ExamGecko

Palo Alto Networks PCNSA Practice Test - Questions Answers, Page 30


Within an Anti-Spyware security profile, which tab is used to enable machine learning based engines?

A. Inline Cloud Analysis
B. Signature Exceptions
C. Machine Learning Policies
D. Signature Policies
Suggested answer: A

Explanation:

An Anti-Spyware security profile is a set of rules that defines how the firewall detects and prevents spyware from compromising hosts on the network. Spyware is a type of malware that collects information from the infected system, such as keystrokes, browsing history, or personal data, and sends it to an external command-and-control (C2) server [1].

An Anti-Spyware security profile consists of four tabs: Signature Policies, Signature Exceptions, Machine Learning Policies, and Inline Cloud Analysis [1].

The Signature Policies tab allows you to configure the actions and log settings for each spyware signature category, such as adware, botnet, keylogger, phishing, or worm. You can also enable DNS Security to block malicious DNS queries and responses [1].

The Signature Exceptions tab allows you to create exceptions for specific spyware signatures for which you want to override the default action or log settings. For example, you can allow a signature that is normally blocked by the profile, or block a signature that is normally alerted by the profile [1].

The Machine Learning Policies tab allows you to configure the actions and log settings for machine learning based signatures that detect unknown spyware variants. You can also enable WildFire Analysis to submit unknown files to the cloud for further analysis [1].

The Inline Cloud Analysis tab allows you to enable machine learning based engines that detect unknown spyware variants in real time. These engines use cloud-based models to analyze the behavior and characteristics of network traffic and identify malicious patterns. You can enable inline cloud analysis for HTTP/HTTPS traffic, SMTP/SMTPS traffic, or IMAP/IMAPS traffic [1].

Therefore, the tab that is used to enable machine learning based engines is the Inline Cloud Analysis tab.

References:

[1] Security Profile: Anti-Spyware - Palo Alto Networks

Which two DNS policy actions in the anti-spyware security profile can prevent hacking attacks through DNS queries to malicious domains? (Choose two.)

A. Deny
B. Sinkhole
C. Override
D. Block
Suggested answer: B, D

Explanation:

A DNS policy action is a setting in an Anti-Spyware security profile that defines how the firewall handles DNS queries to malicious domains. A malicious domain is a domain name that is associated with a known threat, such as malware, phishing, or botnet [1].

There are four possible DNS policy actions: alert, allow, block, and sinkhole [1].

The alert action logs the DNS query and allows it to proceed to the intended destination. This action does not prevent hacking attacks, but only notifies the administrator of the potential threat [1].

The allow action allows the DNS query to proceed to the intended destination without logging it. This action does not prevent hacking attacks, but only bypasses the DNS security inspection [2].

The block action blocks the DNS query and sends a response to the client with an NXDOMAIN (non-existent domain) error code. This action prevents hacking attacks by preventing the client from resolving the malicious domain [1].

The sinkhole action redirects the DNS query to a predefined IP address (the sinkhole IP address) that is under the control of the administrator. This action prevents hacking attacks by isolating the client from the malicious domain and allowing the administrator to monitor and remediate the infected host [1].

The override action is not a valid DNS policy action, but a setting in an Anti-Spyware security profile that allows the administrator to create exceptions for specific spyware signatures for which they want to override the default action or log settings [3].

Therefore, the two DNS policy actions that can prevent hacking attacks through DNS queries to malicious domains are block and sinkhole.

References:

[1] Enable DNS Security - Palo Alto Networks
[2] How To Disable the DNS Security Feature from an Anti-Spyware Profile - Palo Alto Networks
[3] Security Profile: Anti-Spyware - Palo Alto Networks

Which profile should be used to obtain a verdict regarding analyzed files?

A. WildFire analysis
B. Vulnerability profile
C. Content-ID
D. Advanced threat prevention
Suggested answer: A

Explanation:

A profile is a set of rules or settings that defines how the firewall performs a specific function, such as detecting and preventing threats, filtering URLs, or decrypting traffic [1].

There are different types of profiles that can be applied to different types of traffic or scenarios, such as Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, Data Filtering, Decryption, or WildFire Analysis [1].

The WildFire Analysis profile is a profile that enables the firewall to submit unknown files or email links to the cloud-based WildFire service for analysis and verdict determination [2]. WildFire is the industry's most advanced analysis and prevention engine for highly evasive zero-day exploits and malware [3]. WildFire uses a variety of malware detection techniques, such as static analysis, dynamic analysis, machine learning, and intelligent run-time memory analysis, to identify and protect against unknown threats [3][4].

The Vulnerability Protection profile is a profile that protects the network from exploits that target known software vulnerabilities. It allows the administrator to configure the actions and log settings for each vulnerability severity level, such as critical, high, medium, low, or informational [5].

Content-ID is not a profile, but a feature of the firewall that performs multiple functions to identify and control applications, users, content, and threats on the network. Content-ID consists of four components: App-ID, User-ID, Content Inspection, and Threat Prevention [6].

Advanced Threat Prevention is not a profile, but a term that refers to the comprehensive approach of Palo Alto Networks to prevent sophisticated and unknown threats. Advanced Threat Prevention includes WildFire, but also other products and services, such as DNS Security, Cortex XDR, Cortex XSOAR, and AutoFocus [7].

Therefore, the profile that should be used to obtain a verdict regarding analyzed files is the WildFire Analysis profile.

References:

[1] Security Profiles - Palo Alto Networks
[2] WildFire Analysis Profile - Palo Alto Networks
[3] WildFire - Palo Alto Networks
[4] Advanced Wildfire as an ICAP Alternative | Palo Alto Networks
[5] Vulnerability Protection Profile - Palo Alto Networks
[6] Content-ID - Palo Alto Networks
[7] Advanced Threat Prevention - Palo Alto Networks

How can a complete overview of the logs be displayed to an administrator who has permission in the system to view them?

A. Select the unified log entry in the side menu.
B. Modify the number of columns visible on the page.
C. Modify the number of logs visible on each page.
D. Select the system logs entry in the side menu.
Suggested answer: A

Explanation:

The best way to view a complete overview of the logs is to select the unified log entry in the side menu. The unified log is a single view that displays all the logs generated by the firewall, such as traffic, threat, URL filtering, data filtering, and WildFire logs [1]. The unified log allows the administrator to filter, sort, and export the logs based on various criteria, such as time range, severity, source, destination, application, or action [1].

Modifying the number of columns visible on the page or the number of logs visible on each page does not provide a complete overview of the logs, but only changes the display settings of the current log view. Selecting the system logs entry in the side menu does not show all the logs generated by the firewall, but only shows the logs related to system events, such as configuration changes, system alerts, or HA status [2].

References:

[1] View Logs - Palo Alto Networks
[2] View and Manage Logs - Palo Alto Networks

How are service routes used in PAN-OS?

A. By the OSPF protocol, as part of Dijkstra's algorithm, to give access to the various services offered in the network
B. To statically route subnets so they are joinable from, and have access to, the Palo Alto Networks external services
C. For routing, because they are the shortest path selected by the BGP routing protocol
D. To route management plane services through data interfaces rather than the management interface
Suggested answer: D

Explanation:

Service routes are a feature of PAN-OS that allows the administrator to customize the interface that the firewall uses to send requests to external services, such as DNS, email, Palo Alto Networks updates, User-ID agent, syslog, Panorama, dynamic updates, URL updates, licenses, and AutoFocus [1].

By default, the firewall uses the management interface for all service routes, unless the packet destination IP address matches the configured destination service route, in which case the source IP address is set to the source address configured for the destination [1].

However, in some scenarios, the administrator may want to use a different interface for service routes, such as when the management interface does not have public internet access, or when the administrator wants to isolate or monitor the traffic for certain services [2][3].

To configure service routes, the administrator can select Device > Setup > Services > Service Route Configuration and customize each service with a source interface and a source address. The administrator can also configure destination service routes to specify a destination IP address and a gateway for each service [1].

Service routes are not related to routing protocols such as OSPF or BGP, which are used to exchange routing information between routers and determine the best path to reach a network destination. Service routes are only used to change the interface that the firewall uses to communicate with external services.

Therefore, service routes are used to route management plane services through data interfaces rather than the management interface.

References:

[1] Configure Service Routes - Palo Alto Networks
[2] Setting a Service Route for Services to Use a Dataplane's Interface - Palo Alto Networks
[3] How to Perform Updates when Management Interface does not have Public Internet Access - Palo Alto Networks

In which three places on the PAN-OS interface can the application characteristics be found? (Choose three.)

A. Objects tab > Application Filters
B. Policies tab > Security
C. ACC tab > Global Filters
D. Objects tab > Application Groups
E. Objects tab > Applications
Suggested answer: A, D, E

Explanation:

The application characteristics can be found in three places on the PAN-OS interface: Objects tab > Application Filters, Objects tab > Application Groups, and Objects tab > Applications. These places allow you to view and manage the applications and application groups that are used in your Security policy rules. You can also create custom applications and application filters based on various attributes, such as category, subcategory, technology, risk, and behavior [1]. Some of the characteristics of these places are:

Objects tab > Application Filters: An application filter is a dynamic object that groups applications based on specific criteria. You can use an application filter to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application filter that includes all applications that have a high risk level or use peer-to-peer technology.

Objects tab > Application Groups: An application group is a static object that groups applications based on your custom requirements. You can use an application group to match multiple applications in a Security policy rule without having to list them individually. For example, you can create an application group that includes all applications that are related to a specific business function or project.

Objects tab > Applications: An application is an object that identifies and classifies network traffic based on App-ID, which is a technology that uses multiple attributes to identify applications. You can use an application to match a specific application in a Security policy rule and control its access and behavior. For example, you can use an application to allow web browsing but block file sharing or social networking.

An administrator wants to reference the same address object in Security policies on 100 Panorama managed firewalls, across 10 device groups and five templates.

Which configuration action should the administrator take when creating the address object?

A. Ensure that the Shared option is checked.
B. Ensure that the Shared option is cleared.
C. Ensure that Disable Override is cleared.
D. Tag the address object with the Global tag.
Suggested answer: A

Explanation:

To reference the same address object in Security policies on 100 Panorama-managed firewalls, across 10 device groups and five templates, the administrator should ensure that the Shared option is checked when creating the address object. This option allows the administrator to create a shared address object that is available to all device groups and templates on Panorama. The shared address object can then be used in multiple firewall policy rules, filters, and other functions [1]. This reduces the complexity and duplication of managing address objects across multiple firewalls [2].

References:

[1] Address Objects - Palo Alto Networks
[2] Create a Shared Address Object - Palo Alto Networks
Certifications - Palo Alto Networks
Palo Alto Networks Certified Network Security Administrator (PAN-OS 10.0)

What are three configurable interface types for a data-plane ethernet interface? (Choose three.)

A. Layer 3
B. HSCI
C. VWire
D. Layer 2
E. Management
Suggested answer: A, C, D

Explanation:

Three configurable interface types for a data-plane ethernet interface are Layer 3, VWire, and Layer 2. These interface types determine how the firewall processes traffic and applies security policies. Some of the characteristics of these interface types are:

Layer 3: A layer 3 interface allows the firewall to act as a router and participate in the network routing. The firewall can send and receive traffic from a layer 3 interface and apply security policies and inspect the traffic based on the source and destination IP addresses and zones of the interface [1].

VWire: A virtual wire interface allows the firewall to transparently pass traffic between two network segments without modifying the packets or affecting the routing. The firewall can still apply security policies and inspect the traffic based on the source and destination zones of the virtual wire [2].

Layer 2: A layer 2 interface allows the firewall to act as a switch and forward traffic based on MAC addresses. The firewall can send and receive traffic from a layer 2 interface and apply security policies and inspect the traffic based on the source and destination zones of the interface [3].

Which path in PAN-OS 10.2 is used to schedule a content update to managed devices using Panorama?

A. Panorama > Device Deployment > Dynamic Updates > Schedules > Add
B. Panorama > Device Deployment > Content Updates > Schedules > Add
C. Panorama > Dynamic Updates > Device Deployment > Schedules > Add
D. Panorama > Content Updates > Device Deployment > Schedules > Add
Suggested answer: A

Explanation:

Reference: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/upgrade-panorama/deploy-updates-to-firewalls-log-collectors-and-wildfire-appliances-using-panorama/schedule-a-content-update-using-panorama

Which Security policy action will message a user's browser that their web session has been terminated?

A. Drop
B. Deny
C. Reset client
D. Reset server
Suggested answer: C

Explanation:

Sending a reset only to the client would ensure, for example, that internal hosts receive a notification that the session was reset and the browser is not left spinning, or that the application can close the established session, while the remote server is left unaware.

Reference: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClltCAC

Total 362 questions