Practice Exams:

View All

PCNSE: Palo Alto Networks Certified Network Security Engineer

PDFs and exam guides are not so efficient, right? Prepare for your Palo Alto Networks examination with our training course. The PCNSE course contains a complete batch of videos that will provide you with profound and thorough knowledge related to Palo Alto Networks certification exam. Pass the Palo Alto Networks PCNSE test with flying colors.

Rating

4.43

Students

111

Duration

00:51:06 h

$16.49

$14.99

Curriculum for PCNSE Certification Video Course

Paloalto Intro and Deployment Options

11 Lectures

Time 01:59:30

Lab and AWS Palo Alto instance(s) Setup

6 Lectures

Time 00:55:37

Basic Administrative Tasks

7 Lectures

Time 00:42:01

Security Policy Configuration

11 Lectures

Time 01:18:54

User ID integration

11 Lectures

Time 01:22:14

Threat Prevention

10 Lectures

Time 01:25:52

SSL Decryption

6 Lectures

Time 00:56:27

Network Address Translation

10 Lectures

Time 02:03:56

Basic and Intermediate Networking

11 Lectures

Time 01:29:26

High Availability

10 Lectures

Time 02:24:44

IPv6 configuration

9 Lectures

Time 01:50:42

VPN IPSec configuration details

12 Lectures

Time 02:46:47

Global Protect

10 Lectures

Time 01:48:10

Azure Palo Alto VM Deployment

3 Lectures

Time 00:46:22

Panorama

3 Lectures

Time 00:43:48

QoS

9 Lectures

Time 01:30:53

Optional - Installing PaloAlto 8.1 In AWS

3 Lectures

Time 00:45:43

Name of Video	Time
1. Preview2	2:14
2. Palo Alto Firewalls overview	7:03
3. Deployment Options	2:41
4. Layer 2 deployment	25:15
5. Layer 3 deployment	12:29
6. Layer 2 deployment and spanning tree	9:14
7. Layer 2 Features and Limitations with demonstration	9:54
8. Virtual Wire deployment	18:35
9. Virtual Wire IP Classify	19:38
10. Tap Mode deployment	9:13
11. Initial Configuration	3:14

Name of Video	Time
1. Create an Amazon AWS instance to practice	10:01
2. Setup Amazon AWS for lab testing, add a windows AD server	12:12
3. AWS VPC setup, routing setup, route traffic through the AWS instance	19:02
4. Create a DMZ segment in Amazon AWS, add a server to DMZ segment	10:11
5. AWS routing issue to be aware of	4:11
6. Unetlab EVE-NG name change	0:00

Name of Video	Time
1. Basic Settings	5:46
2. Changes and Committing changes	6:51
3. Local Administrator Account with External Authentication	9:54
4. External Authentication Using Radius Server	7:33
5. System software Upgrade / Downgrade, global protect client install	4:27
6. Dynamic Updates	2:52
7. Interface Management Profile	4:38

Name of Video	Time
1. Security Zones and Traffic Processing	10:10
2. Packet Flow	9:33
3. Rules based on application using App-ID	10:04
4. Security Policy Rules for applications not running on application default ports	7:43
5. Application Override Policies - Custom Applications	8:01
6. URL Filtering Rules and Options	13:51
7. Custom URL Category	2:53
8. Using Address Objects	5:51
9. Using Service Objects	3:47
10. Using Dynamic Block Lists	4:42
11. Using Tags	2:19

Name of Video	Time
1. User ID integration	8:04
2. Installing User ID agent on AD	10:19
3. Configure the firewall to use user ID agent	9:03
4. Configuring integrated User ID agent	5:33
5. Group to User ID mapping	5:36
6. Making decisions based on user group membership example	5:05
7. Identifying Users using Captive Portal Redirect Mode	6:13
8. User ID mapping using CaptivePortal in Transparent Mode	5:17
9. Captive Portal using Broswer Challenge SSO example	16:51
10. Relaying UserID information using XML example	6:39
11. User ID mapping using Syslog Messages example	3:34

Name of Video	Time
1. AntiVirius configuration	8:19
2. Anti Spyware and DNS Sinkholing	11:36
3. Creating custom Anti-Spyware signatures	10:05
4. Configuring Vulnerability Protection and Custom Signatures	11:37
5. File Policies	7:02
6. Configuring Wildfire	8:35
7. Wildfire Portal	1:38
8. Configuring Data Filtering - Data Leakage Prevention	8:37
9. Denial Of Service Protection	8:21
10. Implementing Zone and Host Denial Of Service Protection	10:02

Name of Video	Time
1. Certificates, Certificate of Autorities, and Decryption Concepts	18:17
2. SSL Forward Proxy - Trust Certificate - Local Cert on PaloAlto	7:33
3. SSL Forward Proxy - Untrust Certificate - Local Cert on PaloAlto	6:16
4. SSL Forward Proxy Using an Internal PKI Subordinate CA	9:05
5. SSL Forward Proxy Blocking Threats in Encrypted Traffic - Demo	6:52
6. SSL Inbound Inspection	8:24

Name of Video	Time
1. Understanding Dynamic NAT and port	15:49
2. Dynamic NAT and port configuration examples	19:36
3. Dynamic NAT and port Egress Interface Multipe ISP consideration	14:08
4. What is the difference between Dynamic IP and Dynamic IP and port with examples	10:14
5. Static NAT concepts and example	14:41
6. Static NAT with Port Translation Use Case and scenario example	18:37
7. Static NAT with Port Translation Use Case and scenario example - part 2	5:35
8. Destination NAT and Destination NAT with Port Address Translation	7:31
9. UTurn NAT with port translation	7:15
10. Source and Destination NAT	10:30

Name of Video	Time
1. DHCP Services	6:26
2. Default Route	5:02
3. OSPF Routing	9:58
4. BGP Routing	4:51
5. BGP Advertise	2:46
6. Using Multiple Virtual Routers	9:06
7. Multiple Virtual Routers NAT and Security Policy Example	11:47
8. Multiple ISP Failover Scenario using BGP	16:39
9. Multiple ISP Failover using floating Static Route	9:35
10. Multiple ISP Failover using Policy Based Forwarding	8:07
11. Multiple ISP Load Sharing using Policy Based Forwarding	5:09

Name of Video	Time
1. High Availability Overview	13:22
2. Active Passive Configuration Configuration Example	14:55
3. High Availability Active / Passive different failure scenarios HA1 HA2 heartbeat	15:18
4. High Availability Active / Passive HA1-backup, HA2-backup configuration	15:08
5. High Availabilit active / passive link and path monitoring, HA operations	13:00
6. Active Active High availability intro, Floating IP	9:17
7. Active Active with Floating IP configuration example	22:23
8. Active Active session owner, session setup using IP modulus, failover example	19:38
9. Active Active Static Nat Configuration Example using NAT HA binding Primary	10:50
10. Active Active High Availability Arp Load Sharing Configuration Example	10:53

Name of Video	Time
1. IPv6 structure, addressing, unicast (link local, site local, global), multicast	14:31
2. IPv6 neighbor discovery, icmpv6, dhcpv6	12:48
3. IPv6 Stateles, Statefull DHCP, M Flag O Flag concepts	8:04
4. IPv6 basic firewall configuration example	12:49
5. IPv6 Network Prefix Translation NPTv6 configuration example	11:05
6. IPv6 NAT64 example connecting IPv6 only network to IPv4 Internet example	18:23
7. IPv6 NAT64 example connecting IPv4 only network to IPv6 only network	12:09
8. IPv6 issues related to Windows and policy based on IPv6 addresses, example	12:52
9. IPv6 dhcpv6 relay on PaloAlto firewall example	8:01

Name of Video	Time
1. VPN IPSEC L2L intro and configuration steps	17:38
2. VPN IPSEc L2L PaloAlto to PaloAlto Example	18:31
3. VPN IPSEc Site To Site Hub Spoke, Dynamic IP address example	10:44
4. VPN IPSEC L2L Paloalto to Cisco ASA configuration example	9:34
5. VPN IPSEC L2L Paloalto to Cisco ASA with Dynamic IP address	2:58
6. IPsec Quick mode negotiation understanding	8:49
7. IKE main mode more details, explanation	20:17
8. Understanding IPSec Quick mode with PFS	12:28
9. IKE security policies required and NAT-T explanation / example	15:07
10. IKEv1 main mode versus agressive mode, understand the difference	13:04
11. IKEv2 intro and differences between IKEv2 and IKEv1	17:03
12. IKEv2 Auth phase, IPsec associations, differences between Ikev1 and Ikev2	20:34

Name of Video	Time
1. Global Protect Setup example	14:09
2. Getting a free publicly trusted ssl certificate to test Global Protect	11:03
3. Setting up global protect for on-demand mode, discover agent settings	12:06
4. Dual Factor Authentication Using Open Source Solution PrivacyIdea - demo	16:53
5. Joining a windows PC to AWS windows domain - vpn tunnel to AWS	9:49
6. Installing CA services on windows, certificate enrollment policy service, OCSP	11:17
7. Global Protect Authentication using Dual Factor Token and Computer Certificate	6:33
8. Global Protect Always On User-Logon and Pre-Logon configuration	7:29
9. Global Protect Pre-Logon with User Logon (on demand) configuration example	7:52
10. Global Protect HIP Check	10:59

Name of Video	Time
1. Azure Networking Concepts	11:14
2. Setup Palo Alto VM In Azure	12:08
3. Protecting Virtual Machines in Azure behind Palo Alto firewall	23:00

Name of Video	Time
1. Panorama concepts, hardware, template and template stack	18:56
2. Panorama Device Group Concepts Part 1	12:06
3. Panorama Device Group and Object Iheritance	12:46

Name of Video	Time
1. QoS Introduction	13:07
2. QoS Download Upload Bandwidth Restriction	11:35
3. QoS Classification and Marking	12:27
4. QoS Classification and Markings Example	12:32
5. IPSec QoS lab setup overview	4:24
6. Bandwidth Throttling IPSEc tunnels demo	7:34
7. IPSec Tunnel QoS traffic classification	7:10
8. IPSec Tunnel QoS controlling traffic bidirectionaly	9:22
9. IPSec QoS Copy ToS Header Explanation and demo	12:42

Name of Video	Time
1. Palo Alto 8.1 Section Intro	7:08
2. Provisioning PaloAlto Firewall 8.1 in AWS - Part 1	15:35
3. Provisioning PaloAlto Firewall 8.1 in AWS - Part 2	23:00

Palo Alto Networks PCNSE Exam Dumps, Practice Test Questions

100% Latest & Updated Palo Alto Networks PCNSE Practice Test Questions, Exam Dumps & Verified Answers!
30 Days Free Updates, Instant Download!

$69.97

$49.99

PCNSE Premium Bundle

Premium File: 510 Questions & Answers. Last update: Mar 20, 2023
Training Course: 142 Video Lectures
Study Guide: 122 Pages

Latest Questions
100% Accurate Answers
Fast Exam Updates

PCNSE Premium Bundle

Premium File: 510 Questions & Answers. Last update: Mar 20, 2023
Training Course: 142 Video Lectures
Study Guide: 122 Pages

Latest Questions
100% Accurate Answers
Fast Exam Updates

$69.97

$49.99

Free PCNSE Exam Questions & PCNSE Dumps

File Name	Size	Votes
File Name palo alto networks.test-king.pcnse.v2023-01-21.by.violet.154q.vce	Size 1.62 MB	Votes 1
File Name palo alto networks.pass4sures.pcnse.v2021-11-25.by.marc.157q.vce	Size 3.61 MB	Votes 1
File Name palo alto networks.braindumps.pcnse.v2021-10-13.by.lyla.92q.vce	Size 1.73 MB	Votes 1
File Name palo alto networks.certkiller.pcnse.v2021-06-18.by.luka.103q.vce	Size 2.3 MB	Votes 1
File Name palo alto networks.pass4sureexam.pcnse.v2021-03-03.by.daniel.103q.vce	Size 1.58 MB	Votes 2
File Name palo alto networks.braindumps.pcnse.v2020-12-24.by.charlie.100q.vce	Size 3.07 MB	Votes 2

Palo Alto Networks PCNSE Training Course

Want verified and proven knowledge for Palo Alto Networks Certified Network Security Engineer? Believe it's easy when you have ExamSnap's Palo Alto Networks Certified Network Security Engineer certification video training course by your side which along with our Palo Alto Networks PCNSE Exam Dumps & Practice Test questions provide a complete solution to pass your exam Read More.

User ID integration

10. Relaying UserID information using XML example

In this lecture, we'll talk about the anti-spyware configuration. Palo Alto is another content ID feature that Palo Alto is able to provide chosen signatures to identify spyware on the network. The way it does this is by matching against signatures. It can also be done with DNS learning to determine if there are any machines affected by spyware on your network. By default, there are two anti-spy profiles. The default and then the strict profile Let's take a look at the difference between the two. The default profile For critical, it takes the defaultaction of the signature simple.It uses the default value for "high. So basically, it takes the default action of all the signatures. So if we take a look at all the signatures here, click on Show all signatures. You can see what the signature default is. If you are going to be using the default policy,you will be subject to the default action that's in the rules and you will not have any control over the action other than to take the default. If you're using the default policy, it will only alert on DNS signatures. So DNS signatures are basically your clients' attempts to reach command and control IP addresses, which is an indication of the machine infected with spyware. Let's take a look at the rules. The difference between the default and strict isstrict would be reset for both clients and servers in the event of a critical high medium. The exception tab allows you to make exceptions for signatures that might be false positives for your environment.

DNS signatures are configured to block So for DNS signatures, in the event of strict, it's set to block, and then you can create your own. So we're going to go ahead and create an outbound policy and then we're going to add rules. There are different categories as well. You can make your policy based on the different categories of malware. Is it Edwar, backdoor, botnet, browser,hijack, data theft, keylogger network, peer-to-peer communication, and spyware? So those are different categories. I basically see spyware as a risk no matter what. So I'd like to take action against the higher medium of reselling the connection. The actions that you can do are allow alert, drop,reset, client reset, server reset, reset both, and block IP. Block IP is the most intrusive because it's going to block the IP of the client that's infected by spyware. Either reset or remove. We'll go ahead and do both resets. You can packet capture the traffic this way. You can do some forensics on it to determine what the communication was between the client and the server.

You can do single packet capture or you can do extended packet capture. It's up to you. If you're going to do extended packet capture and you have a lot of traffic in your environment, you might underestimate the amount of disc space consumed on your firewall. I'm going to do extended packet capture, but we'll set this policy for critical high, medium, and low. It's better to make the action be alert. Maybe if you want to investigate further, maybe a single packet capture. This way, you can determine if this is a false positive or not. And then we'll call this low informational. Click "okay" under exceptions. This is where you can make exceptions for signatures that might be triggering falsely for your environment. You can show all the signatures, and you can make exceptions for signatures. You can see all the signatures here. 122 pages. There are quite a lot of them. You can click on any of them and see the details, or you can specify an exception for a signature to be allowed. For example, this is an exception you can make. Let's say this signature is falsely triggering, then you can make it allow DNS signatures. DNS signatures allow you to monitor DNS traffic that is leaving your network and determine if there is any spyware or malware command and controllookup from clients in your environment.

And then you can allow or block those signatures, you can block those DNSqueries, or you can sync hold them. What sync holds allows you to do is send traffic to a specific IP address in your environment, and this way you can do further investigation into which machine. Clients typically do not query the DNS public DNS directly in the environment; instead, they go through your DNS server. So because of that, you wouldn't know exactly which client was the one that did the DNS query because the DNS query would be coming from your internal DNS server. So in order to get around that, you can sync hold, which means it's going to send traffic to an internal IP address on maybe yourIRS server, an internal IRS server, or maybe an internal server that you can do intelligent things like determining the actual client IP address that is searching for this DNS query that points to spyware. So a sync call is a great way to accomplish this.

Enabling passive monitoring enables the firewall to passively monitor DNS traffic that passes through the firewall. Determine if there's any DNSmatching signature against spyware. You can also do single packet capture or extended packet capture. So we're going to sync hold IPV4 to an IP address and then we can sync hold to an IP address on the firewall. So ten one, and this is going to be the loopback address that we're going to create on the firewall. We're going to go to network loopback. We'll add a loopback address, loop back one, and then we'll specify this to be the virtual router default and then the security zone trust and give it an IP address of ten (132). We'll go ahead and put this in a new security zone. I will call this zone "the sinkhole". This way, we can create a rule or policy on the firewall. This rule can allow us to alert clients that are trying to reach the Sync Hall.

Okay, we went ahead and created a new zone called Sync Hall. And then if a client machine on the internal network is infected, it's going to try to reach this IP address, which is in the sinkhole security zone. So now we can create a policy. We'll call this policy something like Sinkhole DNS, and then we'll specify the source to be trusted and the destination to be sinkhole. And then we're going to specify the permit. This will allow us to log traffic that is trying to reach the sync hole. So basically, what's going to happen is that the firewall will log the communication between clients and the sync hole. You can configure logix in your sync log server to notify you if any traffic is received from the rule synchro. You can do some intelligent alerting and such. So this will allow us to take another level of action. If a client on the internal network attempts to connect to the Sync Hold IP address, this Sync Hold IP address is used. Which is an IP address that you send to clients in response to their trying to resolve malware or spyware sites.

It will basically send them to school. This client would ping the sync host IP address and then any such events that are seen on the monitoring logs on your firewall. You can turn it on. If you are falling back to a syslog server and you want to trigger an alert based on receiving such traffic or logs hitting such a rule,this creates the anti-spyware security profile. Now we need to apply for a policy. We're going to go to policies, and then we'll find all the outbound traffic and then add this profile to the list of profiles that the firewall would do content inspection against. So let's find a trust to untrust rules. Allow yourself to trust and untrust. So this one will go ahead and add the antipower profile and then when you add it, you will see it here. And then, since this is blocked, we don't need to URL filtering rules, but we also need to do the spyware protection. So as we progress through the lectures, we build this profile, and then I'll show you later on how to group them in an easy-to-manage way. Now that you've completed this, you should go ahead and commit, and then commit to the changes. In the next lecture, I'll show you how to create a custom spyware signature so you can make sure your anti-spyware is working correctly.

11. User ID mapping using Syslog Messages example

In this lecture we will see how to configure the Palo Alto Firewall to receive SYSLOGinformation and then map IP addresses to users. In our example here, this hypothetical scenario, we have users connect to the any connect VPN and all your traffic goes out to the Internet using the Palo Alto Firewall. So we want to make restrictions based on user ID on the Palo Alto firewall. So in this case, since the SA doesn't support agents from Palo Alto, we can use Syslog to send Syslog information from the SA to the Palato firewall. This way, it can get the user to IP mapping from the essay on the ASA itself. We just basically need to enable logging and send the information to the IP address of the Palo Alto Firewall. Two steps need to be in place to be able to The first step is the interface configuration. The management profile needs to have the UDP Syslog listener configured.

So if we look at the trust interface, we see that we have the management profile trust. So we need to go to the management profile and add user ID syslog Listener UDP. The next step we have to do is go to Device User Identification and then we're going to add it under server monitor.We can add it as a monitor and specify that the type is Syslog server. We're going to put in the IP address of the ASE interface that's sending the Syslog events and specify UDP. And in the filter we're going to specify Cisco, AC, and e-connect v1, which is an aSyslog filter that's been pre-created by Palo Alto. Click "okay." And then when you go ahead and commit, commit. So when users connect to the ASA, they will get an IP address and, basically, the AC will send this Syslog message to the Palo Alto Firewall. That Syslock message will assist Palo Alto in determining who is logging in from this IP address. Click on administrator here and we're going to put the domain name lab. We need to add that as well, so we know which domain to associate with that user ID. And then I'm going to go ahead and connect to the interconnect, and basically, when I connect to any connect, the AC will send a Systlog message to the Palo Alto Firewall. So if we do show user IP user mapping,we see that the IP address information came from the Sydney log event that was received. That basically helps identify which users are coming from which IP address.

Threat Prevention

1. AntiVirius configuration

In this lecture, we'll talk about the antivirus feature. The antivirus engine detects and blocks viruses, spyware, phone, home spyware, downloads,botnets, worms, and Trojans. Additional features above and beyond protect your network from a wide range of threats. include inline streambased malware protection against malware embedded within compressed files and web content, DNS-based botnet analysis to reveal rapidly evolving malware networks and malicious websites, and HTML and malicious JavaScript protection. You can also leverage the SSL decryption within the app ID to block viruses embedded in SSL traffic. The key advantage of the PaloAlto solution is that it's stream-based. It takes the stream of traffic and dynamically analyses it for antivirus signatures. The Palo Alto Network Antivirus engine uses tree-based scanning to inspect your traffic as soon as the first packet of a file is received. This eliminates the performance and latency issues associated with a traditional proxy or file-based approach.

As with IPS, a uniform signature format is used for virus scanning. The same process that is used by the IPS is also used by the antivirus scanner. It eliminates redundant processes common to multiple scanning engine solutions. Because the packet is looked at once, it's matched against IPS and it's matched against antivirus,and basically that gives it a more efficient way of processing the traffic. There's also the continuous research that Paul Alto does. It takes the information from the Wildfire solution that we're going to talk about in later lectures. The Wildfire solution allows Palo Alto users to dynamically analyse files in the cloud. In the Wildfire Cloud, this information is received by the Wildfire Cloud and is used to match the traffic for all the customers. So it's kind of a crowdsourcing solution for anti malware.under objects. There are security profiles and antivirus. There is a default policy that comes with the system. We're going to go ahead and create a policy for our environment. We're going to call this outbound. Ez. You can do a packet capture if the ML was spotted on the network and antivirus software was spotted.

There are different decoders that the Palo Alto Firewall uses to decode packets. SMB for file sharing, SMTP, IMAP, HTTP, and FTP. You can specify different actions. For example, you can allow, you can alert, you can drop,you can reset clients or reset servers, or reset both. If the Wildfire determines that there's malware, you can also determine what action you're going to take. Allow alert, drop, and reset. The Wildfire action allows the system to not only use the signature based on the third prevention, but also check the Wildfire database to see if there's any match for the file in question. I personally like to use the drop feature so that the traffic is dropped completely, and I'm going to specify to drop across all the protocols. And then you can make an application exception, so you can specify an exception for a specific application. For example, you can specify an application from the application list and change the action to "maybe alerts." You can also make a virus exception based on thread ID. So let's say there was a thread ID that is false positive and you know it's not correct and you need to pass the file across your environment.

You can make an exception based on threat ID. Typically, what happens is you see this in the logs and then you can make an exception for the threat ID. One crucial point is that you have to make sure that you are updating your system under Devices dynamic updates. There's an antivirus update that you can schedule. You can schedule this hourly, daily, weekly, or none. You can do a download and install or just download only.You can specify a download every x number of minutes from the start of the hour. You can do it ten minutes after the start of the hour. Let's say you have multiple schedules and you want to scatter them out. It's important to keep your system updated with the latest antivirus signatures. You can also make sure that you get updates on the wildfire. You can do this every 15 minutes, every 30 minutes, or every hour. Download and install it. So this way, your system is always up to date on the latest threats. Going back to our policy here,we saw two different actions.

You have the antivirus, the action antivirus, and the wildfire action. They do check different databases. The action checks the antivirus database, the wildfire action checks the wildfire database. You also have to make sure you have the proper licenses. In order for you to do the detection of viruses, you need to have a Threat Prevention License. The threat prevention licence gives you antivirus, anti-spyware, and vulnerability protection. So we created the antivirus and now we want to basically apply it to our traffic for it to detect any viruses going across the network. What you need to do is determine the type of traffic that you want to check and then add the profile for that traffic.

We'll go ahead and use pretty much all the traffic from trust to trust, and we are going to check for viruses. To do this, you open the firewall rule,go to action, and choose Profile, and specify the profile that you want to use. So we'll go ahead and since this is blocked, you don't need to check it. This rule here is blocked for URL filtering. Also, we want to make sure we check for viruses, so we'll select the interval profile we created. Also, for the general rule, we can now specify the antivirus that we created. antivirus profile that we created. So you see here a different icon popped under your profile and you can hover around it and see the name and that will basically give you coverage to protect you from viruses on your network. Of course you need to commit, and after committing,of course the traffic is protected from viruses.

2. Anti Spyware and DNS Sinkholing

In this lecture we'll talk about the anti-spyware configuration. Anti-Spyware is another content ID feature that Palo Alto is able to provide chooses signatures to identify spyware on the network. The way it does this is by matching against signatures. It can also be done with DNS learning to determine if there are any machines affected by spyware on your network. By default, there are two anti-spy profiles. The default and then the strict profile Let's take a look at the difference between the two. The default profile For critical, it takes the defaultaction of the signature simple.

It uses the default value for high. So basically, it takes the default action of all the signatures. So if we take a look at all the signatures here, click on Show all signatures. You can see what the signature default is. If you are going to be using the default policy,you will be subject to the default action that's in the rules and you will not have any control over the action other than to take the default.

If you're using the default policy, it will only alert on DNS signatures. So DNS signatures are basically your clients' trying to reach command and control IP addresses, which is an indication of the machine infected with spyware. Let's take a look at the rules. The difference between the default and strict isstrict would be reset for both clients and servers in the event of a critical high medium. The exception tab allows you to make exceptions for signatures that might be false positives for your environment. DNS signatures are configured to block. So for DNS signatures, in the event of strict, it's set to block, and then you can create your own. So we're going to go ahead and create an outbound policy and then we're going to add rules. There are different categories as well. You can make your policy based on the different categories of malware. Is it Edwar, backdoor, botnet, browser,hijack, data theft, keylogger network, peer-to-peer communication, and spyware? So those are different categories.

I basically see spyware as a risk no matter what. So I'd like to take action against the higher medium of reselling the connection. The actions that you can do are allow alert, drop,reset, client reset, server reset, reset both, and block IP. Block IP is the most intrusive because it's going to block the IP of the client that's infected by spyware. Either reset or drop. We'll go ahead and do both resets. You can packet capture the traffic this way. You can do some forensics on it to determine what the communication was between the client and the server. You can do single packet capture or you can do extended packet capture. It's up to you. If you're going to do extended packet capture and you have a lot of traffic in your environment, you might underestimate the amount of disc space consumed on your firewall. I'm going to do extended packet capture, but we'll set this policy for critical high, medium, and low.

It's better to make the action be alert. Maybe if you want to investigate further, maybe a single packet capture. This way, you can determine if this is a false positive or not. And then we'll call this low informational. Click "okay" under exceptions. This is where you can make exceptions for signatures that might be triggering falsely for your environment. You can show all signatures and you can make exceptions for signatures. You can see all the signatures here. 122 pages. There are quite a lot of them. You can click on any of them and see the details, or you can specify an exception for a signature to be allowed. For example, this is an exception you can make. Let's say this signature is falsely triggering, then you can make it allow DNS signatures. DNS signatures allow you to monitor DNS traffic that is leaving your network and determine if there is any spyware or malware command and controllookup from clients in your environment. And then you can allow or block those signatures, you can block those DNSqueries, or you can sync hold them. What sync holds allows you to do is send traffic to a specific IP address in your environment, and this way you can do further investigation into which machine.

Clients typically do not query the DNS public DNS directly in the environment; instead, they go through your DNS server. So because of that, you wouldn't know exactly which client was the one that did the DNS query because the DNS query would be coming from your internal DNS server. So in order to get around that, you can sync hold, which means it's going to send traffic to an internal IP address on maybe yourIRS server, an internal IRS server, or maybe an internal server that you can do intelligent things like determining the actual client IP address that wassearching for this DNS query that points to spyware. So a sync call is a great way to accomplish this. Enabling passive monitoring enables the firewall to passively monitor DNS traffic that passes through the firewall. Determine if there's any DNSmatching signature against spyware. You can also do single packet capture or extended packet capture. So we're going to sync hold IPV four to an IP address and then we can sync hold to an IP address on the firewall. So ten one, and this is going to be the loopback address that we're going to create on the firewall.

We're going to go to network loopback. We'll add a loopback address, loop back one, and then we'll specify this to be the virtual router default and then the security zone trustand give it an IP address of ten (132).We'll go ahead and put this in a new security zone. I will call this zone "sinkhole".This way, we can create a rule or policy on the firewall. This rule can allow us to alert clients that are trying to reach the Sync Hall. Okay, we went ahead and created a new zone called Sync Hall. And then if a client machine on the internal network is infected, it's going to try to reach this IP address, which is in the sinkhole security zone. So now we can create a policy. We'll call this policy something like Sinkhole DNS, and then we'll specify the source to be trusted and the destination to be sinkhole. And then we're going to specify to permit. This will allow us to log traffic that is trying to reach the sync hole. So basically, what's going to happen is the firewall will log the communication between clients and the sync hole. You can make logix in your sync log server to alert you if any of the traffic gets received from the rule synchall. You can do some intelligent alerting and such. So this will allow us to take another level of action.

If a client on the internal network attempts to connect to the Sync Hold IP address, this Sync Hold IP address is used. Which is an IP address that you send to clients in response to their trying to resolve malware or spyware sites. It will basically send them to the sychole. This client would ping the sync host IP address and then any such events that are seen on the monitoring logs on your firewall. You can turn it on. If you are falling to a syslog server and you want to trigger an alert based on receiving such traffic or logs hitting such a rule,this creates the anti-spyware security profile.

Now we need to apply to a policy. We're going to go to policies, and then we'll find all the outbound traffic and then add this profile to the list of profiles that the firewall would do content inspection against. So let's find a trust to untrust rules. Allow yourself to trust and untrust. So this one will go ahead and add the antipower profile and then when you add it, you will see it here. And then, since this is blocked, we don't need to URL filtering rules, but we also need to do the spyware protection. So as we progress through the lectures, we build this profile and then I'll show you later on how to group them in an easy to manage way. Now that you've completed this, you should go ahead and commit, and then commit to the changes. In the next lecture, I'll show you how to create a custom spyware signature so you can make sure your anti-spyware is working correctly.

Prepared by Top Experts, the top IT Trainers ensure that when it comes to your IT exam prep and you can count on ExamSnap Palo Alto Networks Certified Network Security Engineer certification video training course that goes in line with the corresponding Palo Alto Networks PCNSE exam dumps, study guide, and practice test questions & answers.

Comments (5)

Add Comment

Please post your comments about PCNSE Exams. Don't share your email address asking for PCNSE braindumps or PCNSE exam pdf files.

angel
France
Mar 10, 2023

I have just managed to deploy Palo-Alto networks without any difficulty. It is actually because of the effective training I go here. thank you so much for simplifying the complex.

samson
Mexico
Feb 23, 2023

The certification has opened so many doors for me. Currently, the hiring managers are always asking me to attend their interviews because there are limited professionals.

norah
Netherlands
Feb 06, 2023

I am so happy that I have passed the exam. It was so easy mainly because I had go the best training ever. Never do an exam with insufficient knowledge. You might fail terribly.

gladwell
Singapore
Jan 19, 2023

The introduction of this course is so perfect. It let you know what is featured in the whole training even before you start learning the basics. It actually made me prepared for the topics properly.

harry
Chile
Dec 28, 2022

Here is the best training I have ever wanted to attend to. All the concepts are covered based on the exam objectives and no single topic is even omitted.