Protecting web servers from advanced threats like SQL injection, command injection, XSS attacks,

and IIS exploits requires a solution capable of deep packet inspection, behavioral analysis, and inline

prevention of zero-day attacks. The most effective solution here is Advanced Threat Prevention (ATP)

combined with PAN-OS 11.x.

Why "Advanced Threat Prevention and PAN-OS 11.x" (Correct Answer B)?

Advanced Threat Prevention (ATP) enhances traditional threat prevention by using inline deep

learning models to detect and block advanced zero-day threats, including SQL injection, command

injection, and XSS attacks. With PAN-OS 11.x, ATP extends its detection capabilities to detect

unknown exploits without relying on signature-based methods. This functionality is critical for

protecting web servers in scenarios where a dedicated WAF is unavailable.

ATP provides the following benefits:

Inline prevention of zero-day threats using deep learning models.

Real-time detection of attacks like SQL injection and XSS.

Enhanced protection for web server platforms like IIS.

Full integration with the Palo Alto Networks Next-Generation Firewall (NGFW).

Why not "Threat Prevention and PAN-OS 11.x" (Option A)?

Threat Prevention relies primarily on signature-based detection for known threats. While it provides

basic protection, it lacks the capability to block zero-day attacks using advanced methods like inline

deep learning. For zero-day SQL injection and XSS attacks, Threat Prevention alone is insufficient.

Why not "Threat Prevention, Advanced URL Filtering, and PAN-OS 10.2 (and higher)" (Option C)?

While this combination includes Advanced URL Filtering (useful for blocking malicious URLs

associated with exploits), it still relies on Threat Prevention, which is signature-based. This

combination does not provide the zero-day protection needed for advanced injection attacks or XSS

vulnerabilities.

Why not "Advanced WildFire and PAN-OS 10.0 (and higher)" (Option D)?

Advanced WildFire is focused on analyzing files and executables in a sandbox environment to identify

malware. While it is excellent for identifying malware, it is not designed to provide inline prevention

for web-based injection attacks or XSS exploits targeting web servers.

Reference: The Palo Alto Networks Advanced Threat Prevention documentation highlights its ability

to block zero-day injection attacks and web-based exploits by leveraging inline machine learning and

behavioral analysis. This makes it the ideal solution for the described scenario.

In this scenario, the company does not use on-premises Active Directory and manages devices with

Entra ID and Jamf, which implies a cloud-native and modern management setup. Below is the

evaluation of each option:

Option A: Captive portal

Captive portal is typically used in environments where identity mapping is needed for unmanaged

devices or guest users. It provides a mechanism for users to authenticate themselves through a web

interface.

However, in this case, the company is managing devices using Entra ID and Jamf, which means

identity information can already be centralized through other means. Captive portal is not an ideal

solution here.

This option is not appropriate.

Option B: User-ID agents configured for WMI client probing

WMI (Windows Management Instrumentation) client probing is a mechanism used to map IP

addresses to usernames in a Windows environment. This approach is specific to on-premises Active

Directory deployments and requires direct communication with Windows endpoints.

Since the company does not have an on-premises AD and is using Entra ID and Jamf, this method is

not applicable.

This option is not appropriate.

Option C: GlobalProtect with an internal gateway deployment

GlobalProtect is Palo Alto Networks' VPN solution, which allows for secure remote access. It also

supports identity-based mapping when deployed with internal gateways.

In this case, GlobalProtect with an internal gateway can serve as a mechanism to provide user and

device visibility based on the managed devices connecting through the gateway.

This option is appropriate.

Option D: Cloud Identity Engine synchronized with Entra ID

The Cloud Identity Engine provides a cloud-based approach to synchronize identity information from

identity providers like Entra ID (formerly Azure AD).

In a cloud-native environment with Entra ID and Jamf, the Cloud Identity Engine is a natural fit as it

integrates seamlessly to provide identity visibility for applications and data.

This option is appropriate.

Reference:

Palo Alto Networks documentation on Cloud Identity Engine

GlobalProtect configuration and use cases in Palo Alto Knowledge Base

A . Discuss the PAN-OS Policy Optimizer feature as a means to safely migrate port-based rules to

application-based rules.

PAN-OS includes the Policy Optimizer tool, which helps migrate legacy port-based rules to

application-based policies incrementally and safely. This tool identifies unused, redundant, or overly

permissive rules and suggests optimized policies based on actual traffic patterns.

Why Other Options Are Incorrect

B: The migration wizard does not automatically convert port-based rules to application-based rules.

Migration must be carefully planned and executed using tools like the Policy Optimizer.

C: Running two firewalls in parallel adds unnecessary complexity and is not a best practice for

migration.

D: While port-based rules are supported, relying on them defeats the purpose of transitioning to

application-based security.

Reference:

Palo Alto Networks Policy Optimizer

Thank you for your visit.

Panorama is Palo Alto Networks’ centralized management solution for managing multiple firewalls. It

supports multiple deployment options to suit different infrastructure needs. The valid deployment

options are as follows:

Why "As a virtual machine (ESXi, Hyper-V, KVM)" (Correct Answer A)?

Panorama can be deployed as a virtual machine on hypervisors like VMware ESXi, Microsoft Hyper-V,

and KVM. This is a common option for organizations that already utilize virtualized infrastructure.

Why "With a cloud service provider (AWS, Azure, GCP)" (Correct Answer B)?

Panorama is available for deployment in the public cloud on platforms like AWS, Microsoft Azure,

and Google Cloud Platform. This allows organizations to centrally manage firewalls deployed in cloud

environments.

Why "As a dedicated hardware appliance (M-100, M-200, M-500, M-600)" (Correct Answer E)?

Panorama is available as a dedicated hardware appliance with different models (M-100, M-200, M-

500, M-600) to cater to various performance and scalability requirements. This is ideal for

organizations that prefer physical appliances.

Why not "As a container (Docker, Kubernetes, OpenShift)" (Option C)?

Panorama is not currently supported as a containerized deployment. Containers are more commonly

used for lightweight and ephemeral services, whereas Panorama requires a robust and persistent

deployment model.

Why not "On a Raspberry Pi (Model 4, Model 400, Model 5)" (Option D)?

Panorama cannot be deployed on low-powered hardware like Raspberry Pi. The system

requirements for Panorama far exceed the capabilities of Raspberry Pi hardware.

Reference: Palo Alto Networks Panorama Admin Guide outlines the supported deployment options,

which include virtual machines, cloud platforms, and hardware appliances.

When configuring Advanced URL Filtering on a Palo Alto Networks firewall, the "Ransomware"

category should be explicitly blocked to protect customers from URLs associated with ransomware

activities. Ransomware URLs typically host malicious code or scripts designed to encrypt user data

and demand a ransom. By blocking the "Ransomware" category, systems engineers can proactively

prevent users from accessing such URLs.

Why "Ransomware" (Correct Answer A)?

The "Ransomware" category is specifically curated by Palo Alto Networks to include URLs known to

deliver ransomware or support ransomware operations. Blocking this category ensures that any URL

categorized as part of this list will be inaccessible to end-users, significantly reducing the risk of

ransomware attacks.

Why not "High Risk" (Option B)?

While the "High Risk" category includes potentially malicious sites, it is broader and less targeted. It

may not always block ransomware-specific URLs. "High Risk" includes a range of websites that are

flagged based on factors like bad reputation or hosting malicious content in general. It is less focused

than the "Ransomware" category.

Why not "Scanning Activity" (Option C)?

The "Scanning Activity" category focuses on URLs used in vulnerability scans, automated probing, or

reconnaissance by attackers. Although such activity could be a precursor to ransomware attacks, it

does not directly block ransomware URLs.

Why not "Command and Control" (Option D)?

The "Command and Control" category is designed to block URLs used by malware or compromised

systems to communicate with their operators. While some ransomware may utilize command-and-

control (C2) servers, blocking C2 URLs alone does not directly target ransomware URLs themselves.

By using the Advanced URL Filtering profile and blocking the "Ransomware" category, the firewall

applies targeted controls to mitigate ransomware-specific threats.

Reference: Palo Alto Networks documentation for Advanced URL Filtering confirms that blocking the

"Ransomware" category is a recommended best practice for preventing ransomware threats.

Discovering Applications on the Network (Answer A):

Policy Optimizer analyzes traffic logs to identify applications running on the network that are

currently being allowed by port-based or overly permissive policies.

It provides visibility into these applications, enabling administrators to transition to more secure,

application-based policies over time.

Converting Broad Rules into Narrow Rules (Answer B):

Policy Optimizer helps refine policies by converting broad application filters (e.g., rules that allow all

web applications) into narrower rules based on specific application groups.

This reduces the risk of overly permissive access while maintaining granular control.

Migrating from Port-Based Rules to Application-Based Rules (Answer C):

One of the primary use cases for Policy Optimizer is enabling organizations to migrate from legacy

port-based rules to application-based rules, which are more secure and aligned with Zero Trust

principles.

Policy Optimizer identifies traffic patterns and automatically recommends the necessary application-

based policies.

Why Not D:

5-tuple attributes (source IP, destination IP, source port, destination port, protocol) are used in

traditional firewalls. Simplifying these attributes to 4-tuple (e.g., removing the protocol) is not a use

case for Policy Optimizer, as Palo Alto Networks NGFWs focus on application-based policies, not just

5-tuple matching.

Why Not E:

Automating tagging of rules based on historical log data is not a specific feature of Policy Optimizer.

While Policy Optimizer analyzes log data to recommend policy changes, tagging is not its primary use

case.

Reference from Palo Alto Networks Documentation:

Policy Optimizer Overview

Transitioning to Application-Based Policies

The appropriate CDSS subscription to inspect and mitigate suspicious DNS traffic is Advanced DNS

Security. Here’s why:

Advanced DNS Security protects against DNS-based threats, including domain generation algorithms

(DGA), DNS tunneling (often used for data exfiltration), and malicious domains used in attacks. It

leverages machine learning to detect and block DNS traffic associated with command-and-control

servers or other malicious activities. In this case, unusually high DNS traffic to an unfamiliar IP

address is likely indicative of a DNS-based attack or malware activity, making this the most suitable

service.

Option A: Advanced Threat Prevention (ATP) focuses on identifying and blocking sophisticated

threats in network traffic, such as exploits and evasive malware. While it complements DNS Security,

it does not specialize in analyzing DNS-specific traffic patterns.

Option B: Advanced WildFire focuses on detecting and preventing file-based threats, such as

malware delivered via email attachments or web downloads. It does not provide specific protection

for DNS-related anomalies.

Option C: Advanced URL Filtering is designed to prevent access to malicious or inappropriate

websites based on their URLs. While DNS may be indirectly involved in resolving malicious websites,

this service does not directly inspect DNS traffic patterns for threats.

Option D (Correct): Advanced DNS Security specifically addresses DNS-based threats. By enabling this

service, the customer can detect and block DNS queries to malicious domains and investigate

anomalous DNS behavior like the high traffic observed in this scenario.

How to Enable Advanced DNS Security:

Ensure the firewall has a valid Advanced DNS Security license.

Navigate to Objects > Security Profiles > Anti-Spyware.

Enable DNS Security under the "DNS Signatures" section.

Apply the Anti-Spyware profile to the relevant Security Policy to enforce DNS Security.

Reference:

Palo Alto Networks Advanced DNS Security Overview: https://www.paloaltonetworks.com/dnssecurity

Best Practices for DNS Security Configuration.

Palo Alto Networks Next-Generation Firewalls (NGFWs) provide robust security features across a

variety of use cases. Let’s analyze each option:

A . Code-embedded NGFWs provide enhanced IoT security by allowing PAN-OS code to be run on

devices that do not support embedded VM images.

This statement is incorrect. NGFWs do not operate as "code-embedded" solutions for IoT devices.

Instead, they protect IoT devices through advanced threat prevention, device identification, and

segmentation capabilities.

B . Serverless NGFW code security provides public cloud security for code-only deployments that do

not leverage VM instances or containerized services.

This is not a valid use case. Palo Alto NGFWs provide security for public cloud environments using

VM-series firewalls, CN-series (containerized firewalls), and Prisma Cloud for securing serverless

architectures. NGFWs do not operate in "code-only" environments.

C . IT/OT segmentation firewalls allow operational technology (OT) resources in plant networks to

securely interface with IT resources in the corporate network.

This is a valid use case. Palo Alto NGFWs are widely used in industrial environments to provide IT/OT

segmentation, ensuring that operational technology systems in plants or manufacturing facilities can

securely communicate with IT networks while protecting against cross-segment threats. Features like

App-ID, User-ID, and Threat Prevention are leveraged for this segmentation.

D . PAN-OS GlobalProtect gateways allow companies to run malware and exploit prevention modules

on their endpoints without installing endpoint agents.

This is incorrect. GlobalProtect gateways provide secure remote access to corporate networks and

extend the NGFW’s threat prevention capabilities to endpoints, but endpoint agents are required to

enforce malware and exploit prevention modules.

Key Takeaways:

IT/OT segmentation with NGFWs is a real and critical use case in industries like manufacturing and

utilities.

The other options describe features or scenarios that are not applicable or valid for NGFWs.

Reference:

Palo Alto Networks NGFW Use Cases

Industrial Security with NGFWs

North-south traffic refers to the flow of data in and out of a network, typically between internal

resources and the internet. To secure this type of traffic, Palo Alto Networks recommends specific

CDSS subscriptions in addition to DNS Security:

A . SaaS Security

SaaS Security is designed for monitoring and securing SaaS application usage but is not essential for

handling typical north-south traffic.

B . Advanced WildFire

Advanced WildFire provides cloud-based malware analysis and sandboxing to detect and block zero-

day threats. It is a critical component for securing north-south traffic against advanced malware.

C . Enterprise DLP

Enterprise DLP focuses on data loss prevention, primarily for protecting sensitive data. While

important, it is not a minimum recommendation for securing north-south traffic.

D . Advanced Threat Prevention

Advanced Threat Prevention (ATP) replaces traditional IPS and provides inline detection and

prevention of evasive threats in north-south traffic. It is a crucial recommendation for protecting

against sophisticated threats.

E . Advanced URL Filtering

Advanced URL Filtering prevents access to malicious or harmful URLs. It complements DNS Security

to provide comprehensive web protection for north-south traffic.

Key Takeaways:

Advanced WildFire, Advanced Threat Prevention, and Advanced URL Filtering are minimum

recommendations for NGFWs handling north-south traffic, alongside DNS Security.

SaaS Security and Enterprise DLP, while valuable, are not minimum requirements for this use case.

Reference:

Palo Alto Networks NGFW Best Practices

Cloud-Delivered Security Services

Zero-day malware attacks are sophisticated threats that exploit previously unknown vulnerabilities or

malware signatures. To provide protection against such attacks, the appropriate Cloud-Delivered

Security Service subscription must be included.

Why "Advanced WildFire" (Correct Answer C)?

Advanced WildFire is Palo Alto Networks’ sandboxing solution that identifies and prevents zero-day

malware. It uses machine learning, dynamic analysis, and static analysis to detect unknown malware

in real time.

Files and executables are analyzed in the cloud-based sandbox, and protections are shared globally

within minutes.

Advanced WildFire specifically addresses zero-day threats by dynamically analyzing suspicious files

and generating new signatures.

Why not "AI Access Security" (Option A)?

AI Access Security is designed to secure SaaS applications by monitoring and enforcing data

protection and compliance. While useful for SaaS security, it does not focus on detecting or

preventing zero-day malware.

Why not "Advanced Threat Prevention" (Option B)?

Advanced Threat Prevention (ATP) focuses on detecting zero-day exploits (e.g., SQL injection, buffer

overflows) using inline deep learning but is not specifically designed to analyze and prevent zero-day

malware. ATP complements Advanced WildFire, but WildFire is the primary solution for malware

detection.

Why not "App-ID" (Option D)?

App-ID identifies and controls applications on the network. While it improves visibility and security

posture, it does not address zero-day malware detection or prevention.

Reference: Palo Alto Networks Advanced WildFire documentation confirms its role in detecting and

preventing zero-day malware through advanced analysis techniques.