PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats2. References: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content

The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.

The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.

If you not believed, then login the firewall go to Vulnerability > Exceptions and select "Show all signatures". From there you will see all threat information including specific actions.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC

https://live.paloaltonetworks.com/t5/general-topics/wildfire-submission-entries-with-severity-high-showing-action/td-p/143516

The best decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic1. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner1.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

GlobalProtect is a VPN solution that provides secure remote access to corporate networks. When a user connects to GlobalProtect, their identity is verified against an LDAP server. This ensures that all IP address-to-user mappings are explicitly known.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices

How to Configure Ping Interval/Timeout Settings ... - Palo Alto Networks

Traffic didnt match any other policies and so landed at the implicit "deny all" policy. If it's deny all, the traffic was dropped before the application could be determined. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

Log Forwarding profiles in Palo Alto Networks firewalls are used to specify the log types that should be forwarded to external services like syslog servers, Panorama, HTTP(S) servers, or email. These profiles enable granular control over which logs are forwarded and where they are sent, facilitating centralized logging and analysis.

B. GlobalProtect:Among the log types supported for forwarding in a Log Forwarding profile, GlobalProtect logs are particularly relevant for organizations using the GlobalProtect VPN solution. These logs contain detailed information about VPN connections, including user authentication, connection establishment, and disconnection events. Forwarding GlobalProtect logs can be crucial for security analysis, troubleshooting VPN issues, and monitoring user access.

For organizations that rely on GlobalProtect for remote access, configuring log forwarding for GlobalProtect logs is essential for maintaining visibility into remote access activities and ensuring secure and efficient VPN operations.

To configure log forwarding for GlobalProtect and other supported log types, administrators can refer to the Palo Alto Networks documentation, which provides detailed instructions on creating and applying Log Forwarding profiles to capture and forward the desired logs for external analysis and storage.

When facing high packet buffer utilization due to flood attacks, enabling packet buffer protection is a strategic step. However, simply enabling it globally might not be sufficient. The additional step needed is:

D. Add a Zone Protection profile to the affected zones:Zone Protection profiles provide a set of protections against various flood types, reconnaissance attempts, packet-based attacks, and protocol anomalies. By adding a Zone Protection profile to the zones that are experiencing high packet buffer utilization, the firewall can apply specific thresholds and actions to mitigate flood attacks, thus preventing the packet buffers from being overwhelmed.

It's important to configure the Zone Protection profile with appropriate thresholds and actions for flood protection, taking into consideration the normal traffic patterns and the capacity of the network and firewall. This proactive approach ensures that legitimate traffic is allowed while mitigating potential attacks that could consume excessive resources.

For comprehensive instructions on setting up Zone Protection profiles and configuring them for optimal protection against flood and other types of attacks, refer to the Palo Alto Networks knowledge base and official documentation. These resources provide valuable insights into best practices and recommendations for securing your network infrastructure.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClEiCAK

The best way for the administrator to meet the requirement of managing all configuration from Panorama and preventing local overrides is B: Perform a template commit push from Panorama using the “Force Template Values” option. This option allows the administrator to overwrite any local configuration on the firewall with the values defined in the template1. This way, the administrator can ensure that the interface configuration and any other

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama12. References: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)

traffic log would list an application as “not-applicable” if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc1. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a “not-applicable” entry in the application field of the traffic log1.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama1. References: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.

To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

C. This can be achieved by:

• Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.
• Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.

This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.

In order to see what is in a template, the device-group needs the template referenced. Even if you add the firewall to both the template and device-group, the device-group will not see what is in the template. The following link has a video that demonstrates that B is the correct answer. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNfeCAG

In a High Availability (HA) configuration, particularly in an active-passive setup, it's crucial that the passive unit is kept up to date with the current state of the active unit. This ensures a seamless transition in the event of a failover. The HA4 interface is dedicated to this synchronization task.

D. Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair:

• The HA4 interface is responsible for the synchronization of critical stateful information between the active and passive units in an HA pair. This includes session information, ensuring that the passive unit can continue existing sessions without interruption if it needs to become active.
• In addition to session information, HA4 also synchronizes forwarding tables, which contain information on how to route packets, and IPSec security associations, which are necessary for maintaining secure VPN tunnels.

This synchronization ensures that both units in an HA pair have identical information regarding the current state of the network, sessions, and security associations, enabling a smooth and immediate transition to the passive unit in case the active unit fails.

In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules.For verification, please refer to the Palo Alto Networks "PAN-OS® Administrator’s Guide" or the official configuration documentation for Panorama and device group rules.

When dealing with a false positive, particularly for a spyware threat detected through DNS queries (as indicated by the category "dns-c2"), the correct course of action involves creating an exception in the Anti-Spyware profile, not the Vulnerability Protection profile. This is because the Anti-Spyware profile in Palo Alto Networks firewalls is designed to detect and block spyware threats, which can include command and control (C2) activities often signaled by DNS queries.

The steps to configure an exception for this specific spyware signature (threat ID: 1000011111) are as follows:

• Navigate to Objects > Security Profiles > Anti-Spyware. This is where all the Anti-Spyware profiles are listed.
• Select the related Anti-Spyware profile that is currently applied to the security policy which is generating the false positive.
• Within the profile, go to the DNS Exceptions tab. This tab allows you to specify exceptions based on DNS signatures.
• Search for the related threat ID (in this case, 1000011111) and click enable to create an exception for it. By doing this, you instruct the firewall to bypass the detection for this specific signature, effectively treating it as a false positive.
• Commit the changes to make the exception active.

By following these steps, the administrator can effectively address the false positive without disabling the overall spyware protection capabilities of the firewall.

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud—global (U.S.), regional, and private—analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html

An administrator should configure proxy IDs to route interesting traffic through the VPN tunnel when the peer device is a policy-based VPN device. Proxy IDs are used to identify the traffic that belongs to a particular IPSec VPN and to direct it to the appropriate tunnel. Proxy IDs consist of a local IP address, a remote IP address, and an application (protocol and port numbers). Each proxy ID is considered to be a VPN tunnel and is counted towards the IPSec VPN tunnel capacity of the firewall. Proxy IDs are required for IKEv1 VPNs and optional for IKEv2 VPNs. If the proxy ID is not configured, the firewall uses the default values of source IP: 0.0.0.0/0, destination IP: 0.0.0.0/0, and application: any, which may not match the peer’s policy and result in a failure to establish the VPN connection. References:

• Proxy ID for IPSec VPN
• Set Up an IPSec Tunnel

The firewall can use three multi-factor authentication methods to authenticate access to the firewall: SMS, user certificate, and one-time password. These methods can be used in combination with other authentication factors, such as username and password, to provide stronger security for accessing the firewall web interface or CLI. The firewall can integrate with various MFA vendors that support these methods through RADIUS or SAML protocols5. Voice and fingerprint are not supported by the firewall as MFA methods. References: MFA Vendor Support, PCNSE Study Guide (page 48)

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

The template stack should consist of four templates arranged according to the diagram. The template values that will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management will be the values in Chicago. This is because the SSL/TLS Service profile is configured in the Chicago template, which is the highest priority template in the stack. The firewall will inherit the settings from the highest priority template that has the setting configured, and ignore the settings from the lower priority templates that have the same setting configured. Therefore, the values in Datacenter, efwOlab.chi, and Global Settings will not be applied to the firewall. References:

• [Manage Templates and Template Stacks]
• [Template Stack Configuration]
• [Template Stack Priority]

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK

When configuring Quality of Service (QoS) policies, particularly for traffic going to or from specific IP addresses and involving NAT, it's important to base the rule on how the firewall processes the traffic. For QoS, the firewall evaluates traffic using pre-NAT IP addresses and zones because QoS policies typically need to be applied before the NAT action occurs. This is especially true for inbound traffic, where the goal is to limit bandwidth before the destination IP is translated.

The correct combination for a QoS rule in this scenario, where the aim is to limit bandwidth for downloads from a specific server (implying inbound traffic to the server), would be:

D. Pre-NAT source IP address Pre-NAT source zone:

• Pre-NAT source IP address: This refers to the original IP address of the client or source device before any NAT rules are applied. Since QoS policies are evaluated before NAT, using the pre-NAT IP address ensures that the policy applies to the correct traffic.
• Pre-NAT source zone: This is the zone associated with the source interface before NAT takes place. Using the pre-NAT zone ensures that the QoS policy is applied to traffic as it enters the firewall, before any translations or routing decisions are made.

By configuring the QoS rule with pre-NAT information, the firewall can accurately apply bandwidth limitations to the intended traffic, ensuring efficient use of network resources and mitigating the impact of large file downloads from the specified server.

For detailed guidelines on configuring QoS policies, refer to the Palo Alto Networks documentation, which provides comprehensive instructions and best practices for managing bandwidth and traffic priorities on the network.

SSL/TLS profile is only the TLS versions, not ciphers. Decryption Profile is for SSL Inbound and Forward Proxy applications, not mgmt of the PANW Firewall. There's also KB articles to strengthen SSH, but I couldn't find any for HTTPS, on the mgmt interface: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000004OOQCA2 &lang=en_US%E2%80%A9

A close-up of a computer screen Description automatically generated

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf page 83

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. >Configure an HTTP server profile to forward logs to a remote User-ID agent. > Select the log forwarding profile you created then select this server profile as the HTTP server profile https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

Palo Alto Networks' WildFire service is designed to perform advanced analysis on files to identify and protect against new and evolving threats. When a WildFire analysis profile is configured to forward any file type to the WildFire public cloud, the service analyzes files that pass through the firewall based on the policy configuration.

D. Does not perform malicious content analysis on the linked page, but performs it on the corresponding PE file:

• When a user clicks on an unknown link that downloads a Portable Executable (PE) file, WildFire's primary focus is on the file itself rather than the webpage from which it originated. The service analyzes the PE file to determine if it contains malicious content. This analysis includes static and dynamic inspection techniques to uncover any malicious behavior.
• The webpage hosting the link may not be analyzed as part of this process unless specific protections or URL filtering policies are in place that trigger such an analysis. The primary concern in this scenario is the PE file, which is directly analyzed by WildFire for malicious content.

By focusing on the files that could pose a direct threat to the network, WildFire provides a robust mechanism for identifying and mitigating potential security risks associated with file downloads.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-networking-admin/nat/nat-configuration-examples/destination-nat-exampleone-to-one-mapping

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhzCAC

• D is the correct answer because the threat log type would provide information about traffic blocked by a Zone Protection profile. This is because Zone Protection profiles are used to protect the network from attacks, including common flood, reconnaissance attacks, and other packet-based attacks1. These attacks are classified as threats by the firewall and are logged in the threat log2. The threat log displays information such as the source and destination IP addresses, ports, zones, applications, threat types, actions, and severity of the threats2.

Verified References:

• 1: Zone protection profiles - Palo Alto Networks Knowledge Base
• 2: Threat Log Fields - Palo Alto Networks

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/ha-concepts/ha-timers

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:

D. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls:

• The engineer first uploads the downloaded PAN-OS images to Panorama. This is done through the "Device Deployment" section, specifically under the "Software" menu. This area of Panorama's interface is designed for managing PAN-OS versions and software updates for the managed devices.
• Once the PAN-OS images are uploaded to Panorama, the engineer can then deploy these images to the firewalls directly from Panorama. This process allows for centralized management of software updates, ensuring that all firewalls can be updated to the latest PAN-OS version in a consistent and controlled manner, even without direct internet access.

This method streamlines the update process for environments with strict security requirements, allowing for the efficient deployment of necessary PAN-OS updates to maintain security and functionality.

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

• HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
• User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-monitor.html

When deploying User-ID in environments with diverse directory services, Palo Alto Networks firewalls have the capability to monitor several types of servers to gather user mapping information. Among the options provided:

C. Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange:

• Red Hat Linux: Palo Alto Networks User-ID can monitor Linux systems to gather user information, typically by integrating with services like syslog or by using an agent that reads user login events.
• Microsoft Active Directory: This is one of the most common sources for User-ID, as Active Directory is widely used for user management and authentication. User-ID can directly integrate with Active Directory to read security event logs, capturing user login and logout events.
• Microsoft Exchange: While not directly monitored for user login events, Microsoft Exchange can be a source of IP-to-user mapping information, especially for users accessing email services. This can be achieved by parsing Exchange logs for client access information.

These platforms can provide valuable data for User-ID, enabling the firewall to apply policies based on user identity across diverse network environments.