Paloalto Networks PSE-Strata - Palo Alto Networks System Engineer Professional - Strata

The three tabs available in the Detailed Device Health on Panorama for hardware-based firewalls are:

Environments: This tab provides information about the environmental conditions of the firewall, such as temperature and power status.

Interfaces: This tab displays the status and statistics of the network interfaces on the firewall.

Sessions: This tab shows session information, including session counts and details about active sessions.

These tabs allow administrators to monitor the health and performance of their firewalls effectively, ensuring optimal operation and quick identification of issues.

For the User-ID Agent to perform WMI (Windows Management Instrumentation) Authentication on a Windows Server, the following domain permissions are required:

Domain Administrators: This group has the highest level of privileges in the domain and can perform any action within the Active Directory domain.

Distributed COM Users: This group allows members to launch, activate, and use Distributed COM objects on the server.

Event Log Readers: This group provides read access to the event logs, which is crucial for the User-ID Agent to collect security events necessary for user identification​ (Palo Alto Networks)​​ (Palo Alto Networks)​.

Palo Alto Networks updates Command-and-Control (C2) signatures frequently to ensure the latest threats are detected and blocked. The recommended schedule for updating C2 signatures is once a day. This daily update ensures that the firewall has the most current threat intelligence, providing robust protection against C2 traffic.

GlobalProtect is the Palo Alto Networks security component designed to extend next-generation firewall (NGFW) policies to remote users. It provides comprehensive security by ensuring that all network traffic from remote devices is inspected and secured, just as if the users were on the corporate network. This helps maintain consistent security policies and protections regardless of user location.

To support asymmetric routing with redundancy in a legacy environment using Palo Alto Networks firewalls, the following two features must be enabled:

Policy-based forwarding (PBF): This feature allows you to direct traffic to a specific interface or next-hop IP address, bypassing the normal routing table. PBF is crucial for managing asymmetric routing scenarios where inbound and outbound traffic might take different paths.

HA active/active: High Availability (HA) active/active configuration enables two firewalls to simultaneously manage traffic, providing redundancy and failover capabilities. This setup is essential for maintaining network availability and performance in environments with asymmetric routing, as it ensures that both firewalls can actively handle traffic.

References:

Palo Alto Networks High Availability (HA) Guide

Palo Alto Networks Policy-Based Forwarding Documentation

WildFire, Palo Alto Networks' advanced threat analysis service, has expanded its capabilities to analyze the following new script types:

VBScript: A scripting language commonly used in Windows environments for automation and administrative tasks, which can be exploited for malicious purposes.

JScript: A Microsoft implementation of JavaScript, used in various applications and often targeted by attackers for script-based exploits.

PowerShell Script: A powerful scripting language used for task automation and configuration management in Windows, which has become a common target for advanced attacks due to its capabilities.

By analyzing these script types, WildFire enhances its ability to detect and prevent sophisticated attacks that leverage scripting languages.

References:

Palo Alto Networks WildFire Datasheet

Palo Alto Networks WildFire Administration Guide

The Palo Alto Networks Cloud Identity Engine (CIE) includes services such as Directory Sync and Cloud Authentication Service. These services support identity providers (IdP) using standards like SAML 2.0 and OAuth2. Directory Sync ensures that user and group information from on-premises directories are available in the cloud, while Cloud Authentication Service facilitates secure authentication and single sign-on (SSO) for users.

Correlation objects in Palo Alto Networks' security solutions are designed to identify and highlight potential security risks. Two key network events that are flagged as potential security risks include:

Identified Vulnerability Exploits: These are attempts to exploit known vulnerabilities within the network. By correlating various data points, the system can identify patterns that suggest an exploit attempt is in progress, allowing for timely intervention and mitigation​ (Marks4Sure)​.

Suspicious Host Behavior: This includes any activity that deviates from normal behavior patterns for hosts within the network. Such behaviors might indicate compromised systems or malicious insiders. By analyzing and correlating these anomalies, the system helps in identifying potential security breaches early​ (Marks4Sure)​.

To prevent attacks involving malicious files such as .doc and .pdf types, the customer should enable WildFire.

WildFire: This feature analyzes files to detect and prevent zero-day threats by running the files in a virtual environment to observe their behavior. If a file is deemed malicious, WildFire generates signatures and updates the firewall to block such threats in the future. Enabling WildFire provides advanced protection against undetectable sources of malicious files.