Cloud NGFW for AWS Flashcards

1
Q

What is the Cloud NGFW Tenant?

A

instantiation of the Cloud NGFW service associated with an AWS customer account

2
Q

When is the tenant created?

A

when an AWS user associated with the AWS customer account subscribes to the Cloud NGFW service

3
Q

Cloud NGFW designates what as the administrator of the Cloud NGFW tenant?

A

subscribing AWS Identity and Access Management (IAM) user

4
Q

Cloud NGFW can be deployed in which two different models?

A
  1. distributed
  2. centralized
5
Q

How is Cloud NGFW deployed in the Distributed Deployment workflow?

A

Cloud NGFW is deployed into each VPC that requires protection

6
Q

What are the benefits of Distributed Deployment?

A
  • reduces the possibility of misconfiguration
  • limits the scope of impact
  • each VPC is protected individually, and the blast radius, or extent of the damage, is reduced through VPC isolation
7
Q

How is Cloud NGFW deployed in the Centralized Deployment workflow?

A
  • the Cloud NGFW is behind a transit gateway (TGW) with a dedicated security VPC
  • the model provides centralized security for all virtual networks; firewalls in the central/hub virtual network protect the application workloads on the other (spoke) virtual networks
8
Q

What needs to be done on the application VPCs and TGW to redirect traffic to the security VPC for inspection?

A

configure route rules

9
Q

What are the use cases for securing traffic with the centralized deployment?

A
  • east-west traffic inspection (VPC to VPC)
  • VPC and On-Premises
  • Outbound and Inbound
10
Q

What does FMS stand for?

A

Firewall Manager Service

11
Q

What automation tools can be used to deploy Cloud NGFW for AWS?

A
  1. Terraform
  2. CloudFormation Template (CFT)
12
Q

When onboarding an AWS account, a CloudFormation Template (CFT) is provided to help to enable what?

A

permissions

13
Q

When deploying a CFT, what does it create?

A

a cross-account IAM role in the AWS account

14
Q

What does the IAM role provide the Cloud NGFW with?

A
  • permissions necessary to read VPC information required to create and manage endpoints
  • send logs to logging destinations
  • access certificates in the AWS Secrets Manager for traffic decryption
15
Q

Can you provision resources, such as rules and rulestacks, with an AWS CFT?

A

yes

16
Q

What are the required conditions a tenant needs to meet in order to be able to provide programmatic access?

A
  1. onboard to console
  2. enable programmatic access
  3. create AWS IAM roles
  4. assume AWS IAM roles
  5. save credentials
17
Q

A tenant is onboarded through what?

A
  1. AWS Marketplace
  2. NGFWaaS Console
18
Q

Where does the TenantAdmin enable programmatic access?

A

from the UI

19
Q

AWS IAM roles are created with what?

A

AWS IAM principal tags assigned to roles in the customer AWS account

20
Q

What permissions need to be present for the roles?

A

APIGatewayInvoke

21
Q

When adding principal tags to IAM roles, what key-value pairs should be added under Tags?

A
  • Key=CloudNGFW, Value=CloudFirewallAdmin
  • Key=CloudNGFW, Value=CloudRulestackAdmin
22
Q

What should be added under Trusted Relationship?

A

IAM user

23
Q

Which method produces a set of keys?

A

sts_client.assume_role(RoleArn="arn:value")

24
Q

Which APIs should be called to get a JWT Token?

A
  • GET:/v1/mgmt/tokens/cloudfirewalladmin
  • GET:/v1/mgmt/tokens/cloudrulestackadmin
25
Q

What needs to be used in the header to be able to do Firewall CRUD APIs or Rulestack APIs?

A

"Authorization": "token-id"

26
Q

What does the NGFW endpoint in your VPC allow access to?

A

NGFW resources

27
Q

Which security services are available on the AWS Cloud FW?

A
  • Threat Prevention
  • Advanced URL filtering
  • Decryption
  • App-ID
28
Q

What is built-in to the AWS Cloud FW?

A

resiliency, scalability, and life-cycle management

29
Q

Does NGFW span multiple AWS availability zones?

A

yes

30
Q

Is Cloud NGFW an endpoint service?

A

yes

31
Q

How does each NGFW endpoint manifest?

A

as an AWS Elastic Network Interface (ENI) (with a private IP address) in the dedicated subnet that you specify

32
Q

How to use the NGFW resource?

A
  1. create a dedicated subnet in your VPC for each desired availability zone
  2. create NGFW endpoints on the subnets
  3. update the VPC route tables to send the traffic through the NGFW endpoints
33
Q

What endpoints are NGFW endpoints?

A

Gateway Load Balancer endpoints

34
Q

What traffic does the east-west traffic include?

A

VPC-to-VPC traffic or the subnet-to-subnet traffic

35
Q

What is a rulestack?

A

a set of security rules, associated objects, and security profiles for enabling advanced access control (App-ID, URL Filtering) and threat prevention features

36
Q

Can you associate a single rulestack to multiple firewalls?

A

yes

37
Q

A user’s ability to create and modify a local or global rulestack depends on their level of access. What are the 3 levels of access?

A
  1. Local Administrator Access
  2. Global Rulestack Administrator Access
  3. Tenant Administrator Access
38
Q

What are the privileges of a Local Administrator Access?

A
  • local administrator can create and modify rules on local rulestacks only
  • can also associate the local rulestack with an NGFW resource
39
Q

What are the privileges of a Global Rulestack Administrator Access?

A
  • the AWS Firewall Manager Administrator subscribes to Cloud NGFW for AWS and becomes the Global Rulestack Administrator for Cloud NGFW
  • the Global Rulestack Administrator can create and modify global rulestacks
40
Q

What are the privileges of a Tenant Administrator Access?

A
  • Cloud NGFW designates the subscribing AWS user as the administrator of the Cloud NGFW tenant
  • can invite other users to use the tenant, onboard AWS accounts, create NGFWs, and configure NGFW rulestacks within the tenant
41
Q

What are the rulestack components?

A
  • Objects
  • Security Rules
  • Security Profile
42
Q

What entities can be an object?

A
  • IP addresses
  • FQDNs
  • intelligent feeds
  • certificates
43
Q

To how many rulestacks can an object be applied?

A

a single rulestack

44
Q

What are the two types of rulestacks?

A
  1. Global Rulestacks
  2. Local Rulestacks
45
Q

What types of rules can be configured in a rulestack?

A
  1. pre-rules
  2. post-rules
46
Q

How are the rules processed in a rulestack?

A
  1. pre-rules - global rulestack
  2. local rules - local rulestack
  3. post-rules - global rulestack
47
Q

Can you use XFF HTTP header field to enforce security policy?

A

yes

48
Q

The XFF request header might contain multiple IP addresses that are separated by commas. Which IP address is used by the NGFW to enforce the policy?

A

the most recently added address

49
Q

How are certificates needed for TLS decryption provided to the firewall?

A

through a certificate list object

50
Q

What security profiles are predefined based on best security practices and cannot be modified?

A
  1. IPS Vulnerability Threat Protection
  2. Anti-Spyware Threat Protection
  3. Antivirus Threat Protection
51
Q

Which security profiles are modifiable?

A
  1. File Blocking
  2. URL Categories and Filtering
52
Q

What must be done prior to using Panorama for policy management tasks?

A

Link your Cloud NGFW tenant to the Panorama virtual appliance

53
Q

What are the two configuration options?

A
  1. AWS Firewall Manager Configuration Option
  2. AWS Account Admin Configuration Option
54
Q

What does AWS Firewall Manager Configuration Option provide?

A

native AWS console/API support for management and operations

55
Q

How does AWS Firewall Manager Configuration Option work?

A

AWS Firewall Manager administrator subscribes to Cloud NGFW and deploys Cloud NGFW resources for use in multiple AWS accounts

56
Q

What is AWS Account Admin Configuration Option suitable for?

A

organizations using custom automation tools

57
Q

How does AWS Account Admin Configuration Option work?

A

Each AWS account administrator subscribes individually to Cloud NGFW and deploys Cloud NGFW resources for use in an AWS account

58
Q

To onboard the Cloud NGFW (AWS) firewall, what are the 4 areas to configure?

A
  1. onboard an AWS account to the Cloud NGFW tenant
  2. create rulestacks with rules
  3. create the Cloud NGFW and endpoints
  4. specify logging options
59
Q

Where are cloud NGFW endpoints created?

A

in each availability zone in the specified VPC

60
Q

What is the role of Cloud NGFW endpoints?

A

intercept traffic and route it to the Cloud NGFW for inspection and policy enforcement

61
Q

What are the two management modes that can be used to create endpoints automatically or manually?

A

service-managed or customer-managed deployment

62
Q

How does Service-Managed Deployment Mode work?

A
  • Cloud NGFW tenant creates an endpoint attached to specified subnets
  • Cloud NGFW retrieves a list of subnets in the specified VPC, and from that list you choose the subnets that should have an endpoint
  • these subnets might be associated with individual availability zones or deployed in a security VPC and receive traffic from a transit gateway
63
Q

What are the three choices of destination for your Cloud NGFW logs?

A
  1. S3
  2. Amazon CloudWatch
  3. Amazon Kinesis
64
Q

How does the Customer-Managed Deployment Mode work?

A
  • customer manually creates Cloud NGFW endpoints in each availability zone specified
  • manually attach the Cloud NGFW endpoints to subnets in the chosen availability zones
  • after the Cloud NGFW has been created, you must go to the AWS console to complete the Cloud NGFW endpoint-creation process
65
Q

The Cloud NGFW supports all availability zones (AZs) in us-east-1, except?

A

us-east-1e

66
Q

What needs to be used if you prefer to view logs in the Panorama console or use Application Command Center (ACC) to gain insight into Cloud NGFW traffic or generate reports?

A

Cortex Data Lake (CDL)

67
Q

What is the mandatory component of the integration between Panorama and AWS Cloud FW?

A

Panorama AWS plugin

68
Q

The Panorama AWS plugin internally uses which plugin to communicate with the Cloud NGFW resources?

A

Cloud Connector

69
Q

Which PAN-OS is required to be able to integrate Panorama with AWS Cloud FW?

A

10.2.3 (or higher)

70
Q

Which Cloud Connector plugin version is required to be able to integrate Panorama with AWS Cloud FW?

A

2.0.1 or later

71
Q

Which AWS plugin version is required to be able to integrate Panorama with AWS Cloud FW?

A

5.0.1 or later

72
Q

Which Panorama CLI command needs to be run after installing the Cloud Connector and AWS plugins?

A

request plugins cloudconnector enable cloudngfw

73
Q

Which command is used to verify that CloudConnector plugin and Cloud NGFW functionality are enabled?

A

show plugins aws cngfw-status

74
Q

There are two management modes that can be used to create endpoints. What are they?

A
  1. service-managed mode
  2. customer-managed mode
75
Q

How are firewall endpoints created in service-managed mode?

A
  • Cloud NGFW tenant automatically creates an endpoint in each subnet specified
  • NGFW service retrieves a list of subnets from the VPC specified; from that list, you need to choose the subnets that should have an endpoint
76
Q

How are firewall endpoints created in customer-managed mode?

A
  • choose the existing availability zones that need to be secured in the specified VPC, then manually create the NGFW endpoints in existing subnets in the chosen zones
  • after the NGFW has been created, use the AWS console to complete the process of creating NGFW endpoints
77
Q

What needs to be done after creating an NGFW and NGFW endpoints?

A

update AWS route tables to ensure that traffic is sent to the NGFW

78
Q

When creating NGFW, what needs to be specified?

A

a VPC, a local rulestack, and how and where the associated NGFW endpoints are deployed