Anda di halaman 1dari 75

PALO ALTO

NETWORKS
PSE PLATFORM
PRO 8.0
STUDY GUIDE
February 2018
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2018 Palo Alto Networks – all rights reserved.
Aperture, AutoFocus, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other
trademarks are the property of their respective owners.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 2


Welcome to the Palo Alto Networks PSE Platform Pro 8.0 Study Guide. The purpose of this guide is to
help you prepare for your PSE Platform Pro 8.0 exam and achieve your PSE credential. This study guide is
a summary of the key topic areas that you are expected to know to be successful at the exam. It is
organized based on the exam blueprint and key exam objectives.

Overview
This document is the Study Guide for the Palo Alto Networks Systems Engineer: Platform Professional
Certification Exam, abbreviated as PSE: Platform – P. This exam has been refreshed to reflect product
updates, and has increased in scope to encompass the former PSE: Cyber Security subdiscipline, which
has been deprecated.

This new exam is now better focused on the Palo Alto Networks Platform as a whole, and has been
carefully tuned to better evaluate an SE’s pre-sales capability.

Prerequisites
You should complete the following prerequisites before attempting this exam:

 You have passed the Palo Alto Networks Systems Engineer: Platform – Associate Accreditation
Exam, abbreviated as PSE: Platform – A.
 You have completed a year of full-time experience as a Palo Alto Networks SE, either as a Palo
Alto Networks employee SE or as a Partner employee SE.

Exam Format
The test format is 60 multiple-choice items. Native English speakers will have 10 minutes to complete
the Non-Disclosure Agreement (NDA) and 80 minutes to complete the questions. Non-native English
speakers will have 10 minutes for the NDA and 110 minutes to complete the questions.

How to Take This Exam


The exam is available through the third-party Pearson VUE testing platform at
http://www.pearsonvue.com/paloaltonetworks.

To access the PSE Professional exams, partners need to add the Private Access Code:
PSEPROFESSIONAL18

Full instructions can be found at http://go.paloaltonetworks.com/pseaccreditations.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 3


Table of Contents
Overview ....................................................................................................................................................... 3
Prerequisites ................................................................................................................................................. 3
Exam Format ................................................................................................................................................. 3
How to Take This Exam ................................................................................................................................. 3
Positioning: Platform .................................................................................................................................. 11
Identify the Architecture Components That Benefit from WildFire ....................................................... 11
References .......................................................................................................................................... 11
Sample Question ................................................................................................................................. 11
Identify the Impact of the Intelligence Coming from the Threat Intelligence Cloud .............................. 12
References .......................................................................................................................................... 12
Sample Questions ............................................................................................................................... 12
Identify the Sources of Data for the Threat Intelligence Cloud .............................................................. 13
References .......................................................................................................................................... 13
Sample Question ................................................................................................................................. 13
Identify the Core Values of the Palo Alto Networks Security Platform .................................................. 14
References .......................................................................................................................................... 14
Sample Question ................................................................................................................................. 15
Identify the Presale Benefits of the Migration Tool................................................................................ 15
References .......................................................................................................................................... 16
Sample Question ................................................................................................................................. 16
Identify How to Position the Value of a Next-Generation Firewall Over a Legacy Firewall ................... 16
References .......................................................................................................................................... 17
Sample Question ................................................................................................................................. 18
Positioning: Next-Generation Firewall ........................................................................................................ 18
Identify the Protections That the Next-Generation Firewall Uses to Prevent Command-and-Control
Traffic ...................................................................................................................................................... 18
References .......................................................................................................................................... 19
Sample Question ................................................................................................................................. 19
Identify the Reporting Capabilities of the Palo Alto Networks Firewall ................................................. 19
References .......................................................................................................................................... 20
Sample Questions ............................................................................................................................... 20

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 4


Identify the Process of Automated Report Distribution ......................................................................... 20
References .......................................................................................................................................... 20
Sample Question ................................................................................................................................. 20
Identify the Capabilities That Detect IOC ................................................................................................ 21
References .......................................................................................................................................... 21
Sample Question ................................................................................................................................. 21
Positioning: SLR and UTD ............................................................................................................................ 21
Given a Customer Description, Identify the Appropriate Section of an SLR (Security Lifecycle Review)
to Highlight During the Presentation ...................................................................................................... 21
References .......................................................................................................................................... 22
Sample Question ................................................................................................................................. 22
Identify How to Configure an NGFW for Evaluation Purposes ............................................................... 22
References .......................................................................................................................................... 22
Sample Question ................................................................................................................................. 22
Given a Customer Statdump File, Identify How to Generate an SLR Report .......................................... 23
References .......................................................................................................................................... 23
Sample Question ................................................................................................................................. 23
Identify the Characteristics and Best Practices of Ultimate Test Drive (UTD) Seminars ........................ 23
Reference ............................................................................................................................................ 23
Sample Question ................................................................................................................................. 24
Solution Design: Platform ........................................................................................................................... 24
Given a Palo Alto Networks Solution Scenario Including Products, Subscription Licenses, and Support,
Identify the Bill of Materials That Should Be Written ............................................................................. 24
References .......................................................................................................................................... 25
Sample Question ................................................................................................................................. 25
Given a Customer Environment, Identify the NGFW Model That Should Be Used to Secure the
Network .................................................................................................................................................. 25
References .......................................................................................................................................... 25
Sample Question ................................................................................................................................. 26
Given a Customer Environment, Identify How Aperture Should Be Used to Secure the Enterprise ..... 26
References .......................................................................................................................................... 26
Sample Question ................................................................................................................................. 26

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 5


Given a Customer Environment, Identify How Autofocus Should Be Used to Secure the Enterprise ... 27
References .......................................................................................................................................... 27
Sample Question ................................................................................................................................. 27
Given a Customer Environment, Identify How Traps Should Be Used to Secure the Endpoint ............. 28
References .......................................................................................................................................... 28
Sample Question ................................................................................................................................. 28
Given a Customer Environment, Identify How WildFire Should Be Used to Secure the Enterprise ...... 29
References .......................................................................................................................................... 29
Sample Question ................................................................................................................................. 29
Given a Customer Environment, Identify How NGFW, WildFire, and Traps Should Be Used to Secure
the Enterprise ......................................................................................................................................... 30
References .......................................................................................................................................... 30
Sample Question ................................................................................................................................. 31
Identify Which Firewall Models Support vsys and Its Common Uses ..................................................... 31
References .......................................................................................................................................... 32
Sample Question ................................................................................................................................. 32
Solution Design: Panorama ......................................................................................................................... 32
Identify How to Use Device Groups and Templates to Manage a Deployment ..................................... 32
References .......................................................................................................................................... 33
Sample Questions ............................................................................................................................... 33
Identify the Benefits of Panorama for Deploying Palo Alto Networks Products .................................... 34
References .......................................................................................................................................... 34
Sample Question ................................................................................................................................. 34
Given a Customer Scenario, Identify How to Design a Redundant Panorama Deployment .................. 35
References .......................................................................................................................................... 35
Sample Question ................................................................................................................................. 36
Identify how to License a Panorama Deployment .................................................................................. 36
References .......................................................................................................................................... 36
Sample Question ................................................................................................................................. 36
Identify the Differences in Licensing of Panorama as a Hardware Solution vs. as a Software Solution 37
References .......................................................................................................................................... 37
Sample Question ................................................................................................................................. 37

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 6


Solution Designs and NGFW Configuration: Custom .................................................................................. 37
Given Design Requirements, Identify the Recommended Method of High Availability......................... 37
References .......................................................................................................................................... 38
Sample Question ................................................................................................................................. 38
Identify the Functions of a Given HA Port .............................................................................................. 39
References .......................................................................................................................................... 39
Sample Question ................................................................................................................................. 39
Identify Deployment Best Practices for Scheduling Dynamic Updates .................................................. 40
References .......................................................................................................................................... 40
Sample Question ................................................................................................................................. 40
Given a Series of Designs, Choose the Design(s) That Would Require Virtual Systems (vsys) ............... 40
References .......................................................................................................................................... 41
Sample Question ................................................................................................................................. 41
Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum Performance .............. 41
References .......................................................................................................................................... 42
Sample Question ................................................................................................................................. 42
Solution Design: NGFW Configuration: Security ......................................................................................... 43
Identify How to Protect Against Known Commodity Attacks ................................................................. 43
References .......................................................................................................................................... 43
Sample Question ................................................................................................................................. 44
Identify How to Protect Against Unknown Attacks ................................................................................ 44
References .......................................................................................................................................... 44
Sample Question ................................................................................................................................. 45
What Can Be Applied to Prevent Users from Unknowingly Downloading Malicious File Types from the
Internet? ................................................................................................................................................. 45
References .......................................................................................................................................... 46
Sample Question ................................................................................................................................. 46
NGFW Configuration: Visibility ................................................................................................................... 47
Identify Where to Configure User-ID in the UI ....................................................................................... 47
References .......................................................................................................................................... 47
Sample Question ................................................................................................................................. 48
Identify How to Obtain the Parameters to Configure User-ID ............................................................... 48

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 7


References .......................................................................................................................................... 48
Sample Question ................................................................................................................................. 49
Identify the Methods and Order of Precedence That User-ID Uses ....................................................... 49
References .......................................................................................................................................... 49
Sample Question ................................................................................................................................. 50
Identify User-ID Deployment Best Practices ........................................................................................... 50
References .......................................................................................................................................... 51
Sample Question ................................................................................................................................. 51
Identify the Parameters to Configure App-ID ......................................................................................... 51
References .......................................................................................................................................... 51
Learn by Doing .................................................................................................................................... 52
Sample Question ................................................................................................................................. 52
Identify App-ID Deployment Best Practices ............................................................................................ 52
References .......................................................................................................................................... 53
Sample Question ................................................................................................................................. 53
Solution Design: NGFW Configuration: Decryption .................................................................................... 54
Identify the Differences in Decryption Configuration Between Forward Proxy, Inbound Proxy, and SSH
Proxy ....................................................................................................................................................... 54
References .......................................................................................................................................... 55
Sample Question ................................................................................................................................. 55
Identify How to Overcome Privacy and Legal Objections to Decryption................................................ 55
References .......................................................................................................................................... 56
Sample Question ................................................................................................................................. 56
Identify the Different Types of Certificates Used in the SSL Decryption Process ................................... 56
References .......................................................................................................................................... 57
Sample Question ................................................................................................................................. 58
Sample Test ................................................................................................................................................. 59
Answers to Sample Questions .................................................................................................................... 64
Answers for Positioning: Platform .......................................................................................................... 64
Answer for Identify the Architecture Components that Benefit from WildFire ................................. 64
Answers for Identify the Impact of the Intelligence Coming from the Threat Intelligence Cloud ..... 64
Answer for Identify the Sources of Data for the Threat Intelligence Cloud ....................................... 64

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 8


Answer for Identify the Core Values of the Palo Alto Networks Security Platform ........................... 64
Answer for Identify the Presale Benefits of the Migration Tool ......................................................... 64
Answers for Identify How to Position the Value of a Next-Generation Firewall Over a Legacy Firewall
............................................................................................................................................................ 64
Answers for Positioning: Next-Generation Firewall................................................................................ 64
Answers for Identify the Protections That the Next-Generation Firewall Uses to Prevent Command-
and-Control Traffic .............................................................................................................................. 64
Answers for Identify the Reporting Capabilities of the Palo Alto Networks Firewall ......................... 64
Answers for Identify the Process of Automated Report Distribution ................................................. 64
Answer for Identify the Capabilities That Detect IOC ......................................................................... 64
Answers for Positioning: SLR and UTD .................................................................................................... 65
Answer for Given a Customer Description, Identify the Appropriate Section of an SLR (Security
Lifecycle Review) to Highlight During the Presentation ..................................................................... 65
Answer for Identify How to Configure an NGFW for Evaluation Purposes ........................................ 65
Answer for Given a Customer Statdump File, Identify How to Generate an SLR Report ................... 65
Answers for Identify the Characteristics and Best Practices of Ultimate Test Drive (UTD) Seminars 65
Answers for Solution Design: Platform ................................................................................................... 65
Answer for Given a Palo Alto Networks Solution Scenario Including Products, Subscription Licenses,
and Support, Identify the Bill of Materials That Should Be Written ................................................... 65
Answer for Given a Customer Environment, Identify the NGFW Model That Should Be Used to
Secure the Network ............................................................................................................................ 65
Answer for Given a Customer Environment, Identify How Aperture Should Be Used to Secure the
Enterprise ............................................................................................................................................ 65
Answer for Given a Customer Environment, Identify How Autofocus Should Be Used to Secure the
Enterprise ............................................................................................................................................ 65
Answer for Given a Customer Environment, Identify How Traps Should Be Used to Secure the
Endpoint .............................................................................................................................................. 65
Answer for Given a Customer Environment, Identify How WildFire Should Be Used to Secure the
Enterprise ............................................................................................................................................ 65
Answer for Given a Customer Environment, Identify How NGFW, WildFire, and Traps Should Be
Used to Secure the Enterprise ............................................................................................................ 65
Answer for Identify Which Firewall Models Support vsys and Its Common Uses .............................. 66
Answers for Solution Design: Panorama................................................................................................. 66
Answers for Identify How to Use Device Groups and Templates to Manage a Deployment ............. 66

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 9


Answer for Identify the Benefits of Panorama for Deploying Palo Alto Networks Products ............. 66
Answer for Given a Customer Scenario, Identify How to Design a Redundant Panorama Deployment
............................................................................................................................................................ 66
Answer for Identify how to License a Panorama Deployment ........................................................... 66
Answer for Identify the Differences in Licensing of Panorama as a Hardware Solution vs. as a
Software Solution................................................................................................................................ 66
Answers for Solution Designs and NGFW Configuration: Custom .......................................................... 66
Answer for Given Design Requirements, Identify the Recommended Method of High Availability .. 66
Answer for Identify the Functions of a Given HA Port ........................................................................ 66
Answers for Identify Deployment Best Practices for Scheduling Dynamic Updates .......................... 66
Answer for Given a Series of Designs, Choose the Design(s) That Would Require Virtual Systems
(vsys) ................................................................................................................................................... 66
Answer for Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum
Performance ....................................................................................................................................... 66
Answers for Solution Design: NGFW Configuration: Security................................................................. 67
Answer for Identify How to Protect Against Known Commodity Attacks .......................................... 67
Answer for Identify How to Protect Against Unknown Attacks.......................................................... 67
Answers for What Can Be Applied to Prevent Users from Unknowingly Downloading Malicious File
Types from the Internet? .................................................................................................................... 67
Answers for Solution Design: NGFW Configuration: Visibility ................................................................ 67
Answer for Identify Where to Configure User-ID in the UI ................................................................. 67
Answer for Identify How to Obtain the Parameters to Configure User-ID ......................................... 67
Answer for Identify the Methods and Order of Precedence That User-ID Uses ................................ 67
Answer for Identify User-ID Deployment Best Practices .................................................................... 67
Answers for Identify the Parameters to Configure App-ID ................................................................. 67
Answer for Identify App-ID Deployment Best Practices ..................................................................... 67
Answers for Solution Design: NGFW Configuration: Decryption ............................................................ 67
Answer for Identify the Differences in Decryption Configuration Between Forward Proxy, Inbound
Proxy, and SSH Proxy .......................................................................................................................... 67
Answer for Identify How to Overcome Privacy and Legal Objections to Decryption ......................... 67
Answer for Identify the Different Types of Certificates Used in the SSL Decryption Process ............ 67
Answers for the Sample Test .................................................................................................................. 68
Glossary ....................................................................................................................................................... 69

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 10


Continuing Your Learning Journey with Palo Alto Networks ...................................................................... 75
E-Learning ............................................................................................................................................... 75
Instructor-Led Training ........................................................................................................................... 75
Learning Through the Community .......................................................................................................... 75

Positioning: Platform

Identify the Architecture Components That Benefit from WildFire


WildFire inspects millions of samples daily from its global network of customers and threat intelligence
partners, looking for new forms of previously unknown malware, exploits, malicious domains, and
outbound command-and-control (C2) activity. WildFire matches any forwarded samples against its
database of known files and designates never-before-seen items for further investigation, which covers
static and dynamic analysis against multiple operating systems and application versions.

References
 At a Glance: WildFire
https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/at-a-glance-
wildfire.pdf
 Log in to WildFire (https://wildfire.paloaltonetworks.com/wildfire) and then click Upload
Sample and Account. Both pages contain relevant information.

Sample Question
1. Which file type is not supported by WildFire?
A. iOS applications

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 11


B. Android applications
C. Windows applications
D. Microsoft Excel files

Answers under the heading “Answer for Identify the Architecture Components that Benefit from
WildFire.”

Identify the Impact of the Intelligence Coming from the Threat Intelligence
Cloud
The firewall forwards unknown samples for WildFire analysis based on the configured WildFire Analysis
Profile settings. It detects links included in emails, files that are attached to emails, and browser‐based
file downloads, and also leverages the Palo Alto Networks App‐ID feature to detect file transfers within
applications. For samples that the firewall detects, the firewall checks the sample hash against WildFire
signatures to determine if WildFire has previously analyzed the sample. A sample that is identified as
malware is blocked. If the sample remains unknown after it is compared against existing WildFire
signatures, the firewall forwards the sample for WildFire analysis.

References
 WildFire 8.0 Administrator’s Guide:
• WildFire Concepts
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-concepts
• WildFire Subscription
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-subscription
• Firewall File Forwarding Capacity by Model
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/submit-files-for-
wildfire-analysis/firewall-file-forwarding-capacity-by-model
 PAN-OS® 8.0 Administrator’s Guide:
• Install Content and Software Updates
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-
started/install-content-and-software-updates

Sample Questions
1. Can you get WildFire functionality without an internet connection?
A. no
B. yes, using a WF-400 appliance
C. yes, using a WF-500 appliance

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 12


D. yes, using a WF-600 appliance

2. Which firewall has the highest file forwarding capacity?


A. VM-100
B. PA-200
C. PA-5200 Series
D. PA-7000 Series

The answers are under the heading “Answers for Identify the Impact of the Intelligence Coming
from the Threat Intelligence Cloud.”

Identify the Sources of Data for the Threat Intelligence Cloud


Every WildFire customer benefits from the collective security intelligence gathered from all customers. If
one customer encounters a previously unknown threat, WildFire can help protect hundreds of other
organizations or millions of endpoints from that threat.

References
Documentation about WildFire integration with third-party products follows:

 Airwatch:
https://my.airwatch.com/help/9.1/en/Content/Expert_Guides/App_Scan_Integration/WildFire/
C/Overview_Intro.htm
 ForeScout: https://www.forescout.com/forescout-integration-palo-alto-networks-wildfire-
combats-advanced-threats/
 Proofpoint: https://www.proofpoint.com/us/proofpoint-and-palo-alto-networks-partner-
integrate-automated-threat-protection
 Tanium: https://docs.tanium.com/connect/connect/paloalto.html
 Tripwire: http://www.tripwire.com/solutions/integrations/palo-alto/
 Trusteer: http://www.trusteer.com/sites/default/files/PANIntegration.pdf

Sample Question
1. Which information does Tanium get from WildFire?
A. none; it provides information to WildFire

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 13


B. indicators of compromise (IOCs)
C. hashes of malware for EXE and MSI files
D. hashes of malware, for APK files

The answer is under the heading “Answer for Identify the Sources of Data for the Threat
Intelligence Cloud.”

Identify the Core Values of the Palo Alto Networks Security Platform
The Palo Alto Networks next-generation security platform has four major features that enable the
prevention of successful cyberattacks:

1. Natively integrated technologies that leverage a single-pass prevention architecture to exert


positive control based on applications, users, and content to reduce the organizational attack
surface; that support open communication, orchestration, and visibility; and that enable
consistent security posture from the network, to the cloud, to the endpoint
2. Automated creation and delivery of protection mechanisms against new threats to network,
cloud, and endpoint environments
3. Extensibility and flexibility that allows for protection of customers as they expand, move off
their physical network, or adopt new technologies
4. Threat intelligence sharing that provides protection by taking advantage of the network effect
(information about threats identified at a customer site is propagated to all other customers).

References
 WildFire 8.0 Administrator’s Guide:
• WildFire Concepts
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-concepts
 PAN-OS® 8.0 Administrator’s Guide:

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 14


• Segment Your Network Using Interfaces and Zones
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-
started/segment-your-network-using-interfaces-and-zones
 GlobalProtect 8.0 Administrator’s Guide:
• What Features Does GlobalProtect Support?
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-
guide/globalprotect-overview/what-features-does-globalprotect-support
 Traps Administrator’s Guide:
• About Traps https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-
admin-guide/traps-overview/about-traps
• Malware Protection
https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-admin-
guide/malware-protection.html
• Exploit Protection
https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-admin-
guide/exploit-protection.html

Sample Question
1. Which attack is the Palo Alto Networks security platform unable to stop?
A. Attacks that do not cross the firewall from a Linux server to a desktop client
B. Attacks that do not cross the firewall from a desktop client to a Linux server
C. Attacks that do not cross the firewall, regardless of source or destination
D. Interzone attacks, regardless of source or destination
E. Intrazone attacks, regardless of source or destination

The answer is under the heading “Answer for Identify the Core Values of the Palo Alto Networks
Security Platform.”

Identify the Presale Benefits of the Migration Tool


The Palo Alto Networks Migration Tool enables you to analyze an existing environment, convert existing
security policies to Palo Alto Networks next-generation firewalls, and assist with the transition from
proof-of-concept to production.

Primary functions of the Palo Alto Networks Migration Tool are as follows:

 Third-party migration
 Adoption of App-ID
 Optimization
 Consolidation
 Centralized management with Panorama
 Auto-zoning
 Customized response pages

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 15


Palo Alto Networks provides a combination of tools, expertise, and best practices to help you analyze an
existing environment, migrate policies and firewall settings to the next-generation firewall, and assist in
all phases of the transition.

References
 Migration tool datasheet
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/migration-tool

Sample Question
1. Which is not a feature of the migration tool?
A. policy migration
B. auto-zoning
C. adoption of App-ID
D. adoption of User-ID

The answer is under the heading “Answer for Identify the Presale Benefits of the Migration
Tool.”

Identify How to Position the Value of a Next-Generation Firewall Over a Legacy


Firewall
Legacy firewalls and unified threat management (UTM) solutions cannot enable the next generation of
applications, users, and infrastructures because they classify traffic based only on ports and protocols.
For example, traditional products identify most of your web traffic as simply HTTP coming through port
80, with no information about the specific applications associated with that port and protocol. But this
problem is not limited to port 80.

These applications increasingly are using encrypted SSL tunnels on port 443. They use clever evasive
tactics to disguise themselves or use port-hopping to find any entry point through your firewall. Legacy
firewalls and UTMs cannot safely enable these applications. At best, they can attempt to prevent the

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 16


application from entering the network, which stifles your business and restricts you from benefitting
from innovation.

Palo Alto Networks next-generation firewalls enables control of applications and content (by user, not
just IP address) at up to 20Gbps with no performance degradation. The App-ID technology enables
applications – regardless of port, protocol, evasive tactic, or SSL encryption. It scans content to stop
targeted threats and prevent data leakage. You can safely enable the use of applications, maintain
complete visibility and control.

References
 WildFire 8.0 Administrator’s Guide:
• WildFire Concepts
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-concepts
 PAN-OS® 8.0 Administrator’s Guide:
• Segment Your Network Using Interfaces and Zones
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-
started/segment-your-network-using-interfaces-and-zones
 GlobalProtect 8.0 Administrator’s Guide:
• What Features Does GlobalProtect Support?
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-
guide/globalprotect-overview/what-features-does-globalprotect-support
 Traps 4.0 Administrator’s Guide:

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 17


• About Traps https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-
admin-guide/traps-overview/about-traps

Sample Question
1. Which Palo Alto Networks product directly protects corporate laptops when people use them
from home?
A. next-generation firewall
B. Traps
C. Panorama
D. WildFire

The answer is under the heading “Answers for Identify How to Position the Value of a Next-
Generation Firewall Over a Legacy Firewall.”

Positioning: Next-Generation Firewall


Identify the Protections That the Next-Generation Firewall Uses to Prevent
Command-and-Control Traffic
We know that there’s no perfect solution to prevent all threats from entering your network, which is
why we also focus on preventing multistage attacks, secondary downloads, and data from leaving
through attacker-controlled communication channels via command and control (C2).

We use content-based protections to stop attacks at the C2 stage, thus preventing attackers from
controlling infected endpoints, spreading laterally within your organization, and accomplishing their
objectives.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 18


References
 Command and Control https://www.paloaltonetworks.com/features/command-control
 PAN-OS® 8.0 Administrator’s Guide:
• Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-
prevention/set-up-antivirus-anti-spyware-and-vulnerability-protection
• DNS Sinkholing https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/threat-prevention/use-dns-queries-to-identify-infected-hosts-on-the-network/dns-
sinkholing
• URL Filtering Overview https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/url-filtering/url-filtering-overview

Sample Question
1. Which two profile types can block a C2 channel? (Choose two.)
A. Anti-Spyware Profile
B. Certification Profile
C. Command and Control Profile
D. Decryption Profile
E. URL Filtering Profile

The answer is under the heading “Answers for Identify the Protections That the Next-Generation
Firewall Uses to Prevent Command-and-Control Traffic.”

Identify the Reporting Capabilities of the Palo Alto Networks Firewall


The reporting capabilities on the firewall enable customers monitor their network, validate policies, and
focus their efforts on maintaining network security for keeping users safe and productive.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 19


References
 PAN-OS® 8.0 Administrator’s Guide:
• Custom Reports https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/monitoring/view-and-manage-reports/custom-reports

Sample Questions
1. The customer wants a monthly report of the number of connections (of a particular application)
per day. Where do you specify that the report is by days?
A. Query Builder
B. Group By field
C. Order By field
D. Time Frame field

2. The customer wants the report to be in chronological order. Where is this setting specified?
A. Query Builder
B. Group By field
C. Order By field
D. Time Frame field

The answers are under the heading “Answers for Identify the Reporting Capabilities of the Palo
Alto Networks Firewall.”

Identify the Process of Automated Report Distribution


The firewall provides an assortment of more than 40 predefined reports that it generates every day. You
can view these reports directly on the firewall. You also can view custom reports and summary reports.
Reports can be scheduled for daily delivery or delivered weekly on a specified day. Scheduled reports
are executed starting at 2 a.m., and email delivery starts after all scheduled reports have been
generated.

References
 PAN-OS® 8.0 Administrator’s Guide:
• View Reports https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/monitoring/view-and-manage-reports/view-reports
• Manage Report Groups https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/monitoring/view-and-manage-reports/manage-report-groups
• Schedule Reports for Email Delivery
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/monitoring/view-
and-manage-reports/schedule-reports-for-email-delivery

Sample Question
1. In which two ways can you receive regularly scheduled reports? (Choose two.)
A. Retrieve the reports from the Palo Alto Networks web-based user interface
B. Upload the report to a document repository using FTP
C. Configure automatic email delivery for regularly scheduled reports

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 20


D. Configure automatic printing to the office printer
E. Upload the report to the domain’s document repository using a shared drive

The answer is under the heading “Answer for Identify the Process of Automated Report
Distribution.”

Identify the Capabilities That Detect IOC


The botnet report enables you to use heuristic and behavior‐based mechanisms to identify potential
malware‐ or botnet‐infected hosts in your network. To evaluate botnet activity and infected hosts, the
firewall correlates user and network activity data in Threat, URL, and Data Filtering logs with the list of
malware URLs in PAN‐DB; known dynamic DNS domain providers; and domains registered within the last
30 days. You can configure the report to identify hosts that visited those sites and hosts that
communicated with Internet Relay Chat (IRC) servers or that used unknown applications. Malware often
uses dynamic DNS to avoid IP blacklisting, and IRC servers often use bots for automated functions.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Generate Botnet Reports https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/monitoring/view-and-manage-reports/generate-botnet-reports

Sample Question
1. To disguise the C2 channel, the author of Vicious Worm (a new malware) buys five new domain
names each week and uses those domains for C2. How does that practice affect the botnet
report?
A. It helps disguise the malware.
B. It fails to disguise the malware because access to new domains (registered in the last
week) is counted as suspicious.
C. It fails to disguise the malware because access to new domains (registered in the last 30
days) is counted as suspicious.
D. It fails to disguise the malware because access to new domains (registered in the last 60
days) is counted as suspicious.

The answer is under the heading “Answer for Identify the Capabilities That Detect IOC.”

Positioning: SLR and UTD

Given a Customer Description, Identify the Appropriate Section of an SLR


(Security Lifecycle Review) to Highlight During the Presentation
Our Security Lifecycle Review (SLR) examines your network traffic and then generates a comprehensive
report unique to your organization. You’ll discover the applications and threats exposing vulnerabilities
in your security’s posture.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 21


References
 Security Lifecycle Review Quick Start Guide: https://intranet.paloaltonetworks.com/docs/DOC-
15462
 Executive Security Lifecycle Review Quick Start Guide for Partners:
https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/nextwave/85132/execu
tive-slr-partners-quickstartguide.pdf

Sample Question
1. A company allows employees some personal use of the internet during work time. However, the
CEO is afraid that employees are using too much of the bandwidth for YouTube, thus causing a
performance problem. Which section of the SLR could confirm or allay this fear?
A. High-Risk Applications
B. Bandwidth Consumed by Applications
C. Categories Consuming the Most Bandwidth
D. Categories with the Most Applications

The answer is under the heading “Answer for Given a Customer Description, Identify the
Appropriate Section of an SLR (Security Lifecycle Review) to Highlight During the Presentation.”

Identify How to Configure an NGFW for Evaluation Purposes


To configure an NGFW for evaluation purposes, typically you put an interface in Tap mode and connect
it to the SPAN port of a centrally located switch. You then collect at least a week of traffic statistics and
get the statistics using statdump.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Tap Interfaces https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/networking/configure-interfaces/tap-interfaces
 https://live.paloaltonetworks.com/t5/Management-Articles/Changing-the-Time-Frame-for-a-
Report-Stats-Dump/ta-p/59208

Sample Question
1. Which interface mode do you use to generate the statdump file that can be converted into an
SLR? Assume that you want to make the evaluation as non-intrusive as possible.
A. Tap
B. Virtual Wire
C. L2
D. L3

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 22


The answer is under the heading “Answer for Answer for Identify How to Configure an NGFW for
Evaluation Purposes.”

Given a Customer Statdump File, Identify How to Generate an SLR Report


You upload the statdump file to a Palo Alto Networks partner website to generate an SLR report.

References
 Security Lifecycle Review Quick Start Guide https://intranet.paloaltonetworks.com/docs/DOC-
15462
 Security Lifecycle Review Quick Start Guide for Partners
https://www.paloaltonetworks.com/content/dam/pan/en_US/partners/nextwave/85132/execu
tive-slr-partners-quickstartguide.pdf
 PSE Platform Associate docs (Student Manual > Examining Customer Data, p. 356 in the current
version)

Sample Question
1. Which tool do you use to convert a statdump file to an SLR report?
A. Palo Alto Networks public website
B. Palo Alto Networks partner-only website
C. The generate_slr.py script, available for download from the Palo Alto Networks public
website
D. The generate_slr.py script, available for download from the Palo Alto Networks partner-
only website

The answer is under the heading “Answer for Given a Customer Statdump File, Identify How to
Generate an SLR Report.”

Identify the Characteristics and Best Practices of Ultimate Test Drive (UTD)
Seminars
The Palo Alto Networks Ultimate Test Drive program is designed to provide you with a guided hands-on
experience of Palo Alto Networks’ products. There are multiple test drives you can offer to prospective
customers:

 Next-Generation Firewall
 Threat Prevention
 Virtualized Data Center
 Migration Process
 Advanced Endpoint Protection
 VM-Series for Amazon Web Services (AWS)

Reference
 https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/ultimate-test-drive-brochure

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 23


Sample Question
1. Which two elements of the NGFW does the NGFW UTD show potential customers? (Choose
two.)
A. how to set up NGFW for the first time
B. how to modify the Security policy
C. how to view log entries and reports
D. how to migrate from a different firewall to NGFW
E. how to integrate with the Advanced Endpoint Protection

The answer is under the heading “Answer for Identify the Characteristics and Best Practices of
Ultimate Test Drive (UTD) Seminars.”

Solution Design: Platform

Given a Palo Alto Networks Solution Scenario Including Products, Subscription


Licenses, and Support, Identify the Bill of Materials That Should Be Written
Congratulations! The customer is convinced of the value of the Palo Alto Networks solution you
demonstrated. Now they are starting to ask about prices, how it would fit in the data center, etc.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 24


References
 PA-7000 Series
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/pa-7000-series
 PA-5200 Series
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/pa-5200-series-specsheet
 PA-3000 Series
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/pa-3000-series-specsheet

Sample Question
1. Which firewall appliances can you order with either an AC power supply or a DC power supply?
A. PA-7000 Series
B. PA-5200 Series and PA-7000 Series
C. PA-3000 Series, PA-5200 Series, and PA-7000 Series
D. All Palo Alto Networks appliances can be ordered with either an AC power supply or a
DC power supply

The answer is under the heading “Answer for Given a Palo Alto Networks Solution Scenario
Including Products, Subscription Licenses, and Support, Identify the Bill of Materials That Should
Be Written.”

Given a Customer Environment, Identify the NGFW Model That Should Be Used
to Secure the Network
If you select a model that is too weak, performance will suffer and the customer will return the firewall.
If you select a model that is too strong, it will also be too expensive. You must select the correct model
for the circumstances.

References
 Compare Firewalls https://www.paloaltonetworks.com/products/product-selection

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 25


Sample Question
1. A potential customer has many satellite offices, each of which is connected to the internet using
a 250Mbps link. The customer requirements include threat prevention for all the traffic. Which
model should be deployed in those offices to fulfill these requirements, assuming a reduction in
network capacity is unacceptable and cost is a concern?
A. PA-100
B. PA-500
C. PA-2020
D. PA-3020

The answer is under the heading “Answer for Given a Customer Environment, Identify the
NGFW Model That Should Be Used to Secure the Network.”

Given a Customer Environment, Identify How Aperture Should Be Used to


Secure the Enterprise
The use of SaaS (software-as-a-service) applications is creating new risks and gaps in security visibility
for malware propagation, data leakage, and regulatory non-compliance. Aperture delivers complete
visibility and granular enforcement across all user, folder and file activity within sanctioned SaaS
applications, thus providing detailed analysis and analytics about use without requiring any additional
hardware, software, or network changes.

References
 At a Glance Aperture
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/aperture-at-glance

Sample Question
1. An enterprise needs to use web storage to collaborate with business partners. Which step is
required to ensure that web storage is not used to exfiltrate sensitive data from the enterprise?

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 26


A. Disconnect from the internet
B. Configure a local shared drive and use that instead of web storage
C. Install Advanced Endpoint Protection
D. Use the firewall to forbid uploads to other web storage instances

The answer is under the heading “Answer for Given a Customer Environment, Identify How
Aperture Should Be Used to Secure the Enterprise.”

Given a Customer Environment, Identify How Autofocus Should Be Used to


Secure the Enterprise
AutoFocus, a Palo Alto Networks® threat intelligence service, accelerates analysis and response efforts
for the most damaging, unique, and targeted attacks. The hosted security service is natively integrated
with the Palo Alto Networks next-generation security platform, thus extending your threat analysis and
hunting capabilities without additional IT security resources. AutoFocus provides the visibility and threat
context required to respond more quickly to critical attacks.

References
 At a Glance: Autofocus
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/autofocus-at-a-glance

Sample Question
1. Which is not something AutoFocus can do?
A. Distinguish between attacks that attempt to exfiltrate data (violate confidentiality) and
attacks that attempt to modify it (violate integrity)
B. Display the processes started by specific malware
C. Display the network connections used by specific malware
D. Distinguish between commodity attacks and advanced persistent threats (APTs) directed
against the customer’s organization or industry

The answer is under the heading “Answer for Given a Customer Environment, Identify How
Autofocus Should Be Used to Secure the Enterprise.”

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 27


Given a Customer Environment, Identify How Traps Should Be Used to Secure
the Endpoint
The Traps solution, which comprises a central Endpoint Security Manager (an ESM Server, ESM Console,
and database) and the Traps agent protection software installed on each endpoint, takes a more
effective and efficient approach to preventing attacks. Rather than try to keep up with the ever-growing
list of known threats, Traps sets up a series of roadblocks that prevent the attacks at their initial entry
points: That point where legitimate executable files are about to unknowingly allow malicious access to
the system.

Traps targets software vulnerabilities in processes that open non-executable files using exploit
prevention techniques. Traps also uses malware prevention techniques to prevent malicious executable
files from running. The Traps solution uses this two-fold approach to prevent all types of attacks,
whether they are known or unknown threats.

References
 Traps Administrator’s Guide:
• About Traps https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-
admin-guide/traps-overview/about-traps

Sample Question
1. Should Advanced Endpoint Management be installed on desktop PCs that stay behind the
corporate firewall?
A. There is no reason to install Advanced Endpoint Management on those desktop PCs
they are protected by the firewall.
B. Yes, because sometimes people take those desktops home to work over the weekend
C. Yes, because there might be a network connection that bypasses the firewall
D. Yes, because malware and exploit files might be able to traverse the network until it
they are identified by WildFire, and there are file propagation methods that bypass the
firewall, such as USB drives.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 28


The answer is under the heading “Answer for Given a Customer Environment, Identify How
Traps Should Be Used to Secure the Endpoint.”

Given a Customer Environment, Identify How WildFire Should Be Used to


Secure the Enterprise
The Palo Alto Networks WildFire engine exposes zero-day and targeted malware through direct
observation in a virtual environment within the WildFire system. The WildFire feature also makes
extensive use of the Palo Alto Networks App-ID technology by identifying file transfers within all
applications, not just email attachments or browser-based file downloads.

References
 WildFire 8.0 Administrator’s Guide:
• WildFire Deployments
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-deployments

Sample Question
1. The R&D network of the defense contractor is not connected to the internet. However, it is
connected to SIPRNet https://en.wikipedia.org/wiki/SIPRNet, which is used to transfer classified

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 29


information. The contractor is afraid of getting malware files and infected PDFs through that
network. Can they use WildFire for protection?
A. No, because there is no network path to the WildFire server
B. No, but no protection is needed because everybody with SIPRnet access has a security
clearance and is trustworthy.
C. Yes, but only if they can get approval to have a gateway to the public internet.
D. Yes. They can use a WF-500 appliance.

The answer is under the heading “Answer for Given a Customer Environment, Identify How
WildFire Should Be Used to Secure the Enterprise.”

Given a Customer Environment, Identify How NGFW, WildFire, and Traps


Should Be Used to Secure the Enterprise
To get optimal security, you must use a next-generation firewall, WildFire, and Traps.

References
 Firewall Overview
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/datasheets/firewall-feature-overview-datasheet)
 Traps Administrator’s Guide:
• About Traps https://www.paloaltonetworks.com/documentation/40/endpoint/endpoint-
admin-guide/traps-overview/about-traps
 WildFire 8.0 Administrator’s Guide:
• WildFire Concepts
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-concepts

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 30


 Palo Alto Networks Expands the Preventive Strengths of Its Traps Advanced Endpoint Protection
Offering https://www.paloaltonetworks.com/company/press/2017/palo-alto-networks-
expands-the-preventive-strengths-of-its-traps-advanced-endpoint-protection-offering
 Prevent Patient Zero: A Closer Look at Traps 3.2
http://researchcenter.paloaltonetworks.com/2015/04/prevent-patient-zero-with-advanced-
endpoint-protection-3-2/

Sample Question
1. A company has no internal network and only a few people work from home and use public SaaS
services (such as Google Docs). Is there any component of the Palo Alto Networks security
platform that is not needed, and, if so, which one is it?
A. WildFire
B. Traps
C. NGFW
D. All the components are needed

The answer is under the heading “Answer for Given a Customer Environment, Identify How
NGFW, WildFire, and Traps Should Be Used to Secure the Enterprise.”

Identify Which Firewall Models Support vsys and Its Common Uses
Virtual systems provide the same basic functions as a physical firewall, along with additional benefits:

 Segmented administration: Different organizations (or customers or business units) can control
(and monitor) a separate firewall instance so that they have control over their own traffic
without interfering with the traffic or policies of another firewall instance on the same physical
device.
 Scalability: After the physical firewall is configured, addition or removal of customers or
business units can be done efficiently. An ISP, managed security service provider, or enterprise
can provide different security services to each customer.
 Reduced capital and operational expenses: Virtual systems eliminate the need to have multiple
physical firewalls at one location because virtual systems co-exist on one firewall. Because the
organization does not have to purchase multiple firewalls, it can save on the hardware expense,
electric bills, and rack space, and can reduce maintenance and management expenses.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 31


References
 PAN-OS® 8.0 Administrator’s Guide:
• Virtual Systems Overview https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/virtual-systems/virtual-systems-overview
• Virtual System Components and Segmentation
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/virtual-
systems/virtual-systems-overview
• Use Case for Virtual Systems https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/virtual-systems/virtual-systems-overview
• Platform Support and Licensing for Virtual Systems
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/virtual-
systems/virtual-systems-overview

Sample Question
1. Which is the least costly Palo Alto Networks series that supports vsys (virtual systems)?
A. PA-220
B. PA-500
C. PA-3000
D. PA-5200
E. PA-7000

The answer is under the heading “Answer for Identify Which Firewall Models Support vsys and
Its Common Uses.”

Solution Design: Panorama

Identify How to Use Device Groups and Templates to Manage a Deployment


To use Panorama effectively, you must group the firewalls in your network into logical units called
device groups. A device group enables grouping based on network segmentation, geographic location,

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 32


organizational function, or any other common aspect of firewalls that requires similar policy
configurations. You can use device groups to configure policy rules and the objects they reference. You
can organize device group hierarchically, with shared rules and objects at the top, and device group-
specific rules and objects at subsequent levels, which enables you to create a hierarchy of rules that
enforce how firewalls handle traffic.

You use templates to configure the settings that enable firewalls to operate on the network. Templates
enable you to define a common base configuration using the Network and Device tabs on Panorama. For
example, you can use templates to manage interface and zone configurations, server profiles for logging
and syslog access, and network profiles for controlling access to zones and IKE gateways. When you
define a template, consider assigning firewalls that are the same hardware model and require access to
similar network resources, such as gateways and syslog servers.

References
 Panorama 8.0 Administrator’s Guide:
• Templates and Template Stacks
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-overview/templates-and-template-stacks
• Device Groups
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-overview/device-groups
• Device Group Policies
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-overview/device-groups#28984
• Device Group Objects
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-overview/device-groups#57171

Sample Questions
1. In Panorama, which policy gets evaluated first?
A. device group pre-rules

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 33


B. device group post-rules
C. shared pre-rules
D. shared post-rules
E. local firewall rules
2. Can the same rule allow traffic from different sources on different firewalls?
A. No. Rules mean the same on all firewalls that receive the same policy.
B. Not exactly. However, a rule can allow traffic from a group of sources. If each of those
sources is behind a different firewall, then in practical terms on each firewall the rule is
applied to a different source.
C. Yes, because objects in a device group can override global objects. The same name
could mean different things in different device groups.
D. Yes, because there could be clauses in a rule with effects limited to a specific device
group.

The answers are under the heading “Answers for Identify How to Use Device Groups and
Templates to Manage a Deployment.”

Identify the Benefits of Panorama for Deploying Palo Alto Networks Products
Panorama network security management enables you to control your distributed network of our
firewalls from one central location. View all your firewall traffic, manage all aspects of device
configuration, push global policies, and generate reports on traffic patterns or security incidents — all
from a single console.

References
 https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/faqs/PAN_AAG_pano
rama_052615.pdf

Sample Question
1. Which is not an advantage of using Panorama?
A. centralized management

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 34


B. higher throughput on the firewalls
C. centralized view of collected logs
D. automatic event correlation

The answer is under the heading “Answer for Identify the Benefits of Panorama for Deploying
Palo Alto Networks Products.”

Given a Customer Scenario, Identify How to Design a Redundant Panorama


Deployment
Deployment of the Panorama virtual appliance or M-Series appliance in a redundant configuration has
the following benefits:

 Centralized management: Centralized policy and device management that allows for rapid
deployment and management of up to 1,000 firewalls
 Visibility: Centralized logging and reporting to analyze and report about user-generated traffic
and potential threats
 Role-based access control: Appropriate levels of administrative control at the firewall level or
global level for administration and management

References
 Panorama 8.0 Administrator’s Guide:
• Deploy Panorama with Dedicated Log Collectors
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
manage-log-collection/log-collection-deployments/deploy-panorama-with-dedicated-log-
collectors
• Panorama High Availability
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-high-availability
• Panorama HA Prerequisites
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-high-availability/panorama-ha-prerequisites
• Logging Considerations in Panorama HA
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-high-availability/logging-considerations-in-panorama-ha

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 35


 https://live.paloaltonetworks.com/t5/Management-Articles/Panorama-Sizing-and-Design-
Guide/ta-p/72181

Sample Question
1. A company has a physical data center on their premises and several applications protected by
virtual firewalls on AWS. Now they will install Panorama in high availability mode (one instance
in their data center, the other on AWS). Which configuration do they need in their physical data
center?
A. M-100
B. M-500
C. M-100 or M-500
D. Virtual appliance

The answer is under the heading “Answer for Given a Customer Scenario, Identify How to Design
a Redundant Panorama Deployment.”

Identify how to License a Panorama Deployment


Before you can begin using Panorama for centralized management, logging, and reporting, you must
register the Panorama appliance and retrieve the licenses.

Every instance of Panorama requires valid licenses that entitle you to manage the devices and to obtain
support. The device management license enforces the maximum number of devices that can be
managed by Panorama. The support license enables Panorama software updates and dynamic content
updates for the latest application and threat signatures, among other updates, that are published by
Palo Alto Networks.

References
 Panorama 8.0 Administrator’s Guide:
• Register Panorama and Install Licenses, including all the subsections
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
set-up-panorama/register-panorama-and-install-licenses
• Manage Licenses and Updates
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
manage-licenses-and-updates
• Manage Licenses of Firewalls Using Panorama
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
manage-licenses-and-updates/manage-licenses-on-firewalls-using-panorama

Sample Question
1. How often does Panorama contact the Palo Alto Networks licensing server to look for new
licenses for its firewalls?
A. never; you need to check manually
B. once a week

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 36


C. every 24 hours
D. every 6 hours

The answer is under the heading “Answer for Identify how to License a Panorama Deployment.”

Identify the Differences in Licensing of Panorama as a Hardware Solution vs.


as a Software Solution
Panorama can be deployed on the M-100 or the M-500 management appliances, and individual
management and logging components can be separated in a distributed manner to accommodate large
volumes of log data.

Panorama also can be deployed as a virtual appliance on VMware ESXi, allowing organizations to
support their virtualization initiatives and consolidate rack space, which is sometimes limited or costly in
a data center.

References
 Panorama 8.0 Administrator’s Guide:
• Panorama Models
https://www.paloaltonetworks.com/documentation/80/panorama/panorama_adminguide/
panorama-overview/panorama-models

Sample Question
1. What is the maximum storage capacity of a single Panorama virtual appliance in Panorama
mode?
A. 2 TB
B. 12 TB
C. 18 TB
D. 24 TB

The answer is under the heading “Answer for Identify the Differences in Licensing of Panorama
as a Hardware Solution vs. as a Software Solution.”

Solution Designs and NGFW Configuration: Custom

Given Design Requirements, Identify the Recommended Method of High


Availability
High availability (HA) is when two firewalls are placed in a group and have their configuration
synchronized to prevent a single point of failure on your network. A heartbeat connection between the
firewall peers ensures seamless failover if a peer goes down. Set up two firewalls in an HA pair to
provide redundancy and allows you to ensure business continuity.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 37


References
 PAN-OS® 8.0 Administrator’s Guide:
• HA Concepts, with all the subtopics
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/ha-
concepts
• https://live.paloaltonetworks.com/t5/Learning-Articles/What-is-HA-Lite-on-Palo-Alto-
Networks-PA-200-and-VM-Series/ta-p/62553

Sample Question
1. Which feature is not supported in active/active (A/A) mode?
A. IPsec tunneling
B. DHCP client
C. link aggregation
D. configuration synchronization

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 38


The answer is under the heading “Answer for Given Design Requirements, Identify the
Recommended Method of High Availability.”

Identify the Functions of a Given HA Port


High-end systems have two high availability ports, one for management and one for data.

References
 PAN-OS® 8.0 Administrator’s Guide:
• HA Links and Backup Links https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/high-availability/ha-concepts/ha-links-and-backup-links
• Set Up Active/Passive HA https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/high-availability/set-up-activepassive-ha
• Set Up Active/Active HA https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/high-availability/set-up-activeactive-ha

Sample Question
1. Which high availability port (or ports) is used for which plane?
A. HA1 for the dataplane, HA2 for the management plane.
B. HA1 for the management plane, HA2 for the dataplane.
C. If HA1 works, it is used for both data and management. HA2 is a backup.
D. HA1 for the management plane, HA2 for the dataplane in the 7000 Series. The less
costly models have only an HA1, which is used for both management and data.

The answer is under the heading “Answer for Identify the Functions of a Given HA Port.”

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 39


Identify Deployment Best Practices for Scheduling Dynamic Updates
Palo Alto Networks regularly posts updates for application detection, threat protection, and
GlobalProtect data files through dynamic updates.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Install Content and Software Updates
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-
started/install-content-and-software-updates

Sample Question
1. Which two updates should be scheduled to occur once a day? (Choose two.)
A. Antivirus
B. PAN-DB URL Filtering
C. WildFire
D. Applications and Threats
E. SMS channel

The answer is under the heading “Answer for Identify Deployment Best Practices for Scheduling
Dynamic Updates.”

Given a Series of Designs, Choose the Design(s) That Would Require Virtual
Systems (vsys)
Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks
firewall. Rather than use multiple firewalls, managed service providers and enterprises can use a single
pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system (vsys) is an
independent, separately managed firewall with its traffic kept separate from the traffic of other virtual
systems.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 40


References
 PAN-OS® 8.0 Administrator’s Guide:
• Virtual Systems Overview, with all the subtopics
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/virtual-
systems/virtual-systems-overview

Sample Question
1. Which is not a reason to use virtual systems?
A. Multiple customers colocated in the same data center, and as the data center owner
you want to upsell a firewall service
B. The organization runs a virtualized firewall
C. A company’s business requirements are for a central IT department to manage the
firewall itself, but departments to manage their own Security policy.
D. An ISP wants to include a firewall service, with the firewall on their premises between
the customers’ connection and the internet.

The answer is under the heading “Answer for Given a Series of Designs, Choose the Design(s)
That Would Require Virtual Systems (vsys).”

Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum
Performance
A best practice security policy is iterative. It is a tool for safely enabling applications, users, and content
by classifying all traffic, across all ports, all the time. As soon as you define the initial internet gateway
Security policy, you must begin to monitor the traffic that matches the temporary rules designed to
identify policy gaps, monitor alarming behavior, and tune your policy accordingly. By monitoring traffic
that is covered by these rules, you can make appropriate adjustments to your rules to either ensure that
all traffic is hitting your whitelist application or to allow rules or assess whether particular applications
should be allowed. As you tune your rulebase, you should see less and less traffic hitting these rules.
When you no longer see traffic encountering these rules, your positive enforcement whitelist rules are
complete and you can remove the temporary rules.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 41


References
 PAN-OS® 8.0 Administrator’s Guide:
• Create Best Practice Security Profiles
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/create-best-
practice-security-profiles
• Step 4: Create the Temporary Tuning Rules
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/best-
practice-internet-gateway-security-policy/define-the-initial-internet-gateway-security-
policy/step-4-create-the-temporary-tuning-rules
• Monitor and Fine Tune the Policy Rulebase
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/best-
practice-internet-gateway-security-policy/monitor-and-fine-tune-the-policy-rulebase

Sample Question
1. It is best practice to either block executables or send them to WildFire. Which file extension is
not an executable?
A. .jar
B. .rtf
C. .scr
D. .sys

The answer is under the heading “Answer for Identify Best Practices for Tuning a Palo Alto
Networks Firewall for Maximum Performance.”

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 42


Solution Design: NGFW Configuration: Security

Identify How to Protect Against Known Commodity Attacks


Vulnerability Protection Profiles stop attempts to exploit system flaws or gain unauthorized access to
systems. Although Anti‐Spyware Profiles help identify infected hosts as traffic leaves the network,
Vulnerability Protection Profiles protect against threats entering the network. For example, Vulnerability
Protection Profiles help protect against buffer overflows, illegal code execution, and other attempts to
exploit system vulnerabilities. The default Vulnerability Protection Profile protects clients and servers
from all known critical, high, and medium‐severity exploits.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Use DNS Queries to Identify Infected Hosts on the Network
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-
prevention/use-dns-queries-to-identify-infected-hosts-on-the-network
• Vulnerability Protection Profiles
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/vulnerability-
protection-profiles
• Install Content and Software Updates
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/getting-
started/install-content-and-software-updates

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 43


Sample Question
1. Which profile type is used to protect against most protocol-based attacks?
A. Antivirus Profile
B. URL Filtering Profile
C. Vulnerability Protection Profile
D. WildFire Analysis Profile

The answer is under the heading” Answer for Identify How to Protect Against Known
Commodity Attacks.”

Identify How to Protect Against Unknown Attacks


The WildFire virtual environment identifies previously unknown malware and generates signatures that
Palo Alto Networks firewalls can use to then detect and block the malware. When a Palo Alto Networks
firewall detects an unknown sample (a file or a link included in an email), the firewall automatically can
forward the sample for WildFire analysis. WildFire determines the sample to be Benign, Grayware, or
Malicious based on the properties, behaviors, and activities that the sample displays when it is analyzed
and executed in the WildFire sandbox. WildFire then generates signatures to recognize the newly
discovered malware, and makes the latest signatures globally available every five minutes. All Palo Alto
Networks firewalls then can compare incoming samples against these signatures to automatically block
the malware first detected by a single firewall.

References
 WildFire 8.0 Administrator’s Guide:

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 44


• WildFire Concepts
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-concepts
 A Hacker’s View of Antivirus https://www.paloaltonetworks.com/products/secure-the-
endpoint/traps
 Best Practices for Ransomware Prevention https://live.paloaltonetworks.com/t5/Featured-
Articles/Best-Practices-for-Ransomware-Prevention/ta-p/74148

Sample Question
1. Which security posture is most likely to stop unknown attacks?
A. allow all the traffic that is not explicitly denied
B. deny all the traffic that is not explicitly allowed
C. deny all the traffic that is not explicitly allowed from the outside, and allow all the traffic
that is not explicitly denied from the inside
D. deny all the traffic that is not explicitly allowed from the inside, and allow all the traffic
that is not explicitly denied from the outside

The answer is under the heading “Answer for Identify How to Protect Against Unknown
Attacks.”

What Can Be Applied to Prevent Users from Unknowingly Downloading


Malicious File Types from the Internet?
File Blocking Profiles allow you to identify specific file types that you want to want to block or monitor.
For most traffic (including traffic on your internal network) you will want to block files that are known to
carry threats or that have no real use case for upload/download. Currently, these files include batch
files, DLLs, Java class files, help files, Windows shortcuts (.lnk), and BitTorrent files. To provide drive‐by
download protection, you also should allow download/upload of executables and archive files (.zip and
.rar) but force users to acknowledge that they are transferring a file so that they will notice that a web
page is trying to sneak in a file without their knowledge or consent. For policy rules that allow general
web browsing, be stricter with your file blocking because the risk of users unknowingly downloading
malicious files is much higher. For this type of traffic you will want to attach a stricter file blocking profile
that also blocks Portable Executable (PE) files.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 45


References
 PAN-OS® 8.0 Administrator’s Guide:
• Create Best Practice Security Profiles
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/policy/create-best-
practice-security-profiles#_48239
 WildFire 8.0 Administrator’s Guide:
• WildFire File Type Support
https://www.paloaltonetworks.com/documentation/80/wildfire/wf_admin/wildfire-
overview/wildfire-file-type-support
 Distributing Malware Inside Adobe PDF Documents http://www.drchaos.com/distributing-
malware-inside-adobe-pdf-documents/

Sample Question
1. Which two features make a file potentially dangerous and cause the security platform to reject
it? (Choose two.)
A. Executable code (Windows code in PE files, Android code in APK files, etc.)
B. Offensive graphics
C. Financial information
D. Potentially dangerous source code
E. Malformed information that can exploit a vulnerability in a reader for that file type (for
example, a PDF file that runs a separate program)

The answer is under the heading “Answer for What Can Be Applied to Prevent Users from
Unknowingly Downloading Malicious File Types from the Internet?”

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 46


NGFW Configuration: Visibility

Identify Where to Configure User-ID in the UI


User and group information must be directly integrated into the technology platforms that secure
modern organizations. Knowledge of who is using the applications on your network, and who may have
transmitted a threat or is transferring files, strengthens security policies and reduces incident response
times. User-ID, a standard feature on Palo Alto Networks next-generation firewalls, enables you to
leverage user information stored in a wide range of repositories.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Configure User Mapping Using the Windows User-ID Agent
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/configure-
user-mapping-using-the-windows-user-id-agent
• Configure User Mapping Using the PAN-OS Integrated User-ID Agent
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/configure-
user-mapping-using-the-pan-os-integrated-user-id-agent
• Configure User-ID to Monitor Syslog Senders for User Mapping
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-
addresses-to-users/configure-user-id-to-monitor-syslog-senders-for-user-mapping
• Map IP Addresses to Usernames Using Captive Portal
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-
addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal
• Deploy User-ID for Numerous Mapping Information Sources
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/deploy-
user-id-in-a-large-scale-network/deploy-user-id-for-numerous-mapping-information-
sources

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 47


Sample Question
1. What is the maximum number of servers supported by a single User-ID agent?
A. 10
B. 50
C. 100
D. 500

The answer is under the heading “Answer for Identify Where to Configure User-ID in the UI.”

Identify How to Obtain the Parameters to Configure User-ID


Before you can define policy rules based on user or group, first you create an LDAP Server Profile that
defines how the firewall connects and authenticates to your directory server. The firewall supports a
variety of directory servers, including Microsoft Active Directory (AD), Novell eDirectory, and Sun ONE
Directory Server. The Server Profile also defines how the firewall searches the directory to retrieve the
list of groups and the corresponding list of members. If you are using a directory server that is not
natively supported by the firewall, you can integrate the group mapping function using the XML API.

References
 PAN-OS® 8.0 Administrator’s Guide:
• User-ID Concepts https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/user-id/user-id-concepts
• Create a Dedicated Service Account for the User-ID Agent
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/map-ip-
addresses-to-users/create-a-dedicated-service-account-for-the-user-id-agent

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 48


Sample Question
1. How does the firewall know that a specific connection comes from a specific user?
A. Every connection has a user ID encoded in it.
B. User-ID is only supported in protocols that use user authentication, which provides the
user identity to the firewall and the back end.
C. The firewall always uses the IP address in the IP header to locate the user ID.
D. Usually the firewall uses the IP address in the IP header to locate the user ID, but there
are a few additional techniques (for example, HTTP proxies provide the client’s IP
address in the HTTP header).

The answer is under the heading “Answer for Identify How to Obtain the Parameters to
Configure User-ID.”

Identify the Methods and Order of Precedence That User-ID Uses


In support of business flexibility, many organizations have the need to support multiple types of end
users across a variety of locations and access technologies. In these environments, IP addresses are no
longer an effective proxy for end users. Instead, user and group information must be directly integrated
into the technology platforms that secure modern organizations.

References
 User-ID: Strengthen Security Posture and Improve Visibility by Mapping Network Traffic to Users
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/techbriefs/user-id-tech-brief

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 49


Sample Question
1. A customer has a proprietary user authentication system that is not supported by User-ID. Can
you provide User-ID information to their firewall, and if so how?
A. It is impossible. They’ll need to upgrade to something more standard.
B. It can be done, but only for HTTP applications because HTTP supports XFF headers.
C. It can be done using the XML API.
D. It can be done, but it requires programming that can be performed only by the Palo Alto
Networks professional services organization.

The answer is under the heading “Answer for Identify the Methods and Order of Precedence
That User-ID Uses.”

Identify User-ID Deployment Best Practices


When you enable User-ID on internal and trusted zones, there is no exposure of these services to the
internet, which helps to keep these services protected from any potential attacks. If User-ID and WMI
probing are enabled on an external untrusted zone (such as the internet), probes could be sent outside
your protected network, thus resulting in an information disclosure of the User-ID Agent service account
name, domain name, and encrypted password hash. This information can be cracked and exploited by
an attacker to gain unauthorized access to protected resources. For this important reason, User-ID
should never be enabled on an untrusted zone.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 50


References
 https://live.paloaltonetworks.com/t5/Learning-Articles/Best-Practices-for-Securing-User-ID-
Deployments/ta-p/61606

Sample Question
1. Should you limit the permission of the user that runs the User-ID agent? If so, why?
A. Yes, because of the principle of least privilege. You should give only processes those
permissions that are necessary for them to work.
B. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it start an interactive login.
C. Yes, to an extent. You can give it most privileges, but there is no actual user, so you
should not let it have remote access.
D. No, there is nothing wrong with using the administrator’s account.

The answer is under the heading “Answer for Identify User-ID Deployment Best Practices.”

Identify the Parameters to Configure App-ID


App‐ID, a patented traffic classification system available only in Palo Alto Networks firewalls, identifies
applications regardless of port, protocol, encryption (SSH or SSL), or any other evasive tactic used by the
application. It applies multiple classification mechanisms (application signatures, application protocol
decoding, and heuristics) to your network traffic stream to accurately identify applications.

References
 PAN-OS® 8.0 Administrator’s Guide:
• App-ID Overview https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/app-id/app-id-overview
• Manage Custom or Unknown Applications
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-
custom-or-unknown-applications
• Create a Custom Application https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/app-id/use-application-objects-in-policy/create-a-custom-application

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 51


 PAN-OS® Web Interface Reference Guide 8.0:
• Policies > Application Override https://www.paloaltonetworks.com/documentation/80/pan-
os/web-interface-help/policies/policies-application-override
• Defining Applications https://www.paloaltonetworks.com/documentation/80/pan-os/web-
interface-help/objects/objects-applications (scroll down)
 https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/p
an/en_US/resources/techbriefs/app-id-tech-brief

Learn by Doing
 Play with App-ID on the user interface:
• Attempt to define a custom application
• View the application information and characteristics for a Palo Alto Networks App-ID. See if
you can see the App-ID signature, timeouts, etc.

Sample Question
1. Which three reasons could cause a firewall that is fully configured, including decryption, not to
recognize an application? (Choose three.)
A. The application is running over SSL.
B. There is no App-ID signature for the application.
C. The application is running over ICMP.
D. The application is running over UDP.
E. Incomplete data, meaning that the TCP handshake happened but there had been no
application traffic.
F. Insufficient data, meaning that there had been some application traffic.

The answer is under the heading “Answer for Identify the Parameters to Configure App-ID.”

Identify App-ID Deployment Best Practices


Before you can safely enable applications, you must classify all traffic, across all ports, all the time. With
App‐ID, the only applications that typically are classified as unknown traffic—tcp, udp or non‐syn‐tcp—in
the ACC and the Traffic logs are commercially available applications that have not yet been added to
App‐ID, internal or custom applications on your network, or potential threats.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 52


References
 PAN-OS® 8.0 Administrator’s Guide:
• Manage Custom or Unknown Applications
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-
custom-or-unknown-applications
• Create a Custom Application https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/app-id/use-application-objects-in-policy/create-a-custom-application

Sample Question
1. Which two methods can you use to add an application that runs on TCP port 25 to the firewall?
(Choose two.)
A. Request an App-ID from Palo Alto Networks.
B. Create a custom application with a signature.
C. Create a custom application and define an Application Override policy.
D. Write JavaScript code to identify the application.
E. Write Python code to identify the application.

The answer is under the heading “Answer for Identify App-ID Deployment Best Practices.”

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 53


Solution Design: NGFW Configuration: Decryption

Identify the Differences in Decryption Configuration Between Forward Proxy,


Inbound Proxy, and SSH Proxy
With SSL Forward Proxy decryption, the firewall resides between the internal client and outside server.
The firewall uses Forward Trust or Forward Untrust certificates to establish itself as a trusted third party
to the session between the client and the server. When the client initiates an SSL session with the
server, the firewall intercepts the client’s SSL request and forwards the SSL request to the server. The
server sends a certificate intended for the client that is intercepted by the firewall. If the server’s
certificate is signed by a CA that the firewall trusts, the firewall creates a copy of the server’s certificate
signed by the Forward Trust certificate and sends the certificate to the client to authenticate. If the
server’s certificate is signed by a CA that the firewall does not trust, the firewall creates a copy of the
server’s certificate and signs it with the Forward Untrust certificate and sends it to the client. In this
case, the client sees a block page warning that the site they’re attempting to connect to is not trusted
and the client can choose to proceed or terminate the session. When the client authenticates the
certificate, the SSL session is established with the firewall functioning as a trusted forward proxy to the
site that the client is accessing.

Use SSL Inbound Inspection to decrypt and inspect inbound SSL traffic from a client to a targeted server
(any server you have the certificate for and can import onto the firewall). For example, if an employee is
remotely connected to a web server hosted on the company network and is attempting to add
restricted internal documents to a Dropbox folder (which uses SSL for data transmission), SSL Inbound
Inspection can be used to ensure that the sensitive data does not move outside the secure company
network by blocking or restricting the session.

In an SSH Proxy configuration, the firewall resides between a client and a server. When the client sends
an SSH request to the server, the firewall intercepts the request and forwards the SSH request to the
server. The firewall then intercepts the server’s response and forwards the response to the client,
establishing an SSH tunnel between the firewall and the client and an SSH tunnel between the firewall
and the server, with firewall functioning as a proxy. As traffic flows between the client and the server,
the firewall can distinguish whether the SSH traffic is being routed normally or if it is using SSH tunneling
(port forwarding). Content and threat inspections are not performed on SSH tunnels; however, if SSH
tunnels are identified by the firewall, the SSH tunneled traffic is blocked and restricted according to
configured security policies.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 54


References
 PAN-OS® 8.0 Administrator’s Guide:
• Decryption Overview https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/decryption/decryption-overview
 Difference Between SSL Forward-Proxy and Inbound Inspection Decryption Mode
https://live.paloaltonetworks.com/t5/Learning-Articles/Difference-Between-SSL-Forward-Proxy-
and-Inbound-Inspection/ta-p/55553

Sample Question
1. Which decryption mode or modes require(s) the private key of the destination server? (Choose
the best answer.)
A. Forward Proxy
B. Inbound Inspection
C. Both Forward Proxy and Inbound Inspection
D. SSH Proxy

The answer is under the heading “Answer for Identify the Differences in Decryption
Configuration Between Forward Proxy, Inbound Proxy, and SSH Proxy.”

Identify How to Overcome Privacy and Legal Objections to Decryption


You can configure decryption exceptions to exclude applications, URL categories, and targeted server
traffic from decryption:

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 55


 Exclude certain URL categories or applications that either do not work properly with decryption
enabled or for any other reason, including for legal or privacy purposes. You can use a
Decryption policy to exclude traffic from decryption based on source, destination, URL category,
service (port or protocol), and TCP port numbers. For example, with SSL decryption enabled, you
can choose URL categories to exclude traffic that is categorized as financial or health‐related
from decryption.
 Exclude server traffic from SSL decryption based on the Common Name (CN) in the server
certificate. For example, if you have SSL decryption enabled but have certain servers for which
you do not want to decrypt traffic, such as the web services for your HR systems, exclude those
servers from decryption by importing the server certificate onto the firewall and modifying the
certificate to be an SSL Exclude certificate.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Decryption Exclusions https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/decryption/decryption-exclusions#93953, including all the subtopics
 PAN-OS® Web Interface Reference Guide 8.0:
• Policies > Decryption https://www.paloaltonetworks.com/documentation/80/pan-os/web-
interface-help/policies/policies-decryption
• Objects > Decryption Profile https://www.paloaltonetworks.com/documentation/80/pan-
os/web-interface-help/objects/objects-decryption-profile

Sample Question
1. Which parameter cannot be used in a Decryption policy rule?
A. User-ID
B. App-ID
C. Source Zone
D. Destination Zone

The answer is under the heading “Answer for Identify How to Overcome Privacy and Legal
Objections to Decryption.”

Identify the Different Types of Certificates Used in the SSL Decryption Process
With a Decryption policy configured, a session between the client and the server is established only if
the firewall trusts the CA that signed the server certificate. To establish trust, the firewall must have the
server root CA certificate in its certificate trust list (CTL) and use the public key contained in that root CA
certificate to verify the signature. The firewall then presents a copy of the server certificate signed by
the Forward Trust certificate for the client to authenticate. You also can configure the firewall to use an
enterprise CA as a forward trust certificate for SSL Forward Proxy. If the firewall does not have the
server root CA certificate in its CTL, the firewall will present a copy of the server certificate signed by the

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 56


Forward Untrust certificate to the client. The Forward Untrust certificate ensures that clients are
prompted with a certificate warning when they attempt to access sites hosted by a server with
untrusted certificates.

References
 PAN-OS® 8.0 Administrator’s Guide:
• Keys and Certificates for Decryption Policies
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies
• SSL Forward Proxy https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/decryption/decryption-concepts/ssl-forward-proxy
• SSL Inbound Inspection https://www.paloaltonetworks.com/documentation/80/pan-
os/pan-os/decryption/decryption-concepts/ssl-inbound-inspection
• SSH Proxy https://www.paloaltonetworks.com/documentation/80/pan-os/pan-
os/decryption/decryption-concepts/ssh-proxy

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 57


Sample Question
1. Which decryption method requires the client to trust either the firewall’s own self-signed
certificate or a certificate authority that provided the firewall with a certificate?
A. Forward Proxy
B. Inbound Inspection
C. SSH Proxy
D. Reverse Proxy

The answer is under the heading “Answer for Identify the Different Types of Certificates Used in
the SSL Decryption Process.”

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 58


Sample Test

The answers are under the heading “Answers for the Sample Test.”

1. Which file type is not supported by WildFire?


A. Java applications in JAR files
B. Microsoft Word files
C. batch files
D. PDF files

2. Which two answers could you give a prospect who says that updating the WildFire malware list
twice a week is unacceptable? (Choose two.)
A. With a WildFire subscription you get an update every few minutes.
B. With the Threat subscription you get an update every few minutes.
C. With the Threat subscription you get an update every hour.
D. With the Threat subscription you get an update every 24 hours.
E. Twice a week is sufficient; malware does not propagate that quickly.

3. What information does IBM Trusteer get from WildFire?


A. none; it provides information to WildFire
B. indicators of compromise (IOCs)
C. hashes of malware for EXE and MSI files
D. hashes of malware, for APK files

4. Which Palo Alto Networks product directly protects corporate laptops when people use them
from home?
A. next-generation firewall
B. Panorama
C. WildFire
D. GlobalProtect

5. Which two C2 channels may be used when a computer tries to access the URL
http://part1.of.big.secret.i.am.exfiltrating.evil.com/part2/of/the/same/secret? (Choose two.)
A. email
B. DNS
C. URL
D. SMS
E. ICMP

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 59


6. Where in a report do you specify the application to which it applies?
A. Query Builder
B. Group By field
C. Order By field
D. Time Frame field

7. Which log type does not have five severity levels?


A. Threat log
B. WildFire Submission log
C. Correlation log
D. System log

8. Which two behaviors would fail to disguise the malware? (Choose two.)
A. Use domains known to be run by dynamic DNS providers.
B. Disguise the C2 traffic as email.
C. Browse directly to IP addresses without DNS resolution.
D. Infect multiple hosts before accessing the C2 channel, so that each time the C2 request
message comes from a different IP address.
E. Slow down C2 traffic to one packet in each direction each day.

9. Which element of the NGFW does the NGFW UTD show potential customers?
A. how to set up NGFW for the first time
B. how to migrate from a different firewall to NGFW
C. How to integrate with the Advanced Endpoint Protection
D. How to integrate with WildFire

10. Which firewall series (one or more) requires you to specify in the Bill of Materials the Network
Processing Cards (NPC) to include?
A. A Bill of Materials that specifies the NPC is never needed; Palo Alto Networks appliances
don’t support hardware customization
B. PA-7000
C. PA-5200 and PA-7000
D. PA-3000, PA-5200, and PA-7000

11. An enterprise needs to use web storage to collaborate with business partners. Which step is
required to ensure that web storage is not used to exfiltrate sensitive data from the enterprise?

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 60


A. Disconnect from the internet
B. Configure a local shared drive and use that instead of web storage
C. Use Aperture to ensure that the information shared to the web storage is not sensitive
D. Install Advanced Endpoint Protection

12. A company has no internal network and only a few people work from home and use public SaaS
services (such as Google Docs). Is there any component of the Palo Alto Networks security
platform that is not needed, and if so, which one is it?
A. WildFire
B. Traps
C. NGFW
D. All the components are needed

13. In Panorama, which policy gets evaluated last?


A. device group pre-rules
B. device group post-rules
C. shared pre-rules
D. shared post-rules
E. local firewall rules

14. What is the difference between templates and device groups?


A. Templates are used for network parameters and device groups are used for security
definitions (rules and objects).
B. Device groups are used for network parameters and templates are used for security
definitions (rules and objects).
C. Panorama has device groups, but there is no such thing as a template in Panorama.
D. Panorama has templates, but there is no such thing as a device group in Panorama.

15. Which is not an advantage of using Panorama?


A. ability to recognize more applications on the firewall
B. centralized management
C. centralized view of collected logs
D. automatic event correlation

16. Which three features are not supported by HA lite, but are available on higher-end models?
(Choose three.)
A. Link Aggregation
B. DHCP lease information synchronization

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 61


C. PPPoE lease information synchronization
D. Active/passive (A/P) high availability (without session synchronizations)
E. Active/passive (A/P) high availability (with session synchronizations)
F. Active/active (A/A) high availability

17. What could cause “split brain” in an active/passive (A/P) high availability setup?
A. Nothing; it is only a problem in active/active (A/A).
B. The connection between the dataplane ports is broken and there is no configured
backup, so no heartbeat.
C. The connection between the management plane ports is broken and there is no
configured backup, so no heartbeat.
D. The two ports, HA1 and HA2, are always backup connections to each other, so only if
both connections are broken would you get a “split brain.” problem

18. A best practice is to either block executables or to send them to WildFire. Which file extension is
not an executable?
A. .jar
B. .exe
C. .txt
D. .sys

19. Which action could disconnect a potentially infected host from the network?
A. Alert
B. Reset Client
C. Reset Server
D. Block IP

20. Which component of the security platform turns unknown attacks into known attacks?
A. Next-generation firewall
B. Advanced Endpoint Protection
C. WildFire
D. Autofocus

21. Is the maximum number of servers that a User-ID agent support?


A. 20
B. 100
C. 1,000
D. There is no limit.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 62


22. Must the agent account be a member of the Distributed COM Users group?
A. yes, always
B. only when using the Windows-based User-ID agent
C. only when using the PAN-OS® integrated User-ID agent
D. No, never

23. Which characteristic (or characteristics), if any, of a predefined application can be viewed and
modified by an administrator?
A. signature
B. timeout values
C. both the signature and the timeout values
D. neither the signature nor the timeout values

24. Which two decryption modes require an SSL certificate? (Choose two)
A. Forward Proxy
B. Inbound Inspection
C. Reverse Proxy
D. SSH Proxy
E. Outbound Inspection

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 63


Answers to Sample Questions

Answers for Positioning: Platform


Answer for Identify the Architecture Components that Benefit from WildFire
1. A

Answers for Identify the Impact of the Intelligence Coming from the Threat Intelligence
Cloud
1. C
2. D

Answer for Identify the Sources of Data for the Threat Intelligence Cloud
1. B

Answer for Identify the Core Values of the Palo Alto Networks Security Platform
1. B

Answer for Identify the Presale Benefits of the Migration Tool


1. D

Answers for Identify How to Position the Value of a Next-Generation Firewall Over a Legacy
Firewall
1. B

Answers for Positioning: Next-Generation Firewall


Answers for Identify the Protections That the Next-Generation Firewall Uses to Prevent
Command-and-Control Traffic
1. A, E

Answers for Identify the Reporting Capabilities of the Palo Alto Networks Firewall
1. B
2. C

Answers for Identify the Process of Automated Report Distribution


1. A, C

Answer for Identify the Capabilities That Detect IOC


1. C

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 64


Answers for Positioning: SLR and UTD
Answer for Given a Customer Description, Identify the Appropriate Section of an SLR
(Security Lifecycle Review) to Highlight During the Presentation
1. C

Answer for Identify How to Configure an NGFW for Evaluation Purposes


1. A

Answer for Given a Customer Statdump File, Identify How to Generate an SLR Report
1. B

Answers for Identify the Characteristics and Best Practices of Ultimate Test Drive (UTD)
Seminars
1. B, C

Answers for Solution Design: Platform


Answer for Given a Palo Alto Networks Solution Scenario Including Products, Subscription
Licenses, and Support, Identify the Bill of Materials That Should Be Written
1. B

Answer for Given a Customer Environment, Identify the NGFW Model That Should Be Used to
Secure the Network
1. D

Answer for Given a Customer Environment, Identify How Aperture Should Be Used to Secure
the Enterprise
1. D

Answer for Given a Customer Environment, Identify How Autofocus Should Be Used to
Secure the Enterprise
1. A

Answer for Given a Customer Environment, Identify How Traps Should Be Used to Secure the
Endpoint
1. D

Answer for Given a Customer Environment, Identify How WildFire Should Be Used to Secure
the Enterprise
1. D

Answer for Given a Customer Environment, Identify How NGFW, WildFire, and Traps Should
Be Used to Secure the Enterprise
1. C

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 65


Answer for Identify Which Firewall Models Support vsys and Its Common Uses
1. C

Answers for Solution Design: Panorama


Answers for Identify How to Use Device Groups and Templates to Manage a Deployment
1. C
2. C

Answer for Identify the Benefits of Panorama for Deploying Palo Alto Networks Products
1. B

Answer for Given a Customer Scenario, Identify How to Design a Redundant Panorama
Deployment
1. D

Answer for Identify how to License a Panorama Deployment


1. C

Answer for Identify the Differences in Licensing of Panorama as a Hardware Solution vs. as a
Software Solution
1. D

Answers for Solution Designs and NGFW Configuration: Custom


Answer for Given Design Requirements, Identify the Recommended Method of High
Availability
1. B

Answer for Identify the Functions of a Given HA Port


1. B

Answers for Identify Deployment Best Practices for Scheduling Dynamic Updates
1. A, B

Answer for Given a Series of Designs, Choose the Design(s) That Would Require Virtual
Systems (vsys)
1. B

Answer for Identify Best Practices for Tuning a Palo Alto Networks Firewall for Maximum
Performance
1. B

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 66


Answers for Solution Design: NGFW Configuration: Security
Answer for Identify How to Protect Against Known Commodity Attacks
1. C

Answer for Identify How to Protect Against Unknown Attacks


1. B

Answers for What Can Be Applied to Prevent Users from Unknowingly Downloading
Malicious File Types from the Internet?
1. A, E

Answers for Solution Design: NGFW Configuration: Visibility


Answer for Identify Where to Configure User-ID in the UI
1. C

Answer for Identify How to Obtain the Parameters to Configure User-ID


1. D

Answer for Identify the Methods and Order of Precedence That User-ID Uses
1. C

Answer for Identify User-ID Deployment Best Practices


1. A

Answers for Identify the Parameters to Configure App-ID


1. B, E, F

Answer for Identify App-ID Deployment Best Practices


1. A, B

Answers for Solution Design: NGFW Configuration: Decryption


Answer for Identify the Differences in Decryption Configuration Between Forward Proxy,
Inbound Proxy, and SSH Proxy
1. B

Answer for Identify How to Overcome Privacy and Legal Objections to Decryption
1. B

Answer for Identify the Different Types of Certificates Used in the SSL Decryption Process
1. A

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 67


Answers for the Sample Test
1. C
2. A, D
3. B
4. D
5. B, C
6. A
7. B
8. A, C
9. D
10. B
11. C
12. D
13. D
14. A
15. A
16. A, E, F
17. C
18. C
19. D
20. C
21. B
22. C
23. B
24. A, B

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 68


Glossary

Advanced Encryption Standard (AES): A symmetric block cipher based on the Rijndael cipher.

AES: See Advanced Encryption Standard (AES).

API: See application programming interface (API).

application programming interface (API): A set of routines, protocols, and tools for building software
applications and integrations.

bot: Individual endpoints that are infected with advanced malware that enables an attacker to take
control of the compromised endpoint. Also known as a zombie. See also botnet.

botnet: A network of bots (often tens of thousands or more) working together under the control of
attackers using numerous command and control (C2) servers. See also bot.

bring your own apps (BYOA): Closely related to BYOD, BYOA is a policy trend in which organizations
permit end users to download, install, and use their own personal apps on mobile devices, primarily
smartphones and tablets, for work-related purposes. See also bring your own device (BYOD).

bring your own device (BYOD): A policy trend in which organizations permit end users to use their own
personal devices, primarily smartphones and tablets, for work-related purposes. BYOD relieves
organizations from the cost of providing equipment to employees, but creates a management challenge
due to the vast number and type of devices that must be supported. See also bring your own apps
(BYOA).

BYOA: See bring your own apps (BYOA).

BYOD: See bring your own device (BYOD).

covered entity: Defined by HIPAA as a healthcare provider that electronically transmits PHI (such as
doctors, clinics, psychologists, dentists, chiropractors, nursing homes, and pharmacies), a health plan
(such as a health insurance company, health maintenance organization, company health plan, or
government program including Medicare, Medicaid, military and veterans’ healthcare), or a healthcare
clearinghouse. See also Health Insurance Portability and Accountability Act (HIPAA) and protected health
information (PHI).

data encapsulation: A process in which protocol information from the OSI layer immediately above is
wrapped in the data section of the OSI layer immediately below. See also open systems interconnection
(OSI) reference model.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 69


DDOS: See distributed denial-of-service (DDOS).

distributed denial-of-service (DDOS): A type of cyberattack in which extremely high volumes of network
traffic such as packets, data, or transactions are sent to the target victim’s network to make their
network and systems (such as an e-commerce website or other web application) unavailable or
unusable.

EHR: See electronic health record (EHR).

electronic health record (EHR): As defined by HealthIT.gov, an EHR “goes beyond the data collected in
the provider’s office and include[s] a more comprehensive patient history. EHR data can be created,
managed, and consulted by authorized providers and staff from across more than one healthcare
organization.”

electronic medical record (EMR): As defined by HealthIT.gov, an EMR “contains the standard medical
and clinical data gathered in one provider’s office.”

EMR: See electronic medical record (EMR).

endpoint: A computing device such as a desktop or laptop computer, handheld scanner, point-of-sale
(POS) terminal, printer, satellite radio, security or videoconferencing camera, self-service kiosk, server,
smart meter, smart TV, smartphone, tablet, or Voice over Internet Protocol (VoIP) phone. Although
endpoints can include servers and network equipment, the term is generally used to describe end user
devices.

extensible markup language (XML): A programming language specification that defines a set of rules for
encoding documents in a human- and machine-readable format.

false negative: In anti-malware, malware that is incorrectly identified as a legitimate file or application.
In intrusion detection, a threat that is incorrectly identified as legitimate traffic. See also false positive.

false positive: In anti-malware, a legitimate file or application that is incorrectly identified as malware.
In intrusion detection, legitimate traffic that is incorrectly identified as a threat. See also false negative.

favicon (“favorite icon”): A small file containing one or more small icons associated with a particular
website or webpage.

generic routing encapsulation (GRE): A tunneling protocol developed by Cisco Systems® that can
encapsulate various network layer protocols inside virtual point-to-point links.

GLBA: See Gramm-Leach-Bliley Act (GLBA).

Gramm-Leach-Bliley Act (GLBA): A U.S. law that requires financial institutions to implement privacy and
information security policies to safeguard the non-public personal information of clients and consumers.
Also known as the Financial Services Modernization Act of 1999.

GRE: See generic routing encapsulation (GRE).

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 70


hacker: Originally used to refer to anyone with highly specialized computing skills, without connoting
good or bad purposes. However, common misuse of the term has redefined a hacker as someone that
circumvents computer security with malicious intent, such as a cybercriminal, cyberterrorist, or
hacktivist.

hash signature: A cryptographic representation of an entire file or program’s source code.

Health Insurance Portability and Accountability Act (HIPAA): A U.S. law that defines data privacy and
security requirements to protect individuals’ medical records and other personal health information. See
also covered entity and protected health information (PHI).

HIPAA: See Health Insurance Portability and Accountability Act (HIPAA).

indicator of compromise (IOC): A network or operating system (OS) artifact that provides a high level of
confidence that a computer security incident has occurred.

IOC: See indicator of compromise (IOC).

least privilege: A network security principle in which only the permission or access rights necessary to
perform an authorized task are granted.

malware: Malicious software or code that typically damages, takes control of, or collects information
from an infected endpoint. Malware broadly includes viruses, worms, Trojan horses (including Remote
Access Trojans, or RATs), anti-AV, logic bombs, backdoors, rootkits, bootkits, spyware, and (to a lesser
extent) adware.

Network and Information Security (NIS) Directive: A European Union (EU) directive that imposes
network and information security requirements – to be enacted by national laws across the EU within
two years of adoption in 2016 – for banks, energy companies, healthcare providers and digital service
providers, among others.

NIS: See Network and Information Security (NIS) Directive.

one-way (hash) function: A mathematical function that creates a unique representation (a hash value)
of a larger set of data in a manner that is easy to compute in one direction (input to output), but not in
the reverse direction (output to input). The hash function can’t recover the original text from the hash
value. However, an attacker could attempt to guess what the original text was and see if it produces a
matching hash value.

open systems interconnection (OSI) reference model: Defines standard protocols for communication
and interoperability using a layered approach in which data is passed from the highest layer
(application) downward through each layer to the lowest layer (physical), then transmitted across the
network to its destination, then passed upward from the lowest layer to the highest layer. See also data
encapsulation.

OSI model: See open systems interconnection (OSI) reference model.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 71


packet capture (pcap): A traffic intercept of data packets that can be used for analysis.

Payment Card Industry Data Security Standards (PCI DSS): A proprietary information security standard
mandated and administered by the PCI Security Standards Council (SSC), and applicable to any
organization that transmits, processes, or stores payment card (such as debit and credit cards)
information. See also PCI Security Standards Council (SSC).

PCAP: See packet capture (PCAP).

PCI: See Payment Card Industry Data Security Standards (PCI DSS).

PCI DSS: See Payment Card Industry Data Security Standards (PCI DSS).

PCI Security Standards Council (SSC): Comprised of Visa, MasterCard, American Express, Discover, and
JCB, the SSC maintains, evolves, and promotes PCI DSS. See also Payment Card Industry Data Security
Standards (PCI DSS).

Personal Information Protection and Electronic Documents Act (PIPEDA): A Canadian privacy law that
defines individual rights with respect to the privacy of their personal information, and governs how
private sector organizations collect, use, and disclose personal information in the course of business.

Personally Identifiable Information (PII): Defined by the U.S. National Institute of Standards and
Technology (NIST) as “any information about an individual maintained by an agency, including (1) any
information that can be used to distinguish or trace an individual’s identity… and (2) any other
information that is linked or linkable to an individual….”

PHI: See protected health information (PHI).

PII: See Personally Identifiable Information (PII).

PIPEDA: See Personal Information Protection and Electronic Documents Act (PIPEDA).

PKI: See public key infrastructure (PKI).

protected health information (PHI): Defined by HIPAA as information about an individual’s health
status, provision of healthcare, or payment for healthcare that includes identifiers such as names,
geographic identifiers (smaller than a state), dates, phone and fax numbers, email addresses, Social
Security numbers, medical record numbers, or photographs, among others. See also Health Insurance
Portability and Accountability Act (HIPAA).

public key infrastructure (PKI): A set of roles, policies, and procedures needed to create, manage,
distribute, use, store, and revoke digital certificates and manage public key encryption.

QoS: See quality of service (QoS).

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 72


quality of service (QoS): The overall performance of specific applications or services on a network
including error rate, bit rate, throughput, transmission delay, availability, jitter, etc. QoS policies can be
configured on certain network and security devices to prioritize certain traffic, such as voice or video,
over other, less performance-intensive traffic, such as file transfers.

RADIUS: See Remote Authentication Dial-In User Service (RADIUS).

Remote Authentication Dial-In User Service (RADIUS): A client/server protocol and software that
enables remote access servers to communicate with a central server to authenticate users and authorize
access to a system or service.

representational state transfer (REST): An architectural programming style that typically runs over
HTTP, and is commonly used for mobile apps, social networking websites, and mashup tools.

REST: See representational state transfer (REST).

RPC: See remote procedure call (RPC).

SaaS: See Software as a Service (SaaS).

Sarbanes-Oxley (SOX) Act: A U.S. law that increases financial governance and accountability in publicly
traded companies.

script kiddie: Someone with limited hacking and/or programming skills that uses malicious programs
(malware) written by others to attack a computer or network.

Secure Sockets Layer (SSL): A cryptographic protocol for managing authentication and encrypted
communication between a client and server to protect the confidentiality and integrity of data
exchanged in the session.

Software as a Service (SaaS): A cloud computing service model, defined by the U.S. National Institute of
Standards and Technology (NIST), in which “the capability provided to the consumer is to use the
provider’s applications running on a cloud infrastructure. The applications are accessible from various
client devices through either a thin client interface, such as a web browser, or a program interface. The
consumer does not manage or control the underlying cloud infrastructure including network, servers,
operating systems, storage, or even individual application capabilities, with the possible exception of
limited user-specific application configuration settings.”

SOX: See Sarbanes-Oxley (SOX) Act.

spear phishing: A highly targeted phishing attack that uses specific information about the target to make
the phishing attempt appear legitimate.

SSL: See Secure Sockets Layer (SSL).

STIX: See structured threat information expression (STIX).

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 73


structured threat information expression (STIX): An XML format for conveying data about cybersecurity
threats in a standardized format. See also extensible markup language (XML).

threat vector: See attack vector.

TLS: See Transport Layer Security (TLS).

Transport Layer Security (TLS): The successor to SSL (although it is still commonly referred to as SSL).
See also Secure Sockets Layer (SSL).

uniform resource locator (URL): A unique reference (or address) to an internet resource, such as a
webpage.

URL: See uniform resource locator (URL).

vulnerability: A bug or flaw that exists in a system or software, and creates a security risk.

zero-day threat: The window of vulnerability that exists from the time a new (unknown) threat is
released until security vendors release a signature file or security patch for the threat.

zombie: See bot.

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 74


Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Centers delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security certifications
give you the next-generation security platform knowledge necessary to prevent successful cyberattacks
and to safely enable applications.

E-Learning
For those of you who want to keep up-to-date on our technology, a learning library of FREE e-Learning is
available. These on-demand, self-paced e-Learning classes are a great way of reinforcing the key
information for those who have been to the formal hands-on classes. They also serve as a great
overview and introduction to working with our technology for those unable to travel to a hands-on,
instructor-led class.

Simply register in our Learning Center and you will be given access to our eLearning portfolio. These
online classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Centers (ATCs) are located globally and offer a breadth of
solutions from onsite training to public, open environment classes. There are about 53 authorized
training centers at more than 80 locations worldwide. For class schedule, location, and training
offerings, see https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community


You also can learn from peers and other experts in the field. Check out our communities site
https://live.paloaltonetworks.com where you can:

 Discover reference material


 Learn best practices
 See what is trending
 Ask your security questions and get help from 30,000+ security professionals

PALO ALTO NETWORKS PSE PLATFORM PRO 8.0 STUDY GUIDE 75