To determine which sources an engineer can use to gather information about application patterns for creating custom signatures, let’s analyze each option based on PAN-OS 11.0 documentation and typical network troubleshooting practices.
A. Traffic Logs
Why It’s Correct:
Traffic logs in PAN-OS provide details about all traffic flowing through the firewall, including:
Application details.
Source and destination IPs.
Ports used.
This data is essential for identifying patterns, such as specific ports, protocols, or behaviors associated with an application.
How to Use:
Navigate to Monitor > Logs > Traffic in the web interface.
Look for the relevant application traffic and note recurring patterns.
Documentation Reference:
PAN-OS 11.0 Admin Guide, Logging and Reporting Section: Discusses traffic logs as a resource for application and behavior analysis.
B. Data Filtering Logs
Why It’s Incorrect:
Data filtering logs focus on inspecting files, data patterns, or sensitive information such as credit card numbers. These logs are not designed for gathering application-specific traffic patterns.
Documentation Reference:
PAN-OS 11.0 Admin Guide: Details how data filtering logs are used for content inspection, not for creating application signatures.
C. Policy Optimizer
Why It’s Incorrect:
Policy Optimizer helps refine security policies by identifying unused or overly permissive rules. It does not provide information about traffic patterns for applications.
Documentation Reference:
PAN-OS 11.0 Admin Guide, Policy Optimization Section: Focuses on rule management rather than traffic pattern analysis.
D. Wireshark
Why It’s Correct:
Wireshark is a powerful network protocol analyzer that captures and analyzes traffic at a granular level. Engineers can:
Identify application-specific headers or payloads.
Examine protocol behaviors.
Spot unique signatures in application traffic.
How to Use:
Capture traffic flowing to/from the application using a SPAN (mirror) port on the switch, or a packet capture taken on the firewall itself.
Analyze the captured packets for recurring patterns (e.g., specific headers or payload data).
Documentation Reference:
While not directly mentioned in PAN-OS documentation, Wireshark is commonly recommended as a tool for packet analysis in custom application signature creation.
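The two steps above (note recurring ports in the traffic logs, then look for a common header or payload string in the capture) can be scripted once the data is exported. The following is an added example, not part of the original answer or of any Palo Alto Networks tool; the log rows, the hypothetical "XAPP" payloads, and the field names are all constructed for illustration.

```python
from collections import Counter

# Constructed traffic-log rows (simplified key=value form, not real PAN-OS export format).
TRAFFIC_LOG = [
    "app=unknown-tcp src=10.1.1.5 dst=203.0.113.10 dport=4444 proto=tcp",
    "app=unknown-tcp src=10.1.1.7 dst=203.0.113.10 dport=4444 proto=tcp",
    "app=web-browsing src=10.1.1.5 dst=203.0.113.20 dport=80 proto=tcp",
    "app=unknown-tcp src=10.1.1.9 dst=203.0.113.10 dport=4444 proto=tcp",
]

# Constructed payloads of the unknown-tcp flows, as they would appear in a Wireshark capture.
PAYLOADS = [
    b"XAPP/1.0 HELLO client=desktop\r\nToken: abc\r\n",
    b"XAPP/1.0 HELLO client=mobile\r\nToken: qrs\r\n",
    b"XAPP/1.0 LIST folder=/docs\r\n",
]

# Constructed payloads of other, already-classified traffic, used to check for false positives.
OTHER_PAYLOADS = [b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"]


def summarize_unknown_flows(lines):
    """Count (proto, dport) pairs for flows the firewall could not classify."""
    counts = Counter()
    for line in lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields["app"].startswith("unknown-"):
            counts[(fields["proto"], int(fields["dport"]))] += 1
    return counts


def candidate_pattern(payloads, min_len=6):
    """Longest byte string present in every payload: a candidate custom-signature pattern.

    Brute force over substrings of the shortest payload; fine for a handful of captured flows.
    """
    shortest = min(payloads, key=len)
    for length in range(len(shortest), min_len - 1, -1):
        for start in range(len(shortest) - length + 1):
            sub = shortest[start:start + length]
            if all(sub in p for p in payloads):
                return sub.strip()
    return None


def pattern_is_specific(pattern, other_payloads):
    """True if the pattern does not also match traffic from unrelated applications."""
    return pattern is not None and not any(pattern in p for p in other_payloads)


if __name__ == "__main__":
    print(summarize_unknown_flows(TRAFFIC_LOG).most_common(1))
    pat = candidate_pattern(PAYLOADS)
    print(pat, pattern_is_specific(pat, OTHER_PAYLOADS))
```

The port count from the log narrows which flows to capture, and the false-positive check is the step worth doing before the pattern goes into a custom App-ID.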
Summary of Correct Choices
Traffic Logs:
Provides a high-level view of application behavior and network patterns.
Wireshark:
Allows deep packet inspection and analysis for identifying unique application behaviors.
PAN-OS 11.0 Study Guide References
PCNSA Study Guide:
Domain 3: Policy Evaluation and Management:
Discusses using traffic logs to refine policies and understand application behavior.
PCNSE Study Guide:
Domain 4: Securing Traffic:
Emphasizes tools like Wireshark for advanced traffic and application analysis.