PCNSA Practice Exam Questions with Answers Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) Certification

Oversubscription is a feature that allows you to use more private IP addresses than public IP addresses for NAT. This means that multiple private IP addresses can share the same public IP address, as long as they use different ports. Oversubscription can be used in two types of NAT: Dynamic IP and Port (DIPP) and Dynamic IP. DIPP NAT translates both the source IP address and the source port number of the outgoing packets, and can have an oversubscription rate greater than 1. Dynamic IP NAT translates only the source IP address of the outgoing packets, and can have an oversubscription rate of 1 or less. Static IP and Destination NAT do not support oversubscription, as they require a one-to-one mapping between the private and public IP addresses. References: Source NAT, Configure NAT, NAT

Anti-Spyware Security Profiles block spyware on compromised hosts from trying to communicate with external command-and-control (C2) servers, thus enabling you to detect malicious traffic leaving the network from infected clients.

Explanation/Reference:

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama

• An Anti-Spyware security profile is a set of rules that defines how the firewall detects and prevents spyware from compromising hosts on the network. Spyware is a type of malware that collects information from the infected system, such as keystrokes, browsing history, or personal data, and sends it to an external command-and-control (C2) server1.
• An Anti-Spyware security profile consists of four tabs: Signature Policies, Signature Exceptions, Machine Learning Policies, and Inline Cloud Analysis1.
• The Signature Policies tab allows you to configure the actions and log settings for each spyware signature category, such as adware, botnet, keylogger, phishing, or worm. You can also enable DNS Security to block malicious DNS queries and responses1.
• The Signature Exceptions tab allows you to create exceptions for specific spyware signatures that you want to override the default action or log settings. For example, you can allow a signature that is normally blocked by the profile, or block a signature that is normally alerted by the profile1.
• The Machine Learning Policies tab allows you to configure the actions and log settings for machine learning based signatures that detect unknown spyware variants. You can also enable WildFire Analysis to submit unknown files to the cloud for further analysis1.
• The Inline Cloud Analysis tab allows you to enable machine learning based engines that detect unknown spyware variants in real time. These engines use cloud-based models to analyze the behavior and characteristics of network traffic and identify malicious patterns. You can enable inline cloud analysis for HTTP/HTTPS traffic, SMTP/SMTPS traffic, or IMAP/IMAPS traffic1.

Therefore, the tab that is used to enable machine learning based engines is the Inline Cloud Analysis tab.

References:

1: Security Profile: Anti-Spyware - Palo Alto Networks

Policy Optimizer provides a simple workflow to migrate your legacy Security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and gaining visibility into applications so you can safely enable them. Policy Optimizer can also identify unused rules, duplicate rules, and rules that can be merged or reordered to optimize your rulebase. You can use Policy Optimizer to review the usage statistics of your rules and take actions to clean up or modify your rulebase as needed1. References: Security Policy Rule Optimization, Updated Certifications for PAN-OS 10.1, Free PCNSE Questions for Palo Alto Networks PCNSE Exam

DNS Security subscription enables users to access real-time protections using advanced predictive analytics. When techniques such as DGA/DNS tunneling detection and machine learning are used, threats hidden within DNS traffic can be proactively identified and shared through an infinitely scalable cloud service. Because the DNS signatures and protections are stored in a cloud-based architecture, you can access the full database of ever-expanding signatures that have been generated using a multitude of data sources. This list of signatures allows you to defend against an array of threats using DNS in real-time against newly generated malicious domains. To combat future threats, updates to the analysis, detection, and prevention capabilities of the DNS Security service will be available through content releases. To access the DNS Security service, you must have a Threat Prevention license and DNS Security license.

Explanation/Reference:

Explanation/Reference:

Palo Alto Networks firewalls can map IP addresses to usernames using various methods, such as User-ID agents, Captive Portal, GlobalProtect, XML API, and HTTP headers. These methods allow the firewall to enforce security policies based on user identity, rather than just IP address. Some of these methods are:

• Using the XML API: The XML API allows external systems to send user mapping information to the firewall using HTTPS requests. The firewall can then use this information to identify the users behind the IP addresses and apply the appropriate policies1.
• A user connecting into a GlobalProtect gateway using a GlobalProtect Agent: GlobalProtect provides secure remote access to the network by establishing a VPN tunnel between the user’s device and the firewall. When a user connects to a GlobalProtect gateway using a GlobalProtect agent, the firewall can authenticate the user and map the user’s IP address to the username1.
• Usernames inserted inside HTTP Headers: The firewall can also extract usernames from HTTP headers in web traffic. This method requires the web server or proxy server to insert the username into a custom HTTP header that the firewall can read. The firewall can then use this information to map the IP address to the username1.

References: Map IP Addresses to Users, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0).

Explanation/Reference:

Random Early Drop —The firewall uses an algorithm to progressively start dropping that type of packet. If the attack continues, the higher the incoming cps rate (above the Activate Rate) gets, the more packets the firewall drops. .. (https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/zone-protection-and-dos-protection/dos-protection-against-flooding-of-new-sessions/configure-dos-protection-against-flooding-of-new-sessions)

You can’t filter or sort rules in PoliciesSecurity because that would change the order of the policy rules in the rulebase. Filtering and sorting PoliciesSecurityPolicy OptimizerNo App Specified, PoliciesSecurityPolicy OptimizerUnused Apps, and PoliciesSecurityPolicy OptimizerNew App Viewer (if you have a SaaS Inline Security subscription) does not change the order of the rules in the rulebase. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-optimization/policy-optimizer-concepts/sorting-and-filtering-security-policy-rules

Explanation

Explanation/Reference:

Static IP and Dynamic IP and Port (DIPP) are two features that implement one-to-one translation of a source IP address while allowing the source port to change. Static IP translates a single source address to a specific public address, and allows the source port to change dynamically1. Dynamic IP and Port (DIPP) translates the source IP address or range to a single IP address, and uses the source port to differentiate between multiple source IPs that share the same translated address2. Both of these features provide a one-to-one translation of IP addresses, but do not restrict the source port. References:

• Static IP - Palo Alto Networks
• Dynamic IP and Port - Palo Alto Networks

References:

Dynamic Address Groups: A dynamic address group populates its members dynamically using looks ups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual machine location/IP address are frequent. For example, you have a sophisticated failover setup or provision new virtual machines frequently and would like to apply policy to traffic from or to the new machine without modifying the configuration/rules on the firewall.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/objects/objects-addres s-groups

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-data-filtering

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/panorama-web-interface/defining-policies-on-panorama

To see how new and modified App-IDs impact your Security policy, you need to follow the path Device > Dynamic Updates > Review App-IDs on PAN-OS 11.x. This option allows you to perform a content update policy review for both downloaded and installed content. You can view the list of new and modified App-IDs and their descriptions, and see which Security policy rules are affected by them. You can also modify the rules or create new ones to adjust your Security policy as needed1. References: See How New and Modified App-IDs Impact Your Security Policy, Updated Certifications for PAN-OS 10.1, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

References:

Three types of entries that can be excluded from an external dynamic list (EDL) are IP addresses, domains, and URLs. An EDL is a text file that is hosted on an external web server and contains a list of objects, such as IP addresses, URLs, domains, International Mobile Equipment Identities (IMEIs), or International Mobile Subscriber Identities (IMSIs) that the firewall can import and use in policy rules. You can exclude entries from an EDL to prevent the firewall from enforcing policy on those entries. For example, you can exclude benign domains that applications use for background traffic from Authentication policy1. To exclude entries from an EDL, you need to:

• Select the EDL on the firewall and click Manual Exceptions.
• Add the entries that you want to exclude in the Manual Exceptions list. The entries must match the type and format of the EDL. For example, if the EDL contains IP addresses, you can only exclude IP addresses.
• Click OK to save the changes. The firewall will not enforce policy on the excluded entries.

References: Exclude Entries from an External Dynamic List, External Dynamic List, Certifications - Palo Alto Networks, Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0) or Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0).

By default, the firewall uses the management (MGT) interface to access external services, such as DNS servers, external authentication servers, Palo Alto Netw orks services such as soft ware, URL updates, licenses, and AutoFocus. An alternative to using the MGT interface is configuring a data port (a standard interface) to access these services. The path from the interface to th e service on a server is aservice route. [Palo Alto Networks]

PAN-OS 10 -> Device -> Setup -> Services -> Service Features -> Service Route Configuration

When the destination NAT translation is selected as Dynamic IP (with session distribution), the firewall uses a round-robin algorithm to distribute sessions among the available IP addresses that are resolved from the FQDN. This option allows you to load-balance traffic to multiple servers that have dynamic IP addresses1. References: Destination NAT, NAT, Getting Started: Network Address Translation (NAT).

Deny is a policy action, random early drop is part of the inner workings of DoS protection

Explanation/Reference:

The block IP feature can be configured in two Security Profiles: Vulnerability Protection and Anti-spyware. The block IP feature allows the firewall to block traffic from a source IP address for a specified period of time after detecting a threat. This feature can help prevent further attacks from the same source and reduce the load on the firewall1. The block IP feature can be enabled in the following Security Profiles:

Vulnerability Protection: A Vulnerability Protection profile defines the actions that the firewall takes to protect against exploits and vulnerabilities in applications and protocols. You can configure a rule in the Vulnerability Protection profile to block IP connections for a specific threat or a group of threats2.

Anti-spyware: An Anti-spyware profile defines the actions that the firewall takes to protect against spyware and command-and-control (C2) traffic. You can configure a rule in the Anti-spyware profile to block IP addresses for a specific spyware or C2 signature.

References: Monitor Blocked IP Addresses, Block IP Addresses, Vulnerability Protection Profile, [Anti-Spyware Profile], Certifications - Palo Alto Networks, [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)] or [Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)].

Policy Optimizer policy view differs from the Security policy view in several ways. One of them is that it indicates rules with App-ID that are not configured as port-based. These are rules that have the application set to “any” instead of a specific application or group of applications. These rules are overly permissive and can introduce security gaps, as they allow any application traffic on the specified ports. Policy Optimizer helps you convert these rules to application-based rules that follow the principle of least privilege access12. You can use Policy Optimizer to discover and convert port-based rules to application-based rules, and also to remove unused applications, eliminate unused rules, and discover new applications that match your policy criteria3. References:

• Policy Optimizer Best Practices - Palo Alto Networks
• Manage: Policy Optimizer - Palo Alto Networks | TechDocs
• Why use Security Policy Optimizer and what are the benefits?

System logs display entries for each system event on the firewall.

1. Critical - Hardware failures, including high availability (HA) failover and link failures.

2. High - Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers.

3. Medium - Mid-level notifications, such as antivirus package upgrades.

4. Low - Minor severity notifications, such as user password changes.

5. Informational - Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other severity levels.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/system-logs#id8edbfdae-ed92-4d8e-ab76-6a38f96e8cb1

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent-credential-phishing/set-up-credential-phishing-prevention

By default, the maximum number of templates that can be added to a template stack is 8. This is the recommended limit for performance reasons, as adding more templates may result in sluggish responses on the user interface. However, starting from PAN-OS 8.1.10 and 9.0.4, you can use a debug command to increase the maximum number of templates per stack to 16. This command requires a commit operation to take effect.

A template stack is a collection of templates that you can use to push common settings to multiple firewalls or Panorama managed collectors. A template contains the network and device settings that you want to share across devices, such as interfaces, zones, virtual routers, DNS, NTP, and login banners. You can create multiple templates for different device groups or locations and add them to a template stack in a hierarchical order. The settings in the lower templates override the settings in the higher templates if there are any conflicts. You can then assign a template stack to one or more devices and push the configuration changes.

To enable DNS sinkholing for domain queries using DNS security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security service, configure the log severity and policy settings for each DNS signature category, and then attach the profile to a security policy rule.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/dns-security/enable-dns-security