Exam PCNSE topic 1 question 281 discussion

answer is C "Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. " https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection

answer is D

Option D is correct Option C is wrong This is internet Gateway Firewall. Packet captures on Internet gateway firewall does not make sense. Firewall would rather shut the session. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXCCA0 Notice that Anti-Spyware and Vulnerability Protection have more options Disabled Single Packet Select single-packet to capture one packet when a threat is detected. Extended-capture Select the extended-capture option to capture more packets. Extended-capture will provides much more context to the threat when analyzing the threat logs or when providing the captures for TAC to analyze.

Answer C, Enable extended-capture for critical, high, and medium severity events and single-packet capture for low severity events. Use the default extended-capture value of 5 packets, which provides enough information to analyze the threat in most cases.

Yup D. https://docs.paloaltonetworks.com/best-practices/9-1/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles

Correct answer is D. For inbound traffic aka internet traffic to the network behind paloalto firewall, the best practice is to use strict profile which uses *reset-both* action for critical/high sev events. For pcaps, use *single pcap* as the traffic volume is usually high. Can also use extended captures if the action is set to *alert*.

Clone the predefined strict Vulnerability Protection profile and edit it to create the best practice profile: Change the Action in the three brute force rules to reset-both and Packet Capture to single-packet to transition from alerting on brute-force attack events to blocking them. Consolidate critical, high, and medium severity events for servers and clients into one rule. Set the Action to reset-both and set Packet Capture to single-packet. This simplifies the profile and works because the profile uses the same action and the same packet capture settings for these severities.

C is the correct option: action 'reset-both' and packet capture 'extended-capture

Recommended Action "Reset-Both" Recommended Capture ? This General doc recommends "Enable extended-capture for critical, high, and medium severity" https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-web-interface-help/objects/objects-security-profiles-vulnerability-protection The Internet Gateway Specific Doc Recommends "Consolidate critical, high,…. Set the Action to reset-both and set Packet Capture to single-packet" Correct Answer is D

https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles#:~:text=end%20user%E2%80%99s%20device.-,Best%20Practice%20Internet%20Gateway%20Vulnerability%20Protection%20Profile,same%20action%20and%20the%20same%20packet%20capture%20settings%20for%20these%20severities.,-For%20profiles%20that

D is correct Question asks for Best Practice Internet Gateway Vulnerability Protection Profile. https://docs.paloaltonetworks.com/best-practices/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles Change the Action in the three brute force rules to reset-both and Packet Capture to single-packet to transition from alerting on brute-force attack events to blocking them. Consolidate critical, high, and medium severity events for servers and clients into one rule. Set the Action to reset-both and set Packet Capture to single-packet. This simplifies the profile and works because the profile uses the same action and the same packet capture settings for these severities.

Answer D is correct. Refer to https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles and read the following section: 'Best Practice Internet Gateway Vulnerability Protection Profile'

"For the best practice profile, for each rule except simple-client-informational and simple-server-informational, double-click the Rule Name and change Packet Capture from disable to single-packet to enable packet capture (PCAP) for each rule so you can track down the source of potential attacks." https://docs.paloaltonetworks.com/best-practices/10-2/data-center-best-practices/data-center-best-practice-security-policy/how-to-create-data-center-best-practice-security-profiles/create-the-data-center-best-practice-vulnerability-protection-profile

For the best security, set the Action for both client and server critical, high, and medium severity events to reset-both and use the default action for Informational and Low severity events.

"items of high severity and critical severity best matches Palo Alto Networks best practice" It is C

D. Just went through some BPA's and single-capture is the recommended.

For the best practice profile, for each rule except simple-client-informational and simple-server-informational, double-click the Rule Name and change Packet Capture from disable to single-packet to enable packet capture (PCAP) for each rule so you can track down the source of potential attacks. Don’t change the rest of the settings. Apply extended PCAP (as opposed to single PCAP) to high-value traffic to which you apply the alert Action We would not be setting an alert action on high severity and critical severity matches I think the answer is D https://docs.paloaltonetworks.com/best-practices/10-2/internet-gateway-best-practices/best-practice-internet-gateway-security-policy/create-best-practice-security-profiles