whaust


Monday, January 2, 2023

PSE Foundation - Assessment (2023/1/3)

Special thanks to the people from India!

You are my good friends and supporters!

Thank you, people from: Andhra Pradesh, Telangana, Madhya Pradesh, Tamil Nadu, Maharashtra, Delhi, Odisha, Uttar Pradesh, West Bengal, Bihar, Gujarat, Haryana, Karnataka, Chhattisgarh.


---

Question 1 of 23

Which security model specifically addresses the security of sensitive data and critical applications in an enterprise organization?

A. the Zero Trust posture
B. App-ID
C. decryption
D. The Kipling Method

(B)

---

Question 2 of 23

What is one difference between App-ID and User-ID?

A. App-ID depends on User-ID, but User-ID does not depend on App-ID.
B. App-ID identifies which application is associated with traffic; User-ID identifies which users are associated with traffic.
C. App-ID identifies the port to which packets should be sent; User-ID identifies the user to whom packets should be sent.
D. App-ID refers to security rule criteria; User-ID refers to traffic monitoring criteria.

(B)

---

Question 3 of 23

Palo Alto Networks provides which three pillars? (Choose three.)

Select All Correct Responses

A. Prisma
B. Strata
C. Cortex
D. Cybersecurity
E. AutoFocus

(A)(B)(C)

---

Question 4 of 23

Which security operations product applies machine learning at cloud scale to rich network, endpoint, and cloud data?

A. Cortex Data Lake
B. Security Lifecycle Review
C. Cortex XDR
D. Cortex XSOAR

(A)

---

Question 5 of 23

Which Prisma product secures access to the internet and business applications that are hosted in SaaS, a corporate data center, or public clouds?

A. Prisma Cloud
B. Prisma Access (SASE)
C. Prisma SaaS
D. Prisma Secure Network

(D)

---

Question 6 of 23

Which Prisma product provides comprehensive visibility and threat detection across an organization’s hybrid, multi-cloud infrastructure?

A. Prisma Cloud
B. Prisma Access (SASE)
C. Prisma SaaS
D. Cloud Network Security Platform

(A)

---

Question 7 of 23

Which Prisma product is a multi-mode cloud access security broker (CASB) service that enables customers to manage sanctioned SaaS application usage across all users in the organization and reduce the risk of breaches and non-compliance?

A. Prisma Cloud
B. Prisma Access (SASE)
C. Prisma SaaS
D. Prisma Secure Network

(B)

---

Question 8 of 23

Which option describes the breadth of Palo Alto Networks offerings?

A. Palo Alto Networks provides consistent cybersecurity for networks, endpoints, and cloud environments.
B. Palo Alto Networks supplies routers, bridges, and firewalls, but no servers.
C. Palo Alto Networks focuses on protecting IoT endpoints from known viruses.
D. Palo Alto Networks provides consistent security for social networks and the AI necessary to prevent fake or distorted news, audio, and video content.

(A)

---

Question 9 of 23

What does automation in a security platform help provide?

A. a consistent security policy in a dynamically changing compute environment
B. visibility sensors throughout multiple deployment scenarios
C. a centralized, organized repository for accurate data that behavior analytics software can leverage
D. recognition of attack techniques that leverage known weaknesses in operating systems and applications

(A)

---

Question 10 of 23

What is the name of the Palo Alto Networks partner program?

A. NextWave Partner Program
B. CYBERFORCE
C. Managed Services Program
D. Partner Relationship Management

(A)

---

Question 11 of 23

What is CYBERFORCE?

A. partner technical recognition program
B. technical support team
C. partner portal name
D. authorized training partners program

(A)

---

Question 12 of 23

Which PSE training has a micro-credential as a Professional certification?

A. PSE SASE
B. PSE Cortex
C. PSE Strata
D. PSE Prisma Cloud

(D)

---

Question 13 of 23

Which platform function does Panorama perform?

A. early visibility into new features of the firewall's operating system
B. centralized management for multiple firewalls
C. execution of unknown malware in an isolated environment
D. identification of previously unknown malware and generation of signatures

(B)

---

Question 14 of 23

What service does WildFire provide?

A. to provide cloud-delivered malware analysis on submitted files
B. to perform general-purpose hash generation and matching
C. to provide an additional source of configuration rules for firewalls
D. to produce an Analysis Summary that summarizes a firewall’s ability to reduce the attack surface of an environment

(A)

---

Question 15 of 23

What is the definition of a security rule in a Strata firewall?

A. a legal compliance regulation downloaded to the Strata firewall
B. a filtering mechanism that specifies how the Monitor and ACC display data
C. an element of the Security policy that specifies the action to take based on a match of zones, users, applications, and other session criteria
D. a specification for whether the firewall is to provide prevention, remediation, or attack surface reduction

(C)

---

Question 16 of 23

What is the Palo Alto Networks preferred method of reducing the attack surface of an environment?

A. alerting when a known or unknown threat has entered a firewall
B. reporting on all sensitive data that has been made publicly available on the internet
C. identifying unusual traffic to a server with confidential information
D. allowing only traffic explicitly defined by the application, user, and content

(D)

---

Question 17 of 23

What is the core functional role of automation to convert the detection of a threat?

A. respond to alerts
B. record alerts
C. prevent a threat
D. promote trust

(C)

---

Question 18 of 23

Which Secure the Cloud architecture removes the requirement to backhaul data traffic?

A. Prisma Cloud
B. Prisma SaaS
C. Prisma Secure
D. Prisma Access

(D)

---

Question 19 of 23

Which feature allows policy to automatically adapt based on changes to servers?

A. User-ID
B. Content-ID
C. Dynamic Address Group
D. App-ID

(C)

---

Question 20 of 23

Which Palo Alto Networks technology uses machine learning and behavioral analytics for endpoint threat detection?

A. Cortex XDR
B. Prisma SaaS
C. Strata
D. advanced signatures

(A)

---

Question 21 of 23

Which Palo Alto Networks technology combines security orchestration, incident management, and interactive investigation?

A. Cortex XDR
B. Strata
C. Prisma Access
D. Cortex XSOAR

(D)

---

Question 22 of 23

Which Prisma product automatically assesses risk through content, activity, and security control policies for cloud-delivered applications?

A. Prisma Access
B. Prisma SaaS
C. Prisma Cloud
D. Prisma Delivery

(B)

---

Question 23 of 23

Which patented inspection process enables the firewall administrator to gain visibility and ensure that only those who have a business need have access to an application?

A. Content-ID
B. App-ID
C. User-ID
D. Dynamic Address Group

(B)

---

Have fun!



Saturday, November 28, 2020

PaloAlto Strata Little Quiz

Question 1 of 10

Which type of cyberattack sends extremely high volumes of network traffic such as packets, data, or transactions that render the victim’s network unavailable or unusable? 


(V) distributed denial-of-service (DDoS)


phishing botnet


denial-of-service (DoS)


spamming botnet


Question 2 of 10

Which tactic, technique, or procedure (TTP) masks application traffic over port 443 (HTTPS)?  


hopping ports


using non-standard ports


(V) hiding within SSL encryption


tunneling


Question 3 of 10

Which specific technology is associated with Web 3.0? 


instant messaging


(V) blockchain


remote meeting software


social networks


Question 4 of 10

Which type of advanced malware has entire sections of code that serve no purpose other than to change the signature of the malware, thus producing an infinite number of signature hashes for even the smallest of malware programs? 


obfuscation


distributed


multi-functional


(V) polymorphism


Question 5 of 10

Which core component of Cortex combines security orchestration, incident management, and interactive investigation to serve security teams across the incident lifecycle?


Cortex XDR


(V) Cortex XSOAR


Cortex Data Lake


AutoFocus


Question 6 of 10

Which malware type is installed in the BIOS of a machine, which means operating system level tools cannot detect it? 


spyware


(V) rootkit


logic bomb


ransomware


Question 7 of 10

Which Zero Trust capability provides a combination of anti-malware and intrusion prevention technologies to protect against both known and unknown threats, including mobile device threats? 


inspection of all traffic


least privilege


secure access


(V) cyberthreat protection


Question 8 of 10

Which Wi-Fi attack leverages device information about which wireless networks it previously connected to?


(V) Jasager


evil twin


SSLstrip


man-in-the-middle


Question 9 of 10

Which type of phishing attack is specifically directed at senior executives or other high-profile targets within an organization? 


spear phishing


(V) whaling


watering hole


pharming


Question 10 of 10

Which wireless security protocol includes improved security for IoT devices, smart bulbs, wireless appliances, and smart speakers? 


WEP


WPA2


(V) WPA3


WPA1


Tuesday, November 17, 2020

Palo Alto PSE-Strata

1) Which two profile types can block a C2 channel? (Choose two.)

a) Anti-Spyware

b) Certification

c) Command and Control

d) Decryption

e) URL Filtering


2) Which Prisma product can secure user network traffic against potential threats?

a) Next Generation Firewall

b) Security Subscriptions

c) Panorama

d) SD-WAN


3) Which Prisma product provides zero-day malware protection?

a) Next Generation Firewall

b) Security Subscriptions

c) Panorama

d) SD-WAN


4) Which Prisma product implements and manages software-defined networking?

a) Next Generation Firewall

b) Security Subscriptions

c) Panorama

d) SD-WAN


5) Which Palo Alto Networks product directly protects corporate laptops people use at work?

a) Strata next-generation firewall

b) Cortex XSOAR

c) Panorama

d) WildFire


6) Which NGFW feature detects zero-day malware?

a) GlobalProtect

b) WildFire

c) URL Filtering

d) Antivirus Security Profile


7) Which two steps are essential parts of the PPA process? (Choose two.)

a) a structured interview with the customer about their security prevention capabilities

b) upload of a file generated by the customer’s firewall capturing the threats they are facing

c) a report to the customer about how to improve their security posture

d) a discussion about expectations of threat prevention in a proof-of-concept

e) a head-to-head comparison of NGFW detected threats vs their current solution(s).


8) Which report provides compelling evidence for existing security gaps for Prospects?

a) BPA

b) PPA

c) BPA Heatmap

d) SLR


9) Which Panorama deployment mode collects forwarded log events without firewall management capability?

a) Panorama mode

b) Legacy mode

c) Management only mode

d) Log collector mode


10) Which deployment mode is supported only by a virtual Panorama?

a) Panorama mode

b) Legacy mode

c) Management only mode

d) Log collector mode


11) Which of the following determines Dynamic user group membership?

a) Security subscription feeds

b) XML API

c) group type

d) tags

12) Which of the following security profiles provides protection against documents containing zero-day malware?

a) Antivirus

b) Anti-spyware

c) Vulnerability protection

d) URL filtering

e) File blocking

f) Wildfire Analysis

g) Data filtering

13) Which of the following security profiles provides protection against a web connection to a known command and control site? (Choose two.)

a) Antivirus

b) Anti-spyware

c) Vulnerability protection

d) URL filtering

e) File blocking

f) Wildfire Analysis

g) Data filtering

14) Which of the following security profiles provides protection against transferring documents containing credit card numbers?

a) Antivirus

b) Anti-spyware

c) Vulnerability protection

d) URL filtering

e) File blocking

f) Wildfire Analysis

g) Data filtering

15) Which of the following security profiles provides control for the types of web sites a user can access?

a) Antivirus

b) Anti-spyware

c) Vulnerability protection

d) URL filtering

e) File blocking

f) Wildfire Analysis

g) Data filtering

16) Which technology identifies potentially infected hosts by correlating user and network activity data in Threat, URL, and Data Filtering logs?

a) Botnet report

b) Correlation object

c) DNS security

d) Autofocus

e) DNS Sinkhole

17) Which of the following processing tasks shows an advantage of a file proxy engine over a stream-based single-pass engine?

a) mapping IP addresses to users

b) using protocol decoders, decryption, and heuristics to identify applications

c) blocking data sent over traditional email protocols

d) scanning traffic for vulnerability exploits, viruses, and spyware

18) Real-time threat signatures used by the Strata firewall are generated by what service?

a) WildFire

b) AutoFocus

c) Expedition

d) Prisma Access


19) If a customer is interested in software-defined networking integrating with security services appropriately for specific use-cases, which reference architecture would be your best reference?

a) Public Cloud

b) Secure Access Service Edge

c) Security Operations

d) Private Data Center

e) Zero Trust

f) Automation


20) Which interface mode do you use to generate the Stats Dump file that can be converted into an SLR? Assume that you want to make the evaluation as non-intrusive as possible.

a) tap

b) virtual wire

c) Layer 2

d) Layer 3


21) Which two success tools are most appropriate for a prospective customer that is using a competitor’s offerings but has no security prevention strategy? (Choose two.)

a) Expedition

b) Prevention Posture Assessment

c) Security Lifecycle Review

d) Best Practice Assessment with Heatmaps

e) Data Center Segmentation Strategy Analyzer

22) Which file types are not supported as an upload sample for file upload by WildFire from the wildfire.paloaltonetworks.com/wildfire/upload page?

a) iOS applications

b) Android applications

c) Windows applications

d) Microsoft Excel files


23) Which kind of attack cannot be stopped by the Palo Alto Networks Security Operating Platform?

a) attacks through SaaS applications, such as exfiltration through Box

b) attacks that do not cross the firewall, regardless of source or destination

c) attacks based on social engineering that mimic normal user behavior

d) denial-of-service attacks from a trusted source

e) intrazone attacks, regardless of source or destination

24) WildFire functionality is like that of a sandbox. Is the statement an accurate description?

a) Yes, WildFire functionality is exactly that of a virtual sandbox in the cloud, provided to test files that customers upload or download.

b) No, WildFire does not supply sandbox functionality, although it competes with products that do.

c) No, WildFire provides dynamic analysis, machine learning, and other techniques along with sandbox functionality.

d) Yes, WildFire provides all its functionality as part of its virtual-physical hybrid sandbox environment

25) Which option is an example of how the next-generation firewall can provide visibility and enforcement around SaaS applications?

a) Through partnership with SaaS application vendors, special virtual firewalls that support a subset of full firewall functionality are used inside the SaaS applications themselves.

b) A built-in default security rule in the firewall blocks dangerous SaaS applications based on an automatically updated database of dangerous SaaS applications.

c) Built-in default functionality in the firewall sends all files sent or received by SaaS applications to WildFire.

d) The firewall can filter SaaS applications based on whether they comply with industry certifications such as SOC1, HIPAA, and FINRAA.

26) When a cloud deployment is secured, which role does the next-generation firewall play?

a) A member of the VM-Series is attached to each VM in the cloud environment, to stop malware, exploits, and ransomware before they can compromise the virtual systems they are attached to.

b) The NGFW exports its Security policy through Panorama, which in turn distributes that policy to the cloud based Prisma SaaS service that enforces the NGFW Security policy against each VM used in the cloud environment.

c) The NGFW exports its Security policy to WildFire, which lives in the cloud and enforces the NGFW Security policy throughout the cloud environment.

d) The NGFW is used to consistently control access to applications and data based on user credentials and traffic payload content for private or public cloud, internet, data center, or SaaS applications.

27) Which dedicated High Availability port is used for which plane in HA Pairs?

a) HA1 for the data plane, HA2 for the management plane

b) HA1 for the management plane, HA2 for the data plane

c) MGT for the management plane; HA2 as a backup

d) HA1 for the management plane, HA2 for the data plane in the PA-7000 Series

28) Which value should be used as a typical log entry size if no other information is available about log sizes?

a) 0.5KB

b) 0.5MB

c) 0.5GB

d) 0.5TB

29) Which feature is not supported in active/active (A/A) mode?

a) IPsec tunneling

b) DHCP client

c) link aggregation

d) configuration synchronization

30) Which two updates should be scheduled to occur once a day? (Choose two.)

a) Antivirus

b) PAN-DB URL Filtering

c) WildFire

d) Applications and Threats

e) SMS channel


31) What does the phrase “Prisma Access extends security to remote network locations and mobile users” mean in the context of the security that firewalls provide to a network?

a) Prisma Access independently provides the same type of protection as the firewalls, rebuilt for the various infrastructures used for remote network locations and mobile users.

b) Prisma Access independently provides the exact same protection as the firewalls, rebuilt for the various infrastructures used for remote network locations and mobile users.

c) Prisma Access securely routes traffic for remote network locations and mobile users through the same PAN-OS based firewalls used to protect the network.

d) Prisma Access leverages native cloud security and other security infrastructure to provide security to remote network locations and mobile users.

32) A customer’s interest in prevention, detection and response for Security Operations is best addressed by which reference architecture?

a) Public Cloud

b) Secure Access Service Edge

c) Security Operations

d) Private Data Center

e) Zero Trust

f) Automation


33) Which security posture is most likely to stop unknown attacks?

a) allow all the traffic that is not explicitly denied

b) deny all the traffic that is not explicitly allowed

c) deny all the traffic that is not explicitly allowed from the outside, and allow all the traffic that is not explicitly denied from the inside

d) deny all the traffic that is not explicitly allowed from the inside, and allow all the traffic that is not explicitly denied from the outside


34) Which profile type is used to protect against most protocol-based attacks?

a) Antivirus

b) URL Filtering

c) Vulnerability Protection

d) Anti-Spyware


35) How does an administrator specify in the firewall that certain credentials should not be sent to certain URLs?

a) with a URL Filtering Profile

b) with User-ID

c) with App-ID

d) with a Credential Theft Profile


36) Which SD-WAN configuration element contains data used to trigger a new path selection based on excessive latency?

a) SD-WAN Interface Profile

b) SD-WAN Interface

c) Path Quality Profile

d) Traffic Distribution Profile


37) Which Panorama screen provides an overall status display of SD-WAN Errors and their impacts?

a) SD-WAN Traffic Characteristics

b) SD-WAN Link Characteristics

c) SD-WAN Monitoring

d) SD-WAN Impacted Clusters

38) In Panorama, which policy gets evaluated first?

a) device group pre-rules

b) device group post-rules

c) shared pre-rules

d) shared post-rules

e) local firewall rules

39) Can the same rule allow traffic from different sources on different firewalls?

a) No, rules mean the same on all firewalls that receive the same policy.

b) No, because device groups are pushed from Panorama to all firewalls.

c) Yes, because different firewalls can have different zone definitions.

d) Yes, because there could be clauses in a rule with effects limited to a specific device group.

40) Which is not an advantage of using Panorama?

a) centralized management

b) higher throughput on the firewalls

c) centralized view of collected logs

d) automatic event correlation

41) How is the Cortex Data Lake integration with Panorama facilitated?

a) No integration is necessary; data flows from Panorama to the Cortex data lake and vice versa.

b) A Panorama plugin is installed in the Cortex Data Lake.

c) A Cloud Services plugin is installed in Panorama.

d) Agents run in both the Cortex Data Lake and Panorama.

42) What is the maximum number of servers supported by a single User-ID agent?

a) 10

b) 50

c) 100

d) 500

43) How does the firewall know that a specific connection comes from a specific user?

a) Every connection has a user ID encoded in it.

b) User-ID is supported only in protocols that use user authentication, which provides the user identity to the firewall and the back end.

c) The firewall always uses the IP address in the IP header to locate the user ID, but this initial identification is overridden by additional techniques such as HTTP proxies that provide the client’s IP address in the HTTP header.

d) Usually the firewall uses the IP address in the IP header to locate the user ID, but additional techniques are available as alternatives such as HTTP proxies providing the client’s IP address in the HTTP header.


44) A customer has a proprietary user authentication system that is not supported by User-ID. Can you provide User-ID information to their firewall, and if so, how?

a) It is impossible. The customer will need to upgrade to something more standard.

b) It can be done, but only for HTTP applications because HTTP supports XFF headers.

c) It can be done using the XML API.

d) It can be done, but it requires programming that can be performed only by the Palo Alto Networks Professional Services organization.


45) Should you limit the permission of the user who runs the User-ID agent? If so, why?

a) Yes, because of the principle of least privilege. You should give processes only those permissions that are necessary for them to work.

b) Yes, to an extent. You can give it most privileges, but there is no actual user, so you should not let it start an interactive login.

c) Yes, to an extent. You can give it most privileges, but there is no actual user, so you should not let it have remote access.

d) No, there is nothing wrong with using the administrator’s account.


46) Which types of file does WildFire analyze as executables? (Choose three.)

a) JAR

b) Portable Document Format

c) MP4

d) Portable Executable

e) Office Open XML (.docx)

f) Executable and Linkable Format

g) BMP


47) Which reasons could cause a firewall that is fully configured, including decryption, to not recognize an application? (Choose three.)

a) The application is running over SSL.

b) There is no App-ID signature for an unanticipated application.

c) The application is running over ICMP.

d) The application is running over UDP.

e) A TCP handshake completed but no application traffic reached the firewall.

f) Payload reached the firewall, but not enough data packets to identify the application.


48) Which decryption mode or modes require(s) the private key of the destination server? (Choose a single answer.)

a) Forward Proxy

b) Inbound Inspection

c) Both Forward Proxy and Inbound Inspection

d) SSH Proxy


49) Which parameter cannot be used in a Decryption policy rule?

a) User-ID

b) App-ID

c) Source Zone

d) Destination Zone

Tuesday, November 10, 2020

[PSE-Strata] Palo Alto Networks System Engineer Professional – Strata Exam

NO.1 Which two features are found in a Palo Alto Networks NGFW but are absent in a legacy firewall product? (Choose two.)

A. Policy match is based on application

B. Traffic is separated by zones

C. Traffic control is based on IP port, and protocol

D. Identification of application is possible on any port 


Answer: A,D


NO.2 When log sizing is factored for the Cortex Data Lake on the NGFW, what is the average log size used in calculation?

A. 18 bytes

B. 8MB

C. 1500 bytes

D. depends on the Cortex Data Lake tier purchased


Answer: C

Explanation:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVMCA0


NO.3 Which license is required to receive weekly dynamic updates to the correlation objects on the firewall and Panorama?

A. URL Filtering on the firewall, and MineMeld on Panorama

B. WildFire on the firewall, and AutoFocus on Panorama

C. GlobalProtect on the firewall, and Threat Prevention on Panorama

D. Threat Prevention on the firewall, and Support on Panorama 


Answer: D


NO.4 An endpoint, inside an organization, is infected with known malware that attempts to make a command-and-control connection to a C2 server via the destination IP address. Which mechanism prevents this connection from succeeding?

A. DNS Proxy

B. Anti-Spyware Signatures

C. Wildfire Analysis

D. DNS Sinkholing 


Answer: D


NO.5 A service provider has acquired a pair of PA-7080s for its data center to secure its customer base's traffic. The service provider's traffic is largely generated by smart phones and averages 6,000,000 concurrent sessions.

Which Network Processing Card should be recommended in the Bill of Materials?

A. PA-7000-40G-NPC

B. PA-7000-20GQ-NPC

C. PA-7000-20GQXM-NPC

D. PA-7000-20G-NPC

Answer: C


NO.6 Which three methods used to map users to IP addresses are supported in Palo Alto Networks firewalls? (Choose three.)

A. eDirectory monitoring

B. Active Directory monitoring

C. TACACS

D. Lotus Domino

E. SNMP server

F. RADIUS

G. Client Probing


Answer: C,F,G

Explanation:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/user-id/user-id-concepts/user-mapping


Wednesday, June 24, 2020

3 Palo Alto Networks Platform Specifications and Feature Summary - April 2019 (PAN-OS 9.0)


  • Next-Generation Firewall
    • Deep visibility into and granular control of thousands of applications; ability to create custom applications; ability to manage unknown traffic by policy
    • User identification and control: VPN, WLAN controllers, captive portal, proxy, Active Directory, eDirectory, Exchange, Terminal Services, syslog parsing, XML API
    • Granular SSL decryption and inspection (inbound and outbound); policy-based SSH control (inbound and outbound)
    • Networking: dynamic routing (RIP, OSPF, BGP, multiprotocol BGP), DHCP, DNS, NAT, route redistribution, ECMP, LLDP, BFD, tunnel content inspection
    • QoS: policy-based traffic shaping (priority, guaranteed, maximum) by application, user, tunnel, and more, with DSCP classification
    • Virtual systems: separately managed logical firewall instances within a single physical firewall; each virtual system's traffic is kept separate
    • Zone-based network segmentation and zone protection; DoS protection against new-session floods
  • Threat Prevention (subscription required)
    • Inline malware prevention enforced automatically through payload-based signatures updated daily
    • Vulnerability-based protection against network- and application-layer exploits and evasion techniques (including port scans, buffer overflows, packet fragmentation, and obfuscation)
    • Blocks command-and-control (C2) activity from exfiltrating data or delivering secondary malware payloads once infected hosts are identified through DNS sinkholing
  • URL Filtering (subscription required)
    • Automatic prevention of web-based attacks, including phishing links in email, phishing sites, HTTP-based command and control, and pages hosting exploit kits
    • Ability to block credential phishing while it is in progress
    • Custom URL categories, alert, and notification pages
  • WildFire malware prevention (subscription required)
    • Detects zero-day malware and exploits using complementary, layered analysis techniques
    • Delivers automated protections across the network, endpoints, and cloud in as little as five minutes
    • Protection informed by data from a community of more than 29,000 subscribers
  • AutoFocus threat intelligence (subscription required)
    • Attack context and classification, including malware families, adversaries, and campaigns, to speed up triage and response
    • Large volumes of context-rich global threat analysis from WildFire
    • Third-party threat intelligence for automated prevention
  • DNS Security (subscription required)
    • Automatic protection against tens of millions of malicious domains, identified through real-time analysis and continually growing global threat intelligence
    • Rapid detection of command and control or data theft over DNS tunneling using machine-learning-driven analytics
    • Automated dynamic response to find infected machines and respond quickly according to policy
  • File and data filtering
    • Bidirectional control over unauthorized transfer of file types and of Social Security numbers, credit card numbers, and custom data patterns
  • GlobalProtect network security for endpoints (subscription required)
    • Remote access VPN (SSL, IPsec, clientless); mobile threat prevention and policy enforcement based on application, user, content, device, and device state
    • BYOD: app-level VPN to protect user privacy
  • Panorama network security management (subscription required when managing multiple firewalls)
    • Intuitive policy control over applications, users, threats, advanced malware prevention, URLs, file types, and data patterns, all within the same policy
    • Highly actionable insight into network traffic and threats through the Application Command Center (ACC); fully customizable reporting
    • Aggregated logging and event correlation
    • Consistent, scalable management of up to 30,000 hardware firewalls and all VM-Series firewalls; role-based access control; logical and hierarchical device groups; and templates
    • GUI, CLI, XML-based REST API

Thursday, April 16, 2020

Threat Signatures


There are three types of Palo Alto Networks threat signatures, each designed to detect a different kind of threat as the firewall scans network traffic:

  • Antivirus signatures—Detect viruses and malware found in executables and file types.
  • Anti-spyware signatures—Detect command-and-control (C2) activity, where spyware on an infected client is collecting data without the user's consent and/or communicating with a remote attacker.
  • Vulnerability signatures—Detect system flaws that an attacker might otherwise attempt to exploit.
A signature's severity indicates the risk of the detected event, and a signature's default action (for example, block or alert) is how Palo Alto Networks recommends that you enforce matching traffic.
You must Set Up Antivirus, Anti-Spyware, and Vulnerability Protection to tell the firewall what action to take when it detects a threat; the default security profiles let you start blocking threats based on Palo Alto Networks recommendations right away. You can then modify these profiles, or create new ones, to enforce more granularly by signature type, by category, and even for individual signatures.
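To make the three levels of granularity concrete, here is an added Python illustration (not Palo Alto Networks code, and not a reproduction of PAN-OS internals) that resolves the action a profile applies to a signature match and then audits the profile for signatures that end up enforced more weakly than their vendor-recommended default. The precedence order (per-signature exception, then category, then the profile's base setting), the action vocabulary (allow < alert < block), and every threat ID, name and severity below are assumptions constructed for this example.

```python
"""Resolve and audit the enforcement action for threat signature matches.

Added example for this page only. It models the granularity the text
describes (signature type, category, individual signature) as a precedence
chain and flags signatures enforced below the vendor-recommended default.
The precedence order, the action set and all sample data are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Action strength, weakest first. "default" is not an action of its own:
# it means "use the signature's own default action".
ACTION_RANK = {"allow": 0, "alert": 1, "block": 2}


@dataclass(frozen=True)
class Signature:
    threat_id: int
    name: str
    sig_type: str        # "antivirus", "spyware" or "vulnerability"
    category: str        # e.g. "pe", "dns", "backdoor" (see the table on this page)
    severity: str        # informational, low, medium, high, critical
    default_action: str  # vendor-recommended action: "alert" or "block"


@dataclass
class Profile:
    """One security profile (Antivirus, Anti-Spyware or Vulnerability Protection)."""
    sig_type: str
    base_action: str = "default"                                    # used when nothing more specific matches
    category_actions: Dict[str, str] = field(default_factory=dict)  # category -> action
    exceptions: Dict[int, str] = field(default_factory=dict)        # threat_id -> action


def resolve_action(sig: Signature, profile: Profile) -> str:
    """Most specific setting wins: per-signature exception, then category, then base."""
    if sig.sig_type != profile.sig_type:
        raise ValueError(f"{profile.sig_type} profile cannot act on a {sig.sig_type} signature")
    if sig.threat_id in profile.exceptions:
        action = profile.exceptions[sig.threat_id]
    elif sig.category in profile.category_actions:
        action = profile.category_actions[sig.category]
    else:
        action = profile.base_action
    if action == "default":
        action = sig.default_action
    if action not in ACTION_RANK:
        raise ValueError(f"unknown action {action!r} for threat {sig.threat_id}")
    return action


def weaker_than_recommended(sigs: List[Signature], profile: Profile) -> List[Tuple[int, str, str]]:
    """Return (threat_id, resolved, recommended) for every signature enforced below its default."""
    findings = []
    for sig in sigs:
        resolved = resolve_action(sig, profile)
        if ACTION_RANK[resolved] < ACTION_RANK[sig.default_action]:
            findings.append((sig.threat_id, resolved, sig.default_action))
    return findings


# Constructed sample signatures: IDs, names and severities are made up for the example.
SAMPLE_SIGNATURES = [
    Signature(900001, "Sample.Backdoor.C2", "spyware", "backdoor", "critical", "block"),
    Signature(900002, "Sample.Adware.Toolbar", "spyware", "adware", "low", "alert"),
    Signature(900003, "Sample.DNS.MaliciousDomain", "spyware", "dns", "medium", "block"),
    Signature(900004, "Sample.Keylogger.Upload", "spyware", "keylogger", "high", "block"),
]

# Constructed Anti-Spyware profile: the dns category was downgraded to alert and one
# backdoor signature was excepted to allow. This is the kind of drift the audit surfaces.
SAMPLE_PROFILE = Profile(
    sig_type="spyware",
    base_action="default",
    category_actions={"dns": "alert"},
    exceptions={900001: "allow"},
)

if __name__ == "__main__":
    for s in SAMPLE_SIGNATURES:
        print(s.threat_id, s.category, s.severity, "->", resolve_action(s, SAMPLE_PROFILE))
    print("weaker than recommended:", weaker_than_recommended(SAMPLE_SIGNATURES, SAMPLE_PROFILE))
```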
The following table lists all possible signature categories by type—Antivirus, Spyware, and Vulnerability—and includes the content update (Applications and Threats, Antivirus, or WildFire) that provides the signatures in each category. You can also go to the Palo Alto Networks Threat Vault to Learn More About Threat Signatures.
THREAT CATEGORY
CONTENT UPDATE THAT PROVIDES THESE SIGNATURES
DESCRIPTION
Antivirus Signatures
apk
Antivirus
WildFire or WildFire Private
Malicious Android Application (APK) files.
dmg
Antivirus
Wildfire or WildFire Private
Malicious Apple disk image (DMG) files, that are used with Mac OS X.
flash
Antivirus
Wildfire or WildFire Private
Adobe Flash applets and Flash content embedded in web pages.
java-class
Antivirus
Java applets (JAR/class file types).
macho
Antivirus
Wildfire or WildFire Private
Mach object files (Mach-O) are executables, libraries, and object code that are native to Mac OS X.
office
Antivirus
Wildfire or WildFire Private
Microsoft Office files, including documents (DOC, DOCX, RTF), workbooks (XLS, XLSX), and PowerPoint presentations (PPT, PPTX).
openoffice
Antivirus
Wildfire or WildFire Private
Office Open XML (OOXML) 2007+ documents.
pdf
Antivirus
Wildfire or WildFire Private
Portable Document Format (PDF) files.
pe
Antivirus
Wildfire or WildFire Private
Portable executable (PE) files can automatically execute on a Microsoft Windows system and should be only allowed when authorized. These files types include:

  • Object code.
  • Fonts (FONs).
  • System files (SYS).
  • Driver files (DRV).
  • Windows control panel items (CPLs).
  • DLLs (dynamic-link libraries).
  • OCXs (libraries for OLE custom controls, or ActiveX controls).
  • SCRs (scripts that can be used to execute other files).
  • Extensible Firmware Interface (EFI) files, which run between an OS and firmware in order to facilitate device updates and boot operations.
  • Program information files (PIFs).
pkg
Antivirus
Wildfire or WildFire Private
Apple software installer packages (PKGs), used with Mac OS X.
Spyware Signatures

Category: adware
Content update: Applications and Threats
Description: Detects programs that display potentially unwanted advertisements. Some adware modifies browsers to highlight and hyperlink the most frequently searched keywords on web pages; these links redirect users to advertising websites. Adware can also retrieve updates from a command-and-control (C2) server and install those updates in a browser or onto a client system.
Newly released protections in this category are rare.

Category: autogen
Content update: Antivirus
Description: These payload-based signatures detect command-and-control (C2) traffic and are automatically generated. Importantly, autogen signatures can detect C2 traffic even when the C2 host is unknown or changes rapidly.

Category: backdoor
Content update: Applications and Threats
Description: Detects a program that allows an attacker to gain unauthorized remote access to a system.

Category: botnet
Content update: Applications and Threats
Description: Indicates botnet activity. A botnet is a network of malware-infected computers (“bots”) that an attacker controls. The attacker can centrally command every computer in a botnet to simultaneously carry out a coordinated action (like launching a DoS attack, for example).

Category: browser-hijack
Content update: Applications and Threats
Description: Detects a plugin or software that is modifying browser settings. A browser hijacker might take over auto search or track users’ web activity and send this information to a C2 server.
Newly released protections in this category are rare.

Category: data-theft
Content update: Applications and Threats
Description: Detects a system sending information to a known C2 server.
Newly released protections in this category are rare.

Category: dns
Content update: Antivirus
Description: Detects DNS requests to connect to malicious domains.
dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes.

Category: dns-wildfire
Content update: WildFire or WildFire Private
Description: Detects DNS requests to connect to malicious domains.
dns and dns-wildfire signatures detect the same malicious domains; however, dns signatures are included in the daily Antivirus content update and dns-wildfire signatures are included in the WildFire updates that release protections every 5 minutes.

Category: keylogger
Content update: Applications and Threats
Description: Detects programs that allow attackers to secretly track user activity by logging keystrokes and capturing screenshots.
Keyloggers use various C2 methods to periodically send logs and reports to a predefined e-mail address or a C2 server. Through keylogger surveillance, an attacker could retrieve credentials that would enable network access.

Category: networm
Content update: Applications and Threats
Description: Detects a program that self-replicates and spreads from system to system. Net-worms might use shared resources or leverage security failures to access target systems.

Category: phishing-kit
Content update: Applications and Threats
Description: Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.
In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Credential Phishing Prevention to prevent phishing attacks at all stages.

Category: post-exploitation
Content update: Applications and Threats
Description: Detects activity that indicates the post-exploitation phase of an attack, where an attacker attempts to assess the value of a compromised system. This might include evaluating the sensitivity of the data stored on the system, and the system’s usefulness in further compromising the network.

Category: web shell
Content update: Applications and Threats
Description: Detects systems that are infected with a web shell. A web shell is a script that enables remote administration of a web server; attackers can use web shell-infected web servers (the web servers can be either internet-facing or internal systems) to target other internal systems.

Category: spyware
Content update: Applications and Threats
Description: Detects outbound C2 communication. These signatures are either auto-generated or manually created by Palo Alto Networks researchers.
Spyware and autogen signatures both detect outbound C2 communication; however, autogen signatures are payload-based and can uniquely detect C2 communications with C2 hosts that are unknown or change rapidly.
Vulnerability Signatures

Category: brute force
Content update: Applications and Threats
Description: A brute-force signature detects multiple occurrences of a condition in a particular time frame. While the activity in isolation might be benign, the brute-force signature indicates that the frequency and rate at which the activity occurred is suspect. For example, a single FTP login failure does not indicate malicious activity. However, many failed FTP logins in a short period likely indicate an attacker attempting password combinations to access an FTP server.
You can tune the action and trigger conditions for brute-force signatures.
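The time-window logic the brute-force row describes, as an added example that is not part of the original page or of any PAN-OS code: a small Python detector that counts failed FTP logins per source inside a sliding interval, with the count threshold and the interval exposed as tunable settings in the way a signature's trigger conditions are. The log format, timestamps and addresses are constructed for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed sample FTP server log (not real data): one source fails five
# logins within six seconds, another fails twice 25 minutes apart.
SAMPLE_LOG = """\
2024-03-01T10:00:01 ftpd: FAIL LOGIN user=admin from=203.0.113.7
2024-03-01T10:00:03 ftpd: FAIL LOGIN user=admin from=203.0.113.7
2024-03-01T10:00:04 ftpd: FAIL LOGIN user=root from=203.0.113.7
2024-03-01T10:00:05 ftpd: FAIL LOGIN user=test from=203.0.113.7
2024-03-01T10:00:06 ftpd: FAIL LOGIN user=guest from=203.0.113.7
2024-03-01T10:00:07 ftpd: OK LOGIN user=alice from=198.51.100.20
2024-03-01T10:05:00 ftpd: FAIL LOGIN user=bob from=198.51.100.20
2024-03-01T10:30:00 ftpd: FAIL LOGIN user=bob from=198.51.100.20
"""

# Only failed logins count as the "condition" the signature looks for.
FAIL_RE = re.compile(r"^(\S+) ftpd: FAIL LOGIN user=\S+ from=(\S+)$")


def brute_force_hits(log_text, threshold=5, interval_seconds=60):
    """Return [(timestamp, source), ...] for every point at which a source
    reaches `threshold` failed logins inside a sliding `interval_seconds`
    window. `threshold` and `interval_seconds` play the role of the tunable
    trigger conditions (occurrence count and time frame) of the signature."""
    interval = timedelta(seconds=interval_seconds)
    windows = {}  # source -> deque of failure timestamps still in the window
    hits = []
    for line in log_text.splitlines():
        match = FAIL_RE.match(line)
        if not match:
            continue  # successful logins and other events are ignored
        ts = datetime.fromisoformat(match.group(1))
        src = match.group(2)
        window = windows.setdefault(src, deque())
        window.append(ts)
        while ts - window[0] > interval:  # drop failures older than the window
            window.popleft()
        if len(window) >= threshold:
            hits.append((ts, src))
            window.clear()  # one alert per burst, then start counting again
    return hits


if __name__ == "__main__":
    for ts, src in brute_force_hits(SAMPLE_LOG):
        print(f"{ts.isoformat()} brute-force threshold reached from {src}")
```

With the defaults only the burst from 203.0.113.7 fires; the two isolated failures from 198.51.100.20 stay benign unless the interval is widened and the threshold lowered.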
Category: code execution
Content update: Applications and Threats
Description: Detects a code execution vulnerability that an attacker can leverage to run code on a system with the privileges of the logged-in user.

Category: code-obfuscation
Content update: Applications and Threats
Description: Detects code that has been transformed to conceal certain data while retaining its function. Obfuscated code is difficult or impossible to read, so it is not apparent what commands the code is executing or with which programs it is designed to interact. Most commonly, malicious actors obfuscate code to conceal malware. More rarely, legitimate developers might obfuscate code to protect privacy or intellectual property, or to improve user experience. For example, certain types of obfuscation (like minification) reduce file size, which decreases website load times and bandwidth usage.

Category: dos
Content update: Applications and Threats
Description: Detects a denial-of-service (DoS) attack, where an attacker attempts to render a targeted system unavailable, temporarily disrupting the system and dependent applications and services. To perform a DoS attack, an attacker might flood a targeted system with traffic or send information that causes it to fail. DoS attacks deprive legitimate users (like employees, members, and account holders) of the service or resource to which they expect access.

Category: exploit-kit
Content update: Applications and Threats
Description: Detects an exploit kit landing page. Exploit kit landing pages often contain several exploits that target one or many common vulnerabilities and exposures (CVEs), for multiple browsers and plugins. Because the targeted CVEs change quickly, exploit-kit signatures trigger based on the exploit kit landing page, and not the CVEs.
When a user visits a website with an exploit kit, the exploit kit scans for the targeted CVEs and attempts to silently deliver a malicious payload to the victim’s computer.

Category: info-leak
Content update: Applications and Threats
Description: Detects a software vulnerability that an attacker could exploit to steal sensitive or proprietary information. Often, an info-leak exists because comprehensive checks to guard the data are missing, and attackers can exploit info-leaks by sending crafted requests.

Category: overflow
Content update: Applications and Threats
Description: Detects an overflow vulnerability, where a lack of proper checks on requests could be exploited by an attacker. A successful attack could lead to remote code execution with the privileges of the application, server, or operating system.

Category: phishing
Content update: Applications and Threats
Description: Detects when a user attempts to connect to a phishing kit landing page (likely after receiving an email with a link to the malicious site). A phishing website tricks users into submitting credentials that an attacker can steal to gain access to the network.
In addition to blocking access to phishing kit landing pages, enable Multi-Factor Authentication and Credential Phishing Prevention to prevent phishing attacks at all stages.

Category: protocol-anomaly
Content update: Applications and Threats
Description: Detects protocol anomalies, where a protocol behavior deviates from standard and compliant usage. For example, a malformed packet, a poorly written application, or an application running on a non-standard port would all be considered protocol anomalies, and could be used as evasion tools. It is a best practice to block protocol anomalies of any severity.

Category: sql-injection
Content update: Applications and Threats
Description: Detects a common hacking technique where an attacker inserts SQL queries into an application’s requests in order to read from or modify a database. This technique is often used against websites that do not comprehensively sanitize user input.
