lesson 5

Question 1

app-id

Answer 1

• identifies apps

- rules can be created for specific apps not just ports

Question 2

app-id traffic identification

Answer 2

• only known apps can traverse the firewall
• often only needs to examine one udp packet to identify the app
• requires more packets to identify apps that use tcp (3 way handshake is insufficient)
• if traffic is encrypted the firewall references the decryption policy to determine if the traffic should be allowed, blocked or decrypted and inspected

Question 3

app-id identification technologies

Answer 3

• application signatures
• unknown protocol decoder
• known protocol decoder
• protocol decryption

Question 4

application signatures

Answer 4

-database of signatures that is regularly updated

Question 5

unknown protocol decoder

Answer 5

-heuristics engine that attempts to identify apps based on network behaviour

Question 6

known protocol decoder

Answer 6

-decoders that understand the syntax and commands of common apps

Question 7

protocol decryption

Answer 7

-ssl/tls decryption

Question 8

app-id operation

Answer 8

• extract ip/port
• check security policy
• if traffic is allowed, it is processed by the unknown protocol decoder, known protocol decoder, or the decryption policy
• application signature
• check security policy
• allow or block

Question 9

application shifts

Answer 9

-since security policy rules are examined for every packet, firewall can detect protocol changes within a session

Question 10

application dependencies

Answer 10

-when creating a security policy to allow an app you must also allow its’ dependencies

Question 11

application filters

Answer 11

• object that dynamically groups apps based on attributes selected from the app-id database
• used when creating rules based on match criteria instead of specific apps

Question 12

app groups

Answer 12

-static admin defined set of apps that can be used to define a single policy for all of them

Question 13

application block page

Answer 13

• notifies the user that their session is denied if they try to use a blocked web based application
• can be enabled or disabled

Question 14

updating app-id

Answer 14

• app-id database is part of the application and threat content update packages
• it is best practice to schedule download and install of application and threat content updates automatically
• released on the third tuesday of each month
• review period for app-id updates can be scheduled for manual review

Question 15

content-id

Answer 15

• combines real time threat prevention engine with policies to inspect and control content
• provides threat prevention and data loss prevention
• occurs after app-id

Question 16

security profiles

Answer 16

• applied to all traffic with an allow action in the security policy rule
• represent additional checks that the allowed traffic must pass
• events related to security profiles are recorded in the firewall threat log

Question 17

available security profiles

Answer 17

• vulnerability protection
• url filtering
• anti spyware
• antivirus
• file blocking
• data filtering
• wildfire analysis
• security profile group

Question 18

vulnerability protection security profiles

Answer 18

• collections of vulnerability protection signatures grouped into rules
• grouped by type (client/server)
• grouped by severity (informational, low, medium, high, critical)
• custom profiles can be added
• exceptions allow legitimate network traffic that has triggered a false positive to pass

Question 19

antivirus security profiles

Answer 19

• protects against common forms of viruses
• scans files and transmission channel protocols
• exceptions allow legitimate network traffic that has triggered a false positive to pass

Question 20

anti spyware security profiles

Answer 20

• organized by severity (informational, low, medium, high, critical)
• exceptions allow legitimate network traffic that has triggered a false positive to pass

Question 21

file blocking security profiles

Answer 21

• blocks prohibited and suspicious files from being downloaded or uploaded
• blocks based on file name extension and file contents

Question 22

file blocking actions

Answer 22

• alert, logs and allows
• continue, logs and allows with user permission
• block, logs and blocks

Question 23

data filtering security profiles

Answer 23

• patterns of data can be blocked

- useful for data loss prevention ex. credit card number

Question 24

denial of service protection

Answer 24

• packet based

- mitigates layer 3 and 4 attacks designed to disrupt network operation

Question 25

dos protection types

Answer 25

• zone protection profile

- end host protection profile

Question 26

zone protection profile

Answer 26

• protects the internet edge (ingress)

- protects against syn, udp, and icmp floods by monitoring the number of new session requests per second

Question 27

url filtering

Answer 27

• pan-db groups urls into categories
• pan-os can access this db to filter access to the urls
• custom url filtering rules and categories can be created
• can be used for authentication, decryption, qos, and security policies

Question 28

url filtering user responses

Answer 28

• html block pages are displayed

- if user is allowed to use the continue option they are time on the page is restricted for 15 minutes by default

Question 29

user credential detection

Answer 29

-blocks users from submitting their credentials to phishing sites

Question 30

http header insertion

Answer 30

-allows admins to enable the enterprise version of saas platforms

Question 31

http header insertion supported platforms

Answer 31

• dropbox
• google
• office 365
• youtube

Question 32

unkown urls

Answer 32

• an unknown url indicates that the url has not yet been categorized by palo alto
• best practice to configure exceptions for all known good unknown urls and then block access to all unknown urls