NetSec-Pro Palo Alto Networks Network Security Professional Questions and Answers

Threat logs for Prisma Access mobile users can be reviewed in bothStrata Cloud Manager (SCM)andStrata Logging Service. Prisma Cloud and service connection firewalls are not directly tied to mobile user traffic logs.

“Prisma Access logs are available in the Strata Cloud Manager and can also be sent to the Strata Logging Service for detailed analysis and threat visibility.”

(Source: Prisma Access Administration Guide)

Single floating IP address(also known as a floating IP or shared IP) is supported only in anactive/passiveHA pair. In active/active HA, both firewalls are forwarding traffic simultaneously and thus do not share a single floating IP.

“In active/passive HA, a single floating IP address is used for seamless failover. Active/active HA requires separate IP addresses and does not support a single floating IP.”

(Source: Active/Passive vs. Active/Active HA)

Thissimplifies failoverin active/passive deployments by using a single shared IP that moves to the active peer upon failover.

Negated source addressesexclude traffic from the specified region. To avoid accidental connectivity loss for trafficfrom that region, create a separate Security policy toexplicitly permit it.

“When you use a negated region in a Security policy rule, ensure to create an additional Security policy to permit traffic from the excluded (negated) region to avoid unintentional drops.”

(Source: Prisma Access Policy Best Practices)

This ensuresexplicit inclusivity for the excluded region, maintaining reliable connectivity.

Protecting againstmaliciousandmisconfigured domainsrequires two critical services:

Advanced Threat Prevention

Provides signature-based and advanced analysis to identify threats, including DNS-based attacks.

“Advanced Threat Prevention enables the NGFW to detect and prevent exploits and malware-based communications, including those leveraging DNS.”

(Source: Advanced Threat Prevention)

Advanced DNS Security

Specifically designed to detect and sinkhole malicious and misconfigured DNS queries.

“DNS Security uses real-time intelligence to block DNS-based threats, protect against data exfiltration, and automatically sinkhole suspicious domain lookups.”

(Source: DNS Security)

Bycombiningthese services in security policies, NGFWs ensure robust protection against domain-based threats and misconfigurations.

To fully manage a firewall from Strata Cloud Manager (SCM), it’s essential to establish trust and ensure reliable connectivity:

Configure NTP and DNS servers

The firewall must have accurate time (NTP) and name resolution (DNS) to securely communicate with SCM and related cloud services.

“To ensure successful management, configure the firewall’s NTP and DNS settings to synchronize time and resolve domain names such as stratacloudmanager.paloaltonetworks.com.”

(Source: SCM Onboarding Requirements)

Install a device certificate

A device certificate authenticates the firewall’s identity when connecting to SCM.

“The device certificate authenticates the firewall to Palo Alto Networks cloud services, including SCM. It’s a fundamental requirement to establish secure connectivity.”

(Source: Device Certificates)

These steps ensuretrust, secure communication, and successful onboarding into SCM.

Blocking non-compliant SSH versionsandfailing certificate validationsare fundamental security measures:

Block sessions when certificate validation fails

“The SSH Proxy profile should block sessions that fail certificate validation to ensure that only trusted hosts are allowed.”

(Source: SSH Proxy Decryption Best Practices)

Block connections using non-compliant SSH versions

Older SSH versions may have vulnerabilities or lack modern encryption algorithms.

“To enforce stronger security, block SSH sessions that use older or deprecated versions of the SSH protocol that do not comply with your security posture.”

(Source: SSH Decryption and Best Practices)

Together, these measuresminimize the risk of MITM attacksand secure SSH traffic.

Prisma Access for secure remote access

“Prisma Access extends consistent security and optimized connectivity to branch locations, enabling secure access for mobile and branch users.”

(Source: Prisma Access Overview)

Centralized management for consistent policy enforcement

“Centralized management using Strata Cloud Manager or Panorama ensures security policies and updates are uniformly applied across distributed locations, preventing policy drift and security gaps.”

(Source: Strata Cloud Manager Best Practices)

These two practices are foundational for modern, distributed enterprise networks to maintain security posture and performance.

Enterprise DLP Profileis specifically designed to detect and logdata exfiltration attempts, including those involving confidential or sensitive data.

“Enterprise DLP logs capture incidents involving potential data exfiltration. They help identify sensitive data transfers, even in seemingly legitimate traffic.”

(Source: Enterprise DLP Logging and Alerts)

File Blocking and Vulnerability Protection handle files or exploit detection, while WildFire focuses on malware analysis—not direct data exfiltration.

Content-IDis the core of Palo Alto Networks' prevention architecture, providingsingle-pass application layer inspectionto deliver real-time threat prevention across all traffic.

“Content-ID uses a single-pass architecture to perform application-layer (Layer 7) traffic inspection and real-time threat prevention. Unlike traditional firewalls that rely on multiple scans, Content-ID inspects traffic once to enforce multiple security controls simultaneously.”

(Source: Content-ID Overview)

By consolidating security functions in a single pass, it ensures both efficiency and comprehensive security.

When usingAWS centralized deploymentsfor Cloud NGFW, the service deploys NGFW instances intoselected VPCsas additional workloads to secure that traffic.

“In centralized deployments, Cloud NGFW instances are deployed as security appliances within the selected VPCs, ensuring consistent traffic inspection and protection.”

(Source: Cloud NGFW Deployment Models)

This approach minimizes complexity and ensures direct security policy enforcement within AWS.

Applications and threats

Panorama can push application and threat signature updates to managed firewalls, ensuring consistent application and threat visibility.

“Panorama uses dynamic updates to distribute the latest application and threat signature packs to all managed firewalls.”

(Source: Manage Content Updates in Panorama)

WildFire

Panorama also distributes WildFire signature updates to firewalls for real-time malware detection.

“WildFire updates provide the latest malware signatures to enhance detection and prevention, and can be deployed to all managed firewalls via Panorama.”

(Source: WildFire and Dynamic Updates)

Cloud NGFW for AWS can be configured usingPanoramafor centralized management, as well as theAWS management consolefor native integration and configuration.

“You can configure Cloud NGFW for AWS using Panorama for centralized security management, or directly through the AWS management console to deploy and manage security services for your AWS resources.”

(Source: Cloud NGFW for AWS Guide)

Virtual systems providelogical separationin a single physical firewall, allowing different customers (or tenants) to have isolatedcontrolandsecurity policies.

“Virtual systems enable service providers to offer logically separated, independent environments on a single firewall. Each virtual system can have its own security policies, interfaces, and administrators.”

(Source: Virtual Systems)

This ensures secure, tenant-specific segmentation within multi-tenant environments.

A security profile group named“default”is automatically applied to all new security rules unless a specific profile group is explicitly configured.

“If a security profile group named ‘default’ exists, it will be automatically applied to any newly created security policy rules to ensure consistent protection.”

(Source: Security Profile Groups)

This behavior ensures that newly created policies are always protected by default security profiles, minimizing human error.

An ALG is designed toinspect and modify the payloadof application-layer protocols (like SIP, FTP, etc.) to manage dynamic port allocations and session information.

“Application Layer Gateways (ALGs) inspect the payload of certain protocols to dynamically manage sessions that use dynamic port assignments. By modifying payloads, the ALG ensures that NAT and security policies are correctly applied.”

(Source: ALG Support)