PSE-SoftwareFirewall Palo Alto Networks Systems Engineer (PSE): Software Firewall Professional Questions and Answers

Identifying Unknown Vulnerabilities:

Network runtime security is beneficial because it can identify unknown vulnerabilities that are not listed in known CVE lists. This type of security focuses on monitoring the behavior of applications and containers in real-time, which helps detect anomalies and potential threats that static analysis might miss.

Dynamic address groups in Palo Alto Networks firewalls provide flexibility by allowing network resources to be added without requiring changes to existing policies and rules:

Dynamic address group: These groups automatically update based on tags and attributes assigned to network objects. When new resources are added with the appropriate tags, they are dynamically included in the address group, and the associated policies automatically apply to them without manual intervention.

Intrusion Prevention System (IPS):The CN-Series firewalls incorporate an Intrusion Prevention System to detect and prevent exploits and attacks on applications and systems. This feature is essential for securing east-west traffic, as it can identify and block threats within the data center traffic between pods in different trust zones.

Layer 7 Visibility:CN-Series firewalls provide Layer 7 (application layer) visibility, enabling deep inspection of application traffic. This allows the firewall to understand and enforce policies based on the application and its behavior, rather than just ports and protocols, ensuring comprehensive security for east-west traffic within a Kubernetes environment.

References:

Palo Alto Networks CN-Series Datasheet: CN-Series Datasheet

Palo Alto Networks CN-Series Documentation: CN-Series Documentation

Address Group:

Address groups in Palo Alto Networks firewalls allow for the grouping of multiple addresses or address objects. This capability enables the sharing of cloud-learned tags with on-premises firewalls, facilitating the consistent application of security policies across hybrid cloud environments.

When using Terraform templates with a Cloud next-generation firewall (NGFW) for Amazon Web Services (AWS), you must enable access to the Cloud NGFW for AWS console to manage and deploy firewall resources effectively:

Access to the Cloud NGFW for AWS console: This access is crucial for the initial setup, configuration, and ongoing management of the Cloud NGFW resources. Terraform templates automate the provisioning and management of these resources, but initial access to the console is necessary to configure and retrieve necessary information (such as API keys and configuration details) for the Terraform scripts.

Within a Cisco ACI architecture, Palo Alto Networks Next-Generation Firewalls (NGFWs) are deployed using service graphs. Service graphs in Cisco ACI define the sequence of network services that traffic must pass through. By configuring service graphs, administrators can seamlessly integrate Palo Alto Networks firewalls into the fabric to inspect and secure traffic flows.

References:

Palo Alto Networks and Cisco ACI Integration Guide: Service Graphs Integration

Cisco ACI Service Graph Documentation: Service Graphs

TLS decryption is the feature that inspects encrypted outbound traffic. By decrypting TLS/SSL traffic, the firewall can inspect the content for threats and enforce security policies. This is crucial for preventing malware and other threats that might hide within encrypted traffic.

References:

Palo Alto Networks TLS Decryption Documentation: TLS Decryption

Palo Alto Networks Security Subscriptions: TLS Decryption

In Kubernetes, configuration files are typically written in YAML (.yaml) format. YAML (Yet Another Markup Language) is preferred due to its readability and ease of use for defining complex data structures like those required for Kubernetes deployments. Kubernetes uses these YAML files to define resources such as pods, services, and deployments.

References:

Kubernetes Documentation on YAML: Kubernetes YAML

Kubernetes Getting Started Guide: YAML Basics

VM-Series qcow2 image:

The qcow2 image format is commonly used in OpenStack environments. The VM-Series firewalls are provided in the qcow2 format for compatibility with OpenStack.

VM-Series Auto Scaling:

The VM-Series firewalls are designed to integrate with cloud environments like AWS and support auto-scaling. This allows for the deployment of a single auto-scaling group (ASG) of VM-Series firewalls to secure inbound traffic from the internet to AWS application workloads.

For deploying VM-Series firewalls in high availability (HA), it is crucial to ensure that both firewalls in the HA pair have identical licenses and subscriptions to ensure feature parity and uninterrupted service during failover. Additionally, both firewalls must be deployed on the same type of hypervisor to ensure compatibility and proper synchronization of state and configurations between the active and passive units.

References:

Palo Alto Networks High Availability Guide: HA Requirements

Palo Alto Networks VM-Series Deployment Guide: High Availability

Data-plane vCPU Licensing:

The CN-Series firewalls are licensed based on the number of data-plane vCPUs. This licensing model reflects the processing power dedicated to handling traffic and security enforcement within the containerized environment.

In Cisco ACI, traffic is directed to a Palo Alto Networks firewall by creating contracts between endpoint groups (EPGs) that send traffic to the firewall. These contracts define the policy for communication between EPGs, ensuring that traffic is inspected and secured by the firewall before reaching its destination.

References:

Cisco ACI and Palo Alto Networks Integration Guide: Contracts and Policies

Cisco ACI Fundamentals: ACI Contracts

Enabling Threat Prevention on Palo Alto Networks firewalls provides comprehensive protection against inbound threats by inspecting traffic for exploits, malware, and other malicious activities.

Reference: The Threat Prevention service is detailed in the PAN-OS documentation, highlighting its role in securing inbound traffic by leveraging various threat detection and prevention techniques.

Palo Alto Networks Threat Prevention Documentation

Containers are typically designed to run a specific application or service, meaning they have a limited and well-defined set of processes. This makes it easier to implement and manage runtime security based on allow lists, as any deviation from the expected processes can be quickly identified and mitigated.

Reference: Security best practices for container environments emphasize the use of allow lists to enforce runtime security, leveraging the predictable nature of container processes.

Palo Alto Networks Container Security Guide

VM-Series firewalls provide advanced application-level security for web-server instances on AWS. These virtual firewalls leverage Palo Alto Networks’ next-generation firewall capabilities to offer features like application identification, threat prevention, and URL filtering, ensuring comprehensive security for web applications hosted on AWS.

References:

Palo Alto Networks VM-Series on AWS: VM-Series on AWS

AWS Security Best Practices:AWS Security Best Practices