PSE-Strata Palo Alto Networks System Engineer Professional - Strata Questions and Answers

Having WildFire machine learning (ML) capability inline on the firewall provides significant advantages in real-time threat prevention.

Inline ML Capability:

The firewall can analyze and block unknown malicious files in real-time, preventing the first instance of infection (patient zero).

This enhances security without disrupting business productivity, as threats are mitigated immediately.

When sizing the Cortex Data Lake for Traps Management Service, two key factors must be considered:

Retention Requirements: It is essential to determine how long the logs and data need to be retained in the Cortex Data Lake. This affects the overall storage capacity required, as longer retention periods will necessitate more storage space​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

The Number of Traps Agents: The total number of Traps agents deployed will directly impact the volume of data being generated and sent to the Cortex Data Lake. More agents mean more data, which in turn requires a larger data lake capacity to handle the increased load​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

Decryption Broker on a Next-Generation Firewall (NGFW) provides two primary benefits:

Offloading SSL decryption: The NGFW decrypts traffic once and then forwards it to multiple security devices for inspection, avoiding the need to decrypt and re-encrypt traffic multiple times, thus improving efficiency.

Reducing third-party devices: By handling SSL decryption within the NGFW, the need for separate, dedicated SSL decryption devices is eliminated, reducing the complexity and number of devices required for network security.

These features streamline traffic analysis and enforcement while maintaining robust security.

References: Palo Alto Networks Decryption Broker documentation.

 To protect against port scans from the internet, a Zone Protection Profile should be applied to the zone of the ingress interface. This profile helps defend the network by setting thresholds for various types of scans and attacks, including port scans, thus reducing the risk of reconnaissance activities that precede actual attacks​ (Palo Alto Networks)​​ (Palo Alto Networks)​.QUESTION NO: 43

When log sizing is factored for the Cortex Data Lake on the NGFW, what is the average log size used in calculation?

A. 8MB

B. depends on the Cortex Data Lake tier purchased

C. 18 bytes

D. 1500 bytes

Answer: D

When calculating log sizing for the Cortex Data Lake on the NGFW, the average log size used is 1500 bytes. This size helps in estimating storage requirements and planning for log retention policies efficiently, ensuring that there is adequate storage capacity to handle the volume of logs generated by the network firewalls​ (Palo Alto Networks)​​ (Palo Alto Networks)​.QUESTION NO: 44

What can be applied to prevent users from unknowingly downloading malicious file types from the internet?

A. A vulnerability profile to security policy rules that deny general web access

B. An antivirus profile to security policy rules that deny general web access

C. A zone protection profile to the untrust zone

D. A file blocking profile to security policy rules that allow general web access

Answer: D

To prevent users from unknowingly downloading malicious file types from the internet, a File Blocking Profile should be applied to security policy rules that allow general web access. This profile can be configured to block or alert on downloads of specific file types that are commonly used to deliver malware, providing an additional layer of protection against threats​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

Checking for Corporate Credential Submissions involves monitoring and validating credential usage within the network.

Doman Credentialiter (Option A):

Monitors the use of corporate credentials and alerts on suspicious activity.

For the User-ID Agent to perform WMI (Windows Management Instrumentation) Authentication on a Windows Server, the following domain permissions are required:

Domain Administrators: This group has the highest level of privileges in the domain and can perform any action within the Active Directory domain.

Distributed COM Users: This group allows members to launch, activate, and use Distributed COM objects on the server.

Event Log Readers: This group provides read access to the event logs, which is crucial for the User-ID Agent to collect security events necessary for user identification​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

WildFire signatures are generated based on the analysis of unknown files submitted to the WildFire cloud. These signatures are updated and pushed to the antivirus database every 24 hours. This frequent update cycle ensures that the firewall can detect and block the latest threats quickly and effectively, minimizing the window of exposure to new malware.

Choosing between the hardware and virtual offerings of Panorama depends on specific use cases and requirements.

Dedicated Logger Mode is Required: Hardware Panorama can be configured in Dedicated Logger Mode, which is not available in the virtual offering. This mode is crucial for environments needing dedicated, high-capacity log collection and storage.

Logs per Second Exceed 10,000: Hardware Panorama is designed to handle high log rates more efficiently than the virtual offering. When the log rate exceeds 10,000 logs per second, the hardware version can manage the load more effectively, ensuring better performance and reliability.

To trigger a known spyware threat signature based on a rate of occurrence (e.g., 10 hits in 5 seconds), you need to add a correlation object that tracks the occurrences and triggers an alert or action when the specified threshold is met. This correlation object monitors the frequency of the spyware signatures and ensures that action is taken only when the threshold is exceeded, providing more granular control over threat detection and response.

References: Palo Alto Networks Threat Prevention and Correlation Objects documentation.

The Best Practice Assessment (BPA) tool by Palo Alto Networks identifies tasks related to improving device management access. This includes evaluating the current state of management access configurations and providing recommendations to enhance security, such as implementing multi-factor authentication, using secure management interfaces, and restricting access based on roles.

References: Palo Alto Networks Best Practice Assessment tool documentation.

The following platform components can identify and protect against malicious email links:

WildFire hybrid cloud solution (A): This solution integrates on-premises and cloud-based threat intelligence to detect and prevent malware, including malicious email links.

WildFire public cloud (B): This component leverages the power of the cloud to provide real-time updates and protection against the latest threats, including those found in email links.

WF-500 (C): This appliance is designed to analyze files and links to detect malware and prevent it from spreading within the network.

These components work together to provide comprehensive protection against email-based threats, ensuring that organizations can identify and block malicious links before they cause harm.

The CLI command that allows you to view latency, jitter, and packet loss on a virtual SD-WAN interface is:

show sdwan path-monitor stats vif

This command displays the statistics related to the virtual SD-WAN interface, including important metrics such as latency, jitter, and packet loss. These metrics are crucial for monitoring the performance and quality of the SD-WAN connections to ensure optimal network performance and quick identification of issues.

References:

Palo Alto Networks SD-WAN Configuration Guide

Palo Alto Networks CLI Reference

Using Panorama for managing virtual firewalls in a data center deployment provides several advantages:

Automated Correlation Engine Functionality: Panorama offers an Automated Correlation Engine that can aggregate and analyze logs from multiple firewalls, including virtual ones, to identify patterns and threats that individual firewalls might not detect. This centralized analysis capability is crucial for comprehensive threat detection and response​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

Bootstrapping Virtual Firewalls: Panorama can automate the deployment of virtual firewalls by using bootstrapping configurations. This allows for dynamic and rapid deployment of firewalls in cloud environments, ensuring that security policies are consistently applied from the moment the virtual firewalls are launched​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

For a price-sensitive customer needing to secure a Windows Virtual Server with a maximum throughput of 100Mbps and requiring up to 45,000 sessions, the VM-200 instance is the appropriate choice. The VM-200 is designed to handle up to 100Mbps of throughput and supports a sufficient number of sessions to meet the customer's requirements, making it a cost-effective and suitable option for this use case​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

Palo Alto Networks' Threat Intelligence Cloud sources malware sample data from various significant inputs:

Next-generation firewalls deployed with WildFire Analysis Security Profiles: These firewalls are equipped with WildFire Analysis Security Profiles, which analyze unknown files and email links to detect zero-day threats and malware. This provides a rich source of real-time threat data.

WF-500 configured as private clouds for privacy concerns: The WF-500 appliance is used by organizations that prefer to maintain privacy and have stringent data control requirements. It serves as a private cloud for malware analysis, adding another layer of data collection.

Third-party data feeds: Partnerships with organizations like ProofPoint and the Cyber Threat Alliance enable Palo Alto Networks to integrate additional threat intelligence feeds. These third-party collaborations expand the breadth and depth of threat data available for analysis and defense​ (Palo Alto Networks)​​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

The SIA (Scan It All) Processing Engine in a Next-Generation Firewall (NGFW) is responsible for handling multiple security functions such as file proxy solutions, virus and spyware scanning, vulnerability scanning, and HTTP decoding for URL filtering. This engine ensures comprehensive security coverage by performing deep inspection and analysis of network traffic to detect and mitigate various types of threats, ensuring robust protection for the network.

To prevent attacks involving malicious files such as .doc and .pdf types, the customer should enable WildFire.

WildFire: This feature analyzes files to detect and prevent zero-day threats by running the files in a virtual environment to observe their behavior. If a file is deemed malicious, WildFire generates signatures and updates the firewall to block such threats in the future. Enabling WildFire provides advanced protection against undetectable sources of malicious files.

File Blocking Profiles can help prevent drive-by downloads by blocking certain types of file downloads that are commonly associated with malware. This allows web-browsing traffic to continue but prevents potentially harmful files from being downloaded automatically, thus protecting against malicious software that could be installed without user consent.

References:

Palo Alto Networks' documentation on File Blocking Profiles

OWASP (Open Web Application Security Project) guidelines on preventing drive-by downloads

To support MineMeld indicators on PAN-OS External Dynamic Lists (EDLs), you must configure the Prototype setting. The prototype defines the type of node and its configuration in MineMeld, which is essential for generating the correct feed format that the firewall can consume. This allows the EDL to dynamically pull in threat intelligence data from MineMeld and apply it to security policies​ (LIVEcommunity | Palo Alto Networks)​​ (LIVEcommunity | Palo Alto Networks)​.

When configuring Prisma Cloud to scan your Amazon S3 account, the service requires specific permissions to access your S3 resources. This is achieved by providing the access key ID, which, along with the secret access key, allows Prisma Cloud to authenticate and authorize the necessary access to your S3 buckets. This method ensures secure and efficient management of permissions and access within your AWS environment​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

To provide access for 5500 mobile users and 10 remote locations (100Mbps each) for one year with Base Support and minimal logging, the following Bill of Materials (BOM) should be selected:

5500x PAN-GPCS-USER-C-BAS-1YR: This covers the license for 5500 mobile users for one year.

1000x PAN-GPCS-NET-B-BAS-1YR: This covers the network license for 10 remote locations.

1x PAN-LGS-1TB-1YR: This provides minimal logging capability.

1x PAN-PRA-25: This includes the Prisma Access license.

1x PAN-SVC-BAS-PRA-25: This includes the Base Support service for Prisma Access.

These components ensure that the customer has the necessary licenses and support to meet their requirements.

Palo Alto Networks' platform addresses concerns regarding SSL decryption by offering the ability to define a list of websites or URL categories that can be excluded from decryption. This feature allows organizations to comply with privacy and regulatory requirements while still gaining visibility into encrypted traffic where necessary. By creating exceptions for specific websites or URL categories, organizations can strike a balance between security needs and privacy concerns. This method ensures that sensitive data remains confidential while still allowing the firewall to inspect other traffic for threats.

When a packet associated with an existing session arrives at the firewall, it is processed through the fast path because the session establishment has already occurred, so the session lookup can be quickly determined. If the packet is subject to content inspection, it will then be processed through a single stream-based content inspection engine before it is allowed to egress. This approach ensures efficient packet handling and minimizes latency while maintaining necessary security inspections.

Palo Alto Networks Zero Touch Provisioning (ZTP) offers significant business value by automating and simplifying the process of adding new firewalls to the network, specifically the Panorama management server.

Automation and Simplification:

ZTP automates the initial configuration and deployment of new firewalls, reducing the need for manual intervention.

This leads to faster deployment times and reduces the potential for human error.

WildFire can analyze various script types to detect and mitigate potential threats.

JScript (Option C):

JScript files can be used in web-based attacks and are commonly analyzed by WildFire.

The command show mlav cloud-status is used to verify that the machine learning-based antivirus (MLAV) for portable executable (PE) files is functioning correctly within the Palo Alto Networks WildFire environment. This command provides the status of the machine learning model updates and their integration with the antivirus profile. If the model is working properly, this command will return information indicating that the MLAV service is active and synchronized with the cloud-based threat intelligence. This ensures that the firewall is effectively leveraging machine learning to identify and block malicious PE files.

To receive weekly dynamic updates to the correlation objects on the firewall and Panorama, the required licenses are:

Threat Prevention on the firewall (B): This license enables the firewall to receive and apply the latest threat signatures and updates.

Support on Panorama (B): This license ensures that Panorama can receive the necessary updates to maintain up-to-date correlation objects and manage the security infrastructure effectively.

These licenses together ensure that both the firewall and Panorama are equipped with the latest security intelligence to protect against emerging threats​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

The Palo Alto Networks platform approach to security offers several key benefits:

Operational Efficiencies: By automating incident review and response, the platform reduces the need for manual intervention, thereby decreasing the mean time to resolution (MTTR). This streamlines security operations and allows teams to focus on more strategic tasks.

Increased Security: The scalable cloud-delivered security services (CDSS) provided by Palo Alto Networks ensure that security measures can be dynamically scaled to meet the needs of the organization, offering robust protection against evolving threats.

Cost Savings: The platform reduces the overall IT management effort and device requirements, leading to significant cost savings. This is achieved through integrated solutions that minimize the need for multiple disparate security products and simplify management.

Information about Command-and-Control (C2) hosts can be found in the following items:

Threat logs (A): These logs contain detailed information about detected threats, including C2 activities.

WildFire analysis reports (B): WildFire reports provide insights into malicious files and their behaviors, including any C2 communication attempts.

Botnet reports (C): These reports identify infected hosts within the network that are communicating with known botnet C2 servers.

These sources collectively provide comprehensive visibility into C2 activities within the network, aiding in the detection and mitigation of compromised hosts​ (Palo Alto Networks)​​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

When deploying User-ID, it's crucial to specify included and excluded networks to ensure that only relevant traffic is monitored, reducing unnecessary load and potential privacy concerns. Enabling User-ID only on trusted zones minimizes the risk of exposing sensitive user information. Using a dedicated service account with minimal permissions necessary for User-ID services enhances security by limiting the potential damage if the account is compromised.

References:

Palo Alto Networks' User-ID Best Practices

NIST Special Publication 800-53 on Access Control

Logs from various products can be sent to the Cortex Data Lake, which serves as a centralized logging and data repository:

PA-3260 firewall: This next-generation firewall (NGFW) is capable of forwarding comprehensive logs, including threat, traffic, and user activity data, to the Cortex Data Lake for centralized analysis and response.

Prisma Access: This cloud-delivered security service ensures secure access to applications and data from anywhere. It integrates with Cortex Data Lake to provide consistent security across all users, irrespective of their location, by logging security events and user activities​ (Palo Alto Networks)​​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

In the context of XYZ Corporation's legacy environment with asymmetric routing, enabling redundancy while supporting asymmetric routing can be effectively managed with Palo Alto Networks firewalls. Asymmetric routing occurs when the path the traffic takes to reach a destination is different from the path it takes to return. To handle this scenario, the following two features must be enabled:

HA Active/Active (B): High Availability (HA) in an active/active configuration allows both firewalls in the pair to process traffic simultaneously. This is essential for handling asymmetric routing as both firewalls can process and route packets independently, ensuring that the traffic can flow correctly even if it comes back via a different path.

Policy-Based Forwarding (D): Policy-Based Forwarding (PBF) enables the firewall to make routing decisions based on policies that match traffic to specific interfaces, rather than relying solely on the routing table. This is crucial for asymmetric routing because it allows the firewall to direct return traffic along a specific path, aligning with the asymmetric nature of the traffic flow.

References:

Palo Alto Networks, High Availability Concepts, and Policy-Based Forwarding documentation.

To configure the Decryption Broker, the following two steps are required:

Activate the Decryption Broker license: Ensure that the appropriate license is activated to enable the decryption broker feature.

Enable SSL Forward Proxy decryption: Configure SSL Forward Proxy decryption on the firewall to intercept, decrypt, and inspect SSL/TLS traffic. This setup allows the decrypted traffic to be forwarded to other security devices for further analysis.

These steps are essential to leverage the Decryption Broker functionality, which facilitates deeper inspection and security analysis of encrypted traffic.

References:

Palo Alto Networks Decryption Broker Configuration Guide

Palo Alto Networks SSL Decryption Documentation

Dynamic User Groups (DUGs) in Palo Alto Networks are determined using tags. Tags are metadata assigned to users based on various criteria, such as behavior, location, or other attributes. These tags are used to dynamically update group memberships without manual intervention. For instance, if a user meets certain conditions defined by the administrator, they are automatically tagged and included in the respective DUG. This feature enhances the flexibility and automation of security policies, ensuring that the right policies are applied to the right users in real-time.

The Palo Alto Networks Cloud Identity Engine (CIE) includes services such as Directory Sync and Cloud Authentication Service. These services support identity providers (IdP) using standards like SAML 2.0 and OAuth2. Directory Sync ensures that user and group information from on-premises directories are available in the cloud, while Cloud Authentication Service facilitates secure authentication and single sign-on (SSO) for users.

Expedition is a tool provided by Palo Alto Networks to help streamline the migration and optimization of security policies. Two key presales selling advantages of using Expedition are:

Streamline & Migrate to Layer7 Policies Using Policy Optimizer: Policy Optimizer helps in converting traditional Layer 3/4 policies into more granular Layer 7 application-based policies. This migration ensures more precise control and better security by focusing on the actual applications rather than just IP addresses and ports.

Reduce Effort to Implement Policies Based on App-ID and User-ID: Expedition facilitates the implementation of security policies based on Palo Alto Networks' App-ID and User-ID technologies. This reduces the complexity and effort required to manage security policies, as policies can be applied based on specific applications and user identities, leading to more effective and efficient security management.