PCNSE Premium Bundle
- Premium File 445 Questions & Answers. Last update: Nov 24, 2022
- Training Course 142 Lectures
- Study Guide 122 Pages
PCNSE Exam - Palo Alto Networks Certified Network Security Engineer
7. Wildfire Portal
The WildFire setup involves configuring the WildFire Portal to alert you whenever malware, grayware, or benign files are seen. Go to wildfire.paloaltonetworks.com, log in with your support ID, and set your time zone. Then set the type of notifications you want to receive for each verdict category. You can also look at the dashboard to see the different types of files your firewalls have seen, and go to Reports to generate reports. For example, in this report we see the file we just analyzed, with a verdict of benign, together with the session information: what the session was and which Palo Alto firewall received the traffic. One more step is needed before you receive alerts and reports: you need to associate your device with the Palo Alto support portal and with the WildFire portal. Once a device is registered with Palo Alto, go to the WildFire portal, associate the device with it, and then configure the alerts. Under Settings, you specify which types of alerts you want to receive for malware, grayware, and benign verdicts. That completes the setup of a WildFire solution.
8. Configuring Data Filtering - Data Leakage Prevention
Now let's test this. We're going to search for some test credit card numbers. This first site is encrypted, so it's not going to work; I'm not able to access it right now. Let's find a site that's not encrypted. There you go: the connection was reset, and the firewall detected it. I went to a website that provided test credit card numbers, and the session was reset. Let's go to Monitor, then Data Filtering, and look at the details. The action was reset-both (or reset web browsing). In the details of the traffic we see the data pattern, a credit card number, with a repeat count of one, and the firewall detected the actual data. However, I don't see the data capture, so let me redo this with data capture enabled on the data filtering profile. With data capture enabled, the connection was reset again. Going back to Monitor, Data Filtering, we see that the credit card numbers were detected with a repeat count of one. Viewing the captured data requires a password: under Device, in the Content-ID settings, Manage Data Protection, you have to set a password. I set the password there, so let's give it another shot. Go to Monitor, Data Filtering, and refresh, and now I can see the data capture. We have to enter the password to view it, and then you can see the content. So this is easy to test: most card vendors publish test credit card numbers, so a search for test credit card numbers will turn up plenty. Browse to one, the connection is reset, refresh the Data Filtering log, and you see the detection. That's a good demonstration of the capabilities of the data filtering solution: protecting credit card information, social security numbers, your internal customer record numbers, and so on.
9. Denial Of Service Protection
The same applies to UDP traffic: the firewall drops all ICMP traffic after the ICMP maximum is reached, and drops all UDP traffic after the UDP threshold is reached. Why packets per second rather than sessions per second? With SYN requests you don't have a complete session; most of them are half-open sessions, not fully established ones, so SYN floods have to be counted in packets per second. In the case of UDP, although it's not stateful, the firewall treats it as a session and counts it as a session. However, if UDP traffic is hitting a deny rule, it's counted as packets. Reconnaissance protection allows you to protect your network from reconnaissance attacks like port scans and ICMP sweeps. The zone protection profile is always applied to the ingress zone of the traffic, irrespective of where the servers are located. So if you apply zone protection to the untrust zone, it performs reconnaissance protection against all traffic entering the untrust interfaces. For a port scan, the interval is the time between successive probes of ports on a host.
For a host sweep, the interval is likewise the time between successive probes. The threshold is the number of port probes sent to a destination host within the interval that will trigger reconnaissance protection. The actions you can specify are allow (permit the scan attempt), alert (send an alert), block (drop all traffic from the source to the destination), and block IP. For block IP you have two options: block the source, which blocks all traffic from that source, or block source-and-destination, which blocks traffic between that source and that destination. Packet-based attack protection checks packets for various anomalies, such as IP spoofing, fragmented traffic (you can specify not to accept any fragmented traffic), mismatched overlapping TCP segments, and non-SYN TCP packets: if someone tries to break into your web server, for example, they can send a TCP packet that is not a SYN to try to open a session. You can also drop IP options, ICMP ping ID 0, and other packet-based anomalies.
So you have zone protection, and then you have endpoint protection, which is a subset of zone protection. It applies to your endpoint: the web server you're trying to protect, the public service you're trying to protect. The endpoint (DoS) protection rule actions are deny, protect, which enforces the thresholds, and allow, with no protection. You have two ways of measuring the denial of service: aggregate and classified. Aggregate counts all matching traffic together and does not look at the source-destination pair. Classified groups the protected hosts and looks at the source IP, the destination IP, or the combination of source and destination IP. In the DoS protection profile you can also specify flood protection and resource-based protection, like maximum concurrent sessions. For a web server, for example, you can say: I'm going to limit this to about 1000 sessions; anything beyond that will be rejected.
10. Implementing Zone and Host Denial Of Service Protection
In this lecture, we will create zone protection and host-based protection, also called endpoint protection. Under Network, Zone Protection, you can create a profile. So we're going to create one to protect the untrust zone. I'm going to do the same thing we talked about: you can use SYN cookies if you prefer. You can specify to alert if incomplete SYN requests exceed 10,000 packets per second, then activate if they exceed 15,000, for example, or 20,000, and then the maximum packets per second, after which it starts dropping SYN requests, say 100,000. The ICMP settings are identical. You have the alert threshold, and while the rate is between alert and activate, it only sends an alert. So if the rate exceeds 10,000 packets per second, it only sends you an alert.
If it exceeds the activate rate, the firewall begins Random Early Drop. If it exceeds the maximum, it drops. Then ICMPv6, Other IP, and UDP. Next is reconnaissance protection; TCP port scan is optional. What's the interval over which you take your measurement, and what's the threshold for a TCP port scan? So if somebody probes 100 ports within 10 seconds, that's a port scan, and you can specify the action: alert, block, or block IP. For block IP you specify the tracking type: block by source, or by source and destination. If someone performs a port scan, it is reasonable to block them from reaching that destination. You can have different actions here; enable it, and then enable host sweep with the same settings.
What's the measurement interval, what's the threshold, and what's the action: allow, alert, block, or block IP by source or source-and-destination, with a duration to block. You can specify 300 seconds. Then UDP port scan: we're going to specify the same, block for 300 seconds. Packet-based attack protection includes spoofed IP address, strict IP address check, and fragmented traffic. Under IP option drop, check the options you want to drop: timestamp, record route, security, stream ID, unknown, and malformed. Then there are ICMP drop and TCP drop. Under TCP drop you can drop mismatched overlapping TCP segments, drop split handshakes, reject non-SYN TCP, and handle the asymmetric path. If you have asymmetric traffic on your network, you can set asymmetric path to bypass.
Under TCP options you can strip the TCP timestamp. Under ICMP drop: ICMP ping ID 0, ICMP fragment, ICMP TTL expired, ICMP large packet, ICMP embedded with error message, and so on. IPv6: if you don't have IPv6, you don't have to worry about that. So that's going to be your zone protection profile for the untrust zone. Click OK, and then we're going to go to Zones. Open the untrust zone and choose the zone protection profile. That should cover you in that zone. So we're going to go ahead and commit. Okay? Now that it is active, the next thing we want to do is protect our web server from denial of service attacks. So we're going to create a policy for that web server. Go under Objects, DoS Protection, and create a profile called web server protection. Since this is a web server and I'm only allowing TCP, I'm going to focus on SYN flood. And since I already have SYN cookies in the zone protection, I can use Random Early Drop here.
Random Early Drop: it's going to start alarming at 10,000 packets per second, and activate Random Early Drop after 10,000 packets per second, so the alarm rate and the activate rate are the same. You can make the activate rate higher, say 11,000. The maximum rate is 40,000 packets per second; it drops after 40,000. This profile can be aggregate, based on all traffic, or classified. If you make it classified, you can classify by source IP only, destination IP only, or source and destination IP. So it's entirely up to you which way you want to go. We'll specify classified. You can also configure UDP flood protection if, say, this is a server that handles UDP traffic, but since I don't have any other traffic here I'll skip it. ICMP flood I'm going to leave to the zone protection. That basically takes care of your web server profile. Now we need to implement the policy that applies the DoS protection.
To implement the policy, go to Policies, DoS Protection, and click Add. Name it web server protection; we're trying to protect it from traffic from the untrust zone. The destination zone will be trust, followed by the destination address, which will include the public and private IP addresses, and then under Option/Protection you can match against any service or specific services. In this case I'll use the HTTP and HTTPS services first, followed by RDP, because the server provides all three. The action can be deny, allow, or protect. Deny would deny all traffic. We want protection, so we click protect, and then you need to specify classified and choose the profile. If you had specified aggregate when you created the object, you would see it under aggregate; since we didn't specify aggregate, it's not going to be there. So when you created the DoS protection object, if you specified that it was aggregate, it's going to show up here.
However, because we specified classified, it appears under classified, where we select web server protection and specify the address: source and destination IP, both. Thinking about it, the parameters are quite generous. Since this is per source or destination IP, I want to be very granular, so I'm going to go back to Objects, DoS Protection, and reduce the rates to maybe 10,000, 20,000, or 30,000 packets per second. Then there's another great feature, resource protection: you can specify the maximum concurrent sessions.
So, if you wish to do so for your web server, since we classified by source and destination, we're going to specify that each source gets a maximum of 300 sessions. Then commit. So, reviewing this: we classified it; we did only SYN flood protection, because this is just HTTP, HTTPS, and RDP; we set the SYN flood thresholds in packets per second; we used resource protection to limit each source to 300 sessions, after which sessions are dropped; and we applied this in the DoS protection policy. So I hope this was a good, informative lecture on how to benefit from the DoS protection features in the Palo Alto firewall.
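To make the threshold semantics concrete, here is an added Python model (not the course's material and not Palo Alto Networks code) of how a DoS protection profile classifies one second of SYN traffic: aggregate versus classified buckets, the alarm/activate/maximum states, and the per-source session cap from resource protection. The sample traffic, addresses and threshold values are constructed assumptions.

```python
# Added example (not from the course or from Palo Alto Networks): a small
# model of the DoS protection semantics described in the lecture. The sample
# traffic and threshold values are assumptions for illustration only.
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class FloodProfile:
    alarm: int        # pps at which the firewall only logs an alert
    activate: int     # pps at which Random Early Drop (RED) starts
    maximum: int      # pps at or above which every SYN is dropped
    classify: str = "aggregate"  # or "source", "destination", "both"


def bucket(profile, src, dst):
    """Aggregate counts everything in one bucket; classified counts per host(s)."""
    return {"aggregate": "all", "source": src, "destination": dst,
            "both": (src, dst)}[profile.classify]


def state(profile, pps):
    """Alert between alarm and activate, RED up to maximum, hard drop beyond."""
    if pps >= profile.maximum:
        return "drop"
    if pps >= profile.activate:
        return "red"
    if pps >= profile.alarm:
        return "alert"
    return "none"


def evaluate_second(profile, syns):
    """syns: (src, dst) pairs seen in one second. Returns {bucket: state}."""
    counts = Counter(bucket(profile, s, d) for s, d in syns)
    return {k: state(profile, n) for k, n in counts.items()}


def resource_protect(max_sessions, new_sessions):
    """Resource protection: cap concurrent sessions per source (classified)."""
    active, verdicts = defaultdict(int), []
    for src in new_sessions:
        allowed = active[src] < max_sessions
        if allowed:
            active[src] += 1
        verdicts.append((src, "allowed" if allowed else "dropped"))
    return verdicts


# Constructed sample: one second of SYNs against a web server (RFC 5737 addresses).
WEB = "198.51.100.10"
SAMPLE_SYNS = [("203.0.113.5", WEB)] * 12000 + [("203.0.113.9", WEB)] * 500
CLASSIFIED = FloodProfile(alarm=10000, activate=11000, maximum=40000, classify="both")
AGGREGATE = FloodProfile(alarm=10000, activate=11000, maximum=40000)
```

With the classified profile only the 12,000 pps source enters Random Early Drop while the 500 pps source is untouched; with the aggregate profile both sources share one 12,500 pps bucket, which is why the lecture chooses classification for granular limits.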