Palo Alto Networks Certified
Network Security Engineer
Study Guide
Exam PCNSE
Chapter 01: Introduction
Chapter 02: Palo Alto Networks Components
Chapter 03: User Identification and Authentication
Chapter 04: Multi-vsys Environment
Chapter 05: Management and Profiles
Chapter 06: Firewall Configuration
Chapter 07: Routing and NAT
Chapter 08: Deploy and Configure Features and Subscriptions
Chapter 09: Deploy and Configure Firewalls Using Panorama
Chapter 10: Manage and Operate
Chapter 11: Troubleshooting
Answers
Acronyms
References
About Our Products
Pass4sure - #1 IT Certifications Materials Provider
www.pass4sure.com
Table of Contents
Palo Alto Networks Security Platform
Palo Alto Certified Network Security Administrator Exam
Exam Requirements
Chapter 01: Introduction
Introduction
Networking Concepts
Overview of Palo Alto Networks
Palo Alto Networks Security Platform
Secure the Enterprise
Secure the Cloud
Secure the Future
Why Is Palo Alto Networks Considered a Leader in the Security Industry?
Next-Generation Firewall:
Threat Intelligence:
Advanced Endpoint Protection:
Cloud Security:
Integrated Security Platform:
Research and Development:
Palo Alto Networks Certifications
Understanding the Importance of PCNSE Certification
Why Should You Get This Certification?
Who is this course for?
How Does PCNSE Certification Help?
How Challenging is the PCNSE Certification?
How Should One Prepare for the PCNSE Exam?
What is the Cost of the PCNSE Exam?
Skills Required for this Certification
Prerequisites
Recertification
Career Growth with PCNSE Certification in 2024
Chapter 02: Palo Alto Networks Components
Introduction
How do Palo Alto Networks Products Work Together to Make PAN-OS Services Better?
Security Components
Network Security Management: Panorama
Firewall Components
Panorama Components
PAN-OS Subscriptions and Their Enabled Features
Plugin Components
Heatmap and BPA Reports
Artificial Intelligence Operations (AIOps) / Telemetry
IPv6
Internet of Things (IoT)
Identify and Choose the Appropriate Interface or Zone Types
Interface Types
Identify Decryption Deployment Strategies
Packet Visibility
Decryption
Special Decryption Implementations
Keys and Certificates
Decryption Policies
SSL Forward Proxy
App-ID and Encryption
Mind Map
Practice Questions
Chapter 03: User Identification and Authentication
Introduction
Enforce User-ID
Methods of building user-to-IP mappings
Whether to Use a User-ID Agent or Agentless Depends on Your Needs
Compare and Contrast User-ID Agents
Methods of User-ID Redistribution
Methods of Group Mapping
Server Profile and Authentication Profile
Lab 3-01: Configure User-ID Authentication
Case Study
Business Challenge
Solution
How to use the Authentication Policy
Purpose and Use Case for the Authentication Policy
Dependencies
Captive portal versus GlobalProtect (GP) client
Management Plane and Data Plane Functions
Management Planes and Data Planes
Mind Map
Practice Questions
Chapter 04: Multi-vsys Environment
Introduction
The Significance of Multi-vsys Environments
Define Multiple Virtual Systems (Multi-vsys) environment
What are Multi-vsys Environments?
Core Concepts of Multi-vsys Environments
Benefits and Applications
User-ID hub
User-ID
Inter-vsys routing
Service Routes
The Significance of Service Routes
Creating Service Routes
Real-World Applications
Administration
Administration: Managing Multi-vsys Environments Effectively
User Access Control
Policy Deployment
Monitoring and Troubleshooting
Backups and Disaster Recovery
Best Practices for Multi-vsys Administration
Mind Map
Practice Questions
Chapter 05: Management and Profiles
Introduction
Configure Management Profiles
Interface Management Profile
SSL/TLS profile
Deploy and Configure Security Profiles
Custom Configuration of Different Security Profiles and Security Profile Groups
Relationship between URL Filtering and Credential Theft Prevention
Use of Username and Domain Name in HTTP Header Insertion
DNS Security
How to Tune or Add Exceptions to a Security Profile
Compare and contrast threat prevention and advanced threat prevention
Compare and Contrast URL Filtering and Advanced URL Filtering
Set up Zone Protection, Packet Buffer Protection, and Denial-of-Service (DoS) Protection
Customized Values versus Default Settings
Classified versus Aggregate Profile Values
Layer 3 and Layer 4 Header Inspection
Lab 5-01: Configure Zone Protection, Packet Buffer Protection, and DoS Protection
Case Study
Business Challenge
Solution
Mind Map
Practice Questions
Chapter 06: Firewall Configuration
Introduction
Design the Deployment Configuration of a Palo Alto Networks Firewall
Advanced High Availability (HA) deployments
HA Pair
Zero-Touch Provisioning
Bootstrapping
VM-Series Bootstrapping
Bootstrap Package
Configure Authorization, Authentication, and Device Access
Role-Based Access Control for Authorization
Different Methods used to Authenticate
The Authentication Sequence
The device access method
Lab 6-01: Configure Authorization, Authentication, and Device Access
Case Study
Business Challenge
Solution
Configure and Manage Certificate
Usage
Profiles
Chains
Lab 6-02: Configure and Manage Certificates
Case Study
Business Challenge
Solution
Mind Map
Practice Questions
Chapter 07: Routing and NAT
Introduction
Configuring Routing
Dynamic Routing
Redistribution Profiles
Static Routes
Route Monitoring
Policy-Based Forwarding
Virtual Routers VS Logical Routers
Configure NAT
NAT Policy Rules
Security Rules
Source NAT
No-NAT Policies
Use Session Browser to Find NAT Rule Name
U-Turn NAT
Check HIT Counts
Configure Security and NAT Policy
Security Policy
Network Address Translation (NAT) Policy
Security Zones
Committing Changes
Pushing Configuration
Using Panorama
Lab 7-01: Configure Security and NAT Policy
Case Study
Business Challenge
Solution
Configure Site-To-Site Tunnels
IPSec Components
Static Peers And Dynamic Peers For IPSec
IPSec Tunnel Monitor Profiles
IPsec Tunnel Testing
Generic Routing Encapsulation (GRE)
One-To-One And One-To-Many Tunnels
Determine When to use Proxy IDs
Configure Service Routes
Default
Custom
Destination
Custom Routes for Different Virtual Systems vs. Destination Routes
How To Verify Service Routes
Lab 7-02: Configure Service Routes
Case Study
Business Challenge
Solution
Configure Application-Based QoS
Enablement requirements
QoS Policy Rule
Add A Differentiated Services Code Point/ToS Component
QoS Profile
Determine How To Control Bandwidth Use On A Per-Application Basis
Use QoS To Monitor Bandwidth Utilization
Lab 7-03: Configure App-based Quality of Service (QoS)
Case Study
Business Challenge
Solution
Mind Map
Practice Questions
Chapter 08: Deploy and Configure Features and Subscriptions
Introduction
Configuring Decryption
Inbound Decryption
SSL Forward Proxy
SSL Decryption Exclusions
SSH Proxy
Configure User-ID
User-ID Agent And Agentless
User-ID Group Mapping
Shared User-ID Mapping Across Virtual Systems
Data Redistribution
User-ID Methods
Benefits of Using Dynamic User Groups (DUGs) In Policy Rules
Requirements To Support Dynamic User Groups
How GlobalProtect Internal And External Gateways Can Be Used
Configure WildFire
Submission Profile
Action Profile
Submissions and Determinations
Signatures Actions
File Types and File Sizes
Update Schedule
Forwarding Of Decrypted Traffic
Configure Web Proxy
Transparent Proxy
Explicit Proxy
Mind Map
Practice Questions
Chapter 09: Deploy and Configure Firewalls Using Panorama
Introduction
Panorama Overview and Architecture
Panorama Models
Centralized Firewall Configuration and Update Management
Panorama Configuration and Administration
Determine Panorama Log Storage Requirements
Manage Large-Scale Firewall Deployments
Set Up the Panorama Virtual Appliance
Set Up the M-Series Appliance
Register Panorama and Install Licenses
Install the Panorama Device Certificate
Install the Device Certificate for a Dedicated Log Collector
Install Content and Software Updates for Panorama
Transition to a Different Panorama Model
Access and Navigate Panorama Management Interfaces
Set Up Administrative Access to Panorama
Set Up Authentication Using Custom Certificates
Lab 9-01: Add Firewall into Panorama
Case Study
Business Challenge
Solution
Configure Templates and Template stacks
Components Configured in a Template
Template Order Impact on Firewall Configuration Push
Overriding a Template Value in a Stack
Configure Variables in Templates
Panorama-Dynamic Updates, Policies, and HA Relationships
Lab 9-02: Understand and Configure Panorama Templates
Case Study
Business Challenge
Solution
Lab 9-03: Configure Panorama Templates and Push Zone Configuration
Case Study
Business Challenge
Solution
Configure Device Groups
Device Group Hierarchies
Identify What Device Groups Contain
Distinguishing Use Cases: Pre, Local, Default, Post Rules
Identify the impact of configuring a primary device
Assign Firewalls to Device Groups
Lab 9-04: Configure Device Group and Push Address Object Configuration
Case Study
Business Challenge
Solution
Lab 9-05: Configure Device Group and Push Address Object Configuration
Case Study
Business Challenge
Solution
Manage Firewall Configurations within Panorama
Licensing
Commit Recovery Feature
Automatic Commit Recovery
Commit Types and Schedules
Configuration Backups
Commit Type Options
Manage Dynamic Updates for Panorama and Panorama-Managed Devices
Software and Dynamic Updates
Import Firewall Configurations into Panorama
Configure Log Collectors
Check Firewall Health and Status from Panorama
Configure Role-Based Access Control on Panorama
Case Study: Plan Your Panorama Deployment
Introduction
Challenge
Solution
Deployment Plan
Procedure
Benefits
Conclusion
Mind Map
Practice Questions
Chapter 10: Manage and Operate
Introduction
Manage and Configure Log Forwarding
Identify log types and criticalities
Manage external services
Create and Manage Tags
Log Monitoring
Customize Logging and Reporting Settings
Plan and Execute the upgrade of a Palo Alto Networks system
Single firewall
High availability pairs
Upgrading Firewalls Under Panorama Management
Dynamic Updates
Manage HA functions
Link Monitoring
Path Monitoring
HA Links
Failover
Active/Active and Active/Passive
HA interfaces
Clustering
Election setting
Mind Map
Practice Questions
Chapter 11: Troubleshooting
Introduction
Troubleshoot Site-to-Site Tunnels
Troubleshoot Phase 1
Troubleshoot Phase 2
Troubleshoot Interfaces
Troubleshoot Connectivity Issues on the Management Interface
Troubleshoot Decryption
Troubleshoot and Monitor Decryption
Tools for Troubleshooting
General Troubleshooting Methodology
Decryption Best Practice
Troubleshoot Routing
Routing Table Not Updated Scenario
Incorrect Default Route Scenario
Routing Loops Scenario
Route Flapping Scenario
Black Hole Routing Scenario
General Troubleshooting
Troubleshooting Interfaces
Route Lookups
Drop Counters
Clearing Sessions
Troubleshoot Resource Protections
Useful Commands for Troubleshooting:
1. Session Table Full
2. Packet Buffer/ Packet Descriptors Full
Troubleshoot GlobalProtect
Tools used for Troubleshooting on the Firewall
General Troubleshooting Approach
Common Issues
Troubleshoot Policies
Procedure to Test Security Policy:
Troubleshoot HA Functions
Mismatched URL Database Vendor on High Availability Pair
Active to Passive Configuration Sync Failing for High Availability
Heartbeat Backup Enabled on Both Devices, but Status is Down
Panorama Troubleshooting
Troubleshoot Panorama System Issues
Troubleshoot Log Storage and Connection Issues
Replace an RMA Firewall
Troubleshoot Commit Failures
Troubleshoot Registration or Serial Number Errors
Troubleshoot Reporting Errors
Troubleshoot Device Management License Errors
Troubleshoot Automatically Reverted Firewall Configurations
Complete Content Update When Panorama HA Peer is Down
View Task Success or Failure Status
Test Policy Match and Connectivity for Managed Devices
Restore an Expired Device Certificate
Downgrade from Panorama 9.1
Mind Map
Practice Questions
Answers
Chapter 02: Palo Alto Networks Components
Chapter 03: User Identification and Authentication
Chapter 04: Multi-vsys Environment
Chapter 05: Management and Profiles
Chapter 06: Firewall Configuration
Chapter 07: Routing and NAT
Chapter 08: Deploy and Configure Features and Subscriptions
Chapter 09: Deploy and Configure Firewalls Using Panorama
Chapter 10: Manage and Operate
Chapter 11: Troubleshooting
Acronyms
References
About Our Products
Palo Alto Networks Certifications
Palo Alto Networks certifications are industry-recognized credentials that
validate your expertise in Palo Alto Networks security solutions. They can
help you advance your career, increase your earning potential, and gain a
competitive edge in the job market. Palo Alto Networks offers a variety of
certifications for different levels of experience and expertise, from
foundational to advanced. The most popular certifications are the Palo Alto
Networks Certified Security Administrator (PCNSA) and the Palo Alto
Networks Certified Network Security Engineer (PCNSE). The PCNSA
certification validates your ability to operate and manage Palo Alto
Networks Next-Generation Firewalls (NGFWs). The PCNSE certification
validates your ability to design, deploy, operate, manage, and troubleshoot
NGFWs.
Palo Alto Networks Security Platform
The Palo Alto Networks Security Platform is a complete cybersecurity
solution created to offer businesses improved defense against a variety of
cyber threats. It includes several products and services that cooperate to
protect endpoints, networks, and cloud environments.
The Palo Alto Networks Security Operating Platform was created to make it
easier for your teams to work quickly and effectively to safeguard your
business. To secure the organization, the cloud, and the future, it prevents
successful attacks, even those that are already underway.
Palo Alto Certified Network Security Administrator Exam
The technology of Palo Alto Networks is highly automated and integrated.
The Palo Alto Networks product line consists of several distinct
technologies that cooperate to stop successful cyberattacks. The Palo Alto
Networks Certified Network Security Engineer (PCNSE) certification
demonstrates that its holder can deploy and configure Palo Alto Networks
Next-Generation Firewalls effectively while utilizing the rest of the platform.
The knowledge and abilities needed by network security engineers to plan,
implement, run, oversee, and debug Palo Alto Networks Next-Generation
Firewalls are validated by the PCNSE certification.
Exam Requirements
Candidates should have a firm grasp of networking and network security
principles, such as TCP/IP, routing and switching, and firewall
technologies, in order to prepare for the PCNSE certification. Experience
with Palo Alto Networks security solutions, such as the Palo Alto Networks
Firewall and Panorama management server, is also advised for candidates.
About PCNSE Exam Information
Exam Questions: Case study, short answer, repeated answer, MCQs
Number of Questions: 70-80
Time to Complete: 80 minutes
Exam Fee: 160 USD
This exam measures your ability to accomplish the following technical tasks:
Core Concepts 12%
Deploy and Configure Core Components 20%
Deploy and Configure Features and Subscriptions 17%
Deploy and Configure Firewalls Using Panorama 17%
Manage and Operate 16%
Troubleshooting 18%
Recommended Knowledge
Identify how Palo Alto Networks products work together to improve PAN-OS services
Determine and assess appropriate interface or zone types for various
environments
Identify decryption deployment strategies
Enforce User-ID
Determine how and when to use the Authentication policy
Differentiate between the fundamental functions that reside on the
management plane and data plane
Define multiple virtual systems (multi-vsys) environment
Configure management profiles
Deploy and configure Security profiles
Configure zone protection, packet buffer protection, and DoS protection
Design the deployment configuration of a Palo Alto Networks firewall
Configure authorization, authentication, and device access
Configure and manage certificates
Configure routing
Configure NAT
Configure site-to-site tunnels
Configure service routes
Configure application-based QoS
Configure App-ID
Configure GlobalProtect
Configure decryption
Configure User-ID
Configure WildFire
Configure Web Proxy
Configure templates and template stacks
Configure device groups
Manage firewall configurations within Panorama
Manage and configure Log Forwarding
Plan and execute the process to upgrade a Palo Alto Networks system
Manage HA functions
Troubleshoot site-to-site tunnels
Troubleshoot interfaces
Troubleshoot decryption
Troubleshoot routing
General Troubleshooting
Troubleshoot resource protections
Troubleshoot GlobalProtect
Troubleshoot policies
Troubleshoot HA functions
All the required information is included in this Study Guide.
Domain Percentage
Domain 1: Core Concepts 12%
Domain 2: Deploy and Configure Core Components 20%
Domain 3: Deploy and Configure Features and Subscriptions 17%
Domain 4: Deploy and Configure Firewalls Using Panorama 17%
Domain 5: Manage and Operate 16%
Domain 6: Troubleshooting 18%
Chapter 01: Introduction
Introduction
The Palo Alto Certified Network Security Engineer (PCNSE) certification
represents the next level of expertise in Palo Alto Networks' security
ecosystem. Building on the foundation laid by the PCNSA certification, the
PCNSE validates your advanced proficiency in Palo Alto Networks' Next-
Generation Firewall technology. This certification focuses on honing your
skills in designing, installing, configuring, and maintaining these powerful
firewalls while emphasizing the successful deployment of network traffic
control through User-ID, App-ID, and Policy. Additionally, it places a
paramount emphasis on ensuring security through Content-ID.
As you embark on your journey towards PCNSE, you will find that this
certification equips you with the requisite knowledge and competencies to
deploy the PAN-OS platform across diverse environments. The PCNSE
certification is designed to prepare you comprehensively for the PCNSE:
Palo Alto Networks Certified Network Security Engineer exam and
ultimately enable you to earn your PCNSE certification successfully. With
this certification, you will become a master in the Palo Alto Networks
security landscape, capable of implementing advanced security measures to
safeguard your network infrastructure.
Networking Concepts
Networking principles are critical in the PCNSE (Palo Alto Networks
Certified Network Security Engineer) certification. These foundational
principles form the bedrock upon which advanced security measures and
Palo Alto Networks technologies are built. The PCNSE certification delves
into the intricacies of these concepts within network security, where
understanding the core principles of computer networking is instrumental.
Proficiently grasping these networking concepts empowers professionals to
secure network infrastructures and design resilient network architectures,
establish secure connectivity, and enforce formidable security policies by
utilizing Palo Alto Networks solutions. By mastering these networking
fundamentals within the Palo Alto Networks framework, individuals are
equipped to defend networks against the ever-evolving landscape of cyber
threats, demonstrating their expertise as accomplished network security
engineers.
Overview of Palo Alto Networks
Palo Alto Networks is a global cybersecurity company that provides
advanced network security solutions. They provide various products and
services created to safeguard organizations against a wide array of
cybersecurity threats. Palo Alto Networks' flagship product is their Next-
Generation Firewall (NGFW), which integrates advanced security features
such as application awareness, threat prevention, and user identification.
They also provide solutions for cloud security, endpoint protection, threat
intelligence, and security management. Palo Alto Networks is recognized for
its creative cybersecurity methods, utilizing machine learning and artificial
intelligence to identify and thwart emerging threats. Organizations across
industries, including government, healthcare, finance, and technology,
widely adopt their solutions.
Palo Alto Networks Security Platform
The Palo Alto Networks Security Platform is a complete cybersecurity
solution created to offer businesses improved defense against various
cyber threats. It includes several products and services that cooperate to
protect endpoints, networks, and cloud environments.
The Palo Alto Networks Security Operating Platform was created to make it
easier for your teams to work quickly and effectively to safeguard your
business. To secure the organization, the cloud, and the future, it prevents
successful attacks, even those already underway.
Secure the Enterprise
Our closely integrated technologies were created with simplicity in mind and
are simple to use, providing reliable protection for network, cloud, and
mobile users.
Secure the Cloud
Prisma is the most comprehensive cloud security solution available in the
market. Utilize a solution suite created to secure the sophisticated IT
infrastructures of today to hasten your transition to the cloud.
Secure the Future
Cortex is the only open, integrated AI-based continuous security platform in
the market, and it is always evolving to counter the most complex attacks.
Why Is Palo Alto Networks Considered a Leader in the Security Industry?
Palo Alto Networks is a cybersecurity firm that delivers sophisticated
security solutions and services to businesses. They are known for their Next-
Generation Firewall technology, which offers advanced threat-prevention
capabilities. Here are a few reasons why Palo Alto Networks is considered a
leader in the security industry:
Next-Generation Firewall: Palo Alto Networks developed a Next-
Generation Firewall (NGFW) that goes beyond traditional firewalls. Their
NGFW provides application-level visibility and control, allowing
organizations to identify and control network traffic based on the
applications used. This helps prevent the spread of malware and provides
better protection against advanced threats.
Threat Intelligence: Palo Alto Networks has created an extensive threat
intelligence platform named WildFire. This platform performs real-time
analysis and recognition of novel and unidentified threats, enabling
organizations to promptly detect and respond to emerging threats. This
intelligence is shared across the Palo Alto Networks ecosystem, providing a
collective defense against cyber threats.
Advanced Endpoint Protection: Palo Alto Networks offers advanced
endpoint protection through their Traps solution. Traps uses machine learning
and behavioral analysis to detect and prevent known and unknown malware
on endpoints. It gives organizations enhanced visibility and control over
their endpoints, reducing the risk of successful attacks.
Cloud Security: In response to the growth of cloud computing, Palo Alto
Networks has broadened its range of security solutions to safeguard cloud
environments. Their cloud security platform, Prisma Cloud, provides
comprehensive visibility, compliance, and threat protection for cloud
workloads and services across multiple platforms.
Integrated Security Platform: Palo Alto Networks emphasizes the
importance of an integrated security platform that combines various security
technologies into a unified system. This approach gives organizations
consistent visibility, policy enforcement, and threat prevention across
different network segments and security layers.
Research and Development: Palo Alto Networks invests significantly in
research and development to stay at the forefront of cybersecurity
innovation. They actively research emerging threats, develop new security
technologies, and collaborate with the broader cybersecurity community to
improve security practices.
Overall, Palo Alto Networks is regarded as a leader in the security industry
due to its advanced security solutions, focus on threat prevention, and
commitment to innovation. Their comprehensive approach to cybersecurity
helps organizations protect their networks, endpoints, and cloud
environments from a wide range of threats.
Palo Alto Networks Certifications
Palo Alto Networks certifications set standards for cybersecurity expertise
and knowledge, improving your proficiency in using and managing Palo
Alto Networks products. At the moment, there are six certifications:
Figure 1-01: Palo Alto Networks Certifications
Palo Alto Networks Certified Cybersecurity Entry-level Technician
(PCCET) - The first certification of its kind, the Palo Alto Networks
Certified Cybersecurity Entry-level Technician (PCCET) covers a
fundamental understanding of network security and cybersecurity principles
as well as several cutting-edge developments in all Palo Alto Networks
technologies. Palo Alto Networks Education Services has taken initiatives to
align with industry standards following the NIST/NICE (National Institute
of Standards and Technology/National Initiative for Cybersecurity
Education) workforce framework as the cybersecurity landscape gets more
complicated.
Palo Alto Networks Certified Network Security Administrator (PCNSA)
- The Palo Alto Networks Certified Network Security Administrator
(PCNSA) certification certifies that holders possess the knowledge and
abilities necessary to implement and manage Palo Alto Networks Next-
Generation Firewalls (NGFWs). The key elements of the Palo Alto
Networks product portfolio and the Palo Alto Networks NGFW feature set
have been demonstrated by PCNSA-certified personnel.
Palo Alto Networks Certified Network Security Engineer (PCNSE) -
The Palo Alto Networks Certified Network Security Engineer (PCNSE)
certification confirms that network security engineers possess the knowledge
and abilities necessary to design, deploy, operate, manage, and troubleshoot
Palo Alto Networks Next-Generation Firewalls (NGFWs). People who have
earned the PCNSE certification have proven to have a thorough
understanding of the Palo Alto Networks product line and can use it to its
fullest potential in the great majority of setups.
Prisma Certified Cloud Security Engineer (PCCSE) - The Prisma
Certified Cloud Security Engineer (PCCSE) certification certifies that a
person possesses the knowledge, abilities, and skills necessary to implement
and manage all parts of the Prisma Cloud. People who hold the PCCSE
certification have proven to have a thorough understanding of Palo Alto
Networks Prisma Cloud resources and technologies.
Palo Alto Networks Certified Detection and Remediation Analyst
(PCDRA) - The Palo Alto Networks Certified Detection and Remediation
Analyst (PCDRA) certification is a knowledge-based certification that
verifies applicants' comprehension of basic network security, cloud security,
and SOC security.
Palo Alto Networks Certified Security Automation Engineer (PCSAE) -
The Palo Alto Networks Certified Security Automation Engineer (PCSAE)
certification verifies the knowledge and abilities needed to create, examine,
and manage the native threat intelligence management Cortex XSOAR
security orchestration, automation, and response platform.
Understanding the Importance of PCNSE Certification
Staying ahead of the curve is imperative in the rapidly evolving
cybersecurity landscape, where cyber threats constantly adapt and become
more sophisticated. For network security professionals, this means
continually expanding their knowledge, developing specialized skills, and
staying up-to-date with the latest security technologies. In this pursuit of
expertise, the Palo Alto Networks Certified Network Security Engineer
(PCNSE) certification stands out as a beacon of excellence.
1. A Mark of Advanced Expertise
The PCNSE certification represents the next level of proficiency in the Palo
Alto Networks ecosystem. It signifies that an individual is highly competent
in configuring, managing, and securing network infrastructures using Palo
Alto Networks technologies. It is not just a certification but a testament to
one's advanced expertise in network security.
2. Elevating Career Opportunities
Network security is a competitive field; employers seek individuals with the
knowledge and skills to protect their organizations from cyber threats. A
PCNSE certification sets you apart from the crowd and enhances your
employability. It opens doors to career opportunities in various industries,
from healthcare to finance, where network security is a top priority.
3. Strengthening Organizational Security
Organizations place paramount importance on securing their networks and
data. Having PCNSE-certified professionals on staff assures them that their
network infrastructure is in capable hands. The certification empowers
individuals with the skills to design robust network architectures, enforce
effective security policies, and respond swiftly to emerging threats,
ultimately strengthening the security posture of their organizations.
4. Adapting to Evolving Threats
Cyber threats are constantly changing, and to effectively combat them,
security professionals must adapt. The PCNSE certification equips
individuals with the knowledge and tools to stay ahead of the curve. It
covers the latest security technologies and best practices, ensuring certified
engineers are well-prepared to face even the most cutting-edge cyber threats.
5. Contributing to Industry Standards
PCNSE certification holders often play a crucial role in defining and
upholding industry best practices. Their expertise helps establish network
security standards, shaping how organizations protect their assets and
information. As a certified professional, you become part of this influential
community that guides the industry toward improved security practices.
6. Personal and Professional Growth
Beyond career benefits, PCNSE certification provides a sense of personal
accomplishment. It is a challenging journey that, once completed, instills
confidence in your abilities and knowledge. It demonstrates your
commitment to your professional development and your dedication to
safeguarding networks and data.
The importance of PCNSE certification goes beyond the accumulation of
knowledge and skills; it is about making a meaningful impact on the security
of organizations and the industry as a whole.
Why Should You Get This Certification?
The Palo Alto Networks Certified Network Security Engineer (PCNSE)
certification is a strategic move for several compelling reasons:
Expertise Validation: PCNSE certifies your high-level expertise in
configuring, managing, and securing networks with Palo Alto Networks
technology.
Career Advancement: PCNSE opens doors to better job opportunities,
higher salaries, and positions with greater responsibility in the
competitive field of network security.
Specialized Knowledge: Gain in-depth knowledge in firewall
configuration, threat prevention, VPN, and more, making you an
invaluable asset to your organization.
Global Recognition: PCNSE holds international credibility, enhancing
your appeal in a global job market.
Safeguarding Organizations: Protect organizations from cyber threats
by designing robust security policies, implementing advanced threat
prevention, and responding to incidents effectively.
Personal Growth: Beyond career benefits, PCNSE is a personal
development journey, challenging you to expand your knowledge and
skills.
Exclusive Community: Join an exclusive community of experts in the
field, providing networking opportunities and resources to enhance your
career and knowledge further.
Who is this course for?
The PCNSE exam is suitable for individuals seeking to showcase a profound
grasp of Palo Alto Networks technologies. This includes many professionals,
such as customers utilizing Palo Alto Networks products, value-added
resellers, pre-sales system engineers, system integrators, and support
personnel. To be eligible for the exam, candidates should possess 3 to 5
years of experience in the networking or security sectors and 6 to 12 months
of experience in deploying and configuring Palo Alto Networks NGFW
within the Palo Alto Networks product lineup.
How Does PCNSE Certification Help?
Specialized Problem Solving
PCNSE certification sharpens your ability to tackle complex network
security challenges. It equips you with the skills to analyze, troubleshoot,
and resolve intricate security issues unique to Palo Alto Networks
technologies.
Rapid Incident Response
PCNSE-certified professionals are adept at responding swiftly to security
incidents. You learn to identify threats, minimize damage, and restore
operations effectively, ensuring minimal disruption to business operations.
Enhanced Collaboration
Holding a PCNSE certification can boost your collaborative skills. To create
cohesive security strategies, you will be well-prepared to work closely with
cross-functional teams, such as IT, compliance, and incident response.
Optimization of Security Policies
PCNSE-certified individuals excel at fine-tuning security policies. You gain
expertise in tailoring security settings to specific organizational needs,
balancing protection with operational efficiency.
Real-World Implementation
PCNSE certification goes beyond theory and focuses on practical
application. You learn to deploy, configure, and manage Palo Alto Networks
technologies in real-world scenarios, enhancing your readiness for on-the-
job challenges.
Expert Stakeholder Communication
PCNSE-certified professionals are skilled at translating technical security
issues into understandable terms for non-technical stakeholders. This ability
to bridge the communication gap is invaluable for board-level discussions
and reporting.
Vendor-Customer Relationship Building
If you are working with vendors and customers, PCNSE certification helps
foster trust. It demonstrates your commitment to staying current with Palo
Alto Networks technologies, assuring clients and partners of your expertise.
In essence, PCNSE certification extends beyond career advancement and
expertise validation. It refines your problem-solving skills, bolsters incident
response capabilities, enhances collaboration, optimizes security policies,
promotes real-world application, improves stakeholder communication, and
strengthens vendor-customer relationships. These unique attributes make
PCNSE a significant asset in your network security journey.
How Challenging is the PCNSE Certification?
The PCNSE (Palo Alto Networks Certified Network Security Engineer)
certification is known for its high difficulty level. Here's why:
Complex Material: PCNSE covers many complex topics related to
network security and Palo Alto Networks technologies.
Hands-On Experience: Practical experience in configuring and
managing Palo Alto Networks solutions is crucial, making it challenging
for those without real-world exposure.
High-Stakes Exam: The certification exam is tough, reflecting the
advanced nature of the certification.
Continuous Updates: The evolving nature of network security requires
candidates to stay current with the latest technologies and best practices.
In-Depth Knowledge: PCNSE demands a deep understanding of Palo
Alto Networks technologies.
Thorough Preparation: Successful candidates invest significant time
and effort in preparing, often involving formal training, hands-on
practice, and lab work.
While challenging, PCNSE is a valuable certification that can lead to
advanced career opportunities in network security.
How Should One Prepare for the PCNSE Exam?
To prepare for the PCNSE exam, start by reviewing the official exam
blueprint provided by Palo Alto Networks. Gather study materials, including
official documentation, textbooks, and online resources. Gain hands-on
experience working with Palo Alto Networks devices or virtual
environments. Consider formal training courses and supplement them with
self-study and research. Set up practice labs to reinforce your skills and take
official or reputable practice exams to assess your readiness. Manage your
time wisely, engage with the Palo Alto Networks community, and stay
updated on industry developments. Register for the exam when you feel
confident, and arrive well-prepared and focused on exam day. After the
exam, review your performance and areas for improvement to continue
enhancing your skills and expertise.
What is the Cost of the PCNSE Exam?
The exam taker must pay for each attempt. The PCNSE exam costs $160.
Skills Required for this Certification
The key competencies expected are:
1. Proficiency in planning, deploying, configuring, operating, and
troubleshooting various components within the Palo Alto Networks
product portfolio.
2. A comprehensive understanding of the distinct characteristics of the Palo
Alto Networks product lineup and how to implement them effectively.
3. Familiarity with the networking and security policies employed by PAN-
OS software.
Prerequisites
PCNSA - Palo Alto Networks Certified Network Security Administrator
Recertification
Your PCNSE certification remains valid for two years after passing the
exam. Following your certification, there is a mandatory waiting period of
six months before you are eligible to attempt another PCNSE test. To ensure
the continuous validity of your certification, you must undergo
recertification, which involves retaking the PCNSE test.
Career Growth PCNSE Certification in 2024
As we stand on the precipice of 2024, the world of cybersecurity is in a state
of constant flux. Cyber threats are growing in complexity and frequency,
making the role of network security professionals more critical than ever
before. In this dynamic landscape, the Palo Alto Networks Certified
Network Security Engineer (PCNSE) certification emerges as a beacon of
opportunity for those looking to secure their career and significantly impact
the security of organizations worldwide. Let's explore the role of PCNSE in
career growth in 2024.
In-Demand Expertise
Network security experts are in high demand across various industries, from
finance and healthcare to government and e-commerce. In 2024, the demand
for PCNSE-certified professionals is expected to grow significantly. As
organizations continue to invest heavily in network security, they need
skilled individuals who can navigate the complexities of Palo Alto Networks
technologies. A PCNSE certification positions you as an in-demand expert
in the field, ensuring steady career opportunities.
Key to Specialized Roles
The field of network security is vast and multifaceted. In 2024, many
specialized roles are emerging, such as cloud security specialist, incident
response analyst, and security consultant. PCNSE certification is often a
prerequisite for these roles, as it provides the specialized knowledge and
skills necessary to excel in these positions. Whether you aspire to work in a
specific niche or want to diversify your career, the PCNSE certification
paves the way.
Leadership Opportunities
Security breaches and cyber threats are front-page news, and organizations
are constantly pressured to protect their data and infrastructure. PCNSE-
certified professionals are often entrusted with leadership positions, such as
Chief Information Security Officer (CISO) or network security manager.
These roles offer greater responsibility, substantial compensation packages,
and the chance to influence an organization's security strategy.
Global Relevance
The PCNSE certification is recognized globally as a mark of excellence in
network security. In 2024, this global recognition is expected to grow,
opening doors to career opportunities worldwide. Whether you aspire to
work for a multinational corporation or want to explore international
consulting, the PCNSE certification provides the credibility and skill set to
do so.
Contributing to Cyber Resilience
Beyond personal career growth, holding a PCNSE certification enables you
to contribute to the greater good by enhancing your organization's
cybersecurity posture. In 2024, as threats continue to evolve, PCNSE-
certified professionals play a pivotal role in safeguarding sensitive data,
ensuring business continuity, and protecting the privacy of individuals.
Continuous Learning and Adaptation
The field of network security is one of constant learning and adaptation. A
PCNSE certification demonstrates your commitment to staying current with
industry trends, best practices, and the latest technologies. This mindset of
continuous improvement keeps your skills sharp and ensures you remain a
valuable asset to any organization.
As we journey into 2024, the PCNSE certification presents opportunities for
network security professionals. It is a testament to your expertise and a key
that unlocks the doors to many career options.
Chapter 02: Palo Alto Networks Components
Introduction
Palo Alto Networks offers a wide range of security products and components
that work together to protect organizations from cyber threats. These
products and components can be used to build a comprehensive security
architecture that addresses each organization's unique needs. This chapter
will cover a wide range of topics related to Palo Alto Networks products and
services, including:
PAN-OS services: core software that powers Palo Alto Networks
firewalls and other security devices.
Interface and zone types: provide different interfaces and zones that can
be used in a Palo Alto Networks security deployment.
Decryption deployment strategies: used to deploy and manage
decryption in a Palo Alto Networks security environment.
How do Palo Alto Networks Products Work Together to Make
PAN-OS Services Better?
Palo Alto Networks offers a wide range of security products that work
together to strengthen the security operations built on PAN-OS services. The
three primary offerings are Strata, Prisma, and Cortex, which focus on
enterprise security, cloud security, and security operations respectively.
Security Components
Palo Alto Networks Cybersecurity Portfolio
The Palo Alto Networks cybersecurity portfolio is structured around three
primary offerings: Strata, which focuses on enterprise security; Prisma,
tailored for cloud security; and Cortex, which specializes in security
operations. These offerings work in concert to address some of the most
significant cybersecurity challenges globally.
Strata: Enterprise Security
Strata is designed to thwart cyberattacks through a leading-edge network
security suite. It empowers organizations to embrace network transformation
while maintaining consistent security for users, applications, and data,
regardless of location. The suite incorporates the following components:
Machine Learning-Powered Next-Generation Firewalls
Palo Alto Networks' Machine Learning (ML)–driven Next-Generation
Firewalls (NGFWs) enable the implementation of best practices. They
achieve this by employing policies based on applications, users, and content
to minimize attack vulnerabilities. These NGFWs are available in various
forms, including physical, virtualized, and cloud-delivered services. All of
them can be centrally managed with Panorama, ensuring uniform security
measures.
The NGFW family encompasses:
PA-Series: This includes multiple form factors within the PA-Series of
physical firewalls, offering consistent protection across the entire network
perimeter. They safeguard headquarters, data centers, office campuses,
branch offices, and mobile and remote workforces. Models in this series
include PA-220, PA-800, PA-3200, PA-5200, and PA-7000 Series.
Figure 2-01: PA Series
VM-Series: The virtualized edition of the ML-powered NGFW delivers
equivalent protection to the PA-Series offerings. Moreover, it simplifies
the security of both private and public cloud deployments, incorporating
segmentation and proactive threat prevention measures.
Figure 2-02: VM Series
The VM-Series firewalls are compatible with various virtualization
environments:
Amazon Web Services
Cisco ACI
Citrix NetScaler SDX
Google Cloud Platform
Kernel-based Virtual Machine (KVM)
Microsoft Azure and Microsoft Hyper-V
OpenStack
VMware ESXi, VMware NSX, and VMware vCloud Air
Network Security Management: Panorama
Panorama offers straightforward and centralized management capabilities for
gaining insights into network-wide traffic and threats while efficiently
administering NGFWs (Next-Generation Firewalls) across various locations.
Panorama is available in both hardware appliance and virtual forms, offering
the following key features:
Policy management
Centralized visibility
Insights into network security
Automated response to threats
Network security administration
Comprehensive enterprise-level reporting.
Prisma: Cloud Security
Prisma Cloud provides comprehensive security coverage throughout the
development lifecycle across various cloud environments, empowering you
to develop cloud-native applications confidently. The Prisma suite includes
Prisma Cloud, Prisma Access Secure Access Service Edge (SASE), Prisma
SaaS, and the VM-Series ML-powered NGFWs (Next-Generation
Firewalls).
Prisma Cloud
Prisma Cloud is a Cloud Security Posture Management (CSPM) and cloud
workload protection platform. It offers extensive visibility and threat
detection capabilities across an organization's hybrid and multi-cloud
infrastructure.
Prisma Cloud leverages cloud providers' APIs to obtain read-only access to
network traffic, user activities, and system and service configurations. It then
correlates this diverse data to assist cloud compliance and security analytics
teams in prioritizing risks and promptly responding to issues. Additionally,
Prisma Cloud employs an agent-based approach to secure host, container,
and serverless computing environments against vulnerabilities, malware, and
compliance violations.
This cloud-native security platform delivers the following benefits:
Comprehensive, cloud-native security
Protection throughout the entire lifecycle
Security coverage across any cloud provider
Prisma Cloud safeguards various cloud-native infrastructure components,
including but not limited to:
Alibaba Cloud
Amazon Web Services
Docker EE
Google Cloud Platform
IBM Cloud
Kubernetes
Microsoft Azure
Rancher
Red Hat OpenShift
VMware Tanzu
Cortex: Security Operations
Cortex stands out as the most comprehensive suite of products for security
operations, offering enterprises a robust set of detection, investigation,
automation, and response capabilities. The Cortex product suite
encompasses Cortex XDR, Cortex XSOAR, Cortex Data Lake, and
AutoFocus.
Cortex XDR
Cortex XDR represents an industry-first extended detection and response
platform, running seamlessly across integrated endpoints, networks, and
cloud data to reduce noise and focus on genuine threats. This platform
provides complete visibility into network traffic, user behavior, and endpoint
activities. It simplifies investigating threats by correlating data from various
sensors to unveil threats and their timelines, making it easy to pinpoint the
root cause of each alert. Cortex XDR also enables immediate response
actions. Additionally, to thwart future attacks, you can proactively define
Indicators of Compromise (IOCs) and Behavioral Indicators of Compromise
(BIOCs) to detect and respond to malicious activities. Figure 2-03
illustrates the architecture of Cortex XDR.
Figure 2-03: Cortex XDR Architecture
Cortex XSOAR
Cortex XSOAR is the industry's pioneering Security Orchestration,
Automation, and Response (SOAR) platform, featuring native threat
intelligence management. The SOAR technology automates up to 95 percent
of response actions that typically require human review, enabling
overwhelmed security teams to concentrate on more critical tasks. Cortex
XSOAR integrates with various products, enhancing automation and
response capabilities across various processes.
Figure 2-04: Cortex XSOAR Architecture
Cortex Data Lake
Cortex Data Lake facilitates the effortless collection of substantial volumes
of log data, allowing innovative applications to extract insights from an
organization's environment. It streamlines log infrastructure, automates log
management, and harnesses data effectively to prevent cyberattacks
proactively.
Cortex Data Lake offers the following advantages:
Streamlining security operations by gathering, integrating, and
normalizing an organization's security data.
Enabling advanced artificial intelligence and machine learning with
cloud-scale data.
Continuously learning from new data sources to enhance defense
mechanisms.
The Cortex Data Lake is the central hub for consolidating information from
multiple Palo Alto Networks products, as illustrated in Figure 2-05.
Figure 2-05: Cortex Data Lake
The following products can utilize Cortex Data Lake:
Prisma Access
Palo Alto Networks NGFWs (Next-Generation Firewalls) and Panorama
devices with cloud connectivity capabilities
Cortex XDR
Previous versions of Palo Alto Networks Traps, which have now been
integrated into Cortex XDR
Traps versions 5.0 and above when used with the Traps management
service.
Firewall Components
Security Zones
Palo Alto Networks ML-powered NGFWs are organized into security zones.
These zones define specific network segments where all nodes, including
users, data centers, DMZ servers, and remote users, share similar network
security requirements. The firewall's security model is based on evaluating
traffic as it moves from one zone to another. Zones serve as a logical means
of grouping physical and virtual interfaces. They are essential for controlling
and logging traffic that traverses these interfaces. Every defined interface
must be associated with a zone, indicating all traffic arriving at or departing
from that interface. Zones are created for specific interface types, such as
Tap, Virtual Wire, Layer 2, or Layer 3, and can be assigned to multiple
interfaces of the same type. However, an interface can only belong to a
single zone, while a zone can encompass multiple interfaces.
All sessions within the firewall are identified by source and destination
zones. Security rules can use these defined zones to permit or deny traffic,
apply Quality of Service (QoS) policies, implement Network Address
Translation (NAT), and more. By default, traffic within a zone can flow
freely; this is referred to as intrazone traffic. In contrast, traffic between
zones (known as interzone traffic) is denied by default. Security policy rules
are necessary to modify these default behaviors. Traffic can traverse between
zones only when a defined security policy rule matches the traffic and allows
it. These policies reference source and destination zones, not interfaces, to
determine traffic matches. Policy evaluation occurs from top to bottom,
meaning that the first rule with the appropriate matching criteria will be
applied.
EXAM TIP: Security zones are logical groups of interfaces that
share similar network security requirements. They are used to control and
log traffic that traverses these interfaces. Every defined interface must be
associated with a zone.
Security Policy
Security policy rules establish a positive (allow list) and negative (block list)
enforcement model for managing traffic through the firewall. When logging
is enabled for a matching policy, the action taken for that session is logged.
These logs prove invaluable for fine-tuning the positive and negative
enforcement models. The log information can be utilized to categorize
traffic, offering specific usage insights and enabling precise policy creation
and control. Log entries can also be forwarded to external destinations,
including email and web servers, syslog servers, Panorama, and Cortex Data
Lake.
Palo Alto Networks firewall logs, the ACC (Application Command Center),
App Scope, and various reporting tools describe traffic and usage patterns.
To create these Security policy rules, you can employ multiple matching
conditions. Criteria for matching traffic can encompass security zones,
source and destination IP addresses, source and destination devices, as well
as details about the application (App-ID), source user (User-ID), service
(port), HIP match, and URL. Furthermore, allowed session content can
undergo scanning based on Security Profiles (Content-ID) to identify
undesirable traffic content. These profiles enable the detection of both
known and unknown threats through signatures and inline Machine Learning
models.
To leverage security profiles, incorporate them into a Security policy rule, as
illustrated in Figure 2-06:
Figure 2-06: Security Policy Rule
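As an added illustration (not PAN-OS code and not part of the study guide), the following Python model applies the rules stated in the Security Zones and Security Policy sections: each interface belongs to exactly one zone, rules match on source and destination zone plus App-ID, User-ID and service, the rule base is evaluated top to bottom, and unmatched intrazone traffic is allowed while unmatched interzone traffic is denied. The zone, interface, rule and user names are constructed for the example, and the shadowed-rule check goes one step beyond the text as a tuning aid.

```python
"""Zone-based security policy evaluation modelled on the PAN-OS behaviour
described in the guide. Added illustration, not PAN-OS code; all names
below are constructed for the example."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ANY = "any"
MATCH_FIELDS = ("src_zones", "dst_zones", "apps", "users", "services")


@dataclass(frozen=True)
class Session:
    ingress_if: str
    egress_if: str
    app: str      # App-ID
    user: str     # User-ID
    service: str  # service/port, e.g. "tcp/443"


@dataclass
class Rule:
    name: str
    action: str  # "allow" or "deny"
    src_zones: Set[str] = field(default_factory=lambda: {ANY})
    dst_zones: Set[str] = field(default_factory=lambda: {ANY})
    apps: Set[str] = field(default_factory=lambda: {ANY})
    users: Set[str] = field(default_factory=lambda: {ANY})
    services: Set[str] = field(default_factory=lambda: {ANY})


class ZoneTable:
    """Interface -> zone mapping: a zone may hold many interfaces, but an
    interface belongs to exactly one zone."""

    def __init__(self) -> None:
        self._zone_of: Dict[str, str] = {}

    def assign(self, zone: str, interface: str) -> None:
        owner = self._zone_of.get(interface)
        if owner is not None and owner != zone:
            raise ValueError(f"{interface} already belongs to zone {owner}")
        self._zone_of[interface] = zone

    def zone_of(self, interface: str) -> str:
        if interface not in self._zone_of:
            # Every defined interface must be associated with a zone.
            raise ValueError(f"{interface} has no zone assigned")
        return self._zone_of[interface]


def _matches(criteria: Set[str], value: str) -> bool:
    return ANY in criteria or value in criteria


def evaluate(zones: ZoneTable, rules: List[Rule], s: Session) -> Tuple[str, str]:
    """Return (rule name, action). Rules reference zones, not interfaces, so
    the ingress/egress interfaces are resolved to zones first; the rule base
    is then walked top to bottom and the first full match wins. With no match
    the implicit defaults apply: intrazone allow, interzone deny."""
    src, dst = zones.zone_of(s.ingress_if), zones.zone_of(s.egress_if)
    values = (src, dst, s.app, s.user, s.service)
    for rule in rules:
        if all(_matches(getattr(rule, f), v) for f, v in zip(MATCH_FIELDS, values)):
            return rule.name, rule.action
    if src == dst:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def _covers(earlier: Set[str], later: Set[str]) -> bool:
    return ANY in earlier or (ANY not in later and later <= earlier)


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never match because an earlier rule already matches
    everything they would; a common finding when fine-tuning a rule base."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample deployment: three zones across four interfaces.
ZONES = ZoneTable()
ZONES.assign("untrust", "ethernet1/1")
ZONES.assign("trust", "ethernet1/2")
ZONES.assign("trust", "ethernet1/4")  # a zone may span several interfaces
ZONES.assign("dmz", "ethernet1/3")

# Constructed rule base; order matters because evaluation is top to bottom.
RULES = [
    Rule("allow-admin-ssh-to-dmz", "allow", {"trust"}, {"dmz"}, {"ssh"}, {"admins"}),
    Rule("deny-ssh-to-dmz", "deny", {"trust"}, {"dmz"}, {"ssh"}),
    Rule("allow-web-out", "allow", {"trust"}, {"untrust"},
         {"web-browsing", "ssl"}, {ANY}, {"tcp/80", "tcp/443"}),
    Rule("allow-inbound-web", "allow", {"untrust"}, {"dmz"}, {"web-browsing"}),
]

if __name__ == "__main__":
    for s in (
        Session("ethernet1/2", "ethernet1/1", "web-browsing", "alice", "tcp/80"),
        Session("ethernet1/2", "ethernet1/3", "ssh", "admins", "tcp/22"),
        Session("ethernet1/2", "ethernet1/3", "ssh", "bob", "tcp/22"),
        Session("ethernet1/2", "ethernet1/4", "smb", "bob", "tcp/445"),
        Session("ethernet1/1", "ethernet1/2", "ssh", "any", "tcp/22"),
    ):
        print(s.ingress_if, "->", s.egress_if, s.app, evaluate(ZONES, RULES, s))
    print("shadowed:", shadowed_rules(RULES))
```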
Traffic Processing Sequence
The traffic processing sequence within Palo Alto Networks firewalls follows
a systematic approach to secure network traffic. As traffic enters the firewall
through an ingress interface, it undergoes a series of evaluations. The
firewall checks security policies based on source and destination zones, IP
addresses, applications, and users to determine whether the traffic is
permitted or denied. If SSL decryption is enabled, encrypted traffic may be
decrypted for thorough inspection. The Intrusion Prevention System (IPS)
identifies and prevents known vulnerabilities and exploits, while URL
filtering and file blocking ensure control over web access and prevent the
transfer of malicious content. Traffic shaping and Quality of Service (QoS)
policies prioritize or limit specific traffic types, and post-routing decisions,
including Network Address Translation (NAT), may be applied. The firewall
logs relevant information, providing a comprehensive record for analysis and
reporting. This sequence is essential for configuring effective security
policies, troubleshooting issues, and maintaining a robust network defense
posture.
The visual representation below serves as a helpful tool to grasp the
processes involved in Palo Alto Networks firewall operations.
Comprehending this traffic flow is key to efficiently establishing an initial
configuration, fine-tuning rules post-installation, and effectively
troubleshooting existing rule sets.
Figure 2-07: Traffic Processing Sequence
The Palo Alto Networks NGFW (Next-Generation Firewall) is designed to
utilize an efficient system called next-generation processing. This approach
enables the evaluation of packets, identification of applications, policy
decisions, and content scanning to occur in a single, streamlined processing
pass. This architecture is known as Single Pass Parallel Processing (SP3).
Palo Alto Networks NGFWs incorporate the following next-generation
features:
App-ID
Content-ID
User-ID
Device-ID
Panorama Components
Panorama Overview
The PCNSE certification requires candidates to have knowledge of
Panorama firewall management functions. The subsequent sections delve
into these management concepts, although they are not an exhaustive coverage of all
Panorama features. Panorama offers various integration functions that
facilitate enterprise management for multiple firewalls.
The Panorama management server is the centralized hub for monitoring and
managing multiple Palo Alto Networks NGFWs, Prisma Access
deployments, WildFire appliances, and appliance clusters. This server
provides a focal point for overseeing all applications, users, and content
traversing the network. It leverages this knowledge to craft application enablement
policies that safeguard and govern the network. Panorama enhances
operational efficiency in managing and maintaining a distributed network of
firewalls by offering centralized policy and firewall management.
Panorama employs device groups and templates to organize firewalls into
logical groupings with similar configurations. These device groups and
templates centrally manage all configuration elements, policies, and objects
across the managed firewalls. Additionally, Panorama facilitates the
centralized management of licenses, software (e.g., PAN-OS software, SSL-
VPN client software, GlobalProtect agent software), and content updates
(e.g., application and threat updates, WildFire, and antivirus updates).
Panorama's management web interface maintains a consistent look and feel
with the firewall's management web interface. The firewall menus available
on the management web interface are mirrored in Panorama's management
web interface.
Specifically, you can use the Network and Device tabs under "Templates"
and the Policies and Objects tabs under "Device Groups" in Panorama to
deploy a common base configuration for multiple firewalls with similar
settings. This is achieved by combining a device group for managing shared
policies and objects with a template stack (or multiple templates) for
managing shared device and network settings.
PAN-OS Subscriptions and Their Enabled Features
Palo Alto Networks ML-powered NGFWs come equipped with a
comprehensive array of security subscriptions that are seamlessly integrated
to deliver automated and ML-driven security. These subscriptions
encompass the following:
Threat Prevention
Advanced URL Filtering
WildFire (Figure 2-08)
DNS Security (Figure 2-09)
SD-WAN
IoT Security
AutoFocus (Figure 2-10)
Figure 2-08: WildFire
Figure 2-09: DNS Security
Figure 2-10: AutoFocus
Plugin Components
Panorama plugins are available for both physical and virtual Panorama
devices. The selection of plugins for Panorama depends on specific
requirements, and these plugins need to be manually installed to expand
Panorama's native capabilities; this includes management of a Prisma
Access deployment. The VM-Series plugin for Panorama is preinstalled and
specifically designed for managing VM-Series firewalls.
Heatmap and BPA Reports
Comparison of Heatmap and BPA Reports
The free Best Practice Assessment (BPA) tool, designed for Palo Alto
Networks firewalls and Panorama, assesses a device's configuration by
evaluating the adoption rate of a firewall's capabilities and verifying the
adherence of policies to best practices. The BPA tool provides
recommendations and guidance for addressing failed best practice checks.
The ultimate aim of running the BPA tool is to reduce the attack surface,
making it advisable to schedule regular assessments (e.g., quarterly) for
continuous improvement.
The BPA tool comprises two key components: the Security Policy Adoption
Heatmap and the BPA assessment. The Heatmap scrutinizes a Palo Alto
Networks deployment by gauging the adoption rate of features and
capabilities across the targeted network infrastructure. The Heatmap can be
customized to filter information based on device groups, serial numbers,
zones, architectural areas, and other categories. The results chart the
progress in enhancing security towards achieving a zero-trust network.
The BPA assessment, on the other hand, evaluates a firewall or Panorama
configuration against best practices and provides recommendations for
fortifying the organization's security posture through full adoption of Palo
Alto Networks prevention capabilities. Over 200 security checks are
performed on the configuration, each resulting in a pass or fail score. In case
of a failing score, the tool offers justifications for the failure along with
remediation recommendations.
Both components necessitate uploading a tech support file from either
Panorama or a firewall to the Palo Alto Networks Customer Support Portal.
Following the tech support file import, it is crucial to complete the
architecture mapping, which aligns existing zone names with predefined
architecture classifications. Architecture classifications include Enterprise –
Perimeter – Internet, Internal – Core – Users, and Mobility – Remote
Users/VPN.
Heatmap Measurements
The Heatmap assesses the adoption rate of Palo Alto Networks features,
presenting the results based on the source zone to destination zone. Column
filters let users focus on specific device groups, source, and destination
zones. The Heatmap measures the adoption rate of various Palo Alto
Networks firewall features, including:
WildFire
Threat Prevention
Anti-Spyware
DNS Sinkhole
Antivirus
Vulnerability Protection
URL Filtering
File Blocking
Data Filtering
User-ID
App-ID
Service/Port
Logging
Artificial Intelligence Operations (AIOps) / Telemetry
AIOps, short for "artificial intelligence for IT operations," refers to
platforms that apply machine learning (ML) and analytics to automate IT
operations. AIOps draws on the large volume of data that operational systems
produce and uses it to detect and respond to issues quickly. As it processes
more data, the insights it generates automatically improve, so its responses
are refined over time.
The process commences with data extraction, where tools collect data from
different systems and organize it efficiently, setting the stage for the
subsequent steps. Following data aggregation, an in-depth analysis of the
compiled data takes place. ML algorithms come into play, identifying
patterns, relationships, root problems, and focal points within the system.
AIOps then applies its "critical thinking skills" to respond to these findings.
It involves automating the optimization of IT operations while using the
detected patterns to learn and proactively address potential pain points.
AIOps is complemented by the capability to provide comprehensive
analytical reports, facilitating data-driven decision-making.
Enabling Telemetry on a firewall allows it to collect and transmit traffic-
related information to Palo Alto Networks. This data details applications,
threats, device health, and passive DNS information. The entire Palo Alto
Networks community benefits from this data by improving threat detection
accuracy and adopting a community-driven approach to threat prevention.
Importantly, all data shared remains anonymous and is not disclosed to
external or third-party organizations.
EXAM TIP: Telemetry is the collection and transmission of data
from a device to a central server. In the context of Palo Alto Networks
firewalls, Telemetry allows the firewall to collect and transmit traffic-
related information to Palo Alto Networks. This data is used to improve
threat detection accuracy and develop new security features.
IPv6
The firewall's Neighbor Discovery (ND) implementation can provision IPv6
hosts with the Recursive DNS Server (RDNSS) and DNS Search List (DNSSL)
options defined in RFC 6106, IPv6 Router Advertisement Options for DNS
Configuration (since obsoleted by RFC 8106, which keeps the same option
formats). This removes the need for a separate DHCPv6 server to provision
hosts behind the firewall's Layer 3 interfaces: the firewall sends IPv6
Router Advertisements (RAs) carrying these options, which is enough for a
host to reach internet services. IPv6 hosts are thus provided with:
Addresses of recursive DNS servers that resolve DNS queries on the host's
behalf
A list of domain suffixes for the DNS client to append to unqualified names
before sending DNS queries
RA-based DNS configuration is supported across PAN-OS platforms for Ethernet
interfaces, subinterfaces, Aggregate Ethernet interfaces, and Layer 3 VLAN
interfaces.
After you configure RDNS server addresses on an interface, the firewall
advertises them to IPv6 hosts, which use them to reach a recursive resolver.
"Recursive" here means the server resolves the query on the client's behalf
by issuing the necessary series of DNS requests itself, rather than referring
the client to other servers.
An IPv6 Router Advertisement can include multiple DNS Recursive Server
Address options, each with the same or different lifetimes. A single DNS
Recursive Server Address option can hold multiple Recursive DNS server
addresses, provided they share the same lifetime.
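The option layout described above is easy to verify by building and parsing it. The following is an added example, not code from this guide or from PAN-OS: it encodes RDNSS (type 25) and DNSSL (type 31) options exactly as RFC 6106/8106 specify, then walks an RA options field back to structured values, rejecting the two malformed cases a host must reject (zero option length, and an RDNSS body that is not a whole number of 16-octet addresses). The addresses and domain names are documentation values chosen for illustration.

```python
import ipaddress
import struct

ND_OPT_RDNSS = 25  # Recursive DNS Server option (RFC 6106 / RFC 8106 section 5.1)
ND_OPT_DNSSL = 31  # DNS Search List option (section 5.2)


def _encode_dns_name(name):
    """Encode 'corp.example' as DNS wire-format labels ending in a zero octet."""
    out = bytearray()
    for label in name.strip(".").split("."):
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def _decode_dns_names(data):
    """Decode consecutive wire-format names; trailing zero padding yields no name."""
    names, i = [], 0
    while i < len(data):
        labels = []
        while i < len(data) and data[i] != 0:
            n = data[i]
            labels.append(data[i + 1:i + 1 + n].decode("ascii"))
            i += 1 + n
        i += 1  # consume the terminating zero (or one pad octet)
        if labels:
            names.append(".".join(labels))
    return names


def build_rdnss(addresses, lifetime):
    """Build one RDNSS option; every address in it shares the same lifetime (seconds)."""
    body = struct.pack("!HI", 0, lifetime)  # reserved, lifetime
    body += b"".join(ipaddress.IPv6Address(a).packed for a in addresses)
    return struct.pack("!BB", ND_OPT_RDNSS, (2 + len(body)) // 8) + body


def build_dnssl(names, lifetime):
    """Build one DNSSL option, zero-padded to a multiple of 8 octets."""
    body = struct.pack("!HI", 0, lifetime) + b"".join(_encode_dns_name(n) for n in names)
    body += b"\x00" * (-(2 + len(body)) % 8)
    return struct.pack("!BB", ND_OPT_DNSSL, (2 + len(body)) // 8) + body


def parse_ra_options(data):
    """Walk the options field of a Router Advertisement and decode the DNS options."""
    options, i = [], 0
    while i < len(data):
        if len(data) - i < 8:
            raise ValueError("truncated option header")
        otype, olen = data[i], data[i + 1]
        if olen == 0:
            # RFC 4861: a zero length is invalid and the whole RA must be discarded.
            raise ValueError("option length 0 is invalid")
        end = i + olen * 8
        if end > len(data):
            raise ValueError("option runs past end of packet")
        body = data[i + 2:end]
        if otype == ND_OPT_RDNSS:
            lifetime = struct.unpack("!I", body[2:6])[0]
            raw = body[6:]
            if not raw or len(raw) % 16:
                raise ValueError("RDNSS must carry one or more 16-octet addresses")
            options.append({"type": "RDNSS", "lifetime": lifetime,
                            "addresses": [str(ipaddress.IPv6Address(raw[k:k + 16]))
                                          for k in range(0, len(raw), 16)]})
        elif otype == ND_OPT_DNSSL:
            lifetime = struct.unpack("!I", body[2:6])[0]
            options.append({"type": "DNSSL", "lifetime": lifetime,
                            "names": _decode_dns_names(body[6:])})
        else:
            options.append({"type": otype, "raw": body})
        i = end
    return options


def example_ra_options():
    """Options a firewall might advertise: two RDNSS options with different
    lifetimes (permitted, since each option carries its own) and one search
    list. Addresses come from the RFC 3849 documentation prefix."""
    return (build_rdnss(["2001:db8::53", "2001:db8::54"], 1800)
            + build_rdnss(["2001:db8:1::53"], 600)
            + build_dnssl(["corp.example", "example.com"], 1800))
```

A lifetime of 0 tells hosts to stop using the listed servers or suffixes immediately. Hosts accept these options from any router on the link, so rogue-RA protection on the access layer (RA Guard) matters as much as what the firewall advertises.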
Internet of Things (IoT)
The IoT Security solution collaborates with Next-Generation Firewalls to
dynamically identify and maintain a real-time inventory of IoT devices on
your network. Leveraging AI and ML algorithms, this solution achieves high
accuracy, even when classifying IoT device types encountered for the first
time. IoT Security also automatically generates policy recommendations to
control IoT device traffic and creates IoT device attributes for firewall
policies.
Identify and Choose the Appropriate Interface or Zone Types
You can configure all of these interfaces within the Network > Interfaces
section.
Interface Types
Layer 2
A Layer 2 interface serves as a bridge between two or more networks,
connecting devices within a Layer 2 segment. The firewall is responsible for
forwarding frames to the connected port.
Layer 3
To utilize a Layer 3 interface, you must configure a virtual router. This
interface type is the most commonly used and supports IPv4 and IPv6. The
configuration entails specifying an IP address, associating the interface with
a specific zone, and linking it to a virtual router.
Several options are available for configuring a Layer 3 interface, including
settings for NetFlow, Maximum Segment Size (MSS) adjustment, Maximum
Transmission Unit (MTU) adjustment, binding of firewall services, neighbor
discovery for IPv6, manual MAC address assignment, LLDP, dynamic DNS
support, and link negotiation settings.
Virtual Wire
The Virtual Wire interface binds two firewall ports together in a transparent
firewall deployment. It simplifies the integration of a firewall into a network
topology, eliminating the need for the firewall to handle switching or routing
tasks.
This deployment method supports traffic control based on VLAN tags,
security policy rules, and other firewall features. The Virtual Wire interface
can be connected to a Layer 2 or Layer 3 device or host. However, it should
not be used if switching, VPN tunnels, or routing capabilities are required.
Also, do not use an Interface Management Profile with a Virtual Wire
interface.
Tap
The Tap interface offers a passive monitoring solution if you need a method
to access and monitor data flowing across a network. It allows for observing
traffic from a switch port analyzer or mirror port without any enforcement
capabilities.
Subinterfaces
A virtual interface, created as an extension of a parent interface, can be
assigned to separate security zones. Subinterfaces can be configured as
either Layer 2 or 3, particularly useful in scenarios where multiple VLANs
are carried over a single physical interface.
Tunnel
In VPN tunnel setups, a unique logical tunnel interface is employed. This
interface must be associated with a security zone to apply policies and be
assigned to a virtual router. If the Tunnel interface is assigned to a different
zone than the physical interface, security policies must be configured to
allow traffic between the VPN and trust zones. A Tunnel interface does not
necessarily require an IP address unless tunnel monitoring or dynamic
routing functions are necessary.
Aggregate
An Aggregate Ethernet (AE) group uses IEEE 802.1AX link aggregation to
combine multiple Ethernet interfaces into one logical interface. This
increases bandwidth by load balancing traffic across the members and adds
redundancy if a member link fails. Member interfaces must be of the same
interface type (Layer 2, Layer 3, virtual wire, or HA) and the same link
speed; each member is added to the group by setting its interface type to
Aggregate Ethernet and selecting the group.
Loopback
A Loopback interface is a logical Layer 3 interface that is always up and is
not tied to a physical port. It provides a stable address for services hosted
on the firewall itself: the destination for DNS sinkholes, GlobalProtect
portal and gateway interfaces, VPN tunnel endpoints, a router ID for dynamic
routing, and similar networking tasks.
Decrypt
For decryption purposes, a Decrypt mirror interface is configured to route
decrypted traffic copies to an external interface, primarily for data loss
prevention. This interface is employed in conjunction with the Decryption
Port Mirror feature.
VLAN
A VLAN interface can incorporate one or more Layer 2 Ethernet ports and
facilitate routing within a Layer 3 network.
Identify Decryption Deployment Strategies
Palo Alto Networks firewalls can decrypt and inspect traffic to give you
more visibility, control, and granular security. This means the firewall can
enforce security policies on encrypted traffic, which it could not do
otherwise. You can use decryption to prevent malicious content from
entering your network or to stop sensitive content from leaving your network
hidden in encrypted traffic.
Packet Visibility
Encryption is becoming increasingly common for all network applications. It
prevents the Palo Alto Networks firewall from seeing what's inside packets,
which makes Content-ID impossible. Because of this, malware could slip by
the firewall undetected and attack an endpoint after being decrypted.
Decryption policies give the firewall more visibility into packet content to
inspect it.
Decryption
To enable decryption on a Palo Alto Networks firewall, prepare the keys and
certificates needed for decryption, create a decryption policy, and, only if
an external tool needs copies of the decrypted sessions, configure decryption
port mirroring. SSL/TLS and SSH protect data in transit, but the same
encryption also conceals unwanted activity or malicious content from the
firewall.
EXAM TIP: Decryption improves security by letting you inspect and
control encrypted traffic, but it also introduces new risks, such as
compromise of the firewall's private keys (the forward trust CA key above
all, which is why storing it in an HSM is recommended). Decryption consumes
firewall resources, and industry regulations or compliance standards
constrain it: some require inspection of traffic, others prohibit decrypting
categories such as financial or health data, which are then excluded by
policy.
Special Decryption Implementations
Palo Alto Networks firewalls can also act as a Decryption Broker. They can
decrypt traffic and pass it to external security services for further inspection.
These external services can then return the traffic to the firewall, which will
re-encrypt and send it to its original destination.
With the Decryption Mirroring feature, the firewall forwards a copy of
decrypted traffic out a dedicated interface, typically to an external Data
Loss Prevention (DLP) or forensics tool. It is available on mid-range and
high-end hardware firewalls and requires a free Decryption Port Mirror
license, activated through the Customer Support Portal.
Keys and Certificates
Palo Alto Networks firewalls decrypt encrypted traffic by using keys to
convert ciphertext (encrypted text) to plaintext (readable text) and vice
versa. Certificates are used to authenticate the firewall as a trusted third
party and to create a secure connection. SSL decryption requires certificates
to establish trust between two devices and secure the SSL/TLS connection.
Certificates can also be used to exclude servers from SSL decryption. You
can integrate a hardware security module (HSM) with a firewall to enhance
the security of the private keys used in SSL Forward Proxy and SSL inbound
inspection decryption.
Palo Alto Networks firewall decryption is a policy-based feature that can
decrypt, inspect, and control both inbound and outbound SSL and SSH
connections. Decryption policies allow you to specify which traffic should
be decrypted based on the destination, source, or URL category. You can
then block or restrict the specified traffic based on your security settings.
The firewall uses certificates and keys to decrypt the traffic specified by the
policy to plaintext. It then enforces App-ID and security settings on the
plaintext traffic, including Decryption, Antivirus, Vulnerability, Anti-
Spyware, URL Filtering, and File-Blocking Profiles. After the traffic is
decrypted and inspected, the firewall re-encrypts the plaintext traffic before
it exits the firewall to ensure privacy and security.
Decryption Policies
Palo Alto Networks firewalls use decryption policies to control which
inbound and outbound sessions are decrypted. When the firewall sees an
encrypted session, it evaluates the decryption policy rules in order for a
match. On a match it applies the rule's action: decrypt the session (SSL
Forward Proxy, SSL Inbound Inspection, or SSH Proxy) or leave it encrypted
(no-decrypt). Once decrypted, the session is processed like any cleartext
traffic: App-ID, security policy, and security profiles all apply.
SSL Forward Proxy
Outbound SSL/TLS decryption is implemented with SSL Forward Proxy, where the
firewall acts as an intermediary between client and server, a position often
described as a "man in the middle." The firewall establishes its own TLS
session to the server and presents the client a substitute certificate that
copies the server certificate's subject and alternative names but is signed
by the firewall's own CA: the Forward Trust CA if the server certificate
validated, or the Forward Untrust CA if it did not. Clients trust the Forward
Trust CA only because you distributed its certificate to them; the Forward
Untrust CA is deliberately not distributed, so browsers warn on sessions it
signs.
Some applications pin the server certificate: they inspect the certificate
the client receives for characteristics of the original (a specific public
key or issuer, for example) and, when those are absent, conclude that an
intermediary is intercepting the connection and refuse to work or degrade
functionality, treating the interception as a security risk. Such
applications are not fully functional in a decryption environment and must
be exempted from decryption policies.
Recognizing this, Palo Alto Networks maintains an SSL Decryption Exclusion
list of known pinned applications and sites, which is updated through
content updates and managed by Palo Alto Networks, and lets you add local
exclusions for your own requirements.
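The exclusion decision is made from the hostname the client asks for, which a firewall can read from the Server Name Indication (SNI) extension of the ClientHello before any decryption happens. The script below is an added example, not code from this guide or from PAN-OS: it builds a minimal ClientHello with an SNI extension (constructed test input, not a capture), extracts the SNI back out, and matches it against an exclusion list. The wildcard semantics (`*.example-bank.com` covers any subdomain depth, never the bare apex) and the handling of a missing SNI are assumptions made for this example and only model the firewall's behaviour; the hostnames are invented.

```python
import os
import struct

EXT_SERVER_NAME = 0x0000  # TLS extension type for SNI (RFC 6066)


def build_client_hello(hostname, cipher_suites=(0x1301, 0x1302, 0xC02F)):
    """Construct a minimal ClientHello record carrying an SNI extension
    (constructed test input, not a capture from a real client)."""
    name = hostname.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(name)) + name          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + os.urandom(32)                          # client_version, random
            + b"\x00"                                             # empty session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from a ClientHello record, or None if it has none."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    i = 2 + 32                                                    # client_version + random
    i += 1 + body[i]                                              # session_id
    i += 2 + struct.unpack("!H", body[i:i + 2])[0]                # cipher_suites
    i += 1 + body[i]                                              # compression_methods
    if i + 2 > len(body):
        return None                                               # no extensions at all
    ext_end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
    i += 2
    while i + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[i:i + 4])
        edata = body[i + 4:i + 4 + elen]
        if etype == EXT_SERVER_NAME:
            j = 2                                                 # skip server_name_list length
            while j + 3 <= len(edata):
                ntype = edata[j]
                nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                if ntype == 0:
                    return edata[j + 3:j + 3 + nlen].decode("ascii")
                j += 3 + nlen
        i += 4 + elen
    return None


def match_exclusion(hostname, patterns):
    """Match a hostname against exclusion entries. Assumption for this example:
    '*.example.com' covers any depth of subdomain but not the bare apex, and
    matching is case-insensitive; this models, not reproduces, PAN-OS."""
    host = hostname.lower().rstrip(".")
    for pattern in patterns:
        p = pattern.lower()
        if p.startswith("*.") and host.endswith(p[1:]):
            return pattern
        if host == p:
            return pattern
    return None


def decryption_decision(record, exclusions):
    """Decide from the ClientHello alone whether this session would be bypassed."""
    sni = extract_sni(record)
    if sni is None:
        # Assumption for this example: without SNI we only report the gap; the
        # firewall itself can fall back to the server certificate's subject.
        return ("no-sni", None)
    hit = match_exclusion(sni, exclusions)
    return ("bypass", hit) if hit else ("decrypt", sni)
```

SNI is sent in cleartext even in TLS 1.3 (unless Encrypted Client Hello is in use), which is why the bypass can be decided before the firewall commits to intercepting the session.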
EXAM TIP: SSL Forward Proxy is a decryption deployment
strategy where the firewall acts as an intermediary between the client and
the server and decrypts outbound SSL traffic. This allows the firewall to
inspect the traffic before it exits the network.
App-ID and Encryption
Encrypted traffic limits the App-ID engine because the payload it would
inspect is hidden, so such sessions are usually identified simply as "ssl."
In some cases, however, App-ID can use attributes available in the clear,
such as the server certificate's subject name or the SNI in the client hello,
to assign a more specific App-ID without decrypting the content.
Mind Map
Figure 2-11: Mind Map
Practice Questions
1. Which firewall feature does not require a Decryption policy?
A. Antivirus
B. App-ID
C. File blocking
D. Network Address Translation
2. How can the NGFW warn users when a web server's certificate is
from an unknown certificate authority?
A. Warns the user about the untrusted certificate and allows them to
proceed.
B. Does not warn the user and sends the untrusted certificate to the
browser.
C. Stores two certificates in the firewall to distinguish between trusted
and untrusted websites.
D. Uses two certificate authority certificates to generate certificates for
trusted and untrusted websites.
3. Which two firewall features can directly fulfill the requirement of
logging all decrypted traffic for a company that decrypts user browsing
traffic?
A. Decryption Broker
B. Policy-Based Forwarding
C. Default Router setting of Forward Cleartext
D. Interface setting of Decryption Port Mirroring
E. Decryption, policy rule action, set to Forward Cleartext
4. Which component(s) of the integrated Palo Alto Networks security
solution can restrict access to a corporate z/OS (MVS) mainframe?
A. Threat Intelligence Cloud
B. Advanced Endpoint Protection
C. Next-Generation Firewall
D. Advanced Endpoint Protection and Next-Generation Firewall
5. Which interface type is employed in VPN tunnel setups?
A. Layer 2
B. Layer 3
C. Subinterface
D. Tunnel
6. Which Palo Alto Networks product is primarily designed to
normalize threat intelligence feeds and potentially facilitate automated
responses?
A. MineMeld
B. WildFire
C. AutoFocus
D. Threat Prevention
7. Which interface type serves as a bridge between two or more
networks, connecting devices within a Layer 2 segment?
A. Tap
B. Layer 3
C. Virtual Wire
D. Layer 2
8. Which two products can send logging data to the Palo Alto Networks
Logging Service?
A. Traps
B. Next-Generation Firewalls
C. Aperture
D. MineMeld
E. AutoFocus
9. Which interface type is the most commonly used and supports IPv4
and IPv6?
A. Layer 2
B. Layer 3
C. Virtual Wire
D. Tap
10. Which Palo Alto Networks product is primarily focused on
protecting endpoints from successful cyberattacks?
A. Global Protect
B. Magnifier
C. Traps
D. Evident
11. What are the two main types of SSL decryption?
A. SSL Forward Proxy and SSL Inbound Inspection
B. Keys and Certificates
C. App-ID and Encryption
D. Decryption Broker and Decryption Mirroring
12. Which Palo Alto Networks product is primarily designed to provide
comprehensive context and deeper insights into attacks?
A. MineMeld
B. WildFire
C. AutoFocus
D. Threat Prevention
13. What is the purpose of decryption on a Palo Alto Networks
firewall?
A. To provide more visibility into packet content
B. To enforce security policies on encrypted traffic
C. To prevent malicious content from entering your network
D. All of the above
14. Which Palo Alto Networks product is designed to thwart endpoint
threats?
A. Next-Generation Firewalls
B. Traps advanced endpoint protection
C. VM-Series firewalls
D. Evident
15. What is the purpose of a Decryption Broker?
A. To decrypt traffic and then pass it to external security services for
further inspection.
B. To automatically send a copy of decrypted traffic to a specified
interface.
C. Establish trust between two devices and secure the SSL/TLS
connection.
D. To prevent malicious content from entering your network.
Chapter 03: User Identification and Authentication
Introduction
User identification and authentication are essential components of any
network security strategy. Organizations can ensure that only authorized
individuals can access their networks and resources by identifying and
authenticating users.
This chapter will cover the following topics:
Enforce User-ID: the methods available to build user-to-IP mappings, the
choice between the agentless (PAN-OS integrated) and Windows-based User-ID
agents, User-ID redistribution, and group mapping
Authentication policy, including Multi-Factor Authentication and its
dependencies, and Captive Portal compared with GlobalProtect
The difference between management plane and data plane functions
Enforce User-ID
User-ID lets you identify every user on your network, whatever their
location, access method, or operating system, including Microsoft Windows,
Apple iOS, macOS, Android, and Linux/UNIX.
Methods of building user-to-IP mappings
User-ID and Mapping Users
The User-ID feature in Palo Alto Networks NGFWs lets you write policy rules
and generate reports based on users and groups rather than individual IP
addresses. It integrates with enterprise directory and terminal services so
that application activity and policy can be tied to users and groups. When
User-ID is enabled, usernames appear in the ACC, App Scope, reports, and logs
alongside the user's IP address.
For user- or group-based policy the firewall needs the list of available
users and their group memberships, which you then select when defining
rules. The firewall obtains group mapping by connecting directly to an LDAP
directory server (Active Directory, for example); LDAP is the only directory
protocol supported for group mapping.
Before the firewall can enforce user- and group-based policy it must map the
source IP address of each packet to a username. User-ID offers several
methods to collect this mapping. A User-ID agent process runs either on the
firewall itself (the agentless, PAN-OS integrated agent) or as a separate
service installed on a Microsoft Windows Server host. The agent monitors
authentication events from a range of network sources and compiles them into
a master table mapping IP addresses to users. For IP addresses the agent
cannot map, you can configure the firewall to redirect HTTP requests to a
Captive Portal login to obtain the mapping. You can combine several mapping
mechanisms to suit your environment, even using different mechanisms at
different sites.
Mapping IP Addresses to Usernames
Users' IP addresses are frequently changing due to their use of multiple
devices and the mobility offered by laptops. Continuously capturing this
information poses a challenge. The firewall must have the capability to
monitor multiple sources simultaneously. Additionally, the firewall offers
various methods to gather user information. It can utilize server monitoring
to monitor the Security logs of Windows servers for successful
authentication events. Syslog monitoring is another option for tracking login
events and can be used with LDAP and Linux, among other systems. The
diverse methods for mapping users include:
Server Monitoring
A User-ID agent that is either Windows-based and installed on a domain
server within your network, or an integrated PAN-OS User-ID agent that is
installed on the firewall, can be used to monitor login events in the security
event logs of specific Microsoft Exchange Servers, Domain Controllers, or
Novell eDirectory servers. For instance, you can set up the User-ID agent in
an AD environment to keep an eye on the security logs for connections to
file and print services, Exchange server access (if enabled), and Kerberos
ticket grants or renewals. This requires that the AD domain be set up to log
successful account login events in order for these events to appear in the
security log. Furthermore, you need to set up server monitoring for every
server in the domain to record every user login event because users can
access any server inside the domain.
Port Mapping
Palo Alto Networks Terminal Services (TS) agents can be installed on Windows
or Citrix terminal servers, where many users share one IP address. The TS
agent allocates a distinct source-port range to each user session and
reports these ranges to the firewall, which maps each connection to a user
by its source port rather than its IP address. The TS agent is not supported
on Linux terminal servers; there, use the XML API to send user mapping
information for login and logout events to User-ID.
Syslog
The Windows-based User-ID agent and the PAN-OS integrated User-ID
agent employ Syslog Parse Profiles. These profiles interpret login and logout
event messages sent to syslog servers from devices responsible for user
authentication, including wireless controllers, 802.1x devices, Apple Open
Directory servers, proxy servers, and other network access control devices.
Figure 3-01: User-ID Integration with Syslog
XFF Headers
In cases where a proxy server sits between users and the firewall, the
firewall might see the proxy server's source IP address rather than the host's
source IP address that initiated the traffic. Most proxy servers support the
inclusion of the source IP address within an XFF header. Utilizing this
original client source IP address enables the firewall to accurately map the IP
address to a username.
Authentication Policy and Captive Portal
When none of the methods above can map an IP address to a username, an
Authentication policy together with Captive Portal can be used. Web traffic
(HTTP or HTTPS) matching an Authentication policy rule forces the user to
authenticate through one of three Captive Portal methods:
Browser challenge, which uses Kerberos or NT LAN Manager (NTLM) and can
authenticate the user transparently if the browser supports it
Web form, which can use multi-factor authentication (MFA), Security
Assertion Markup Language (SAML) single sign-on (SSO), Kerberos, TACACS+,
Remote Authentication Dial-In User Service (RADIUS), LDAP, or local
authentication
Client certificate authentication, in which the browser presents a client
certificate issued by a CA the firewall trusts and the firewall validates it
against a certificate profile; the user is identified from the certificate
without entering a password
GlobalProtect
GlobalProtect is the recommended method for mobile users to establish VPN
access to the firewall, and it is also the preferred User-ID source for those
users: the credentials they enter in the GlobalProtect app on the endpoint
are used to map the endpoint's IP address to the username.
XML API
In cases where standard user mapping methods may not be suitable, the
PAN-OS XML API can be employed. It is particularly useful for scenarios
involving third-party VPNs or 802.1x-enabled wireless networks.
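The Syslog and XML API methods above fit together naturally: a parse profile turns vendor log lines into (user, IP) pairs, and the XML API's `uid-message` document carries those pairs to the firewall. The script below is an added example, not code from this guide or from Palo Alto Networks. The syslog lines are constructed for a hypothetical wireless controller (real vendor formats differ, which is exactly why the parse profile is configurable), the three regexes play the role of a Syslog Parse Profile's event, username and address regexes, and the generated XML follows the documented `uid-message` format; sending it (a POST to `/api/` with `type=user-id`, the API key and the XML in `cmd`) is left as a comment so the example runs offline.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample syslog lines from a hypothetical wireless controller.
SAMPLE_SYSLOG = [
    "<14>Mar 12 08:01:15 wlc01 auth: User logged in user=corp\\alice src_ip=10.20.30.41 ap=ap-lobby",
    "<14>Mar 12 08:02:40 wlc01 auth: User logged in user=corp\\bob src_ip=10.20.30.42 ap=ap-floor2",
    "<14>Mar 12 08:05:02 wlc01 dhcp: lease renewed src_ip=10.20.30.41",
    "<14>Mar 12 09:10:00 wlc01 auth: User logged out user=corp\\alice src_ip=10.20.30.41",
]

# These mirror a Syslog Parse Profile: the event regex selects matching lines,
# then the username and address regexes pull the two fields out of them.
LOGIN_PROFILE = {
    "event": re.compile(r"User logged in"),
    "user": re.compile(r"user=(?P<user>\S+)"),
    "ip": re.compile(r"src_ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"),
}
LOGOUT_PROFILE = dict(LOGIN_PROFILE, event=re.compile(r"User logged out"))


def parse_events(lines, profile):
    """Return [(user, ip)] for lines that match the profile's event regex."""
    events = []
    for line in lines:
        if not profile["event"].search(line):
            continue
        u = profile["user"].search(line)
        a = profile["ip"].search(line)
        if not (u and a):
            continue  # incomplete event: never emit a half-populated mapping
        events.append((u.group("user"), a.group("ip")))
    return events


def build_uid_message(logins, logouts=(), timeout_minutes=60):
    """Build the <uid-message> payload accepted by the PAN-OS User-ID XML API.
    timeout is in minutes; a login entry without it uses the firewall's default."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def mappings_from_syslog(lines):
    """Parse both event types and return the XML ready to POST to the firewall.
    Delivery (not performed here):
      POST https://<firewall>/api/  with form fields
      type=user-id, key=<api-key>, cmd=<the XML returned below>
    The key should belong to a role-based admin limited to the User-ID API."""
    return build_uid_message(parse_events(lines, LOGIN_PROFILE),
                             parse_events(lines, LOGOUT_PROFILE))


if __name__ == "__main__":
    print(mappings_from_syslog(SAMPLE_SYSLOG))
```

The logout line matters as much as the logins: without it, alice's mapping for 10.20.30.41 would persist until the timeout expires, and whoever next receives that DHCP lease would inherit her policy.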
Client probing
Client probing is another method used in Microsoft Windows environments,
where the User-ID agent probes client systems using Windows Management
Instrumentation or NetBIOS. It is important to note that client probing is not
the recommended approach for user mapping.
EXAM TIP: Palo Alto Networks strongly advises against using
client probing to acquire User information within a high-security network.
EXAM TIP: While not the recommended method for user
mapping, if you intend to enable client probing, Palo Alto Networks
strongly suggests prioritizing WMI probing over NetBIOS probing.
The User-ID agent's primary functionality is illustrated in Figure 3-02.
Figure 3-02: User-ID
PAN-OS software can concurrently utilize several information sources to
maintain a precise and current table that maps IP addresses to users for
active sessions.
EXAM TIP: User-ID is ineffective in scenarios where the firewall
needs to map IP addresses to usernames, but the source IP addresses of
users undergo NAT translation beforehand.
Whether to use a User-ID Agent or Agentless Depends on your needs
Use Agentless (PAN-OS)
Agentless (PAN-OS) is suitable for small-to-medium deployments with few
users and 10 or fewer domain controllers or exchange servers. It is also a
good choice to share PAN-OS-sourced mappings from Microsoft Active
Directory (AD), Captive Portal, or GlobalProtect with up to 255 devices.
Use User-ID Agent (Windows)
User-ID Agent (Windows) is recommended for medium-to-large
deployments with many users or more than 10 domain controllers. It is also
the preferred option for multi-domain setups with many servers to monitor.
Compare and contrast User-ID agents.
Identifying the User-ID Agent to Deploy
User-ID offers two agents for monitoring servers and gathering User-ID
information: an integrated agent built into the PAN-OS firewall and a
Windows-based client. Both agents share the same functionality, but certain
factors can help decide which one to utilize.
A single agent of either type can monitor at most 100 servers, of which at
most 50 can be syslog senders; organizations with more domain controllers
than that need several Windows agents, with the servers spread across them.
Another reason for choosing the Windows agent over the integrated PAN-OS
agent is to conserve processing resources on the firewall's management
plane.
On the other hand, if network bandwidth is a concern, the PAN-OS
integrated agent could be preferred. The integrated agent directly
communicates with the servers, whereas the Windows agent communicates
with the servers and then relays User-ID information to the firewall for
updating the firewall's database.
Methods of User-ID Redistribution
In any firewall enforcing user-based policies, having user mapping
information is crucial. In extensive networks, rather than configuring all
firewalls to query mapping information sources directly, you can optimize
resource usage by setting up certain firewalls to collect mapping data
through redistribution. Redistribution also enables these firewalls to enforce
user-based policies for users who authenticate through local sources (like
regional directory services) but require access to remote services and
applications (such as global data center applications). The Data
Redistribution feature allows a firewall to serve as a source of IP user
mappings, among other data types, for any device configured to
communicate with the agent service of that source firewall or through
Panorama.
If you configure an Authentication policy, your firewalls must also
redistribute authentication timestamps generated when users authenticate to
access applications and services. These timestamps are used to determine the
timeouts for Authentication policy rules. Timeouts allow a successfully
authenticated user to request services and applications without
reauthentication within specified timeout periods. Redistributing timestamps
ensures consistent timeout enforcement across all firewalls in your network.
It's worth noting that firewalls share user mappings and authentication
timestamps as part of the same redistribution process, eliminating the need
for separate redistribution configurations for each type of information.
EXAM TIP: You can share user mapping information obtained
through any method except for Terminal Server (TS) agents. However, it is
important to note that you cannot distribute Group Mapping or Host
Information Profile (HIP) match information. If you are utilizing Panorama
to oversee firewall management and consolidate firewall logs, you can
employ Panorama to manage User-ID redistribution. It is a more
straightforward approach compared to establishing additional connections
between firewalls to redistribute User-ID information.
User-ID Table Sharing
You can enable a firewall or virtual system to act as a data distribution agent,
allowing it to distribute user mapping information and authentication
timestamp data. It is done by configuring the Data Redistribution settings,
which create an agent capable of communicating with various firewalls or
devices for sharing local information.
User-ID Table Consumption
User-ID agents actively monitor sources such as directory servers to
establish IP-to-username mappings. These agents then transmit the collected
user mappings to firewalls, Log Collectors, or Panorama destinations. Each
appliance can function as a redistribution point, forwarding the user
mappings to other firewalls, Log Collectors, or Panorama instances. Before a
firewall or Panorama can effectively collect user mappings, it is essential to
configure their connections to the User-ID agents or redistribution points.
Use Case Example
Figure 3-03: Example
Methods of Group Mapping
Here are some recommended practices for group mapping in an Active
Directory (AD) environment:
Single Domain Environment: If your network has a single domain, you
only need one group mapping configuration. This configuration should
include an LDAP server profile that establishes a connection between the
firewall and the domain controller with the best connectivity. You can
include up to four domain controllers within the LDAP server profile to
enhance redundancy. However, adding multiple group mapping
configurations cannot increase redundancy beyond four domain
controllers for a single domain.
Multiple Domains or Forests: In the case of multiple domains or forests
within your network, creating a separate group mapping configuration for
each domain or forest is essential. Each configuration should include an
LDAP server profile connecting the firewall to a domain server in the
respective domain or forest. To ensure smooth operation, make sure
usernames are unique across separate forests.
If your network uses universal groups, create one LDAP server
profile to connect to the root domain of the global catalog server on
port 3268 or 3269 for SSL. Additionally, create another LDAP
server profile to connect to the root domain controllers on port 389
or 636 for SSL. This approach ensures user and group information is
accessible for all domains and subdomains.
Before implementing group mapping, it is essential to establish a
primary username for user-based security policies. This primary
username is crucial as it is the key user identifier in policy setup,
logs, and reports.
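The design rules above (one group mapping configuration per domain or forest, at most four domain controllers per LDAP server profile, a global catalog profile on 3268/3269 alongside a root domain controller profile on 389/636 when universal groups are in use, and usernames unique across forests) can be checked mechanically before anything is committed on the firewall. The following Python planner is an added example written for this guide; it is not Palo Alto Networks code, and the forest inventory, addresses and usernames in it are constructed:

```python
"""Plan LDAP server profiles and group-mapping configs from a forest inventory.

Added example for this study guide, not Palo Alto Networks code. It encodes the
design rules in the text: one group-mapping configuration per domain or forest,
at most four domain controllers per LDAP server profile, a global-catalog
profile (3268/3269) plus a root-DC profile (389/636) when universal groups are
used, and sAMAccountNames that are unique across forests. The inventory below
is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List

MAX_DCS_PER_PROFILE = 4                 # limit of one PAN-OS LDAP server profile
LDAP_PORT = {False: 389, True: 636}     # domain controller: plain / SSL-TLS
GC_PORT = {False: 3268, True: 3269}     # global catalog: plain / SSL-TLS


@dataclass
class Forest:
    name: str                            # e.g. "lab.local"
    root_dn: str                         # e.g. "DC=lab,DC=local"
    domain_controllers: List[str]
    global_catalogs: List[str] = field(default_factory=list)
    uses_universal_groups: bool = False
    usernames: List[str] = field(default_factory=list)   # sAMAccountNames seen


@dataclass
class LdapProfile:
    name: str
    servers: List[str]
    port: int
    base_dn: str
    ssl: bool


def plan_profiles(forest: Forest, ssl: bool = True) -> List[LdapProfile]:
    """Return the LDAP server profiles one forest needs (1 or 2)."""
    if not forest.domain_controllers:
        raise ValueError(f"{forest.name}: at least one domain controller required")
    if len(forest.domain_controllers) > MAX_DCS_PER_PROFILE:
        raise ValueError(
            f"{forest.name}: {len(forest.domain_controllers)} DCs exceed the "
            f"{MAX_DCS_PER_PROFILE}-server limit of one LDAP server profile; "
            "extra group-mapping configurations do not add redundancy")
    profiles = [LdapProfile(f"{forest.name}-dc", list(forest.domain_controllers),
                            LDAP_PORT[ssl], forest.root_dn, ssl)]
    if forest.uses_universal_groups:
        if not forest.global_catalogs:
            raise ValueError(f"{forest.name}: universal groups need a global catalog")
        # The GC profile resolves universal groups across the whole forest; the
        # root-DC profile above still supplies the per-domain attributes.
        profiles.append(LdapProfile(f"{forest.name}-gc", list(forest.global_catalogs),
                                    GC_PORT[ssl], forest.root_dn, ssl))
    return profiles


def duplicate_usernames(forests: List[Forest]) -> Dict[str, List[str]]:
    """sAMAccountNames that appear in more than one forest (case-insensitive)."""
    seen: Dict[str, List[str]] = {}
    for f in forests:
        for user in f.usernames:
            seen.setdefault(user.lower(), []).append(f.name)
    return {u: fs for u, fs in seen.items() if len(set(fs)) > 1}


def plan(forests: List[Forest], ssl: bool = True) -> Dict[str, List[LdapProfile]]:
    """One group-mapping configuration (keyed by forest name) per forest."""
    dupes = duplicate_usernames(forests)
    if dupes:
        raise ValueError(f"usernames not unique across forests: {dupes}")
    return {f.name: plan_profiles(f, ssl) for f in forests}


# Constructed inventory (not a real environment).
LAB = Forest("lab.local", "DC=lab,DC=local",
             domain_controllers=["10.1.1.10", "10.1.1.11"],
             global_catalogs=["10.1.1.10"], uses_universal_groups=True,
             usernames=["alice", "bob"])
PARTNER = Forest("partner.example", "DC=partner,DC=example",
                 domain_controllers=["10.2.1.10"], usernames=["carol"])

if __name__ == "__main__":
    for forest_name, profiles in plan([LAB, PARTNER]).items():
        for p in profiles:
            print(forest_name, p.name, p.servers, p.port, "ssl" if p.ssl else "plain")
```

Run it against your own inventory before building the profiles in Device > Server Profiles > LDAP; the duplicate-username check is the one most often skipped and the one that silently produces wrong policy matches when two forests share a login name.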
Server Profile and Authentication Profile
Multi-Factor Authentication (MFA) Server Profile
A Multi-Factor Authentication (MFA) server profile defines the integrated
MFA vendor, the location of its service, and the credentials and settings the
firewall uses to reach it. Supported vendors are listed in the MFA Vendor
drop-down menu. Because the firewall validates the certificate the MFA
service presents when securing its communication with the firewall, a
Certificate Profile that trusts that certificate's issuer is also required.
Authentication Profile:
An Authentication Profile specifies the authentication type and Server
Profile for the initial, Captive Portal-driven authentication (the first
factor). The Factors tab adds the integrated MFA vendor defined in the MFA
server profile as an additional factor. Multiple factors can be added; the
user must complete each challenge in order, from the top down.
Lab 3-01: Configure User-ID Authentication
Case Study
Cyber Innovations Inc. is a leading technology solutions provider
specializing in cybersecurity and network infrastructure. With a commitment
to delivering cutting-edge services, the company has rapidly expanded its
operations to serve a diverse clientele. Cyber Innovations Inc. operates in
multiple regions, focusing on North America, Europe, and Asia-Pacific.
Cyber Innovations Inc. is a dynamic player in the technology sector,
boasting an impressive annual revenue of $250 million and a dedicated
workforce of 1,200 employees. With a global footprint, the company has
strategically positioned offices and branches in major cities across North
America, Europe, and Asia-Pacific. This extensive geographical presence
empowers Cyber Innovations Inc. to meet its clients’ diverse and evolving
global needs. Whether serving clients in bustling North American tech hubs,
European financial centers, or the rapidly expanding markets of the Asia-
Pacific region, the company’s commitment to excellence remains
unwavering, driving its success in the highly competitive technology
industry.
Business Challenge
Cyber Innovations Inc., a leading technology firm, faces a critical business
challenge within its network infrastructure. The organization’s network
configuration involves a Palo Alto Firewall that acts as a barrier between a
Local Area Network (LAN) and a Wide Area Network (WAN). In this
context, the challenge revolves around the need for comprehensive User
Identification (User-ID) on the Firewall.
The importance of User-ID stems from the dynamic and user-centric nature
of modern network environments. Within Cyber Innovations Inc., the LAN
serves as the backbone for various business-critical applications, services,
and resources. However, efficiently managing access control and security in
such an environment requires precise identification of users.
Solution
To address the challenge of User Identification (User-ID), Cyber Innovations
Inc. has devised a comprehensive solution involving the configuration of
Active Directory (AD) and Domain Controller (DC) integration on the Palo
Alto Firewall. This solution aims to enable User-ID capabilities in the LAN
environment.
The organization establishes a connection between the Palo Alto Firewall
and the Active Directory infrastructure. This integration allows the Firewall
to access user authentication and identity information. Domain Controllers
are configured to work in conjunction with the Firewall’s User-ID feature.
This includes setting up communication protocols and ensuring that user-to-
IP mappings are accurate and up-to-date.
Cyber Innovations Inc. can ensure precise user identification and
authentication by configuring Active Directory and Domain Controller
integration on the Palo Alto Firewall and enabling the User-ID feature in the
LAN environment.
Follow the steps to complete the lab:
1. Configure LDAP and UID Agent Service Routes
2. Configure Zone
3. Configure LDAP Profile
4. Configure User Identification
5. Configure the User Identification Monitored Server
6. Commit
Figure 3-04: Configure User-ID Authentication
1. Configure LDAP and UID Agent Service Routes
1. Navigate to Device > Setup
Under the Services tab, click on the Service Route Configuration
button to edit it.
2. Click on the Customize radio button. Click LDAP service under the
Service column.
3. Select the interface ethernet1/1, and its associated IP Address will
appear in the Source Address field.
4. Select the UID Agent to configure it.
5. Select the interface ethernet1/1, and its associated IP Address
appears in the Source Address field. Click the OK button.
2. Configure Zone
1. Navigate to Network > Zones
Select the LAN Zone to configure it.
2. Checkmark the Enable User Identification checkbox. Click the OK
button.
3. Configure LDAP Profile
1. Navigate to Device > Server Profiles > LDAP
Click on the Add button to add a new LDAP Profile.
2. Enter lab.local in the Profile Name field. Click on the Add button
under the Server List window.
3. Under the Server List window, enter DC1 under Name, 10.1.1.10 under
LDAP Server, and 389 under Port. Under Server Settings, select
active-directory as the Type, enter DC=lab,DC=local in the Base DN field
and lab-user-id@lab.local in the Bind DN field, and enter the account's
password in the Password and Confirm Password fields. Uncheck the Require
SSL/TLS secured connection checkbox and click OK. This is acceptable only
in the lab: with SSL/TLS disabled, the bind password and every directory
query cross the network in cleartext. In production keep the checkbox
enabled, use port 636 (3269 for a global catalog), and enable Verify
Server Certificate for SSL sessions.
4. Configure User Identification
1. Navigate to Device > User Identification
Under the Group Mapping Settings, click on the Add button to
configure Group Mapping settings.
2. Enter lab.local in the Name field. Select the lab.local Profile in the
Server Profile.
3. Under the Group Include List tab, expand DC=lab,DC=local > cn=Users
and select cn=Domain Users. Click the plus (+) button to add the group;
the firewall then retrieves all of its members. Click OK.
4. Under the User Mapping tab, click on the gear icon of the Palo Alto
Networks User-ID Agent Setup window.
5. Enter lab.local\lab-user-id in the User Name field. Enter passwords
in the Password and Confirm Password fields. Click on the OK
button.
6. Under the Server Monitor tab, checkmark the Enable Security Log
checkbox.
7. Under the Client Probing tab, uncheck the Enable Probing
checkbox.
8. Under the Cache tab, checkmark the Enable User Identification
Timeout checkbox. Click on the OK button.
5. Configure the User Identification Monitored Server
1. Under the Server Monitoring window, click on the Add button.
2. Enter DC1 in the Name field, checkmark the Enabled checkbox, select
Microsoft Active Directory in the Type menu, and enter the IP address
10.1.1.10 in the Network Address field (this field takes the address or
FQDN of a single domain controller, not a subnet). Click OK.
6. Commit
Click the Commit button to save the configuration.
How to use the Authentication Policy
Purpose and Use Case for the Authentication Policy
MFA and Authentication Policy
Multi-factor authentication (MFA) can be configured to ensure that users
authenticate using multiple methods (factors) when accessing highly
sensitive services and applications. For instance, users may need to enter a
login password and input a verification code received on their phone before
accessing critical financial documents. This layered approach helps
safeguard against unauthorized access by attackers who might compromise
passwords alone.
For end-user authentication via the Authentication policy, Palo Alto
Networks firewalls offer direct integration with various MFA platforms such
as Duo v2, Okta Adaptive, PingID, and RSA SecurID. Additionally,
integration through RADIUS is possible with other MFA platforms.
MFA is governed by an Authentication policy, enabling precise application
of the appropriate authentication methods. These policy rules can trigger
simple Captive Portal challenge pages for one-time authentication or
incorporate one or more integrated MFA vendor Server Profiles into
Authentication Profiles for additional authentication challenges. Once a user
completes all required challenges, Security policy rules that permit access to
protected services are evaluated.
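The ordering just described (first factor from the Authentication Profile's Server Profile, then each additional factor top down, then the Security policy only after every challenge passes, with a timeout before the user is challenged again) is easy to get wrong when reasoning about a rule. The following Python model is an added example for this guide, not PAN-OS code and not connected to a firewall: the password check (PBKDF2) stands in for the LDAP or RADIUS first factor, an RFC 6238 TOTP code stands in for the OTP factor, and the users, secrets and timestamps are constructed.

```python
"""Model of how an Authentication policy rule sequences MFA challenges.

Added example for this study guide; it is not PAN-OS code and does not talk
to a firewall. It follows the order the text describes: the Authentication
Profile's first factor (a PBKDF2 password check standing in for an LDAP or
RADIUS bind), then each additional factor top down (a TOTP code as the OTP
factor), and only after every challenge passes is the user's authentication
timestamp recorded and access (Security policy evaluation) granted. Within
the rule's timeout a repeat request is not re-challenged. Users, secrets and
timings are constructed.
"""
import hashlib
import hmac
import struct
from typing import Callable, Dict, List, Optional, Tuple


def pbkdf2(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 password hash (first factor)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over RFC 4226 HOTP with HMAC-SHA1 (OTP factor)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


# Constructed user store: password hash and TOTP seed per user.
SALT = b"constructed-salt"
USERS = {
    "lab\\alice": {"pw": pbkdf2("correct horse", SALT), "otp_seed": b"alice-seed"},
}

Factor = Callable[[str, str, int], bool]    # (user, response, now) -> passed


def password_factor(user: str, response: str, now: int) -> bool:
    rec = USERS.get(user)
    return bool(rec) and hmac.compare_digest(rec["pw"], pbkdf2(response, SALT))


def otp_factor(user: str, response: str, now: int) -> bool:
    rec = USERS.get(user)
    return bool(rec) and hmac.compare_digest(totp(rec["otp_seed"], now), response)


class AuthenticationPolicyRule:
    """Authentication Enforcement -> Authentication Profile with ordered factors."""

    def __init__(self, factors: List[Factor], timeout_minutes: int):
        self.factors = factors                   # evaluated top down
        self.timeout = timeout_minutes * 60
        self.timestamps: Dict[str, int] = {}     # user -> last full authentication

    def access(self, user: str, responses: List[str], now: int) -> Tuple[str, Optional[int]]:
        """Return ('allow' | 'challenge N', timestamp). 'allow' means every
        factor passed (or a timestamp within the timeout exists), so the
        Security policy is now evaluated for the request."""
        last = self.timestamps.get(user)
        if last is not None and now - last < self.timeout:
            return "allow", last                  # cached: no re-challenge
        for idx, factor in enumerate(self.factors):
            if idx >= len(responses) or not factor(user, responses[idx], now):
                return f"challenge {idx + 1}", None   # stop at the first failure
        self.timestamps[user] = now               # timestamp shared with peers
        return "allow", now


def demo() -> List[str]:
    rule = AuthenticationPolicyRule([password_factor, otp_factor], timeout_minutes=60)
    t0 = 1_700_000_000
    code = totp(USERS["lab\\alice"]["otp_seed"], t0)
    return [
        rule.access("lab\\alice", ["wrong"], t0)[0],                    # 1st factor fails
        rule.access("lab\\alice", ["correct horse", "xxxxxx"], t0)[0],  # 2nd factor fails
        rule.access("lab\\alice", ["correct horse", code], t0)[0],      # both pass
        rule.access("lab\\alice", [], t0 + 30 * 60)[0],                 # inside timeout
        rule.access("lab\\alice", [], t0 + 61 * 60)[0],                 # timeout expired
    ]


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: a failure at any factor stops the sequence there (the next factor is never prompted, which is why the order of the Factors list matters), and a cached timestamp lets a user through without any prompt until the rule's timeout expires, which is exactly why authentication timestamps are redistributed between firewalls.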
Special Note About MFA
Palo Alto Networks firewalls support MFA using a multi-factor
authentication server profile, allowing native integration with external third-
party MFA solutions. Supported MFA factors include push notifications,
Short Message Service (SMS), voice calls, and One-Time Password (OTP)
authentication. This profile specifies the particular MFA product and its
configuration details.
The MFA server profile is one of several authentication challenges a user
may have to complete. For example, users might have to enter their login
password and then a verification code received on their phone before
accessing critical financial documents. The firewall presents these
challenges through Captive Portal, whose configuration includes an
Authentication Profile that represents the initial challenge users
encounter. The Authentication Enforcement object referenced by the
Authentication policy rule selects the Authentication Profile to use, and
adding the MFA server profile under that profile's Factors makes the MFA
product the second authentication step for users.
Dependencies
Dependencies for Implementing MFA
Several Palo Alto Networks firewall settings must be configured before
implementing MFA to safeguard sensitive services and applications. MFA
authentication is triggered when a user requests access to a service that the
firewall processes within its traffic. Initially, the traffic is assessed by an
Authentication policy rule. When a matching rule is found, the
authentication action specified in that rule is executed.
Figure 3-05 illustrates the essential objects required to configure the
Authentication policy rule:
Figure 3-05: Authentication Policy Rule Objects
Authentication Enforcement object: This object specifies which
Authentication Profile to use and is referenced by an Authentication policy
rule. It also selects the Captive Portal authentication method (browser
challenge, web form, or no captive portal) and carries a custom message that
tells users how to respond to the challenge.
Captive portal versus GlobalProtect (GP) client
Captive portal and GlobalProtect (GP) client are both methods that can be
used to authenticate users on a network. However, there are some key
differences between the two.
Captive Portal
In cases where the firewall or the User-ID agent cannot map an IP address to
a username, such as when the user is not logged in or is using an operating
system not supported by the domain servers (e.g., Linux), Captive Portal can
be configured. Any web traffic (HTTP or HTTPS) matching a Captive Portal
policy rule mandates user authentication. Authentication methods can be
based on a transparent browser-challenge (e.g., Kerberos SSO or NTLM in
Captive Portal authentication), a web form (for RADIUS, TACACS+,
LDAP, Kerberos, or local database authentication), or client certificates.
GlobalProtect client
The GlobalProtect client software operates on end-user systems, sharing
User-ID information and facilitating access to network resources through the
deployed GlobalProtect portals and gateways.
The GlobalProtect App
The GlobalProtect app is compatible with various platforms, including
Windows, macOS, iOS, Android, Linux, Chromebook, and IoT devices. On
Microsoft Windows and Apple macOS devices, the application can be
customized to adapt its behavior and hide specific user interface elements to
align with the requirements of a particular environment.
Figure 3-06 provides an overview of how GlobalProtect portals, gateways,
and agents/apps collaborate to ensure secure access for all users, regardless
of their device type or location:
Figure 3-06: GlobalProtect Architecture
Management Plane and Data Plane Functions
The management and data planes are two distinct functional layers that work
together to ensure efficient and secure data transmission. The management
and data planes are typically separated on network devices.
Management Planes and Data Planes
In physical or virtual appliances, separating management and data plane
functionalities is fundamental to all Palo Alto Networks firewalls. These
functions have dedicated hardware resources in physical firewalls, ensuring
their independence. In virtual firewalls, this separation remains in place,
albeit logically segregated. Figure 3-07 illustrates the architecture of a PA-
220 firewall.
Figure 3-07: Management and Data Plane Architecture
Palo Alto Networks maintains the separation of the management and data
planes to safeguard system resources. In every Palo Alto Networks firewall,
certain functions are reserved for the management plane.
Configuration management
Logging
Reporting functions
User-ID agent process
Route updates
The management plane also terminates the management (MGT) interface and
the console port on physical firewalls. On the PA-7000 Series, log
collection and processing run on a dedicated Log Processing Card rather
than on the management card. Figure 3-08 provides an overview of the
PA-7000 Series architecture:
Figure 3-08: PA-7000 Series Architecture
What are the functions that are performed on the data plane?
The data plane encompasses the following functions:
Signature match processor
All Content-ID and App-ID services
Security processors
Session management
Encryption and decryption
Compression and decompression
Policy enforcement
Network processor
Route
Address Resolution Protocol (ARP)
MAC lookup
QoS
NAT
Flow control
Specific functions are designated for the data plane. The data plane directly
connects to the traffic interfaces. As more powerful firewall models are
developed, additional functionality is assigned to the management and data
planes as needed. Occasionally, dedicated cards with Field-Programmable
Gate Arrays (FPGAs) or custom application-specific integrated circuits
facilitate flexible and high-performance processing. Moreover, further
management plane functions may encompass the following:
First packet processing
Switch fabric management
Scope the impact of using SSL decryption
Effective decryption strengthens security by denying adversaries the cover
of encrypted traffic and by giving Content-ID visibility into threats hidden
inside TLS sessions. Scope its impact before enabling it: decryption
consumes data-plane resources (CPU, memory, and session capacity); clients
must trust the forward trust CA certificate the firewall uses to re-sign
server certificates, or every decrypted site will raise browser warnings;
and some traffic cannot or should not be decrypted, for example applications
that pin certificates, or financial and health categories excluded for
privacy or regulatory reasons. Following the decryption best practices keeps
decryption from becoming a point of failure while still providing the
visibility it exists for.
Scope the impact of turning logs on for every Security policy
Visibility is a crucial aspect of network security, and logging on every
Security policy rule is the main way to get it. By default, traffic that
matches the predefined intrazone-default and interzone-default rules is not
logged. To change this, override the two default rules and enable Log at
Session End (Log at Session Start only where an investigation needs it).
Logging on the default rules can generate a large volume of logs,
particularly on interzone-default, which records every denied cross-zone
session; enable it only after assessing the impact on log storage, log
forwarding, and management-plane performance.
Mind Map
Figure 3-09: Mind Map
Practice Questions
1. What type of information does User-ID map users to?
A. MAC addresses
B. IP addresses
C. Port number
D. IP address and port number
2. To map user identities and groups, which protocol does User-ID use?
A. NetBIOS
B. LDAP
C. Syslog
D. HTTPS
3. When informing the firewall of a new IP-address-to-username
mapping via API, which format is used?
A. XML
B. JSON
C. YAML
D. Base64
4. What needs to be configured on the firewall before it can access
User-ID-to-IP-address mapping tables from external sources?
A. Group Mapping Settings
B. Server Monitoring
C. Captive Portal
D. User-ID Agents
5. Which product or service can access User-ID-to-IP-address mapping
tables?
A. Cortex XDR
B. Panorama Log Collector
C. AutoFocus
D. Prisma Cloud
6. In Multi-Factor Authentication setups with Captive Portal, which
component connects the Captive Portal method to an Authentication
profile?
A. Multi-Factor Authentication server profile
B. Authentication policy rule
C. Authentication Sequence
D. Authentication Enforcement object
7. Which four firewall server profiles can be used for first-factor
authentication in multi-factor authentication configurations?
A. HTTP
B. Okta
C. PingID
D. Kerberos
E. RADIUS
F. SAML
G. LDAP
H. RSA SecurID Access
8. What are the dual purposes of multi-factor authentication?
A. Decrease the value of stolen passwords
B. Simplify password resets
C. Reduce and prevent password sharing
D. Ensure strong passwords
E. Provide single sign-on functionality
9. Which MFA factor is not supported by the NGFW?
A. Voice
B. Push
C. SMS
D. S/Key
10. What are the two modes of Captive Portal?
A. Proxy
B. Transparent
C. Webform
D. Certificate
E. Redirect
11. Which action is unnecessary when configuring multi-factor
authentication with a SAML Identity Provider (IdP)?
A. Establish an Authentication policy rule.
B. Configure NTLM settings.
C. Create an Authentication object.
D. Generate an Authentication Profile.
12. On a PA-7000 Series firewall, which management function operates
on a dedicated, separate card?
A. Configuration management
B. Logging
C. Reporting
D. Management web service
13. Which function is housed within the management plane?
A. App-ID matching
B. Route lookup
C. Policy match
D. Logging
14. Do certain next-generation firewall models utilize FPGA chips?
A. Yes, exclusively on the data plane but limited to higher-end models.
B. Yes, exclusively on the management plane but limited to higher-end
models.
C. Yes, both on the data and management planes, but confined to
higher-end models.
D. No, they do not use FPGA chips.
15. What is the recommended method for mobile users to establish
VPN access to the firewall for User-ID mapping?
A. GlobalProtect
B. PAN-OS XML API
C. Captive Portal
D. Client probing
Chapter 04: Multi-vsys Environment
Introduction
Adapting to diverse and complex requirements is paramount in the ever-
evolving network security landscape. This adaptability often calls for a
security infrastructure that can be tailored to the unique needs of different
departments, business units, or tenants within an organization. Palo Alto
Networks, a leading name in the world of cybersecurity, recognized this
need and introduced the concept of Multi-vsys (Multiple Virtual Systems)
environments.
This chapter is your comprehensive guide to understanding and harnessing
the power of Multi-vsys environments in network security, a topic of utmost
importance for those on their journey to become Palo Alto Networks
Certified Network Security Engineers (PCNSE). Whether you seek to
enhance your knowledge, prepare for the PCNSE certification exam, or
optimize your organization's network security, this chapter will equip you
with the knowledge and skills necessary to succeed.
The Significance of Multi-vsys Environments
Modern organizations are often complex entities with diverse network
security requirements. Different departments or subsidiaries may have
distinct security policies, resource needs, and access rights. Ensuring these
requirements are met without compromising the overall security posture can
be challenging.
Multi-vsys environments provide a robust solution to this challenge. They
allow network administrators to partition a single physical firewall into
multiple independent virtual firewalls, each with its configurations, security
policies, and network settings.
Define Multiple Virtual Systems (Multi-vsys) environment
In network security, Multiple Virtual Systems (Multi-vsys) are pivotal in
safeguarding data and ensuring secure network operations. This section will
explore the fundamental elements of Multi-vsys environments, their purpose,
and the key concepts that underpin their functionality.
What are Multi-vsys Environments?
At its core, a Multi-vsys environment is a framework designed to partition a
single physical firewall into multiple distinct virtual firewalls, each with its
own set of configurations, security policies, and network settings. These
virtualized firewalls function independently, like separate physical devices,
despite residing on the same hardware. This separation provides several
critical benefits:
1. Isolation
Each virtual system operates in isolation from the others, meaning that any
policy or configuration within one virtual system does not affect or interfere
with another. This isolation is essential for maintaining the integrity of
security measures and meeting compliance requirements. It essentially
prevents policy conflicts and potential security breaches when different
entities share the same physical firewall.
2. Flexibility
Multi-vsys environments offer unparalleled flexibility in managing network
security. This flexibility is precious for organizations with complex
structures, where different departments, subsidiaries, or tenants require
unique security policies, resources, and access rights. The ability to
customize policies and configurations for each virtual system ensures that
security measures align with specific needs.
3. Efficiency
Efficiency and cost-effectiveness are key advantages of Multi-vsys
environments. By consolidating multiple security instances onto a single
physical device, organizations can reduce both hardware and operational
costs while maintaining a high level of security. This not only streamlines
management but also optimizes resource utilization.
4. Scalability
Multi-vsys environments are also scalable: they can adapt to your
requirements and grow with your organization, whether you have a small
network or a complex infrastructure.
Core Concepts of Multi-vsys Environments
Virtual Systems (VS)
Virtual Systems are the building blocks of Multi-vsys environments. Each
VS is an independent, logical firewall within the physical firewall, with
its own security policies, interfaces, routing configuration, and
administrative access controls. VSs are at the heart of the partitioning,
ensuring separation and independence.
Device Groups
Device Groups allow administrators to manage and control the configuration
of multiple firewall devices as a single entity. This simplifies rolling out
consistent configurations across various physical firewalls, each hosting one
or more Virtual Systems.
Virtual Systems (VSYS) ID
Each Virtual System is assigned a unique Virtual System Identifier (VSYS
ID), which is used to differentiate between them. The VSYS ID is integral in
determining which VS a particular configuration applies to and is vital in
ensuring data isolation and policy enforcement.
Security Policies
Security policies within Multi-vsys environments are configured on a per-
VS basis. This level of granularity allows administrators to tailor security
policies to meet the specific requirements of each virtual system.
Organizations can effectively safeguard their data by defining different
security rules for different VSs while ensuring optimal network
performance.
Benefits and Applications
Multi-vsys environments are not merely theoretical constructs but practical
solutions with various applications. Here are some scenarios where Multi-
vsys environments excel:
Enterprise Security: Multi-vsys environments are used extensively in
large organizations to segregate security policies between departments or
subsidiaries while maintaining centralized control and monitoring.
Service Providers: Service providers leverage Multi-vsys environments
to offer secure, partitioned network services to multiple tenants or
customers from a single hardware device.
Compliance and Regulatory Requirements: Organizations with strict
compliance requirements, such as those in healthcare or finance, utilize
Multi-vsys environments to ensure that different operations adhere to
regulatory standards.
Resource Optimization: By sharing a common hardware infrastructure
while maintaining separate virtual firewalls, Multi-vsys environments
optimize resource utilization and reduce costs.
Multi-vsys environments revolutionize network security by providing a
dynamic and versatile approach to managing diverse security requirements
within a single physical firewall. Understanding the core principles of this
framework is vital for network security professionals and aspiring PCNSEs,
as it forms the basis for effectively deploying and managing security in
today's complex environments.
EXAM TIP: A Multi-vsys environment is a system created to
divide a single physical firewall into several separate virtual firewalls.
Each virtual firewall operates independently, resembling individual
physical devices, with its unique configurations, security policies, and
network settings. Despite sharing the same hardware, these virtualized
firewalls function as if they were distinct entities.
User-ID hub
The User-ID feature allows you to recognize individuals on your network
through various methods, ensuring identification across different locations
and using various operating systems like Microsoft Windows, Apple iOS,
Mac OS, Android, and Linux/UNIX.
This knowledge of user identities, as opposed to just their IP addresses,
offers several advantages:
1. Enhanced Visibility: User-ID offers improved insights into application
usage, providing a more relevant view of network activity. It proves valuable
when detecting unfamiliar applications on your network. Using tools like
ACC or the Log Viewer, your security team can pinpoint the application,
user, bandwidth usage, session details, the source and destination of the
application traffic, and any associated threats.
2. Policy Control: Linking user information to security policy rules
enhances the secure use of applications across the network. Only authorized
users with a legitimate need can access certain applications. For example,
essential applications like SaaS tools for HR services (e.g., Workday or
ServiceNow) should be available to any known user on the network.
Conversely, for more sensitive applications, access can be restricted to those
who require it, reducing potential security risks.
3. Logging, Reporting, and Forensics: In a security incident, forensics
analysis and reporting based on user information (instead of just IP
addresses) provide a more comprehensive understanding of the situation. For
example, predefined reports like User/Group Activity can summarize the
web activity of individual users or user groups, and the SaaS Application
Usage report can reveal which users are transferring the most data via
unsanctioned SaaS applications.
The firewall needs to map IP addresses in incoming packets to usernames to
enforce policies based on users and groups. User-ID offers multiple methods
to gather this User Mapping information. For example, the User-ID agent
can monitor server logs for login events and listen for syslog messages from
authentication services. For IP addresses that the agent does not map, you
can configure the Authentication Policy to redirect HTTP requests to a
Captive Portal login. These user mapping mechanisms can be customized to
suit your specific environment. They can be employed differently at various
sites to ensure secure access to applications for all users in all locations at all
times.
User-ID
Figure 4-02: User-ID
The firewall requires a comprehensive roster of all users and their respective
group affiliations to implement policies based on users and groups. This
information is vital for selecting user groups when establishing your policy
rules. The firewall acquires Group Mapping data through two primary
methods: direct connectivity with the LDAP directory server or integration
via XML API with the directory server.
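Of the user mapping methods listed above, the XML API is the one an engineer can exercise directly: an external script parses whatever authentication source it has (a syslog feed, an application log, a NAC event) and posts login and logout entries to the firewall. The following Python script is an added example for this guide, not Palo Alto Networks code. The <uid-message> payload it emits is the documented format for the XML API's user-id type; the "auth-service" log lines, usernames, addresses, the firewall host name and the API key placeholder are constructed, and the request is built but not sent.

```python
"""Build a User-ID XML API message from authentication log lines.

Added example for this study guide, not Palo Alto Networks code. The
<uid-message> format it emits is the documented payload for the firewall's
XML API (type=user-id). The log lines, IPs, usernames, host name and API key
are constructed placeholders; api_request() only builds the URL and sends
nothing.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List
from urllib.parse import urlencode

# Constructed lines in a made-up "auth-service" format. A real syslog source
# would instead be parsed by a Syslog Parse Profile on the firewall or agent.
SAMPLE_LOGS = """\
2024-05-01T08:00:01Z auth-service: LOGIN user=lab\\alice ip=10.1.10.21
2024-05-01T08:00:05Z auth-service: LOGIN user=lab\\bob ip=10.1.10.22
2024-05-01T08:01:00Z auth-service: LOGIN user=lab\\alice ip=10.1.10.23
2024-05-01T08:02:10Z auth-service: LOGOUT user=lab\\bob ip=10.1.10.22
2024-05-01T08:02:11Z auth-service: LOGIN user=lab\\eve ip=not-an-ip
"""

LINE_RE = re.compile(
    r"(?P<event>LOGIN|LOGOUT) user=(?P<user>[^\s]+) ip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$")


def parse_events(text: str) -> List[Dict[str, str]]:
    """Return {event, user, ip} dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def final_state(events: List[Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Last event per IP: a later login or logout for the same address wins,
    so an IP reused by another user is sent in its final state only."""
    state: Dict[str, Dict[str, str]] = {}
    for ev in events:
        state[ev["ip"]] = ev
    return state


def build_uid_message(events: List[Dict[str, str]], timeout_min: int = 60) -> str:
    """Serialise login/logout events into a <uid-message> update."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    login = ET.SubElement(payload, "login")
    logout = ET.SubElement(payload, "logout")
    for ip, ev in sorted(final_state(events).items()):
        if ev["event"] == "LOGIN":
            # timeout: minutes of inactivity before the firewall ages the
            # mapping out; 0 would make it permanent, which is rarely wanted.
            ET.SubElement(login, "entry", name=ev["user"], ip=ip,
                          timeout=str(timeout_min))
        else:
            ET.SubElement(logout, "entry", name=ev["user"], ip=ip)
    return ET.tostring(root, encoding="unicode")


def api_request(host: str, api_key: str, message: str, vsys: str = "vsys1") -> str:
    """URL for the XML API call (sent as an HTTPS POST in practice so the key
    and payload stay out of proxy logs). Nothing is sent here."""
    query = urlencode({"type": "user-id", "key": api_key, "vsys": vsys, "cmd": message})
    return f"https://{host}/api/?{query}"


if __name__ == "__main__":
    msg = build_uid_message(parse_events(SAMPLE_LOGS))
    print(msg)
    print(api_request("firewall.lab.local", "<api-key>", msg)[:80], "...")
```

Note the vsys parameter: in a multi-vsys firewall the mapping lands only in the virtual system named in the request, so a script that feeds several vsys must send one message per vsys. Generate the API key for a dedicated administrator whose admin role grants only the User-ID Agent XML API permission, not a superuser key.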
Inter-vsys routing
A Virtual System (vsys) represents an independent and logical firewall
instance housed within a single physical chassis. Activating virtual systems
on the firewall creates a logical division between different physical
networks. This division is valuable when keeping certain networks isolated
from each other is important. Virtual systems also allow you to manage
which administrators control specific network sections and firewall
configuration.
In specific situations, there may be a need to establish connectivity between
virtual systems. Instead of physically connecting separate networks, a more
secure approach involves enabling limited routing to facilitate
communication between specified subnets. The Security policy can then be
implemented to prevent any misuse of this network connection.
Initially, it is essential to establish visibility between virtual systems.
Because each vsys operates independently, it lacks awareness of other vsys
instances residing on the same physical chassis.
Figure 4-03: Visibility of Virtual Systems
Moving forward, you should establish a new type of zone category named
"External" within every vsys to transfer sessions into a zone connecting the
virtual systems. The "External" category constructs a network-like structure,
permitting communication among the virtual systems.
Figure 4-04: External Zone Category
For each vsys that is part of this, generate a zone labeled "External."
Incorporate the target Virtual System to designate this zone as the remote
vsys. You can include multiple destination virtual systems as needed.
Figure 4-05: Generate a zone labeled "External"
Following this, each vsys needs to be set up with a Security policy
permitting the local zone to establish connections from the local zone to the
External zone or from the External zone to the trusted network in cases
where the connection is deemed inbound.
For example, in an Out-of-Box (OOB) network scenario, the IT vsys can be
granted permission for an outbound connection to the External zone. At the
same time, the OOB vsys can accept an inbound connection from the
External zone.
Figure 4-06: Setup with a Security policy
As the virtual routers lack knowledge about the subnets within remote
virtual systems, it becomes necessary to introduce routing measures to guide
traffic toward the External zone correctly.
Figure 4-07: Routing Measures
1. Access Configuration Interface: Log in to the network device or
software platform managing the virtual routers. This could be a router,
firewall, or virtualization platform.
2. Navigate to Virtual Router Settings: Find the section or menu within
the configuration interface that deals with virtual routers. This is where
you can create and configure virtual routers.
3. Create Virtual Routers: Create two virtual routers named 'testing' and
'vr_lab' if they don't already exist.
4. Configure Routes for 'testing' Virtual Router:
Access the configuration settings for the 'testing' virtual router.
Add a static route for the lab-trust subnet 10.6.0.0/24, specifying the
next hop as the 'vr_lab' virtual router. This directs traffic destined for
10.6.0.0/24 to the 'vr_lab' router.
5. Configure Routes for 'vr_lab' Virtual Router:
Access the configuration settings for the 'vr_lab' virtual router.
Add a reciprocal static route for the testing-trust subnet 10.100.0.0/24,
specifying the next hop as the 'testing' virtual router. This ensures that
traffic from 10.100.0.0/24 is directed to the 'testing' router.
6. Verify Configuration:
Double-check the configured routes on both virtual routers to ensure
accuracy.
Verify that there are no conflicts or overlapping routes.
7. Commit Configuration:
Save and apply the configuration changes to activate the new route
settings.
8. Test Connectivity:
Test connectivity between devices in the lab-trust subnet (10.6.0.0/24)
and testing-trust subnet (10.100.0.0/24) to confirm that traffic is
correctly routed through the virtual routers.
9. Monitor and Troubleshoot:
Keep an eye on network performance and monitor for any issues.
If there are problems, troubleshoot by checking route tables,
configurations, and logs.
10. Documentation:
Document the configuration, including the routes set up for each
virtual router, for future reference.
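The procedure above is carried out in the firewall's web interface. As an added illustration that is not part of this guide or of PAN-OS, the Python model below uses the page's values (virtual routers 'testing' and 'vr_lab', subnets 10.100.0.0/24 and 10.6.0.0/24, each static route's next hop set to the other virtual router) to show how a packet is handed from one virtual router to the other in step 8, and to express the step 6 checks: every next-VR route has a reciprocal route back, and no two static routes in a virtual router overlap. The StaticRoute and VirtualRouter classes and the function names are assumptions of this example, not PAN-OS objects.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class StaticRoute:
    destination: str                  # prefix, e.g. "10.6.0.0/24"
    next_vr: Optional[str] = None     # next hop is another virtual router on the same chassis
    next_hop: Optional[str] = None    # or an ordinary IP next hop (not used in the lab)


@dataclass
class VirtualRouter:
    name: str
    connected: List[str] = field(default_factory=list)       # subnets attached to this vsys's trust zone
    static_routes: List[StaticRoute] = field(default_factory=list)

    def lookup(self, dst: str):
        """Longest-prefix match over connected and static routes.
        Returns ("connected", prefix), ("static", StaticRoute) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix in self.connected:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[2]):
                best = ("connected", prefix, net.prefixlen)
        for route in self.static_routes:
            net = ipaddress.ip_network(route.destination)
            if addr in net and (best is None or net.prefixlen > best[2]):
                best = ("static", route, net.prefixlen)
        return None if best is None else best[:2]


def resolve_path(vrs: Dict[str, VirtualRouter], start_vr: str, dst: str, max_hops: int = 8) -> List[str]:
    """Follow next-vr hops from start_vr until a connected subnet (or an IP next hop) is reached.
    Returns the virtual routers traversed, in order; raises LookupError on no route or a loop."""
    path = [start_vr]
    current = vrs[start_vr]
    for _ in range(max_hops):
        found = current.lookup(dst)
        if found is None:
            raise LookupError(f"{current.name}: no route to {dst}")
        kind, entry = found
        if kind == "connected" or entry.next_vr is None:
            return path                       # delivered locally or sent to an IP next hop
        if entry.next_vr in path:
            raise LookupError(f"routing loop via {entry.next_vr}")
        path.append(entry.next_vr)
        current = vrs[entry.next_vr]
    raise LookupError("hop limit exceeded")


def missing_return_routes(vrs: Dict[str, VirtualRouter]) -> List[tuple]:
    """Step 6 check: for every next-vr route A -> B, B must route A's connected subnets back to A."""
    missing = []
    for vr in vrs.values():
        for route in vr.static_routes:
            if route.next_vr is None:
                continue
            remote = vrs[route.next_vr]
            for local_subnet in vr.connected:
                probe = str(ipaddress.ip_network(local_subnet)[1])   # a host inside the local subnet
                found = remote.lookup(probe)
                if found is None or found[0] != "static" or found[1].next_vr != vr.name:
                    missing.append((remote.name, local_subnet))
    return missing


def overlapping_routes(vr: VirtualRouter) -> List[tuple]:
    """Step 6 check: pairs of static routes in one virtual router whose prefixes overlap."""
    nets = [(r.destination, ipaddress.ip_network(r.destination)) for r in vr.static_routes]
    return [(a, b) for i, (a, na) in enumerate(nets) for (b, nb) in nets[i + 1:] if na.overlaps(nb)]


def build_lab() -> Dict[str, VirtualRouter]:
    """Constructed sample using the values from steps 3 to 5 of the page."""
    testing = VirtualRouter("testing", connected=["10.100.0.0/24"],
                            static_routes=[StaticRoute("10.6.0.0/24", next_vr="vr_lab")])
    vr_lab = VirtualRouter("vr_lab", connected=["10.6.0.0/24"],
                           static_routes=[StaticRoute("10.100.0.0/24", next_vr="testing")])
    return {"testing": testing, "vr_lab": vr_lab}


if __name__ == "__main__":
    lab = build_lab()
    print("testing -> 10.6.0.10 traverses:", resolve_path(lab, "testing", "10.6.0.10"))
    print("missing return routes:", missing_return_routes(lab))
```

Removing the route from 'vr_lab' and running missing_return_routes again reproduces the classic symptom of a half-configured inter-vsys link: requests cross over, replies have no path back, and the connection attempt times out.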
Figure 4-08: Set up each Virtual Router with routes
Figure 4-09: Set up each Virtual Router with routes
Once this setup is saved, clients in the trust zones of both vsys1 and vsys2
can establish connections using Microsoft Remote Desktop or MSSQL
applications, following the security policy guidelines.
Service Routes
Service routes play a pivotal role in Multi-vsys environments, offering a
mechanism to direct network traffic to specific virtual systems or services
efficiently. By default, the firewall employs its management (MGT) interface
to connect to external services like DNS servers, external authentication
servers, and Palo Alto Networks services, encompassing software, URL
updates, licenses, and AutoFocus. An alternative to using the MGT interface
is to set up a data port (a standard interface) for accessing these services. The
path from the interface to the service on a server is referred to as a service
route. The service packets exit the firewall through the port designated for
the external service, and the server responds using the configured source
interface and source IP address.
You can establish service routes at a global level for the entire firewall or
customize service routes for a virtual system within a firewall configured for
multi-vsys, offering the flexibility to use interfaces associated with a
particular vsys. If a vsys lacks a specific service route configuration for a
particular service, it will inherit the interface and IP address settings defined
globally for that service.
The Significance of Service Routes
Service routes are a fundamental component of Multi-vsys environments.
They are responsible for directing network traffic to its intended destination,
whether a virtual system or a specific service, within the overall network
infrastructure. These routes serve as the pathways that guide data packets,
ensuring that they are delivered accurately and securely.
1. Optimizing Traffic Flow
Service routes are instrumental in optimizing the flow of network traffic.
Directing traffic efficiently helps reduce latency and improve overall
network performance. This is particularly critical in Multi-vsys
environments where traffic must be managed across multiple virtual
systems.
2. Enhancing Security
Service routes also play a vital role in maintaining robust security. By
channeling traffic to the correct virtual system, they ensure that security
policies specific to that system are enforced. This allows organizations to
uphold consistent security measures while accommodating diverse network
requirements.
3. Load Balancing
In scenarios where an organization hosts multiple virtual systems offering
the same service, service routes can be used to distribute traffic load evenly.
This load balancing optimizes resource utilization and enhances fault
tolerance by evenly distributing traffic in case one virtual system becomes
unavailable.
4. Isolation of Traffic
Service routes isolate traffic, ensuring that data intended for one virtual
system does not inadvertently reach another. This maintains the integrity of
each virtual system's security measures, preventing policy conflicts or
breaches.
Creating Service Routes
Typically, configuring service routes involves defining specific criteria for
routing traffic to the desired destinations. This can be based on various
attributes, such as source IP, destination IP, port numbers, and protocol.
Network administrators can define the criteria to match the requirements of
their organization.
Example: Configuring a Service Route
Suppose an organization has multiple virtual systems that host web services.
The service routes can be configured to direct incoming HTTP traffic (port
80) to one virtual system and HTTPS traffic (port 443) to another. This
segmentation ensures that the two services remain isolated and do not
interfere with each other while also optimizing traffic flow.
Figure 4-10: Configuring a Service Route
Real-World Applications
Service routes find application in various scenarios:
Segmenting Network Traffic: In an organization where different
departments or business units require separate virtual systems, service
routes segment network traffic while enforcing each unit's security
policies.
Load Balancing: In scenarios where multiple virtual systems offer the
same service, service routes distribute incoming traffic evenly across
these systems, ensuring high availability and optimized resource
utilization.
Security and Compliance: For organizations with strict security and
compliance requirements, service routes help maintain data segregation
while complying with industry-specific regulations.
Resource Optimization: Service routes contribute to resource
optimization by ensuring that data packets are directed to the most
appropriate virtual system, thereby reducing latency and improving
network performance.
Service routes are essential to Multi-vsys environments, striking a delicate
balance between enhancing network performance and maintaining stringent
security policies. Understanding how to configure and utilize them
effectively is integral to network administrators and security professionals
seeking to harness the full potential of Multi-vsys architectures.
EXAM TIP: Service routes play a crucial role in Multi-vsys
environments, serving as essential elements for directing network traffic to
its designated destination, be it a virtual system or a specific service within
the broader network infrastructure. These routes act as the designated
pathways guiding data packets, ensuring precise and secure delivery to
their intended destinations.
Administration
Administration: Managing Multi-vsys Environments Effectively
The successful administration of Multi-vsys environments is essential to
ensure optimal network security and performance. This section will explore
the tools, techniques, and best practices for administering and maintaining a
Multi-vsys setup.
User Access Control
User Access in Multi-vsys Environments
User access control is a crucial aspect of Multi-vsys administration. It
involves managing who has access to the various Virtual Systems (VS) and
their access level. Proper user access control ensures that only authorized
personnel can configure and make changes to the virtual systems, reducing
the risk of unauthorized configuration changes or security breaches.
1. Role-Based Access Control (RBAC)
RBAC allows administrators to define roles and assign specific privileges to
each role. For example, you can create roles for network administrators,
security administrators, or auditors, each with their own permissions. RBAC
streamlines user access control by granting appropriate access to individuals
based on their responsibilities.
2. Administrative Accounts
Each user or administrator should have a distinct account associated with
their specific Virtual System (VS). This not only ensures accountability but
also simplifies user management.
Policy Deployment
Deploying Security Policies Across Virtual Systems
One of the key challenges in Multi-vsys administration is managing and
deploying security policies consistently across all Virtual Systems. This
ensures that the organization's security posture remains uniform and robust.
1. Device Groups
Device groups are used to facilitate policy deployment. They enable
administrators to apply a single policy configuration to multiple physical
devices or virtual systems. By creating device groups, you can ensure that
policy changes are distributed efficiently to all relevant entities.
2. Template Stacks
Template stacks are a powerful tool for managing and deploying
configurations consistently across multiple Virtual Systems. They allow you
to create templates defining security policies and then apply them to the
relevant VSs. This ensures that security policies are consistent across the
Multi-vsys environment.
Monitoring and Troubleshooting
Continuous Monitoring and Effective Troubleshooting
Monitoring is a critical aspect of Multi-vsys administration. It involves real-
time monitoring of network traffic, security logs, and system performance to
identify and address potential issues promptly.
1. Panorama Management
Panorama is a central management platform provided by Palo Alto Networks
that streamlines the administration of Multi-vsys environments. It offers a
unified view of all VSs, simplifies policy management, and provides
centralized monitoring and reporting.
2. Log Analysis
Effective log analysis is essential for troubleshooting and identifying
security incidents. Monitoring logs from all Virtual Systems helps
administrators promptly detect and respond to threats. Integrating log
analysis tools can further enhance security and performance monitoring.
Backups and Disaster Recovery
Protecting Against Data Loss
In Multi-vsys environments, regular backups and disaster recovery plans are
essential to protect against data loss and maintain operational continuity.
1. Backup Strategies
Develop backup strategies that include regular snapshots of configurations
and policies within each Virtual System. Backup schedules should be
defined to preserve critical data, allowing for rapid recovery in case of
system failures or data corruption.
2. Disaster Recovery Plans
A comprehensive disaster recovery plan should be in place to address
scenarios such as hardware failures, data breaches, or natural disasters. This
plan should encompass data restoration procedures and system recovery
processes.
Best Practices for Multi-vsys Administration
Effective Strategies for Administering Multi-vsys Environments
To ensure smooth administration in Multi-vsys environments, consider the
following best practices:
Regularly review and update security policies to adapt to changing
network requirements and emerging threats.
Implement change control processes to track and approve configuration
changes to Virtual Systems.
Conduct periodic security audits to identify vulnerabilities and
compliance issues.
Stay updated with firmware and software updates to benefit from new
features, bug fixes, and security enhancements.
Effective Multi-vsys administration ensures complex network
infrastructures' security, performance, and reliability. By implementing best
practices and utilizing the tools and techniques available, administrators can
maintain the integrity of Multi-vsys environments and address evolving
network security challenges.
EXAM TIP: User access control in Multi-vsys admin is critical. It
manages access to Virtual Systems, ensuring only authorized personnel can
configure them, reducing the risk of unauthorized changes or security
breaches.
Mind Map
Figure 4-11: Mind Map
Practice Questions
1. What is the primary purpose of Multi-vsys (Multiple Virtual Systems)
environments in network security?
A. To create a single, unified security policy for the entire organization
B. To reduce the need for physical firewalls in an organization
C. To partition a physical firewall into multiple independent virtual
firewalls with unique configurations
D. To optimize network performance and speed
2. What is the core concept that allows administrators to manage the
configuration of multiple firewall devices as a single entity within
Multi-vsys environments?
A. Virtual Systems (VS)
B. Virtual Systems (VSYS) ID
C. Security Policies
D. Device Groups
3. Why is isolation important in Multi-vsys environments?
A. To reduce operational costs
B. To prevent policy conflicts and potential security breaches
C. To create a unified security policy for all virtual systems
D. To optimize resource utilization
4. In what scenarios are Multi-vsys environments typically applied?
A. To centralize control and monitoring in small organizations
B. To optimize resource utilization in large organizations
C. To provide secure, partitioned network services to multiple tenants or
customers
D. To ensure that different operations adhere to regulatory standards in any
industry
5. What is the primary advantage of using a User-ID for network security?
A. It enhances visibility into application usage
B. It reduces the need for firewall policies
C. It simplifies the network infrastructure
D. It only works with Microsoft Windows operating systems
6. How does the firewall acquire Group Mapping data for User-ID?
A. Through listening for syslog messages from authentication services
B. By redirecting HTTP requests to a Captive Portal login
C. Through direct connectivity with the LDAP directory server or
integration via XML API with the directory server
D. By monitoring server logs for login events
7. What is the primary purpose of inter-vsys routing?
A. To establish communication between virtual systems using physical
connections
B. To create a logical division between physical networks
C. To prevent all communication between virtual systems
D. To facilitate communication between specified subnets securely
8. What is the purpose of the "External" category and zone in inter-vsys
routing?
A. To isolate virtual systems from each other
B. To connect virtual systems physically
C. To establish communication among virtual systems
D. To prevent all network connections
9. How can inter-vsys routing be set up to guide traffic between virtual
systems?
A. By establishing physical connections between virtual systems
B. By implementing a strict Security policy to prevent all connections
C. By setting up each Virtual Router with routes for the corresponding
remote subnets
D. By limiting the number of administrators controlling each network
section
10. What is the significance of service routes in a Multi-vsys environment?
A. To optimize traffic flow, enhance security, enable load balancing, and
isolate traffic
B. To isolate network traffic from the internet
C. To control all traffic through a single virtual system
D. To create separate physical connections for each virtual system
11. How can service routes be configured to optimize traffic flow between
multiple virtual systems hosting web services?
A. By configuring service routes to direct all traffic to a single virtual
system
B. By defining specific criteria based on attributes like source IP,
destination IP, port numbers, and protocol
C. By segmenting network traffic to different departments or business units
D. By using the management (MGT) interface for all network traffic
12. In what scenario would service routes benefit load balancing in a Multi-
vsys environment?
A. When there is only one virtual system hosting all services
B. When there is no need for any security policies
C. When all traffic must go through the management (MGT) interface
D. When multiple virtual systems offer the same service
13. What is the purpose of Role-Based Access Control (RBAC) in Multi-
vsys administration?
A. To create administrative accounts for each user
B. To streamline policy deployment across virtual systems
C. To define roles and assign specific privileges to users
D. To conduct log analysis for security incidents
14. How can device groups be useful in Multi-vsys administration?
A. To perform log analysis for security incidents
B. To monitor real-time network traffic
C. To create templates for consistent policy deployment
D. To conduct disaster recovery planning
15. Why are regular backups and disaster recovery plans important in Multi-
vsys administration?
A. To monitor and troubleshoot network issues in real-time
B. To streamline the administration of Multi-vsys environments
C. To protect against data loss and maintain operational continuity
D. To implement change control processes for configuration changes
Chapter 05: Management and Profiles
Introduction
Palo Alto Networks management and profiles are essential components of
the Palo Alto Networks security platform. Management profiles provide a
centralized way to configure and manage Palo Alto Networks devices, while
profiles allow you to tailor security policies to specific needs.
This chapter will cover the following topics:
Configuring a management profile and its management interface. We will
also learn the importance of configuring SSL/TLS service profiles to
specify permissible protocol versions for various SSL/TLS services.
Configuring and deploying a security profile, with an overview of each
profile type: antivirus, anti-spyware, vulnerability protection, URL
filtering, file blocking, WildFire analysis, data filtering, and DoS
protection. We will also discuss the relationship between URL filtering
and credential theft prevention, and compare Threat Prevention with
Advanced Threat Prevention and URL Filtering with Advanced URL
Filtering.
Configuring zone protection, including the difference between customized
values and default settings, and between classified and aggregate profile
values.
Configure Management Profiles
You can configure in-band interfaces using Interface Management profiles to
allow management access and various features. Data plane interfaces are set
up by default to disallow administrative functions, including HTTP/HTTPS,
Ping, SNMP, and others, for enhanced security. You can create an Interface
Management profile and associate it with the relevant interface to enable
these features.
EXAM TIP: An Interface Management profile is unnecessary for
the management (MGT) interface. During the initial firewall
configuration, you can define limitations for protocols, services, and IP
addresses directly for the MGT interface. Additionally, if the MGT
interface experiences issues and goes offline, you can enable management
access through another interface, ensuring uninterrupted firewall
management.
Interface Management Profile
Here are the steps to configure an Interface Management Profile:
1. Go to the Network menu, select Network Profiles, and click Interface
Mgmt. Next, click on the Add button.
2. Choose the network protocols you want to permit for management
traffic on the interface. Options include Ping, Telnet, SSH, HTTP,
HTTP OCSP, HTTPS, or SNMP.
3. Select the services that the interface should allow for management
traffic. These options include:
a. Authentication Portal or URL Admin Override Response Pages
b. User ID (for redistributing data and authentication timestamps)
c. User-ID Syslog Listener-SSL or User-ID Syslog Listener-UDP
(to configure User-ID for monitoring syslog senders using SSL
or UDP traffic)
4. Optionally, you can add specific IP addresses to grant access to the
interface. The interface will have no IP address restrictions if no IP
addresses are added.
5. Finally, click OK to save your configuration.
These steps help you create an Interface Management Profile to control
management access and services for your in-band interfaces.
EXAM TIP: When giving access to a firewall interface using an
Interface Management profile, do not allow management access (HTTP,
HTTPS, SSH, or Telnet) from the internet or other untrusted zones inside
your company's security perimeter. Also, never allow HTTP or Telnet
access because these protocols send data in plain text. Follow the Best
Practices for Securing Administrative Access to ensure you properly
secure management access to your firewall.
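The five steps above and the exam tip together amount to a checklist: permit only encrypted protocols, restrict the permitted source IP addresses, and never attach a profile that grants management access to an interface in an untrusted zone. As an added example, not taken from this guide or from PAN-OS, the Python script below encodes that checklist and runs it over constructed profile and interface definitions. The protocol names, the InterfaceMgmtProfile and Interface classes, the finding codes and the zone name 'untrust' are assumptions of this example; a real audit would read the exported firewall configuration instead of the inline sample.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Protocol choices offered in step 2 of the profile dialog (lower-cased here by assumption).
PROTOCOLS = {"ping", "telnet", "ssh", "http", "http-ocsp", "https", "snmp"}
PLAINTEXT = {"http", "telnet"}                       # carry credentials in clear text
MGMT_ACCESS = {"http", "https", "ssh", "telnet"}     # interactive administrative access


@dataclass
class InterfaceMgmtProfile:
    name: str
    protocols: Set[str]
    permitted_ips: List[str] = field(default_factory=list)   # step 4: empty means no source restriction


@dataclass
class Interface:
    name: str
    zone: str
    profile: Optional[InterfaceMgmtProfile] = None   # data-plane default: no profile, no management access


def audit_interface(iface: Interface, untrusted_zones=frozenset({"untrust"})) -> List[Tuple[str, str]]:
    """Return (code, message) findings for one interface; an empty list means it follows the page's guidance."""
    findings = []
    p = iface.profile
    if p is None:
        return findings                      # nothing is exposed, nothing to flag
    for proto in sorted(p.protocols - PROTOCOLS):
        findings.append(("UNKNOWN_PROTOCOL", f"{p.name}: '{proto}' is not a protocol the profile offers"))
    for proto in sorted(p.protocols & PLAINTEXT):
        findings.append(("PLAINTEXT", f"{p.name}: {proto} enabled; it sends data in plain text"))
    if p.protocols & MGMT_ACCESS:
        if iface.zone in untrusted_zones:
            findings.append(("UNTRUSTED_ZONE", f"{iface.name}: management access exposed in zone '{iface.zone}'"))
        if not p.permitted_ips:
            findings.append(("UNRESTRICTED_SOURCE", f"{p.name}: no permitted IP list, any source may connect"))
        for entry in p.permitted_ips:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                findings.append(("BAD_PERMITTED_IP", f"{p.name}: '{entry}' is not an address or prefix"))
                continue
            if net.prefixlen == 0:           # 0.0.0.0/0 or ::/0 is the same as no restriction
                findings.append(("ANY_PERMITTED_IP", f"{p.name}: '{entry}' permits every source address"))
    return findings


def audit_all(interfaces: List[Interface]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every interface and key the findings by interface name."""
    return {iface.name: audit_interface(iface) for iface in interfaces}


def sample_interfaces() -> List[Interface]:
    """Constructed sample: one hardened profile, one permissive profile, one interface with no profile."""
    hardened = InterfaceMgmtProfile("mgmt-from-admins", {"ping", "ssh", "https"}, ["10.1.1.0/24"])
    risky = InterfaceMgmtProfile("allow-everything", {"ping", "telnet", "ssh", "http", "https"})
    return [
        Interface("ethernet1/2", "trust", hardened),
        Interface("ethernet1/1", "untrust", risky),
        Interface("ethernet1/3", "dmz"),
    ]


if __name__ == "__main__":
    for name, findings in audit_all(sample_interfaces()).items():
        print(name, "OK" if not findings else "")
        for code, message in findings:
            print(f"  [{code}] {message}")
```

The permissive profile produces four findings (two plain-text protocols, exposure in the untrusted zone, and no source restriction), while the hardened profile and the interface without a profile produce none, which is the state the exam tip describes.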
SSL/TLS profile
Palo Alto Networks firewalls and Panorama employ SSL/TLS service
profiles to specify certificates and permissible protocol versions for various
SSL/TLS services. These services encompass the Authentication Portal,
GlobalProtect portals and gateways, inbound traffic on the MGT interface,
the URL Admin Override feature, secure syslog log forwarding, and the
User-ID syslog listening service.
By defining protocol versions within these profiles, you gain control over
which cipher suites and TLS versions can be used to secure communication
with clients requesting these services. This proactive approach enhances
network security by allowing the firewall or Panorama to steer clear of
SSL/TLS versions known to have vulnerabilities. If a service request
involves a protocol version falling outside the specified range, the firewall or
Panorama will adapt the connection to a supported version, either
downgrading or upgrading as necessary.
EXAM TIP: For client systems to use firewall services, their
Certificate Trust List (CTL) must include the Certificate Authority (CA)
certificate that issued the certificate specified in the SSL/TLS service
profile. Otherwise, users will see a certificate error when requesting
firewall services. Most third-party CA certificates are already installed in
client browsers by default. If an enterprise or firewall-generated CA
certificate is the issuer, you must deploy that CA certificate to the CTL in
client browsers.
Deploy and Configure Security Profiles
Security Profiles implement precise security measures offered by Palo Alto
Networks' Content-ID next-generation technology. Once these Security
Profiles are established, they are linked to Security policy rules that dictate
the Content-ID scans to be executed on traffic allowed by a particular policy
rule. These profiles must be associated with the Security policy rules to
activate their protective measures, and they will exclusively apply to the
traffic governed by that specific rule.
Custom configuration of different Security Profiles and Security
Profile Groups
Security Profile Overview
Security Profiles may include:
Antivirus
Anti-Spyware
Vulnerability Protection
URL Filtering
File Blocking
WildFire Analysis
Data Filtering
DoS Protection
Figure 5-01: Report and Enforce Policy
Scanning occurs continuously through signature matching, operating in a
streaming fashion rather than on a per-file basis. Updating these signatures
depends on the firewall's configuration and licensing choices. For instance,
with a WildFire license, new virus and malware signatures can be added in
real-time. However, if the firewall has a Threat Prevention license but lacks
a WildFire license, signatures from WildFire will only be updated once
every 24 hours. Remember that content scanning, once activated, consumes
firewall resources. It is advisable to refer to a firewall comparison chart to
identify the model that aligns with the required Threat Enabled throughput
for your specific needs.
EXAM TIP: Security Profiles are not used to decide whether or
not to allow traffic. Instead, they are used to scan traffic already allowed
by a security policy rule.
Identifying Security Profiles for use
While Security policy rules are designed to permit or block network traffic,
Security Profiles are crucial in establishing an allow-but-scan rule. This rule
scans permitted applications for potential threats, including viruses,
malware, spyware, and DoS attacks. When network traffic aligns with the
allowed rule specified in the Security Policy, the attached Security Profile(s)
come into play, conducting in-depth content inspections like antivirus checks
and data filtering. Security Profiles essentially deliver the capabilities of the
Content-ID feature found in PAN-OS software.
It's worth noting that Security Profiles are not utilized in the match criteria of
a traffic flow. Instead, they are employed to scan traffic once it has been
allowed by the Security policy based on application or category.
The firewall provides default Security Profiles, readily available to fortify
your network against potential threats. The specific Security Profiles
connected to the Security policies allow rules to determine the extent of
threat detection applied to the traffic.
For added convenience, you can bundle commonly used Security Profiles
into a Security Profile Group. This group of profiles can be treated as a
unified entity and added to Security policy rules in one step, or it can be
included in Security policy rules by default if you opt to establish a default
Security Profile Group.
Antivirus Profiles
Antivirus profiles protect against viruses, worms, Trojan horses, and
spyware downloads. The Palo Alto Networks antivirus solution uses a
stream-based malware prevention engine that inspects traffic when the first
packet is received to protect clients without significantly impacting firewall
performance. These profiles perform scans for various malware found in
executables, PDF files, HTML, and JavaScript viruses. Additionally, they
offer scanning capabilities within compressed files and data-encoding
schemes. If you have enabled decryption on the firewall, this profile also
enables the scanning of decrypted content.
The default profile inspects all the listed protocol decoders for viruses. It
generates alerts for the SMTP, IMAP, and POP3 protocols while blocking for
FTP, HTTP, and Server Message Block (SMB) protocols. Here are the
different actions and their explanations:
Default: Palo Alto Networks defines a default action internally for each
threat and antivirus signature. Typically, the default action is an alert, a
reset, or a combination of both. The default action is in parentheses, like
"default (alert)," in the threat or antivirus signature.
Allow: This action allows the application traffic to pass through without
interruption.
Alert: This action triggers an alert for each application traffic flow
recorded in the Threat log.
Drop: This action immediately terminates or discards the application
traffic.
Reset-Client: In the case of TCP traffic, this action resets the client-side
connection. For UDP, it simply drops the connection.
Reset-Server: For TCP traffic, this action resets the server-side
connection. For UDP traffic, it drops the connection.
Reset-Both: In TCP scenarios, this action resets the connection between
the client and server ends. For UDP, it drops the connection.
These actions define how the firewall responds to identified threats and
antivirus signatures. Customized profiles offer the flexibility to streamline
antivirus inspections for traffic between trusted security zones, reducing
scrutiny. Conversely, they can intensify inspections for traffic originating
from untrusted zones like the internet and for traffic destined for highly
sensitive areas such as server farms.
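Two points from the sections above are easy to get wrong on the exam: Security Profiles never take part in rule matching (the "allow-but-scan" model under Identifying Security Profiles for use), and the reset actions of an Antivirus profile become a plain drop for UDP. As an added example that is not part of this guide or of PAN-OS, the Python model below evaluates a flow against an ordered rulebase and then, only if the matching rule allows the traffic, runs the attached profile's signatures over the payload and translates the signature action into the enforcement outcome the page lists. The SecurityRule, Flow and AntivirusProfile classes, the signature names and payload markers, and the "default (action)" parsing are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class SecurityRule:
    name: str
    from_zone: str            # "any" matches every zone
    to_zone: str
    applications: Set[str]    # {"any"} matches every application
    action: str               # "allow" or "deny"
    profiles: list = field(default_factory=list)   # Security Profiles attached to an allow rule


@dataclass
class Flow:
    from_zone: str
    to_zone: str
    application: str
    protocol: str             # "tcp" or "udp"
    payload: bytes


@dataclass
class AntivirusProfile:
    name: str
    # constructed signature table: name -> (byte pattern, action as shown in the profile)
    signatures: Dict[str, Tuple[bytes, str]]


RESET_ACTIONS = {"reset-client", "reset-server", "reset-both"}


def resolve_action(action: str) -> str:
    """'default (alert)' means the vendor-defined default, shown in parentheses."""
    action = action.strip().lower()
    if action.startswith("default") and "(" in action:
        return action[action.index("(") + 1:action.index(")")].strip()
    return action


def enforce(action: str, protocol: str) -> str:
    """Map a profile action to what the firewall does with this flow."""
    action = resolve_action(action)
    if action in ("allow", "alert"):
        return "allow"                       # alert additionally writes a Threat log entry
    if action == "drop":
        return "drop"
    if action in RESET_ACTIONS:
        return action if protocol == "tcp" else "drop"   # resets only make sense for TCP
    raise ValueError(f"unknown action {action!r}")


def match_rule(rules: List[SecurityRule], flow: Flow) -> Optional[SecurityRule]:
    """First-match evaluation on zones and application; profiles are deliberately not consulted."""
    for rule in rules:
        if rule.from_zone in ("any", flow.from_zone) and rule.to_zone in ("any", flow.to_zone) \
                and ("any" in rule.applications or flow.application in rule.applications):
            return rule
    return None


def evaluate(rules: List[SecurityRule], flow: Flow) -> Tuple[str, str, List[str]]:
    """Return (verdict, rule name, threats logged). Scanning happens only after an allow match."""
    rule = match_rule(rules, flow)
    if rule is None:
        return ("deny", "interzone-default", [])
    if rule.action != "allow":
        return ("deny", rule.name, [])
    logged = []
    for profile in rule.profiles:
        for sig_name, (pattern, action) in profile.signatures.items():
            if pattern in flow.payload and resolve_action(action) != "allow":
                logged.append(sig_name)
                outcome = enforce(action, flow.protocol)
                if outcome != "allow":
                    return (outcome, rule.name, logged)
    return ("allow", rule.name, logged)


def build_sample() -> List[SecurityRule]:
    """Constructed rulebase: one allow-but-scan rule followed by a catch-all deny."""
    av = AntivirusProfile("av-strict", {
        "constructed-trojan": (b"CONSTRUCTED-TROJAN-MARKER", "default (reset-both)"),
        "noisy-tracker": (b"TRACKME", "alert"),
    })
    return [
        SecurityRule("allow-web", "trust", "untrust", {"web-browsing", "ssl"}, "allow", [av]),
        SecurityRule("deny-all", "any", "any", {"any"}, "deny"),
    ]


if __name__ == "__main__":
    rules = build_sample()
    print(evaluate(rules, Flow("trust", "untrust", "web-browsing", "tcp", b"GET / HTTP/1.1")))
    print(evaluate(rules, Flow("trust", "untrust", "ftp", "tcp", b"CONSTRUCTED-TROJAN-MARKER")))
```

The ftp flow in the last line carries the marker but is denied by rule matching alone and never reaches the profile, while the same marker over web-browsing yields reset-both on TCP and drop on UDP.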
Palo Alto Networks' WildFire system extends its coverage by providing
signatures for persistent threats that are evasive and not yet detected by other
antivirus solutions. When WildFire identifies such threats, signatures are
rapidly generated and incorporated into standard antivirus signatures. Threat
Prevention subscribers can download these updated signatures daily and
even sub-hourly by WildFire subscribers.
The WildFire inline Machine Learning (ML) option, integrated into the
Antivirus profile, empowers the firewall's data plane to conduct real-time
ML assessments on a variety of file types, including PE (Portable
Executable), ELF (Executable and Linkable Format), MS Office files,
PowerShell, and shell scripts. This ML layer enhances antivirus protection,
complementing WildFire-based signatures to provide extended coverage for
files lacking existing signatures. Each inline ML model dynamically
identifies malicious files of specific types by analyzing file attributes,
including decoder fields and patterns, to make highly probable
classifications. This protection extends to both presently unknown threats
and future variants that share recognized malicious characteristics. Inline
ML models are added or updated through regular content releases to stay
current with evolving threats. It's important to note that enabling WildFire
inline ML requires an active WildFire subscription.
Anti-Spyware Profiles
Anti-Spyware Profiles prevent spyware-infected hosts from establishing
connections to external Command and Control (C2) servers. By doing so,
they enable the detection of potentially malicious traffic leaving the network
from compromised client devices. These profiles offer the flexibility to
apply different levels of protection between security zones. For instance, you
can create custom Anti-Spyware Profiles tailored to minimize inspection for
traffic between trusted zones while intensifying inspection for traffic from
untrusted zones, such as those facing the internet.
When implementing anti-spyware measures within a Security policy rule,
you have the option to either define your own custom Anti-Spyware Profiles
or select from the predefined profiles provided:
Default Profile: This profile follows the default action specified by Palo
Alto Networks for each signature when it was initially created.
Strict: The Strict profile takes a more aggressive approach by overriding
the default action for critical, high, and medium-severity threats and
enforcing the block action, regardless of the action initially defined in the
signature file. However, it still adheres to the default action for low and
informational-severity signatures.
Once the firewall identifies a threat event, you can configure specific actions
within an Anti-Spyware Profile. Here are the actions that can be configured
in an Anti-Spyware Profile:
default
allow
alert
drop
reset-client
reset-server
reset-both
These actions are similar to the firewall responses discussed earlier. In
certain instances, when the profile action is set to reset-both, the associated
threat log may display the action as a reset-server. It occurs when the
firewall detects a threat at the initiation of a session, presenting the client
with a 503 block page. This page disallows the connection, so only the
server-side connection needs resetting; the client side does not.
Block IP: This action blocks traffic originating from either a source or a
source-destination pair, and you can specify the duration of the block.
Additionally, you can activate the DNS Sinkholing action within Anti-
Spyware Profiles. This feature allows the firewall to generate a response to a
DNS query for a known malicious domain, causing the malicious domain
name to resolve to an IP address of your choice. This capability aids in
identifying infected hosts on the protected network through DNS traffic
analysis. Infected hosts can be easily pinpointed in the Traffic and Threat
logs, as any host attempting to connect to the sinkhole IP address is likely
compromised by malware.
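The detection step that DNS Sinkholing enables, as an added example (not code from the study guide or from Palo Alto Networks): once the sinkhole answer has been handed to an infected host, that host's attempt to reach the sinkhole address shows up in the Traffic log with the host's own source IP. The log lines below are constructed in a simplified comma-separated layout, not the real PAN-OS export format, and 192.0.2.100 is a placeholder for whatever sinkhole address the Anti-Spyware Profile is configured to return.

```python
"""Find internal hosts that connected to the DNS sinkhole address.

Added example, not code from the study guide or from Palo Alto Networks.
The log lines are constructed in a simplified comma-separated layout
(timestamp, source IP, destination IP, destination port, application,
action) rather than the real PAN-OS Traffic log export format, and the
sinkhole address 192.0.2.100 is a placeholder for whatever address the
Anti-Spyware Profile's DNS Sinkhole setting returns.
"""
import csv
import io
from collections import defaultdict

# Constructed sample Traffic log: two hosts (10.1.1.25 and 10.1.1.77) were
# handed the sinkhole address by the firewall and then tried to reach it.
SAMPLE_TRAFFIC_LOG = """\
2024-05-01 10:00:01,10.1.1.25,192.0.2.100,80,web-browsing,allow
2024-05-01 10:00:03,10.1.1.40,203.0.113.5,443,ssl,allow
2024-05-01 10:00:07,10.1.1.25,192.0.2.100,443,ssl,allow
2024-05-01 10:00:09,10.1.1.77,192.0.2.100,8080,unknown-tcp,allow
2024-05-01 10:00:12,10.1.1.40,198.51.100.9,53,dns,allow
"""

SINKHOLE_IP = "192.0.2.100"  # placeholder; use the address configured in the profile


def sinkhole_connections(log_text, sinkhole_ip=SINKHOLE_IP):
    """Group every session whose destination is the sinkhole address by source host.

    Returns {source_ip: [(timestamp, dst_port, application), ...]}.
    The firewall's own action on these sessions does not matter: the fact
    that the host tried to reach the sinkhole at all is the indicator.
    """
    hits = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        timestamp, src_ip, dst_ip, dst_port, app, _action = row
        if dst_ip == sinkhole_ip:
            hits[src_ip].append((timestamp, int(dst_port), app))
    return dict(hits)


def likely_infected_hosts(log_text, sinkhole_ip=SINKHOLE_IP):
    """Sorted list of source hosts with at least one sinkhole connection."""
    return sorted(sinkhole_connections(log_text, sinkhole_ip))


if __name__ == "__main__":
    for host, sessions in sinkhole_connections(SAMPLE_TRAFFIC_LOG).items():
        print(f"{host}: {len(sessions)} connection(s) to sinkhole")
```

The point of searching the Traffic log rather than the original DNS Threat log is that, where an internal resolver sits between clients and the firewall, the DNS query itself is logged with the resolver's address; only the follow-on connection to the sinkhole address reveals the real client.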
Vulnerability Protection Profiles
Vulnerability Protection Profiles protect against attempts to exploit system
vulnerabilities or gain unauthorized access. These profiles are adept at
identifying situations where network traffic suggests a server or client is
susceptible to vulnerabilities. While Anti-Spyware Profiles assist in
identifying infected hosts as traffic exits the network, Vulnerability
Protection Profiles focus on safeguarding against threats attempting to
infiltrate the network.
For instance, Vulnerability Protection Profiles are designed to thwart threats
such as buffer overflows, illicit code execution, and other endeavors to
exploit system weaknesses. The default Vulnerability Protection Profile
protects clients and servers, guarding against all known threats categorized
as critical, high, and medium severity. Furthermore, you can create
exceptions allowing custom responses to specific signatures.
After the firewall detects a threat event, you can configure the Vulnerability
Protection Profile to execute actions similar to those in anti-spyware
responses. These actions include default, allow, alert, drop, reset-client,
reset-server, reset-both, and block IP. It's important to note that, similar to
the anti-spyware profiles, when the vulnerability protection action profile is
set to "reset-both," the associated threat log may display the action as a reset-
server. As previously discussed, this occurs when the firewall detects a threat
at the session's inception and presents the client with a 503-block page.
Since this page prevents the connection, only the server-side connection is
reset.
URL Filtering Profiles
A URL Filtering Profile serves as a set of controls for URL filtering, which
is applied to individual Security policy rules to enforce your organization's
web access policies. Out of the box, the firewall includes a default profile
configured to block categories prone to threats like malware, phishing, and
adult content. You have several options for using and customizing these
URL Filtering Profiles.
You can configure user-credential detection to enhance security, allowing
users to submit credentials only to websites within specified URL categories.
This practice reduces the attack surface by preventing credential submission
to sites categorized as untrusted. If you block all URL categories related to
user credential submission within a URL Filtering Profile, there is no need to
check credentials for those sites.
URL Filtering Profiles empower you to monitor and control how users
access the web over HTTP and HTTPS. The firewall's default profile is
preconfigured to block websites known for hosting malware, phishing
attempts, and adult content. You can either use this default profile as-is,
clone it for creating customized profiles, or generate entirely new profiles
with an initial "allow all" configuration for better insight into network
traffic. This customization allows you to specify lists of websites to be
blocked or allowed, providing more granular control over URL categories.
For enhanced protection through advanced URL filtering subscriptions,
Inline Categorization employs real-time analysis of URL traffic using
firewall-based or cloud-based Machine Learning models. This technology
detects and prevents malicious phishing variants and JavaScript exploits
from infiltrating your network.
Data Filtering Profiles
Data Filtering Profiles are designed to prevent sensitive information, such
as credit card numbers or Social Security numbers, from leaving a secured
network. These profiles also offer the flexibility to filter content based on
specific keywords, such as a sensitive project name or the word
"confidential." They allow you to fine-tune the profile by specifying desired
file types, reducing the likelihood of false positives. For instance, you can
search only within Word documents or Excel spreadsheets and limit the
scanning to web-browsing traffic or FTP transfers.
Moreover, a range of predefined patterns is available to simplify the
configuration of common filtering requirements. These patterns cover
various sensitive data types, including Social Security, NHI Identification
Numbers, and credit card information. You have the option to create custom
data pattern objects based on the following criteria:
Predefined Patterns: You can apply predefined patterns from over 20
options, covering sensitive data like Social Security numbers, national
identity numbers from different countries, credit card information, and
other useful patterns.
Regular Expressions: You can filter content using custom regular
expressions, allowing you to define specific character strings to search
for.
File Properties: You can set up filters based on file properties and their
associated values, which is particularly useful when dealing with different
file types.
Additionally, suppose you employ a third-party endpoint Data Loss
Prevention (DLP) solution to populate file properties indicating sensitive
content. In that case, the firewall can enforce your DLP policy by effectively
recognizing and acting upon these properties.
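How a data pattern and the file-type and application scoping described above fit together, as an added example that is not code from the study guide or from Palo Alto Networks. It pairs a regular-expression candidate match for card numbers with a Luhn check, which is what keeps random 16-digit order numbers from triggering the rule, and applies constructed alert and block thresholds only to transfers whose file type and application are inside the rule's scope. The rule fields and the sample documents are constructed and are not PAN-OS syntax.

```python
"""Scan content for credit card numbers with a validated pattern and apply a
data filtering rule scoped by file type and application.

Added example, not from the study guide or Palo Alto Networks. The rule
fields (file types, applications, alert/block thresholds) and the sample
documents are constructed for illustration.
"""
import re

# Candidate: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn checksum; rejects most random digit runs (order IDs, timestamps)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return normalised card numbers whose Luhn check passes."""
    found = []
    for match in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


# Constructed data filtering rule (not PAN-OS syntax): scan only Word/Excel
# files carried over web-browsing or ftp; alert at 1 hit, block at 3.
RULE = {
    "file_types": {"docx", "xlsx"},
    "applications": {"web-browsing", "ftp"},
    "alert_threshold": 1,
    "block_threshold": 3,
}


def evaluate_transfer(text, file_type, application, rule=RULE):
    """Return ('allow'|'alert'|'block', matches) for one file transfer."""
    if file_type not in rule["file_types"] or application not in rule["applications"]:
        return "allow", []  # outside the rule's scope: not inspected
    matches = find_card_numbers(text)
    if len(matches) >= rule["block_threshold"]:
        return "block", matches
    if len(matches) >= rule["alert_threshold"]:
        return "alert", matches
    return "allow", matches


# Constructed samples: one valid test card plus a 16-digit order number that
# fails Luhn, and a spreadsheet export holding three valid test numbers.
INVOICE_DOCX = "Customer paid with 4111 1111 1111 1111; order ref 1234567890123456."
EXPORT_XLSX = "4111111111111111\n378282246310005\n5555-5555-5555-4444\n"

if __name__ == "__main__":
    print(evaluate_transfer(INVOICE_DOCX, "docx", "web-browsing"))
    print(evaluate_transfer(EXPORT_XLSX, "xlsx", "ftp"))
```

The same export sent over an application or in a file type outside the rule's scope is not inspected at all, which is exactly the false-positive trade-off the text describes: narrowing the scope reduces noise, but anything outside it passes unscanned.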
File Blocking Profiles
The firewall employs File Blocking Profiles to prevent the transfer of
specific file types across designated applications and in specified session
flow directions (inbound, outbound, or both). Within these profiles, you can
configure actions such as alerting or blocking for uploads or downloads, and
you can precisely specify which applications should adhere to the File
Blocking Profile.
Furthermore, you have the flexibility to configure custom response pages
that appear when a user attempts to download a specified file type. These
response pages allow users to consider whether to proceed with the
download. When implementing file blocking within a Security policy rule,
you can either create your own tailored File Blocking Profiles or opt for one
of the predefined profiles available from content release version 653
onwards. These predefined profiles offer a convenient way to enable best-
practice file-blocking settings swiftly. You can employ two distinct file-
blocking profiles to enhance security within your network:
Basic File Blocking Profile: This profile should be associated with
Security policy rules that permit traffic to and from less-sensitive
applications. It is designed to block files frequently used in malware
attack campaigns or have no legitimate use case for upload or download.
The profile actively prevents the upload and download of various file
types, including PE files (.scr, .cpl, .dll, .ocx, .pif, .exe), Java files (.class,
.jar), Help files (.chm, .hlp), and other potentially malicious file types
such as .vbe, .hta, .wsf, .torrent, .7z, .rar, and .bat. Users are also
prompted for acknowledgment when downloading encrypted-rar or
encrypted-zip files. This profile generates alerts for all other file types for
added transparency, offering comprehensive visibility into the files
entering and leaving your network.
Strict File Blocking Profile: This profile is intended for use in Security
policy rules that grant access to the most sensitive applications. It
includes all the file types blocked by the basic file-blocking profile.
Additionally, it extends the blocking to encompass flash, .tar, multi-level
encoding, .cab, .msi, encrypted-rar, and encrypted-zip files, ensuring even
stricter security measures.
To configure a File Blocking Profile, you have several action options:
Alert: When a designated file type is detected, an entry is logged in the
Data Filtering log. No blocking occurs; it is just for monitoring and
record-keeping.
Block: Upon detecting the specified file type, the file is immediately
blocked, and the user encounters a customizable block page.
Simultaneously, a log is generated in the Data Filtering log to track the
action.
Continue: A customizable response page is presented to the user when
the specified file type is detected. In this case, the user can click through
the page to initiate the file download. Like the Block action, this
generates a log entry in the Data Filtering log. Note that the Continue
action requires user interaction and therefore only applies to web traffic.
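A worked illustration of the basic and strict profiles and the three actions above, added here as an example and not code from the study guide or from Palo Alto Networks. File types are identified from leading bytes rather than from the file name, since a renamed executable is still an executable; the magic-byte table is a small subset of what the firewall itself recognises, and the two profile definitions are transcribed from the descriptions above. The sample files are constructed in memory.

```python
"""Identify a file's real type from its content and resolve the File Blocking
Profile action for it.

Added example, not from the study guide or Palo Alto Networks: the type
detection is a small magic-byte check (the firewall's own file-type
identification is more thorough), and the two profile definitions below are
transcribed from the basic and strict profiles described in the text.
"""
import io
import struct
import zipfile

SIGNATURES = [
    (b"MZ", "pe"),                                  # Windows PE: .exe, .dll, .scr, .cpl, .ocx, .pif
    (b"\x7fELF", "elf"),
    (b"\xca\xfe\xba\xbe", "class"),                 # Java class file
    (b"Rar!\x1a\x07", "rar"),
    (b"7z\xbc\xaf\x27\x1c", "7z"),
    (b"ITSF", "chm"),
    (b"MSCF", "cab"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "msi"),   # OLE compound file (also legacy Office)
]


def identify(data):
    """Best-effort file type from leading bytes; 'unknown' if nothing matches."""
    for magic, ftype in SIGNATURES:
        if data.startswith(magic):
            return ftype
    if data.startswith(b"PK\x03\x04") and len(data) >= 8:
        flags = struct.unpack("<H", data[6:8])[0]
        if flags & 0x1:                         # general-purpose bit 0: entry is encrypted
            return "encrypted-zip"
        if b"META-INF/MANIFEST.MF" in data:      # a JAR is a zip with a manifest
            return "jar"
        return "zip"
    return "unknown"


BASIC_PROFILE = {
    "block": {"pe", "jar", "class", "chm", "hlp", "vbe", "hta", "wsf",
              "torrent", "7z", "rar", "bat"},
    "continue": {"encrypted-rar", "encrypted-zip"},
}
STRICT_PROFILE = {
    "block": BASIC_PROFILE["block"] | {"flash", "tar", "multi-level-encoding",
                                       "cab", "msi", "encrypted-rar", "encrypted-zip"},
    "continue": set(),
}


def resolve_action(profile, file_type):
    """'block', 'continue' or 'alert' (everything else is logged, not blocked)."""
    if file_type in profile["block"]:
        return "block"
    if file_type in profile["continue"]:
        return "continue"
    return "alert"


def inspect(data, profile):
    ftype = identify(data)
    return ftype, resolve_action(profile, ftype)


def build_zip(entries, encrypted=False):
    """Constructed in-memory archive; the encrypted flag is set by hand since
    zipfile cannot write encrypted entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries:
            zf.writestr(name, content)
    data = bytearray(buf.getvalue())
    if encrypted:
        data[6] |= 0x1   # flags field of the first local file header
    return bytes(data)


# Constructed samples
SAMPLE_PE = b"MZ\x90\x00" + b"\x00" * 60
SAMPLE_JAR = build_zip([("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n"),
                        ("Main.class", b"\xca\xfe\xba\xbe")])
SAMPLE_ENCRYPTED_ZIP = build_zip([("report.docx", b"x" * 10)], encrypted=True)
SAMPLE_TEXT = b"hello world"
```

Note how the same encrypted zip gets Continue under the basic profile and Block under the strict one, and that Continue is only meaningful where a response page can be shown, that is, for web traffic.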
WildFire Analysis Profiles
A WildFire Analysis Profile is a tool that allows you to configure the
firewall to send unknown files or email links for analysis by WildFire. This
analysis is particularly crucial for detecting zero-day threats concealed
within files. While the firewall's antivirus threat detection handles known
viruses based on local resources, the WildFire Analysis Profile focuses on
identifying new and emerging threats.
With this profile, you can specify which files should be forwarded for
analysis based on various criteria, including the application, file type, and
transmission direction (upload or download). Files that meet the conditions
defined in the profile rule are then sent for analysis, either to the WildFire
public cloud or a private cloud hosted by a WF-500 appliance, depending on
your rule's analysis location settings. Notably, if a profile rule is configured
to forward files to the WildFire public cloud, it will also forward files that
match existing antivirus signatures and unknown files.
Furthermore, WildFire Analysis Profiles offer the flexibility to set up a
WildFire hybrid cloud deployment. It allows you to leverage the local
analysis capacity of a WildFire appliance for sensitive file types, such as
PDFs, while simultaneously sending less-sensitive file types (e.g., PE files)
or file types that the appliance does not support for cloud-based analysis
(e.g., Android Application Packages (APKs)) to be processed by the
WildFire public cloud. This strategic approach ensures both quick verdicts
for files processed by the cloud and optimal utilization of the appliance's
capacity for sensitive content.
In essence, WildFire Analysis Profiles enable your organization to benefit
from enhanced threat analysis and a multi-tiered approach to file inspection
to bolster security and resource efficiency. Remember that files are not held
in quarantine while awaiting evaluation by WildFire. In cases where
malware is positively identified, it is the responsibility of the security
engineer to utilize the information collected by both the firewall and
WildFire to locate the file internally for remediation.
WildFire Analysis Profiles, together with the organization's system-wide
WildFire configuration settings, determine which files are sent for
analysis. WildFire typically provides a verdict on a file within a relatively
short timeframe, usually 5 to 10 minutes after submission. The outcome of WildFire analysis
includes a comprehensive report that encompasses all the attributes of the
original file and details about any contained malware. This report serves as a
valuable resource, offering a precise description of the specific nature of the
identified threat.
DoS Protection Profiles
DoS Protection profiles offer comprehensive control for managing DoS
(Denial-of-Service) Protection policy rules. These profiles empower you to
regulate the number of sessions across various criteria, such as interfaces,
zones, IP addresses, and even countries. You can base these controls on
aggregate session counts or consider source and destination IP addresses in
your assessment. The Palo Alto Networks firewalls are equipped with two
primary DoS protection mechanisms:
Flood Protection: This mechanism is designed to identify and thwart
attacks where the network experiences a flood of packets, resulting in
excessive half-open sessions or causing services to become unresponsive
to incoming requests. Typically, such attacks involve the use of spoofed
source addresses.
Resource Protection: This mechanism is focused on detecting and
preventing session exhaustion attacks. In this attack, multiple hosts, often
bots, are utilized to establish as many fully established sessions as
possible to consume all available system resources.
A single DoS Protection profile can incorporate both types of protection
mechanisms. This profile serves as a means to specify the actions to be taken
and the specific criteria for matching within a DoS policy. Within the DoS
Protection profile, you establish threshold settings for SYN, UDP, and ICMP
floods, activate resource protection, and determine the maximum allowable
concurrent connections. Once the DoS Protection profile is configured, it can
be linked to a DoS policy rule.
Customizing the DoS protection configuration by analyzing your specific
network environment is essential. These adjustments should be based on
your traffic patterns rather than on the default values provided.
Relationship between URL Filtering and Credential Theft
Prevention
Phishing Prevention Overview
Palo Alto Networks' URL filtering solution complements App-ID by
controlling web traffic (HTTP and HTTPS) and enhancing network security.
With URL filtering active, all web traffic is examined against a vast database
containing categorized websites. These URL categories serve as criteria for
applying security policies, ensuring safe web access, and managing network
traffic. URL filtering can also enforce safe search settings for users and
prevent credential phishing based on website categories.
Credential phishing prevention involves monitoring website username and
password submissions and comparing them with valid corporate credentials.
You can decide which websites allow or block corporate credential
submissions based on their URL category. When the firewall detects a user
attempting to transmit credentials to a restricted category website, it can
either display a block response page, preventing credential submission, or a
warning page, cautioning users against submitting credentials to sites in
specific URL categories. In the latter case, users can still proceed with their
credential submissions. These block and warning pages can be customized to
educate users about the risks of reusing corporate credentials, even on
legitimate, non-phishing websites.
Credential Detection
Before configuring credential phishing protection, you should determine
which method the firewall will use to identify credentials. Each of these
methods requires User-ID to be configured. The IP address-to-username
mapping and group mapping methods verify the validity of
submitted usernames. In these cases, the firewall permits or blocks the
submission based on your settings without considering the accompanying
password. On the other hand, the domain credential filter method goes a step
further by checking the validity of usernames and passwords submitted on a
web page. Here's how each method works:
IP address-to-username mapping (using PAN-OS-integrated agent):
The firewall utilizes IP address-to-user mappings collected by User-ID to
validate if a username submitted on a webpage matches the logged-in
user's username.
Group mapping (using PAN-OS integrated agent): User-ID agent
gathers group mapping data from a directory server, retrieving lists of
groups and their corresponding members. It then compares usernames
submitted on a webpage with the usernames of group members.
Domain credential filter (using a Windows-based agent): In this
method, the User-ID agent is installed on a Read-Only Domain
Controller. It collects password hashes associated with users for whom
you wish to enable credential detection and sends these mappings to the
firewall. The firewall then checks if the source IP address of a session
matches a username and if the password submitted on the web page
belongs to that username. In this mode, the firewall only takes action,
either blocking or alerting, when the submitted password matches a
known user's password.
Category Selection for Enforcement
Once you have chosen the detection method for the URL Filtering Profile,
the next step is to decide on the enforcement action for each relevant
browsing category. Custom categories can be created when you need
flexibility in identifying specific category members. For each category, you
can specify how you want to handle user credential submissions as follows:
Alert: This action allows users to submit credentials to the website but
generates a URL Filtering log entry each time a user submits credentials
to sites within this URL category.
Allow: This is the default setting, allowing users to submit credentials to
the website without any additional action.
Block: With this action, users are prevented from submitting credentials
to the website. When a user attempts to submit credentials, the firewall
displays the Anti-Phishing Block page, which actively prevents the
submission.
Continue: If you select this action, the firewall presents the Anti-Phishing
Continue page as a response when a user tries to submit credentials. After
seeing this warning page, users must actively choose to continue with the
submission.
When the firewall identifies a user's attempt to submit credentials to a
website falling within a restricted category, it can display a block response
page to prevent the submission or a continue page to caution the user
against submitting credentials to sites categorized in certain URL categories.
Only in the latter case can the user still proceed with the credential
submission. These block and continue pages can be customized to
educate users about the risks of reusing corporate credentials, even on
legitimate, non-phishing websites.
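The three detection methods and the per-category actions above, modelled end to end as an added example (not code from the study guide or from Palo Alto Networks). The User-ID data, group members, stored credentials and category settings are constructed; the domain credential filter is simplified to a salted hash comparison, which is not how the Windows User-ID agent actually represents the credentials it collects. What the example makes visible is the difference in what each method proves: the two mapping methods never look at the password, while the domain credential filter acts only when both the username and the password match.

```python
"""Model of the three credential detection methods and the per-category
enforcement actions described in the text.

Added example, not from the study guide or Palo Alto Networks. The User-ID
data (IP-to-user mappings, group members, stored credentials) and the
category actions are constructed; the domain credential filter is simplified
to a salted SHA-256 comparison, which is not how the Windows User-ID agent
actually represents collected credentials.
"""
import hashlib

# Constructed User-ID data
IP_USER_MAP = {"10.1.1.25": "acme\\jdoe", "10.1.1.40": "acme\\asmith"}
GROUP_MEMBERS = {"acme\\jdoe", "acme\\asmith", "acme\\bwong"}

SALT = b"constructed-salt"


def credential_digest(username, password):
    return hashlib.sha256(SALT + f"{username}:{password}".encode()).hexdigest()


# What the (simplified) domain credential filter holds for monitored users;
# the passwords are constructed sample values.
STORED_CREDENTIALS = {
    "acme\\jdoe": credential_digest("acme\\jdoe", "sample-pass-one"),
    "acme\\asmith": credential_digest("acme\\asmith", "sample-pass-two"),
}


def is_corporate_credential(method, src_ip, username, password=None):
    """Does this submission count as a corporate credential under the chosen method?"""
    if method == "ip-user-mapping":
        # Username must equal the user logged in from the source address.
        return IP_USER_MAP.get(src_ip) == username
    if method == "group-mapping":
        # Username only has to belong to a mapped group; password ignored.
        return username in GROUP_MEMBERS
    if method == "domain-credential-filter":
        # Both the username (via the IP mapping) and the password must match.
        if IP_USER_MAP.get(src_ip) != username or username not in STORED_CREDENTIALS:
            return False
        return STORED_CREDENTIALS[username] == credential_digest(username, password or "")
    raise ValueError(f"unknown detection method: {method}")


# Constructed per-category credential submission settings; unlisted
# categories use the default, allow.
CATEGORY_ACTIONS = {
    "unknown": "block",
    "social-networking": "continue",
    "web-based-email": "alert",
}
RESPONSE_PAGES = {"block": "Anti-Phishing Block page",
                  "continue": "Anti-Phishing Continue page"}


def enforce(method, src_ip, username, password, category):
    """Return (action, response_page, logged) for one credential submission."""
    if not is_corporate_credential(method, src_ip, username, password):
        return "allow", None, False      # not a corporate credential: nothing to enforce
    action = CATEGORY_ACTIONS.get(category, "allow")
    return action, RESPONSE_PAGES.get(action), action != "allow"
```

Alert, block and continue all produce a URL Filtering log entry; only allow is silent. Note that with ip-user-mapping a submission of a colleague's username from the same host is not treated as corporate, while group-mapping would catch it.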
Use of Username and Domain Name in HTTP Header Insertion
Header insertion on the firewall is exclusively compatible with HTTP/1.x
traffic and does not extend to HTTP/2 traffic. You can establish insertion
entries based on predefined HTTP header insertion types or define your
custom types. This function applies to custom HTTP headers as well as
standard HTTP headers. Please note that HTTP header insertion can be
executed through the following methods:
GET
POST
PUT
HEAD
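What a header insertion entry carrying the username and domain does to a request, as an added example that is not code from the study guide or from Palo Alto Networks. The header names, the {user}/{domain} placeholder convention and the IP-to-user table are this example's own (PAN-OS has its own syntax for dynamic values); the requests are constructed. It applies the two limits stated above: only HTTP/1.x request lines are touched, and only for the GET, POST, PUT and HEAD methods.

```python
"""Insert username and domain headers into an HTTP/1.x request the way a
header insertion entry would, skipping HTTP/2 and unsupported methods.

Added example, not from the study guide or Palo Alto Networks. The header
names, the {user}/{domain} placeholder convention and the IP-to-user table
are this example's own; PAN-OS has its own syntax for dynamic values.
"""

INSERTABLE_METHODS = {"GET", "POST", "PUT", "HEAD"}

# Constructed User-ID mapping: source IP -> (username, domain)
IP_USER_MAP = {"10.1.1.25": ("jdoe", "acme.example")}

# Constructed insertion entry
INSERTION_ENTRY = {
    "X-Authenticated-User": "{user}",
    "X-Authenticated-Domain": "{domain}",
}


def insert_headers(raw_request, src_ip, entry=INSERTION_ENTRY):
    """Return the request with the entry's headers added, or unchanged when
    insertion does not apply (non-HTTP/1.x, unsupported method, unmapped IP)."""
    if src_ip not in IP_USER_MAP:
        return raw_request
    user, domain = IP_USER_MAP[src_ip]

    head, sep, body = raw_request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return raw_request                    # not a request line we understand
    method, _target, version = parts
    if not version.startswith(b"HTTP/1."):
        return raw_request                    # HTTP/2 preface or other: not supported
    if method.decode("ascii", "replace") not in INSERTABLE_METHODS:
        return raw_request

    # Drop any client-supplied copy of the headers being inserted so the
    # server only ever sees the firewall's value (design choice in this example).
    names = {n.lower().encode() for n in entry}
    kept = [l for l in lines[1:] if l.split(b":", 1)[0].strip().lower() not in names]
    added = [f"{name}: {value.format(user=user, domain=domain)}".encode()
             for name, value in entry.items()]
    return b"\r\n".join(lines[:1] + kept + added) + sep + body


def parse_headers(raw_request):
    """Header name -> value for the request's header block (helper for checks)."""
    head = raw_request.partition(b"\r\n\r\n")[0]
    out = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        out[name.strip().decode()] = value.strip().decode()
    return out


# Constructed requests
GET_REQUEST = (b"GET /reports HTTP/1.1\r\nHost: intranet.example\r\n"
               b"X-Authenticated-User: client-supplied\r\n\r\n")
DELETE_REQUEST = b"DELETE /item/7 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"
HTTP2_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"
```

The replacement of a client-supplied header of the same name matters for any downstream system that trusts the inserted value: the header is only meaningful if the firewall, not the client, is the sole source of it.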
DNS Security
DNS Security enables predictive analytics, Machine Learning (ML), and
automation to thwart attacks that exploit DNS. Its close integration with
Next-Generation Firewall (NGFW) streamlines protection and removes the
necessity for separate tools. This results in the ability to promptly forecast
and thwart malicious domains, counteract threats concealed within DNS
tunneling, and leverage automation to detect and isolate compromised
devices swiftly. Figure 5-02 illustrates the sources of DNS Security, the
intermediate processing of source data, and the final delivery to a firewall:
Figure 5-02: Source of DNS Security
How to Tune or Add Exceptions to a Security Profile
Palo Alto Networks offers recommended default actions (like blocking or
alerting) for threat signatures. You can utilize a threat ID to exclude a
specific threat signature from enforcement or modify the firewall's action for
that particular threat signature. It allows you to, for instance, adjust the
action for threat signatures causing false positives on your network.
Follow these steps to configure exceptions for threats related to Antivirus,
vulnerability, spyware, and DNS signatures and change how the firewall
enforces them. However, ensure the firewall effectively detects and enforces
threats according to the default signature settings before proceeding. To do
this:
Ensure you have the latest Antivirus, Threats and Applications, and
WildFire signature updates.
Purchase and activate Antivirus, Anti-Spyware, and Vulnerability
Protection subscriptions for your Palo Alto Networks firewall.
Step 1: Exclude antivirus signatures from enforcement:
Go to the Objects menu, select Security Profiles, and click Antivirus.
Add a new Antivirus Profile or modify an existing one from which you
wish to exclude a specific threat signature.
In the Antivirus Profile settings, select Signature Exceptions.
Add the Threat ID associated with the threat signature you want to
exclude from enforcement.
Select OK to save the Antivirus Profile.
Step 2: Adjust the enforcement settings for vulnerability and spyware
signatures.
(Note: This step does not apply to DNS signatures; proceed to the next
option for modifying the enforcement of DNS signatures, which are a type
of spyware signature.)
Go to Objects > Security Profiles > Anti-Spyware for spyware
signatures or Objects > Security Profiles > Vulnerability Protection for
vulnerability signatures.
Create a new Anti-Spyware Profile or modify an existing one (for
spyware signatures), create a new Vulnerability Protection Profile, or
modify an existing one (for vulnerability signatures).
Look for Signature Exceptions for Anti-Spyware Protection or
Exceptions for Vulnerability Protection profiles within the profile
settings.
Choose the Action you want the firewall to apply for this threat
signature.
If there are signatures that you want to exempt from enforcement due
to false positives, make sure to set the Action to Allow.
After making this adjustment, click OK to save the newly created or
modified Anti-Spyware or Vulnerability Protection Profile.
Step 3: Adjust enforcement for DNS signatures:
By default, DNS lookups for malicious hostnames detected by DNS
signatures are redirected (sinkhole). To modify this behavior:
Go to the Objects menu, select Security Profiles, and click Anti-
Spyware.
Create a new Anti-Spyware Profile or modify an existing one from
which you wish to exclude a particular DNS Exception.
In the profile settings, choose DNS Exceptions.
Locate the DNS Threat ID associated with the DNS signature you
want to exempt from enforcement and select the checkbox next to the
relevant signature.
Click OK to save the new or modified Anti-Spyware Profile.
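How the pieces above combine into the action the firewall finally takes, as an added example that is not code from the study guide or from Palo Alto Networks. It covers the "default (action)" label, the Strict profile override for critical, high and medium severities described under Anti-Spyware Profiles, the per-threat exceptions from steps 1 and 2, and the sinkhole-unless-excepted rule for DNS signatures from step 3. The threat IDs, severities and default actions are constructed placeholders, not real Palo Alto Networks signature IDs.

```python
"""Resolve the action the firewall applies to a threat signature: the
signature's default, the Strict profile override, a per-threat exception, or
(for DNS signatures) sinkhole unless the domain is excepted.

Added example, not from the study guide or Palo Alto Networks. The threat
IDs, severities and default actions below are constructed placeholders, not
real Palo Alto Networks signature IDs.
"""
import re

STRICT_OVERRIDE_SEVERITIES = {"critical", "high", "medium"}


def parse_default_action(label):
    """'default (alert)' -> 'alert'; plain action names pass through."""
    m = re.fullmatch(r"default\s*\((.+)\)", label.strip())
    return m.group(1).strip() if m else label.strip()


def effective_action(signature, profile_type="default", exceptions=None):
    """Action for a vulnerability or spyware signature.

    signature:    {"id": int, "severity": str, "default_action": str}
    profile_type: "default" or "strict"
    exceptions:   {threat_id: action} entries added under Signature Exceptions
    """
    exceptions = exceptions or {}
    if signature["id"] in exceptions:
        return exceptions[signature["id"]]      # an exception wins over the profile
    if profile_type == "strict" and signature["severity"] in STRICT_OVERRIDE_SEVERITIES:
        return "block"                          # Strict overrides critical/high/medium
    return parse_default_action(signature["default_action"])


def effective_dns_action(domain_signature_id, dns_exceptions=()):
    """DNS signatures sinkhole by default; an excepted threat ID is allowed."""
    return "allow" if domain_signature_id in set(dns_exceptions) else "sinkhole"


# Constructed signature catalogue (placeholder IDs)
SIGNATURES = {
    900001: {"id": 900001, "severity": "critical", "default_action": "default (reset-both)"},
    900002: {"id": 900002, "severity": "medium", "default_action": "default (alert)"},
    900003: {"id": 900003, "severity": "low", "default_action": "default (alert)"},
    900004: {"id": 900004, "severity": "informational", "default_action": "default (allow)"},
}


def resolve_all(profile_type="default", exceptions=None):
    """Effective action for every catalogued signature under one profile."""
    return {tid: effective_action(sig, profile_type, exceptions)
            for tid, sig in SIGNATURES.items()}


if __name__ == "__main__":
    print(resolve_all("strict", exceptions={900002: "allow"}))
```

An exception set to allow for a false-positive signature silences it even under a Strict profile, which is why the text says to confirm detection works with the default settings before adding exceptions: once added, nothing else in the profile will re-enable that signature.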
Compare and Contrast Threat Prevention and Advanced Threat
Prevention
Threat Prevention
Threat Prevention is an Intrusion Prevention System (IPS) solution designed
to identify and block various threats, including malware, vulnerability
exploits, and command-and-control (C2) activities. It offers a multi-layered
defense system that operates on the local firewall and the cloud. The Threat
Prevention cloud uses detection services that pool threat data from Palo Alto
Networks services. This data is used to create signatures, each representing
specific identifiable patterns. These signatures serve as a reference for the
firewall to enforce security policies when it detects threats and malicious
activities. These signatures are categorized according to the threat type and
assigned unique identifier numbers. The firewall employs analysis engines to
identify threats associated with these signatures. These engines examine and
classify network traffic that displays unusual or suspicious characteristics.
Advanced Threat Prevention
Advanced Threat Prevention is a cloud-based security service that partners
with the existing Threat Prevention license to bolster protection against
advanced and elusive command-and-control (C2) threats. With Advanced
Threat Prevention, you can proactively thwart unknown threats through real-
time traffic inspection and inline detectors. The cloud-based detection
engines in Advanced Threat Prevention, powered by deep learning and
machine learning, scrutinize network traffic for advanced C2 and spyware
threats, safeguarding users from zero-day threats. By employing these cloud-
based detection engines, you gain access to various detection methods that
are continually updated and deployed automatically without users needing to
download update packages or strain firewall resources with process-
intensive analyzers. The logic behind the cloud-based detection engines is
under constant monitoring and refinement. It benefits from C2 traffic
datasets from WildFire and the expertise of Palo Alto Networks threat
researchers, ensuring highly accurate detection improvements. Advanced
Threat Prevention's deep learning engines can analyze C2-based threats
across various applications, including HTTP, HTTP2, SSL, unknown-UDP,
and unknown-TCP. While additional analysis models are delivered through
content updates, improvements to existing models are conducted as cloud-
side updates, eliminating the need for firewall updates. Advanced Threat
Prevention is configured within the Anti-Spyware Profile under inline cloud
analysis. In addition to its signature-based detection, Advanced Threat
Prevention offers an inline detection system that complements it, preventing
unknown and evasive C2 threats. The cloud-driven deep learning models in
Advanced Threat Prevention enable on-the-fly analysis at the firewall on a
per-request basis, effectively blocking zero-day threats from infiltrating the
network.
Figure 5-03: Categories of Threat Signatures
The firewall employs threat signatures, broadly categorized into Antivirus,
anti-spyware, and vulnerability. These categories are instrumental in
enforcing user-defined policies through Security Profiles, as follows:
Antivirus signatures: These detect various malware and viruses, such
as worms, Trojan horses, and spyware downloads.
Anti-spyware signatures: They aim to identify C2 (command-and-
control) spyware on compromised hosts that attempt to establish
connections or communicate with external C2 servers.
Vulnerability signatures: These are used to spot and address
vulnerabilities within the system that could be exploited.
Each signature comes with a default severity level and an associated default
action. For instance, for highly malicious threats, the default action is
typically set to "reset both." These settings are based on security
recommendations provided by Palo Alto Networks. In cases where
deployments rely on specialized internal applications or third-party
intelligence feeds incorporating open-source SNORT and Suricata rules,
custom signatures can be created to provide tailored protection. Firewalls
receive signature updates from two distinct update packages: the daily
antivirus content update and the weekly application and threats content
update. The antivirus content updates include antivirus and DNS (C2)
signatures used by the Antivirus and Anti-Spyware Profiles, respectively.
The Applications and Threats content updates include vulnerability and anti-
spyware signatures used by the Vulnerability and Anti-Spyware Profiles,
respectively. These updated packages also encompass content utilized by
other services and subfunctions.
Compare and Contrast URL Filtering and Advanced URL
Filtering
URL Filtering
URL Filtering is a valuable tool for safeguarding your organization against
web-based threats like phishing, malware, and command-and-control (C2)
risks. Real-time machine learning (ML) promptly identifies and blocks
access to newly discovered and unknown malicious websites before users
can reach them. Web Security rules seamlessly extend your organization's
Next-Generation Firewall (NGFW) policy, simplifying management with a
unified policy set.
The benefits of URL Filtering are as follows:
Risk Reduction: It lowers the risk of infections from dangerous
websites, shielding users and data from malware and credential-
phishing pages.
End-to-End Protection: It provides comprehensive protection across
the entire attack lifecycle by integrating WildFire and the broader
cybersecurity portfolio.
Updated Protections: URL Filtering keeps your defenses aligned with
the latest threat intelligence by utilizing Palo Alto Networks' cloud-based
URL categorization system, covering phishing, malware, and
unwanted content.
Enhanced Visibility and Threat Inspection: It offers full visibility
into web traffic that is typically concealed, along with granular control
over SSL decryption.
Advanced URL Filtering
Advanced URL Filtering is a cloud-based subscription service seamlessly
integrated with Palo Alto Networks Next-Generation Firewall (NGFW),
enhancing your network's defense against web-based threats like phishing,
malware, and command-and-control (C2) risks. This service employs
machine learning (ML) to perform real-time analysis of URLs, categorizing
them as benign or malicious. You can easily incorporate these categories into
your NGFW policy, granting you comprehensive control over web traffic.
These categorized URLs trigger additional NGFW capabilities, such as
targeted SSL decryption and advanced logging, to bolster security.
Advanced URL Filtering draws strength from its analysis, and leverages
shared threat intelligence from sources like WildFire, Palo Alto Networks'
prominent malware prevention service. It ensures automatic updates to
protect against malicious websites. Key benefits of Advanced URL Filtering
include:
Enhanced Web-Based Threat Protection: It combines the potency of
its URL database with a cloud-based web security engine driven by
ML to identify and block new malicious URLs in real time, even when
content is concealed from web crawlers. It prevents 40 percent more
threats compared to traditional web-filtering databases.
Leading-Edge Phishing Defense: It offers top-notch protection
against phishing, addressing a leading cause of security breaches.
Total Control Over Web Traffic: The service empowers you with
fine-grained controls and policy settings, allowing you to automate
security actions based on user profiles, risk assessments, and content
categories.
Operational Efficiency: It seamlessly integrates web protection into
the Palo Alto Networks platform, ensuring maximum operational
efficiency for your network security.
Set up Zone Protection, Packet Buffer Protection, and Denial-of-Service (DoS) Protection
Zone protection, packet buffer protection, and DoS protection are essential
security features that can help protect your network from various attacks.
Customized Values versus Default Settings
Flood Protection
A Zone Protection profile with flood protection is designed to defend an
incoming network zone against various IP flood attacks, including SYN,
ICMP, ICMPv6, and UDP. The firewall monitors the cumulative volume of
each flood type entering the zone, measured in new connections per second
(CPS), and compares these totals to the thresholds you specify within the Zone
Protection profile.
You can set three thresholds for new CPS entering the zone for each flood
type. Additionally, for SYN floods, you can establish a drop action. To
properly configure these thresholds, it is helpful to follow these guidelines
and adjust them as needed:
Alarm Rate: This threshold determines the new CPS rate at which an
alarm is triggered. To avoid unnecessary alerts due to normal fluctuations,
set the Alarm Rate about 15-20% above the average CPS rate for the
zone.
Activate: The Activate threshold signifies the new CPS rate at which
flood protection mechanisms come into action, causing the firewall to
begin dropping new connections. For ICMP, ICMPv6, UDP, and other IP
floods, this protection mechanism is typically a Random Early Drop
(RED). However, for SYN floods, you can set the drop action as SYN
Cookies or RED. Aim to set the Activate rate just above the peak CPS
rate for the zone to initiate the mitigation of potential floods.
Maximum: This threshold specifies the number of connections per
second at which incoming packets are dropped when RED is the chosen
protection mechanism. For the Maximum rate, target a setting that's
approximately 80-90% of the firewall's capacity, considering other
resource-consuming features.
If you lack information about the baseline CPS rates for the zone, a good
starting point is to set the Maximum CPS rate at approximately 80-90% of
the firewall's capacity. You can then use this figure as a reference to establish
sensible flood mitigation alarm and activation rates. The default threshold
values are intentionally set at high levels to prevent unintentional dropping
of legitimate traffic when activating a Zone Protection profile. To tailor these
thresholds effectively to your network's traffic, consider setting the Alarm
Rate and Activate rate based on the Maximum rate you have determined.
The most reliable approach for finding the appropriate flood thresholds is to
collect baseline measurements for average and peak CPS across each flood
type. This data helps you understand the typical traffic conditions within
each zone and assess the firewall's capacity, considering the impact of
resource-intensive features like decryption. Regularly monitor and adjust the
flood thresholds as necessary, especially as your network undergoes changes
and evolves.
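As an added example (not code from the study guide or from Palo Alto Networks), the Python below turns baseline CPS measurements into Alarm, Activate and Maximum thresholds using the percentages described above and reports which stage an observed rate triggers; all capacity and baseline figures are constructed, and the linear RED ramp is a simplifying assumption, not the exact PAN-OS algorithm.

```python
"""Size Zone Protection flood thresholds from baseline new-connection rates.

Added example, not code from the study guide or from Palo Alto Networks. It
applies the sizing guidance above (Alarm about 15-20% above average CPS,
Activate just above peak CPS, Maximum at 80-90% of firewall capacity) for each
flood type and then reports which stage an observed CPS rate falls into. All
capacity and baseline figures are constructed sample values.
"""
from dataclasses import dataclass

# Flood types a Zone Protection profile can threshold; only SYN floods offer a
# choice of drop action (SYN Cookies or Random Early Drop).
FLOOD_TYPES = ("syn", "icmp", "icmpv6", "udp", "other-ip")


@dataclass(frozen=True)
class FloodThresholds:
    alarm_rate: int     # new CPS that raises an alarm
    activate_rate: int  # new CPS at which mitigation (RED or SYN cookies) starts
    maximal_rate: int   # new CPS at which RED drops all new connections
    action: str         # "red" or "syn-cookies" (the latter for SYN floods only)


def derive_thresholds(avg_cps, peak_cps, capacity_cps, action="red",
                      alarm_margin=0.20, activate_margin=0.05,
                      capacity_fraction=0.85):
    """Turn one flood type's baseline into Alarm/Activate/Maximum values.

    alarm_margin (20%) and capacity_fraction (85%) sit inside the ranges the
    guide gives; activate_margin (5% above peak) is an assumed "just above peak".
    """
    if not 0 < avg_cps <= peak_cps:
        raise ValueError("need 0 < average CPS <= peak CPS")
    alarm = round(avg_cps * (1 + alarm_margin))
    activate = round(peak_cps * (1 + activate_margin))
    maximal = round(capacity_cps * capacity_fraction)
    if activate >= maximal:
        # Legitimate peaks already sit at the firewall's usable capacity: RED
        # would drop real traffic, so refuse rather than emit unusable values.
        raise ValueError("peak CPS too close to firewall capacity")
    return FloodThresholds(alarm, activate, maximal, action)


def build_profile(baselines, capacity_cps, syn_action="red"):
    """baselines: {flood_type: (avg_cps, peak_cps)} measured for the zone."""
    if syn_action not in ("red", "syn-cookies"):
        raise ValueError("SYN drop action must be 'red' or 'syn-cookies'")
    profile = {}
    for flood_type, (avg, peak) in baselines.items():
        if flood_type not in FLOOD_TYPES:
            raise ValueError(f"unknown flood type {flood_type}")
        action = syn_action if flood_type == "syn" else "red"
        profile[flood_type] = derive_thresholds(avg, peak, capacity_cps, action)
    return profile


def red_drop_probability(new_cps, t):
    """Simplified linear Random Early Drop model (an assumption, not PAN-OS's
    exact algorithm): 0 at the Activate rate rising to 1 at the Maximum rate."""
    if new_cps < t.activate_rate:
        return 0.0
    if new_cps >= t.maximal_rate:
        return 1.0
    return (new_cps - t.activate_rate) / (t.maximal_rate - t.activate_rate)


def classify_rate(new_cps, t):
    """Which stage of flood protection an observed new-CPS rate triggers."""
    if new_cps >= t.maximal_rate:
        return "maximum"   # RED drops every new connection
    if new_cps >= t.activate_rate:
        return "activate"  # mitigation engaged: RED ramp or SYN cookies
    if new_cps >= t.alarm_rate:
        return "alarm"     # threat log entry only, traffic still passes
    return "normal"


if __name__ == "__main__":
    # Constructed baseline for a zone on a firewall rated at 40,000 new CPS.
    baselines = {"syn": (4000, 9000), "udp": (1500, 2200), "icmp": (50, 120)}
    profile = build_profile(baselines, capacity_cps=40000, syn_action="syn-cookies")
    for kind, thresholds in profile.items():
        print(kind, thresholds)
    for cps in (3000, 5000, 12000, 34000):
        print(cps, classify_rate(cps, profile["syn"]))
```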
Reconnaissance Protection
In network security, reconnaissance is similar to the military concept of gathering
intelligence. In this context, attackers discreetly probe a network to gather
information about its vulnerabilities. Reconnaissance activities serve as
preliminary steps before launching a network attack. To safeguard against
activities like port scans and host sweeps, activating Reconnaissance
Protection on all network zones is essential.
Port scans are a method used to identify open ports within a network.
A port scanning tool sends client requests to a range of port numbers
on a host to identify an active port that could be exploited in a
subsequent attack. Zone Protection profiles are instrumental in
defending against TCP and UDP port scans.
On the other hand, host sweeps involve examining multiple hosts to
determine if a specific port is open and vulnerable to exploitation.
Reconnaissance tools have legitimate uses, such as performing penetration
tests (pen tests) to assess network security or evaluate a firewall's
effectiveness. To allow for these essential tasks, you can designate up to 20
IP addresses or netmask address objects for exclusion from Reconnaissance
Protection. This exclusion permits your internal IT department to conduct
penetration tests to identify and address network vulnerabilities.
Packet-Based Attack Protection
Packet-based attacks come in various forms, and Zone Protection profiles
are used to inspect IP, TCP, ICMP, IPv6, and ICMPv6 packet headers to
secure a specific network zone. They achieve this by:
Dropping Undesirable Packets: Zone Protection profiles can discard
packets exhibiting undesirable characteristics.
Stripping Undesirable Packet Options: These profiles can remove
undesirable options from packets before allowing them into the
protected zone.
When configuring Packet-Based Attack Protection, selecting the appropriate
drop characteristics for each packet type is important. Here are the best
practices for each IP protocol:
IP Drop: Drop unknown and malformed packets. Also, eliminate
Strict Source Routing and Loose Source Routing options, as permitting
these options can enable adversaries to bypass security policy rules
that rely on the Destination IP address as a matching criterion. For
internal zones, consider checking "Spoofed IP Address" to ensure only
traffic with a source address matching the firewall's routing table can
access the zone.
TCP Drop: Maintain the default TCP SYN with Data and TCP SYN-ACK
with Data drop settings. Drop Mismatched overlapping TCP
segments, Split Handshake packets, and strip the TCP Timestamp from
packets.
ICMP Drop: The recommended settings for ICMP drop depend on
your specific use of ICMP. For example, if you aim to block ping
activity, it is possible to block ICMP Ping ID 0.
IPv6 Drop: If compliance is a concern, ensure that the firewall drops
packets with non-compliant routing headers, extensions, and so on.
ICMPv6 Drop: If compliance is a priority, ensure the firewall drops
specific packets that do not match a security policy rule.
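The following added Python (not code from the guide or from PAN-OS) applies the IP Drop and TCP Drop checks listed above to constructed packet headers, including the routing-table lookup behind the Spoofed IP Address check; the zone names, routes and sample packets are assumptions, and stateful checks such as overlapping segments or split handshakes are left out.

```python
"""Apply the IP Drop and TCP Drop checks above to parsed packet headers.

Added example, not code from the study guide or from PAN-OS. Packets are
small dicts carrying just the header fields the checks need; the routing
table, zone names and sample packets are constructed. The spoofed-source
check follows the guide's description: the source address is spoofed when the
firewall's route back to it does not lead through the zone the packet
arrived on. Stateful checks (overlapping segments, split handshake) need a
session table and are out of scope here, as is Strict IP Address Check.
"""
import ipaddress

# Constructed routing table: prefix -> zone reached through that route.
ROUTES = {"10.1.0.0/16": "LAN1", "10.2.0.0/16": "LAN2", "0.0.0.0/0": "Untrust"}

# The checks the lab turns on for LAN 2 (minus the stateful ones), as a profile.
LAN2_PROFILE = {
    "spoofed-ip": True, "fragmented": True, "malformed": True,
    "strict-source-routing": True, "loose-source-routing": True,
    "syn-with-data": True, "synack-with-data": True,
    "strip-tcp-timestamp": True,
}


def zone_for_address(ip, routes=ROUTES):
    """Longest-prefix match: which zone the firewall would route this address to."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in routes.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else None


def ip_drop_reasons(pkt, ingress_zone, profile):
    """IP Drop checks on the IP header fields of a packet dict."""
    reasons = []
    if profile.get("malformed") and pkt.get("malformed", False):
        reasons.append("malformed-packet")
    if profile.get("spoofed-ip") and zone_for_address(pkt["src"]) != ingress_zone:
        reasons.append("spoofed-source")
    if profile.get("fragmented") and (pkt.get("more_fragments") or pkt.get("frag_offset", 0) > 0):
        reasons.append("fragmented")
    opts = pkt.get("ip_options", set())
    for opt in ("strict-source-routing", "loose-source-routing"):
        if profile.get(opt) and opt in opts:
            reasons.append(opt)
    return reasons


def tcp_drop_reasons(pkt, profile):
    """TCP Drop checks: a handshake segment must not carry payload."""
    if pkt.get("proto") != "tcp":
        return []
    flags, payload = pkt.get("tcp_flags", set()), pkt.get("payload_len", 0)
    reasons = []
    if profile.get("syn-with-data") and "SYN" in flags and "ACK" not in flags and payload > 0:
        reasons.append("tcp-syn-with-data")
    if profile.get("synack-with-data") and {"SYN", "ACK"} <= flags and payload > 0:
        reasons.append("tcp-synack-with-data")
    return reasons


def evaluate(pkt, ingress_zone, profile=LAN2_PROFILE):
    """Return (verdict, details, forwarded_packet): ("drop", reasons, None) or
    ("allow", stripped_options, packet) with any stripped options removed."""
    reasons = ip_drop_reasons(pkt, ingress_zone, profile) + tcp_drop_reasons(pkt, profile)
    if reasons:
        return "drop", reasons, None
    forwarded = dict(pkt)
    stripped = []
    if profile.get("strip-tcp-timestamp") and "timestamp" in forwarded.get("tcp_options", set()):
        # Stripping: the packet still enters the zone, minus the option.
        forwarded["tcp_options"] = forwarded["tcp_options"] - {"timestamp"}
        stripped.append("timestamp")
    return "allow", stripped, forwarded


# Constructed packets arriving on the LAN2 zone.
SAMPLE_PACKETS = [
    # LAN2 host opening a connection with a TCP timestamp option (stripped).
    {"src": "10.2.2.20", "dst": "10.2.2.5", "proto": "tcp", "tcp_flags": {"SYN"},
     "payload_len": 0, "tcp_options": {"mss", "timestamp"}},
    # Claims a LAN1 source address but arrives on LAN2: spoofed.
    {"src": "10.1.7.9", "dst": "10.2.2.5", "proto": "tcp", "tcp_flags": {"SYN"},
     "payload_len": 0},
    # Loose source routing option plus data in the SYN.
    {"src": "10.2.9.1", "dst": "10.2.2.5", "proto": "tcp", "tcp_flags": {"SYN"},
     "payload_len": 40, "ip_options": {"loose-source-routing"}},
    # Non-initial IP fragment from a legitimate LAN2 address.
    {"src": "10.2.3.3", "dst": "10.2.2.5", "proto": "udp", "frag_offset": 185},
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt["src"], evaluate(pkt, "LAN2")[:2])
```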
Protocol Protection
Within a Zone Protection profile, Protocol Protection is a defense against
attacks based on non-IP protocols. You can activate Protocol Protection to
either permit or block non-IP protocols in various scenarios, such as between
security zones on a Layer 2 VLAN or virtual wire or between interfaces
within a single zone on a Layer 2 VLAN (note that non-IP Protocol
Protection does not apply to Layer 3 interfaces and zones, as they inherently
block non-IP protocols).
Configuring Protocol Protection mitigates security risks and aids compliance
with regulatory requirements by preventing less secure protocols from entering
a specific zone or interface within a zone.
You can establish an Exclude or Include List to configure Protocol
Protection for a zone. The Exclude List functions as a block list, meaning the
firewall blocks all the protocols you place in the Exclude List while allowing
all other protocols. On the other hand, the Include List operates as an allow
list, permitting only the protocols you specify and blocking all other
protocols.
Ethernet SGT Protection
In a Cisco TrustSec network, the Cisco Identity Services Engine (ISE)
assigns a 16-bit Layer 2 Security Group Tag (SGT) to a user or endpoint's
session. When your firewall is integrated into a Cisco TrustSec network, you
can create a Zone Protection profile with Ethernet SGT protection. With this
feature, the firewall can examine headers with an Ethertype of 0x8909
(associated with 802.1Q) to identify specific Layer 2 Security Group Tag
(SGT) values. The firewall will drop the packet if the SGT matches any
values you configure in the Zone Protection profile linked to the interface. It
lets you decide which SGT values should be denied access to a particular
network zone.
Classified versus Aggregate Profile Values
When configuring DoS Protection, you have the option to configure both
aggregate and classified DoS Protection Profiles. These profiles can be
applied individually or with DoS Protection Policy Rules.
Aggregate Profiles: These profiles establish thresholds that apply to the
entire group of devices specified in a DoS Protection policy rule instead
of applying them individually to each device. One device within the
group could potentially receive most of the allowed connection traffic.
For example, setting a Max Rate of 20,000 CPS means that the total
CPS for the group is 20,000, and an individual device can accept up to
20,000 CPS if the other devices do not have active connections.
Aggregate DoS Protection profiles provide an additional layer of broad
protection, particularly for specific groups of critical devices. It is useful
when enforcing extra constraints on particular subnets, users, or services.
Classified Profiles: In contrast, classified profiles set flood thresholds
that apply individually to each device specified in a DoS Protection
policy rule. For instance, if you define a maximum rate of 5,000 CPS,
each device mentioned in the rule can handle up to 5,000 CPS before
dropping new connections. It is important to note that if you apply a
classified DoS Protection policy rule to multiple devices, those devices
should have similar capacity, and you should intend to control their CPS
rates similarly because classified thresholds are applied to each device.
Classified profiles are particularly geared towards protecting individual
critical resources.
The choice of how to configure the Address (whether source-ip-only,
destination-ip-only, or src-dest-ip-both) for classified profiles hinges on
your specific DoS protection objectives, what you intend to safeguard,
and whether the protected device(s) are located in internet-facing zones.
When both an aggregate and a classified DoS Protection profile are
applied to the same DoS Protection policy rule, the firewall follows a
specific order of operation. First, it applies the aggregate profile and, if
necessary, the classified profile. For example, consider a scenario where
you protect a group of five web servers using both profiles within a DoS
Protection policy rule.
In this case, the aggregate profile's configuration dictates that new
connections will be dropped when the combined total for the group
reaches a maximum rate of 25,000 CPS. Meanwhile, the classified
profile's configuration specifies that new connections to any individual
web server in the group will be dropped when it exceeds a maximum rate
of 6,000 CPS. There are three scenarios where the threshold for new
connection traffic is crossed.
In the first case, if the new CPS rate surpasses the aggregate Max
Rate but not the classified Max Rate, the firewall enforces the
aggregate profile, blocking all new connections for the specified
Block Duration.
In the second scenario, if the new CPS rate doesn't exceed the
aggregate Max Rate, but the CPS to a specific web server
surpasses the classified Max Rate, the firewall checks both
profiles. If the group rate is below 25,000 CPS, the firewall
doesn't block new connections for the group. However, if the rate
for a particular server exceeds 6,000 CPS, the firewall applies the
classified profile, blocking new connections to that server for the
configured Block Duration.
In the third scenario, if the new CPS rate exceeds both the
aggregate and classified Max Rates for a web server, the firewall
first blocks new connections for the entire group based on the
aggregate profile. Then, it applies the classified profile to block
new connections to the specific server that exceeded 6,000 CPS.
The traffic to other servers within the group, complying with the
classified profile's Max Rate, remains unaffected.
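As an added example, not code from the guide or from PAN-OS, this Python models the five-web-server rule above with both profiles and reproduces the three threshold-crossing cases in the order the firewall applies them; the server addresses, rates and the 300-second Block Duration are constructed values.

```python
"""Order of operation for a DoS Protection rule with both an aggregate and a
classified profile.

Added example, not code from the study guide or from PAN-OS. It models the
five-web-server scenario above (aggregate Max Rate 25,000 CPS for the group,
classified Max Rate 6,000 CPS per server) and shows, for each of the three
cases, which blocks the firewall installs and for how long. Server addresses,
rates and the 300-second Block Duration are constructed values.
"""
from dataclasses import dataclass, field

GROUP = "<aggregate>"  # key used for the rule-wide (aggregate) block


def classified_key(address_mode, src, dst):
    """Build the key a classified profile counts against, per its Address setting."""
    if address_mode == "source-ip-only":
        return src
    if address_mode == "destination-ip-only":
        return dst
    if address_mode == "src-dest-ip-both":
        return (src, dst)
    raise ValueError(f"unknown classified address mode: {address_mode}")


@dataclass
class DosProtectionRule:
    aggregate_max_cps: int
    classified_max_cps: int
    block_duration_s: int = 300
    # key -> time (seconds) until which new connections matching it are blocked
    blocked_until: dict = field(default_factory=dict)

    def evaluate(self, per_key_cps, now):
        """Check one measurement interval. per_key_cps maps each classified key
        (here a protected server's address, i.e. destination-ip-only) to the
        new-CPS rate observed for it. Returns the keys newly blocked, aggregate
        first and then classified: the order the firewall applies the profiles."""
        newly_blocked = []
        if sum(per_key_cps.values()) > self.aggregate_max_cps:
            self.blocked_until[GROUP] = now + self.block_duration_s
            newly_blocked.append(GROUP)
        for key, cps in per_key_cps.items():
            if cps > self.classified_max_cps:
                self.blocked_until[key] = now + self.block_duration_s
                newly_blocked.append(key)
        return newly_blocked

    def admits_new_connection(self, key, now):
        """A new connection is dropped while the group block or the key's own
        block is still within its Block Duration."""
        for k in (GROUP, key):
            until = self.blocked_until.get(k)
            if until is not None and now < until:
                return False
        return True


def run_scenarios():
    """The three threshold-crossing cases from the text, with constructed rates."""
    servers = [f"10.2.2.{i}" for i in range(11, 16)]  # five web servers
    results = {}
    # Case 1: group total 26,000 CPS, no server above 6,000 -> aggregate block only.
    rule = DosProtectionRule(25000, 6000)
    results["case1"] = rule.evaluate(dict.fromkeys(servers, 5200), now=0)
    # Case 2: group total 14,000 CPS, one server at 7,000 -> that server only.
    rule = DosProtectionRule(25000, 6000)
    rates = dict.fromkeys(servers, 1750)
    rates[servers[0]] = 7000
    results["case2"] = rule.evaluate(rates, now=0)
    # Case 3: group total 30,000 CPS and one server at 12,000 -> group, then server.
    rule = DosProtectionRule(25000, 6000)
    rates = dict.fromkeys(servers, 4500)
    rates[servers[0]] = 12000
    results["case3"] = rule.evaluate(rates, now=0)
    return results


if __name__ == "__main__":
    for case, blocked in run_scenarios().items():
        print(case, blocked)
```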
Layer 3 and Layer 4 Header Inspection
Enabling global L3 and L4 header inspection empowers the firewall to
identify and prevent vulnerabilities within supported protocols, which
include IP/IPv6, ICMP/ICMPv6, TCP, and UDP. The firewall can also log
and block packets that match custom rules specified by the user.
Furthermore, to complete this setup, it is essential to activate Net Inspection
(NetworkZones) for each security zone using custom rules for header
inspection. Users can add, delete, or duplicate existing rules in this
configuration. They can also establish the precedence and operational status
of these custom rules, which are evaluated by the Zone Protection profile.
Once L3 and L4 header inspection is properly configured within a Zone
Protection profile, the next step is to apply this profile to an ingress security
zone for it to take effect.
Lab 5-01: Configure Zone Protection, Packet Buffer Protection,
and DoS Protection
Case Study
Cyber Innovations Inc. is a leading technology solutions provider
specializing in cybersecurity and network infrastructure. With a commitment
to delivering cutting-edge services, the company has rapidly expanded its
operations to serve a diverse clientele. Cyber Innovations Inc. operates in
multiple regions, with a focus on North America, Europe, and the Asia-Pacific
region.
Cyber Innovations Inc. is a dynamic player in the technology sector,
boasting an impressive annual revenue of $250 million and a dedicated
workforce of 1,200 employees. With a global footprint, the company has
strategically positioned offices and branches in major cities across North
America, Europe, and Asia-Pacific. This extensive geographical presence
empowers Cyber Innovations Inc. to meet its clients’ diverse and evolving
global needs. Whether serving clients in bustling North American tech hubs,
European financial centers, or the rapidly expanding markets of the Asia-Pacific
region, the company’s commitment to excellence remains
unwavering, driving its success in the highly competitive technology
industry.
Business Challenge
Cyber Innovations Inc., a prominent technology company, is confronted with
a critical business challenge concerning its network security infrastructure.
The organization operates two distinct LANs, with the crucial internal
resource, a high-value server, residing in LAN 2.
The challenge at hand is to fortify the security of LAN 2 to safeguard this
vital internal resource effectively. As cyber threats continue to evolve and
intensify, ensuring the integrity and availability of the server is paramount.
Cyber Innovations Inc. seeks a robust solution to shield LAN 2 against a
myriad of potential threats, including cyberattacks and network disruptions.
Solution
Cyber Innovations Inc. has hired you for a comprehensive solution to
address the pressing business challenge and enhance the security posture of
LAN 2. The chosen approach involves the implementation of Zone
Protection, packet buffer protection, and Denial of Service (DoS) protection
measures tailored specifically for LAN 2.
Implementing Zone Protection involves configuring the Palo Alto Firewall
to monitor and control traffic at a granular level. This includes setting up
policies and rules that allow only authorized traffic to access LAN 2 while
blocking or limiting potentially harmful traffic. Zone Protection ensures that
traffic entering or leaving LAN 2 complies with predefined security policies.
Packet buffer protection mechanisms are put in place to prevent buffer
overflow attacks that can overwhelm the Firewall and disrupt network
operations. By efficiently managing and monitoring the packet buffer, the
Firewall can resist attacks designed to flood the network with excessive
traffic.
The Firewall is equipped with DoS protection capabilities that actively
detect and mitigate DoS attacks. These measures include rate limiting, traffic
monitoring, and anomaly detection to identify and block malicious traffic
patterns that could disrupt the operations of LAN 2.
By implementing these security measures tailored to LAN 2, Cyber
Innovations Inc. can effectively fortify the network against cyber threats and
ensure the uninterrupted availability and security of its critical internal
resource, the server.
Follow the steps to complete the lab:
1. Enable Packet Buffer Protection Globally
2. Reboot the Firewall
3. Configure the Zone Protection Profile
4. Commit
Figure 5-04: Configure Zone Protection, Packet Buffer Protection, and DoS
Protection
1. Enable Packet Buffer Protection Globally
1. Navigate to Device > Setup
Under the Session tab, click on the Session Settings Edit icon.
2. Check mark the Packet Buffer Protection box. Click on the OK
button.
3. Click the OK button.
2. Reboot the Firewall
Click the Operations tab, then the Reboot Device button, to reboot the
device and save the changes.
3. Configure the Zone Protection Profile
1. Navigate to Network > Zones
Click on the LAN 2 Zone to edit it.
2. Since there is no Zone Protection Profile available, click the Zone
Protection Profile option to create one.
3. Enter the Name as LAN 2 Zone Protection. Check mark the SYN
and UDP checkboxes. Select the Random Early Drop option under the
SYN parameters.
4. Under the Reconnaissance Protection, checkmark the TCP Port
Scan, Host Sweep, and UDP Port Scan options.
5. Click the Add button to add an IP Address to exclude from blocking
or scanning.
6. Enter the Name Internal-Security-Test and the IP Address
10.2.2.20/24 if there is any security tester in the internal network. Click
the OK button.
7. Under the Packet Based Attack Protection tab > IP Drop tab
Checkmark the Spoofed IP Address, Strict IP Address Check,
Fragmented Traffic, and Strict Source Routing check boxes.
8. Under the Packet Based Attack Protection tab > TCP Drop tab
Checkmark the Mismatched Overlapping TCP Segment, Split
Handshake, TCP SYN with Data, and TCP SYNACK with Data
checkboxes.
9. Check the Enable Packet Buffer Protection checkbox. Click the OK
button.
4. Commit
Click the Commit button to save the configuration.
Mind Map
Figure 5-05: Mind Map of Management and Profiles
Practice Questions
1. What action indicates the relevance of Security profiles within a
policy rule?
A. deny
B. drop
C. reset
D. allow
2. During WildFire's assessment to determine if files are malware or
legitimate, are the files quarantined?
A. Always yes
B. Always no
C. By default, yes, but you can change the settings
D. By default, no, but you can change the settings
3. Which feature within the NGFW permits the blocking of websites
that are not suitable for business purposes?
A. App-ID
B. File Blocking
C. Exploit Protection
D. URL Filtering
4. What specific credential-phishing-prevention action allows users to
choose credential submission to a site?
A. Alert
B. Allow
C. Block
D. Continue
5. In a scenario where multiple users share the same client IP address,
which user credential detection method is effective (e.g., due to
dynamic address translation)?
A. IP-to-user mapping
B. Group mapping
C. Domain credential filter
D. IP-and-port-to-user mapping
6. For a firewall administrator aiming to activate credential phishing
prevention that hinders users attempting to input their organization's
user ID and password, what form of user credential detection should be
employed?
A. IP-to-user mapping
B. Domain credential filter
C. Group mapping
D. Citrix mapping
7. Which profile is utilized for data loss prevention based on file
content?
A. Antivirus
B. Anti-Spyware
C. Vulnerability Protection
D. URL Filtering
E. File Blocking
F. WildFire Analysis
8. What profile monitors DNS resolution lookups associated with threat
activity?
A. Anti-Spyware
B. Vulnerability Protection
C. URL Filtering
D. File Blocking
E. WildFire Analysis
F. Data Filtering
9. Which profile is employed for file analysis to detect zero-day
malware?
A. Antivirus
B. Anti-Spyware
C. Vulnerability Protection
D. URL Filtering
E. File Blocking
F. WildFire Analysis
G. Data Filtering
10. Which profile is used to scrutinize traffic for enforcing appropriate
browsing policy?
A. Antivirus
B. Anti-Spyware
C. Vulnerability Protection
D. URL Filtering
E. File Blocking
F. WildFire Analysis
G. Data Filtering
11. What profile is activated to detect and prevent the transfer of
executable files through the firewall?
A. Antivirus
B. Anti-Spyware
C. Vulnerability Protection
D. URL Filtering
E. File Blocking
F. WildFire Analysis
G. Data Filtering
12. Which profile should be employed to identify and prevent the
transmission of executable files via the firewall?
A. Antivirus
B. Anti-Spyware
C. Vulnerability Protection
D. URL Filtering
E. File Blocking
F. WildFire Analysis
G. Data Filtering
13. What initial configuration is performed on a firewall with factory
default settings, as Palo Alto Networks' best practices recommended?
A. Add licenses.
B. Update PAN-OS software.
C. Configure the management network port.
D. Update dynamic update files.
14. Which profile is crucial in preventing spyware-infected hosts from
establishing connections to external Command and Control (C2)
servers?
A. URL Filtering Profiles
B. Data Filtering Profiles
C. Antivirus Profiles
D. Anti-Spyware Profiles
15. What action is taken when a Data Filtering Profile detects a
sensitive data breach in network traffic?
A. Block the entire network traffic.
B. Generate an alert and continue allowing traffic.
C. Terminate the connection immediately.
D. Reset both client and server connections.
Chapter 06: Firewall Configuration
Introduction
Firewalls are essential security devices for any network, protecting against a
wide range of threats, including unauthorized access, malware, and denial-of-service
attacks. By carefully configuring your firewall, you can significantly
improve the security of your network and reduce your risk. This chapter will
introduce you to the basics of firewall configuration. We will cover the
following topics:
We will explain how to design the deployment configuration of a Palo
Alto Networks firewall, covering advanced HA deployments, HA pairs,
Zero-Touch Provisioning, bootstrapping of VM-Series firewalls, and the
bootstrap package.
We will also explain how to configure authorization, authentication, and
device access, covering RBAC, authentication methods, the authentication
sequence, and device access methods.
We will explain how to configure and manage the certificate profile and
chain.
Design the deployment configuration of a Palo Alto Network
Firewall
Designing a Palo Alto Networks Firewall's deployment configuration is critical
in building a secure and robust network infrastructure.
Advanced High Availability (HA) deployments
Firewalls in a High Availability pair can be configured in one of two modes:
Active/Passive Mode: In this mode, one firewall actively manages
network traffic while the other remains synchronized and ready to take
over in case of a failure. Both firewalls share the same configuration
settings, and the active firewall handles traffic until a failure occurs.
When the active firewall fails, the passive one seamlessly transitions to
the active state, enforcing the same security policies to maintain network
security. Active/passive HA suits virtual wire, Layer 2, and Layer 3
deployments. It is a simpler design, making troubleshooting routing and
traffic issues easier.
Active/Active Mode: Both firewalls in the pair are active
simultaneously, processing traffic and collaborating to manage session
setup and ownership. Each firewall maintains its own session and
routing tables while synchronizing. However, active/active mode does
not support the DHCP client, and only the active-primary firewall can
function as a DHCP Relay. The active-secondary firewall drops DHCP
broadcast packets. Active/active HA is suitable for virtual wire and
Layer 3 deployments.
EXAM TIP: HA3 interfaces are not designed for Layer 3
configurations. As a result, HA active/active members need either a direct
link or a Layer 2 switch to connect them for HA3 connectivity.
EXAM TIP: In an active/active configuration, it is important to note
that traffic is not load-balanced by default. While you can distribute traffic
to the peer firewall, true load balancing does not occur. Options include
employing Equal-Cost Multi-Path (ECMP), utilizing multiple Internet
Service Providers (ISPs), and implementing load balancers to share the load
between firewalls.
When deciding between active/passive and active/active modes, consider the
following distinctions:
Active/Passive Mode: This mode offers a simpler design and is notably
easier for troubleshooting routing and traffic flow issues. It is compatible
with Layer 2 deployments.
Active/Active Mode: This mode involves advanced design concepts,
leading to potentially more complex networks. Depending on your
active/active HA implementation, you may need additional
configurations, such as activating networking protocols on both
firewalls, replicating NAT pools, and deploying floating IP addresses for
proper failover. Both firewalls actively process traffic in active/active
mode, introducing concepts like session owner and session setup for
Layer 7 content inspection. Active/active mode is advisable if each
firewall requires its own routing instances and you need continuous real-time
redundancy from both firewalls. It provides faster failover and can
handle high traffic volumes more effectively than active/passive mode
because both firewalls are actively processing traffic.
EXAM TIP: Active/active mode in an HA pair can temporarily
handle traffic exceeding the typical capacity of a single firewall. However,
it is crucial to avoid making this the standard practice, as a failure in one
firewall results in routing all traffic to the surviving firewall in the HA pair.
Your design should ensure that the remaining firewall can effectively
process the maximum capacity of your traffic loads while retaining content
inspection capabilities. Overloading the capacity of the remaining firewall
in your design may lead to issues such as increased latency and potential
application failures.
HA Pair
Implementing High Availability (HA) in a network is a fundamental strategy to
ensure uninterrupted network services and enhanced security.
Active/Passive HA Pair
To establish an active/passive HA pair, as outlined below, follow these high-level
tasks:
Establish connections between the ports dedicated to HA.
Enable the ability to ping the management port for monitoring.
Configure HA mode and group ID
Establish the control link connection.
Optionally, enable encryption to secure the control link connection.
Create a backup control link to ensure redundancy.
Configure the primary data link (HA2) and its backup.
Enable heartbeat backup
Set the device priority levels and decide whether to enable preemption.
Optionally, adjust the high availability timers as needed.
Optionally, modify the link status of the HA ports on the passive device.
Enable high availability functionality.
(Optional): Activate LACP and enable LLDP Pre-Negotiation for
active/passive HA if needed.
Verify that the firewalls are successfully paired and operating as
intended.
Figure 6-01: Topology of Paired Firewall
Active/Active HA Pair
Here is the basic workflow for configuring firewalls in an active/active pair:
Determine the specific scenario where active/active configuration is
needed.
Establish the necessary connections between the high availability (HA)
ports.
Allow pinging of the management port for monitoring purposes.
Enable active/active high availability and assign a group ID.
Set the unique Device ID, enable synchronization between firewalls, and
define the control link connection on the partner firewall.
Enable heartbeat backup
Optionally, modify the settings of the HA timers to suit your
requirements.
Configure the primary control link connection for communication.
If necessary, enable encryption to secure the primary control link
connection.
Create a backup control link for redundancy.
Configure the primary data link (HA2) and its backup.
Set up the HA3 link to facilitate packet forwarding.
Optionally, modify the Tentative Hold time as needed.
Configure the Session Owner and Session Setup.
Configure an HA virtual address to handle network traffic.
Configure the floating IP address.
Define the configuration for ARP load-sharing.
Specify the conditions and criteria for HA failover.
Save and activate the configured settings to ensure they take effect.
Zero-Touch Provisioning
To configure your firewall for Zero-Touch Provisioning (ZTP) using
Panorama, follow these steps:
Navigate to Panorama and access the Plugins to Download section.
Ensure you have installed the latest version of the ZTP plugin.
Install the Panorama device certificate.
Register Panorama with the ZTP service.
Create a default device group and a template, which will be used to
connect the ZTP-enabled firewalls to Panorama.
Access Panorama and go to Zero Touch Provisioning. Synchronize
Panorama with the ZTP service.
Set up the administrative account for the ZTP installer.
Add the ZTP-enabled firewalls to Panorama for seamless provisioning.
Bootstrapping
Palo Alto Networks firewalls have a bootstrapping feature that allows them to
self-configure during their initial startup. This feature involves using a
preconfigured storage volume, a USB drive for physical appliances, or storage
accounts for VM-Series firewalls. This volume contains essential configuration
data, licenses, dynamic updates, and PAN-OS updates; all applied
automatically as part of the firewall's boot process.
VM-Series Bootstrapping
Bootstrapping provides a method for creating a consistent and efficient process
for deploying new VM-Series firewalls across a network. It involves
packaging a predefined configuration model for the network, which can then
be used to deploy VM-Series firewalls in various locations. Bootstrapping can
be initiated from external devices like virtual disks, virtual CD-ROMs, or
cloud storage services like Amazon Web Services S3 or Google Cloud buckets.
This process allows for the configuration and licensing of VM-Series firewalls.
You have several bootstrapping options:
Basic Initial Configuration and Licensing: This sets up the firewall with
a fundamental initial configuration and licenses, enabling it to connect to
Panorama and retrieve the complete configuration.
Full Configuration: This fully configures the firewall during the bootup
process.
The workflow for setting up bootstrapping on a VM-Series firewall is as
follows:
Restore the firewall to its original factory default settings.
Choose the preferred bootstrapping method.
Optionally, generate the VM authentication key on Panorama.
Prepare the required licenses for bootstrapping.
Assemble the bootstrap package and save it in the suitable delivery
format for your hypervisor.
Execute the bootstrapping process on the VM-Series firewall.
Confirm the successful completion of the bootstrapping process.
Figure 6-02: Bootstrap Completion Process
Bootstrap Package
The bootstrap process is initiated only when the firewall is in a factory default
state upon startup. Once you attach a virtual disk, CD-ROM, or storage bucket
to the firewall, the firewall scans for a bootstrap package. If such a package is
found, the firewall utilizes its specified settings. If you have included the IP
address of a Panorama server in the package, the firewall establishes a
connection with Panorama. In cases where the firewall has internet access, it
contacts the licensing server to update its Universally Unique Identifier
(UUID) and acquire the necessary license keys and subscriptions. As a result,
the firewall becomes registered as an asset in the Palo Alto Networks Support
Portal. However, if the firewall lacks internet connectivity, it will either use the
license keys provided in the bootstrap package or connect to Panorama, which
retrieves the appropriate licenses and deploys them to the managed firewalls.
The bootstrap package you create must include the following folders, even if
they are empty:
/config folder: This folder holds configuration files, including init-cfg.txt
and bootstrap.xml. Suppose you plan to pre-register VM-Series firewalls with
Panorama during bootstrapping. In that case, you must generate a VM
authorization key on Panorama and include it in the init-cfg.txt file.
EXAM TIP: When planning to pre-register VM-Series
firewalls using bootstrapping and Panorama, creating a VM
authentication key within Panorama is necessary. This key should be
generated and then incorporated into the init-cfg.txt file.
/license folder: In this folder, you store license keys or authorization
codes for the licenses and subscriptions you intend to activate on the
firewalls. Suppose the firewall does not have internet connectivity. In
that case, you must either manually obtain the license keys from the Palo
Alto Networks Support Portal or use the Licensing API to obtain and
save each key in this folder. Including an authorization code bundle
instead of individual codes is essential to fetch all associated license
keys. Using individual codes simultaneously would result in retrieving
only the license key for the first code included.
EXAM TIP: It is essential to provide an authorization code
bundle instead of individual authorization codes. It allows the firewall
or orchestration service to efficiently retrieve all the license keys
associated with a firewall simultaneously. If individual authorization
codes are used instead of a bundle, the firewall will only obtain the
license key associated with the first authorization code in the file.
/software folder: Here, you include software images required to upgrade a
newly provisioned VM-Series firewall to the desired PAN-OS version for your
network. Include all intermediate software versions between the Open
Virtualization Format version and the final PAN-OS software version
you want to install on the VM-Series firewall.
/content folder: This folder contains Applications and Threats updates
and WildFire updates for valid subscriptions on the VM-Series firewall.
Ensure you include the minimum content versions required for the
desired PAN-OS version. The minimum required content version is
crucial for the VM-Series firewall to complete the software upgrade.
/plugins folder: Optionally, you can include a single VM-Series plugin
image in this folder.
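The folder layout described above, assembled and sanity-checked by an added shell example (not the study guide's or Palo Alto Networks' own tooling). The five folder names, the init-cfg.txt keys and the authcodes file name follow the documented VM-Series bootstrap layout; every address, hostname, key and code value is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the study guide. Folder names, init-cfg.txt keys and the
# "authcodes" file name follow the documented VM-Series bootstrap layout; every
# address, name, key and code value below is a constructed placeholder.
set -eu

PKG="${PKG:-$(mktemp -d)/bootstrap}"

# Lay out the package: all five folders must exist even if some stay empty.
build_package() {
  mkdir -p "$PKG/config" "$PKG/license" "$PKG/software" "$PKG/content" "$PKG/plugins"
  # Basic initial configuration: enough for the firewall to reach Panorama and
  # pull the rest of its configuration from the template and device group.
  cat > "$PKG/config/init-cfg.txt" <<'EOF'
type=static
ip-address=10.0.0.10
default-gateway=10.0.0.1
netmask=255.255.255.0
hostname=vm-fw-01
panorama-server=10.0.0.5
tplname=bootstrap-template
dgname=bootstrap-devicegroup
dns-primary=10.0.0.53
vm-auth-key=VM-AUTH-KEY-PLACEHOLDER
EOF
  # One authorization code bundle, so every license key is fetched at once.
  printf '%s\n' 'AUTHCODE-BUNDLE-PLACEHOLDER' > "$PKG/license/authcodes"
}

# cfg_value KEY FILE: value of the first "KEY=" line, empty if the key is absent.
cfg_value() {
  sed -n "s/^$1=//p" "$2" | head -n 1
}

# Check the package against the rules in the text; prints each problem found and
# returns non-zero if there is any.
check_package() {
  errors=0
  for d in config license software content plugins; do
    [ -d "$PKG/$d" ] || { echo "missing folder /$d"; errors=$((errors + 1)); }
  done
  cfg="$PKG/config/init-cfg.txt"
  if [ ! -f "$cfg" ]; then
    echo "missing /config/init-cfg.txt"; errors=$((errors + 1))
  else
    # Pre-registering with Panorama needs the VM auth key generated on Panorama.
    if [ -n "$(cfg_value panorama-server "$cfg")" ] && [ -z "$(cfg_value vm-auth-key "$cfg")" ]; then
      echo "panorama-server is set but vm-auth-key is missing"; errors=$((errors + 1))
    fi
    if [ "$(cfg_value type "$cfg")" = static ]; then
      for k in ip-address netmask default-gateway; do
        [ -n "$(cfg_value "$k" "$cfg")" ] || { echo "type=static needs $k"; errors=$((errors + 1)); }
      done
    fi
  fi
  if [ -f "$PKG/license/authcodes" ]; then
    # Several individual codes: only the first would be redeemed, so insist on a bundle.
    n=$(grep -c '[^[:space:]]' "$PKG/license/authcodes" || true)
    if [ "$n" -gt 1 ]; then
      echo "authcodes lists $n individual codes; only the first would be used, supply a bundle"
      errors=$((errors + 1))
    fi
  fi
  n=$(find "$PKG/plugins" -type f 2>/dev/null | wc -l | tr -d ' ')
  if [ "$n" -gt 1 ]; then
    echo "/plugins may hold a single plugin image, found $n"; errors=$((errors + 1))
  fi
  [ "$errors" -eq 0 ]
}

build_package
find "$PKG" | sort
if check_package; then echo "bootstrap package passes checks"; fi
```

Point PKG at a real directory and run the checks before packaging it as an ISO or uploading it to a storage bucket; the same checks catch the two mistakes the text calls out (missing vm-auth-key, individual codes instead of a bundle).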
Configure Authorization, Authentication, and Device Access
Palo Alto Networks Firewalls offer robust capabilities for configuring and
managing authorization, authentication, and device access. Whether it is
establishing multi-factor authentication for users, defining access policies, or
integrating external authentication services, the configuration process plays a
pivotal role in enhancing the security posture of an organization's network.
Role-Based Access Control for Authorization
Administrative Accounts and Roles
Administrators have the flexibility to configure, manage, and monitor Palo
Alto Networks firewalls and Panorama through various management
interfaces, including the web interface, command line interface (CLI), and the
XML API management interface. It is possible to tailor access for
administrators based on roles and specific permissions, allowing for the
delegation of tasks.
Administrative accounts are how roles and authentication methods are
assigned to those managing Palo Alto Networks firewalls and Panorama. Each
device has a default administrative account (admin) that provides full read-
write access, often called superuser access. However, additional administrative
accounts can be created as necessary.
The configuration of administrator accounts considers your organization's
security needs, the authentication services already in use, and the specific
administrative roles required. An administrative role defines the level of
system access granted to an administrator. Access can be as broad or granular
as needed, depending on the organization's security requirements. For instance,
you might decide that a data center administrator should have access to all
device and networking configurations while a security administrator only
controls security policy definitions. Others may have limited access via the
CLI or XML API. There are various role types to cater to these distinctions.
Dynamic roles: Built-in predefined roles offer access to both Panorama
and managed firewalls. When new features are introduced, the firewall
and Panorama will automatically update the definitions of these roles.
There is no need for manual updates. Table 6-01 outlines the access
privileges associated with these dynamic roles.
Table 6-01: Access Privileges through Dynamic Role
Admin role profiles: Besides the predefined roles, you can create
custom roles to provide more specific access control over various
functional areas in the web interface, CLI, and XML API. However,
when new features are introduced, manually updating these custom roles
with the corresponding access privileges is essential. The firewall and
Panorama would not automatically add new features to the definitions of
custom roles.
Different Methods used to Authenticate
The authentication methods you choose will depend on your specific needs
and requirements.
Authentication
Authentication is a method used to safeguard services and applications by
confirming users' identities and ensuring that only authorized users can access
them. Numerous features in firewalls and Panorama rely on authentication. For
instance, administrators need to authenticate to gain access to these systems'
web interface, CLI, or XML API. On the other hand, end users authenticate via
methods like Captive Portal or GlobalProtect to access various services and
applications through the firewall. Your network's security can be fortified by
choosing from a range of authentication services seamlessly integrated into
your existing security infrastructure, ensuring a smooth user experience.
If your network employs a Public Key Infrastructure (PKI), you can deploy
certificates, enabling authentication without requiring users to respond to login
challenges manually. Additionally, or in combination with certificates,
interactive authentication methods can be implemented, which require users to
authenticate using one or more specified methods.
Supported authentication types include the following:
MFA
SAML
SSO
Kerberos
TACACS+
RADIUS
LDAP
Local
Protecting Service Access Through the Firewall
The Authentication policy verifies end users' identities before granting them
access to various services and applications. When a user requests a service or
application, such as visiting a web page, the firewall assesses the
Authentication policy. Depending on the specific rule that matches the
Authentication policy, the firewall prompts the user to authenticate using one
or more methods or factors, such as login and password, voice, SMS, push, or
OTP authentication. For the initial factor, users use a Captive Portal web form
for authentication, and for any additional factors, they utilize an MFA (Multi-
Factor Authentication) login page.
Once the user has authenticated using all the required factors, the firewall
evaluates the Security policy to determine whether to grant access to the
requested service or application. You can set a timeout period to minimize the
disruption of user workflows caused by frequent authentication challenges.
During this period, users only need to authenticate for their initial access to
services and applications, sparing them from repeated authentication. The
Authentication policy integrates with the Captive Portal to keep track of the
timestamps used for timeout evaluation and to facilitate user-based policies
and reports.
Based on the user information collected during the authentication process,
User-ID establishes a new IP address-to-username mapping or updates the
existing mapping if there are changes. The firewall generates user-ID logs to
record these additions and updates. Additionally, it generates an Authentication
log for each request that matches an authentication rule. For centralized
monitoring and reporting, you can configure reports based on User-ID or
Authentication logs and forward these logs to Panorama or external services,
similar to how you handle other log types.
Configuring the Authentication Policy
Follow these steps to set up an Authentication policy for end users accessing
services through Captive Portal. Ensure that your Security policy allows user
access to the required services and URL categories that mandate
authentication:
Configure Captive Portal: If you are using Multi-Factor Authentication
(MFA) services for user authentication, you must enable the Mode to
Redirect.
Choose an Authentication Service: Configure the firewall to use one of
the following services for user authentication:
External Authentication Services: Create a Server Profile to define
how the firewall connects to the external service.
Local Database Authentication: Add user accounts to the local user
database on the firewall.
Kerberos Single Sign-On (SSO): Generate a Kerberos keytab for the
firewall. You can configure the firewall to use Kerberos SSO as the
primary authentication service. In cases of SSO failures, it can fall back
to an external service or local database authentication.
Configure an Authentication Profile: Create an optional Authentication
Profile and set up an Authentication Sequence for each group of users.
Establish Authentication policy rules that require the same authentication
services and settings.
Choose the Type of Authentication Service and Relevant Settings:
External Service: Select the Type of external server and choose the
corresponding Server Profile you created.
Configure Local Database Authentication by setting the Type to Local
Database. Add the Captive Portal users and user groups you have set up
in the Advanced settings.
Kerberos SSO: Define the Kerberos Realm and import the Kerberos
Keytab.
Configure an Authentication Enforcement object, which links each
Authentication Profile to a specific Captive Portal method; follow these
steps:
Navigate to Objects and access the Authentication section. Then, add a
new object.
Provide a Name to identify this object.
Choose an Authentication Method that corresponds to the
authentication service type you established in the Authentication Profile:
Browser challenge: select this method if you prefer the client's
browser to transparently handle the first authentication factor without
requiring the user to enter login credentials manually. To use this
method, you should configure Kerberos Single Sign-On (SSO) in the
Authentication Profile or NTLM authentication in the Captive Portal
settings. If the browser challenge fails, the firewall will use the web-
form method.
Web form: select this method if you want the firewall to display a Captive
Portal web form, prompting users to enter their login credentials.
Select the authentication profile you have previously configured.
Input a message to display on the Captive Portal web form, providing
instructions to users on how to authenticate for the initial authentication
factor.
Save the object by clicking OK.
To configure an Authentication policy rule, follow these steps:
Create a rule for each group of users, services, and URL categories that
require the same authentication services and settings.
Go to Policies and choose Authentication. Then, Add a new rule.
Give the rule a Name for identification.
Define the rule's parameters:
Select the source by adding specific zones and IP addresses, or choose
any zones or IP addresses.
Specify the user or user group to which the rule applies. The default is
set to any.
Select or add the Host Information Profiles the rule applies to (default
is any).
Set the Destination by adding specific zones and IP addresses or
selecting any zones or IP addresses.
Choose the service or service groups for which the rule controls access
(default is service-http).
Specify the URL categories for which the rule controls access (default
is any). You can create a custom URL category if needed.
Under Actions, select the Authentication Enforcement object you
previously created.
Define the Timeout period in minutes, during which the firewall
prompts the user to authenticate only once for repeated access to services
and applications.
Save the rule by clicking OK.
For Multi-Factor Authentication (MFA) configurations:
Customize the MFA login page, which the firewall displays for users to
authenticate additional MFA factors.
To verify that the firewall enforces your Authentication policy:
Log in to your network as one of the source users specified in an
Authentication policy rule.
Request a service or URL category matching the rule. The firewall will
display the Captive Portal web form for the first authentication factor.
End the session for the accessed service or URL.
Start a new session for the same service or application within the timeout
period specified in the Authentication rule.
The firewall will allow access without re-authentication.
(Optional): To maintain consistent timeouts for all users, distribute user
mappings and authentication timestamps to other firewalls that enforce the
Authentication policy.
The Authentication Sequence
When setting up user or administrative access, you must define one or more
authentication methods. A user or administrator profile typically includes an
Authentication Profile, which outlines the preferred authentication method. If
you require multiple methods, you can utilize an Authentication Sequence,
essentially a list of Authentication Profiles. The sequence attempts the first
profile first, and if it is unavailable, it moves on to the next option. An
Authentication Profile, in turn, links to a single Server Profile, which contains
the essential configuration and access details needed to establish a connection
with the external authentication service.
Figure 6-03: External Authentication Service
The device access method
Panorama Access Domains
Panorama access domains serve as a means to regulate the access of device
groups and template administrators. They determine which device groups they
can manage (including policies and objects), interact with templates (for
controlling network and device settings), and access the web interface of
managed firewalls through context switching. You can establish a maximum of
4,000 access domains and manage them locally or by utilizing RADIUS
Vendor-Specific Attributes (VSAs), TACACS+ VSAs, or SAML attributes.
Lab 6-01: Configure Authorization, Authentication, and Device
Access
Case Study
Cyber Innovations Inc. is a leading technology solutions provider specializing
in cybersecurity and network infrastructure. With a commitment to delivering
cutting-edge services, the company has rapidly expanded its operations to
serve a diverse clientele. Cyber Innovations Inc. operates in multiple regions,
with a focus on North America, Europe, and the Asia-Pacific region.
Cyber Innovations Inc. is a dynamic player in the technology sector, boasting
an impressive annual revenue of $250 million and a dedicated workforce of
1,200 employees. With a global footprint, the company has strategically
positioned offices and branches in major cities across North America, Europe,
and Asia-Pacific. This extensive geographical presence empowers Cyber
Innovations Inc. to meet its clients’ diverse and evolving global needs.
Whether serving clients in bustling North American tech hubs, European
financial centers, or the rapidly expanding markets of the Asia-Pacific region,
the company’s commitment to excellence remains unwavering, driving its
success in the highly competitive technology industry.
Business Challenge
Cyber Innovations Inc., a leading technology company, faces a critical
business challenge related to its network security infrastructure. The
organization operates two distinct LANs separated by a Palo Alto Firewall.
While LAN1 hosts Guest users, it poses a unique security concern. Guest users
typically do not adhere to the same security standards as internal users, making
LAN2 vulnerable to potential security breaches.
The challenge at hand is to safeguard LAN2 against unauthorized access or
attacks originating from LAN1, where Guest users may unknowingly introduce
security risks. Cyber Innovations Inc. recognizes the importance of securing
LAN2 to protect sensitive data and critical resources.
Solution
To address the pressing business challenge and enhance the security of LAN2,
Cyber Innovations Inc. has devised a comprehensive solution involving
Authorization, Authentication, and Device Access controls when Guest users
attempt to access LAN2 through the Palo Alto Firewall.
The first layer of defense involves strict authorization policies. When a Guest
user attempts to access resources on LAN2, they must go through an
authorization process. This process verifies the user’s identity, access purpose,
and required permissions. Only authorized users with a legitimate need to
access LAN2 are granted permission.
Implement robust authentication mechanisms to verify the identity of Guest
users. Multi-factor authentication (MFA) can also be employed to ensure that
only authorized users with valid credentials can proceed. This step adds an
extra layer of security by requiring users to provide more than one form of
authentication, such as a password and a temporary token.
To further mitigate risks, stringent controls can be applied to the devices used
by Guest users. Only devices that meet predefined security standards and
compliance requirements are allowed access to LAN2. The Palo Alto Firewall
actively scans and assesses devices for vulnerabilities and compliance before
granting access.
By implementing these measures, you can significantly reduce the security
risks associated with Guest users on LAN1 accessing LAN2. This proactive
approach to network security ensures that only authorized, authenticated, and
compliant users and devices can access LAN2, effectively preventing potential
security breaches and safeguarding critical resources.
Follow the steps to complete the lab:
1. Configure Local User
2. Configure Authentication Profile
3. Configure Management Interface
4. Configure Ethernet Interface
5. Configure the Zones
6. Configure the Policy Rule
7. Commit
Figure 6-04: Configure Authorization, Authentication and Device Access
1. Configure Local User
1. Navigate to Device > Local User Database > Users
Click the Add button to add a new user.
2. Enter Guest in the Name, select Password as the Mode, and enter
passwords in the Password and Confirm Password fields. Check the
Enable box and click OK to save it.
2. Configure Authentication Profile
1. Navigate to Device > Authentication Profile
Click the Add button to add an Authentication Profile.
2. Enter Auth_Profile in the Name field.
3. Under the Advanced tab, add the Guest user in the Allow List. Click
the OK button.
3. Configure Management Interface
1. Navigate to Network > Network Profiles > Interface Mgmt
Click the for-mgmt management profile to edit it.
2. Enter Captive-mgmt-profile as the Name. Checkmark the Ping,
Response Pages, and User ID checkboxes. Click the OK button.
4. Configure Ethernet Interface
1. Navigate to Network > Interface
Click the interface ethernet1/1 to edit it.
2. Under the Advanced tab, click the Other Info tab, select the
previously created Captive-mgmt-profile, and click the OK button.
5. Configure the Zones
1. Navigate to Network > Zones
Click the LAN 1 Zone to edit it.
2. Checkmark the Enable User Identification checkbox. Click the OK
button.
6. Configure the Policy Rule
1. Navigate to Policies > Authentication
Click the Add button to add a new Policy Rule.
2. Under the General tab, enter Captive-Policy as the Name.
3. Under the Source tab, add the LAN 1 Zone as the Source Zone.
4. Under the Destination tab, add the LAN 2 Zone as the Destination
Zone.
5. Under the Actions tab, select the default-web-form in the
Authentication Enforcement field. Click the OK button.
7. Commit
Click the Commit button to save the configuration.
Configure and Manage Certificate
A certificate is a digital document that binds a public key to an identity.
Certificates are used to secure communication over the Internet by verifying
the parties' identity.
Usage
Certificate Background
In cryptography, a public key certificate (also called a digital or identity
certificate) is a document used to establish public key ownership. This
certificate encompasses details
about the key and information regarding the identity of the key's owner
(referred to as the subject). It is adorned with a digital signature from an entity
that has verified the certificate's contents (known as the issuer). When the
signature is validated, and the software examining the certificate trusts the
issuer, the software can then utilize the key to engage in secure communication
with the certificate's subject.
In various encryption applications such as email encryption, code signing, and
e-signature systems, the subject of a certificate is often a person or an
organization. However, in the Transport Layer Security (TLS) context, a
certificate's subject typically pertains to a computer or other device.
Nonetheless, TLS certificates may also identify organizations or individuals
alongside their primary role in identifying devices. It is worth noting that TLS,
previously known as SSL, plays a crucial role in HTTPS, a protocol designed
to secure web browsing. In a typical Public Key Infrastructure (PKI)
framework, a Certificate Authority (CA) usually issues certificates. CAs are
often commercial entities that charge customers for issuing certificates on their
behalf. However, CAs can also be established and managed by individuals and
organizations seeking certificates for internal purposes.
The primary responsibility of a CA is to sign certificates, essentially acting as a
trusted third party that facilitates introductions between different entities. A
CA receives certificate requests from subscribers, which can be individuals or
organizations, verifies the provided information, and, based on this
verification, may sign an end-entity certificate. To perform this role effectively,
a CA must possess one or more widely trusted root or intermediate certificates
and their corresponding private keys. This broad trust can be established by
including the CA's root certificates in widely used software or by obtaining
cross-signatures from other CAs, thereby delegating trust.
The certificate recipient is responsible for verifying the information contained
within it. One crucial verification step involves confirming that the certificate
was indeed issued by the Certificate Authority (CA), whose information is in
the certificate. This verification hinges on the CA's signing key, part of its Root
Certificate. The Root Certificate is used to sign all the certificates issued by the
CA. To run this validation test successfully, the recipient must have access to
the CA's Root Certificate, typically stored locally. These CA Root Certificates
are often retained in local certificate caches managed by the operating system,
browsers, or other software. The firewall also maintains a cache of CA Root
Certificates.
CAs are also responsible for keeping current revocation information about the
certificates they issue, indicating whether those certificates are still valid or
have been revoked. This information is available through the Online
Certificate Status Protocol (OCSP) or certificate revocation lists.
Figure 6-05: CA Root Certificate Cache
Profiles
Certificate profiles play a significant role in defining user and device
authentication across various applications, including Authentication Portal,
Multi-Factor Authentication (MFA), GlobalProtect, site-to-site IPsec VPN,
external dynamic list validation, Dynamic DNS, User-ID agent, Terminal
Services agent access, and web interface access to Palo Alto Networks
firewalls and Panorama. These profiles specify which certificates to use, how
to verify the certificate's revocation status, and how this status affects access.
For each application, it is necessary to configure a specific certificate profile.
EXAM TIP: A recommended best practice is to enable both Online
Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL)
status verification in certificate profiles. It ensures thorough validation of
certificates to confirm they have not been revoked. By enabling both OCSP
and CRL, you establish a robust approach. In situations where the OCSP
server might be inaccessible or encounter issues, the firewall will
seamlessly switch to utilizing CRL for certificate status verification,
enhancing the overall reliability of the validation process.
Chains
Not all websites adhere to the complete certificate chain requirement, as
outlined in the TLSv1.2 standard (RFC 5246). It mandates authenticated
servers to provide a valid certificate chain leading back to a recognized
Certificate Authority (CA). When you enable decryption and apply a Forward
Proxy Decryption Profile that allows blocking sessions involving untrusted
issuers in the decryption policy, and if an intermediate certificate is absent
from the certificate list provided by the website's server to the firewall, the
firewall encounters a challenge. It cannot construct the certificate chain up to
the top-level (root) certificate.
In such instances, the firewall will present its forward untrust certificate to the
client because it lacks the necessary intermediate certificate to establish trust
up to the root certificate level.
If there is a critical need to communicate with a specific website for business
purposes, that website has one or more missing intermediate certificates, and
the decryption policy is set to block sessions involving untrusted issuers, you
have the option to locate and download the missing intermediate certificate.
Once obtained, you can install it on the firewall, designating it as a trusted root
CA. By doing so, the firewall will trust the website's server. An alternative
approach is to contact the website's owner and request that they configure their
server to include the intermediate certificate in the handshake process.
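The missing-intermediate failure described above, reproduced with the openssl CLI as an added example (not from the study guide). It builds a constructed root CA, intermediate CA and server certificate, then validates the server certificate three ways: with no intermediate presented (the untrusted-issuer case in which the firewall falls back to its forward untrust certificate), with the intermediate supplied in the handshake, and with the intermediate installed as a locally trusted CA, the workaround the text describes. It also shows the issuer-signature and root-trust checks from the Certificate Background section; openssl 1.1.1 or later is assumed.

```shell
#!/bin/sh
# Added example (not from the study guide). Requires the openssl CLI (1.1.1 or
# later); every certificate, key and name below is constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a three-tier chain: root CA -> intermediate CA -> server certificate.
make_pki() {
  # Extensions for the CA certificates and for the server (end-entity) certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/srv_ext.cnf"

  # Root CA: self-signed. Its public key is what a verifier must already trust.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/root.key" -out "$WORK/root.csr" \
    -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 365 \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA: its certificate carries the root's signature.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/int.key" -out "$WORK/int.csr" \
    -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 365 -extfile "$WORK/ca_ext.cnf" -out "$WORK/int.pem" >/dev/null 2>&1

  # Server certificate: signed by the intermediate, which the server should send.
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/srv.key" -out "$WORK/srv.csr" \
    -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/srv.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 365 -extfile "$WORK/srv_ext.cnf" -out "$WORK/srv.pem" >/dev/null 2>&1
}

# Case 1: the server sends only its own certificate. The verifier trusts the root
# but holds no intermediate, so the chain cannot be built up to the root; this is
# the situation in which the firewall presents its forward untrust certificate.
verify_without_intermediate() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" "$WORK/srv.pem" >/dev/null 2>&1
}

# Case 2: the server includes the intermediate in the handshake (-untrusted is how
# openssl takes certificates presented by the peer). The chain now reaches the root.
verify_with_intermediate() {
  openssl verify -no-CAfile -no-CApath -CAfile "$WORK/root.pem" \
    -untrusted "$WORK/int.pem" "$WORK/srv.pem" >/dev/null 2>&1
}

# Case 3: the administrator downloads the intermediate and installs it as a trusted
# CA (the workaround in the text). -partial_chain lets trust end at that CA instead
# of requiring a self-signed root.
verify_trusting_intermediate() {
  openssl verify -no-CAfile -no-CApath -partial_chain -CAfile "$WORK/int.pem" \
    "$WORK/srv.pem" >/dev/null 2>&1
}

# report LABEL FUNCTION: print whether the chain validates for that case.
report() {
  if "$2"; then echo "$1: chain OK"; else echo "$1: chain FAILS (untrusted issuer)"; fi
}

make_pki
report "server cert only, root trusted      " verify_without_intermediate
report "intermediate sent in handshake      " verify_with_intermediate
report "intermediate installed as trusted CA" verify_trusting_intermediate
```

Drop the `>/dev/null 2>&1` on the verify commands to see openssl's own reason string ("unable to get local issuer certificate") for the failing case, which is the same condition the firewall reports as an untrusted issuer.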
Lab 6-02: Configure and Manage Certificates
Case Study
Cyber Innovations Inc. is a leading technology solutions provider specializing
in cybersecurity and network infrastructure. With a commitment to delivering
cutting-edge services, the company has rapidly expanded its operations to
serve a diverse clientele. Cyber Innovations Inc. operates in multiple regions,
with a focus on North America, Europe, and the Asia-Pacific region.
Cyber Innovations Inc. is a dynamic player in the technology sector, boasting
an impressive annual revenue of $250 million and a dedicated workforce of
1,200 employees. With a global footprint, the company has strategically
positioned offices and branches in major cities across North America, Europe,
and Asia-Pacific. This extensive geographical presence empowers Cyber
Innovations Inc. to meet its clients’ diverse and evolving global needs.
Whether serving clients in bustling North American tech hubs, European
financial centers, or the rapidly expanding markets of the Asia-Pacific region,
the company’s commitment to excellence remains unwavering, driving its
success in the highly competitive technology industry.
Business Challenge
Cyber Innovations Inc., a prominent technology company, faces a significant
business challenge related to its network connectivity. The organization
maintains two distinct LANs, separated by a Palo Alto Firewall. While LAN1
accommodates users, an issue has emerged where a user attempting to access
LAN2 through the Firewall encounters an error message regarding an insecure
connection.
This challenge disrupts seamless communication and user experience,
potentially hampering productivity. Cyber Innovations Inc. recognizes the need
to resolve this issue promptly to ensure secure and uninterrupted access
between LAN1 and LAN2.
Solution
To address the pressing business challenge and enable secure and error-free
connections between LAN1 and LAN2, Cyber Innovations Inc. has devised a
solution involving creating and managing a Secure Socket Layer (SSL)
Certificate on the Palo Alto Firewall.
The first step in the solution involves generating an SSL certificate specifically
designed for the Palo Alto Firewall. This SSL certificate serves as a digital
identity for the Firewall, enabling secure communication between users and
the Firewall itself.
Effective management of the SSL certificate is crucial for ongoing security. By
implementing a robust certificate management process, you need to ensure that
the certificate is valid and up-to-date. This includes monitoring the certificate’s
expiration date and renewing it when necessary to prevent disruptions in
secure connections.
The certificate is bound to the management interface through an SSL/TLS Service Profile (the General Settings step of this lab), so that the firewall presents ServerCert when users from LAN1 connect to it on their way to LAN2. Clients must also trust the issuing RootCert, which is why the lab exports it in PEM format for import into the clients' trust stores; without that step the browser still warns, because a CA generated on the firewall is unknown to it.
By creating and managing an SSL Certificate on the Palo Alto Firewall, Cyber
Innovations Inc. successfully eliminates the business challenge of insecure
connection errors when users from LAN1 access LAN2. This solution
enhances the user experience and ensures that data transmission remains
confidential and secure.
Follow the steps to complete the lab:
1. Configure Certificates
2. Configure SSL/TLS Service Profile
3. Configure General Management
4. Commit
5. Export the Certificates
Figure 6-06: Create and Manage Certificates
1. Configure Certificates
1. Navigate to Device > Certificate Management > Certificates
Click the Generate button to generate a certificate.
2. Enter RootCert in the Certificate Name and the IP address 10.1.1.100 in the
Common Name, and select the Certificate Authority checkbox. Add the IP and
Country in the Certificate Attributes. Click the Generate button.
3. Click the certificate you created in the previous step, select the Trusted
Root CA checkbox, and click the OK button.
4. You can see the previously created RootCert. Click on the Generate
button to generate another certificate.
5. Enter ServerCert in the Certificate Name and the IP address 10.1.1.1 in the
Common Name, and select RootCert in the Signed By menu. Add the IP 10.1.1.1
(the host address clients connect to; the IP attribute is a single Subject
Alternative Name address, not a /24 prefix) and Country US in the Certificate
Attributes. Click the Generate button.
2. Configure SSL/TLS Service Profile
1. Navigate to Device > Certificate Management > SSL/TLS Service
Profile
Click on the Add button to add a new profile.
2. Enter SSL/TLS Service Profile in the Name field. Select the ServerCert
in the Certificate menu. Click the OK button.
3. Configure General Management
1. Navigate to Device > Setup
Under the Management tab, click the General Settings Edit icon to edit it.
2. Select the SSL/TLS Service Profile in the SSL/TLS Service Profile
option. Click the OK button.
4. Commit
Click the Commit button to save the configuration.
5. Export the Certificates
1. Navigate to Device > Certificate Management > Certificates
Select RootCert and click the Export Certificate button to export it to your
computer. This is the certificate clients need in their trust stores so that
they accept ServerCert.
2. Select the Base64 Encoded Certificate (PEM) File Format and click the OK
button. Leave Export Private Key unselected: clients only need the public CA
certificate, and the private key of a CA should never leave the firewall.
Mind Map
Figure 6-07: Mind Map of Firewall Configuration
Practice Questions
1. When does a firewall verify the existence of the bootstrap volume?
A. Each time it cold boots
B. Whenever it initiates a boot from a factory default state
C. When a firewall is launched in maintenance mode
D. Each time it warm boots
2. In which directory within the bootstrap volume can you find a
necessary dynamic update file?
A. /content folder
B. /license folder
C. /software folder
D. /config folder
3. What are the three key configuration elements that need to be
handled when setting up multi-factor authentication for users accessing
services via the firewall?
A. GlobalProtect Portal
B. Captive Portal
C. Authentication Enforcement Profile
D. Authentication Profile
E. Response pages
4. Which of the following is NOT a supported deployment mode for
active/passive HA?
A. Virtual wire
B. Layer 2
C. Layer 3
D. DHCP client
5. Which specific firewall configuration component is utilized to set up
access to an external authentication service?
A. Local user database
B. Server profiles
C. VM information source
D. Admin roles
E. Authentication policy rules
6. Which of the following is a key difference between active/passive
and active/active HA?
A. Active/passive HA supports Layer 2 deployments, while
active/active HA does not.
B. Active/active HA requires more complex network design and
configuration.
C. Active/active HA provides faster failover and can handle peak
traffic flows better.
D. All of the above.
7. What two firewall functions are exclusively available to
administrators with the superuser dynamic role?
A. Managing certificates
B. Managing firewall admin accounts
C. Editing the management interface settings.
D. Creating virtual systems within a firewall.
E. Entering the configuration mode of the CLI.
8. In active/active HA mode, both firewalls in the pair are active,
process traffic, and work synchronously to handle ______________.
A. Session setup and session ownership
B. Routing table maintenance
C. DHCP relay
D. All of the above
9. Which of the following is a benefit of active/active HA?
A. It provides faster failover and can handle peak traffic flows better.
B. It allows each firewall to have its routing instances.
C. It requires less complex network design and configuration.
D. All of the above.
10. Which term refers to a provisioning method that requires minimal
manual intervention and is designed for seamless and automated
deployment?
A. Zero-Transition Protocol
B. Zero-Touch Provisioning
C. Zero-Tolerance Policy
D. Zero-Traffic Processing
11. Which component allows Palo Alto Networks firewalls to
configure themselves during the first boot automatically?
A. ZTP installer account
B. Bootstrap package
C. HA2 connection
D. Dynamic updates
12. What is the primary purpose of bootstrapping for Palo Alto
Networks firewalls?
A. Managing network policies
B. Automatic configuration during the first boot
C. Software updates
D. Licensing management
13. Which component is used to create a package with the model
configuration for a network in VM-Series bootstrapping?
A. Panorama device certificate
B. VM auth key
C. Bootstrap package
D. External storage volume
14. In the context of certificates, what is the primary purpose of a
Certificate Authority (CA)?
A. Certificate verification
B. Certificate revocation
C. Certificate issuance
D. Certificate encryption
15. In active/passive HA mode, when does the passive firewall
transition to the active state?
A. Randomly
B. Immediately upon deployment
C. When a configuration change is made
D. When the active firewall fails
Chapter 07: Routing and NAT
Introduction
A deep understanding of routing and Network Address Translation (NAT) is
paramount in the ever-evolving landscape of network security and
administration. These foundational concepts are essential for the Palo Alto
Networks Certified Network Security Engineer (PCNSE) certification and
form the backbone of secure and efficient network management.
In this chapter, you will understand:
Focus on Routing and NAT
Critical roles in safeguarding network infrastructure
Routing benefits like:
Enables efficient data transfer.
Facilitates seamless communication.
Supports resource sharing among network devices.
NAT Insights:
Crucial mechanism for conserving IP addresses.
Hides internal addressing from the public Internet, which limits what an outside observer can learn about the network.
Complements, but does not replace, Security policy: what is allowed through the firewall is still decided by the Security rulebase, not by NAT.
Configuring Routing
Configuring routing involves setting up pathways for efficient data transfer
within a network. This includes defining rules, protocols, and parameters to
manage traffic effectively, optimizing the communication between network
devices.
Dynamic Routing
Dynamic routing adapts in real-time to network changes. Protocols like
OSPF and BGP enable routers to automatically adjust and optimize routing
paths, enhancing network efficiency in large and dynamic environments.
Traffic Forwarding
All traffic that reaches the firewall takes one of two paths: it is either delivered to an internal firewall process (destination traffic, for example a management session or a routing protocol adjacency that terminates on the firewall) or passed through a traffic interface (transit traffic). Transit traffic is always forwarded to the egress interface by a traffic-handling entity that matches the interface type: VLAN objects handle Layer 2 traffic, virtual routers handle Layer 3 traffic, and virtual wires handle virtual wire interfaces.
Figure 7-01: Traffic Forwarding
Several traffic handler types can run at the same time, in whatever quantities the deployment needs, and each has configuration options specific to the protocols it handles. Legacy virtual routers can enable a range of dynamic routing protocols as required. The Advanced Route Engine supports dynamic routing with the Border Gateway Protocol (BGP) and handles static routes.
Figure 7-02: Router Settings
Every Layer 3 dynamic routing protocol comes with its own tailored
configuration choices. Here is an example of the Open Shortest Path First
(OSPF) protocol within the Legacy Route Engine:
Figure 7-03: Open Shortest Path First (OSPF) protocol
IPsec tunnels are treated as Layer 3 segments: a tunnel interface belongs to a virtual router like any other Layer 3 interface, and traffic enters the tunnel because a route lookup on the destination address selects the tunnel interface (route-based VPN), not because a VPN policy matched it.
Routing Configuration
PAN-OS offers support for various routing protocols such as static routes,
BGP, OSPF, Routing Information Protocol (RIP), and multicast routing, and
these can be configured in two routing engines. However, only one of these
routing engines can be active at a given time.
The Legacy Routing Engine continues the virtual routing features from
previous PAN-OS versions, allowing for multiple dynamic routing protocols
and accommodating multiple virtual routing instances, with the maximum
number determined by the specific firewall model. On the other hand, the
Advanced Routing Engine exclusively supports BGP and static routes, and it
can manage a single virtual router instance, irrespective of the firewall
model. There are limitations on the number of entries in both the forwarding
tables (Forwarding Information Bases [FIBs]) and the routing tables
(Routing Information Bases [RIBs]) for either routing engine.
The configuration of virtual routers is designed to align with the existing
routing infrastructure. In addition to protocol setup, Redistribution Profiles
can facilitate protocol compatibility.
Figure 7-04: Virtual Router Instance
Figure 7-05: Virtual Router- Static Route
Figure 7-06: Area ID
Figure 7-07: Static Routes
Virtual Routers
The firewall has two routing engines, but only one can be active at any given
time. The default option is the Legacy Route Engine, which carries over
from previous PAN-OS versions. This engine can handle BGP, OSPF,
OSPFv3, and RIP dynamic routing protocols, as well as static routes, route
monitoring, and Redistribution Profiles. Multiple virtual router instances can
be created and managed concurrently when using the Legacy Route Engine.
In select firewall models, there is also the option of the Advanced Route
Engine, which exclusively supports the BGP dynamic routing protocol along
with static routes. However, the Advanced Route Engine allows for just a
single virtual router instance. Switching between routing engine types
necessitates a firewall reboot.
Firewalls employing the Advanced Route Engine are best suited for larger
data centers, enterprises, ISPs, and cloud services.
Administrative Distance
In the virtual router setup, adjust the administrative distances for route types as your network requires. When a virtual router learns several routes to the same destination from different sources (routing protocols and static routes), it uses administrative distance to choose among them, preferring the lowest distance. Distance is compared before the protocol metric, so with the default values a static route (distance 10) is preferred over an OSPF internal route (distance 30) to the same prefix even if the OSPF path is shorter; raise the static route's distance if you want the dynamic route to win.
ECMP Routing
Equal-Cost Multi-Path (ECMP) processing lets the firewall use as many as four equal-cost routes to a given destination. Without it, a virtual router installs only one route from the routing table into the forwarding table for each destination; the other routes stay unused unless the chosen route fails.
Enabling ECMP on a virtual router lets the firewall install up to four equal-cost routes to a destination in its forwarding table, which allows it to:
● Distribute the load of flows (sessions) to the same destination across multiple equal-cost links.
● Use all the available bandwidth on the links leading to the same destination, instead of leaving some links idle.
● Shift traffic to another ECMP member for the same destination as soon as a link fails, without waiting for the routing protocol or the RIB to select an alternative route. This reduces downtime and improves network reliability.
Note that enabling or disabling ECMP on an existing virtual router restarts that virtual router, which can terminate sessions, so schedule the change for a maintenance window.
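Route selection with administrative distance and ECMP, as an added Python example (not code from the study guide or from PAN-OS). The distance table uses the PAN-OS virtual router defaults as recalled here (static 10, eBGP 20, OSPF internal 30, OSPF external 110, RIP 120, iBGP 200); confirm them on your firewall under the virtual router's General settings before relying on them. The RIB entries are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed PAN-OS virtual router defaults; verify on your firewall.
DEFAULT_DISTANCE = {
    "static": 10, "ebgp": 20, "ospf-int": 30,
    "ospf-ext": 110, "rip": 120, "ibgp": 200,
}
ECMP_MAX_PATHS = 4


def rib_entry(prefix, protocol, nexthop, metric=0, distance=None):
    """A RIB route; distance defaults to the protocol's administrative distance."""
    return {
        "prefix": ip_network(prefix), "protocol": protocol, "nexthop": nexthop,
        "metric": metric,
        "distance": DEFAULT_DISTANCE[protocol] if distance is None else distance,
    }


def build_fib(rib, ecmp=False, max_paths=ECMP_MAX_PATHS):
    """Pick the best route(s) per prefix: lowest distance wins, then lowest
    metric among the survivors. Without ECMP exactly one route is installed;
    with ECMP up to max_paths equal-cost routes go into the FIB."""
    by_prefix = defaultdict(list)
    for route in rib:
        by_prefix[route["prefix"]].append(route)
    fib = {}
    for prefix, routes in by_prefix.items():
        best_distance = min(r["distance"] for r in routes)
        cands = [r for r in routes if r["distance"] == best_distance]
        best_metric = min(r["metric"] for r in cands)
        cands = sorted((r for r in cands if r["metric"] == best_metric),
                       key=lambda r: r["nexthop"])
        fib[prefix] = cands[:max_paths] if ecmp else cands[:1]
    return fib


def lookup(fib, dst):
    """Longest-prefix match; returns the list of usable next hops."""
    addr = ip_address(dst)
    matches = [p for p in fib if addr in p]
    if not matches:
        return []
    best = max(matches, key=lambda p: p.prefixlen)
    return [r["nexthop"] for r in fib[best]]


# Constructed RIB: two equal-cost OSPF paths and a RIP path to one prefix,
# a more specific static route, and a static default route.
SAMPLE_RIB = [
    rib_entry("0.0.0.0/0", "static", "203.0.113.1"),
    rib_entry("10.20.0.0/16", "ospf-int", "10.1.1.2", metric=20),
    rib_entry("10.20.0.0/16", "ospf-int", "10.1.1.3", metric=20),
    rib_entry("10.20.0.0/16", "ospf-int", "10.1.1.4", metric=30),  # worse metric
    rib_entry("10.20.0.0/16", "rip", "10.1.1.5", metric=2),         # loses on distance
    rib_entry("10.20.5.0/24", "static", "10.1.1.9"),
]

if __name__ == "__main__":
    for ecmp in (False, True):
        fib = build_fib(SAMPLE_RIB, ecmp=ecmp)
        print(f"ECMP {'on' if ecmp else 'off'}: "
              f"10.20.9.1 -> {lookup(fib, '10.20.9.1')}, "
              f"10.20.5.7 -> {lookup(fib, '10.20.5.7')}, "
              f"8.8.8.8 -> {lookup(fib, '8.8.8.8')}")
```

Note that the RIP route never reaches the FIB however good its metric is, because distance is compared first; and the /24 static route wins for 10.20.5.7 by longest prefix, not by distance, since prefix length is decided at lookup time rather than when the FIB is built.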
Redistribution Profiles
Route Redistribution
Route redistribution on the firewall involves the process of taking routes
acquired by the firewall from one routing protocol, a static route, or a
connected route and making them accessible to a different routing protocol.
This, in turn, broadens the range of networks that can be reached. Without
route redistribution, a router or virtual router only shares routes with other
routers using the same routing protocol.
You can redistribute IPv4 or IPv6 BGP, connected, or static routes into the OSPF RIB, and likewise OSPFv3, connected, or static routes into the BGP RIB.
Route redistribution lets you extend the reach of networks that were previously available only through static routes configured by hand on specific routers; those networks become reachable from BGP autonomous systems or OSPF areas. You can also advertise locally connected routes, such as the route to a private lab network, into BGP autonomous systems or OSPF areas. Filter what you redistribute: a Redistribution Profile that matches every connected and static route and exports it into BGP advertises your entire internal address plan to the peer, so match only the prefixes that users of the other protocol actually need.
For example, if you wish to grant internal OSPFv3 network users access to
BGP for internet device connectivity, you can redistribute BGP routes into
the OSPFv3 RIB. Conversely, if you want external users to access certain
portions of your internal network, you can make internal OSPFv3 networks
accessible through BGP by redistributing OSPFv3 routes into the BGP RIB.
Static Routes
Static routes are typically employed alongside dynamic routing protocols. In
most cases, static routes are configured for destinations that a dynamic
routing protocol cannot reach.
Route Monitoring
When you set up path monitoring for a static route, the firewall utilizes this
feature to identify instances where the route to the monitored destination
becomes unavailable. Subsequently, the firewall redirects traffic by
employing alternative routes.
Policy-Based Forwarding
Normally the firewall uses the destination IP address in a packet to choose the egress interface, by looking the address up in the routing table of the virtual router that the ingress interface belongs to. Policy-Based Forwarding (PBF) overrides that routing table lookup and lets you define the criteria for egress interface selection yourself, such as source address, destination address, or traffic type.
When you create a PBF rule, you must specify:
● A unique name for the rule.
● Either a source zone or a source interface.
● An egress interface.
Source and destination addresses can be given as an IP address, an address object, or a Fully Qualified Domain Name (FQDN). Application-based PBF rules are not recommended, because a PBF rule is applied to the first packet of a session, before the firewall has identified the application; until App-ID completes, such a rule cannot match reliably.
Virtual Routers VS Logical Routers
Virtual Routers
Layer 3 interfaces and their corresponding virtual routers represent the most
commonly utilized deployment options. A virtual router, essentially a
firewall function, engages in Layer 3 routing. These virtual routers play a
crucial role in enabling the firewall to acquire routes to various subnets,
which can be done either manually through static route configuration or by
participating in one or more Layer 3 routing protocols (dynamic routes). The
routes the firewall gathers through these methods populate the IP Routing
Information Base (RIB) within the firewall.
When a packet needs to reach a different subnet than the one it arrived on,
the virtual router consults the RIB to determine the best route, places it in the
Forwarding Information Base (FIB), and subsequently forwards the packet
to the next hop router as defined in the FIB. The firewall employs Ethernet
switching for communication with other devices on the same IP subnet. An
exception to including only a single optimal route in the FIB is when Equal-
Cost Multi-Path (ECMP) is used, in which case all equal-cost routes are
added to the FIB.
Ethernet, VLAN, and tunnel interfaces on the firewall are designated to
receive and forward Layer 3 packets. The destination zone is determined by
the outgoing interface based on specific forwarding criteria, and the firewall
evaluates policy rules to determine the applicable security policies for each
packet. Furthermore, virtual routers, besides routing to other network
devices, have the capacity to route to other virtual routers within the same
firewall if a next hop is specified to point to another virtual router.
Incorporating Layer 3 interfaces into a virtual router allows them to engage
with dynamic routing protocols like BGP, OSPFv2, OSPFv3, or RIP, as well
as the addition of static routes with the routing protocol configured in the
routing engine. Within the Legacy Route Engine, you can create multiple virtual routers, each maintaining an independent set of routes that is not shared with the others, which lets you configure distinct routing behaviors for different interfaces.
It is important to note that every Layer 3 Ethernet, loopback, VLAN, and
tunnel interface on the firewall must be associated with a virtual router.
Although each interface can belong to just one virtual router, you have the
flexibility to configure multiple routing protocols and static routes for a
given virtual router.
In Legacy Route Engine cases, a firewall can host more than one router
instance, with the maximum capacity varying by model. Each interface can
be linked to a single virtual router at any given time. Virtual routers are
capable of routing directly to one another within the firewall, enhancing
network flexibility and connectivity.
Logical Routers
The firewall leverages logical routers to access Layer 3 routes to different
subnets. This access can be established through manual static route
definitions or by participating in one or more Layer 3 routing protocols,
known as dynamic routes. The routes acquired by the firewall using these
methods populate the IP Routing Information Base (RIB) within the firewall.
When a packet is destined for a different subnet than the one it initially
arrived on, the logical router seeks the best route within the RIB, transfers it
to the Forwarding Information Base (FIB), and forwards the packet to the
next hop router designated in the FIB. The firewall employs Ethernet
switching to reach other devices residing on the same IP subnet. An
exception to the rule of adding just one best route to the FIB occurs in the
case of Equal-Cost Multi-Path (ECMP), where all equal-cost routes are
included in the FIB.
Ethernet, VLAN, and tunnel interfaces that are defined on the firewall are
tasked with receiving and forwarding Layer 3 packets. The destination zone
is determined based on the outgoing interface, guided by specific forwarding
criteria. The firewall then refers to policy rules to determine the appropriate
Security policies to apply to each packet. Beyond their role in routing to
other network devices, logical routers can also route to other logical routers
within the same firewall, provided a next hop is designated to point to
another logical router.
For the configuration of Layer 3 interfaces, you have the flexibility to enable
their participation in dynamic routing protocols like BGP, OSPF, OSPFv3, or
RIP and to add static routes as needed. Additionally, you can establish
multiple logical routers, each maintaining a distinct set of routes not shared
among logical routers. This allows for the configuration of varying routing
behaviors for different interfaces.
To enable dynamic routing between one logical router and another, you can
set up a loopback interface within each logical router, create a static route
connecting the two loopback interfaces, and then configure a dynamic
routing protocol to establish communication between these two interfaces.
In summary, every Layer 3 Ethernet, loopback, VLAN, and tunnel interface on the firewall must be associated with a logical router. Although each interface can belong to only one logical router, you can configure multiple routing protocols and static routes for a given logical router. Regardless of the specific static routes or dynamic routing protocols configured for a logical router, there is a fundamental configuration requirement.
Configure NAT
NAT Policy Rules
Network Address Translation (NAT) enables the organization to employ
internal IP addresses that remain hidden from the public Internet. NAT rules
consider source and destination zones, source and destination addresses, and
specific application services, such as HTTP. Like Security policy rules, NAT
policy rules are sequentially assessed when dealing with incoming traffic,
and the first rule that aligns with the traffic conditions is implemented.
Security Rules
A Security policy serves as a means to implement rules and actions, offering
the flexibility to be either broad or highly specific. These policy rules are
sequentially assessed when confronted with incoming traffic. It is important
to note that the first rule that aligns with the incoming traffic's conditions
takes precedence, making it imperative for more precise rules to precede
more general ones. For example, a rule for a particular application should
come before one encompassing all applications, provided all other traffic-
related settings remain consistent.
Security policy rules are matched from the top of the rulebase to the bottom, in two steps. Step 1 checks whether the traffic satisfies the matching conditions of the rule. Step 2 applies only if it does: the traffic is logged according to that rule's log settings, and the rule's action (allow, deny, drop, or reset) is executed. No further rules in the Security policy rulebase are evaluated after a match.
Security Rule Actions
You can apply the following actions to traffic that aligns with the attributes
specified in a security policy:
Table 7-01: Security rule Actions
Source NAT
Internal users typically employ Source NAT when connecting to the internet
to ensure that their source addresses are translated and kept confidential.
Source NAT encompasses three primary types: Dynamic IP and Port (DIPP),
dynamic IP, and static IP.
DIPP
Dynamic IP and Port (DIPP) lets multiple hosts translate their source IP addresses to the same public IP address while being distinguished by different source port numbers. The translated address is taken from the NAT address pool, which can be a single IP address, an address range, a subnet, or a combination of these. Alternatively, DIPP can use the address of the egress interface itself; the benefit of naming the interface in the NAT rule is that the rule automatically follows any address the interface later acquires (for example through DHCP).
DIPP is sometimes called interface-based NAT or network address port translation (NAPT). It has a default NAT oversubscription rate, which is the number of times the same translated IP address and port pair can be in use concurrently (for sessions to different destinations).
Dynamic IP
Dynamic IP involves the one-to-one, dynamic transformation of a source IP
address without the inclusion of port numbers. This transformation leads to
the utilization of the next available address within the NAT address pool. It
is important to ensure that the size of the NAT pool matches the number of
internal hosts that necessitate address translations. As a default
configuration, if the source address pool happens to be larger than the NAT
address pool and all the NAT addresses are eventually allocated, any new
connections requiring address translation will be rejected. To modify this
default behavior, the Advanced (Dynamic IP/Port Fallback) option can be
activated to enable the utilization of DIPP addresses when needed. In either
case, as existing sessions conclude and the addresses within the pool become
vacant, they can be assigned to facilitate the translation of new connections.
Dynamic IP NAT also provides the flexibility for you to reserve dynamic IP
NAT addresses as needed.
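The pool-exhaustion and fallback behaviour described above, as an added Python example (not code from the study guide or from PAN-OS). DynamicIpPool is a model of the allocation logic with constructed addresses; the real firewall tracks these mappings per session in its NAT tables, and the fallback port numbering here is an assumption made for illustration.

```python
from ipaddress import ip_network


class DynamicIpPool:
    """Model of a Dynamic IP source NAT pool (constructed example)."""

    def __init__(self, pool_cidr, dipp_fallback_ip=None, dipp_first_port=1024):
        # Translated addresses available for one-to-one mapping, in order.
        self.free = [str(ip) for ip in ip_network(pool_cidr).hosts()]
        self.in_use = {}                     # original source IP -> translated IP
        self.fallback_ip = dipp_fallback_ip  # set when Dynamic IP/Port Fallback is enabled
        self.next_port = dipp_first_port

    def translate(self, src_ip, src_port):
        """Return (translated IP, translated port) for a new session, or None
        when the pool is exhausted and no fallback is configured. Dynamic IP
        keeps the original source port; only the DIPP fallback rewrites it."""
        if src_ip in self.in_use:            # host already holds an address
            return self.in_use[src_ip], src_port
        if self.free:
            translated = self.free.pop(0)    # next available address in the pool
            self.in_use[src_ip] = translated
            return translated, src_port
        if self.fallback_ip is None:
            return None                      # default behaviour: new connection rejected
        port = self.next_port                # fallback: hosts share one IP, distinct ports
        self.next_port += 1
        return self.fallback_ip, port

    def release(self, src_ip):
        """Called when a host's last session ends: its address returns to the pool."""
        translated = self.in_use.pop(src_ip, None)
        if translated is not None:
            self.free.append(translated)
        return translated


def demo():
    """Walk three hosts through a two-address pool, with and without fallback."""
    results = {}
    pool = DynamicIpPool("203.0.113.8/30")                 # .9 and .10 usable
    results["h1"] = pool.translate("10.0.0.1", 40000)
    results["h2"] = pool.translate("10.0.0.2", 40001)
    results["h3_rejected"] = pool.translate("10.0.0.3", 40002)
    pool.release("10.0.0.1")                               # h1's sessions end
    results["h3_after_release"] = pool.translate("10.0.0.3", 40002)

    fallback = DynamicIpPool("203.0.113.8/30", dipp_fallback_ip="203.0.113.20")
    fallback.translate("10.0.0.1", 40000)
    fallback.translate("10.0.0.2", 40001)
    results["h3_fallback"] = fallback.translate("10.0.0.3", 40002)
    results["h4_fallback"] = fallback.translate("10.0.0.4", 40003)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point to notice is the third host: without fallback its connection is refused even though the firewall has capacity elsewhere, so size the pool for the peak number of simultaneous internal hosts or enable the fallback for the overflow.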
Static IP
Static IP involves the one-to-one, fixed conversion of a source IP address
while preserving the source port in its original state. A typical situation
where static IP translation is applied is when dealing with an internal server
that needs to be accessible from the internet.
No-NAT Policies
No-NAT rules are established to exempt specific IP addresses that fall within
the range defined by subsequent NAT rules in the NAT policy. To create a
no-NAT policy, you need to define all the matching criteria and then choose
No Source Translation in the source translation column.
You can confirm the processing of NAT rules by navigating to Device >
Troubleshooting and testing traffic matches for the NAT rule, as
demonstrated below:
Figure 7-08: Test Configuration
Use Session Browser to Find NAT Rule Name
The session browser provides the capability to view and filter ongoing
sessions on the firewall. Within the session details, you can discern which
NAT Policy rule is being employed to manage a given session.
U-Turn NAT
The term "U-Turn" describes a connection whose logical path starts on the internal network, heads towards the external network through the firewall, and then turns back to an internal resource because the client addressed it by its external IP address. U-Turn NAT is the configuration technique that supports deployments in which internal hosts must reach an internal resource by its external IP address.
Use of U-turn NAT
In certain scenarios, an internal host may require an external IP address to
operate a specific service, such as a locally hosted web server or mail server.
This need for internal hosts to utilize an external IP address can arise due to
factors such as the absence of an internal DNS server or other service-
specific requirements.
For example, with an ordinary destination NAT configuration, a connection from a laptop to the server's external IP address, say 198.51.100.230, is sent to the default gateway (the firewall) because that address is not on the local subnet. The firewall translates the destination to 192.168.0.97 but applies no source NAT, so the web server sees the laptop's own address as the source and, because the laptop is on the same subnet, sends its return packets directly to the laptop rather than back through the firewall. The result is an asymmetric flow.
By implementing U-Turn NAT, an alteration is made to the outbound packets
from the laptop by applying source NAT to them as well. This source NAT
adjustment directs the server to send reply packets directly to the firewall
instead of the laptop. By sending packets directly to the firewall, asymmetry
is avoided, and this allows the firewall to continue applying content scanning
to the session.
Configuring U-Turn NAT
The Security policy consists of an inbound rule that permits incoming
connections from the internet to the internal web server, specifically for web
browsing applications on the default port 80. Additionally, the outbound
Security policy grants all users the ability to access the internet with any
application. Two implied rules facilitate intrazone traffic, such as trust-to-
trust communications, while the implied interzone deny rule prohibits
sessions from reaching other zones unless there is an explicit policy allowing it.
In the NAT policy, an inbound rule is established to authorize connections
from any source to the external IP address, to translate them to the server's
internal IP address. There is also a hide-NAT rule designed to enable internal
connections to access the internet and undergo source translation behind the
firewall's external interface IP address.
However, when a client PC attempts to reach 198.51.100.230, the external IP
address associated with the internal server, the page does not load.
A Wireshark capture shows a SYN packet sent to the external IP, a
SYN/ACK received from the internal IP address (192.168.0.97), and then
a reset sent by the client, which does not recognize the reply as belonging
to the connection it opened.
Upon revisiting the firewall and inspecting the NAT policy, it becomes
evident that the inbound NAT rule is configured to accept connections from
any source zone and perform translation to the appropriate internal server IP
address.
Details of the new NAT rule:
● Name: internal access
● Source zone: trust
● Destination zone: untrust
● Destination address: 198.51.100.230
Under the Translated Packet tab:
● Destination address: 192.168.0.97 (IP address of the web server in
question)
● Source address translation: Dynamic IP/Port
● Address type: Interface Address
● Interface: ethernet1/2 (internal interface of the firewall)
● IP address: 192.168.0.230/24
Name the new rule internal access. In the Original Packet section,
configure the Source Zone as trust, the Destination Zone as untrust, and
set the Destination Address to 198.51.100.230. In the Translated Packet
section, set the Destination Address to 192.168.0.97, exactly as in the
regular inbound rule. Enable source address translation by selecting Dynamic
IP And Port and set the Address Type to Interface Address.
Alternatively, you can opt for the Address Type as translated address and
pick an address within the IP range associated with the interface. In this
example, for simplicity, let's continue with the IP address designated to the
interface.
From the drop-down menu, select the trust zone interface, set its IP, and
confirm the configuration by clicking OK.
Note: Ensure that the new NAT rule is positioned above the inbound rule.
Failing to do so will result in the original NAT rule taking precedence over
the newly established rule.
Once the configuration is committed, you can return to the client PC.
Verifying and Testing U-Turn NAT
With the changes made, accessing the web page at this point results in the
loading of the default page from Internet Information Server 7, and the web
server can be reached internally via its external IP address.
A review of the Wireshark packet capture shows that the client is now
receiving return packets from the external IP. This is due to the firewall's
ability to perform NAT in both directions of the data flow.
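To see why rule order decides whether the return path is symmetric, here is an added Python model of the NAT evaluation described above; it is not Palo Alto Networks code. The firewall's external address 198.51.100.1 and the client address 192.168.0.50 are constructed values, the rest follows the page's example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed topology modelled on the page's example: the web server 192.168.0.97
# sits on the trust side (ethernet1/2, firewall address 192.168.0.230); its public
# address is 198.51.100.230 on the untrust side. 198.51.100.1 as the firewall's
# external interface address is an assumption, not a value from the page.
FW_INTERNAL_IP = "192.168.0.230"
FW_EXTERNAL_IP = "198.51.100.1"
TRUST_NET = ip_network("192.168.0.0/24")
ROUTES = [(TRUST_NET, "trust"), (ip_network("198.51.100.0/24"), "untrust")]
DEFAULT_ROUTE_ZONE = "untrust"   # everything else leaves via the default gateway


def zone_for(ip: str) -> str:
    """Zone lookup the way the firewall does it for NAT policy: a route lookup on
    the (pre-NAT) address, falling back to the zone of the default route."""
    addr = ip_address(ip)
    for net, zone in ROUTES:
        if addr in net:
            return zone
    return DEFAULT_ROUTE_ZONE


@dataclass
class NatRule:
    name: str
    src_zone: str                          # "any" matches every zone
    dst_zone: str
    dst_addr: str                          # original destination, "any" or one host
    translated_dst: Optional[str] = None
    translated_src: Optional[str] = None   # set => Dynamic IP/Port behind this address


@dataclass
class Packet:
    src: str
    dst: str


def apply_nat(rules: List[NatRule], pkt: Packet) -> Tuple[Optional[str], Packet]:
    """Evaluate the NAT rulebase top to bottom; the first match wins. Zones come
    from the original addresses, so a trust host talking to the server's public
    address is trust -> untrust even though the server really sits in trust."""
    src_zone, dst_zone = zone_for(pkt.src), zone_for(pkt.dst)
    for rule in rules:
        if rule.src_zone not in ("any", src_zone):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.dst_addr not in ("any", pkt.dst):
            continue
        return rule.name, Packet(rule.translated_src or pkt.src,
                                 rule.translated_dst or pkt.dst)
    return None, pkt


def reply_via_firewall(translated: Packet) -> bool:
    """The server answers whatever source address it saw. If that is a host on its
    own subnet (the untranslated client) the reply bypasses the firewall and the
    flow is asymmetric; if it is the firewall's internal address, the firewall
    sees both directions and can keep scanning the session."""
    src = ip_address(translated.src)
    return translated.src == FW_INTERNAL_IP or src not in TRUST_NET


# The page's rulebase: inbound destination NAT, a hide-NAT for outbound traffic,
# and the U-Turn rule "internal access" that adds source NAT behind ethernet1/2.
INBOUND = NatRule("inbound web", "any", "untrust", "198.51.100.230",
                  translated_dst="192.168.0.97")
HIDE_NAT = NatRule("outbound hide", "trust", "untrust", "any",
                   translated_src=FW_EXTERNAL_IP)
U_TURN = NatRule("internal access", "trust", "untrust", "198.51.100.230",
                 translated_dst="192.168.0.97", translated_src=FW_INTERNAL_IP)

CLIENT_TO_PUBLIC_IP = Packet("192.168.0.50", "198.51.100.230")   # constructed client


def demo():
    """Three rulebase orderings for the same internal client -> public IP packet."""
    return {
        "no u-turn rule":       apply_nat([INBOUND, HIDE_NAT], CLIENT_TO_PUBLIC_IP),
        "u-turn below inbound": apply_nat([INBOUND, U_TURN, HIDE_NAT], CLIENT_TO_PUBLIC_IP),
        "u-turn above inbound": apply_nat([U_TURN, INBOUND, HIDE_NAT], CLIENT_TO_PUBLIC_IP),
    }


if __name__ == "__main__":
    for label, (rule, pkt) in demo().items():
        print(f"{label:22s} rule={str(rule):18s} src={pkt.src:15s} "
              f"dst={pkt.dst:15s} symmetric={reply_via_firewall(pkt)}")
```

Only the ordering with the U-Turn rule above the inbound rule yields a symmetric flow; placed below it, the inbound rule (source zone any) still matches first, which is the note on rule position above.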
Check HIT Counts
Monitor the frequency with which Security, NAT, QoS, Policy-Based
Forwarding (PBF), Decryption, Tunnel Inspection, Application Override,
Authentication, or DoS Protection rules match traffic. This practice is
valuable for maintaining the relevance of firewall policies, which should
evolve in response to shifts in the environment and security requirements.
Leverage the data on policy rule hit counts as a means to detect and
eliminate unused rules. This is particularly essential for preventing the
potential exploitation of over-provisioned access. Examples of situations
where this might occur include when a server is taken out of service or when
temporary access to a service is no longer necessary. By identifying and
removing these unused rules, you can bolster your security posture and
optimize your firewall configuration.
Data on policy rule usage serves as a valuable tool for validating the
inclusion of rules and any rule modifications, as well as for tracking the
timeframe during which a particular rule was applied. An illustrative
scenario is when transitioning from port-based rules to application-based
rules. In this case, you create an application-based rule positioned above the
port-based rule and verify if any traffic corresponds with the port-based rule.
Following the transition, the hit count data is instrumental in assessing
whether it is safe to remove the port-based rule by confirming if traffic is
now aligning with the application-based rule instead of the port-based one.
The hit count for policy rules aids in determining the rule's effectiveness in
enforcing access.
If needed, you can reset the rule hit count data to either validate an existing
rule or gauge rule usage within a specified timeframe. It is important to note
that policy rule hit count data is not retained on the firewall or Panorama;
therefore, this data is no longer accessible after a reset or clearing of the hit
count.
When filtering the policy rulebase, administrators have the capability to take
actions like deletion, disabling, enabling, and tagging policy rules directly
from the policy optimizer. As an example, you can filter out rules that are
not in use and tag them for further review to ascertain whether they can be
safely removed or retained within the rulebase. Empowering administrators
to take action directly through the policy optimizer can streamline rule
lifecycle management, reduce administrative overhead, and ensure that
firewalls are not over-provisioned.
As needed, follow these general procedures:
Step 1: Initiate the web interface.
Step 2: Confirm that Policy Rule Hit Count is activated.
Figure 7-09: Policy Rulebase Settings
Step 3: Opt for the "Policies" selection.
Step 4: Examine the usage data associated with each policy rule, which
encompasses the following details:
● Hit Count: This reflects the number of instances when traffic met the
specified criteria in the policy rule. It retains this count even after reboots,
data plane restarts, and system upgrades unless you manually reset or
rename the rule.
● Last Hit: This timestamp indicates the most recent occurrence when
traffic aligned with the rule.
● First Hit: This timestamp signifies the initial occasion when traffic
matched this particular rule.
● Modified: This details the date and time of the most recent modification
made to the policy rule.
● Created: This provides the date and time when the policy rule was
originally established.
Figure 7-10: Usage Data
Step 5: Inside the Policy Optimizer dialog, assess the Rule Usage filter.
Step 6: Refine the selection of rules within the designated rulebase.
1. Opt for your preferred Timeframe for filtering or set a Custom time
frame.
2. Choose the specific Rule Usage on which you want to base your filter.
3. (If applicable) In case you have recently reset the usage data for any rules,
consider checking the "Exclude rules reset during the last <number of
days> days" option. This allows you to decide when to omit a rule based on
the number of days you specify since the rule was last reset. This filter only
includes rules that were reset prior to the specified number of days in the
results.
Figure 7-11: Rule Usage
4. (If needed) Define search filters according to rule data.
● Hover your cursor over the column header and select Columns.
● Include any supplementary columns that you wish to have visible or use
for the filter.
Figure 7-12: Search Filters
● Position your cursor over the data within the column that you wish to
filter. Then, select Filter. In cases where the data includes dates, you can
specify whether to filter based on This date, This date or earlier, or
This date or later. Finally, apply the filter by clicking the respective
option ( → ).
Figure 7-13: Filter
Step 7: Address one or more unused policy rules by taking the following
actions:
1. Choose one or more of the unused policy rules.
2. Execute one of the subsequent actions:
a. Delete: Remove one or more selected policy rules.
b. Enable: Activate one or more selected policy rules that were previously
disabled.
c. Disable: Deactivate one or more selected policy rules.
d. Tag: Assign one or more group tags to one or more selected policy
rules. It is important to note that the group tag must already exist for tagging
the policy rule.
e. Untag: Eliminate one or more group tags from one or more selected
policy rules.
3. Confirm your changes by committing them.
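The Rule Usage filter from Step 6 and the tag action from Step 7, as an added Python example that is not part of the study guide or of PAN-OS: it applies the "Unused" timeframe filter and the "Exclude rules reset during the last n days" option to a constructed usage table, including a counter that was cleared during a port-based to application-based migration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed usage data in the shape the Policies view shows (Hit Count, Last Hit,
# plus the date the counter was last reset); none of it comes from a real firewall.
TODAY = date(2024, 6, 1)


@dataclass
class RuleUsage:
    name: str
    hit_count: int
    last_hit: Optional[date]       # None: never matched since the counter started
    last_reset: Optional[date]     # None: counter never reset


SAMPLE_RULES = [
    RuleUsage("allow-web", 120_433, TODAY - timedelta(days=1), None),
    RuleUsage("legacy-ftp", 0, None, None),                                 # never hit
    RuleUsage("temp-vendor-access", 3, TODAY - timedelta(days=120), None),  # stale
    # Counter cleared two days ago after an application-based rule was placed above
    # it, so its zero hits say nothing yet about whether it is still needed.
    RuleUsage("port-based-smtp", 0, None, TODAY - timedelta(days=2)),
]


def unused_rules(rules: List[RuleUsage], timeframe_days: int, today: date = TODAY,
                 exclude_reset_days: Optional[int] = None) -> List[str]:
    """Rule Usage filter 'Unused' over a timeframe: a rule counts as unused when it
    has no hit inside the window. With exclude_reset_days set, rules whose counter
    was reset within that many days are left out, which is what the
    'Exclude rules reset during the last <n> days' option does."""
    window_start = today - timedelta(days=timeframe_days)
    unused = []
    for rule in rules:
        if rule.last_hit is not None and rule.last_hit >= window_start:
            continue                                    # matched traffic recently
        if (exclude_reset_days is not None and rule.last_reset is not None
                and rule.last_reset > today - timedelta(days=exclude_reset_days)):
            continue                                    # reset too recently to judge
        unused.append(rule.name)
    return unused


def tag_for_review(rules: List[RuleUsage], names: List[str],
                   tag: str = "review-unused") -> Dict[str, List[str]]:
    """Step 7d: tag the selected rules instead of deleting them outright, so the
    owner can confirm they are safe to remove. Returns {rule name: [tags]}."""
    return {r.name: ([tag] if r.name in names else []) for r in rules}


if __name__ == "__main__":
    stale = unused_rules(SAMPLE_RULES, timeframe_days=90, exclude_reset_days=7)
    print("unused in last 90 days (excluding recent resets):", stale)
    print(tag_for_review(SAMPLE_RULES, stale))
```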
Configure Security and NAT Policy
Security Policy
Security policies are rules that determine how traffic is allowed or denied
based on various parameters such as source and destination zones, addresses,
services, and users.
Each rule in a security policy defines specific criteria, and traffic matching
those criteria will be subjected to the specified security measures, including
threat prevention, URL filtering, and more.
Security policies help enforce the organization's security posture by
controlling what types of traffic are permitted or denied.
Network Address Translation (NAT) Policy
NAT policies define how network address translation should be applied to
traffic passing through the firewall. NAT is used to modify packets' source
and/or destination addresses to achieve various objectives, such as
conserving public IP addresses or enabling communication between different
network segments.
There are different types of NAT, including dynamic IP and port address
translation (PAT), static NAT, and others, each serving specific use cases.
Security Zones
These zones are logical groupings of network segments based on their
security requirements. Each security zone represents a set of interfaces that
share similar security characteristics.
Security policies use these zones to define rules, making it easier to manage
and scale security configurations.
Committing Changes
After making changes to security or NAT policies in Panorama,
administrators need to commit the changes. This ensures that the
configurations are applied and take effect.
Committing changes involves reviewing the proposed changes and then
confirming the update. Until changes are committed, they are not active on
the managed firewalls.
Pushing Configuration
After committing changes in Panorama, administrators need to push these
configurations to the individual firewalls. This ensures that the managed
firewalls are synchronized with the latest policies defined in Panorama.
Pushing configurations is a crucial step to make sure that all firewalls in the
network are consistent in their security and NAT policies.
Using Panorama
Configuring security and NAT policies using Panorama involves managing
and pushing them to member firewalls. Here is a general overview:
Preparation:
Define Objects: Create reusable objects like addresses, address
groups, services, and service groups in Panorama's "Objects" tab.
These objects will be referenced in your policies.
Device Groups: Organize firewalls into logical groups based on
shared policies or configurations in the "Device Groups" tab.
Lab 7-01: Configure Security and NAT Policy
Case Study
Acme Corporation, a global leader in technology solutions, operates a vast
and complex network infrastructure to support its worldwide operations.
With over 15,000 employees across the globe and annual revenues
exceeding $3 billion, Acme is committed to delivering innovative products
and services to its customers. The company’s services span various
industries, from healthcare and finance to e-commerce, making network
security and reliability paramount to its operations.
Acme Corporation’s network spans multiple continents and regions. The
company maintains data centers across North America, Europe, and Asia to
ensure efficient service delivery and redundancy. With over 50 branch
offices, connecting thousands of employees, and serving millions of
customers, the company’s network is both vast and dynamic.
Business Challenge
Acme Corporation, a dynamic organization with an extensive network
infrastructure and multiple Palo Alto Firewalls, confronts a significant
challenge in efficiently managing its security and NAT policies. With
firewalls distributed across various locations, maintaining consistent and
synchronized security policies and network address translation (NAT)
configurations has become increasingly complex. Acme faces challenges
such as disparate security policies, inconsistent NAT configurations, and
manual updates.
Managing security policies individually on each Palo Alto Firewall has
resulted in discrepancies and variations in rule definitions, making it
challenging to enforce consistent security standards across the network. The
NAT configurations, which are essential for directing and translating
network traffic, are set up independently on each firewall device. This
decentralization has led to inconsistencies in NAT rules and hindered the
seamless flow of traffic. As a Palo Alto Network Security Engineer,
complete the Panorama setup by configuring basic policies.
Solution
To address the security and NAT policy management challenges, Acme
Corporation recognizes the need to configure these policies centrally within
Panorama and subsequently push these configurations to its Palo Alto
Firewalls. This solution streamlines policy management, ensures
consistency, and optimizes the network's security posture. The key
components of this solution are Centralized Security Policy Configuration,
Centralized NAT Policy Configuration, and Streamlined Configuration
Deployment.
Acme utilizes Panorama to create, manage, and maintain its security policies
in a centralized manner. Within Panorama, Acme configures network
address translation (NAT) policies that determine how traffic is translated
and directed. NAT policies can be consistently defined, edited, and updated
within Panorama.
In conclusion, Acme Corporation addresses the challenges related to policy
consistency, NAT uniformity, and operational efficiency by adopting a
centralized approach to configure security and NAT policies from Panorama
and pushing these configurations to the Palo Alto Firewalls. This strategic
solution ensures that the organization's security and NAT policies are
synchronized across the network, promoting enhanced security and
streamlined network operations.
Follow the steps to complete the lab:
1. Configure Security Policy Pre Rules
2. Configure Default Route for Internet Connection
3. Configure NAT Pre Rules
4. Commit
5. Verification
Figure 7-14: Configure Security and NAT Policy
Log into Panorama.
a. Open a web browser and navigate to the URL https://<panorama-ip-
address>
b. Enter your Panorama username and password.
c. Click Login.
1. Configure Security Policy Pre Rules
Log into Panorama
1. Navigate to Panorama > Managed Devices > Summary
You can see how many Firewalls are connected to Panorama.
2. Navigate to Device Groups > Policies > Security > Pre Rules
Select the India-DG in the Device Group drop-down menu.
3. Click the Add button to add a new Security Policy Rule.
4. Under the General tab, enter In-Out in the Name field.
5. Under the Source tab, enter Inside in the Source Zone and India-Site
in the Source Address.
6. Under the Destination tab, enter Outside in the Destination Zone
and checkmark Any in the Destination Address.
7. Under the Action tab, select Allow in the Action menu. Click the OK
button.
8. Click the Commit to Panorama option in the Commit menu.
9. Click the Commit button to start committing.
Pass4sure - #1 IT Certifications Materials Provider
www.pass4sure.com
2. Configure Default Route for Internet Connection
1. Log into the Firewall
Navigate to Network > Virtual Routers
Click the Default Route to edit it.
2. Under the Static Routes menu, click the Add button to add a new
Static Route.
3. Enter Default in the Name field. Enter 0.0.0.0/0 in the Destination.
Select ethernet1/2 in the Interface option. Enter the Next Hop IP
Address 172.29.129.254, which is the gateway for the traffic going out
through ethernet1/2 to the Internet. Click the OK button to save it.
3. Configure NAT Pre Rules
1. Navigate to Device Groups > Policies > NAT > Pre Rules
Select the AUS-DG option in the Device Group menu.
2. Click the Add button to add a new NAT Policy.
3. Enter In-Out in the Name field under the General tab.
4. Under the Original Packet tab, select Inside as the Source Zone.
Select AUS-Site Address Object in the Source Address. Select Any as
the Destination Address.
5. Under the Translated Packet tab, select Dynamic IP And Port in the
Translation Type menu option. Select Translated Address as the
Address Type. Enter the IP Address 172.29.129.249 under the
Translated Address window, which is the IP Address of the egress
interface of the Firewall. Click OK to save it.
4. Commit
Commit and Push all the configuration.
5. Verification
1. Go to the PC on any site and try accessing the Internet. You should be
able to access the Internet.
Configure Site-To-Site Tunnels
In order to establish a VPN tunnel, both ends must equip their Layer 3
interfaces with a logical tunnel interface, which the firewall uses to connect
and initiate the VPN tunnel. This tunnel interface is essentially a virtual
interface employed to transmit data between two endpoints. It is essential to
note that any configured proxy IDs are taken into account when considering
the capacity of the IPSec tunnel.
The tunnel interface must be associated with a security zone to enforce
policies and be linked to a virtual router to leverage the existing routing
framework. To ensure proper routing, it is crucial that the tunnel interface
and the physical interface belong to the same virtual router. This enables the
firewall to execute a route lookup and ascertain the appropriate tunnel for
data transmission.
Usually, the Layer 3 interface connected to the tunnel interface is
categorized under an external zone, like the "untrust" zone. While it is
possible for the tunnel interface to reside within the same security zone as
the physical interface, you have the option to establish a separate zone for
the tunnel interface, enhancing security and visibility. If a distinct zone is
created for the tunnel interface, such as a "VPN zone," it is imperative to
configure security policies that facilitate the flow of traffic between the VPN
zone and the "trust" zone.
For routing traffic between sites, a tunnel interface does not necessitate an IP
address. An IP address becomes mandatory when enabling tunnel
monitoring or implementing a dynamic routing protocol to direct traffic
across the tunnel. In the context of dynamic routing, the tunnel IP address
functions as the next-hop IP address for routing traffic through the VPN
tunnel.
If you are configuring a Palo Alto Networks firewall with a VPN peer that
operates a policy-based VPN, you must configure both local and remote
Proxy IDs during IPSec tunnel setup. Each peer compares the Proxy IDs
configured on it with what is actually received in the packet; IKE phase 2
negotiation succeeds only when they match. When multiple tunnels are
needed, it is essential to configure distinct Proxy IDs for each tunnel
interface, with a maximum limit of 250 Proxy IDs per tunnel interface. Each
Proxy ID counts toward the firewall's overall IPSec VPN tunnel capacity,
and the specific tunnel capacity varies depending on the model of the
firewall.
IPSec Components
IPSec Tunnel Interfaces
IPsec VPNs terminate on Layer 3 tunnel interfaces, and these tunnel
interfaces can be assigned to distinct zones, allowing tailored Security
policies in each zone. These tunnels require Crypto Profiles for Phase 1
(IKE) and Phase 2 (IPsec) connectivity. PAN-OS supports route-based
VPNs, meaning that the decision to route traffic through the VPN is made
by the virtual router. Palo Alto Networks firewalls can also connect to
policy-based VPN peers, which requires the use of proxy IDs for
compatibility.
The diagram below illustrates the various elements encompassed in defining
IPsec tunnels:
Figure 7-15: Elements Encompassed in Defining IPsec Tunnels
Static Peers And Dynamic Peers For IPSec
In the scenario shown in Figure 7-16, one location utilizes static routes while
the other employs OSPF for routing. When there is a discrepancy in the
routing protocols between these sites, each firewall's tunnel interface must
be set up with a static IP address. To enable the exchange of routing
information, the firewall participating in both static and dynamic routing
must be furnished with a Redistribution Profile.
The configuration of the Redistribution Profile empowers the virtual router
to distribute and screen routes among different protocols, including static
routes, connected routes, and host routes, transferring data from the static
autonomous system to the OSPF autonomous system. In the absence of this
Redistribution Profile, each protocol operates independently and does not
share route data with other protocols running on the same virtual router.
In this specific example, the remote office employs static routes. All traffic
bound for the 192.168.x.x network is directed to tunnel.41. The virtual router
on VPN Peer B is engaged in both static and dynamic routing processes. It is
equipped with a Redistribution Profile to transmit (export) the static routes
to the OSPF autonomous system.
Figure 7-16: Static Peers and Dynamic Peers For IPsec
IPSec Tunnel Monitor Profiles
A Monitor Profile serves the purpose of overseeing IPsec tunnels and the
next-hop device for PBF rules. In both scenarios, the Monitor Profile serves
to define a course of action when a resource (be it an IPsec tunnel or a next-
hop device) becomes inaccessible. While Monitor Profiles are not
obligatory, they prove to be highly beneficial in preserving the connection
between different sites and upholding the integrity of PBF rules. The
following parameters are used to configure a Monitor Profile.
Table 7-02: IPsec Tunnel Monitor Profiles
IPsec Tunnel Testing
Follow these steps to verify VPN connectivity:
Step 1: Initiate IKE phase 1 by either pinging a host on the other end of the
tunnel or by using the following command in the command-line interface
(CLI):
test vpn ike-sa gateway <gateway_name>
Step 2: Check if IKE phase 1 has been established by entering the following
command:
show vpn ike-sa gateway <gateway_name>
In the output, look for the presence of the Security Association. If it is not
displayed, review the syslog messages to understand the cause of the failure.
Step 3: Begin IKE phase 2 by either pinging a host from the other end of the
tunnel or by using this CLI command:
test vpn ipsec-sa tunnel <tunnel_name>
Step 4: Check if IKE phase 2 has been established by entering the following
command:
show vpn ipsec-sa tunnel <tunnel_name>
Again, verify if the Security Association is visible in the output. If it is not,
check the syslog messages to diagnose the reason for the failure.
Step 5: To access information about VPN traffic flow, use the following
command:
Figure 7-17: VPN traffic flow
Generic Routing Encapsulation (GRE)
A Generic Routing Encapsulation (GRE) tunnel establishes a point-to-point
logical link between two endpoints, typically involving a firewall and
another network appliance. The firewall can initiate or terminate GRE
tunnels, providing a means to route or forward packets through the tunnel.
GRE tunnels are known for their simplicity and are frequently the preferred
tunneling protocol for point-to-point connections, especially when
connecting to cloud-based services or partner networks.
You would create a GRE tunnel when you want to direct packets intended
for a specific IP address to follow a particular point-to-point path. For
example, this path could lead to a cloud-based proxy or partner network.
These packets traverse the GRE tunnel, which often encompasses a transit
network such as the internet, on their way to the destination address. This
setup allows the cloud service to enforce its services or policies on the
packets.
Figure 7-18 illustrates an example of a GRE tunnel linking the firewall to
a cloud service via the Internet.
Figure 7-18: GRE tunnel linking the firewall to a cloud service via the
Internet
When a packet is permitted to exit the firewall due to a policy match and
proceeds to egress through a GRE tunnel interface, the firewall applies GRE
encapsulation to the packet. It does not establish a session for it. This means
the firewall does not execute a Security policy rule lookup for the GRE-
encapsulated traffic. As a result, you do not need a Security policy rule
specifically for the GRE traffic that the firewall is encapsulating.
However, when the firewall receives GRE traffic, it generates a session and
enforces all relevant policies on the GRE IP header in addition to the
encapsulated traffic. The firewall treats the incoming GRE packet like any
other packet. Therefore,
● Suppose the firewall receives the GRE packet on an interface that belongs
to the same security zone as the tunnel interface associated with the GRE
tunnel (e.g., tunnel.1). In that case, the source zone is identical to the
destination zone. By default, traffic is permitted within a security zone
(referred to as intrazone traffic), so the inbound GRE traffic will be
allowed by default.
● Nevertheless, if you have configured your own intrazone Security policy
rule to deny such traffic, you must explicitly permit GRE traffic.
● Similarly, suppose the zone of the tunnel interface linked to the GRE
tunnel (e.g., tunnel.1) differs from the zone of the incoming interface. In
that case, you must create a Security policy rule to permit the GRE traffic.
The firewall places the tunneled packet within a GRE packet. Including 24
bytes of GRE header naturally results in a smaller Maximum Segment Size
(MSS) within the Maximum Transmission Unit (MTU). If you do not
modify the IPv4 MSS adjustment size for the interface, the firewall will, by
default, reduce the MTU by 64 bytes (comprising 40 bytes from the IP
header and 24 bytes from the GRE header). For example, if the initial MTU
is 1,500, the MSS will be adjusted to 1,436 (1,500 − 40 − 24 = 1,436). If
instead you set an MSS adjustment size of 300 bytes, the MSS is reduced
further, to 1,176 bytes (1,500 − 300 − 24 = 1,176).
It is important to note that the firewall does not support the routing of traffic
from a GRE or IPsec tunnel to another GRE tunnel. However, you can route
traffic from a GRE tunnel to an IPsec tunnel. Furthermore:
● GRE tunnels do not provide support for Quality of Service (QoS).
● The firewall cannot operate as a single interface serving both as a GRE
tunnel endpoint and a decryption broker.
● NAT functionality between the GRE tunnel endpoints is not supported
within GRE tunneling.
One-To-One And One-To-Many Tunnels
Palo Alto Networks supports various VPN configurations, including the
following:
● Site-to-site VPN: This establishes a straightforward VPN connection
connecting a primary central site with one or more remote sites. It is
commonly known as a hub-and-spoke VPN since it links a central
(gateway) site with several remote (branch) sites.
● Remote-user-to-site VPN: In this scenario, an endpoint client utilizes the
GlobalProtect agent for secure remote user access via the firewall
gateway.
● Large-scale VPN (LSVPN): This configuration involves employing Palo
Alto Networks GlobalProtect LSVPN. It offers a scalable approach to
creating a hub-and-spoke VPN that can serve up to 1,024 branch offices.
Determine When to use Proxy IDs
Symptom
When setting up IPSec VPNs, it is imperative to utilize Proxy IDs when
working with a peer designed for policy-based VPNs. In certain situations,
there may be a need for multiple local and remote subnets to communicate
via the VPN with the same peer. In cases where the peer functions as a
policy-based VPN, the Palo Alto firewall's Tunnel configuration should be
configured with multiple proxy IDs to align with the peer's policies.
Despite having the correct configuration, there may still be instances where
traffic encounters issues due to how proxy IDs are stored in the data plane
(DP). This article highlights the recommended practices for configuring
multiple Proxy IDs with the same peer, particularly when dealing with
overlapping subnets.
Environment
● Any PAN-OS
● Palo Alto Networks Firewall
● IPSecVPN configured with Proxy IDs
Cause
In scenarios where multiple Proxy IDs are set up, it is crucial to pay
attention to the naming of the Proxy IDs, because the order in which proxy
IDs are matched depends on the alphabetical order of the proxy ID names.
For example, consider a situation where there are four Proxy IDs arranged as
follows:
TestProxyID-1 : Local = 10.1.1.0/24, Remote = 192.168.30.0/24
ProxyID-10_8_0_0 : Local = 10.8.1.0/24, Remote = 192.168.30.0/24
proxy-id-10_123_0_0 : Local = 10.123.1.0/24, Remote = 192.168.30.0/24
AllNetworks : Local = 10.0.0.0/8, Remote = 192.168.30.0/24
When proxy IDs are stored in the data plane (DP), they are organized
through String Comparison, which utilizes ASCII sorting. Based on this
method, the string sorting order for the provided proxy ID names would be
as follows:
AllNetworks : Local = 10.0.0.0/8, Remote = 192.168.30.0/24
proxy-id-10_123_0_0 : Local = 10.123.1.0/24, Remote = 192.168.30.0/24
ProxyID-10_8_0_0 : Local = 10.8.1.0/24, Remote = 192.168.30.0/24
TestProxyID-1 : Local = 10.1.1.0/24, Remote = 192.168.30.0/24
The order in which the IPSec Security Associations (SAs) are stored in the
data plane (DP) affects traffic processing: when traffic needs to be
encrypted under one of the proxy IDs, the proxy IDs are evaluated from top
to bottom and the first match is used.
In the example provided, even though the "AllNetworks" proxy ID is
located at the bottom in the configuration, it will be positioned first in the
DP order.
For example, in the given scenario, if any traffic originates from the source
IP range of 10.123.1.0/24 and travels through the IPSec tunnel to a remote
IP, it will not be directed through "proxy-id-10_123_0_0" but rather
through "AllNetworks." Consequently, this might result in issues on the
remote side, particularly if it checks incoming traffic against the proxy IDs.
Resolution
When dealing with proxy IDs that involve overlapping subnets, it is essential
to structure the proxy ID names to position a more specific proxy ID name
above a more general proxy ID name. This arrangement aligns with the
principles of String Sorting.
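The ordering problem above is easy to reproduce offline. The following Python model is an added example, not Palo Alto Networks code: it sorts the four proxy IDs from the text the way a plain string sort does (Python's default sort compares byte values, so digits sort before uppercase letters, which sort before lowercase letters), evaluates them top to bottom, and flags proxy IDs that can never match because a broader one is evaluated first. The renamed set with numeric prefixes is an assumed naming scheme that implements the resolution's advice, not a scheme the text prescribes.

```python
from ipaddress import ip_address, ip_network

# Constructed from the four proxy IDs in the text: name -> (local subnet, remote subnet).
PROXY_IDS = {
    "TestProxyID-1": ("10.1.1.0/24", "192.168.30.0/24"),
    "ProxyID-10_8_0_0": ("10.8.1.0/24", "192.168.30.0/24"),
    "proxy-id-10_123_0_0": ("10.123.1.0/24", "192.168.30.0/24"),
    "AllNetworks": ("10.0.0.0/8", "192.168.30.0/24"),
}

# Assumed renaming scheme (not from the text): a numeric prefix forces the
# more specific proxy IDs ahead of the catch-all in a plain string sort.
RENAMED_PROXY_IDS = {
    "01-proxy-id-10_123_0_0": ("10.123.1.0/24", "192.168.30.0/24"),
    "02-ProxyID-10_8_0_0": ("10.8.1.0/24", "192.168.30.0/24"),
    "03-TestProxyID-1": ("10.1.1.0/24", "192.168.30.0/24"),
    "99-AllNetworks": ("10.0.0.0/8", "192.168.30.0/24"),
}


def dataplane_order(proxy_ids):
    """Names in the order the data plane evaluates them: a plain string sort."""
    return sorted(proxy_ids)


def match_proxy_id(proxy_ids, src_ip, dst_ip):
    """First proxy ID, in data-plane order, whose local/remote subnets cover the flow."""
    src, dst = ip_address(src_ip), ip_address(dst_ip)
    for name in dataplane_order(proxy_ids):
        local, remote = proxy_ids[name]
        if src in ip_network(local) and dst in ip_network(remote):
            return name
    return None


def shadowed_proxy_ids(proxy_ids):
    """Return (general, specific) pairs where a broader proxy ID is evaluated
    before one whose local and remote subnets it contains; the specific one
    can never be selected for traffic."""
    shadowed = []
    seen = []  # (name, local, remote) already placed in DP order
    for name in dataplane_order(proxy_ids):
        local, remote = (ip_network(n) for n in proxy_ids[name])
        for earlier_name, e_local, e_remote in seen:
            if ((local, remote) != (e_local, e_remote)
                    and local.subnet_of(e_local) and remote.subnet_of(e_remote)):
                shadowed.append((earlier_name, name))
        seen.append((name, local, remote))
    return shadowed


if __name__ == "__main__":
    print("DP order:", dataplane_order(PROXY_IDS))
    print("shadowed:", shadowed_proxy_ids(PROXY_IDS))
    print("10.123.1.5 ->", match_proxy_id(PROXY_IDS, "10.123.1.5", "192.168.30.7"))
    print("after renaming ->", match_proxy_id(RENAMED_PROXY_IDS, "10.123.1.5", "192.168.30.7"))
```

With the original names, "AllNetworks" sorts first and captures the 10.123.1.0/24 traffic; with the renamed set, `shadowed_proxy_ids` returns nothing and the specific proxy ID is selected. Running the shadow check against a planned set of names before committing is a cheap way to catch this class of misconfiguration.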
EXAM TIP: To enforce policies, the tunnel interface must be
associated with a security zone and linked to a virtual router to utilize the
existing routing framework.
Configure Service Routes
Set up global service routes on the firewall. In cases where a specific virtual
system lacks a service route for a particular service, it will automatically
adopt the interface and IP address configurations established globally for
that service.
Default
Follow these steps to configure static or default routes for a virtual router on
the firewall.
Step 1: Set up a static route.
● Navigate to Network > Virtual Router and select the specific virtual
router you are configuring (e.g., default).
● Access the Static Routes tab.
● Choose between IPv4 or IPv6, depending on the type of static route you
intend to create.
● Assign a Name to the route. The name should commence with an
alphanumeric character and may contain a combination of alphanumeric
characters, underscores (_), hyphens (-), dots (.), and spaces. Beginning
with PAN-OS 10.0.8, the name can be up to 63 characters long.
● Specify the Destination, which involves entering the route and netmask
(e.g., 192.168.2.2/24 for an IPv4 address or 2001:db8:123:1::1/64 for an
IPv6 address). To create a default route, input the default route (0.0.0.0/0
for an IPv4 address or ::/0 for an IPv6 address). Alternatively, you can
generate an address object of the IP Netmask type.
● (Optional) For Interface, indicate the outgoing interface for directing
packets to the next hop. This allows for stricter control over which
interface the firewall should use instead of relying on the route table's
interface for the next hop of this route.
● To configure the Next Hop, choose from the following options:
IP Address: Specify the IP address (e.g., 192.168.56.1 or
2001:db8:49e:1::1) when you want to route to a specific next hop. For
IPv6 next hop addresses, ensure that you have enabled IPv6 on the
interface (applicable when configuring Layer 3 interfaces). When
setting up a default route for the Next Hop, select IP Address and
input the IP address of your internet gateway (e.g., 192.168.56.1 or
2001:db8:49e:1::1). Alternatively, you can create an address object of
the IP Netmask type, which should have a netmask of /32 for IPv4 or
/128 for IPv6.
Next VR: This option allows you to route internally to a different
virtual router on the firewall. Select this and then choose the desired
virtual router.
FQDN: Enter a Fully Qualified Domain Name (FQDN) or select an
address object that utilizes an FQDN. You also have the option to
create a new address object with the FQDN type. When using an
FQDN as the static route's next hop, it is crucial that the FQDN
resolves to an IP address within the same subnet as the interface
configured for the static route. Failure to meet this requirement will
result in the firewall rejecting the resolution, leaving the FQDN
unresolved. The firewall selects only one IP address from the DNS
resolution of the FQDN for each IPv4 or IPv6 family type. If the DNS
resolution returns multiple addresses, the firewall chooses the
preferred IP address that matches the IP family type (IPv4 or IPv6)
configured for the next hop. The preferred IP address is the first one
returned in the DNS server's initial response, and the firewall retains it
as the preferred choice as long as it appears in subsequent responses,
regardless of its order.
Discard: Select this option to discard packets directed to this
destination.
None: Choose this option if there is no next hop for the route. For
example, a point-to-point connection does not require a next hop
because there is only one path for the packets to travel.
● For the route, enter an Admin Distance, which serves to override the
default administrative distance set for the static routes on this virtual
router. The Admin Distance can be within the range of 10 to 240, with the
default value being 10.
● Specify a Metric for the route within the range of 1 to 65,535.
Step 2: Decide where to place the route.
Select the Routing Information Base (RIB) where you would like the
firewall to incorporate the static route:
● Unicast: Place the route in the unicast route table. Opt for this if the route
should exclusively apply to unicast traffic.
● Multicast: Incorporate the route into the multicast route table (available
for IPv4 routes exclusively). Choose this if you intend for the route to
serve solely multicast traffic.
● Both: Add the route to both the unicast and multicast route tables
(available for IPv4 routes exclusively). This option allows either unicast
or multicast traffic to utilize the route.
● No Install: Avoid adding the route to either route table.
Step 3: (If applicable) On supported firewall models, you have the option to
associate a BFD Profile with the static route. This setup ensures that, in case
the static route becomes unavailable, the firewall eliminates the route from
both the Routing Information Base (RIB) and Forwarding Information Base
(FIB) and switches to an alternate route. The default setting is None.
Step 4: Confirm your selections by clicking "OK" twice.
Step 5: Save and implement the configuration changes.
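To make the attributes in the steps above concrete, here is an added Python model of a virtual router's route table (example code, not PAN-OS). It validates the ranges the steps give (admin distance 10 to 240, metric 1 to 65535, multicast placement for IPv4 only), honours the Unicast/Multicast/Both/No Install placement from Step 2, and selects a route by longest prefix match, then lowest admin distance, then lowest metric, which is the standard selection order. The sample RIB, the virtual router name "dmz" and the 192.168.56.x next hops are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str               # route and netmask, e.g. "0.0.0.0/0"
    nexthop_type: str              # "ip-address", "next-vr", "discard" or "none"
    nexthop: Optional[str] = None  # next-hop IP, or the name of the other virtual router
    admin_distance: int = 10       # 10-240, default 10 for static routes
    metric: int = 10               # 1-65535
    install: str = "unicast"       # "unicast", "multicast", "both" or "no-install"


def validate(route):
    """Reject values outside the ranges given in the steps above."""
    if not 10 <= route.admin_distance <= 240:
        raise ValueError(f"{route.name}: admin distance must be 10-240")
    if not 1 <= route.metric <= 65535:
        raise ValueError(f"{route.name}: metric must be 1-65535")
    if route.install not in ("unicast", "multicast", "both", "no-install"):
        raise ValueError(f"{route.name}: unknown install option {route.install}")
    if route.install in ("multicast", "both") and ip_network(route.destination).version != 4:
        raise ValueError(f"{route.name}: multicast placement is IPv4-only")
    if route.nexthop_type in ("ip-address", "next-vr") and route.nexthop is None:
        raise ValueError(f"{route.name}: {route.nexthop_type} requires a next hop")
    return route


def is_valid(route):
    try:
        validate(route)
        return True
    except ValueError:
        return False


def installed_in(route, table):
    """Step 2: 'Both' lands in both RIBs, 'No Install' in neither."""
    return route.install != "no-install" and route.install in (table, "both")


def select_route(routes, dst_ip, table="unicast"):
    """Longest prefix wins; ties go to the lowest admin distance, then the lowest metric."""
    dst = ip_address(dst_ip)
    candidates = [r for r in routes
                  if installed_in(r, table) and dst in ip_network(r.destination)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-ip_network(r.destination).prefixlen,
                                          r.admin_distance, r.metric))


def forward(routes, dst_ip):
    """What the virtual router does with a unicast packet to dst_ip."""
    route = select_route(routes, dst_ip)
    if route is None or route.nexthop_type == "discard":
        return "drop"
    if route.nexthop_type == "next-vr":
        return f"next-vr {route.nexthop}"
    if route.nexthop_type == "none":
        return f"out {route.name} (point-to-point, no next hop)"
    return f"via {route.nexthop} ({route.name})"


# Constructed sample RIB for one virtual router.
RIB = [validate(r) for r in (
    StaticRoute("default", "0.0.0.0/0", "ip-address", "192.168.56.1"),
    StaticRoute("backup-default", "0.0.0.0/0", "ip-address", "192.168.57.1", metric=20),
    StaticRoute("to-dmz-vr", "10.20.0.0/16", "next-vr", "dmz"),
    StaticRoute("blackhole", "10.20.99.0/24", "discard"),
    StaticRoute("mcast-sources", "10.30.0.0/16", "ip-address", "192.168.56.2", install="multicast"),
    StaticRoute("staged", "10.40.0.0/16", "ip-address", "192.168.56.3", install="no-install"),
)]

if __name__ == "__main__":
    for ip in ("8.8.8.8", "10.20.1.1", "10.20.99.5", "10.30.1.1", "10.40.1.1"):
        print(ip, "->", forward(RIB, ip))
```

The Discard next hop is a deliberate black hole and the model returns "drop" for it; the "No Install" route is accepted but never consulted, and the multicast-only route is invisible to unicast lookups, which is why 10.30.1.1 falls through to the default route in the unicast table.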
Custom
When a firewall is configured with multiple virtual systems, these virtual
systems adopt the global service settings and service route configurations.
For example, the firewall can employ a common email server to send email
notifications to all the virtual systems. However, there are situations where
distinct service routes need to be established for each virtual system.
An example that underscores the importance of setting up service routes at
the virtual system level involves an Internet Service Provider (ISP) tasked
with accommodating numerous separate tenants on a single Palo Alto
Networks firewall.
Destination
On the Global tab, when you select Service Route Configuration and then
click Customize, the Destination tab becomes accessible. Destination service
routes are specifically located within the Global tab and are not available
under the Virtual Systems tab. This design ensures that the service route of
an individual virtual system cannot supersede route table entries that are not
assigned to that particular virtual system.
A destination service route is employed to implement a customized
redirection for a service that is not included in the predefined list of
supported services. It essentially allows you to establish routing
configurations that take precedence over the entries in the Forwarding
Information Base (FIB) route table, regardless of their association with any
particular service. These settings may pertain to services that are either
connected or unrelated.
The Destination tab is applicable in the following scenarios:
● When a service lacks an application service route.
● Within a single virtual system, when you wish to utilize multiple virtual
routers or a combination of a virtual router and a management port for
routing purposes.
Table 7-03: Destination Service Route Settings (columns: Custom Routes For
Different Virtual Systems; Destination Routes; the table body is described in
the two sections that follow)
Virtual Systems
In cases where a firewall is configured for multiple virtual systems, these
virtual systems inherit the global service and service route settings. For
example, the firewall can use a shared email server to send email alerts to all
virtual systems. However, there are scenarios where you would want to
establish distinct service routes for each virtual system.
One such scenario is when you are an Internet Service Provider (ISP) tasked
with serving multiple individual tenants through a single Palo Alto Networks
firewall. Each tenant necessitates custom service routes to access a variety of
services, including DNS, Kerberos, LDAP, NetFlow, RADIUS, TACACS+,
Multi-Factor Authentication, email, SNMP trap, syslog, HTTP, User-ID
Agent, VM Monitor, Panorama for content and software updates. Another
situation might involve an IT organization aiming to grant full autonomy to
server-setting groups for their services. Each group can have its own virtual
system and define its unique service routes.
In a virtual system, you can choose a virtual router for a service route, but
you cannot select the egress interface. After the virtual router is selected
and the firewall sends the packet out of that virtual router, the egress
interface is chosen based on the destination IP address. Consequently, if a
virtual system contains multiple virtual routers, packets to all the servers
for a service must exit through a single virtual router. A packet may
therefore egress through one interface while carrying the source address of
another interface; the return traffic then arrives at the interface that owns
that source IP address, which can lead to asymmetric traffic flows.
Destination Routes
When you access the Global tab and navigate to Service Route
Configuration > Customize, the Destination tab becomes visible.
Destination service routes are exclusively accessible within the Global tab
and are not accessible in the Virtual Systems tab. This separation ensures
that the service route configured for an individual virtual system cannot
supersede or modify the route table entries that are unrelated to that
particular virtual system.
The purpose of a destination service route is to introduce a customized
redirection for a service, especially when that service is not in the list
of services that can be customized. A destination service route establishes
routing that overrides the entries in the Forwarding Information Base (FIB)
route table. It is important to note that any settings within the
destination service routes take precedence over the route table entries,
whether or not they are associated with specific services.
The utilization of destination routes is similar to the use cases previously
discussed in the "Destination" section.
How To Verify Service Routes
Set up global service routes for the firewall, and any virtual system lacking a
service route configuration for a specific service will automatically inherit
the interface and IP address settings established globally for that particular
service.
EXAM TIP: When a firewall is configured with multiple virtual
systems, these virtual systems adopt the global service settings and service
route configurations. For example, the firewall can employ a common email
server to send email notifications to all the virtual systems. However, there
are situations where distinct service routes need to be established for each
virtual system.
Lab 7-02: Configure Service Routes
Case Study
Cyber Innovations Inc. is a leading technology solutions provider
specializing in cybersecurity and network infrastructure. With a commitment
to delivering cutting-edge services, the company has rapidly expanded its
operations to serve a diverse clientele. Cyber Innovations Inc. operates in
multiple regions, with a focus on North America, Europe, and the Asia-
Pacific region.
Cyber Innovations Inc. is a dynamic player in the technology sector,
boasting an impressive annual revenue of $250 million and a dedicated
workforce of 1,200 employees. With a global footprint, the company has
strategically positioned offices and branches in major cities across North
America, Europe, and Asia-Pacific. This extensive geographical presence
empowers Cyber Innovations Inc. to meet its clients’ diverse and evolving
global needs. Whether serving clients in bustling North American tech hubs,
European financial centers, or the rapidly expanding markets of the Asia-
Pacific region, the company’s commitment to excellence remains
unwavering, driving its success in the highly competitive technology
industry.
Business Challenge
Cyber Innovations Inc., a reputable technology company, is confronted with
a pressing business challenge within its network infrastructure. The
organization maintains a LAN-WAN setup, with a Palo Alto Firewall acting
as the gateway between the LAN and the wider Internet.
However, a recurring issue has emerged: LAN users can successfully connect
to specific IP addresses on the Internet but encounter connectivity problems
when attempting to connect to domain names. This challenge disrupts
seamless web access and negatively impacts user experience, hampering
productivity and limiting the full potential of internet resources.
Solution
To address the critical business challenge and ensure uninterrupted access to
domain names on the internet for LAN users, Cyber Innovations Inc. has
developed a solution involving the implementation of Service Routes on the
Palo Alto Firewall.
The solution begins with the configuration of Service Routes on the Palo
Alto Firewall. These Service Routes define the specific path that network
traffic should follow when connecting to external domain names.
To resolve the connectivity issue, you need to ensure that when LAN users
attempt to connect to domain names, the Palo Alto Firewall does not utilize
its Management Interface. Instead, it uses the Data Port (ethernet1/2) to
establish connections with external DNS servers on the Internet. This
prevents any potential conflicts or restrictions associated with the
Management interface.
With the new Service Routes in place, LAN users can seamlessly and
efficiently connect to external domain names. When a user initiates a
connection request to a domain, the Firewall directs the request through the
appropriate data port, ensuring that domain names are promptly resolved
into their corresponding IP addresses.
Cyber Innovations Inc. successfully eliminates the business challenge of
restricted domain name connectivity by implementing Service Routes on the
Palo Alto Firewall. This solution enhances user productivity and ensures
LAN users can fully leverage the internet’s resources. It aligns with the
organization’s commitment to providing employees with seamless and
secure network access.
Follow the steps to complete the lab:
1. Configure Service Routes
2. Commit
Figure 7-19: Configure Service Routes
1. Configure Service Routes
1. Navigate to Device > Setup
Under the Services tab, click the Service Route Configuration option.
2. Click on the Customize radio button and checkmark the DNS service
checkbox.
3. Click the Set Selected Service Routes button.
4. Enter ethernet1/2 in the Source Interface, and the associated IP
Address will appear in the Source Address field. Click the OK button.
5. You can see the configured interface and the associated IP Address.
Click the OK button.
2. Commit
Click the Commit button to save the configuration.
Configure Application-Based QoS
QoS, or Quality of Service, comprises a suite of networking technologies
that ensure the reliable operation of high-priority applications and traffic
within the constraints of a shared network infrastructure. QoS mechanisms
accomplish this by delivering specialized treatment and resource allocation
to specific data flows in the network, empowering network administrators to
designate the processing order and bandwidth allocation for each type of
traffic.
Enablement requirements
Quality of Service (QoS)
Palo Alto Networks' QoS feature offers an "application-aware" QoS service
driven by App-ID, which is the firewall's capability to understand and
categorize applications. The QoS system operates as a self-contained entity
within the firewall, taking into account any pre-existing QoS markings on
packets but not directly manipulating them. Traffic is assessed against QoS
policy rules, which include factors such as QoS packet markings, App-ID,
and other matching criteria, to assign a traffic classification value ranging
from 1 to 8. These values serve as the foundation for making QoS decisions.
Notably, QoS traffic management is confined to outbound traffic on the
specified interface(s) and cannot be applied to incoming traffic. The
relationships among QoS policies, traffic classes, QoS Profiles, and
interfaces are illustrated in Figure 7-20:
Figure 7-20: Enablement Requirements
QoS Policy Rule
When configuring a Security policy rule, the QoS Marking field is utilized to
embed QoS markings into packet headers. This marking is relevant to all
traffic handled by the Security policy rule. It is important to recognize that
this marking does not have a direct connection to the QoS processing taking
place within the firewall.
Figure 7-21: QoS Policy Rule
Palo Alto Networks firewall's QoS implementation is initiated with three
core configuration elements that form the foundation of a comprehensive
QoS system: a QoS policy, a QoS Profile, and the setup of QoS egress
interfaces. Each aspect of the QoS configuration process contributes to the
larger goal of enhancing and prioritizing traffic flow, as well as allocating
and guaranteeing bandwidth based on configurable criteria.
In QoS policies, traffic satisfying specified policy conditions is categorized
into classes ranging from 1 to 8. The PAN-OS QoS functionality can
leverage App-ID for dedicated bandwidth reservation in certain cases.
Figure 7-22: Class Ranges
Add A Differentiated Services Code Point/ToS Component
A Differentiated Services Code Point (DSCP) represents a value within a
packet header that serves as a request, such as seeking high-priority or best-
effort delivery for network traffic. With session-based DSCP classification,
you can both respect the incoming traffic's DSCP values and apply a DSCP
value to a session's traffic as it departs the firewall. This approach ensures
consistent QoS (Quality of Service) treatment for all traffic, both inbound
and outbound, as it traverses the network. For example, inbound traffic
returning from an external server can receive the same QoS priority as
initially defined by the firewall, based on the DSCP value detected at the
session's outset. Any network devices situated between the firewall and the
end user will also enforce this identical priority for the return traffic, along
with any other outbound or inbound traffic associated with the session.
Different DSCP markings represent distinct levels of service:
Expedited Forwarding (EF): This codepoint is employed to request
optimal delivery with minimal loss, low latency, and assured bandwidth for
traffic. Typically, packets bearing EF codepoint values are guaranteed the
highest-priority delivery.
Assured Forwarding (AF): AF codepoints are utilized to ensure reliable
delivery of applications. When traffic is marked with an AF codepoint, it
signifies a request for higher-priority treatment compared to the best-effort
service, although packets with an EF codepoint still receive higher priority
over those with AF codepoints.
Class Selector: This codepoint is used to maintain compatibility with
network devices that rely on the IP precedence field for marking traffic with
different priorities.
IP Precedence (ToS): Legacy network devices use this field to designate
priority traffic. Before the introduction of DSCP classification, the IP
Precedence header field was employed to indicate the priority of a packet.
Custom Codepoint: Custom codepoints enable the matching of traffic by
specifying a codepoint name and its corresponding binary value.
For example, selecting AF ensures that traffic marked with an AF codepoint
value is granted higher priority for dependable delivery compared to
applications marked for lower-priority treatment. To enable session-based
DSCP classification, you should start by configuring QoS based on the
initial DSCP marking detected at the beginning of a session. Subsequently,
you can enable the firewall to consistently apply the same DSCP value to the
return traffic of a session, maintaining QoS priority enforcement for the
initial outbound flow.
Enabling this option lets the firewall apply the same DSCP value to return
traffic that it initially detected at the beginning of the session. For
example, the firewall would mark return traffic with the DSCP value AF11 in
this scenario. While configuring QoS lets you shape traffic as it exits the
firewall, enabling this option within a Security rule allows intermediate
network devices located between the firewall and the client to maintain
priority enforcement for the DSCP-marked traffic.
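The codepoint families above are six-bit values with a fixed layout, and the session-based rule is simple to state in code. The following Python is an added example (not PAN-OS code): it builds EF, AFxy and CSx codepoints from their bit layout, places a DSCP in the IP ToS byte (and reads back what a legacy IP Precedence device would see in the same bits), ranks codepoints in the order the text gives (EF above AF above Class Selector above best effort), and re-marks a session's return traffic with the DSCP seen on its first packet. Values such as AF11 = 10 and EF = 46 are the standard codepoint values; the session dictionary is a constructed stand-in for firewall session state.

```python
EF = 0b101110  # Expedited Forwarding, decimal 46


def af(cls, drop):
    """Assured Forwarding AFxy: class x (1-4) in the top three bits,
    drop precedence y (1-3) in the next two bits, lowest bit zero."""
    if cls not in range(1, 5) or drop not in range(1, 4):
        raise ValueError("AF class must be 1-4 and drop precedence 1-3")
    return (cls << 3) | (drop << 1)


def cs(precedence):
    """Class Selector CSx: the legacy IP Precedence value in the top three bits."""
    if precedence not in range(8):
        raise ValueError("precedence must be 0-7")
    return precedence << 3


def tos_byte(dscp, ecn=0):
    """DSCP occupies the top six bits of the ToS / Traffic Class byte; ECN the low two."""
    if dscp not in range(64):
        raise ValueError("DSCP is a six-bit value")
    return (dscp << 2) | (ecn & 0b11)


def dscp_from_tos(tos):
    return tos >> 2


def ip_precedence(dscp):
    """What a legacy IP Precedence device reads from the same three top bits."""
    return dscp >> 3


def describe(dscp):
    """Name a codepoint the way the text groups them, or report it as custom."""
    if dscp == EF:
        return "EF"
    if dscp & 0b111 == 0:
        return f"CS{dscp >> 3}"  # CS0 is best-effort (default) traffic
    cls, drop, low_bit = dscp >> 3, (dscp >> 1) & 0b11, dscp & 1
    if 1 <= cls <= 4 and 1 <= drop <= 3 and low_bit == 0:
        return f"AF{cls}{drop}"
    return f"custom({dscp:06b})"


def service_rank(dscp):
    """EF above AF above a non-zero Class Selector above best effort."""
    label = describe(dscp)
    if label == "EF":
        return 3
    if label.startswith("AF"):
        return 2
    if label.startswith("CS") and label != "CS0":
        return 1
    return 0


def classify_session(first_packet_tos):
    """Session-based DSCP classification: remember the codepoint seen at session start."""
    return {"dscp": dscp_from_tos(first_packet_tos)}


def mark_return_traffic(session, return_tos):
    """Re-mark a server-to-client packet with the session's initial DSCP, keeping its ECN bits."""
    return tos_byte(session["dscp"], ecn=return_tos & 0b11)


if __name__ == "__main__":
    session = classify_session(tos_byte(af(1, 1)))          # client packet marked AF11
    print(describe(session["dscp"]), ip_precedence(session["dscp"]))
    print(f"{mark_return_traffic(session, tos_byte(0)):08b}")  # return packet now carries AF11
```

Note that `ip_precedence(af(1, 1))` is 1 and `ip_precedence(af(4, 1))` is 4: the AF class number is exactly the precedence a legacy device sees, which is why the Class Selector and AF families interoperate with IP Precedence equipment.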
QoS Profile
QoS Profiles define the order of importance assigned to specific traffic when
the interface experiences congestion. As the priority level decreases, more
packets are subject to random discards until the congestion issue is resolved.
The extent of packet dropping is directly linked to their assigned priority.
When set to real-time priority, no packet drop occurs. In contrast, high,
medium, and low priority settings result in progressively more random
packet drops as traffic priority decreases.
Until the managed interface encounters congestion, no packet drops will take
place. Congestion happens when the outbound traffic queues fill up faster
than they can be emptied.
These profiles also establish the maximum bandwidth limit that is always
enforced. The bandwidth configured as the maximum limit is accessible to
all traffic until the interface faces congestion. Following congestion, sessions
might not receive more bandwidth than their guaranteed allocation.
QoS Profiles effectively prioritize specified traffic. The Figure 7-23
illustrates the four potential priority values:
Figure 7-23: Four Potential Priority Values
Determine How To Control Bandwidth Use On A Per-
Application Basis
Voice and video traffic is especially sensitive to the conditions the QoS
feature regulates, particularly latency and jitter. To ensure that voice and
video transmissions are intelligible and of high quality, it is crucial to
prevent voice and video packets from being discarded, delayed, or delivered
inconsistently. An advisable approach for voice and video applications,
alongside the provision of adequate bandwidth, is to assign a high-priority
status to voice and video traffic.
Use QoS To Monitor Bandwidth Utilization
QoS bandwidth management empowers you to regulate network traffic,
preventing it from surpassing network capacity and leading to congestion.
This capability allows you to designate bandwidth for specific traffic types,
applications, and users. With QoS, you have the flexibility to enforce
bandwidth restrictions at different levels, whether narrow or broad. By
utilizing a QoS Profile rule, you can establish bandwidth limits for
individual QoS classes and the cumulative bandwidth allocation for all eight
QoS classes. As part of the QoS configuration process, you can link the QoS
Profile rule to a physical interface to enforce bandwidth settings for the
traffic exiting that interface. Individual QoS class settings are applied to
traffic that matches QoS policy rules. The overall bandwidth constraint
defined in the profile can be extended to cover all unencrypted traffic,
particularly unencrypted traffic stemming from source interfaces and source
subnets, all tunneled traffic, and individual tunnel interfaces. To
accommodate diverse bandwidth requirements for outgoing traffic on an
interface, you can include multiple profile rules within a single QoS
interface. Both egress guaranteed and egress max settings support QoS
bandwidth adjustments.
Egress Guaranteed
Egress guaranteed designates a specific bandwidth quantity that is assured
for matching traffic. When the egress-guaranteed bandwidth is exceeded, the
firewall handles the traffic based on a best-effort approach. Any bandwidth
that is guaranteed but remains unused remains accessible for all traffic.
Depending on the QoS setup, you can ensure bandwidth for an individual
QoS class, for all or a subset of unencrypted traffic, and for all or a portion
of tunneled traffic.
For example, consider Class 1 traffic with a 5 Gbps egress guaranteed
bandwidth. The 5 Gbps is available to Class 1 but is not exclusively reserved
for it: whatever part of the guarantee Class 1 does not use can be consumed
by other traffic classes. During periods of high traffic volume, however,
5 Gbps is definitively allocated to Class 1 traffic, and any Class 1 traffic
exceeding 5 Gbps is handled on a best-effort basis.
Egress Max
As for egress max, it specifies an overarching bandwidth allocation for
matching traffic. The firewall will discard traffic that surpasses the set egress
max limit. The QoS configuration allows you to define a maximum
bandwidth limit for a QoS class, for all or a subset of unencrypted traffic, for
all or a portion of tunneled traffic, and for all traffic exiting the QoS
interface.
EXAM TIP: QoS Profiles define the order of importance assigned
to specific traffic when the interface experiences congestion. As the priority
level decreases, more packets are subject to random discards until the
congestion issue is resolved. The extent of packet dropping is directly
linked to their assigned priority.
Lab 7-03: Configure App-based Quality of Service (QoS)
Case Study
Cyber Innovations Inc. is a leading technology solutions provider
specializing in cybersecurity and network infrastructure. With a commitment
to delivering cutting-edge services, the company has rapidly expanded its
operations to serve a diverse clientele. Cyber Innovations Inc. operates in
multiple regions, with a focus on North America, Europe, and the Asia-
Pacific region.
Cyber Innovations Inc. is a dynamic player in the technology sector,
boasting an impressive annual revenue of $250 million and a dedicated
workforce of 1,200 employees. With a global footprint, the company has
strategically positioned offices and branches in major cities across North
America, Europe, and Asia-Pacific. This extensive geographical presence
empowers Cyber Innovations Inc. to meet its clients’ diverse and evolving
global needs. Whether serving clients in bustling North American tech hubs,
European financial centers, or the rapidly expanding markets of the Asia-
Pacific region, the company’s commitment to excellence remains
unwavering, driving its success in the highly competitive technology
industry.
Business Challenge
Cyber Innovations Inc., a forward-thinking technology company, faces a
critical business challenge within its network infrastructure. The
organization operates a network configuration where a Palo Alto Firewall
separates a Local Area Network (LAN) from a Wide Area Network (WAN).
In this context, the challenge is to optimize and prioritize network traffic to
ensure seamless performance and enhance the overall Quality of Service
(QoS) for critical applications.
The need for Application-based Quality of Service (QoS) arises from the
diverse nature of network traffic within Cyber Innovations Inc.’s LAN-WAN
setup. The LAN serves as the foundation for numerous critical applications,
including real-time communication tools, cloud-based services, and data-
intensive applications. In such a dynamic environment, network congestion,
bandwidth limitations, and latency issues can significantly impact these
applications’ performance and user experience.
Solution
It is essential to differentiate and prioritize traffic based on application
requirements to address this challenge effectively. By implementing
Application-based QoS, the company aims to ensure that mission-critical
applications receive the necessary bandwidth and network resources while
less critical or non-business traffic is appropriately managed, preventing it
from consuming excessive resources.
Once applications are identified, traffic is classified into different categories
based on predefined policies. These policies take into account the specific
requirements and criticality of each application. With traffic classified into
categories, the Palo Alto Firewall assigns appropriate QoS priorities to each
category. This ensures that mission-critical applications receive higher
priority and are allocated more bandwidth and lower latency, thus optimizing
their performance.
The solution includes bandwidth management controls that allocate and
reserve specific portions of available bandwidth for high-priority
applications. This prevents non-essential or recreational traffic from
consuming excessive bandwidth. By implementing Application-based QoS
on the Palo Alto Firewall, Cyber Innovations Inc. ensures that critical
applications operate seamlessly, even in scenarios with limited bandwidth or
high network congestion.
Follow the steps to complete the lab:
1. Configure QoS Policy Rule
2. Configure QoS Profile
3. Configure QoS Interface
4. Commit
Figure 7-24: Configure Application-based QoS
1. Configure QoS Policy Rule
1. Navigate to Policies > QoS
Click on the Add button to add the QoS Policy.
2. Under the General tab, enter QoS Policy in the Name.
3. Under the Source tab, select Any in the Source Zone.
4. Under the Destination tab, select Any in Destination Zone.
5. Under the Application tab, select Skype in the Applications column.
6. Under the Other Settings tab, select 5 in the Class menu.
2. Configure QoS Profile
1. Navigate to Network > Network Profiles > QoS Profile
Click on the Add button to add the QoS Profile.
2. Enter QoS Profile Skype in the Profile Name. Click the Add button
under the Class column and select class5.
3. Enter real-time in the Priority column, 1000 in the Egress Max
(Mbps) column, and 800 in the Egress Guaranteed (Mbps) column.
Click the OK button.
3. Configure QoS Interface
1. Navigate to Network > QoS
Click on the Add button to configure it.
2. Select ethernet1/1 in the Interface Name, enter 1000 in the Egress
Max (Mbps), and checkmark the Turn on QoS feature on this
interface checkbox. Select the QoS Profile Skype in the Clear Text
menu. Click the OK button.
4. Commit
Click the Commit button to save the configuration.
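To show what the lab's numbers mean under load, here is an added Python model (not code from this guide or from Palo Alto Networks) of a QoS profile's per-class guaranteed and maximum egress values on an interface with its own egress maximum. The scheduling order is a simplifying assumption: each class first receives its guarantee, then leftover capacity is handed out in priority order; class4 is a constructed best-effort class standing in for the profile's other classes.

```python
from dataclasses import dataclass, field

# Priority levels a PAN-OS QoS profile class can carry, highest first.
PRIORITY_ORDER = ("real-time", "high", "medium", "low")


@dataclass
class QosClass:
    name: str
    priority: str
    egress_guaranteed: float   # Mbps reserved for this class
    egress_max: float          # Mbps ceiling for this class


@dataclass
class QosProfile:
    name: str
    egress_max: float                            # Mbps ceiling for the profile
    classes: dict = field(default_factory=dict)  # class name -> QosClass


def validate(profile, interface_egress_max):
    """Sanity checks a practitioner would run before committing.

    Returns a list of human-readable problems; an empty list means the
    profile fits the interface it is attached to.
    """
    problems = []
    if profile.egress_max > interface_egress_max:
        problems.append(f"profile egress max {profile.egress_max} exceeds "
                        f"interface egress max {interface_egress_max}")
    total_guaranteed = sum(c.egress_guaranteed for c in profile.classes.values())
    if total_guaranteed > profile.egress_max:
        problems.append(f"sum of class guarantees {total_guaranteed} exceeds "
                        f"profile egress max {profile.egress_max}")
    for cls in profile.classes.values():
        if cls.priority not in PRIORITY_ORDER:
            problems.append(f"{cls.name}: unknown priority {cls.priority!r}")
        if cls.egress_guaranteed > cls.egress_max:
            problems.append(f"{cls.name}: guaranteed exceeds its own max")
    return problems


def allocate(profile, interface_egress_max, demand):
    """Model the bandwidth each class gets when the interface is congested.

    demand maps class name -> offered load in Mbps. Simplified scheduling
    assumption (not a description of the PAN-OS implementation): every class
    first receives its guarantee, then leftover capacity is handed out in
    strict priority order up to each class's max and offered load.
    """
    problems = validate(profile, interface_egress_max)
    if problems:
        raise ValueError("; ".join(problems))
    capacity = min(profile.egress_max, interface_egress_max)
    granted = {}
    # Pass 1: honour guarantees, never beyond what the class actually offers.
    for name, cls in profile.classes.items():
        want = min(demand.get(name, 0.0), cls.egress_max)
        granted[name] = min(want, cls.egress_guaranteed)
    remaining = capacity - sum(granted.values())
    # Pass 2: leftover capacity goes to the highest priority first.
    for prio in PRIORITY_ORDER:
        for name, cls in profile.classes.items():
            if cls.priority != prio or remaining <= 0:
                continue
            unmet = min(demand.get(name, 0.0), cls.egress_max) - granted[name]
            take = max(0.0, min(unmet, remaining))
            granted[name] += take
            remaining -= take
    return granted


# The lab's profile: class5 carries Skype at real-time priority with an
# 800 Mbps guarantee and a 1000 Mbps ceiling. class4 is a constructed
# best-effort class for everything else (no guarantee, medium priority).
LAB_PROFILE = QosProfile(
    name="QoS Profile Skype",
    egress_max=1000.0,
    classes={
        "class5": QosClass("class5", "real-time", 800.0, 1000.0),
        "class4": QosClass("class4", "medium", 0.0, 1000.0),
    },
)
LAB_INTERFACE_EGRESS_MAX = 1000.0   # ethernet1/1 in the lab


if __name__ == "__main__":
    # Moderate Skype load: it takes what it needs, the rest flows to class4.
    print(allocate(LAB_PROFILE, LAB_INTERFACE_EGRESS_MAX,
                   {"class5": 600.0, "class4": 900.0}))
    # Skype saturates: real-time priority plus the guarantee starve class4.
    print(allocate(LAB_PROFILE, LAB_INTERFACE_EGRESS_MAX,
                   {"class5": 1200.0, "class4": 900.0}))
```

The second run is the case to watch for: a real-time class with a large guarantee can leave nothing for lower classes, which is why the guarantee should be sized to the application's real need.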
Mind Map
Figure 7-25: Mind Map
Practice Questions
1. What is the primary purpose of a virtual router in the context of dynamic
routing within a firewall?
A. To establish firewall security policies for incoming traffic.
B. To manage Layer 3 routing and determine optimal routes for traffic.
C. To handle VLAN objects for Layer 2 traffic.
D. To enable Policy-Based Forwarding (PBF) for egress interface selection.
2. Which routing engine exclusively supports the Border Gateway Protocol
(BGP) and static routes and allows for only a single virtual router
instance?
A. The Legacy Route Engine
B. The Advanced Route Engine
C. Both routing engines support BGP and static routes equally.
D. Neither routing engine supports BGP or static routes.
3. What is the purpose of Equal-Cost Multi-Path (ECMP) routing in a
firewall, and how does it enhance network reliability?
A. ECMP allows for load distribution across multiple equal-cost routes and
prevents link redundancy.
B. ECMP allows the firewall to choose one optimal route from the routing
table.
C. ECMP enables the firewall to select one optimal route and wait for the
routing protocol to choose an alternative route.
D. ECMP permits dynamic traffic shifting in case of link failure, reducing
downtime and enhancing network reliability.
4. What is the primary purpose of NAT policy rules in a firewall?
A. To determine the optimal route for incoming traffic.
B. To exempt specific IP addresses from NAT translation.
C. To enforce security policies for incoming traffic.
D. To define how internal IP addresses are translated for public internet
use.
5. In a Security policy rulebase, how are rules evaluated when confronted
with incoming traffic?
A. Rules are evaluated from the bottom to the top of the rulebase.
B. Rules are applied randomly.
C. Rules are evaluated sequentially from the top to the bottom of the
rulebase.
D. Rules are evaluated based on their complexity, with more complex rules
taking precedence.
6. What is the purpose of U-Turn NAT in a firewall, and how does it
address issues related to asymmetry in network traffic?
A. U-Turn NAT ensures that all traffic is translated in both directions for
consistency.
B. U-Turn NAT allows internal hosts to utilize external IP addresses.
C. U-Turn NAT prevents the firewall from translating traffic, maintaining
asymmetry.
D. U-Turn NAT is used for routing traffic from external to internal
networks.
7. What is the primary purpose of a tunnel interface in a VPN setup?
A. To manage the routing of traffic between remote sites.
B. To apply security policies to VPN traffic.
C. To encapsulate and transmit data between VPN endpoints.
D. To assign IP addresses to VPN connections.
8. When routing traffic between sites in a VPN, why might you need to
configure an IP address on a tunnel interface?
A. An IP address is always required for proper routing.
B. An IP address is used to manage security policies.
C. An IP address is needed for tunnel monitoring.
D. An IP address is not necessary for routing between sites.
9. How should proxy IDs be configured in a VPN setup to ensure proper
sequence and matching with a peer using a policy-based VPN?
A. Proxy IDs should be configured in any order, as the order does not affect
matching.
B. Proxy IDs should be configured with more general IDs first, followed by
more specific ones.
C. Proxy IDs should be configured with specific IDs first, followed by
more general ones.
D. Proxy IDs should be configured alphabetically by name.
10. What is the purpose of creating a service route with the "Next VR"
option in a firewall's virtual router configuration?
A. To route traffic to a different virtual router within the same virtual
system.
B. To specify an IP address as the next hop for the route.
C. To discard packets directed to the specified destination.
D. To define a route with no next hop.
11. What is the purpose of the "Destination" service routes in a firewall's
service route configuration?
A. To establish custom service settings for each virtual system.
B. To create routing configurations for services not supported in the
predefined list.
C. To override the Forwarding Information Base (FIB) route table entries.
D. To manage the routing of multicast traffic.
12. How can you ensure a virtual system adopts global service settings and
service route configurations for a particular service?
A. By customizing the service settings for each virtual system separately.
B. By enabling multicast routing for the virtual system.
C. By assigning the same email server for all virtual systems.
D. By creating destination service routes for each virtual system.
13. What is the primary purpose of QoS profiles in Palo Alto Networks'
QoS system?
A. To assign DSCP values to outbound traffic.
B. To categorize applications using App-ID.
C. To manage congestion and random packet drops.
D. To set priority levels for specific traffic when the interface experiences
congestion.
14. What is the purpose of Differentiated Services Code Point (DSCP) in
QoS?
A. To define a maximum bandwidth limit for traffic.
B. To categorize applications using App-ID.
C. To request optimal delivery for network traffic.
D. To assign priority levels to packets based on legacy IP precedence
values.
15. How can QoS help ensure high-quality voice and video transmissions?
A. By categorizing applications based on App-ID.
B. By managing congestion and random packet drops.
C. By assigning DSCP values to outbound traffic.
D. By assigning high-priority status to voice and video traffic.
Chapter 08: Deploy and Configure Features and
Subscriptions
Introduction
In the dynamic landscape of cybersecurity, adaptability is paramount. The
ability to secure your network and fine-tune its defenses to meet evolving
threats is a skill that defines the modern network security professional. This
chapter will empower you with the knowledge and practical skills to deploy
and configure key features and subscriptions on Palo Alto Networks devices.
As you delve into this chapter, you will embark on a journey that explores
some of the most critical elements of Palo Alto Networks Next-Generation
Firewalls, a cornerstone in securing today's digital environments. We will
guide you as you navigate the intricacies of configuring decryption, User-ID,
WildFire, and Web Proxy – each a pivotal component in the comprehensive
security ecosystem Palo Alto Networks provides.
This chapter will equip you with the essential understanding and hands-on
expertise needed to harness the full potential of these features, empowering
you to secure your network and gain deep insights into user behavior,
identify and combat advanced threats, and manage web traffic with
precision.
Configuring Decryption
You can set up the firewall to decrypt traffic to gain visibility, control, and
enhanced security. Decryption policies apply to SSL, which includes SSL-
encapsulated protocols like IMAP[S], POP3[S], SMTP[S], and FTP[S], as
well as SSH traffic. SSH decryption can decode both outbound and inbound
SSH traffic, ensuring that secure protocols are not misused for unauthorized
applications and content tunneling.
Inbound Decryption
Configuring Decryption
A Palo Alto Networks firewall can also be a decryption intermediary for
external security services. This feature involves decrypting the traffic and
directing it through a chosen interface to a specific security device or service
(or a series of devices) that inspects the unencrypted traffic. The last service
in the sequence sends the packet back to the firewall, which then encrypts it
and forwards it to its original destination.
Decryption Policies
Decryption policies govern the decryption of incoming traffic. Palo Alto
Networks firewalls automatically identify encrypted traffic and respond by
assessing the decryption policy rules. If a matching policy rule is located, the
firewall tries to decrypt the traffic based on the specified decryption action in
the policy rule. Afterward, regular packet processing resumes.
Figure 8-01: Decrypt and No Decrypt
SSL Forward Proxy
To enable SSL Forward Proxy decryption, it is essential to establish the
certificates that authorize the firewall as a trusted intermediary (proxy) for
the communication between the client and the server.
SSL Decryption Exclusions
There are two categories of decryption exclusions: predefined and custom
exclusions.
● Predefined decryption exclusions permit applications and services that
might encounter issues when subjected to firewall decryption to remain
encrypted. Palo Alto Networks manages and periodically updates the
predefined exclusion list as part of the Applications and Threats content
update. These predefined exclusions are typically enabled by default, but
you can deactivate them when necessary.
● Additionally, you can create custom decryption exclusions to exempt
server-related traffic from decryption. This ensures that all traffic,
whether originating from or heading to the specified server, remains
encrypted.
SSH Proxy
Configuring SSH Proxy does not require certificates or the key to decrypt
SSH sessions. When SSH decryption is activated, the firewall decrypts SSH
traffic and enforces controls or restrictions on SSH traffic following the
decryption policy and Decryption Profile settings. Subsequently, the traffic is
re-encrypted as it exits the firewall. Decryption can only be carried out on
virtual wire, Layer 2, or Layer 3 interfaces.
Configure User-ID
User-ID Agent And Agentless
User-ID Agent
To establish associations between usernames and IP addresses, User-ID
agents actively monitor a range of data sources, including directory servers.
These User-ID agents then transmit these user mappings to various
destinations, such as firewalls, Log Collectors, or Panorama. Within this
setup, each of these appliances can serve as a redistribution hub, facilitating
the dissemination of these mappings to other firewalls, Log Collectors, or
Panorama units. To enable a firewall (through its User-ID agent settings) or
Panorama (through its user identification settings) to collect user mappings,
you must configure their connections to the User-ID agents or redistribution
points.
User-ID Agentless
An agentless User-ID approach can be employed in small to medium-sized
deployments with 10 or fewer domain controllers or Exchange servers. It is
designed for instances where the goal is to share PAN-OS-sourced mappings
from sources like Active Directory, Captive Portal, or GlobalProtect with
other Palo Alto Networks devices, up to a maximum of 255 such devices.
User-ID Group Mapping
Best practices for group mapping in an Active Directory (AD) environment
include the following:
1. Single Domain:
● If your environment consists of a single domain, a single group mapping
configuration suffices. Use an LDAP server profile to establish a
connection between the firewall and the domain controller with the best
network connectivity.
● You can incorporate up to four domain controllers within the LDAP server
profile for added resilience. It is important to note that redundancy cannot
be extended beyond four domain controllers for a single domain by
introducing multiple group mapping configurations.
2. Multiple Domains or Forests:
● In cases where you have multiple domains or forests, you must create a
group mapping configuration for each domain or forest, utilizing an
LDAP server profile that connects the firewall to a domain server in each
domain or forest.
● It is essential to ensure that usernames are unique across separate forests.
3. Universal Groups:
● When dealing with universal groups, you can set up an LDAP server
profile to link to the root domain of the global catalog server, using port
3268 or 3269 for SSL. Create another LDAP server profile to connect to
the root domain controllers on port 389. This approach ensures user and
group information is accessible for all domains and subdomains.
4. Primary Username Configuration:
● Before implementing group mapping, establish a primary username for
user-based Security policies. This attribute is pivotal in identifying users
within policy configurations, logs, and reports.
Shared User-ID Mapping Across Virtual Systems
You can designate a firewall or virtual system to act as a data distribution
agent, facilitating the redistribution of user mapping data and associated
authentication challenge timestamps. This straightforward process involves
configuring Data Redistribution settings to establish an agent that
communicates with other firewalls and devices to share locally stored
information.
Data Redistribution
Every firewall that enforces user-based policies relies on user-mapping
information. In expansive network setups, instead of configuring each
firewall to query mapping information sources directly, you can optimize
resource utilization by configuring the selected firewalls to acquire mapping
data through redistribution. Redistribution also empowers firewalls to
enforce user-based policies when users authenticate using local sources
(such as regional directory services) but require access to remote services
and applications (like global data center applications).
The Data Redistribution feature permits a firewall to serve as a source of IP
address-to-username mappings, along with various other types of data, for
devices configured to interact with the agent service of that source firewall
or through Panorama.
If you configure an authentication policy, it is imperative for your firewalls
to redistribute the authentication timestamps generated during user
authentication for accessing applications and services. These timestamps are
crucial for evaluating timeout periods specified in the Authentication policy
rules. These timeouts enable users who have successfully authenticated to
request services and applications without needing repeated authentication
within the defined timeout intervals. The redistribution of timestamps
ensures consistent timeout enforcement across all firewalls within the
network.
Notably, firewalls share user mappings and authentication timestamps as part
of the same redistribution process, eliminating the need for separate
redistribution configurations for each information type.
User-ID Methods
To apply policies based on users and groups, the firewall must be able to
associate the IP addresses present in the received packets with corresponding
usernames. These mappings are pivotal in ensuring that security rules are
enforced accurately.
Various methods of user mapping are available, including:
1. Server Monitoring
2. Port Mapping
3. Syslog
4. XFF Headers
5. Username Header Insertion
6. Authentication Policy and Authentication Portal
7. GlobalProtect
8. XML API
9. Client Probing
These methods collectively enable the firewall to establish the crucial link
between IP addresses and usernames, facilitating proper enforcement of
security policies.
Benefits of Using Dynamic User Groups (DUGs) In Policy Rules
Dynamic User Groups
Dynamic User Groups (DUGs) regulate access to resources managed by
firewall policies, encompassing the Security, authentication, and decryption
policies. DUGs offer the advantage of establishing policy rules that address
irregular user behavior and malicious activities and maintain visibility into
user actions.
When creating a policy rule, the Source User field can now include a DUG
as a matching criterion. This is a significant advancement from prior PAN-
OS releases, where only individual usernames or static group names could
be used in this context.
It is important to note that a firewall configuration commit is necessary after
creating a DUG and integrating it into a policy rule. However, you are not
required to commit changes when adding or removing users from a DUG.
User membership within a DUG is dynamic and hinges on the tagging and
untagging of usernames. This dynamic nature ensures that any updates to
DUG membership occur automatically. As a result, opting for DUGs over
static groups, such as LDAP groups, empowers you to respond to shifts in
user behavior or potential threats without the need for manual policy
adjustments.
Figure 8-02: Only DUG members get access
Numerous techniques are at your disposal for applying or removing tags
from usernames. As depicted in the screenshot shown in Figure 8-03, you
can manually assign or remove tags from usernames through the web
interface.
Figure 8-03: Assign or remove tags
Usernames can be tagged or untagged through different methods, including
utilizing the auto-tagging functionality within a Log Forwarding Profile.
Another option is to employ a separate tool that can trigger the PAN-OS
XML API commands for tagging or untagging usernames. Within the web
interface, you have the flexibility to use logical AND or OR operators in
conjunction with tags to enhance filtering and matching capabilities.
Furthermore, it is possible to set a timeout value that dictates when a
username will undergo automatic untagging.
DUG Operation
Dynamic User Groups (DUGs) empower you to create a Security policy
with an automated response to user actions and behavior. This auto-
remediation feature reduces the administrative workload by automating the
firewall's response to user activities. It also enhances the firewall's reaction
time to malicious activities, thereby bolstering the overall security of the
environment.
In the depicted scenario, the firewall logs a user's traffic data. These logs can
be directly analyzed on the firewall itself or configured for forwarding to a
third-party system for in-depth analysis. Suppose local analysis is employed
on the firewall. In that case, the log-forwarding configuration can initiate a
new built-in action, which assigns a tag to a username based on specific
events within the log entries. Alternatively, a third-party system can
associate a tag with a username by utilizing the PAN-OS XML API. A User-
ID agent maintains registrations of username-tag associations.
The firewall employs these username-tag pairs to determine the current
membership of users in a DUG. When configuring a DUG, it is linked with
one or more tags. Any user associated with a tag incorporated within a DUG
is automatically considered a member of that DUG. This DUG membership
status plays a pivotal role in determining the matching of future policy rules.
For instance, a Security policy could block a user, an authentication policy
could mandate multi-factor authentication for the user, or a decryption policy
could require the decryption of the user's traffic.
Figure 8-04: DUG Membership Status
Example Use Cases
Here are two examples as shown in Figure 8-05, illustrating the use cases of
Dynamic User Groups (DUGs):
Figure 8-05: Use Cases of Dynamic User Groups
The first example demonstrates how the firewall's control over a user's
access to network resources can be determined by aggregating the user's
comprehensive security profile, which is sourced from various channels. In
this scenario, the user's network traffic is logged for subsequent analysis.
Additionally, user metadata may be gathered from external sources like an
LDAP server. All this data can be scrutinized within the firewall's logs
through Security Information and Event Management (SIEM) systems, user
and entity behavior analytics tools, or a range of available instruments at a
Security Operations Center (SOC). Any of these tools can be configured to
either apply or remove a tag from a username, contingent on the analysis
outcomes. The act of tagging or untagging a username dictates its
membership in a Dynamic User Group (DUG). Subsequently, DUG
membership status, in conjunction with policy configuration, defines the
firewall's specific treatment of the user's network traffic.
The second example highlights the utilization of a DUG to implement time-
based access controls for individuals who require only short-term access to
network resources. In this case, you establish a DUG and incorporate it into
policies governing user access to network resources. Furthermore, you can
attach a time-based tag to a username. A username bearing this tag is
considered a member of the DUG, which permits network access. As the
time-based tag expires, the user's DUG membership is also terminated, along
with the network access it granted.
Requirements To Support Dynamic User Groups
Configuring DUGs
Before configuring and deploying Dynamic User Groups (DUGs), the initial
step involves configuring User-ID within the environment. User-ID agents
are responsible for maintaining a record of tags associated with usernames.
Following this, you set up custom tags to serve as criteria for DUG
membership. In the web interface, navigate to Objects > Tags, where you
can create one or more custom tags for dynamic assignment to users. Once
these custom tags have been established, you can create a DUG.
Go to Objects > Dynamic User Group within the web interface to create
and configure a DUG. Click "Add" to create a new group. Provide a Name
for the group, optionally add a Description, and then enter one or more tags
in the Match field as the criteria for membership. For instance, in the given
example, the Name is "sneaky-users," no Description is provided, and the
sole Match condition is the tag labeled "anonymous." By selecting "Add
Match Criteria," you can use logical AND and OR operators to combine
multiple tags as membership criteria. It is important to note that the Tags
field value is assigned to the DUG object itself; it is not assigned to
individual users and does not serve as a condition for identifying users to
include as members of the DUG.
Figure 8-06: DUG
After the creation of the Dynamic User Group (DUG), the next step involves
configuring the firewall to utilize this DUG, offering four available options.
To dynamically associate a tag with a username, you can make use of
Panorama, the XML API, a remote User-ID agent, or the web interface. The
firewall is capable of transmitting the username and tag registration data to
Panorama, which can then distribute this information to other firewalls.
Alternatively, external applications can invoke the firewall's XML API
commands to register the username and tag associations. A remote User-ID
agent can forward the username and tag registrations to either Panorama or
other User-ID agents on different firewalls. You also have the option to
utilize the web interface for registering or unregistering tags with usernames.
For instance, the screenshot shown in Figure 8-07 demonstrates
registering or unregistering tags for a username via the web interface. You
can navigate to Objects > Dynamic User Groups and select "more" next
to a group name. In the ensuing window, click on "Register New Users" to
link a tag with a username. A subsequent window appears where you can
specify the Registration Source, offering options like the local User-ID
agent, a remote User-ID agent, or Panorama. In the provided example, the
Local User-ID agent was chosen. Subsequently, you can select the tags to
be registered with the user, such as the "anonymous" tag. If a tag needs to
have a timeout, signifying that it will eventually disassociate from the user,
you can set a Timeout value in minutes. Then, by clicking "Add," you can
include one or more users to whom the tag will be registered. Conversely, to
detach a tag from a username, you can commence the process by clicking the
"Unregister Users" button.
Figure 8-07: Registering or Unregistering Tags
Figure 8-08 illustrates an alternative approach that uses a Log Forwarding
Profile linked to a Security policy rule to automatically tag a username
based on the user's network activity. For
instance, consider a Log Forwarding Profile named tag-users that has been
established. This profile is associated with a specific Security policy rule. If
the rule detects an HTTP session and identifies an entry in the URL Filtering
log with a URL category labeled as anonymous-proxy, the Log Forwarding
Profile triggers a predefined action, tagging the username with anonymous.
Consequently, the username is tagged and subsequently enrolled as a
member of a Dynamic User Group (DUG). If the DUG is used as a matching
condition within the Security policy, the firewall adjusts the user's access
privileges accordingly.
Figure 8-08: Log Forwarding Profile
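As an added example (not code from this guide or from Palo Alto Networks) covering both the XML API path and the membership logic above, the following Python builds the user-ID XML payload an external tool would POST to the firewall's XML API with type=user-id to register or unregister a tag such as anonymous on a username, then models how tagged usernames resolve into membership of a DUG like sneaky-users, including AND/OR match criteria and tag timeouts. The firewall host, API key and usernames are placeholders, and the timeout attribute is assumed to be in seconds (the web interface in the guide takes minutes).

```python
import xml.etree.ElementTree as ET


def build_uid_message(register=None, unregister=None):
    """Build the <uid-message> body for an XML API call with type=user-id.

    register:   list of (username, tag, timeout_seconds or None)
    unregister: list of (username, tag)
    Assumption: the member timeout attribute is expressed in seconds; the
    web interface shown in the guide takes minutes.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if register:
        reg = ET.SubElement(payload, "register-user")
        for user, tag, timeout in register:
            entry = ET.SubElement(reg, "entry", user=user)
            member = ET.SubElement(ET.SubElement(entry, "tag"), "member")
            member.text = tag
            if timeout is not None:
                member.set("timeout", str(int(timeout)))
    if unregister:
        unreg = ET.SubElement(payload, "unregister-user")
        for user, tag in unregister:
            entry = ET.SubElement(unreg, "entry", user=user)
            ET.SubElement(ET.SubElement(entry, "tag"), "member").text = tag
    return ET.tostring(root, encoding="unicode")


def build_api_request(firewall_host, api_key, uid_xml):
    """Return (url, form fields) for the POST an external tool would make.

    Nothing is sent here; firewall_host and api_key are placeholders.
    """
    return (f"https://{firewall_host}/api/",
            {"type": "user-id", "key": api_key, "cmd": uid_xml})


class UserTagStore:
    """Minimal stand-in for the User-ID agent's username/tag registrations."""

    def __init__(self):
        self._tags = {}   # username -> {tag: expiry epoch seconds or None}

    def register(self, user, tag, now, timeout_seconds=None):
        expires = None if timeout_seconds is None else now + timeout_seconds
        self._tags.setdefault(user, {})[tag] = expires

    def unregister(self, user, tag):
        self._tags.get(user, {}).pop(tag, None)

    def active_tags(self, user, now):
        """Tags still attached to user at time now; expired tags are ignored."""
        return {t for t, exp in self._tags.get(user, {}).items()
                if exp is None or exp > now}

    def users(self):
        return list(self._tags)


def matches(criteria, tags):
    """criteria is a tag name or a tuple ("and" | "or", criteria, ...)."""
    if isinstance(criteria, str):
        return criteria in tags
    op, *parts = criteria
    if op == "and":
        return all(matches(p, tags) for p in parts)
    if op == "or":
        return any(matches(p, tags) for p in parts)
    raise ValueError(f"unknown operator {op!r}")


def dug_members(store, criteria, now):
    """Usernames that satisfy the DUG's Match criteria at time now."""
    return {u for u in store.users()
            if matches(criteria, store.active_tags(u, now))}


if __name__ == "__main__":
    # Payload a SOC tool would send to tag acme\alice for one hour and
    # clear the tag from acme\bob (placeholder usernames).
    xml = build_uid_message(register=[("acme\\alice", "anonymous", 3600)],
                            unregister=[("acme\\bob", "anonymous")])
    print(build_api_request("FIREWALL_HOST", "API_KEY_PLACEHOLDER", xml)[0])
    print(xml)
    # Local model of the resulting sneaky-users membership over time.
    store = UserTagStore()
    store.register("acme\\alice", "anonymous", now=1000, timeout_seconds=3600)
    store.register("acme\\bob", "anonymous", now=1000)
    print(dug_members(store, "anonymous", now=1500))   # both users
    print(dug_members(store, "anonymous", now=5000))   # alice's tag expired
```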
How GlobalProtect Internal And External Gateways Can Be
Used
You can establish two distinct gateways in a mixed GlobalProtect
configuration encompassing both internal and external gateways. These
gateways are designated for VPN access and access to critical internal
resources. This setup involves the GlobalProtect application conducting
internal host detection, discerning whether it resides on the internal or
external network.
EXAM TIP: An agentless User-ID approach can be employed in small to
medium-sized deployments with 10 or fewer domain controllers or Exchange
servers.
Configure WildFire
The WildFire Analysis sandbox identifies previously unidentified malware
and produces signatures that Palo Alto Networks firewalls can deploy to
detect and obstruct malware. When a Palo Alto Networks firewall is
configured to send files and URLs for WildFire analysis using a WildFire
Analysis Profile, it can automatically transmit the sample for assessment by
WildFire. The determination of whether the sample is benign, grayware,
phishing, or malicious is made by WildFire based on the attributes,
behaviors, and actions exhibited during the analysis and execution within the
WildFire sandbox.
Following the discovery of new malware, WildFire generates signatures to
identify it. These updated signatures are globally distributed every five
minutes. Firewalls lacking an active WildFire subscription license receive
the updates the next day. In contrast, firewalls with a WildFire license get
immediate access to the signatures within five minutes of their creation.
Consequently, all Palo Alto Networks firewalls worldwide can proactively
block malware detected by a single firewall by comparing incoming samples
against these signatures.
Submission Profile
A WildFire submissions log is an automatically generated, timestamped
document that serves as an audit trail for monitoring events when a Palo
Alto Networks network security platform forwards samples (comprising files
and email links) to the WildFire cloud for analysis, following the prescribed
WildFire Analysis profile configurations (found in Objects > Security
Profiles > WildFire Analysis). Once WildFire completes the static and
dynamic analysis of a sample, the firewall generates entries within the
WildFire Submissions log. These log entries encompass information about
the firewall's action concerning the sample, whether it allowed or blocked it,
the WildFire verdict assigned to the submitted sample, and the sample's
severity level.
Action Profile
The WildFire Action settings within the Antivirus profile can have an impact
on network traffic, especially when the traffic triggers a WildFire signature
that leads to a reset or drop action. It is essential to exercise caution when
dealing with internal traffic, such as software distribution applications used
to deploy custom-built programs. It is crucial to transition safely to best
practices, particularly in PAN-OS versions 9.1, 10.0, 10.1, and 10.2, because
WildFire might flag custom-built programs as malicious and subsequently
generate a signature for them. To verify whether any internal custom-built
programs trigger WildFire signatures, you can check the WildFire
Submissions within the Monitor > Logs section.
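As an added example (not from this guide or from Palo Alto Networks), the following Python runs the check just described over a few constructed WildFire Submissions log lines: it summarizes verdicts and pulls out malicious verdicts on samples that came from an internal software-distribution zone, the ones to review before the Antivirus profile's WildFire action is moved to reset or drop. The column layout, zone names, addresses and hashes are constructed placeholders, not the firewall's real export format.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample of WildFire Submissions log lines. This is not the
# firewall's real export layout (which has many more columns); zones, IPs
# and hashes are placeholders.
SAMPLE_SUBMISSIONS = """\
receive_time,src_zone,src_ip,file_name,file_type,verdict,action,sha256
2024-03-01 09:12:04,sw-distribution,10.10.5.20,deploytool.exe,pe,malicious,allow,PLACEHOLDER_HASH_A
2024-03-01 09:15:31,sw-distribution,10.10.5.20,deploytool.exe,pe,malicious,allow,PLACEHOLDER_HASH_A
2024-03-01 09:20:10,users,10.20.3.7,invoice.pdf,pdf,benign,allow,PLACEHOLDER_HASH_B
2024-03-01 09:41:55,users,10.20.3.9,offer.docx,ms-office,phishing,block,PLACEHOLDER_HASH_C
2024-03-01 10:02:13,untrust,203.0.113.8,setup.msi,msi,grayware,allow,PLACEHOLDER_HASH_D
"""

# Zones from which the organisation pushes its own custom-built programs.
INTERNAL_ZONES = {"sw-distribution"}


def parse_submissions(text):
    """Parse CSV-style submission lines into a list of dicts."""
    return list(csv.DictReader(StringIO(text)))


def verdict_summary(records):
    """Count samples per WildFire verdict (benign, grayware, phishing, malicious)."""
    return Counter(r["verdict"] for r in records)


def internal_malicious_hits(records, internal_zones=INTERNAL_ZONES):
    """Malicious verdicts on samples sourced from internal distribution zones.

    These are the custom-built programs to review (and, if legitimate, to
    deal with before the Antivirus profile's WildFire action is changed to
    reset or drop). Returns (sha256, file_name, submission_count), most
    frequently submitted first.
    """
    counts = Counter()
    names = {}
    for r in records:
        if r["src_zone"] in internal_zones and r["verdict"] == "malicious":
            counts[r["sha256"]] += 1
            names[r["sha256"]] = r["file_name"]
    return [(h, names[h], n) for h, n in counts.most_common()]


if __name__ == "__main__":
    recs = parse_submissions(SAMPLE_SUBMISSIONS)
    print(dict(verdict_summary(recs)))
    for sha, name, n in internal_malicious_hits(recs):
        print(f"review: {name} ({sha}) flagged malicious in {n} submissions")
```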
Submissions and Determinations
Upon conducting an analysis of an unidentified sample within one of the
WildFire public clouds operated by Palo Alto Networks or a privately hosted
WildFire cloud, a verdict is generated to classify samples as malicious,
unwanted (where grayware falls under the category of obtrusive but not
malicious), phishing, or benign. Table 8-01 provides a summary of the
WildFire determinations:
Table 8-01: WildFire Verdicts
Each of the distinct WildFire clouds – global (U.S.), regional, and private –
conducts sample analysis and produces WildFire verdicts autonomously,
without any interdependence on the other WildFire clouds. However,
excluding the WildFire private cloud verdicts, the WildFire determinations
are disseminated globally. This approach allows WildFire users to access a
comprehensive global repository of threat intelligence.
Signature Actions
WildFire has the capability to identify zero-day malware present in various
types of network traffic, including web traffic (HTTP/HTTPS), email
protocols (SMTP, IMAP, and POP), and FTP traffic. It promptly generates
signatures to recognize and guard against future infections arising from the
identified malware. This signature creation process is automated, founded on
the malware payload of the sample, and subject to rigorous testing to ensure
both accuracy and safety.
Each of the distinct WildFire clouds, encompassing the global, regional, and
private deployments, individually analyzes samples and creates malware
signatures without reliance on the other WildFire clouds. With the exception
of signatures generated in the WildFire private cloud, these malware
signatures are shared globally. This facilitates WildFire users worldwide to
benefit from comprehensive malware coverage, irrespective of where the
malware was initially detected. Given the rapid evolution of malware, the
signatures generated by WildFire are designed to address multiple variations
of the same malware.
For firewalls equipped with an active WildFire license, real-time retrieval of
the latest WildFire signatures is possible immediately upon their availability.
In the absence of a WildFire subscription, signatures are made accessible
within 24-48 hours, bundled as part of the antivirus update for firewalls
holding an active Threat Prevention license.
Once the firewall has downloaded and implemented the newly acquired
signature, it can effectively block files containing the malware or any of its
variants. However, it is important to note that malware signatures do not
extend to the detection of malicious and phishing links. To enforce measures
against these types of links, it is essential to possess a PAN-DB URL
Filtering license, which permits the blocking of user access to malicious and
phishing websites.
File Types and File Sizes
File Types
Table 8-02 outlines the supported file categories. The file types listed as
examples are commonly used formats and do not constitute an exhaustive
list. Note that this list evolves as the underlying technology accommodates
new file types; the examples give a sense of the range within each file
category.
Table 8-02: File Type Category
File Size
In PAN-OS 9.0, both the maximum and default sizes for files forwarded to
WildFire were raised, improving visibility and detection. These updated
defaults, backed by Palo Alto Networks' data analytics, protect against a
substantial portion of threats, so adopting the new default values is the
recommended best practice.
Table 8-03: File Size
Update Schedule
The Palo Alto Networks NGFW offers support for the instantaneous
retrieval of WildFire signatures. This capability allows you to access newly
generated signatures promptly, significantly reducing the time frame in
which malware could potentially penetrate a network. Signature downloads
conducted during a sample check are stored in the firewall's cache, ensuring
swift access for local lookups.
Furthermore, when real-time signatures are enabled, the firewall
automatically fetches an additional signature package on a routine basis,
enhancing the overall coverage. These downloaded signatures remain
accessible in the firewall's cache until they become outdated; at this point,
they are either refreshed or replaced by the arrival of new signature updates.
The determination of which protections are the most pertinent and timely is
made by Palo Alto Networks, and those are included in the signature
packages.
Forwarding of Decrypted Traffic
To let the firewall send decrypted SSL traffic for in-depth WildFire
analysis, the firewall must first decrypt the traffic and then evaluate it
against the Security policy rules. If the traffic matches a Security rule
with an attached WildFire Analysis profile, the decrypted content is
forwarded for analysis before the firewall re-encrypts it. Note that only a
superuser is authorized to enable this feature.
On a firewall without multiple virtual systems enabled, follow these steps:
1. If not already done, enable decryption on the firewall and enable
Forward Files for Advanced WildFire Analysis.
2. Go to Device > Setup > Content-ID, edit the Content-ID settings, and
enable Allow Forwarding of Decrypted Content.
3. Click OK to save the changes.
On a firewall with virtual systems enabled, the procedure is slightly
different:
1. If not already done, enable decryption and Forward Files for Advanced
WildFire Analysis.
2. Go to Device > Virtual Systems, select the virtual system you want to
modify, and enable Allow Forwarding of Decrypted Content.
Following these steps configures the firewall to forward decrypted SSL
traffic for Advanced WildFire analysis.
EXAM TIP: A WildFire submissions log is an automatically created
document with timestamps, functioning as an audit trail. It monitors events
when a Palo Alto Networks network security platform sends samples
(including files and email links) to the WildFire cloud for analysis. This
occurs based on the specified WildFire Analysis profile configurations
located in Objects > Security Profiles > WildFire Analysis.
Configure Web Proxy
If your network currently relies on a proxy device for security, you can
achieve comparable protection with the on-premises web proxy feature
introduced in PAN-OS 11.0. The web proxy adds options for migrating from an
existing web proxy infrastructure to a simpler, unified management console.
Combined with Prisma Access, the web proxy feature offers a seamless way to
migrate, implement, and manage Secure Web Gateway (SWG) configurations
through a simplified interface. During the shift from on-premises to the
cloud, the web proxy feature keeps security and operational efficiency
intact. Note that deploying the web proxy requires both a valid DNS Security
license and the explicit proxy license for Prisma Access.
The web proxy offers support for two methods of traffic routing:
● Explicit Proxy
● Transparent Proxy
This web proxy functionality is available on the following platforms:
● PA-1400
● PA-3400
● VM Series (with vCPUs)
● Panorama when using PAN-OS 11.0
Transparent Proxy
With the transparent proxy method, the request carries the web server's
destination IP address, and the client's browser is redirected to the proxy
without any client-side configuration. Panorama can optionally be used.
Transparent proxy deployment has certain prerequisites, including a
loopback interface, User-ID configuration within the proxy zone, and
specific Destination NAT (DNAT) rules. Note that the transparent proxy
method does not support X-Authenticated-User (XAU).
Explicit Proxy
Under the explicit proxy method, the request includes the destination IP
address of the designated proxy, and the client's browser sends requests
directly to that proxy.
EXAM TIP: The web proxy offers support for two methods of
traffic routing:
● Explicit Proxy
● Transparent Proxy
Mind Map
Figure 8-09: Mind Map
Practice Questions
1. What is the purpose of decryption policies on a Palo Alto Networks
firewall?
A. To manage firewall configuration settings.
B. To exempt specific applications from decryption.
C. To identify encrypted traffic and specify decryption actions.
D. To configure custom decryption certificates.
2. What is the main function of SSL Forward Proxy decryption on a Palo
Alto Networks firewall?
A. To manage encryption keys for SSL traffic.
B. To decrypt outbound SSH traffic.
C. To inspect unencrypted traffic for security purposes.
D. To act as a trusted intermediary for SSL communication.
3. What are the two categories of decryption exclusions?
A. Predefined and custom exclusions.
B. Incoming and outgoing exclusions.
C. SSL and SSH exclusions.
D. Trusted and untrusted exclusions.
4. In which type of interfaces can SSH decryption be carried out on a Palo
Alto Networks firewall?
A. Virtual wire, Layer 2, and Layer 3 interfaces.
B. SSL Forward Proxy interfaces.
C. Inbound and outbound interfaces.
D. Only on Layer 3 interfaces.
5. What is the purpose of User-ID agents in a Palo Alto Networks
environment?
A. To enforce security policies.
B. To establish VPN connections.
C. To monitor and transmit user-to-IP mappings.
D. To manage firewall connections.
6. In what scenarios is an agentless User-ID approach typically employed?
A. In large deployments with multiple domain controllers.
B. In small to medium-sized deployments with up to 255 domain
controllers.
C. In deployments using external security services.
D. In scenarios where encryption is not a concern.
7. What are the recommended best practices for group mapping in an
Active Directory environment with multiple domains or forests?
A. Use a single group mapping configuration for all domains.
B. Create a group mapping configuration for each domain or forest.
C. Ensure usernames are the same across separate forests.
D. Use a global catalog server for group mapping.
8. How do Dynamic User Groups (DUGs) differ from static user groups
in policy rules?
A. DUGs require manual policy adjustments.
B. DUGs use LDAP groups for membership.
C. DUGs automatically update based on tagged usernames.
D. DUGs are used only in authentication policies.
9. What is the purpose of User-ID methods?
A. To define the user's access to external services.
B. To identify the user associated with an IP address.
C. To enforce encryption for user traffic.
D. To manage firewall policies.
10. What is the primary purpose of WildFire Analysis in a Palo Alto
Networks firewall configuration?
A. To configure VPN settings.
B. To create WildFire signatures for known malware.
C. To transmit files and URLs for analysis.
D. To block malicious links in web traffic.
11. How frequently are the latest WildFire signatures made available for
Palo Alto Networks firewalls with an active WildFire license?
A. Every hour.
B. Every day.
C. Every five minutes.
D. Every month.
12. What is the purpose of the WildFire Submissions log?
A. To configure WildFire settings.
B. To log the creation of WildFire signatures.
C. To track the forwarding of samples for analysis.
D. To monitor firewall traffic.
13. How does WildFire determine the verdict for a submitted sample?
A. Verdicts are determined by the firewall.
B. Verdicts are determined by a global consensus.
C. Verdicts are determined by the submitter.
D. Verdicts are determined by WildFire based on analysis.
14. What is the impact of WildFire Action settings on network traffic?
A. They have no impact on network traffic.
B. They may reset or drop network traffic.
C. They increase network performance.
D. They enforce URL filtering policies.
15. Which license is required to deploy the web proxy feature in PAN-OS
11.0?
A. DNS Security license
B. Transparent Proxy license
C. Explicit Proxy license
D. Panorama license
Chapter 09: Deploy and Configure Firewalls Using
Panorama
Introduction
Deploying and configuring firewalls using Panorama is crucial to network
security management. Panorama is a centralized management platform that
enables you to manage multiple firewalls from a single interface efficiently. It
allows you to streamline policy creation, monitor network activities, and
ensure consistent security across your entire network.
This chapter will help you to understand:
● How to configure templates and template stacks
● How to configure device groups, including their hierarchies and the
layered approach they provide for managing firewalls
● The different use cases for pre-rules, post-rules, local rules, and
default rules
● Firewall configuration management within Panorama, including
licensing, commit and automatic recovery features, commit types and
schedules, managing dynamic updates, configuring log collectors, and
role-based access control
Panorama Overview and Architecture
The Panorama management server centrally manages and monitors multiple
Palo Alto Networks Next-Generation Firewalls, WildFire appliances, and
WildFire appliance clusters. It offers a central location from which you
can monitor every application, user, and piece of content moving across
your network, and you can use that visibility to build application
enablement policies that protect and control the network. Using Panorama
for centralized policy and firewall management increases the operational
efficiency of managing and maintaining a distributed network of firewalls.
Using Panorama for centralized management of WildFire appliances and
WildFire appliance clusters lets a single network support more firewalls,
because Panorama offers high availability for fault tolerance and
management efficiency.
Panorama lets you configure, monitor, and manage your Palo Alto Networks
firewalls efficiently from a central location. Panorama adds value in three
major areas:
● Centralized deployment and configuration: You can use Panorama to
pre-stage firewalls and WildFire appliances for deployment, optimizing
central management and rapid deployment of WildFire appliances and
firewalls on your network. The firewalls can then be assembled into
groups, templates can be created to apply a default network and device
configuration, and device groups can manage globally shared and local
policy rules.
● Aggregated logging with centralized control for analysis and
reporting: Panorama collects usage information across all managed
firewalls on the network and centrally analyzes, investigates, and reports
on it. Together with the comprehensive set of policies that securely
enable applications on your network, this gives you a better
understanding of network traffic, user activity, and the associated
risks, enabling you to respond to potential threats.
● Distributed administration: You can enable or restrict access to local
and global firewall configurations and policies.
Five Panorama models are available: the Panorama virtual appliance, the
M-600 appliance, the M-500 appliance, the M-200 appliance, and the M-100
appliance. PAN-OS 9.1 supports M-100 appliances only if their memory has
been upgraded from 16 GB to 32 GB. Figure 9-01, Panorama Centralized
Management, illustrates how Panorama can be configured to manage firewalls
in a High Availability (HA) configuration.
Figure 9-01: Panorama Centralized Management
Panorama Models
Panorama is offered as the following physical or virtual appliances; each
supports licenses for managing up to 25, 100, or 1,000 firewalls. Panorama
virtual appliances with comparable resources also support licenses for
managing up to 2,500 firewalls, and M-600 appliances support licenses for
managing up to 5,000 firewalls.
Panorama Virtual Appliance: For sites that require a virtual management
appliance, this model offers easy installation and simplifies server
consolidation. AWS GovCloud, Microsoft Azure, Google Cloud Platform
(GCP), KVM, Hyper-V, a VMware ESXi server, and VMware vCloud Air are
among the platforms on which Panorama can be installed.
The virtual appliance can manage Dedicated Log Collectors for higher
logging rates and can itself collect firewall logs locally at up to 20,000
logs per second. The virtual appliance can be a Dedicated Log Collector, a
Dedicated Management Server, or a Panorama management server with local
log collection. The following modes are available for virtual appliance
deployment:
Panorama Mode: In this mode the Panorama virtual appliance supports a
local Log Collector with 1 to 12 virtual logging disks. Each logging disk
has a 2 TB capacity, so a single virtual appliance can hold a maximum of
24 TB, and a high availability (HA) pair can hold 48 TB. Panorama mode is
the only mode in which you can add multiple virtual logging disks without
losing the logs on existing disks. Faster report generation is another
advantage of Panorama mode. The virtual appliance in Panorama mode does
not support NFS storage.
EXAM TIP: Deploy the virtual appliance in Panorama mode to
maximize log storage and report generation.
Legacy mode (ESXi and vCloud Air only): In this mode, the Panorama virtual
appliance receives and stores firewall logs. The virtual appliance in
Legacy mode has one disk partition, set up by default for all data, of
which 11 GB is allocated to log storage. On ESXi 5.5 and later, as well as
on vCloud Air, you can add one virtual disk of up to 8 TB if you need more
local log storage; earlier ESXi versions allow a single virtual disk of up
to 2 TB. Only on an ESXi server, not in vCloud Air, can you mount the
virtual appliance in Legacy mode to an NFS datastore if you need more than
8 TB of storage. After an upgrade to PAN-OS 9.1, this mode is available
only if your Panorama virtual appliance was already in Legacy mode. Once
you switch the virtual appliance to any other mode after upgrading to
PAN-OS 9.0 or a later release, Legacy mode is no longer available and you
cannot return to it.
EXAM TIP: Legacy mode is supported but not recommended in
production environments; it can still be utilized in lab or demonstration
environments.
Management-only mode: For your managed devices and Dedicated
Log Collectors in this mode, the Panorama virtual appliance serves as
a dedicated management appliance. Furthermore, a Panorama virtual
appliance with sufficient resources can control up to 2,500 firewalls in
this mode.
The Panorama virtual appliance in this mode can collect only configuration
and system logs; a Dedicated Log Collector must collect all other logs. All
logs forwarded to a Panorama virtual appliance in Management-only mode are
dropped, because the virtual appliance in this mode has only one disk
partition for all data by default. You must therefore configure log
forwarding to store the log data from your managed appliances.
Log Collector mode: The Panorama virtual appliance acts as a Dedicated Log
Collector. A Panorama virtual appliance in Log Collector mode offers
greater scale and performance when many firewalls forward large volumes of
log data.
In this mode the appliance has only a Command-Line Interface (CLI) and no
web interface for administrative access. You can, however, manage the
appliance through the Panorama management server's web interface. CLI
access to a Panorama virtual appliance in Log Collector mode is needed only
for initial setup and debugging.
M-Series appliance: The dedicated hardware appliances M-100, M-200, M-500,
and M-600 are designed for large-scale deployments. These appliances let
you scale up your log collection infrastructure in environments with high
logging rates (over 10,000 logs per second) and log retention requirements.
All M-Series models have the following attributes:
● RAID drives to store firewall logs, with RAID 1 mirroring to protect
against disk failures.
● SSD storage for the logs that Panorama and Log Collectors generate.
● MGT, Eth1, Eth2, and Eth3 interfaces that support 1 Gbps throughput.
● Redundant, hot-swappable power supplies (except on the M-100
appliance).
● Front-to-back airflow.
EXAM TIP: Only M-100 appliances upgraded from the factory
default 16GB memory to 32GB memory are supported in PAN-OS 9.0 and
later editions.
The M-600 and M-500 appliances have the following additional attribute
that makes them more suitable for data centers:
● Eth4 and Eth5 interfaces that support 10 Gbps throughput.
The M-600 appliance additionally has the following feature, which makes it
better suited to very large firewall deployments:
● The M-600 appliance can manage up to 5,000 firewalls while in
Management Only mode.
The following deployment modes are available for M-Series appliances:
● Panorama mode: The appliance acts as the Panorama management server,
managing firewalls and Dedicated Log Collectors, and also supports a
local Log Collector. Panorama mode is the default mode and is the mode
used to collect firewall logs.
● Management Only mode: The Panorama appliance serves as a dedicated
management appliance for your managed devices and Dedicated Log
Collectors. The only logs the Panorama appliance can collect in this mode
are configuration and system logs, so your deployment needs a Dedicated
Log Collector to store the other logs. All logs forwarded to a Panorama
appliance in Management Only mode are dropped because, by default, the
appliance in Management Only mode has only one disk partition for all
data. You must configure log forwarding to store the log data from your
managed appliances.
● Log Collector mode: The appliance acts as a Dedicated Log Collector.
An M-Series appliance in Log Collector mode offers greater scale and
performance when many firewalls forward large volumes of log data. In
this mode the appliance has only a CLI and no web interface for
administrative access; you can, however, manage it through the Panorama
management server's web interface. An M-Series appliance in Log Collector
mode does not require CLI access beyond initial setup and debugging.
Centralized Firewall Configuration and Update Management
Panorama groups firewalls into logical sets that require comparable
configuration using device groups and templates. Use device groups and
templates to centrally manage all configuration elements, policies, and
objects on the controlled firewalls. Additionally, Panorama enables you to
manage licensing, software (PAN-OS, SSL-VPN client,
GlobalProtect agent/app), and content updates (Applications, Threats,
WildFire, and Antivirus) from a single location. Each configuration object
must have a unique name for a device group, template, and template stack.
Context Switch—Firewall or Panorama
You can switch between a Panorama-centric view and a firewall-centric view
using the Context drop-down menu at the top-left of each tab in the
Panorama web interface. To administer firewalls centrally, set the context to
Panorama or change it to the web interface of a particular firewall to
configure it locally. Due to the similarities, you can easily switch between the
Panorama and firewall web interfaces to monitor and manage firewalls.
Only the firewalls connected to Panorama are listed in the Context drop-down
menu. The drop-down menu for a Device Group and Template administrator
only displays connected firewalls located in the Access Domains that the
administrator has been given access to. Use the Filters in the drop-down to
search the extensive list.
The icons for firewalls in a High Availability (HA) configuration have
colored backgrounds that show the HA state of the firewall. Knowing the HA
state is helpful when choosing a firewall context; for example, you will
usually want to modify the configuration on the active firewall.
● Green: Active.
● Yellow: The firewall is inactive or in the starting state, which can
last up to 60 seconds after booting.
● Red: In an active/active HA configuration, the firewall is tentative
(for a link or path monitoring event) or suspended (because an
administrator disabled it).
Panorama Configuration and Administration
Achieving a cohesive policy management framework and centralized
reporting system for all the firewalls across your network becomes possible
by deploying the Panorama management server. You can implement it as a
virtual appliance or select from the hardware appliance options, including the
M-100, M-200, M-500, or M-600.
Determine Panorama Log Storage Requirements
When planning your Panorama deployment, estimating the amount of log
storage capacity needed is essential. This estimation helps you decide which
Panorama models to deploy, whether to expand their default storage
capacities, deploy Dedicated Log Collectors, or configure log forwarding to
external destinations.
Panorama automatically deletes older logs to make room for new ones when
log storage reaches its maximum capacity.
Step 1: Consider Your Organization's Log Retention Needs
Start by assessing the log retention requirements within your organization.
● Factors Affecting Requirement: Various factors can influence these
requirements, including your organization's IT policies.
● Take Log Redundancy into Account: When you configure a Collector Group
and enable log redundancy, each log entry is stored twice. This
configuration effectively doubles the amount of log storage capacity you
need.
● Impact of Regulatory Compliance on Log Retention: Complying with
regulatory standards such as PCI DSS, the Sarbanes-Oxley Act, and HIPAA
can significantly affect your log retention requirements.
EXAM TIP: If your organization mandates the removal of logs after
a specific duration, ensure you establish expiration periods for each log
type.
To prioritize log retention by log type, consider setting storage quotas as
a percentage of the total available storage capacity. This lets you
allocate storage space according to your organization's needs.
Step 2: Determine Average Daily Logging Rates
To calculate the average daily logging rate, sample the rate several times
throughout the day, during both peak and non-peak periods. More frequent
sampling gives a more precise estimate.
A. Display the current log generation rate.
If Panorama is not yet collecting logs, access each firewall's CLI and
run the following command, which reports the number of logs received in
the last second; then sum the rates across all firewalls:
debug log-receiver statistics
If Panorama is already collecting logs, run the following command at the
CLI of each appliance that receives logs (the Panorama management server
or a Dedicated Log Collector). The output gives the average logging rate
for the last five minutes; sum the rates across all appliances:
debug log-collector log-collection-stats show incoming-logs
EXAM TIP: Alternatively, you can use an SNMP manager to determine logging
rates for Log Collectors and firewalls.
B. After collecting logging rates at various intervals, compute the
average rate as the mean of the sampled rates.
C. Find the daily logging rate by multiplying the average logs-per-second
rate by 86,400 (the number of seconds in a day). This gives an estimate
of your daily log generation.
Step 3: Estimate Required Storage Capacity
EXAM TIP: It is important to note that the formula used to estimate
storage capacity provides only a rough estimate. The required storage may
vary from the result obtained through the formula due to various factors.
Using the Formula for Log Storage Calculation:
You can use the following formula to estimate the log storage capacity
Panorama requires. The formula takes into account the log rate, the
retention period, and the average log size. A reasonable average log size
to use is 489 bytes.
[(<logs_per_second> x 86400) x <days_of_retention>] x <average_log_size>
÷ (1024 x 1024 x 1024)
Example Calculation:
For example, if you need to store logs for 30 days and your log rate is
1,500 Logs Per Second (LPS), the required storage capacity is
[(1500 x 86400) x 30] x 489 ÷ (1024 x 1024 x 1024) = 1770 GB.
The calculation above covers detailed logs only, which are allocated 60%
of the Log Collector's available storage. To find the total storage
requirement, divide the calculated value by 0.60; this accounts for the
entire storage used by the Log Collector.
Roughly one-third (approximately 33%) of the available disk space is
allocated to logd-formatted logs, which are needed for tasks such as
system upgrades, downgrades, and repairing database issues. Divide the
storage requirement by 0.66 to calculate the overall storage needed,
taking both detailed logs and logd-formatted logs into account.
Step 4: If you determine that Panorama requires more log storage capacity,
consider strategies to address the shortfall.
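As an added worked example (not from this guide and not Palo Alto Networks code), the following Python script carries Steps 1 through 4 above through in code: it averages constructed logs-per-second samples, converts them to a daily rate, applies the storage formula with the 489-byte average log size, and then applies the 0.60 and 0.66 divisors in sequence, which is how the text describes the two adjustments. The sampled rates are made-up values standing in for readings taken from the debug log-receiver statistics output; the redundancy flag models the doubling described in Step 1, and the 24 TB figure used for the Step 4 comparison is the Panorama-mode maximum from the virtual appliance section, converted assuming 1 TB = 1024 GB.

```python
"""Panorama log-storage estimate: Steps 1 to 4 of the procedure above, in code."""
from statistics import mean

SECONDS_PER_DAY = 86_400
GIB = 1024 * 1024 * 1024           # the formula's (1024 x 1024 x 1024) divisor
AVG_LOG_BYTES = 489                # average log size suggested by the guide
DETAILED_LOG_SHARE = 0.60          # detailed logs get 60% of Log Collector storage
NON_LOGD_SHARE = 0.66              # about 33% of disk goes to logd-formatted logs

# Constructed sample: logs-per-second readings taken at different times of the
# day (peak and off-peak). Illustrative values, not real measurements.
SAMPLED_LPS = [900, 1400, 2100, 1900, 1200, 1500]


def average_lps(samples):
    """Step 2B: the mean of the sampled logs-per-second rates."""
    if not samples:
        raise ValueError("at least one rate sample is required")
    return mean(samples)


def daily_logs(lps):
    """Step 2C: logs per day = logs per second x 86,400."""
    return lps * SECONDS_PER_DAY


def detailed_log_gb(lps, days_of_retention, avg_log_bytes=AVG_LOG_BYTES,
                    redundancy=False):
    """Step 3 formula: [(lps x 86400) x days] x avg_log_size / 1024^3.

    With redundancy=True the result is doubled: a Collector Group with log
    redundancy enabled keeps two copies of every log entry (Step 1).
    """
    gb = daily_logs(lps) * days_of_retention * avg_log_bytes / GIB
    return gb * 2 if redundancy else gb


def total_storage_gb(detailed_gb):
    """Detailed logs are 60% of the Log Collector's storage: divide by 0.60."""
    return detailed_gb / DETAILED_LOG_SHARE


def overall_storage_gb(detailed_gb):
    """Add the logd-formatted logs on top: divide the total by 0.66."""
    return total_storage_gb(detailed_gb) / NON_LOGD_SHARE


def estimate(samples, days_of_retention, redundancy=False):
    """Run the whole procedure and return each intermediate figure (GB)."""
    lps = average_lps(samples)
    detailed = detailed_log_gb(lps, days_of_retention, redundancy=redundancy)
    return {
        "average_lps": lps,
        "logs_per_day": daily_logs(lps),
        "detailed_gb": detailed,
        "total_gb": total_storage_gb(detailed),
        "overall_gb": overall_storage_gb(detailed),
    }


def storage_shortfall_gb(required_gb, available_gb):
    """Step 4: extra capacity needed, or 0.0 if the platform already fits."""
    return max(0.0, required_gb - available_gb)


if __name__ == "__main__":
    # The constructed samples average 1,500 LPS, which reproduces the guide's
    # 30-day example (about 1770 GB of detailed logs).
    result = estimate(SAMPLED_LPS, days_of_retention=30)
    for name, value in result.items():
        print(f"{name:>14}: {value:,.2f}")
    # Hypothetical comparison against a 24 TB Panorama-mode virtual appliance
    # (12 x 2 TB logging disks), assuming 1 TB = 1024 GB.
    print("  shortfall_gb:", storage_shortfall_gb(result["overall_gb"], 24 * 1024))
```

Running the script prints the detailed, total, and overall figures for the 1,500 LPS / 30-day case (about 1770 GB, 2951 GB, and 4471 GB respectively), so the chained divisors make clear how much larger the overall requirement is than the headline formula result.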
Manage Large-Scale Firewall Deployments
Panorama offers several options for efficiently managing extensive firewall
deployments. It allows you to consolidate all management functions,
supporting the management of up to 5,000 firewalls using an M-600
appliance in Management Only mode. Alternatively, you can manage up to
2,500 firewalls with a Panorama virtual appliance in Management Only
mode. Panorama introduces the Panorama Interconnect plugin to simplify the
deployment and operational management of even larger firewall deployments
exceeding 5,000 firewalls. This plugin lets you oversee multiple Panorama
management server nodes from a single Panorama Controller, streamlining
management.
Set Up the Panorama Virtual Appliance
The Panorama virtual appliance lets you use your existing VMware virtual
infrastructure to centrally manage and monitor Palo Alto Networks firewalls
and Dedicated Log Collectors. You can deploy this virtual appliance on
various platforms, including ESXi servers, Amazon Web Services (AWS), AWS
GovCloud, Microsoft Azure, Google Cloud Platform (GCP), KVM, Hyper-V, and
vCloud Air. Instead of using Dedicated Log Collectors, you can also forward
firewall logs directly to the Panorama virtual appliance, and you can
switch the virtual appliance from Legacy mode to Panorama mode and set up a
local Log Collector to increase log storage capacity and speed up reporting.
Setup Prerequisites for the Panorama Virtual Appliance
Before proceeding with the installation of the Panorama Virtual Appliance,
ensure the following tasks are completed:
Access the Palo Alto Networks Customer Support website using your web
browser and complete the registration process for Panorama. You will
need the Panorama serial number from your order fulfillment email.
Registration will grant you access to the Panorama software downloads
page.
Review the list of supported Panorama hypervisors to confirm that your
chosen hypervisor meets the minimum version requirements for
deploying Panorama.
If you plan to install Panorama on a VMware ESXi server, ensure your
server complies with the minimum requirements. These requirements are
in the System Requirements section for the Panorama Virtual Appliance.
Please note that the requirements differ based on whether you intend to
run the virtual appliance in Panorama or Management Only mode.
EXAM TIP: For installations on VMware vCloud Air, system
settings can be configured during the installation process.
Review the minimum resource requirements for deploying the Panorama
virtual appliance on various platforms, including Amazon Web Services
(AWS), AWS GovCloud, Microsoft Azure, Google Cloud Platform (GCP),
Hyper-V, KVM, and VMware ESXi. These requirements ensure that the
virtual machine possesses the minimum necessary resources for the desired
mode, whether Panorama, Management Only, or Log Collector. The
minimum resource specifications are designed to optimize log collection
performance in Panorama and Log Collector modes. It is crucial to avoid
configurations that exceed the recommended number of virtual logging disks,
which could lead to reduced logs per second (LPS) capacity.
If the minimum resource requirements for Panorama mode are not met during
the installation of the Panorama Virtual Appliance, Panorama will
automatically switch to Management Only mode. This applies to all supported
hypervisors, both public (AWS, AWS GovCloud, Azure, and GCP) and private
(Hyper-V, KVM, and VMware ESXi). In cases where the minimum resource
requirements for Management Only mode are not met, Panorama defaults to
Maintenance mode. This applies to the supported public hypervisors, Hyper-V,
and KVM. Specifically for VMware installations, Panorama defaults to Legacy
mode if the minimum resource requirements for Management Only mode are
not satisfied.
EXAM TIP: It is highly recommended to deploy the Panorama
management server in Panorama mode, as it provides device management
and log collection capabilities. Legacy mode is still supported but not
advised for use in production environments. Furthermore, it is important to
note that switching Panorama to Legacy mode is no longer an option.
Install the Panorama Virtual Appliance
Before proceeding with the installation, deciding on the virtual appliance's
operational mode is essential. You can choose between Panorama mode,
Management Only mode, Log Collector mode, or Legacy mode (specific to
VMware). Each mode has specific resource requirements, detailed in the
Setup Prerequisites for the Panorama Virtual Appliance documentation. It is
important to ensure that you fulfill these prerequisites before installation.
EXAM TIP: As a recommended best practice, consider installing
the virtual appliance in Panorama mode. This choice optimizes log storage
and report generation capabilities.
Install Panorama on VMware
You can deploy the Panorama virtual appliance on ESXi and vCloud Air
VMware platforms.
Install Panorama on an ESXi Server
Step 1: Acquire the Panorama 9.1 base image Open Virtual Appliance (OVA)
file.
Log in to the Palo Alto Networks Support Portal
Go to Updates > Software Updates and filter the results to find the
Panorama Base Images. Download the OVA file (Panorama-ESX-9.1.0.ova).
Step 2: Install Panorama.
To initiate the installation of a new Panorama virtual appliance on a VMware
ESXi server, follow these steps:
Launch the VMware vSphere Client and establish a connection to your
VMware server.
Navigate to File > Deploy OVF Template.
Browse to the Panorama OVA file you downloaded and proceed by
clicking Next.
Confirm that the product name and description match your downloaded
version, then click Next.
Assign a descriptive name to the Panorama virtual appliance and click
Next.
Select an appropriate datastore location (system disk) for the Panorama
image. Refer to the Setup Prerequisites for the Panorama Virtual
Appliance to ensure the selected system disk size is supported. Once
chosen, click Next.
Opt for the Thick Provision Lazy Zeroed disk format and click Next.
Specify which networks in your inventory to use for the Panorama
virtual appliance and proceed by clicking Next.
Confirm the selected options, click Finish to commence the installation
process, and once it is completed, click Close. It is important not to
power on the Panorama virtual appliance at this stage.
Step 3: Configuring the necessary resources for your Panorama virtual
appliance.
A. Begin by right-clicking the Panorama virtual appliance and selecting Edit
Settings.
B. In the Hardware settings, assign the necessary CPUs and memory
resources based on your requirements. The virtual appliance will boot in
Panorama mode if sufficient CPUs, memory, and a virtual logging disk
(added later) are allocated. Otherwise, it will boot in Management Only
mode.
C. Set the SCSI Controller to LSI Logic Parallel.
D. Add a Virtual Logging Disk (Optional).
Note: This step is essential in specific situations, including:
In Panorama mode, create a dedicated logging disk.
When managing your SD-WAN deployment in Management Only mode.
1. To add a virtual logging disk, select Hard Disk as the hardware type
and click Next.
2. Click Next to continue and create a new virtual disk.
3. Enter exactly 2TB as the Disk Size.
Note: In Panorama mode, you can add up to 12 logging disks, each with
2TB of storage. Expanding the size of an already-added logging disk in
Panorama is not supported.
4. Choose your preferred Disk Provisioning format, considering your
business needs.
5. Specify a datastore or datastore structure as the location, browse to a
datastore with sufficient storage, click OK, and continue by clicking
Next.
6. Select a SCSI Virtual Device Node (default selection is acceptable)
and click Next. It is important to note that selecting a format other than
SCSI will result in a boot failure for Panorama.
7. Verify that all settings are accurate and complete the process by
clicking Finish.
E. Save your changes by clicking OK.
Step 4: Power On the Panorama Virtual Appliance:
A. Initiate the startup of the Panorama virtual appliance by right-clicking on it
in the vSphere Client and selecting Power > Power On. Wait until
Panorama has fully booted up before proceeding.
B. Verify the Operating Mode. Ensure that the virtual appliance is operating
in the correct mode:
Right-click the Panorama virtual appliance and choose Open Console.
Log in using your username and password (the default is "admin" for
both).
Step 5: Set a new administrative password for the Panorama virtual
appliance. It is a crucial step before accessing the web interface or the CLI of
the Panorama virtual appliance. The new password should meet specific
criteria. It should contain at least eight characters, one lowercase character,
one uppercase character, and one number or special character.
When initially accessing the Panorama CLI, you will be prompted to enter the
Old Password and then the New Password for the admin user before
proceeding.
Step 6: To verify the operating mode, execute the show system info
command in the Panorama CLI. The output will indicate whether the system
mode is panorama or management-only.
admin> show system info
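A quick way to confirm the mode from a script rather than by eye, as an added example that is not part of the study guide: the function below parses the key: value lines that the Panorama CLI prints for show system info and checks that the appliance booted in the mode you intended. The sample output is constructed and abbreviated; a real appliance prints many more keys.

```python
"""Verify the Panorama operating mode from `show system info` output."""
from typing import Dict

# Constructed sample output (abbreviated). The values are placeholders.
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: Panorama
ip-address: 192.0.2.10
netmask: 255.255.255.0
default-gateway: 192.0.2.1
mac-address: 00:00:5e:00:53:01
serial: 000000000000
sw-version: 9.1.0
system-mode: management-only
"""


def parse_system_info(output: str) -> Dict[str, str]:
    """Turn `key: value` lines into a dict.

    Splits on the first colon only, so values that themselves contain
    colons (MAC addresses, timestamps) survive intact. Blank or
    malformed lines are skipped.
    """
    info: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")
        info[key.strip()] = value.strip()
    return info


def check_mode(output: str, expected_mode: str) -> str:
    """Return 'ok' when system-mode matches, else a message describing the gap.

    A silent fallback from panorama to management-only is the case the
    guide warns about, so that mismatch carries a hint about its usual cause.
    """
    info = parse_system_info(output)
    actual = info.get("system-mode")
    if actual is None:
        return "system-mode not found in output"
    if actual == expected_mode:
        return "ok"
    hint = ""
    if expected_mode == "panorama" and actual == "management-only":
        hint = " (check CPU/memory allocation and that a 2TB virtual logging disk is attached)"
    return f"expected {expected_mode}, got {actual}{hint}"


if __name__ == "__main__":
    print(check_mode(SAMPLE_SHOW_SYSTEM_INFO, "panorama"))
```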
Step 7: Register and License the Panorama Virtual Appliance:
A. Generate Serial Number (VM Flex Licensing):
A unique Panorama virtual appliance serial number must be created if you
use VM Flex licensing to register the appliance through the Palo Alto
Networks CSP (Customer Support Portal).
B. Register Panorama:
Regardless of the licensing method, you must register the Panorama
virtual appliance using the serial number provided by Palo Alto
Networks in your order fulfillment email. However, this step is
automated when using VM Flex licensing, and manual registration is
not required.
C. Activate Firewall Management License:
Activate or retrieve the Firewall Management License based on whether
the Panorama Virtual Appliance is connected to the Internet.
D. Activate Panorama Support License:
Activate the Panorama Support License as needed.
Step 8: Adjust System Disk Size for Panorama (ESXi Server).
Step 9: For Panorama in Log Collector Mode:
If you intend to use Panorama as a Log Collector, add a virtual disk before
switching to Log Collector mode. It is essential for log storage.
For Panorama in Panorama Mode:
1. Similar to Log Collector mode, add at least one virtual logging disk
before switching when using Panorama in Panorama mode.
For Panorama in Management Only Mode:
1. When deploying Panorama in Management Only mode, set up a virtual
appliance and configure a Managed Collector to include a Dedicated
Log Collector for storing managed device logs.
2. Management Only mode does not support local log collection.
For SD-WAN Deployments:
1. Increase System Disk for Panorama (ESXi Server)
To utilize SD-WAN with Panorama on ESXi, expand the system disk to
224GB.
EXAM TIP: Please note that you cannot revert to an 81GB system
disk after increasing it to 224GB.
2. Set Up Panorama in Management Only Mode for SD-WAN.
3. Configure a Management Only Mode Panorama Virtual Appliance and
add a 2TB logging disk to support SD-WAN deployments.
Install Panorama on vCloud Air
Follow these procedures to install a new Panorama virtual appliance in
VMware vCloud Air. Install Content and Software Updates for Panorama
should be skipped if you update a virtual appliance for Panorama deployed in
vCloud Air.
Step 1: Download the Open Virtual Appliance (OVA) file for the Panorama
9.1 base image.
A. View the Palo Alto Networks site for software downloads. (If you are
having trouble logging in, seek help at the Palo Alto Networks
Customer Support website.)
B. Download the Panorama 8.1 release OVA file (Panorama-ESX-9.1.0.ova)
from the Download column of the Panorama Base Images
field.
Step 2: Add the Panorama image to the vCloud Air catalog.
A. Install the OVF Tool on your client machine.
B. Open the CLI for the client system.
C. Navigate to the OVF Tool directory in C:\Program Files\VMware OVF
Tool.
D. Create an OVF package from the OVA file:
ovftool.exe <OVA-file-pathname> <OVF-file-pathname>
E. Access the vCloud Air web console through a browser, choose the
Virtual Private Cloud OnDemand location, and record the browser
URL. To complete the following step, you will need the URL details.
F. Use the vCloud Air URL data to fill in the variables when importing
the OVF package. The other variables are the virtual data center, a vCloud
Air template, and your vCloud Air username and domain.
Step 3: Now Install Panorama.
A. Select your Virtual Private Cloud OnDemand region by logging into the
vCloud Air web console.
B. Make a virtual machine for Panorama. Refer to the instructions in the
vCloud Air Documentation Center's Add a Virtual Machine from a
Template. Configure the CPU, memory, and storage as described
below:
Configure the CPU and memory according to the virtual appliance mode
you intend to run.
Set the Storage so that the system disk of the Panorama virtual appliance
is configured. The allowed disk sizes based on the Panorama virtual
appliance mode are listed in Setup Prerequisites for the Panorama Virtual
Appliance. Choose the SSD-Accelerated option for improved logging and
reporting performance.
You must add a virtual disk to Panorama on vCloud Air to boost the log
storage capacity.
You must add a virtual logging disk because, in Panorama mode, the
virtual appliance does not use the system disk to store logs.
Step 4: To enable inbound and outbound traffic for the Panorama virtual
appliance, create vCloud Air NAT rules on the gateway.
A. Include a NAT rule that permits administrators to access Panorama and
permits traffic from the firewalls to reach Panorama.
B. Include a NAT rule that enables Panorama to connect to the firewalls
and download updates from the Palo Alto Networks update server.
Step 5: To enable inbound traffic on the Panorama virtual appliance, create a
vCloud Air firewall rule. By default, outbound traffic is permitted.
Step 6: If the Panorama virtual appliance is not already on, turn it on.
Choose the Virtual Machines tab, pick the Panorama virtual machine,
and then click Power On on the vCloud Air web console.
The Panorama Virtual Appliance supports VMware Tools
The Panorama virtual appliance's software image (OVF) includes VMware
Tools. The vSphere environments, including vCloud Director and vCenter
server, can be used for the following due to the support for VMware Tools:
View the IP address for the management interface for Panorama.
View hard disk, memory, and CPU resource usage metrics. You can use
these metrics on the vCenter server or vCloud Director to enable alarms
or actions.
Shut down and restart Panorama using the vCenter server's or vCloud
Director's power-off feature.
Enable a heartbeat mechanism between the vCenter server and Panorama
so that it can be checked to see if both are operating normally or if
Panorama is rebooting. Heartbeats are suppressed if the firewall enters
maintenance mode to prevent the vCenter server from shutting down the
firewall. When the firewall cannot communicate heartbeats to the vCenter
server, disabling heartbeats enables the firewall to continue operating in
maintenance mode.
Install Panorama on AWS
On Amazon Web Services (AWS), you may set up Panorama and a Dedicated
Log Collector. The Panorama deployment on AWS operates under the Bring
Your Own License (BYOL) model, supporting all deployment modes
(Panorama, Log Collector, and Management Only). It mirrors the same
processes and capabilities found in the M-Series hardware appliances.
Here are the steps to set up the deployment:
Step 1: Access the AWS Web Service console and navigate to the EC2
Dashboard.
Step 2: Establish a Virtual Private Cloud (VPC) tailored to meet your
network requirements. Whether you launch the Panorama virtual appliance
within an existing VPC or create a new one, it is important that the Panorama
virtual appliance can receive traffic from other instances within the VPC and
facilitate inbound and outbound communication with the Internet as needed.
A. You can either create a new VPC or utilize an existing one, as outlined in
the AWS Getting Started documentation.
B. Ensure that network and security components are configured correctly.
Key tasks include:
Creating an Internet gateway to grant Internet access to the subnet where
your Panorama virtual appliance resides. Internet access is crucial for
software and content updates, license activation, and utilizing Palo Alto
Networks cloud services. Alternatively, you can perform updates and
license activation manually.
Establishing subnets, which are segmented IP address ranges assigned to the
VPC for launching AWS instances. It is advisable to place the Panorama
virtual appliance in the management subnet, allowing you to configure
Internet access if necessary.
Adding routes to the route table for a private subnet to ensure proper
traffic routing within the VPC and, when applicable, to and from the
Internet.
Defining routes between subnets to facilitate communication between
Panorama, managed firewalls, and Log Collectors.
Implementing inbound security rules to allow specific types of traffic for
VPC management. The specifics of these rules will depend on your
deployment's topology. Common rules include permitting SSH (port 22)
traffic for Panorama CLI access, HTTPS (port 443) traffic for Panorama
web interface access, port 3978 for communication between Panorama,
managed firewalls, and managed Log Collectors, and port 28443 to
enable managed firewalls to receive software and content updates from
Panorama.
Step 3: To deploy Panorama on Amazon Web Services (AWS), follow these
steps:
A. Go to the EC2 Dashboard in the AWS Web Service console and select
Launch Instance.
B. Under AWS Marketplace, search for Palo Alto Networks Panorama,
select the Panorama AMI, and click Continue.
C. Choose the appropriate EC2 instance type to allocate the resources for the
Panorama virtual appliance, then click Next: Configure Instance Details.
EXAM TIP: Review the resource requirements in the Setup
Prerequisites for the Panorama Virtual Appliance, especially if you plan
to use it as a Dedicated Log Collector. Note that resizing the virtual
machine after deployment may cause it to exit Log Collector mode and
lose log data.
D. Configure the instance details:
1. Choose Next and configure Instance Details.
2. Select the VPC for networking.
3. Choose the subnet.
4. If needed, select Enable for Auto-assign Public IP. It is essential to
ensure the Panorama management interface is accessible by the
firewalls you intend to manage.
5. Configure any additional instance details as required.
E. (Optional) Configure storage for the Panorama virtual appliance:
1. Click Next and Add Storage.
2. To add additional log storage, select Add New Volume.
If you plan to manage your SD-WAN deployment in Management Only
mode, add a 2TB logging disk.
If you intend to use Panorama in Panorama mode or as a Dedicated Log
Collector, adding the virtual logging disks during the initial deployment
is advisable. Panorama will be in Panorama mode if you meet the
resource requirements and have added at least one virtual logging disk;
otherwise, it defaults to Management Only mode.
F. (Optional) Add tags to help identify and group the Panorama virtual
appliance.
G. Configure the instance's security group:
1. Click Next and configure Security Group.
2. Choose an existing security group or use the default one to allow all
inbound and outbound traffic types.
H. Review your selections and verify their accuracy before clicking Launch.
I. Select an existing key pair or create a new one and acknowledge the
disclaimer.
Note: If you create a new key pair, download and save the .pem file
securely, as it cannot be regenerated. If you connect with PuTTY, use
PuTTYgen to convert it to .ppk format.
The deployment process may take approximately 30 minutes, and the
duration could vary based on the number and size of attached disks. You can
monitor the progress by viewing the Launch Time in the AWS EC2
Dashboard.
Note: If you intend to utilize the Panorama virtual appliance as a Dedicated
Log Collector, make sure to allocate the necessary resources to the
appliance from the outset. Resizing the virtual machine after deployment
causes the Panorama virtual appliance to exit Log Collector mode, leading
to a loss of log data.
Step 4: To shut down the Panorama virtual appliance:
Select Instances from the EC2 Dashboard.
Choose the Panorama virtual appliance, click Actions, go to Instance
State, and select Stop.
Step 5: Create or assign an Elastic IP (EIP) address to the management
interface of the Panorama virtual appliance; follow these steps:
A. Go to Services > EC2 > Elastic IPs and choose Allocate Elastic IP
address.
B. Select a Network Border Group to specify the logical group of zones
from where the public IPv4 address is advertised.
C. For the Public IPv4 address pool, choose Amazon's pool of IPv4
addresses.
D. Allocate the EIP.
E. Click on the allocated IPv4 address in the Allocated IPv4 address
column, then select Associate Elastic IP address.
F. Choose the Panorama virtual appliance instance.
G. Select the Panorama virtual appliance Private IP address to associate
with the EIP.
Step 6: Turn on the virtual appliance for Panorama.
A. On the EC2 Dashboard, go to Instances.
B. Select the Panorama virtual appliance from the list of instances, click
Actions, then go to Instance State and select Start.
Step 7: Configure a new administrative password for the Panorama virtual
appliance. This password is required to access the web interface of the
Panorama virtual appliance. To access the CLI, you will need the private key
from the key pair you selected when launching the Panorama virtual appliance.
The new password must meet the following criteria: it should be at least eight
characters long and include at least one lowercase character, one uppercase
character, and one number or special character.
A. If you have an SSH service installed on your computer, you can log into
the Panorama virtual appliance using the following command:
ssh -i <private_key.pem> admin@<public-ip_address>
B. Configure a new password using the provided commands and follow
the on-screen prompts:
admin> configure
admin# set mgt-config users admin password
C. Use the following command to establish the DNS server IP address if
you need to activate a BYOL (Bring Your Own License) and gain
access to the Palo Alto Networks licensing server:
admin# set deviceconfig system dns-setting servers primary <ip_address>
D. Commit your changes with the command:
admin# commit
E. Terminate the SSH session.
If you are using PuTTY to SSH into the Panorama virtual appliance, follow
these steps:
A. If you use an existing key pair and have the .ppk file available, continue
to the next step. Open PuTTYgen and load the .pem file if you made a
new key pair or have the .pem file for an existing one.
B. Save the private key to a local accessible destination.
C. Open PuTTY, select SSH under Auth and then browse to the .ppk file
you saved in the previous step.
D. Select Sessions, enter the public IP address of the Panorama virtual
appliance, click Open, and click Yes when the security prompt appears.
E. Log in as admin when prompted.
F. Configure a new password using the provided commands and follow
the on-screen prompts:
admin> configure
admin# set mgt-config users admin password
G. Set the DNS server IP address for access to the Palo Alto Networks
licensing server using the following command:
admin# set deviceconfig system dns-setting servers primary <ip_address>
H. Commit your changes with the command:
admin# commit
I. Terminate the SSH session.
Step 8: Register the Panorama virtual appliance and activate the device
management license and support licenses; follow these steps:
A. (For VM Flex Licensing Only) Provision the Panorama Virtual Appliance
Serial Number:
When using VM Flex licensing, generate the Panorama virtual
appliance serial number required for registration with the Palo Alto
Networks Customer Support Portal (CSP).
B. Register Panorama:
Palo Alto Networks' serial number, included in the order fulfillment
email, can be used to register the Panorama virtual appliance.
This step is unnecessary when using VM Flex licensing since the serial
number is automatically registered with the CSP upon generation.
C. Activate the Firewall Management License:
Activate or retrieve a Firewall Management License based on the
Panorama Virtual Appliance's Internet connectivity.
If connected to the Internet, activate/retrieve the license accordingly.
Follow the appropriate activation/retrieval process if not connected to
the Internet.
D. Activate a Panorama Support License.
Step 9: Complete the Panorama virtual appliance configuration as per your
deployment requirements.
For Panorama operating in Log Collector Mode:
A. Add a Virtual Disk to Panorama on AWS as necessary:
Ensure at least one virtual logging disk is added before transitioning the
Panorama virtual appliance to Log Collector mode.
B. Start at Step 6 to initiate the switch to Log Collector mode.
EXAM TIP: Provide the Public IP address of the Dedicated Log
Collector when adding it as a managed collector to the Panorama
management server. Note that specifying the IP Address, Netmask, or
Gateway is not required.
For Panorama operating in Panorama Mode:
1. A virtual disk can be added to Panorama on AWS.
Include at least one virtual logging disk before converting the
Panorama virtual appliance to Panorama mode.
2. Configure a virtual appliance for Panorama in Panorama Mode.
3. Configure the Panorama appliance for Panorama mode.
4. Configure a Managed Collector.
For Panorama operating in Management Only mode:
1. Configure the Panorama virtual appliance for Management Only mode.
2. Management Only mode does not support local log collection and
requires a Dedicated Log Collector to store managed device logs.
Install Panorama on AWS GovCloud
You can now deploy Panorama and a Dedicated Log Collector within the
Amazon Web Services (AWS) GovCloud environment. AWS GovCloud is a
dedicated AWS region designed to meet the regulatory and compliance
standards required by US government agencies and customers. When
deploying Panorama on AWS GovCloud, it operates under the Bring Your
Own License (BYOL) model and supports all deployment modes, including
Panorama, Log Collector, and Management Only.
The Panorama virtual appliance in AWS GovCloud offers the same robust
security features as the standard AWS public cloud. It is well-suited for
securing workloads involving Controlled Unclassified Information (CUI) and
government-focused, publicly accessible data. The Panorama virtual
appliance in AWS GovCloud and the standard AWS public cloud provide
identical features and capabilities.
Before proceeding, ensure you meet the prerequisites outlined in the Setup
Prerequisites for the Panorama Virtual Appliance document. Once you are
prepared, follow the Install Panorama on AWS guide instructions to deploy
the Panorama virtual appliance in the AWS GovCloud region.
Install Panorama on Azure
You can set up Panorama and a Dedicated Log Collector on Microsoft Azure.
When deploying Panorama on Azure, it follows the Bring Your Own License
(BYOL) model, supports all deployment modes (Panorama, Log Collector,
and Management Only), and shares the same processes and features as the M-
Series hardware appliances.
Here are the steps to deploy Panorama on Azure:
Step 1: Log in to the Microsoft Azure portal.
Step 2: Configure the virtual network according to your network
requirements. Whether you choose to deploy the Panorama virtual appliance
within an existing virtual network or create a new one, it is essential that the
Panorama appliance can both receive traffic from other instances in the
virtual network and perform inbound and outbound communication with the
virtual network and the internet when necessary.
A. Create a Virtual Network or use an existing one.
B. Ensure that network and security components are appropriately defined.
If you intend to allow outbound Internet access only for the subnet to
which the Panorama virtual appliance belongs, create a NAT gateway.
Set up subnet segments of the IP address range assigned to the Virtual
Network (VNet). Placing the Panorama virtual appliance in the
management subnet is recommended, allowing you to configure
Internet access if needed.
Add routes to the route table for private subnets to ensure traffic can be
routed across subnets within the VNet and to and from the Internet as
necessary.
Create routes between subnets to enable communication between:
Panorama, managed firewalls, and Log Collectors.
Optionally, Panorama and the Internet.
Make sure to allow the following ingress security rules within the
VNet to manage VNet traffic, with each rule's ingress traffic source
tailored to your specific deployment:
Allow SSH (port 22) traffic for Panorama CLI access.
Allow HTTPS (port 443) traffic for Panorama web interface access.
Allow traffic on port 3978 to facilitate communication between
Panorama, managed firewalls, and managed Log Collectors. Log
Collectors also use the port to forward logs to Panorama.
Allow traffic on port 28443 to enable managed firewalls to receive
software and content updates from Panorama.
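The AWS and Azure steps above list the same four inbound ports, and the AWS step notes that the default security group opens all traffic. The following is an added example, not from the study guide or from Palo Alto Networks, that audits a rule set against those ports: it takes rules in the shape of EC2 security-group IpPermissions entries (an Azure NSG carries the same information under different field names), flags anything open to 0.0.0.0/0 or to a source outside the expected administrator and firewall ranges, and reports required ports that are missing. The CIDRs and role names are constructed for the example.

```python
"""Audit inbound rules for a Panorama virtual appliance against the guide's ports."""
from typing import Dict, List

# Port -> who should be allowed to reach it. Role names are this example's own.
REQUIRED_PORTS = {
    22: "admin",       # Panorama CLI access
    443: "admin",      # Panorama web interface
    3978: "managed",   # Panorama <-> managed firewalls and Log Collectors
    28443: "managed",  # managed firewalls pulling software/content updates
}


def audit_ingress(permissions: List[Dict], allowed: Dict[str, List[str]]) -> List[str]:
    """Return findings for an inbound rule set; an empty list means it is acceptable.

    permissions: EC2-style IpPermissions entries (IpProtocol, FromPort, ToPort,
                 IpRanges=[{"CidrIp": ...}]). IpProtocol "-1" means all traffic.
    allowed:     role -> list of CIDRs that may reach that role's ports.
    Non-TCP rules are ignored here because all four Panorama ports are TCP.
    """
    findings: List[str] = []
    seen = set()
    for perm in permissions:
        proto = perm.get("IpProtocol")
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        if proto == "-1":
            findings.append(f"rule allows all protocols and ports from {sources}")
            continue
        if proto != "tcp":
            continue
        lo, hi = perm["FromPort"], perm["ToPort"]
        if lo != hi:
            findings.append(f"tcp/{lo}-{hi} from {sources} is a port range; open only the Panorama ports")
        elif lo not in REQUIRED_PORTS:
            findings.append(f"tcp/{lo} is not a Panorama port but is open from {sources}")
        for port in (p for p in REQUIRED_PORTS if lo <= p <= hi):
            role = REQUIRED_PORTS[port]
            seen.add(port)
            for cidr in sources:
                if cidr == "0.0.0.0/0":
                    findings.append(f"tcp/{port} ({role}) is open to the whole Internet")
                elif cidr not in allowed.get(role, []):
                    findings.append(f"tcp/{port} ({role}) allows unexpected source {cidr}")
    for port, role in REQUIRED_PORTS.items():
        if port not in seen:
            findings.append(f"tcp/{port} ({role}) is missing; {role} access will fail")
    return findings


# Constructed: the "default security group" case, everything open.
WIDE_OPEN = [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]

# Constructed: administrators come from one office range, firewalls from the VPC.
ALLOWED = {"admin": ["198.51.100.0/24"], "managed": ["10.0.0.0/16"]}
LEAST_PRIVILEGE = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": [{"CidrIp": "198.51.100.0/24"}]},
    {"IpProtocol": "tcp", "FromPort": 3978, "ToPort": 3978, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
    {"IpProtocol": "tcp", "FromPort": 28443, "ToPort": 28443, "IpRanges": [{"CidrIp": "10.0.0.0/16"}]},
]

if __name__ == "__main__":
    for name, rules in (("wide open", WIDE_OPEN), ("least privilege", LEAST_PRIVILEGE)):
        print(name, audit_ingress(rules, ALLOWED) or ["no findings"])
```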
Step 3: Deploy the Panorama virtual appliance by going to the Azure
Dashboard, selecting Virtual machines, and adding a new virtual machine.
A. Search for Palo Alto Networks and choose the latest Panorama virtual
appliance image.
B. Proceed to create the Panorama virtual appliance.
Step 4: Configure the Panorama virtual appliance in the following steps:
A. Choose your Azure Subscription.
B. Select the Azure Resource Group, where all Azure instance resources
will be contained.
C. Provide a name for the Panorama virtual appliance.
D. Choose the Region where you want to deploy the Panorama virtual
appliance.
E. Optionally, set the Availability options.
F. Select the Image for deploying the Panorama management server.
Browse all available public and private images to deploy the Panorama
management server from the Azure marketplace.
G. Configure the size of the Panorama virtual appliance based on the
sizing requirements outlined in the Setup Prerequisites for the
Panorama Virtual Appliance. If you intend to use it as a Dedicated Log
Collector, ensure you allocate the necessary resources during the initial
deployment, as resizing afterward may result in log data loss.
H. Set up unique administrative credentials for the Panorama virtual
appliance. It includes specifying a Username (excluding 'admin' for
security reasons) and either providing a Password or pasting an SSH
public key for secure administrative access.
I. Configure the networking for the Panorama virtual appliance instance.
Select an existing virtual network or start from a new one.
Configure the Subnet, which is dependent on the selected virtual
network.
Select an existing Public IP address or create a new one to establish
the management interface.
Choose an existing NIC network security group or create a new
security group. Ensure that Inbound rules allow HTTPS and SSH
for proper traffic control.
J. Configure instance Management settings, including options like
enabling Auto-shutdown or boot Monitoring (by selecting a Diagnostic
storage account if enabled).
Adjust any other settings as needed to meet your requirements.
K. Review the configuration summary, accept the terms of use and privacy
policy, and create the Panorama virtual appliance.
Step 5: Verify the successful deployment of the Panorama virtual appliance:
A. Go to Dashboard > Resource Groups and select the one containing
the Panorama virtual appliance.
B. Under Settings, check the Deployments section for the virtual machine
deployment status.
EXAM TIP: Depending on the configured resources, the
deployment may take approximately 30 minutes, potentially longer. You
cannot use ICMP (ping) to verify a successful deployment in Microsoft
Azure, because Azure does not allow it.
If you plan to use the Panorama virtual appliance as a Dedicated Log
Collector, ensure you have correctly configured the appliance with the
required resources during the initial setup to prevent log data loss.
Step 6: Configure a static Public IP address for the Panorama virtual
appliance by accessing the Azure portal, selecting Virtual machines, choosing
the Panorama virtual machine, clicking on Overview, and configuring the
Public IP address assignment as Static. Save the new IP address
configuration.
Step 7: Access the web interface of the Panorama virtual appliance.
A. Go to the Azure portal, navigate to All Resources, and select the
Panorama virtual appliance. Find the public IP address in the Overview
section.
B. Open a secure (https) connection using the public IP address in your
web browser.
C. Provide the Panorama virtual appliance username and password. You
may encounter a certificate warning; accept it and proceed to the web
page.
Step 8: Register and activate licenses for the Panorama virtual appliance.
A. For VM Flex Licensing, provision the Panorama Virtual Appliance
Serial Number to register it with the Palo Alto Networks Customer
Support Portal (CSP).
B. Register the Panorama virtual appliance using the serial number
provided in the order fulfillment email.
VM Flex Licensing automatically registers the serial number with CSP
when generated.
C. Activate the firewall management license, using the procedure that
matches whether the Panorama Virtual Appliance is connected to the Internet.
D. Activate a Panorama Support License to complete the configuration.
Step 9: Finish configuring the Panorama virtual appliance according to your
deployment requirements.
If using Panorama in Log Collector Mode, add virtual disks as needed; at
least one virtual logging disk is necessary before switching to Log
Collector mode.
When adding a Log Collector as a managed collector to the Panorama
management server, enter the Public IP address of the Dedicated Log
Collector.
For Panorama in Panorama mode, add virtual disks before making the
switch.
1. Set up the Panorama Virtual Appliance in Panorama Mode.
2. Configure a Managed Collector.
In Management Only mode, establish the Panorama Virtual Appliance and
configure a Managed Collector to include a Dedicated Log Collector for
storing managed device logs.
Install Panorama on the Google Cloud Platform
You can now deploy Panorama and a Dedicated Log Collector on the Google
Cloud Platform (GCP). When you deploy Panorama on GCP, it operates
under the Bring Your Own License (BYOL) model, supports all deployment
modes (Panorama, Log Collector, and Management Only), and possesses the
same functionalities and processes as the M-Series hardware appliances. To
set up the Panorama virtual appliance on GCP, you must create a custom
image, which involves the following steps:
Step 1: Download the Panorama virtual appliance image:
A. Log in to the Palo Alto Networks Support Portal.
B. Navigate to the Updates section and filter by selecting Software
Updates, specifically focusing on Panorama Base Images.
C. Download the most recent version of the Panorama on GCP tar.gz
image.
Step 2: Upload the Panorama virtual appliance image to Google Cloud
Platform (GCP):
A. Access the Google Cloud Console and log in.
B. Go to the Products and Services menu and select Storage.
C. Create a bucket by configuring its settings and confirming the creation.
D. Choose the storage bucket you created, click Upload files, and select
the Panorama virtual appliance image you downloaded earlier.
E. Create the Panorama virtual appliance image.
Step 3: Create the Panorama virtual appliance image, then configure the
virtual appliance instance.
A. In the Products and Services menu, navigate to Compute Engine >
Images.
B. Proceed to create the Panorama virtual appliance image.
C. Provide a name for the Panorama virtual appliance image.
D. For the Source field, select Cloud Storage file from the drop-down
menu.
E. Click Browse to locate the storage bucket where you uploaded the
Panorama virtual appliance image, and then select the uploaded image.
Finalize the creation of the Panorama virtual appliance image.
Configure the Panorama virtual appliance:
Access the Products and Services menu and choose Compute
Engine.
Start deploying the Panorama virtual appliance by clicking Create
Instance.
Assign a descriptive name for easy identification.
F. Specify the desired Region and Zone for deploying the Panorama
virtual appliance.
G. Allocate the Machine Type and customize the CPU cores, memory, and
CPU platform according to the Panorama Virtual Appliance Setup
Prerequisites. Consider resource requirements, especially if you intend
to use it as a Dedicated Log Collector.
H. Configure the Panorama boot disk:
1. For the Boot Disk, click "Change > Custom image" and select the
Panorama image file you uploaded in Step 2.
2. Verify the boot disk size and ensure the system disk is 81GB.
3. Confirm your configuration by clicking Select.
I. Under Identity and API access, select Allow full access to all Cloud
APIs.
J. In the Firewall section, enable Allow HTTPS traffic.
Step 4: Expand Management, security, disks, networking, and sole tenancy.
Step 5: To ensure access to the serial port for Panorama virtual appliance
management, follow these steps:
A. Go to the Management section.
B. Enter the following name-value pair in the Metadata:
serial-port-enable true
Step 6: Next, reserve a static IP address for the management interface. It
helps maintain connectivity with managed devices even if the Panorama
virtual appliance is rebooted and IP addresses are reassigned. Follow these
steps:
A. Access the Networking.
B. Edit the network interface for the Panorama virtual appliance.
C. Select the appropriate Panorama virtual appliance Network.
D. Choose the Panorama virtual appliance Subnetwork, which enables
instances within the same subnetwork to communicate using internal IP
addresses.
E. Configure the Primary internal IP address:
Ephemeral (Automatic): Assign a primary internal IP address
automatically.
Ephemeral (Custom): Configure a custom IP range for GCP to use
when assigning a primary internal IP address.
Reserve a static internal IP address: Manually set a primary internal
IP address.
F. Set the External IP address:
Ephemeral: Automatically assign an external IP address from a
shared pool.
Choose an external IP address that has already been reserved.
Create IP address: Reserve a new external IP address.
G. Set IP forwarding to On so that the Panorama virtual appliance can
accept packets whose source or destination IP address does not match its
own.
Step 7: Additionally, configure the SSH key for accessing the Panorama
virtual appliance CLI and configuring the administrative user password after
the initial deployment:
For PuTTY Users:
A. In the Security section, check the Block project-wide SSH keys box
(only instance keys are supported for Panorama virtual appliance login
post-deployment).
B. Paste the SSH key into the comment box. Ensure the SSH key format is
correct and saved in .ppk format for subsequent login.
For Linux and macOS Users:
A. Generate the SSH key from your Linux device's CLI.
ssh-keygen -C admin@panorama -f <panorama_key_name>
B. Create an output file for the SSH key and manually copy the SSH key
contents.
cat <panorama_key_name>.pub
C. Paste the public key into the SSH Keys section during GCP instance
creation.
Step 8: Moreover, you can add extra storage for log collection if needed:
When deploying the Panorama virtual appliance on GCP, deciding its mode
upfront is crucial. If you plan to use it in Panorama mode or as a Dedicated
Log Collector, ensure you add virtual logging disks during the initial setup.
By default, if you meet the Panorama mode resource requirements and add at
least one 2TB virtual logging disk during the initial deployment, the
Panorama virtual appliance will operate in Panorama mode. In this mode, it
can manage devices and Dedicated Log Collectors while collecting logs
locally.
However, if you do not meet these requirements during the initial
deployment, the Panorama virtual appliance will default to Management Only
mode. In this mode, it can manage devices and Dedicated Log Collectors but
cannot perform local log collection.
A. Select Disks and choose Add new disk.
B. Provide a Name for the disk.
C. Select the desired type from the Type drop-down menu.
D. Set the Source type to Blank disk.
E. Choose Read/write for the Mode.
F. Configure the Deletion rule based on your preferences.
G. Set the Size (GB) for the virtual logging disk.
H. Choose your preferred encryption solution for the data on the virtual
logging disk.
I. Click OK to create the disk.
Step 9: After completing these steps, create the Panorama virtual appliance.
Please note that the Panorama virtual appliance takes approximately 10
minutes to boot up following the initial deployment.
Step 10: To set a new administrative password for the Panorama virtual
appliance, follow these steps:
Before accessing the web interface, you must create a unique administrative
password. It should be at least eight characters and include at least one
lowercase character, one uppercase character, and one number or special
character.
A. If you have an SSH service installed on your computer, use the
following command to log into the Panorama virtual appliance:
For Windows Devices:
ssh -i <private_key.pem> admin@<public-ip_address>
For Linux Devices:
ssh -i <private_key.pem> -oHostKeyAlgorithms=+ssh-rsa <username>@<public-ip_address>
Pass the OpenSSH-format private key (the .pem file) to ssh -i; a .ppk file
is PuTTY's own format and is used only in the PuTTY procedure below.
Ensure to include the -oHostKeyAlgorithms=+ssh-rsa option to
specify the host key type; this step is essential to prevent errors during
SSH login.
B. Configure the new password using the provided commands and follow
the on-screen prompts:
admin> configure
admin# set mgt-config users admin password
C. If you have a BYOL (Bring Your Own License) and need to set the
DNS server IP address for the Panorama virtual appliance to access the
Palo Alto Networks licensing server, use the following command:
admin# set deviceconfig system dns-setting servers primary <ip_address>
D. Commit your changes by entering the command:
admin# commit
E. Finally, terminate the SSH session.
If you use PuTTY to access SSH:
A. If you have an existing key pair and possess the .ppk file, proceed to
the next step. If you have created a new key pair or only have the .pem
file of the existing key pair, open PuTTYgen and load the .pem file.
B. Save the private key to a locally accessible location.
C. Open PuTTY, navigate to SSH > Auth and browse for the .ppk file
you saved in the previous step.
D. Go to the Sessions section, enter the public IP address of the Panorama
virtual appliance, and click Open. Accept any security prompts by
clicking Yes when prompted.
E. Log in as admin when prompted.
F. Configure a new password using the provided commands and follow
the on-screen instructions:
admin> configure
admin# set mgt-config users admin password
G. Set the DNS server IP address, if needed, with the following
command:
admin# set deviceconfig system dns-setting servers primary <ip_address>
H. Commit your changes with the command:
admin# commit
I. Finally, terminate the SSH session.
These steps will help you secure a new administrative password for the
Panorama virtual appliance.
Step 11: To register and activate licenses for the Panorama virtual appliance,
follow these steps:
A. (For VM Flex Licensing) If you are using VM Flex licensing, it is
essential to perform the step to generate the Panorama virtual
appliance's serial number, which is required for registration on the Palo
Alto Networks Customer Support Portal (CSP).
B. Register Panorama:
Register the Panorama virtual appliance by entering the serial number
provided by Palo Alto Networks in the order fulfillment email.
C. Firewall Management License: activate the firewall management
license, following the procedure that matches your Internet connectivity:
If the Panorama Virtual Appliance is Internet-connected,
activate/retrieve the Firewall Management License.
If the Panorama Virtual Appliance is not Internet-connected, follow the
activation/retrieval process for the Firewall Management License.
D. Activate Panorama Support License
Step 12: To complete the configuration of your Panorama virtual appliance
according to your deployment requirements, follow these guidelines:
For Panorama in Log Collector Mode:
A. If you intend to use Panorama in Log Collector Mode, ensure you add a
virtual disk to Panorama on the Google Cloud Platform as needed. Add
at least one virtual logging disk before switching the Panorama virtual
appliance to Log Collector Mode.
B. Follow the steps starting from Step 9 to switch to Log Collector Mode.
EXAM TIP: When adding the Log Collector as a managed collector
to the Panorama management server, provide the Public IP address of the
Dedicated Log Collector. You do not need to specify the IP Address,
Netmask, or Gateway.
For Panorama in Panorama Mode:
A. If your deployment requires Panorama in Panorama Mode, add at least
one virtual logging disk to Panorama on the Google Cloud Platform. It
is a prerequisite before changing the Panorama virtual appliance to
Panorama Mode.
B. Set up the Panorama Virtual Appliance in Panorama Mode.
C. Configure a Managed Collector as needed.
For Panorama in Management Only Mode:
A. If your deployment mandates Panorama in Management Only Mode,
set up the Panorama Virtual Appliance accordingly.
B. Configure a Managed Collector to add a Dedicated Log Collector to the
Panorama virtual appliance. It is important to note that Management
Only Mode does not support local log collection, necessitating the use
of a Dedicated Log Collector to store managed device logs.
For SD-WAN Deployments:
A. If your deployment involves SD-WAN on Panorama deployed on the
Google Cloud Platform, you must increase the system disk size to
224GB.
B. Please be aware that once you successfully increase the system disk to
224GB, you cannot revert to an 81GB system disk.
C. Set up the Panorama Virtual Appliance in Management Only Mode.
D. Add a 2TB logging disk to Panorama in Management Only Mode to
support SD-WAN functionalities.
Install Panorama on KVM
You can now deploy Panorama and a Dedicated Log Collector on KVM.
Panorama deployed on KVM is a Bring Your Own License (BYOL) and
supports all deployment modes (Panorama, Log Collector, and Management
Only). It offers the same processes and functionality as the M-Series
hardware appliances.
Here are the steps to deploy the Panorama virtual appliance on KVM:
Step 1: Download the Panorama 9.1 base image QCOW2 file:
A. Log in to the Palo Alto Networks Support Portal.
B. Navigate to Updates > Software Updates and apply a filter for
Panorama Base Images to find and download the QCOW2 file
(Panorama-KVM-9.1.0.qcow2).
Step 2: Create a new virtual machine image and add the Panorama virtual
appliance image for KVM to the Virtual Machine Manager:
A. Launch the Virtual Machine Manager. Choose the option to Create a
new virtual machine.
B. Select Import Existing disk image and proceed to the next step.
C. Browse and select the Panorama virtual appliance image volume and
confirm your selection.
D. Click Forward to continue.
Step 3: Configure the memory and CPU settings according to your
requirements.
A. Ensure you review the Setup Prerequisites for the Panorama Virtual
Appliance to meet the minimum resource requirements.
B. If you intend to use the Panorama virtual appliance as a Dedicated Log
Collector, allocate the necessary resources during the initial
deployment. Remember that resizing the virtual machine after
deployment can result in a loss of log data.
C. Adjust memory allocation based on the operational mode requirements.
Note that the Virtual Machine Manager may use MiB (mebibyte) for
memory allocation, so ensure accurate conversion to prevent under-
provisioning of the Panorama virtual appliance.
D. Configure the CPU settings based on the requirements for your chosen
operational mode.
E. Click Forward to proceed with the deployment.
Step 4: Name the Panorama virtual appliance and set up configuration
customization:
A. Provide a descriptive Name for the Panorama virtual appliance.
B. Choose to Customize the configuration before installation.
C. Select the bridge for the management interface and keep the default
settings.
D. Click Finish.
Step 5: Configure the virtual system disk settings:
A. Select IDE Disk. Navigate to Advanced options and make the following
selections:
Disk Bus: Choose VirtIO or IDE based on your configuration.
Storage format: Set it to qcow2.
B. Under Performance options, set Cache mode to writethrough. It
improves installation time and execution speed on the Panorama virtual
appliance.
C. Click Apply.
Step 6: Set up the virtual machine console display.
A. Choose Display Spice.
If Display VNC is already listed in the Hardware list, proceed to the
next step, as the virtual machine is already configured to use the VNC
server for the display.
B. In the Type drop-down, select VNC server.
C. Click Apply.
Step 7: (Optional) Add additional storage for log collection. Repeat this step
if you need to add more virtual logging disks.
Adding these disks during the initial deployment is essential if you use the
Panorama virtual appliance in Panorama mode or as a Dedicated Log
Collector. By default, the Panorama virtual appliance is in Panorama mode
for the initial deployment when you meet the Panorama mode resource
requirements and have at least one virtual logging disk. Otherwise, it defaults
to Management Only mode, which is used solely for device and Dedicated
Log Collector management and does not collect logs locally.
Note that the Panorama virtual appliance on KVM supports only 2TB logging
disks, with a total log storage capacity of up to 24 TB. You cannot add a
logging disk smaller than 2TB or one with a size not divisible by 2TB, as the
Panorama virtual appliance partitions larger disks into 2TB partitions.
To add additional storage:
A. Click on Add Hardware.
B. Configure the new Storage disk with these settings:
1. Create a disk image for a virtual machine with a capacity of
14901.2 GiB (equivalent to 2TB). Ensure you correctly convert the
required storage capacity to GiB to avoid under-provisioning the
virtual logging disk and potential maintenance mode issues.
2. Select the Disk device when choosing Device type.
3. Choose the Bus type (VirtIO or IDE) based on your configuration.
4. Under Advanced options, set Cache mode to writethrough.
C. Click Finish.
Step 8: The Panorama virtual appliance will take approximately 10 minutes
to boot up after the initial deployment.
Step 9: Configure a New Administrative Password.
You must set a unique administrative password before accessing the web
interface or CLI of the Panorama virtual appliance. Ensure that the new
password is a minimum of eight characters and includes at least one
lowercase character, one uppercase character, and one number or special
character. When you first log in to the Panorama CLI, you will be prompted
to enter the Old Password and then the New Password for the admin user
before you can proceed.
Step 10: Configure Network Access Settings for the Management Interface.
A. Open a connection to the console.
B. Log in to the firewall using the default username and password:
admin/admin.
C. Enter configuration mode with the following command:
admin> configure
D. Use the following commands to configure and enable access to the
management interface:
admin# set deviceconfig system type static
admin# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
After configuring these settings, commit the changes with the command:
admin# commit
Step 11: Registering and Licensing the Panorama Virtual Appliance.
A. VM Flex Licensing (Optional): If you use VM Flex licensing, you must
generate the Panorama virtual appliance serial number. Registering the
appliance with the Palo Alto Networks Customer Support Portal (CSP)
is necessary.
B. Register Panorama:
To register the Panorama virtual appliance, use the serial number
provided by Palo Alto Networks in the order fulfillment email. This
step is essential for licensing and support.
C. Activate Firewall Management License:
Activate or retrieve a Firewall Management License. The process may
vary based on whether the Panorama Virtual Appliance is connected to the
Internet.
D. Activate Panorama Support License
Step 12: Completing Panorama Configuration for Your Needs
For Panorama in Log Collector Mode:
1. If you intend to use Panorama as a Log Collector, add a virtual logging
disk as required. You must have at least one virtual logging disk before
switching Panorama to Log Collector mode. Follow the steps starting
from Step 9.
For Panorama in Panorama Mode:
1. Add virtual logging disks before changing the Panorama virtual
appliance to Panorama mode. This mode allows centralized
management and monitoring.
2. Set up Panorama in Panorama mode: configure Panorama as a Panorama
management server to manage multiple devices efficiently.
For Panorama in Management Only Mode:
1. Management Only mode does not support local log collection, so if you
plan to use Panorama in this mode, configure a Managed Collector, such as
a Dedicated Log Collector, to store logs from managed devices.
Install Panorama on Hyper-V
You can deploy Panorama and a Dedicated Log Collector on Hyper-V.
Panorama deployed on Hyper-V is Bring Your Own License (BYOL),
supports all deployment modes (Panorama, Log Collector, and Management
Only), and shares the same processes and functionality as the M-Series
hardware appliances. Hyper-V support is available only on PAN-OS 8.1.3 and
later releases.
Here are the steps to set up the Panorama virtual appliance on Hyper-V:
Step 1: Download the Panorama 9.1 Virtual Appliance Image.
A. Log in to the Palo Alto Networks Support Portal.
B. Go to Updates and then Software Updates.
C. Filter by Panorama Base Images and download the VHDX file named
Panorama-HPV-9.1.0.vhdx.
Step 2: Set up any necessary vSwitches according to your network
requirements.
A. Click on the Action menu at the top of the window. From the dropdown
menu, choose Virtual Switch Manager. It will open the Virtual Switch
Manager window.
B. Within the Virtual Switch Manager window, you can Create a virtual
switch. Select the type of virtual switch (vSwitch) you want to create.
Step 3: Install the Panorama Virtual Appliance
A. Open Hyper-V Manager. Select your host and click Action, then choose
Virtual Switch Manager to open the Virtual Switch Manager window.
B. Under Create virtual switch, select the vSwitch type and click Create
Virtual Switch.
Configure Virtual Machine Settings:
A. In Hyper-V Manager, select your host. Click Action, then choose New
and Virtual Machine to open the New Virtual Machine Wizard.
Configure the following settings:
B. Name and Location for the Panorama virtual appliance.
C. Choose Generation 1 (the default and supported option).
D. Allocate Startup Memory based on the intended system mode (refer to
Panorama Virtual Appliance Setup Prerequisites for memory
requirements).
EXAM TIP: Disable dynamic memory allocation; the Panorama
virtual appliance requires static memory.
E. Configure Networking by selecting an external vSwitch for the
firewall's management interface.
F. Connect the Virtual Hard Disk using an existing virtual hard disk and
browse the downloaded VHDX file.
G. Review the summary and click Finish.
Step 4: Allocate CPU Cores:
Review the Setup Prerequisites for the Panorama Virtual Appliance to ensure
you meet the minimum resource requirements.
EXAM TIP: If you plan to use the Panorama virtual appliance as a
Dedicated Log Collector, allocate the necessary resources during the initial
deployment. Remember that resizing the virtual machine after deployment
will cause it to exit Log Collector mode and lose log data.
A. In the Hardware list, select Processor.
B. Edit the number of allocated virtual processors as needed.
Step 5: Connect at least one network adapter for the data plane interface on
the firewall.
Select Settings > Hardware > Add Hardware and choose the appropriate
hardware type to add additional network interfaces. It is important to
remember that "Legacy Network Adapter" and "SR-IOV" are not supported.
Step 6: Add Virtual Logging Disks (Optional)
If you intend to use Panorama in Panorama mode or as a Dedicated Log
Collector, add virtual logging disks during the initial deployment. By default,
Panorama is in Panorama mode if you meet the resource requirements and
have at least one virtual logging disk; otherwise, it defaults to Management
Only mode. Virtual logging disks must be 2TB, and Panorama supports up to
24TB of log storage. Disks smaller than 2TB or not divisible by 2TB are not
supported.
In Hyper-V Manager, select the host and choose Action > New > Hard Disk.
Follow the prompts to configure the disk, specifying its size and other
settings.
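The KVM step above warns that the hypervisor takes disk sizes in GiB while the guide states logging disks in decimal terabytes, and both the KVM and Hyper-V sections state the 2TB-unit and 24TB-total rules. The following Python helper is an added example (not code from the guide or from Palo Alto Networks) that converts a requested size to GiB and checks a proposed logging disk against those stated rules before you create it; the function names and the constructed sample sizes are mine.

```python
# Sizing virtual logging disks: the guide states sizes in decimal terabytes
# (2TB units, 24TB cap) while hypervisor consoles such as Virtual Machine
# Manager ask for GiB, so the conversion has to be done explicitly to avoid
# under-provisioning a disk.
TB = 10 ** 12                 # decimal terabyte, as written in the guide
GIB = 2 ** 30                 # gibibyte, the unit the hypervisor UI expects
LOGGING_DISK_UNIT_TB = 2      # each virtual logging disk is a 2TB unit
MAX_LOG_STORAGE_TB = 24       # total log storage supported on the appliance


def tb_to_gib(size_tb):
    """Convert a decimal-terabyte size to GiB, rounded to one decimal place."""
    return round(size_tb * TB / GIB, 1)


def validate_logging_disk(size_tb, existing_total_tb=0):
    """Check a proposed virtual logging disk against the rules in the guide.

    Returns the GiB figure to enter in the hypervisor UI, the number of 2TB
    partitions the appliance would carve the disk into, and a list of rule
    violations (empty when the disk is acceptable).
    """
    problems = []
    valid_unit = (size_tb >= LOGGING_DISK_UNIT_TB
                  and size_tb % LOGGING_DISK_UNIT_TB == 0)
    if size_tb < LOGGING_DISK_UNIT_TB:
        problems.append(f"disk smaller than {LOGGING_DISK_UNIT_TB}TB")
    elif not valid_unit:
        problems.append(f"size not divisible by {LOGGING_DISK_UNIT_TB}TB")
    total = existing_total_tb + size_tb
    if total > MAX_LOG_STORAGE_TB:
        problems.append(
            f"total log storage would exceed {MAX_LOG_STORAGE_TB}TB ({total:g}TB)"
        )
    return {
        "size_gib": tb_to_gib(size_tb),
        "partitions": int(size_tb // LOGGING_DISK_UNIT_TB) if valid_unit else 0,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample requests: a valid 2TB disk, an under-sized disk, an
    # odd-sized disk, and a disk that would push total storage past the cap.
    for size, existing in ((2, 0), (1, 0), (3, 0), (4, 22)):
        result = validate_logging_disk(size, existing)
        status = "ok" if not result["problems"] else "; ".join(result["problems"])
        print(f"{size}TB (+{existing}TB existing) -> {result['size_gib']} GiB, "
              f"{result['partitions']} partition(s): {status}")
```

Run the check before clicking Finish in the hypervisor console: a disk that fails it would either be rejected by the appliance or, if under-provisioned, can leave the appliance in maintenance mode, as the KVM step notes.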
Step 7: Power On the Panorama Virtual Appliance
A. Select the Panorama virtual appliance instance from the list of Virtual
Machines.
B. Choose Action > Start to power on the Panorama virtual appliance.
Step 8: Connect to the Panorama Virtual Appliance Console
A. In the Virtual Machines list, select the Panorama virtual appliance.
B. Choose Actions > Connect and enter the username and password to log
in (default is admin for both).
Step 9: Configure a new administrative password for the Panorama virtual
appliance. The password must be at least eight characters long and include
one lowercase character, one uppercase character, and one number or special
character.
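The administrative password rule above is the same one the GCP and KVM procedures state. As an added example (not code from the guide or from Palo Alto Networks), the Python function below checks a candidate password against every stated rule at once, so an operator sees all the problems before typing it at the console prompt; the function names and the constructed sample candidates are mine.

```python
import string

# Password policy as stated in the guide for the Panorama admin account:
# at least eight characters, with at least one lowercase letter, one
# uppercase letter, and one number or special character.
MIN_LENGTH = 8
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGIT_OR_SPECIAL = set(string.digits) | set(string.punctuation)


def password_policy_failures(password):
    """Return the list of policy rules the candidate password breaks.

    An empty list means the password satisfies every rule the guide states.
    All rules are evaluated, not just the first failing one, so every
    problem can be fixed in a single pass.
    """
    chars = set(password)
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"fewer than {MIN_LENGTH} characters")
    if not chars & LOWER:
        failures.append("no lowercase character")
    if not chars & UPPER:
        failures.append("no uppercase character")
    if not chars & DIGIT_OR_SPECIAL:
        failures.append("no number or special character")
    return failures


def meets_policy(password):
    """True when the candidate password satisfies the stated policy."""
    return not password_policy_failures(password)


if __name__ == "__main__":
    # Constructed sample candidates, including the factory default that the
    # guide says must be replaced on first login.
    for candidate in ("admin", "Panorama", "panorama1", "Pa1!", "Panorama1!"):
        result = password_policy_failures(candidate)
        print(f"{candidate!r:14} -> {'ok' if not result else ', '.join(result)}")
```

The check only enforces what the guide states; it does not vouch for the strength of a password that passes, so treat it as a pre-flight check, not a strength meter.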
Step 10: Set the IP Address for the Management Interface.
A. Enter the following commands in the Panorama CLI, replacing
placeholders with your network configuration:
admin> configure
admin# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
admin# commit
admin# exit
B. Troubleshoot connectivity to network resources, including the default
gateway, DNS server, and the Palo Alto Networks Update Server, as
needed.
Step 11: Register the Panorama virtual appliance and activate the device
management license and support licenses. It includes provisioning the serial
number when using VM Flex licensing.
A. (For VM Flex licensing) Generate the Panorama virtual appliance serial
number, which is needed to register the appliance on the Palo Alto
Networks Customer Support Portal (CSP).
B. Register Panorama:
Register the Panorama virtual appliance with the serial number included in
the order fulfillment email from Palo Alto Networks. This step may not be
necessary when using VM Flex licensing, as the serial number is often
automatically registered with the CSP upon generation.
C. Activate the firewall management license:
Activate or retrieve the Firewall Management License when the Panorama
Virtual Appliance has Internet connectivity.
Activate/Retrieve a Firewall Management License when the Panorama
Virtual Appliance lacks Internet connectivity.
D. Activate a Panorama Support License.
Step 12: Complete the configuration of the Panorama virtual appliance
based on your deployment needs.
To prepare the Panorama virtual appliance on Hyper-V and switch between
different modes, follow these steps:
For Panorama in Log Collector Mode:
A. Add at least one virtual logging disk; it is required before Panorama
can enter Log Collector mode.
B. Begin at Step 9 to transition to Log Collector mode.
EXAM TIP: When configuring a Dedicated Log Collector,
provide its Public IP address when adding it as a managed collector to
the Panorama management server. You would not need to specify the
IP Address, Netmask, or Gateway.
For Panorama in Panorama Mode:
A. Add at least one virtual logging disk to operate Panorama in Panorama
mode.
B. Set up the Panorama Virtual Appliance in Panorama Mode to start
managing your network.
C. Configure a Managed Collector for enhanced functionality.
For Panorama in Management Only Mode:
A. Choose the Management Only mode if you aim solely to manage
devices and Dedicated Log Collectors without local log collection.
B. Set up the Panorama Virtual Appliance in Management Only Mode. To
store managed device logs, configure a Managed Collector since the
Management Only mode does not support local log collection.
Perform the Panorama Virtual Appliance's Initial Configuration
Depending on your specific Panorama model, utilize the web interfaces or
management tools provided by AWS, Azure, GCP, KVM Virtual Machine
Manager, Hyper-V Manager, VMware vSphere Client, or vCloud Air web
console to establish network connectivity for your Panorama virtual
appliance. It is important to note that the Panorama virtual appliance is
deployed in Panorama mode by default. To ensure consistent and unified
reporting, consider configuring the time zone settings to use Greenwich Mean
Time (GMT) or Coordinated Universal Time (UTC) across Panorama,
managed firewalls, and Log Collectors.
Step 1: Gather Required Information.
Work with your network administrator to collect the necessary details for the
MGT interface, including:
IP address for the MGT interface (default is 192.168.1.1 if not previously
configured)
Netmask
Default gateway
DNS server IP address
Ensure you have the information, as it is crucial for configuring the MGT
interface.
Step 2: Access the Panorama Console.
Depending on your virtualization platform, follow these steps to access
the console:
A. Launch the VMware vSphere Client on an ESXi server and select the
Console tab for the Panorama virtual appliance.
B. For vCloud Air, use the web console and select your Virtual Private
Cloud OnDemand region. Then, navigate to the Virtual Machines tab,
right-click the Panorama virtual machine, and select Open In Console.
Use the admin/admin login credentials to log in.
C. For AWS, Azure, GCP, KVM, and Hyper-V, access the Panorama CLI.
Step 3: Configure MGT Interface.
In the Panorama CLI, set up the network access settings for the MGT
interface. The MGT interface handles management traffic, synchronization,
log collection, and communication within Collector Groups.
Note that starting with PAN-OS 9.0.4, default admin credentials are no longer
supported, and you will need to define a unique admin password when
configuring the Panorama virtual appliance.
A. If it is your first time accessing the Panorama CLI, you will be
prompted to enter both the Old Password and the New Password for the
admin user. Use the following commands as a template, replacing
placeholders with actual values:
> configure
# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
# commit
# exit
B. To ensure proper network access to external services required for
firewall management, such as the default gateway, DNS server, and the
Palo Alto Networks Update Server, consider running connectivity tests.
Step 4: Configure the general settings for your Panorama setup with the
following steps:
A. Access the Panorama web interface securely through HTTPS using the
IP address and password you assigned to the management interface
(https://<IP address>).
B. Navigate to Panorama Setup and select Management. Edit the General
Settings.
C. Provide a Hostname for the server and specify the network Domain
name. Note that the domain name serves as a label and is not used for
domain joining purposes.
D. Ensure that Panorama and the managed firewalls share the same Time
Zone, such as GMT or UTC. Configure NTP to keep Panorama
synchronized if you use the Cortex Data Lake. Timestamp consistency
across Panorama and firewalls is crucial for log analysis and reporting.
E. Enter Latitude and Longitude coordinates to position the Panorama
management server on the world map accurately.
F. Input the Serial Number received in the order fulfillment email.
G. Click on OK and commit to save configuration changes.
Step 5: Optionally, adjust the management interface settings.
EXAM TIP: For IPv6 configuration, remember that Panorama
requires both IPv4 and IPv6 settings to be configured for successful IPv6 IP
address setup. Configure the Public IP Address and IP Address fields if
your firewalls connect to Panorama using a public IP address translated to a
private one (NAT).
A. Select Panorama > Setup > Interfaces and then click on
Management.
B. Specify the Network Connectivity Services you wish to allow on the
interface (e.g., SSH access).
EXAM TIP: Avoid selecting Telnet or HTTP for security reasons.
C. Save your changes to the interface by clicking OK.
D. Commit your configuration changes by selecting Commit and
confirming your commitment to Panorama.
Configure the Panorama Virtual Appliance to Collect Logs
To establish a dedicated virtual appliance solely for log collection, you can
configure a Panorama virtual appliance on platforms like ESXi, AWS, AWS
GovCloud, Azure, Google Cloud Platform, KVM, or Hyper-V in Log
Collector mode. Initially, perform the virtual appliance's initial configuration
in Panorama mode. It entails licensing, software, content updates installation,
and configuring the management interface (MGT).
Subsequently, transition the Panorama virtual appliance to Log Collector
mode and complete the necessary Log Collector configuration.
Suppose you prefer using dedicated M-Series Appliance Interfaces
(recommended) for log collection and Collector Group communication
instead of relying on the MGT interface. In that case, you should first
configure these interfaces for the Panorama management server, then
configure them for the Log Collector. Afterward, execute a Panorama commit
followed by a Collector Group commit.
EXAM TIP: Switching the virtual appliance from Panorama mode
to Log Collector mode entails a reboot of the appliance, removal of the
local Log Collector, deletion of any existing log data, and clearing of all
configurations except for the management access settings. However, the
mode switch does not affect licenses, software, or content updates.
Step 1: If you have not already set up the Panorama management server,
perform one of the following tasks based on your deployment:
Configure the Panorama Virtual Appliance
Configure the M-Series Appliance
Step 2: Take note of the management IP addresses for the Panorama
management server. Collect the IP address for each HA peer if you have
deployed Panorama in an HA configuration.
A. Log in to the web interface of the Panorama management server.
B. Retrieve the IP Address of the primary (for non-HA) or active (for
HA) Panorama by navigating to Panorama > Setup > Management
and checking the Management Interface Settings.
C. Record the Peer HA IP Address of the passive Panorama for HA
deployments by going to Panorama > High Availability and checking
the Setup section.
Step 3: Now, set up the Panorama virtual appliance as a Dedicated Log
Collector.
Suppose you previously deployed this appliance as a Panorama management
server. You can skip this step because the MGT interface is already
configured, and the necessary licenses and updates are installed.
Remember that the Panorama virtual appliance in Log Collector mode does
not have a web interface for configuration tasks; it only offers a CLI.
Therefore, before switching the mode on the Panorama virtual appliance,
utilize the web interface in Panorama mode to:
A. Set up the Panorama virtual appliance on one of the supported
hypervisors, such as ESXi, AWS, AWS GovCloud, Azure, Google
Cloud Platform, or Hyper-V.
B. Perform the initial configuration of the Panorama Virtual Appliance.
C. Register Panorama and Install Licenses.
D. Install Content and Software Updates for Panorama.
Step 4: Modify the admin password and prepare the Dedicated Log
Collector; follow these steps:
A. Log in to the Panorama Web Interface.
B. Navigate to Panorama > Administrators and select the admin user.
C. Enter a new Password, Confirm the Password, and click OK.
D. Commit to your changes by selecting Commit > Commit to
Panorama.
Step 5: For Panorama deployed on AWS and Azure only, delete all users
except the admin user:
A. Log in to the Panorama Web Interface as admin.
B. Go to Panorama > Administrators.
C. Select the existing Administrators (excluding admin) and Delete.
D. Commit to your changes by selecting Commit > Commit to
Panorama.
Step 6: Log in to the Panorama CLI.
Step 7: Switch from Panorama mode to Log Collector mode by using the
following command:
> request system system-mode logger
A. Confirm the mode change by entering "Y." The virtual appliance will
reboot. If the reboot ends your terminal session, reconnect to the virtual
appliance to access the Panorama login prompt.
Note: If you encounter a CMS Login prompt, it indicates that the Log
Collector is still rebooting. Press Enter at the prompt without entering
a username or password.
B. Log back into the CLI.
C. Verify that the switch to Log Collector mode was successful using the
following command:
> show system info | match system-mode
If the mode change is successful, the output should display:
system-mode: logger
Step 8: Enable connectivity between the Log Collector and the Panorama
management server by entering the following commands at the Log Collector
CLI:
> configure
# set deviceconfig system panorama-server <IPaddress1> panorama-server-2 <IPaddress2>
# commit
# exit
Step 9: Record the serial number of the Log Collector and set it up for
operation; follow these steps:
A. Log in to the Log Collector CLI. Type the following command into the
terminal to see its serial number.
> show system info | match serial
B. Record the serial number.
Step 10: Add the Log Collector as a managed collector to the Panorama
management server:
A. Go to Panorama > Managed Collectors and select Add a managed
collector.
B. In the General settings, enter the serial number (Collector S/N) you
recorded for the Log Collector.
C. In the Panorama Server IP field, enter the IP address or FQDN of the
solitary (non-HA) or active (HA) Panorama. In the "Panorama Server
IP 2" field for HA deployments, type the IP address or FQDN of the
passive Panorama peer.
D. These IP addresses must specify a Panorama interface with enabled
Device Management and Log Collection services. By default, these
services are enabled only on the MGT interface. Still, you might have
enabled them on other interfaces during the M-Series Appliance setup
as a Panorama management server.
E. Select Interfaces, click Management, and enter the Public IP
Address of the Dedicated Log Collector.
F. Click OK twice to save your changes to the Log Collector.
G. You can choose Commit > Commit to Panorama to commit changes
to the Panorama configurations.
H. Verify that Panorama > Managed Collectors lists the Log Collector
you added. The Connected column should display a checkmark to
indicate that the Log Collector is connected to Panorama. You might
need to wait a few minutes for the page to display the updated
connection status.
EXAM TIP: The Configuration Status column may display Out of
Sync, and the Run-Time Status column may show disconnected. These
statuses will change to In Sync and Connected after you configure a
Collector Group.
Step 11: Enable the logging disks by selecting Panorama > Managed
Collectors, editing the Log Collector, selecting Disks, and adding each disk.
Click OK to save your changes.
You can choose Commit > Commit to Panorama to commit changes
to the Panorama configurations.
(Recommended) Configure the Ethernet1, Ethernet2, Ethernet3,
Ethernet4, and Ethernet5 interfaces if the Panorama management server
and Log Collector will use them for Device Log Collection and
Collector Group Communication. Suppose you had previously
configured these interfaces when the Log Collector was in Panorama
mode. In that case, you will need to reconfigure them, as switching to
Log Collector mode would have deleted those configurations (except
for management access settings).
Configure each interface on the Panorama management server (other
than the MGT interface) by going to Panorama > Setup > Interfaces
and selecting the Interface Name. Then, enable the interface, complete
the necessary IP settings, and assign Device Management Services.
Configure each interface on the Log Collector (other than the MGT
interface) by going to Panorama > Managed Collectors, editing the Log
Collector, and selecting the Interfaces section. Then, enable the
interface, complete the necessary IP settings, and assign Device Log
Collection and Collector Group Communication services.
Click OK to save your changes for each interface.
You can choose Commit > Commit to Panorama to commit changes
to the Panorama configurations.
Step 12: Enabling Logging Disks.
A. Go to Panorama > Managed Collectors. Edit the Log Collector you
want to configure.
B. Select the "Disks" option and add each disk.
C. Click "OK" to save your changes.
D. You can choose Commit > Commit to Panorama to commit changes
to the Panorama configurations.
Step 13: Configuring Ethernet Interfaces (Ethernet1, Ethernet2, Ethernet3,
Ethernet4, and Ethernet5).
Suppose your Log Collector was previously deployed as a Panorama
management server, and you had configured these interfaces. In that case, you
must reconfigure them because switching to Log Collector mode would have
deleted those configurations (except for management access settings).
A. Configure each interface on the Panorama management server (other
than the MGT interface) if you have not already:
Go to Panorama > Setup > Interfaces and click the Interface Name.
Select the <interface-name> to enable the interface.
Based on the IP protocols used by your network, fill out either one or
both of the following field sets:
For ESXi:
IPv4: Public IP Address, IP Address, Netmask, and Default
Gateway
IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
For AWS, Azure, and Google Cloud Platform:
Public IP address
Choose one of the supported Device Management Services from the
interface:
Device Management and Device Log Collection (assign one or more
interfaces)
Collector Group Communication (assign only one interface)
Device Deployment (software and content updates, assign only one
interface)
Click OK to save your changes.
B. Configure each interface on the Log Collector (other than the MGT
interface):
1. Go to Panorama > Managed Collectors and edit the Log Collector.
2. Select Interfaces and click the name of the interface.
3. Select the <interface-name> to enable the interface.
4. Based on the IP protocols used by your network, complete either
one or both of the following field sets:
For ESXi:
IPv4: Public IP Address, IP Address, Netmask, and Default
Gateway
IPv6: IPv6 Address/Prefix Length and Default IPv6 Gateway
For AWS and Azure:
Public IP address
5. Select the Device Management Services that the interface supports:
Device Log Collection (assign one or more interfaces)
Collector Group Communication (assign only one interface)
6. Click OK to save your changes to the interface.
C. Click OK to save your changes to the Log Collector.
D. You can choose Commit > Commit to Panorama to save changes to
the Panorama configurations.
Step 14: (Optional) Deploying Custom Certificates:
If your deployment uses custom certificates for authentication between
Panorama and managed devices, follow these additional steps:
A. Go to Panorama > Certificate Management > Certificate Profile,
choose the certificate profile from the drop-down, or click "New
Certificate Profile" to create one.
B. Go to Panorama > Managed Collectors > Add > Communication for
a Log Collector.
C. Select the Secure Client Communication checkbox.
D. Select the type of device certificate from the Type drop-down.
If you are using a local device certificate, select the Certificate and
Certificate Profile from the respective drop-downs.
If you use SCEP as the device certificate, select the SCEP Profile
and Certificate Profile from the respective drop-downs.
E. Click "OK" to save your changes.
Step 15: (Optional) Configure Secure Server Communication on a Log
Collector:
A. Go to Panorama > Managed Collectors > Add > Communication.
B. Ensure that the Custom Certificate Only checkbox is not selected.
This allows you to continue managing all devices while transitioning to
custom certificates. When selecting the Custom Certificate Only
checkbox, the Log Collector cannot authenticate and receive logs from
devices using predefined certificates.
C. Select the SSL/TLS service profile from the SSL/TLS Service Profile
drop-down. The profile applies to all SSL connections between the Log
Collector and devices sending it logs.
D. Choose the certificate profile from the Certificate Profile drop-down.
E. Select Authorize Client Based on Serial Number to have the server
check clients against the serial numbers of managed devices. The client
certificate must have the special keyword "$UDID" set as the Common
Name (CN) to authorize based on serial numbers.
F. In Disconnect Wait Time (min), please specify the number of minutes
Panorama should wait before breaking and reestablishing the
connection with its managed devices. The field is blank by default; the
range is 0 to 44,640 minutes. The disconnect wait time does not begin
counting down until you commit to the new configuration.
G. (Optional) Configure an authorization list:
Click Add under Authorization List.
Select the Subject or Subject Alt Name as the Identifier type.
Enter an identifier of the selected type.
Click OK.
H. Select Check Authorization List to enforce the authorization list.
I. Click OK.
J. Select Commit > Commit to Panorama.
Step 16: Assign the Log Collector to a Collector Group:
A. Configure a Collector Group. You must perform a Panorama commit,
and then a Collector Group commit to synchronize the Log Collector
configuration with Panorama. It also puts the Eth1, Eth2, Eth3, Eth4,
and Eth5 interfaces (if configured) in an operational state on the Log
Collector.
Note that within a single Collector Group, all the Log Collectors must
run on the same Panorama model, which means all M-600 appliances,
all M-500 appliances, all M-200 appliances, all M-100 appliances, or
all Panorama virtual appliances.
EXAM TIP: As a best practice, enable log redundancy across
collectors if you add multiple Log Collectors to a single Collector
group. This option requires each Log Collector to have the same
number of logging disks.
B. Go to Panorama > Managed Collectors to verify that the Log
Collector configuration is synchronized with Panorama. The
Configuration Status column should display In Sync, and the Run-Time
Status column should display Connected.
C. Access the Log Collector CLI and enter the following command to
verify that its interfaces are operational:
> show interface all
The output should display the state as "up" for each operational
interface.
D. If the Collector Group includes multiple Log Collectors, troubleshoot
connectivity to network resources to ensure they can communicate with
each other. Perform a Ping connectivity test for each interface that the
Log Collectors use. For the source IP address, specify the interface of
one of the Log Collectors, and for the host IP address, specify the
matching interface of another Log Collector in the same Collector
Group.
Enable Panorama Mode on a Panorama Virtual Appliance
Panorama mode enables the Panorama virtual appliance to function as a
Panorama management server with the capability for local log collection. By
default, when you initially deploy a Panorama virtual appliance on Amazon
Web Services (AWS), AWS GovCloud, Azure, Google Cloud Platform,
KVM, Hyper-V, ESXi, or vCloud Air and attach at least one virtual logging
disk, it operates in Panorama mode.
However, it is important to note that while still supported, switching from
Legacy mode with a 50GB logging disk to Panorama mode is not
recommended for production environments. If you switch to Panorama mode
with a 50GB logging disk, you cannot add additional logging disks. Here are
the steps to switch to Panorama mode:
Step 1: Log in to the Panorama CLI.
Step 2: Execute the command to switch to Panorama mode:
> request system system-mode panorama
Confirm the mode change by entering 'Y.' This action triggers a reboot of
the Panorama virtual appliance. If the reboot process causes your
terminal emulation software session to terminate, reconnect to the
Panorama virtual appliance to access the Panorama login prompt.
If you encounter a CMS Login prompt, the Panorama virtual appliance
has not finished rebooting. Press Enter at the prompt without entering a
username or password.
Step 3: To verify that the switch to Panorama mode was successful, log back
into the CLI and enter the following command:
> show system info | match system-mode
If the mode change is successful, the output should display:
system mode: panorama
It confirms that the Panorama virtual appliance has transitioned to Panorama
mode.
Set up a Management-Only Mode Panorama Virtual Appliance
Management Only mode allows the Panorama virtual appliance to function
solely as a Panorama management server without the capability for local log
collection. By default, when you initially deploy the Panorama virtual
appliance, it operates in Panorama mode, which includes log collection
capabilities. Switching the Panorama virtual appliance to Management Only
mode is recommended immediately after the initial deployment. Please note
that changing to Management Only mode is best done when no logs are being
forwarded to the Panorama management server because Management Only
mode does not support log collection. When you switch to Management Only
mode, any existing log data stored on the Panorama virtual appliance
becomes inaccessible. Features like the ACC (Application Command Center)
and reporting cannot query the logs stored on the Panorama virtual appliance.
For Panorama virtual appliances initially deployed in Legacy mode, changing
to Management Only mode has no impact on the appliance. However, as a
precaution, Palo Alto Networks recommends taking a virtual machine
snapshot of your Panorama virtual appliance to ensure you have a backup in
case of unexpected issues.
EXAM TIP: If you previously configured a local Log Collector, it
will still exist on Panorama when you switch to Management Only mode,
even though it would not have log collection capabilities. Deleting the local
Log Collector (found under Panorama > Managed Collectors) also deletes
the Eth1/1 interface configuration, which the local Log Collector uses by
default. If you choose to delete the local Log Collector, you will need to
reconfigure the Eth1/1 interface.
Step 1: Log in to the Panorama CLI.
Step 2: Execute the command to switch to Management Only mode:
> request system system-mode management-only
Confirm the mode change by entering 'Y.' This action triggers a reboot of the
Panorama virtual appliance. If the reboot process causes your terminal
emulation software session to terminate, reconnect to the Panorama virtual
appliance to access the Panorama login prompt. If you encounter a CMS
Login prompt, the Panorama virtual appliance has not finished rebooting.
Press Enter at the prompt without entering a username or password.
Step 3: To verify that the switch to Management Only mode was successful,
log back into the CLI and enter the following command:
> show system info | match system-mode
If the mode change is successful, the output should display:
system mode: management-only
It confirms that the Panorama virtual appliance has transitioned to
Management Only mode.
Expand the Panorama Virtual Appliance's Log Storage Capacity
After completing the initial configuration of the Panorama Virtual Appliance,
the ability to increase log storage capacity depends on the specific virtual
platform being used (VMware ESXi, vCloud Air, AWS, AWS GovCloud,
Azure, Google Cloud Platform, KVM, or Hyper-V) and the operating mode
(Legacy, Panorama, or Log Collector mode). Detailed information about
supported models can be found in the Panorama Models documentation.
Additional logging disks must be added. Attempting to expand the storage
capacity of an existing logging disk is not supported, and Panorama will not
recognize the additional storage space to expand the Panorama virtual
appliance's log storage capacity. For example, if you initially added a 2TB
logging disk and later attempted to expand it to 4TB, Panorama would still
perceive it as having 2TB of storage capacity. It would not utilize the
additional 2TB of storage space.
Upgrade the Panorama Virtual Appliance's CPU and Memory
During the initial configuration of the Panorama Virtual Appliance, you
determine the memory and the number of CPUs needed. This decision is
influenced by whether the appliance is in Panorama mode or Management
Only mode, as well as factors like log storage capacity and the number of
managed firewalls. If you expand the storage capacity or manage additional
firewalls, consider increasing the memory and CPUs accordingly.
However, it is worth noting that a Panorama virtual appliance operating in
Log Collector mode must adhere to the specified system requirements but
does not necessarily require additional CPU and memory beyond the
minimum requirements.
Increase the System Disk on the Panorama Virtual Appliance:
It is recommended to increase the system disk capacity of the Panorama
virtual appliance to 224GB. This expansion provides the necessary storage
capacity to accommodate large datasets and ensure ample disk space for
various functions, such as dynamic updates when managing extensive
firewall deployments or monitoring and reporting data for SD-WAN
deployments.
Convert Your Panorama Virtual Appliance
You can transition your evaluation Panorama virtual appliance into a fully
operational production Panorama virtual appliance, preserving its current
configuration and enabling you to utilize its management capabilities.
Suppose you already use an Enterprise License Agreement (ELA) licensing
model. In that case, you can also convert an existing production Panorama
virtual appliance to take advantage of the benefits offered by ELA licensing.
Set Up the M-Series Appliance
The M-600, M-500, M-200, and M-100 appliances are high-performance
hardware devices capable of operating in three different modes: Management
Only mode (serving as Panorama management servers with no local log
collection), Panorama mode (acting as Panorama management servers with
local log collection), or Log Collector mode (functioning as Dedicated Log
Collectors). These appliances offer multiple interfaces that can be allocated to
various Panorama services, such as firewall management and log collection.
Before configuring the appliance, it is essential to plan how to set up these
interfaces to enhance security, facilitate network segmentation in large-scale
deployments, and distribute traffic efficiently for various Panorama services.
Register Panorama and Install Licenses
Before utilizing Panorama for centralized management, logging, and
reporting, you must complete registering, activating, and retrieving the
necessary Panorama device management and support licenses. Every
Panorama instance must have valid licenses to allow you to manage firewalls
and access support services. The device management license is associated
with the maximum number of firewalls that Panorama can manage and is
based on the serial numbers of the firewalls, irrespective of the number of
virtual systems within each firewall. The support license facilitates Panorama
software and dynamic content updates, such as the latest Applications and
Threat signatures.
It is important to note that Panorama virtual appliances on AWS and Azure
must be acquired directly from Palo Alto Networks and cannot be procured
from the AWS or Azure marketplaces.
Upon upgrading your Panorama virtual appliance to PAN-OS 8.1, you will
receive prompts if a capacity license has not been successfully installed or the
total number of managed firewalls exceeds the device management license
limit. You have a 180-day window from the upgrade date to either install a
valid device management license or adjust the number of managed firewalls
to comply with the license requirements. During this period, all commits will
fail if a valid device management license is not in place or the license limit is
exceeded.
Contact your Palo Alto Networks sales representative or an authorized
reseller to acquire a device management license. If you intend to use the
cloud-based Cortex Data Lake, you will also need a Cortex Data Lake license
in addition to the firewall management and premium support licenses. Contact
your Palo Alto Networks Systems Engineer or a reseller for license purchases.
Install the Panorama Device Certificate
Installing a device certificate is imperative to utilize cloud services with the
Panorama management server. The process only needs to be done once, and
the device certificate has a lifespan of 90 days. The firewall will
automatically renew the device certificate 15 days before it expires. To ensure
the successful installation of the device certificate, Panorama should have
outbound Internet access, and your network must permit the following Fully
Qualified Domain Names (FQDN) and ports:
Step 1: Generate a One Time Password (OTP).
EXAM TIP: The OTP remains valid for 60 minutes and expires if
not used within that time.
Panorama will make only one attempt to retrieve the OTP from the CSP
(Customer Support Portal). If unsuccessful, the OTP expires, necessitating the
generation of a new one.
Step 2: Log in to the Customer Support Portal as a Superuser (Superuser
privileges are necessary).
Navigate to Products > Device Certificates and choose Generate OTP.
Select "Generate OTP for Panorama" as the Device Type, then generate the
OTP for the specific Panorama Device serial number.
Copy the OTP after generating it.
Step 3: Configure the Network Time Protocol (NTP) server:
An NTP server is essential to validate the expiration date of the device
certificate, ensuring it does not expire prematurely or become invalid.
1. Within Panorama's Web Interface, access Panorama > Setup >
Services.
2. Choose NTP and input the hostname or IP address of the Primary NTP
Server.
3. Optionally, you can also specify a Secondary NTP Server.
4. To enable time update authentication from the NTP server(s), select an
Authentication Type for each server:
None (default) for no NTP authentication.
Symmetric Key to use shared secrets for NTP authentication.
Specify the Key ID (1-65534) and the desired algorithm (MD5 or
SHA1).
5. Save your configuration changes by clicking OK.
6. Commit the changes by selecting Commit and then Commit to
Panorama.
Step 4: Log in to the Panorama Web Interface as an admin user.
Step 5: Proceed to Panorama > Setup > Management > Device
Certificate Settings.
Step 6: Click on Get the certificate and provide the One-time Password
(OTP) you previously generated.
Step 7: Panorama will successfully retrieve and install the certificate.
Install the Device Certificate for a Dedicated Log Collector
Installing a device certificate is crucial to utilize Device Telemetry on the
Dedicated Log Collector. The device certificate comes with 90-day validity,
and the Dedicated Log Collector will automatically renew it 15 days before it
expires. To ensure the successful installation of the device certificate, the
Dedicated Log Collector must have outbound Internet access, and your
network should allow communication with the following Fully Qualified
Domain Names (FQDN) and ports:
Step 1: You must manually install the device certificate on each Dedicated
Log Collector individually, as installing it from the Panorama management
server is not supported.
Step 2: Log in to the Dedicated Log Collector CLI as a Superuser. You must
have admin privileges with Superuser access to apply the OTP for the device
certificate installation on the Dedicated Log Collector.
Step 3: Check the current status of the device certificate on the Dedicated
Log Collector by running the following command:
admin> show device-certificate status
The Dedicated Log Collector will provide one of the following responses:
1. Device certificate was never installed—No device certificate found.
2. Device certificate expired—Current device certificate status: Expired,
along with details about the previous device certificate's lifetime and
the last fetch attempt.
3. Device certificate fetch failed, along with information about the last
attempted device certificate fetch.
EXAM TIP: Generate a One Time Password (OTP) with a 60-minute
validity. The OTP becomes invalid if not used within that timeframe. Be
aware that the firewall will make only one attempt to retrieve the OTP from
the Customer Support Portal (CSP). If the attempt fails, the OTP will expire,
and you must generate a new one.
4. Log in to the Customer Support Portal as a Superuser. Superuser
privileges are necessary to generate the OTP.
5. In the Customer Support Portal, navigate to "Products" > "Device
Certificates" and select Generate OTP.
6. Choose Generate OTP for Panorama as the Device Type and generate
the OTP for the specific Panorama Device serial number. Remember to
copy the OTP.
Step 4: Return to the Dedicated Log Collector CLI, where you have logged
in as an admin with Superuser access.
Step 5: Configure the Network Time Protocol (NTP) server to validate the
device certificate's expiration date properly. It prevents the device certificate
from expiring prematurely or becoming invalid. Use the following
commands:
admin> configure
admin# set deviceconfig system ntp-servers primary-ntp-server ntp-server-address <ip_address>
admin# set deviceconfig system ntp-servers secondary-ntp-server ntp-server-address <ip_address>
admin# commit
admin# exit
Install the device certificate by running the following command:
admin> request certificate fetch otp <otp_value>
Verify the successful installation of the device certificate with the following
command:
admin> show device-certificate status
A successful device certificate installation will display the appropriate
response, confirming that the certificate is installed and ready for use.
Device Certificate information:
Current device certificate status: Valid
Not valid before: 2022/11/30 15:17:47 PST
Not valid after: 2023/02/28 15:17:47 PST
Last fetched timestamp: 2022/11/30 15:29:42 PST
Last fetched status: success
Last fetched info: Successfully fetched Device Certificate
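An operator checking a fleet of Log Collectors wants to know where each device certificate sits relative to its automatic renewal. The following Python helper is an added example, not Palo Alto Networks code: it parses the show device-certificate status output in the shape shown above (the samples are constructed copies of that shape), applies the 90-day lifetime and 15-day renewal rule from the text, and assumes the trailing zone abbreviation on timestamps can be dropped.

```python
"""Parse 'show device-certificate status' output from a Panorama or Dedicated
Log Collector CLI and work out where the 90-day device certificate sits
relative to its automatic renewal (15 days before expiry).

Added example, not Palo Alto Networks code. The sample outputs are
constructed to match the response shapes described in the guide."""

import re
from datetime import datetime, timedelta
from typing import Optional

CERT_LIFETIME_DAYS = 90   # validity of the device certificate
RENEW_BEFORE_DAYS = 15    # the appliance renews this many days before expiry
TS_FORMAT = "%Y/%m/%d %H:%M:%S"
_TS_RE = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample: the 'Valid' response shape.
SAMPLE_VALID = """\
Device Certificate information:
Current device certificate status: Valid
Not valid before: 2022/11/30 15:17:47 PST
Not valid after: 2023/02/28 15:17:47 PST
Last fetched timestamp: 2022/11/30 15:29:42 PST
Last fetched status: success
Last fetched info: Successfully fetched Device Certificate
"""

# Constructed sample: the response when no certificate was ever installed.
SAMPLE_NOT_INSTALLED = "No device certificate found.\n"


def _field(output: str, label: str) -> Optional[str]:
    """Return the value printed after 'label:' or None if the line is absent."""
    m = re.search(rf"^{re.escape(label)}:\s*(.*?)\s*$", output, re.MULTILINE)
    return m.group(1) if m else None


def _timestamp(value: Optional[str]) -> Optional[datetime]:
    """Parse '2022/11/30 15:17:47 PST'. Assumption: the trailing zone
    abbreviation is dropped and times are compared in the appliance's zone."""
    if not value:
        return None
    m = _TS_RE.match(value)
    return datetime.strptime(m.group(1), TS_FORMAT) if m else None


def parse_device_cert_status(output: str) -> dict:
    """Extract status, validity window and last-fetch result from the CLI text."""
    if "No device certificate found" in output:
        return {"status": "not-installed"}
    status = (_field(output, "Current device certificate status") or "unknown").lower()
    return {
        "status": status,
        "not_before": _timestamp(_field(output, "Not valid before")),
        "not_after": _timestamp(_field(output, "Not valid after")),
        "last_fetch_status": _field(output, "Last fetched status"),
        "last_fetch_info": _field(output, "Last fetched info"),
    }


def assess(output: str, now_text: str) -> dict:
    """Judge the certificate at time 'now_text' (CLI timestamp format without
    the zone) and say what, if anything, the operator must do."""
    info = parse_device_cert_status(output)
    now = datetime.strptime(now_text, TS_FORMAT)
    result = {"status": info["status"], "validity_days": None,
              "days_to_renewal": None,
              "action": "no action; automatic renewal pending"}
    refetch = "fetch a new certificate with a fresh OTP (request certificate fetch otp)"
    if info["status"] == "not-installed":
        result["action"] = refetch
        return result
    nb, na = info.get("not_before"), info.get("not_after")
    if nb and na:
        renewal_due = na - timedelta(days=RENEW_BEFORE_DAYS)
        result["validity_days"] = (na - nb).days
        result["days_to_renewal"] = (renewal_due - now).days
        if now >= na:
            result["status"] = "expired"
        elif now >= renewal_due:
            result["action"] = "inside the 15-day auto-renew window; confirm the renewal succeeded"
    if result["status"] == "expired":
        result["action"] = refetch
    elif info.get("last_fetch_status") not in (None, "success"):
        # Third response shape in the guide: the last fetch attempt failed.
        result["action"] = f"last fetch failed ({info.get('last_fetch_info')}); {refetch}"
    return result


if __name__ == "__main__":
    for label, sample in (("valid", SAMPLE_VALID), ("none", SAMPLE_NOT_INSTALLED)):
        print(label, assess(sample, "2022/12/15 00:00:00"))
```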
Install Content and Software Updates for Panorama
A valid support subscription is crucial as it grants access to the Panorama
software image and release notes. This access is essential for staying up-to-date
with the latest fixes and security enhancements. Upgrading to the most recent
software and content updates is recommended to ensure your system benefits
from these improvements. Your reseller or a Palo Alto Networks Systems
Engineer can guide you on the updates that best suit your deployment. The
specific procedure for installing these updates depends on whether your
Panorama has a direct Internet connection and whether it is part of a high
availability (HA) configuration.
It is worth noting that M-100 appliances are supported in PAN-OS 9.1 only if
their memory has been upgraded from the default 16GB to 32GB; without that
memory upgrade they are not compatible with PAN-OS 9.1.
Transition to a Different Panorama Model
If your network requirements evolve, such as increased logging rates, you can
migrate your Panorama management server and Dedicated Log Collectors to
Panorama Models better suited to meet these new demands.
EXAM TIP: The transition process involves importing the Panorama
configuration from your old Panorama into the new one.
Before you embark on the transition journey, you must ensure that both the
old and new Panorama systems operate in the same Panorama mode,
whether Management Only or Panorama mode.
Access and Navigate Panorama Management Interfaces
Panorama offers three management interfaces to cater to different user
preferences and needs:
Web Interface: The Panorama web interface boasts a user-friendly
design reminiscent of the firewall web interface. If you are already
acquainted with the firewall interface, you will find it easy to navigate,
perform administrative tasks, and generate reports using the Panorama
web interface. Its graphical interface provides secure access through
HTTPS and is the preferred method for conducting administrative
operations. If you ever need to enable HTTP access to Panorama, you
can make the necessary adjustments in the Management Interface
Settings under the Panorama > Setup > Management tab.
Command-Line Interface (CLI): The CLI offers a straightforward
interface where you can swiftly execute a sequence of commands to
accomplish various tasks. The CLI supports two distinct command
modes—operational and configuration—each with its hierarchy of
commands and statements. Once familiar with the command structure
and syntax, the CLI enables rapid responses and efficient administrative
work.
XML API: The XML-based API is a web service that utilizes
HTTP/HTTPS requests and responses. It empowers you to streamline
your operational processes and seamlessly integrate Panorama with your
existing in-house applications and repositories. This interface helps you
automate tasks and integrate Panorama functionality into your own custom
solutions.
Set Up Administrative Access to Panorama
Panorama employs Role-Based Access Control (RBAC) to allow you to
define the permissions and roles of administrators. The following sections
provide details on establishing administrator roles, access domains, and
accounts for interacting with the Panorama web interface and Command-Line
Interface (CLI).
Configure an Admin Role Profile
Admin Role profiles are customized administrative roles that allow you to
define precise access permissions, ensuring the security of sensitive company
data and user privacy. As a recommended practice, create Admin Role
profiles tailored to grant administrators access only to the specific areas of the
management interfaces required for their tasks.
Step 1: Navigate to Panorama > Admin Roles and click on Add.
Step 2: Provide a Name for the profile and select the Role type: Panorama
or Device Group and Template.
Step 3: Configure access privileges for each functional area in Panorama
(Web UI) and firewalls (Context Switch UI) by adjusting the icons to the
desired setting: Enable (read-write), Read Only, or Disable.
EXAM TIP: If administrators with custom roles must commit
device group or template changes to managed firewalls, they must have
read-write access to Panorama > Device Groups and Panorama >
Templates. If you are upgrading from an earlier Panorama version, the
upgrade process automatically provides read-only access to these nodes.
Remember that context-switching privileges in Panorama roles do not
manage access to the firewall CLI or XML API.
Step 5: If the Role type is Panorama, configure access to the XML API by
toggling the Enabled/Disabled icon for each functional area.
Step 6: If the Role type is Panorama, select an access level for the
Command-Line Interface (CLI): None (default), superuser, superreader, or
panorama-admin.
Step 7: Click OK to save the profile.
Configure an Access Domain
You can utilize Access Domains to define specific access rights for Device
Group and Template administrators, particularly for designated device groups
and templates. Access Domains also control the administrators' ability to
switch to the web interface of managed firewalls. Panorama supports the
creation of up to 4,000 access domains.
Here's how to set up an Access Domain:
Step 1: Navigate to Panorama > Access Domain and click on Add.
Step 2: Provide a descriptive Name for the access domain.
Step 3: Choose an access privilege for Shared Objects:
Write: Administrators can perform all operations on Shared objects (this
is the default setting).
Read: Administrators can view and clone Shared objects but cannot
execute other operations. When adding non-shared objects or cloning
Shared ones, the destination must be a device group within the access
domain, not in the Shared location.
Shared-only: Administrators can add objects solely to the Shared
location. They can view, edit, and delete Shared objects but cannot
move or clone them. Consequently, administrators cannot perform any
operations on non-shared objects except for viewing them. It is useful
for organizations requiring all objects to be in a unified, global
repository.
Step 4: In the Device Groups tab, toggle the icons to enable read-write or
read-only access for device groups within the access domain. If you have set
the Shared Objects access to shared-only, read-only access will apply to
objects in device groups for which you have specified read-write access.
Step 5: Add each template you wish to assign to the access domain in the
Templates tab.
Step 6: Go to the Device Context tab, select the firewalls you want to assign
to the access domain, and click OK. Administrators can access the web
interface of these firewalls by using the Context drop-down menu in
Panorama.
Configure Administrative Accounts and Authentication
If you have set up an authentication profile or if authentication is unnecessary
for your administrators, you can proceed with configuring a Panorama
Administrator Account.
Set Up Authentication Using Custom Certificates
Palo Alto Networks devices typically rely on predefined certificates for
mutual authentication while establishing SSL connections for various
purposes, including management access and communication between devices.
However, it is possible to configure authentication using custom certificates
as an alternative approach. Furthermore, custom certificates can enhance the
security of High Availability (HA) connections between Panorama HA peers.
Custom certificates offer the advantage of establishing a distinct chain of
trust, ensuring mutual authentication between Panorama, managed firewalls,
and log collectors.
Lab 9-01: Add Firewall into Panorama
Case Study
Acme Corporation, a global leader in technology solutions, operates a vast
and complex network infrastructure to support its worldwide operations. With
over 15,000 employees across the globe and annual revenues exceeding $3
billion, Acme is committed to delivering innovative products and services to
its customers. The company’s services span various industries, from
healthcare and finance to e-commerce, making network security and
reliability paramount to its operations.
Acme Corporation’s network spans multiple continents and regions. The
company maintains data centers across North America, Europe, and Asia to
ensure efficient service delivery and redundancy. With over 50 branch offices,
connecting thousands of employees, and serving millions of customers, the
company’s network is both vast and dynamic.
Business Challenge
Acme Corporation, a global technology leader with a vast network
infrastructure, faces significant challenges in managing its network security
effectively. With numerous Palo Alto Firewalls distributed across its network,
the company grapples with several complex issues, such as a lack of
centralized management, network complexity, and rapid changes in network
security.
Separately managing a multitude of Palo Alto Firewalls has become a
daunting task. The absence of centralized control results in inefficiencies,
increased risk, and the potential for human error in policy enforcement and
updates. As a Palo Alto Network Security Engineer, implement a solution to
centralize the management of all the Firewalls.
Solution
To address this business challenge, Acme Corporation must deploy Palo Alto
Networks’ Panorama, a centralized security management platform, and
integrate its existing Palo Alto Firewalls into this platform. The Panorama
solution offers several key advantages, such as centralized management,
streamlined policy updates, efficient monitoring and reporting, and enhanced
scalability.
Panorama provides a single pane of glass for managing multiple Palo Alto
Firewalls across diverse locations. Panorama allows Acme Corporation to
swiftly deploy policy changes, firmware updates, and threat prevention
profiles across its entire network from a central location. With Panorama, the
company can monitor the network’s security posture more effectively,
utilizing detailed reports and logs to gain insights into network activity and
threats.
By integrating its Palo Alto Firewalls into the Panorama management
platform, Acme Corporation can streamline its security management, boost
efficiency, and ensure the highest level of protection against evolving cyber
threats. This solution empowers the company to overcome the complexity of
its large network and maintain consistent security policies while adapting to
the ever-changing threat landscape.
Follow the steps to complete the lab:
1. IP Address Assignment to Panorama (Similar to Firewalls)
2. Add Firewall into Panorama
3. Commit
Figure 9-02: Add Firewall into Panorama
IP Address Assignment to Panorama (Similar to Firewalls)
Run the following commands:
> configure
# set deviceconfig system ip-address <Panorama-IP> netmask <netmask> default-gateway <gateway-IP> dns-setting servers primary <DNS-IP>
# commit
# exit
Add Firewall into Panorama
Log into Panorama.
a. Open a web browser and navigate to the URL https://<panorama-ip-address>
b. Enter your Panorama username and password.
c. Click Login.
1. Navigate to Panorama > Managed Devices > Summary.
2. Click on the +Add button to add Firewall to Panorama.
3. The Add Device window pops up. You need to get the Serial number
from the Firewall.
4. Log into the Firewall and copy the Serial# from the General
Information card under the Dashboard tab.
5. Go back to the Panorama and paste the Serial number. Click the
Generate Auth Key button.
6. Click the OK button to save it.
7. Click the OK button again.
8. Go to the Firewall and click the edit icon on the Panorama Settings
card under the Device tab.
9. Enter the IP Address of Panorama in the Panorama Servers section.
Click the OK button.
Commit
10. Commit the changes to save all the configurations on the Firewall
and the Panorama.
11. You can see the Connected Firewall on the Panorama under the
Panorama tab.
Configure Templates and Template Stacks
This section will define a template stack to centrally manage and update
firewall configurations.
Components Configured in a Template
You will go to Panorama > Templates > Add Stack to create a template
stack and enter a name for the stack. Template stacks can combine up to eight
templates. Add templates in the order of priority. Next, in the Devices section,
select the firewalls to assign to the stack. A firewall can only be assigned to
one template stack. Optionally, select Group HA Peers for the firewalls in a
high availability (HA) configuration.
Template Order Impact on Firewall Configuration Push
You can establish a priority order within a stack of templates to ensure that
Panorama delivers a single, unambiguous configuration value for any
duplicated setting. To illustrate this concept, as shown in Figure 9-03, let's
consider a scenario: Picture a data center stack in which the data center
template takes precedence over the global template, exemplifying how
prioritization effectively resolves potential configuration conflicts.
EXAM TIP: To push a device group configuration containing
references to template or template stack variables, you must access the Edit
Selections and ensure that the Device and Network Templates are included.
Figure 9-03: Template Stacks
Overriding a Template Value in a Stack
While templates and template stacks offer a way to apply a foundational
configuration to multiple firewalls, there are situations where you need to
customize settings on a per-firewall basis. These configurations may not
apply to all the firewalls within a template or template stack. Conversely, you
might want to alter the template settings to create a modified template stack
configuration that serves as the base for all managed firewalls. Overrides
provide the flexibility to accommodate exceptions or adjustments in your
configuration. For example, when employing a template to create a baseline
configuration, you may encounter a scenario where a subset of firewalls, such
as those in a test lab, requires distinct settings for DNS server IP addresses or
Network Time Protocol servers. In such cases, you can override the template
and template stack settings.
Overrides can be implemented in one of two ways:
By using Variables: You can define values locally on a firewall to
override settings pushed from a template or template stack. Alternatively,
you can create firewall-specific variables to override template or template
stack values.
By utilizing a Template Stack: Define values or variables within the
template stack to supersede settings pushed from a template.
Configure Variables in Templates
Template stack variables as shown in Figure 9-04 can substitute IP addresses,
group IDs, and interfaces within configurations. These variables provide a
practical way to minimize the overall quantity of templates and template
stacks required. Consequently, you can achieve a more streamlined approach
by using fewer templates and template stacks, all while accommodating
distinct values that would have previously warranted individual templates or
template stacks.
Figure 9-04: Template Stack Variable
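As an added example (not from the study guide or from Palo Alto Networks), this Python models how a template stack settles a setting that several layers define, covering the eight-template limit, the one-stack-per-firewall rule, template priority order, stack-level and firewall-local overrides, and $variable substitution. The precedence order is an assumption that follows the text: firewall-local override, then a value set on the stack, then the first template in priority order; the template names, settings and addresses are constructed.

```python
# Added example, not from the study guide or Palo Alto Networks code. Assumed
# precedence, following the text: firewall-local override > value defined on the
# stack > first template in priority order; "$variables" resolve from the
# firewall's own values first, then the stack's defaults.
from dataclasses import dataclass, field

MAX_TEMPLATES_PER_STACK = 8   # limit stated in the guide


@dataclass
class Template:
    name: str
    settings: dict = field(default_factory=dict)   # setting path -> value or "$variable"


@dataclass
class TemplateStack:
    name: str
    templates: list                                        # highest priority first
    stack_values: dict = field(default_factory=dict)       # values defined on the stack
    variable_defaults: dict = field(default_factory=dict)  # "$name" -> default value

    def __post_init__(self):
        if len(self.templates) > MAX_TEMPLATES_PER_STACK:
            raise ValueError(f"{self.name}: at most {MAX_TEMPLATES_PER_STACK} templates")


@dataclass
class Firewall:
    name: str
    local_overrides: dict = field(default_factory=dict)   # overrides set on the firewall
    variable_values: dict = field(default_factory=dict)   # firewall-specific "$name" values


class Panorama:
    """A firewall belongs to exactly one stack; resolve what would be pushed."""

    def __init__(self):
        self.stack_of = {}

    def assign(self, fw, stack):
        current = self.stack_of.get(fw.name)
        if current is not None and current is not stack:
            raise ValueError(f"{fw.name} is already in stack {current.name}")
        self.stack_of[fw.name] = stack

    def effective_config(self, fw):
        """Return (resolved settings, source of each value)."""
        stack = self.stack_of[fw.name]
        keys = set(stack.stack_values) | set(fw.local_overrides)
        for t in stack.templates:
            keys |= set(t.settings)
        resolved, sources = {}, {}
        for key in sorted(keys):
            if key in fw.local_overrides:
                raw, src = fw.local_overrides[key], f"local:{fw.name}"
            elif key in stack.stack_values:
                raw, src = stack.stack_values[key], f"stack:{stack.name}"
            else:   # first template in priority order that defines the setting wins
                tmpl = next(t for t in stack.templates if key in t.settings)
                raw, src = tmpl.settings[key], f"template:{tmpl.name}"
            resolved[key] = self._substitute(raw, fw, stack)
            sources[key] = src
        return resolved, sources

    @staticmethod
    def _substitute(value, fw, stack):
        if isinstance(value, str) and value.startswith("$"):
            if value in fw.variable_values:
                return fw.variable_values[value]
            if value in stack.variable_defaults:
                return stack.variable_defaults[value]
            raise KeyError(f"{value} has no value for {fw.name}; the push would fail")
        return value


def demo():
    """Constructed scenario in the spirit of Figure 9-03: the Datacenter template
    outranks Global, the stack sets its own banner, and a lab firewall overrides
    its DNS server and its NTP variable."""
    global_t = Template("Global", {"dns.primary": "10.0.0.53",
                                   "ntp.primary": "$ntp-primary",
                                   "login.banner": "Authorized use only"})
    dc_t = Template("Datacenter", {"dns.primary": "10.10.0.53"})
    stack = TemplateStack("DC-Stack", [dc_t, global_t],
                          stack_values={"login.banner": "Datacenter: authorized use only"},
                          variable_defaults={"$ntp-primary": "10.0.0.123"})
    pan = Panorama()
    prod = Firewall("dc-fw1")
    lab = Firewall("lab-fw1", local_overrides={"dns.primary": "192.0.2.53"},
                   variable_values={"$ntp-primary": "192.0.2.123"})
    pan.assign(prod, stack)
    pan.assign(lab, stack)
    return pan.effective_config(prod), pan.effective_config(lab)


if __name__ == "__main__":
    for cfg, src in demo():
        for key, value in cfg.items():
            print(f"{key:13} = {value:33} ({src[key]})")
```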
Panorama-Dynamic Updates, Policies, and HA Relationships
The interaction between Panorama and devices involves dynamic update
versions, policy enforcement, and managing High Availability (HA) peers.
Firewalls automatically fetch updates and apply them to enforce policies
without requiring manual configuration adjustments. Users can access the
most recent updates, review the release notes to understand the contents of
each update, and then choose the specific update they want to download and
install.
Lab 9-02: Understand and Configure Panorama Templates
Case Study
Acme Corporation, a global leader in technology solutions, operates a vast
and complex network infrastructure to support its worldwide operations. With
over 15,000 employees across the globe and annual revenues exceeding $3
billion, Acme is committed to delivering innovative products and services to
its customers. The company’s services span various industries, from
healthcare and finance to e-commerce, making network security and
reliability paramount to its operations.
Acme Corporation’s network spans multiple continents and regions. The
company maintains data centers across North America, Europe, and Asia to
ensure efficient service delivery and redundancy. With over 50 branch offices,
connecting thousands of employees, and serving millions of customers, the
company’s network is both vast and dynamic.
Business Challenge
Acme Corporation, a dynamic and growing enterprise, is grappling with the
intricacies of efficiently managing its expansive network infrastructure. With
Palo Alto Firewalls deployed across various locations and branch offices, the
company faces a substantial challenge in maintaining consistent and coherent
firewall configurations. The specific challenges are diverse Firewall
deployments, cumbersome configuration tasks, and consistency and
compliance.
Acme’s network architecture comprises a diverse set of firewall deployments
across different regions and environments. Ensuring that each Firewall
adheres to specific security policies and configurations has become a complex
and error-prone task. The absence of a unified platform for configuring and
managing firewall devices has led to a time-consuming process of manually
implementing changes and updates.
As a Palo Alto Network Security Engineer, perform the initial setup on the
Panorama so it can be used in pushing configuration consistently.
Solution
To address these pressing challenges, Acme Corporation recognizes the
essential need for Panorama Templates in its network infrastructure. This is
the very initial step while setting up Panorama. The implementation of
Panorama Templates and Template Stacks provides a comprehensive solution
to centralize management, ensure configuration consistency, and streamline
network operations. The key components of this solution are centralized
template management, configuration uniformity, efficient configuration
deployment, rapid updates and changes, and more.
Panorama Templates allow Acme to create and manage standardized
configuration templates that define security policies, NAT rules, and other
key aspects of firewall configuration. Template Stacks help ensure uniformity
by bundling templates to create a master configuration that aligns with the
organization’s security standards. This ensures that all firewall devices adhere
to the desired configuration settings.
In conclusion, the implementation of Panorama Templates and Template
Stacks offers Acme Corporation a comprehensive solution to the challenges
associated with managing diverse firewall deployments, cumbersome
configuration tasks, and the need for consistency and compliance.
Follow the steps to complete the lab:
1. Configure Panorama Templates
2. Configure Panorama Template Stack
Figure 9-05: Understand and Configure Panorama Templates
Log into Panorama.
a. Open a web browser and navigate to the URL https://<panorama-ip-address>
b. Enter your Panorama username and password.
c. Click Login.
1. Configure Panorama Templates
1. Log into Panorama and navigate to Panorama > Templates.
2. Click on the +Add button.
3. Enter DNS in the Name field. Click the OK button.
4. Click the +Add button to add one more Template.
5. Enter Log in the Name field. Click the OK button.
2. Configure Panorama Template Stack
1. Click on the +Add Stack button to add multiple Templates.
2. Enter DNS and LOG in the Name field. Select the Firewall PA-
VM. Add both the DNS and the Log Templates in the TEMPLATES
window.
3. You can see both the Templates, DNS and Log. You can also see the
DNS and LOG Template Stack.
Lab 9-03: Configure Panorama Templates and Push Zone
Configuration
Case Study
Acme Corporation, a global leader in technology solutions, operates a vast
and complex network infrastructure to support its worldwide operations. With
over 15,000 employees across the globe and annual revenues exceeding $3
billion, Acme is committed to delivering innovative products and services to
its customers. The company’s services span various industries, from
healthcare and finance to e-commerce, making network security and
reliability paramount to its operations.
Acme Corporation’s network spans multiple continents and regions. The
company maintains data centers across North America, Europe, and Asia to
ensure efficient service delivery and redundancy. With over 50 branch offices,
connecting thousands of employees, and serving millions of customers, the
company’s network is both vast and dynamic.
Business Challenge
Acme Corporation, a prominent enterprise with an extensive and distributed
network, is confronted with the daunting task of efficiently managing its Palo
Alto Firewall infrastructure across multiple regions. The company faces
several complex challenges in network security and configuration
management. These challenges include diverse firewall deployments,
inconsistent security policies, and zone-based network segmentation.
Acme’s network architecture consists of numerous firewall deployments
across various branches and data centers. Each location requires some initial
configuration that is common for all the locations, such as zones. As a Palo
Alto Network Security Engineer, configure the initial configuration and push
it to the Firewalls.
Solution
To address these intricate challenges, Acme Corporation recognizes the
critical need to deploy Panorama Template Stacks and centralize the
management of zone configurations for its Palo Alto Firewalls. This solution
provides the organization with the essential tools to streamline configuration
management, ensure consistent security policies, and simplify network
segmentation. The key components of this solution include Panorama
templates and template stacks, centralized zone configuration, and simplified
configuration deployment.
Acme leverages Panorama Templates to create standardized configurations
for different firewall deployments. These templates define security policies,
NAT rules, and other critical configuration settings. Template Stacks are
utilized to group templates, creating a hierarchical structure. This approach
streamlines the management of configurations, allowing Acme to organize
templates based on location, region, or specific requirements.
By managing zone configurations within Panorama, the organization ensures
consistency in defining and applying zones across all firewall devices. In
conclusion, deploying Panorama Template Stacks and centralizing zone
configurations provide Acme Corporation with a robust solution to the
challenges associated with diverse firewall deployments, inconsistent security
policies, and complex network segmentation.
Follow the steps to complete the lab:
1. Configure Templates and Template Stacks
2. Configure and Push Zone Configuration
3. Commit
4. Verification
Figure 9-06: Configure Panorama Templates and Push Zone Configuration
Log into Panorama.
a. Open a web browser and navigate to the URL https://<panorama-ip-address>
b. Enter your Panorama username and password.
c. Click Login.
1. Configure Templates and Template Stacks
1. Navigate to Panorama > Templates
Click the Add button to create a new Template. Four Templates are
already created; the last Template (Global) is created in this step.
Note: Create a separate Template for every LAN or site you have in the
topology. In this case, there are four sites (one Template for each) and a
Global Template.
2. Enter Global in the Name field and Zones in the Description field.
Click the OK button to save it. Global Template has rules that are
common for all the sites.
3. You can see the Global as well as the individual Templates for sites.
4. Click on the Add Stack button to create a Template Stack.
5. Enter India-Stack in the Name field. Select the Firewall that is part of
the site India, which is PA-VM1. Select the Templates: India-Site and
Global. Click the OK button to save it.
6. You can see the newly configured India-Stack. It has the Global
Template and the India-Site Template.
Note: Template Stacks for all the other sites are also configured just like
India-Stack but are not shown in this lab due to repetitive tasks.
7. Commit the changes in the Panorama. Click the Commit button to start
committing.
2. Configure and Push Zone Configuration
1. Navigate to Templates > Network > Zones
Select Global in the drop-down Template menu.
2. Click on the Add button to configure Zone.
3. Enter Inside in the Name field. Click on the OK button to save it. This
Zone is created in the Global Template that is common for all the sites.
4. Create another Zone named Outside. Click the OK button to save it.
This Zone is created in the Global Template that is common for all the
sites.
3. Commit
1. Start committing the changes.
2. Click on the Push to Devices option to push the configuration to all the
devices whose Template Stack includes the Global Template. Every site's
Template Stack includes the Global Template, so the common configuration,
such as the Inside and Outside Zones, reaches every Firewall.
3. Click the Push button to push the configuration to the Firewalls.
4. Verification
Go to a Firewall and navigate to Network > Zones
You can see the pushed configurations for Inside and Outside Zones.
Configure Device Groups
To effectively utilize Panorama, it is necessary to categorize the network's
firewalls into logical device groups. These device groups serve as a means of
grouping firewalls based on various factors such as network segmentation,
geographical location, organizational roles, or any other shared characteristic
that requires similar policy configurations. Device groups are crucial in
configuring policy rules and managing the associated objects. You can
arrange device groups in a hierarchical structure, where shared rules and
objects exist at the highest level while subsequent levels accommodate device
group-specific rules and objects. This organizational approach allows you to
establish a rule hierarchy that dictates how firewalls handle network traffic.
For instance, you can create shared rules to define a corporate acceptable use
policy. Then, suppose you need to control access to peer-to-peer traffic like
BitTorrent. In that case, you can create a device group rule, which Panorama
selectively pushes to only the regional offices, or set up a shared Security rule
and direct it specifically at the regional offices.
Device Group Hierarchies
Device Groups
You can establish a hierarchy of device groups, allowing you to nest up to
four levels of device groups. Lower-level groups inherit the policy rules and
objects from higher-level groups in this structure. At the bottommost level, a
device group can have ancestors that include parent, grandparent, and
great-grandparent device groups. Conversely, a device group at the highest
level can have descendants that include child, grandchild, and great-grandchild
device groups. All device groups inherit settings from a shared location,
which serves as a container at the top of the hierarchy for configurations that
apply universally across all device groups.
Creating a hierarchy of device groups streamlines the organization of
firewalls based on common policy requirements while eliminating redundant
configurations. For instance, you can configure global settings shared among
all the firewalls, establish device groups with function-specific settings at the
first level, and set up device groups with location-specific settings at lower
levels. Without such a hierarchy, you would be compelled to configure
function-specific and location-specific settings for every device group within
a single level under the shared location.
Figure 9-07: Device Group Hierarchy
Identify What Device Groups Contain
Device groups provide a layered approach for administering policies across a
managed firewall network. Policy rules are assessed based on layers (shared,
device group, and local) and types (pre-rules, post-rules, and default rules) in
the sequence depicted in the accompanying diagram:
Figure 9-08: Layered Approach and Types
Distinguishing Use Cases: Pre, Local, Default, Post Rules
When incoming traffic reaches the firewall, it executes the action specified in
the first rule that matches the traffic and ignores all subsequent rules. Whether
you are viewing rules on a firewall or in Panorama, the web interface displays
them in the order of evaluation. All the rules inherited from Panorama, be
they shared, device group, or default rules, are highlighted in orange. Local
firewall rules are positioned between the pre-rules and post-rules.
Policy rules refer to Objects as essential configuration elements, such as IP
addresses, URL categories, Security Profiles, users, services, and
applications. Rules of any type (pre-rules, post-rules, default rules, and
locally defined rules on a firewall) and any rulebase (security, NAT, QoS,
PBF, decryption, Application Override, Captive Portal, and DoS protection)
can make use of objects. You can utilize an object in any rules that share the
same scope within the device group hierarchy.
For instance, if you create an object in the shared location, all the rules in the
hierarchy can use that shared object since device groups inherit objects from
the shared location. However, if you create an object within a specific device
group, only the rules within that device group and its descendant device
groups can utilize that device group object. Should you need object values
within a device group to differ from those inherited from an ancestor device
group, you can override the inherited object values. You can also return to the
inherited object values at any point. By generating objects for shared or
device group policies that can be used repeatedly, you minimize
administrative complexity and ensure uniformity in firewall policies. When
incorporating new policy rules into a Panorama device group, it is necessary
to determine the device group and decide whether the rules should be pre-
rules or post-rules.
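As an added example (not from the study guide or from Palo Alto Networks), this Python models the layered, first-match rule evaluation described above for a firewall in a nested device group, including the four-level nesting limit and the two default rules. The evaluation order is an assumption drawn from the text (shared pre-rules, device group pre-rules from the top of the hierarchy down, local rules, device group post-rules from the firewall's group back up, shared post-rules, default rules); the device groups, zones and rule names are constructed.

```python
# Added example, not from the study guide or Palo Alto Networks code: a model of
# the layered rule evaluation the text describes. Assumed order: shared
# pre-rules, device group pre-rules from the top of the hierarchy down to the
# firewall's group, local rules, device group post-rules from the firewall's
# group back up, shared post-rules, then the default rules. First match wins.
from dataclasses import dataclass, field
from typing import Optional

MAX_NESTING = 4   # device group levels below Shared, per the guide


@dataclass
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src_zone: str = "any"
    dst_zone: str = "any"
    app: str = "any"
    intrazone: Optional[bool] = None  # used only by the two default rules

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        if self.intrazone is not None and (src_zone == dst_zone) != self.intrazone:
            return False
        return all(want in ("any", got) for want, got in
                   ((self.src_zone, src_zone), (self.dst_zone, dst_zone), (self.app, app)))


# Predefined rules that sit last in every rulebase.
DEFAULT_RULES = [Rule("intrazone-default", "allow", intrazone=True),
                 Rule("interzone-default", "deny", intrazone=False)]


@dataclass
class DeviceGroup:
    name: str
    parent: Optional["DeviceGroup"] = None   # None means directly under Shared
    pre_rules: list = field(default_factory=list)
    post_rules: list = field(default_factory=list)

    def chain(self) -> list:
        """[self, parent, grandparent, ...]; rejects nesting deeper than the limit."""
        nodes, node = [], self
        while node is not None:
            nodes.append(node)
            node = node.parent
        if len(nodes) > MAX_NESTING:
            raise ValueError(f"{self.name} is nested {len(nodes)} deep; max {MAX_NESTING}")
        return nodes


def evaluation_order(shared: DeviceGroup, group: DeviceGroup, local_rules: list) -> list:
    """Ordered (layer, rule) pairs as a firewall in `group` evaluates them."""
    chain = group.chain()
    ordered = [("shared-pre", r) for r in shared.pre_rules]
    for dg in reversed(chain):                 # top-level ancestor first
        ordered += [(f"{dg.name}-pre", r) for r in dg.pre_rules]
    ordered += [("local", r) for r in local_rules]
    for dg in chain:                           # firewall's own group first
        ordered += [(f"{dg.name}-post", r) for r in dg.post_rules]
    ordered += [("shared-post", r) for r in shared.post_rules]
    ordered += [("default", r) for r in DEFAULT_RULES]
    return ordered


def first_match(shared, group, local_rules, src_zone, dst_zone, app):
    """Return (layer, rule name, action) of the first rule that matches."""
    for layer, rule in evaluation_order(shared, group, local_rules):
        if rule.matches(src_zone, dst_zone, app):
            return layer, rule.name, rule.action
    raise AssertionError("unreachable: interzone-default matches everything")


def build_lab():
    """Constructed hierarchy: Shared -> Regional -> Branch-EMEA, plus local rules."""
    shared = DeviceGroup("Shared",
                         pre_rules=[Rule("corp-aup-block-p2p", "deny", app="bittorrent")],
                         post_rules=[Rule("allow-web-out", "allow", "Inside", "Outside", "web-browsing")])
    regional = DeviceGroup("Regional",
                           pre_rules=[Rule("regional-allow-dns", "allow", app="dns")],
                           post_rules=[Rule("regional-deny-ssh-out", "deny", "Inside", "Outside", "ssh")])
    emea = DeviceGroup("Branch-EMEA", parent=regional,
                       post_rules=[Rule("emea-allow-ssh-out", "allow", "Inside", "Outside", "ssh")])
    local_rules = [Rule("local-lab-allow-ftp", "allow", "Inside", "Outside", "ftp")]
    return shared, emea, local_rules


def decide(src_zone: str, dst_zone: str, app: str):
    shared, emea, local_rules = build_lab()
    return first_match(shared, emea, local_rules, src_zone, dst_zone, app)


if __name__ == "__main__":
    for flow in (("Inside", "Outside", "bittorrent"), ("Inside", "Outside", "ssh"),
                 ("Inside", "Outside", "ftp"), ("Inside", "Inside", "rdp"),
                 ("Inside", "Outside", "smtp")):
        print(flow, "->", decide(*flow))
```

Note that the child group's post-rule allows SSH before the parent's post-rule can deny it, which is the ordering question the exam most often asks about.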
Identify the impact of configuring a primary device
Each firewall and the Panorama management server have a default master
key. This master key encrypts all the private keys and passwords within the
configuration to ensure their security. An example of such a private key is the
one used for SSL Forward Proxy Decryption.
In a High Availability (HA) configuration, it is imperative to utilize the
identical master key on both firewalls. The master key is not automatically
synchronized between HA peers. Failure to use the same master key on both
sides would result in improper HA synchronization. For those managing
firewalls with Panorama, you can either configure the same master key on
Panorama and all the managed firewalls or set up a unique master key for
each managed firewall. When dealing with managed firewalls in an HA
configuration, it is essential to configure the same master key for each HA
peer.
It is of utmost importance to store the master key in a highly secure location.
It is not possible to retrieve or recover the master key once it is lost. The sole
method to restore the default master key is resetting the firewall to its factory
default settings.
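To see why a mismatched master key breaks HA synchronization, the following added example (standard library only, not the PAN-OS algorithm and not the project's code) wraps two constructed configuration secrets under one master key and then simulates a peer trying to use them with a different key. The encrypt-then-MAC construction, the 16-byte sample keys, and the fingerprint scheme are assumptions made for the illustration; the fingerprint shows how two peers could confirm they hold the same key without exchanging it.

```python
import hashlib
import hmac
import os


def _keystream(master_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256 (illustrative only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(master_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_secret(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC a config secret such as a decryption private key."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(master_key, nonce, len(plaintext))))
    tag = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_secret(master_key: bytes, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError when the key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(master_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("master key mismatch: cannot decrypt config secret")
    return bytes(a ^ b for a, b in zip(ct, _keystream(master_key, nonce, len(ct))))


def master_key_fingerprint(master_key: bytes) -> str:
    """A hash both peers can compare to confirm they hold the same master key
    without transmitting the key itself (constructed check, not a PAN-OS command)."""
    return hashlib.sha256(b"master-key-fp:" + master_key).hexdigest()[:16]


def ha_sync_check(active_key: bytes, passive_key: bytes, wrapped_config: dict) -> dict:
    """Simulate a config sync from the active to the passive peer and report
    which secrets the passive peer can actually decrypt."""
    usable, broken = [], []
    for name, blob in wrapped_config.items():
        try:
            unwrap_secret(passive_key, blob)
            usable.append(name)
        except ValueError:
            broken.append(name)
    return {
        "fingerprint_match": master_key_fingerprint(active_key) == master_key_fingerprint(passive_key),
        "usable": usable,
        "broken": broken,
    }
```

With the same key on both peers every secret is usable; with different keys the fingerprint check fails before any sync is attempted, and every wrapped secret is reported as broken, which is the "improper HA synchronization" the text warns about.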
EXAM TIP: When the Master Key expires and is not renewed or
replaced promptly, the device enters maintenance mode.
Assign Firewalls to Device Groups
Device groups are collections of firewalls and virtual systems you want to
manage as unified entities. For instance, these device groups could
encompass firewalls responsible for branch offices or individual departments
within a company. Panorama treats these device groups as cohesive units
regarding policy application. It is worth noting that a firewall can be a part of
only one device group. Still, virtual systems are more flexible within
Panorama, allowing you to assign a single virtual system to different device
groups.
Device groups offer a hierarchical structure, allowing for up to four levels of
nesting under a shared location. This hierarchical approach facilitates the
management of policies across the network of firewalls. At the lowest level, a
device group may inherit policies and objects from parent, grandparent, and
great-grandparent device groups, collectively called ancestors. Conversely, at
the highest level, a device group can have child, grandchild, and great-
grandchild device groups, collectively called descendants. This device group
hierarchy is displayed in the Name column when accessing Panorama >
Device Groups.
Performing a Panorama commit and a device group commit is essential
whenever you change device groups, whether adding, editing or deleting
them. It ensures that the configuration changes are effectively pushed to the
firewalls associated with the respective device group. Panorama can manage
and support up to 1,024 device groups.
Lab 9-04: Configure Device Group and Push Address Object
Configuration
Case Study
Acme Corporation, a global leader in technology solutions, operates a vast
and complex network infrastructure to support its worldwide operations. With
over 15,000 employees across the globe and annual revenues exceeding $3
billion, Acme is committed to delivering innovative products and services to
its customers. The company’s services span various industries, from
healthcare and finance to e-commerce, making network security and
reliability paramount to its operations.
Acme Corporation’s network spans multiple continents and regions. The
company maintains data centers across North America, Europe, and Asia to
ensure efficient service delivery and redundancy. With over 50 branch offices,
connecting thousands of employees, and serving millions of customers, the
company’s network is both vast and dynamic.
Business Challenge
Acme Corporation, a thriving enterprise with a sprawling network
infrastructure, faces a pressing challenge in effectively managing and
maintaining the consistency of address objects and policies across its Palo
Alto Firewalls. With numerous firewall devices distributed across various
locations, maintaining a uniform and coordinated approach to address object
management and policy enforcement has become increasingly complex.
Acme encounters challenges, such as distributed address objects, policy
discrepancies, and time-consuming updates.
The organization’s address objects, representing specific IP addresses,
subnets, or network segments, are managed individually on each Palo Alto
Firewall. This decentralized approach results in inconsistencies, making it
difficult to ensure that address objects are up-to-date and accurate across the
network. As a Palo Alto Network Security Engineer, configure Address
Objects and push them to the Firewalls.
Solution
Acme Corporation recognizes the need to implement Device Groups,
configure address objects centrally, and push these configurations to its Palo
Alto Firewalls using Panorama to overcome the address object and policy
management challenges. This solution streamlines address object
management, policy enforcement, and policy consistency throughout the
network. The key components of this solution are Device Groups, centralized
Address Object configuration, policy consistency, and efficient configuration
updates.
Device Groups provide a hierarchical structure for organizing firewall devices
based on their role, location, or other criteria. Acme takes advantage of
Panorama's centralized address object management capabilities. Address
objects, such as IP addresses, subnets, or address groups, are configured once
within Panorama and can be used across all firewall devices within the
specified Device Groups.
In conclusion, the adoption of Device Groups in Panorama, combined with
the centralized configuration and deployment of address objects and security
policies, empowers Acme Corporation to overcome the challenges of address
object inconsistency and policy management inefficiencies.
Follow the steps to complete the lab:
1. Configure Device Groups
2. Configure Address Objects
3. Commit and Push Configuration
Figure 9-09: Configure Device Group and Push Address Object
Configuration
Log into Panorama.
a. Open a web browser and navigate to the URL https://<panorama-ip-address>
b. Enter your Panorama username and password.
c. Click Login.
1. Configure Device Groups
1. Navigate to Panorama > Device Groups
Click the +Add button to add a Device Group.
2. Enter India-DG in the Name field; DG is short for Device Group here.
Select Shared in the Parent Device Group. Select the Firewall that is
part of India, which is PA-VM1. Add the India-Stack in the
REFERENCE TEMPLATES window. Click the OK button to save it.
Note: India-Stack (Template Stack) was configured in the previous lab;
Configure Panorama Template and Push Zone Configuration.
3. You can see the India-DG along with the other Device Groups for all
the other sites; they are not shown in the lab due to repetitive tasks. All
the Device Groups are the children of the Shared Device Group.
2. Configure Address Objects
1. Now, see the Policies and Objects under the Device Groups tab at the
top of the Panorama.
Navigate to Device Groups > Objects > Addresses.
Select the USA-DG in the Device Group drop-down menu.
Note: Template Stack is important when you want to configure something
related to Network or Device, while Device Group is important when you
want to configure something related to Policies or Objects.
2. Click the +Add button to add a new Address Object.
3. Enter India-Site in the Name field. Checkmark the Shared checkbox,
which means this object will be shared in all the Device Groups. Enter the
IP Address (192.168.10.0/24) of which you want to make an object. Click
the OK button to save it.
4. Under the Addresses menu, click the +Add button to add another
Address Object.
5. Enter USA-Site in the Name field. This time, do not checkmark the
Shared checkbox, which means this Address Object is only configured
for the USA-DG. Enter the Network that is part of the USA site to make
its object. Click the OK button to save it.
6. You can see both the Address Objects in the USA-DG Device Group.
India-Site is shared, while USA-Site is specific to USA-DG.
7. Similarly, the same configuration is done in all the Device Groups; they
are not shown in the lab due to repetitive tasks. Address Objects are also
configured in all the other Device Groups (AUS-DG, India-DG, and UK-
DG).
3. Commit and Push Configuration
Commit and Push the configuration to save and push the configuration to
all the Firewalls.
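The same lab can be driven through the Panorama XML API instead of the web interface, which is how the address objects would be kept consistent from automation. The following is an added example, not code from the lab or from Palo Alto Networks: it builds the `type=config&action=set` requests for the device group and the two address objects, plus the commit and push requests, without sending anything. The Panorama host, API key, and firewall serial are placeholders, the USA network value is constructed because the lab text does not give one, USA-DG is assumed to already exist, and the xpaths and the `commit-all` element follow the PAN-OS XML API layout as I know it; verify them against the XML API reference for your release before use.

```python
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

PANORAMA_HOST = "panorama.example.invalid"   # placeholder, not a real host
API_KEY = "REPLACE_WITH_API_KEY"             # placeholder; generate one with type=keygen
DG_BASE = "/config/devices/entry[@name='localhost.localdomain']/device-group"


def device_group_request(name, firewall_serials, reference_templates):
    """Step 1: create a device group whose parent is Shared (a Shared parent
    needs no extra element), assign firewalls by serial, and attach reference
    template stacks."""
    dg = ET.Element("entry", name=name)
    devices = ET.SubElement(dg, "devices")
    for serial in firewall_serials:
        ET.SubElement(devices, "entry", name=serial)
    refs = ET.SubElement(dg, "reference-templates")
    for stack in reference_templates:
        ET.SubElement(refs, "member").text = stack
    return {"type": "config", "action": "set", "xpath": DG_BASE,
            "element": ET.tostring(dg, encoding="unicode")}


def address_object_request(name, ip_netmask, shared=False, device_group=None):
    """Step 2: a Shared object lives under /config/shared, a device group object
    under that group's own node, which is why only that group and its
    descendants can reference it."""
    if shared == bool(device_group):
        raise ValueError("choose exactly one of shared=True or device_group=...")
    xpath = "/config/shared/address" if shared else f"{DG_BASE}/entry[@name='{device_group}']/address"
    obj = ET.Element("entry", name=name)
    ET.SubElement(obj, "ip-netmask").text = ip_netmask
    return {"type": "config", "action": "set", "xpath": xpath,
            "element": ET.tostring(obj, encoding="unicode")}


def commit_request():
    """Step 3a: commit to Panorama; changes stay on Panorama until pushed."""
    return {"type": "commit", "cmd": "<commit></commit>"}


def push_request(device_groups):
    """Step 3b: push the Panorama running configuration to the named device groups."""
    entries = "".join(f'<entry name="{dg}"/>' for dg in device_groups)
    cmd = f"<commit-all><shared-policy><device-group>{entries}</device-group></shared-policy></commit-all>"
    return {"type": "commit", "action": "all", "cmd": cmd}


def api_url(params):
    """Assemble the GET URL; sending it (for example with requests) is left to the reader."""
    return f"https://{PANORAMA_HOST}/api/?" + urlencode({**params, "key": API_KEY})


def lab_9_04_requests(firewall_serial="PLACEHOLDER-SERIAL", usa_network="192.168.20.0/24"):
    """All requests for the lab, in the order the steps run them."""
    return [
        device_group_request("India-DG", [firewall_serial], ["India-Stack"]),
        address_object_request("India-Site", "192.168.10.0/24", shared=True),
        address_object_request("USA-Site", usa_network, device_group="USA-DG"),
        commit_request(),
        push_request(["India-DG", "USA-DG"]),
    ]
```

Keeping the object definitions in code and replaying them makes drift between device groups visible in review rather than in a firewall's policy, and the API key should be stored outside the script (for example in an environment variable) rather than in the source.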
Manage Firewall Configurations within Panorama
Managing firewall configurations within Panorama is crucial to efficiently
overseeing network security. Panorama, a centralized management tool by
Palo Alto Networks, provides the means to streamline and organize
configurations across multiple firewalls.
Licensing
The Panorama Software Firewall License plugin offers a streamlined
approach to licensing VM-Series firewalls when they connect to Panorama. It
is especially beneficial for VM-Series firewalls at the network perimeter that
lack direct connectivity to the Palo Alto Networks licensing server. The
plugin leverages Panorama to handle the licensing of VM-Series firewalls in
such scenarios.
Moreover, the Software Firewall License plugin simplifies activating and
deactivating licenses for VM-Series firewalls, particularly in dynamic
environments where auto-scaling and automation are used to deploy and
retire firewalls in response to changes in cloud-based deployments.
To install the Panorama Software Firewall License plugin, you need
Panorama 10.0.0 or a more recent release and VM-Series plugin version
2.0.4 or newer. Additionally, your VM-Series firewalls must run PAN-OS
9.1.0 or a later release.
Commit Recovery Feature
When you trigger a commit action, Panorama performs a thorough check to
ensure the proposed changes are valid and can be activated without issues.
The validation process provides a report highlighting conditions that may
prevent the commit (referred to as errors) or conditions that, while not
obstructing the commit, are noteworthy (known as warnings). For instance,
during validation, it might point out an incorrect route destination that
requires your attention for the commit to be successful.
The significance of this validation procedure lies in its ability to help you
detect and rectify errors before the commit action occurs. It does not alter the
current configuration, ensuring no changes are applied until you are confident
the commit will go through smoothly. It is particularly valuable when you
have a predefined commit window and want to ensure a successful commit
without errors.
Automatic Commit Recovery
Panorama's automatic commit recovery feature allows you to set up your
firewall to conduct a predefined number of connectivity tests. These tests
occur after you apply a configuration change from Panorama or initiate a
local commit on the firewall itself. By default, automatic commit recovery is
already activated. This feature empowers your managed firewalls to perform
local assessments of the configuration adjustments pushed by Panorama. The
goal is to verify that the new changes do not disrupt the connection between
Panorama and the managed firewall.
If the committed configuration introduces disruptions in this connection, the
firewall will automatically declare the commit a failure, and the configuration
will revert to the previous running state.
Furthermore, the firewall periodically checks its connectivity to Panorama
approximately once every hour. This routine check is designed to ensure
consistent communication. It is particularly useful when unrelated network
configuration changes might have interfered with the firewall's connection to
Panorama or if there are potential implications to the committed configuration
that could affect connectivity. If the hourly connectivity check fails, the
firewall generates a system log to alert administrators about possible
configuration or network connectivity issues. Notably, an event in the system
log is recorded when you disable the automatic commit recovery setting,
when a connectivity test fails, or when the firewall reverts to the last known
running configuration.
For firewalls configured in a high availability (HA) setup, it is essential to
know that each HA peer conducts these connectivity tests independently. HA
configuration synchronization does not occur until both HA peers have
successfully confirmed their connectivity to Panorama.
EXAM TIP: Enable automated commit recovery on its own, without
combining it with other configuration changes. If you enable it together with
other configuration modifications that cause a disconnection between
Panorama and the managed firewalls, the configuration will not
automatically revert.
Enabling automated commit recovery might trigger an automatic rollback
of the initial configuration push when adding ZTP firewalls to Panorama.
To enable automated commit recovery for your managed ZTP firewalls, set
the number of attempts to check for Panorama connectivity to 5.
Configuration Settings for Panorama Automatic Commit Recovery
In PAN-OS, managed firewalls can independently verify their connectivity to
the Panorama management server. If a firewall cannot communicate with
Panorama, it is designed to revert to the last known running configuration
automatically.
Automatic commit recovery is the feature that allows you to define the
number of connectivity tests and the interval at which these tests take place.
The tests are executed before the firewall reverts to the previous running
configuration. This process occurs when you apply a configuration from
Panorama or locally commit a configuration change on the firewall.
Commit Types and Schedules
To configure commit types and schedules for automated commit recovery,
follow these steps:
1. Access the Panorama web interface through login.
2. Go to Device > Setup > Management.
3. In the Template context drop-down list, choose the template or template
stack responsible for managing the devices you want to configure for
automated commit recovery.
4. Configure the automated commit recovery settings:
a. Click the Edit for Panorama Settings.
b. Ensure that the Enable automated commit recovery option is
checked.
c. Set the desired number of attempts for checking Panorama
connectivity.
d. Specify the interval between retry attempts.
e. Confirm the configuration changes by clicking OK.
5. Select Commit > Commit and Push to apply the configuration changes.
6. Verify that the automated commit recovery feature is enabled on the
managed firewalls.
7. Access the firewall web interface.
8. Navigate to Device > Setup > Management. In the Panorama Settings
section, confirm that Enable automated commit recovery is selected.
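The behaviour configured in the steps above (the number of connectivity attempts, the retry interval, the revert to the last running configuration, and the hourly check) can be followed in a small simulation. The following is an added example and not PAN-OS code: the firewall, its candidate and running configurations, the connectivity probe, and the sample addresses are all constructed so that it runs offline, and the rule that the failed edits remain in the candidate after a revert is a modelling assumption.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Firewall:
    running: Dict[str, str]
    candidate: Dict[str, str]
    attempts: int = 3            # "number of attempts to check for Panorama connectivity"
    interval_s: int = 10         # "interval between retry attempts"
    recovery_enabled: bool = True
    system_log: List[str] = field(default_factory=list)

    def stage(self, **changes: str) -> None:
        """Edits go into the candidate configuration until a commit."""
        self.candidate = {**self.candidate, **changes}

    def commit(self, probe: Callable[[Dict[str, str]], bool], clock: List[int]) -> bool:
        """Apply the candidate. If recovery is enabled and Panorama is still
        unreachable after every attempt, revert to the previous running config.
        `probe(config)` answers "can this config reach Panorama?" and `clock`
        collects the simulated seconds waited between retries."""
        previous = dict(self.running)
        self.running = dict(self.candidate)
        if not self.recovery_enabled:
            return True
        for attempt in range(1, self.attempts + 1):
            if probe(self.running):
                return True
            self.system_log.append(
                f"commit-recovery: connectivity test {attempt}/{self.attempts} failed")
            if attempt < self.attempts:
                clock.append(self.interval_s)
        self.system_log.append("commit-recovery: reverting to last known running configuration")
        self.running = previous           # candidate keeps the failed edits for correction
        return False

    def hourly_check(self, probe: Callable[[Dict[str, str]], bool]) -> bool:
        """Periodic check: only logs, never reverts."""
        ok = probe(self.running)
        if not ok:
            self.system_log.append("panorama-connectivity: hourly check failed")
        return ok

    def set_recovery(self, enabled: bool) -> None:
        """Disabling the feature is itself recorded in the system log."""
        if self.recovery_enabled and not enabled:
            self.system_log.append("commit-recovery: automated commit recovery disabled")
        self.recovery_enabled = enabled


def reaches_panorama(config: Dict[str, str]) -> bool:
    """Constructed probe: Panorama at 10.0.0.10 is reachable only through the
    management default gateway 10.0.0.1."""
    return config.get("mgmt_default_gw") == "10.0.0.1" and config.get("panorama_ip") == "10.0.0.10"


def build_firewall() -> Firewall:
    base = {"mgmt_default_gw": "10.0.0.1", "panorama_ip": "10.0.0.10"}
    return Firewall(running=dict(base), candidate=dict(base), attempts=3, interval_s=10)
```

A commit that changes the management gateway fails all three probes, waits two intervals (20 simulated seconds) between them, logs the revert, and leaves the running configuration as it was; a later commit that restores the gateway passes on the first probe with no waiting. This is also why the exam tip says to enable the feature on its own: in this model the probe runs only when `recovery_enabled` was already true before the commit.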
EXAM TIP: Panorama transmits the running configuration when
pushing configurations to managed firewalls. Due to this process, Panorama
requires you to commit the changes to the Panorama configuration before
you can push those changes to the managed firewalls.
Configuration Backups
Running Configuration and Candidate Configuration
Firewall settings are saved in XML configuration files that support archiving,
restoration, and management. Within a firewall, there are two essential
configurations: the running configuration, which holds all the currently active
settings, and the candidate configuration. The candidate configuration is
essentially a duplicate of the running configuration, with the addition of any
uncommitted changes. When you make adjustments using the web interface,
CLI, or XML API, these changes are stored in the candidate configuration
until a commit operation is executed. During the commit process, the
candidate configuration takes the place of the running configuration,
effectively applying the pending changes.
Panorama and Firewall Configuration Backups and Restorations
When Panorama is in a management relationship with a firewall, it can
retrieve copies of both Panorama-managed and locally managed
configurations. Whenever a commit occurs on a local firewall running PAN-
OS 5.0 or a later version, a backup of the running configuration is
automatically sent to Panorama. It includes commits made by administrators
locally on the firewall or those initiated automatically by PAN-OS, such as an
FQDN refresh.
By default, Panorama can retain up to 100 backups for each firewall, although
this limit is adjustable. To store backups of Panorama and firewall
configurations on an external host, you can either schedule exports from
Panorama or perform an export as needed. Administrators can reinstate these
saved configuration files on the firewall at their discretion, which can be
accomplished via the Panorama > Managed Devices > Summary tools.
Replacing a Panorama-Managed Firewall via Return Merchandise
Authorization
You can utilize a Return Merchandise Authorization (RMA) to streamline
restoring the configuration on a managed firewall. It allows you to substitute
the serial number of the old firewall with that of the new replacement firewall
in Panorama's records. Once this substitution is made, you can restore the
configuration on the replacement firewall.
Restoring the configuration on the replacement firewall can be achieved by
importing a previously generated and exported firewall state from the old
firewall. Alternatively, if you work with managed firewalls running PAN-OS
5.0 or later versions, you can leverage Panorama to generate a partial device
state. This state can then be used to restore the firewall's configuration. By
performing the serial number replacement and importing the firewall state,
you can seamlessly continue to manage the firewall using Panorama.
Commit Type Options
To apply changes to the Panorama configuration and propagate them to
various network devices, including firewalls, Log Collectors, and WildFire
clusters and appliances, you have multiple options:
Commit to Panorama: This option activates the changes made in the
Panorama management server's configuration. It commits device group,
template, Collector Group, and WildFire cluster and appliance changes to
the Panorama configuration without pushing them to the network devices.
It allows you to save changes not yet ready for deployment on the
network devices.
Push to Devices: This choice pushes the Panorama running configuration
to device groups, templates, Collector Groups, and WildFire clusters and
appliances, effectively implementing the changes on the network devices.
Commit and Push: This operation commits all configuration changes to
the local Panorama configuration and subsequently pushes the Panorama
running configuration to device groups, templates, Collector Groups, and
WildFire clusters and appliances, ensuring that changes are both
committed and applied to the network devices.
You can filter pending changes based on administrator or location, allowing
you to commit, push, validate, or preview only specific changes. Locations
can refer to specific device groups, templates, Collector Groups, Log
Collectors, WildFire appliances and clusters, shared settings, or the Panorama
management server.
It is important to note that when you commit changes, they are incorporated
into the running configuration. Any changes that have not been committed are
stored in the candidate configuration. Panorama manages a queue of commit
requests, enabling you to initiate a new commit even while a previous one is
in progress. Commit tasks are processed in the order they are initiated, with
priority given to auto-commits triggered by Panorama, such as FQDN
refreshes. However, if the commit queue reaches its maximum capacity for
administrator-initiated commits, you must wait for Panorama to complete a
pending commit before initiating a new one. You can use the Task Manager to
clear the commit queue or access detailed information about commit tasks to
monitor and manage commits.
You have several options for committing, validating, or previewing
configuration changes in different contexts:
When committing to Panorama using either Commit > Commit to
Panorama or Commit > Commit and Push, the following options are
available:
Commit All Changes
Commit Changes Made By
Commit Scope
Location Type
Object Type
Admins
Include in Commit
Group by Type
Preview Changes
Change Summary
Validate Commit
For pushing configuration changes to managed devices through Commit
> Push to Devices or Commit > Commit and Push, you can utilize these
options:
Push All Changes
Push Changes Made By
Push Scope
Location Type
Object Type
Entities
Admins
Include in Push
Edit Selections
Device Groups and Templates
Filters
Name
Last Commit State
HA Status
Changes Pending (Panorama) Commit
Preview Changes column
Select All
Deselect All
Expand All
Collapse All
Group HA Peers
Validate
Filter Selected
Merge with Candidate config
Include Device and Network Templates
Force Template Values
Log Collector Groups
WildFire Appliances and Clusters
Filters
Name
Last Commit State
No Default Selections
Validate Device Group Push
Validate Template Push
Group by Location Type
Additionally, when committing changes to the Panorama configuration or
pushing changes to devices, the following options are applicable:
Description
Commit / Push / Commit and Push
Manage Dynamic Updates for Panorama and Panorama-
Managed Devices
You can establish a schedule for dynamic updates to determine how often the
firewall checks for and retrieves new updates. When dealing with
Applications and Threat content updates, it is often a good practice to stagger
the installation of new and modified application updates, ensuring that threat
updates are prioritized. This approach allows you to assess the impact of new
applications on your security policy while maintaining up-to-date threat
protection.
A direct internet connection is necessary for Panorama to schedule Supported
Updates on firewalls, Log Collectors, and WildFire appliances or clusters.
Without this connection, you can only perform updates on demand. Note that
to schedule Antivirus, WildFire, or BrightCloud URL updates for Log
Collectors, the Log Collectors must be running Panorama 7.0.3 or a later
release. Each device receiving an update generates a log entry indicating
whether the installation succeeded (Config log) or failed (System log).
Software and Dynamic Updates
Dynamic Updates
Palo Alto Networks regularly releases dynamic firewall updates, providing
essential security enhancements without requiring a full firmware upgrade.
Software Updates
To maintain robust protection against the latest and even yet undiscovered
threats, it is vital to keep your firewalls consistently updated with Palo Alto
Networks' latest content and software updates. The availability of Dynamic
Content Updates is contingent on your subscribed services. You can establish
a schedule for content updates, specifying how often your firewall checks for
and applies these updates.
Import Firewall Configurations into Panorama
A well-thought-out pre-migration plan is essential if you have already
deployed Palo Alto Networks firewalls with local configurations but now
seek to shift to centralized management using Panorama. This plan involves
importing your existing firewall configurations into Panorama and ensuring
the firewalls maintain their expected functionality after the transition. Where
specific settings are unique to individual firewalls, you can continue to
access and manage those settings locally on the firewall. It is important to
note that a setting cannot be managed both through Panorama and locally on
the firewall, so you must choose one method. To exclude certain firewall
settings from Panorama's management, you have two options:
1. Migrate the entire firewall configuration and then delete the settings on
Panorama that you intend to manage locally on the firewalls. Alternatively,
you can override a setting that Panorama pushes to a firewall with a
template or template stack.
2. Load a partial firewall configuration into Panorama, including only the
settings that you want to manage using Panorama.
It is important to note that firewalls do not lose log data during the transition
to Panorama management.
Configure Log Collectors
Navigate to Panorama > Managed Collectors to manage Log Collectors.
When adding a new Log Collector as a managed collector, the settings you
need to configure may vary depending on the location of the Log Collector
and whether you have deployed Panorama in a high availability (HA)
configuration. These settings include:
Dedicated Log Collector: The Interfaces tab is not initially displayed when
adding a dedicated Log Collector. You will need to enter the serial number
(Collector S/N) of the Log Collector, click OK, and then edit the Log
Collector to access and configure the interface settings.
Default Log Collector local to the solitary (non-HA) or active (HA)
Panorama management server: In this scenario, after entering the serial
number (Collector S/N) of the Panorama management server, the Collector
dialog will only display the disks, communication settings, and a subset of the
general settings. The Log Collector gets all of its settings from the Panorama
management server, except for the interface settings.
Default Log Collector local to the passive Panorama management server
(HA only): In a high availability (HA) setup, Panorama treats this Log
Collector as remote. Therefore, you must configure it similarly to a dedicated
Log Collector. This process allows you to effectively manage Log Collectors
based on your specific configuration and needs.
Check Firewall Health and Status from Panorama
Panorama provides comprehensive monitoring capabilities for the hardware
resources and performance of managed firewalls. It is a centralized platform
for tracking performance metrics over time, including CPU usage, memory
consumption, connections per second (CPS), and throughput. Additionally, it
offers insights into logging performance and environmental factors such as fan
operation, RAID status, and power supplies. Panorama also correlates various
events, such as configuration commits, content updates, and software
upgrades, with the overall health of the devices it manages.
Configure Role-Based Access Control on Panorama
Role-based access control empowers you to establish the rights and
responsibilities of administrators in your organization. Each administrator
must have a user account specifying a role and an authentication method.
These administrative roles govern access to specific settings, logs, and reports
within Panorama and firewall environments. You can map roles to access
domains when dealing with device groups and template administrators. These
access domains, in turn, dictate access to particular device groups, templates,
and firewalls by enabling context switching. It allows you to maintain a clear
separation of information between different functional or regional areas of
your organization. For instance, you can restrict an administrator from
monitoring activities related to data center firewalls while allowing them to
configure policies for test lab firewalls. By default, every Panorama
appliance, whether a virtual or M-Series appliance, comes with a predefined
administrative account (admin). This account provides comprehensive read-
write access, functioning as a superuser with privileges encompassing all
functional areas, device groups, templates, and firewalls. In the case of each
administrator, you can establish an Authentication Profile that defines the
mechanism Panorama uses to validate user access credentials.
Case Study: Plan Your Panorama Deployment
Introduction
In a network environment with multiple firewalls but lacking centralized
management, organizations often face several challenges that can make their
security operations difficult and inefficient. Deploying Panorama in a Palo
Alto Networks firewall network is a strategic move that significantly
enhances the manageability and scalability of the security infrastructure.
As organizations grow and face increasingly complex cybersecurity
challenges, the need for centralized, efficient, and comprehensive network
security management becomes paramount. Panorama serves as a powerful
solution to address these requirements, offering a single pane of glass for
configuring, monitoring, and reporting on multiple Palo Alto firewalls across
different locations. Whether it is ensuring consistent security policies,
optimizing network performance, streamlining updates, or simplifying
compliance management, Panorama plays a pivotal role in maintaining a
robust and effective cybersecurity posture.
Challenge
When there are many firewalls in a network, it becomes very difficult for the
customer to manage each firewall individually. Here is a breakdown of the
challenges that a customer can face:
1. Manual Configuration: Without centralized management, each individual
firewall device must be configured separately. This manual configuration
process is not only time-consuming but also prone to errors. Inconsistencies
in firewall settings can leave security gaps or cause network disruptions.
2. Policy Consistency: Maintaining consistent security policies across
multiple firewalls is a daunting task. Different administrators might configure
policies differently, leading to inconsistencies and making it challenging to
enforce uniform security rules.
3. Visibility and Monitoring: Monitoring the network for threats and
performance becomes fragmented. Network administrators must access each
firewall separately to analyze logs and security events, making it hard to gain
a comprehensive view of the network’s security status.
4. Updates and Patches: Applying updates, patches, and firmware upgrades
to numerous firewalls individually is cumbersome. This process increases the
risk of running outdated software with known vulnerabilities.
5. Compliance and Reporting: Meeting regulatory and compliance
requirements, which often demand centralized reporting and auditing
capabilities, becomes complicated when logs and data are dispersed across
multiple devices.
6. Scaling Challenges: As organizations expand, adding more firewalls to the
network can be challenging to manage without a central point of control. This
can lead to inefficiencies in provisioning new devices and maintaining
existing ones.
7. Response Time: In the event of a security incident, incident response
times are delayed as administrators need to navigate through multiple
interfaces to identify and mitigate threats.
Solution
The absence of centralized management leads to an inefficient and error-
prone security infrastructure, increasing operational costs and the risk of
security breaches. To address these challenges, organizations turn to solutions
like Panorama by Palo Alto Networks, which centralizes managing and
monitoring multiple firewall devices, streamlining operations and enhancing
network security.
Deployment Plan
1. Understand Panorama: Panorama is a centralized management system
for Palo Alto Networks Next-Generation Firewalls. It provides you with a
consolidated view and control over all firewall traffic, configurations, and
updates. You can manage all your firewalls irrespective of their locations. It is
important to understand the capabilities and features of Panorama before
deploying it.
To understand Panorama, you can use the following command to display
system information:
show system info
2. Migrating to Panorama: Migrating to Panorama involves transitioning
your existing firewall configurations to be centrally managed by Panorama.
This process is easier than most administrators believe and provides benefits
such as simplified management, improved visibility into threats, and reduced
response times.
To migrate to Panorama, you can use the following command to start the
migration:
request logdb migrate vm start
3. Set Up Panorama: This involves determining your Panorama log storage
requirements and managing large-scale firewall deployments. You need to
plan your deployment based on the scale of your network and the volume of
logs that will be generated.
Setting up Panorama involves various commands depending on the
specific configuration. For example, to set the mode of operation for an
M-Series appliance, you can use the following command:
request system system-mode
4. Install Panorama: Depending on your needs, you can install the
Panorama Virtual Appliance on various platforms such as VMware, ESXi
Server, vCloud Air, AWS, AWS GovCloud, Azure, Google Cloud Platform,
KVM, or Hyper-V. The installation process involves setting up the virtual
appliance on your chosen platform.
Installation of Panorama is typically done through a GUI interface and does
not involve CLI commands.
5. Initial Configuration: After installation, you need to perform the initial
configuration of the Panorama Virtual Appliance. This involves setting up
administrative access, configuring network settings, and more.
Initial configuration can involve various commands. For example, to
change the output for show commands to a format that you can run as CLI
commands, you can use the following command:
set cli config-output-mode set
6. Panorama in HA Pair: High Availability (HA) in Panorama ensures a
significantly higher availability of your network by running two connected
server PCs in parallel. The servers monitor each other during runtime
operation, which allows them to detect a failing partner early. There are
specific steps for migrating an HA pair to Panorama management.
To synchronize the configuration of M-Series appliance high availability
(HA) peers, you can use the following command:
request high-availability sync-to-remote [running-config | candidate-config]
7. Set Up Log Collector: The Log Collector is a component of Panorama
that collects logs from managed firewalls. Setting up the Log Collector
involves configuring it to receive logs from specific firewalls.
Setting up a Log Collector involves various commands depending on the
specific configuration.
8. Expand Log Storage Capacity: If needed, you can expand log storage
capacity on the Panorama Virtual Appliance. This involves adding additional
storage to accommodate more logs.
Expanding log storage capacity is typically done through a GUI interface and
does not involve CLI commands.
9. Redundant Log Servers: Redundancy in log servers helps ensure reliable
performance from a complex system. If one server fails, the other can take
over, ensuring that no data is lost and system performance is not affected.
1. Viewing Logs:
You can use the less command to view logs:
less mp-log ikemgr.log
If you open a log file, shift+g takes you to the end of the file (a regular g
takes you to the start of the file). To search, use /<keyword>. While in a
search, use n to go to the next match or shift+n to go to the previous one.
2. Real-time Log Viewing: The tail command can be used for real-time
log viewing:
tail follow yes mp-log ikemgr.log
3. Exporting and Importing Log Database:
You can use the scp export logdb and scp import logdb commands to
export and import the complete log database.
10. Increase CPUs and Memory: If necessary, you can increase CPUs and
memory on the Panorama Virtual Appliance. This might be required if you
are managing a large number of firewalls or dealing with a high volume of
traffic.
Increasing CPUs and Memory on a Palo Alto device, specifically for a
Panorama Virtual Appliance, is typically done through the virtual machine
settings in your hypervisor (like VMware vSphere or ESXi, KVM, etc.)
rather than through the Palo Alto CLI.
Here are the general steps:
1. Power off the Panorama Virtual Appliance in your hypervisor.
2. Edit the settings of the virtual machine.
3. Increase the number of CPUs and/or the amount of memory.
4. Power on the Panorama Virtual Appliance.
Please refer to your hypervisor’s documentation for specific steps, as it can
vary. Also, always ensure that your server has enough resources to
allocate.
11. Software Versions of Firewalls and Panorama: It is important to keep
your firewalls and Panorama software up-to-date. Palo Alto Networks
provides guidance on the currently supported versions of PAN-OS, release
dates, and what version is preferred. When upgrading firewalls using
Panorama, make sure Panorama is running the same or a later PAN-OS
version than you are upgrading to.
To display a list of available PAN-OS software, you can use the following
command:
request system software info
Suppose the desired software version is not listed. In that case, you can
retrieve the list of available PAN-OS with the following command:
request system software check
Procedure
Here are the short procedural steps for each of the topics that are discussed:
1. Understand Panorama: Learn about Panorama’s capabilities and features.
2. Migrating to Panorama: Transition your existing firewall configurations
to be centrally managed by Panorama.
3. Set Up Panorama: Determine your log storage requirements and plan
your deployment.
4. Install Panorama: Install the Panorama Virtual Appliance on your chosen
platform.
5. Initial Configuration: Perform the initial configuration of the Panorama
Virtual Appliance.
6. Panorama in HA Pair: Set up an HA pair for higher availability of your
network.
7. Set Up Log Collector: Configure the Log Collector to receive logs from
specific firewalls.
8. Expand Log Storage Capacity: Add additional storage to accommodate
more logs if needed.
9. Redundant Log Servers: Set up redundant log servers for reliable
performance.
10. Increase CPUs and Memory: Increase CPUs and memory on the
Panorama Virtual Appliance if necessary.
11. Software Versions of Firewalls and Panorama: Keep your firewalls and
Panorama software up-to-date.
Benefits
Here are some benefits customers have experienced after deploying
Panorama:
1. Enhanced Management Functionality: Panorama enhances management
functionality, providing a centralized location for policy and firewall
management. This increases operational efficiency in managing and
maintaining a distributed network of firewalls.
2. Improved Visibility: With Panorama, administrators can gain insight into
applications, users, and content traversing the firewalls from a central
location. This improved visibility can help in making informed decisions
about network security.
3. Streamlined Rule Base: Panorama helps streamline the rule base across
your deployment of next-generation firewalls. This can reduce administrator
workload and improve your overall security posture.
4. Automated Policy Workflows: Panorama allows you to use APIs and
Dynamic Address Groups to automate policy workflows that adapt to
changes, such as additions, moves, or deletions of servers.
5. Scalability: When required, you can use Panorama Interconnect to scale
your single pane of glass to tens of thousands of firewalls.
6. Centralized Logging and Reporting: Panorama provides centralized
logging and reporting, which can be crucial for auditing and compliance
purposes.
Conclusion
In conclusion, deploying Panorama offers numerous benefits, such as
enhanced management functionality, improved visibility, streamlined rule
base, automated policy workflows, scalability, and centralized logging and
reporting. It provides a centralized location for policy and firewall
management, increasing operational efficiency in managing and maintaining
a distributed network of firewalls. However, the benefits can vary based on
each customer’s specific needs and environment.
Mind Map
Figure 9-11: Mind Map
Practice Questions
1. If a customer's remote offices, each with different firewall models,
are managed by Panorama, how can they efficiently share device
groups and templates?
A. Same device groups, same template stacks
B. Same device groups, different template stacks
C. Different device groups, same template stacks
D. Different device groups, different template stacks
2. What is the file format for firewall configuration files?
A. YAML
B. JSON
C. XML
D. CSV
3. In a Panorama template stack comprising two templates with
varying values for a specific configuration setting, which value will the
managed firewalls receive when the template stack is pushed?
A. The value from the top template of the stack
B. It acquires its value from the lowest template in the stack
C. Its value is based on the template identified as the parent
D. An administrator chooses the value from the two available options
4. What is the maximum number of templates that can be combined in
a template stack?
A. 8
B. 16
C. 32
D. 64
5. What is the purpose of Panorama's automatic commit recovery
feature in a Palo Alto Networks firewall setup?
A. To perform automatic backups of firewall configurations
B. To conduct periodic system updates
C. To verify and revert configuration changes that disrupt the
connection between Panorama and the firewall
D. To automate rule-based policy enforcement
6. How can you override a template value in a stack?
A. By defining values locally on the firewall
B. By defining firewall-specific variables
C. By defining values or variables on the template stack
D. All of the above
7. What is the purpose of template stack variables?
A. To replace IP addresses, group IDs, and interfaces in configurations
B. To reduce the total number of templates and template stacks
required
C. Both A and B
D. None of the above
8. What are the maximum levels in a device group hierarchy?
A. 1
B. 2
C. 3
D. 4
9. What is the impact of configuring a primary device?
A. The master key encrypts all the private keys and passwords within
the configuration
B. It is important to use the same master key on both HA peers
C. It is not possible to retrieve or recover the master key once it is lost
D. All of the above
10. Which approach is suitable for reverting to the previous
configuration when a newly committed firewall configuration leads to
unwanted consequences?
A. Restore the previous configuration settings using the load
configuration version feature, then commit the changes
B. Utilize the rollback commit link provided in the commit completion
message
C. Employ the import device state function to revert to the pre-commit
configuration
D. Utilize the load-named configuration snapshot to recover and
subsequently commit the previous configuration
11. In Panorama, where should you input Security policy rules to
ensure their precedence over locally defined rules?
A. Security policy rules with a targeted firewall
B. Section of the Security policy rules containing default rules
C. Section of the Security policy rules preceding the main rules
D. Post-rules section of the Security policy rules
12. What are the different commit type options in Panorama?
A. Commit to Panorama, Push to Devices, and Commit and Push
B. Commit, Push, Validate, and Preview
C. Both A and B
D. None of the above
13. What is the significance of the validation process performed by
Panorama before a committed action takes place?
A. It helps to detect and rectify errors before the commit action takes
place
B. It ensures that the current configuration is not altered
C. Both A and B
D. None of the above
14. What is the purpose of the Panorama Software Firewall License
plugin?
A. To streamline the licensing of VM-Series firewalls when they
connect to Panorama
B. To simplify the process of activating and deactivating licenses for
VM-Series firewalls
C. Both A and B
D. None of the above
15. In which order are policy rules evaluated?
A. Shared, device group, local
B. Device group, shared, local
C. Local, shared, device group
D. Shared, local, device group
Chapter 10: Manage and Operate
Introduction
Panorama is a central management platform for Palo Alto Networks
firewalls. It allows you to manage multiple firewalls from a single location,
including adding and configuring firewalls, deploying security updates,
monitoring firewall performance, and troubleshooting firewall problems.
Log forwarding allows you to send logs from your Palo Alto Networks
Next-Generation Firewalls (NGFWs) to a remote server for centralized
management and analysis.
This chapter will cover the following topics:
Explain how to manage and configure log forwarding, where we will learn
to identify log types, manage external services, create tags, monitor
logs, and customize logging and reporting settings.
Explain how to plan and execute the upgrade of a Palo Alto Networks
system, covering a single firewall, HA pairs, and dynamic updates.
Explain how to manage HA functions, covering link and path monitoring,
HA links, failover, active/active and active/passive modes, HA
interfaces, clustering, and election settings.
Manage and Configure Log Forwarding
Log forwarding is a powerful tool that can help you improve your network's
security and performance. By forwarding logs to a remote server, you can
centralize log management, archive logs for compliance purposes, and
analyze logs for security threats.
Identify log types and criticalities
Log forwarding, Filtering, and Tagging
Log Forwarding Profiles can transmit logs from specific firewall log
categories selectively. The firewall log categories are:
Authentication
Data Filtering
Decryption
Traffic
Threat
Tunnel
URL Filtering
WildFire Submissions
Methods Used to Forward Logs
Two primary techniques are employed for transmitting log events: directing
them according to event types and routing them to distinct systems. Log
events from System, Config, User-ID, HIP Match, and IP-Tag logs can be
rerouted based on particular event types. The configuration for these event
types can be accessed in the Device > Log Settings section.
Log events can also be directed to alternative systems like Panorama, SIEM
products, and syslog servers using a Log Forwarding Profile. Log
Forwarding Profiles are linked to individual firewall Security policy rules to
enable forwarding events associated with particular policies. You can define
one or more Log Forwarding Profile match lists within these profiles. This
level of granularity grants administrators precise control over forwarding
and the ability to tailor forwarding for policies of varying significance.
All forwarded events are promptly dispatched to their intended destinations
as generated on the firewall. Additionally, Palo Alto Networks provides the
option of utilizing Cortex Data Lake. This cloud-based solution can be a
central repository for forwarded logs from multiple Palo Alto Networks
devices. This centralized pool of log data is entirely accessible to the owner.
It can be a foundational resource for further integrating third-party security
applications through the Palo Alto Networks Cortex API.
Log Forwarding Profiles
It is possible to generate personalized log forwarding filters that rely on
various log characteristics to enhance the effectiveness of incident response
and monitoring processes, including attributes like threat type or source user.
Instead of transmitting all logs or logs with particular severity levels, these
filters enable transmitting only the pertinent information. For instance, a
security operations analyst dealing with malware attacks might want to
receive only Threat logs with the wildfire virus set as the type attribute.
Manage external services
Managing external services ensures that the services your organization relies
on from external providers are available, reliable, and secure.
Destination Log Types and Formatting
External forwarding accommodates the following categories of destinations:
SNMP traps
Syslog
HTTP server
Email
Panorama
Filtering and Forwarding Log Events
The Palo Alto Networks firewall provides two primary methods for
forwarding log events, which depend on the type of log message. Log
Forwarding Profiles are employed for events linked to scrutinized traffic. In
contrast, events associated with non-traffic-specific firewall operations can
be filtered and forwarded using Log Settings, which can be accessed under
Device > Log Settings.
Irrespective of the event type, log forwarding can transmit log event
duplicates to external destinations supporting various data formats.
SNMP
Email
Syslog
HTTP
Each log-forwarding destination is configured within the firewall through a
Server Profile tailored to the specific destination type. You can access this
configuration by navigating to Device > Server Profiles and creating a
profile for each destination.
Once the Server Profile for the destination is established, it can be integrated
into a Log Forwarding Profile. Most destination types, except Panorama,
allow for the adaptation of message formats. A common configuration for a
destination is as follows:
A duplicate is dispatched according to the specified parameters whenever a
log event is redirected to another location. Simultaneously, the original log
event is recorded on the firewall as it typically would be.
Create and Manage Tags
Automated Actions and Tagging with Log Forwarding
Log Forwarding Profiles offer a way to gather the source or destination IP
address from an event and associate it with a tag. This tag can allocate the
address to a Dynamic Address Group utilized in a Security policy rule.
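The following added example (not Palo Alto Networks code) simulates the two mechanisms described above: a Log Forwarding Profile match list that filters Threat logs by attribute (here the wildfire-virus subtype and a severity floor) and forwards copies to destinations, and the tag action that registers the event's source address so a Dynamic Address Group used by a Security policy rule picks it up. The log events, match lists, destination names, tag names and DAG criteria are all constructed, and the filter language is only a small subset of the firewall's own query syntax.

```python
"""Simulation of a Log Forwarding Profile match list driving log forwarding and
automated IP tagging for a Dynamic Address Group (DAG).

Added illustration for the study guide, not Palo Alto Networks code: events,
match lists, destinations, tags and DAG criteria are constructed, and the
filter is a subset of the firewall's query syntax (field op value, ANDed).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Severity ordering used by the "geq" operator, lowest to highest.
SEVERITY_ORDER = ["informational", "low", "medium", "high", "critical"]


@dataclass
class MatchList:
    """One entry of a Log Forwarding Profile: log type, filter and actions."""
    name: str
    log_type: str                       # "threat", "traffic", "url", ...
    terms: List[Tuple[str, str, str]]   # (field, op, value); all must hold
    forward_to: List[str]               # constructed Server Profile destinations
    tag: Optional[str] = None           # tag to register when the entry matches
    tag_target: str = "source"          # "source" or "destination" address


@dataclass
class ForwardingResult:
    forwarded: List[Tuple[str, str, str]] = field(default_factory=list)  # (match list, destination, event id)
    registry: Dict[str, Set[str]] = field(default_factory=dict)            # IP address -> registered tags


def term_matches(op: str, actual: Optional[str], wanted: str) -> bool:
    """Evaluate one filter term, e.g. (subtype eq wildfire-virus) or (severity geq high)."""
    if actual is None:
        return False
    if op == "eq":
        return actual == wanted
    if op == "neq":
        return actual != wanted
    if op == "geq":
        return SEVERITY_ORDER.index(actual) >= SEVERITY_ORDER.index(wanted)
    raise ValueError(f"unsupported operator {op!r}")


def match_list_hits(ml: MatchList, event: Dict[str, str]) -> bool:
    """True when the event is of the entry's log type and every term holds."""
    if event.get("type") != ml.log_type:
        return False
    return all(term_matches(op, event.get(fld), val) for fld, op, val in ml.terms)


def run_profile(profile: List[MatchList], events: List[Dict[str, str]]) -> ForwardingResult:
    """Evaluate each event against each match list, as the firewall does for a
    rule that references the profile. The original event stays in the local
    log; only copies are forwarded, and tagging registers the chosen address."""
    result = ForwardingResult()
    for ev in events:
        for ml in profile:
            if not match_list_hits(ml, ev):
                continue
            for dest in ml.forward_to:
                result.forwarded.append((ml.name, dest, ev["id"]))
            if ml.tag:
                addr = ev["src"] if ml.tag_target == "source" else ev["dst"]
                result.registry.setdefault(addr, set()).add(ml.tag)
    return result


def dag_members(required_tags: Set[str], registry: Dict[str, Set[str]]) -> Set[str]:
    """Hosts whose registered tags satisfy the DAG criteria (AND of tags here;
    the firewall's criteria language also supports 'or' and 'not')."""
    return {ip for ip, tags in registry.items() if required_tags <= tags}


# Constructed profile: WildFire verdict hits go to the SIEM and tag the source
# host; high-severity threats go to the on-call mailbox without tagging.
SOC_PROFILE = [
    MatchList("wildfire-hits", "threat", [("subtype", "eq", "wildfire-virus")],
              ["syslog:soc-siem"], tag="malware-infected"),
    MatchList("high-sev-threats", "threat", [("severity", "geq", "high")],
              ["email:soc-oncall"]),
]

# Constructed sample events (ids e1..e5); fields mirror Threat/Traffic log columns.
SAMPLE_EVENTS = [
    {"id": "e1", "type": "threat", "subtype": "wildfire-virus", "severity": "high",
     "src": "10.1.1.5", "dst": "203.0.113.10"},
    {"id": "e2", "type": "threat", "subtype": "vulnerability", "severity": "medium",
     "src": "10.1.1.7", "dst": "203.0.113.11"},
    {"id": "e3", "type": "traffic", "src": "10.1.1.9", "dst": "203.0.113.12"},
    {"id": "e4", "type": "threat", "subtype": "vulnerability", "severity": "critical",
     "src": "10.1.1.8", "dst": "203.0.113.13"},
    {"id": "e5", "type": "threat", "subtype": "wildfire-virus", "severity": "medium",
     "src": "10.1.1.5", "dst": "203.0.113.14"},
]

QUARANTINE_DAG = {"malware-infected"}  # constructed DAG criteria for a block rule


if __name__ == "__main__":
    res = run_profile(SOC_PROFILE, SAMPLE_EVENTS)
    for rec in res.forwarded:
        print("forwarded", rec)
    print("quarantined-hosts DAG members:", sorted(dag_members(QUARANTINE_DAG, res.registry)))
```

Only the two wildfire-virus events tag 10.1.1.5, so the DAG contains that single host even though four copies were forwarded in total; the traffic event and the medium-severity vulnerability event match no entry and are logged locally only.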
Log Monitoring
A log is an automatically generated and time-stamped file that records
system events occurring on the firewall and network traffic events being
monitored by the firewall. These log entries include artifacts, which
encompass attributes, actions, or characteristics associated with the logged
event, such as the type of application involved or the IP address of a
potential attacker. Each log type is responsible for capturing information
about a distinct event category. For instance, the firewall produces the Threat
log to document traffic that matches patterns of spyware, vulnerabilities,
viruses, or incidents like DoS attacks that meet the predefined criteria for
port scans or host sweeps on the firewall.
Customize Logging and Reporting Settings
Logging and Reporting Settings
This section allows for adjusting various settings, including expiration
periods and storage quotas, for reports and specific log types. These
settings are automatically synchronized between high availability (HA)
pairs.
You can configure expiration periods and storage quotas for logs
generated and stored locally by the firewall, which can be found under
Device > Setup > Management. These settings apply universally to
all virtual systems on the firewall.
EXAM TIP: By default, the firewall establishes an SSL
connection with AES256 encryption to register with Panorama. This
connection involves mutual authentication using predefined 2,048-bit
certificates for both Panorama and the firewall. The SSL connection is
utilized for configuration management and log collection tasks between
the two.
You can manage logs generated and stored locally by M-Series or
Panorama virtual appliances operating in Panorama mode. It includes
System, Config, Application Statistics, and User-ID logs, accessible
under Panorama > Setup > Management.
Furthermore, this section allows you to control logs of all types
generated locally or collected from firewalls by the Panorama virtual
appliance operating in Legacy mode, accessible through Panorama >
Setup > Management.
You can also modify attributes used for computing and exporting user
activity reports.
In addition, predefined reports created on either the firewall or Panorama
can be adjusted in this section.
Plan and Execute the upgrade of a Palo Alto Networks system
Upgrading a Palo Alto Networks system protects your network against the
latest threats. However, it is important to carefully plan and execute the
upgrade process to minimize the impact on your network and avoid any
problems.
Single firewall
The Palo Alto Networks NGFW is equipped with a Single Pass Software,
which efficiently processes packets to perform various actions, including
network operations, User-ID handling, and policy lookup, traffic
classification with application identification (App-ID), content decoding,
and threat detection through signature matching. This streamlined packet
processing approach significantly minimizes the overhead associated with
packet handling.
In contrast, other firewall vendors rely on a different network architecture
that introduces higher overhead when processing packets passing through
the firewall. Another notable feature in some firewall vendors' NGFWs is
Unified Threat Management (UTM), which processes packets and verifies
their contents. This approach can lead to increased CPU usage, negatively
impacting latency and throughput, resulting in performance degradation.
The Single Pass Software is specifically designed to achieve two critical
objectives:
Firstly, it performs operations on a per-packet basis. When a packet is
processed using this mechanism, functions like policy lookup,
application identification, decoding, and signature matching for all
threats and content are executed once.
Secondly, the packets processed by the Single Pass software are
handled in a stream-based manner, employing uniform signature
matching to identify and block threats. Single Pass does not rely on
separate engines, signature sets, or file proxies for scanning files
before download. Instead, it scans packets once in a stream-based
approach, minimizing latency and enhancing throughput.
This content processing carried out by the Single Pass software results in
high throughput and low latency while maintaining all security functions.
Additionally, the software offers the convenience of a fully integrated policy,
simplifying enterprise network security management.
High availability pairs
You can set up two Palo Alto Networks firewalls as a High Availability
(HA) pair, or you can create an HA cluster with up to 16 firewalls where the
members can be HA pairs or standalone firewalls. The primary purpose of
HA is to minimize downtime by ensuring a backup firewall is available if
one of the peer firewalls fails. In an HA pair or cluster, dedicated or in-band
HA ports synchronize data, including network configurations, object
definitions, and policies, and maintain the state information. It is important
to note that certain firewall-specific configurations, such as management
interface IP addresses, administrator profiles, HA settings, logs, and
Application Command Center (ACC) data, are not shared between the peer
firewalls.
Panorama, the centralized management system by Palo Alto Networks, is
recommended to achieve a unified view of applications and logs across an
HA pair. When a failover event occurs, one firewall takes over the traffic
security duties from the other. The conditions that trigger a failover include:
Failure of one or more monitored interfaces.
Inability to reach one or more specified destinations from the firewall.
Lack of response from the firewall to heartbeat polls.
A critical chip or software component failure, as detected by packet path
health monitoring.
Palo Alto Networks firewalls generally support stateful active/passive or
active/active HA with session and configuration synchronization. However,
there are some exceptions:
The VM-Series firewall on Azure and VM-Series firewall on AWS
only support active/passive HA. When deploying the firewall with
Amazon Elastic Load Balancing (ELB) service on AWS, traditional
HA is not supported as the ELB service provides failover capabilities.
The VM-Series firewall deployed on the Google Cloud Platform does
not support traditional high availability (HA).
Upgrading Firewalls Under Panorama Management
Panorama-managed firewalls can receive dynamic updates directly from
Panorama, including scheduled updates. Furthermore, PAN-OS upgrades can
be centrally managed through Panorama. A pair of Panorama instances can
be utilized for enhanced redundancy and security for handling software
updates. The first Panorama, connected to a trusted internet source, can
transfer these updates to a Secure Copy Protocol (SCP) server. The second
Panorama, deployed in an isolated network, can access the same SCP server
as a software update repository. It can then download and distribute the
updates to all the devices under its management.
EXAM TIP: Avoid altering or renaming the content update file
once downloaded to the SCP server. Panorama cannot complete the
download and installation of content updates if the file names have been
modified. Furthermore, to ensure a successful automatic content update,
confirm that there is sufficient disk space available on the SCP server.
Make sure the SCP server is operational and running when the download
process is scheduled to begin. Ensure that both Panorama devices are
powered on and not in the middle of a reboot.
HA Cluster Firewall Updates Managed by Panorama
Panorama treats the managed firewalls in High Availability (HA) pairs as
separate entities regarding software updates.
Dynamic Updates
Palo Alto Networks regularly releases updates that enable the firewall to
enforce security policies without upgrading the PAN-OS software or
modifying the firewall's configuration. These updates provide the firewall
with the most up-to-date security features and threat intelligence.
Except for application updates and some antivirus updates accessible to all
firewalls, the availability of dynamic content updates may vary based on
your specific subscriptions. You can schedule each dynamic content update,
specifying how often the firewall should check for and either download or
install new updates.
Manage HA functions
Palo Alto Networks provides several HA features that can be used to
improve the availability of your network.
Link Monitoring
Settings Related to Critical HA Functions
An HA pair configuration is established by grouping two firewalls and
synchronizing their configurations to eliminate a single network failure
point. A vital heartbeat connection between these firewall peers guarantees a
smooth failover process if one of the peers becomes non-operational.
By configuring two firewalls in an HA pair, you can ensure redundancy and
maintain business continuity. It is important to note that an HA cluster can
consist of up to 16 firewalls or HA pairs, all operating actively to enhance
resilience. HA clusters rely on an HA4 link to synchronize session state
information and employ link and path monitoring to determine the
operational status of cluster members. The HA4 link and potential HA4
backup links determine the functionality of HA cluster members.
HA Functionality
Network monitoring applications utilize SNMP for interrogating various
network components, including the Next-Generation Firewall (NGFW). The
firewall contains specific High Availability (HA) related information. You
can employ SNMP to monitor the dedicated (Control link) HA1, (Data Link)
HA2, HA2 backup, and HA3 interfaces. For SNMP statistics concerning the
dedicated HA2 interfaces, you can use the IF-MIB and the interface's
Management Information Base (MIB). Panorama offers Managed Device
Health Monitoring, which presents essential HA status information in a
summarized view within the Panorama management web interface.
Path Monitoring
You can specify a group of destination IP addresses for the firewall to
monitor continuously. This monitoring is carried out using ICMP pings to
assess the reachability of these mission-critical IP addresses along their
network path. The default ping interval is 200 milliseconds, and an IP
address is marked as unreachable when 10 consecutive pings fail (the default
value).
When defining the failure condition for the IP addresses within a destination
IP group, you can choose between two options: Any IP address unreachable
or All IP addresses unreachable within that group. Multiple destination IP
groups can be assigned to a path group for a virtual wire, VLAN, or virtual
router. The failure condition for destination IP groups within a path group is
set to either "Any" or "All," which then determines the overall status of the
path group.
Furthermore, you can configure multiple path groups for virtual wires,
VLANs, and routers. To trigger a failover, you need to determine the global
failure condition, which can be set as Any path group fails or All path
groups fail. By default, if any of the IP addresses within any destination IP
group in any virtual wire, VLAN, or virtual router path group becomes
unreachable, the firewall will transition to a non-functional state (or tentative
state in active/active mode) to signal the failure of the monitored entity.
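The hierarchy of failure conditions described above (address, destination IP group, path group, global) is easy to get wrong when tuning HA. The following added example, which is not code from the study guide or from Palo Alto Networks, models that evaluation in Python with the defaults quoted in the text (200 ms ping interval, 10 consecutive failures); the group names and gateway addresses are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Literal

# Defaults quoted in the text: a ping every 200 ms, and an address is marked
# unreachable after 10 consecutive ping failures.
PING_INTERVAL_MS = 200
PING_FAILURE_COUNT = 10

Condition = Literal["any", "all"]


@dataclass
class DestinationIPGroup:
    name: str
    addresses: List[str]
    failure_condition: Condition   # "any" or "all" addresses unreachable


@dataclass
class PathGroup:
    name: str                      # the virtual wire, VLAN or virtual router
    dest_groups: List[DestinationIPGroup]
    failure_condition: Condition   # "any" or "all" destination IP groups failed


@dataclass
class PathMonitor:
    path_groups: List[PathGroup]
    global_condition: Condition    # "any" path group fails or "all" path groups fail


def _combine(results: List[bool], condition: Condition) -> bool:
    """Apply an Any/All failure condition to the results of the child level.
    Note the Python edge case: any([]) is False and all([]) is True, so an
    empty group never fails under "any" and always fails under "all"."""
    return any(results) if condition == "any" else all(results)


def address_unreachable(consecutive_failures: Dict[str, int], ip: str) -> bool:
    """An address is unreachable once PING_FAILURE_COUNT consecutive pings fail."""
    return consecutive_failures.get(ip, 0) >= PING_FAILURE_COUNT


def dest_group_failed(group: DestinationIPGroup, failures: Dict[str, int]) -> bool:
    return _combine([address_unreachable(failures, ip) for ip in group.addresses],
                    group.failure_condition)


def path_group_failed(pg: PathGroup, failures: Dict[str, int]) -> bool:
    return _combine([dest_group_failed(g, failures) for g in pg.dest_groups],
                    pg.failure_condition)


def should_fail_over(monitor: PathMonitor, failures: Dict[str, int]) -> bool:
    """True when the global failure condition is met, i.e. the firewall would go
    non-functional (tentative in active/active) and a failover is triggered."""
    return _combine([path_group_failed(pg, failures) for pg in monitor.path_groups],
                    monitor.global_condition)


def detection_time_ms() -> int:
    """Time from the first lost ping until an address is declared unreachable."""
    return PING_INTERVAL_MS * PING_FAILURE_COUNT   # 2000 ms with the defaults


def default_monitor() -> PathMonitor:
    # Constructed example: one virtual-router path group that monitors two
    # upstream gateways (documentation addresses) with "any" at every level,
    # which is the default behaviour described in the text.
    gateways = DestinationIPGroup("isp-gateways", ["198.51.100.1", "203.0.113.1"], "any")
    return PathMonitor([PathGroup("vr-default", [gateways], "any")], "any")


def tolerant_monitor() -> PathMonitor:
    # Same addresses, but only the loss of every gateway counts as a failure.
    gateways = DestinationIPGroup("isp-gateways", ["198.51.100.1", "203.0.113.1"], "all")
    return PathMonitor([PathGroup("vr-default", [gateways], "all")], "all")


if __name__ == "__main__":
    one_gateway_down = {"198.51.100.1": 10}   # constructed ping-failure counters
    print("default config fails over:", should_fail_over(default_monitor(), one_gateway_down))
    print("tolerant config fails over:", should_fail_over(tolerant_monitor(), one_gateway_down))
    print("detection time (ms):", detection_time_ms())
```

With the defaults, a single monitored gateway going dark for two seconds is enough to fail the whole firewall over, which is why the Any/All settings matter in multi-homed deployments.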
HA Links
Firewalls in a High Availability (HA) pair rely on HA links to synchronize
data and maintain state information. Depending on the firewall model, these
links can be dedicated HA ports, such as Control link (HA1) and Data link
(HA2), or in-band ports used as HA links.
Here are the recommended practices for configuring these HA links:
It is advised to utilize firewalls equipped with dedicated HA ports to
manage communication and synchronization between the two
firewalls.
In cases where the firewall lacks dedicated HA ports, as seen in
models like PA-220 and PA-220R, the best practice is to employ the
management port for HA1 and the dataplane port for HA1 backup.
When working with firewalls that lack dedicated HA ports, you should
decide which ports to use for HA1 and HA1 backup based on your
specific environment. Choosing the interfaces that are under the least
usage and congestion is essential. Assign HA1 to the most suitable
interface and designate the other as HA1 backup.
The HA peers can mix standalone members and HA pairs in an HA cluster.
For session state synchronization, HA cluster members utilize an HA4 link
and an HA4 backup link. It is important to note that HA1 (control link), HA2
(data link), and HA3 (packet-forwarding link) are not supported for
communication between cluster members that are not configured as HA
pairs.
Failover
When one firewall in an HA pair (or a peer in an HA cluster) takes over
securing network traffic due to a failure, this event is called a failover.
Various conditions, including monitored metrics on a firewall, can trigger
failovers:
Heartbeat Polling and Hello Messages
Link Monitoring
Path Monitoring
Additionally, a failover can take place under the following circumstances:
When the administrator manually suspends the firewall.
When preemption occurs, it allows the original primary firewall to
resume its role.
A failover can happen due to an internal health check failure on the PA-3200
Series, PA-5200 Series, and PA-7000 Series firewalls. This health check,
designed to monitor critical components like the FPGA and CPUs, is not
user-configurable. General health checks can also trigger failovers on any
platform.
In the case of a Network Processing Card (NPC) failure in a PA-7000 Series
firewall that is part of an HA cluster, the following scenarios can occur:
If the NPC responsible for holding the HA clustering session cache
goes down, the firewall becomes non-functional. External session
distribution devices, like load balancers, must detect the firewall's
status change and redirect session load to other cluster members.
If an NPC of a cluster member fails and no link monitoring or path
monitoring is enabled on that NPC, the PA-7000 Series firewall
member remains operational but with reduced capacity.
If the NPC of a cluster member fails and link monitoring or path
monitoring is enabled on that NPC, the PA-7000 Series firewall
becomes non-functional. Once again, session distribution devices must
detect the change and distribute the session load to the remaining
cluster members.
Active/Active and Active/Passive
HA Pair Modes
Palo Alto Networks firewalls offer stateful active/passive or active/active
High Availability (HA) support, but there are some exceptions:
The VM-Series firewall on Amazon Web Services (AWS) only
supports active/passive HA. HA is not supported if this firewall is
deployed with Amazon Elastic Load Balancing (ELB), as ELB takes
care of failover functionality.
The VM-Series firewall on Microsoft Azure supports active/passive
HA starting with PAN-OS 9.x.
The VM-Series firewall on the Google Cloud Platform lacks support
for traditional high availability (HA).
In public cloud deployments, VM-Series firewalls can be implemented in a
scaled setup, allowing multiple virtual firewalls to distribute traffic load by
creating parallel firewall instances. A cloud vendor's load balancer is
typically deployed before the firewall scale is set to manage traffic
distribution among available firewalls. This approach also creates an HA
scenario, where failing firewall instances can be automatically removed from
the scale set using the load balancer's detection mechanisms.
However, it is important to note that the scale-set HA method often lacks
session synchronization between firewalls. Consequently, failovers in this
scenario can be disruptive because existing sessions are terminated.
Active/Passive Pairs
Active/passive High Availability (HA) deployment is typically
recommended. In this setup, one firewall actively manages network traffic
while the other remains synchronized and ready to assume an active role if a
failure occurs. Both firewalls have identical configuration settings, and one
actively manages traffic until a path, link, or system failure triggers a
transition.
When the actively managing firewall experiences an issue and fails, the
passive firewall seamlessly takes over, enforces the same policies, and
ensures ongoing network security. Importantly, the firewalls synchronize
their session state tables, allowing the passive partner to take on the active
role and continue serving active sessions during failover. Active/passive HA
is compatible with virtual wire, Layer 2, and Layer 3 deployments.
Active/passive configurations are often simpler to manage because one
firewall handles traffic, and both firewalls share the same traffic interface
configuration.
EXAM TIP: When incorporating a new firewall for high
availability (HA) alongside an existing firewall, it is advisable to follow
the best practices. If the new firewall arrives with a pre-existing
configuration, resetting it to its factory default settings is recommended.
This action guarantees that the new firewall starts with a clean and default
configuration. Once the HA setup is in place, you can synchronize the
configuration from the primary firewall onto the newly added firewall with
its fresh, clean configuration.
Active/Active Pairs
In an active/active High Availability (HA) configuration, both firewalls in
the pair are actively processing network traffic. They operate synchronously,
managing session setup and session ownership collectively. Each firewall
maintains its own session and routing tables and stays in sync. This mode is
supported in both virtual wire and Layer 3 deployments.
However, some considerations exist when using active/active HA: Firewall
HA interfaces cannot receive IP addresses via DHCP. Only the traffic
interface on the active-primary firewall can function as a DHCP relay. The
active-secondary firewall drops DHCP broadcast packets. Furthermore, in a
Layer 3 deployment of active/active HA, you can assign floating IP
addresses that can move from one HA firewall to the other in case of a link
or firewall failure. The floating IP address's firewall interface responds to
ARP requests using a virtual MAC address.
Floating IP addresses are beneficial when you need features like the Virtual
Router Redundancy Protocol. They can also be used to implement VPNs and
source Network Address Translation (NAT), allowing for persistent
connections if a firewall providing those services fails.
Each HA firewall interface has its IP address and a floating IP address. The
interface IP address remains specific to the local firewall, while the floating
IP address shifts between firewalls upon a firewall failure. End hosts are
configured to use the floating IP address as their default gateway, enabling
traffic load balancing between the two HA peers. External load balancers
can also be utilized to distribute traffic.
When a link or firewall fails or a path monitoring event triggers a failover,
the floating IP address and virtual MAC address transfer to the functional
firewall. The functioning firewall sends a gratuitous ARP to update the
MAC tables of connected switches, informing them of the change in
ownership for redirecting traffic.
Once the failed firewall recovers, the floating IP address and virtual MAC
address typically return to the firewall with the Device ID (0 or 1) it was
originally associated with. Specifically, when the failed firewall is back
online, the currently active firewall checks whether the floating IP address
belongs to itself or the other firewall and automatically reassigns it to the
appropriate owner.
Figure 10-01: Floating IP deployment
For interfaces with a floating IP address or ARP load-sharing IP address,
each firewall in the HA pair generates a virtual MAC address.
HA interfaces
HA Links and Backup Links
Firewalls in an HA pair and cluster rely on HA links to synchronize data and
maintain state information. Some firewall models provide dedicated HA
ports, including the control link (HA1) and data link (HA2), while others
necessitate using in-band ports as HA links. In HA clusters, in-band Layer 3
HA4 interfaces are used for cluster session synchronization. Here are the
recommended practices for configuring HA links:
For firewalls with dedicated HA ports, it is advised to utilize these
dedicated ports to manage communication and synchronization
between the firewalls.
In cases where the firewall lacks dedicated HA ports, the best practice
is to employ a data plane port for the HA port and use the management
port as the HA1 backup.
Implementing backup HA paths is highly recommended, especially since the
HA ports synchronize critical data required for proper HA failover. In
situations where dedicated backup links are unavailable, in-band ports can
serve as backup links for HA1, HA2, and HA3 connections.
When configuring backup HA links, be sure to consider the following
guidelines:
Ensure that the IP addresses of the primary and backup HA links do
not overlap.
The HA backup links should reside on a subnet distinct from the
primary HA links.
Separate physical ports must be configured for the HA1-backup and
HA2-backup links, with the HA1-backup link using ports 28770 and
28260.
EXAM TIP: Data ports can be set up for both dedicated HA and backup
HA interfaces. In cases where firewalls lack dedicated HA interfaces, like
the PA-200 and PA-400 Series, you must configure a data port to function
as an HA interface. These data ports, designated as HA1, HA2, or HA3
interfaces, can be directly connected to each HA interface on the firewall
or linked through a Layer 2 switch. However, enabling jumbo frames is
essential when configuring a data port as an HA3 interface because HA3
messages exceed the standard 1,500-byte frame size.
Clustering
Numerous Palo Alto Networks firewall models offer session state
synchronization capabilities within an HA cluster, supporting up to 16
firewalls. This HA cluster functionality allows peer firewalls to synchronize
sessions, protecting against potential data center failures or issues in large
security inspection points where horizontally scaled firewalls are used. In the
event of a network outage or the unavailability of a firewall, sessions can
smoothly transition to another firewall within the cluster.
This synchronization feature is particularly advantageous in the following
scenarios:
When HA peers are distributed across multiple data centers, it ensures
session continuity and redundancy.
When one data center is actively in use while the other remains on
standby as a backup.
Figure 10-02: HA peers across multiple data centers
Additionally, a third use case for HA clustering is horizontal scaling. In this
setup, HA cluster members are added to a single data center to expand
security capabilities and guarantee session survivability.
Figure 10-03: Horizontal scaling in HA Clustering
HA clusters offer support for both Layer 3 and virtual wire deployments.
You can include a combination of HA pairs and standalone cluster members
within an HA cluster. It is important to note that in an HA cluster, all
members are active; there is no concept of passive firewalls, except for HA
pairs, which can retain their active/passive relationship even after being
added to an HA cluster.
All cluster members collaborate to share the session state. When a new
firewall is introduced into an HA cluster, it prompts all the firewalls in the
cluster to synchronize their existing sessions. This synchronization is
facilitated through the dedicated HA4 and HA4 backup connections,
ensuring session state consistency among all cluster members with the same
cluster-ID. The HA4 link also monitors connectivity between cluster
members. However, it is crucial to be aware that HA1 (control link), HA2
(data link), and HA3 (packet-forwarding link) are not supported for
communication between cluster members that are not configured as HA
pairs.
In session logging, only the firewall that originally owned the session
generates a traffic log for a typical session that has not undergone failover. In
the case of a session that has experienced failover, the new session owner,
which is the firewall receiving the traffic after failover, generates the traffic
log.
EXAM TIP: During an upgrade process, firewall members
maintain session synchronization, even when one member is operating on
a different software version.
Please refer to the accompanying table (Table 10-01) for specific details
regarding the firewall models that support HA clustering and the maximum
number of members allowed per cluster.
Table 10-01: Firewall model support for HA clustering
Election setting
The following election settings can be configured or enabled:
Device Priority: This setting involves assigning a priority value to
each firewall to determine which becomes the active one. The firewall
with the lower priority value (higher priority) will take on the active
role. The priority value range is from 0 to 255. This prioritization
comes into play when both firewalls in the pair have the preemptive
capability enabled.
Preemptive: Enabling this setting allows the higher-priority firewall
to regain its active role (in active/passive or active-primary modes)
after recovering from a failure. It is important to note that the
preemption option must be enabled on both firewalls for the higher-
priority firewall to resume its active or active-primary status upon
recovery. If this setting is disabled, the lower-priority firewall will
remain active or active-primary even after the higher-priority firewall
recovers from a failure.
Heartbeat Backup: This setting utilizes the management ports on the
HA firewalls to provide a backup path for transmitting heartbeat and
Hello messages. The management port's IP address is shared with the
HA peer through the HA1 control link. No extra configuration is
required for this functionality.
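The interaction between Device Priority and the Preemptive setting is a common exam trap: the lower numeric value wins, and preemption only happens when it is enabled on both peers. The following added example (not code from the study guide or from Palo Alto Networks) traces the active role through an outage and recovery; the peer names and priority values are constructed, and the tie-break for equal priorities is an assumption because the text does not define one.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class HAPeer:
    name: str
    device_priority: int   # 0-255; the LOWER value is the higher priority
    preemptive: bool       # the "Preemptive" election setting on this peer
    healthy: bool = True

    def __post_init__(self) -> None:
        if not 0 <= self.device_priority <= 255:
            raise ValueError("device priority must be between 0 and 255")


def preferred(a: HAPeer, b: HAPeer) -> HAPeer:
    """The peer with the lower priority value. The text gives no tie-break,
    so equal priorities are resolved in favour of 'a' here (assumption)."""
    return a if a.device_priority <= b.device_priority else b


def elect_active(a: HAPeer, b: HAPeer, current_active: Optional[str]) -> Optional[str]:
    """Return the name of the peer holding the active (or active-primary) role
    after this evaluation, or None when neither peer is healthy."""
    healthy = [p for p in (a, b) if p.healthy]
    if not healthy:
        return None
    if len(healthy) == 1:
        return healthy[0].name           # failover: the surviving peer is active
    if current_active not in (a.name, b.name):
        return preferred(a, b).name      # initial election by device priority
    # Both peers healthy and one already active: the higher-priority peer
    # regains the role only when Preemptive is enabled on BOTH firewalls.
    if a.preemptive and b.preemptive:
        return preferred(a, b).name
    return current_active                # otherwise the incumbent stays active


def simulate_outage(a: HAPeer, b: HAPeer) -> List[Optional[str]]:
    """Trace the active role through three events: the initial election,
    failure of the elected peer, and that peer's recovery."""
    trace: List[Optional[str]] = []
    active = elect_active(a, b, None)
    trace.append(active)
    elected = a if a.name == active else b
    elected.healthy = False              # the active peer fails
    active = elect_active(a, b, active)
    trace.append(active)
    elected.healthy = True               # the failed peer recovers
    active = elect_active(a, b, active)
    trace.append(active)
    return trace


if __name__ == "__main__":
    # Constructed pairs: fw-a has the better (lower) priority in both cases.
    print("preempt on both :", simulate_outage(HAPeer("fw-a", 50, True), HAPeer("fw-b", 100, True)))
    print("preempt on one  :", simulate_outage(HAPeer("fw-a", 50, True), HAPeer("fw-b", 100, False)))
```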
Mind Map
Figure 10-04: Mind Map of Manage and Operate
Practice Questions
1. Which of the following options can log events assign dynamic tags
to for both source and destination addresses?
A. Source and destination zone name
B. Source and destination address
C. Interface, zone name
D. DNS name, zone name
2. What is the purpose of the Device > Setup > Management page?
A. To allow you to configure expiration periods and storage quotas for
logs of all types generated and stored locally by the firewall.
B. To configure log forwarding profiles.
C. To configure security policy rules.
D. To configure user accounts and roles.
3. How can the firewall employ dynamically tagged objects to restrict
traffic?
A. Integrate the object into an enforcement list of a Data Filtering
object, which is subsequently linked to a Security policy rule.
B. Allocate the object to a dynamic list and include it in a Security
policy rule's destination address matching condition.
C. Attach the object to a Dynamic Address Group object, and then
include this group in the destination address matching condition of a
Security policy rule.
D. Include the object within an application group and utilize it in the
Security policy rules.
4. Which of the following is a Palo Alto Networks cloud-based
solution that can serve as a central repository for forwarded logs from
multiple Palo Alto Networks devices?
A. Cortex Data Lake
B. Panorama
C. Threat Prevention
D. WildFire
5. What are some benefits of using tags with log forwarding?
A. Tags can be used to automate actions and to create Dynamic
Address Groups.
B. Tags can be used to filter log events more easily.
C. Tags can be used to create custom log reports.
D. All of the above
6. What is the purpose of Log Forwarding Profile match lists?
A. To allow administrators to forward log events based on specific
criteria selectively.
B. To group log events together for easier analysis.
C. To create custom log reports.
D. All of the above
7. What are the four types of logs where a tag can be dynamically
assigned to data?
A. Traffic
B. Threat
C. URL Filtering
D. HIP Match
E. Tunnel Inspection
F. Configuration
G. System
8. Which log records the Dynamic tagging activity?
A. System
B. Configuration
C. IP-Tag
D. Data Filtering
9. What two types of log formats can a firewall forward log events to?
A. XES
B. SNMP
C. HTTP
D. Databases using the XML format
10. How does a firewall forward log events to an external destination?
A. They are dispatched in groups at the intervals defined within the
destination's Server Profile.
B. Log entries are queued and transmitted in batches at varying time
intervals, contingent on the severity of the events.
C. Dispatch occurs at the pace dictated by the applicable QoS policy
rule that governs log event traffic.
D. Logs are transmitted in real time when the firewall generates them.
11. What two firewall logs can be exported using the Scheduled Log
Export function?
A. Configuration
B. System
C. Traffic
D. URL
12. What is the intended advantage of an active/active firewall pair
versus an active/passive pair?
A. Increased throughput
B. Asynchronous routing support
C. Increased session count
D. Shared dynamic updates
13. Where does a firewall forward HA-related events to an external
monitoring technology?
A. Go to Device > Log Settings > System Log settings
B. Access it via Objects > Log Forwarding Profile > System Log
Type.
C. You can find it under Device > High Availability > General >
Event Forwarding.
D. Navigate through Dashboard > High Availability Widget >
Notification
14. What two Panorama objects can display the current HA state
information about a managed firewall?
A. Check the firewall listings under Monitor > HA Status.
B. Discover firewall-specific information within Managed Devices >
Health.
C. Firewall listings in Managed Devices > Summary
D. The Firewall HA Status widget is in Dashboard > Widgets.
E. The firewall's high availability status can be found in Panorama >
High Availability.
15. Which two of the following firewall features can use floating IP
addresses in an active/active HA pair?
A. Data-plane traffic interfaces
B. Source NAT
C. VPN endpoints
D. Loopback interfaces
E. Management port
Chapter 11: Troubleshooting
Introduction
Troubleshooting Palo Alto Networks and Panorama involves a detailed
analysis of logs, including Traffic, Threat, and System logs for Palo Alto
Networks firewalls. Administrators address issues related to Site-to-Site
Tunnels, Interfaces, Decryption, and Routing, and employ General
Troubleshooting techniques. Panorama, the centralized management tool,
aids in efficiently managing multiple firewalls by providing a consolidated
view of logs and configurations. The process includes log analysis, policy
verification, and ensuring consistent configurations across all devices for
effective issue resolution. In this chapter:
The exploration will initiate with an in-depth analysis of Site-to-Site
Tunnels, elucidating the intricacies involved in establishing secure
communication links between remote networks.
Subsequently, the focus will shift toward Interfaces, delving into issues
related to network connectivity, configuration nuances, and the
optimization of performance parameters.
A dedicated segment on Decryption will follow, emphasizing its
pivotal role in the meticulous monitoring and securing of network
traffic within the firewall framework.
Routing, being a foundational element of network connectivity, will
undergo thorough scrutiny, offering meticulous guidance for
addressing and resolving routing anomalies.
General Troubleshooting techniques will be elucidated, providing
practitioners with effective tools to discern and rectify commonplace
firewall-related challenges.
The chapter will extend its purview to encompass Resource Protection,
GlobalProtect, Policies, and High Availability (HA) Functions,
ensuring a holistic comprehension of Palo Alto firewall
troubleshooting intricacies.
Whether professionals will be grappling with network connectivity
intricacies, security challenges, or general firewall misconfigurations, this
chapter will equip them with the requisite insights and expertise for adeptly
navigating and resolving these upcoming challenges.
Troubleshoot Site-to-Site Tunnels
Troubleshooting Site-to-Site IPSec Tunnels on a Palo Alto Firewall is a
critical and intricate task that demands a deep understanding of network
security and firewall configurations. In today’s interconnected world,
organizations rely heavily on these secure communication channels to
transmit data between geographically dispersed locations. However, when
issues arise with these tunnels, they can disrupt business operations and
compromise the security of sensitive information. In this topic, you will
explore the essential steps and techniques required to effectively diagnose
and resolve problems within Site-to-Site IPSec Tunnels on Palo Alto
Firewalls, ensuring the seamless flow of data and safeguarding network
integrity. Whether you’re an experienced network administrator or a novice
in the field, this guide will provide valuable insights into troubleshooting
these critical components of modern network infrastructure.
Troubleshoot Phase 1
1. To eliminate potential ISP-related issues, begin by conducting a ping test
from the Palo Alto (PA) firewall’s external interface to the peer’s IP address.
Ensure that ping requests are allowed on the external interface of the peer’s
device.
2. If ping requests are blocked due to security requirements, alternative
methods can be employed. Check whether the other peer is responding to the
main/aggressive mode messages or the Dead Peer Detection (DPD)
messages. You can monitor these responses in the system logs, accessible
under the Monitor tab or within the ikemgr logs.
3. Verify that the Internet Key Exchange (IKE) identity is configured
correctly. Also, confirm that there is a policy in place to permit IKE and
IPSec applications. Typically, such a policy is not necessary if there is no
cleanup rule configured on the firewall. However, if a cleanup rule is in
place, this policy is typically configured between the external zones.
Cleanup Rule: A cleanup rule is a catch-all rule at the end of the rulebase
that decides what to do with traffic that does not match any specific rule. If
you do not have a cleanup rule, you may not need the separate policy for
IKE and IPSec.
4. Ensure that the encryption and authentication proposals are correctly
configured. In the event of a mismatch, logs indicating the issue can be
found in the system logs or by using the CLI command:
> less mp-log ikemgr.log
5. Double-check that the Pre-Shared Key (PSK) is accurate. If it is incorrect,
logs highlighting the PSK mismatch can be located in the system logs or by
using the following CLI command:
> less mp-log ikemgr.log
6. To gain further insight into the traffic behavior, consider capturing packets
and subsequently analyzing them. Utilize filters to narrow down the scope of
the captured traffic.
Here are some useful CLI commands for troubleshooting:
> show vpn ike-sa gateway <name>
> test vpn ike-sa gateway <name>
> debug ike stat
These commands can provide valuable information for diagnosing and
resolving issues with your Site-to-Site IPSec Tunnels on the Palo Alto
Firewall.
Advanced CLI Commands
1. Detailed Logging: If you want to get very detailed information about
what is happening, you can turn on debug-level logging:
To turn it on, use the command:
> debug ike global on debug
Then, you can view the logs using:
> less mp-log ikemgr.log
2. Capturing Negotiations: If you want to capture the messages that are
part of the negotiations (like setting up a secure connection), you can turn on
packet capturing (pcaps):
Use the command to turn capturing on:
> debug ike pcap on
Use the command to view these captured messages:
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
3. Turning Off Debugs: When you are done with the detailed logging and
packet capturing, make sure to turn them off to avoid clutter:
Use the command to turn off packet capturing:
> debug ike pcap off
Use the command to turn off detailed logging:
> debug ike global off
4. Packet Filters: If you want to focus your packet capturing on a specific
part of your network, you can configure packet filters. By default, capturing
shows all VPN traffic.
5. Checking NAT-T: To confirm that NAT-Traversal (NAT-T) is in use, check
that the packets switch from UDP port 500 to UDP port 4500 starting with the
5th and 6th messages of the main mode negotiation.
6. Vendor ID Check: Make sure that the vendor ID (identification) of the
peer (the other device you are connecting to) is supported on your Palo Alto
Networks device and vice versa. This helps ensure compatibility and
successful communication.
These commands are like tools for getting more information when you are
troubleshooting or setting up secure connections. You can turn on detailed
logs, capture negotiation messages, and check if certain settings are working
as expected. Just remember to turn them off when you are done to keep
things tidy.
Troubleshoot Phase 2
1. Check Tunnel Negotiation: Make sure the firewalls are negotiating with
each other and that two Security Associations (SPIs), one for each direction,
are in place to protect the connection. You can check this using the
following commands:
Use the command to see the status of all your IPSec tunnels:
> show vpn ipsec-sa
Use the command to check a specific tunnel:
> show vpn ipsec-sa tunnel <tunnel.name>
2. Proposals Check: Ensure the negotiation terms (proposals) are correct. If
they are not, you can find logs about the mismatch in the system logs under
the Monitor tab.
You can also use this command to check:
> less mp-log ikemgr.log
3. Perfect Forward Secrecy (PFS): Make sure that PFS is turned on at both
ends of the tunnel. If it is not, you will see logs about the mismatch in the
system logs or by using the command:
> less mp-log ikemgr.log
4. Proxy-ID Configuration: Usually, you do not need to set up a proxy-ID
when both ends of the tunnel are Palo Alto Networks firewalls. But if the
other end is from a different vendor, you might need to configure these IDs.
A mismatch can be seen in the system logs or by using this command:
> less mp-log ikemgr.log
Useful CLI Commands:
1. This command shows the current status of the tunnel.
> show vpn flow name <tunnel.id/tunnel.name>
2. Use the command to check if data transmission is happening by looking
at the data bytes sent and received.
> show vpn flow name <tunnel.id/tunnel.name> | match bytes
If the number of encapsulation bytes increases without a corresponding
increase in decapsulation, it suggests that the firewall is transmitting
packets but not receiving them.
If decapsulation bytes increase but encapsulation does not, it means the
firewall is receiving but not transmitting packets.
3. Use the command to check if the firewall knows where to send traffic
destined for a specific IP address.
> test routing fib-lookup virtual-router default ip <destination IP>
4. Use the command to display the routing information.
> show routing route
5. Use the command to test the status of a specific IPSec tunnel.
> test vpn ipsec-sa tunnel <name>
These commands help you troubleshoot and check the status of your secure
connections, making sure data is flowing smoothly between your firewalls.
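The encapsulation/decapsulation rule above, applied to two snapshots of the `show vpn flow name <tunnel> | match bytes` output, as an added example that is not code from the study guide or from Palo Alto Networks. The "encap bytes" / "decap bytes" labels follow the PAN-OS output; the two snapshots are constructed.

```python
"""Classify the direction of traffic on an IPSec tunnel from two snapshots of
`show vpn flow name <tunnel> | match bytes`, following the guide's rule:
encap rising alone means sending but not receiving, decap rising alone means
receiving but not sending.

Added example, not code from the study guide or from Palo Alto Networks.
The counter labels follow the PAN-OS output; the snapshots are constructed
(taken about ten seconds apart).
"""
import re

# Constructed sample output: only the lines `| match bytes` would leave.
SNAPSHOT_T0 = """\
        encap bytes:            104200
        decap bytes:            98760
"""
SNAPSHOT_T1 = """\
        encap bytes:            118300
        decap bytes:            98760
"""

COUNTER_RE = re.compile(r"^\s*(encap|decap) bytes:\s+(\d+)\s*$", re.MULTILINE)

VERDICTS = {
    "bidirectional": "encap and decap both increasing: traffic flows both ways",
    "tx-only": "encap increasing, decap flat: the firewall sends but receives "
               "nothing (check the peer side and any upstream device dropping ESP)",
    "rx-only": "decap increasing, encap flat: the firewall receives but sends "
               "nothing (check local routing to the tunnel interface and policy)",
    "idle": "no counter movement: no traffic is being offered to the tunnel",
    "reset": "a counter went backwards (SA rekeyed or counters cleared): retake",
}


def parse_bytes(output):
    """Return {'encap': int, 'decap': int} from the filtered CLI output."""
    counters = {m.group(1): int(m.group(2)) for m in COUNTER_RE.finditer(output)}
    missing = {"encap", "decap"} - counters.keys()
    if missing:
        raise ValueError(f"counter(s) not found in output: {sorted(missing)}")
    return counters


def diagnose(before, after):
    """Return (verdict, delta_encap_bytes, delta_decap_bytes) for two snapshots."""
    b, a = parse_bytes(before), parse_bytes(after)
    d_encap = a["encap"] - b["encap"]
    d_decap = a["decap"] - b["decap"]
    if d_encap < 0 or d_decap < 0:
        verdict = "reset"
    elif d_encap and d_decap:
        verdict = "bidirectional"
    elif d_encap:
        verdict = "tx-only"
    elif d_decap:
        verdict = "rx-only"
    else:
        verdict = "idle"
    return verdict, d_encap, d_decap


if __name__ == "__main__":
    verdict, tx, rx = diagnose(SNAPSHOT_T0, SNAPSHOT_T1)
    print(f"{verdict}: +{tx} encap bytes, +{rx} decap bytes")
    print(VERDICTS[verdict])
```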
Advanced CLI Commands
1. Use the command to enable detailed IKE (Internet Key Exchange)
debugging:
> debug ike global on debug
2. Use the command to view IKE debugging logs:
> less mp-log ikemgr.log
3. Use the command to activate packet capturing to capture IKE negotiation
packets for troubleshooting:
> debug ike pcap on
4. Use the command to view the captured packets:
> view-pcap no-dns-lookup yes no-port-lookup yes debug-pcap ikemgr.pcap
5. Use the command to deactivate packet capturing to stop capturing
packets:
> debug ike pcap off
6. Use the command to disable global IKE debugging:
> debug ike global off
If Tunnels Are Up, but Traffic Is not Passing Through:
First, check your security policies and routing settings to ensure they are
correctly configured.
Be aware that some devices upstream (in the network path) may perform
port and address translations. Because Encapsulating Security Payload (ESP)
is a layer 3 protocol, ESP packets do not have port numbers. Devices that
expect port numbers may silently drop ESP packets. This can be a common
reason for traffic not passing through the tunnel.
If the issue persists, consider applying debug packet filters, captures, or logs
as needed to pinpoint where the traffic is being dropped or encountering
issues. These tools can help you isolate the problem and gather more
information for troubleshooting.
Troubleshoot Interfaces
Troubleshooting Interfaces is an essential skill in managing Palo Alto
Networks firewalls. Interfaces serve as the critical points of contact between
your firewall and the broader network environment. Whether it is physical
connections handling incoming and outgoing traffic or virtual interfaces
facilitating the flow of data within your network, interfaces are the gateways
that demand careful attention. This section delves into the world of Interface
troubleshooting, offering insights and techniques to diagnose and resolve
issues that can impact network performance, security, and overall
functionality. Whether you are dealing with configuration problems,
connectivity issues, or performance bottlenecks, understanding how to
troubleshoot interfaces effectively is paramount in ensuring that your Palo
Alto firewall operates at its peak.
Troubleshoot Connectivity Issues on the Management Interface
1. On Your Laptop: First, download and install a program called Wireshark
on your laptop. Then, set up the IP address on your laptop so that it is in the
same network as the IP address of the firewall’s management interface.
2. On the Firewall: Physically connect the laptop you set up earlier to the
firewall’s management interface. Make sure the management interface’s
LED light is GREEN and blinking.
3. Back to Your Laptop: Now, open Wireshark on your laptop. Use your
laptop to send a ping command to the IP address of the firewall’s
management interface.
On the Firewall’s Console (Command Line):
Access the firewall’s console port and type in the following commands:
admin@lab> show interface management
admin@lab> show arp management (look for the MAC address of your laptop)
admin@lab> ping host <laptop’s IP address>
admin@lab> show arp management (look for the MAC address of your laptop)
4. Back to Your Laptop: After you have sent the ping and completed the
steps on the firewall’s console, stop Wireshark.
Review the captured data in Wireshark, specifically looking for ARP packets
(Address Resolution Protocol) and ICMP packets (these are the ping
packets).
These steps help you analyze network communication between your laptop
and the firewall. It’s like checking how two devices talk to each other on the
network. You can refer to additional instructions if you need to perform a
tcpdump (another network analysis tool) from the console.
Viewing and Exporting Capture Files:
1. To View the Capture File:
If you want to see what is inside the capture file, you can do it using the
command line interface (CLI) with this command:
admin@lab> view-pcap mgmt-pcap mgmt.pcap
This command allows you to open and examine the contents of the capture
file.
2. To Export the Capture File:
If you need to take the capture file and move it to another location or device,
you can use these commands:
admin@lab> scp export mgmt-pcap from mgmt.pcap to <username@host:path>
This command lets you securely copy the capture file to another device using
SCP (Secure Copy Protocol).
Alternatively, you can also export the capture file using TFTP (Trivial File
Transfer Protocol) with this command:
admin@lab> tftp export mgmt-pcap from mgmt.pcap to <TFTP host>
This command is another way to transfer the capture file, typically to a TFTP
server, which is a simple way to share files over a network.
In simple terms, these commands help you either view the contents of a
capture file or move it to another place or device for further storage or
analysis.
Troubleshoot Decryption
Troubleshooting decryption within Palo Alto Firewalls is a vital endeavor in
the realm of network security and data protection. Palo Alto Firewalls serve
as robust guardians against modern cyber threats, but their ability to inspect
and secure encrypted traffic relies on the effectiveness of decryption
processes. In this comprehensive section, you will delve into the intricacies
of diagnosing and resolving decryption issues within Palo Alto Firewalls,
empowering network administrators and security professionals to bolster
their network security posture. Whether you are a seasoned expert or a
newcomer to the world of cybersecurity, this guide will provide valuable
insights into mastering the art of troubleshooting decryption in Palo Alto
Firewalls to ensure secure and uninterrupted data flow.
Troubleshoot and Monitor Decryption
Troubleshooting tools help you understand what is happening with your TLS
(secure web) traffic. These tools are like X-ray vision for your internet
security. They allow you to find and fix problems with your security setup
quickly.
For instance, with these tools, you can:
1. Figure out what is causing problems with decrypting web traffic by
looking at the service names and applications.
2. Identify any weak security methods that might be used by your web
traffic.
3. Look at both successful and unsuccessful attempts to understand what is
going on.
4. Get detailed info about individual online sessions.
5. Learn how your security setup is being used and what patterns it follows.
6. Keep an eye on stats about your security, like how often it works, what
versions it is using, and what methods it uses.
Tools for Troubleshooting
There are some tools that can help you see what is happening when your
computer talks to secure websites (like online shopping or banking). These
tools show you if things are going well or if there are problems with the
security.
1. ACC - SSL Activity: This tab holds five widgets, added in PAN-OS 10.0,
that summarize both successful and failed decryption activity. They show
what went wrong when decryption failed, which TLS versions and algorithms
are in use, and how much of the traffic is decrypted and how much is not.
2. Monitor > Logs > Decryption: The Decryption Log, introduced in PAN-
OS 10.0, is a record of all encrypted traffic that is decrypted by your Palo
Alto Networks firewall. It includes information about each session, such as
the application, the TLS version, the encryption algorithm, and whether or
not the decryption was successful.
You can use the Decryption Log to troubleshoot decryption problems,
monitor traffic patterns, and identify security risks. For example, you can use
the log to identify sessions that are using outdated TLS versions or weak
encryption algorithms. You can also use the log to identify sessions that are
triggering decryption errors.
By default, the Decryption Log only records unsuccessful TLS handshakes.
However, you can configure the firewall to log all TLS handshakes,
regardless of whether or not they are successful. This can be useful for
gaining visibility into all decrypted traffic.
Here is a brief explanation of some of the information that is included in the
Decryption Log:
Application: The type of application that was used to access the
encrypted resource.
SNI: The Server Name Indication, which is the hostname of the
encrypted resource.
Decryption Policy Name: The name of the Decryption policy that was
applied to the session.
Error Index: If the decryption failed, this field will indicate the reason
for the failure.
TLS Version: The version of the TLS protocol that was used.
Key Exchange Version: The version of the key exchange algorithm
that was used.
Encryption Algorithm: The encryption algorithm that was used to
protect the data.
Certificate Key Types: The type of certificate that was used to
authenticate the server.
You can filter the Decryption Log to view specific information. For example,
you can filter the log to view only sessions that are using a particular TLS
version or encryption algorithm. You can also filter the log to view only
sessions that are triggering decryption errors.
The Decryption Log is a valuable tool for troubleshooting decryption
problems, monitoring traffic patterns, and identifying security risks. You can
use the Decryption Log to see what encrypted traffic is going through your
firewall and to troubleshoot problems. You can also use it to identify security
risks, such as sessions that are using outdated TLS versions or weak
encryption algorithms.
3. Local Decryption Exclusion Cache: Some websites cannot be decrypted
by the firewall for technical reasons. For example, websites that use client
authentication or pinned certificates may break decryption.
There are two ways to exclude these websites from decryption:
SSL Decryption Exclusion List: This is a list of servers that Palo
Alto Networks has identified that break decryption technically. The list
is kept up to date with content updates, and you can also add servers to
it manually.
Local Decryption Exclusion Cache: This cache automatically adds
servers that local users encounter that break decryption for technical
reasons. It only works if the Decryption profile applied to the traffic
allows unsupported modes; if unsupported modes are blocked, the traffic is
blocked instead of being added to the local cache.
In simpler terms, the SSL Decryption Exclusion List is a list of websites
known to break decryption. The Local Decryption Exclusion Cache
automatically adds websites that local users encounter that break decryption.
Whichever method you choose, the firewall will not try to decrypt traffic
from these websites. This prevents the firewall from blocking the traffic or
causing other problems.
4. Custom Report Templates for Decryption: The Palo Alto Networks firewall
includes four predefined templates for creating custom reports that
summarize decryption activity:
Decryption Summary: This report provides a high-level overview of
decryption activity, including the number of sessions, the amount of
data decrypted, and the number of errors.
Decryption by Application: This report shows how much traffic is
decrypted for each application.
Decryption by Policy: This report shows how much traffic is
decrypted by each Decryption policy.
Decryption Errors: This report shows the types and frequency of
decryption errors.
You can use these templates to create custom reports that meet your specific
needs. For example, you could create a report that shows only the top 10
applications by decryption traffic or a report that shows all decryption errors
that occurred in the past 24 hours.
To create a custom report, go to Monitor > Manage Custom Reports and
click Add. Select the Decryption template that you want to use and then
click Create.
You can customize the report by adding or removing columns, filtering the
data, and sorting the results. Once you are satisfied with the report, click
Run to generate it.
Custom reports can be a valuable tool for monitoring decryption activity and
troubleshooting decryption problems.
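Triage of an exported Decryption Log for the three things the section above says to look for (outdated TLS versions, weak encryption algorithms, sessions with a decryption error), as an added example that is not code from the study guide or from Palo Alto Networks. The CSV rows are constructed and use the field names the guide lists as column headers; the header names in a real export differ, so map them to your own file.

```python
"""Triage an exported Decryption Log for outdated TLS versions, weak
encryption algorithms and sessions that raised a decryption error.

Added example, not code from the study guide or from Palo Alto Networks.
The CSV below is constructed; its columns are the field names the guide
lists, so map them to the header names of your own export.
"""
import csv
import io
import re
from collections import Counter

# Constructed sample export. Rows with an empty Error Index are successful
# handshakes, which the firewall logs only if you enable that in the
# Decryption policy rule (by default only unsuccessful handshakes are logged).
SAMPLE_CSV = """\
Application,SNI,Decryption Policy Name,Error Index,TLS Version,Key Exchange Version,Encryption Algorithm,Certificate Key Types
web-browsing,www.example.com,decrypt-outbound,,TLS1.2,ECDHE,AES-256-GCM,RSA
ssl,legacy.example.net,decrypt-outbound,,TLS1.0,RSA,RC4-128,RSA
ssl,old-bank.example.org,decrypt-outbound,Certificate,TLS1.2,ECDHE,AES-128-GCM,RSA
web-browsing,pinned.example.com,decrypt-outbound,Protocol,TLS1.3,ECDHE,AES-256-GCM,ECDSA
ssl,intranet.example.com,decrypt-outbound,,TLS1.1,RSA,3DES,RSA
"""

OUTDATED_TLS = {"SSLv3", "TLS1.0", "TLS1.1"}
WEAK_CIPHER_TOKENS = {"RC4", "3DES", "DES", "NULL", "EXPORT"}


def parse_decryption_log(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def is_weak_cipher(algorithm):
    """Match whole tokens so 'AES-256-GCM' is not flagged for containing 'DES'."""
    tokens = set(re.split(r"[-_/ ]+", algorithm.upper()))
    return bool(tokens & WEAK_CIPHER_TOKENS)


def triage(rows):
    """Return one finding per session that needs attention, with its reasons."""
    findings = []
    for row in rows:
        reasons = []
        if row["TLS Version"] in OUTDATED_TLS:
            reasons.append(f"outdated protocol {row['TLS Version']}")
        if is_weak_cipher(row["Encryption Algorithm"]):
            reasons.append(f"weak cipher {row['Encryption Algorithm']}")
        if row["Error Index"]:
            reasons.append(f"decryption error: {row['Error Index']}")
        if reasons:
            findings.append({"sni": row["SNI"],
                             "policy": row["Decryption Policy Name"],
                             "reasons": reasons})
    return findings


def summarize(rows):
    """Counts a monitoring view would show: sessions by TLS version and by error."""
    return {
        "by_tls_version": Counter(r["TLS Version"] for r in rows),
        "by_error": Counter(r["Error Index"] for r in rows if r["Error Index"]),
    }


if __name__ == "__main__":
    rows = parse_decryption_log(SAMPLE_CSV)
    for f in triage(rows):
        print(f"{f['sni']} ({f['policy']}): {'; '.join(f['reasons'])}")
    print(summarize(rows))
```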
General Troubleshooting Methodology
Here is a general methodology to troubleshoot decryption issues in Palo Alto
Networks firewalls:
1. Start by using the ACC widgets to identify traffic that is causing
decryption issues.
2. Once you have identified the traffic, use the Decryption Log and custom
report templates to gather more information about it. This will help you to
diagnose the problem and determine the best way to fix it.
Here are some common decryption issues and how to fix them:
Decryption Policy Rules: If a decryption policy rule is not configured
correctly, it can cause traffic to be decrypted incorrectly or not at all.
To fix this, you can modify the decryption policy rule.
Decryption Profiles: If a decryption profile is not configured
correctly, it can also cause problems. To fix this, you can modify the
decryption profile.
SSL Decryption Exclusion List: If a website is breaking decryption
for technical reasons, you can add it to the SSL Decryption Exclusion
List. This will prevent the firewall from trying to decrypt traffic from
that website.
Security Decisions: You may also need to make some security
decisions about which websites your employees, customers, and
partners really need to access and which websites you can block. This
can help to reduce the risk of decryption problems.
Here are some examples of decryption problems and how to fix them:
1. If a website is not being decrypted correctly, you can try modifying the
decryption policy rule for that website.
2. If a website is causing decryption errors, you can try modifying the
decryption profile for that website.
3. If a website is breaking decryption for technical reasons, you can add it to
the SSL Decryption Exclusion List.
If you are still having trouble troubleshooting decryption problems, you can
contact Palo Alto Networks support for assistance.
Decryption Best Practice
Decrypt as much traffic as possible so you can inspect it and handle traffic
that you cannot decrypt properly.
If you downgrade from PAN-OS 10.0 or later to PAN-OS 9.1 or earlier:
1. The Decryption Log, SSL Activity widgets in the ACC, and custom report
Decryption templates are removed from the UI.
2. References to Decryption logs are also removed from Log Forwarding
profiles.
3. The Local Decryption Exclusion Cache is only viewable using the CLI.
If you push configurations from Panorama on PAN-OS 10.0 or later to
devices that run PAN-OS 9.1 or earlier, Panorama removes the features
introduced in PAN-OS 10.0.
Please note that downgrading to PAN-OS 9.1 or earlier is not recommended.
PAN-OS 10.0 includes a number of important security features and
performance improvements.
Troubleshoot Routing
Troubleshooting routing in Palo Alto Networks firewalls is critical to
maintaining a secure and efficient network infrastructure. Routing is the
backbone of data transmission, ensuring that traffic flows seamlessly
between various network segments. It directs packets to their intended
destinations, making it a key element in network connectivity and security.
In the realm of Palo Alto firewall management, ensuring proper routing is
crucial for guaranteeing that traffic reaches its destination securely and
efficiently. This topic delves into the intricacies of troubleshooting routing,
offering guidance on identifying and resolving issues that can disrupt
network communication, cause bottlenecks, or compromise security.
Whether you are grappling with misconfigurations, routing loops, or issues
with route redistribution, understanding how to troubleshoot routing
effectively is paramount for maintaining a robust and reliable network
infrastructure.
Routing Table Not Updated Scenario
Scenario:
Your Palo Alto firewall is not forwarding traffic correctly, and you suspect
that it is because the routing table is not updated.
Solution:
1. To fix this issue, you can use the command commit force to force the
firewall to update its routing table. This command will ensure that the
firewall has the most up-to-date information about the network and can
properly forward traffic.
2. Additionally, you can verify the routing configuration by using the
command show running config to check for any errors or inconsistencies
that may be causing the issue.
The first command will force the firewall to update its routing table. The
second command will show you the firewall’s current routing configuration
so you can check for any errors.
If you are still having problems after running these commands, you may
need to contact Palo Alto Networks support for assistance.
Incorrect Default Route Scenario
Scenario:
Your Palo Alto firewall is not forwarding traffic as expected, and you
suspect the default route is configured incorrectly.
Solution:
1. To fix this issue, you can use the command show route to verify the
current default route and make sure it is configured correctly.
2. If the default route is incorrect, you can use the command configure to
make the necessary changes.
3. You can also check the routing configuration by using the command show
running config for any errors or inconsistencies that may be causing the
problem.
If you are still having problems after running these commands, you may
need to contact Palo Alto Networks support for assistance.
Explanation of what a default route is and why it is important:
A default route is a route that is used to forward traffic to any destination
that is not explicitly defined in the routing table. If there is no default route,
the firewall will not be able to forward traffic to any destination that is not
specifically defined in the routing table.
It is important to have a correctly configured default route on your firewall
so that it can properly forward traffic to all destinations.
Routing Loops Scenario
Scenario:
Your network is experiencing bad performance, and you suspect that routing
loops are being formed in the network, causing traffic to be forwarded in
circles.
Solution:
1. To fix this issue, you can use the command show route to view the
routing table and check for any routing loops.
2. Once identified, you can use the command configure to make the
necessary changes to the routing table to break the loop.
3. Additionally, you can implement routing protocol features such as Split
Horizon and Route Poisoning by configuring them in the firewall settings
to prevent such loops.
Explanation of what routing loops are and why they are a problem:
A routing loop is a situation where traffic is forwarded in circles. This can
happen when there are two or more routes to a destination, and the router is
not able to determine which route to use.
Routing loops can cause a number of problems, including:
1. Slow network performance
2. Packet loss
3. Network instability
If you suspect that you have routing loops on your network, you should
investigate and fix the problem as soon as possible.
Explanation of how routing protocol features such as Split Horizon and
Route Poisoning can prevent routing loops:
Routing protocols are used to exchange routing information between routers.
This information is used to create a routing table, which is used to forward
traffic to its destination.
Routing loops can occur when there are two or more routes to a destination,
and the router is not able to determine which route to use. This can cause
traffic to be forwarded in circles, which can slow down the network and
cause other problems.
Routing protocol features such as Split Horizon and Route Poisoning can
help to prevent routing loops.
Split Horizon prevents a router from advertising routes back to the router
that it learned the routes from. This helps to prevent routing loops from
forming.
For example, let us say that Router A learns a route to Network 10.0.0.0/24
from Router B. If Split Horizon is not enabled, Router A will advertise this
route back to Router B. If Router B then loses its own path to Network
10.0.0.0/24, it may accept the route from Router A, which points back to
Router B itself, and a routing loop forms.
With Split Horizon enabled, Router A will not advertise the route to Network
10.0.0.0/24 back to Router B. This helps prevent a routing loop from
forming.
Route Poisoning is a similar feature to Split Horizon, but it is more
aggressive. Route Poisoning advertises routes with a metric of infinity,
which makes the routes unusable. This helps to break routing loops that have
already formed.
For example, let’s say that a routing loop has formed between Router A and
Router B. Route Poisoning on Router A would cause it to advertise the route
to Network 10.0.0.0/24 to Router B with a metric of infinity. This would
cause Router B to stop using the route to Network 10.0.0.0/24, which would
break the routing loop.
Split Horizon and Route Poisoning are effective ways to prevent and break
routing loops. However, it is important to note that they are imperfect. There
are some cases where routing loops can still occur, even with these features
enabled.
For example, routing loops can still occur if there is a misconfiguration in
the network topology or if there is a problem with the routing protocol itself.
If you are concerned about routing loops, it is important to implement other
preventive measures, such as using routing protocols that support features
such as loop prevention and Path MTU Discovery.
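A small distance-vector simulation of the Router A / Router B example above, as an added example that is not from the study guide or from PAN-OS. It assumes a RIP-style hop-count metric with infinity = 16 and shows the count-to-infinity loop that forms without Split Horizon, and how Split Horizon together with Route Poisoning on the withdrawn route converges in a single round.

```python
"""Distance-vector simulation of the Router A / Router B scenario: B learns
10.0.0.0/24 from A, then A loses the network. Without split horizon the two
routers count to infinity; with split horizon (plus route poisoning of the
withdrawn route) they converge in one round.

Added example, not from the study guide or from PAN-OS; the RIP-style
hop-count metric with infinity = 16 is an assumption made for illustration.
"""

INFINITY = 16  # RIP's "unreachable" metric


class Router:
    def __init__(self, name, split_horizon=False, route_poisoning=False):
        self.name = name
        self.split_horizon = split_horizon
        self.route_poisoning = route_poisoning
        # prefix -> (metric, next_hop); next_hop None means directly
        # connected (metric 0) or withdrawn (metric INFINITY)
        self.table = {}

    def add_connected(self, prefix):
        self.table[prefix] = (0, None)

    def withdraw(self, prefix):
        """The directly connected network went down: keep a poisoned entry."""
        self.table[prefix] = (INFINITY, None)

    def advertisement_for(self, neighbor):
        """Routes this router sends to `neighbor` in one periodic update."""
        adv = {}
        for prefix, (metric, next_hop) in self.table.items():
            if self.split_horizon and next_hop == neighbor:
                continue  # never advertise a route back to where it came from
            if metric >= INFINITY and not self.route_poisoning:
                continue  # without poisoning, unreachable routes are just omitted
            adv[prefix] = metric
        return adv

    def receive(self, neighbor, adv):
        """Apply an update (Bellman-Ford rule); return True if the table changed."""
        changed = False
        for prefix, metric in adv.items():
            new_metric = min(metric + 1, INFINITY)
            current = self.table.get(prefix)
            if current is None:
                accept = new_metric < INFINITY
            elif current[1] == neighbor:
                accept = current[0] != new_metric  # updates from the next hop always win
            else:
                accept = new_metric < current[0]
            if accept:
                self.table[prefix] = (new_metric, neighbor)
                changed = True
        return changed


def simulate(split_horizon, route_poisoning, max_rounds=30):
    """Return (rounds in which a table changed, A's metric, B's metric) after
    10.0.0.0/24 disappears from behind Router A."""
    net = "10.0.0.0/24"
    a = Router("A", split_horizon, route_poisoning)
    b = Router("B", split_horizon, route_poisoning)
    a.add_connected(net)
    b.receive("A", a.advertisement_for("B"))  # B learns the route via A, metric 1
    a.withdraw(net)                           # the link to 10.0.0.0/24 goes down
    for rnd in range(1, max_rounds + 1):
        # B's periodic update reaches A before A has told B the network is gone
        changed = a.receive("B", b.advertisement_for("A"))
        changed = b.receive("A", a.advertisement_for("B")) or changed
        if not changed:
            return rnd - 1, a.table[net][0], b.table[net][0]
    return max_rounds, a.table[net][0], b.table[net][0]


if __name__ == "__main__":
    for sh, rp in [(False, False), (False, True), (True, False), (True, True)]:
        rounds, metric_a, metric_b = simulate(sh, rp)
        print(f"split_horizon={sh!s:5} poisoning={rp!s:5} -> "
              f"{rounds} rounds, A metric {metric_a}, B metric {metric_b}")
```

Without poisoning but with Split Horizon, B keeps its stale metric-1 route until a timer expires, which the simulation does not model; that is the case the text describes as loops being prevented but not broken.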
Route Flapping Scenario
Scenario:
Your network is experiencing connectivity problems, and you suspect that
the routes on your firewall are frequently changing state.
Solution:
1. To fix this issue, you can use the command show route to view the
routing table and check for any routes that are frequently changing state.
2. Once identified, you can use the command configure to make the
necessary changes to the routing table to stabilize the routes.
3. Additionally, you can check for any issues with the routing protocols or
interfaces by using the commands show interface and show routing
protocol to see if there are any problems that may be causing the problem.
Route flapping is a situation where a router frequently changes the state of a
route between up and down. This can be caused by a number of factors, such
as:
1. Hardware problems
2. Software problems
3. Network congestion
4. Routing protocol misconfigurations
Route flapping can cause a number of problems, including:
1. Connectivity problems
2. Network instability
3. Performance degradation
Route flapping in simple terms:
Imagine a router as a traffic cop. The router’s routing table tells it how to
direct traffic to different destinations. When a router receives a packet, it
looks up the destination in its routing table and then forwards the packet to
the next router on the path to the destination.
Route flapping happens when a router keeps changing its mind about how to
route traffic to a particular destination. This can happen for a number of
reasons, such as a hardware problem with the router, a software bug, or a
misconfiguration in the routing protocol.
When route flapping happens, it can cause problems for devices that are
trying to communicate with each other. For example, if a device is trying to
send a packet to a server, the packet may be forwarded to the wrong router
multiple times. This can cause the packet to be lost or delayed.
Route flapping can also cause problems for the router itself. When a router is
constantly changing its routing table, it can use up a lot of CPU resources.
This can slow down the router and make it less responsive to traffic.
If you are experiencing route flapping on your network, it is important to
investigate and fix the problem as soon as possible. Route flapping can cause
a number of problems, including connectivity problems, network instability,
and performance degradation.
Here are some tips for preventing and fixing route flapping:
1. Make sure that all of your hardware and software is up to date and
properly configured.
2. Monitor your network for congestion and other problems.
3. Verify that your routing protocols are configured correctly.
If you are still having problems, you may need to contact your network
administrator or a qualified technician for assistance.
Black Hole Routing Scenario
Scenario:
Your network is experiencing connectivity issues, and you suspect that the
firewall is sending traffic to a null route (black hole) or a non-existing
network.
Solution:
1. To fix this issue, you can use the command show route to view the
routing table and check for any routes that are sending traffic to a null route
or non-existing network.
2. Once identified, you can use the command configure to make the
necessary changes to the routing table to redirect the traffic to the correct
destination.
3. Additionally, you can check for any errors or inconsistencies in the routing
configuration by using the command show running config to see if there are
any problems that may be causing the problem.
A black hole routing issue is a situation where a router sends traffic to a non-
existent network or a null route. This can cause the traffic to be dropped,
which can lead to connectivity problems.
Black hole routing can be caused by a number of factors, including:
1. Misconfiguration in the routing table
2. Hardware problems
3. Software problems
4. Network congestion
5. Malicious attacks
Black hole routing can cause a number of problems, including:
1. Connectivity problems
2. Network instability
3. Performance degradation
4. Security vulnerabilities
If you are experiencing black hole routing, it is important to investigate and
fix the problem as soon as possible.
Here are some ways to prevent and fix black hole routing:
1. Make sure that your routing table is properly configured.
2. Monitor your network for congestion and other problems.
3. Keep your hardware and software up to date.
4. Verify that all of your network devices are properly connected.
5. Implement security measures to protect your network from malicious
attacks.
6. Use a firewall to control traffic in and out of your network.
If you still have problems, you may need to contact your network
administrator or a qualified technician for assistance.
Imagine a network as a road system. The routing table is like a map that tells
routers how to get to different destinations. Black hole routing happens when
a router sends traffic to a road that does not exist. This can cause the traffic
to be lost, just like a car would be lost if it tried to drive on a non-existent
road.
Black hole routing can be a serious problem, so it is important to take steps
to prevent and fix it. By following the tips above, you can help ensure your
network runs smoothly and securely.
General Troubleshooting
Effective troubleshooting is the backbone of maintaining a secure and
smoothly running network infrastructure, and Palo Alto Firewalls are no
exception. In this section, you will delve into the art of general
troubleshooting in Palo Alto Firewalls, equipping network administrators
and security professionals with the knowledge and techniques needed to
swiftly diagnose and resolve issues that may arise within these crucial
security systems. Whether you are a seasoned expert or new to the realm of
cybersecurity, this section will provide invaluable insights into mastering the
fundamental processes of troubleshooting in Palo Alto Firewalls to ensure
optimal network security and operational efficiency.
A firewall is like a security guard for data, deciding what can pass and what
cannot. But occasionally, even when data should be allowed, it encounters
delays or barriers.
What do you do next when you have tried basic fixes like test rules and
packet captures, and traffic still does not flow? This section explores the
more advanced troubleshooting steps, mostly using the command line.
Troubleshooting Interfaces
When you look at interface counters, you are checking for a few important
things:
1. Dropped Packets: Are any packets not getting through? You check for
dropped packets, both overall and based on the type of data. This is like
checking if any letters or messages got lost in transit. If you see a lot of
dropped packets, it means some data is not reaching its destination.
2. Received Data: Is this interface receiving data at all? You look at how
many bytes and packets are coming in. Imagine this as counting how many
letters you have received. It shows you if data is coming in at all.
3. Transmitted Data: Is this interface sending data out to the network? You
check how many bytes and packets are going out. This is like counting how
many letters you have sent out. It helps you know if your data is leaving
your computer and going into the network.
4. Interface Errors: Are there any problems with the interface, such as errors?
You look at the receive and forwarding error counters. This is like receiving a
letter with smudged ink or missing words: something went wrong with the data
as it traveled through the interface.
5. ARP Issues: Is there a hiccup with ARP (Address Resolution Protocol)? You
check for cases where the firewall could not resolve the next-hop address (the
arp not found counter). Think of ARP as an address book for your computer. If
it cannot find an address, it is like not being able to find someone's contact
information. You check this counter to ensure the firewall is resolving the
right addresses.
6. Security Concerns: Is there a security problem? You look at all the other
counters to ensure everything is secure. This is like looking at all the
possible problems with the interface. It helps you ensure that everything is
secure and that no vulnerabilities or issues could put your data at risk.
These checks help you ensure that data flows smoothly, securely, and
without problems through your network interface. It is like monitoring your
data’s journey to make sure it is safe and successful.
admin@PA-Firewall> show counter interface eth1/1
Interface: eth1/1
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received 1029392992089
bytes transmitted 1492332031720
packets received 2546880536
packets transmitted 2700000916
receive errors 0
packets dropped 3689663
packets dropped by flow state check 319
forwarding errors 0
no route 7
arp not found 0
neighbor not found 0
neighbor info pending 0
mac not found 0
packets routed to different zone 0
land attacks 0
ping-of-death attacks 0
teardrop attacks 0
ip spoof attacks 0
mac spoof attacks 0
ICMP fragment 0
layer2 encapsulated packets 0
layer2 decapsulated packets 0
tcp cps 37
udp cps 4
sctp cps 0
other cps 0
--------------------------------------------------------------------------------
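The six checks above can be automated against the counter output. The following Python script is an added example, not code from the study guide or from Palo Alto Networks: it parses the show counter interface output into a dictionary and applies the checks, returning a list of findings (an empty list means the interface looks healthy). The sample text is the eth1/1 output above, embedded so the script runs offline; the function names and the 0.1% drop-ratio threshold are my own choices, and how you obtain the text (SSH, the XML API) is left to you.

```python
import re
from typing import Dict, List

# Sample input: the logical interface counters shown above for eth1/1,
# reproduced as a string so the parser can run offline.
SAMPLE_INTERFACE_COUNTERS = """\
Interface: eth1/1
--------------------------------------------------------------------------------
Logical interface counters read from CPU:
--------------------------------------------------------------------------------
bytes received                   1029392992089
bytes transmitted                1492332031720
packets received                 2546880536
packets transmitted              2700000916
receive errors                   0
packets dropped                  3689663
packets dropped by flow state check 319
forwarding errors                0
no route                         7
arp not found                    0
neighbor not found               0
neighbor info pending            0
mac not found                    0
packets routed to different zone 0
land attacks                     0
ping-of-death attacks            0
teardrop attacks                 0
ip spoof attacks                 0
mac spoof attacks                0
ICMP fragment                    0
layer2 encapsulated packets      0
layer2 decapsulated packets      0
tcp cps                          37
udp cps                          4
sctp cps                         0
other cps                        0
--------------------------------------------------------------------------------
"""

# A counter line is "<name with spaces>   <integer>"; headers and separators do not match.
COUNTER_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?)\s+(\d+)\s*$")


def parse_interface_counters(text: str) -> Dict[str, int]:
    """Turn 'name   value' lines into a dict keyed by counter name."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1).strip()] = int(m.group(2))
    return counters


def check_interface(counters: Dict[str, int], drop_ratio_warn: float = 0.001) -> List[str]:
    """Apply the six checks from the text; each finding is a short human-readable string."""
    findings: List[str] = []
    rx_pkts = counters.get("packets received", 0)
    tx_pkts = counters.get("packets transmitted", 0)
    # Checks 2 and 3: is the interface receiving and transmitting at all?
    if rx_pkts == 0:
        findings.append("no packets received: check cabling, VLAN tag and interface/zone config")
    if tx_pkts == 0:
        findings.append("no packets transmitted: nothing is being forwarded out of this interface")
    # Check 1: dropped packets relative to what was received (threshold is an assumption).
    dropped = counters.get("packets dropped", 0)
    if rx_pkts and dropped / rx_pkts > drop_ratio_warn:
        findings.append(f"drop ratio {dropped / rx_pkts:.4%} exceeds {drop_ratio_warn:.2%}")
    # Check 4: receive / forwarding errors should stay at zero.
    for name in ("receive errors", "forwarding errors"):
        if counters.get(name, 0):
            findings.append(f"{name} = {counters[name]}")
    # Check 5: address resolution and route lookups that failed.
    for name in ("arp not found", "neighbor not found", "mac not found", "no route"):
        if counters.get(name, 0):
            findings.append(f"{name} = {counters[name]}")
    # Check 6: attack counters; any non-zero value means zone protection fired.
    for name in ("land attacks", "ping-of-death attacks", "teardrop attacks",
                 "ip spoof attacks", "mac spoof attacks"):
        if counters.get(name, 0):
            findings.append(f"{name} = {counters[name]} (zone protection hit)")
    return findings


if __name__ == "__main__":
    for finding in check_interface(parse_interface_counters(SAMPLE_INTERFACE_COUNTERS)):
        print(finding)
```

On the sample above the script reports two findings: the drop ratio (about 0.14% of received packets) and the seven no route drops; every error and attack counter is zero.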
Route Lookups
Imagine you are driving, and you are not sure which road to take. You would
look at your map (forwarding table) to find the right path. The test routing
fib-lookup ip 100.1.1.3 virtual-router default command is like asking your
GPS to make sure you are on the right track. It checks for a valid route to
your destination in the map (forwarding table). If there is not, it means your
device does not know how to get there. So, this command helps you make
sure your device knows where it is going in the network.
The command test routing fib-lookup ip 100.1.1.3 virtual-router default
is used in networking to perform a FIB (Forwarding Information Base)
lookup for a specific IP address, in this case, 100.1.1.3, within the context of
the default virtual router. Let us break down what this command means:
test routing: This part of the command tells the network device to
perform a test related to routing.
fib-lookup: A FIB lookup searches for a specific destination IP address in
the Forwarding Information Base, the table the firewall uses to decide how
to forward packets to their destinations.
ip 100.1.1.3: This part specifies the IP address (in this case, 100.1.1.3)
for which you want to find routing information. It is like asking, “How
do I get to the location represented by the IP address 100.1.1.3?”
virtual-router default: In many network setups, there can be multiple
virtual routers, each handling a different set of network rules. This part
of the command specifies that you want to perform the lookup within
the default virtual router, which is often the primary router used in a
network.
admin@PA-Firewall> test routing fib-lookup ip 100.1.1.3 virtual-router default
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
virtual-router: default
destination: 100.1.1.3
result:
via 192.0.2.2 interface eth1/1, source 192.0.2.1, metric 6543
--------------------------------------------------------------------------------
Drop Counters
Drop counters record every packet the firewall dropped, broken down by
reason. A Palo Alto firewall keeps track of every time it says No to traffic,
and you can see these counts with the command show counter global filter
severity drop.
Each line gives one reason for the drop (for example, a packet denied by a
security rule) and how many times it has happened.
The command show counter global filter severity drop is used in Palo Alto
firewalls to retrieve information about dropped packets and the reasons for
those drops.
admin@PA-Firewall> show counter global filter severity drop
Global counters:
Elapsed time since last sampling: 166.47 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_rcv_err 353 0 drop flow parse Packets dropped: flow stage receive error
flow_rcv_dot1q_tag_err 195 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 195 0 drop flow parse Packets dropped: invalid interface
flow_policy_nofwd 212405 0 drop flow session Session setup: no destination zone from forwarding
flow_policy_deny 15184139 5 drop flow session Session setup: denied by policy
flow_policy_nat_land 8829 0 drop flow session Session setup: source NAT IP allocation result in LAND attack
flow_tcp_non_syn_drop 5321357 2 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop 1490885 1 drop flow forward Packets dropped: no route for IP multicast
flow_icmp_err_not_passing_thru 1 0 drop flow ipsec ICMP error packet dropped: no IP configured on the interface
flow_fwd_l3_ttl_zero 50426 0 drop flow forward Packets dropped: IP TTL reaches zero
flow_fwd_l3_noarp 40390733 19 drop flow forward Packets dropped: no ARP
flow_fwd_zonechange 1503 0 drop flow forward Packets dropped: forwarded to different zone
flow_parse_l4_hdr 1 0 drop flow parse Packets dropped: TCP (UDP/ICMP/SCTP) packet too short
flow_parse_l4_cksm 41723 0 drop flow parse Packets dropped: TCP/UDP checksum failure
flow_parse_l4_port 352 0 drop flow parse Packets dropped: illegal TCP/UDP port 0
flow_parse_iperror 6 0 drop flow parse Packets dropped: invalid IP address
flow_xmt_platform_encap_err 17 0 drop flow offload Packets dropped: Platform encapsulation error
flow_bind_nack_msg_drop 2 0 drop flow pktproc gtp-u bind-nack msg dropped
flow_predict_convert_policy_deny 18 0 drop flow pktproc A matching predict was not used because of policy denial
flow_action_close 438602 0 drop flow pktproc TCP sessions closed via injecting RST
flow_action_reset 382 0 drop flow pktproc TCP clients reset via responding RST
flow_arp_rcv_err 1340 0 drop flow arp ARP receive error
flow_host_rcv_err 6 0 drop flow mgmt Packets dropped: receive error from control plane
flow_host_decap_err 85 0 drop flow mgmt Packets dropped: decapsulation error from control plane
flow_host_service_deny 306456 0 drop flow mgmt Device management session denied
flow_host_service_unknown 500272 0 drop flow mgmt Session discarded: unknown application to control plane
flow_tunnel_decap_err 27 0 drop flow tunnel Packet dropped: tunnel decapsulation error
flow_tunnel_ipsec_replay_err 21 0 drop flow tunnel Packet dropped: header sequence number is a replay
flow_tunnel_ipsec_wrong_spi 4 0 drop flow tunnel Packet dropped: IPsec SA for spi in packet not found
flow_tunnel_natt_nomatch 13 0 drop flow tunnel Packet dropped: IPSec NATT packet without SPI match
flow_host_slowpath_drop 1053987 0 drop flow tunnel ESP/AH host bound packet comes before tunnel finishes installation
flow_gre_tunnel_decap_not_found 39 0 drop flow tunnel GRE Tunnel IPs don't match configuration
flow_fpga_rcv_err 359 0 drop flow offload Packets dropped: receive error from offload processor
flow_fpga_ingress_exception_err 9502477 2 drop flow offload Packets dropped: receive ingress exception error from offload processor
flow_fpga_egress_exception_err 578 0 drop flow offload Packets dropped: receive egress exception error from offload processor
appid_lookup_invalid_flow 3 0 drop appid pktproc Packets dropped: invalid session state
url_request_pkt_drop 173484 0 drop url pktproc The number of packets get dropped because of waiting for url category request
--------------------------------------------------------------------------------
Total counters shown: 37
--------------------------------------------------------------------------------
To make the information easier to understand, you can use filters. Filters
help you focus on specific details. You used the severity drop filter in the
previous command to look at dropped data.
Now, let us add another filter called delta yes. This filter helps you see how
much the counters have changed since the last time you checked. It is like
tracking if the numbers are going up or down so you can notice any changes.
admin@PA-Firewall> show counter global filter severity drop delta yes
Global counters:
Elapsed time since last sampling: 89.376 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 513 5 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 240 2 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop 104 1 drop flow forward Packets dropped: no route for IP multicast
flow_fwd_l3_ttl_zero 8 0 drop flow forward Packets dropped: IP TTL reaches zero
flow_fwd_l3_noarp 1950 21 drop flow forward Packets dropped: no ARP
flow_action_close 32 0 drop flow pktproc TCP sessions closed via injecting RST
flow_host_service_deny 24 0 drop flow mgmt Device management session denied
flow_host_service_unknown 11 0 drop flow mgmt Session discarded: unknown application to control plane
flow_fpga_ingress_exception_err 205 2 drop flow offload Packets dropped: receive ingress exception error from offload processor
url_request_pkt_drop 54 0 drop url pktproc The number of packets get dropped because of waiting for url category request
--------------------------------------------------------------------------------
Total counters shown: 10
--------------------------------------------------------------------------------
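What delta yes does can be reproduced offline from two raw samples, which is useful when you collect counters on a schedule and want to alert on a reason that suddenly starts moving. The Python below is an added example, not part of the study guide or of PAN-OS: it parses the counter table, computes the change per counter between two samples and the rate per second (delta divided by the elapsed time), hides counters that did not move, and sums the deltas by aspect so you can see where drops concentrate. The first sample uses values from the output above; the second is constructed by adding the deltas shown in the delta yes output, as if captured 89.376 seconds later. Function names are my own.

```python
import re
from typing import Dict, List, NamedTuple

# One row of "show counter global": name value rate severity category aspect description
COUNTER_LINE = re.compile(
    r"^(?P<name>\w+)\s+(?P<value>\d+)\s+(?P<rate>\d+)\s+(?P<severity>\w+)\s+"
    r"(?P<category>\w+)\s+(?P<aspect>\w+)\s+(?P<description>.+)$"
)


class GlobalCounter(NamedTuple):
    name: str
    value: int
    severity: str
    category: str
    aspect: str
    description: str


# Sample 1: a subset of the raw counters shown earlier (values taken from that output).
SAMPLE_BEFORE = """\
Global counters:
Elapsed time since last sampling: 166.47 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 15184139 5 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 5321357 2 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_ttl_zero 50426 0 drop flow forward Packets dropped: IP TTL reaches zero
flow_fwd_l3_noarp 40390733 19 drop flow forward Packets dropped: no ARP
flow_parse_l4_cksm 41723 0 drop flow parse Packets dropped: TCP/UDP checksum failure
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------
"""

# Sample 2 (constructed): the same counters 89.376 s later, advanced by the deltas
# the firewall reported with "delta yes"; the checksum counter did not move.
SAMPLE_AFTER = """\
Global counters:
Elapsed time since last sampling: 89.376 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_policy_deny 15184652 5 drop flow session Session setup: denied by policy
flow_tcp_non_syn_drop 5321597 2 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_ttl_zero 50434 0 drop flow forward Packets dropped: IP TTL reaches zero
flow_fwd_l3_noarp 40392683 21 drop flow forward Packets dropped: no ARP
flow_parse_l4_cksm 41723 0 drop flow parse Packets dropped: TCP/UDP checksum failure
--------------------------------------------------------------------------------
Total counters shown: 5
--------------------------------------------------------------------------------
"""


def parse_global_counters(text: str) -> Dict[str, GlobalCounter]:
    """Parse the table body; header, separator and 'Total counters' lines do not match."""
    out: Dict[str, GlobalCounter] = {}
    for line in text.splitlines():
        m = COUNTER_LINE.match(line.strip())
        if m:
            out[m["name"]] = GlobalCounter(m["name"], int(m["value"]), m["severity"],
                                           m["category"], m["aspect"], m["description"])
    return out


def counter_delta(before: Dict[str, GlobalCounter], after: Dict[str, GlobalCounter],
                  elapsed_seconds: float) -> List[dict]:
    """Emulate 'delta yes': change per counter since the previous sample, busiest first.
    Counters that did not move are omitted, just as the firewall omits them."""
    rows = []
    for name, cur in after.items():
        prev = before[name].value if name in before else 0
        change = cur.value - prev
        if change == 0:
            continue
        rows.append({"name": name, "delta": change, "rate": change / elapsed_seconds,
                     "aspect": cur.aspect, "description": cur.description})
    rows.sort(key=lambda r: r["rate"], reverse=True)
    return rows


def delta_by_aspect(rows: List[dict]) -> Dict[str, int]:
    """Sum the deltas per aspect (parse, session, forward, ...) to see where drops concentrate."""
    totals: Dict[str, int] = {}
    for r in rows:
        totals[r["aspect"]] = totals.get(r["aspect"], 0) + r["delta"]
    return totals


if __name__ == "__main__":
    rows = counter_delta(parse_global_counters(SAMPLE_BEFORE),
                         parse_global_counters(SAMPLE_AFTER), 89.376)
    for r in rows:
        print(f"{r['name']:<28} +{r['delta']:<6} {r['rate']:6.2f}/s  {r['description']}")
    print(delta_by_aspect(rows))
```

The computed rates (about 21.8/s for no ARP, 5.7/s for policy denies) truncate to the integer rate column the firewall prints, and the per-aspect totals show that in this window most drops are forwarding problems rather than policy denies, which is the kind of distinction that tells you whether to look at routing or at the rulebase.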
To narrow the data further, first define a packet filter in the web interface
(under Packet Capture) and then add the packet-filter yes option to the
command.
The counters then only reflect traffic that matches that filter, which makes
it much easier to find what you are looking for.
admin@PA-Firewall> show counter global filter severity drop packet-filter yes
Global counters:
Elapsed time since last sampling: 10.385 seconds
name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_rcv_dot1q_tag_err 182 0 drop flow parse Packets dropped: 802.1q tag not configured
flow_no_interface 182 0 drop flow parse Packets dropped: invalid interface
flow_policy_nofwd 155402 0 drop flow session Session setup: no destination zone from forwarding
flow_policy_deny 4912229 0 drop flow session Session setup: denied by policy
flow_policy_nat_land 3565 0 drop flow session Session setup: source NAT IP allocation result in LAND attack
flow_tcp_non_syn_drop 2234727 0 drop flow session Packets dropped: non-SYN TCP without session match
flow_fwd_l3_mcast_drop 27693 0 drop flow forward Packets dropped: no route for IP multicast
flow_fwd_l3_ttl_zero 17151 0 drop flow forward Packets dropped: IP TTL reaches zero
flow_fwd_l3_noarp 12261869 0 drop flow forward Packets dropped: no ARP
flow_fwd_zonechange 1270 0 drop flow forward Packets dropped: forwarded to different zone
flow_xmt_platform_encap_err 17 0 drop flow offload Packets dropped: Platform encapsulation error
flow_action_close 151655 0 drop flow pktproc TCP sessions closed via injecting RST
flow_action_reset 229 0 drop flow pktproc TCP clients reset via responding RST
flow_host_rcv_err 6 0 drop flow mgmt Packets dropped: receive error from control plane
flow_host_decap_err 66 0 drop flow mgmt Packets dropped: decapsulation error from control plane
flow_host_service_deny 52052 0 drop flow mgmt Device management session denied
flow_host_service_unknown 162114 0 drop flow mgmt Session discarded: unknown application to control plane
flow_tunnel_decap_err 11 0 drop flow tunnel Packet dropped: tunnel decapsulation error
flow_tunnel_ipsec_replay_err 10 0 drop flow tunnel Packet dropped: header sequence number is a replay
flow_tunnel_ipsec_wrong_spi 1 0 drop flow tunnel Packet dropped: IPsec SA for spi in packet not found
flow_tunnel_natt_nomatch 5 0 drop flow tunnel Packet dropped: IPSec NATT packet without SPI match
flow_host_slowpath_drop 1053987 0 drop flow tunnel ESP/AH host bound packet comes before tunnel finishes installation
flow_gre_tunnel_decap_not_found 12 0 drop flow tunnel GRE Tunnel IPs don't match configuration
url_request_pkt_drop 51336 0 drop url pktproc The number of packets get dropped because of waiting for url category request
--------------------------------------------------------------------------------
Total counters shown: 24
--------------------------------------------------------------------------------
Clearing Sessions
Once in a while, a session gets stuck: it no longer behaves according to the
rules you expect and does not show up in packet captures.
To find such sessions, use the command show session all and narrow it down
with a filter on the IP address you are interested in. You can filter on the
source, the destination, or both.
In this example, you found three stuck RDP sessions:
admin@PA-Firewall> show session all filter destination 10.16.8.31
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
2015202 ms-rdp ACTIVE FLOW 10.16.201.251[9075]/VPN/6 (10.16.201.251[9075])
vsys1 10.16.8.31[3389]/LAN (10.16.8.31[3389])
2374790 ms-rdp ACTIVE FLOW 10.16.201.251[9076]/VPN/6 (10.16.201.251[9076])
vsys1 10.16.8.31[3389]/LAN (10.16.8.31[3389])
2041822 ms-rdp ACTIVE FLOW 10.16.201.251[58834]/VPN/17 (10.16.201.251[58834])
vsys1 10.16.8.31[3389]/LAN (10.16.8.31[3389])
If you need more info, you can dig deeper. If there is NAT involved
(translating addresses), you can see which rule is doing that.
This helps you look at both sides of the communication: from the client to
the server (c2s) and from the server back to the client (s2c).
admin@PA-Firewall> show session id 2015202
Session 2015202
c2s flow:
source: 10.16.201.251 [VPN]
dst: 10.16.8.31
proto: 6
sport: 9075 dport: 3389
state: INIT type: FLOW
src user: networkdirection\admin
dst user: networkdirection\admin
s2c flow:
source: 10.16.8.31 [LAN]
dst: 10.16.201.251
proto: 6
sport: 3389 dport: 9075
state: INIT type: FLOW
src user: networkdirection\admin
dst user: networkdirection\admin
start time : Mon Nov 23 10:44:27 2020
timeout : 15 sec
total byte count(c2s) : 1772
total byte count(s2c) : 1688
layer7 packet count(c2s) : 8
layer7 packet count(s2c) : 6
vsys : vsys1
application : ms-rdp
rule : VPN Access
service timeout override(index) : False
session to be logged at end : False
session in session ager : False
session updated by HA peer : False
layer7 processing : enabled
URL filtering enabled : True
URL category : any
session via syn-cookies : False
session terminated on host : False
session traverses tunnel : False
session terminate tunnel : False
captive portal session : False
ingress interface : ae1.34
egress interface : ae1.18
session QoS rule : N/A (class 4)
tracker stage firewall : TCP RST - client
tracker stage l7proc : ctd proc changed
end-reason : tcp-rst-from-client
You can also clear the session if you need:
admin@PA-Firewall> clear session id 2015202
session 2015202 cleared
Troubleshoot Resource Protections
Introducing the concept of troubleshooting resource protection through a
DoS (Denial-of-Service) Profile on Palo Alto Firewalls signifies a proactive
approach to network security. In the ever-evolving landscape of cyber
threats, safeguarding critical resources is paramount. Palo Alto Firewalls
offer robust tools to fortify your defenses. This guide will delve into the
strategic use of a DoS Profile, equipping network administrators and security
professionals with the knowledge and techniques required to safeguard their
network resources against malicious attacks. Whether you are a seasoned
network expert or new to the world of cybersecurity, this comprehensive
guide will provide invaluable insights into deploying DoS Profiles within
Palo Alto Firewalls to enhance the security and resilience of your network
infrastructure.
Useful Commands for Troubleshooting:
The command show counter global filter | match dos is used in Palo Alto
Firewalls to retrieve counter statistics specifically related to Denial-of-
Service (DoS) events. Here is a breakdown of what this command does:
show counter: This part of the command instructs the firewall to
display or show counter statistics. Counters are like counters in a
sports game; they keep track of different activities, like network traffic.
global: This tells the firewall to look at data from the entire device or
system, not just a specific part of it.
filter: It is like telling the firewall to sort and filter the data so you
only see specific information.
| match dos: This part of the command narrows down the results. It
filters the data to show only the statistics related to Denial-of-Service
(DoS) events. DoS attacks are attempts to overwhelm a network or
system, causing it to become slow or unresponsive.
When you run this command, the firewall shows only the counters related to
DoS events. It is a way to monitor and understand the impact of DoS attacks
on the network and to take appropriate measures to protect the network from
such threats.
> show counter global filter | match dos
flow_dos_curr_sess_incr_failed 2 0 drop flow dos Unable to increment current session count on session create
flow_dos_cl_curr_sess_add_incr 2 0 info flow dos Incremented classified current session count on session create
flow_dos_cl_max_sess_limit 2 0 drop flow dos Session limit reached for classified profile, drop session
The Palo Alto firewall command show dos-protection rule DoS-Rule
statistics is used to retrieve statistical information about a specific Denial-of-
Service (DoS) protection rule named DoS-Rule. Here is a breakdown of
what this command does:
show: This part of the command tells the firewall to display or show
something.
dos-protection rule: This indicates that you want to look at a specific
DoS protection rule in the firewall's configuration. DoS protection rules
define how the firewall should respond to different types of DoS attacks.
DoS-Rule: This is the name of the specific DoS protection rule for
which you want to see statistics. You can have multiple rules with
different names, each designed to handle specific types of DoS attacks.
statistics: This part of the command specifies that you want to see
statistical data related to the specified DoS protection rule.
When you run this command, the firewall will provide a report showing
statistical information about DoS-Rule. This includes data about the rule's
activity, such as the profiles it applies, the action it takes, and the
number of current and dropped sessions. It helps network administrators
monitor how effective the rule is at protecting the network from DoS
attacks.
> show dos-protection rule DoS-Rule statistics
Rule:DoS-Rule, idx:0, id:3
Aggregate profile:
Classified profile: DoS-RscProtect
Classification Criteria: Source-IP Destination-IP
Action: protect
Classified profile: DoS-RscProtect
sessions:
current: 0 sessions dropped:6
-------------------------------------------------------------------------------
1. Session Table Full
You can use the command show session info | match table to look at some
information.
Attackers can find open doors, such as reachable IPs and ports, and launch
attacks through them. With TCP in particular, these attacks can create
sessions on the firewall that persist for a while (3600 seconds). If too many
such sessions are created, the session table fills up and legitimate traffic
is disrupted.
Note that the attack rate can vary. Certain settings, or disabling certain
protections, make the situation worse. For example, if any TCP packet (not
just a SYN) is allowed to create a session, the table can fill up quickly and
affect normal traffic.
How to Troubleshoot Session Table Full
In these situations, the best approach is to look at the session table. You can
do this by using the command show session all. Most of the time, you will
notice a specific source or target IP address that stands out.
Once you identify that unusual IP address, check if it is valid and should be
allowed through the firewall. If it should be allowed, consider adjusting the
firewall rules.
In many cases, the best solution is to use mitigation techniques. You can set
up DoS Protection or Zone Protection Profiles to deal with these issues.
For example, using SYN Cookie mode in SYN Flood Protection can be
really helpful. It prevents the firewall from creating a session and sends a
specific packet (SYN/ACK) to the attacker. Unless the attacker sends a valid
response (ACK), the connection will not be established.
To make this work effectively, you might need to adjust the settings based on
your network’s specific needs. This means finding the right balance for the
SYN Flood Protection Mechanism by looking at how connections to the
target IP usually work.
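The two session-table tasks described so far, finding the sessions for a host so they can be cleared by ID and spotting the source or destination that stands out when the table fills, share the same parsing step. The Python below is an added example, not the study guide's own code or a PAN-OS feature: it parses the two-line records that show session all prints, counts sessions per source and per destination, and lists the session IDs that involve a given host (the input to clear session id). The first three records are the RDP sessions shown earlier; the 25 sessions from 198.51.100.77 are constructed, using RFC 5737 documentation address space, to model a single outside host filling the table. Function names are my own.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# First line of a record: ID Application State Type [Flag] Src[Sport]/Zone/Proto (translated IP[Port])
FLOW_RE = re.compile(
    r"^(?P<id>\d+)\s+(?P<app>\S+)\s+(?P<state>\S+)\s+(?P<type>\S+)\s+"
    r"(?:(?P<flag>[A-Z]+)\s+)?"
    r"(?P<src>[\d.]+)\[(?P<sport>\d+)\]/(?P<src_zone>[^/\s]+)/(?P<proto>\d+)\s+"
    r"\((?P<xsrc>[\d.]+)\[(?P<xsport>\d+)\]\)\s*$"
)
# Second line of a record: Vsys Dst[Dport]/Zone (translated IP[Port])
DST_RE = re.compile(
    r"^(?P<vsys>\S+)\s+(?P<dst>[\d.]+)\[(?P<dport>\d+)\]/(?P<dst_zone>\S+)\s+"
    r"\((?P<xdst>[\d.]+)\[(?P<xdport>\d+)\]\)\s*$"
)

# Records taken from the "show session all filter destination 10.16.8.31" output above.
PAGE_SESSIONS = """\
ID          Application    State   Type Flag  Src[Sport]/Zone/Proto (translated IP[Port])
Vsys                                          Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
2015202      ms-rdp         ACTIVE  FLOW       10.16.201.251[9075]/VPN/6  (10.16.201.251[9075])
vsys1                                          10.16.8.31[3389]/LAN  (10.16.8.31[3389])
2374790      ms-rdp         ACTIVE  FLOW       10.16.201.251[9076]/VPN/6  (10.16.201.251[9076])
vsys1                                          10.16.8.31[3389]/LAN  (10.16.8.31[3389])
2041822      ms-rdp         ACTIVE  FLOW       10.16.201.251[58834]/VPN/17  (10.16.201.251[58834])
vsys1                                          10.16.8.31[3389]/LAN  (10.16.8.31[3389])
"""

# Constructed records: 25 SMB sessions from one outside host to one server,
# the kind of pattern that fills the session table (addresses are documentation space).
FLOOD_SOURCE = "198.51.100.77"
FLOOD_SESSIONS = "".join(
    f"{3000000 + i}  smb  ACTIVE  FLOW  {FLOOD_SOURCE}[{40000 + i}]/Untrust/6  ({FLOOD_SOURCE}[{40000 + i}])\n"
    f"vsys1  10.16.8.40[445]/LAN  (10.16.8.40[445])\n"
    for i in range(1, 26)
)
SAMPLE_SESSION_TABLE = PAGE_SESSIONS + FLOOD_SESSIONS


def parse_sessions(text: str) -> List[Dict[str, Optional[str]]]:
    """Pair each flow line with the vsys/destination line that follows it."""
    sessions: List[Dict[str, Optional[str]]] = []
    pending: Optional[Dict[str, Optional[str]]] = None
    for line in text.splitlines():
        line = line.strip()
        m = FLOW_RE.match(line)
        if m:
            pending = m.groupdict()
            continue
        m = DST_RE.match(line)
        if m and pending is not None:
            pending.update(m.groupdict())
            sessions.append(pending)
            pending = None
    return sessions


def top_talkers(sessions: List[Dict[str, Optional[str]]], field: str = "src",
                n: int = 5) -> List[Tuple[str, int]]:
    """Addresses with the most sessions, by source ('src') or destination ('dst')."""
    return Counter(str(s[field]) for s in sessions).most_common(n)


def session_ids_for(sessions: List[Dict[str, Optional[str]]], ip: str) -> List[int]:
    """Session IDs where ip is the source or destination, ready for 'clear session id <n>'."""
    return [int(str(s["id"])) for s in sessions if ip in (s["src"], s["dst"])]


if __name__ == "__main__":
    table = parse_sessions(SAMPLE_SESSION_TABLE)
    print("sessions:", len(table))
    print("top sources:", top_talkers(table, "src", 3))
    print("top destinations:", top_talkers(table, "dst", 3))
    print("sessions to 10.16.8.31:", session_ids_for(table, "10.16.8.31"))
```

On the sample the flood source shows up at once with 25 of the 28 sessions, which is the "IP address that stands out" the text describes; the three IDs returned for 10.16.8.31 are the stuck RDP sessions from the earlier example and can be fed one by one to clear session id. Once the outlier is known, the decision whether to adjust policy or apply a DoS Protection or Zone Protection profile follows the guidance above.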
2. Packet Buffer/Packet Descriptors Full
When the packet buffer or the packet descriptors fill up, treat it as a
warning sign. You can check this with the commands show running
resource-monitor and show running resource-monitor ingress-backlogs.
This situation often happens during DoS attacks with a high packet rate. The
cause can be many new connections per second or a high data rate within
existing connections. Even when connections are blocked, the firewall still
has to buffer those packets briefly before it can process them, so the
buffers fill up like a traffic jam in the system.
How to Troubleshoot Packet Buffer/Packet Descriptors Full
Check the ACC tabs and use custom filters to see if one type of traffic is
much higher than the others. But keep in mind the ACC tab might not give
you the full picture during an ongoing attack. It relies on different databases
for its information.
For example, if the attack is happening within an existing session, there
might not be a record in the traffic logs yet. Also, if the attack involves lots
of new connections that are failing, the ACC tab might not show these
sessions.
To check for live sessions carrying more data than usual, you can use the
min-kb option in the session filter. This helps you find sessions with
larger amounts of data.
The command show session all filter min-kb 5000 is used to display
information about network sessions, specifically filtering for sessions that
have transferred a minimum of 5,000 kilobytes (KB) of data. Let us break
down the command:
show session: This part of the command tells the device to display
information about network sessions. A network session represents a
connection between two devices, like a client and a server. It includes
information about the data exchanged during the connection.
all: This indicates that you want to see information about all sessions, not
just specific ones.
filter min-kb 5000: This part of the command is used to filter or narrow
down the sessions displayed. It instructs the device to show only sessions
where at least 5,000 kilobytes (or approximately 5 megabytes) of data have
been transferred.
When you run this command, the device will provide a list of network
sessions that meet the criteria of transferring a minimum of 5,000 KB of
data. This can be helpful for monitoring network activity, identifying
potentially large data transfers, or troubleshooting specific connections.
admin@PA-Firewall> show session all filter min-kb 5000
--------------------------------------------------------------------------------
ID Application State Type Flag Src[Sport]/Zone/Proto (translated IP[Port])
Vsys Dst[Dport]/Zone (translated IP[Port])
--------------------------------------------------------------------------------
10216 pcoip ACTIVE FLOW NS 10.1.1.11[50002]/Trust/17 (10.129.15.24[61158])
vsys1 10.101.41.211[4172]/Untrust (10.101.41.211[4172])
You can use a min-kb value between 1 and 1,048,576 (1,048,576 KB is 1 GiB)
to find sessions carrying a lot of traffic and spot anything unusual.
To identify sessions that consume too much of the On-Chip Packet Descriptor,
check how much traffic each interface is receiving with the command
show system state browser (press shift+L).
Watch values such as rx-bytes/s (data received), rx-unicast/s (unicast
packets received) and rx-multicast/s (multicast packets received). These
numbers appear in the second column when you enable tracking with Y and U.
They help you find any overuse of the On-Chip Packet Descriptor.
An On-Chip Packet Descriptor, often referred to as just a Packet
Descriptor, is a small block of memory or data structure within a network
device, like a network interface card or a network processor, that holds
information about a network packet as it is processed.
Here is what it does:
Data Storage: It stores essential details about each network packet as it
flows through the device. This data includes information like the source and
destination IP addresses, port numbers, protocol type, and other packet-
related information.
Processing: The On-Chip Packet Descriptor allows the device to process
and manage network packets efficiently. It can help the device understand
what to do with a packet, where to send it, or whether to block it, among
other actions.
Efficiency: By storing this information directly on the device’s chip, it can
access and manipulate the data more quickly than if it had to fetch it from
system memory, improving network performance.
Resource Management: The device can use these descriptors to keep track
of which packets are being processed and how many resources are allocated
to each one. This is crucial for maintaining efficient network operation.
In summary, an On-Chip Packet Descriptor is like a quick-reference card for
network packets. It helps the network device manage and process data
efficiently, which is essential for keeping the network running smoothly.
Once you know which port the attack traffic is arriving on, take a quick look
at that traffic. The best way is to mirror (copy) the traffic on a connected
switch to a capture host, because that puts no extra load on the firewall.
If that is not possible, you can capture on the Palo Alto Networks firewall
itself. Here is how:
1. Set the filter to ingress-interface to focus on the right traffic.
2. Start capturing for about 10-15 seconds.
3. Stop the capture and use a tool like Wireshark (open with Wireshark) to
take a closer look.
4. In Wireshark, go to Statistics and check Protocol Hierarchy or
Conversations. This will help you find where the unusual traffic is coming
from, whether it is at the IP, UDP, or TCP level.
This information can help you figure out who is behind the attack. If it is
coming from a trusted source, you can take action against the affected host.
If it is from an untrusted source, you might need help from your Internet
Service Provider (ISP) to stop the attack at its source.
Figure 11-01: Wireshark Packet Capture
Troubleshoot GlobalProtect
Troubleshooting GlobalProtect, the secure remote access solution provided
by Palo Alto Firewalls, can be an essential skill for network administrators
and security professionals. Issues related to GlobalProtect can range from
connectivity problems to access issues and miscellaneous challenges. This
section delves into the common issues that may arise during GlobalProtect
usage and provides methods for effective troubleshooting. Whether you are
dealing with GlobalProtect’s inability to connect to the portal or gateway,
issues where the agent is connected but resource access remains elusive, or
any other miscellaneous complications, this section aims to equip you with
the knowledge and techniques needed to resolve these concerns. Familiarity
with the basics of GlobalProtect and its configuration is assumed, making
this resource a valuable tool for optimizing your remote access solutions.
Tools used for Troubleshooting on the Firewall
1. Packet Captures
Dataplane Captures: These captures are used to see how the firewall is
handling traffic between the client and the portal or gateway. They can be
useful for troubleshooting packet drops, but they are not very helpful when
SSL offload is enabled because packets may be missing.
Management Port Captures: These captures are used to see how the
firewall communicates with other network devices, such as the LDAP server,
for authentication.
2. Debug Logs
If you are having trouble troubleshooting a problem with your firewall, you
can try enabling debug mode. This will give you more detailed information
about what the firewall is doing, which can help you identify the cause of the
problem.
Table 11-01: Log files and their descriptions
3. CLI commands:
CLI commands are text commands that you can use to control your firewall.
You can use CLI commands to troubleshoot problems with your firewall and
to make changes to its configuration.
To use CLI commands, you will need to connect to your firewall using a
terminal program. Once you are connected, you can type CLI commands to
control the firewall.
General Troubleshooting Approach
1. First, double-check that your configuration matches the documents for
your situation. This is crucial.
2. If you have used GlobalProtect before, ensure the client is installed on
your computer. You will need it.
3. Use a tool called nslookup on your computer to make sure it can
understand and find the addresses (FQDNs) for the portal and gateway.
4. Open a web browser and go to https://<Portal-IP/FQDN> and
https://<Gateway-IP/FQDN>. This checks whether your web connection to the
portal and gateway is working. The browser also lets you inspect the
certificate presented by the portal/gateway. If there is an issue with the
certificate, your browser will show errors. Some examples include:
The certificate’s authority is not trusted.
The name on the certificate does not match what is expected.
The certificate has expired.
There is a problem in the certificate chain (like a missing link).
5. If the web page does not load correctly, you can use a tool like Wireshark
to see if the initial connection (TCP handshake) is working. You can filter
(ip.addr==<Portal IP> or ip.addr==<gatewayIP>) the results to focus on
the portal or gateway IP addresses. This can help you spot network issues.
6. If your computer sends a SYN packet (a kind of request) but does not get
an ACK (a confirmation), it is time to look at the firewall. Check if network
sessions are being created and if any packets are being blocked. You can use
dataplane debugging and captures along with global counters to investigate.
Also, look into security policies and NAT settings to make sure traffic is not
being stopped.
7. In situations like the one described above, it can be useful to see if your
network resources are healthy. Use these commands to check for resource
overuse:
show running resource-monitor
debug dataplane pool statistics
8. For more insights when packets are not being blocked on the network,
examine the appweb3-sslvpn.log file.
9. When you see the GlobalProtect login page in your web browser, and if
client certificate-based authentication is turned on for the portal, it might ask
for a client certificate.
10. Make sure the right client certificate is installed in both the computer’s
certificate storage and the browser’s certificate storage. This helps with the
certificate-based login.
11. If you see the error Valid Client Certificate is required, you need to
add the client certificate to both your web browser and your computer's
certificate store. Certificate-based authentication requires it.
12. Try logging in to the GlobalProtect Portal’s web page. This will check if
the authentication is working correctly.
13. If you cannot log in, look at the firewall's authd logs to find the
cause of the error.
14. If you can log in on the web page but do not have the GlobalProtect
client installed, get it now.
15. Open the GlobalProtect client and type in your info (like username and
password). Then click Apply.
16. Look at the message on the Status tab.
17. Get the logs from the GlobalProtect client (you will find this in the tools
section), and open the PanGPS.log file in the zipped folder.
18. Read through the logs. If you see error messages, take the right steps to
fix the problem.
19. At the same time, you might need to check the mp-log/appweb3-sslvpn.log
on the firewall for more info. This can give you extra details.
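The DNS, TCP handshake and certificate checks in steps 3 to 6 above, as an added Python example (not code from this guide or from Palo Alto Networks): classify_cert applies the browser's expiry and name checks to a decoded certificate, and check_endpoint runs the live sequence against a portal or gateway FQDN. The FQDNs and SAMPLE_CERT are constructed placeholders.

```python
"""Pre-flight checks for a GlobalProtect portal or gateway (steps 3-6 above).
Added example, not Palo Alto Networks code; standard library only. The
hostnames, ports and SAMPLE_CERT below are constructed for illustration."""
import socket
import ssl
import time

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("commonName", "gp.example.com"),),),
    "issuer": ((("commonName", "Example Internal CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "gp.example.com"), ("DNS", "*.vpn.example.com")),
}


def resolve_fqdn(fqdn):
    """Step 3 (what nslookup does): addresses for the FQDN, or [] if it does not resolve."""
    try:
        infos = socket.getaddrinfo(fqdn, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_handshake(host, port=443, timeout=5.0):
    """Steps 5-6: does our SYN get a SYN/ACK? Returns 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"  # SYN sent, nothing back: check sessions, policies and NAT on the firewall
    except ConnectionRefusedError:
        return "refused"  # RST came back: the host answers, but nothing listens on the port
    except OSError:
        return "error"    # no route, unreachable network, and so on


def name_matches(pattern, hostname):
    """Browser-style name check: exact match, or a '*.' wildcard covering exactly one label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return hostname.count(".") == pattern.count(".") and hostname.endswith(pattern[1:])
    return pattern == hostname


def classify_cert(cert, hostname, now=None):
    """Step 4 checks that can be made from the decoded certificate alone: validity
    window and name match. Returns a list of findings ([] means these checks pass).
    'now' is a Unix timestamp and defaults to the current time."""
    now = time.time() if now is None else now
    findings = []
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        findings.append("expired")
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        findings.append("not yet valid")
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # no SAN: fall back to the subject CN, as older clients do
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        findings.append("name mismatch")
    return findings


# Substrings from OpenSSL verify messages mapped onto the four browser errors
# listed in step 4. Heuristic: the raw message is always reported alongside.
VERIFY_HINTS = (
    ("expired", "expired"),
    ("hostname mismatch", "name mismatch"),
    ("self signed", "untrusted authority"),
    ("self-signed", "untrusted authority"),
    ("unable to get local issuer", "chain problem (missing intermediate or unknown CA)"),
)


def check_endpoint(host, port=443, timeout=5.0):
    """Live run of steps 3-6 against one portal or gateway; returns a findings dict."""
    result = {"host": host, "addresses": resolve_fqdn(host), "tcp": None, "tls": []}
    if not result["addresses"]:
        result["tls"] = ["DNS resolution failed"]
        return result
    result["tcp"] = tcp_handshake(host, port, timeout)
    if result["tcp"] != "open":
        return result
    ctx = ssl.create_default_context()  # verifies chain and hostname like a browser
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls"] = classify_cert(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        msg = (exc.verify_message or str(exc)).lower()
        hint = next((label for needle, label in VERIFY_HINTS if needle in msg), "verification failed")
        result["tls"] = [hint, exc.verify_message or str(exc)]
    except (ssl.SSLError, OSError) as exc:
        result["tls"] = ["TLS handshake failed: %s" % exc]
    return result


if __name__ == "__main__":
    import sys  # pass your own portal and gateway FQDNs as arguments
    for target in sys.argv[1:] or ["portal.example.com", "gateway.example.com"]:
        print(check_endpoint(target))
```

A "timeout" result with addresses resolved is the step 6 situation (SYN sent, no SYN/ACK), which points at the firewall rather than at the client.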
Common Issues
GlobalProtect Cannot Connect to the Portal or Gateway
If after following the steps above, you still have these issues:
1. IpReleaseAddress failed: The RPC server is unavailable
Try uninstalling other virtual adapters.
Reinstall the GlobalProtect client after removing all components.
Stop and start the RPC Services.
Consider reinstalling Windows OS.
Contact Technical Support if the problem continues.
2. Element not found
Update Microsoft patches on the client.
Try a different GlobalProtect client version.
Check Palo Alto release notes for reported issues.
Contact Technical Support if it is not resolved.
3. Failed to find PANGP virtual adapter interface
Disable WMI services.
Delete certain files (under the path
C:\Windows\System32\wbem\Repository)
Reboot and reinstall.
Reinstall client OS if needed.
Contact Technical Support if it is not fixed.
4. Failed to get default route entry
Reinstall the GlobalProtect client.
Try a newer version.
Restart the Windows DHCP Client service (Run > services.msc > DHCP Client >
Stop the service, and then Start the service).
Update Microsoft patches or hot fix.
Contact Technical Support if the issue persists.
5. Cannot connect to root\cimv2
Rebuild the WMI repository.
Check for other affected services.
Contact Technical Support if needed.
6. Assign private IP address failed
Check if the IP address pool has enough IPs.
Ensure the pool does not overlap with the client’s IP.
Verify the User Group settings in GlobalProtect and AD server.
Make sure the user is in the correct group as per Network Settings.
GlobalProtect Agent Connected but Cannot Access Resources
1. Check Adapter Settings
Make sure the GlobalProtect Client Virtual Adapter has an IP, DNS
info, and routes to remote resources.
You can use the GlobalProtect Client Panel or commands like ipconfig,
ifconfig, nslookup, netstat -nr, and route print.
2. Verify Port 4501
Ensure port 4501 is not blocked on the firewall, the client’s firewall, or
in between.
This port is used for communication between the client and the
firewall.
Check with packet captures and debugs to make sure packets are
flowing.
3. Check Firewall Policies
Confirm the firewall has the right policies to allow traffic from the IP
pool assigned to the GlobalProtect Client Adapter.
The policy should go from the tunnel zone to the resource zone.
Use tools like traffic logs, packet captures, and debugs to troubleshoot.
Capture packets on the client adapter to compare sent and received
data.
4. Verify IP Pool Routes
Ensure there are proper routes for the IP pool used by GlobalProtect on
the network for return traffic.
If you use dynamic routing, redistribute these routes to the Palo Alto
routing protocol.
Use captures on the firewall for unencrypted traffic to see if packets
are being sent to resources and getting responses.
5. IP-User Mapping
Check if the firewall gets IP-User Mapping from GlobalProtect.
Use the show user ip-user-mapping ip <ip> command to confirm the
firewall recognizes the user’s group.
If group mapping is not correct, troubleshoot User-ID issues.
6. HIP Data
Ensure the firewall receives HIP data from GlobalProtect.
Verify that the HIP object is set up correctly and allowed in the
security rule.
Follow the guide on troubleshooting HIP data.
Troubleshoot Policies
Troubleshooting policies in Palo Alto firewalls is a critical aspect of
maintaining network security and ensuring the proper flow of traffic. These
policies dictate which packets are allowed and denied, affecting the overall
effectiveness of your network’s security posture. However, issues can arise
in policy configurations, leading to unexpected behavior, traffic blockages,
or security vulnerabilities. In this section, you will explore various
troubleshooting techniques and best practices for diagnosing and resolving
policy-related problems in Palo Alto firewalls, empowering network
administrators to maintain a robust and secure network environment.
Procedure to Test Security Policy:
1. Find the Local IP
On your Windows or Mac PC, use ipconfig /all or ifconfig to find the
local machine’s private IP address for testing the security policy.
2. Set the Source IP
Place the local machine’s IP address in the source address field of the
security policy rule.
Put this security policy rule at the very top.
3. Keep It Simple
Leave everything else as any and, if possible, remove security profiles.
Be cautious, as this open rule may have security implications.
4. Clear Sessions
Use the command clear session all filter source <IP address of the
test machine> to clear sessions for the test user.
5. Initial Test
Initiate the test to check if you can reach the destination.
6. Gradual Testing
If the initial test works, clear sessions again.
This time, add the destination IP address if known and test after
making a firewall commit.
Then, add the source zone and repeat.
Add the destination zone and repeat.
Continue adding details such as applications, source user, service
ports, URL filtering, and, if security allows, the security profile.
7. Troubleshoot
If an issue arises, pinpoint which part is causing it.
Use advanced debugging commands like flow basic, appid basic, ctd
basic, url_trie, proxy all, and ssl all to diagnose the problem.
8. Caution with Advanced Debugging
Note that advanced debug commands are resource-intensive.
Prolonged or improper use can lead to packet loss and device reboot,
causing an outage.
If advanced debugging is necessary, contact TAC (Technical
Assistance Center).
Troubleshoot HA Functions
Troubleshooting High Availability (HA) functions in Palo Alto Networks
firewalls is an essential skill for network administrators seeking to maintain
a resilient and fault-tolerant security infrastructure. High Availability ensures
network continuity by enabling seamless failover between redundant firewall
units, guaranteeing uninterrupted protection even in the face of hardware
failures or planned maintenance. Understanding how to troubleshoot HA
functions is pivotal in identifying and resolving potential issues that could
disrupt this critical redundancy mechanism. From monitoring HA status to
diagnosing failover problems or synchronization mismatches, this topic
provides insight into addressing any hiccups in your Palo Alto Networks
firewall HA configuration, ensuring that your network remains safeguarded
without interruption.
Mismatched URL Database Vendor on High Availability Pair
1. Issue:
Two Palo Alto Networks devices are using the same software version. The
first device is set up to use PAN-DB, a service for web filtering, while the
second device is configured to use BrightCloud for a similar purpose. High
Availability is turned on for the first device, making it the active one. Later,
HA is also activated on the second device. When the setup process (after the
commit) on the second device is completed, the first device goes into a non-
functional state, and the second device takes over as the active one.
The log on the original active device indicates:
Group 1:
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
State: active (last 21 hours)
Last non-functional state reason: URL vendor mismatch
The second device, which uses BrightCloud, forces the first device into a
non-functional state with the message Set dev peer state to Non-Functional.
This action triggers the second device to become the active one.
2. Cause:
The failover happens because the two devices in the High Availability (HA)
setup have different vendors for handling web URLs.
If the devices in the HA pair use different URL vendors, the one using PAN-DB
will go into a non-functional state. For instance, if the active device uses
BrightCloud and the passive one has PAN-DB, the passive unit with PAN-DB will
end up in a non-functional state.
Note:
PAN-DB and BrightCloud are both threat intelligence databases that are
used by Palo Alto Networks firewalls to protect networks from malicious
traffic.
PAN-DB: PAN-DB is a proprietary database that is maintained by Palo Alto
Networks. It contains information about known malicious IP addresses,
domains, and URLs.
BrightCloud: BrightCloud is a third-party threat intelligence database that
many different security vendors, including Palo Alto Networks, use. It
contains information about known malicious websites, applications, and
email attachments.
3. Resolution:
1. Make sure both HA devices use the same URL vendor, either PAN-DB or
BrightCloud.
2. If you do not have a license for the chosen URL vendor, generate a trial
license for the passive firewall to match the active firewall’s database. For
example, if the active firewall uses BrightCloud and the passive one uses
PAN-DB:
Suspend HA for the passive firewall.
Load the BrightCloud trial license on the passive firewall.
Activate and download the BrightCloud database on the passive
firewall.
Restore high-availability functionality for the passive firewall.
Note: If a new configuration snapshot is loaded on a Palo Alto Networks
device with PAN-DB activated, you will still need to activate PAN-DB after
the load. If a device with an activated PAN-DB has no DNS connection, it
will remain activated.
Active to Passive Configuration Sync Failing for High Availability
1. Issue:
Synchronization between two Palo Alto Networks devices in an
active/passive setup is not working as expected.
2. Cause:
This problem might be happening because of a Jumbo Frame settings
mismatch. To identify this issue, you can inspect the HA-SYNC job status on
the passive firewall:
> show jobs id 280
Enqueued ID Type Status Result Completed
--------------------------------------------------------------------------
2013/03/20 11:59:35 280 HA-Sync FIN FAIL 12:00:01
Warnings:
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed
Note: The HA-Sync error message (shown above) indicates the problem.
Note:
A Jumbo Frame settings mismatch occurs when two network devices, in
this case, Palo Alto Networks firewalls in a high availability configuration,
have different settings regarding the use of Jumbo Frames. Jumbo Frames
are larger-than-normal Ethernet frames that can carry more data per packet.
If one device is configured to use Jumbo Frames while the other is not, it can
cause communication problems and synchronization failures between the
devices. This mismatch can disrupt the efficient transfer of data and lead to
issues in a network, particularly when devices need to work together
seamlessly in an HA configuration. To resolve this, both devices should have
matching Jumbo Frame settings to ensure consistent and reliable
communication.
3. Resolution:
Enable Jumbo Frame settings on both the active and passive Palo Alto
Networks firewalls. In the example mentioned earlier, make sure that the
passive firewall has Jumbo Frames enabled. This means ensuring that both
devices can use larger Ethernet frames for smoother communication.
1. Navigate to Device > Setup > Session
2. In the Session Settings window, checkmark the Enable Jumbo Frame
checkbox.
3. You need to restart the device for the changes to be applied.
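Both HA failure signatures in this section (the URL vendor mismatch reason in the HA state output and the jumbo-frame HA-Sync commit failure) can be recognised automatically from captured CLI output. The following Python is an added example, not PAN-OS code; the two sample outputs are the ones quoted above, re-typed as constants, and the remediation strings repeat this section's fixes.

```python
"""Triage of the two HA failure signatures in this section from captured CLI
output. Added example, not PAN-OS code. The samples are the outputs quoted
in the text, re-typed as constants; remediation strings repeat the section."""
import re

# Constructed from the HA state output quoted for the URL vendor mismatch case.
HA_STATE_SAMPLE = """\
Group 1:
  Mode: Active-Passive
  Local Information:
    Version: 1
    Mode: Active-Passive
    State: active (last 21 hours)
    Last non-functional state reason: URL vendor mismatch
"""

# Constructed from the 'show jobs id 280' output quoted for the jumbo-frame case.
SHOW_JOBS_SAMPLE = """\
Enqueued                 ID   Type     Status Result Completed
--------------------------------------------------------------------------
2013/03/20 11:59:35      280  HA-Sync  FIN    FAIL   12:00:01
Warnings:
Details:device: device is not in jumbo-frame mode but interface ae1.518 mtu is greater than 1500
interface configuration error
Commit failed
"""

# One table row of 'show jobs': enqueued date+time, id, type, status, result, completed.
JOB_ROW = re.compile(
    r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")
# The jumbo-frame commit error, capturing the offending interface and the MTU limit.
JUMBO_RE = re.compile(r"not in jumbo-frame mode but interface (\S+) mtu is greater than (\d+)")


def parse_show_jobs(text):
    """Turn 'show jobs id <n>' output into a dict: table columns plus the Details lines."""
    job = {"details": []}
    in_details = False
    for line in text.splitlines():
        row = JOB_ROW.match(line)
        if row:
            enqueued, job_id, job_type, status, result, completed = row.groups()
            job.update(enqueued=enqueued, id=int(job_id), type=job_type,
                       status=status, result=result, completed=completed)
            continue
        if line.startswith("Warnings:"):
            in_details = False
            continue
        if line.startswith("Details:"):
            in_details = True
            line = line[len("Details:"):]
        if in_details and line.strip():
            job["details"].append(line.strip())
    return job


def parse_ha_state(text):
    """Collect 'key: value' pairs from HA state output. Later duplicates win, so the
    Local Information values override the group-level ones (e.g. Mode)."""
    info = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and value.strip():
            info[key.strip()] = value.strip()
    return info


def triage(ha_state_text="", jobs_text=""):
    """Match both outputs against the known signatures; returns a list of findings."""
    findings = []
    reason = parse_ha_state(ha_state_text).get("Last non-functional state reason", "")
    if "url vendor mismatch" in reason.lower():
        findings.append({
            "kind": "url-vendor-mismatch",
            "evidence": reason,
            "remediation": "Use the same URL vendor (PAN-DB or BrightCloud) on both HA "
                           "peers; load a trial license on the passive unit if needed.",
        })
    job = parse_show_jobs(jobs_text)
    if job.get("type") == "HA-Sync" and job.get("result") == "FAIL":
        match = next((m for m in map(JUMBO_RE.search, job["details"]) if m), None)
        if match:
            findings.append({
                "kind": "jumbo-frame-mismatch",
                "interface": match.group(1),
                "mtu_limit": int(match.group(2)),
                "remediation": "Enable Jumbo Frame on both peers (Device > Setup > "
                               "Session) and reboot so the HA-Sync commit can succeed.",
            })
        else:  # an HA-Sync failure this script does not know: surface the raw details
            findings.append({"kind": "ha-sync-failed", "details": job["details"],
                             "remediation": "Unknown signature: read the Details lines."})
    return findings


if __name__ == "__main__":
    for finding in triage(HA_STATE_SAMPLE, SHOW_JOBS_SAMPLE):
        print(finding)
```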
Heartbeat Backup Enabled on Both Devices, but Status is Down
1. Issue:
Heartbeat backup is turned on for two High Availability devices. Still, on the
WebGUI dashboard, it says the status is down.
Figure 11-02: Heart Beat Backup Status Down
2. Cause:
The issue might occur if the peer IP is not listed as permitted on the
Management Interface.
3. Resolution:
To fix it, navigate to Device > Setup > Management > Management
Interface Settings and add the peer IP to the permitted list.
Figure 11-03: Permit IP Address on Device A
Figure 11-04: Permit IP Address on Device B
Panorama Troubleshooting
We will now cover a few topics to address issues with the Panorama
management server and Dedicated Log Collector.
Troubleshoot Panorama System Issues
Generate Diagnostic Files for Panorama
Diagnostic files help keep track of system activities and identify the
potential causes of problems on Panorama. The support representative could
request a tech support file to help Palo Alto Networks Technical Support
troubleshoot a problem. The following steps explain how to get and upload a
tech support file to your support case.
Step 1: Click Generate Tech Support File after selecting Panorama >
Support.
Step 2: Save the file to your computer after downloading it.
Step 3: Upload the file to your case on the Palo Alto Networks Customer
Support website.
Diagnose Panorama Suspended State
If Panorama is in a suspended state, check for the following issues:
Serial numbers: Confirm that each virtual appliance running
Panorama has a distinct serial number. When two or more instances of
Panorama are created using the same serial number, all instances will
be suspended.
Mode: Make sure both High Availability (HA) peers are in Panorama
mode or Legacy mode if you deploy the Panorama virtual appliance in
an HA configuration.
HA priority: Verify your HA priority settings to ensure one peer is set to
Primary and the other to Secondary. If both peers have the same priority
setting, the Panorama peer with the larger numerical serial number is
suspended.
Panorama software version: Verify the major and minor version numbers of
the Panorama software to ensure that both Panorama HA peers run the same
version.
Monitor the File System Integrity Check
Panorama conducts a regular file system integrity check (FSCK) to
safeguard its system files from corruption. This check happens either after
eight reboots or during a reboot that occurs 90 days after the last FSCK.
While Panorama is undergoing an FSCK, the web interface and SSH login
screens will show a warning, preventing login until the process finishes. The
duration for completion varies based on the storage system's size, sometimes
taking several hours before access to Panorama is restored.
Control Panorama Storage to Update Software and Content
Using Panorama, you may deploy updates to firewalls, Log Collectors, and
WildFire appliances and install content and software updates for Panorama
itself. The amount of space Panorama has to keep updates cannot be
customized. Panorama notifies you to free up space (remove stored updates)
for new downloads or uploads when the allotted storage capacity approaches
90%. The maximum update setting is a global setting that applies to all
updates that Panorama stores. To modify the setting, you must use the CLI.
The default value of the maximum update setting for each category is two.
To change the maximum number of updates stored per category, enter the
following in the Panorama CLI (the count can be between 2 and 64):
> set max-num-images count <number>
To view how many updates Panorama currently stores:
> show max-num-images
To free up space on Panorama, delete updates using the web interface.
1. Choose the update type to be deleted.
Firewall or Log Collector updates:
PAN-OS/Panorama software images: select Panorama > Device Deployment >
Software.
GlobalProtect agent/app software: select Panorama > Device Deployment >
GlobalProtect Client.
Dynamic updates: select Panorama > Device Deployment.
Panorama updates:
Panorama software image: select Panorama > Software.
Panorama content updates: select Panorama > Dynamic Updates.
2. Click the X icon in the far right column for the image or update.
To free up space on Panorama, delete updates using the CLI.
Software image versions to delete:
> delete software version <version_number>
Content updates to delete:
> delete content update <filename>
Split-Brain Recovery in Panorama HA Deployments
The managed firewalls are connected to both the active and passive
Panorama High Availability (HA) peers when Panorama is configured in an
HA configuration. When the connection between the two Panorama peers
fails, the passive Panorama first determines whether a firewall is connected
to both peers before taking over as the active peer. The failover is not
initiated if a single firewall is connected to both peers.
When a failover occurs in the rare event where a set of firewalls is linked to
the active peer and a set is connected to the passive peer, but none of the
firewalls are connected to both peers, it is known as a split brain.
Neither Panorama peer knows the state or HA role of the other peer, so both
Panorama peers are active and manage their own set of firewalls.
To fix a split brain, debug your network problems and re-establish
connectivity between the Panorama HA peers.
Here are a few options if you need to modify the configurations of your
firewalls while the connection between the peers is down:
Manually apply the same configuration updates to both Panorama peers.
This guarantees that the configuration is synchronized when the link is
re-established.
If you need to add or alter the configuration at one Panorama location
only, do so once the link between the Panorama peers is re-established,
and make sure to start the synchronization from the peer where you made
the changes. Select the Dashboard tab, then click the Sync to peer link in
the High Availability widget to synchronize the peers.
If you need to add or modify the configuration for the firewalls connected
at each location, you can alter the configuration individually on each
Panorama peer. Each peer then has an entirely separate configuration file
(they are out of sync), and there is no replication because the peers are
disconnected. Therefore, to ensure that the changes made on each peer are
not lost when the connection is re-established, you must not allow the
configuration to be re-synchronized automatically. Instead, export the
configurations from each Panorama peer and manually integrate the
modifications using an external diff and merge tool. After integrating the
changes, import the unified configuration file onto the primary Panorama
and synchronize it with the peer.
Troubleshoot Log Storage and Connection Issues
Only M-Series appliances support log migration.
Verify Panorama Port Usage
Use Table 11-02 to confirm the ports that need to be opened on your network
so that Panorama can connect with managed firewalls, Log Collectors,
WildFire appliances and appliance clusters, and its HA peer. Panorama uses
TCP protocol for port communications.
By default, Panorama manages devices (firewalls, log collectors, WildFire
appliances, and appliance clusters), gathers logs, interacts with collector
groups, and deploys software and content updates to devices using the
management (MGT) interface. On an M-500 or M-100 appliance running
Panorama 6.1 through 7.1, you can, however, elect to assign the log
collection and Collector Group communication functions to the Eth1 or Eth2
interfaces. The Eth1, Eth2, or Eth3 interfaces on the M-100 appliance and
the Eth1, Eth2, Eth3, Eth4, or Eth5 interfaces on the M-500 appliance can
each be given any function if the appliance is running Panorama 8.0 or a
later release. The ports in Table 11-02 still apply no matter the function you
give each interface. For example, MGT will use port 3978, and Eth2 will use
port 28270 if you assign log collection to MGT and Collector Group
communication to Eth2. (The Panorama virtual appliance can only perform
these functions using the MGT interface.)
Table 11-02: Panorama port usage
Solve the Collector Group's Zero Log Storage Issue
If the disk pairs on the Log Collectors are not enabled for logging, the log
storage capacity for the Collector Group can show as 0 MB (zero MB). To
enable the disk pairs, take these steps for each Log Collector in the
Collector Group.
Step 1: Add the RAID disk pairs.
A. Click the Collector Name after choosing Panorama > Managed
Collectors.
B. When adding each RAID disk pair, select Disks, then click OK.
Step 2: Push the updates to the Collector Group and commit the changes to
Panorama.
A. To edit selections in the push scope, select Commit > Commit and
Push.
B. Select Collector Groups, choose the updated Collector Group, and
click OK.
C. Push and commit your changes.
Step 3: Verify the state of the Log Collectors and their disk pairs.
A. Verify that each Log Collector's configuration is synchronized with
Panorama by selecting Panorama > Managed Collectors.
B. The Run Time Status column should read connected, and the
Configuration Status column should read in sync.
C. Verify that the disk pairs are Enabled and Available by selecting
Statistics in the last column for each Log Collector.
Replace a Failed Disk on an M-Series Appliance
If a disk on an M-Series appliance fails, replace the disk and reconfigure
it in the RAID 1 array.
Replace the Virtual Disk on an ESXi Server
Once a virtual disk has been added to the Panorama virtual appliance
running on a VMware ESXi server, it cannot be resized. Because the Panorama
virtual appliance in Legacy mode supports only one location for log
storage, you must replace the virtual disk to change the log storage
capacity. If the appliance operates in Panorama mode, you can instead add
another disk (up to 12) to expand the log storage capacity.
When a disk is replaced on the Panorama virtual appliance running in
Legacy mode, the logs on the existing disk are lost.
Step 1: Delete the previous virtual disk.
A. Go to the Virtual Machines tab in the VMware vSphere Client.
B. Choose Power > Power Off by right-clicking the Panorama virtual
appliance.
C. Edit Settings can be accessed by right-clicking the Panorama virtual
appliance.
D. In the Hardware tab, choose the virtual disk, then click Remove.
E. Click OK after choosing a removal option.
Step 2: Add the new virtual disk.
A. On an ESXi server, add a virtual disk to Panorama.
The virtual disk size supported by Panorama running on ESXi 5.5 and
later versions is up to 8TB. A virtual disk of up to 2TB is supported by
Panorama when running on an earlier version of ESXi.
B. Right-click the Panorama virtual appliance in the vSphere Client and
choose Power > Power On.
A cache data unavailable message will appear, and the reboot process
could take several minutes.
Step 3: Check to make sure the modified log storage capacity is correct.
A. Log in to the virtual appliance for Panorama.
B. Verify that the Log Storage column in the Logging and Reporting
Settings section appropriately displays the modified log storage
capacity by selecting Panorama > Setup > Management.
Replace the Virtual Disk on VMware vCloud Air
Once a virtual disk has been added to the Panorama virtual appliance
running on VMware vCloud Air, it cannot be resized. Because the Panorama
virtual appliance in Legacy mode supports only one location for log
storage, you must replace the virtual disk to change the log storage
capacity. In Panorama mode, you can instead add virtual disks to Panorama
on vCloud Air, up to a maximum of 12.
When a disk is replaced on the Panorama virtual appliance running in
Legacy mode, the logs on the existing disk are lost.
Step 1: Remove the previous virtual disk.
A. Select your Virtual Private Cloud OnDemand region by logging into
the vCloud Air web console.
B. In the Virtual Machines tab, choose the Panorama virtual machine.
C. Choose Actions > Edit Resources.
D. For the virtual disk you are deleting, click x.
Step 2: Add the new virtual disk.
A. Add one more disk.
B. Set the storage tier to Standard or SSD-Accelerated, increasing the
storage capacity to 8TB.
C. Save your edits.
Step 3: Reboot Panorama.
A. Log in to the virtual appliance for Panorama.
B. Choose Panorama > Setup > Operations and Reboot Panorama.
Step 4: Verify that the modified log storage capacity is accurate.
A. After the Panorama virtual appliance restarts, log in.
B. Verify that the Log Storage fields in the Logging and Reporting
Settings section appropriately display the modified log storage
capacity by selecting Panorama > Setup > Management.
Migrate Logs in Log Collector Mode to a New M-Series Appliance
The logs gathered from firewalls by an M-600, M-500, M-200, or M-100
appliance in Log Collector mode (Dedicated Log Collector) can be
transferred to a new M-Series appliance by moving the appliance's RAID
disks. This enables you to transfer logs as part of a hardware upgrade
(from an M-100 appliance to an M-500 appliance) or to restore logs
following a system failure on the M-Series appliance.
EXAM TIP: It is not recommended to migrate logs by taking the logging disks
out of any M-Series appliance and loading them onto an M-600 Panorama
management server.
Start the initial setup of the new M-Series appliance that will be the
Dedicated Log Collector. Mount the M-Series appliance in a rack.
Step 1: Perform the M-Series Appliance initial configuration.
A. When configuring interfaces, configure only the Management (MGT)
interface. The configurations of additional interfaces are removed when
switching to Log Collector mode (later in this procedure). Any interfaces
the Log Collector will use in addition to MGT are configured when you
configure the Log Collector (see Step 2).
B. Register Panorama.
C. If the new M-Series appliance is the same hardware model as the outgoing
M-Series appliance, purchase and activate the Panorama support license or
transfer the existing licenses.
D. If the new M-Series appliance is a different model from the old M-Series
appliance, you should purchase new licenses.
Log in to the Palo Alto Networks Customer Support website.
Select the Assets tab, then click the Spares link.
Click the serial number of the new M-Series appliance to view it.
To transfer licenses, select the outdated M-Series appliance and click
Submit.
E. A firewall management license must be activated. Enter the auth code
attached to the migration license if you are upgrading an M-100
appliance to an M-500 appliance.
F. Update the software and content for Panorama. Panorama, Log
Collector, Firewall, and WildFire Version Compatibility are excellent
resources for important data about software versions.
G. Switch between Panorama and Log Collector mode:
H. Access Log Collector mode by using the Log Collector CLI:
Type Y. Rebooting occurs on the M-Series appliance to confirm the
mode change. If the reboot procedure ends your session with the
terminal emulator software, reconnect to the M-Series appliance to see
the Panorama login prompt.
Press Enter without entering a username or password if you see a CMS
Login prompt.
I. To establish connectivity between the Panorama management server
and the Log Collector, use the Log Collector CLI. The primary
Panorama's MGT interface is at <IPaddress1>, while the secondary
Panorama's MGT interface is at <IPaddress2>.
Step 2: Add the new Log Collector as a managed collector on the Panorama management server. For every command that requires a serial number, type the entire serial number; pressing Tab to complete a partial serial number is not supported.
A. Configure the Log Collector as a managed collector using the Panorama web interface or the CLI. When you do so (Panorama > Managed Collectors > Interfaces), define any additional interfaces that the old Log Collector used for log collection and Collector Group communication.
B. Commit the changes to Panorama. Do not commit the changes to the Collector Group yet.
C. Verify that the Log Collector is connected to Panorama and that its disk pairs are present and available. At this stage of the restore, the disk pairs show as disabled.
Step 3: Remove the RAID disks from the old Log Collector.
Power off the old Log Collector by pressing the Power button until the system shuts down.
Remove the disk pairs.
Step 4: Prepare the disks for the migration.
EXAM TIP: Generating the metadata for each disk pair rebuilds the indexes, and the time this takes depends on the amount of log data. To speed it up, open additional CLI sessions and run the metadata regeneration command for a different pair in each session so that the pairs are processed in parallel.
A. Insert the disks into the new Log Collector.
EXAM TIP: The M-100 appliance's disk carriers are not compatible with the M-500 appliance. When migrating between these hardware models, unscrew each disk from its old carrier and mount it in the new carrier before inserting it into the new appliance.
Keep each disk pair together. A pair from slot A1/A2 on the old appliance may go into slot B1/B2 on the new appliance, but both disks of a pair must stay together in the same slot; otherwise Panorama may be unable to restore the data.
B. Enable each disk pair by running the following CLI command, once per pair:
request system raid add <slot> force no-format
The force and no-format arguments are mandatory: force associates the disk pair with the new Log Collector, and no-format prevents the disks from being reformatted, which preserves the logs they hold.
C. Generate the metadata for every disk pair.
Step 5: Add a Log Collector without disks to a Collector Group.
EXAM TIP: From this point on, perform only the commits required to complete the migration on Panorama and the Log Collectors. Make no other changes.
A. Open the Panorama CLI.
B. Override the Panorama restriction that prevents adding a Log Collector without disks to a Collector Group by running the request log-migration-set-start command, then commit the change.
Step 6: Migrate the logs.
The new Log Collector takes the old Log Collector's place in the Collector Group.
A. Assign the new Log Collector to the Collector Group and commit your changes to Panorama. The old Log Collector still appears as a member because it has not yet been removed from the configuration.
B. For each disk pair, run the log migration from the old Log Collector's serial number and disk pair to the new Log Collector's serial number and disk pair, and commit the changes to Panorama once the logs have migrated.
Step 7: Reconfigure the Collector Group.
In the web interface (Panorama > Collector Groups > Device Log Forwarding), assign the new Log Collector to the firewalls that forward logs, giving it the same priority in the firewall preference lists that the old Log Collector had. Priority assignments in firewall preference lists cannot be changed from the CLI.
Remove the old Log Collector from the Collector Group, delete it from the Panorama configuration, and commit your changes to Panorama.
Finally, commit the changes to the Collector Group so that the managed firewalls start sending logs to the new Log Collector.
Step 8: Generate new keys on the new Dedicated Log Collector.
Run the command for the Collector Group of the Log Collector being replaced; it deletes the existing RSA keys so that Panorama can generate new ones for the new member.
Open the Panorama CLI.
Delete all RSA keys on the new Log Collector.
The process can take up to 10 minutes to finish.
Step 9: Verify that SearchEngine Status is Active on every Log Collector in the Collector Group.
Continue only after all Log Collectors in the Collector Group report an Active SearchEngine Status; proceeding earlier can cause the logs on the Log Collector being replaced to be purged.
Open the Panorama CLI and display the Log Collector details. Alternatively, run show log-collector detail on each Dedicated Log Collector.
Confirm that the SearchEngine Status is Active.
Step 10: On the new Log Collector, replace the old Log Collector's serial number with the new one.
Unless you replace the old serial number with the new one, the new Log Collector can run into purging problems and be unable to delete old data from the migrated logs when it needs to.
Open the Log Collector CLI.
Replace the old serial number with the new serial number:
request log-migration-update-logger from <old-log-collector-serial-number> to <new-log-collector-serial-number>
Transfer Logs in Panorama Mode to a New M-Series Appliance
If you need to replace an M-600, M-500, M-200, or M-100 appliance in Panorama mode (Panorama management server), you can migrate the firewall logs it stores to a new M-Series appliance by moving its disks. Moving the disks lets you carry the logs through a hardware upgrade (for example, from an M-100 to an M-500 appliance) or recover them after a system failure on the M-Series appliance. Migrating logs by removing the logging disks from any M-Series appliance and loading them into an M-600 Panorama management server is not recommended.
Instead, set up the M-600 appliance, configure log forwarding to it, and keep the old M-Series appliance as a managed Log Collector until you no longer need access to the logs stored on it. Use the following steps to transfer logs in Panorama mode to a new M-Series appliance.
Step 1: If you want to keep any logs from the old M-Series appliance, forward them to an external destination.
The System and Configuration logs that Panorama and Log Collectors generate are stored on the SSD, and the SSD cannot be moved between M-Series appliances.
Configure log forwarding on Panorama to send the logs to external destinations.
Step 2: Export the Panorama configuration from the M-Series appliance being decommissioned (in Panorama mode).
Log in to the Panorama appliance and select Panorama > Setup > Operations.
Click Save named Panorama configuration snapshot, enter a Name to identify the configuration, and click OK.
Select the Name of the configuration you just saved, click Export named Panorama configuration snapshot, and click OK. Panorama exports the configuration to your client system as an XML file.
Step 3: Remove the RAID disks from the old M-Series appliance.
Power off the old M-Series appliance by pressing the Power button until the system shuts down.
Remove the disk pairs.
Step 4: Perform the initial setup of the new M-Series appliance.
Register Panorama.
If the new M-Series appliance is the same hardware model as the old one, transfer the licenses (or purchase and activate a Panorama support license). If the new appliance is a different model from the old one, purchase new licenses.
To transfer licenses:
Log in to the Palo Alto Networks Customer Support website.
Select the Assets tab and click the Spares option.
Click the serial number of the new M-Series appliance to view it.
Click Transfer Licenses.
Select the old M-Series appliance and click Submit.
Activate a firewall management license. If you are migrating from an M-100 to an M-500 appliance, enter the auth code associated with the migration license.
Update the Panorama software and install content updates.
Step 5: On the new M-Series appliance (in Panorama mode), load the Panorama configuration snapshot you exported from the decommissioned M-Series appliance.
Log in to the new M-Series appliance's Panorama web interface and select Panorama > Setup > Operations.
Click Import named Panorama configuration snapshot, select the configuration file you exported from the retired M-Series appliance, and click OK.
Click Load named Panorama configuration snapshot, select the Name of the configuration you just imported, choose a Decryption Key (the Panorama master key), and click OK. The loaded configuration replaces Panorama's current candidate configuration. Panorama displays any errors that occur while loading the configuration file; save them to a local file and fix each one to make sure the migrated configuration is valid.
Make any other configuration adjustments that are required.
If the previous M-Series appliance used interfaces other than MGT for Panorama services such as log collection, configure those interfaces on the new M-Series appliance under Panorama > Setup > Interfaces.
Select Commit > Commit to Panorama, validate the commit, and resolve any errors before continuing.
Commit your changes to the Panorama configuration.
Step 6: Insert the disks into the new M-Series appliance.
When migrating between the M-100 and M-500 appliances, note that the
disk carriers of these two models are incompatible. Consequently, during the
migration process, you will need to detach each disk from its old carrier and
place it into the new carrier before inserting it into the new appliance.
It is crucial to maintain the disk pair association. While you can move a disk
pair from slot A1/A2 on the old appliance to slot B1/B2 on the new one,
ensure that both disks remain together in the same slot. Failure to do so
might result in Panorama being unable to restore the data successfully.
Step 7: Contact Palo Alto Networks Customer Support to copy the log collector group metadata from the decommissioned M-Series appliance to the new one and restart the mgmtsrvr process.
Step 8: If the M-Series appliance was part of a Collector Group, verify that the serial number of the decommissioned M-Series appliance is still associated with the correct Collector Group by running the following command:
debug log-collector-group show name <Log Collector Group name>
If it is not, the Tech Support folders were copied incorrectly in the previous step; contact Palo Alto Networks Customer Support to correct the Tech Support folder placement.
Step 9: Prepare the disks for migration.
EXAM TIP: Generating the metadata for each disk pair rebuilds the indexes, and the time this takes depends on the amount of log data. To speed it up, open multiple CLI sessions and run the metadata regeneration command for a different pair in each session so that the pairs are processed in parallel.
The disks were inserted in Step 6; the carrier and pair-association cautions given there apply.
Enable each disk pair by running the following CLI command, once per pair:
request system raid add <slot> force no-format
The force and no-format arguments are mandatory. The force argument associates the disk pair with the new appliance, and no-format prevents the drives from being reformatted, which preserves the logs stored on the disks.
Generate the metadata for each disk pair. This step can take up to 6 hours, depending on the volume of log data stored on the disks.
Step 10: Configure the local Log Collector on the new M-Series appliance.
Type the complete serial number for every command that requires one; pressing Tab does not autocomplete a partial serial number. Do not enable the disks on the new M-Series appliance at this stage: once the logs have been migrated, Panorama enables the disks automatically.
Configure the local Log Collector as a managed collector using the Panorama web interface or the following CLI commands:
admin> configure
admin# set log-collector <log-collector_SN> deviceconfig system hostname <log-collector-hostname>
admin# exit
Verify that the local Log Collector is connected to Panorama and that its disk pairs are listed as present/available:
admin> show log-collector serial-number <log-collector_SN>
The disk pairs remain disabled during this phase of the restore.
Commit your changes to Panorama, but do not commit changes to the Collector Group yet:
admin> configure
admin# commit
Step 11: Add a Log Collector with no disks to a Collector Group.
From this point on, commit only the changes needed to complete the migration on Panorama and the Log Collectors; make no other modifications.
Open the Panorama CLI of the new M-Series appliance.
Override the Panorama restriction that prevents adding a Log Collector with no disks to a Collector Group:
admin> request log-migration-set-start
Commit the override with a forced commit:
admin> configure
admin# commit force
Step 12: Start the log migration.
Open the Panorama CLI of the new M-Series appliance.
Add the new local Log Collector as a member of the Collector Group and commit the changes to the Panorama configuration:
admin# set log-collector-group <collector_group_name> logfwd-setting collectors <SN_managed_collector>
admin# commit
admin# exit
The old local Log Collector still appears in the member list because you have not yet removed it from the configuration.
Migrate the logs to the new appliance by running the following command once for each disk pair, then commit the changes to Panorama once the logs have migrated:
admin> request log-migration from <old_LC_serial_number> old-disk-pair <log_disk_pair> to <new_LC_serial_number> new-disk-pair <log_disk_pair>
Step 13: Reconfigure the Collector Group.
In the Panorama web interface of the new M-Series appliance, assign the new Log Collector to the firewalls that forward logs (Panorama > Collector Groups > Device Log Forwarding). Give the new Log Collector the same priority in the firewall preference lists that the old Log Collector had; priority assignments in firewall preference lists cannot be changed from the CLI.
Open the Panorama CLI of the new M-Series appliance and remove the old Log Collector from the Collector Group:
admin# delete log-collector-group <group_name> logfwd-setting collectors <old_LC_serial_number>
Delete the old Log Collector from the Panorama configuration and commit your changes to Panorama. Finally, commit the Collector Group changes so that the managed firewalls can send logs to the new Log Collector.
admin# delete log-collector <old_LC_serial_number>
admin# commit
admin# exit
Step 14: Generate new keys on the new Log Collector. This step adds the new Log Collector to the Collector Group and must be run only for the Collector Group of the Log Collector being replaced; it deletes the existing RSA keys so that Panorama can create new ones.
Open the Panorama CLI of the new M-Series appliance.
Delete all RSA keys on the new Log Collector:
admin> request logdb update-collector-group-after-replace collector-group <collector-group-name>
The process may take up to 10 minutes to complete.
Step 15: Verify that SearchEngine Status is Active on all Log Collectors in the Collector Group before proceeding.
Do not continue until the status is Active on every Log Collector in the Collector Group; continuing earlier may cause the logs on the Log Collector being replaced to be purged.
Open the Panorama CLI of the new M-Series appliance and display the Log Collector details. Alternatively, run show log-collector detail on each Dedicated Log Collector.
Confirm that the SearchEngine Status is Active.
Step 16: On the new Log Collector, replace the previous Log Collector's serial number with the serial number of the new Log Collector.
Replacing the old serial number with the new one avoids data-purging problems later: it lets the new Log Collector remove old data from the migrated logs when necessary.
Open the Log Collector CLI.
Replace the old Log Collector's serial number with the new Log Collector's serial number:
request log-migration-update-logger from <old-log-collector-serial-number> to <new-log-collector-serial-number>
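Both migration procedures above (Log Collector mode and Panorama mode) repeat the same cautions: the two disks of a pair must stay together even if the pair moves to a different slot, force and no-format are mandatory when the pairs are re-added, and serial numbers must be typed in full. The following Python script is an added example, not code from the study guide or from Palo Alto Networks; it turns a planned disk placement into a validated runbook of CLI commands and rejects placements that would split a pair. It assumes the disk-pair enable command is request system raid add <slot> force no-format, that metadata regeneration is request metadata-regenerate slot <n> with slots 1 to 4 for pairs A to D, and that the log-migration command is the one quoted in Step 12; verify all three against your PAN-OS release. The serial numbers are constructed.

```python
"""Plan the per-disk-pair CLI commands for an M-Series log migration.

Added example; not code from the study guide or from Palo Alto Networks.
Assumptions, to be verified against your PAN-OS release: the disk-pair
enable command is 'request system raid add <slot> force no-format', the
metadata command is 'request metadata-regenerate slot <n>' with slot
numbers 1..4 for pairs A..D, and the log-migration command is the one the
study guide quotes. Serial numbers used below are constructed.
"""
import re
from collections import defaultdict

SERIAL_RE = re.compile(r"[A-Za-z0-9]+")     # full serial: one token, no spaces
SLOT_RE = re.compile(r"([A-D])([12])")      # disk bays A1..D2
PAIR_SLOT_NUMBER = {"A": 1, "B": 2, "C": 3, "D": 4}   # assumed pair letter -> slot number


def _check_serial(label, serial):
    if not isinstance(serial, str) or not SERIAL_RE.fullmatch(serial):
        raise ValueError(f"{label}: type the full serial number (got {serial!r})")
    return serial


def _split_slot(slot):
    m = SLOT_RE.fullmatch(slot)
    if not m:
        raise ValueError(f"unknown disk slot {slot!r}")
    return m.group(1), int(m.group(2))


def validate_placement(placement):
    """Map old pair letter -> new pair letter, or raise if a pair is split.

    placement maps each old disk bay to the bay it goes into on the new
    appliance, e.g. {"A1": "B1", "A2": "B2"} moves pair A into slot B.
    """
    targets = defaultdict(lambda: defaultdict(set))   # old pair -> new pair -> bays
    for old_slot, new_slot in placement.items():
        old_pair, _ = _split_slot(old_slot)
        new_pair, bay = _split_slot(new_slot)
        targets[old_pair][new_pair].add(bay)
    mapping, used = {}, set()
    for old_pair, by_new in sorted(targets.items()):
        if len(by_new) != 1:
            raise ValueError(f"pair {old_pair} is split across slots {sorted(by_new)}")
        (new_pair, bays), = by_new.items()
        if bays != {1, 2}:
            raise ValueError(f"pair {old_pair} must fill both bays of slot {new_pair}")
        if new_pair in used:
            raise ValueError(f"two old pairs mapped to new slot {new_pair}")
        used.add(new_pair)
        mapping[old_pair] = new_pair
    return mapping


def placement_error(placement):
    """Return the validation error message, or None if the placement is sound."""
    try:
        validate_placement(placement)
    except ValueError as exc:
        return str(exc)
    return None


def plan_migration(old_serial, new_serial, placement):
    """Return the ordered command groups for the migration runbook."""
    old_serial = _check_serial("old Log Collector", old_serial)
    new_serial = _check_serial("new Log Collector", new_serial)
    mapping = validate_placement(placement)
    return {
        # Prepare the disks: re-add every bay without formatting it.
        "enable_pairs": [f"request system raid add {slot} force no-format"
                         for slot in sorted(placement.values())],
        # Index rebuild, one per pair; run these in parallel CLI sessions.
        "regenerate_metadata": [f"request metadata-regenerate slot {PAIR_SLOT_NUMBER[p]}"
                                for p in sorted(mapping.values())],
        # Migrate the logs: one command per pair, old pair -> new pair.
        "migrate_logs": [f"request log-migration from {old_serial} old-disk-pair {old} "
                         f"to {new_serial} new-disk-pair {new}"
                         for old, new in sorted(mapping.items())],
    }


if __name__ == "__main__":
    plan = plan_migration("0070000011111", "0070000022222",   # constructed serials
                          {"A1": "B1", "A2": "B2", "B1": "A1", "B2": "A2"})
    for group, commands in plan.items():
        print(f"# {group}")
        print("\n".join(commands))
```

The placement check is the part worth keeping even if you retype the commands by hand: swapping slots A and B is accepted, while A1 to B1 with A2 to C2, a pair with only one disk placed, or two old pairs stacked into one new slot are rejected before any disk is re-added.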
Replace an RMA Firewall
To reduce the time needed to restore the configuration on a managed firewall that is replaced under a Return Merchandise Authorization (RMA), replace the old firewall's serial number with the new firewall's serial number on Panorama. To restore the configuration, either use Panorama to generate a partial device state for the managed firewall (supported for firewalls running PAN-OS 5.0 and later) or import a device state you previously generated and exported from the firewall being replaced. After you replace the serial number and import the device state, you can resume managing the firewall from Panorama.
Partial Device State Generation for Firewalls
When utilizing Panorama to generate a partial device state, it mirrors the
configuration of managed firewalls, with a few exceptions specific to Large
Scale VPN (LSVPN) setups. The partial device state is created by merging
two elements of the firewall configuration:
Centralized Configuration Managed by Panorama: Panorama
maintains a snapshot encompassing shared policy rules and templates
under its management, which are then deployed to the firewalls.
Local Configuration on the Firewall: Whenever a configuration change
is committed on a firewall, a duplicate of its local configuration file is
transmitted to Panorama. Panorama stores this file and utilizes it in
constructing the partial device state bundle.
EXAM TIP: In an LSVPN configuration, it is important to note
that the partial device state bundle generated on Panorama differs from the
version obtained by exporting it directly from a firewall. Export from a
firewall can be initiated manually by navigating to Device > Setup >
Operations and selecting Export device state. Additionally, it can be
scheduled through an XML API script to export the file to a remote server.
The exported device state file becomes valuable in your firewall
replacement workflow.
If you have not exported the device state from the firewall, the device state you generate as part of the replacement process lacks crucial dynamic configuration, such as certificates and registered satellites, that is essential for restoring the complete configuration of a firewall operating as an LSVPN portal.
Before Starting RMA Firewall Replacement
Ensure the firewall you plan to replace runs PAN-OS 5.0.4 or later; Panorama cannot generate the device state for firewalls running older PAN-OS versions.
Note the following details about the firewall you intend to replace:
Serial Number: You must input the serial number on the Palo Alto
Networks Customer Support website to facilitate the transfer of
licenses from the old firewall to the replacement firewall. You will
also need to enter this information into Panorama to update all
references to the old serial number with the new serial number of
the replacement firewall.
(Recommended) PAN-OS Version and Content Database Version: For consistency, install the same software and content database versions, including the URL database vendor, on the replacement firewall as were on the old firewall, so that the replacement reaches a similar state. If you install the latest content database version instead, expect differences due to updates and additions. To identify the versions installed on the old firewall, check its System logs stored on Panorama.
Before importing the device state bundle and restoring the configuration, prepare the replacement firewall for deployment:
Verify that the new firewall is the same model as the old one and is configured for the same operational capabilities, such as whether it must support multiple virtual systems or jumbo frames, or operate in CC or FIPS mode.
Configure network access, transfer the necessary licenses, and install the appropriate PAN-OS and content database versions on the replacement firewall.
Completing the firewall replacement requires the Panorama CLI, so your administrator account must have the superuser or panorama-admin role.
In cases where you have an LSVPN configuration and you are
replacing a Palo Alto Networks firewall that serves as either a satellite
or an LSVPN portal, it is important to note that the dynamic
configuration information necessary to restore LSVPN connectivity
would not be available when you restore the partial device state
generated on Panorama. Suppose you have followed the
recommendation to regularly generate and export the device state for
firewalls in an LSVPN configuration. In that case, using the device
state you previously exported directly from the firewall is advisable
instead of generating one on Panorama.
However, if you have not manually exported the device state from the
firewall and need to generate a partial device state on Panorama, the
absence of dynamic configuration will impact the firewall replacement
process as outlined below:
Suppose the firewall you are replacing is a GlobalProtect portal
explicitly configured with the serial numbers of the satellites
(Network > GlobalProtect > Portals > Satellite Configuration). In
that case, the restoration of the firewall configuration, while
lacking dynamic configuration, will still enable successful
authentication of the satellites by the portal firewall. The
authentication process will populate the required dynamic
configuration information, reinstating LSVPN connectivity.
If, on the other hand, you are replacing a satellite firewall, it cannot connect to and authenticate with the portal: either the satellite's serial number was never explicitly configured on the portal (Network > GlobalProtect > Portals > Satellite Configuration), or it was, but the replacement firewall's serial number does not match the old one. To restore connectivity after importing the device state bundle, the satellite administrator must log in to the firewall and enter the credentials (username and password) for authentication to the portal. After successful authentication, the dynamic configuration required for LSVPN connectivity is generated on the portal.
In scenarios where the firewall was configured in a high availability
setup, it will automatically synchronize its running configuration with
its peer after restoring the configuration. It ensures the firewall obtains
the latest dynamic configuration required for seamless operation.
Restore the Firewall Configuration after Replacement
First set up the new firewall's basic configuration: select the operational mode and bring the PAN-OS software and content release versions up to what the old firewall ran. Then export the old firewall's device state from Panorama and import it into the new firewall. Finally, return to Panorama to verify that the new firewall is connected and to synchronize it with Panorama.
Step 1: Perform the initial configuration on the new firewall and ensure network connectivity.
Over a serial console or Secure Shell (SSH) connection, configure the management IP address and the DNS server address, and verify that the new firewall can reach the Palo Alto Networks update server.
Step 2: Optionally, change the Operational mode on the new firewall to match the setting on the old firewall.
Connect over the serial port and enter maintenance mode with the following command:
> debug system maintenance-mode
From the main menu, select Set FIPS Mode or Set CCEAL4 Mode to match the required Operational mode.
Step 3: Retrieve the license(s) on the new firewall with the following command:
> request license fetch
Step 4: Optionally, synchronize the operational state of the new firewall with that of the old firewall; for example, enable multiple virtual systems (multi-vsys) if the old firewall had that capability enabled.
Use the commands that apply to your settings, for example:
> set system setting multi-vsys on
> set system setting jumbo-frame on
Step 5: Upgrade the PAN-OS version on the new firewall.
Upgrade to the same PAN-OS version that was installed on the old firewall, and upgrade the content release versions to match or exceed those on the old firewall. Use the following commands:
To upgrade the content release version:
> request content upgrade download latest
> request content upgrade install version latest
To upgrade the antivirus release version:
> request anti-virus upgrade download latest
> request anti-virus upgrade install version latest
To upgrade the PAN-OS software version:
> request system software download version <version>
> request system software install version <version>
Step 6: From the Panorama CLI, export the device state bundle for the old firewall to a computer using Secure Copy (SCP) or TFTP. This step cannot be performed from the web interface.
Note: Skip this step if you manually exported the device state from the firewall.
The export command generates a tar-zipped device state bundle that excludes the LSVPN dynamic configuration (satellite information and certificate details).
> scp export device-state device <old serial#> to <login>@<serverIP>:<path>
or
> tftp export device-state device <old serial#> to <serverIP>
Step 7: On Panorama, replace the old firewall's serial number with the serial number of the replacement firewall.
Updating the serial number on Panorama lets the new firewall connect to Panorama once its configuration has been restored.
Enter configuration mode, replace the serial number (replace device old <old serial#> new <new serial#>), commit your changes, and exit configuration mode.
Step 8: Import the device state and commit the changes on the new firewall.
Log in to the new firewall's web interface.
Select Device > Setup > Operations and, in the Configuration Management section, click Import Device State.
Browse to the device state file and click OK.
Commit the changes to the firewall's running configuration.
Step 9: Verify the Successful Restoration of the Firewall Configuration from
Panorama:
Access the Panorama web interface and navigate to Panorama >
Managed Devices.
Check the Connected column for the new firewall to ensure it displays
a checkmark.
Step 10: Synchronize the Firewall with Panorama:
Select Commit > Commit and Push in the Panorama web interface,
and then choose Edit Selections in the Push Scope.
Select the relevant options:
Device Groups: Choose the device group that contains the
firewall.
Include Device and Network Templates.
Collector Groups: Select the Collector Group that includes the
firewall.
Click "OK" to save the changes to the Push Scope.
Commit and Push your changes.
EXAM TIP: If you need to generate reports for a period when the old firewall was still in operation after you install the new firewall, remember that replacing the serial number on Panorama does not rewrite the serial number already recorded in the stored logs.
Troubleshoot Commit Failures
If you encounter commit or push operation failures on Panorama, investigate
the conditions as shown in Table 11-03:
Table 11-03: Condition for Commit and Push Failure
Troubleshoot Registration or Serial Number Errors
If the Panorama > Support page on the M-600, M-500, M-200, or M-100
appliance does not show support license data or if the Panorama > Setup >
Management page still shows Unknown for the Serial Number even after
you register Panorama, take the following steps:
Step 1: Locate the serial number that Palo Alto Networks sent you by email when your order was fulfilled.
Step 2: Select Panorama > Setup > Management and edit the General Settings.
Step 3: Enter the serial number and click OK.
Step 4: Select Commit > Commit to Panorama to commit your changes.
Troubleshoot Reporting Errors
If Panorama fails to generate a report, or a report lacks the data you expect, the cause may be a mismatch in content versions (including the Applications database) between Panorama and the managed collectors and firewalls. The content versions on Panorama must be the same as, or lower than, those on the managed collectors and firewalls.
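The rule above is easy to check from an inventory before a content update is scheduled on Panorama. The Python script below is an added example, not code from the study guide or from Palo Alto Networks: it flags every device and database for which Panorama is ahead, and computes the highest content version Panorama may run per database without breaking reporting. It assumes content version strings of the form 8706-7748 (content version, then release number), compared numerically; the inventory is constructed, not real appliance output.

```python
"""Flag managed devices whose content is older than Panorama's.

Added example, not from the study guide or Palo Alto Networks. Version
strings are assumed to look like '8706-7748' (content version, then
release number) and are compared numerically; the inventory in __main__
is constructed, not real output.
"""


def parse_content_version(text):
    """'8706-7748' -> (8706, 7748); a bare '8706' -> (8706, 0)."""
    parts = text.strip().split("-")
    if not 1 <= len(parts) <= 2 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised content version {text!r}")
    numbers = tuple(int(p) for p in parts)
    return numbers if len(numbers) == 2 else numbers + (0,)


def find_reporting_mismatches(panorama, devices):
    """Return (device, database, device_version, panorama_version) for every
    database where Panorama runs a newer version than the device.

    panorama: {"applications": "8706-7748", ...}
    devices:  {"fw-dc-01": {"applications": "8700-7730", ...}, ...}
    A database absent from a device is skipped, not reported.
    """
    mismatches = []
    for device, versions in sorted(devices.items()):
        for database, pan_version in sorted(panorama.items()):
            if database not in versions:
                continue
            if parse_content_version(versions[database]) < parse_content_version(pan_version):
                mismatches.append((device, database, versions[database], pan_version))
    return mismatches


def highest_safe_panorama_versions(devices):
    """Per database, the highest version Panorama may run without breaking
    reporting: the lowest version present on any managed device."""
    safe = {}
    for versions in devices.values():
        for database, version in versions.items():
            current = safe.get(database)
            if current is None or parse_content_version(version) < parse_content_version(current):
                safe[database] = version
    return safe


if __name__ == "__main__":
    # Constructed inventory: one branch firewall lags on the Applications database.
    panorama = {"applications": "8706-7748", "antivirus": "4520-5040"}
    devices = {
        "fw-dc-01": {"applications": "8706-7748", "antivirus": "4520-5040"},
        "fw-branch-07": {"applications": "8701-7735", "antivirus": "4522-5043"},
        "lc-dc-01": {"applications": "8706-7748"},
    }
    for row in find_reporting_mismatches(panorama, devices):
        print("report risk: %s %s is at %s, Panorama at %s" % row)
    print("safe Panorama ceilings:", highest_safe_panorama_versions(devices))
```

In practice the version strings come from the Panorama > Managed Devices and Managed Collectors pages (or the firewalls' System logs, as the RMA section above notes); the script only decides which combinations violate the rule.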
Troubleshoot Device Management License Errors
After an upgrade to PAN-OS 8.1, the Panorama virtual appliance checks that a device management license is installed. If no device management license is installed, or the number of firewalls managed by the Panorama virtual appliance exceeds the license limit, you have a 180-day grace period in which to install a valid device management license. Until you do, the following alert appears each time you log in to the Panorama web interface:
A similar alert is displayed on login if the number of firewalls managed by the Panorama virtual appliance exceeds the device management license limit.
Alert for Uninstalled or Exceeded Device Management License:
To resolve this issue, follow these steps:
Step 1: Contact your Palo Alto Networks sales representative or authorized
reseller to acquire the required device management license.
Step 2: Log in to the Panorama Web Interface.
Step 3: Activate or retrieve a device management license based on whether
the Panorama virtual appliance is online or offline.
Troubleshoot Automatically Reverted Firewall Configurations
If a managed firewall automatically reverts its configuration because a configuration change broke the connection between the Panorama management server and the firewall, you can troubleshoot the out-of-sync firewall to identify the changes that were made and pinpoint which parts of the last configuration push caused the firewall to revert its configuration.
Step 1: To Verify the Automatic Reversion of the Managed Firewall:
On the Firewall:
1. Access the Firewall Web Interface.
2. Navigate to Tasks (located in the bottom-right corner of the web
interface).
3. Verify that the status of the last commit operation (whether pushed
from Panorama or committed locally) indicates "Reverted."
On Panorama:
1. Log in to the Panorama Web Interface.
2. Go to Panorama > Managed Devices > Summary.
3. Check the sync status of the Shared Policy and Template. If you recently pushed a configuration from Panorama to your managed firewalls and that push caused a reversion, the Shared Policy or Template may show as Out of Sync, depending on the nature of the configuration changes.
Step 2: In the Last Merged Diff column for a managed firewall, use the Show Last Merged Config Diff option to compare the current running configuration with the reverted configuration. For example, in the scenario shown in the Figure, a policy rule pushed from Panorama denied all traffic between the managed firewall and Panorama, which triggered the automatic reversion of the firewall configuration.
Step 3: Make any necessary adjustments to configuration objects to ensure
the connection between the managed firewalls and Panorama remains intact
before re-pushing the configuration.
Complete Content Update When Panorama HA Peer is Down
When Panorama is configured for High Availability (HA), it balances content update jobs between the HA peers to lessen the load on each Panorama when deploying updates to managed devices. If an HA peer becomes unavailable during a content update, the content update jobs for the managed devices that the down HA peer would normally push the update to fail. This affects both manually initiated and scheduled content updates. To finish the update, you must manually push the content update to those managed devices.
Step 1: Log in to the Panorama CLI and disable load balancing for content updates.
Step 2: Open the Panorama Web Interface and log in.
Step 3: Install the dynamic update by choosing Panorama > Device
Deployment > Dynamic Updates.
Step 4: Click OK after selecting the managed devices for the failed content
update.
Step 5: Verify whether the chosen managed devices received the content
update successfully.
Step 6: Log in to the Panorama CLI and re-enable load balancing for content updates:
admin> set dlsrvr distribute yes
View Task Success or Failure Status
Click the Task Manager icon in the bottom-right corner of the Panorama web interface to see whether a task succeeded or failed. To help you resolve issues, the Task Manager also shows a detailed message for each task.
Test Policy Match and Connectivity for Managed Devices
After you have successfully pushed the device group and template stack configurations to your firewalls, Log Collectors, and WF-500 appliances, test that the correct traffic matches the policy rules sent to your managed devices and that your firewalls can connect to all necessary network resources.
Troubleshoot Policy Rule Traffic Match
Follow these steps to run policy match tests for managed firewalls and validate the policy rule configuration of your managed devices, confirming that the running configuration secures your network by permitting or denying the appropriate traffic. You can also export the results to a PDF file for auditing purposes.
Step 1: Log in to the Panorama Web Interface.
Step 2: Go to Panorama > Managed Devices > Troubleshooting to
initiate a policy match test. Alternatively, you can run a policy match test
from the Policies tab.
Step 3: Provide the necessary information for the policy match test. In the
example, we are performing a Security policy match test:
Choose "Security Policy Match" from the "Select Test" drop-down menu.
Select the specific device/VSYS and designate the managed firewalls you
wish to test.
Input the Source IP address from which the traffic originated.
Specify the Destination IP address of the target device for the traffic.
Indicate the IP protocol used for the traffic.
Enter any additional relevant information for your Security policy rule
testing if required.
Step 4: Execute the Security policy match test.
Step 5: Review the results by selecting Security Policy Match Results. It
will display the policy rules that match the test criteria.
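The reversion scenario from the previous section (a pushed rule that denied the firewall's own traffic to Panorama) and the Security policy match test above, as an added Python example that is not part of this study guide or of Palo Alto Networks software: it evaluates a constructed rulebase for one flow under first-match semantics, lists the rules that match (as the match test does), and checks before a push whether the candidate rulebase still allows the firewall's management connection to Panorama on TCP 3978. Zone names, addresses and rules are constructed, and the example assumes the Panorama traffic traverses the dataplane rulebase, as in the scenario the guide describes.

```python
"""Pre-push Security policy match check (constructed example, not PAN-OS
code).  Evaluates a rulebase for one flow with first-match semantics, the
way the Security Policy Match test lists the rules matching a source IP,
destination IP and protocol, and uses that to catch the reversion scenario:
a deny rule ordered above the rule that allows the firewall's connection to
Panorama.  Rule format, zone names, addresses and sample rules are invented.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# TCP port of the Panorama <-> managed firewall management connection; assumed
# here to traverse the dataplane rulebase, as in the reversion scenario.
PANORAMA_MGMT_PORT = 3978


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    from_zones: Tuple[str, ...]   # ("any",) matches every zone
    to_zones: Tuple[str, ...]
    sources: Tuple[str, ...]      # CIDR strings, or ("any",)
    destinations: Tuple[str, ...]
    protocol: str = "any"         # "tcp", "udp", "icmp" or "any"
    ports: Tuple[int, ...] = ()   # empty tuple matches any destination port


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None


def _zone_match(zones: Tuple[str, ...], zone: str) -> bool:
    return "any" in zones or zone in zones


def _addr_match(cidrs: Tuple[str, ...], ip: str) -> bool:
    if "any" in cidrs:
        return True
    addr = ip_address(ip)
    return any(addr in ip_network(c, strict=False) for c in cidrs)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    """True when every criterion of the rule matches the flow."""
    return (_zone_match(rule.from_zones, flow.src_zone)
            and _zone_match(rule.to_zones, flow.dst_zone)
            and _addr_match(rule.sources, flow.src_ip)
            and _addr_match(rule.destinations, flow.dst_ip)
            and rule.protocol in ("any", flow.protocol)
            and (not rule.ports or flow.dst_port in rule.ports))


def matching_rules(rulebase: List[Rule], flow: Flow) -> List[Rule]:
    """Every rule that matches the flow, in rulebase order."""
    return [r for r in rulebase if rule_matches(r, flow)]


def verdict(rulebase: List[Rule], flow: Flow) -> Tuple[str, str]:
    """(action, deciding rule) under first-match semantics; with no explicit
    match the PAN-OS defaults apply: intrazone allowed, interzone denied."""
    matches = matching_rules(rulebase, flow)
    if matches:
        return matches[0].action, matches[0].name
    if flow.src_zone == flow.dst_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


def check_panorama_reachability(rulebase: List[Rule], fw_mgmt_ip: str,
                                panorama_ip: str, mgmt_zone: str,
                                panorama_zone: str) -> Tuple[bool, str]:
    """(reachable, deciding rule) for the firewall -> Panorama flow.  Run it
    on the candidate rulebase before pushing: False means the push would cut
    the firewall off from Panorama and trigger an automatic reversion."""
    flow = Flow(mgmt_zone, panorama_zone, fw_mgmt_ip, panorama_ip,
                "tcp", PANORAMA_MGMT_PORT)
    action, name = verdict(rulebase, flow)
    return action == "allow", name


# Constructed sample rulebases.  In CANDIDATE_BAD the broad deny sits above the
# Panorama allow rule, so the allow rule is shadowed for this flow.
ALLOW_PANORAMA = Rule("allow-panorama", "allow", ("mgmt",), ("dmz",),
                      ("10.0.0.0/24",), ("10.0.10.5/32",), "tcp",
                      (PANORAMA_MGMT_PORT,))
BLOCK_MGMT_EGRESS = Rule("block-mgmt-egress", "deny", ("mgmt",), ("any",),
                         ("10.0.0.0/24",), ("any",))
CANDIDATE_BAD = [BLOCK_MGMT_EGRESS, ALLOW_PANORAMA]
CANDIDATE_FIXED = [ALLOW_PANORAMA, BLOCK_MGMT_EGRESS]

if __name__ == "__main__":
    for label, rb in (("candidate", CANDIDATE_BAD), ("fixed", CANDIDATE_FIXED)):
        ok, rule = check_panorama_reachability(rb, "10.0.0.11", "10.0.10.5",
                                               "mgmt", "dmz")
        print(f"{label}: Panorama reachable={ok}, decided by {rule}")
```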
Troubleshoot Connectivity to Network Resources
Follow these steps to conduct connectivity tests for your managed firewalls
and ensure your managed devices can connect to essential network
resources. These tests help verify that the configurations pushed to your
managed devices maintain the necessary connectivity to resources such as
Log Collectors, configured External Dynamic Lists, and the Palo Alto
Networks Update Server. Additionally, you can perform routing, WildFire,
Threat Vault, ping, and traceroute connectivity tests to confirm that both
Panorama and managed devices can access external network resources vital
for your network's operation and security.
Please note that the Ping connectivity test is supported for firewalls running
PAN-OS 9.0 or a later release.
Step 1: Log in to the Panorama Web Interface.
Step 2: Navigate to Panorama > Managed Devices > Troubleshooting to
initiate a connectivity test. Alternatively, you can run connectivity tests from
the Policies tab.
Step 3: Provide the necessary information for the connectivity test. In the
example, we are conducting a Log Collector Connectivity test:
Choose Log Collector Connectivity from the Select Test drop-down
menu.
Select the specific device/VSYS and choose the managed firewalls you
want to test.
If needed, enter any additional relevant information for your
connectivity testing.
Step 4: Execute the Log Collector connectivity test.
Step 5: Review the results by selecting Log Collector Connectivity Results.
It will display the Log Collector connectivity status for the selected devices.
Restore an Expired Device Certificate
The device certificates installed on your Panorama management server,
Dedicated Log Collector, or managed firewalls have a lifespan of 90 days.
These devices are programmed to automatically attempt certificate
reinstallation 15 days before the certificate's expiration date. However, you
can manually reinstall the device certificate should automatic reinstallation
fail.
Here's how to proceed:
Step 1: Go to the Panorama Web Interface and log in.
Step 2: Review the device certificate status for Panorama, Dedicated Log
Collectors, and managed firewalls.
For Panorama, navigate to Panorama > Setup > Management.
Examine the Current Device Certificate Status within the Device
Certificate Section. If the status displays Expired, action is required.
For the Dedicated Log Collector, access the CLI and enter the relevant
command to view its device certificate status. If it shows Expired,
manual reinstallation is necessary.
To review the managed firewall device certificate status, go to
Panorama > Managed Firewalls > Summary and filter for expired
certificates. You will see the Expired status in the "Device Certificate"
column.
Step 3: Perform the required steps to reinstall the expired device certificate
on Panorama, Dedicated Log Collectors, or managed firewalls.
Downgrade from Panorama 9.1
PAN-OS 9.1 introduces features such as automatic configuration reversion
and SD-WAN firewall support. However, these features are incompatible
with Panorama running PAN-OS 9.0 or earlier releases. Follow this
workflow to downgrade firewalls, Log Collectors, and Panorama from PAN-
OS 9.1 to an earlier feature release. This procedure is applicable for both
Panorama managing local Log Collectors and Panorama managing
Dedicated Log Collectors.
EXAM TIP: Review the Palo Alto Networks Compatibility Matrix
to ensure that the firewalls and appliances you intend to downgrade are
compatible with the PAN-OS release to which you plan to downgrade. Be
aware that some devices, like PA-220, PA-800 Series, PA-5200 Series, and
certain VM-Series firewalls, are not supported on releases earlier than
PAN-OS 8.0.
Here are the steps to perform the downgrade:
Step 1: Save a backup of the configuration files for Panorama and managed
devices.
Export Panorama and device configuration snapshots (Panorama >
Setup > Operations).
Keep these .tgz backup files in an external location for recovery if any
issues arise during the downgrade process.
Step 2: Downgrade each firewall currently running PAN-OS 9.1.
By selecting Panorama > Device Deployment > Software, you can
check for the available images.
If downgrading multiple firewalls, ensure you downloaded the specific
PAN-OS 9.0 image for each model.
For Non-HA Firewalls:
Install the appropriate PAN-OS 9.0 version by selecting the firewalls you
want to downgrade, enabling Reboot device after installation, and clicking
OK.
For Active/Active HA Firewalls:
Proceed by clicking the Install button, then uncheck the Group HA
Peers option. Choose one of the HA peers and enable the Reboot
device after install option, then confirm by clicking OK. Allow the
firewall to complete its reboot before moving on.
Afterward, click Install again, uncheck Group HA Peers, select the
HA peer you have not updated in the previous step, enable "Reboot
device after install," and confirm by clicking OK. Before proceeding,
please wait for the firewall to complete its reboot.
For Active/Passive HA Firewalls:
In this scenario, where we have an active firewall named fw1 and a passive
firewall named fw2, follow these steps:
Install the necessary update from the Action column. Then, uncheck
the Group HA Peers option. Select fw2, enable the Reboot device after
installation, and confirm by clicking OK. Allow fw2 to complete its
reboot.
Once fw2 has finished rebooting, open the Dashboard > High Availability widget on fw1 and verify that fw1 is still the active peer (local firewall state active) and that fw2 is still the passive peer.
Access fw1 and execute the Suspend local device command through
Device > High Availability > Operational Commands.
Now, on fw2, navigate to the Dashboard > High Availability section
and confirm that the local firewall state remains active while the peer
firewall, fw1, is suspended.
Within Panorama, go to Panorama > Device Deployment >
Software. Install the required update from the Action column. Disable
Group HA Peers, select fw1, enable the Reboot device after
installation, and confirm by clicking OK. Wait for fw1 to finish its
reboot.
Once again, access fw1's Dashboard > High Availability widget and
verify that the local firewall state has switched to passive and fw2 is
now the active peer.
If preemption is enabled in the Election settings (Device > High
Availability > General), fw1 will regain its status as the active peer
after the reboot.
Now, let's summarize the steps for downgrading Log Collectors running
Panorama 9.1 and then downgrading Panorama itself:
Step 3: For Log Collectors:
Check for available images by going to Panorama > Device
Deployment > Software.
Find the Panorama 9.0 image and download it if it is not already
downloaded (Action column).
Once the download is complete, install the 9.0 image on each Log Collector running Panorama 9.1. Enable the Reboot device after install option so that each Log Collector reboots automatically after installation.
Step 4: For Panorama:
Again, check for available images in Panorama > Device
Deployment > Software.
Locate the Panorama 9.0 image and download it if it has not been
downloaded.
After downloading, install the 9.0 image on Panorama.
Reboot Panorama using one of the following methods:
If prompted to reboot, click Yes. Press Enter without entering a
username or password if you encounter a CMS Login prompt. Once
the Panorama login prompt appears, use the username and password
set during the initial configuration.
If there is no prompt to reboot, go to Panorama > Setup >
Operations and click Reboot Panorama (Device Operations).
Step 5: Migrate Panorama logs to the PAN-OS 9.0 log format.
Before starting the migration, check the incoming logging rate; it is best to start the log migration when the incoming log rate is low. You can assess the rate by executing the following command from the Log Collector CLI:
admin@FC-M500-1> debug log-collector log-collection-stats show incoming-logs
EXAM TIP: During log migration, expect high CPU utilization, potentially close to 100%. This is normal, and operations continue to function normally: the migration process is designed to give priority to incoming logs and other critical processes when resources are contended.
To start log migration for each Log Collector and revert to the previous log
format, execute the following command from the CLI of each Log Collector:
admin@FC-M500-1> request logdb migrate lc serial-number <ser_num> start
You can check the log migration status to monitor the progress of log
migration and estimate the time required to complete the migration of all
existing logs to the previous format.
admin@FC-M500-1> request logdb migrate lc serial-number <ser_num> status
Slot: all
Migration State: In Progress
Percent Complete: 0.04
Estimated Time Remaining: 451 hour(s) 47 min(s)
Mind Map
Figure 11-05: Mind Map
Practice Questions
1. What is a recommended troubleshooting step when conducting a ping
test from a Palo Alto firewall to the peer’s IP address is not feasible due
to security requirements?
A. Monitor responses to main/aggressive mode messages in system logs.
B. Review the ikemgr logs for Dead Peer Detection (DPD) messages.
C. Check the firewall’s NAT settings.
D. Reset the peer’s device to factory defaults.
2. What is the purpose of a cleanup rule in a network security setup?
A. To define traffic that matches specific rules.
B. To decide what to do with traffic that does not match any specific
rules.
C. To prioritize incoming traffic over outgoing traffic.
D. To monitor network performance and generate traffic reports.
3. In the context of setting up a VPN tunnel between Palo Alto Networks
firewalls and devices from different vendors, when is it necessary to
configure a proxy-ID?
A. Proxy-ID configuration is always required for VPN tunnels between
different vendors.
B. Proxy-ID configuration is never required when using Palo Alto
Networks firewalls.
C. Proxy-ID configuration is only required when using devices from
different vendors.
D. Proxy-ID configuration is optional and does not depend on the vendor
of the other device.
4. How can you view the contents of a capture file using the command
line interface (CLI) in a Palo Alto firewall?
A. Execute the export-pcap mgmt-pcap mgmt.pcap command.
B. Execute the import-pcap mgmt-pcap mgmt.pcap command.
C. Execute the analyze-pcap mgmt-pcap mgmt.pcap command.
D. Execute the view-pcap mgmt-pcap mgmt.pcap command.
5. Which aspect of network security do troubleshooting tools for TLS
(secure web) traffic primarily assist with?
A. Troubleshooting network connectivity issues.
B. Monitoring network bandwidth and usage.
C. Identifying weak security methods used by web traffic.
D. Managing firewall rule configurations.
6. Which of the following describes the primary function of the ACC -
SSL Activity tools in PAN-OS 10.0?
A. Monitoring overall network traffic.
B. Providing detailed statistics on network latency.
C. Analyzing the security and performance of SSL/TLS connections.
D. Managing firewall rules and access control.
7. How can custom report templates in Palo Alto Networks firewall help
summarize decryption activity?
A. By providing an in-depth analysis of network latency.
B. By giving a breakdown of intrusion detection statistics.
C. By offering insights into SSL/TLS encryption methods.
D. By creating customized reports on decryption activity.
8. What is the recommended initial step to troubleshoot decryption
issues in Palo Alto Networks firewalls?
A. Analyze network latency metrics.
B. Examine intrusion detection statistics.
C. Utilize ACC widgets to identify problematic traffic.
D. Create custom report templates to diagnose the problem.
9. What is the result when downgrading from PAN-OS 10.0 or later to
PAN-OS 9.1 or earlier in terms of decryption-related features and
settings?
A. Decryption-related features and settings are retained without any
changes.
B. Decryption Log, SSL Activity widgets, and custom report Decryption
templates are removed from the UI.
C. The Local Decryption Exclusion Cache becomes accessible through
the web interface.
D. Decryption settings are enhanced with additional options.
10. In a scenario where your Palo Alto firewall is not forwarding traffic
correctly due to suspected routing issues, which command should you
use to ensure the firewall has the most up-to-date routing information?
A. show running-config
B. commit force
C. verify routing
D. diagnose routing
11. In a scenario where your Palo Alto firewall is not forwarding traffic
as expected due to a suspected issue with the default route, which
command should you use to verify and potentially correct the default
route configuration?
A. show route
B. diagnose routing
C. check default-route
D. reset firewall
12. What is a common problem caused by routing loops, as explained in
the context of network routing?
A. Improved network performance
B. Reduced packet loss
C. Network instability
D. Faster data transmission
13. When examining interface counters, what does the count of dropped
packets indicate in network analysis?
A. Efficient data transmission
B. High data reception
C. Successful data delivery
D. Data loss or delivery issues
14. What command can you use to inspect session information on the
firewall, and why is monitoring session table size important for security?
A. show system info | match table; It helps identify the source of the
attack.
B. show session info | match table; It reveals potential issues when
attackers exploit open IPs and ports.
C. display firewall sessions; It helps track legitimate traffic only.
D. analyze session logs; It identifies configuration errors in the firewall.
15. What is the purpose of using the nslookup tool in the context of
setting up GlobalProtect, and when should you use it?
A. To install the GlobalProtect client on your computer.
B. To ensure your computer is connected to the internet.
C. To verify that the computer can resolve the FQDNs for the portal and
gateway.
D. To check for software updates on your computer.
Answers
Chapter 02: Palo Alto Networks Components
1. Answer: D
Explanation: Network Address Translation (NAT) is a firewall feature that
allows you to translate the IP addresses in your network to public IP
addresses. It can be useful for hiding your internal network from the
internet or conserving IP addresses. NAT does not require decryption of
traffic, so it is the only firewall feature in the list that does not necessitate
the use of a decryption policy.
2. Answer: D
Explanation: When a web browser visits a website, it first checks its
certificate to ensure it is from a trusted CA. The browser will display a
warning message if the CA is not trusted. The NGFW can notify web
browsers of untrusted certificates using two certificate authority
certificates.
3. Answer: A and D
Explanation: The Decryption Broker is a Palo Alto Networks product that
can decrypt traffic and log the decrypted traffic. The Decryption Broker can
also send the decrypted traffic to other security devices, such as intrusion
detection systems.
The Decryption Port Mirroring feature allows you to mirror decrypted
traffic to a remote server for logging or analysis.
4. Answer: C
Explanation: The Palo Alto Networks Next-Generation Firewall can
restrict access to a corporate z/OS (MVS) mainframe using various security
features, such as application control, user authentication, and intrusion
prevention. Advanced Endpoint Protection can be used to protect the
endpoints that are accessing the mainframe from malware and other threats.
5. Answer: D
Explanation: A Tunnel interface is a special interface used to create a
virtual tunnel between two devices. This tunnel can transmit data over a
network that would otherwise be inaccessible. Tunnel interfaces are
typically used to create VPNs (Virtual Private Networks).
6. Answer: A
Explanation: MineMeld is a Palo Alto Networks product designed to
normalize threat intelligence feeds and potentially facilitate automated
responses. MineMeld can collect threat intelligence feeds from various
sources and then normalize the feeds into a common format. MineMeld can
also be used to create custom threat intelligence feeds that can be used by
other Palo Alto Networks products.
7. Answer: D
Explanation: A Layer 2 interface is a network interface that operates at the
data link layer of the OSI model. It transmits and receives frames between
devices on the same network segment. Layer 2 interfaces are typically used
to connect switches, hubs, and other Layer 2 devices.
8. Answer: A and B
Explanation: The Palo Alto Networks Logging Service can receive
logging data from various Palo Alto Networks products, including Traps
and Next-Generation Firewalls. The Logging Service can then store and
analyze the logging data to identify security threats and trends.
9. Answer: B
Explanation: A Layer 3 interface is a network interface that operates at the
network layer of the OSI model. It means that it is responsible for routing
packets between different networks. Layer 3 interfaces are typically used to
connect routers, firewalls, and other Layer 3 devices.
10. Answer: C
Explanation: Traps is a Palo Alto Networks product that safeguards
endpoints from successful cyberattacks. Traps uses various security features
like machine learning and behavioral analysis to detect and prevent
malware and other threats from infecting endpoints.
11. Answer: A
Explanation: SSL decryption decrypts SSL/TLS traffic so that a security
device can inspect it. There are two main types of SSL decryption:
SSL Forward Proxy
SSL Inbound Inspection
12. Answer: A
Explanation: MineMeld is a Palo Alto Networks product designed to
normalize threat intelligence feeds and potentially facilitate automated
responses. MineMeld can collect threat intelligence feeds from various
sources and then normalize the feeds into a common format. MineMeld can
also be used to create custom threat intelligence feeds that can be used by
other Palo Alto Networks products.
13. Answer: D
Explanation: Decryption on a Palo Alto Networks firewall provides more
visibility into packet content, enforces security policies on encrypted
traffic, and prevents malicious content from entering the network.
14. Answer: B
Explanation: Traps is a Palo Alto Networks product that provides
advanced endpoint protection against various threats, including malware,
ransomware, and zero-day exploits. Traps detects and prevents threats using
various techniques, including behavior analysis, machine learning, and
sandboxing.
15. Answer: A
Explanation: A Decryption Broker is a Palo Alto Networks firewall
feature that allows you to decrypt traffic and then pass it to external
security services for further inspection.
Chapter 03: User Identification and Authentication
1. Answer: B
Explanation: User-ID maps users to their IP addresses so that the firewall
can identify and apply the appropriate security policies to each user.
2. Answer: B
Explanation: User-ID uses the Lightweight Directory Access Protocol
(LDAP) to map user identities and groups. LDAP is a standard protocol for
accessing and managing directory information.
3. Answer: A
Explanation: The firewall uses XML to communicate with external
sources of User-ID-to-IP-address mapping tables. XML is a standard
format for exchanging data between different systems.
4. Answer: D
Explanation: User-ID Agents must be configured on the firewall before
accessing User-ID-to-IP-address mapping tables from external sources.
User-ID Agents are responsible for collecting user data and submitting it to
the firewall.
5. Answer: B
Explanation: The Panorama Log Collector can access User-ID-to-IP-
address mapping tables from Palo Alto Networks firewalls and other
sources. It allows the Panorama Log Collector to provide centralized
logging and reporting for all User-ID data.
6. Answer: C
Explanation: The Authentication Sequence connects the Captive Portal
method to an Authentication profile. The Authentication Sequence defines
the order in which authentication methods are used during multi-factor
authentication.
7. Answer: D, E, F, and G
Explanation: The following four firewall server profiles can be used for
first-factor authentication in multi-factor authentication configurations:
Kerberos
RADIUS
SAML
LDAP
8. Answer: A and C
Explanation: Multi-factor authentication has the dual purpose of reducing
the value of stolen passwords and reducing and preventing password
sharing. By requiring users to provide two or more authentication factors,
multi-factor authentication makes it much more difficult for attackers to
gain unauthorized access to systems and data.
9. Answer: D
Explanation: The NGFW does not support the S/Key MFA factor. S/Key is
a hardware-based MFA token that uses a One-Time Password (OTP) to
authenticate users.
10. Answer: B and E
Explanation: Captive Portal has two modes:
Transparent mode: In transparent mode, the firewall intercepts all
traffic and redirects it to the Captive Portal page.
Redirect mode: In redirect mode, the firewall redirects only specific
traffic to the Captive Portal page.
11. Answer: B
Explanation: NTLM settings are not required when configuring multi-
factor authentication with a SAML. SAML is a standard protocol for
exchanging authentication and authorization data between different
systems.
12. Answer: B
Explanation: The logging function on a PA-7000 Series firewall operates
on a dedicated, separate card. It helps to improve the firewall's performance
and ensure that logging data is not lost in the event of a failure.
13. Answer: D
Explanation: The logging function is housed within the management plane
of the firewall. The management plane is responsible for configuring and
managing the firewall.
14. Answer: A
Explanation: FPGAs are typically only used in higher-end NGFW models
because they are more expensive and complex than traditional CPUs.
However, the performance benefits of FPGAs can make them a worthwhile
investment for organizations that must protect their networks from high-
volume and sophisticated attacks.
15. Answer: A
Explanation: GlobalProtect is a secure remote access solution that
provides users access to applications and resources on the corporate
network from anywhere in the world. To use GlobalProtect for User-ID
mapping, users must install the GlobalProtect client on their mobile device.
Chapter 04: Multi-vsys Environment
1. Answer: C
Explanation: Multi-vsys environments are introduced to address the
challenge of diverse network security requirements within an organization.
They allow network administrators to create multiple independent virtual
firewalls within a single physical firewall, each with its configurations,
security policies, and network settings. This enables different departments or
business units to have distinct security policies and resource needs without
compromising the organization's security posture.
2. Answer: D
Explanation: Device Groups are the core concept that allows administrators
to manage and control the configuration of multiple firewall devices as a
single entity within Multi-vsys environments, simplifying the rolling out of
consistent configurations.
3. Answer: B
Explanation: Isolation in Multi-vsys environments is essential to prevent
policy conflicts and potential security breaches when different entities share
the same physical firewall.
4. Answer: C
Explanation: Multi-vsys environments are often used by service providers to
offer secure, partitioned network services to multiple tenants or customers
from a single hardware device.
5. Answer: A
Explanation: User-ID enhances visibility into application usage, providing
more relevant insights into network activity, detecting unfamiliar
applications, and enabling detailed monitoring of application traffic and
associated threats.
6. Answer: C
Explanation: The firewall acquires Group Mapping data for User-ID
through two primary methods: direct connectivity with the LDAP directory
server or integration via XML API with the directory server. This data is
crucial for establishing policy rules based on users and groups.
7. Answer: D
Explanation: The primary purpose of inter-vsys routing is to securely
enable communication between specified subnets within different virtual
systems without the need for physical connections. It establishes routing
measures to guide traffic between virtual systems.
8. Answer: C
Explanation: The "External" category and zone create a network-like
structure that facilitates communication among virtual systems, facilitating
traffic exchange and connectivity.
9. Answer: C
Explanation: It is necessary to set up each Virtual Router with routes
tailored for the corresponding remote subnets, specifying the next hop as the
virtual router within the virtual system to guide traffic between virtual
systems in inter-vsys routing. This routing configuration enables the flow of
traffic between virtual systems.
10. Answer: (A) To optimize traffic flow, enhance security, enable load
balancing, and isolate traffic.
Explanation: Service routes in a Multi-vsys environment have multiple
significances, including optimizing traffic flow, enhancing security, enabling
load balancing, and isolating traffic to ensure data packets are delivered
accurately and securely.
11. Answer: B
Explanation: Service routes can be configured by defining specific criteria
based on attributes like source IP, destination IP, port numbers, and protocol
to optimize traffic flow between virtual systems hosting web services.
12. Answer: D
Explanation: Service routes are beneficial for load balancing in a Multi-
vsys environment when multiple virtual systems offer the same service.
They evenly distribute incoming traffic across these systems, ensuring high
availability and optimized resource utilization.
13. Answer: C
Explanation: RBAC allows administrators to define roles and assign
specific privileges to each role, streamlining user access control by granting
appropriate access to individuals based on their responsibilities.
14. Answer: C
Explanation: Device groups facilitate policy deployment, enabling
administrators to apply a single policy configuration to multiple physical
devices or virtual systems, ensuring consistent policy deployment across the
Multi-vsys environment.
15. Answer: C
Explanation: Regular backups and disaster recovery plans are essential to
protect against data loss and maintain operational continuity in Multi-vsys
environments, ensuring that critical data can be restored in case of system
failures or data corruption.
Chapter 05: Management and Profiles
1. Answer: D
Explanation: In a firewall policy rule, the allow action signifies that
Security profiles are relevant. When a rule is set to "allow," the associated
Security profiles (like Antivirus, anti-spyware, URL filtering, etc.) are
applied to the traffic to ensure it complies with the defined security policies.
2. Answer: B
Explanation: WildFire's assessment does not quarantine files by default.
Files are not isolated or restricted, while WildFire checks if they are
malicious or legitimate. They can flow through the network without
interference, and the WildFire analysis results determine their status.
3. Answer: D
Explanation: URL Filtering is a feature of Next-Generation Firewalls
(NGFW) that allows organizations to control web access by blocking
websites considered inappropriate or unrelated to business activities. It
provides web security by filtering URLs and enforcing web usage policies.
4. Answer: D
Explanation: The Continue action for credential-phishing prevention
allows users to choose credential submission. It prompts users when they
attempt to submit credentials to a potentially risky site, giving them the
option to proceed or cancel the submission.
5. Answer: C
Explanation: In scenarios where multiple users share the same client IP
address due to dynamic address translation, the Domain credential filter
method effectively detects user credentials. It can identify users based on
their domain credentials, even if they share the same IP address.
6. Answer: B
Explanation: The Domain credential filter method must be used to enable
credential phishing prevention that actively blocks user attempts to enter
organizational user IDs and passwords. This method can specifically target
and prevent such actions.
7. Answer: D
Explanation: The Data Filtering profile is used for Data Loss Prevention
(DLP) based on file content. It allows organizations to monitor and control
sensitive or confidential data transfer by inspecting file content and applying
policies to prevent data leaks.
8. Answer: A
Explanation: The Anti-Spyware profile can monitor DNS resolution
lookups associated with threat activity. It helps identify and block suspicious
or malicious domains related to spyware or other threats.
9. Answer: F
Explanation: The WildFire Analysis profile is used for file analysis,
particularly to detect zero-day malware. It leverages cloud-based analysis to
identify and prevent emerging threats that traditional antivirus signatures
may not recognize.
10. Answer: F
Explanation: The WildFire Analysis profile can be used to scrutinize
network traffic to enforce appropriate browsing policies. It helps
organizations ensure that web usage complies with their defined policies.
11. Answer: D
Explanation: The URL Filtering profile is activated to detect and prevent
the transfer of executable files through the firewall. It enforces controls over
web access and can block the downloading or transfer of potentially harmful
executable files.
12. Answer: E
Explanation: The File Blocking profile should be employed to identify and
prevent the transmission of executable files through the firewall. It allows
organizations to block specific file types, including executables, to enhance
security.
13. Answer: C
Explanation: The initial configuration recommended by Palo Alto
Networks for a firewall with factory default settings is configuring the
management network port. It is essential for establishing remote
management and control of the firewall.
14. Answer: D
Explanation: Anti-Spyware Profiles are designed to prevent spyware-
infected hosts from connecting to external Command and Control (C2)
servers. These profiles help detect and block malicious traffic associated
with spyware activities. By configuring Anti-Spyware Profiles, you can
intensify inspections for traffic originating from untrusted zones, such as the
internet, to protect your network against spyware-related threats.
15. Answer: B
Explanation: When a Data Filtering Profile detects a sensitive data breach
in network traffic, it typically generates an alert to inform administrators
about the incident. However, it continues to allow the traffic to pass through.
This approach is often used to provide visibility into potential data breaches
without disrupting the flow of legitimate traffic.
Chapter 06: Firewall Configuration
1. Answer: B
Explanation: A firewall will check for the presence of a bootstrap volume
each time it boots from a factory default state. The bootstrap volume
configures the firewall with its initial configuration and licenses.
2. Answer: A
Explanation: The required dynamic update file for the bootstrap process is
in the /content directory of the bootstrap volume. This file updates the
firewall's PAN-OS software to the latest version.
3. Answer: B, C, and D
Explanation: The three configuration pieces that must be addressed to
configure multi-factor authentication for users accessing services through
the firewall are:
Captive Portal: The Captive Portal is used to authenticate users to the
firewall.
Authentication Enforcement Profile: The Authentication Enforcement
Profile defines which authentication methods users need to access
different services.
Authentication Profile: The Authentication Profile defines the
authentication methods that can be used to authenticate users to the
firewall.
4. Answer: D
Explanation: Active/passive HA is not supported in DHCP client mode.
The active firewall must be able to manage the DHCP client configuration,
which is not possible if the firewall is in passive mode.
5. Answer: B
Explanation: Server profiles are used to configure access to external
authentication services. Server profiles define the external authentication
service's connection information and authentication settings.
6. Answer: D
Explanation: All of the above are key differences between active/passive
and active/active HA. Active/passive HA supports Layer 2 deployments,
while active/active HA does not. Active/active HA requires more complex
network design and configuration, but it provides faster failover and can
handle peak traffic flows better.
7. Answer: B and D
Explanation: The two firewall functions that are reserved only for
administrators assigned the superuser dynamic role are:
Managing firewall admin accounts
Creating virtual systems within a firewall
8. Answer: D
Explanation: In active/active HA mode, both firewalls in the pair are
active, process traffic, and work synchronously to handle session setup and
session ownership. This means both firewalls know all active sessions and
can take over seamlessly if the other firewall fails.
9. Answer: D
Explanation: Active/active HA provides faster failover and can handle
peak traffic flows better than active/passive HA. Both firewalls are actively
processing traffic, so waiting for a failover is unnecessary before traffic can
start flowing again.
10. Answer: B
Explanation: ZTP stands for Zero-Touch Provisioning. This process allows
Palo Alto Networks firewalls to automatically configure themselves with the
correct settings, without manual intervention.
11. Answer: B
Explanation: The bootstrap package allows Palo Alto Networks firewalls to
automatically configure themselves during the first boot. The bootstrap
package is a file that contains the necessary configuration settings, licenses,
and software updates.
12. Answer: B
Explanation: The primary purpose of bootstrapping for Palo Alto Networks
firewalls is to automatically configure the firewall with the correct settings
during the first boot. This can save time and effort, especially when
deploying multiple firewalls.
13. Answer: C
Explanation: The bootstrap package is used to create a package with the
model configuration for a network in VM-Series bootstrapping. The
bootstrap package can be created using Panorama or the CLI.
14. Answer: C
Explanation: The primary purpose of a Certificate Authority (CA) is to
issue certificates. A CA is a trusted third party that verifies the identity of a
website or server before issuing a certificate.
15. Answer: D
Explanation: The passive firewall transitions to the active state when the
active firewall fails. A hardware failure, software failure, or network failure
can cause this.
Chapter 07: Routing and NAT
1. Answer: B
Explanation: Virtual routers within a firewall are responsible for Layer 3
routing. They determine the best traffic routes to different subnets and
populate the Forwarding Information Base (FIB) to forward packets
accordingly.
2. Answer: B
Explanation: The Advanced Route Engine exclusively supports BGP and
static routes and allows for a single virtual router instance. This contrasts
with the Legacy Route Engine, which supports multiple dynamic routing
protocols and multiple virtual routing instances.
3. Answer: D
Explanation: ECMP routing enables the firewall to include multiple equal-
cost routes to a destination in its forwarding table. This allows for dynamic
traffic shifting to an alternative route in case of a link failure, reducing
downtime and enhancing network reliability.
4. Answer: D
Explanation: NAT policy rules in a firewall specify how internal IP
addresses are translated when communicating with the public internet. They
consider source and destination zones, addresses, and application services,
allowing for Network Address Translation (NAT) to keep internal IP
addresses hidden from the public internet.
5. Answer: C
Explanation: In a Security policy rulebase, rules are evaluated sequentially
from the top to the bottom. The first rule that aligns with the incoming
traffic's conditions takes precedence, and no further matching is conducted
within the rulebase after a match is found.
6. Answer: A
Explanation: U-Turn NAT ensures that traffic is translated in both
directions, addressing issues related to asymmetry in network traffic. It helps
maintain consistency and avoid problems where return traffic doesn't reach
the expected destination due to translation discrepancies.
7. Answer: C
Explanation: The tunnel interface encapsulates and transmits data between
VPN endpoints. It acts as a virtual interface to transmit data securely between
two endpoints in a VPN setup.
8. Answer: C
Explanation: An IP address is required on a tunnel interface when enabling
tunnel monitoring or implementing a dynamic routing protocol to direct
traffic across the VPN tunnel. The tunnel IP address is the next-hop IP
address for routing traffic through the VPN tunnel.
9. Answer: B
Explanation: To ensure proper sequence and matching with a peer using
policy-based VPN, proxy IDs should first be configured with more general
IDs, followed by more specific ones. This arrangement aligns with the
principles of string sorting and ensures that the most specific proxy IDs take
precedence over more general ones when matching traffic.
10. Answer: A
Explanation: The "Next VR" option allows you to route traffic internally to
a different virtual router within the same virtual system. This can be useful
when you have multiple virtual routers and want to direct traffic to a specific
virtual router.
11. Answer: B
Explanation: The "Destination" service routes are used to implement
custom routing configurations for services that are not included in the
predefined list of supported services. These routes allow you to define
routing settings that take precedence over the entries in the Forwarding
Information Base (FIB) route table, regardless of their association with any
specific service.
12. Answer: C
Explanation: To ensure that a virtual system adopts global service settings
and service route configurations for a particular service, you can assign the
same email server (or other relevant service settings) to all virtual systems.
This way, they will all share the same service settings and configurations.
13. Answer: C
Explanation: QoS profiles in Palo Alto Networks' QoS system are primarily
used to manage congestion and random packet drops. These profiles define
the order of importance assigned to specific traffic when the interface
experiences congestion, and they control how packets are dropped as traffic
priority decreases.
14. Answer: C
Explanation: Differentiated Services Code Point (DSCP) is used in QoS to
request optimal delivery for network traffic, including characteristics like
minimal loss, low latency, and assured bandwidth. Different DSCP markings
represent different service levels, with some indicating higher-priority
treatment for traffic.
15. Answer: D
Explanation: QoS can ensure high-quality voice and video transmissions by
assigning high-priority status to voice and video traffic, which helps prevent
these packets from being discarded, delayed, or delivered inconsistently,
particularly with respect to latency and jitter.
Chapter 08: Deploy and Configure Features and Subscriptions
1. Answer: C
Explanation: Decryption policies on a Palo Alto Networks firewall are used
to automatically identify encrypted traffic and define how it should be
decrypted based on the specified decryption action in the policy rule.
2. Answer: D
Explanation: SSL Forward Proxy decryption on a Palo Alto Networks
firewall is used to establish the firewall as a trusted intermediary (proxy) for
SSL communication between the client and the server.
3. Answer: A
Explanation: The two categories of decryption exclusions are predefined
and custom exclusions. Predefined exclusions are managed by Palo Alto
Networks and include applications and services that may encounter issues
with firewall decryption. Custom exclusions can be created to exempt
specific server-related traffic from decryption.
4. Answer: A
Explanation: SSH decryption on a Palo Alto Networks firewall can be
carried out on Virtual wire, Layer 2, and Layer 3 interfaces because these
types of interfaces allow the firewall to inspect and decrypt traffic passing
through them. SSH decryption involves decrypting Secure Shell (SSH)
encrypted traffic to inspect its content for security purposes. Virtual wire,
Layer 2, and Layer 3 interfaces provide the necessary visibility into the
traffic to perform decryption and analysis.
5. Answer: C
Explanation: User-ID agents actively monitor various data sources,
including directory servers, to establish associations between usernames and
IP addresses. They then transmit these user mappings to devices like
firewalls, Log Collectors, or Panorama.
6. Answer: B
Explanation: An agentless User-ID approach is typically used in smaller to
medium-sized deployments with 10 or fewer domain controllers or Exchange
servers, with a maximum limit of 255 devices.
7. Answer: B
Explanation: The recommended best practice for group mapping in an
Active Directory environment with multiple domains or forests is to create a
separate group mapping configuration for each domain or forest. This
approach allows for more granular control and accurate mapping of user
groups within each domain or forest.
8. Answer: C
Explanation: Dynamic User Groups (DUGs) automatically update based on
tagged usernames, allowing for dynamic membership without manual policy
adjustments.
9. Answer: B
Explanation: User-ID methods are used to associate IP addresses with
corresponding usernames, allowing the firewall to identify the user
associated with an IP address for policy enforcement.
10. Answer: C
Explanation: WildFire Analysis is used to send files and URLs for analysis
to identify and detect previously unidentified malware.
11. Answer: C
Explanation: The latest WildFire signatures are made available globally
every five minutes for firewalls with an active WildFire license.
12. Answer: C
Explanation: The WildFire Submissions log serves as an audit trail for
monitoring events when a firewall forwards samples (files and email links)
to the WildFire cloud for analysis.
13. Answer: D
Explanation: WildFire determines the verdict for a submitted sample based
on the attributes, behaviors, and actions exhibited during the analysis and
execution within the WildFire sandbox.
14. Answer: B
Explanation: WildFire Action settings within the Antivirus profile can
impact network traffic, especially when triggering a WildFire signature that
leads to a reset or drop action, potentially affecting network performance.
15. Answer: A
Explanation: To deploy the web proxy feature in PAN-OS 11.0, you would
need an Explicit Proxy license. This license is required to enable and use the
explicit proxy functionality, allowing the firewall to act as a proxy for web
traffic.
Chapter 09: Deploy and Configure Firewalls Using Panorama
1. Answer: B
Explanation: Firewalls in the same device group can share common policies
and settings, while different template stacks can accommodate different
firewall models and configurations.
2. Answer: C
Explanation: Firewall configuration files are stored in XML format. XML is
a markup language that is used to store and exchange data. It is a flexible and
extensible format that can represent various data structures.
3. Answer: A
Explanation: When Panorama pushes a template stack to managed firewalls,
the settings from the top template are applied first. If a setting is defined in
multiple templates in the stack, the value from the top template will be used.
4. Answer: A
Explanation: The maximum number of templates combined in a template
stack is 8.
5. Answer: C
Explanation: Panorama's automatic commit recovery feature is designed to
conduct connectivity tests after applying configuration changes from
Panorama or local commits on the firewall. The primary purpose is to verify
that the new changes do not disrupt the connection between Panorama and
the managed firewall. If disruptions are detected, the firewall automatically
declares the commit a failure, and the configuration is reverted to the
previous running state. This helps maintain consistent communication and
ensures that the firewall remains stable even after configuration changes.
6. Answer: D
Explanation: You can override a template value in a stack by defining
values locally on the firewall, defining firewall-specific variables, or defining
values or variables on the template stack.
7. Answer: C
Explanation: Template stack variables replace IP addresses, group IDs, and
interfaces in configurations. This can be useful for reducing the total number
of templates and template stacks required to manage a network of firewalls.
8. Answer: D
Explanation: The maximum number of levels in a device group hierarchy is
4. This means you can create a hierarchy of device groups with up to four
levels.
9. Answer: D
Explanation: The impact of configuring a primary device in Panorama is
significant, and it is important to understand the implications before doing so.
It is important to store the master key in a safe and secure location and to use
the same master key on both HA peers if you are using Panorama HA.
10. Answer: A
Explanation: To restore the previous configuration when a new
configuration committed on a firewall has undesirable consequences, you can
use the load configuration version command to load the previous
configuration version and then follow with a commit.
11. Answer: C
Explanation: Pre-rules are evaluated before all other rules, so any rules
placed in the pre-rules section will be evaluated first. This means that
pre-rules can be used to override locally entered rules.
12. Answer: C
Explanation: The two commit type options in Panorama, Commit to
Panorama and Commit and Push, give you flexibility in managing your
Panorama configuration. You can use the Commit to Panorama option to
save changes that are not yet ready for deployment, and you can use the
Commit and Push option to commit changes to Panorama and deploy them to
the network devices.
13. Answer: C
Explanation: The validation process performed by Panorama before a
commit action takes place is significant because it helps to detect and rectify
errors before the commit action takes place. It also ensures that the current
configuration is not altered.
14. Answer: C
Explanation: The purpose of the Panorama Software Firewall License
plugin is to streamline the licensing of VM-Series firewalls when they
connect to Panorama and to simplify the process of activating and
deactivating licenses for VM-Series firewalls.
15. Answer: A
Explanation: Policy rules are evaluated in the following order:
Shared policies
Device group policies
Local policies
This means that shared policies will be evaluated first, then device group
policies, and finally, local policies.
Chapter 10: Manage and Operate
1. Answer: B
Explanation: Log events can assign dynamic tags to source and destination
addresses. This allows you to dynamically create groups of objects based on
their behavior, which can be useful for creating security policies or reports.
2. Answer: A
Explanation: The Device > Setup > Management page allows you to
configure expiration periods and storage quotas for logs of all types
generated and stored locally by the firewall. It is important to manage the
amount of disk space used by logs and remove old logs to prevent the
firewall from running out of disk space.
3. Answer: C
Explanation: To block traffic using dynamically tagged objects, you can
assign the object to a Dynamic Address Group object and then add the
Dynamic Address Group object to the destination address matching
condition of a Security policy rule. This will block all traffic to the Dynamic
Address Group object, which can be used to block traffic to dynamically
tagged objects.
4. Answer: A
Explanation: Cortex Data Lake is a Palo Alto Networks cloud-based
solution that can serve as a central repository for forwarded logs from
multiple Palo Alto Networks devices. It allows you to centralize log
management and analysis and to create custom reports and dashboards.
5. Answer: D
Explanation: Option D is the correct answer.
Tags can be used to automate actions: By associating tags with
specific log events, you can trigger automated responses based on
predefined rules. For example, a tag indicating a security threat could
trigger an alert or isolation of the affected system.
Tags can be used to filter log events more easily: Tags act as labels
that categorize logs based on specific criteria. This allows you to
quickly filter and analyze relevant events within the massive volume
of log data, saving time and effort.
Tags can be used to create custom log reports: Tags enable you to
group and aggregate log data based on specific tags, allowing you to
generate customized reports that focus on specific areas of interest,
such as application performance, security incidents, or user activity.
6. Answer: A
Explanation: Log Forwarding Profile match lists allow administrators to
selectively forward log events based on specific criteria, such as the event
type, severity level, or source and destination addresses. A more efficient
approach involves minimizing the volume of log data sent to external
destinations, prioritizing and concentrating on the essential data.
7. Answer: A, B, C, and E
Explanation: Dynamic tags can be assigned to data in Traffic, Threat, URL
Filtering, and Tunnel Inspection logs.
8. Answer: C
Explanation: Dynamic tagging activity is recorded in the IP-Tag log.
The IP-Tag log records all dynamic tagging activity, including creating,
deleting, and modifying dynamic tags.
9. Answer: B and C
Explanation: A firewall can forward log events to the following two types
of log formats:
SNMP (Simple Network Management Protocol): SNMP is a standard
protocol for managing network devices. It can collect and monitor log
events from firewalls and other network devices.
HTTP (Hypertext Transfer Protocol): HTTP is the standard protocol for
transmitting web pages and online resources. It can also forward log
events from firewalls to external servers.
10. Answer: D
Explanation: A firewall forwards log events to an external destination as it
generates them in real time. This ensures the firewall can log events even if
the external destination is unavailable.
11. Answer: C and D
Explanation: The Scheduled Log Export function can export the Traffic
and URL logs for analysis or archiving.
12. Answer: B
Explanation: Active/active firewall pairs support asymmetric routing
and increased session count. This makes them a good choice for high-
performance environments where you need to be able to handle a large
amount of traffic.
13. Answer: A
Explanation: Using the Device > Log Settings > System Log settings
page, the firewall forwards HA-related events to an external monitoring
technology.
14. Answer: B and C
Explanation: These two objects provide different levels of detail about the
HA state of the managed firewall. The firewall-specific information in
Managed Devices > Health provides the most detailed information,
including the HA state of each interface, the HA status, and the HA priority.
The firewall listings in Managed Devices > Summary provide a high-level
overview of the HA state of the managed firewall, including the HA status
and priority.
15. Answer: B and C
Explanation: Floating IP addresses are IP addresses that are not assigned
to any specific physical interface. Instead, they are assigned to a logical
interface, such as a VPN endpoint or a source NAT pool. This allows you to
dynamically assign IP addresses to traffic, improving performance and
scalability. Source NAT and VPN endpoints are two firewall features that
support floating IP addresses in an active/active HA pair. This allows you to
distribute traffic to firewalls and create VPN tunnels between them and
other networks.
Chapter 11: Troubleshooting
1. Answer: A
Explanation: When ping tests are not possible due to security
requirements, monitoring the responses to main/aggressive mode messages
in system logs is a viable alternative. This helps in assessing the
connectivity and identifying potential issues between the Palo Alto firewall
and the peer device. The ikemgr logs, as mentioned in option B, can
provide additional insights into Dead Peer Detection (DPD) messages but
may not be the primary step when ping tests are restricted.
2. Answer: B
Explanation: A cleanup rule in a network security setup serves the
purpose of determining the action to take for traffic that does not match
any of the specific rules defined. It acts as a catch-all rule to handle traffic
that falls outside the scope of other rules. This ensures that unexpected or
unclassified traffic is not left unaddressed and helps maintain network
security and functionality.
3. Answer: C
Explanation: When setting up a VPN tunnel between Palo Alto Networks
firewalls, it is typically not necessary to configure proxy-IDs. However,
when the other end of the tunnel involves devices from different vendors,
configuring proxy-IDs becomes necessary to ensure compatibility and
proper functioning of the VPN. Mismatch issues related to proxy-IDs can
be identified through system logs or command line tools, indicating the
need for configuration in such scenarios.
4. Answer: D
Explanation: To view the contents of a capture file using the CLI in a Palo
Alto firewall, you should execute the view-pcap mgmt-pcap mgmt.pcap
command. This command allows you to open and examine the contents of
the capture file, helping you analyze the captured network traffic. The
other options (A, B, and C) are not used for viewing the contents of a
capture file but serve different purposes in managing capture files on the
firewall.
5. Answer: C
Explanation: Troubleshooting tools for TLS (secure web) traffic are
primarily used to identify weak security methods that might be employed
by web traffic. These tools help analyze the encryption and security
settings for web traffic, allowing you to discover vulnerabilities and ensure
that strong encryption methods are in place.
6. Answer: C
Explanation: The ACC - SSL Activity tools in PAN-OS 10.0 primarily
serve the purpose of analyzing the security and performance of SSL/TLS
connections. These tools provide insights into the quality and security of
the SSL/TLS connections your computer makes to secure websites,
helping you identify any potential issues or vulnerabilities. While they can
provide some general network traffic information, their primary focus is on
SSL/TLS connections.
7. Answer: D
Explanation: Custom report templates in Palo Alto Networks firewall
allow users to generate customized reports that summarize decryption
activity. These reports provide specific insights into decryption-related
data, such as the number of sessions, the volume of decrypted data, and
error statistics. The templates are designed to give a tailored view of
decryption activity, making it easier to analyze and understand how
decryption policies and applications are functioning. While the firewall
may provide other security-related statistics, the primary function of these
templates is to create custom reports for decryption activities.
8. Answer: C
Explanation: The recommended initial step to troubleshoot decryption
issues in Palo Alto Networks firewalls is to use the ACC (Application
Command Center) widgets to identify traffic that is causing decryption
problems. The ACC widgets visually represent network and application
activity, making it easier to pinpoint areas where decryption issues may be
occurring. Once problematic traffic is identified, further steps, such as
examining the Decryption Log and creating custom report templates, can
be taken to gather more detailed information and diagnose the problem
effectively.
9. Answer: B
Explanation: When downgrading from PAN-OS 10.0 or later to PAN-OS
9.1 or earlier, the Decryption Log, SSL Activity widgets in the ACC
(Application Command Center), and custom report Decryption templates
are removed from the user interface (UI). This means that certain
decryption-related features and settings that were available in the newer
version are no longer accessible in the older version of the firewall’s UI. It
is essential to be aware of these changes when performing a downgrade to
ensure you have the necessary information and tools for troubleshooting
and managing decryption activities.
10. Answer: B
Explanation: When your Palo Alto firewall is not forwarding traffic
correctly, and you suspect routing table issues, using the commit force
command is the appropriate solution. The commit force command forces
the firewall to update its routing table, ensuring that it has the most current
information about the network. This action helps resolve routing-related
problems and enables the firewall to properly forward traffic.
11. Answer: A
Explanation: When troubleshooting a situation where the Palo Alto
firewall is not forwarding traffic as expected and the issue is suspected to
be related to the default route, the appropriate command to use is show
route. This command allows you to verify the current default route
configuration on the firewall.
12. Answer: C
Explanation: Routing loops are situations in network routing where traffic
is forwarded in circles, typically occurring when there are multiple routes
to a destination and the router struggles to determine the correct route to
use. Routing loops do not improve performance or reduce packet loss;
instead, they disrupt the normal flow of traffic and cause network
instability.
13. Answer: D
Explanation: The count of dropped packets in interface counters indicates
data loss or delivery issues in network analysis. Observing a significant
number of dropped packets implies that some data is not reaching its
intended destination, which can lead to data loss or delivery problems.
14. Answer: B
Explanation: The correct command is show session info | match table,
which is used to inspect session information on the firewall. Monitoring
the session table size is essential for security because it helps identify
potential issues when attackers exploit open IPs and ports, especially in the
case of TCP sessions that can fill up the table and disrupt normal traffic.
Therefore, option B is the correct answer as it directly addresses the
importance of monitoring session table size in the context of security.
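The session-table check described in this explanation can be scripted against the CLI output. The following is an added example, not taken from the study guide or from Palo Alto Networks: the `show session info` output it parses is a constructed sample, and the field labels it looks up are assumed to match the firewall's actual output.

```python
"""Watch PAN-OS session-table utilization from `show session info` output.

Added example (not from the study guide). SAMPLE_SESSION_INFO below is a
constructed approximation of the CLI's "Label:   value" layout; the field
labels are assumptions, so adjust them to match the real firewall output.
"""
import re

# Constructed sample output; the numbers are invented for the example.
SAMPLE_SESSION_INFO = """\
target-dp:                                      *.dp0
--------------------------------------------------------------------------------
Number of sessions supported:                    262142
Number of allocated sessions:                    241173
Number of active TCP sessions:                   236010
Number of active UDP sessions:                   4980
Number of active ICMP sessions:                  183
Session table utilization:                       92%
--------------------------------------------------------------------------------
"""

# One "Label:   value" line; separators and blank lines do not match.
_LINE_RE = re.compile(r"^(?P<label>[^:]+):\s+(?P<value>\S+)\s*$")


def parse_session_info(text):
    """Return a dict of lowercase label -> value.

    Counters become ints; a trailing '%' is stripped so utilization is an
    int too; anything non-numeric (e.g. the target-dp name) stays a string.
    """
    fields = {}
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        label = m.group("label").strip().lower()
        value = m.group("value").rstrip("%")
        fields[label] = int(value) if value.isdigit() else value
    return fields


def assess_session_table(fields, warn_pct=80, tcp_share_pct=90):
    """Return (utilization_pct, findings).

    Utilization is recomputed from allocated/supported rather than trusting
    the printed percentage. A table that is both nearly full and dominated
    by TCP sessions is the pattern the explanation warns about: connection
    floods filling the session table and crowding out normal traffic.
    """
    supported = fields["number of sessions supported"]
    allocated = fields["number of allocated sessions"]
    tcp = fields.get("number of active tcp sessions", 0)
    util = round(100 * allocated / supported, 1)
    findings = []
    if util >= warn_pct:
        findings.append(f"session table at {util}% of {supported} supported sessions")
    if allocated and 100 * tcp / allocated >= tcp_share_pct:
        share = round(100 * tcp / allocated)
        findings.append(f"TCP sessions make up {share}% of allocated sessions")
    return util, findings


if __name__ == "__main__":
    utilization, alerts = assess_session_table(parse_session_info(SAMPLE_SESSION_INFO))
    print(f"utilization: {utilization}%")
    for alert in alerts:
        print("ALERT:", alert)
```

Feed it the real output with a pipe (for example from a scheduled SSH job) and alert on any returned finding; the thresholds are operational choices, not firewall defaults.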
15. Answer: C
Explanation: The purpose of using the nslookup tool in the context of
setting up GlobalProtect is to verify that the computer can resolve the Fully
Qualified Domain Names (FQDNs) for the portal and gateway. This
ensures that the computer can correctly translate the FQDNs into IP
addresses, which is essential for the GlobalProtect client to establish a
connection with the correct portal and gateway.
Acronyms
ACC Application Command Center
ACC First-LOOK Application Command Center First-LOOK
ACE App-ID Cloud Engine
ACL Access Control List
ACI Application Centric Infrastructure
AD Active Directory
AE Aggregate Ethernet
AES Advanced Encryption Standard
AH Authentication Header
AIA Authority Information Access
ALG Application Layer Gateway
ARP Address Resolution Protocol
API Application Programming Interface
APK Android Application Packages
App-ID Application Identification
APTs Advanced Persistent Threats
AS Autonomous System
ASA Adaptive Security Appliance
AVG Active Virtual Gateway
AWS Amazon Web Service
BE Best Effort
BFD Bidirectional Forwarding Detection
BGP Border Gateway Protocol
BIOCs Behavioral Indicators of Compromise
BYOD Bring Your Own Device
CA Certificate Authorities
CAM Content-Addressable Memory
C&C Command and Control
CDL Cortex Data Lake
CDPs CRL Distribution Points
CDR Content Disarm and Reconstruction
CGN Carrier Grade NAT
CLI Command-Line Interface
CP Content Processor
CPU Central Processing Unit
CRLs Certificate Revocation Lists
CSP Customer Support Portal
CTL Certificate Trust List
DAC Dynamic Access Control
DAI Dynamic ARP Inspection
DBMS Database Management System
DDNS Dynamic Domain Name System
DDoS Distributed Denial of Service
DER Distinguished Encoding Rules
DFA Direct Filter Approach
DHCP Dynamic Host Configuration Protocol
DHE Diffie–Hellman Key Exchange
DIPP Dynamic IP and Port
DLP Data Loss Prevention
DMZ Demilitarized Zone
DMVPN Dynamic Multipoint VPN
DNAT Destination Network Address Translation
DNS Domain Name System
DoS Denial of Service
DoT DNS over TLS
DPI Deep Packet Inspection
DSCP Differentiated Services Code Point
DST Destination
DUGs Dynamic User Groups
ECC Elliptic Curve Cryptography
ECDSA Elliptic Curve Digital Signature Algorithm
ECMP Equal-Cost Multi-Path
EDLs External Dynamic Lists
EDR Endpoint Detection and Response
EIP Elastic IP
ELF Executable and Linkable Format
FDN FortiGuard Distribution Network
FTP File Transfer Protocol
FQDN Fully Qualified Domain Name
FQNs Fully Qualified Names
FSSO Fortinet Single Sign-On
GMT Greenwich Mean Time
GPOs Group Policy Objects
GPRS General Packet Radio Service
GRE Generic Routing Encapsulation
GTP GPRS Tunneling Protocol
GUI Graphical User Interface
GUID Globally Unique Identifier
HA High Availability
HTTP HyperText Transfer Protocol
HTTPS HyperText Transfer Protocol Secure
HSM Hardware Security Module
IaaS Infrastructure as a Service
IaC Infrastructure as Code
IAM Identity and Access Management
ICMP Internet Control Message Protocol
IDS Intrusion Detection System
IDMR Inter-Domain Multicast Routing
IdP Identity Provider
IEEE Institute of Electrical and Electronics Engineers
IETF Internet Engineering Task Force
IIoT Industrial IoT
IKE Internet Key Exchange
IoC Indicators of Compromise
IoT Internet of Things
IP Internet Protocol
IPv4 Internet Protocol version 4
IPv6 Internet Protocol version 6
IPS Intrusion Prevention System
IPsec Internet Protocol Security
ISDB Internet Service Database
ISP Internet Service Provider
IT Information Technology
LACP Link Aggregation Control Protocol
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
LLDP Link Layer Discovery Protocol
LSAs Link State Advertisements
LSVPN Large Scale VPN
MAC Media Access Control
MFA Multi-Factor Authentication
MGT Management Interface
MIB Management Information Base
MITM Man-In-The-Middle
MSSP Managed Security Service Providers
NAT Network Address Translation
NGE Next Generation Encryption
NGFW Next-Generation Firewall
NIDS Network-based Intrusion Detection System
NNI Network to Network Interface
NP Network Processor
NSE Network Security Expert
NSO Network Services Orchestration
NSSA Not-So-Stubby Area
NTP Network Time Protocol
OCSP Online Certificate Status Protocol
OIDs Object Identifiers
OOB Out-of-Band
OSI Open Systems Interconnection
OSPF Open Shortest Path First
OTP One-Time Password
OVA Open Virtual Appliance
P2P Peer-to-Peer
PaaS Platform as a Service
PAT Port Address Translation
PBF Policy Based Forwarding
PCCET Palo Alto Networks Certified Cybersecurity Entry-level Technician
PCCSE Prisma Certified Cloud Security Engineer
PCDRA Palo Alto Networks Certified Detection and Remediation Analyst
PCNSA Palo Alto Networks Certified Network Security Administrator
PCNP Palo Alto Networks Certified Professional
PCNSE Palo Alto Networks Certified Network Security Engineer
PCSAE Palo Alto Networks Certified Security Automation Engineer
PE Portable Executable
PEM Privacy Enhanced Mail
PFS Perfect Forward Secrecy
POC Proof of Concept
PoLP Principle of Least Privilege
PKI Public Key Infrastructure
PUPs Potentially Unwanted Programs
QoS Quality of Service
QSGMII Quad Serial Gigabit Media Independent Interface
QUIC Quick UDP Internet Connections
RADIUS Remote Authentication and Dial-in User Service
RMA Return Merchandise Authorization
RBAC Role-Based Access Control
REST Representational State Transfer
RIP Routing Information Protocol
RSSO RADIUS Single Sign-On
SaaS Software as a Service
SAML Security Assertion Markup Language
SAN Subject Alternative Name
SCP Secure Copy
SDDC Software-Defined Data Center
SDKs Software Development Kits
SDN Software Defined Network
SNI Server Name Indication
SNMP Simple Network Management Protocol
SoC System on Chip
SOC Security Operation Center
SOP Security Operating Platform
SP3 Single Pass Parallel Processing
SP Security Processing
SPU Security Processing Unit
SQL Structured Query Language
SRC Source
SSH Secure Shell
SSL Secure Sockets Layer
SSO Single Sign-On
SWGs Secure Web Gateways
TCL Tool Command Language
TLS Transport Layer Security
TCP Transmission Control Protocol
TTL Time to Live
TTPs Tactics, Techniques, and Procedures
UDP User Datagram Protocol
UID User Identification
URL Uniform Resource Locator
UTC Coordinated Universal Time
UTM Unified Threat Management
VDOM Virtual Domain
VIP Virtual IP
VLAN Virtual Local Area Network
VM Virtual Machines
VPN Virtual Private Network
VRF Virtual Routing and Forwarding
VSAs Vendor-Specific Attributes
WAN Wide Area Network
WAP Wireless Access Points
WiFi Wireless Fidelity
XSS Cross-Site Scripting
ZHVO Zero-Hour Virus Outbreak
ZTP Zero-Touch Provisioning