Palo Alto Networks PCNSE Practice Test - Questions Answers, Page 20

In the WildFire best practices linked below, the first step is to "... make sure that you have an active Threat Prevention subscription. Together, WildFireÆ and Threat Prevention enable comprehensivethreat detection and prevention." https:// docs.paloaltonetworks.com/wildfire/10-1/wildfire- admin/wildfire-deployment-best-practices/wildfire-best-practices.html

Short According to the Palo Alto Networks documentation, "To use a template stack for a device group, you must add the template stack as a reference template in the device group. This enables you to use zones and interfaces defined in the template stack when creating policies for the device group." Reference: https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-templates-and-template-stacks

The threat profile has the action set to "alert" which means that the traffic is allowed but logged. The profile also has the "Tag Source IP" option enabled with the tag name "BadGuys" and the timeout value of 180 minutes. This means that any source IP address that matches a threat signature will be tagged with "BadGuys" for 180 minutes. The tag can be used for dynamic address groups or external dynamic lists to enforce policy actions based on the tag. Reference: :https:// docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/set-up-antivirus- anti-spyware-and-vulnerability-protection/tag-source-ip-addresses-that-trigger-threat-signatures

The administrator should add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile to allow the tool to scan through the firewall. Reconnaissance protection is a feature of Zone Protection profiles that allows the firewall to detect and block network reconnaissance attempts, such as port scans. The source address exclusion list allows theadministrator to whitelist up to 20 IP addresses or netmask address objects that are exempt fromreconnaissance protection1. Option A is incorrect because removing the Zone Protection profile from the zone setting would disable all the zone protection features, not just reconnaissance protection.This would reduce the security of the zone and expose it to other types of attacks. Option C is incorrect because adding the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile would not have any effect. DoS Protection profiles are used to protect against excessive traffic volume, not network reconnaissance attempts. Option D is incorrect because changing the TCP port scan action from Block to Alert in the Zone Protection profile would only affect TCP port scans, not other types of scans. It would also affect all TCP port scans, not just those from the tool IP address.https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos- protection/configure-zone-protection-to-increase-network-security/configure-reconnaissance- protection

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClKQCA0 "Locally defined dynamic updates setting on a managed Palo Alto Networks firewall take preference over the Panorama pushed setting."

Read-only access to all firewall settings except password profiles (no access) and administratoraccounts (only the logged in account is visible). https://docs.paloaltonetworks.com/pan-os/10- 1/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama- features/automatic-panorama-connection-recovery

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/authentication/authentication- policy/configure-authentication-policy