PCNSA Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Questions and Answers

Explanation/Reference:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention

• Service routes are a feature of PAN-OS that allows the administrator to customize the interface that the firewall uses to send requests to external services, such as DNS, email, Palo Alto Networks updates, User-ID agent, syslog, Panorama, dynamic updates, URL updates, licenses, and AutoFocus1.
• By default, the firewall uses the management interface for all service routes, unless the packet destination IP address matches the configured destination service route, in which case the source IP address is set to the source address configured for the destination1.
• However, in some scenarios, the administrator may want to use a different interface for service routes, such as when the management interface does not have public internet access, or when the administrator wants to isolate or monitor the traffic for certain services23.
• To configure service routes, the administrator can select Device > Setup > Services > Service Route Configuration and customize each service with a source interface and a source address. The administrator can also configure destination service routes to specify a destination IP address and a gateway for each service1.
• Service routes are not related to routing protocols such as OSPF or BGP, which are used to exchange routing information between routers and determine the best path to reach a network destination. Service routes are only used to change the interface that the firewall uses to communicate with external services.

Therefore, service routes are used to route management plane services through data interfaces rather than the management interface.

References:

1: Configure Service Routes - Palo Alto Networks 2: Setting a Service Route for Services to Use a Dataplane’s Interface - Palo Alto Networks 3: How to Perform Updates when Management Interface does not have Public Internet Access - Palo Alto Networks

A dynamic address group populates its members dynamically using look ups for tags and tag-based filters. Tags are metadata elements or attribute-value pairs that are registered for each IP address. Tag-based filters use logical and and or operators to match the tags and determine the membership of the dynamic address group. For example, you can create a dynamic address group that includes all IP addresses that have the tags “web-server” and “linux”. You can also use static tags as part of the filter criteria. References: Policy Object: Address Groups, Use Dynamic Address Groups in Policy, Statics vs. Dynamic Address Objects Groups

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClTHCA0

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application

Text, application, table Description automatically generated with medium confidence

References:

Explanation/Reference:

References:

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/management-interfaces

You can use the following user interfaces to manage the Palo Alto Networks firewall:

• Use the Web Interface to perform configuration and monitoring tasks with relative ease. This graphical interface allows you to access the firewall using HTTPS (recommended) or HTTP and it is the best way to perform administrative tasks.
• Use the Command Line Interface (CLI) to perform a series of tasks by entering commands in rapid succession over SSH (recommended), Telnet, or the console port. The CLI is a no-frills interface that supports two command modes, operational and configure, each with a distinct hierarchy of commands and statements. When you become familiar with the nesting structure and syntax of the commands, the CLI provides quick response times and administrative efficiency.
• Use the XML API to streamline your operations and integrate with existing, internally developed applications and repositories. The XML API is a web service implemented using HTTP/HTTPS requests and responses.
• Use Panorama to perform web-based management, reporting, and log collection for multiple firewalls. The Panorama web interface resembles the firewall web interface but with additional functions for centralized management.

The Revert, Save, and Load operations all work with firewall co nfigurations local to the firewall. The Export operations transfer configurations as XML-formatted files from the firewall to the host running the web interface browser. From your local machine, you can save the files as configuration backups. The Import operations transfer XML configuration files from the host running the web interface browser to the firewall. The XML file can be loaded as the candidate configuration or even be committed to becoming the running configuration. [Palo Alto Networks]

References:

• Palo Alto Networks Known Malicious IP Addresses

—Contains IP addresses that are verified malicious based on WildFire analysis, Unit 42 research, and data gathered from telemetry (Share Threat Intelligence with Palo Alto Networks). Attackers use these IP addresses almost exclusively to distribute malware, initiate command-and-control activity, and launch attacks.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls

Random Early Drop —The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above the Activate Rate) gets, the more packets the firewall drops. .. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions)

References:

Microsoft Exchange – Server monitoring

Linux authentication – syslog monitoring

Windows Client – client probing

Citrix client – Terminal Services agent

The Security profile that should be applied in order to protect against illegal code execution is the Vulnerability Protection profile on allowed traffic. The Vulnerability Protection profile defines the actions that the firewall takes to protect against exploits and vulnerabilities in applications and protocols. The firewall can block or alert on traffic that matches a specific threat signature or a group of threats. The Vulnerability Protection profile can prevent illegal code execution by detecting and blocking attempts to exploit buffer overflows, format string vulnerabilities, or other code injection techniques1. To apply the Vulnerability Protection profile on allowed traffic, you need to:

• Create or modify a Vulnerability Protection profile on the firewall or Panorama and configure the rules and exceptions for the threats that you want to protect against2.
• Attach the Vulnerability Protection profile to a Security policy rule that allows traffic that you want to scan for vulnerabilities3.
• Commit the changes to the firewall or Panorama and the managed firewalls.

References: Vulnerability Protection Profile, Create a Vulnerability Protection Profile, Attach a Vulnerability Protection Profile to a Security Policy Rule, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Explanation/Reference:

The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security administrator or help-desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL Filtering log. The Override webpage doesn’t display properly on client systems configured to use a proxy server.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles/actions-in-security-profiles

To enable the firewall to scan the traffic that it allows based on a Security policy rule, you must also attach Security Profiles —including URL Filtering, Antivirus, Anti-Spyware, File Blocking, and WildFire Analysis—to each rule. To attach a Security Profile to a Security policy rule, you must select Profiles as the Profile Type in the Actions tab of the rule. This allows you to choose from the predefined or custom Security Profiles that you have configured. Group-Profiles, Default-Profiles, and Tagged-Profiles are not valid options for attaching Security Profiles to Security policy rules. References: Set Up a Basic Security Policy, Security Profiles, Updated Certifications for PAN-OS 10.1

Three types of entries that can be excluded from an external dynamic list (EDL) are IP addresses, domains, and URLs. An EDL is a text file that is hosted on an external web server and contains a list of objects, such as IP addresses, URLs, domains, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that the firewall can import and use in policy rules. You can exclude entries from an EDL to prevent the firewall from enforcing policy on those entries. For example, you can exclude benign domains that applications use for background traffic from Authentication policy1. To exclude entries from an EDL, you need to:

• Select the EDL on the firewall and click Manual Exceptions.
• Add the entries that you want to exclude in the Manual Exceptions list. The entries must match the type and format of the EDL. For example, if the EDL contains IP addresses, you can only exclude IP addresses.
• Click OK to save the changes. The firewall will not enforce policy on the excluded entries.

References: Exclude Entries from an External Dynamic List, External Dynamic List, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0).

Three valid source or destination conditions available as Security policy qualifiers are User, Application, and Zone. These qualifiers allow you to define the match criteria for a Security policy rule based on the identity of the user, the application used, and the zone where the traffic originates or terminates. You can use these qualifiers to enforce granular security policies that control access to network resources and prevent threats1. Some of the characteristics of these qualifiers are:

User: The User qualifier allows you to specify the source or destination user or user group for a Security policy rule. The firewall can identify users based on various methods, such as User-ID, Captive Portal, or GlobalProtect. You can use the User qualifier to apply different security policies for different users or user groups, such as allowing access to certain applications or resources based on user roles or privileges2.

Application: The Application qualifier allows you to specify the application or application group for a Security policy rule. The firewall can identify applications based on App-ID, which is a technology that classifies applications based on multiple attributes, such as signatures, protocol decoders, heuristics, and SSL decryption. You can use the Application qualifier to allow or deny access to specific applications or application groups, such as enabling web browsing but blocking social networking or file sharing3.

Zone: The Zone qualifier allows you to specify the source or destination zone for a Security policy rule. A zone is a logical grouping of one or more interfaces that have similar functions or security requirements. The firewall can apply security policies based on the zones where the traffic originates or terminates, such as intrazone, interzone, or universal. You can use the Zone qualifier to segment your network and isolate traffic based on different trust levels or network functions4.

References: Security Policy, Zones, User-ID, App-ID, Certifications - Palo Alto Networks, [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Explanation/Reference:

First – Block List

Second – Allow List

Third – Custom URL Categories

Fourth – External Dynamic Lists

Fifth – Downloaded PAN-DB Files

Sixth - PAN-DB Cloud

The show system fqdn command displays the FQDN objects configured on the firewall and their resolved IP addresses. This can help confirm if the FQDN objects are resolved correctly and if they match the expected traffic. A shadow rule is a rule that is never matched because a preceding rule covers the same traffic. If a shadow rule uses FQDN objects, it is possible that the FQDN objects are not resolved or have different IP addresses than the traffic, causing the rule to be ineffective.

Step 1 – Select network tab

Step 2 – Select zones from the list of available items

Step 3 – Select Add

Step 4 – Specify Zone Name

Step 5 – Specify Zone Type

Step 6 – Assign interfaces as needed

The GlobalProtect Portal can be accessed by going to the IP address of the designated interface using https on port 443. The WebUI on the same interface can be accessed by going to the interface's IP address using https on port 4443. The port for WebUI management is changed because the tcp/443 socket used by GlobalProtect takes precedence

An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new applications office programs emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.

https://docs.paloaltonetworks.com/pan-os/9-0/pa n-os-admin/app-id/use-application-objects-in -policy/create-an-application-filter.html

When a security rule is configured as Intrazone, the destination zone field cannot be changed. This is because an intrazone rule applies to traffic that originates and terminates in the same zone. The destination zone is automatically set to the same value as the source zone and cannot be modified1. An intrazone rule allows you to control and inspect traffic within a zone, such as applying security profiles or logging options2. References: What are Universal, Intrazone and Interzone Rules?, Security Policy, Updated Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/use-case-configure-firewalls-using-panorama/set-up-your-centralized-configuration-and-policies/use-templates-to-administer-a-base-configuration

The NAT Target tab is a table that allows you to specify the target firewalls or device groups for each NAT policy rule on Panorama. This tab is available only on Panorama and not on individual firewalls. The NAT Target tab enables you to create a single NAT policy rulebase on Panorama and then selectively push the rules to the firewalls or device groups that require them. This reduces the complexity and duplication of managing NAT policies across multiple firewalls1. References: NAT Target Tab, NAT Policy Overview, NPTv6 Overview, Updated Certifications for PAN-OS 10.1.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os -admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions

A server profile identifies the external authentication service and instructs the firewall on how to connect to that authentication service and access the authentication credentials for your users. To configure SAML authentication, you must create a server profile and register the firewall and the identity provider (IdP) with each other. You can import a SAML metadata file from the IdP to automatically create a server profile and populate the connection, registration, and IdP certificate information. References: Configure SAML Authentication, Set Up SAML Authentication, Introduction to SAML

The IP Modulo session distribution method assigns sessions to dataplane processors (DPs) based on the modulo of the source and destination IP addresses. This method is suitable for environments that use NAT with a large number of translated IP addresses and ports. It ensures that sessions with the same source and destination IP addresses are processed by the same DP, regardless of the port numbers. This can improve performance and avoid out-of-order packets. 

To block hosts that use bulletproof hosts to provide malicious, illegal, and/or unethical content, use the bulletproof IP address list in policy.

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-new-features/content-inspection-fea tures/edl-for-bulletproof-isps#:~:text=A%20new%20built%2Din%20external,%2C%20illegal%2C%20and%20unethical%20content.

 https://docs.paloaltonetwor ks.com/pan-os/9-0/pan-os-admin/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal.html

Because new WildFire signatures are now available every five minutes, it is a best practice to use this setting to ensure the firewall retrieves these signatures within a minute of availability.

Anti-Spyware Security Profiles block spyware on compromised hosts from trying to communicate with external command-and-control (C2) servers, thus enabling you to detect malicious traffic leaving the network from infected clients.

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage -device-groups/create-objects-for-use-in-shared-or-device-group-policy

Explanation/Reference:

Explanation

Explanation/Reference:

DNS Security subscription enables users to access real-time protections using advanced predictive analytics. When techniques such as DGA/DNS tunneling detection and machine learning are used, threats hidden within DNS traffic can be proactively identified and shared through an infinitely scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based architecture, you can access the full database of ever-expanding signatures that have been generated using a multitude of data sources. This list of signatures allows you to defend against an array of threats using DNS in real-time against newly generated malicious domains. To combat future threats, updates to the analysis, detection, and prevention capabilities of the DNS Security service will be available through content releases. To access the DNS Security service, you must have a Threat Prevention license and DNS Security license.

• A profile is a set of rules or settings that defines how the firewall performs a specific function, such as detecting and preventing threats, filtering URLs, or decrypting traffic1.
• There are different types of profiles that can be applied to different types of traffic or scenarios, such as Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Data Filtering, Decryption, or WildFire Analysis1.
• The WildFire Analysis profile is a profile that enables the firewall to submit unknown files or email links to the cloud-based WildFire service for analysis and verdict determination2. WildFire is the industry’s most advanced analysis and prevention engine for highly evasive zero-day exploits and malware3. WildFire uses a variety of malware detection techniques, such as static analysis, dynamic analysis, machine learning, and intelligent run-time memory analysis, to identify and protect against unknown threats34.
• The Vulnerability Protection profile is a profile that protects the network from exploits that target known software vulnerabilities. It allows the administrator to configure the actions and log settings for each vulnerability severity level, such as critical, high, medium, low, or informational5.
• Content-ID is not a profile, but a feature of the firewall that performs multiple functions to identify and control applications, users, content, and threats on the network. Content-ID consists of four components: App-ID, User-ID, Content Inspection, and Threat Prevention.
• Advanced Threat Prevention is not a profile, but a term that refers to the comprehensive approach of Palo Alto Networks to prevent sophisticated and unknown threats. Advanced Threat Prevention includes WildFire, but also other products and services, such as DNS Security, Cortex XDR, Cortex XSOAR, and AutoFocus.

Therefore, the profile that should be used to obtain a verdict regarding analyzed files is the WildFire Analysis profile.

References:

1: Security Profiles - Palo Alto Networks 2: WildFire Analysis Profile - Palo Alto Networks 3: WildFire - Palo Alto Networks 4: Advanced Wildfire as an ICAP Alternative | Palo Alto Networks 5: Vulnerability Protection Profile - Palo Alto Networks : [Content-ID - Palo Alto Networks] : [Advanced Threat Prevention - Palo Alto Networks]