Palo Alto Networks PCNSE Practice Test Questions and Answers, Palo Alto Networks PCNSE Exam Dumps - PrepAway
3. Creating custom Anti-Spyware signatures
In this lecture, we'll learn how to create custom anti-spyware signatures. If you go under Objects, Custom Objects, and then Spyware, you can create your own custom signature. Let's go ahead and create one here; the custom signature will let us verify that the anti-spyware functionality is at least working. The threat ID range reserved for custom spyware signatures is 15,000 to 18,000, so we're going to create 15,001.
I'm going to call this "suspicious URI", and basically what we're going to be doing in the signature is matching a client trying to request an HTTP page with a specific URI path. We'll set the severity to critical. We can choose the direction: client to server, which is the direction of the traffic, the client trying to reach the server. For Default Action we're going to specify "alert," and then under "Signatures" is where we create the signatures themselves. You can create either a standard signature or a combination signature. A combination signature lets you combine multiple signatures and specify that if those signatures trigger within a specific time window, then the action is taken, with the hits aggregated by source, destination, or both source and destination. We'll use a standard signature to create our own. Click Add, and that takes us into the configuration of the signature: what is this signature going to trigger against?
Give it the name "suspicious URI", and then you can specify whether the scope is a transaction or a session. We'll use transaction scope. Then add a condition; there are different ways of matching content. If the parameter you're looking at is a number, you use the operators less than, equal to, or greater than. In our case we're going to use a pattern match, because a pattern match lets us match a string or an expression against different content inside the packet. When you choose this criterion, you can inspect all of the different contexts: DNS Request Answer, which allows you to do DNS-based anti-spyware; the DNS Request Answer section and the DNS Response Authority section. You can also look at the file HTML body and the file Java body, as well as the FTP Request Parameter and the FTP Response Banner. In our case, we're going to use the HTTP contexts.
Here is what you can do: HTTP Request Header, Host Header, and so on. We're going to use HTTP Request URI Path, and we're going to be looking for the pattern asterisk, "virus path", asterisk, which means anything, followed by "virus path", followed by anything. That's the pattern it's going to look for. This is pretty simple, but it shows you the power of the tool for creating your own custom signature. You can expand on this and use multiple criteria: for example "this and that", "this and that", and "this or that", so you can build a pretty powerful signature by AND-ing or OR-ing different criteria. Go ahead and click OK, and then click OK again. Now that's done, let's go ahead and commit. Now that it's committed, let's open the browser again and test the signature pattern; we're looking for "virus path". Open another tab, request a URL containing that pattern, and that triggers it.
Let's find out if we triggered anything under Monitor and then Threat. It triggered: it's looking for "virus path", the firewall blocks it, and the page says, "Okay, this is virus spyware; please contact your system administrator." Let's go back to Monitor, Threat and refresh. We see here that it triggered with the name of the suspicious URI signature and reset both the server and the client side. Now let's create another signature for DNS: a suspicious DNS signature with threat ID 15,002, severity critical, default action alert. Since this is DNS, we're going to just alert, with direction both, and then the signature. We're going to use the same method we used last time. We'll call this "suspicious DNS" and add a condition: pattern match, and for the context we specify DNS. The DNS request from the client would be in the DNS Request section, and the pattern would be "malware is bad, test, dot, asterisk"; that's what we're going to be looking for. It's set up now; click OK, and then commit.
Now we're going to open a command prompt and query that malware domain. There you go, we see it now: it's the suspicious DNS signature, and it's dropping it. Since we also enabled packet capture for critical, we see the packet capture here, and we see what the client is seeing. You can export this and open it up in Wireshark. Go ahead and open it in Wireshark so we can see the exported packets; this is the packet that shows you the client did this query. So it's a pretty powerful tool that you can use to customise for your environment: if you suspect that some traffic pattern is indicative of spyware and there's no signature for it, you can write your own. We used this here for testing, to verify that the anti-spyware functionality is working correctly, but it also shows you the power of the solution. The sinkhole is also a pretty powerful feature. You can use it to identify whether any clients on your network are infected with spyware and send them to a specific internal web server, or maybe a zone on the firewall like we did, and do some intelligent alerting around it.
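As an added example (not from the lecture or from Palo Alto Networks), here is a small Python model of the signature semantics just walked through: contexts such as the HTTP request URI path and the DNS request section, wildcard patterns as typed in the GUI, direction, AND/OR condition groups, and a combination signature with a time window and source/destination aggregation. It runs over constructed transactions rather than real firewall traffic; the DNS pattern spelling, the combination signature and the sample addresses are assumptions, and the same model covers the custom vulnerability signature (ID range 41,001 to 45,000) created in the next lecture.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field

def glob_to_regex(pattern):  # GUI pattern: '*' matches anything, the rest is literal
    return re.compile("^" + ".*".join(map(re.escape, pattern.split("*"))) + "$", re.I)

@dataclass
class StandardSignature:
    threat_id: int       # custom spyware IDs 15000-18000, custom vulnerability IDs 41001-45000
    name: str
    direction: str       # "client2server", "server2client" or "both"
    default_action: str  # "alert", "drop", "reset-client", "reset-both", ...
    conditions: list     # AND-list of OR-groups of (context, pattern)

    def matches(self, txn):
        if self.direction != "both" and txn["direction"] != self.direction:
            return False
        ctx = txn["contexts"]  # fields extracted from one transaction, keyed by context name
        return all(any(c in ctx and glob_to_regex(p).search(ctx[c]) for c, p in group)
                   for group in self.conditions)

@dataclass
class CombinationSignature:
    """Fires once members hit `threshold` times in `window` seconds, counted per aggregation key."""
    name: str
    members: set
    window: int
    threshold: int
    aggregate_by: str    # "source", "destination" or "source-and-destination"
    hits: dict = field(default_factory=lambda: defaultdict(deque))

    def observe(self, txn, fired):
        if not fired & self.members:
            return False
        key = {"source": txn["src"], "destination": txn["dst"],
               "source-and-destination": (txn["src"], txn["dst"])}[self.aggregate_by]
        q = self.hits[key]
        q.append(txn["ts"])
        while txn["ts"] - q[0] > self.window:  # age out hits older than the window
            q.popleft()
        return len(q) >= self.threshold

def evaluate(txns, standards, combos):
    """Return (timestamp, signature name, action) for every trigger, in order."""
    events = []
    for txn in txns:
        fired = {s.name for s in standards if s.matches(txn)}
        events += [(txn["ts"], s.name, s.default_action) for s in standards if s.name in fired]
        events += [(txn["ts"], c.name, "alert") for c in combos if c.observe(txn, fired)]
    return events

def make_txn(ts, direction, src, context, value):  # constructed helper: a one-field transaction
    return {"ts": ts, "direction": direction, "src": src, "dst": "203.0.113.10", "contexts": {context: value}}

SIGS = [  # the lectures' three signatures; the DNS pattern's exact spelling is assumed
    StandardSignature(15001, "suspicious URI", "client2server", "alert", [[("http-req-uri-path", "*virus path*")]]),
    StandardSignature(15002, "suspicious DNS", "both", "alert", [[("dns-req-section", "malware-is-bad.test*")]]),
    StandardSignature(41001, "custom IPS client URI", "client2server", "reset-client",
                      [[("http-req-uri-path", "*paloaltorules*")]]),
]
COMBO = CombinationSignature("repeat DNS beacon", {"suspicious DNS"}, 60, 3, "source")  # hypothetical
TXNS = [  # constructed traffic from one client, 10.1.1.5, over 50 seconds
    make_txn(0, "client2server", "10.1.1.5", "http-req-uri-path", "/virus path/test.html"),
    make_txn(5, "client2server", "10.1.1.5", "dns-req-section", "malware-is-bad.test"),
    make_txn(20, "client2server", "10.1.1.5", "dns-req-section", "malware-is-bad.test"),
    make_txn(30, "client2server", "10.1.1.5", "dns-req-section", "www.malware-is-bad.test"),  # anchored
    make_txn(40, "client2server", "10.1.1.5", "dns-req-section", "malware-is-bad.test"),  # 3rd hit
    make_txn(50, "client2server", "10.1.1.5", "http-req-uri-path", "/paloaltorules"),
]
```

Calling `evaluate(TXNS, SIGS, [COMBO])` yields one alert per standard-signature hit plus the combination alert at the third DNS hit; the `www.` query shows that a pattern without a leading asterisk is anchored at the start.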
4. Configuring Vulnerability Protection and Custom Signatures
Vulnerability protection is provided by the IPS functionality on the Palo Alto firewall. The same as with the anti-spyware configuration, you have two profiles by default, default and strict, and by default the rules are keyed on different signature attributes. Client critical means: if the signature is impacting the client and it's critical, the default action would be used; then client high, client medium, server critical, server high, server medium. Which rules are consulted depends on the direction of the traffic: if it's from client to server, the client rules are the ones looked at when the signature is client-impacting, and if it's critical, the default action would be taken.
However, most default actions are alert. If we go to Exceptions here and look at all the signatures, you can do a search on CVE, or "CVE contains", so you can search based on the CVE numbers a signature contains, but unfortunately you cannot search based on the threat name. Some of them default to alert and some of them to reset-both, depending on the criticality of the signature currently in the system.
There are 7,516 threats, so there's quite a lot to look at. If you are curious about the different signatures, you can look at them here. This is also the place where, if a signature is triggering and it's really a false positive for your environment, you can go in and change the default. Let's say the default is reset-both and this signature is a false positive for your environment: you can change this to something else, for example alert. The options for the action are alert, block IP, default, drop, reset both, reset client, and reset server. Block IP makes more sense if you're looking at your signatures from the outside in, and that is a good place to use block IP. The strict profile steps up the action: for client critical it's reset both, client high reset both, client informational default, client low default (the default action specified in the signature), server critical reset both, and so on. However, we can also go ahead and add our own profile. We're going to call this "outbound IPS", and then we're going to create rules.
You can specify the rules based on CVE numbers or the host type, whether it's client or server. Since this is outbound, we're going to choose client, and the action would be reset client, because these are client severities critical, high, and medium; we're going to reset the client and do a single packet capture. The categories here are brute force, code execution, command execution, DoS, info leak, overflow, scan, and SQL injection; we're doing all of those. Then we're going to add another rule: low and informational, client, the action would be default, packet capture disabled, and category any. So for low and informational, we're using the recommendation from the signature itself.
Click OK. That creates your IPS profile. The same thing we did with the spyware, you can do with vulnerability protection: you can create a custom signature. We're going to create one here; the custom threat ID range is 41,001 to 45,000. We're going to create a custom threat ID and call it "custom IPS client URI", using the same method we used last time. We'll specify the severity as critical, the action as reset client, and the direction as client to server. Then, as we did last time, we create a custom URI signature and add a condition to do a pattern match. The context would be HTTP Request URI Path, and the pattern would be "Palo Alto rules" with an asterisk.
Click OK, and the configuration looks like that. This is the custom signature we created. Now that we've created the vulnerability protection profile, we need to apply it to the user traffic. We go under Policies, find the outbound traffic rule, "allow business apps", go to its Profiles tab, and add that profile. Then go ahead and commit. Go back and remind ourselves of the signature under Custom Objects, Vulnerability, client URI. Now let's go here and request www.google.com with the test pattern, and the connection is reset. So that triggered the rule. Let's go back to Monitor: pretty much everything that triggers shows up under the threat logs, Monitor, Threat, and we see here that the custom vulnerability signature we specified triggered. We can look at the extended capture, which shows us the packets, and we can also export it to Wireshark and look at it, and we see that it matched on this.
For the most part, maintenance of the intrusion prevention system is pretty straightforward. What you have to do is also make sure that you have the proper license: go under Licenses and make sure you have Threat Prevention. Then also Dynamic Updates: you have to make sure your system is updated. Here are Applications and Threats; we're going to download and install them daily, so it stays up to date with the threats. Then click OK. You have to make sure this is downloaded and installed, and you can do a check to make sure it's updated. Check the latest threats, and we see that there is a new one, so we're going to download it and then install it. When you do the download and install, in the bottom right corner you see Tasks; you can click on Tasks to see the tasks that are currently running, to give you an idea of progress.
So I downloaded it and went ahead and installed it. Click on the install action and let's commit. Applications and Threats downloads any new applications and also the vulnerability signatures. Okay, we're going to go ahead and try this again: Continue Installation, and it's going to do the installation. If you set this schedule for every day at midnight or 2:00 a.m. or something like that, you can have it automatically download and install the latest application information, application signatures, and threats.
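As an added illustration (not Palo Alto's own logic), the following Python resolves the action for a threat the way the outbound IPS profile above is built: exceptions override rules, the first rule whose host type, severity and category match wins, and a rule action of "default" falls back to the signature's own recommendation. The sample threats, every threat ID other than 41001, and the exception entry are constructed; a threat no rule covers is modelled as allowed, which is why a client-only outbound profile leaves the constructed server-side threat untouched.

```python
from dataclasses import dataclass

@dataclass
class Threat:
    threat_id: int
    name: str
    host: str            # "client" or "server": the side the exploit impacts
    severity: str        # critical, high, medium, low or informational
    category: str        # brute-force, code-execution, dos, info-leak, overflow, scan, sql-injection, ...
    default_action: str  # the action recommended by the signature itself

@dataclass
class Rule:
    name: str
    host: str            # "client", "server" or "any"
    severities: set
    categories: set      # empty set = any category
    action: str          # "default" defers to the signature's own default action
    packet_capture: str  # "disable", "single-packet" or "extended-capture"

    def matches(self, t):
        return (self.host in ("any", t.host) and t.severity in self.severities
                and (not self.categories or t.category in self.categories))

def resolve(rules, exceptions, t):
    """Exceptions win over rules, then the first matching rule wins; a threat no rule
    covers is modelled as allowed. Returns (action, packet capture, reason)."""
    if t.threat_id in exceptions:
        return exceptions[t.threat_id], "disable", "exception"
    for r in rules:
        if r.matches(t):
            return (t.default_action if r.action == "default" else r.action), r.packet_capture, r.name
    return "allow", "disable", "no matching rule"

# The "outbound IPS" profile built in the lecture.
CLIENT_CATEGORIES = {"brute-force", "code-execution", "command-execution", "dos",
                     "info-leak", "overflow", "scan", "sql-injection"}
OUTBOUND_IPS = [
    Rule("client critical/high/medium", "client", {"critical", "high", "medium"},
         CLIENT_CATEGORIES, "reset-client", "single-packet"),
    Rule("client low/informational", "client", {"low", "informational"}, set(), "default", "disable"),
]
# The exception case from the lecture: a signature whose reset-both default is a false
# positive in this environment, toned down to alert. The threat ID is constructed.
EXCEPTIONS = {30001: "alert"}

THREATS = [  # constructed sample threats; only 41001 comes from the lecture
    Threat(41001, "custom IPS client URI", "client", "critical", "code-execution", "reset-client"),
    Threat(30002, "noisy scanner probe", "client", "informational", "scan", "alert"),
    Threat(30001, "false positive overflow", "client", "high", "overflow", "reset-both"),
    Threat(30003, "inbound SQL injection", "server", "critical", "sql-injection", "reset-both"),
]

def decisions(threats=THREATS, rules=OUTBOUND_IPS, exceptions=EXCEPTIONS):
    return {t.name: resolve(rules, exceptions, t) for t in threats}
```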
5. File Policies
In this lecture, we'll talk about file blocking. Palo Alto allows you to control the files that are uploaded and downloaded by your users. It also allows you to control what files can be uploaded to or downloaded from your systems by public users. It all depends on the file blocking policy. Under Objects, Security Profiles, File Blocking, you can click Add, and we're going to start by creating an outbound file policy.
You can create multiple policies and base your policy on applications. By default the application is any, but you can add specific applications. For example, we can specify that the 4shared application is blocked from downloading and uploading. Let's take a look at something else: Google. Between the Google search engine, Google App Engine, and Google Play, you have a pretty wide variety of applications that you can control. You can control it based on applications, and you can also control it based on file types. If we look at the file types here, a lot of file types are available; you can choose any file type or you can be more specific.
We're going to start with something simple: our users should not be able to download PDF files. So: "PDF block", application any, file type PDF, direction download, and action block. We'll start with a policy as simple as this. Then we need to apply the policy to our traffic, the same as we did with the anti-spyware, the vulnerability protection, and everything else. We go to the rules and, under File Blocking, add our outbound file policy to the filtering rule; we also need to add it to the general trust rule. We specify the file blocking profile and then go ahead and commit. Now that we've done that, we go to Google, search for file type PDF, and try to download any PDF file here. File transfer is blocked: you cannot download any PDF files. This shows you an example of how to do this. You can also add additional file types to this list to block, and also do alerts. Most of the time, you don't want to block downloads.
Instead, you can alert on downloads and block uploads: apply a block to any upload. We'll call this policy "alert download, block upload", and commit. Under Monitor, Data Filtering, we see the event of the PDF that was blocked. Now that it's no longer blocked, we can download any PDF file; it's going to be alerted on. We'll go back here to our firewall, and we'll see shortly that the files downloaded and alerted on are here; the action changed from block to alert. So it really depends on your environment and how you want to control your users. You can, for example, base your decision on Active Directory group membership: customer service, for example, can only download documents, or can download and upload them, and so on. This is another powerful feature of the Palo Alto firewall that you can benefit from. Next week, we'll talk about how to dynamically analyse files in the cloud using the Wildfire cloud, return the verdict, and block any malware using Wildfire.
6. Configuring Wildfire
In the last lecture, I showed you file blocking. There's a difference between the 6.1 and 7.0 code. In 6.1, file blocking is in the same place where you set up the Wildfire action: when you create a policy, you can specify that the traffic will go to Wildfire for inspection. I'm on a 6.1 firewall right now. I'm going to go ahead and create an outbound policy here to show you the difference. Click Add; you can specify different applications and different file types, and the actions are alert, block, continue (if you want to ask the user, "Are you sure you want to proceed with downloading this file?"), forward (the action that sends the file to Wildfire for analysis), and continue and forward, which asks the user, "Are you sure you want to continue downloading or uploading this file?" and also forwards the file to Wildfire. In the 7.0 code there is a different profile for Wildfire analysis. If you want to send a file for Wildfire analysis, you have to create a Wildfire analysis profile to do that: give it a name, "outbound Wildfire".
You can choose any application or any file types and the direction, whether it's download or upload, and analyse the file using either the public cloud or the private cloud. The public cloud is analysis of the file in the Wildfire cloud systems hosted by Palo Alto; private is for when you have an internal Wildfire solution in place. This is equivalent to the forward action in the 6.1 code. When you specify analysis on the public cloud, what happens is the firewall takes the file, sends it to the cloud for analysis, and the cloud investigates whether this file has malware activity and acts like malware. When that's identified, you get the Wildfire update. Under Dynamic Updates, when we did the antivirus, you saw the antivirus update, which is hourly; we specified it to run every hour, followed by the Wildfire update, and that will give you protection against that malware, for both you and pretty much everybody else. So it's a crowdsourcing type of solution: if one customer gets malware, pretty much all other customers get the same signature and will be able to defend themselves against it. That's part of the solution. A file goes to Wildfire when it was not identified as malware and did not trigger any signatures on the malware side or the antivirus side.
It did not trigger any signatures on the Wildfire side either; the Wildfire signatures weren't aware of it. You are doing an additional step, which is sending that file to the Wildfire cloud for analysis. This is the third level of checking, to further analyse that file and verify that it doesn't have malware. It goes to the Wildfire cloud, it gets analysed, and if it is identified as malware later on, you will get that signature along with everybody else. Just to repeat, to make sure you get the point, let's create an outbound file policy here. We're going to specify forwarding all files to the cloud, all file types, and the public cloud. Then we need to attach this to the security rules, and commit. Then we're going to repeat the test: download a file from the Internet. "Testing one, two, three", file type PDF; I'm just downloading any file here. So we downloaded the file. We go to Monitor and we see "Wildfire Submissions". Let's see what this means alongside the data filtering we created: we created this before to alert us if any file was downloaded, and we see here the "testing one, two, three" file. We see this file, and shortly you should see the Wildfire submission. Let's download another file here.
I'm downloading pretty much any file. We go to Data Filtering and we see the file was downloaded. Under Device, Setup, there's a Wildfire tab; let's verify that everything is configured correctly: General Settings, File Size Limits. There are different file size limits here, and you can specify different limits per file type, and "Report Benign Files". Let's go back to Monitor, Wildfire Submissions. I've seen this before, where it doesn't show up under Wildfire; sometimes this is a bug, and it doesn't show up under Wildfire Submissions. I'm going to try to find another file, a Microsoft Office file. It takes a little bit of time to get forwarded. Now we see the Wildfire submissions: it was sent to Wildfire for analysis in the cloud. It's a pretty powerful tool, because imagine this: you get a virus, it gets sent to the cloud, gets analysed, and then everybody else gets the signature within the next couple of hours. So the potential is pretty, pretty big.
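As an added example (constructed, not the firewall's own code), this Python ties together the file-blocking rules from the previous lecture and the 7.0-style Wildfire analysis profile from this one: the first matching file-blocking rule decides the data-filtering action, and a file that is not blocked is submitted to Wildfire only if the analysis profile covers its type and direction and it is under the per-type size limit. The applications, file types, size limits and sample transfers are constructed values, and the "4shared" rule is the example mentioned in the file-blocking lecture.

```python
from dataclasses import dataclass

@dataclass
class FileRule:
    name: str
    applications: set  # empty = any application (e.g. {"4shared"} to single one out)
    file_types: set    # empty = any file type
    direction: str     # "upload", "download" or "both"
    action: str        # "alert", "block" or "continue"; on 6.1 "forward" lived here too

    def matches(self, f):
        return ((not self.applications or f["app"] in self.applications)
                and (not self.file_types or f["type"] in self.file_types)
                and self.direction in ("both", f["direction"]))

@dataclass
class WildFireProfile:   # 7.0-style analysis profile, separate from file blocking
    file_types: set      # empty = any file type
    direction: str       # "upload", "download" or "both"
    analysis: str        # "public-cloud" or "private-cloud"
    size_limit_kb: dict  # per file type, as under Device > Setup > WildFire (values constructed)

    def covers(self, f):
        return ((not self.file_types or f["type"] in self.file_types)
                and self.direction in ("both", f["direction"])
                and f["size_kb"] <= self.size_limit_kb.get(f["type"], 0))

def inspect_transfer(f, rules, wf):
    """First matching file-blocking rule sets the data-filtering action; a blocked file
    never reaches WildFire, anything else is submitted if the analysis profile covers it.
    Returns (action, analysis location or None)."""
    action = next((r.action for r in rules if r.matches(f)), "allow")
    submitted = action != "block" and wf.covers(f)
    return action, (wf.analysis if submitted else None)

# The two versions of the outbound profile from the lecture, plus the 4shared example.
PDF_BLOCK = [FileRule("PDF block", set(), {"pdf"}, "download", "block")]
ALERT_DOWN_BLOCK_UP = [
    FileRule("4shared block", {"4shared"}, set(), "both", "block"),
    FileRule("alert download", set(), set(), "download", "alert"),
    FileRule("block upload", set(), set(), "upload", "block"),
]
OUTBOUND_WILDFIRE = WildFireProfile(set(), "both", "public-cloud",
                                    {"pdf": 500, "doc": 2000, "exe": 2000})  # constructed limits

TRANSFERS = {  # constructed sample transfers
    "pdf from google": {"app": "web-browsing", "type": "pdf", "direction": "download", "size_kb": 300},
    "big office doc": {"app": "web-browsing", "type": "doc", "direction": "download", "size_kb": 4096},
    "upload to 4shared": {"app": "4shared", "type": "exe", "direction": "upload", "size_kb": 100},
    "upload to web form": {"app": "web-browsing", "type": "exe", "direction": "upload", "size_kb": 100},
}

def run(rules, transfers=TRANSFERS, wf=OUTBOUND_WILDFIRE):
    return {name: inspect_transfer(f, rules, wf) for name, f in transfers.items()}
```

Running `run(PDF_BLOCK)` and then `run(ALERT_DOWN_BLOCK_UP)` reproduces the block-then-alert sequence seen in the data-filtering log, and the oversized Office document shows a file that is alerted on but never submitted.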