PCNSE COMPUTER SKILL EXAM ALL ANSWERS 100% CORRECT SPRING FALL-2023/24 LATEST EDITION GUARANTEED GRA (All)
AutoFocus
The AutoFocus threat intelligence service enables security teams to prioritize their response to unique, targeted attacks and gain the intelligence, analytics and context needed to protect ... your organization. It provides context around an attack spotted in your traffic and threat logs, such as the malware family, campaign, or malicious actor targeting your organization. AutoFocus correlates and gains intelligence from:
o WildFire® service - the industry's largest threat analysis environment
o PAN-DB URL filtering service
o MineMeld application for AutoFocus, enabling aggregation and correlation of any third-party threat intelligence source directly in AutoFocus
o Traps advanced endpoint protection
o Aperture SaaS-protection service
o Unit 42 threat intelligence and research team
o Intelligence from technology partners
o Palo Alto Networks global passive DNS network

GlobalProtect
Secure Mobile Workforce. GlobalProtect cloud service reduces the operational burden associated with securing your remote networks and mobile users by leveraging a cloud-based security infrastructure managed by Palo Alto Networks. Uses client software to build secure personal VPN tunnels to the firewall.

URL Filtering
Web Security. A firewall subscription/license. Most attacks and exposure to malicious content occur during the normal course of web browsing activities, which requires the ability to allow safe, secure web access for all users. URL Filtering with PAN-DB automatically prevents attacks that leverage the web as an attack vector, including phishing links in emails, phishing sites, HTTP-based command and control, malicious sites and pages that carry exploit kits. Focuses on preventing access to PHISHING WEBSITES!!!

Active/Active HA
Both active; used in specific circumstances, such as asynchronous routing setups. Both individually maintain routing and session tables, synced to the other. HIGHER RISK!

Active/Passive HA
One active, one standby firewall. Easiest to manage. Network, Objects, Policies, Certificates and Session Table changes are synced.

Single Pass Architecture (SP3)
How a Palo Alto FW processes a packet with different variables, which include: SRC/DST Zones, SRC/DST IPs, App-ID, User-ID, Content-ID.

User-ID
Matching of a user to an IP address (or multiple IP addresses), allowing your Security policy to be based on who is behind the traffic, not the device. Can utilize Active Directory, a Captive Portal, etc.

Content-ID
Scanning of traffic for security threats (e.g., data leak prevention and URL filtering): virus, spyware, unwanted file transfers, specific data patterns, vulnerability attacks, and appropriate browsing access.

App-ID
Scanning of traffic to identify the application that is involved, regardless of the protocol or port number used. Port number is used as secondary enforcement. ALWAYS ON and will show up in Traffic logs regardless of Security Policy settings.

Security Policies
ACLs that determine the firewall's ability to enable or block sessions. Security zones, source and destination IP address, application (App-ID), source user (User-ID), service (port), HIP match, and URL categories in the case of web traffic can all serve as traffic matching criteria for allow/block decision-making.

Security Zones
Zones designate a network segment that has a similar security classification (i.e., Users, Data Center, DMZ Servers, Remote Users). All traffic must have a SRC/DST Zone.

Panorama
Panorama is the Palo Alto Networks enterprise management solution. Once Panorama and firewalls are linked, Panorama is the single interface to manage the entire enterprise. Should be implemented as a high availability cluster consisting of 2 identical platforms.

HA Monitoring
• During boot, a FW looks for an HA peer; after 60 seconds, if a peer hasn't been discovered, the FW will boot as Active.
• If a peer is found, it will negotiate with the peer. If Preempt is active, determine who has the highest priority; this FW becomes active.
• When an HA pair is stood up, a manual sync will need to be done by a "sync to peer" push.

HA Monitoring Status Colors
Green: Good
Yellow: Warning (normal state for a standby firewall in an A/P pair)
Red: Error to be resolved

HA States
○ Initial - Transient state when it joins an HA pair
○ Active - normal state, primary and processing traffic
○ Passive - normal traffic is discarded, may process LLDP and LACP traffic
○ Suspended - administratively disabled
○ Non-functional - FW is non-functional and will need to have the issues resolved before it can return to service.

Which two firewall features support Floating IP Addresses in an active/active HA pair?
Source NAT and VPN Endpoints

How do firewalls in an Active/Passive HA pair synchronize their configurations?
An administrator commits changes to one and it automatically synchronizes with the other.

Layer 2 Interface
- When your organization wants to divide a LAN into separate virtual LANs (VLANs) to keep traffic and policies for different departments separate, you can logically group Layer 2 hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you can create VLANs for the Finance and Engineering departments.
- VLAN interface required for each VLAN.
- Inline and can block traffic.

Virtual Wire Interface
- "Bump on the wire"
- Inline mode
- Can block traffic
- Good transition from legacy to NGFW.

Tap Interface
- Copy traffic from your network using port mirroring.
- Cannot block traffic, just reporting.
- Visibility into network applications, vulnerabilities and threats.

Layer 3 Interface
- Firewall is acting as a L3 router.
- Looks at traffic as it traverses inbound and outbound.
- Inline and can block traffic.
- Routing between interfaces.

Decryption Mirror
Provides the capability to create a copy of decrypted traffic from a firewall and send it to a traffic collection tool that is capable of receiving raw packet captures, such as Wireshark. RECORDS ALL DECRYPTED TRAFFIC.

Interface VLANs
Logical interfaces specifically serving as interconnects between on-board virtual switches (VLANs) and virtual routers, which allows traffic to move from Layer 2 to Layer 3 within the firewall. (SVI in Cisco terms.)

Loopback Interfaces
L3 interfaces that can be used for various purposes such as DNS sinkholes, GlobalProtect service interfaces (portals and gateways), routing identification, etc.

Tunnel Interfaces
Serve VPN tunnels (both point-to-point and large-scale VPN solutions such as GlobalProtect) and are Layer 3 only. Max 10 IPsec tunnels per tunnel interface. Must be assigned to a Virtual Router and Security Zone to apply policy.

Panorama Templates
Give you the ability to layer multiple templates and create a combined/baseline configuration for all devices attached to the template stack. Firewalls inherit the settings based on the order of the templates in the stack. The stack's data is pushed to its assigned firewalls with a Panorama push function. The stack can be an individual template or a collection of up to 16 individual templates.

Panorama Template Stack Settings (Stored by Device Groups)
- User Identification Configuration
- Traffic Interface Configurations
- Zone Protection Profiles
- Server Profile for an external LDAP server

Device Groups
Store firewall settings from Template stacks. Defined by a parent and ancestor. Firewalls are assigned to an individual Device Group from which the FW receives settings. Store App-ID, User-ID, or service.

VM-Series Firewalls
Support all modes that normal hardware FWs do: Tap, L2, L3 and VWire.

Authentication Types
• Multi-Factor
• SAML
• Single Sign-On
• Kerberos
• TACACS+
• RADIUS
• LDAP
• Local

Multi-Factor Authentication Requirements
- Server Profile
- Captive Portal
- Authentication Enforcement Profile
- Authentication Policy
- Authentication Profile

Zone Protection Profiles
Defend the zone at the inbound zone edge against various types of attacks by limiting the number of connections-per-second of different packet types. Don't control traffic between zones, only at the ingress zone.

DoS Protection Policy Rules
Defend individual IP addresses in a zone.

DoS Protection Profile
Combines with DoS Protection Policy Rules to protect specific areas of your network against ONLY packet-flood attacks and to protect INDIVIDUAL resources against session floods.

SYN Flood Protection
Protection against TCP floods.

Content Inspection
Use decryption on a firewall to prevent malicious content from entering your network or sensitive content from leaving your network concealed as encrypted traffic. Mitigation tasks for decryption:
- Preparing the keys and certificates required for decryption
- Configuring Decryption Port Mirroring

Decryption Policy
Can be used to decrypt, inspect, and control both inbound and outbound SSL and SSH connections. Allows you to specify traffic for decryption according to destination, source, or URL category and to block or restrict the specified traffic according to your security settings.

SSL Forward Proxy
Decryption of outbound SSL traffic. The FW acts as a "man-in-the-middle" to authenticate the SSL exchange bi-directionally.

Decryption Broker
Decrypting traffic and then passing it through a designated interface to external security services, providing access to the clear-text contents.

Application Override
Allows traffic identified from an existing App-ID to BYPASS layer-7 scanning (App-ID and Content-ID).

Use Cases for Application Override
▪ To identify "Unknown" App-IDs with a different or custom application signature
▪ To re-identify an existing application signature
▪ To bypass the Signature Match Engine (within the SP3 architecture) to improve processing times

Signature Database
Used by the App-ID scanning engine; updated periodically by Palo Alto Networks through the Applications and Threats updates.

Security Profile
Helps you define an "allow but scan" rule, which scans allowed applications for threats, such as viruses, malware, spyware, and DDoS attacks. Not used in the criteria match (SP3) for traffic flow. Applied to scan traffic after the application or category is allowed by the Security policy.

Credential Phishing Prevention
Scanning username and password submissions to websites and comparing those submissions against valid corporate credentials. URLs can be filtered by you for which ones you want to allow/deny.

Group Mapping
User credential detection method used if multiple users share the same client IP address.

Services
How Palo Alto FWs define port numbers for Security Policies. The equivalent to "service objects" on Cisco ASAs. Supports both TCP and UDP.

Default Palo Alto Settings
IP: 192.168.1.1
User/Pass: Admin/Admin
These must be changed via the Management Interface or via direct serial connection to the console port.

URL Category Uses
Can be used as a match condition for security, QoS, decryption or captive portal rules.

URL Filtering Log Entries
- Alert
- Block
- Continue
- Override

Service-object HTTP
Allows TCP-80 and TCP-8080.

NAT Types
Source and Destination NAT.

Source NAT Types
- Static IP (1-to-1 fixed translation)
- Dynamic IP (1-to-next available IP in pool; translation of src IP only)
- Dynamic IP & Port (many-to-1 using different ports)
- NAT Policy uses Pre-NAT zones and addresses
- Security Policy uses Pre-NAT addresses and Post-NAT destination zone

Destination NAT
Static IP (1-to-1 fixed translation), port forwarding translation.

App-ID Identification
Can ID applications in UDP data in as little as 1 packet. TCP traffic will need AT LEAST 5 packets.

Management Interface
Can be configured as a L3 interface or managed via direct connection to the Console Port.

Certificates
Palo Alto Networks firewalls and Panorama use digital certificates. Each certificate contains a cryptographic key to encrypt plaintext or decrypt ciphertext. Each certificate also includes a digital signature to authenticate the identity of the issuer. The issuer must be in the list of trusted certificate authorities (CAs) of the authenticating party. Optionally, the authenticating party verifies the issuer did not revoke the certificate.

Certificate Use Cases
- User authentication for Captive Portal, GlobalProtect™, Mobile Security Manager, and web interface access to a firewall or Panorama.
- Device authentication for GlobalProtect VPN (remote user-to-site or large scale).
- Device authentication for IPSec site-to-site VPN with Internet Key Exchange (IKE).
- Decrypting inbound and outbound SSL traffic.

Replacing the default certificate on a Palo Alto with one generated by your own CA (Certificate Authority)
The CN (Common Name) must be set to the management port of the firewall.

Virtual Router
Supports BGP, OSPF, RIP and Multicast. A virtual router is a function of the firewall that participates in Layer 3 routing. The firewall uses virtual routers to obtain routes to other subnets, either by you manually defining static routes or through participation in one or more Layer 3 routing protocols (dynamic routes). The routes that the firewall obtains through these methods populate the IP routing information base (RIB) on the firewall.

Can 2 different L3 interfaces share the same IP?
Yes, as long as they are on 2 different virtual routers.

Virtual Router Connection Types
- Layer 3 traffic interface
- Loopback interface
- Tunnel interface

IPSec VPNs
Terminated on Layer 3 interfaces. Tunnel interfaces can be put into different zones to segregate traffic. Require IPSec and Crypto profiles for Phase 1 and 2 connectivity.

Deploying IPSec VPN Tunnels
Basis of site-to-site IPSec tunnels: configuring the GlobalProtect Satellite settings of the campus and remote firewalls. GLOBALPROTECT IS ALWAYS FOR REMOTE PEOPLE!!!

GlobalProtect Details
- The GlobalProtect Portal must be enabled on a Layer 3 interface with a reachable IP address.
- The GlobalProtect Gateway creates/maintains the VPN tunnels for user traffic in SSL or IPsec forms.
- The GlobalProtect Gateway distributes an IP address to each authenticated user. (This IP-to-username address mapping can be used for effective User-ID in Security policy.)

Host Information Profile (HIP)
Enables you to collect information about the security status of your endpoints, such as whether they have the latest security patches and antivirus definitions installed, whether they have disk encryption enabled, whether the endpoint is jailbroken or rooted, or whether it is running specific software you require within your organization, and base the decision as to whether to allow or deny access to a specific host on adherence to the host policies you define.

HIP Objects
Provide the matching criteria for filtering the raw data reported by an agent or app that you want to use to enforce policy. For example, if the raw host data includes information about several antivirus packages on a client, you might be interested in a particular application because your organization requires that package. For this scenario, you create a HIP object to match the specific application you want to enforce.

GlobalProtect Gateway Functions
- Authenticating GlobalProtect users
- Managing and updating GlobalProtect client configurations

App-ID Classification
- App signature - updated via weekly content updates
- Unknown protocol decoder - heuristics look at patterns and network behavior
- Known protocol decoders - understand the syntax and commands of common applications
- Protocol decryption - SSL and SSH
- Multiple application SHIFTS can occur during a SINGLE session.

NAT type that can be used to translate between IPv4 and IPv6
NAT64

NAT Policy Check
As with Security Policies, NAT policy rules are compared against incoming traffic in sequence, and the first rule that matches the traffic is applied.

NAT Security Policy Check
Security policies that are filtering NAT'd traffic will filter by the original DST IP address, Pre-NAT Zone and Post-NAT Zone.

Which protocol is supported for decryption?
IPSec

Where do you specify that a certificate is to be used for SSL Forward Proxy?
Certificate Properties
Uploaded on: Jan 12, 2023