Network Security Fundamentals

Question 1

What is the foundation of the PAN security portfolio?

Answer 1

NGFW

Question 2

How is the firewall available?

Answer 2

Physical
Virtual
Cloud Delivered

Question 3

What are the subscription services available?

Answer 3

TP - Threat Prevention

UF - URL Filtering

DNS - DNS Security

WF - Wildfire malware prevention

Question 4

What provides centrailized network security management?

Answer 4

Panorama

Question 5

The next-generation firewall functions as a ____________ in a Zero Trust architecture.

Answer 5

Segmentation Gateway

Question 6

Single-Pass Architecture

Answer 6

a unique integration of software and hardware that simplifies management, streamlines processing, and maximizes performance.

Question 7

Stream based Engine vs File Proxies

Answer 7

file proxies need to download the entire file before they can scan the traffic

a stream-based engine scans traffic in real time, only reassembling packets as needed and only in very small amounts.

Question 8

The foundational element of our enterprise security platform is

Answer 8

identification

Question 9

Goals of IAM

Answer 9

1. Compliance
2. Least Privilege
3. Protect Data and Systems

Question 10

PoLP

Answer 10

Principle of Least Privilege

Question 11

ABAC

Answer 11

Attribute-based access control

a way to provide and manage user access to IT

services to support areas that require more contextual awareness than simple user-focused

parameters as an assigned role

Question 12

DAC

Answer 12

Discretionary Access Control

The app owner has complete control over who can access a particular service. An application can be a file, directory, or any other, which can be

accessed via the network. Can grant permission to other users to access the app.

Question 13

MAC

Answer 13

Mandatory Access Control

a restrictive type of access control. In MAC, access to resources is controlled by a security policy that is enforced by the operating system. MAC is more secure than DAC, but it is also more difficult to implement and manage.

Question 14

__________ a standard feature on Palo Alto Networks next-generation firewalls, enables you to leverage user information stored in a wide range of repositories.

Answer 14

User-ID

Question 15

______ accurately identifies applications regardless of port, protocol, evasive techniques, or encryption. It provides application visibility and granular, policy-based control.

Answer 15

App-ID

Question 16

What is the first step in application identification?

Answer 16

Establishing Port and Protocol information

Question 17

What are the advantages of using App-ID?

Answer 17

Granular Control
Visibility
Postitive Enforcement

Question 18

What are the advantages of User-ID?

Answer 18

Visibilty
Policy Control
Logging and Reporting

Question 19

________ controls traffic based on complete analysis of all allowed traffic. It uses multiple threat prevention and data loss prevention techniques in a single-pass architecture that fully integrates all security functions.

Answer 19

Content Identification (Content-ID)

Question 20

Application Decoders

Answer 20

enables the firewall to detect and prevent threats tunneled within approved applications that would bypass traditional IPS or proxy solutions.

Question 21

Uniform Threat Signature Format

Answer 21

uniform threat engine and signature format to detect and block a wide range of malware C2 activity and vulnerability exploits in a single pass.

Question 22

Vulnerability Attack Protection (IPS)

Answer 22

Robust routines for traffic normalization and defragmentation, boosted by protocol-anomaly, behavior-anomaly, and heuristic detection mechanisms, provide protection from the widest range of both known and unknown threats.

Question 23

PA-Series Firewalls Use cases

Answer 23

Data center and remote branch deployments

Question 24

_______ Series M-Powered NGFWs ensure top-notch security for high-speed data centers and service providers. These ML-powered systems deliver dependable performance, robust threat prevention, and high-throughput decryption capabilities.

Answer 24

PA-7000

Question 25

----------Series next-generation firewall is crafted to fulfill the demanding necessities of hyperscale data centers, internet edges, and campus segmentation implementations. The ________ boasts remarkable performance, providing 150Gbps of threat protection with security services activated.

Answer 25

PA-5450

Question 26

_______Series effectively halts both known and zero-day attacks across all network traffic, including encrypted data. These potent ML-Powered NGFWs are ideally suited for securing high-speed internet edge, data center, and extensive campus segmentation scenarios.

Answer 26

PA-5400

Question 27

______ Series boasts impressive performance in a compact 1RU design. As an energy-efficient ML-powered NGFW, it serves as the preferred firewall for internet edge and campus settings.

Answer 27

PA-3400

Question 28

______ Series is perfect for safeguarding expansive branch locations and smaller enterprise campuses. It supports Power over Ethernet (PoE), virtual systems (VSYS), high-speed 5G copper ports (mGig ports), and fiber ports, making it an ideal choice for comprehensive protection.

Answer 28

PA-1400

Question 29

______ offers inline, real-time threat protection for enterprise branches. With its compact design, this fourth-generation series delivers enterprise-level security that is easy to implement. These ML-powered NGFWs effectively prevent both known and unknown threats in real time while swiftly decrypting branch traffic.

Answer 29

PA-400

Question 30

______ is a durable ML-Powered NGFW designed to provide strong security in challenging conditions. Common applications include utility substations, power plants, manufacturing facilities, oil and gas installations, and building management systems.

Answer 30

PA-220R

Question 31

________ firewall provides threat protection for inbound, outbound, and east-west traffic between container trust zones and other workload types without slowing the speed of development.

Answer 31

CN-Series

Question 32

Palo Alto Networks CN-Series next-generation firewalls deploy as two sets of pods

Answer 32

CN-MGMT (Management) CN-NGFW (Firewall Dataplace)

Question 33

The dataplane pods can be deployed in two modes: (and define)

Answer 33

Distributed - In distributed mode, the firewall dataplane runs as a daemon set on each node. CLustered MOde - the firewall dataplane runs as a Kubernetes service in a dedicated security node.

Question 34

_________ firewalls are 5G-ready next-generation firewalls designed to prevent successful cyberattacks from targeting mobile network services. The _______ firewalls are designed to handle growing throughput needs due to increased application,user, and device-generated data.

Answer 34

K2-Series

Question 35

Advantages of K2-Series FWs

Answer 35

Scalable Secure and Fast

Question 36

________ is a set of day-one, next-generation firewall configuration templates for PAN-OS that are based on security best practice recommendations.

Answer 36

IronSkillet

Question 37

IronSkillet Benefits

Answer 37

Faster time to implement Fewer configuration errors Improved security posture

Question 38

__________ enables organizations to analyze their existing environment, convert existing Security policies to Palo Alto Networks Next-Generation Firewalls, and assist with the transition from proof of concept to production.

Answer 38

PAN Expedition Migration Tool

Question 39

______ transfers the various firewall rules, addresses, and service objects to a PAN-OS XML configuration file that can be imported into a Palo Alto Networks next-generation firewall.

Answer 39

Third-Party Migration

Question 40

______ a free tool used to quickly identify the most critical security controls for an organization to focus on.

Answer 40

PAN Best Practice Assessment (BPA)

Question 41

List the parts of a BPA

Answer 41

1. Best Practice Assessment 2. Security Policy Capability Adoption Heatmap 3. BPA Executive Summary

Question 42

ZTNA Implementation Steps.

Answer 42

1. Define your protect surface 2. Map the transaction flows 3. Architect the ZTNA 4. Create the ZT Policy 5. Monitor and maintain the network

Question 43

Types of Subscription Services

Answer 43

IoT Security Services SD-Wan Service DNS Security SErvice URL Filtering Service Advanced URL Filtering Service

Question 44

URL Filtering database

Answer 44

PAN-DB

Question 45

________ is a cyberthreat prevention service that identifies unknown malware, zero-day exploits, and advanced persistent threats (APTs) through static and dynamic analysis in a scalable, virtual environment.

Answer 45

Wildfire Cloud based malware analysis environment

Question 46

_______ is included as part of the Threat Prevention license.

Answer 46

Basic Wildfire Support

Question 47

Wildfire Verdicts

Answer 47

Bengin - Safe Grayware - No risk, but odd behavior Malware - pose security threat Phishing - attempt to trick

Question 48

What happen is Wildfire has never seen the file?

Answer 48

Submits the file for analysis.

Question 49

Provides a graphical analysis of firewall traffic logs and identifies potential risks to your network using threat intelligence from the Threat Intel Management portal.

Answer 49

Cortex XSOAR TIM

Question 50

Provides cloud-based, centralized log storage and aggregation. The _________ is required or highly-recommended to support several other cloud-delivered services, including Cortex XDR, IoT Security, and Prisma Access, and Traps management service.

Answer 50

Cortex Data Lake

Question 51

Provides mobility solutions and/or large-scale VPN capabilities.

Answer 51

Global Protect Gateway

Question 52

Provides cloud-based protection against unauthorized access, misuse, extraction, and sharing of sensitive information.

Answer 52

Enterprise DLP

Question 53

works with Cortex Data Lake to discover all of the SaaS applications in use on your network.

Answer 53

SaaS Security Inline

Question 54

______ enables you to manage all key features of Palo Alto Networks Next-Generation Firewalls by using a model that provides central oversight and local control.

Answer 54

Panorama

Question 55

Deployment Modes for Panorama

Answer 55

Panorama Mode Management Only Mode Log Collector Mode

Question 56

Why separate management and log collection modes on Panorama?

Answer 56

enables Panorama to scale to meet organizational and geographical requirements.

Question 57

Panorama Mode

Answer 57

Panorama mode controls both policy and log management functions for all managed devices.

Question 58

Management Only

Answer 58

In management only mode, Panorama manages configurations for managed devices but does not collect or manage logs.

Question 59

Log Collector Mode

Answer 59

In log collector mode, one or more log collectors collect and manage logs from managed devices. This assumes that another deployment of Panorama is operating in management only mode.

Question 60

Panorama manages common policies and objects through _______

Answer 60

hierarchical device groups

Question 61

Which step of implementing a Zero Trust model includes scanning and mapping the transaction flows inside your network to determine how various data, applications, assets, and service components interact with other resources on your network?

Answer 61

Map the transaction flows

Question 62

Which next-generation firewall deployment option prevents successful cyberattacks from targeting mobile network services?

Answer 62

K2

Question 63

Which WildFire verdict is given for a submission that is malicious in nature and intent and can pose security threats?

Answer 63

Malware

Question 64

Which PAN-OS Next-Generation Firewall configuration templates are based on security best practice recommendations instead of extensive how-to documentation?

Answer 64

IronSkillet

Question 65

Which option shows the three deployment mode options available for Panorama, which (if necessary) allows for the separation of management and log collection?

Answer 65

Panorama Managment ONly Log Collector

Question 66

Role-Based Access Control (RBAC) is part of which area of Strata protection?

Answer 66

IAM

Question 67

Which Palo Alto Networks product provides all the capabilities of next-generation hardware firewalls in a virtual machine form?

Answer 67

VM-Series

Question 68

Which Palo Alto Networks product is a free tool used to identify the most critical security controls for an organisation to focus on?

Answer 68

BPA (Best Practice Assessment

Question 69

_____ provides access and security for all users and apps while providing protection against all threat vectors, not just web-based apps and threats.

Answer 69

Prisma SASE

Question 70

3 Key Pillars of Prisma SASE

Answer 70

1. Security aaS 2. Network aaS 3. Digital Experience aaS

Question 71

______ is Palo Alto Networks cloud-delivered security platform that seamlessly connects and secures any user, from any device, accessing any app.

Answer 71

Prisma Access

Question 72

_____ as part of the SASE solution to not only provide a great experience but also deliver segment-wise insights with auto-remediation so IT can scale to alleviate the tension between security and usability.

Answer 72

Autonomous Digital Experience Management (ADEM)

Question 73

PAN's SASE SD-Wan Solution

Answer 73

Prisma SD-WAN

Question 74

______ can either be on-premises or cloud-based services that provide security policy enforcement points between those who use or consume the cloud service from those who provide the cloud services.

Answer 74

Cloud Access Security Broker (CASBs)

Question 75

______ capabilities of Prisma Access are stateful and continuously gathers information about the TCP session, the application handshakes, the application behavior, the stateful protocols, and more.

Answer 75

App-ID

Question 76

_____ provide deep packet inspections that are beyond legacy port and protocol inspections and/or blocking to add an application inspection.

Answer 76

NGFW

Question 77

Issse with MPLS?

Answer 77

Expensive

Question 78

Issue with IPSec

Answer 78

Often adds unnecessary latency

Question 79

GlobalProtect app update.

Answer 79

Prisma Access updates the app 7-10 after GA

Question 80

Antivirus Protection Update

Answer 80

Every hour, 10 minutes after the hour

Question 81

Wildfire Update

Answer 81

Every 15 minutes

Question 82

GLobal PRotect data file update

Answer 82

every hour

Question 83

Clientless VPN application signatures update

Answer 83

Every hour

Question 84

Node that provide connectivity to the data center.

Answer 84

SC-CAN Corporate access node

Question 85

Node for when mobile users are onboarded

Answer 85

MU-SPNs Security processing node

Question 86

Node for When remote networks are onboarded,

Answer 86

RN-SPNs Remote Network Security Processing Nodes

Question 87

The Palo Alto Networks Prisma SASE solution is architectured around which three key pillars? (Choose three.)

Answer 87

Security aaS Network aaS ADEM

Question 88

Which three are components of Prisma SASE? (Choose three.)

Answer 88

SDWAN CASB ZTNA

Question 89

What does Palo Alto Networks provide as a SD-WAN solution that also includes a secure web gateway?

Answer 89

Prisma SD WAN

Question 90

Which three are considered problems for a traditional security approach for remote networks and mobile users? (Choose three.)