PCNSE Study Guide

PALO ALTO
NETWORKS
PCNSE
STUDY GUIDE
July 2018
Palo Alto Networks, Inc. www.paloaltonetworks.com
©2016-2018 Palo Alto Networks – all rights reserved. Aperture, AutoFocus, GlobalProtect, Palo Alto
Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All
other trademarks are the property of their respective owners.
©2016-2018, Palo Alto Networks, Inc.
3
Contents
Overview ............................................................................................................................................................. 10
Exam Details ...................................................................................................................................................... 10
Intended Audience ............................................................................................................................................ 10
Qualifications ..................................................................................................................................................... 10
Skills Required ................................................................................................................................................... 11
Recommended Training .................................................................................................................................... 11
Palo Alto Networks strongly recommends that you attend the following instructor-led training courses or equivalent virtual e-Learning courses: ...................................................... 11
• Firewall Essentials: Configuration and Management (EDU-210) or e-Learning (EDU-110) ....................... 11
• Panorama: Managing Firewalls at Scale (EDU-220) or e-Learning (EDU-120) ........................................... 11
• Optional training: Firewall: Debug and Troubleshoot (EDU-311) .............................................................. 11
When you have completed the courses, practice on the platform to master the basics. Use the following resources to prepare for the exam. All resources can be found here: https://www.paloaltonetworks.com/services/education/pcnse ...................................................... 11
• Cybersecurity Skills Practice Lab ................................................................................................................ 11
• PCNSE Study Guide and Practice Exam ..................................................................................................... 11
• Administrator’s Guide: specific configuration information and “best practice” settings .......................... 11
• Prep videos and tutorials ........................................................................................................................... 11
About This Document ........................................................................................................................................ 11
Disclaimer .......................................................................................................................................................... 11
Preliminary Score Report ................................................................................................................................... 11
Exam Domain 1 – Plan ......................................................................................................................................... 13
Identify how the Palo Alto Networks products work together to detect and prevent threats ......................... 13
Preventing Successful Cyber-attacks ............................................................................................................ 13
Sample questions .......................................................................................................................................... 17
Given a scenario, identify how to design an implementation of the firewall to meet business requirements leveraging the Palo Alto Networks Security Operating Platform. ...................................................... 17
Choosing the Appropriate Firewall ............................................................................................................... 17
Sample question ........................................................................................................................................... 22
Given a scenario, identify how to design an implementation of firewalls in High Availability to meet business requirements leveraging the Palo Alto Networks Security Operating Platform ...................................................... 22
High Availability ............................................................................................................................................ 22
Sample questions .......................................................................................................................................... 24
Identify the appropriate interface type and configuration for a specified network deployment. .................... 25
Sample questions .......................................................................................................................................... 24
Identify how to use template stacks for administering Palo Alto Networks firewalls as a scalable solution using Panorama. ...................................................... 24
Sample questions .......................................................................................................................................... 27
Identify how to use device group hierarchy for administering Palo Alto Networks firewalls as a scalable solution using Panorama. ...................................................... 27
Sample questions .......................................................................................................................................... 32
Identify options to deploy Palo Alto Networks firewalls in a private or public cloud (VM-Series).................... 32
Sample questions .......................................................................................................................................... 33
Identify methods for Authorization, Authentication, and Device Administration ............................................ 33
Sample questions .......................................................................................................................................... 37
Given a scenario, identify ways to mitigate resource exhaustion (because of denial-of-service) in application servers ...................................................... 37
Sample questions .......................................................................................................................................... 40
Identify decryption deployment strategies ....................................................................................................... 41
Sample questions .......................................................................................................................................... 45
Identify the impact of application override to the overall functionality of the firewall .................................... 46
Sample questions .......................................................................................................................................... 47
Identify the methods of User-ID redistribution ................................................................................................ 47
Sample question ........................................................................................................................................... 48
Exam Domain 2 – Deploy and Configure ............................................................................................................. 49
Identify the application meanings in the Traffic log (incomplete, insufficient data, non-syn TCP, not applicable, unknown TCP, unknown UDP, and unknown P2P). ...................................................... 49
Sample questions .......................................................................................................................................... 51
Given a scenario, identify the set of Security Profiles that should be used ...................................................... 52
Sample questions .......................................................................................................................................... 53
Identify the relationship between URL filtering and credential theft prevention ............................................. 53
Sample questions .......................................................................................................................................... 54
Identify differences between services and applications.................................................................................... 54
Sample question ........................................................................................................................................... 55
Identify how to create security rules to implement App-ID without relying on port-based rules ...................................................... 55
Sample questions .......................................................................................................................................... 56
Identify the required settings and steps necessary to provision and deploy a next-generation firewall. ...................................................... 56
Sample questions .......................................................................................................................................... 57
Identify various methods for Authentication, Authorization, and Device Administration within a firewall. ...................................................... 58
Identify how to configure and maintain certificates to support firewall features ............................................ 58
Sample questions .......................................................................................................................................... 58
Identify how to configure a virtual router ......................................................................................................... 59
Sample questions .......................................................................................................................................... 60
Identify the configuration settings for site-to-site VPN .................................................................................... 61
Sample questions .......................................................................................................................................... 62
Identify the configuration settings for GlobalProtect ........................................................................................ 62
Sample questions .......................................................................................................................................... 65
Identify how to configure items pertaining to denial-of-service protection and zone protection .................. 65
Identify how to configure features of the NAT rulebase ................................................................................... 66
Sample questions .......................................................................................................................................... 66
Given a configuration example including DNAT, identify how to configure security rules ............................... 66
Sample questions .......................................................................................................................................... 67
Identify how to configure decryption ................................................................................................................ 67
Sample questions .......................................................................................................................................... 68
Given a scenario, identify an application override configuration and use case ................................................ 69
Sample questions .......................................................................................................................................... 69
Identify how to configure VM-Series firewalls for deployment ........................................................................ 69
Sample questions .......................................................................................................................................... 70
Exam Domain 3 – Operate ................................................................................................................................... 70
Identify considerations for configuring external log forwarding ....................................................................... 70
Sample questions .......................................................................................................................................... 75
Interpret log files, reports, and graphs to determine traffic and threat trends ................................................ 76
Sample questions .......................................................................................................................................... 81
Identify scenarios in which there is a benefit from using custom signatures .................................................... 82
Sample questions .......................................................................................................................................... 82
Given a scenario, identify the process to update a Palo Alto Networks system to the latest version of the software. ...................................................... 83
Sample questions .......................................................................................................................................... 84
Identify how configuration management operations are used to ensure desired operational state of stability and continuity ...................................................... 85
Sample questions .......................................................................................................................................... 85
Identify the settings related to critical HA functions (link monitoring; path monitoring; HA1, HA2, and HA3 functionality; HA backup links; and differences between A/A and A/P). ...................................................... 86
Sample question ........................................................................................................................................... 86
Identify the sources of information pertaining to HA functionality. ................................................................. 87
Sample question ........................................................................................................................................... 87
Identify how to configure the firewall to integrate with AutoFocus and verify its functionality ...................... 87
Sample question ........................................................................................................................................... 88
Identify the impact of deploying dynamic updates ........................................................................................... 88
Sample question ........................................................................................................................................... 89
Identify the relationship between Panorama and devices as it pertains to dynamic updates versions and policy implementation and/or HA peers. ...................................................... 89
Sample questions .......................................................................................................................................... 90
Exam Domain 4 – Configuration Troubleshooting ............................................................................................... 90
Identify system and traffic issues using WebUI and CLI tools. ........................................................................... 90
Sample questions .......................................................................................................................................... 97
Given a session output, identify the configuration requirements used to perform a packet capture ............. 98
Sample question ......................................................................................................................................... 100
Given a scenario, identify how to troubleshoot and configure interface components ................................... 100
Sample question ......................................................................................................................................... 103
Identify how to troubleshoot SSL decryption failures ..................................................................................... 103
Sample questions ........................................................................................................................................ 104
Identify certificate chain of trust issues ........................................................................................................... 104
Sample questions ........................................................................................................................................ 105
Given a scenario, identify how to troubleshoot traffic routing issues. ............................................................ 106
Sample questions ........................................................................................................................................ 107
Exam Domain 5 – Core Concepts ...................................................................................................................... 108
Identify the correct order of the policy evaluation based on the packet flow architecture ........................... 108
Sample questions ........................................................................................................................................ 109
Given an attack scenario, identify the Palo Alto Networks appropriate threat prevention component to prevent/mitigate the attack. ...................................................... 109
Sample questions ........................................................................................................................................ 110
Identify methods for identifying users ............................................................................................................ 110
Sample questions ........................................................................................................................................ 112
Identify the fundamental functions residing on the management and data planes of a Palo Alto Networks firewall ...................................................... 112
Sample questions ........................................................................................................................................ 115
Given a scenario, determine how to control bandwidth use on a per-application basis ................................ 115
Sample questions ........................................................................................................................................ 118
Identify the fundamental functions and concepts of WildFire ........................................................................ 119
Sample questions ........................................................................................................................................ 122
Identify the purpose of and use case for MFA and the Authentication policy ................................................ 122
Sample questions ........................................................................................................................................ 123
Identify the dependencies for implementing MFA .......................................................................................... 124
Sample questions ........................................................................................................................................ 126
Given a scenario, identify how to forward traffic ............................................................................................ 127
Sample question ......................................................................................................................................... 128
Given a scenario, identify how to configure policies and related objects. ...................................................... 128
Sample questions ........................................................................................................................................ 133
Identify the methods for automating the configuration of a firewall .............................................................. 134
Sample questions ........................................................................................................................................ 135
Further Resources ............................................................................................................................................. 136
Appendix A: Sample test ................................................................................................................................... 137
Appendix B: Answers to sample questions ....................................................................................................... 145
Exam Domain 1 – Plan ..................................................................................................................................... 145
Identify how the Palo Alto Networks products work together to detect and prevent threats ................... 145
Given a scenario, identify how to design an implementation of the firewall to meet business requirements leveraging the Palo Alto Networks Security Operating Platform. ...................................................... 146
Given a scenario, identify how to design an implementation of firewalls in High Availability to meet business requirements leveraging the Palo Alto Networks Security Operating Platform ...................................................... 146
Identify the appropriate interface type and configuration for a specified network deployment. .............. 147
Identify how to use template stacks for administering Palo Alto Networks firewalls as a scalable solution using Panorama. ...................................................... 147
Identify how to use device group hierarchy for administering Palo Alto Networks firewalls as a scalable solution using Panorama ...................................................... 148
Identify options to deploy Palo Alto Networks firewalls in a private or public cloud (VM-Series) ............. 149
Identify methods for Authorization, Authentication, and Device Administration ..................................... 149
Given a scenario, identify ways to mitigate resource exhaustion (because of denial-of-service) in application servers ...................................................... 150
Identify decryption deployment strategies ................................................................................................. 151
Identify the impact of application override to the overall functionality of the firewall .............................. 152
Identify the methods of User-ID redistribution ......................................................................................... 152
Exam Domain 2 – Deploy and Configure .......................................................................................................... 153
Identify the application meanings in the Traffic log (incomplete, insufficient data, non-syn TCP, not applicable, unknown TCP, unknown UDP, and unknown P2P). ...................................................... 153
Given a scenario, identify the set of Security Profiles that should be used ................................................ 153
Identify the relationship between URL filtering and credential theft prevention ....................................... 154
Identify differences between services and applications ............................................................................. 154
Identify how to create security rules to implement App-ID without relying on port-based rules ...................................................... 154
Identify the required settings and steps necessary to provision and deploy a next-generation firewall. ...................................................... 155
Identify how to configure and maintain certificates to support firewall features ...................................... 155
Identify how to configure a virtual router ................................................................................................... 156
Identify the configuration settings for site-to-site VPN .............................................................................. 156
Identify the configuration settings for GlobalProtect ................................................................................. 156
Identify how to configure features of the NAT rulebase ............................................................................. 157
Given a configuration example including DNAT, identify how to configure security rules ......................... 157
Identify how to configure decryption ......................................................................................................... 158
Given a scenario, identify an application override configuration and use case .......................................... 158
Identify how to configure VM-Series firewalls for deployment .................................................................. 158
Exam Domain 3 – Operate ............................................................................................................................... 159
Identify considerations for configuring external log forwarding ................................................................ 159
Interpret log files, reports, and graphs to determine traffic and threat trends .......................................... 160
Identify scenarios in which there is a benefit from using custom signatures ............................................. 160
Given a scenario, identify the process to update a Palo Alto Networks system to the latest version of the software. ...................................................... 161
Identify how configuration management operations are used to ensure desired operational state of stability and continuity ...................................................... 161
Identify the settings related to critical HA functions (link monitoring; path monitoring; HA1, HA2, and HA3 functionality; HA backup links; and differences between A/A and A/P). ...................................................... 162
Identify the sources of information pertaining to HA functionality. ........................................................... 162
Identify how to configure the firewall to integrate with AutoFocus and verify its functionality ................ 162
Identify the impact of deploying dynamic updates ..................................................................................... 162
Identify the relationship between Panorama and devices as it pertains to dynamic updates versions and policy implementation and/or HA peers. ...................................................... 163
Exam Domain 4 – Configuration Troubleshooting ........................................................................................... 163
Identify system and traffic issues using WebUI and CLI tools. .................................................................... 163
Given a session output, identify the configuration requirements used to perform a packet capture ....... 164
Given a scenario, identify how to troubleshoot and configure interface components .............................. 164
Identify how to troubleshoot SSL decryption failures ................................................................................. 165
Identify certificate chain of trust issues ...................................................................................................... 165
Given a scenario, identify how to troubleshoot traffic routing issues. ....................................................... 166
Exam Domain 5 – Core Concepts ..................................................................................................................... 167
Identify the correct order of the policy evaluation based on the packet flow architecture ....................... 167
Given an attack scenario, identify the Palo Alto Networks appropriate threat prevention component to prevent/mitigate the attack. ...................................................... 167
Identify methods for identifying users ........................................................................................................ 168
Identify the fundamental functions residing on the management and data planes of a Palo Alto Networks firewall ...................................................... 168
Given a scenario, determine how to control bandwidth use on a per-application basis ............................ 169
Identify the fundamental functions and concepts of WildFire® .................................................................. 169
Identify the purpose of and use case for MFA and the Authentication policy ............................................ 170
Identify the dependencies for implementing MFA ..................................................................................... 170
Given a scenario, identify how to forward traffic ....................................................................................... 171
Given a scenario, identify how to configure policies and related objects. .................................................. 171
Identify the methods for automating the configuration of a firewall ......................................................... 172
Appendix C: Answers to the sample test, p. 137 .............................................................................................. 173
Appendix D: Glossary......................................................................................................................................... 181
Continuing Your Learning Journey with Palo Alto Networks ............................................................................. 189
E-Learning ........................................................................................................................................................ 189
Instructor-Led Training .................................................................................................................................... 189
Learning Through the Community ................................................................................................................... 189
Palo Alto Networks PCNSE Study Guide
Welcome to the Palo Alto Networks PCNSE Study Guide. The purpose of this guide is to help you prepare
for your PCNSE exam and achieve your PCNSE credential. This study guide is a summary of the key topic
areas that you are expected to know to be successful at the PCNSE exam. It is organized based on the
exam blueprint and key exam objectives.
Overview
The Palo Alto Networks® Certified Network Security Engineer (PCNSE) is a formal, third-party proctored
certification that indicates that those who have passed it possess the in-depth knowledge to design,
install, configure, maintain, and troubleshoot most implementations based on the Palo Alto Networks
platform.
This exam will certify that the successful candidate has the knowledge and skills necessary to implement
Palo Alto Networks next-generation firewall PAN-OS® 8.1 platform in any environment. This exam will
not cover Aperture and Traps.
More information is available from Palo Alto Networks at:
https://www.paloaltonetworks.com/services/education/pcnse
Exam Details
• Certification Name: Palo Alto Networks Certified Network Security Engineer
• Delivered through Pearson VUE: www.pearsonvue.com/paloaltonetworks
• Exam Series: PCNSE
• Seat Time: 80 minutes
• Number of items: 75
• Format: Multiple Choice, Scenarios with Graphics, and Matching
• Languages: English and Japanese
Intended Audience
The PCNSE exam should be taken by anyone who wants to demonstrate a deep understanding of Palo
Alto Networks technologies, including customers who use Palo Alto Networks products, value-added
resellers, pre-sales system engineers, system integrators, and support staff.
Qualifications
You should have three to five years’ experience working in the Networking or Security industries and the
equivalent of 6 months’ experience working full-time with Palo Alto Networks Security Operating
Platform.
You have at least one year of experience in Palo Alto Networks NGFW deployment and configuration.
Skills Required
• You can plan, deploy, configure, and troubleshoot Palo Alto Networks Security Operating Platform
components.
• You have product expertise and understand the unique aspects of the Palo Alto Networks Security
Operating Platform and how to deploy one appropriately.
• You understand networking and security policies used by PAN-OS software.
Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training courses or
equivalent virtual e-Learning courses:
• Firewall Essentials: Configuration and Management (EDU-210) or e-Learning (EDU-110)
• Panorama: Managing Firewalls at Scale (EDU-220) or e-Learning (EDU-120)
• Optional training: Firewall: Debug and Troubleshoot (EDU-311)
When you have completed the courses, practice on the platform to master the basics. Use the following
resources to prepare for the exam. All resources can be found here:
https://www.paloaltonetworks.com/services/education/pcnse
• Cybersecurity Skills Practice Lab
• PCNSE Study Guide and Practice Exam
• Administrator’s Guide: specific configuration information and “best practice” settings
• Prep videos and tutorials
About This Document
Efforts have been made to introduce all relevant information that might be found in a PCNSE Certification
Test. However, other related topics also may appear on any delivery of the exam. This document should
not be considered a definitive test preparation guide but an introduction to the knowledge required, and
these guidelines may change at any time without notice. This document contains many references to
outside information that should be considered essential to completing your understanding.
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam, related
resources, and recommended courses. The material contained within this study guide is not intended to
guarantee that a passing score will be achieved on the exam. Palo Alto Networks recommends that a
candidate thoroughly understand the objectives indicated in this guide and uses the resources and
courses recommended in this guide where needed to gain that understanding.
Preliminary Score Report
The score report notifies candidates that, regardless of pass or fail results, an exam score may be revised
any time after testing if there is evidence of misconduct, scoring inaccuracies, or aberrant response
patterns.
Palo Alto Networks Certified Network Security Engineer - PCNSE
Based on PAN-OS® Version 8.1
Domain                            Weight (%)
Plan                              16%
Deploy and Configure              23%
Operate                           20%
Configuration Troubleshooting     18%
Core Concepts                     23%
Total                             100%
Exam Domain 1 – Plan
Identify how the Palo Alto Networks products work together to detect and prevent threats
Preventing Successful Cyber-attacks
Palo Alto Networks® Security Operating Platform prevents successful cyberattacks by harnessing analytics
to automate routine tasks and enforcement. Tight integration across the platform, and with partners,
simplifies security so you can secure users, applications and data.
Operate efficiently to stop attacks that cause business disruption
The Security Operating Platform empowers you to confidently automate threat identification and
enforcement across cloud, network and endpoints using a data-driven approach and precise analytics. It
blocks exploits, ransomware, malware, and fileless attacks to minimize infected endpoints and servers.
The platform lets you easily adopt best practices and take a Zero Trust approach to reducing
opportunities for attack.
Automate routine tasks to reduce response time and speed deployments
Chances are good that your operations teams and analysts are overburdened. The Security Operating
Platform improves productivity – and lets them focus on higher value activities – using automation.
Shared intelligence and consistent enforcement across network, cloud and endpoints strengthens
prevention and speeds response. DevOps can speed multi-cloud deployment and simplify management
through deep integrations with native cloud services and automation tools. Plus, your teams can
continuously validate compliance of cloud deployments with customizable reports and controls that save
time.
Improve security effectiveness and efficiency with tightly integrated innovations
Threats are dynamic. You need to keep evolving to stay ahead. New capabilities are tightly integrated,
building on the value of what you already have. With Palo Alto Networks Application Framework, you can
quickly consume innovative security apps, using your existing security data, sensors and enforcement
points. Whether developed by us, our ecosystem of third parties or your own teams, these apps can
detect and report on threats, or automate enforcement workflows, to reduce response time. This way,
the Security Operating Platform enables you to get the most out of your existing Palo Alto Networks
investment.
Palo Alto Networks Security Operating Platform
The Palo Alto Networks Security Operating Platform consists of the following components:
Network Security
Our next-generation firewalls secure your business with a prevention-focused architecture and integrated
innovations that are easy to deploy and use. Now, you can accelerate growth and eliminate risks at the same
time.
• Next-generation firewalls
Advanced Endpoint Protection
Traps™ advanced endpoint protection stops threats on the endpoint and coordinates enforcement with
cloud and network security to prevent successful cyberattacks.
• Traps
Cloud Security
Palo Alto Networks provides advanced protection for consistent security across all major clouds – Amazon®
Web Services, Microsoft® Azure® and Google® Cloud Platform – and our automation features minimize the
friction of app development and security. You can protect and segment applications, deliver continuous
security and compliance, and achieve zero-day prevention. Cloud Security is delivered by:
• VM-Series firewalls
• Evident: The unique combination of continuous monitoring, cloud storage protection, and
compliance validation and reporting will solve one of the most critical challenges in moving to public
cloud.
• Traps
Cloud-Delivered Security Services
Our security subscriptions allow you to safely enable applications, users, and content by adding natively
integrated protection from known and unknown threats both on and off the network.
These security subscriptions are purpose-built to share context and prevent threats at every stage of an
attack, allowing you to enable singular policies and automated protection that secure your network and
remote workforce while simplifying management and enabling your business. The Security Services consist of:
• AutoFocus - The AutoFocus threat intelligence service enables security teams to prioritize their
response to unique, targeted attacks and gain the intelligence, analytics and context needed to
protect your organization. It provides context around an attack spotted in your traffic and threat
logs, such as the malware family, campaign, or malicious actor targeting your organization.
AutoFocus correlates and gains intelligence from:
o WildFire® service – the industry’s largest threat analysis environment
o PAN-DB URL filtering service
o MineMeld application for AutoFocus, enabling aggregation and correlation of any third-party
threat intelligence source directly in AutoFocus
o Traps advanced endpoint protection
o Aperture SaaS-protection service
o Unit 42 threat intelligence and research team
o Intelligence from technology partners
o Palo Alto Networks global passive DNS network
• GlobalProtect Secure Mobile Workforce - GlobalProtect cloud service reduces the operational
burden associated with securing your remote networks and mobile users by leveraging a cloud-based
security infrastructure managed by Palo Alto Networks. Based on the Palo Alto Networks Security
Operating Platform, administrators can manage GlobalProtect cloud service with Panorama to create
and deploy consistent security policies for all remote networks and mobile users. The GlobalProtect
cloud service shared ownership model allows you to move your remote networks and mobile user
security expenditures to a more efficient and predictable OPEX-based model.
• URL Filtering Web Security – A firewall subscription/license. Most attacks and exposure to malicious
content occurs during the normal course of web browsing activities, which requires the ability to
allow safe, secure web access for all users. URL Filtering with PAN-DB automatically prevents attacks
that leverage the web as an attack vector, including phishing links in emails, phishing sites, HTTP-
based command and control, malicious sites and pages that carry exploit kits.
• Threat Prevention – A firewall subscription/license. Threat Prevention leverages the visibility of our
next-generation firewall to inspect all traffic, automatically preventing known threats, regardless of
port, protocol or SSL encryption. Provides protection details for malware, vulnerability and spyware
attacks.
• WildFire® Malware Analysis – Primary features available at no cost to firewalls. Advanced features
available as a firewall subscription/license. Files being sent through the firewall can be evaluated by
WildFire® for zero-day malware. WildFire® cloud-based threat analysis service is the industry’s most
advanced analysis and prevention engine for highly evasive zero-day exploits and malware. The
cloud-based service employs a unique multi-technique approach combining dynamic and static
analysis, innovative machine learning techniques, and a groundbreaking bare metal analysis
environment to detect and prevent even the most evasive threats.
• MineMeld Threat Intelligence Sharing – An open-source application that streamlines the aggregation,
enforcement and sharing of threat intelligence. MineMeld allows you to aggregate threat
intelligence across public, private and commercial intelligence sources, including between
government and commercial organizations. MineMeld natively integrates with Palo Alto Networks
Security Operating Platforms to automatically create new prevention-based controls for URLs, IPs
and domain intelligence derived from all sources feeding into the tool.
• Logging Service – Palo Alto Networks Logging Service is a cloud-based offering for context-rich
enhanced network logs generated by our security offerings, including those of our next-generation
firewalls and GlobalProtect cloud service. The cloud-based nature of the Logging Service allows
customers to collect ever expanding rates of data, without needing to plan for local compute and
storage.
The Logging Service is the cornerstone of Palo Alto Networks Application Framework, which provides
a scalable ecosystem of security applications that can apply advanced analytics in concert with Palo
Alto Networks enforcement points to prevent the most advanced attacks. You are no longer limited
by how much hardware is available nor by how quickly the sensors can be deployed.
• Magnifier Behavioral Analytics – Magnifier behavioral analytics applies machine learning at cloud
scale to rich network, endpoint and cloud data, so you can quickly find and stop targeted attacks,
insider abuse and compromised endpoints. It is an application that uses the Application Framework
and customer logging data stored by the Logging Service.
Application Framework
With the Palo Alto Networks Application Framework, we are ushering in the future of security innovation,
reinventing how customers rapidly access, evaluate and adopt the most compelling new security
technologies as an extension of the next-generation Security Operating Platform they already own and
operate. The all-new framework is a culmination of over a decade of security disruption, providing customers
with superior security through compelling cloud-based apps developed by Palo Alto Networks and today’s
most innovative security providers, large and small.
The Application Framework consists of the following parts:
• Infrastructure - A suite of cloud APIs, services, compute and native access to customer-specific data
stores.
• Customer-specific data store - Palo Alto Networks Logging Service
• Apps – Are delivered from the cloud to extend the capabilities of the platform, including the ability to
effortlessly collaborate between different apps, share threat context and intelligence, and drive
automated response and enforcement.
Platform Integration
The Security Operating Platform’s power often lies in the integration of services with their collective
analytical capabilities. A next-generation firewall can directly integrate with several parts of the platform.
WildFire®, and URL filtering are the most common. Greater levels of protection are available with other
platform components. AutoFocus adds context to threats detected by your firewalls. Detected threats
can then be characterized as a narrowly focused attack on your organization or as part of a larger, non-
targeted threat. This information supports a more informed priority decision about the allocation of finite
remediation resources.
Applications implemented within the Application Framework can provide different, specialized analysis of
data supplied by deployed firewall and Traps agents. The Logging Service provides the “Big Data” base of
information these applications analyze. When a next-generation firewall is connected to the Logging
Service, an even greater depth of detail is supplied, supporting a higher level of analysis. Magnifier is an
example of an Application Framework application that analyzes this data to find targeted attacks that
would be harder to discern from individual firewall log analysis. This “Data Lake” is accessible through
Application Framework APIs for any authorized application to evaluate, providing an opportunity for
complementary product support.
Generally speaking, an approach that provides the maximum visibility of analyzed traffic and events,
backed up with analysis to support the identification of targeted attacks, enables the highest level of
responsiveness for an organization’s security teams.
In keeping with this approach, one might deploy Traps or a next-generation firewall as a standalone
product initially utilizing their specific platform product support options and integrate other platform
services over time. As more firewalls are implemented the integration of their logs in the Logging Service
creates an organization-wide set of enriched data that threat detection services can analyze to give you
specific information on detected attacks and prescribe specific remediation.
Sample questions
1. Which component (or components) of the integrated Palo Alto Networks security solution
limits access to a corporate z/OS (also known as MVS) mainframe?
A. threat intelligence cloud
B. advanced endpoint protection
C. next-generation firewall
D. advanced endpoint protection and next-generation firewall
2. Which Palo Alto Networks product is primarily designed to provide context with deeper
information about attacks?
A. MineMeld
B. WildFire®
C. AutoFocus
D. Threat Prevention
3. Which Palo Alto Networks product is primarily designed to provide normalization of threat
intelligence feeds with the potential for automated response?
A. MineMeld
B. WildFire®
C. AutoFocus
D. Threat Prevention
4. Which Palo Alto Networks product is primarily designed to protect endpoints from successful
Cyber-attacks?
A. Global Protect
B. Magnifier
C. Traps
D. Evident
5. The Palo Alto Networks Logging Service can accept logging data from which two products?
(Choose two.)
A. Traps
B. next-generation firewalls
C. Aperture
D. MineMeld
E. AutoFocus
Given a scenario, identify how to design an implementation of the firewall to meet business requirements leveraging the Palo Alto Networks Security Operating Platform.
Choosing the Appropriate Firewall
Feature and performance requirements impact the choice of firewall model. All Palo Alto Networks
firewalls run the same version of PAN-OS® software, ensuring the same primary feature set. When you
investigate which model fits a given need, evaluate throughput, maximum concurrent sessions, and
connections per second with App-ID, threat prevention, and decryption features enabled. Note that
there are two published throughput statistics: “firewall throughput” and “threat prevention
throughput.” “Threat prevention throughput” is the expected throughput with most of the defensive
options (App-ID, User-ID, IPS, antivirus, and anti-spyware) enabled, and “firewall throughput” is the
throughput with no Content-ID defense options enabled. Additional services might be available as
integrated products or service licenses that enrich logging data analysis. Overall, choosing a firewall is as
much a selection of the functions and services you need as a sizing decision; the two together determine the right model.
The following link provides a features summary of all firewall models including throughput:
https://www.paloaltonetworks.com/resources/datasheets/product-summary-specsheet
The Single Pass Architecture means packets traverse the architecture only once
The Palo Alto Networks firewall was designed to use an efficient system referred to as Next-generation
Processing. Next-generation Processing allows for packet evaluation, application identification, policy
decisions, and content scanning in a single efficient processing pass.
Palo Alto Networks firewalls contain the following primary next-generation features:
▪ App-ID: Scanning of traffic to identify the application that is involved, regardless of the protocol
or port number used.
▪ Content-ID: Scanning of traffic for security threats (e.g., data leak prevention and URL filtering,
virus, spyware, unwanted file transfers, specific data patterns, vulnerability attacks, and
appropriate browsing access).
▪ User-ID: Matching of a user to an IP address (or multiple IP addresses), allowing your Security
policy to be based on who is behind the traffic, not the device.
Security Policy
The Security policy consists of security rules that are the basis of the firewall’s ability to enable or block
sessions. Multiple match conditions can be used when you create these rules. Security zones, source and
destination IP address, application (App-ID), source user (User-ID), service (port), HIP match, and URL
categories in the case of web traffic all can serve as traffic matching criteria for allow/block decision-
making. App-ID ensures the positive identification of applications regardless of their attempts at
evasiveness. Allowed session traffic can be scanned further based on Security Profiles (Content-ID) to
identify unwanted traffic content. These profiles use signatures to identify known threats. Unknown
threats are identified by WildFire®, which creates signatures to turn them into known threats.
Examples of security rules and profile settings follow:
Creating a Security policy rule
Profile settings for a Security policy rule that enable Content-ID threat scanning
Security Zones
Palo Alto Networks firewalls are zone based. Zones designate a network segment that has similar security
classification (i.e., Users, Data Center, DMZ Servers, Remote Users). The firewall security model is focused
on evaluating traffic as it passes from one zone to another. These zones act as a logical way to group
physical and virtual interfaces. Zones are required to control and log the traffic that traverses the
interfaces. All defined interfaces should be assigned a zone that marks all traffic coming to/from the
interface. Zones are defined for specific interface types (TAP, Virtual Wire, Layer 2 or Layer 3) and can be
assigned to multiple interfaces of the same type only. An interface can only be assigned to one zone.
All sessions on the firewall are defined by the source and destination zones. Rules can use these defined
zones to allow or deny traffic, apply QoS, or perform NAT. All traffic can flow freely within a zone and is
referred to as intrazone traffic. Traffic between zones (called interzone traffic) is denied by default.
Security policy rules are required to modify these default behaviors. Traffic will be allowed to travel
between zones only if a security rule is defined and the rule matches all conditions of the session. For
interzone traffic, Security policy rules must reference a source zone and destination zone (not interfaces)
to allow or deny traffic.
Security policies are used to create a positive (whitelist) and/or negative (blacklist) enforcement model
for traffic flowing through the firewall. The necessary security rules must be in place for the firewall to
properly evaluate, configure, and maintain Security policies. These rules are enumerated from the top
down and the first rules with the appropriate matching conditions will allow or deny the matching traffic.
If logging is enabled on the matching rule, and the traffic crosses a zone, the action for that
session is logged. These logs are extremely useful for adjusting the positive/negative enforcement
model. The log information can be used to characterize traffic, providing specific use information and
allowing precise policy creation and control. Log entries can be forwarded to external monitoring devices
like Panorama, the Logging Service and/or a syslog server. Palo Alto Networks firewall logs, Application
Command Center, App Scope, and other reporting tools all work to precisely describe traffic and use
patterns.
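The zone and rule behaviour described above (one zone per interface, zones of a single interface type, top-down first-match evaluation, intrazone allowed and interzone denied by default) can be modelled in a few dozen lines. The following is an added example written for this guide, not Palo Alto Networks code; the zone names, addresses, applications and rule names are constructed sample data, and treating the implicit default rules as non-logging is an assumption of the model.

```python
"""Toy model of PAN-OS-style zone assignment and Security policy evaluation.

Added example, not Palo Alto Networks code. Zone and rule names, prefixes
and App-ID names below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

ANY = "any"


@dataclass
class Zone:
    name: str
    iface_type: str                          # "tap", "vwire", "layer2" or "layer3"
    interfaces: Set[str] = field(default_factory=set)


def assign_interface(zones: Dict[str, Zone], zone_name: str,
                     iface: str, iface_type: str) -> Optional[str]:
    """Attach an interface to a zone, enforcing two constraints: an interface
    belongs to exactly one zone, and a zone only holds interfaces of its own
    type. Returns None on success or the reason the assignment is rejected."""
    for z in zones.values():
        if iface in z.interfaces and z.name != zone_name:
            return f"{iface} already belongs to zone {z.name}"
    zone = zones[zone_name]
    if zone.iface_type != iface_type:
        return f"{iface} is {iface_type} but zone {zone_name} is {zone.iface_type}"
    zone.interfaces.add(iface)
    return None


def zone_of(zones: Dict[str, Zone], iface: str) -> Optional[str]:
    """Zone that marks traffic arriving on or leaving through an interface."""
    return next((z.name for z in zones.values() if iface in z.interfaces), None)


@dataclass
class Rule:
    name: str
    from_zones: List[str]
    to_zones: List[str]
    sources: List[str]                       # CIDR prefixes or ANY
    destinations: List[str]
    applications: List[str]                  # App-ID names or ANY
    action: str                              # "allow" or "deny"
    log: bool = True                         # log at session end


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str


def _matches(value: str, allowed: List[str], ip: bool = False) -> bool:
    if ANY in allowed:
        return True
    if ip:
        return any(ip_address(value) in ip_network(a, strict=False) for a in allowed)
    return value in allowed


def rule_matches(rule: Rule, s: Session) -> bool:
    """Every configured match condition must hold; rules are directional."""
    return (_matches(s.src_zone, rule.from_zones)
            and _matches(s.dst_zone, rule.to_zones)
            and _matches(s.src_ip, rule.sources, ip=True)
            and _matches(s.dst_ip, rule.destinations, ip=True)
            and _matches(s.app, rule.applications))


def evaluate(rules: List[Rule], s: Session) -> Tuple[str, str, bool]:
    """Top-down, first match wins. Returns (rule name, action, logged).
    With no explicit match the implicit defaults apply: traffic within a zone
    is allowed, traffic between zones is denied. Modelled as non-logging here
    (an assumption of this example)."""
    for rule in rules:
        if rule_matches(rule, s):
            return rule.name, rule.action, rule.log
    if s.src_zone == s.dst_zone:
        return "intrazone-default", "allow", False
    return "interzone-default", "deny", False


def sample_rules() -> List[Rule]:
    """Constructed rulebase; order matters because the first match wins."""
    return [
        Rule("block-p2p", ["Users"], [ANY], [ANY], [ANY], ["bittorrent"], "deny"),
        Rule("allow-web", ["Users"], ["Internet"], ["10.0.0.0/8"], [ANY],
             ["web-browsing", "ssl"], "allow"),
        Rule("users-to-dc-rdp", ["Users"], ["DC"], ["10.0.0.0/8"],
             ["10.20.0.0/16"], ["ms-rdp"], "allow"),
    ]


if __name__ == "__main__":
    zones = {"Users": Zone("Users", "layer3"), "DC": Zone("DC", "layer3")}
    print(assign_interface(zones, "Users", "ethernet1/1", "layer3"))  # None
    print(assign_interface(zones, "DC", "ethernet1/1", "layer3"))     # rejected
    for sess in (Session("Users", "Internet", "10.1.1.5", "203.0.113.10", "web-browsing"),
                 Session("Users", "DC", "10.1.1.5", "10.20.3.4", "ssh"),
                 Session("Users", "Users", "10.1.1.5", "10.1.1.6", "ms-ds-smb")):
        print(sess.src_zone, "->", sess.dst_zone, sess.app, evaluate(sample_rules(), sess))
```

Two points the model makes visible: a rule written from Users to DC says nothing about sessions initiated from DC to Users, which fall through to the interzone default deny; and an unmatched session hits a default rule, so the traffic log only shows it if logging on the default rules has been turned on.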
Traffic Processing Sequence
Visualize the Palo Alto Networks firewall processes using the following graphical representation.
Understanding the linear version of the traffic flow can be useful when you create the initial
configuration and when you adjust the rules after installation. Note that the graphical representation is a
simplified version of the complete flow documented in the following article.
https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081
Session processing sequence
Enterprise Firewall Management
Palo Alto Networks next-generation firewalls are managed individually and have no native ability to be
managed as a whole. Without a central management system, it is an administrative responsibility to keep
multiple firewalls’ settings coordinated.
Panorama is the Palo Alto Networks enterprise management solution. Once Panorama and firewalls are
linked, Panorama is the single interface to manage the entire enterprise.
Additional information on best practices in designing and deploying your Security policy when deploying
as an edge device can be found here:
https://www.paloaltonetworks.com/documentation/81/best-practices/best-practices-internet-gateway
Other deployment best practices can be found here:
https://www.paloaltonetworks.com/documentation/best-practices
Sample question
6. A potential customer says they need a firewall to process 50Gbps of traffic. Which firewall, if
any, do you recommend to the customer?
A. PA-7080
B. PA-7050
C. PA-5260
D. You don’t recommend a firewall model at this point. Ask about the kind of traffic and
how it needs to be processed. If the requirement is for 50Gbps IPsec VPN throughput,
then the customer needs a PA-7080. For 50Gbps with threat prevention, you need a PA-
7050. If only App-ID is used, a PA-5260 can fulfill the requirement.
Given a scenario, identify how to design an implementation of firewalls in High Availability to meet business requirements leveraging the Palo Alto Networks Security Operating Platform
High Availability
You can set up two Palo Alto Networks firewalls as an HA pair. HA allows you to minimize downtime by
making sure that an alternate firewall is available in the event that the peer firewall fails. HA pairs are made
up of two firewalls of identical model, configuration and licensing. It is preferred that they are in physical
proximity of each other, but geographical separation is supported. The firewalls in an HA pair use dedicated
or in-band HA ports on the firewall to synchronize data—network, object, and policy configurations—and to
maintain state information. Firewall-specific configuration such as management interface IP address or
administrator profiles, HA specific configuration, log data, and the Application Command Center (ACC)
information is not shared between peers. For a consolidated application and log view across the HA pair,
you must use Panorama, the Palo Alto Networks centralized management system. When a failure occurs on
a firewall in an HA pair and the peer firewall takes over the task of securing traffic, the event is called a
Failover. The conditions that trigger a failover are:
• One or more of the monitored interfaces fail. (Link Monitoring)
• One or more of the destinations specified on the firewall cannot be reached. (Path Monitoring)
• The firewall does not respond to heartbeat polls. (Heartbeat Polling and Hello messages)
• A critical chip or software component fails, known as packet path health monitoring.
HA Modes
Palo Alto Networks firewalls support stateful active/passive or active/active high availability with session
and configuration synchronization with a few exceptions:
• The PA-200 firewall supports HA Lite only. HA Lite is an active/passive deployment that provides
configuration synchronization and some runtime data synchronization such as IPsec security
associations. It does not support any session synchronization (HA2), and therefore does not offer
stateful failover.
• The VM-Series firewall in AWS supports active/passive HA only; if it is deployed with Amazon
Elastic Load Balancing (ELB), it does not support HA (in this case ELB provides the failover
capabilities).
• The VM-Series firewall in Microsoft Azure does not support HA.
Active/Passive Clusters
Active/passive HA is the recommended deployment method in nearly every case. One firewall actively
manages traffic while the other is synchronized and ready to transition to the active state, should a
failure occur. In this mode, both firewalls share the same configuration settings, and one actively
manages traffic until a path, link, system, or network failure occurs. When the active firewall fails, the
passive firewall transitions to the active state and takes over seamlessly and enforces the same policies to
maintain network security. The firewalls synchronize the session state table allowing the passive partner
to step into and continue servicing active sessions at failover. Active/passive HA is supported in the virtual
wire, Layer 2, and Layer 3 deployments.
Because only one firewall is handling traffic and both firewalls share the same traffic interface
configuration, active/passive is usually much easier to manage.
Active/Active Clusters
Both firewalls in the pair are active and processing traffic and work synchronously to handle session setup
and session ownership. Both firewalls individually maintain session tables and routing tables and
synchronize to each other. Active/active HA is supported in virtual wire and Layer 3 deployments.
In active/active HA mode, the firewall does not support DHCP client. Furthermore, only the active-
primary firewall can function as a DHCP Relay. If the active-secondary firewall receives DHCP broadcast
packets, it drops them.
Physical and virtual firewall interfaces have unique addresses but can also have floating IP addresses
assigned allowing both firewalls to support the single address at failover.
Important information on Floating IP Addresses and Virtual MAC Addresses for the Active/Active
configuration can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/high-availability/ha-
concepts/floating-ip-address-and-virtual-mac-address#ida3676d14-7d84-4389-b042-2c9b69ed3411.
Choosing a Cluster Type
• Active/passive mode has simplicity of design; it is significantly easier to troubleshoot routing and
traffic flow issues in active/passive mode.
• Active/passive mode supports a VWire deployment; active/active mode does not.
• Active/active mode requires advanced design concepts that can result in more complex
networks. Depending on how you implement active/active HA, it might require additional
configuration such as activating networking protocols on both firewalls, replicating NAT pools,
and deploying floating IP addresses to provide proper failover. Because both firewalls are actively
processing traffic, the firewalls use additional concepts of session owner and session setup to
perform Layer 7 content inspection.
• Active/active mode is recommended if each firewall needs its own routing instances and you
require full, real-time redundancy out of both firewalls all the time. Active/active mode has faster
failover and can handle peak traffic flows better than active/passive mode because both firewalls
are actively processing traffic.
• In active/active mode, the HA pair can be used to temporarily process more traffic than what one
firewall can normally handle. However, this should not be the norm because a failure of one
firewall causes all traffic to be redirected to the remaining firewall in the HA pair. Your design
must allow the remaining firewall to process the maximum capacity of your traffic loads with
content inspection enabled. If the design oversubscribes the capacity of the remaining firewall,
high latency and/or application failure can occur.
More details on designing an Active/Active cluster can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/high-availability/set-up-activeactive-ha/determine-your-activeactive-use-case
HA Links and Backup Links
The firewalls in an HA pair use HA links to synchronize data and maintain state information. Some firewall
models have dedicated HA ports, a control link (HA1) and a data link (HA2), while others require you
to use in-band ports as HA links.
• For firewalls with dedicated HA ports, use these ports to manage communication and
synchronization between the firewalls. For details, see the link below.
• For firewalls without dedicated HA ports such as the PA-200, PA-220, PA-220R, and PA-500
firewalls, as a best practice use a data-plane port for the HA port and use the management port
as the HA1 backup.
Because the HA ports synchronize data critical to proper HA failover, implementing backup HA paths is a
recommended best practice. In-band ports can be used for backup links for both HA1 and HA2
connections when dedicated backup links are not available. Consider the following guidelines when you
configure backup HA links:
• The IP addresses of the primary and backup HA links must not overlap each other.
• HA backup links must be on a different subnet from the primary HA links.
• HA1-backup and HA2-backup ports must be configured on separate physical ports. The HA1-
backup link uses ports 28770 and 28260.
More information on the purpose and setup of the HA links can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/high-availability/ha-concepts/ha-links-and-backup-links#id1df2d565-1765-4666-83b0-87652318e06f
HA pair configuration synchronization is discussed here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/ta-p/57292
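The three backup-link guidelines above, turned into a configuration check (an added Python example, not PAN-OS or study guide code). Interface names and addresses are constructed for the example; the check that a backup link does not reuse its own primary link's port is an obvious extension of the guidelines.

```python
"""Constructed checker for HA backup-link guidelines (not PAN-OS code)."""
import ipaddress
from typing import Dict, List

# Constructed shape: {"port": "<interface name>", "address": "<ip/prefix>"}
HALink = Dict[str, str]


def check_ha_backup_links(links: Dict[str, HALink]) -> List[str]:
    """links maps the roles ha1, ha1-backup, ha2, ha2-backup to port and address.
    Returns a list of findings; an empty list means the guidelines are met."""
    findings: List[str] = []
    ifaces = {role: ipaddress.ip_interface(cfg["address"]) for role, cfg in links.items()}

    for primary in ("ha1", "ha2"):
        backup = f"{primary}-backup"
        if backup not in links:
            findings.append(f"{primary}: no backup link configured")
            continue
        p_net, b_net = ifaces[primary].network, ifaces[backup].network
        if p_net == b_net:
            # Guideline: backup links must be on a different subnet from the primary.
            findings.append(f"{backup}: {b_net} is the same subnet as {primary}")
        elif p_net.overlaps(b_net):
            # Guideline: primary and backup address ranges must not overlap.
            findings.append(f"{backup}: {b_net} overlaps the {primary} subnet {p_net}")
        if links[backup]["port"] == links[primary]["port"]:
            # Implicit: a backup path on the same physical port is no backup at all.
            findings.append(f"{backup}: shares port {links[backup]['port']} with {primary}")

    # Guideline: HA1-backup and HA2-backup must use separate physical ports.
    if ("ha1-backup" in links and "ha2-backup" in links
            and links["ha1-backup"]["port"] == links["ha2-backup"]["port"]):
        findings.append(f"ha1-backup and ha2-backup share port {links['ha1-backup']['port']}")
    return findings


# Constructed sample for a model without dedicated HA ports: data-plane ports carry
# HA1/HA2 and the management port carries the HA1 backup, as the best practice above says.
GOOD_LINKS: Dict[str, HALink] = {
    "ha1":        {"port": "ethernet1/7", "address": "192.168.1.1/24"},
    "ha1-backup": {"port": "management", "address": "10.0.0.1/24"},
    "ha2":        {"port": "ethernet1/8", "address": "192.168.2.1/24"},
    "ha2-backup": {"port": "ethernet1/6", "address": "10.0.1.1/24"},
}

# Constructed misconfiguration: HA1 backup on the HA1 subnet, both backups on one port.
BAD_LINKS: Dict[str, HALink] = {
    "ha1":        {"port": "ethernet1/7", "address": "192.168.1.1/24"},
    "ha1-backup": {"port": "ethernet1/6", "address": "192.168.1.2/24"},
    "ha2":        {"port": "ethernet1/8", "address": "192.168.2.1/24"},
    "ha2-backup": {"port": "ethernet1/6", "address": "10.0.1.1/24"},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_LINKS), ("bad", BAD_LINKS)):
        print(label, check_ha_backup_links(cfg) or "no findings")
```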
Sample questions
7. What would cause you to recommend an active/active cluster instead of an active/passive
one?
A. Active/active is the preferred solution when the firewall cluster is behind a load
balancer that randomizes routing, requiring both firewalls to be active.
B. Active/active is the preferred solution in most cases, because it allows for more
bandwidth while both firewalls are up. Active/passive is available only for backward
compatibility.
C. Active/active is the preferred solution when using the PA-7000 Series. When using the
PA-5200 Series or smaller form factors, use active/passive.
D. Active/active is the preferred solution when using the PA-5200 Series or smaller form
factors. When using the PA-7000 Series, use active/passive.
8. Which two of the following events can trigger an HA pair failover event? (Choose two.)
A. An HA1 cable is disconnected from one of the firewalls.
B. A Dynamic Update fails to download and install.
C. The firewall fails to ping a destination address successfully.
D. OSPF implemented on the firewall determines an available route is now down.
E. RIP implemented on the firewall determines an available route is now down.
9. Which of the following firewall models does not support active/passive HA pair?
A. PA-200
B. VM-Series in AWS
C. VM-Series in Azure
D. VM-Series in ESXi
10. Which two firewall features support Floating IP Addresses in an active/active HA pair?
(Choose two.)
A. Data-plane traffic interfaces
B. Source NAT
C. VPN endpoints
D. Loopback interfaces
E. Management port
11. How do firewalls in an Active/Passive HA pair synchronize their configurations?
A. An administrator commits the changes to one, then commits them to the partner at
which time the changes are sent to the other
B. An administrator pushes the config file to both firewalls then commits them
C. An administrator commits changes to one and it automatically synchronizes with the
other
D. An administrator schedules an automatic sync frequency in the firewall configs
Identify the appropriate interface type and configuration for a specified network
deployment.
Types of Interfaces
Palo Alto Networks firewalls support several different interface types: TAP mode, Virtual Wire mode,
Layer 2, Layer 3, and aggregate. A single firewall can freely intermix interface types to meet any
integration need. A particular interface’s configuration is chosen depending on functional need and
existing network integration requirements. The following illustration shows the primary configuration
options for integrating physical traffic ports. Layer 2 also is available but is not pictured.
Interface types are determined by functional needs.
The following screen capture shows primary configuration options for interfaces:
Possible interface configuration options to match your integration needs
Decrypt Mirror
Decrypt Mirror is a special configuration supporting the routing of decrypted traffic copies through an
external interface to a Data Loss Prevention (DLP) service. Data Loss Prevention is a product category for
products that scan Internet-bound traffic for key words and patterns that identify sensitive information.
Specific information is here:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Decrypt-Mirror-Port-on-PAN-OS-6-0/ta-p/57440
LACP Protocol / Aggregate Interfaces
Physical Layer 2 and Layer 3 interfaces can be aggregated into a single logical interface using LACP
(Link Aggregation Control Protocol), so that traffic is multiplexed across the member links.
Specific information is here:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-LACP/ta-p/65837
Virtual Interfaces
Palo Alto Networks firewalls also provide several virtual interface types for additional functionality:
Loopback interfaces can be destination configs for DNS sinkholes and GlobalProtect service interfaces.
VLANs are logical interfaces specifically serving as interconnects between on-board virtual switches
(VLANs) and virtual routers, which allows traffic to move from Layer 2 to Layer 3 within the firewall.
Specific information is here. This article is dated and has older WebUI screenshots, but the concepts are
still current:
https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-a-Layer-2-to-Layer-3-Connection-on-the-Palo/ta-p/52787
Loopback Interfaces
Loopback interfaces are Layer 3 interfaces that exist only virtually and connect to virtual routers in the
firewall. Loopback interfaces are used for multiple network engineering and implementation purposes.
They can be destination configurations for DNS sinkholes, GlobalProtect service interfaces (portals and
gateways), routing identification, and more.
Tunnel Interfaces
Tunnel interfaces specifically serve VPN tunnels (both point to point and large-scale VPN solutions such as
GlobalProtect) and are Layer 3 only. They serve as the entry and exit for traffic transiting a VPN tunnel.
To configure a VPN tunnel, you must configure the Layer 3 interface at each end and have a logical
tunnel interface for the firewall to connect to and establish a VPN tunnel. A tunnel interface is a logical
(virtual) interface that is used to deliver traffic between two endpoints. Each tunnel interface can have a
maximum of 10 IPsec tunnels, which means that up to 10 networks can be associated with the same
tunnel interface on the firewall. The encrypted tunnel traffic terminates on the VPN endpoint interface
(an interface on the firewall) and cleartext traffic continues to the tunnel interface before it enters the
routing environment of the firewall.
The tunnel interface must belong to a security zone to apply policy, and it must be assigned to a virtual
router to use the existing routing infrastructure. Ensure that the tunnel interface and the physical
interface are assigned to the same virtual router so that the firewall can perform a route lookup and
determine the appropriate tunnel to use.
The Layer 3 interface to which the tunnel interface typically is attached belongs to an external zone, for
example, the untrust zone. Although the tunnel interface can be in the same security zone as the
physical interface, for added security and better visibility you can create a separate zone for the tunnel
interface. If you create a separate zone for the tunnel interface (for example, a VPN zone), you will need
to create Security policies to enable traffic to flow between the VPN zone and the trust zone.
A tunnel interface does not require an IP address to route traffic between the sites. An IP address is
required only if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to
route traffic across the tunnel. With dynamic routing, the tunnel IP address serves as the next-hop IP
address for routing traffic to the VPN tunnel.
Interface Configurations
Each interface carries a configuration that binds various services to it. HTTPS, which includes the WebUI
service, should be enabled on at least one interface. The Permitted IP Addresses setting adds an Access
Control List that restricts which sources can reach any interface to which this profile is assigned.
Protocol services and internal processes can be selectively bound to interfaces.
Palo Alto Networks firewalls provide several traffic-handling objects to move traffic between interfaces.
The available types are: VLAN objects (VLANs) for Layer 2 traffic, virtual routers for Layer 3 traffic, and
virtual wires for virtual wire interfaces.
The available traffic-handling objects to move traffic from one interface to another
Multiple handler types can be implemented at the same time, and in any quantity. Each object carries
the configuration appropriate to the protocols it handles; virtual routers can additionally run
dynamic routing protocols if desired.
Routing capabilities of a Layer 3 virtual router
Each Layer 3 dynamic routing protocol includes appropriate specific configuration options. An example
of OSPFv2 follows.
An example of a dynamic routing configuration
IPsec tunnels are considered Layer 3 traffic segments for implementation purposes and are handled by
virtual routers as any other network segment. Forwarding decisions are made by destination address,
not by VPN policy.
References
• Network design (written for an older version of PAN-OS® software but still valid)
https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks-Firewalls/ta-p/60868?attachment-id=1585
• Layer 2 interfaces
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-2-Interfaces/ta-p/68229
• Layer 3 interfaces and related topics
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-NAT-and-DHCP/ta-p/66999
• Layer 3 subinterfaces (VLAN tags)
https://live.paloaltonetworks.com/t5/Featured-Articles/Getting-Started-Layer-3-Subinterfaces/ta-p/67395
• Virtual wire interfaces
Section 2 of https://live.paloaltonetworks.com/t5/Integration-Articles/Designing-Networks-with-Palo-Alto-Networks-Firewalls/ta-p/60868?attachment-id=1585
Sample questions
12. You want to put the NGFW in front of an existing firewall to begin providing better security
while making the minimum required network changes. Which interface type do you use?
A. TAP
B. Virtual Wire
C. Layer 2
D. Layer 3
13. Which kind of interface do you use to connect Layer 2 and Layer 3 interfaces?
A. VLAN
B. virtual router
C. loopback
D. tunnel
14. Which Dynamic Routing protocol cannot be configured on the firewall’s virtual router(s)?
A. RIP
B. OSPF
C. OSPFv3
D. IGRP
E. BGP
15. Which of the following are not compatible with Aggregate interface configuration?
A. Aggregating 12 Layer 3 interfaces together
B. Aggregating 4 Virtual Wire interfaces together
C. Using Aggregate interfaces in an HA pair
D. 2 10 Gbps optical and 2 10 Gbps copper Ethernet ports aggregated together
Identify how to use template stacks for administering Palo Alto Networks firewalls as a scalable solution using Panorama.
Panorama Overview
Without Panorama, Palo Alto Networks firewalls have no direct knowledge of each other and must be
managed as independent entities. Panorama offers several important integration functions providing
enterprise management for multiple firewalls.
Panorama is a separate Palo Alto Networks product supplied in either virtual or physical appliance form
sized to match desired functions, number of firewalls, and level of firewall activity. Panorama should be
implemented as a high availability cluster consisting of two identical platforms. Unlike firewalls,
Panorama HA cluster members are often physically separated.
A functional overview of Panorama is here:
https://www.paloaltonetworks.com/products/management/panorama
A presentation of the different Panorama platforms and their capacities is here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/panorama-models
The following illustration outlines the main features of Panorama:
Panorama can provide centralized management, logging, reporting, software updates, and administrative control to multiple
firewalls.
A brief description of these features can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/about-panorama#id52537f5d-4ddc-4701-b7e0-4d31476c2eb1
Log Aggregation
Log aggregation of events from firewalls to an enterprise-level log stored on Panorama requires specific
design and scaling consideration. When log aggregation is implemented, copies of log events are
forwarded from firewalls to Panorama as they are generated. Specific settings are created for each
firewall that determine the specific event types to forward. This forwarding can be CPU- and disk-
intensive on the Panorama platform and needs to be sized carefully. In high log volume situations, an
intermediate level of log collecting servers can be implemented (Logger in the preceding diagram).
More discussion of this topic is here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/centralized-logging-and-reporting
Palo Alto Networks designed the Panorama WebUI to be as similar to the firewall WebUI as possible to
simplify the transition to Panorama management. All menus (other than Panorama) are faithfully
reproduced and mostly have identical menu options:
Top-level user interface for Panorama
Templates
You use templates and template stacks to configure the settings that enable firewalls to operate on the
network. Templates are the basic building blocks you use to configure the Network and Device tabs on
Panorama™. Template stacks let you layer multiple templates to create a combined configuration. They
simplify management because you can define a common base configuration for all devices attached to
the stack, add templates with location- or function-specific settings, and stack the templates in
descending order of priority so that firewalls inherit settings based on the order of the templates in
the stack.
Firewalls are assigned to template stacks. This assignment links the template stack's data to specific
firewalls, and a particular template stack's data is pushed to its assigned firewalls with a Panorama push
operation.
Both templates and template stacks support variables. Variables allow you to create placeholder objects
with their value specified in the template or template stack based on your configuration needs. Create a
template or template stack variable to replace IP addresses, Group IDs, and interfaces in your
configurations. Template variables are inherited by the template stack and you can override them to
create a template stack variable specific to one or more firewalls. However, templates do not inherit
variables defined in the template stack. When a variable is defined in the template or template stack and
pushed to the firewall, the value defined for the variable is displayed on the firewall.
When defining a template stack, consider assigning firewalls that are the same hardware model and
require access to similar network resources, such as gateways and syslog servers. This enables you to
avoid the redundancy of adding every setting to every template stack. Templates in a stack have a
configurable priority order that ensures Panorama pushes only one value for any duplicate setting.
Panorama evaluates the templates listed in a stack configuration from top to bottom with higher
templates having priority.
Required device group object selection to receive network configuration settings
A firewall can be assigned to only one template stack at a time. The template stack can be an individual
template or a collection of up to 16 individual templates.
An overview of Templates and Template Stacks can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks#id4ff18f85-9f4f-48fe-b6f9-e4b52a139d95
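The priority and variable-inheritance rules above, as an added Python model that is not from the study guide or Palo Alto Networks. Template names, setting keys and addresses are constructed; when two templates define the same variable, the top template is assumed to win, mirroring the rule for settings.

```python
"""Constructed model of how a template stack resolves settings and variables (not Panorama code)."""
from typing import Dict, List, Optional

MAX_TEMPLATES_PER_STACK = 16   # limit stated in the study guide


class Template:
    def __init__(self, name: str, settings: Dict[str, str],
                 variables: Optional[Dict[str, str]] = None) -> None:
        self.name = name
        self.settings = settings                 # e.g. {"dns.primary": "$dns"}
        self.variables = dict(variables or {})   # e.g. {"$dns": "10.0.0.53"}


class TemplateStack:
    def __init__(self, name: str, templates: List[Template],
                 variables: Optional[Dict[str, str]] = None) -> None:
        if len(templates) > MAX_TEMPLATES_PER_STACK:
            raise ValueError(f"a template stack holds at most {MAX_TEMPLATES_PER_STACK} templates")
        self.name = name
        self.templates = templates               # index 0 is the top of the stack (highest priority)
        self.variables = dict(variables or {})   # stack-level overrides

    def effective_variables(self) -> Dict[str, str]:
        """Template variables flow into the stack and the stack's own values win.
        Nothing is written back, so templates never inherit stack variables."""
        merged: Dict[str, str] = {}
        for tpl in reversed(self.templates):     # bottom first, so higher templates overwrite (assumed)
            merged.update(tpl.variables)
        merged.update(self.variables)
        return merged

    def render(self) -> Dict[str, str]:
        """Return the one value Panorama pushes for each setting, variables substituted."""
        resolved: Dict[str, str] = {}
        for tpl in reversed(self.templates):     # bottom first, so the top template has the last word
            resolved.update(tpl.settings)
        variables = self.effective_variables()
        rendered: Dict[str, str] = {}
        for key, value in resolved.items():
            if value.startswith("$"):
                if value not in variables:
                    raise KeyError(f"{key} references undefined variable {value}")
                rendered[key] = variables[value]
            else:
                rendered[key] = value
        return rendered


# Constructed sample: a common base template beneath a site-specific template.
BASE = Template("Base-Settings",
                {"ntp.primary": "$ntp", "dns.primary": "$dns", "syslog.server": "10.0.0.10"},
                {"$ntp": "10.0.0.123", "$dns": "10.0.0.53"})
SITE_NYC = Template("Site-NYC",
                    {"dns.primary": "$dns", "timezone": "US/Eastern"},
                    {"$dns": "10.1.0.53"})
# Site-NYC is on top, so its values take priority; the stack overrides $ntp for this site only.
NYC_STACK = TemplateStack("NYC-Stack", [SITE_NYC, BASE], {"$ntp": "10.1.0.123"})


def pushed_config() -> Dict[str, str]:
    """The configuration the NYC firewall receives from its stack."""
    return NYC_STACK.render()


if __name__ == "__main__":
    for key, value in sorted(pushed_config().items()):
        print(f"{key:15} {value}")
```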
Sample questions
16. The Security policy for all of a customer’s remote offices is the same, but because of different
bandwidth requirements some offices can use a PA-220 and others require higher-end models
(up to PA-5000 Series). If the firewalls for the offices are all managed centrally using
Panorama, can they share the same device group? Can they share the same template?
A. Same device group and same template stack
B. Same device group, different template stacks
C. Different device groups, same template stack
D. Different device groups and different template stacks
17. A firewall is assigned to a Template stack of 2 templates. There is a common setting in each
Template that has a different value. When Panorama pushes the template stack contents to
the managed firewall which setting will the firewall receive?
A. The value from the top template of the stack
B. The value from the bottom template in the stack
C. The value from the template designated as the Parent.
D. The value an admin selects from the two available values.
18. Which statement is true regarding Log Collecting in a Panorama HA pair?
A. Both Panoramas cannot be configured to collect logs
B. Log collecting is handled by the Active HA Panorama until a failover occurs
C. Both Panoramas collect independent logging traffic and are not affected by failover
D. Both Panoramas receive the same logging traffic and synchronize in case of HA
failover
19. Which four firewall settings are stored in Panorama Templates? (Choose four.)
A. User Identification configuration
B. Custom Application-ID Signatures
C. Services definitions
D. DoS Protection Profiles
E. Traffic Interface configurations
F. Zone Protection Profiles
G. Server Profile for an external LDAP server
Identify how to use device group hierarchy for administering Palo Alto Networks firewalls as a scalable solution using Panorama.
Device Groups
Device Groups are Panorama objects used for storing firewall settings. Device Groups store the settings found
under the Policy and Objects tabs of the firewall UI. Other than storing a different type of settings, they
behave like Templates, except that there is no stacking concept. Device Groups are defined individually, with
their parent and ancestor device groups specified at creation time for inheritance purposes. Instead of being
assigned to a stack, firewalls are assigned to an individual Device Group, from which the firewall receives
that group's settings and those of every group above it in the parent relationship. Device Group inheritance
always includes the predefined “Shared” group in the senior position.
An example of Device Group inheritance
Information on Device Group design can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups#id72c6ff97-83c1-4aa8-a918-ea754a5a8887
A discussion of this hierarchy and inheritance can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy#id014f3417-fe14-4fdd-8fd7-c03ac8cb2e0b
Details about Device Groups and their use can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/manage-firewalls/manage-device-groups#id9b0560e8-e831-435e-a287-6a7970eae5d6
Configuration data from Panorama merges with the local firewall configuration (if any) at Panorama
commit time. In the case of policies, the merged result is built from strict rules. Locally created firewall
policies occupy the middle of the resulting list and Panorama-supplied policies occupy the top (Pre) or
bottom (Post).
The Pre and Post designations are determined at policy creation time in Panorama by deliberately
choosing the type during policy creation:
Panorama-supplied policies merge with local policies in this manner.
This image details options for Pre and Post position selections in Panorama
Panorama policy menu for Pre Rules and Post Rules
An administrator entering any information under the Panorama Policy or Objects tab must choose the
Device Group to receive the settings. If settings are being entered into Policies, a selection of pre-rules or
post-rules must also be made.
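The rulebase merge described above, as an added Python model that is not from the study guide or Palo Alto Networks. The device-group names and rules are constructed, rules are simplified to (name, application, action), and pre-rules are assumed to be ordered ancestor before descendant with post-rules in the reverse order.

```python
"""Constructed model of Panorama pre-/post-rules merging with local firewall rules (not Panorama code)."""
from typing import List, Optional, Tuple

# Constructed simplified rule: (rule name, application it matches, action)
Rule = Tuple[str, str, str]


class DeviceGroup:
    def __init__(self, name: str, parent: Optional["DeviceGroup"] = None,
                 pre_rules: Optional[List[Rule]] = None,
                 post_rules: Optional[List[Rule]] = None) -> None:
        self.name = name
        self.parent = parent
        self.pre_rules = list(pre_rules or [])
        self.post_rules = list(post_rules or [])

    def lineage(self) -> List["DeviceGroup"]:
        """The chain from Shared (most senior) down to this group."""
        chain: List["DeviceGroup"] = []
        node: Optional["DeviceGroup"] = self
        while node is not None:
            chain.append(node)
            node = node.parent
        chain.reverse()
        if chain[0].name != "Shared":
            raise ValueError("a device-group hierarchy must be rooted at Shared")
        return chain


def merged_rulebase(group: DeviceGroup, local_rules: List[Rule]) -> List[Tuple[str, Rule]]:
    """Build the rulebase the firewall ends up with, each rule tagged with its origin."""
    chain = group.lineage()
    rulebase: List[Tuple[str, Rule]] = []
    for dg in chain:                        # pre-rules: Shared first, then each descendant (assumed order)
        rulebase += [(f"{dg.name}/pre", r) for r in dg.pre_rules]
    rulebase += [("local", r) for r in local_rules]     # locally created rules sit in the middle
    for dg in reversed(chain):              # post-rules: descendant first, Shared last (assumed order)
        rulebase += [(f"{dg.name}/post", r) for r in dg.post_rules]
    return rulebase


def first_match(rulebase: List[Tuple[str, Rule]], app: str) -> Optional[Tuple[str, str, str]]:
    """Top-down first match, the way the firewall evaluates its Security rulebase."""
    for origin, (name, rule_app, action) in rulebase:
        if rule_app in (app, "any"):
            return origin, name, action
    return None


# Constructed hierarchy: Shared -> Branches -> Branch-NYC, plus the NYC firewall's local rules.
SHARED = DeviceGroup("Shared",
                     pre_rules=[("block-tor", "tor", "deny")],
                     post_rules=[("corp-cleanup", "any", "deny")])
BRANCHES = DeviceGroup("Branches", parent=SHARED,
                       pre_rules=[("allow-dns", "dns", "allow")])
BRANCH_NYC = DeviceGroup("Branch-NYC", parent=BRANCHES,
                         post_rules=[("nyc-web", "web-browsing", "allow")])
# A local admin tried to allow tor; the Shared pre-rule above it still wins.
LOCAL_RULES: List[Rule] = [("allow-ssh", "ssh", "allow"), ("local-tor", "tor", "allow")]

NYC_RULEBASE = merged_rulebase(BRANCH_NYC, LOCAL_RULES)

if __name__ == "__main__":
    for origin, (name, app, action) in NYC_RULEBASE:
        print(f"{origin:16} {name:14} {app:14} {action}")
```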
Committing Changes with Panorama
Panorama uses a Commit concept similar to the firewall's, but as a process with multiple phases. Changes
made in Panorama must first be committed to Panorama and then pushed to the managed devices. Both
phases provide ways to commit or push only part of the pending data.
Committing to Panorama commits either the changes made by a chosen admin or all staged changes as
illustrated below.
Once changes are committed to Panorama, they are pushed to firewalls according to their assigned
Device Groups and Template Stacks. This push can include all queued changes or be done selectively
for specific Device Groups or Template Stacks, and specific firewalls can be chosen for the update.
Selecting the Edit Selections button at the bottom provides granular selection of the data to be pushed.
More information on the Commit and Push functions can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/panorama-commit-validation-and-preview-operations#id1657d230-91b0-4ef0-99d2-dc344e5cf50f
Sample questions
20. When entering Security policy rules you want to ensure your new rules will take precedence
over locally entered rules. Where do you put them in Panorama?
A. In the Security policy rules with a targeted firewall.
B. In the Default rules section of Security policy rules.
C. In the Pre-rules section of Security policy rules.
D. In the Post-rules section of Security policy rules.
21. Which three firewall settings are stored in Panorama Device Groups? (Choose three.)
A. User Identification configuration
B. Custom Application-ID Signatures
C. Services definitions
D. DoS Protection Profiles
E. Traffic Interface configurations
F. Zone Protection Profiles
G. Server Profile for an external LDAP server
Identify options to deploy Palo Alto Networks firewalls in a private or public cloud
(VM-Series)
Virtual Firewalls
The VM-Series is a virtualized form factor of our next-generation firewall that can be deployed in a range
of public and private cloud computing environments. VM-Series firewalls run the same PAN-OS® software
as the hardware appliances, with the same features and capabilities. Each environment supports the full
functionality of PAN-OS® software, with minor differences depending on the deployed cloud technology.
The virtual firewalls can be obtained from the public cloud “marketplaces” or uploaded as a virtual
appliance into private clouds. Several models are available; the primary difference between them is the
number of simultaneous sessions each can support.
Complete information about supported environments and locations can be found here:
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/vm-series-firewalls
In both private and public cloud environments, the VM-Series can be deployed as a perimeter gateway,
an IPsec VPN termination point, and a segmentation gateway, preventing threats from moving from
workload to workload. These firewalls run the same PAN-OS® software as hardware appliance firewalls
with the same feature set.
An overview of the available models is here:
https://www.paloaltonetworks.com/products/secure-the-network/virtualized-next-generation-firewall/vm-series
VM-Series firewalls deployed in cloud environments have special considerations for HA deployment, the
supported interface types, MAC address handling, and Jumbo Frame use, among others.
A complete description of these considerations can be found here:
https://www.paloaltonetworks.com/documentation/81/virtualization/virtualization
Sample questions
22. A private cloud has 20 VLANs spread over 5 ESXi hypervisors, managed by a single vCenter. How
many firewall VMs are needed to implement microsegmentation?
A. 1
B. 4
C. 5
D. 20
23. When you deploy the Palo Alto Networks NGFW on NSX, do packets coming to an application
VM from VMs running on different hardware go through the NSX firewall? If so, which
modules do they go through?
A. No, the Palo Alto Networks NGFW replaces the NSX firewall.
B. Yes. The network, vSwitch, NSX firewall, Palo Alto Networks NGFW, application VM.
C. Yes. The network, vSwitch, Palo Alto Networks NGFW, NSX firewall, application VM.
D. Yes. The network, vSwitch, NSX firewall, Palo Alto Networks NGFW, NSX firewall,
application VM.
24. Which option shows the interface types that ESX supports in the VM-Series firewalls?
A. Tap, Layer 2, Layer 3, VWire
B. Layer 3 only
C. Tap, Layer 2, Layer 3
D. Layer 3, VWire
25. Which option shows the circumstances in which High Availability is supported for Private
Cloud VM-Series firewalls?
A. ESX supports both active/active and active/passive HA, and KVM and Hyper-V support
active/passive only.
B. ESX, KVM, and Hyper-V support active/passive and active/active HA implementations.
C. ESX, KVM, and Hyper-V support active passive HA-Lite configurations only, with no
Active/Active support.
D. ESX, KVM, and Hyper-V support active/passive implementations only.
Identify methods for Authorization, Authentication, and Device Administration
Administrative Accounts and Roles
Administrators can configure, manage, and monitor Palo Alto Networks firewalls and Panorama using the
web interface, CLI, and API management interface. You can customize role-based administrative access
to the management interfaces to delegate specific tasks or permissions to certain administrators.
Administrative accounts specify roles and authentication methods for the administrators of Palo Alto
Networks firewalls and Panorama. Each device has a predefined default administrative account (admin)
that provides full read-write access (also known as superuser access) to the firewall. Other administrative
accounts can be created as needed.
The types of administrative account roles are discussed here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/firewall-administration/manage-firewall-administrators/administrative-role-types
Authentication
Authentication is a method for protecting services and applications by verifying the identities of users so
that only legitimate users have access. Several firewall and Panorama features require authentication.
Administrators authenticate to access the web interface, CLI, or XML API of the firewall and Panorama.
End users authenticate through Captive Portal or GlobalProtect to access various services and
applications. You can choose from several authentication services to protect your network and to
accommodate your existing security infrastructure while ensuring a smooth user experience.
If you have a public key infrastructure, you can deploy certificates to enable authentication without users
having to manually respond to login challenges. Alternatively, or in addition to certificates, you can
implement interactive authentication, which requires users to authenticate using one or more methods.
Supported authentication types include:
• Multi-Factor
• SAML
• Single Sign-On
• Kerberos
• TACACS+
• RADIUS
• LDAP
• Local
A complete discussion of these authentication types can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/authentication
When user or administrative access is configured, one or more authentication methods must be specified.
A user or administrator definition typically requires an Authentication Profile, which captures the desired
authentication method. When more than one method is desired, an Authentication Sequence can be used
instead; it is an ordered list of Authentication Profiles. The first profile is tried, and if its service is not
available, authentication drops to the next option. Authentication Profiles are in turn made up of an ordered
list of Server Profiles that contain the specific configuration and access information for the external
authentication service.
Detailed information on creating Authentication Profiles and Sequences can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/authentication/configure-an-authentication-profile-and-sequence#idf258e497-4998-4a70-8676-aa9aba521a44
A special note on Multi-Factor Authentication.
Palo Alto Networks firewalls support multi-factor authentication. A Multi-Factor Authentication Server Profile
is used to integrate with an external third-party MFA solution. The MFA factors that the firewall supports
include Push, Short Message Service (SMS), Voice, and One-time password (OTP) authentication. This profile
is where the specific product is chosen and the configuration information for integrating with that product
is entered.
The Multi-factor Authentication Server Profile shown above can in turn be a part of multiple challenges a
user must respond to. For example, you can force users to enter a login password and then enter a
verification code that they receive by phone before accessing critical financial documents.
The firewall challenges a user with a Captive Portal. Captive Portal configuration includes an
Authentication Profile selected for base Captive Portal configuration that represents the first challenge a
user must negotiate.
An Authentication Enforcement policy is then used to tie in the MFA product as a second required
authentication. Selecting the MFA product’s Authentication Profile adds it as a second authentication
requirement for users.
Configuring base Captive Portal is discussed here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/map-ip-addresses-to-users/map-ip-addresses-to-usernames-using-captive-portal/configure-captive-portal
The complete MFA implementation process is discussed here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/authentication/configure-multi-factor-authentication

Panorama Access Domains
Panorama implements an additional level of administrative control through Access Domains. This optional configuration restricts a Panorama administrator's access to the settings of specific firewalls.
More information about this can be found here:
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/role-based-access-control/access-domains#id3fcb9a8f-be36-4dd2-ace7-f82c20a90409
Sample questions
26. Which built-in Dynamic role would you give an auditor who is authorized to audit everything
on the firewall?
A. Superuser
B. superuser (read-only)
C. virtual system administrator
D. virtual system administrator (read-only)
27. In order to configure Multi-Factor Authentication for users accessing services through the firewall, what primary configuration pieces need to be addressed? (Choose 5)
A. GlobalProtect Portal
B. Server Profile
C. Captive Portal
D. Authentication Enforcement Profile
E. Authentication Policy
F. Local User Database
G. Authentication Profile
H. Response Pages
28. Which of the following configuration components are NOT used for user authentication in the
firewall?
A. Local User Database
B. Server Profiles
C. Certificates
D. Admin Roles
E. Authentication policy rules
29. Which two firewall functions are reserved only for admins assigned the Superuser dynamic
role? (Choose 2)
A. Certificate Management
B. Managing firewall admin accounts
C. Editing the Management interface settings
D. Creating Virtual Systems within a firewall
E. Accessing the Configuration mode of the CLI
Given a scenario, identify ways to mitigate resource exhaustion (because of denial-of-service) in application servers

Resource Exhaustion
Port scans and floods are common causes of resource exhaustion at the interface and system level for
protected devices and the firewall interfaces themselves. Although PAN-OS® software does have
powerful protections, none of them are turned on by default, which leaves a firewall exposed to these
attacks until protections are configured. Palo Alto Networks provides two protection mechanisms for resource exhaustion caused by these attacks: Zone Protection Profiles and DoS Protection policies/profiles.
Zone Protection Profiles
Zone protection profiles defend the zone at the ingress zone edge against reconnaissance port scan and
host sweep attacks, IP packet-based attacks, non-IP protocol attacks, and against flood attacks by limiting
the number of connections-per-second of different packet types.
Zone design itself provides segmentation of networks which magnifies the protection of Zone Protection
Profiles. A discussion of Zone design through the lens of protection can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/zone-protection-and-dos-protection/how-do-zones-protect-the-network#iddd95afb5-16e3-491e-af0d-280511d3047c
Zone protection profiles provide broad defense of the entire zone based on the aggregate traffic entering the zone, protecting against flood attacks and undesirable packet types and options. Zone protection profiles do not control traffic between zones; they control traffic only at the ingress zone. Zone protection profiles do not take individual IP addresses into account because they apply to the aggregate traffic entering the zone (DoS protection policy rules defend individual IP addresses in a zone). This protection is applied early in the traffic processing flow, minimizing firewall resource use.
A complete description of Zone Protection Profile settings appears here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/zone-protection-and-dos-protection/zone-defense/zone-protection-profiles

A video tutorial about implementing Zone Protection Profiles is here:
https://live.paloaltonetworks.com/t5/Featured-Articles/Video-Tutorial-Zone-protection-profiles/ta-p/70687
Recommendations for Zone Protection Profile settings are here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Zone-Protection-Recommendations/ta-p/55850
DoS Protection Profile
DoS protection profiles and DoS protection policy rules combine to protect specific areas of your network against packet flood attacks only (unlike Zone Protection Profiles, which cover more than floods) and to protect individual resources against session floods.
DoS protection profiles set the protection thresholds to provide DoS Protection Against Flooding of New
Sessions for IP floods (connections-per-second limits), to provide resource protection (maximum
concurrent session limits for specified endpoints and resources), and to configure whether the profile
applies to aggregate or classified traffic. DoS protection policy rules control where to apply DoS
protection and what action to take when traffic matches the criteria defined in the rule.
Unlike a zone protection profile, which protects only the ingress zone, DoS protection profiles and policy
rules can protect specific resources inside a zone and traffic flowing between different endpoints and
areas. Unlike a zone protection profile, which supports only aggregate traffic, you can configure
aggregate or classified DoS protection profiles and policy rules.
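To make the aggregate-versus-classified distinction concrete, here is an added simulation (not PAN-OS code, and not from the study guide) of the three flood thresholds a DoS protection profile sets. It replays a constructed one-second burst in which one host opens far more sessions than its neighbours and shows that an aggregate profile penalises everyone while a profile classified by source address touches only the noisy host; the thresholds, the addresses and the per-second counting rule are assumptions for illustration.

```go
package main

import "fmt"

// Verdict is the outcome of one new-session attempt measured against a flood threshold set.
type Verdict int

const (
	Allow    Verdict = iota
	Alarm            // above the alarm rate: logged only
	Activate         // above the activate rate: mitigation engaged (RED or SYN cookies on a real firewall)
	Drop             // above the maximum rate: the new session is dropped
)

func (v Verdict) String() string { return [...]string{"allow", "alarm", "activate", "drop"}[v] }

// Thresholds are the three connections-per-second limits of a flood protection setting.
type Thresholds struct{ AlarmRate, ActivateRate, MaxRate int }

// Session is a constructed new-session event: arrival second plus source and destination address.
type Session struct{ T int; Src, Dst string }

// Profile models a DoS protection profile. Aggregate (Classified=false) counts every new session entering
// the protected area together; classified keeps one counter per ClassifyBy key ("source", "destination"
// or both), so a single noisy host cannot push well-behaved hosts over the limit.
type Profile struct{ Thresholds Thresholds; Classified bool; ClassifyBy string }

func (p Profile) key(s Session) string {
	switch {
	case !p.Classified:
		return "aggregate"
	case p.ClassifyBy == "source":
		return s.Src
	case p.ClassifyBy == "destination":
		return s.Dst
	}
	return s.Src + "->" + s.Dst
}

// Evaluate replays sessions (already in time order) and returns one verdict per session. The rate is the
// number of new sessions seen for the same key, including this one, within the current one-second window.
func (p Profile) Evaluate(sessions []Session) []Verdict {
	type window struct{ sec, count int }
	counters := map[string]*window{}
	out := make([]Verdict, len(sessions))
	for i, s := range sessions {
		k := p.key(s)
		w := counters[k]
		if w == nil || w.sec != s.T {
			w = &window{sec: s.T}
			counters[k] = w
		}
		w.count++
		switch th := p.Thresholds; {
		case w.count > th.MaxRate:
			out[i] = Drop
		case w.count > th.ActivateRate:
			out[i] = Activate
		case w.count > th.AlarmRate:
			out[i] = Alarm
		default:
			out[i] = Allow
		}
	}
	return out
}

// Count tallies verdicts by kind.
func Count(vs []Verdict) map[Verdict]int {
	c := map[Verdict]int{}
	for _, v := range vs {
		c[v]++
	}
	return c
}

// Scenario is a constructed one-second burst toward one server: ten well-behaved clients open three
// sessions each (30 in total) and one noisy client, 10.0.0.99, opens twelve.
func Scenario() []Session {
	var s []Session
	for c := 1; c <= 10; c++ {
		for n := 0; n < 3; n++ {
			s = append(s, Session{T: 1, Src: fmt.Sprintf("10.0.0.%d", c), Dst: "192.0.2.10"})
		}
	}
	for n := 0; n < 12; n++ {
		s = append(s, Session{T: 1, Src: "10.0.0.99", Dst: "192.0.2.10"})
	}
	return s
}

func main() {
	s := Scenario()
	aggregate := Profile{Thresholds: Thresholds{AlarmRate: 10, ActivateRate: 20, MaxRate: 40}}
	classified := Profile{Thresholds: Thresholds{AlarmRate: 5, ActivateRate: 8, MaxRate: 10}, Classified: true, ClassifyBy: "source"}
	fmt.Println("aggregate:", Count(aggregate.Evaluate(s)), " classified:", Count(classified.Evaluate(s)))
}
```

With the aggregate profile the 30 sessions of the well-behaved clients eat into the shared budget and 20 sessions in total end up under mitigation; with the source-classified profile every well-behaved session is allowed and only the noisy host reaches the alarm, activate and drop levels.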

Implementation specifics for DoS Policy and Profile can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules
An important discussion of DoS protection in general and suggestions for protection can be found here:
https://live.paloaltonetworks.com/t5/Tech-Note-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085
An exploration of DoS attacks and defending against them using Palo Alto Networks firewalls is here:
https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-DoS-Protection/ta-p/54562?attachment-id=1085
A discussion of the differences between Zone Protection Profiles and DoS Policies is here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-DoS-Protection-and-Zone-Protection/ta-p/57761
Sample questions
30. What are two reasons that denial-of-service protections are applied by zone? (Choose two.)
A. Because denial-of-service protections are applied very early in the processing, before
a lot of information is known about the connection – but the ingress interface is
already known
B. Because denial-of-service protections are only applied when manually turned on to avoid quota overload (which would make denial of service easier)
C. Because denial-of-service protections can depend on only the zone, and never port
numbers or IP addresses.
D. Because denial-of-service protections on a Layer 3 interface are different from the
denial-of-service protections available on a Layer 2 interface, and those on virtual
wires are yet another category.
31. To which protocol or protocols does SYN flood protection apply?
A. UDP
B. TCP
C. ICMP
D. GRE
32. To which two protocols does port scan reconnaissance protection apply? (Choose two.)
A. UDP
B. TCP
C. GRE
D. ICMP
E. IPX
33. In what two places do you configure flood protection? (Choose two.)
A. DoS Profile
B. QoS Profile
C. Zone Protection Profile
D. SYN Profile
E. XOFF Profile
34. An administrator needs to provide tailored DoS protection to a specific address. Which two
firewall features should be used? (Choose two.)
A. Zone Protection Profiles
B. Virtual Routers
C. Server Profiles
D. DoS protection policy rules
E. DoS protection profiles
Identify decryption deployment strategies
Packet Visibility
The use of encryption for all network applications is growing at a rapid rate. When traffic is encrypted,
the Palo Alto Networks firewall loses visibility into packet contents, making Content-ID impossible.
Because of this, malware might be able to pass unchallenged to an endpoint at which point it is decrypted
and able to attack. Decryption policies maximize the firewall’s visibility into packet content to allow for
content inspection.
Decryption
Palo Alto Networks firewalls provide the capability to decrypt and inspect traffic for visibility, control,
and granular security. Decryption on a Palo Alto Networks firewall includes the capability to enforce Security policies on encrypted traffic, where otherwise the encrypted traffic might not be blocked and
shaped according to your configured security settings. Use decryption on a firewall to prevent malicious
content from entering your network or sensitive content from leaving your network concealed as
encrypted traffic. Enabling decryption on a Palo Alto Networks firewall can include preparing the keys
and certificates required for decryption, creating a decryption policy, and configuring decryption port
mirroring.
Traffic that has been encrypted using the protocols SSL and SSH can be decrypted to ensure that these
protocols are being used for the intended purposes only, and not to conceal unwanted activity or
malicious content.
Special Decryption Implementations
The Palo Alto Networks firewall can act as a Decryption Broker, decrypting traffic and then passing it
through a designated interface to external security services providing access to the cleartext contents.
These external services then return the traffic, which is re-encrypted by the Palo Alto Networks firewall
and then sent to its original destination.
A discussion of this capability appears here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-broker
Palo Alto Networks firewalls can automatically send a copy of decrypted traffic to a specified interface using the Decryption Mirroring feature. This option is available at no cost on mid-range and high-end firewalls, which can automatically forward copies of decrypted traffic to external DLP products. A description of this feature can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-concepts/decryption-mirroring#idd86db0fc-4038-41bd-8098-f67ec9b27806
Keys and Certificates
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to transform strings (passwords and
shared secrets) from ciphertext to plaintext (decryption) and from plaintext back to ciphertext (re-
encrypting traffic as it exits the device). Certificates are used to establish the firewall as a trusted third
party and to create a secure connection. SSL decryption (both Forward Proxy and inbound inspection)
requires certificates to establish trust between two entities to secure an SSL/TLS connection. Certificates
also can be used when excluding servers from SSL decryption. You can integrate a hardware security
module (HSM) with a firewall to enable enhanced security for the private keys used in SSL Forward Proxy
and SSL inbound inspection decryption.
Palo Alto Networks firewall decryption is policy-based, and can be used to decrypt, inspect, and control
both inbound and outbound SSL and SSH connections. Decryption policies allow you to specify traffic for
decryption according to destination, source, or URL category and to block or restrict the specified traffic
according to your security settings. The firewall uses certificates and keys to decrypt the traffic specified
by the policy to plaintext, and then enforces App-ID and security settings on the plaintext traffic,
including Decryption, Antivirus, Vulnerability, Anti-Spyware, URL Filtering, and File-Blocking Profiles.
After traffic is decrypted and inspected on the firewall, the plaintext traffic is re-encrypted as it exits the
firewall to ensure privacy and security.

An overview of this capability is here: https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption
Central to this discussion is the role of digital certificates to secure SSL and SSH encrypted data. Your
understanding of this role and planning for proper certificate needs and deployment are important
considerations in decryption use. Concepts are discussed here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies#idca90e9f4-2403-4907-8577-7d6d026cc2cb
The use of certificates is central to other important firewall functions in addition to decryption. This need
led to the implementation of extensive certificate management capabilities on the firewall. To see the
certificates in the user interface, click Device > Certificate Management. A discussion of certificate use
for all purposes in the firewall is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/certificate-management/keys-and-certificates
Decryption Policies
Ingress traffic decryption is controlled by Decryption policies. Palo Alto Networks firewalls automatically detect encrypted traffic and react by evaluating the Decryption policies. If a matching policy is found, the firewall attempts to decrypt the traffic according to the policy's specified decryption action. Normal packet processing resumes afterward.
A Decryption policy and its action under the Options tab
SSL Forward Proxy
Decryption of outbound SSL traffic commonly is implemented and takes the form of SSL Forward Proxy,
which features the firewall as an intermediate communication node. This deployment commonly is
referred to as a “Man in the Middle.” The diagram shows this functionality.

“Man in the Middle” deployment
Note that SSL Forward Proxy replaces the original certificate from the server with one signed by a
different key that is then delivered to the client.
The developer of an application that uses SSL can take extra programmatic steps to interrogate the certificate received at the client for specific characteristics present in the original server certificate. When these characteristics are not found, the application often assumes that a decrypting process is in the middle of the conversation and may act to prevent full functionality, treating that presence as a security risk. Such products typically are not fully functional in a decrypting environment and must be added as exceptions to Decryption policies.
In recognition of this fact, Palo Alto Networks provides a mechanism to mark certain encrypted traffic for decryption bypass. This list is managed in part by Palo Alto Networks for known pinned traffic, while allowing you to administer entries for local requirements.
A discussion of this topic and how to manage decryption exclusions is found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-exclusions
Decryption policies typically contain other exceptions representing other applications with this behavior.
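The certificate replacement described above, as an added Go example that is not part of the study guide or of PAN-OS itself: a model firewall re-issues each origin certificate under its own key, signing with a Forward Trust CA when the origin chain validates and with a Forward Untrust CA when it does not (the behaviour sample question 36 asks about), and a client that pins the origin's public-key hash rejects the result, which is why such applications need a decryption exclusion. The CA names, hostnames and the pin format (SHA-256 over the SubjectPublicKeyInfo) are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var notBefore, notAfter = time.Now().Add(-time.Hour), time.Now().Add(24 * time.Hour)
var serial int64
func nextSerial() *big.Int { serial++; return big.NewInt(serial) }

func caTemplate(cn string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: cn}, NotBefore: notBefore,
		NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}
func leafTemplate(host string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: nextSerial(), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: notBefore, NotAfter: notAfter}
}

// create generates a fresh P-256 key for tmpl and signs it with parent/parentKey (self-signed when parent
// is nil), returning the parsed certificate and the new private key.
func create(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil { parent, parentKey = tmpl, key }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Firewall holds the Forward Trust and Forward Untrust CAs plus the roots it uses to validate origin servers.
type Firewall struct{ trustCert, untrustCert *x509.Certificate; trustKey, untrustKey *ecdsa.PrivateKey; roots *x509.CertPool }

func NewFirewall(roots *x509.CertPool) *Firewall {
	fw := &Firewall{roots: roots}
	fw.trustCert, fw.trustKey = create(caTemplate("Forward Trust CA"), nil, nil)
	fw.untrustCert, fw.untrustKey = create(caTemplate("Forward Untrust CA"), nil, nil)
	return fw
}

// Impersonate is the SSL Forward Proxy step: after validating the origin certificate, the firewall issues a
// certificate with the same Subject, SANs and validity but its own key, signed by the Forward Trust CA when
// the origin chain validated and by the Forward Untrust CA when it did not.
func (fw *Firewall) Impersonate(origin *x509.Certificate) *x509.Certificate {
	signer, key := fw.trustCert, fw.trustKey
	if _, err := origin.Verify(x509.VerifyOptions{Roots: fw.roots, DNSName: origin.DNSNames[0]}); err != nil {
		signer, key = fw.untrustCert, fw.untrustKey
	}
	tmpl := leafTemplate(origin.DNSNames[0])
	tmpl.Subject, tmpl.NotBefore, tmpl.NotAfter = origin.Subject, origin.NotBefore, origin.NotAfter
	cert, _ := create(tmpl, signer, key) // fresh key pair: the server's private key never leaves the server
	return cert
}

// SPKIPin is the SHA-256 of the SubjectPublicKeyInfo, the value a pinning application stores for a server.
func SPKIPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// ClientAccepts models the client: chain validation against its own roots, then the pin check when it pins.
func ClientAccepts(c *x509.Certificate, roots *x509.CertPool, host, pin string) bool {
	if _, err := c.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return false
	}
	return pin == "" || pin == SPKIPin(c)
}

// Outcome records what each kind of client sees with the firewall in the path.
type Outcome struct{ GoodIssuer, BadIssuer string; BrowserGood, BrowserBad, Pinned bool }

func Run() Outcome {
	publicCA, publicKey := create(caTemplate("Public Root CA"), nil, nil)
	rogueCA, rogueKey := create(caTemplate("Rogue CA"), nil, nil) // trusted by nobody
	goodOrigin, _ := create(leafTemplate("bank.example"), publicCA, publicKey)
	badOrigin, _ := create(leafTemplate("shady.example"), rogueCA, rogueKey)
	fwRoots, browser := x509.NewCertPool(), x509.NewCertPool()
	fwRoots.AddCert(publicCA)
	fw := NewFirewall(fwRoots)
	browser.AddCert(publicCA)     // the browser trusts the public root...
	browser.AddCert(fw.trustCert) // ...and the enterprise-deployed Forward Trust CA, never Forward Untrust
	good, bad := fw.Impersonate(goodOrigin), fw.Impersonate(badOrigin)
	return Outcome{GoodIssuer: good.Issuer.CommonName, BadIssuer: bad.Issuer.CommonName,
		BrowserGood: ClientAccepts(good, browser, "bank.example", ""),
		BrowserBad:  ClientAccepts(bad, browser, "shady.example", ""), // browser shows an untrusted-issuer warning
		Pinned:      ClientAccepts(good, browser, "bank.example", SPKIPin(goodOrigin))} // pin no longer matches
}

func main() { fmt.Printf("%+v\n", Run()) }
```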
App-ID and Encryption
The App-ID scanning engine's effectiveness is often compromised by encrypted traffic, which prevents scanning for identifying elements. This traffic typically is given the App-ID of "SSL." In some cases, the App-ID engine can evaluate elements of the certificate that secures this data for specific identifying elements, allowing the App-ID engine to properly assign App-IDs without scanning contents. Details of this process are here:
https://live.paloaltonetworks.com/t5/Learning-Articles/How-Palo-Alto-Networks-Identifies-HTTPS-Applications-Without/ta-p/56284
Sample questions
35. Which feature never requires a Decryption policy?
A. antivirus
B. App-ID
C. file blocking
D. network address translation
36. How can the NGFW inform web browsers that a web server’s certificate is from an unknown
certificate authority (CA)?
A. Show a “the certificate is untrusted, are you SURE you want to go there” page before
accessing the website.
B. Relay the untrusted certificate directly to the browser.
C. Have two certificates in the firewall, one used for sites whose original certificate is
trusted, and the other for sites whose original certificate is untrusted.
D. Have two certificate authority certificates in the firewall. One is used to produce
certificates for sites whose original certificate is trusted, and the other for certificates
for sites whose original certificate is untrusted.
37. An organization that is decrypting users' browsing traffic has a compliance requirement to record all decrypted traffic. Which two firewall features can be used to directly support this requirement? (Choose two.)
A. Decryption Broker
B. Policy Based Forwarding
C. Default Router setting of Forward Cleartext
D. Interface setting of Decryption Port Mirroring
E. Decryption policy rule action set to Forward Cleartext
Answers to sample questions
1. D
2. D
3. A, D

Identify the impact of application override to the overall functionality of the firewall
Application override policies specify that certain traffic has a specific App-ID. An application override
policy also bypasses layer 7 scanning. This means that no further App-ID and Content-ID scanning
happens on that traffic.
Application Override policy
Unlike the App-ID engine, which inspects application packet contents for unique signature elements, the
Application Override policy’s matching conditions are limited to header-based data only. Traffic matched
by an Application Override policy is identified by the App-ID entered in the Application entry box.
Choices are limited to applications currently in the App-ID database.
Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a Layer 4 firewall. Thus, only traffic that can be trusted without Content-ID inspection should be handled this way. The resulting application assignment can be used in other firewall functions such as Security policy and QoS.
Use Cases
Three primary use cases for Application Override policy are:
▪ To identify "Unknown" App-IDs with a different or custom application signature
▪ To re-identify an existing application signature
▪ To bypass the Signature Match Engine (within the SP3 architecture) to improve processing times
A discussion of typical uses of application override and specific implementation examples is here:
https://live.paloaltonetworks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application-Override/ta-p/65513
The following illustrations document the creation of a new App-ID for a custom internal application and
its use in an Application Override policy that assigns it to appropriate traffic:

Application override should assign purpose-built custom application definitions.
Traffic matching Application Override policies will be identified elsewhere by the included App-ID.
Sample questions
38. Which type or types of identification is disabled by Application Override?
A. Protocol-ID
B. User-ID
C. Content-ID
D. User-ID and Content-ID
39. Application Override is triggered by which configuration setting?
A. Custom App-ID
B. Application Override policy rule
C. Application Override definition in Custom Objects
D. Application Filters
Identify the methods of User-ID redistribution
User-ID works by mapping IP addresses to user identities. This information can come from Active Directory, a Captive Portal, etc. When an organization uses multiple firewalls, it is useful to share the
User-ID information between them. If the user must log on manually, usability is a lot better when the
user only has to log on once. Even if the user’s identity is available automatically (for example, from
Active Directory), performance is better if the source of User-ID is queried only by a single firewall.
References
• Redistribute User Mappings and Authentication Timestamps
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps
• User-ID Redistribution Using Panorama
https://www.paloaltonetworks.com/documentation/81/panorama/panorama_adminguide/panorama-overview/user-id-redistribution-using-panorama
Sample question
40. How do layers facilitate the mapping (IP to User-ID) and the redistribution of that information?
A. The IP to User-ID mapping is obtained by the lowest layer and is sent to the next
lowest layer. That layer sends it to the next lowest, and the process repeats until the
mapping reaches the top layer. Firewalls from each layer can receive information from
multiple firewalls at a lower level. This algorithm allows some firewalls, such as those
in remote offices and protecting regional applications, to have only the mappings for
users they protect.
B. The IP to User-ID mapping is obtained by the lowest layer and is sent to all the
firewalls on the layer above. This algorithm ensures that all the firewalls (except those
at the lowest layer) have all the mappings.
C. The IP to User-ID mapping is obtained by the highest layer and is sent to the next
highest layer. That layer sends it to the next highest, and the process repeats until the
mapping reaches the bottom layer. Firewalls from each layer can receive information
from multiple firewalls at a higher level. This algorithm allows some firewalls, such as
those in remote offices and protecting regional applications, to have only the
mappings for users they protect.
D. The IP to User-ID mapping is obtained by the highest layer and is sent to all the
firewalls on the layer below. This algorithm ensures that all the firewalls (except those
at the highest layer) have all the mappings.
Exam Domain 2 – Deploy and Configure
Identify the application meanings in the Traffic log (incomplete, insufficient data, non-syn TCP, not applicable, unknown TCP, unknown UDP, and unknown P2P).
To safely enable applications on your network, the Palo Alto Networks next-generation firewalls provide
both an application and web perspective—App-ID and URL Filtering—to protect against a full spectrum of
legal, regulatory, productivity, and resource utilization risks.
App-ID enables visibility into the applications on the network, so you can learn how they work and
understand their behavioral characteristics and their relative risk. This application knowledge allows you
to create and enforce Security policy rules to enable, inspect, and shape desired applications and block
unwanted applications. When you define policy rules to allow traffic, App-ID begins to classify traffic
without any additional configuration.
App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines
what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic
used by the application. It applies multiple classification mechanisms—application signatures, application
protocol decoding, and heuristics—to your network traffic stream to accurately identify applications.
The App-ID engine is driven by pattern recognition features in the hardware and software of PAN-OS®
firewalls. It is based on scanning payloads and application headers only. It does not use port number as a
recognition tool, only for secondary enforcement.
The signature database used by the App-ID scanning engine is updated periodically by Palo Alto Networks
through the Applications and Threat Updates.
The App-ID engine is fundamental to PAN-OS® software and cannot be turned off, so even when App-ID is not used as part of policy rules, the traffic logs show traffic classified by App-ID.
The App-ID engine also can look inside protocols for "tunneling" applications. For example, the HTTP protocol is recognized by the firewall as the App-ID "Web-Browsing," but when the HTTP traffic belongs to a specific application (for example, Facebook) it will be identified as such by App-ID.
Here's how App-ID identifies applications traversing your network:
1. Traffic is matched against policy to check whether it is allowed on the network.
2. Signatures are then applied to allowed traffic to identify the application based on unique application
properties and related transaction characteristics. The signature also determines if the application is
being used on its default port or it is using a non-standard port. If the traffic is allowed by policy, the
traffic is then scanned for threats and further analyzed for identifying the application more
granularly.
3. If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place,
the session is decrypted and application signatures are applied again on the decrypted flow.
4. Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant
Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol
specification and provide support for NAT traversal and opening dynamic pinholes for applications
such as SIP and FTP.
5. For applications that are particularly evasive and cannot be identified through advanced signature
and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the
application.
When the application is identified, the policy check determines how to treat the application, for
example—block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or
shape using QoS.
Over the course of a session, every packet that isn't encrypted is evaluated for its App-ID. The state of App-ID recognition changes as a session progresses, and these states can be found in traffic logs. There might not have been payload data to scan (Insufficient data), or the session setup never completed (Incomplete), or perhaps the App-ID engine was not able to identify the traffic (unknown-tcp and unknown-udp). There are other states as well. For a full discussion of the App-ID values that might appear in a traffic log, refer to this document:
https://live.paloaltonetworks.com/t5/Management-Articles/Not-Applicable-Incomplete-Insufficient-Data-in-the-Application/ta-p/65711
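As an added example (not from the guide or the linked article, and not firewall code), the following Go code derives the Application field value from a constructed per-session summary using the rules above: not-applicable for sessions the policy denied before any payload was inspected, incomplete for TCP sessions whose handshake never finished or that carried no data, insufficient-data when too little payload was seen for a signature to decide, and unknown-tcp or unknown-udp when payload was seen but nothing matched. The 64-byte threshold and the per-state investigation hints are constructed illustrations.

```go
package main

import "fmt"

// SessionSummary is a constructed record of what the firewall observed for one session.
type SessionSummary struct {
	ID           string
	Proto        string // "tcp" or "udp"
	DeniedEarly  bool   // dropped by policy (e.g. on port/service) before any payload could be inspected
	Handshake    bool   // TCP three-way handshake completed (ignored for udp)
	PayloadBytes int    // application payload seen across both directions
	MatchedApp   string // App-ID signature match, "" when no signature fired
}

// minBytes stands in for "enough payload to identify"; the real amount depends on the signature.
const minBytes = 64

// ApplicationField returns the value the Traffic log's Application column would carry.
func ApplicationField(s SessionSummary) string {
	switch {
	case s.DeniedEarly:
		return "not-applicable" // policy decided before App-ID had data to work with
	case s.Proto == "tcp" && (!s.Handshake || s.PayloadBytes == 0):
		return "incomplete" // handshake never completed, or completed with no data (TCP only)
	case s.MatchedApp != "":
		return s.MatchedApp
	case s.PayloadBytes < minBytes:
		return "insufficient-data" // data seen, but not enough for any signature to decide
	case s.Proto == "udp":
		return "unknown-udp"
	default:
		return "unknown-tcp"
	}
}

// NextStep is a constructed investigation hint per unidentified state (not firewall output).
func NextStep(app string) string {
	switch app {
	case "incomplete":
		return "check whether the server answers at all: dead host, asymmetric path or a scan"
	case "insufficient-data":
		return "usually benign; look for sources that produce it repeatedly"
	case "not-applicable":
		return "confirm the denying rule is intended; the policy hit came before identification"
	case "unknown-tcp", "unknown-udp":
		return "candidate for a custom App-ID or, for trusted internal traffic, Application Override"
	}
	return "identified; no action"
}

// Summarize counts sessions per Application value.
func Summarize(sessions []SessionSummary) map[string]int {
	out := map[string]int{}
	for _, s := range sessions {
		out[ApplicationField(s)]++
	}
	return out
}

// Sample is a constructed batch that covers each state once (incomplete twice).
func Sample() []SessionSummary {
	return []SessionSummary{
		{ID: "s1", Proto: "tcp", Handshake: true, PayloadBytes: 1200, MatchedApp: "web-browsing"},
		{ID: "s2", Proto: "tcp", Handshake: false},                   // SYN never answered
		{ID: "s3", Proto: "tcp", Handshake: true, PayloadBytes: 0},   // handshake only
		{ID: "s4", Proto: "tcp", Handshake: true, PayloadBytes: 20},  // too little to match
		{ID: "s5", Proto: "tcp", Handshake: true, PayloadBytes: 900}, // no signature matched
		{ID: "s6", Proto: "udp", PayloadBytes: 300},                  // no signature matched
		{ID: "s7", Proto: "tcp", DeniedEarly: true},                  // denied on service before payload
	}
}

func main() {
	for _, s := range Sample() {
		app := ApplicationField(s)
		fmt.Printf("%s %-18s %s\n", s.ID, app, NextStep(app))
	}
}
```

Note that incomplete is derived only for TCP, since it describes the three-way handshake; a UDP session with payload that matches nothing becomes unknown-udp, which is the distinction sample question 41 tests.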
SaaS Applications
The App-ID engine identifies SaaS applications and provides additional functionality. There is a dedicated SaaS Application Usage report under Monitor > PDF Reports > SaaS Application Usage to help your organization identify applications storing your data in external locations. The App-IDs for SaaS applications contain additional data about these applications and their providers to help you make decisions about sanctioning them at the organizational level.

Palo Alto Networks firewalls include a feature within the URL Filtering engine that provides HTTP Header
Insertion for certain SaaS applications that can prevent users from accessing private instances of a
particular SaaS application while having access to the organization’s sanctioned environment. A
discussion of this feature can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/app-id/http-header-insertion
Note on using App-ID
Because applications can often use non-standard ports for communication, a traffic enforcement technology based only on port numbers does not give Security administrators enough control over the actual application traffic entering their organizations. Because App-ID identifies applications strictly on packet contents and not on port numbers, it affords a much higher level of capability. When using Palo Alto Networks firewalls, it is strongly recommended that Security policy rules use App-ID as selection criteria, not port numbers.
A general video about using App-ID can be found here:
https://youtu.be/Pm_hIhqknwk
Manage Custom or Unknown Applications:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/app-id/manage-custom-or-unknown-applications#id74b58a78-164f-4dc5-aa4e-31ce62f2af0d
Sample questions
41. Which option shows the type or types of application that can cause an incomplete value in the
Application field in the Traffic log?
A. UDP
B. TCP
C. ICMP
D. Both TCP and UDP
42. Session traffic being evaluated by a firewall is encrypted with SSL. Without decrypting it, how does the firewall make an App-ID determination?
A. Evaluating the HTTP headers
B. Evaluating the SSL Hello exchange
C. Evaluating certificate contents used for encryption
D. Using information in the SSL Decryption Exclusion cache
43. During the firewall’s App-ID scanning of an on-going session a change of application is
detected. How does the firewall respond?
A. Closes the session, opens a new one and evaluates all security policies again
B. Closes the session, opens a new one and evaluates the original matching Security policy rule only
C. Updates the application in the existing session and evaluates all security policies again
D. Updates the application in the existing session and continues to use the original action
from the first Security policy rule match
Given a scenario, identify the set of Security Profiles that should be used
While Security policy rules enable you to allow or block traffic on your network, security profiles help you
define an allow but scan rule, which scans allowed applications for threats, such as viruses, malware,
spyware, and DDoS attacks. When traffic matches the allow rule defined in the Security policy, the
security profile(s) that are attached to the rule are applied for further content inspection rules such as
antivirus checks and data filtering. Security Profiles are the features that provide the services of the
Content-ID feature of PAN-OS® software.
Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan
traffic after the application or category is allowed by the Security policy.
The firewall provides default security profiles that you can use out of the box to begin protecting your network from threats. Security Profiles are attached to specific Security policy rules, specifying which types of threat detection should be performed on traffic allowed by the rule.
You can add security profiles that are commonly applied together to create a security profile group; this
set of profiles can be treated as a unit and added to security policies in one step (or included in security
policies by default, if you choose to set up a default security profile group).
Security Profiles manage particular types of threat detection.

A detailed definition of these profiles and their use can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/policy/security-profiles
A discussion of the application of Security Profiles to Security policy rules can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/set-up-a-basic-security-policy#idaf666d2e-b8eb-401d-a40a-668d93913154
Sample questions
44. Which profile do you use for DLP (data loss protection)?
A. Antivirus
B. URL Filtering
C. File Blocking
D. Data Filtering
45. A firewall admin is concerned about users entering user credentials into phishing sites. Which
Security Profile can be configured to provide credential protection?
A. WildFire® Analysis
B. Tunnel Filtering
C. Data Filtering
D. URL Filtering
Identify the relationship between URL filtering and credential theft prevention
The Palo Alto Networks URL filtering solution complements App-ID by enabling you to configure the
firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect your network from
attack.
With URL Filtering enabled, all web traffic is compared against the URL filtering database, which contains
millions of websites grouped into categories. You can use these URL categories as a match criterion to
enforce Security policy, to safely enable web access, and to control the traffic that traverses your
network. You can also use URL filtering to enforce safe search settings for your users and to Prevent
Credential Phishing based on URL category.
Credential phishing prevention works by scanning username and password submissions to websites and
comparing those submissions against valid corporate credentials. You can choose what websites you

want to either allow or block corporate credential submissions based on the URL category of the website.
When the firewall detects a user attempting to submit credentials to a site in a category you have
restricted, it either displays a block response page that prevents the user from submitting credentials, or
presents a continue page that warns users against submitting credentials to sites classified in certain URL
categories, but still allows them to continue with the credential submission. You can customize these
block pages to educate users against reusing corporate credentials, even on legitimate, non-phishing
sites.
A discussion of this feature and how to implement it can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/threat-prevention/prevent-credential-phishing#id743cc2df-382e-4d53-a74a-51f38be19ecf
Sample questions
46. Which credential phishing prevention action allows users to decide to submit to a site
anyway?
A. Alert
B. Allow
C. Block
D. Continue
47. Which user credential detection method would work if multiple users share the same client IP
address (for example, because of dynamic address translation done by a device on the internal
side of the firewall)?
A. IP-to-user mapping
B. group mapping
C. domain credential filter
D. IP-and-port to user mapping
48. A firewall administrator wishes to enable Credential Phishing Prevention that blocks an
attempt by a user to enter their organization's user ID and password. Which type of User
Credential Detection should be used?
A. IP User Mapping
B. Domain Credential Filter
C. Group Mapping
D. Citrix Mapping
Identify differences between services and applications
Application identification (App-ID) is central to the operation of the NGFW. Port filters are no longer
sufficient because multiple applications use the same ports, and applications can use ports that differ
from their defaults. Services, however, are the objects that Palo Alto Networks uses to identify
port numbers.
A few features in the firewall might require the identification of port numbers (Services), either as a
supplement to App-ID or as matching criteria for features that scan only packet headers (e.g.,
Application Override, NAT).

App-IDs are often used in Security policy rules, and an application identified by App-ID might not be
using its default port. Selecting “application-default” in the Service configuration of a Security policy
rule adds an enforcement condition: the detected App-ID must be using its default port(s) for the rule to
match. In situations where an App-ID might be using a non-standard port, or does not have standard port
number(s) at all, including a Service object to specify the ports, or even selecting “any” as the port,
might be appropriate.
References
• Objects > Applications https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/objects/objects-applications#_96266
• Objects > Application Groups https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/objects/objects-application-groups
• Objects > Services https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/objects/objects-services
Sample question
49. Which two protocols are supported for services? (Choose two.)
A. ICMP
B. TCP
C. IGP
D. GRE
E. UDP
Identify how to create security rules to implement App-ID without relying on port-based rules
Security policy rules based on evaluation of protocol type and port numbers are not accurate enough to
effectively control application access through your firewall. Many applications use alternate or even
multiple port numbers, making their detection even harder. For instance, allowing TCP port 80 provides
access for all web-based applications, along with their associated vulnerabilities.
Palo Alto Networks App-ID technology, discussed in another section of this document, provides positive
identification of applications regardless of port usage. This makes it possible to safely enable only the
required applications, and only for the users that require them. This practice reduces your attack surface
by eliminating the potentially vulnerable traffic of unwanted applications. See the previous section for a
discussion of the use of App-ID versus port number enforcement.
Palo Alto Networks has developed an innovative approach to securing networks that identifies all traffic
by applications using a variety of techniques. This approach replaces conventional approaches that
attempt to control traffic based on port numbers.
A web-based listing of all the existing App-IDs (Applipedia) can be found here:
https://applipedia.paloaltonetworks.com/
A discussion of App-ID based policy can be found here:
https://www.paloaltonetworks.com/resources/datasheets/application-based-policies
Details of creating and managing Security policy rules and the use of App-ID appears here:
https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/policies/policies-security#ida067ab2f-c201-4411-9e51-c62e8e83935c
Sample questions
50. Which two applications cannot be identified by port number? (Choose two.)
A. Microsoft Outlook Express email
B. Google mail (Gmail)
C. SSH
D. Facebook
E. FTP
51. An administrator creates a Security policy rule allowing office-on-demand traffic through the
firewall. When the change is committed the firewall issues a warning saying,
“vsys1: Rule 'Allow Office apps' application dependency warning:
Application 'office-on-demand' requires 'ms-office365-base' be allowed
Application 'office-on-demand' requires 'sharepoint-online' be allowed
Application 'office-on-demand' requires 'ssl' be allowed
Application 'office-on-demand' requires 'web-browsing' be allowed”
What action should the administrator take?
A. None is required, this is only a warning. Protection is still enabled
B. The listed applications should be added to the same Security policy rule
C. The Service action of the rule should be set to “dependent application default”
D. Create a new Security policy rule for each listed application with an allow action
higher in the rule list
Identify the required settings and steps necessary to provision and deploy a next-generation firewall.
By default, the firewall has an IP address of 192.168.1.1 and a username/password of admin/admin. For
security reasons, you must change these settings before continuing with other firewall configuration
tasks. You must perform these initial configuration tasks either from the MGT interface, even if you do

not plan to use this interface for your firewall management, or by using a direct serial connection to the
console port on the device.
Steps to Connect the Firewall
You can connect to the firewall in one of the following ways:
• Connect a serial cable from your computer to the Console port and connect to the firewall using
terminal emulation software (9600-8-N-1). Wait a few minutes for the boot-up sequence to
complete. When the device is ready, the prompt changes to the name of the firewall, for
example, PA-500 login.
• Connect an RJ-45 Ethernet cable from your computer to the MGT port on the firewall. From a
browser, go to https://192.168.1.1. Note that you may need to change the IP address on your
computer to an address in the 192.168.1.0 network, such as 192.168.1.2, to access this URL.
For more information, see the initial sections of this link:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started
Installing and Activating Licenses
The next configuration steps involve installing the proper licenses and activating subscriptions on the
firewall. Use the resulting access to update PAN-OS® software and Dynamic Update files as required.
You can activate licenses first on the Palo Alto Networks website and then communicate them to the
firewall (assuming internet connectivity from the Management port). If connectivity is not available, you
can enter licenses directly.
See this information for details:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/activate-licenses-and-subscriptions#ide86db26b-258b-421f-9328-7aba83e734d4
Dynamic Updates
These activated licenses provide access to PAN-OS® software updates and Subscription data files
(Dynamic Updates). The following information explains these licenses and the process for updating files
and PAN-OS® software:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started/install-content-and-software-updates#61072
Firewall Configuration
After these initial deployment steps are taken, configuration becomes a task of implementing network
connectivity and security settings to meet your specific requirements. These next steps can vary widely.
A complete discussion with implementation guidance is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/getting-started
Sample questions
52. You finished configuring the firewall’s basic connectivity in the lab, and are ready to put it in
the data center. What do you have to remember to do before you power down the firewall?
A. Save the changes.
B. Commit the changes.

C. Create a restore thumb drive in case the configuration is deleted for some reason.
D. Verify that the configuration is correct. You do not need to do anything else if it is
correct, the configuration is updated automatically.
53. The Management port on a firewall can be configured as which type of interface?
A. Layer 2
B. Layer 3
C. Virtual wire
D. Serial
Identify various methods for Authentication, Authorization, and Device Administration within a firewall.
See Identify methods for Authorization, Authentication, and Device Administration on p. 33.
Identify how to configure and maintain certificates to support firewall features
Certificate Management
Certificates are used for a variety of purposes in Palo Alto Networks firewalls: securing SSL encryption,
authenticating connections, and authenticating other SSL certificates. To augment certificate handling,
the Palo Alto Networks firewall provides certificate management functions including import, export, and
certificate creation.
A discussion of certificate use and management is here:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/certificate-management
An exploration of many SSL certificate-related technical issues, including implementation and
troubleshooting, is here:
https://live.paloaltonetworks.com/t5/Management-Articles/SSL-certificates-resource-list/ta-p/53068
Sample questions
54. Which is not an application in which the NGFW and Panorama use certificates?
A. Communication with Active Directory to obtain User-ID information
B. Device authentication for the Captive Portal for User-ID information
C. Device authentication for IPsec site-to-site VPN with Internet Key Exchange (IKE)
D. Certificate to re-encrypt inbound SSL traffic
55. Administrators within the enterprise wish to replace the default certificate used by the firewall
to secure the Web Management UI traffic with one generated by their existing certificate
authority. Which of the following certificate properties must be set for their new certificate to
function?
A. Certificate CN set to a domain name that resolves to any traffic port address of the
firewall
B. Certificate MUST be signed by the firewall root certificate
C. Certificate must have the “Forward Trust Certificate” property set
D. The CN must be set to the management port of the firewall

Identify how to configure a virtual router
Routing Configuration
PAN-OS® software supports static routes, BGP, OSPF, RIP, and Multicast routing configured in the virtual
router (VR). There are limitations for the number of entries in the forwarding and routing tables.
Different platform levels also can support varying numbers of VRs. The VR configuration is meant to
match the existing routing and routed infrastructure. In addition to protocol configuration, redistribution
profiles can support protocol interoperability.
Virtual routers handle all Layer 3 forwarding decisions.
Static route creation in a virtual router

An example dynamic routing protocol configuration
The virtual router’s routing and forwarding tables can be displayed.
A discussion of virtual routers and each of the supported dynamic routing protocols is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/networking
Troubleshooting Routing
The CLI has advanced troubleshooting of routing functions. Output from the debug routing …
command provides insight into router processing, including advanced debugging logs and routing-
specific packet captures.
Sample questions
56. Can two Layer 3 interfaces have the same IP address? If so, under which conditions?
A. Yes, but they must be connected to different virtual routers
B. Yes, but they must be connected to the same Ethernet network through a switch. This
configuration can be used only for high availability
C. No, that is impossible
D. Yes, but they must be subinterfaces of the same physical interface
57. A firewall’s virtual router can connect to which three types of interfaces? (Choose three.)
A. Virtual Wire Interface
B. Management Interface
C. Layer 3 traffic interface
D. HA1 Interface

E. HA2 Interface
F. Loopback Interface
G. Tunnel Interface
Identify the configuration settings for site-to-site VPN
IPsec Tunnel Interfaces
IPsec VPNs are terminated on Layer 3 tunnel interfaces. (These tunnel interfaces can be put into
separate zones, allowing specific Security policy per zone.) These tunnels require IPsec and Crypto
profiles for Phase 1 and Phase 2 connectivity. PAN-OS® software supports route-based VPNs, which
means that the decision to route traffic through the VPN is made by the virtual router. Palo Alto
Networks firewalls support connection to alternate policy-based VPNs requiring the use of proxy IDs for
compatibility. The following diagram illustrates the various objects involved in IPsec tunnel definitions.
There are multiple objects to configure to enable an IPsec tunnel.
A complete discussion of required settings is found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/vpns
CLI Troubleshooting Commands
The CLI offers additional test and debug commands for troubleshooting the configuration and
maintenance of one or more tunnels. VPN events, including errors, are posted to the System log. The
messages are more detailed when the firewall is the recipient of VPN negotiation requests from other
endpoints.

Sample questions
58. Which type is a tunnel interface?
A. Tap
B. Virtual wire
C. Layer 2
D. Layer 3
59. A firewall administrator is rolling out 50 Palo Alto Networks firewalls to protect remote sites.
He wishes each to have a site-to-site IPsec VPN tunnel to each of the three campus locations.
Which configuration function is the basis for automatic site-to-site IPsec tunnels setup from
each remote location to the three campuses?
A. Import of a settings table into the remote firewall’s IPsec tunnel config
B. Import of a settings table into the three campuses' IPsec tunnel config
C. Configuring the GlobalProtect Satellite settings of the campus and remote firewalls
D. Entering campus IPsec tunnel settings for each remote firewall’s IPsec Profile
Identify the configuration settings for GlobalProtect
GlobalProtect Overview
GlobalProtect solves the security challenges of roaming users by extending the same next-generation
firewall-based policies that are enforced within the physical perimeter to all users, no matter where they
are located. GlobalProtect uses client software to build secure personal VPN tunnels to the firewall.
GlobalProtect comprises many different components. An understanding of those basic components is
the starting point for a successful deployment. The GlobalProtect Portal performs the initial
authentication of a client, downloads/upgrades the GlobalProtect Client, performs a host information
profile (HIP) check (if licensed), and provides a list of GlobalProtect Gateways for user traffic. The
GlobalProtect Portal must be enabled on a Layer 3 interface with a reachable IP address. The
GlobalProtect Gateway creates/maintains the VPN tunnels for user traffic in SSL or IPsec forms. The
GlobalProtect Gateway distributes an IP address to each authenticated user. (This IP-to-username
address mapping can be used for effective User-ID in Security policy.) A diagram of the configuration
elements follows:
There are multiple objects to configure to enable GlobalProtect.
Every Palo Alto Networks firewall can provide GlobalProtect connectivity support to Windows and Mac
clients with no additional license requirement. Client software can be downloaded directly from the
Portal.

The GlobalProtect architectural components in a typical implementation.
Gateway traffic (SSL or IPsec encryption) can be terminated on a tunnel interface in a separate zone,
which allows for specific policies to be enabled for that zone and user(s).
With the appropriate license, HIP checks can be performed by GlobalProtect agent software on the client
platforms at connect time. The host information profile includes the OS version, patches installed, firewall
and antivirus parameters, the process list, the registry, and other information that is useful to assess the
security of an endpoint.
HIP Object components
The firewall can extract information from these reports and use them as part of the Security policy. In this
way the firewall provides appropriate access, depending on endpoint configuration.
HIP fields are used to define HIP objects. For example, a HIP object might apply to all devices using
Android 5.0, or to all Samsung devices using Android 6.0.

Examples of HIP Objects
These HIP objects are then used in HIP profiles.
A HIP Profile
These HIP profiles can then be required by Security policy rules:

HIP objects bring remote endpoint configuration to Security policy decision-making.
References
• Configuration of the firewall for GlobalProtect is discussed here:
https://www.paloaltonetworks.com/documentation/81/globalprotect/globalprotect-admin-guide/get-started
• HIP checking implementation and use is explored in detail here:
https://www.paloaltonetworks.com/documentation/81/globalprotect/globalprotect-admin-guide/host-information
Sample questions
60. Which operating system is not supported for use with GlobalProtect clients?
A. iOS
B. Android
C. Windows
D. z/OS
61. Which two functions is a GlobalProtect Gateway responsible for? (Choose two.)
A. terminating SSL tunnels
B. authenticating GlobalProtect users
C. creating on-demand certificates to encrypt SSL
D. managing and updating GlobalProtect client configurations
E. managing GlobalProtect Gateway configurations
Identify how to configure items pertaining to denial-of-service protection and zone protection
See Given a scenario, identify ways to mitigate resource exhaustion (because of denial-of-service) in application servers on p. 37.
Identify how to configure features of the NAT rulebase
Network address translation (NAT) allows the organization to use internal IP addresses that are not
exposed to the Internet. NAT rules are based on source and destination zones, source and destination
addresses, and application service (such as HTTP). As with Security Policies, NAT policy rules are
compared against incoming traffic in sequence, and the first rule that matches the traffic is applied.
Reference
• Policies > NAT
https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/policies/policies-nat#_38816
Sample questions
62. Which NAT type can be used to translate between IPv4 and IPv6?
A. ipv4
B. nat64
C. nptv6
D. ipv6
63. When a firewall has more than one NAT Policy rule that matches a packet, how does it process
the packet?
A. Each matching rule in the list is applied from the top down with cumulative changes
being processed at the end of the list
B. The first rule matching the packet is applied and processed, skipping the others
C. The firewall issues an error when committing NAT policy rules that can affect the same
packet
D. The last matching rule in the list is applied and processed.
Given a configuration example including DNAT, identify how to configure security rules
Security Policies allow you to enforce rules and actions, and can be as general or specific as needed. The
policy rules are compared against the incoming traffic in sequence, and because the first rule that
matches the traffic is applied, the more specific rules must precede the more general ones. For example,
a rule for a single application must precede a rule for all applications if all other traffic-related settings
are the same.
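Both rulebases described above are evaluated top-down with the first match winning, and, as the earlier section on services versus applications explains, a Security rule whose Service is application-default matches an App-ID only on its default port(s). The following Python model, an added example and not Palo Alto Networks code, puts those rules together with the PAN-OS behaviour that Security policy for translated traffic is matched on the pre-NAT destination address but the post-NAT destination zone; the zone table, the App-ID default ports and the rulebases are constructed, hypothetical values.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed zone table standing in for the virtual router's routes
# (hypothetical addressing that loosely follows sample question 65).
ZONES = {
    "Trust": ip_network("192.168.0.0/16"),
    "DMZ": ip_network("10.10.10.0/24"),
    "Untrust": ip_network("0.0.0.0/0"),
}
# Constructed subset of App-ID default ports (the full list is in Applipedia).
DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}}

# app = App-ID the firewall has identified; dst = original (pre-NAT) destination or "any";
# service = "any", "application-default", or comma-separated ports of a Service object.
Packet = namedtuple("Packet", "src_ip dst_ip dst_port app")
NatRule = namedtuple("NatRule", "name from_zone to_zone dst translated_dst")
SecRule = namedtuple("SecRule", "name from_zone to_zone src dst app service action")


def zone_of(ip: str) -> str:
    """Longest-prefix match of an address against the zone table."""
    addr = ip_address(ip)
    return max((z for z, net in ZONES.items() if addr in net),
               key=lambda z: ZONES[z].prefixlen)


def addr_match(field: str, ip: str) -> bool:
    return field == "any" or ip_address(ip) in ip_network(field, strict=False)


def zone_match(field: str, zone: str) -> bool:
    return field == "any" or field == zone


def service_match(service: str, app: str, port: int) -> bool:
    """'application-default' matches only if the App-ID is on its default port(s)."""
    if service == "any":
        return True
    if service == "application-default":
        return port in DEFAULT_PORTS.get(app, set())
    return port in {int(p) for p in service.split(",")}


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], str]:
    """First match wins: the first NAT rule that matches is applied, the rest are skipped."""
    src_zone, dst_zone = zone_of(pkt.src_ip), zone_of(pkt.dst_ip)
    for r in rules:
        if (zone_match(r.from_zone, src_zone) and zone_match(r.to_zone, dst_zone)
                and addr_match(r.dst, pkt.dst_ip)):
            return r.name, r.translated_dst
    return None, pkt.dst_ip


def evaluate(nat_rules: List[NatRule], sec_rules: List[SecRule],
             pkt: Packet) -> Tuple[Optional[str], str, str]:
    """Return (nat_rule, security_rule, action) for one packet."""
    nat_name, translated_dst = apply_nat(nat_rules, pkt)
    src_zone = zone_of(pkt.src_ip)
    dst_zone = zone_of(translated_dst)  # Security policy sees the POST-NAT zone ...
    for r in sec_rules:  # ... evaluated top-down, first match wins ...
        if (zone_match(r.from_zone, src_zone) and zone_match(r.to_zone, dst_zone)
                and addr_match(r.src, pkt.src_ip)
                and addr_match(r.dst, pkt.dst_ip)  # ... on the PRE-NAT destination address
                and r.app in ("any", pkt.app)
                and service_match(r.service, pkt.app, pkt.dst_port)):
            return nat_name, r.name, r.action
    # Predefined default rules: intrazone traffic is allowed, interzone traffic denied.
    if src_zone == dst_zone:
        return nat_name, "intrazone-default", "allow"
    return nat_name, "interzone-default", "deny"


# Constructed rulebases.
NAT_RULES = [NatRule("dnat-web", "any", "DMZ", "10.10.10.10", "192.168.3.45")]
SEC_RULES = [
    # Matches the DNAT flow: pre-NAT address 10.10.10.10, post-NAT zone Trust.
    SecRule("allow-web-dnat", "any", "Trust", "any", "10.10.10.10",
            "web-browsing", "application-default", "allow"),
    # Never matches the DNAT flow: Security policy does not match on the translated address.
    SecRule("wrong-translated-addr", "any", "Trust", "any", "192.168.3.45",
            "web-browsing", "any", "allow"),
    # A general rule placed ABOVE a more specific one: the ssh deny below is shadowed.
    SecRule("allow-internal-any", "Trust", "Untrust", "any", "any", "any", "any", "allow"),
    SecRule("deny-ssh-out", "Trust", "Untrust", "any", "any", "ssh",
            "application-default", "deny"),
]

if __name__ == "__main__":
    for pkt in (Packet("203.0.113.7", "10.10.10.10", 80, "web-browsing"),
                Packet("203.0.113.7", "10.10.10.10", 8080, "web-browsing"),
                Packet("192.168.1.20", "198.51.100.9", 22, "ssh")):
        print(pkt, "->", evaluate(NAT_RULES, SEC_RULES, pkt))
```

Swapping the order of the last two Security rules makes the ssh deny take effect, which is the specific-before-general ordering the paragraph above calls for.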
Reference
• Policies > Security
https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/policies/policies-security#_54026

Sample questions
64. An internal web browser sends a packet to a server. The browser’s connection has the source
IP address 192.168.5.3, port 31415. The destination is 209.222.23.245, port 80. The firewall
translates the source to 75.22.21.54, port 27182. Which three of these source IP addresses
would cause a rule to apply to this traffic? (Choose three.)
A. 192.168.5.0/24
B. 75.22.21.0/24
C. 192.168.4.0/23
D. 192.168.0.0/16
E. 75.22.0.0/17
F. 75.22.128.0/17
65. A NAT policy rule is created to change the Destination address of any packets with a source of
any address and a destination address of 10.10.10.10 (in the DMZ zone) to 192.168.3.45 (in
the Trust zone). For a packet that has this rule applied, what Security policy rule components
are required to match and allow this traffic?
A. Source Address any, source zone any, destination address 192.168.3.45, destination
zone Trust, action = allow
B. Source Address any, source zone any, destination address 10.10.10.10, destination
zone Trust, action = allow
C. Source Address any, source zone any, destination address 192.168.3.45, destination
zone DMZ, action = allow
D. Source Address any, source zone any, destination address 10.10.10.10, destination
zone DMZ, action = allow
Identify how to configure decryption
You can configure the firewall to decrypt traffic for visibility, control, and granular security. Decryption
policies can apply to Secure Sockets Layer (SSL), including SSL-encapsulated protocols (such as IMAP(S),
POP3(S), SMTP(S), FTP(S)), and to Secure Shell (SSH) traffic. SSH decryption can be used to decrypt
outbound and inbound SSH traffic to ensure that secure protocols are not being used to tunnel
disallowed applications and content.
A Palo Alto Networks firewall can also act as a Decryption Broker for other external security services. This
feature decrypts traffic and forwards it out of the selected interface to a specific security device/service
(or chain of devices) that examines the clear-text traffic. The last service in the chain returns the packet to
the firewall, which then re-encrypts it and forwards it to the original destination.
Information on the use and configuration of this capability can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-broker
See also Special Decryption Implementations on p. 42.
Special Decryption Implementations
The Palo Alto Networks firewall can act as a Decryption Broker, decrypting traffic and then passing it
through a designated interface to external security services providing access to the cleartext contents.
These external services then return the traffic which is re-encrypted by the Palo Alto Networks firewall

and sent to its original destination.
A discussion of this capability appears in the same link as above:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-broker
Palo Alto Networks firewalls can also automatically send a copy of decrypted traffic to a specified
interface using the Decryption Mirroring feature. This is an option available at no cost to middle and high-
end firewalls that automatically forward copies of decrypted traffic to external DLP products. A
description of this feature can be found here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-concepts/decryption-mirroring#idd86db0fc-4038-41bd-8098-f67ec9b27806
References
• Policies > Decryption
https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/policies/policies-decryption#_56365
• SSL Forward Proxy
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-concepts/ssl-forward-proxy
• SSL Inbound Inspection
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-concepts/ssl-inbound-inspection
• SSH Proxy
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/decryption-concepts/ssh-proxy
• Configure SSL Forward Proxy
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/configure-ssl-forward-proxy
• Configure SSL Inbound Inspection
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/configure-ssl-inbound-inspection
• Configure SSH Proxy
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/decryption/configure-ssh-proxy
Sample questions
66. Which protocol is supported for traffic decryption?
A. IPsec
B. SP3
C. SSH
D. NLSP
67. Where do you specify that a certificate is to be used for SSL Forward Proxy?
A. Certificate properties
B. Decryption Profile

C. Decryption policy
D. Security policy
68. A firewall administrator is decrypting outbound SSL traffic and realizes certain traffic is
sensitive and should not be decrypted. What feature must be configured to exclude the
specific traffic from decryption?
A. A Security policy rule that includes the specific URL with an “allow” action
B. A Decryption policy rule with the specific URL and “no decrypt” action
C. An Application Override policy that matches the application URL and port number
D. A Decryption Profile that includes the site’s URL
Given a scenario, identify an application override configuration and use case
To change how the firewall classifies network traffic into applications, you can specify Application
Override policies. This policy attaches the configured App-ID to matching traffic and bypasses the normal
App-ID processing steps in the firewall. This assigned application functions identically to an App-ID
supplied application name and can be used in the same way. For example, if you want to control one of
your custom applications, you can use an Application Override policy to identify traffic for that
application according to zone, source, and destination address, port, and protocol.
Note that the App-ID bypass characteristic of Application Override also skips essential Content-ID
processing which could result in undetected threats. This feature should be used for trusted traffic only.
References
• Policies > Application Override https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/policies/policies-application-override#_81068
• Objects > Applications https://www.paloaltonetworks.com/documentation/81/pan-os/web-interface-help/objects/objects-applications/defining-applications
Sample questions
69. Which option is not a parameter used to identify applications in an Application Override
policy?
A. protocol
B. port number
C. first characters in the payload
D. destination IP address
70. If an Application Override policy rule matches traffic it assigns the indicated App-ID to the
traffic. This assigned App-ID cannot be used in which firewall function?
A. Security policy rule match conditions
B. Policy Based Forwarding Policy rule match conditions
C. QoS Policy rule match conditions
D. NAT Policy rule match conditions
Identify how to configure VM-Series firewalls for deployment
The VM-Series of virtual firewalls can be deployed to several public and private cloud technologies. Each
environment has different deployment characteristics and requirements. Some require the uploading of
the firewall’s virtual appliance. Others provide it in an “Application Store” that is provisioned and
configured.

Regardless of the deployment environment, every VM-Series firewall runs the same PAN-OS® software and
supports the same set of features. Some environments have specific limits and requirements (e.g.,
supported interface types).
Supported virtual technologies are outlined here:
https://www.paloaltonetworks.com/documentation/global/compatibility-matrix/vm-series-firewalls
Details for implementation in each of these environments and a review of their specific requirements and
limitations are here:
https://www.paloaltonetworks.com/documentation/81/virtualization/virtualization
Sample questions
71. Which virtual interface is the management interface on a VM-Series firewall running on ESXi?
A. vNIC #1
B. vNIC #2
C. vNIC #9
D. vNIC #10
72. Which three items of information are required at a minimum to install and configure VM-
Series firewalls? (Choose three.)
A. VLANs to be connected through the firewall
B. management port IP address
C. IP addresses for the data interfaces
D. management port default gateway
E. management port netmask
F. IP address for the external (internet-facing) interface
73. VM-Series firewalls require which additional license step?
A. Applying a “Base Capacity” license.
B. Applying a “Cloud Services” license.
C. Applying a “Site license” license.
D. Applying a “VM Update” license.
74. A VM-Series firewall being deployed in Azure can be automatically configured by
bootstrapping. Azure requires which of the following for Bootstrapping to work:
A. A Storage Account configured for Azure Files Service
B. A PowerShell script that feeds a configuration file to the firewall
C. An XML configuration file included in the base firewall provisioning
D. Azure Backup services configured with a config file and included in the firewall
provisioning
Exam Domain 3 – Operate
Identify considerations for configuring external log forwarding
Direct Firewall Log Forwarding

Using an external service to monitor the firewall enables you to receive alerts for important events,
archive monitored information on systems with dedicated long-term storage, and integrate with third-
party security monitoring tools.
Local log storage on Palo Alto Networks firewalls is strictly allocated among the different log files so that no single log can overrun another. This allocation is user-controlled:
Device > Setup > Management > Logging and Reporting Settings
Each storage area typically acts as a circular log: when it fills, new entries overwrite the oldest ones. Space is cleared in blocks, and a message is added to the System log each time this happens.
Before you can use Panorama or external systems to monitor the firewall, you must configure the
firewall to forward its logs. Before forwarding to external services, the firewall automatically converts
the logs to the necessary format: syslog messages, SNMP traps, HTTP, or email notifications. Before
starting this procedure, ensure that Panorama or the external server that will receive the log data is
running and able to receive this traffic.
External forwarding supports the following types of destinations:
1. SNMP traps
2. syslog
3. HTTP server
4. Email
5. Panorama
All types (other than Panorama) support customization of the message format. A typical destination
configuration follows:
Creating a syslog log forwarding destination
Email message formats can be customized. For example:
An example of a customized email message
Any log event redirection forwards a copy of the event to the specified destination; the original event is still logged on the firewall as usual.
There are two main methods of forwarding log events, depending on the log type. Events destined for the System, Config, User-ID, and HIP Match logs are redirected using Device > Log Settings, where the destination(s) are chosen for specific event types:
Redirecting Log Events via Device > Log Settings
Use a Log Forwarding Profile to route Traffic, Threat, WildFire®, and other log events to other systems
such as Panorama, SIEM products, syslog servers, and so on:
A Log Forwarding Profile
Log Forwarding Profiles are attached to individual firewall Security policy rules to enable forwarding of the events generated while processing that rule. Each profile includes one or more Log Forwarding Profile Match Lists. This granularity gives administrators fine-grained control over forwarding, including different forwarding behaviour for policies of differing importance:
All forwarded events are sent to their destination as they are generated on the firewall. A complete discussion of log forwarding configuration is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/configure-log-forwarding
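To make the match-list behaviour concrete, here is an added Python model (not PAN-OS code and not from the guide) of profiles attached to Security policy rules, using a constructed filter grammar, constructed rule names and constructed destination names; it shows how two rules of differing importance forward the same event types to different places, and how an event from a rule with no profile stays local.

```python
# Added example, not PAN-OS code: models how a Log Forwarding Profile's match
# lists route events.  A profile is attached to a Security policy rule; each
# match list names a log type, an optional filter and its destinations.  The
# filter grammar is a constructed subset: "(field eq value)" terms joined by
# "and"/"or" ("and" binds tighter), with no further grouping.
import re
from dataclasses import dataclass

TERM = re.compile(r"\(\s*(\w+)\s+(eq|neq)\s+([^\s)]+)\s*\)")

@dataclass
class MatchList:
    log_type: str       # "traffic", "threat", "wildfire", ...
    destinations: dict  # {"syslog": ["siem.example.net"], "email": [...]}
    filter: str = "All Logs"

def evaluate_filter(expr, event):
    def term_ok(text):
        m = TERM.fullmatch(text.strip())
        if not m:
            raise ValueError(f"unsupported filter term: {text!r}")
        fld, op, val = m.groups()
        hit = str(event.get(fld, "")) == val
        return hit if op == "eq" else not hit
    return any(all(term_ok(t) for t in re.split(r"\s+and\s+", clause))
               for clause in re.split(r"\s+or\s+", expr.strip()))

def route(event, policy_profiles, profiles):
    # Union of destinations from every match list the event satisfies.  An
    # empty set means "log locally only", which is also the result when the
    # rule that produced the event has no profile attached.
    targets = set()
    for ml in profiles.get(policy_profiles.get(event["rule"]), []):
        if event["type"] == ml.log_type and (
                ml.filter == "All Logs" or evaluate_filter(ml.filter, event)):
            for kind, dests in ml.destinations.items():
                targets.update(f"{kind}:{d}" for d in dests)
    return targets

# Constructed configuration: two rules with profiles of differing importance.
PROFILES = {
    "standard": [MatchList("traffic", {"panorama": ["panorama"]})],
    "high-value": [
        MatchList("traffic", {"panorama": ["panorama"]}),
        MatchList("threat", {"syslog": ["siem.example.net"],
                             "email": ["soc@example.net"]},
                  "(severity eq critical) or (severity eq high)"),
    ],
}
POLICY_PROFILES = {"allow-web": "standard", "allow-dmz-admin": "high-value"}
```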
Palo Alto Networks also offers a cloud-based Logging Service that can act as a central repository for logs forwarded from multiple Palo Alto Networks devices. This central pool of log data is fully accessible to the owner and serves as an optional base for further third-party security applications through the Palo Alto Networks Application Framework API.
Further information about this service can be found here:
https://www.paloaltonetworks.com/documentation/10/cloud-services/logging-service-gsg
Sample questions
75. Which log format is not supported for log exports?
A. SNMP trap
B. syslog
C. Apache log format
D. HTTP
76. Which log type gets redirected using a Log Forwarding Profile?
A. Config log
B. Traffic log
C. System log
D. HIP Match log
77. Which of these enterprises cannot use the logging service?
A. A top-secret NSA unit whose firewall protects them from the rest of a top-secret government network.
B. A mining operation in North Canada with intermittent Internet access.
C. A data center with tens of millions of log entries per day
D. A cruise ship with limited bandwidth most of the time (except when it is in port)
Interpret log files, reports, and graphs to determine traffic and threat trends
Logging and reporting are critical components of any network security program. Being able to log all network activity in a logical, organized, and easily segmented way makes logging even more valuable. Rapid, thorough, and accurate interpretation of events is critical to security. Security practitioners often say that security is only as good as the visibility it is built on. These considerations shape the Palo Alto Networks design for collecting and displaying information.
A discussion of available log data and making it into actionable information is here:
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/whitepapers/actionable-threat-intelligence
Log information is generally found in the Monitor tab of the WebUI. The reporting sections align with the general use of these reports. The Log section presents detailed, real-time data with the ability to recall previous data (subject to available storage). It is divided into sections that segment log data into related information. PAN-OS® 8.1 includes a Unified log that collects copies of events from the Traffic, Threat, URL Filtering, WildFire Submissions, and Data Filtering logs into a single location for easy parsing of related data.
Each log provides similar features, making an organized presentation of desired data. Displayed log data
can be exported in CSV format at any time.
The CSV export option available on any detailed log display
This export will include all detail for the displayed record even if it isn’t visible in the chosen column displays.
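An added example, not from the guide: a short Python script that reads such a CSV export and turns Threat log entries into day-over-day trend counts, the kind of quick triage a practitioner does before reaching for the built-in reports. The column names and rows are a constructed subset (a real export carries many more columns), so the script reads columns by header name rather than by position.

```python
# Added example, not code from the guide: summarises a CSV export of the
# Threat log into day-over-day trends.  The header and rows below are
# constructed for this example and use documentation address ranges.
import csv
import io
from collections import Counter

SAMPLE_EXPORT = """\
Receive Time,Type,Severity,Application,Source,Destination,Action,Rule
2018/06/03 09:12:01,THREAT,high,web-browsing,203.0.113.7,192.0.2.10,reset-both,allow-web
2018/06/03 11:40:22,THREAT,critical,dns,192.0.2.55,198.51.100.3,alert,allow-out
2018/06/03 14:05:09,THREAT,medium,web-browsing,203.0.113.7,192.0.2.10,alert,allow-web
2018/06/04 08:01:44,THREAT,high,web-browsing,203.0.113.7,192.0.2.10,reset-both,allow-web
2018/06/04 08:02:13,THREAT,high,web-browsing,203.0.113.7,192.0.2.11,reset-both,allow-web
2018/06/04 10:30:57,THREAT,critical,dns,192.0.2.55,198.51.100.3,alert,allow-out
2018/06/04 16:22:38,THREAT,high,ssl,203.0.113.9,192.0.2.10,reset-both,allow-web
"""

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def daily_counts(rows, key):
    """{(day, value): count} for a column such as 'Severity' or 'Source'."""
    return Counter((r["Receive Time"][:10], r[key]) for r in rows)

def trend(rows, key):
    """Per column value: (first-day count, last-day count, delta)."""
    counts = daily_counts(rows, key)
    days = sorted({d for d, _ in counts})
    first, last = days[0], days[-1]
    out = {}
    for v in sorted({k for _, k in counts}):
        a, b = counts[(first, v)], counts[(last, v)]
        out[v] = (a, b, b - a)
    return out

def spikes(rows, key, factor=2):
    """Values whose last-day count is at least `factor` times the first-day
    count: the candidates worth a closer look in the detailed log view."""
    return sorted(v for v, (a, b, _) in trend(rows, key).items()
                  if b and b >= factor * max(a, 1))

def top_sources(rows, n=3, only_actioned=False):
    """Most frequent sources; only_actioned keeps rows the firewall acted on
    (any action other than 'alert'), separating enforcement from detections."""
    c = Counter(r["Source"] for r in rows
                if not only_actioned or r["Action"] != "alert")
    return c.most_common(n)
```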
You can see the entries in various logs using Monitor > Logs. You can configure which columns are
displayed and their order and width.
Displayed columns can be chosen using the pull-down list appearing in any column header.
Each log display offers a powerful filtering capability facilitating the display of specific desired data.
Filters can be added using two methods to eliminate the display of undesired entries.
Filters can be built and even stored for future use. Specific data on this functionality is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/view-and-manage-logs#_65083
In addition to storing each log entry in detail, the firewall summarizes new log entries and adds the results to separate on-board reporting databases, which are the default sources for the Application Command Center (ACC), App Scope, PDF Reports, and Custom Reports.
The scope of this summarization process can be controlled with settings on Device > Setup >
Management > Logging and Reporting Settings:
Settings for the repeating report database summarization process (two of the three tabs)
PDF Reports
The PDF Reports section offers many pre-defined PDF reports that can be run as a group on a scheduled
basis and delivered through email daily or weekly.
These reports typically run once per day and summarize all activity on the firewall. A report browser of
predefined reports appears on the right. When these reports are chosen, they display their results for
the previous day’s traffic:
Predefined Report Browser showing choices of categories and specific reports on the right
The PDF Reports section offers other important reporting tools. Custom reports can be created, stored, and run on demand and/or on a scheduled basis. More information is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/view-and-manage-reports/generate-custom-reports
User/Group Activity Report
A predefined User/Group Activity report provides complete application use and browsing activity reports for an individual or a group. Information is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/view-and-manage-reports/generate-usergroup-activity-reports
PDF Summary Report
A PDF Summary Report includes several top-5-oriented reports grouped to provide a general
representation of the firewall’s traffic during the previous day. Details are here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/view-and-manage-reports/manage-pdf-summary-reports#id5ffe964e-cb29-469d-911b-ed27f120e2cc
App Scope reports focus on baseline performance comparisons of firewall use. These reports provide powerful tools to characterize changes in detected use patterns. They were designed for ad-hoc queries more than for scheduled report output. Detailed information is here:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/monitoring/use-the-app-scope-reports#_26529
Application Command Center
The Application Command Center (ACC) is an interactive, graphical summary of the applications, users,
URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility
into traffic patterns and information about threats that can be acted on. The ACC layout includes a
tabbed view of network activity, threat activity, and blocked activity. Each tab includes pertinent widgets
for better visualization of network traffic. The graphical representation allows