Which three tools are available to customers to facilitate the simplified and/or best-practice configuration of Palo Alto Networks Next-Generation Firewalls (NGFWs)? (Choose three.)

Which three tools are available to customers to facilitate the simplified and/or best-practice configuration of Palo Alto Networks Next-Generation Firewalls (NGFWs)? (Choose three.)

A. Telemetry to ensure that Palo Alto Networks has full visibility into the firewall configuration

B. Day 1 Configuration through the customer support portal (CSP)

C. Policy Optimizer to help identify and recommend Layer 7 policy changes

D. Expedition to enable the creation of custom threat signatures

E. Best Practice Assessment (BPA) in Strata Cloud Manager (SCM)

Answer: CDE

Explanation:

Palo Alto Networks provides several tools to simplify NGFW configuration and ensure best practices are followed:

A. Telemetry to ensure that Palo Alto Networks has full visibility into the firewall configuration: While telemetry is crucial for monitoring and threat intelligence, it doesn’t directly facilitate configuration in a simplified or best-practice manner. Telemetry provides data about the configuration and its performance, but it doesn’t guide the configuration process itself.

B. Day 1 Configuration through the customer support portal (CSP): The CSP offers resources and documentation, but it doesn’t provide a specific "Day 1 Configuration" tool that automates or simplifies initial setup in a guided way. The initial configuration is typically done through the firewall’s web interface or CLI.

C. Policy Optimizer to help identify and recommend Layer 7 policy changes: This is a key tool for simplifying and optimizing security policies. Policy Optimizer analyzes traffic logs and provides recommendations for refining Layer 7 policies based on application usage. This helps reduce policy complexity and improve security posture by ensuring policies are as specific as possible.

D. Expedition to enable the creation of custom threat signatures: Expedition is a migration tool that can also be used to create custom App-IDs and threat signatures. While primarily for migrations, its ability to create custom signatures helps tailor the firewall’s protection to specific environments and applications, which is a form of configuration optimization.

E. Best Practice Assessment (BPA) in Strata Cloud Manager (SCM): The BPA is a powerful tool that analyzes firewall configurations against Palo Alto Networks best practices. It provides detailed reports with recommendations for improving security, performance, and compliance. This is a direct way to ensure configurations adhere to best practices.

Reference: Palo Alto Networks documentation highlights these tools:

Policy Optimizer documentation: Search for "Policy Optimizer" on the Palo Alto Networks support portal. This documentation explains how the tool analyzes traffic and provides policy recommendations.

Expedition documentation: Search for "Expedition" on the Palo Alto Networks support portal. This documentation describes its migration and custom signature creation capabilities.

Strata Cloud Manager documentation: Search for "Strata Cloud Manager" or "Best Practice Assessment" within the SCM documentation on the support portal. This will provide details on how the BPA works and the types of recommendations it provides.

These references confirm that Policy Optimizer, Expedition (for custom signatures), and the BPA in SCM are tools specifically designed to facilitate simplified and best-practice configuration of Palo Alto Networks NGFWs.