Pse Strata P Studyguide (082-110)

The document outlines the use of URL filtering and External Dynamic Lists (EDLs) to enhance network security by blocking malicious content and managing access to various URL categories. It emphasizes the importance of preventing credential theft through multi-factor authentication (MFA) and URL filtering, detailing how these measures can protect against phishing attacks. Additionally, it discusses the integration of CloudGenix SD-WAN with PAN-OS to create a secure and efficient network infrastructure.

References

• PAN-OS 10.1 Administration Guide – Monitoring
  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/monitoring.html

4.3.3 Articulate the use of URL filtering.

We strongly recommend that you block the URL categories that identify malicious or exploitive content.
To get started, you can clone the default URL Filtering profile that blocks malware, phishing, and
command-and-control URL categories by default. The default URL Filtering profile also blocks the
abused-drugs, adult, gambling, hacking, questionable, and weapons URL categories. Whether to block
these URL categories depends on your business requirements. For example, a university probably will
not want to restrict student access to most of these sites because availability is important, but a
business that values security first may block some or all of them.

• Command-and-Control—Command-and-control URLs and domains are used by malware and/or
compromised systems to surreptitiously communicate with an attacker's remote server to receive
malicious commands or exfiltrate data.

• Malware—Sites known to host malware or to be used for command-and-control (C2) traffic. May
also exhibit exploit kits.

• Phishing—Known to host credential phishing pages or phishing for personal identification.

• Grayware—Websites and services that do not meet the definition of a virus or pose a direct security
threat but display obtrusive behavior and influence users to grant remote access or perform other
unauthorized actions. Grayware includes scams, illegal activities, criminal activities, get rich quick
sites, adware, and other unwanted or unsolicited applications, such as embedded crypto miners or
hijackers that change the elements of the browser. Typo squatting domains that do not exhibit
maliciousness and are not owned by the targeted domain will be categorized as grayware.
Previously, the firewall placed grayware in either the malware or questionable URL category. If you
are unsure about whether to block grayware, start by alerting on grayware, investigate the alerts,
and then decide whether to block grayware or continue to alert on grayware.

PALO ALTO NETWORKS PSE: Strata Professional Study Guide 82

• Dynamic-DNS—Hosts and domain names for systems with dynamically assigned IP addresses and
which are oftentimes used to deliver malware payloads or C2 traffic. Also, dynamic DNS domains do
not go through the same vetting process as domains that are registered by a reputable domain
registration company and are therefore less trustworthy.

• Unknown Sites—Sites that have not yet been identified by PAN-DB. If availability is critical to your
business and you must allow the traffic, then alert on unknown sites, apply the best practice
Security profiles to the traffic, and investigate the alerts.

• newly-registered-domain—Newly registered domains are often generated purposely or by domain
generation algorithms and used for malicious activity.

• copyright-infringement—Domains with illegal content, such as content that allows illegal download
of software or other intellectual property, which poses a potential liability risk. This category was
introduced to enable adherence to child protection laws required in the education industry as well
as laws in countries that require internet providers to prevent users from sharing copyrighted
material through their services.

• Extremism—Websites promoting terrorism, racism, fascism, or other extremist views discriminating
against people or groups of different ethnic backgrounds, religions, or other beliefs. This category
was introduced to enable adherence to child protection laws required in the education industry. In
some regions, laws and regulations may prohibit allowing access to extremist sites and allowing
access may pose a liability risk.

• proxy-avoidance-and-anonymizers—URLs and services often used to bypass content-filtering
products.

• Questionable—Websites containing tasteless humor, offensive content targeting specific
demographics of individuals, or groups of people.

• Parked—Domains registered by individuals, oftentimes later found to be used for credential
phishing. These domains may be similar to legitimate domains, for example,
pal0alto0netw0rks.com, with the intent of phishing for credentials or personal identity information.
Or they may be domains that an individual purchases rights to in hopes that it may be valuable
someday, such as panw.net.



4.3.4 Use EDLs to protect against known bad addresses.

An External Dynamic List (EDL) is a text file that is hosted on an external web server so that the firewall
can import objects—IP addresses, URLs, domains—included in the list and enforce policy. To enforce
policy on the entries included in the external dynamic list, you must reference the list in a supported
policy rule or profile. As you modify the list, the firewall dynamically imports the list at the configured
interval and enforces policy without the need to make a configuration change or a commit on the
firewall. If the web server is unreachable, the firewall uses the last successfully retrieved list for
enforcing policy until the connection is restored with the web server. In cases where authentication to
the EDL fails, the security policy stops enforcing the EDL. To retrieve the external dynamic list, the
firewall uses the interface configured with the Palo Alto Networks Services service route, which is the
management interface by default. You can also customize the service routes that you would like the
firewall to use.

The firewall supports four types of external dynamic lists:

• IP Address—The firewall typically enforces policy for a source or destination IP address that is
defined as a static object on the firewall. If you need agility in enforcing policy for a list of source or
destination IP addresses that emerge ad hoc, you can use an external dynamic list of type IP address
as a source or destination address object in policy rules and configure the firewall to deny or allow
access to the IP addresses (IPv4 and IPv6 addresses, IP ranges, and IP subnets) included in the list.
The firewall treats an external dynamic list of type IP address as an address object; all the IP
addresses included in a list are handled as one address object.

• Predefined IP Address—A predefined IP address list is a type of IP address list that refers to either
of the two Palo Alto Networks Malicious IP Address Feeds that have fixed or predefined contents.
These feeds are automatically added to your firewall if you have an active Threat Prevention license.
A predefined IP address list can also refer to any external dynamic list that you create that uses a
Palo Alto Networks IP address feed as a source.

• URL—An external dynamic list of type URL gives you the agility to protect your network from new
threat sources or malware. The firewall handles an external dynamic list with URLs like a custom URL
category, and you can use this list in two ways:

o As a match criterion in Security policy rules, Decryption policy rules, and QoS policy rules
to allow, deny, decrypt, not decrypt, or allocate bandwidth for the URLs in the custom
category

o In a URL Filtering profile where you can define more granular actions, such as continue,
alert, or override, before you attach the profile to a Security policy rule

• Domain—An external dynamic list of type domain allows you to import custom domain names into
the firewall to enforce policy using an Anti-Spyware profile. This capability is particularly useful if
you subscribe to third-party threat intelligence feeds and want to protect your network from new
threat sources or malware as soon as you learn of a malicious domain. For each domain that you
include in the external dynamic list, the firewall creates a custom DNS-based spyware signature so
that you can enable DNS sinkholing. The DNS-based spyware signature is of type spyware with
medium severity, and each signature is named Custom Malicious DNS Query <domain name>.
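The EDL behaviours described above (one entry per line, the whole IP list acting as a single address object, the per-domain signature name, and the refresh rule that keeps the last good copy on an outage but stops enforcing on an authentication failure) can be exercised offline. The following is an added example written for this page, not Palo Alto Networks code; the list contents, the '#' comment convention, and the fetch error classes are constructed assumptions.

```python
"""Parse and apply PAN-OS style External Dynamic Lists (EDLs) offline.

Added example, not Palo Alto Networks code. It models three EDL behaviours
from the study guide: one entry per line (IPs, ranges, CIDRs for IP lists;
hostnames for domain lists), the whole list acting as one address object,
and the refresh rule (keep the last good copy when the server is
unreachable, stop enforcing when authentication fails).
"""
import ipaddress

# Constructed sample lists in the one-entry-per-line text an EDL server
# would serve. '#' comments are an assumption of this example.
IP_EDL_TEXT = """\
# constructed block list
203.0.113.0/24
198.51.100.7
192.0.2.10-192.0.2.20
2001:db8::/32
not-an-ip        # malformed line, skipped
"""

DOMAIN_EDL_TEXT = """\
evil.example
login-paloalto.example
"""


def parse_ip_edl(text):
    """Return (networks, ranges): CIDRs/hosts as ip_network, ranges as tuples."""
    networks, ranges = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                ranges.append((lo, hi))
            else:
                networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            continue  # malformed entries are skipped, not fatal to the import
    return networks, ranges


def ip_in_edl(ip, parsed):
    """True if ip matches any entry: the whole list is one address object."""
    addr = ipaddress.ip_address(ip)
    networks, ranges = parsed
    return any(addr in n for n in networks if n.version == addr.version) or any(
        lo <= addr <= hi for lo, hi in ranges if lo.version == addr.version
    )


def parse_domain_edl(text):
    """Domain-type EDL: map each entry to its 'Custom Malicious DNS Query' signature name."""
    domains = [l.strip().lower() for l in text.splitlines()
               if l.strip() and not l.lstrip().startswith("#")]
    return {d: f"Custom Malicious DNS Query {d}" for d in domains}


class EdlFetchError(Exception):
    """Web server unreachable (constructed)."""


class EdlAuthError(EdlFetchError):
    """Authentication to the EDL server failed (constructed)."""


class EdlCache:
    """Refresh semantics: last good list survives outages; auth failure disables enforcement."""

    def __init__(self, fetch):
        self.fetch = fetch   # callable returning list text or raising
        self.parsed = None   # None means there is nothing to enforce

    def refresh(self):
        try:
            self.parsed = parse_ip_edl(self.fetch())
        except EdlAuthError:
            self.parsed = None   # authentication failed: policy stops enforcing the EDL
        except EdlFetchError:
            pass                 # unreachable: keep the last successfully retrieved list
        return self.parsed is not None


if __name__ == "__main__":
    lst = parse_ip_edl(IP_EDL_TEXT)
    for probe in ("203.0.113.44", "192.0.2.15", "192.0.2.21", "2001:db8:1::1"):
        print(probe, "blocked" if ip_in_edl(probe, lst) else "not in list")
    print(parse_domain_edl(DOMAIN_EDL_TEXT))
```

The range check and the CIDR check are kept per address family so an IPv6 probe never raises when compared against an IPv4 range; the malformed line shows why an EDL importer should skip bad entries rather than abandon the whole list.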

Task 4.4 Identify how NGFWs can prevent credential theft.

4.4.1 Understand which license is required to deploy the solution.

To enable credential phishing prevention, you must configure User-ID to detect when users submit valid
corporate credentials to a site (as opposed to personal credentials) and URL filtering to specify the URL
categories in which you want to prevent users from entering their corporate credentials. To set up URL
filtering, you must purchase and install a subscription for the supported URL filtering database, PAN-DB.
With PAN-DB, you can set up access to the PAN-DB public cloud or to the PAN-DB private cloud.

References

• PAN-OS 10.1 Administration Guide – Prevent Credential Phishing
  https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/url-filtering/prevent-credential-phishing.html

4.4.2 Identify which configuration artifacts are required.

How do you prevent an attack if an attacker has stolen user credentials? A common prevention method
is to configure multi-factor authentication (MFA). MFA relies on two concepts. It relies on something the
user knows—such as username and password—and something the user has—such as a security key fob,
smartphone, or MFA application running on a laptop.

When MFA is enabled, a user or an attacker must present two or more forms of user credentials, called
factors, to gain access to a network resource. The first factor commonly is a username and password.
The additional factors often are some type of numerical code that is generated on a mobile phone app,
on a dedicated security key fob, or by software installed on the user’s laptop or deskside system.

For end-user authentication through the firewall via Authentication policy, the firewall directly
integrates with the four MFA platforms shown here. The firewall accesses each MFA platform by using
the vendor API.



If you add any other MFA platforms to your firewall administrator accounts, you must use RADIUS to
authenticate your administrator accounts. The firewall can integrate with RADIUS, and RADIUS then can
integrate with many MFA vendors. To use MFA for remote user authentication to GlobalProtect portals
and gateways, the firewall integrates with MFA vendors using only RADIUS or SAML.

Addition of a second authentication factor typically requires communication with the user. The firewall
supports four types of authentication factors: Voice, SMS, Push, and PIN Code.



Protect against phishing attacks

Phishing sites are sites that attackers disguise as legitimate websites with the aim to steal user
information, especially the credentials that provide access to your network. When a phishing email
enters a network, it takes just a single user to click the link and enter credentials to set a breach into
motion. You can detect and prevent in-progress phishing attacks, thereby preventing credential theft, by
controlling sites to which users can submit corporate credentials based on the site’s URL category. This
allows you to block users from submitting credentials to untrusted sites while allowing users to continue
to submit credentials to corporate and sanctioned sites.

Credential phishing prevention works by scanning username and password submissions to websites and
comparing those submissions against valid corporate credentials. You can choose which websites you
want to either allow or block corporate credential submissions based on the URL category of the
website. When the firewall detects a user attempting to submit credentials to a site in a category you
have restricted, it either displays a block response page that prevents the user from submitting
credentials or presents a continue page that warns users against submitting credentials to sites classified
in certain URL categories, but still allows them to continue with the credential submission. You can
customize these block pages to educate users against reusing corporate credentials, even on legitimate,
non-phishing sites.

To enable credential phishing prevention, you must configure User-ID to detect when users submit valid
corporate credentials to a site (as opposed to personal credentials) and URL Filtering to specify the URL
categories in which you want to prevent users from entering their corporate credentials. The following
topics describe the different methods you can use to detect credential submissions and provide
instructions for configuring credential phishing protection.



4.4.3 Identify the types of use cases of credential phishing protection.

In this example, Bob requests access to an application server through the firewall. The firewall checks its
Authentication policy and finds a rule that matches Bob’s traffic. The Authentication policy rule invokes
MFA to challenge Bob. Bob then enters the additional authentication factor. After Bob is fully
authenticated, the firewall checks its Security policy to verify whether Bob is authorized to access the
application server. If there is a matching Security policy rule that grants Bob access, then Bob can access
the application server.

The example also shows how an attacker with Bob’s stolen username and password is denied access to
the application server. The attacker submits Bob’s stolen username and password to the firewall. The
firewall checks its Authentication policy for a rule that matches the access requested by the attacker.
The firewall locates a matching rule and invokes MFA to challenge the attacker. Because the attacker
does not know and cannot enter the second authentication factor, the firewall blocks access to the
requested network resource.

An Authentication policy enables an administrator to selectively issue MFA challenges based on the
sensitivity of the information stored on the network resource. A firewall administrator also can
configure the number and strength of the factors of authentication based on the sensitivity of the
information on each network resource. For example, you could require all corporate users to
authenticate using MFA once a day but require IT administrators to use MFA each time they use RDP to
access an Active Directory server.
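The sequence above (Authentication policy match, MFA challenge, then Security policy check) and the two factor types from 4.4.2 can be modelled in a few dozen lines. The following is an added example, not PAN-OS code: the PIN-code factor is an RFC 6238 TOTP computed locally instead of by a vendor MFA platform, and the user directory, policy rules, and the RFC 6238 test secret are constructed assumptions.

```python
"""Authentication policy with a second factor (RFC 6238 TOTP), offline.

Added example, not PAN-OS code. A matching Authentication policy rule
invokes MFA, and only a fully authenticated user reaches the Security
policy check. Users, rules and secrets below are constructed.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


# Constructed directory: "something the user knows" (password hash) and
# "something the user has" (a TOTP seed; the RFC 6238 test secret).
USERS = {
    "bob": {
        "pw_hash": hashlib.sha256(b"salt:" + b"CorrectHorse").hexdigest(),
        "totp_seed": b"12345678901234567890",
    }
}

# Constructed Authentication policy: which destinations require MFA.
AUTH_POLICY = [
    {"dest": "app-server", "mfa": True},
    {"dest": "intranet-wiki", "mfa": False},
]
# Constructed Security policy: (user, destination) pairs that are permitted.
SECURITY_POLICY = {("bob", "app-server"), ("bob", "intranet-wiki")}


def first_factor(user: str, password: str) -> bool:
    """Username and password check with a constant-time comparison."""
    u = USERS.get(user)
    if u is None:
        return False
    digest = hashlib.sha256(b"salt:" + password.encode()).hexdigest()
    return hmac.compare_digest(digest, u["pw_hash"])


def authenticate(user, password, dest, code=None, now=None):
    """Return 'denied-factor1', 'denied-mfa', 'denied-policy' or 'allowed'."""
    if not first_factor(user, password):
        return "denied-factor1"
    rule = next((r for r in AUTH_POLICY if r["dest"] == dest), None)
    if rule is not None and rule["mfa"]:
        now = int(time.time()) if now is None else now
        expected = totp(USERS[user]["totp_seed"], now)
        # An attacker holding only the stolen password cannot produce this code.
        if code is None or not hmac.compare_digest(code, expected):
            return "denied-mfa"
    if (user, dest) not in SECURITY_POLICY:
        return "denied-policy"
    return "allowed"


if __name__ == "__main__":
    t = int(time.time())
    code = totp(USERS["bob"]["totp_seed"], t)
    print("Bob with code:", authenticate("bob", "CorrectHorse", "app-server", code, t))
    print("Attacker, password only:", authenticate("bob", "CorrectHorse", "app-server", None, t))
```

Note that the order matters: the Security policy is consulted only after both factors pass, so an attacker with a valid password never learns whether the stolen account is even authorized for the destination.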



Protect against phishing attacks

The diagram shows how credential phishing prevention identifies and blocks credential phishing attacks.
If an attacker can gain access to valid corporate credentials, such access typically can go unnoticed for
some time because the attacker is using a valid username and password.

In the example, an attacker has compromised a web server to use it to steal user credentials.

Next, Bob receives a phishing email from an attacker that contains a link to the compromised web
server. Phishing emails typically describe some urgent or important action that must be taken or an
important document to be viewed.

Bob clicks the link in his email and connects to a phishing website that requests his credentials for login.
A phishing page can be specifically crafted to look like a legitimate banking site, a corporate intranet
login, Outlook Web Access, or other application. Bob is tricked by the website and enters his corporate
credentials.

The firewall notices credential information in the web traffic and uses User-ID to detect whether they
are valid corporate credentials. You can configure User-ID to use one of three different methods to
detect corporate credentials in web traffic. These methods are described later in the module.

If User-ID detects valid corporate credentials, then the firewall consults its URL filtering configuration to
determine the URL categories for which users should be prevented from entering their corporate
credentials. In this case, Bob is trying to enter his corporate credentials to a blocked website, and the
firewall blocks his credentials from being submitted.



Block is not the only action that you can configure. You also can configure the firewall to allow
credential submission or to present a response page that warns users against submitting credentials to
websites. You can customize your response page to educate users against reusing corporate credentials,
even on legitimate, non-phishing sites.
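The decision the firewall makes in the scenario above has two inputs: are the submitted credentials valid corporate credentials, and what action is configured for the destination's URL category. The following added example (not Palo Alto Networks code) models that decision offline. The page defers the three credential-detection methods to a later section, so this example assumes one way of doing it, a bloom filter of hashed username+password pairs, which keeps neither plaintext nor a reversible store on the enforcement point; the category map, action table, users and hosts are constructed.

```python
"""Credential phishing prevention as a policy decision, offline.

Added example, not Palo Alto Networks code. It combines an assumed
credential-validity check (a bloom filter of hashed corporate
credentials) with a per-URL-category action table. Users, hosts,
categories and actions are constructed.
"""
import hashlib


class BloomFilter:
    """Minimal bloom filter: k SHA-256-derived bit positions per item."""

    def __init__(self, bits: int = 4096, k: int = 4):
        self.bits, self.k = bits, k
        self.array = bytearray(bits // 8)

    def _positions(self, item: bytes):
        for i in range(self.k):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:4], "big") % self.bits

    def add(self, item: bytes) -> None:
        for p in self._positions(item):
            self.array[p // 8] |= 1 << (p % 8)

    def __contains__(self, item: bytes) -> bool:
        return all(self.array[p // 8] & (1 << (p % 8)) for p in self._positions(item))


def credential_key(username: str, password: str) -> bytes:
    """Key the pair, so a personal password next to a corporate username does not match."""
    return hashlib.sha256(f"{username.lower()}\x00{password}".encode()).digest()


# Constructed corporate directory; only the filter, never the passwords,
# would be pushed to the enforcement point.
CORPORATE = BloomFilter()
for user, pw in [("bob", "CorrectHorse"), ("alice", "Tr0ub4dor&3")]:
    CORPORATE.add(credential_key(user, pw))

# Constructed URL category lookup and per-category credential-submission actions.
URL_CATEGORIES = {
    "intranet.corp.example": "corporate",
    "mail.saas-vendor.example": "online-storage-and-backup",
    "pal0alto0netw0rks.example": "parked",
    "unknown-site.example": "unknown",
}
CREDENTIAL_ACTIONS = {
    "corporate": "allow",
    "online-storage-and-backup": "continue",  # warn the user, then permit
    "parked": "block",
    "phishing": "block",
    "unknown": "alert",
}


def credential_submission_action(host: str, username: str, password: str) -> str:
    """What happens when a user submits credentials to host: allow/alert/continue/block."""
    category = URL_CATEGORIES.get(host, "unknown")
    if credential_key(username, password) not in CORPORATE:
        return "allow"  # not corporate credentials: nothing to protect
    return CREDENTIAL_ACTIONS.get(category, "alert")


if __name__ == "__main__":
    for host, user, pw in [("pal0alto0netw0rks.example", "bob", "CorrectHorse"),
                           ("pal0alto0netw0rks.example", "bob", "my-personal-pw"),
                           ("mail.saas-vendor.example", "alice", "Tr0ub4dor&3")]:
        print(host, user, "->", credential_submission_action(host, user, pw))
```

A bloom filter can report a false positive, never a false negative, so the only failure mode here is an occasional warning or block on a non-corporate password; for a security control that is the right direction to err.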

Task 4.5 Identify the components of SD-WAN deployment.

4.5.1 Articulate the value of integrating CloudGenix and PAN-OS SD-WAN.

CloudGenix provides a software-defined, wide-area network (SD-WAN) solution that transforms legacy
wide-area networks (WANs) into a radically simplified, secure, application fabric (AppFabric), virtualizing
heterogeneous underlying transports into a unified hybrid WAN. Its cloud-delivered branch capability
and application-defined approach accelerate the Palo Alto Networks vision for the Secure Access Service
Edge (SASE).

Palo Alto Networks provides organizations with two recommended design models for deploying SD-
WAN:

• CloudGenix SD-WAN with Prisma Access

• PAN-OS Secure SD-WAN

Before addressing these two offerings, we will first show you the advantages of the CloudGenix SD-WAN
solution.

The CloudGenix SD-WAN delivered by CloudGenix Instant-On Network (ION) devices allows you to
enforce policies based on business intent, enables dynamic path selection, and provides visibility into
performance and availability for applications and networks.



Once deployed at your sites, CloudGenix ION devices automatically establish a VPN to the data centers
over every internet circuit. Additionally, the ION devices establish VPNs over private WAN circuits that
share a common service provider. You can then define application policies for performance, security,
and compliance that are aligned with your organization’s business intent. ION devices automatically
choose the best WAN path for your applications. ION devices use the business policy and real-time
analysis of the application performance metrics and WAN links to determine the appropriate path.

You perform all aspects of configuration, management, and monitoring of CloudGenix ION hardware and
software devices from the multi-tenant, CloudGenix cloud management portal, thereby eliminating the
need to individually configure devices at each location. The ION devices are preconfigured to
authenticate to the portal and support zero-touch provisioning and deployment.

4.5.2 Identify the value of CloudGenix integration with Prisma Access.

Prisma Access for networks provides security services and threat prevention for your remote networks,
safely enabling commonly used applications and web access. You connect remote networks to Prisma
Access via an industry-standard IPsec VPN-capable device. You use Panorama to manage Prisma Access
for consistency and to enable the full suite of PAN-OS features.

CloudGenix SD-WAN has a strong integration with Prisma Access. The combination of these two
technologies allows you to have a lightweight remote-site footprint while still being able to provide
comprehensive security.



As shown in the following model, each site connects to the CloudGenix SD-WAN, which is the primary
WAN for the organization and provides access to the headquarters and data center locations. This
model assumes that the central sites are already interconnected through an existing public or private
WAN connection. At all sites, you must use an ION device as an on-premises device. After the basic
device configuration is complete, you transition the site to control mode. One key difference from the
PAN-OS Secure SD-WAN model is that you use Prisma Access to secure DIA traffic, and each remote site
connects directly to Prisma Access by using third-party VPN connections.

The SD-WAN protects your internal user traffic by using secure fabric links, which use IPsec tunnels over
the public networks to ensure data privacy through strong encryption. ION devices automatically choose
the best WAN path for your applications based on business policy and real-time analysis of the
application performance metrics and WAN links. This model assumes that other (not shown) security
infrastructure devices provide internet access at the central sites.



4.5.3 Understand the capabilities of Pan-OS SD-WAN deployments.

Palo Alto Networks next-generation firewalls running PAN-OS natively include a rich set of security and
SD-WAN features that provide the highest level of security, visibility, and control for your organization.

PAN-OS version 9.1 introduces a native SD-WAN subscription to provide intelligent and dynamic path
selection in addition to the industry-leading security that PAN-OS already delivers. Beginning with this
release, your organization can avoid the growing complexity of a multivendor, multifunction approach
by consolidating multiple functions into a single, integrated multifunction security device that includes
SD-WAN.

As shown in the following model, at all locations, the next-generation firewall provides full visibility of
the users, applications, and content for all network traffic. At your remote sites, you can also use the
next-generation firewall to reduce the attack surface through segmentation.

The PAN-OS Secure SD-WAN solution is orchestrated by Panorama, which you use to configure and
monitor the central-site and remote-site devices. You use templates for network and device
configuration and device groups for policy and object configuration, including the new PAN-OS version
9.1 SD-WAN specific features. Panorama includes an SD-WAN plugin, which you use to build the IPsec
tunnel-based overlay network, configure the dynamic routing between the sites, and provide centralized
visibility of the SD-WAN.



References

• PAN DOCS – Prisma SD-WAN Solution Guide:
  https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-integration/secure-sdwans-with-prisma-access/cloudgenix-sdwan-solution-guide.html

• PAN DOCS – Prisma SD-WAN Administrator's Guide:
  https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cloudgenix/getting-started/CloudGenix-Getting-Started-Guide.pdf

• PAN Deployment Guide – CloudGenix SD-WAN with Prisma Access:
  https://www.paloaltonetworks.com/resources/guides/deployment-guide-cloudgenix-sd-wan.html

• PAN Architecture Guide – Palo Alto Networks SD-WAN:
  https://www.paloaltonetworks.com/resources/guides/sd-wan-architecture-guide

Task 4.6 Identify capabilities of path selection and session management.

4.6.1 Articulate the business value of CloudGenix and Pan-OS session failover.

The key business drivers toward SD-WAN solutions are as follows:

• Apps are moving to the cloud, driving the need for direct internet access to improve user
experience.

• More apps and devices demand greater bandwidth in the branch.

• MPLS services tend to backhaul traffic and are slow and costly to provision. Also, connectivity
options are limited in certain locations.

A next-generation SD-WAN solution addresses these requirements by operating at Layer 7.

Session failover is the mechanism by which the SD-WAN controller, in case of link failure, selects the
best link for each connection based not only on Layer 3 performance indicators but also on Layer 7
traffic characteristics.



This approach enables customers to optimize the user experience accessing HQ hosted applications or
cloud native applications.

References

• PAN NextWave Partner – Prisma SD-WAN:


https://www.paloaltonetworks.com/partners/nextwave-partner-portal/help-me-sell/cloudgenix

• PAN NextWave Partner – PAN-OS SD-WAN:


https://www.paloaltonetworks.com/partners/nextwave-partner-portal/help-me-sell/sd-wan

4.6.2 Identify the capabilities of CloudGenix path selection.

The CloudGenix dynamic path selection algorithms leverage true Layer 7 application reachability and
end-user application performance metrics along with traditional link-level metrics.

What is CloudGenix dynamic path selection?

With CloudGenix, there are three policy types: performance, security, and compliance. CloudGenix's
approach to networking is to have one consistent application definition for all three policy types. By
incorporating an accurate detection of the application, policy enforcement is far more accurate, and
more intelligent decisions are made based on actual application metrics rather than low-level,
inaccurate packet details. CloudGenix uses a superset of the metrics used by packet-based platforms
(link statistics, latency, bandwidth, reachability, packet loss, jitter) in addition to transaction response
times, server response time, and application goodput (application-level throughput). Further, mean
opinion scores (MOS) are calculated for each link and media application, which helps keep service
providers honest when it comes to negotiated service level agreements (SLAs).



Dynamic path selection decisions are made on a per-application transaction and per-session basis in
real-time to account for changes in application reachability, network conditions, and application
performance.

References

• PAN DOCS – Prisma SD-WAN Administrator's Guide:
  https://docs.paloaltonetworks.com/content/dam/techdocs/en_US/pdf/cloudgenix/getting-started/CloudGenix-Dynamic-Path-Selection.pdf

4.6.3 Identify the capabilities of Pan-OS path selection.

A next-generation firewall already performs many of the difficult functions of SD-WAN.

The main capability to add in order to build an SD-WAN solution is path latency measurement, which is
used to make the initial forwarding selection. The firewall then monitors the paths and dynamically
moves the session if the path is no longer suitable for that application.

To do SD-WAN, you must do the following:

• Path metrics

• Dynamic path selection

• Path bonding

Palo Alto Networks SD-WAN lets you measure and monitor specific paths as well as dynamically move
sessions to the optimal path, guaranteeing the best branch user experience. You can simply enable the
SD-WAN subscription on your next-generation firewalls and begin intelligently, securely routing branch
traffic to your cloud applications.



Path Quality Profile

Path Quality Profile specifies maximum latency, jitter, and packet loss thresholds. Exceeding a threshold
indicates that the path has deteriorated, and the firewall needs to select a new path to the target. A
sensitivity setting of high, medium, or low lets you indicate to the firewall which path monitoring
parameter is more important for the applications to which the profile applies. The green arrow indicates
that you reference a Path Quality Profile in one or more SD-WAN Policy Rules; thus, you can specify
different thresholds for rules applied to packets having different applications, services, sources,
destinations, zones, and users.
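The threshold-and-sensitivity logic described above, and the per-session path decision from 4.6.2, can be written out as a small selection routine. The following is an added example, not PAN-OS or CloudGenix code: latency, jitter and loss are derived from constructed probe samples, a path that exceeds any threshold of the profile is disqualified, and the profile's sensitivity is simplified to naming the metric that ranks the remaining paths (PAN-OS expresses it as high/medium/low). Path names, samples and profiles are constructed.

```python
"""SD-WAN path selection against a Path Quality Profile, offline.

Added example, not PAN-OS code. Per-path latency, jitter and packet loss
are measured from constructed probe samples; a path that exceeds any
profile threshold is disqualified; the sensitivity setting (simplified
here to a metric name) ranks the healthy paths.
"""
from statistics import mean

# Constructed probe samples per WAN path: round-trip times in ms, None = lost probe.
PROBES = {
    "mpls":  [42, 42, 43, 42, 42, 43, 42, 42],
    "isp-a": [12, 14, 13, 60, 15, None, 14, 13],
    "isp-b": [25, 27, 26, 28, 26, 27, 25, 26],
}

# Constructed Path Quality Profiles: thresholds plus the metric the profile is most sensitive to.
VOIP_PROFILE = {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0, "sensitivity": "jitter_ms"}
BULK_PROFILE = {"latency_ms": 300, "jitter_ms": 100, "loss_pct": 20.0, "sensitivity": "latency_ms"}

METRICS = ("latency_ms", "jitter_ms", "loss_pct")


def path_metrics(samples):
    """Latency = mean RTT, jitter = mean absolute delta between probes, loss = % of lost probes."""
    got = [s for s in samples if s is not None]
    loss = 100.0 * (len(samples) - len(got)) / len(samples)
    latency = mean(got) if got else float("inf")
    jitter = mean(abs(a - b) for a, b in zip(got, got[1:])) if len(got) > 1 else 0.0
    return {"latency_ms": latency, "jitter_ms": jitter, "loss_pct": loss}


def exceeds(metrics, profile):
    """Names of the thresholds this path has crossed (empty list = path is healthy)."""
    return [k for k in METRICS if metrics[k] > profile[k]]


def select_path(probes, profile, current=None):
    """Keep the current path while it meets the profile; otherwise move to the best
    healthy path, ranked by the sensitive metric first and the others as tie-breaks.
    Returns None when no path meets the profile."""
    metrics = {name: path_metrics(s) for name, s in probes.items()}
    if current in metrics and not exceeds(metrics[current], profile):
        return current  # no threshold crossed: do not churn the session
    primary = profile["sensitivity"]
    others = [k for k in METRICS if k != primary]
    healthy = [n for n, m in metrics.items() if not exceeds(m, profile)]
    if not healthy:
        return None
    return min(healthy, key=lambda n: (metrics[n][primary], *[metrics[n][k] for k in others]))


if __name__ == "__main__":
    for name, samples in PROBES.items():
        m = path_metrics(samples)
        print(f"{name}: {m}  voip exceeds={exceeds(m, VOIP_PROFILE)}")
    print("voip ->", select_path(PROBES, VOIP_PROFILE, current="isp-a"))
    print("bulk ->", select_path(PROBES, BULK_PROFILE))
```

With these samples the lossy but fast `isp-a` is rejected for voice on packet loss alone even though its latency is the best of the three, while the bulk profile tolerates the loss and takes it; swapping the voice profile's sensitivity from jitter to latency moves the choice from `mpls` to `isp-b`, which is the effect the sensitivity setting is for.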

References

• PAN DOCS – SD-WAN Configuration Elements:
  https://docs.paloaltonetworks.com/sd-wan/2-1/sd-wan-admin/sd-wan-overview/sd-wan-configuration-elements.html

Task 4.7 Identify how to configure NGFWs for evaluation purposes.

4.7.1 Understand how to export data from NGFWs for SLR.

Security Lifecycle Review (SLR) is a cloud-based application that summarizes the risks your organization
faces and how exposed you are to threats. An SLR report can be used as part of an initial product
evaluation or during regular security check-ups. Plus, SLR reports are highly customizable—you can
choose to include only the information that is most important to you and make summaries, findings, and
recommendations more targeted.

SLR reports summarize the security and operational risks your organization faces and breaks this data
down so that you can quickly and easily identify how to reduce your attack surface. Each section of the
SLR report focuses on different types of network activity—application usage, web browsing, data
transfer, and threat prevalence—and surfaces the greatest risks in each area. SLR reports display your
organization’s statistics alongside the averages for your industry peers, so you can best understand your
results in context.

After you generate an SLR report or open an existing SLR report, you can more closely examine the
report. Select the Take a Tour option to walk through and learn about each section of an SLR report.



Executive Summary Provides a bird’s-eye view of the state of your network. Statements on the total number of threats
detected on your network and the number of applications in use (including high-risk and SaaS
applications) allow you to quickly assess how exposed you are to risk and focus areas for more strict
or granular security policy control.

Applications Gives you a view into the applications traversing your network, especially highlighting applications
that are commonly non-compliant and/or can introduce operational or security risks. Application
findings also include total and application-level bandwidth consumption and the applications in use
according to type (like media or collaboration). This application visibility allows you to weigh the
business value of applications in use on your network, against the risk that applications can introduce
(such as malware delivery, data exfiltration, or excessive bandwidth consumption).

PALO ALTO NETWORKS PSE: Strata Professional Study Guide 98


SaaS Applications Highlights the SaaS applications in use on your network, including the SaaS apps that are transferring
the most data and those that have risky hosting characteristics (frequent data breaches, poor terms
of service, etc.) Understanding the presence of SaaS apps on your network can help you work toward
safely enabling the apps that are critical to your business, while providing threat protection and
preventing data leaks.

URL Activity: Summarizes the web browsing activity on your network. Uncontrolled web access can result
in exposure to malware, phishing attacks, and data loss. URL activity findings particularly highlight the
malicious URL categories that your users are accessing, and the most highly trafficked URL categories.

Threats: Summarizes your organization’s risk exposure by breaking down the attacks detected in your
network:

● Detected viruses and malware

● System flaws that an attacker might attempt to exploit

● Command-and-control (C2) activity, where spyware is collecting data and/or communicating with a
remote attacker

● Vulnerable, unpatched applications that attackers can leverage to gain access to or further
infiltrate your network

DNS Security Analysis: Summarizes your exposure to threats hidden within DNS traffic. DNS is an
often-overlooked attack vector. Advanced attackers in particular use DNS-based techniques like DNS
tunneling and domain generation algorithms (DGAs) to exfiltrate data and to set up command-and-control
(C2) channels, respectively. To give you a view into malicious DNS activity on your network, the DNS
Security Analysis section also reveals:

● How much of your DNS traffic is malicious, with the malicious DNS traffic categorized as C2, DGA,
or DNS tunneling

● The domains and destination IP addresses that are most requested from within your
network

● The top malicious domains accessed from your network, and the countries hosting most of
these malicious domains

● The malware families most associated with the malicious domains being accessed from
inside your network

4.7.2 Understand how to run reports.

You can generate any number of SLR reports, at any time. An SLR report summarizes up to 90 days of
network activity, for any date and time range of your choosing. Past reports are saved on the SLR
homepage and list additional details, including the report creator and the creation date.

You can generate an SLR report in the following languages:

• Chinese (both simplified and traditional)

• English (US and UK)

• French

• German

• Italian

• Japanese

• Korean

• Polish

• Portuguese

• Russian

• Spanish

After you have generated an SLR report, you can customize the report to include only the information
that is most important to you, and to make summaries and recommendations that are targeted to your
organization.

Follow these steps to generate a report:

Step 1: Log in to the Palo Alto Networks hub and open the Security Lifecycle Review (SLR) app.

Step 2: Select Generate New Report.

Step 3: Define the scope of the report that you want to generate.

• Date Range: Enter the date range for which you would like SLR to summarize your network activity
and threat exposure. You can select a date range up to 90 days, and for the first and last days of the
date range, you can select the time of day.

• Prepared By: Enter the name of the individual or organization preparing this report. The name you
enter here will appear on the report title page.

• Language: Choose the report language.

• Region: Select the region where Cortex Data Lake stores the logs that SLR examines to generate the
report.

Step 4: Select Generate Report.

Step 5: When report generation is complete, the new report is displayed for your review.

You can now choose to do the following:

• Customize the sections that the report includes or go directly to a specific section.

• Go directly to a specific section of the report and add or remove content there.

• Walk through the report to learn about the type of information provided in each section.

• Download the report in PDF format, for easy sharing.

4.7.3 Understand how to pivot from ACC to the FW logs.

During an NGFW demo session, it is critical to highlight the NGFW features that help to address the
customer’s pain points.

The information categories shown in the Application Command Center (ACC) interface allow you to focus on
many security elements.

A Prevention Posture Assessment is a good compass with which to determine a customer’s main
concerns about network security, for example:

Customer concern               ACC tab / ACC sections

Advanced Persistent Threats    Threat

Data Exfiltration              Network - Applications

External Threats               Threat and Blocked Traffic tabs

Unknown Traffic                Network

After completing the description of information presented in the ACC, the SE can switch to the logs using
the same filter applied to the ACC view.

The selection of the specific log type (Traffic, Threat, URL Filtering) depends on the questions raised by
the customer. In the log view, it is important to highlight the availability of indicators of compromise
(IOCs) that can be used to improve the security controls applied.

References

• PAN NextWave Partner – Prevention Posture Assessment
https://www.paloaltonetworks.com/partners/nextwave-partner-portal/help-me-learn/prevention-posture-assesment

4.7.4 Understand how security profiles work.

Security profiles represent additional security checks to be performed on allowed network traffic.
Security profiles are objects that are added to Security policy allow rules. Security profiles are not
necessary for Security policy deny rules, because the packets are already blocked from delivery. As with
Security policy rules, Security profiles are applied to all packets over the life of a session.

Security profiles check allowed traffic for viruses, spyware, software exploits, malicious URLs, malicious
file transfers, sensitive data transfers, and zero-day malware. They also apply administrator-defined
actions to traffic. Security profiles can allow or block traffic, can ask for user permission before
continuing an activity, and can log threats to log files. Security profiles log detected threats to the logs
found at Monitor > Logs.

Security profiles enable you to have more granular control over allowed traffic. For example, even
though web browsing might be allowed by a Security policy rule, there still might be a concern that
users could download a virus from a website. An Antivirus Security profile can be attached to the
Security policy rule to detect, block, and log a virus in allowed traffic.

Security profiles protect your environment against known and unknown threats.

The Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, Data Filtering, and File Blocking
profiles protect against known threats. Antivirus, Anti-Spyware, and Vulnerability Protection profiles use
signature matching to detect known threats. Updated signatures are distributed in daily Antivirus
content updates and in weekly Applications and Threats content updates. You also can create custom
signatures for Anti-Spyware and Vulnerability Protection profiles. URL Filtering and Data Filtering
profiles use pattern matching to detect known threats. File Blocking profiles use file type and transfer
direction to detect unauthorized file transfer.

A WildFire Analysis profile helps protect against unknown threats. WildFire analysis is conducted
through examination of files and URLs in a virtual sandbox environment. WildFire creates new
signatures for any newly discovered threats and distributes these new signatures to Palo Alto Networks
firewalls around the world. The benefit is that, after WildFire discovers a zero-day threat anywhere, in a
matter of minutes it distributes new protection worldwide to all firewalls with a WildFire subscription.

You can assign either individual Security profiles or a Security profile group to a Security policy rule. To
assign individual Security profiles to a Security policy rule, select Profiles as the Profile Type. To assign a
Security profile group to a Security policy rule, select Group as the Profile Type.

The firewall supports the ability to create Security profile groups, which specify sets of Security profiles
that you can add in one step to a Security policy rule. For example, you can create a Security profile
group that includes Security profiles for Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering,
and File Blocking, and then assign that Security profile group to a Security policy rule. Use of Security
profile groups simplifies Security policy rule administration.

4.7.5 Understand how to manipulate policies.

Security policies allow you to enforce rules and take action and can be as general or specific as needed.
The policy rules are compared against the incoming traffic in sequence, and because the first rule that
matches the traffic is applied, the more specific rules must precede the more general ones to avoid rule
shadowing. For example, a rule for a single application must precede a rule for all applications if all other
traffic-related settings are the same.

For traffic that does not match any user-defined rules, the default rules apply. The default rules—
displayed at the bottom of the security rulebase—are predefined to allow all intrazone traffic (within
the zone) and deny all interzone traffic (between zones). Although these rules are part of the predefined
configuration and are read-only by default, you can override them and change a limited number of
settings, including the tags, action (allow or deny), log settings, and security profiles.
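To make the first-match evaluation, rule shadowing and the two default rules concrete, here is an added example that is not part of the study guide or of PAN-OS itself: a small Python model of a Security rulebase. The zone names, application names, rule names and the profile group name are constructed for illustration.

```python
# Added example, not from the study guide: a minimal first-match model of a
# PAN-OS style Security rulebase showing rule shadowing and the default rules.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY = "any"

@dataclass
class Rule:
    name: str
    src_zone: str = ANY
    dst_zone: str = ANY
    app: str = ANY
    action: str = "allow"
    profile_group: Optional[str] = None  # Security profile group; only meaningful on allow rules

    def fields(self) -> Tuple[str, str, str]:
        return (self.src_zone, self.dst_zone, self.app)

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        # A field matches when the rule says "any" or names exactly the session's value.
        return all(want in (ANY, have) for want, have in zip(self.fields(), (src_zone, dst_zone, app)))

# Predefined rules at the bottom of every rulebase (read-only unless overridden).
INTRAZONE_DEFAULT = Rule("intrazone-default", action="allow")
INTERZONE_DEFAULT = Rule("interzone-default", action="deny")

def evaluate(rules: List[Rule], src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    """Return (name, action) of the first matching rule, top down, else the applicable default rule."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule.name, rule.action
    default = INTRAZONE_DEFAULT if src_zone == dst_zone else INTERZONE_DEFAULT
    return default.name, default.action

def covers(general: Rule, specific: Rule) -> bool:
    """True when every match field of `general` is 'any' or equals the same field of `specific`."""
    return all(g == ANY or g == s for g, s in zip(general.fields(), specific.fields()))

def shadowed(rules: List[Rule]) -> List[str]:
    """Rules that can never match because an earlier rule already covers every session they would."""
    return [rule.name for i, rule in enumerate(rules) if any(covers(earlier, rule) for earlier in rules[:i])]

# Constructed sample rulebase: the general allow comes first, so the specific deny is shadowed.
SHADOWED_ORDER = [
    Rule("allow-outbound", "trust", "untrust", ANY, "allow", "default-profiles"),
    Rule("block-bittorrent", "trust", "untrust", "bittorrent", "deny"),
]
CORRECT_ORDER = list(reversed(SHADOWED_ORDER))  # specific rule first, as the guide recommends
```

`shadowed(SHADOWED_ORDER)` reports `block-bittorrent`, and a session that matches no user-defined rule falls to `intrazone-default` (allow) or `interzone-default` (deny) depending on whether its source and destination zones are the same.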

To display your Security policy rules in the web interface, first browse to Policies > Security. Each logged-
in admin can customize the web interface display. Modify the number of columns displayed by clicking
any column header and selecting from the list that the web interface displays. The order in the list
matches the order in which the columns are displayed in the web interface. For example, notice that the
Group column is deselected in the list and that the corresponding column is missing in the web interface
display. The Group column would have been displayed between the Tags and Type columns.

After rules are created, they are listed and numbered. The numbers in the first column are not part of
the rules and do not move with a rule when it is reordered. The toolbar below the rules helps you to manage
the rules and enables you to perform actions on your rules.

To add a rule, click Add. To delete a rule, select it and click Delete. To use an existing rule as a template
to create a new rule, select it and click Clone.

To modify an implicit intrazone-default or interzone-default rule, select it and click Override. To revert it
to its original state, click Revert.

To disable a rule without removing it, click Disable. You can disable a rule to stage it or temporarily
make it inactive to troubleshoot a problem. A disabled rule appears in a gray italic font.

Remember that the firewall matches traffic to rules from the top down, so arrange the rules in the
proper order to yield the desired behavior. The web interface provides multiple methods to reorder
rules. To use the Move option, first select the rule that you want to re-order and then click Move. You
can then see the options to move the rule up, down, to the top, or to the bottom. You also can use the
mouse pointer to drag and drop a rule to the desired location within your ruleset.
