Cloud NGFW for AWS

Question 1

What is the Cloud NGFW Tenant?

Answer 1

instantiation of the Cloud NGFW service associated with an AWS customer account

Question 2

When is the tenant created?

Answer 2

when an AWS user associated with the AWS customer account subscribes to the Cloud NGFW service

Question 3

Cloud NGFW designates what as the administrator of the Cloud NGFW tenant?

Answer 3

1. subscribing AWS Identity
2. Access Management (IAM) user

Question 4

Cloud NGFW can be deployed in which two different models?

Answer 4

1. distributed
2. centralized

Question 5

How is Cloud NGFW deployed in the Distributed Deployment workflow?

Answer 5

Cloud NGFW is deployed into each VPC that requires protection

Question 6

What are the benefits of Distributed Deployment?

Answer 6

• reduces the possibility of misconfiguration
• limits the scope of impact
• each VPC is protected individually, and the blast radius, or extent of the damage, is reduced through VPC isolation

Question 7

How is Cloud NGFW deployed in the Centralized Deployment workflow?

Answer 7

• the Cloud NGFW is behind a transit gateway (TGW) with a dedicated security VPC
• the model provides centralized security for all virtual networks and firewalls in central/hub virtual networks protect the application workloads on other spoke virtual networks

Question 8

What needs to be done on the application VPCs and TGW to redirect traffic to the security VPC for inspection?

Answer 8

configure route rules

Question 9

What are the use cases for securing traffic with the centralized deployment?

Answer 9

• east-west traffic inspection (VPC to VPC)
• VPC and On-Premises
• Outbound and Inbound

Question 10

What does FMS stand for?

Answer 10

Firewall Manager Service

Question 11

What automation tools can be used to deploy Cloud NGFW for AWS?

Answer 11

1. Terraform
2. CloudFormation Template (CFT)

Question 12

When onboarding an AWS account, a CloudFormation Template (CFT) is provided to help to enable what?

Answer 12

permissions

Question 13

When deploying a CFT, what does it create?

Answer 13

a cross-account IAM role in the AWS account

Question 14

What does the IAM role provide the Cloud NGFW with?

Answer 14

• permissions necessary to read VPC information required to create and manage endpoints
• send logs to logging destinations
• access certificates in the AWS Secrets Manager for traffic decryption

Question 15

Can you provision resources, such as rules and rule stacks with an AWS CFT?

Answer 15

yes

Question 16

What are the required conditions a tenant needs to meet in order to be able to provide a programmatic access?

Answer 16

1. onboard to console
2. enable programmatic access
3. create AWS IAM roles
4. assume AWS IAM roles
5. save credentials

Question 17

A tenant is onboarded through what?

Answer 17

1. AWS Marketplace
2. NGFWaaS Console

Question 18

Where does TenantAdmin enable programmatic access?

Answer 18

from UI

Question 19

AWS IAM roles are created with what?

Answer 19

AWS IAM principal tags assignd to Roles in customer AWS account

Question 20

What permissions need to be present for the roles?

Answer 20

APIGatewayInvoke

Question 21

When adding principle tags to IAM roles, what key-value pairs should be added under tag?

Answer 21

• Key=CloudNGFW, Value=CloudFirewallAdmin
• Key=CloudNGFW, Value=CloudRulestackAdmin

Question 22

What should be added under Trusted Relationship?

Answer 22

IAM user

Question 23

Which method produces a set of keys?

Answer 23

sts_client.asume_role(RoleArn=”arn:value”)

Question 24

Which APIs should be called to get a JWT Token?

Answer 24

• GET:/v1/mgmt/tokens/cloudfirewalladmin
• GET:/v1/mgmt/tokens/cloudrulestackadmin

Question 25

What needs to be used in the header to be able to do Firewall CRUD APIs or Rulestack APIs?

Answer 25

“Authorization”: “token-id”

Question 26

What does the NGFW endpoint in your VPC allow access to?

Answer 26

NGFW resources

Question 27

Which security services are available on the AWS Cloud FW?

Answer 27

• Threat Prevention
• Advanced URL filtering
• Decryption
• App-ID

Question 28

What is built-in to the AWS Cloud FW?

Answer 28

resiliency, scalability, and life-cycle management

Question 29

Does NGFW span multiple AWS availability zones?

Answer 29

yes

Question 30

Is Cloud NGFW an endpoint service?

Answer 30

yes

Question 31

How does each NGFW endpoint manifest_

Answer 31

as an AWS Elastic Network Interface (ENI) (with a private IP address) in the dedicated subnet that you specify

Question 32

How to use the NGFW resource?

Answer 32

1. create a dedicated subnet in your VPC for each desired availability zone
2. create NGFW endpoints on the subnets
3. update the VPC route tables to send the traffic through the NGFW endpoints

Question 33

What endpoints are NGFW endpoints?

Answer 33

Gateway Load Balancer endpoints

Question 34

What traffic does the east-west traffic include?

Answer 34

VPC-to-VPC traffic or the subnet-to-subnet traffic

Question 35

What is a rulestack?

Answer 35

a set of security rules, associated objects and Security profiles, for enabling advanced access control (App-ID, URL Filtering) and threat prevention features

Question 36

Can you associate a single rulestack to multiple firewalls?

Answer 36

yes

Question 37

A user’s ability to create and modify a local or global rulestack depends on their level of access. What are the 3 levels of access?

Answer 37

1. Local Administrator Access
2. Global Rulestack Administrator Access
3. Tenant Administrator Access

Question 38

What are the privileges of a Local Administrator Access?

Answer 38

• local administrator can create and modify rules on local rulestacks only
• can also associate the local rulestack with an NGFW resource

Question 39

What are the privileges of a Global Rulestack Administrator Access ?

Answer 39

• AWS Firewall Manager Administrator subscribes to the Cloud NGFW for AWS and becomes the Global Rulestack Administrator for cloud NGFW
• the Global Rulestack Administrator can create and modify global rulestacks

Question 40

What are the privileges of a Tenant Administrator Access?

Answer 40

• Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant
• can invite other users to use the tenant, onboard AWS accounts, create NGFWs, and configure NGFW rulestacks within the tenant

Question 41

What are the rulestack components?

Answer 41

• Objects
• Security Rules
• Security Profile

Question 42

What entities can be an object?

Answer 42

• IP addresses
• FQDNs
• intelligent feeds
• certificates

Question 43

To how many rulestacks can an object be applied to?

Answer 43

a single rulestack

Question 44

What are the two types of rulestacks?

Answer 44

1. Global Rulestacks
2. Local Rulestacks

Question 45

What type of rules can be configured in a rule stack?

Answer 45

1. pre-rules
2. post-rules

Question 46

How are the rules processed in a rulestack?

Answer 46

1. pre rules - global rulestack
2. local rules - local rulestack
3. post rules - global rulestack

Question 47

Can you use XFF HTTP header field to enforce security policy?

Answer 47

yes

Question 48

The XFF request header might contain multiple IP addresses that are separated by commas. Which IP addressed is used by the NGFW to enforce the policy?

Answer 48

the most recently added address

Question 49

How are certificates needed for TLS decryption provided to the firewall?

Answer 49

through a certificate list object

Question 50

What security profiles are predefined based on best security practices and cannot be modified?

Answer 50

1. IPS Vulnerability Threat Protection
2. Anti-Spyware Threat Protection
3. Antivirus Threat Protection

Question 51

Which security profiles are modifiable?

Answer 51

1. File Blocking
2. URL Categories and Filtering

Question 52

What must be done prior to using Panorama for policy management tasks?

Answer 52

Link your Cloud NGFW tenant to the Panorama virtual appliance

Question 53

What are the two configuration options?

Answer 53

1. AWS Firewall Manager Configuration Option
2. AWS Account Admin Configuration Option

Question 54

What does AWS Firewall Manager Configuration Option provide?

Answer 54

native AWS console/API support for management and operations

Question 55

How does AWS Firewall Manager Configuration Option work?

Answer 55

AWS Firewall Manager administrator subscribes to Cloud NGFW and deploys Cloud NGFW resources for use in multiple AWS accounts

Question 56

What is AWS Account Admin Configuration Option suitable for?

Answer 56

organizations using custom automation tools

Question 57

How does AWS Account Admin Configuration Option work?

Answer 57

Each AWS account administrator subscribes individually to Cloud NGFW and deploys Cloud NGFW resources for use in an AWS account

Question 58

To onboard the Cloud NGFW (AWS) firewall, what are the 4 areas to configure?

Answer 58

1. onboard an AWS account to the Cloud NGFW tenant
2. create rulestacks with rules
3. create the Cloud NGFW and endpoints
4. specify logging options

Question 59

Where are cloud NGFW endpoints created?

Answer 59

in each availability zone in specified VPC

Question 60

What is the role of Cloud NGFW endpoints?

Answer 60

intercept traffic and route it to the Cloud NGFW for inspection and policy enforcement

Question 61

What are the two management modes that can be used to create endpoints automatically or manually?

Answer 61

service-managed or customer-managed deployment

Question 62

How does Service-Managed Deployment Mode work?

Answer 62

• Cloud NGFW tenant creates an endpoint attached to specified subnets
• Cloud NGFW retrieves a list of subnets in the specified VPC, and from that list, choose the subnets that should have an endpoint
• these subnets might be associated with individual availability zones or deployed in a security VPC and receive traffic from a transit gateway

Question 63

What are the three choices of destination for your Cloud NGFW logs?

Answer 63

1. S3
2. Amazon CloudWatch
3. Amazon Kinesis

Question 64

How does the Customer-Managed Deployment Mode work?

Answer 64

• customer manually creates Cloud NGFW endpoints in each availability zone specified
• manually attach the Cloud NGFW endpoints to subnets in the chosen availability zones
• after the Cloud NGFW has been created, you must go to the AWS console to complete the Cloud NGFW endpoint-creation process

Question 65

The Cloud NGFW supports all availability zones (AZs) in us-east-1, except?

Answer 65

us-east-1e

Question 66

What needs to be used if you prefer to view logs in the Panorama console or use Application Command Center (ACC) to gain insight into Cloud NGFW traffic or generate reports?

Answer 66

Cortex Data Lake (CDL)

Question 67

What is the mandatory component of the integration between Panorama and AWS Cloud FW?

Answer 67

Panorama AWS plugin

Question 68

The Panorama AWS plugin internally uses which plugin to communicate with the Cloud NGFW resources?

Answer 68

Cloud Connector

Question 69

Which PAN-OS is required to be able to integrate Panorama with AWS Cloud FW?

Answer 69

10.2.3 (or higher)

Question 70

Which Cloud Connector plugin version is required to be able to integrate Panorama with AWS Cloud FW?

Answer 70

2.0.1 or later

Question 71

Which AWS plugin version is required to be able to integrate Panorama with AWS Cloud FW?

Answer 71

5.0.1 or later

Question 72

Which Panorama CLI command needs to be run after installing the Cloud Connector and AWS plugins?

Answer 72

request plugins cloudconnector enable cloudngfw

Question 73

Which command is used to verify that CloudConnector plugin and Cloud NGFW functionality are enabled?

Answer 73

show plugins aws cngfw-status

Question 74

There are two management modes that can be used to create endpoints. What are they?

Answer 74

1. service-managed mode
2. customer-managed mode

Question 75

How are firewall endpoints created in service-managed mode?

Answer 75

• Cloud NGFW tenant automatically creates an endpoint in each subnet specified
• NGFW service retrieves a list of subnets from the VPC specified; from that list, you need to choose the subnets that should have an endpoint

Question 76

How are firewall endpoints created in customer-managed mode?

Answer 76

• choose existing availability zones that need to be secured in specified VPC and then manually create the NGFW endpoints in existing subnets in the chosen zones
• after the NGFW has been created, use the AWS console to complete the process of creating NGFW endpoints

Question 77

What needs to be done after creating an NGFW and NGFW endpoints

Answer 77

update AWS route tables to ensure that traffic is sent to the NGFW

Question 78

When creating NGFW, what needs to be specified?

Answer 78

a VPC, local rulestack and how and where the associated NGFW endpoints are deployed