PSE-Strata-Pro-24 Questions and Answers

The most effective way to reduce the risk of exploitation bynewly announced vulnerabilitiesis throughAdvanced Threat Prevention (ATP). ATP usesinline deep learningto identify and block exploitation attempts, even for zero-day vulnerabilities, in real time.

Why "Advanced Threat Prevention’s command injection and SQL injection functionsuse inline deep learning against zero-day threats" (Correct Answer B)?Advanced Threat Prevention leveragesdeep learning modelsdirectly in the data path, which allows it to analyze traffic in real time and detect patterns of exploitation, including newly discovered vulnerabilities being actively exploited in the wild. It specifically targets advanced tactics like:

Command injection.

SQL injection.

Memory-based exploits.

Protocol evasion techniques.

This functionality lowers the risk of exploitation byactively blocking attack attemptsbased on their behavior, even when a signature is not yet available. This approach makes ATP the most valuable solution for addressing new and actively exploited vulnerabilities.

Why not "Advanced URL Filtering uses machine learning (ML) to learn which malicious URLs are being utilized by the attackers, then block the resulting traffic" (Option A)?While Advanced URL Filtering is highly effective at blocking access to malicious websites, it does not provide the inline analysis necessary to prevent direct exploitation of vulnerabilities. Exploitation often happens within the application or protocol layer, which Advanced URL Filtering does not inspect.

Why not "Single Pass Architecture and parallel processing ensure traffic is efficiently scanned against any enabled Cloud-Delivered Security Services (CDSS) subscription" (Option C)?Single Pass Architecture improves performance by ensuring all enabled services (like Threat Prevention, URL Filtering, etc.) process traffic efficiently. However, it is not a feature that directly addresses vulnerability exploitation or zero-day attack detection.

Why not "WildFire loads custom OS images to ensure that the sandboxing catches any activity that would affect the customer's environment" (Option D)?WildFire is a sandboxing solution designed to detect malicious files and executables. While it is useful for analyzing malware, it does not provide inline protection against exploitation of newly announced vulnerabilities, especially those targeting network protocols or applications.

Panorama is Palo Alto Networks’ centralized management solution for managing multiple firewalls. It supports multiple deployment options to suit different infrastructure needs. The valid deployment options are as follows:

Why "As a virtual machine (ESXi, Hyper-V, KVM)" (Correct Answer A)?Panorama can be deployed as a virtual machine on hypervisors like VMware ESXi, Microsoft Hyper-V, and KVM. This is a common option for organizations that already utilize virtualized infrastructure.

Why "With a cloud service provider (AWS, Azure, GCP)" (Correct Answer B)?Panorama is available for deployment in the public cloud on platforms like AWS, Microsoft Azure, and Google Cloud Platform. This allows organizations to centrally manage firewalls deployed in cloud environments.

Why "As a dedicated hardware appliance (M-100, M-200, M-500, M-600)" (Correct Answer E)?Panorama is available as a dedicated hardware appliance with different models (M-100, M-200, M-500, M-600) to cater to various performance and scalability requirements. This is ideal for organizations that prefer physical appliances.

Why not "As a container (Docker, Kubernetes, OpenShift)" (Option C)?Panorama is not currently supported as a containerized deployment. Containers are more commonly used for lightweight and ephemeral services, whereas Panorama requires a robust and persistent deployment model.

Why not "On a Raspberry Pi (Model 4, Model 400, Model 5)" (Option D)?Panorama cannot be deployed on low-powered hardware like Raspberry Pi. The system requirements for Panorama far exceed the capabilities of Raspberry Pi hardware.

Palo Alto Networks Next-Generation Firewalls (NGFWs) provide robust security features across a variety of use cases. Let’s analyze each option:

A. Code-embedded NGFWs provide enhanced IoT security by allowing PAN-OS code to be run on devices that do not support embedded VM images.

This statement is incorrect. NGFWs do not operate as "code-embedded" solutions for IoT devices. Instead, they protect IoT devices through advanced threat prevention, device identification, and segmentation capabilities.

B. Serverless NGFW code security provides public cloud security for code-only deployments that do not leverage VM instances or containerized services.

This is not a valid use case. Palo Alto NGFWs provide security for public cloud environments using VM-series firewalls, CN-series (containerized firewalls), and Prisma Cloud for securing serverless architectures. NGFWs do not operate in "code-only" environments.

C. IT/OT segmentation firewalls allow operational technology (OT) resources in plant networks to securely interface with IT resources in the corporate network.

This is a valid use case. Palo Alto NGFWs are widely used in industrial environments to provide IT/OT segmentation, ensuring that operational technology systems in plants or manufacturing facilities can securely communicate with IT networks while protecting against cross-segment threats. Features like App-ID, User-ID, and Threat Prevention are leveraged for this segmentation.

D. PAN-OS GlobalProtect gateways allow companies to run malware and exploit prevention modules on their endpoints without installing endpoint agents.

This is incorrect. GlobalProtect gateways provide secure remote access to corporate networks and extend the NGFW’s threat prevention capabilities to endpoints, but endpoint agents are required to enforce malware and exploit prevention modules.

Key Takeaways:

IT/OT segmentation with NGFWs is a real and critical use case in industries like manufacturing and utilities.

The other options describe features or scenarios that are not applicable or valid for NGFWs.

References:

Palo Alto Networks NGFW Use Cases

Industrial Security with NGFWs

LDAP Query (Answer B):

Palo Alto Networks NGFWs can queryLDAP directories(such as Active Directory) to validate whether submitted credentials match the corporate directory.

Domain Credential Filter (Answer C):

TheDomain Credential Filterfeature ensures that submitted credentials are checked against valid corporate credentials, preventing credential misuse.

Why Not A:

Group mappingis used to identify user groups for policy enforcement but does not validate submitted credentials.

Why Not D:

WMI client probingis used for user identification but is not a method for validating submitted credentials.

References from Palo Alto Networks Documentation:

Credential Theft Prevention

A. Discuss the PAN-OS Policy Optimizer feature as a means to safely migrate port-based rules to application-based rules.

PAN-OS includes thePolicy Optimizertool, which helps migrate legacy port-based rules to application-based policies incrementally and safely. This tool identifies unused, redundant, or overly permissive rules and suggests optimized policies based on actual traffic patterns.

Why Other Options Are Incorrect

B:The migration wizard does not automatically convert port-based rules to application-based rules. Migration must be carefully planned and executed using tools like the Policy Optimizer.

C:Running two firewalls in parallel adds unnecessary complexity and is not a best practice for migration.

D:While port-based rules are supported, relying on them defeats the purpose of transitioning to application-based security.

References:

Palo Alto Networks Policy Optimizer

The question asks about the policies where Device-ID, a feature of Palo Alto Networks NGFWs, can be applied. Device-ID enables the firewall to identify and classify devices (e.g., IoT, endpoints) based on attributes like device type, OS, or behavior, enhancing policy enforcement. Let’s evaluate its use across the specified policy types.

Step 1: Understand Device-ID

Device-ID leverages the IoT Security subscription and integrates with the Strata Firewall to provide device visibility and control. It uses data from sources like DHCP, HTTP headers, and machinelearning to identify devices and allows policies to reference device objects (e.g., “IP Camera,” “Medical Device”). This feature is available on PA-Series firewalls running PAN-OS 10.0 or later with the appropriate license.

To prevent malicious actors from abusing file-sharing applications for data exfiltration,App-IDprovides a granular approach to managing application traffic. Palo Alto Networks'App-IDis a technology that identifies applications traversing the network, regardless of port, protocol, encryption (SSL), or evasive tactics. By leveraging App-ID, security engineers can implement policies that restrict the use of specific applications or functionalities based on job functions, ensuring that only authorized users or groups can use file-sharing applications while blocking unauthorized or malicious usage.

Here’s why the options are evaluated this way:

Option A:DNS Security focuses on identifying and blocking malicious domains. While it plays a critical role in preventing certain attacks (like command-and-control traffic), it is not effective for managing application usage. Hence, this is not the best approach.

Option B (Correct):App-ID provides the ability to identify file-sharing applications (such as Dropbox, Google Drive, or OneDrive) and enforce policies to restrict their use. For example, you can create a security rule allowing file-sharing apps only for specific job functions, such as HR or marketing, while denying them for other users. This targeted approach ensures legitimate business needs are not disrupted, which aligns with the requirement of not impacting valid users.

Option C:Blocking all file-sharing applications outright using DNS Security is a broad measure that will indiscriminately impact legitimate users. This does not meet the requirement of allowing specific users to continue using file-sharing applications.

Option D:While App-ID can block file-sharing applications outright, doing so will prevent legitimate usage and is not aligned with the requirement to allow usage based on job functions.

How to Implement the Solution (Using App-ID):

Identify the relevant file-sharing applications using App-ID in Palo Alto Networks’ predefined application database.

Create security policies that allow these applications only for users or groups defined in your directory (e.g., Active Directory).

Use custom App-ID filters or explicit rules to control specific functionalities of file-sharing applications, such as uploads or downloads.

Monitor traffic to ensure that only authorized users are accessing the applications and that no malicious activity is occurring.

References:

Palo Alto Networks Admin Guide: Application Identification and Usage Policies.

Best Practices for App-ID Configuration: https://docs.paloaltonetworks.com

In this scenario, the company does not use on-premises Active Directory and manages devices with Entra ID and Jamf, which implies a cloud-native and modern management setup. Below is the evaluation of each option:

Option A: Captive portal

Captive portal is typically used in environments where identity mapping is needed for unmanaged devices or guest users. It provides a mechanism for users to authenticate themselves through a web interface.

However, in this case, the company is managing devices using Entra ID and Jamf, which means identity information can already be centralized through other means. Captive portal is not an ideal solution here.

This option is not appropriate.

Option B: User-ID agents configured for WMI client probing

WMI (Windows Management Instrumentation) client probing is a mechanism used to map IP addresses to usernames in a Windows environment. This approach is specific to on-premises Active Directory deployments and requires direct communication with Windows endpoints.

Since the company does not have an on-premises AD and is using Entra ID and Jamf, this method is not applicable.

This option is not appropriate.

Option C: GlobalProtect with an internal gateway deployment

GlobalProtect is Palo Alto Networks' VPN solution, which allows for secure remote access. It also supports identity-based mapping when deployed with internal gateways.

In this case, GlobalProtect with an internal gateway can serve as a mechanism to provide user and device visibility based on the managed devices connecting through the gateway.

This option is appropriate.

Option D: Cloud Identity Engine synchronized with Entra ID

The Cloud Identity Engine provides a cloud-based approach to synchronize identity information from identity providers like Entra ID (formerly Azure AD).

In a cloud-native environment with Entra ID and Jamf, the Cloud Identity Engine is a natural fit as it integrates seamlessly to provide identity visibility for applicationsand data.

This option is appropriate.

References:

Palo Alto Networks documentation on Cloud Identity Engine

GlobalProtect configuration and use cases in Palo Alto Knowledge Base

Step 1: Understand the Requirement and Context

Customer Need: Segregate the internal network into unique BGP environments, suggesting multiple isolated or semi-isolated routing domains within a single organization.

BGP Basics:

BGP is a routing protocol used to exchange routing information between autonomous systems (ASes).

eBGP: External BGP, used between different ASes.

iBGP: Internal BGP, used within a single AS, typically requiring a full mesh of peers unless mitigated by techniques like confederations or route reflectors.

Palo Alto NGFW: Supports BGP on virtual routers (VRs) within PAN-OS, enabling advanced routing capabilities for Strata hardware firewalls (e.g., PA-Series).

References: "PAN-OS supports BGP for dynamic routing and network segmentation" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp).

Step 2: Evaluate Each Option

Option A: It cannot be addressed because PAN-OS does not support it

Analysis:

PAN-OS fully supports BGP, including eBGP, iBGP, confederations, and route reflectors, configurable under "Network > Virtual Routers > BGP."

Features like multiple virtual routers and BGP allow network segregation and routing policy control.

This statement contradicts documented capabilities.

Verification:

"Configure BGP on a virtual router for dynamic routing" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/configure-bgp).

Conclusion: Incorrect—PAN-OS supports BGP and segregation techniques.Not Applicable.

Option B: It can be addressed by creating multiple eBGP autonomous systems

Analysis:

eBGP: Used between distinct ASes, each with a unique AS number (e.g., AS 65001, AS 65002).

Within a single organization, creating multiple eBGP ASes would require:

Assigning unique AS numbers (public or private) to each internal segment.

Treating each segment as a separate AS, peering externally with other segments via eBGP.

Challenges:

Internally, this isn’t practical for a single network—it’s more suited to external peering (e.g., with ISPs).

Requires complex management and public/private AS number allocation, not ideal for internal segregation.

Doesn’t leverage iBGP or confederations, which are designed for internal AS management.

PAN-OS supports eBGP, but this approach misaligns with the intent of internal network segregation.

Verification:

"eBGP peers connect different ASes" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-concepts).

Conclusion: Possible but impractical and not the intended BGP solution for internal segregation.Not Optimal.

Option C: It can be addressed with BGP confederations

Description: BGP confederations divide a single AS into sub-ASes (each with a private Confederation Member AS number), reducing the iBGP full-mesh requirement while maintaining a unified external AS.

Analysis:

How It Works:

Single AS (e.g., AS 65000) is split into sub-ASes (e.g., 65001, 65002).

Within each sub-AS, iBGP full mesh or route reflectors are used.

Between sub-ASes, eBGP-like peering (confederation EBGP) connects them, but externally, it appears as one AS.

Segregation:

Each sub-AS can represent a unique BGP environment (e.g., department, site) with its own routing policies.

Firewalls within a sub-AS peer via iBGP; across sub-ASes, they use confederation EBGP.

PAN-OS Support:

Configurable under "Network > Virtual Routers > BGP > Confederation" with a Confederation Member AS number.

Ideal for large internal networks needing segmentation without multiple public AS numbers.

Benefits:

Simplifies internal BGP management.

Aligns with the customer’s need for unique internal BGP environments.

Verification:

"BGP confederations reduce full-mesh burden by dividing an AS into sub-ASes" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-confederations).

"Supports unique internal routing domains" (knowledgebase.paloaltonetworks.com).

Conclusion: Directly addresses the requirement with a supported, practical solution.Applicable.

Option D: It cannot be addressed because BGP must be fully meshed internally to work

Analysis:

iBGP Full Mesh: Traditional iBGP requires all routers in an AS to peer with each other, scaling poorly (n(n-1)/2 connections).

Mitigation: PAN-OS supports alternatives:

Route Reflectors: Centralize iBGP peering.

Confederations: Divide the AS into sub-ASes (see Option C).

This statement ignores these features, falsely claiming BGP’s limitation prevents segregation.

Verification:

"Confederations and route reflectors eliminate full-mesh needs" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-confederations).

Conclusion: Incorrect—PAN-OS overcomes full-mesh constraints.Not Applicable.

Step 3: Recommendation Justification

Why Option C?

Alignment: Confederations allow the internal network to be segregated into unique BGP environments (sub-ASes) while maintaining a single external AS, perfectly matching the customer’s need.

Scalability: Reduces iBGP full-mesh complexity, ideal for large or segmented internal networks.

PAN-OS Support: Explicitly implemented in BGP configuration, validated by documentation.

Why Not Others?

A: False—PAN-OS supports BGP and segregation.

B: eBGP is for external ASes, not internal segregation; less practical thanconfederations.

D: Misrepresents BGP capabilities; full mesh isn’t required with confederations or route reflectors.

Step 4: Verified References

BGP Confederations: "Divide an AS into sub-ASes for internal segmentation" (docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/bgp/bgp-confederations).

PAN-OS BGP: "Supports eBGP, iBGP, and confederations for routing flexibility" (paloaltonetworks.com, PAN-OS Networking Guide).

Use Case: "Confederations suit large internal networks" (knowledgebase.paloaltonetworks.com).

A large deployment of 500 firewalls requires a scalable, centralized logging and reporting infrastructure. Here's the analysis of each option:

Option A: Combine Panorama for firewall management with Palo Alto Networks' cloud-based Strata Logging Service to offer scalability for the company's logging and reporting infrastructure

TheStrata Logging Service(or Cortex Data Lake) is a cloud-based solution that offers massive scalability for logging and reporting. Combined with Panorama, it allows for centralized log collection, analysis, and policy management without the need for extensive on-premises infrastructure.

This approach is ideal for large-scale environments like the one described in the scenario, as it ensures cost-effectiveness and scalability.

This is the correct recommendation.

Option B: Use Panorama for firewall management and to transfer logs from the 500 firewalls directly to a third-party SIEM for centralized logging and reporting

While third-party SIEM solutions can be integrated with Palo Alto Networks NGFWs, directly transferring logs from 500 firewalls to a SIEM can lead to bottlenecks and scalability issues. Furthermore, relying on third-party solutions may not provide the same level of native integration as the Strata Logging Service.

This is not the ideal recommendation.

Option C: Highlight the efficiency of PAN-OS, which employs AI to automatically extract critical logs and generate daily executive reports, and confirm that the purchase of 500 NGFWs is sufficient

While PAN-OS provides AI-driven insights and reporting, this option does not address the requirement for centralized logging and reporting. It also dismisses the need for additional infrastructure to handle logs from 500 firewalls.

This is incorrect.

Option D: Deploy a pair of M-1000 log collectors in the customer data center, and route logs from all 500 firewalls to the log collectors for centralized logging and reporting

The M-1000 appliance is an on-premises log collector, but it has limitations in terms of scalability and storage capacity when compared to cloud-based options like the Strata Logging Service. Deploying only two M-1000 log collectors for 500 firewalls would result in potential performance and storage challenges.

This is not the best recommendation.

References:

Palo Alto Networks documentation on Panorama

Strata Logging Service (Cortex Data Lake) overview in Palo Alto Networks Docs

After a customer has concluded an evaluation of Palo Alto Networks solutions, it is critical to provide a detailed analysis of the results and benefits gained during the evaluation. The following two tools are most appropriate:

Why "Best Practice Assessment (BPA)" (Correct Answer A)?The BPA evaluates the customer's firewall configuration against Palo Alto Networks' recommended best practices. It highlights areas where the configuration could be improved to strengthen security posture. This is an excellent tool to showcase how adopting Palo Alto Networks' best practices aligns with industry standards and improves security performance.

Why "Security Lifecycle Review (SLR)" (Correct Answer B)?The SLR provides insights into the customer's security environment based on data collected during the evaluation. It identifies vulnerabilities, risks, and malicious activities observed in the network and demonstrates how Palo Alto Networks' solutions can address these issues. SLR reports use clear visuals and metrics, making it easier to showcase the benefits of the evaluation.

Why not "Firewall Sizing Guide" (Option C)?The Firewall Sizing Guide is a pre-sales tool used to recommend the appropriate firewall model based on the customer's network size, performance requirements, and other criteria. It is not relevant for showcasing the benefits of an evaluation.

Why not "Golden Images" (Option D)?Golden Images refer to pre-configured templates for deploying firewalls in specific use cases. While useful for operational efficiency, they are not tools for demonstrating the outcomes or benefits of a customer evaluation.

When sizing a Palo Alto Networks NGFW appliance, it's crucial to consider variables that affect its performance and capacity. These include the network's traffic characteristics, application requirements, and expected workloads. Below is the analysis of each option:

Option A: Connections per second

Connections per second (CPS) is a critical metric for determining how many new sessions the firewall can handle per second. High CPS requirements are common in environments with high traffic turnover, such as web servers or applications with frequent session terminations and creations.

This is an important sizing variable.

Option B: Max sessions

Max sessions represent the total number of concurrent sessions the firewall can support. For environments with a large number of users or devices, this metric is critical to prevent session exhaustion.

This is an important sizing variable.

Option C: Packet replication

Packet replication is used in certain configurations, such as TAP mode or port mirroring for traffic inspection. While it impacts performance, it is not a primary variable for firewall sizing as it is a specific use case.

This is not a key variable for sizing.

Option D: App-ID firewall throughput

App-ID throughput measures the firewall's ability to inspect traffic and apply policies based on application signatures. It directly impacts the performance of traffic inspection under real-world conditions.

This is an important sizing variable.

Option E: Telemetry enabled

While telemetry provides data for monitoring and analysis, enabling it does not significantly impact the sizing of the firewall. It is not a core variable for determining firewall performance or capacity.

This is not a key variable for sizing.

References:

Palo Alto Networks documentation on Firewall Sizing Guidelines

Knowledge Base article on Performance and Capacity Sizing

To help a customer understand how Palo Alto Networks can bring value when adopting a Zero Trust architecture, the systems engineer must focus on understanding the customer's specific needs and explaining how the Zero Trust strategy aligns with their business goals. Here’s the detailed analysis of each option:

Option A: Ask the customer about their internal business flows, such as how their users interact with applications and data across the infrastructure

Understanding the customer's internal workflows and how their users interact with applications and data is a critical first step in Zero Trust. This information allows the systems engineer to identify potential security gaps and suggest tailored solutions.

This is correct.

Option B: Explain how Palo Alto Networks can place virtual NGFWs across the customer's network to ensure assets and traffic are seen and controlled

While placing NGFWs across the customer's network may be part of the implementation, this approach focuses on the product rather than the customer's strategy. Zero Trust is more about policies and architecture than specific product placement.

This is incorrect.

Option C: Use the Zero Trust Roadshow package to demonstrate to the customer how robust Palo Alto Networks capabilities are in meeting Zero Trust

While demonstrating capabilities is valuable during the later stages of engagement, the initial focus should be on understanding the customer's business requirements rather than showcasing products.

This is incorrect.

Option D: Ask the customer about their approach to Zero Trust, explaining that it is astrategy more than it is something they purchase

Zero Trust is not a product but a strategy that requires a shift in mindset. By discussing their approach, the systems engineer can identify whether the customer understands Zero Trust principles and guide them accordingly.

This is correct.

References:

Palo Alto Networks documentation on Zero Trust

Zero Trust Architecture Principles inNIST 800-207