In which two locations can a Best Practice Assessment (BPA) report be generated for review by a customer? (Choose two.)
PANW Partner Portal
Customer Support Portal
AIOps
Strata Cloud Manager (SCM)
Step 1: Understand the Best Practice Assessment (BPA)
Purpose: The BPA assesses NGFW (e.g., PA-Series) and Panorama configurations against best practices, including Center for Internet Security (CIS) Critical Security Controls, to enhance security and feature adoption.
Process: Requires a Tech Support File (TSF) upload or telemetry data from onboarded devices to generate the report.
Evolution: Historically available via the Customer Support Portal, the BPA has transitioned to newer platforms like AIOps and Strata Cloud Manager.
There are no Advanced Threat Prevention log events in a company's SIEM instance. However, the systems administrator has confirmed that the Advanced Threat Prevention subscription is licensed and that threat events are visible in the threat logs on the firewall.
Which action should the systems administrator take next?
Enable the company's Threat Prevention license.
Check with the SIEM vendor to verify that Advanced Threat Prevention logs are reaching the company's SIEM instance.
Have the SIEM vendor troubleshoot its software.
Ensure the Security policy rules that use Advanced Threat Prevention are set for log forwarding to the correct SIEM.
Understanding the Problem:
The issue is that Advanced Threat Prevention (ATP) logs are visible on the firewall but are not being ingested into the company’s SIEM.
This implies that the ATP subscription is working and generating logs on the firewall but the logs are not being forwarded properly to the SIEM.
Action to Resolve:
Log Forwarding Configuration:
Verify that the Security policy rules configured to inspect traffic using Advanced Threat Prevention are set to forward logs to the SIEM instance.
This is a common oversight. Even if the logs are generated locally, they will not be forwarded unless explicitly configured.
Configuration steps to verify in the Palo Alto Networks firewall:
Go to Policies > Security Policies and check the "Log Forwarding" profile applied.
Ensure the "Log Forwarding" profile includes the correct settings to forward Threat Logs to the SIEM.
Go to Device > Log Settings and ensure the firewall is set to forward Threat logs to the desired Syslog or SIEM destination.
Why Not the Other Options?
A (Enable the Threat Prevention license):
The problem does not relate to the license; the administrator already confirmed the license is active.
B (Check with the SIEM vendor):
While verifying SIEM functionality is important, the first step is to ensure the logs are being forwarded correctly from the firewall to the SIEM. This is under the systems administrator’s control.
C (Have the SIEM vendor troubleshoot):
This step should only be taken after confirming the logs are forwarded properly from the firewall.
References from Palo Alto Networks Documentation:
Log Forwarding and Security Policy Configuration
Advanced Threat Prevention Configuration Guide
A systems engineer should create a profile that blocks which category to protect a customer from ransomware URLs by using Advanced URL Filtering?
Ransomware
High Risk
Scanning Activity
Command and Control
When configuring Advanced URL Filtering on a Palo Alto Networks firewall, the "Ransomware" category should be explicitly blocked to protect customers from URLs associated with ransomware activities. Ransomware URLs typically host malicious code or scripts designed to encrypt user data and demand a ransom. By blocking the "Ransomware" category, systems engineers can proactively prevent users from accessing such URLs.
Why "Ransomware" (Correct Answer A)?The "Ransomware" category is specifically curated by Palo Alto Networks to include URLs known to deliver ransomware or support ransomware operations. Blocking this category ensures that any URL categorized as part of this list will be inaccessible to end-users, significantly reducing the risk of ransomware attacks.
Why not "High Risk" (Option B)?While the "High Risk" category includes potentially malicious sites, it is broader and less targeted. It may not always block ransomware-specific URLs. "High Risk" includes a range of websites that are flagged based on factors like bad reputation or hosting malicious content in general. It is less focused than the "Ransomware" category.
Why not "Scanning Activity" (Option C)?The "Scanning Activity" category focuses on URLs used in vulnerability scans, automated probing, or reconnaissance by attackers. Although such activity could be a precursor to ransomware attacks, it does not directly block ransomware URLs.
Why not "Command and Control" (Option D)?The "Command and Control" category is designed to block URLs used by malware or compromised systems to communicate with their operators. While some ransomware may utilize command-and-control (C2) servers, blocking C2 URLs alone does not directly target ransomware URLs themselves.
By using the Advanced URL Filtering profile and blocking the "Ransomware" category, the firewall applies targeted controls to mitigate ransomware-specific threats.
What is used to stop a DNS-based threat?
DNS proxy
Buffer overflow protection
DNS tunneling
DNS sinkholing
DNS-based threats, such as DNS tunneling, phishing, or malware command-and-control (C2) activities, are commonly used by attackers to exfiltrate data or establish malicious communications. Palo Alto Networks firewalls provide several mechanisms to address these threats, and the correct method is DNS sinkholing.
Why "DNS sinkholing" (Correct Answer D)?DNS sinkholing redirects DNS queries for malicious domains to an internal or non-routable IP address, effectively preventing communication with malicious domains. When a user or endpoint tries to connect to a malicious domain, the sinkhole DNS entry ensures the traffic is blocked or routed to a controlled destination.
DNS sinkholing is especially effective for blocking malware trying to contact its C2 server or preventing data exfiltration.
Why not "DNS proxy" (Option A)?A DNS proxy is used to forward DNS queries from endpoints to an upstream DNS server. While it can be part of a network's DNS setup, it does not actively stop DNS-based threats.
Why not "Buffer overflow protection" (Option B)?Buffer overflow protection is a method used to prevent memory-related attacks, such as exploiting software vulnerabilities. It is unrelated to DNS-based threat prevention.
Why not "DNS tunneling" (Option C)?DNS tunneling is itself a type of DNS-based threat where attackers encode malicious traffic within DNS queries and responses. This option refers to the threat itself, not the method to stop it.
Regarding APIs, a customer RFP states: "The vendor’s firewall solution must provide an API with an enforcement mechanism to deactivate API keys after two hours." How should the response address this clause?
Yes - This is the default setting for API keys.
No - The PAN-OS XML API does not support keys.
No - The API keys can be made, but there is no method to deactivate them based on time.
Yes - The default setting must be changed from no limit to 120 minutes.
Palo Alto Networks' PAN-OS supports API keys for authentication when interacting with the firewall’s RESTful and XML-based APIs. By default, API keys do not have an expiration time set, but the expiration time for API keys can be configured by an administrator to meet specific requirements, such as a time-based deactivation after two hours. This is particularly useful for compliance and security purposes, where API keys should not remain active indefinitely.
Here’s an evaluation of the options:
Option A: This is incorrect because the default setting for API keys does not include an expiration time. By default, API keys are valid indefinitely unless explicitly configured otherwise.
Option B: This is incorrect because PAN-OS fully supports API keys. The API keys are integral to managing access to the firewall's APIs and provide a secure method for authentication.
Option C: This is incorrect because PAN-OS does support API key expiration when explicitly configured. While the default is "no expiration," the feature to configure an expiration time (e.g., 2 hours) is available.
Option D (Correct): The correct response to the RFP clause is that the default API key settings need to be modified to set the expiration time to 120 minutes (2 hours). This aligns with the customer requirement to enforce API key deactivation based on time. Administrators can configure this using the PAN-OS management interface or the CLI.
How to Configure API Key Expiration (Steps):
Access the Web Interface or CLI on the firewall.
Navigate to Device > Management > API Key Lifetime Settings (on the GUI).
Set the desired expiration time (e.g., 120 minutes).
Alternatively, use the CLI to configure the API key expiration:
set deviceconfig system api-key-expiry
commit
Verify the configuration using the show command or by testing API calls to ensure the key expires after the set duration.
A systems engineer (SE) is working with a customer that is fully cloud-deployed for all applications. The customer is interested in Palo Alto Networks NGFWs but describes the following challenges:
"Our apps are in AWS and Azure, with whom we have contracts and minimum-revenue guarantees. We would use the built-in firewall on the cloud service providers (CSPs), but the need for centralized policy management to reduce human error is more important."
Which recommendations should the SE make?
Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems.
Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice.
VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license.
VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP’s marketplace of choice to centrally manage the systems.
The customer is seeking centralized policy management to reduce human error while maintaining compliance with their contractual obligations to AWS and Azure. Here's the evaluation of each option:
Option A: Cloud NGFWs at both CSPs; provide the customer a license for a Panorama virtual appliance from their CSP's marketplace of choice to centrally manage the systems
Cloud NGFW is a fully managed Next-Generation Firewall service by Palo Alto Networks, offered in AWS and Azure marketplaces. It integrates natively with the CSP infrastructure, making it a good fit for customers with existing CSP agreements.
Panorama, Palo Alto Networks' centralized management solution, can be deployed as a virtual appliance in the CSP marketplace of choice, enabling centralized policy management across all NGFWs.
This option addresses the customer's need for centralized management while leveraging their existing contracts with AWS and Azure.
This option is appropriate.
Option B: Cloud NGFWs in AWS and VM-Series firewall in Azure; the customer selects a PAYG licensing Panorama deployment in their CSP of choice
This option suggests using Cloud NGFW in AWS but VM-Series firewalls in Azure. While VM-Series is a flexible virtual firewall solution, it may not align with the customer’s stated preference for CSP-managed services like Cloud NGFW.
This option introduces a mix of solutions that could complicate centralized management and reduce operational efficiency.
This option is less appropriate.
Option C: VM-Series firewalls in both CSPs; manually built Panorama in the CSP of choice on a host of either type: Palo Alto Networks provides a license
VM-Series firewalls are well-suited for cloud deployments but require more manual configuration compared to Cloud NGFW.
Building a Panorama instance manually on a host increases operational overhead and does not leverage the customer’s existing CSP marketplaces.
This option is less aligned with the customer's needs.
Option D: VM-Series firewall and CN-Series firewall in both CSPs; provide the customer a private-offer Panorama virtual appliance from their CSP’s marketplace of choice to centrally manage the systems
This option introduces both VM-Series and CN-Series firewalls in both CSPs. While CN-Series firewalls are designed for Kubernetes environments, they may not be relevant if the customer does not specifically require container-level security.
Adding CN-Series firewalls may introduce unnecessary complexity and costs.
This option is not appropriate.
Which two statements clarify the functionality and purchase options for Palo Alto Networks AIOps for NGFW? (Choose two.)
It is offered in two license tiers: a commercial edition and an enterprise edition.
It is offered in two license tiers: a free version and a premium version.
It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process.
It forwards log data to Advanced WildFire to anticipate, prevent, or identify issues, and it uses machine learning (ML) to refine and adapt to the process.
Palo Alto Networks AIOps for NGFW is a cloud-delivered service that leverages telemetry data and machine learning (ML) to provide proactive operational insights, best practice recommendations, and issue prevention.
Why "It is offered in two license tiers: a free version and a premium version" (Correct Answer B)?AIOps for NGFW is available in two tiers:
Free Tier: Provides basic operational insights and best practices at no additional cost.
Premium Tier: Offers advanced capabilities, such as AI-driven forecasts, proactive issue prevention, and enhanced ML-based recommendations.
Why "It uses telemetry data to forecast, preempt, or identify issues, and it uses machine learning (ML) to adjust and enhance the process" (Correct Answer C)?AIOps uses telemetry data from NGFWs to analyze operational trends, forecast potential problems, and recommend solutions before issues arise. ML continuously refines these insights by learning from real-world data, enhancing accuracy and effectiveness over time.
Why not "It is offered in two license tiers: a commercial edition and an enterprise edition" (Option A)?This is incorrect because the licensing model for AIOps is based on "free" and "premium" tiers, not "commercial" and "enterprise" editions.
Why not "It forwards log data to Advanced WildFire to anticipate, prevent, or identify issues, and it uses machine learning (ML) to refine and adapt to the process" (Option D)?AIOps does not rely on Advanced WildFire for its operation. Instead, it uses telemetry data directly from the NGFWs to perform operational and security analysis.
Which two compliance frameworks are included with the Premium version of Strata Cloud Manager (SCM)? (Choose two)
Payment Card Industry (PCI)
National Institute of Standards and Technology (NIST)
Center for Internet Security (CIS)
Health Insurance Portability and Accountability Act (HIPAA)
Step 1: Understanding Strata Cloud Manager (SCM) Premium
Strata Cloud Manager is a unified management interface for Strata NGFWs, Prisma Access, and other Palo Alto Networks solutions. The Premium version (subscription-based) includes advanced features like:
AIOps Premium: Predictive analytics, capacity planning, and compliance reporting.
Compliance Posture Management: Pre-built dashboards and reports for specific regulatory frameworks.
Compliance frameworks in SCM Premium provide visibility into adherence to standards like PCI DSS and NIST, generating actionable insights and audit-ready reports based on firewall configurations, logs, and traffic data.