In Strata Cloud Manager (SCM), the creation of custom reports is fundamentally linked to the dashboard functionality. To generate a custom report for Prisma Access, an administrator must first create a custom dashboard. This dashboard is populated with the specific widgets that display the desired data (e.g., threats, traffic, user activity). Once the dashboard is configured to present the required information, it can then be used as a template to schedule the generation and distribution of a custom report. This process ensures that the report's content and layout precisely match the curated view established in the dashboard.

A. Open a support ticket: This is a reactive step for troubleshooting or requesting assistance, not a standard procedural requirement for creating a custom report within the SCM interface.

B. Set up Cloud Identity Engine: While Cloud Identity Engine provides valuable user context for reports, it is not a mandatory prerequisite for the creation of the report template itself, which can be based on other data like traffic or threats.

C. Generate a PDF summary report: This is an output action performed after a report has been configured. It is a result of the process, not a necessary step in its creation.

1. Palo Alto Networks. (2024). Manage Custom Reports. Strata Cloud Manager Administrator's Guide. Retrieved from Palo Alto Networks TechDocs.

Reference Details: In the "Monitor > Reports" section

the documentation explicitly states: "To create a custom report

you must first create a custom dashboard that contains the widgets you want to include in the report. After you create the custom dashboard

you can create a report based on it." This directly establishes that configuring a dashboard is a necessary prerequisite.

To control access based on user identity and time, a Security policy rule must leverage the User-ID and Schedule components. The User-ID feature allows the firewall to identify specific users or groups, such as "third-party contractors," by integrating with directory services. This addresses the "who" part of the requirement. The Schedule object allows the administrator to define specific time windows, such as "outside business hours," during which the policy rule will be active. This addresses the "when" part of the requirement. Combining these two components in a single rule enforces the specified access control.

A. App-ID: This component identifies the application (the "what") being accessed, not the user initiating the connection or the time of the connection.

B. Service: This component defines the transport protocol and port number (the "how") for the traffic, not the user or the time of access.

1. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Security Policy Rule Components": This section details the building blocks of a Security policy rule. It explicitly lists "Source User" and "Schedule" as distinct components for controlling access.

Source User: "The user or group that is the source of the traffic. The firewall must be configured to map IP addresses to usernames for this setting to be effective." This directly corresponds to using User-ID to identify the contractors.

Schedule: "The schedule that specifies the days and times the rule is enforced. Select a predefined schedule or select None (the default) to have the rule enforced at all times." This directly corresponds to the Schedule component for time-based control.

2. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"Objects > Schedules": This section describes the creation and application of Schedule objects. It states

"You can apply schedules to security policy rules to control when the rules are active." This confirms the function of the Schedule component for time-based enforcement.

3. Palo Alto Networks

PAN-OS® Administrator’s Guide 10.2

"User-ID": The overview of the User-ID feature explains its purpose: "The User-ID feature of Palo Alto Networks firewalls allows you to configure and enforce firewall policies based on users and groups of users rather than on IP addresses." This confirms User-ID is the correct component for identifying the "third-party contractors" group.

Palo Alto Networks IoT Security relies on deep traffic analysis to discover, classify, and secure IoT devices. To achieve this, it requires two fundamental types of logs from the firewall. Enhanced Application Logs provide granular data on traffic, including application metadata, which is essential for device profiling and behavior baselining. Threat Logs are mandatory for detecting malicious activities, vulnerabilities, and threats targeting the IoT devices. These two log types provide the foundational data set upon which the IoT Security service builds its analysis and security posture recommendations.

A. WildFire: WildFire logs are specific to malware analysis verdicts. While valuable, they are not a foundational requirement for the core device profiling and behavior analysis functions of IoT Security.

D. URL Filtering: While URL Filtering logs are highly recommended to improve the accuracy of device identification and policy recommendations, they are not strictly mandatory for the basic functionality of the IoT Security service.

1. Palo Alto Networks IoT Security Administrator's Guide: In the "Set Up IoT Security" section

under "Prerequisites for IoT Security

" the documentation explicitly states the required log types. It specifies: "To enable IoT Security to analyze your network traffic and identify IoT devices

you must configure your firewalls to forward the following log types to Cortex Data Lake [now Strata Logging Service]: Threat and Enhanced Application Logs." It further clarifies that "Forwarding URL Filtering logs is highly recommended for better device identification and security policy recommendations."

Source: Palo Alto Networks. (2024). Get Started with IoT Security > Set Up IoT Security. IoT Security Administrator's Guide. Retrieved from the Palo Alto Networks Technical Documentation portal.

2. Palo Alto Networks PAN-OS® Administrator's Guide: This guide details the configuration of log forwarding and describes the contents of each log type

reinforcing the distinct and critical information provided by Threat and Enhanced Application logs for security analysis platforms like IoT Security.

Source: Palo Alto Networks. (2024). Monitor > Logs. PAN-OS® Administrator's Guide. Retrieved from the Palo Alto Networks Technical Documentation portal.

SSL Inbound Inspection allows the firewall to decrypt incoming encrypted traffic to internal servers

(e.g., web servers) by acting as a man-in-the-middle (MITM). The firewall uses the private key of the

server to decrypt the session and apply security policies before re-encrypting the traffic.

“SSL Inbound Inspection requires you to import the server’s private key and certificate into the

firewall. The firewall then acts as a man-in-the-middle (MITM) to decrypt inbound sessions from

external clients to internal servers for inspection.”

(Source: SSL Inbound Inspection)

The scenario requires deploying a firewall within Microsoft Azure to segment private applications. The VM-Series is the virtualized form-factor of the Palo Alto Networks NGFW designed specifically for deployment in public cloud environments like Azure. To achieve logical segmentation between different network segments (e.g., subnets for web, application, and database tiers), the standard and most robust method is to deploy the firewall in Layer 3 (routed) mode. In this configuration, the VM-Series firewall has Layer 3 interfaces assigned to different security zones, and it acts as the gateway, routing and inspecting all traffic that flows between these segmented subnets. This design places security enforcement directly in the traffic path and close to the applications, fulfilling the stated requirements.

A. On a VM-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

While VM-Series is the correct platform, Layer 3 mode is the standard and more scalable method for routing-based segmentation between subnets in Azure.

B. On a PA-Series NGFW, configure several Layer 2 zones with Layer 2 interfaces assigned to logically segment the network.

PA-Series firewalls are physical hardware appliances and cannot be deployed directly within the Azure cloud environment to protect hosted applications.

D. On a PA-Series NGFW, configure several Layer 3 zones with Layer 3 interfaces assigned to logically segment the network.

PA-Series firewalls are physical hardware appliances. The correct form-factor for deployment within a public cloud like Azure is the VM-Series.

1. Palo Alto Networks

"VM-Series Deployment Guide for Azure

" Version 11.0. This guide explicitly details the deployment of the VM-Series virtualized firewall in Azure. The reference architectures

such as the "Basic deployment with a single VM-Series firewall

" show the firewall with multiple virtual network interfaces (vNICs) connected to different subnets (e.g.

Untrust

Trust

Management)

operating in Layer 3 to route and inspect traffic between them. This is the fundamental model for segmentation. (See: Chapter 2: Plan the VM-Series Firewall Deployment in Azure

Section: "Reference Architecture: Basic Deployment with a Single VM-Series Firewall").

2. Palo Alto Networks

"VM-Series on Azure

" Datasheet. This document specifies that the VM-Series is the virtual NGFW for Azure

designed to "protect your applications and data with next-generation security features that are deployed in a virtualized form factor." It contrasts with the PA-Series

which are hardware appliances. (See: "Product Overview" section).

3. Palo Alto Networks

"Firewall Interface Types

" PAN-OS® Administrator's Guide 11.0. This documentation describes the different interface types. It clarifies that Layer 3 interfaces "participate in Layer 3 routing" and are assigned to security zones

which is the mechanism for applying policy to traffic between different network segments. This is the core concept behind Layer 3 segmentation. (See: Networking > Network Interfaces > Firewall Interface Types > Layer 3 Interfaces).