PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Question and Answers

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-the-rule-hierarchy#idfb9e2593-a7f1-4e0d-aab5-a2903d654c99 https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-policies#id671977ca-1041-4605-8a80-fbc10f3f5d7b

The Advanced Routing Engine in Palo Alto Networks firewalls enhances the capabilities of routing functionalities, allowing for more complex and robust routing configurations. To enable the Advanced Routing Engine on a Palo Alto Networks firewall, an administrator needs to navigate to the Network tab, select Virtual Routers, and then access the settings for the specific virtual router they wish to configure. Within the Router Settings under the General tab, there's an option to enable Advanced Routing features. After enabling this option, the administrator must commit the changes and perform a system reboot for the changes to take effect. This process allows the firewall to utilize advanced routing protocols and features, enhancing its ability to manage and route traffic more efficiently across different network segments.

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices

When implementing an application override in a Palo Alto Networks firewall, the primary goal is to explicitly define how specific traffic is identified and processed by the firewall, bypassing the regular App-ID process. This is particularly useful for traffic that might be misidentified by App-ID or for applications that require special handling for performance reasons.

To successfully implement application override, the following items must be configured:

B. Application override policy rule:This is a specialized policy rule that you create to specify the criteria for the traffic you want to override. In this rule, you define the source and destination zones, addresses, and ports. Instead of relying on the App-ID engine to identify the application, the firewall uses the criteria defined in the application override policy to classify the traffic.

C. Security policy rule:After defining an application override policy, you must also configure a security policy rule to allow the overridden traffic through the firewall. This rule specifies the action (allow, deny, drop, etc.) for the traffic that matches the application override policy. It's essential to ensure that the security policy rule matches the traffic defined in the application override policy to ensure that the intended traffic is allowed through the firewall.

For detailed guidance on configuring application override and the necessary security policies, refer to the official Palo Alto Networks documentation. This resource provides step-by-step instructions and best practices for effectively managing traffic using application overrides.

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/app-id/disable-the-sip-application-level-gateway-alg

A, C, and D are the correct answers because they are the parts of a template that an engineer can configure in Panorama. A template is a collection of device and network settings that can be pushed to multiple firewalls from Panorama1. A template can contain settings such as2:

A: NTP Server Address: This is the address of the Network Time Protocol server that synchronizes the time on the firewall.

C: Authentication Profile: This is the profile that defines how the firewall authenticates users and administrators.

D: Service Route Configuration: This is the configuration that specifies which interface and source IP address the firewall uses to access external services, such as DNS, email, syslog, etc.

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.

The template stack should consist of four templates arranged according to the diagram. The template values that will be configured on the firewall if each template has an SSL/TLS Service profile configured named Management will be the values in Chicago. This is because the SSL/TLS Service profile is configured in the Chicago template, which is the highest priority template in the stack. The firewall will inherit the settings from the highest priority template that has the setting configured, and ignore the settings from the lower priority templates that have the same setting configured. Therefore, the values in Datacenter, efwOlab.chi, and Global Settings will not be applied to the firewall. References:

[Manage Templates and Template Stacks]

[Template Stack Configuration]

[Template Stack Priority]

https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-anti-spyware-profile

The Palo Alto Networks Best Practices for Anti-Spyware Profiles recommend enabling single-packet captures (PCAP) for medium, high, and critical severity threats. This allows for capturing the first packet of the malicious traffic for further analysis and investigation. PCAP should not be enabled for low and informational severity threats, as they generate a relatively high volume of traffic and are not particularly useful compared to potential threats2. References: Create the Data Center Best Practice Anti-Spyware Profile, Security Profile: Anti-Spyware, PCNSE Study Guide (page 57)

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management/configure-an-ssltls-service-profile

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

"A "heartbeat-interval" CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping#iddb1a7744-17c6-4900-a2cb-5f3511fef60f

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS

The engineer should review the legal compliance regulations and acceptable usage policies with their leadership before implementing SSL Forward Proxy decryption for their organization. SSL Forward Proxy decryption allows the firewall to decrypt and inspect the traffic from internal users to external servers. This can raise privacy and legal concerns for the users and the organization. Therefore, the engineer should ensure that the leadership is aware of the implications and benefits of SSL Forward Proxy decryption and that they have a clear policy for informing and obtaining consent from the users. Option A is incorrect because browser-supported cipher documentation is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the browser settings. Option B is incorrect because cipher documentation supported by the endpoint operating system is not relevant for SSL Forward Proxy decryption. The firewall uses its own cipher suite to negotiate encryption with the external server, regardless of the endpoint operating system. Option C is incorrect because URL risk-based category distinctions are not relevant for SSL Forward Proxy decryption. The firewall can decrypt and inspect traffic based on any URL category, not just risk-based ones.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/decryption-concepts "Understand local laws and regulations about the traffic you can legally decrypt and user notification requirements."

The cause of the unsecured website warnings is that the forward trust certificate has not been signed by the self-signed root CA certificate. The forward trust certificate is used by the firewall to generate a copy of the server certificate for outbound SSL decryption (SSL Forward Proxy). The firewall signs the copy with the forward trust certificate and presents it to the client. The client then verifies the signature using the public key of the CA that issued the forward trust certificate. If the client does not trust the CA, it will display a warning message. Therefore, the forward trust certificate must be signed by a CA that is trusted by the client. In this case, the administrator has installed the self-signed root CA certificate in all client systems, so this CA should be used to sign the forward trust certificate. However, as shown in the screenshot, the forward trust certificate has a different issuer than the self-signed root CA certificate, which means it has not been signed by it. This causes the client to reject the signature and show a warning message. To fix this issue, the administrator should generate a new forward trust certificate and sign it with the self-signed root CA certificate12. References: Keys and Certificates for Decryption Policies, How to Configure SSL Decryption

https://knowledgebase.paloaltonetworks.com/kCSArticleDetail?id=kA10g000000PMiD

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking

If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business reason or technical limitation for not decrypting them34. Adding the sites to the SSL Decryption Exclusion list will allow the traffic to pass through without being decrypted or blocked by the firewall. References: SSL Decryption Exclusion, Troubleshoot Unsupported Cipher Suites

To determine which sources an engineer can use to gather information about application patterns for creating custom signatures, let’s analyze each option based on PAN-OS 11.0 documentation and typical network troubleshooting practices.

A. Traffic Logs

Why It’s Correct:

Traffic logs in PAN-OS provide details about all traffic flowing through the firewall, including:

Application details.

Source and destination IPs.

Ports used.

This data is essential for identifying patterns, such as specific ports, protocols, or behaviors associated with an application.

How to Use:

Navigate to Monitor > Logs > Traffic in the web interface.

Look for the relevant application traffic and note recurring patterns.

Documentation Reference:

PAN-OS 11.0 Admin Guide, Logging and Reporting Section: Discusses traffic logs as a resource for application and behavior analysis.

B. Data Filtering Logs

Why It’s Incorrect:

Data filtering logs focus on inspecting files, data patterns, or sensitive information such as credit card numbers. These logs are not designed for gathering application-specific traffic patterns.

Documentation Reference:

PAN-OS 11.0 Admin Guide: Details how data filtering logs are used for content inspection, not for creating application signatures.

C. Policy Optimizer

Why It’s Incorrect:

Policy Optimizer helps refine security policies by identifying unused or overly permissive rules. It does not provide information about traffic patterns for applications.

Documentation Reference:

PAN-OS 11.0 Admin Guide, Policy Optimization Section: Focuses on rule management rather than traffic pattern analysis.

D. Wireshark

Why It’s Correct:

Wireshark is a powerful network protocol analyzer that captures and analyzes traffic at a granular level. Engineers can:

Identify application-specific headers or payloads.

Examine protocol behaviors.

Spot unique signatures in application traffic.

How to Use:

Capture traffic flowing to/from the application using a span or mirrored port on the switch or firewall.

Analyze the captured packets for recurring patterns (e.g., specific headers or payload data).

Documentation Reference:

While not directly mentioned in PAN-OS documentation, Wireshark is commonly recommended as a tool for packet analysis in custom application signature creation.

Summary of Correct Choices

Traffic Logs:

Provides a high-level view of application behavior and network patterns.

Wireshark:

Allows deep packet inspection and analysis for identifying unique application behaviors.

PAN-OS 11.0 Study Guide References

PCNSA Study Guide:

Domain 3: Policy Evaluation and Management:

Discusses using traffic logs to refine policies and understand application behavior.

PCNSE Study Guide:

Domain 4: Securing Traffic:

Emphasizes tools like Wireshark for advanced traffic and application analysis.

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf page 83

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.

Virtual Desktop Infrastructure (VDI) and Virtual Machine (VM) environments, such as Citrix XenApp and XenDesktop or VMWare Horizon and Vcenter, support access natively through HTML5. You can RDP, VNC, or SSH to these machines through Clientless VPN without requiring additional third-party middleware. In environments that do not include native support for HTML5 or other web application technologies supported by Clientless VPN, you can use third-party vendors, such as Thinfinity, to RDP through Clientless VPN. Reference: https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/globalprotect-clientless-vpn/supported-technologies

https://networkwiki.blogspot.com/2017/03/palo-alto-networks-clientless-vpn-and.html

The SSL Forward Proxy rule type is designed to control and inspect SSL traffic from internal users to external websites. When an internal user attempts to access an HTTPS site, the Palo Alto Networks firewall, acting as an SSL Forward Proxy, intercepts the SSL request. It then establishes an SSL connection with the requested website on behalf of the user. Simultaneously, the firewall establishes a separate SSL connection with the user. This setup allows the firewall to decrypt and inspect the traffic for threats and compliance with security policies before re-encrypting and forwarding the traffic to its destination.

This process is transparent to the end user and ensures that potentially harmful content delivered over encrypted SSL connections can be identified and blocked. SSL Forward Proxy is a critical component of a comprehensive security strategy, allowing organizations to enforce security policies and protect against threats in encrypted traffic.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems/customize-service-routes-for-a-virtual-system/customize-service-routes-to-services-for-virtual-systems

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/prevent- credential-phishing/set-up-credential-phishing-prevention#idc77030dc-6022-4458-8c50-1dc0fe7cffe4

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/prevent-credential-phishing/set-up-credential-phishing-prevention

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications12. References: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML1. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet2.

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc3. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy4. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc5. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

References: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

To prevent the import from affecting ongoing traffic when you import the configuration of an HA pair into Panorama, you should disable config sync on both firewalls. Config sync is a feature that enables the firewalls in an HA pair to synchronize their configurations and maintain consistency. However, when you import the configuration of an HA pair into Panorama, you want to avoid any changes to the firewall configuration until you verify and commit the imported configuration on Panorama. Therefore, you should disable config sync before importing the configuration, and re-enable it after committing the changes on Panorama12. References: Migrate a Firewall HA Pair to Panorama Management, PCNSE Study Guide (page 50)

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

Schedule content updates so that they download-and-install automatically. Then, set a Threshold that determines the amount of time the firewall waits before installing the latest content. In a security-first network, schedule a six to twelve hour threshold. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/threat-prevention/best-practices-for-content-and-threat-content-updates/best-practices-security-first.html#id184AH00F06E

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-upgrade/software-and-content-updates/best-practices-for-app-and-threat-content-updates/best-practices-security-first

https://live.paloaltonetworks.com/t5/panorama-discussions/panorama-force-template-value-option/td-p/496620 "- Force Template Value will as the name suggest remove any local configuratio and apply the value define the panorama template. But this is valid only for overlapping configuration" "You need to be careful, what is actually defined in the template. For example - if you decide to enable HA in the template, but after that you decide to not push it with template and just disable it again (remove the check from the "Enable HA" checkbox). This still will be part of the template, because now your template is explicitely defining HA disabled. If you made a change in the template, and later decide that you don't want to control this setting with template, you need to revert the config by clicking the green bar next to the changed value"

'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the web-browsing application implicitly.. In our case, we dont know which APP the question referes too but 'Implicitly means already uses HTTP.

IP flood thresholds, you can also use DoS Protection profiles to detect and prevent session exhaustion attacks in which a large number of hosts (bots) establish as many sessions as possible to consume a target’s resources. On the profile’s Resources Protection tab, you can set the maximum number of concurrent sessions that the device(s) defined in the DoS Protection policy rule to which you apply the profile can receive. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-profiles#ida42d52fa-3366-4695-bb4a-d39ebf3b6a5f

Device Group Hierarchy

Shared

DATACENTER_DG

DC_FW_DG

REGIONAL_DG

OFFICE_FW_DG

FW-1_DG

Analysis

Considerations:

FW-1 is assigned to the FW-1_DG device group.

FW-2 is assigned to the OFFICE_FW_DG device group.

There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups.

The address object Server-1 appears in multiple device groups with different IP addresses. The device groups have a hierarchy, which means objects can be inherited from parent groups unless overridden in the child group.

FW-1_DG:

Server-1 has IP 4.4.4.4, which will be pushed to FW-1 because it is in the FW-1_DG device group.

OFFICE_FW_DG (for FW-2):

Since there are no objects in OFFICE_FW_DG and REGIONAL_DG, FW-2 will inherit from Shared.

In the Shared group, Server-1 has IP 1.1.1.1.

The table displays NAT rules configured on the firewall. The key points are:

Source Zone and Destination Zone define the traffic flow.

Source Address and Destination Address specify the IP addresses involved.

Service indicates the type of traffic (e.g., any, ping).

Source Translation and Destination Translation show the translated IP addresses for NAT.

Issue and Resolution Options

The application server at 192.168.197.40 can establish outbound connections but faces issues with inbound connections due to the shared NAT IP 198.51.100.88. The external database server cannot establish a secure connection back to 192.168.197.40.

Options to Resolve the Issue:

Replace the Two NAT Rules with a Single Rule:

Combining both DMZ servers into one NAT rule might simplify configuration but could cause issues in distinguishing inbound traffic for each server.

Pros: Simplifies rule management.

Cons: Might not address the inbound traffic issue properly.

New Public IP Address:

Obtaining a new public IP address for the new server (192.168.197.40) ensures dedicated inbound and outbound NAT.

Pros: Clear separation of traffic, resolves inbound connectivity issues.

Cons: Requires additional public IP.

Separate Source NAT and Destination NAT Rules:

Configuring distinct NAT rules for source and destination addresses without using the bidirectional option.

Pros: Clear and distinct rules for each direction of traffic.

Cons: More complex to manage, might require more firewall resources.

Move the NAT Rule:

Adjusting the order of NAT rules to prioritize the new server’s rule.

Pros: Simple reordering might resolve prioritization conflicts.

Cons: Might not fully resolve the inbound connection issue.

Set the Action to take when matching a packet:

Forward—Directs the packet to the specified Egress Interface.

Forward to VSYS (On a firewall enabled for multiple virtual systems)—Select the virtual system to which to forward the packet.

Discard—Drops the packet.

No PBF—Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/use-the-cli/use-secure-copy-to-import-and-export-files/export-and-import-a-complete-log-database-logdb

To address the question about the Device Telemetry feature in PAN-OS and its compliance with privacy and data storage laws, let’s examine the details thoroughly.

Understanding Device Telemetry in PAN-OS

Device Telemetry is a feature in Palo Alto Networks’ PAN-OS that collects data from the firewall to provide insights for:

Product usage trends.

Threat analysis.

Operational optimizations.

Telemetry may include:

Configuration data.

Threat logs.

Performance metrics.

However, specific aspects of this feature require attention to ensure compliance with local privacy laws.

Explanation of Options

A. Telemetry feature is automatically enabled during PAN-OS installation

Why It Requires Action:

Telemetry may be enabled by default when upgrading or installing PAN-OS. Local privacy laws (e.g., GDPR in Europe, CCPA in California) often require explicit user consent before enabling data collection.

Relevant Action:

Administrators must review and disable telemetry if required or configure it to align with local compliance laws.

References:

PAN-OS 11.0 Admin Guide: Telemetry configuration is detailed under the "Device Telemetry" section.

PCNSA Study Guide (Domain 1: Device Management): Covers the importance of managing device settings, including Telemetry.

B. Telemetry data is uploaded into Strata Logging Service

Why It Does Not Require Immediate Action:

Data sent to the Strata Logging Service is anonymized and typically adheres to Palo Alto Networks' privacy guidelines. Administrators can disable Strata Logging uploads if necessary.

Optional Action:

Ensure the data is anonymized or disable the service if the organization does not agree with external data storage.

References:

PAN-OS 11.0 Admin Guide: Details on Strata Logging and its integration with telemetry.

C. Telemetry feature is using Traffic logs and packet captures to collect data

Why It Requires Action:

If the telemetry feature collects detailed Traffic Logs or Packet Captures, it could include sensitive user data (e.g., IP addresses, URLs). Many privacy laws prohibit sharing this type of identifiable information unless anonymized.

Relevant Action:

Administrators should ensure traffic logs are anonymized or exclude sensitive data fields to meet privacy requirements.

References:

PAN-OS 11.0 Admin Guide: Outlines telemetry data collection and traffic log inclusion.

PNSE Study Guide (Domain 3: Logging and Reporting): Emphasizes securing and managing logs in compliance with privacy standards.

D. Telemetry data is shared in real time with Palo Alto Networks

Why It Does Not Require Immediate Action:

While data is shared in real time, this process is often anonymized and only includes operational and diagnostic data. Administrators can configure or disable real-time sharing if deemed non-compliant.

References:

PAN-OS 11.0 Admin Guide: Covers real-time telemetry sharing configuration.

Key Objectives in PCNSA and PCNSE Study Guides

PCNSA Study Guide:

Domain 1: Device Management:

Emphasizes understanding and configuring administrative functions such as telemetry and privacy settings.

Domain 4: Securing Traffic:

Stresses compliance with local laws when collecting and forwarding logs.

PCNSE Study Guide:

Domain 2: Logging and Reporting:

Highlights secure log collection and forwarding to external services.

Domain 5: Security Operations:

Focuses on privacy and regulatory compliance in operational activities.

Actions to Ensure Compliance

Review Privacy Regulations:

Check local laws like GDPR (Europe) or CCPA (California) to identify restrictions on data collection and sharing.

Disable Default Telemetry:

During installation or upgrade, explicitly review telemetry settings in Device > Setup > Telemetry.

Customize Data Collection:

Use the PAN-OS telemetry interface to include/exclude sensitive data like packet captures or detailed traffic logs.

Educate Administrators:

Ensure staff managing firewalls are familiar with compliance requirements through PCNSA and PCNSE training.

PAN-OS 11.0 Documentation References

Device Telemetry Overview:PAN-OS 11.0 Admin Guide - Device Telemetry

Telemetry Configuration Settings:PAN-OS 11.0 Admin Guide - Telemetry Configuration

Logging and Privacy Compliance:PAN-OS Logging Configuration

For a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain, the most effective method is to use an Authentication policy targeting users not yet identified by the system.

A. an Authentication policy with 'unknown' selected in the Source User field:

An Authentication policy allows the firewall to challenge unidentified users for credentials. By selecting 'unknown' in the Source User field, the policy targets users who have not yet been identified by the firewall, which would include users on new BYOD devices not joined to the domain.

Once the user provides valid credentials, the firewall can authenticate the user and map their identity to subsequent sessions, enabling the application of user-based policy rules and monitoring.

This approach ensures that new and unknown devices can be properly authenticated and identified without compromising security or requiring the device to be part of the corporate domain.

traffic log would list an application as “not-applicable” if the firewall denied the traffic before the application match could be performed. This can happen if the traffic matches a security rule that is set to deny based on any parameter other than the application, such as source, destination, port, service, etc1. In this case, the firewall does not inspect the application data and discards the traffic, resulting in a “not-applicable” entry in the application field of the traffic log1.

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.

Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.

For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

C. The process involves:

Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.

Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

To collect User-ID information from third-party proxies, Palo Alto Networks supports several methods of integrating user information. Syslog parsing allows the firewall to receive syslog messages from external services, parse them, and extract user information. X-Forwarded-For (XFF) headers, which are used in HTTP requests and proxies, can carry the original IP address of a client connecting through a proxy, and this information can be used by the firewall to map the user IDs.

Syslog is commonly used for integrating third-party devices like proxies with User-ID, and XFF headers are specifically mentioned in the context of integrating user mappings from HTTP traffic. Client probing and Server Monitoring are not the correct methods for pulling data from third-party proxies.For further details, refer to the Palo Alto Networks documentation on User-ID integration and the "PAN-OS® Administrator’s Guide".

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.

https://docs.paloaltonetworks.com/wildfire/10-2/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts

Each WildFire cloud—global (U.S.), regional, and private—analyzes samples and generates WildFire verdicts independently of the other WildFire clouds. With the exception of WildFire private cloud verdicts, WildFire verdicts are shared globally, enabling WildFire users to access a worldwide database of threat data. https://docs.paloaltonetworks.com/wildfire/10-1/wildfire-admin/wildfire-overview/wildfire-concepts/verdicts.html