PCNSA Questions and Answers

The policy set that should be used to ensure that a policy is applied just before the default security rules is the shared post-rulebase. The shared post-rulebase is a set of Security policy rules that are defined on Panorama and apply to all firewalls or device groups. The shared post-rulebase is evaluated after the local firewall policy and the child device-group post-rulebase, but before the default security rules. The shared post-rulebase can be used to enforce common security policies across multiple firewalls or device groups, such as blocking high-risk applications or traffic1. References: Security Policy Rule Hierarchy, Security Policy Rulebase, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Weaponization and Delivery: Attackers will then determine which methods to use in order to deliver malicious payloads. Some of the methods they might utilize are automated tools, such as exploit kits, spear phishing attacks with malicious links, or attachments and malvertizing.

• Gain full visibility into all traffic, including SSL, and block high-risk applications. Extend those protections to remote and mobile devices.
• Protect against perimeter breaches by blocking malicious or risky websites through URL filtering.
• Block known exploits, malware and inbound command-and-control communications using multiple threat prevention disciplines, including IPS, anti-malware, anti-CnC, DNS monitoring and sinkholing, and file and content blocking.
• Detect unknown malware and automatically deliver protections globally to thwart new attacks.
• Provide ongoing education to users on spear phishing links, unknown emails, risky websites, etc.

https://www .paloaltonetworks.com/cyberpedia/how-to-break-the-cyber-attack-lifecycle

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application

In the FW you define an Auth sequence which specifies the Auth Profile. If you click add on an Auth Profile and define one named TACACS for example, the Auth Profile calls in the TACACS+ Server Profile.

URL filtering technology protects users from web-based threats by providing granular control over user access and interaction with content on the Internet. You can develop a URL filtering policy that limits access to sites based on URL categories, users, and groups. For example, you can block access to sites known to host malware and prevent end users from entering corporate credentials to sites in certain categories.

The precedence is from the top down; First Match Wins: 1) Block list: Manually entered blocked URLs Objects - 2) Allow list: Manually entered allowed URLs Objects - 3) Custom URL Categories - 4) Cached Cached: URLs learned from External Dynamic Lists (EDLs) - 5) Pre-Defined Categories: PAN-DB or Brightcloud categories.

You can’t filter or sort rules in PoliciesSecurity because that would change the order of the policy rules in the rulebase. Filtering and sorting PoliciesSecurityPolicy OptimizerNo App Specified, PoliciesSecurityPolicy OptimizerUnused Apps, and PoliciesSecurityPolicy OptimizerNew App Viewer (if you have a SaaS Inline Security subscription) does not change the order of the rules in the rulebase. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules

GlobalProtect: GlobalProtect safeguards your mobile workforce by inspecting all traffic using your next-generation firewalls deployed as internet gateways, whether at the perimeter, in the Demilitarized Zone (DMZ), or in the cloud.

Explanation/Reference:

The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable the use of DIPP addresses when necessary

Reverting to the running configuration will undo the changes made to the candidate configuration since the last commit. This operation will replace the settings in the current candidate configuration with the settings from the running configuration. The firewall provides the option to revert all the changes or only specific changes by administrator or location1. References: Revert Firewall Configuration Changes, How to Revert to a Previous Configuration, How to revert uncommitted changes on the firewall?.

References:

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os -admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions

URL Filtering profiles are configured in the Objects section of the PAN-OS GUI. A URL Filtering profile defines the actions that the firewall takes for different URL categories, such as allow, block, alert, continue, or override. You can also configure settings for credential phishing prevention, URL filtering inline machine learning, and safe search enforcement in a URL Filtering profile1. To create or modify a URL Filtering profile, you need to go to Objects > Security Profiles > URL Filtering2. References: URL Filtering Profile, Create a URL Filtering Profile, Updated Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

References:

To enable the firewall to scan the traffic that it allows based on a Security policy rule, you must also attach Security Profiles —including URL Filtering, Antivirus, Anti-Spyware, File Blocking, and WildFire Analysis—to each rule. To attach a Security Profile to a Security policy rule, you must select Profiles as the Profile Type in the Actions tab of the rule. This allows you to choose from the predefined or custom Security Profiles that you have configured. Group-Profiles, Default-Profiles, and Tagged-Profiles are not valid options for attaching Security Profiles to Security policy rules. References: Set Up a Basic Security Policy, Security Profiles, Updated Certifications for PAN-OS 10.1

Three configurable interface types for a data-plane ethernet interface are Layer 3, VWire, and Layer 2. These interface types determine how the firewall processes traffic and applies security policies. Some of the characteristics of these interface types are:

Layer 3: A layer 3 interface allows the firewall to act as a router and participate in the network routing. The firewall can send and receive traffic from a layer 3 interface and apply security policies and inspect the traffic based on the source and destination IP addresses and zones of the interface1.

VWire: A virtual wire interface allows the firewall to transparently pass traffic between two network segments without modifying the packets or affecting the routing. The firewall can still apply security policies and inspect the traffic based on the source and destination zones of the virtual wire2.

Layer 2: A layer 2 interface allows the firewall to act as a switch and forward traffic based on MAC addresses. The firewall can send and receive traffic from a layer 2 interface and apply security policies and inspect the traffic based on the source and destination zones of the interface3.

References: Ethernet Interface Types, Virtual Wire Interfaces, Layer 2 Interfaces, Layer 3 Interfaces, [Certifications - Palo Alto Networks], [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Explanation/Reference:

The show system fqdn command displays the FQDN objects configured on the firewall and their resolved IP addresses. This can help confirm if the FQDN objects are resolved correctly and if they match the expected traffic. A shadow rule is a rule that is never matched because a preceding rule covers the same traffic. If a shadow rule uses FQDN objects, it is possible that the FQDN objects are not resolved or have different IP addresses than the traffic, causing the rule to be ineffective.

By default, the maximum number of templates that can be added to a template stack is 8. This is the recommended limit for performance reasons, as adding more templates may result in sluggish responses on the user interface. However, starting from PAN-OS 8.1.10 and 9.0.4, you can use a debug command to increase the maximum number of templates per stack to 16. This command requires a commit operation to take effect.

A template stack is a collection of templates that you can use to push common settings to multiple firewalls or Panorama managed collectors. A template contains the network and device settings that you want to share across devices, such as interfaces, zones, virtual routers, DNS, NTP, and login banners. You can create multiple templates for different device groups or locations and add them to a template stack in a hierarchical order. The settings in the lower templates override the settings in the higher templates if there are any conflicts. You can then assign a template stack to one or more devices and push the configuration changes.

Explanation/Reference:

To see how new and modified App-IDs impact your Security policy, you need to follow the path Device > Dynamic Updates > Review App-IDs on PAN-OS 11.x. This option allows you to perform a content update policy review for both downloaded and installed content. You can view the list of new and modified App-IDs and their descriptions, and see which Security policy rules are affected by them. You can also modify the rules or create new ones to adjust your Security policy as needed1. References: See How New and Modified App-IDs Impact Your Security Policy, Updated Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

System logs display entries for each system event on the firewall.

1. Critical - Hardware failures, including high availability (HA) failover and link failures.

2. High - Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.

3. Medium - Mid-level notifications, such as antivirus package upgrades.

4. Low - Minor severity notifications, such as user password changes.

5. Informational - Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/system-logs#id8edbfdae-ed92-4d8e-ab76-6a38f96e8cb1

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/configure-an-authentication-profile-and-sequence

The application characteristics can be found in three places on the PAN-OS interface: Objects tab > Application Filters, Objects tab > Application Groups, and Objects tab > Applications. These places allow you to view and manage the applications and application groups that are used in your Security policy rules. You can also create custom applications and application filters based on various attributes, such as category, subcategory, technology, risk, and behavior1. Some of the characteristics of these places are:

Objects tab > Application Filters: An application filter is a dynamic object that groups applications based on specific criteria. You can use an application filter to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application filter that includes all applications that have a high risk level or use peer-to-peer technology.

Objects tab > Application Groups: An application group is a static object that groups applications based on your custom requirements. You can use an application group to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application group that includes all applications that are related to a specific business function or project.

Objects tab > Applications: An application is an object that identifies and classifies network traffic based on App-ID, which is a technology that uses multiple attributes to identify applications. You can use an application to match a specific application in a Security policy rule and control its access and behavior. For example, you can use an application to allow web browsing but block file sharing or social networking.

References: Objects, [Application Filters], [Application Groups], [Applications], Updated Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention

• Enter the route and netmask
• Enter the IP address for the specific next hop
• Specify the outgoing interface for packets to use to go to the next hop
• Add an IPv4 or IPv6 route by name Comprehensive Explanation: This is the correct order of steps to create a static route in a virtual router on the firewall. The first step is to enter the route and netmask for the destination network, such as 192.168.2.2/24 for an IPv4 address or 2001:db8:123:1::1/64 for an IPv6 address. The second step is to enter the IP address for the specific next hop, such as 192.168.56.1 or 2001:db8:49e:1::1. The third step is to specify the outgoing interface for packets to use to go to the next hop, such as ethernet1/1. The fourth step is to add an IPv4 or IPv6 route by name, such as route11. References:

• Configure a Static Route - Palo Alto Networks

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-interface/defining-policies-on-panorama

Explanation/Reference:

References:

Three types of entries that can be excluded from an external dynamic list (EDL) are IP addresses, domains, and URLs. An EDL is a text file that is hosted on an external web server and contains a list of objects, such as IP addresses, URLs, domains, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that the firewall can import and use in policy rules. You can exclude entries from an EDL to prevent the firewall from enforcing policy on those entries. For example, you can exclude benign domains that applications use for background traffic from Authentication policy1. To exclude entries from an EDL, you need to:

• Select the EDL on the firewall and click Manual Exceptions.
• Add the entries that you want to exclude in the Manual Exceptions list. The entries must match the type and format of the EDL. For example, if the EDL contains IP addresses, you can only exclude IP addresses.
• Click OK to save the changes. The firewall will not enforce policy on the excluded entries.

References: Exclude Entries from an External Dynamic List, External Dynamic List, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0).

An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access. For example, you may want to enable employees to choose their own office programs (such as Evernote, Google Docs, or Microsoft Office 365) for business use. To safely enable these types of applications, you could create an application filter that matches on the Category business-systems and the Subcategory office-programs. As new applications office programs emerge and new App-IDs get created, these new applications will automatically match the filter you defined; you will not have to make any additional changes to your policy rulebase to safely enable any application that matches the attributes you defined for the filter.

https://docs.paloaltonetworks.com/pan-os/9-0/pa n-os-admin/app-id/use-application-objects-in -policy/create-an-application-filter.html

References:

Because new WildFire signatures are now available every five minutes, it is a best practice to use this setting to ensure the firewall retrieves these signatures within a minute of availability.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/url-filtering/url-filtering-concepts/url-filtering-profile-actions

https://docs.paloaltonetworks.com/panorama/9-0/panorama-admin/manage-firewalls/manage -device-groups/create-objects-for-use-in-shared-or-device-group-policy

The user will see a response page indicating that a password is required to allow access to websites in the given category. With this option, the security administrator or help-desk person would provide a password granting temporary access to all websites in the given category. A log entry is generated in the URL Filtering log. The Override webpage doesn’t display properly on client systems configured to use a proxy server.

The Security profile that should be applied in order to protect against illegal code execution is the Vulnerability Protection profile on allowed traffic. The Vulnerability Protection profile defines the actions that the firewall takes to protect against exploits and vulnerabilities in applications and protocols. The firewall can block or alert on traffic that matches a specific threat signature or a group of threats. The Vulnerability Protection profile can prevent illegal code execution by detecting and blocking attempts to exploit buffer overflows, format string vulnerabilities, or other code injection techniques1. To apply the Vulnerability Protection profile on allowed traffic, you need to:

• Create or modify a Vulnerability Protection profile on the firewall or Panorama and configure the rules and exceptions for the threats that you want to protect against2.
• Attach the Vulnerability Protection profile to a Security policy rule that allows traffic that you want to scan for vulnerabilities3.
• Commit the changes to the firewall or Panorama and the managed firewalls.

References: Vulnerability Protection Profile, Create a Vulnerability Protection Profile, Attach a Vulnerability Protection Profile to a Security Policy Rule, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].