GlobalProtect portal using a web browser and launch the web applications published for the user.

What encryption methods can Palo Alto Networks firewall decrypt?

SSHv2 and SSL/TLS inbound and outbound network traffic.

To create a Heatmaps and BPA report, which type of file would you need to create and download from the firewall?

Tech Support File would be needed to download.

What function helps in mitigating Rule Shadowing?

The Commit Status window warns when one rule shadows one or more other rules.

What is different about a loopback interface?

It is assigned a single host address with no subnet mask (effectively a /32) rather than an address on a subnet.

In the Control Plane of the Palo Alto firewall what processor is utilized?

The Management processor, which is responsible for tasks such as management UI, logging, and route updates.

What is the main difference between the PA-5260 and PA-5280 firewalls?

The PA-5280 has double the data-plane memory, which doubles the session capacity.

What user mapping method is most recommended by Palo Alto Networks?

The Server Monitoring method

After creating a rule, what tab is created in the security policy rule?

The Usage tab: this shows the usage statistics of the rule.

What is the advantage of the GlobalProtect clientless VPN?

The advantage is remote users have the advantage of secure access from SSL-enabled web browsers without installing the GlobalProtect client software.

What is required for the use of URL Filtering response pages in a Layer 3 environment?

The configuration of a Layer 3 interface on the firewall with an Interface Management Profile configured to allow response pages is required.

In a route-based VPN, what is the determining factor of which traffic will be tunneled?

The determining factor is the final destination of that traffic

Explain the process of the SSL Forward Proxy method of decryption with a Palo Alto firewall.

The firewall acts as an SSL proxy. A connection is formed between an internal user and the firewall, while a separate but related SSL connection is formed between the firewall and the external web server.

What happens when the firewall detects that a session has been broken as a result of the decryption process?

The firewall caches the session information and it does not decrypt the next session from that host to the same website. Decryption to that website is not attempted again for 12 hours after the first occurrence.

With URL Filtering if a URL is not found in the cache, the firewall will do what?

The firewall contacts the PAN-DB cloud servers for the lookup

How are DoS threats detected with a Palo Alto firewall?

The firewall uses packet header information rather than a signature such as the antivirus, anti-spyware, and vulnerability protections.

Which firewall in an HA pair is given Higher priority and considered the active firewall?

The firewall with the Lower Device Priority value.

What is Rule Shadowing?

The first rule matched is used, even though following rules are matches also. The first matched rule casts a shadow over the following matched rules.

What is the first step to configure SSL Forward Proxy decryption?

The first step is to configure a forward trust certificate on the firewall.

What license is required to enable Decryption port mirroring?

The free PAN-PA-DECRYPT license must be installed. It has no expiration date.

The GlobalProtect client will connect to either an internal gateway or an external gateway based on its location (inside or outside of the corporate network). How is this location determined?

The location is determined by reverse DNS lookup.

If the public and private cloud solutions are used together, which cloud analysis prevails when overlapping configurations exist?

The private-cloud analysis prevails with overlapping configurations

What is the Candidate configuration?

The running configuration is copied to a Candidate configuration during FW startup. In-progress edits are made to the candidate config.

What are the benefits of telemetry?

The threat intelligence gathered assists in delivering an enhanced intrusion prevention system and spyware signatures to you and other customers worldwide.

Zone Protection Profiles are applied to what?

These profiles are attached to security zones and act on traffic entering (ingressing) that zone through any of its interfaces.

What are tags?

These are color coded labels that you can create and assign to elements throughout the firewall configuration. They make it easier to identify items or sets of items.

What is the function of UUIDs or Universally Unique Identifiers?

These are created and assigned to a Security policy rule upon creation of the rule. They provide a complete audit trail that captures the entire operational history of a rule. It standardizes the tracking of policy modifications.

Where do Palo Alto Networks firewalls across the world automatically forward unknown files and URL links found in emails.

These are forwarded to the WildFire Threat Intelligence Global Cloud or to one of three WildFire regional clouds for analysis.

What are Security Profiles?

These are objects that are added to Security policy rules that are configured with an action of "allow". They are applied to all packets over the life of a session. They represent additional security checks and enable more granular control.

What are Virtual systems or vsys?

These are separate, logical firewall instances within a single physical Palo Alto Networks firewall.

What do Report Groups enable?

These enable you to create sets of reports that the firewall can compile and send as a single aggregate PDF report with an optional title page and all the constituent reports included.

What do URL Filtering Profiles enable?

These profiles enable you to monitor and control how users access the web over HTTP and HTTPS

DoS Protection policy and Profile provide protection for what?

These provide protection for a Destination zone or destination host.

What is Policy-based forwarding or PBF?

These rules allow traffic to take an alternative path from the next hop specified in the route table, and typically are used to specify an egress interface for security or performance reasons.

In IKE phase one how are devices identified to the other?

They are identified to each other by a peer ID, usually the public IP address of the device.

What communication protocol does the Windows-based agent use?

This agent uses the MS-RPC protocol, which requires the full Windows Security logs to be sent to the agent, where they are filtered for the relevant User-ID information.

What is the purpose of the MGT port on the Palo Alto Networks firewall?

This allows for a dedicated out-of-band network management interface that passes only management traffic and cannot be configured as a standard traffic interface. It is used for direct connectivity to the management plane of the firewall.

What is Palo Alto's AutoFocus?

This application gives security operations and analysis teams direct access to all of the threat intelligence Palo Alto gathers from customers, open source feeds, and the Unit 42 threat research team.

What is MineMeld?

This application natively integrates with the Palo Alto Networks Security Operating Platform to automatically create new prevention-based controls for URLs, IP addresses, and domains from intelligence derived from all sources providing data to it. This app can filter, deduplicate, and consolidate metadata across all sources.

What is Palo Alto's GlobalProtect?

This application safeguards the mobile workforce by inspecting all traffic using the organization's next-gen firewalls that are deployed as internet gateways. Devices with this app automatically establish a secure SSL/IPsec VPN connection to the next-generation firewall with the best performance for a given location, thus providing full visibility of all network traffic, for apps, and across all ports and protocols.

What does the Commit Lock selection do?

This blocks other admins from committing the candidate configuration.

What does a File Blocking Profile do?

This blocks prohibited, malicious, and suspect files from being downloaded to or uploaded from the network.

How can a redirection of clients to a standby portal on another firewall be facilitated in the case of a downed portal?

This can be executed by a change in the DNS record of the portal.

What are some attributes of the Cloud-based DNS signature database?

This database provides instant access to newly added DNS signatures without the need to download updates. It includes built-in domain detection logic that can identify potentially malicious domains.

What does a Decryption Broker do?

This enables the firewall to forward decrypted, cleartext traffic to a security chain for additional enforcement, giving those appliances complete visibility into network traffic.

What does GlobalProtect ensure?

This ensures basic levels of remote connectivity. It builds on familiar mobile security technology: the remote access VPN. It also ensures that the same secure application enablement policies that protect users at the corporate site are enforced for all users, independent of their location.

What is Symmetric return?

This ensures that return traffic is forwarded out through the same interface on which the original traffic ingressed.

What does the Decryption Port Mirroring feature enable?

This feature enables a firewall to forward packet captures of decrypted traffic to a traffic collection tool, for archiving and analysis.

In generating a certificate what must the Common Name field display?

This field must display the FQDN or IP address of the firewall.

What is Expedition's intent?

This fourth-generation Migration Tool is intended to reduce the time and effort needed to migrate configuration from one of the supported vendors to Palo Alto Networks.

Where is information that is reported back to a firewall from WildFire recorded?

This information from WildFire is recorded by the firewall in the WildFire Submissions log.

What communication protocol does the PAN-OS integrated agent use?

This integrated agent uses either the Windows Management Instrumentation, or WMI, or the Windows Remote Management Protocol, or WinRM, which enables the agent to retrieve only the relevant User-ID information from the Windows Security logs.

What is Prisma Access?

This is Security delivered from the cloud.

What is Prisma SaaS?

This is a SaaS-based service that protects cloud-based applications such as Box, Salesforce, and Dropbox by managing permissions and scanning files for external exposure and sensitive information. This service focuses on DLP for PII, PCI and other sensitive data.

What is the WF-500?

This is a WildFire private cloud solution. It supports Windows XP and Windows 7 virtual environments.

What is Safe Search?

This is a best-effort setting in web browsers that is used to prevent sexually explicit content from appearing within search results. The search provider and not Palo Alto Networks determines what is considered explicit.

What is WildFire?

This is a cloud-based, virtual sandbox used to evaluate unknown files and URL links found in emails.

What is Palo Alto's Cortex?

This is a common application framework where apps can be created and developed to rapidly build and deliver cloud-based security services with no additional infrastructure or on-premises hardware changes.

What is telemetry?

This is a community-driven approach to threat prevention. It enables your firewall to periodically collect and share information about applications, threats, and device health with Palo Alto Networks. It also performs passive DNS monitoring.

What is a zone in a Palo Alto FW?

This is a logical grouping based on a particular type of traffic on your network

What is a Loopback interface?

This is a logical interface that can be reached through a physical interface or subinterface.

In Palo Alto firewalls what is Content-ID?

This is a real-time threat prevention engine with administrator-defined policies to inspect and control content traversing the firewall

A SaaS application that you formally approve for use on your network is what type of application?

This is a sanctioned application.

What is a security chain?

This is a set of inline, third-party appliances dedicated to performing a specific security function such as an IPS. A single FW can distribute decrypted sessions to a maximum of 64 security chains.

In Palo Alto networks terms what is meant by an Application?

This is a specific program or feature whose communication can be labeled, monitored, and controlled.

What is Syslog?

This is a standard log transport mechanism that enables the aggregation of log data from different network devices such as routers, firewalls, and printers from different vendors into a central repository for archive, analysis, and reporting.

What is an application group?

This is a static, administrator-defined set of applications that enable you to create a logical grouping of applications that can be applied to Security, QoS, and PBF policy rules. They can contain applications, filters, or other application groups.

How is telemetry enabled?

Telemetry is an opt-in feature; an administrator must explicitly enable it on the firewall.

Explain Zero Trust security models.

This is an alternative security model that addresses the shortcomings of failing perimeter-centric strategies by removing the assumption of trust. It promotes "never trust, always verify" as a guiding principle.

What is an Application filter?

This is an object that dynamically groups applications based on application attributes that you select from the App-ID database.

How does the firewall determine packet rates?

This is determined by tracking the packets per second sent from one or many hosts to one or many ingress interfaces in the zone.

What is Cortex Data Lake?

This is formerly known as the Logging Service. It provides cloud-based, centralized log storage and aggregation for your on-premises, virtual, private cloud, and public cloud firewalls, and for GlobalProtect cloud service.

For what is the portal responsible?

This is responsible for coordinating communications and interaction between all other GlobalProtect components.

What does the Change Summary page display?

This lists the individual settings for which you are committing changes.

What is Session monitoring used to maintain?

This method is used to maintain known IP address-to-username mappings

Where does most configuration for GlobalProtect take place.

This mostly happens on the portal.

What is Palo Altos Panorama network security management?

This network security management provides consolidated policy creation and centralized management. It allows for the implementation and control of firewalls centrally with an efficient rulebase, and it adds insight into network-wide traffic and threats.

What is Split-brain operations?

This occurs when a nonredundant Control link goes down, which causes the management plane to miss heartbeats, although the firewall is still functioning. The passive firewall concludes that the active firewall is down and attempts to start services that are already running on the active firewall.

What does the predefined, read-only default URL Filtering Profile block?

This profile blocks known malware sites, phishing sites, and adult content sites.

What does Zone Protection Profile protect against?

This protects against the most common SYN, UDP, and ICMP flood attacks.

What is GlobalProtect clientless VPN?

This provides secure remote access to common enterprise web applications that use HTML, HTML5, and JavaScript technologies.

What does GlobalProtect Gateways provide?

This provides security enforcement for traffic from GlobalProtect agents and apps.

What does GlobalProtect Portal provide?

This provides the management functions for your GlobalProtect infrastructure.

With File blocking what does a "continue" action mean?

This requires user permission to complete the file transfer. This action only operates when paired with the application web-browsing.

What is a Universal rule type?

This rule applies to all matching interzone and intrazone traffic in the specified source and destination zones.

What is an Interzone rule type?

This rule applies to all matching traffic between the specified source and destination zones.

What is an Intrazone rule type?

This rule applies to all matching traffic within the specified source zones. You cannot specify a destination zone for an intrazone rule.

What is the function of GlobalProtect client software?

This runs on end-user systems and enables access to network resources via the deployed GlobalProtect portals and gateways.

What is the function of Global Find?

This searches the candidate configuration and content databases on a firewall for a particular string, e.g. an IP address, object name, policy rule name, threat ID, or application name.

What does the Config Lock selection do?

This selection blocks other admins from changing the candidate configuration.

What does the Validate Commit link display?

This shows any error messages that would appear during a commit. It will display Warnings, which would not prevent a commit and Errors, which do prevent commits.

What is the Running configuration?

This is the actual configuration controlling the operation of the firewall. It is maintained in a file on the FW named running-config.xml.

What does the Maximum threshold determine?

This threshold determines when all packets should be dropped.

What does the Activate threshold determine?

This threshold determines when the mitigation response should be triggered. At this point, Random Early Drop is initiated. RED is the default setting.

What does the Alarm rate threshold determine?

This threshold rate determines when an alert should be triggered. These alerts are then recorded in the Threat log and on the Dashboard.
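Added illustration of how the three flood thresholds and the collective packet rate fit together; it is written for this study set and is not PAN-OS code. What the cards state is that Alarm logs, Activate starts Random Early Drop (RED) and Maximum drops everything; the linear RED ramp between Activate and Maximum used here is an assumption, and computing the rate per whole second from packet timestamps is a simplification. The profile values, IP addresses and packet sample are constructed.

```python
"""Evaluate a Zone Protection flood profile's Alarm, Activate and Maximum
thresholds against the collective packet rate into a zone.

Added illustration for this study set, not PAN-OS code. Assumptions: RED
drop probability rises linearly from 0 at Activate to 1 at Maximum, and the
rate is measured per whole second across all source hosts.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodProfile:
    """Thresholds in packets per second, as entered on a flood-protection tab."""
    alarm: int      # log an alert in the Threat log
    activate: int   # begin Random Early Drop
    maximum: int    # drop every packet

    def __post_init__(self):
        if not 0 < self.alarm <= self.activate <= self.maximum:
            raise ValueError("need 0 < alarm <= activate <= maximum")


def packets_per_second(packets):
    """Collective rate: packets from one or many hosts into the zone, per second."""
    return Counter(int(ts) for ts, _src in packets)


def classify(rate, profile):
    """Map a pps rate to the action the profile takes at that rate."""
    if rate >= profile.maximum:
        return "drop-all"
    if rate >= profile.activate:
        return "random-early-drop"
    if rate >= profile.alarm:
        return "alarm"
    return "allow"


def drop_probability(rate, profile):
    """Assumed RED ramp: 0 at Activate, rising linearly to 1 at Maximum."""
    if rate >= profile.maximum:
        return 1.0
    if rate < profile.activate:
        return 0.0
    span = profile.maximum - profile.activate
    return (rate - profile.activate) / span if span else 1.0


def evaluate(packets, profile):
    """Per-second verdicts: {second: (rate, action, expected packets forwarded)}."""
    verdicts = {}
    for second, rate in sorted(packets_per_second(packets).items()):
        action = classify(rate, profile)
        forwarded = round(rate * (1.0 - drop_probability(rate, profile)))
        verdicts[second] = (rate, action, forwarded)
    return verdicts


# Constructed sample: (timestamp, source IP) pairs arriving at the untrust zone.
PROFILE = FloodProfile(alarm=10, activate=20, maximum=50)
SAMPLE = (
    [(0.0 + i / 10, "203.0.113.7") for i in range(5)]                 # 5 pps: normal
    + [(1.0 + i / 20, "203.0.113.7") for i in range(12)]              # 12 pps: alarm only
    + [(2.0 + i / 40, f"198.51.100.{i % 4}") for i in range(32)]      # 32 pps: RED
    + [(3.0 + i / 100, f"198.51.100.{i % 8}") for i in range(80)]     # 80 pps: drop all
)

if __name__ == "__main__":
    for second, (rate, action, fwd) in evaluate(SAMPLE, PROFILE).items():
        print(f"t={second}s rate={rate} pps action={action} forwarded~{fwd}")
```

The point the numbers make: between Alarm and Activate nothing is dropped, only logged, so an Alarm threshold set too close to Maximum gives no warning before traffic starts being discarded. At 32 pps the assumed ramp drops 40% of packets; at 80 pps every packet is dropped regardless of source.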

What are the functions of PKI?

To create, manage, distribute, and revoke public keys and digital certificates through the use of hardware, software, policies, and standards.

True or False: A Backup Control link helps prevent split-brain operation in a firewall HA cluster.

True

True or False: A Layer 3 interface can be configured as dual stack with both IPv4 and IPv6 addresses?

True

True or False: A Report Group must be sent as a scheduled email. It cannot be downloaded directly.

True

True or False: A Security Profile attached to a Security policy rule is evaluated only if the Security policy rule matches traffic and the rule action is set to "Allow"

True

True or False: A URL Filtering license is not required to define and use custom URL categories.

True

True or False: A VPN tunnel interface is a logical Layer 3 interface

True

True or False: A VPN tunnel interface must be added to a Layer 3 security zone

True

True or False: A portal can act as a CA for the system.

True

True or False: A tap interface cannot be used to block traffic or perform traffic shaping.

True

True or False: By default, a PAN-OS Security policy allows intrazone traffic.

True

True or False: Choose Commit updates the running configuration with the contents of the candidate configuration.

True

True or False: Click Save creates a copy of the current candidate configuration.

True

True or False: Communications between the firewall and the User-ID agent are sent over an encrypted SSL connection.

True

True or False: Data flow on the Data link is unidirectional and flows from the active to the passive firewall.

True

True or False: Each loopback is assigned an IP address and behaves as a host interface. It is used to provide access to FW services.

True

True or False: For Palo Alto NGFW the OS is consistent across all platforms.

True

True or False: GlobalProtect gateway provides security enforcement for traffic from GlobalProtect clients.

True

True or False: GlobalProtect gateway requires a tunnel interface for external clients.

True

True or False: GlobalProtect gateway tunnel interfaces are optional for internal gateways.

True

True or False: Heatmaps and BPA are online tools available only to partners and employees.

True

True or False: IPsec is a set of protocols used to set up a secure tunnel for the VPN traffic.

True

True or False: If a GlobalProtect agent fails to establish an IPsec connection, the connection type falls back to SSL-VPN.

True

True or False: In terms of scheduled log export, after the first export, the system exports only logs collected since the last export.

True

True or False: Not all SSL traffic should be decrypted.

True

True or False: PKI has root and intermediate certificate authorities.

True

True or False: PKI solves the problem of secure identification of public keys

True

True or False: PKI uses digital certificates to verify key owners

True

True or False: Palo Alto Networks firewalls support X.509-format certificates.

True

True or False: Policy rules are unidirectional.

True

True or False: Revert replaces the candidate configuration with the running configuration, discarding uncommitted changes.

True

True or False: SSH does not use certificates.

True

True or False: SSL decryption cannot be used when servers require client-side certificates.

True

True or False: Safe search is a best-effort setting.

True

True or False: Safe search is a web browser setting.

True

True or False: Safe search is designed to block sexually explicit web content.

True

True or False: Service routes can be used to configure an in-band port to access external services.

True

True or False: The Antivirus Security Profile defines actions to be taken if an infected file is detected as part of an application.

True

True or False: The Decryption broker feature is only supported with SSL Forward Proxy decryption enabled.

True

True or False: The DoS protections are not linked to Security policy.

True

True or False: The User Credential Detection tab can be used to block traffic when users submit their corporate credentials to a website.

True

True or False: The default URL Filtering Profile cannot be deleted or modified.

True

True or False: The firewall implicitly allows intrazone traffic and implicitly denies interzone traffic.

True

True or False: The firewall needs to have information for every User-ID agent to which it will connect.

True

True or False: There is no direct communication among gateways or between gateways and portals.

True

True or False: Tunnels will be established only when relevant traffic attempts to cross.

True

True or False: WF provides the ability to identify malicious behaviors in executable files by running them in a virtual environment and observing their behaviors.

True

True or False: When the firewall is configured to decrypt SSL traffic going to external sites, it functions as a forward proxy.

True

True or False: When you create a static route for the VPN, no next hop IP address is required

True

True or False: WildFire identifies threats by signatures, which are available for download by Palo Alto Networks FWs in as little as 5 minutes

True

True or False: WildFire uploads files for analysis to a WildFire solution maintained in the customer's environment and/or a hosted public cloud environment.

True

True or False: You can configure and manage up to 20 WildFire appliances as a WildFire appliance cluster on a single network.

True

True or False: Zone names are case sensitive.

True

True or False: Users can be used in policy rules only if they are known to the firewall.

True

Of the three types of Security policy rules that can be created which is the default rule type?

Universal

When incorrectly inputting a URL Override PW 3 times what happens?

User is locked out for 30 min by default.

What functionality lets a GlobalProtect gateway map IP addresses to users?

User-ID

By default when is an IP address considered unreachable?

When 10 consecutive pings fail.

When is an authentication Profile specified?

When an administrator account is created.

To reduce the number of unnecessary Security policy lookups by the firewall, what is recommended in configuring?

When configuring minimize the use of "any" in the columns, when possible.

When are Virtual Wire interfaces typically used?

When no switching or routing is required.

When does the firewall consider any rule to be Port-based?

When the application field is set to Any.

If you have a WildFire and PAN-DB license, how quickly can your firewall block access to newly discovered malware and phishing sites?

You can block access to newly discovered malware and phishing sites in as little as 5 minutes.

How often does the FW check for updates?

You configure how frequently the FW checks for updates. The shortest intervals are: Antivirus, every hour; Applications and Threats, every 30 minutes; WildFire, every minute.

What must you do if you do not want the MGT port to access external services?

You must configure an in-band port to access the external services.

With Layer 3 interfaces to support IPv6 addresses, what must be done?

You must enable IPv6 on the firewall configuration.

Why should you never enable User-ID for a zone that contains the internet?

You should never do this because your firewall will attempt to identify every user from outside your network.

What is a drive-by download?

a type of malware that installs itself without the user's knowledge when the user visits a website
