Pcnsa Study Guide PDF

PALO ALTO NETWORKS
CERTIFIED NETWORK
SECURITY
ADMINISTRATOR
STUDY GUIDE
First Edition | December 2018
http://education.paloaltonetworks.com
© 2018 Palo Alto Networks, Inc.
Note that the content is in a draft state and may change.

Palo Alto Networks, Inc. www.paloaltonetworks.com
© 2018 Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, PAN-OS, and WildFire are
trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.
©2018 Palo Alto Networks, Inc. 2

Contents
Overview .......................................................................................................... 12
Exam Details .............................................................................................................................. 12
Intended Audience .................................................................................................................... 12
Qualifications............................................................................................................................. 12
Skills Required ........................................................................................................................... 13
Recommended Training ............................................................................................................ 13
About This Document................................................................................................................ 13
Disclaimer .................................................................................................................................. 13
Preliminary Score Report........................................................................................................... 13
Exam Domain 1 – Palo Alto Networks Security Operating Platform Core
Requirements ................................................................................................... 14
1.1 Identify the components of the Palo Alto Networks Security Operating Platform. ........... 14
The Palo Alto Networks Security Operating Platform ......................................................... 14
Prevent Successful Cyberattacks ............................................................................. 14

Operate with ease using best practices.................................................................................. 14
Focus on What Matters .............................................................................................. 15

Automate tasks, using context and analytics, to reduce response time and speed
deployments. ......................................................................................................................... 15
Consume Innovations Quickly .................................................................................. 15

Improve security effectiveness and efficiency with tightly integrated innovations. ............ 15
Network Security ........................................................................................................ 16
Advanced Endpoint Protection ............................................................................... 17
Cloud Security ..................................................................................................... 17
Cloud-Delivered Security Services .......................................................................... 18

Application Framework and Logging Service ........................................................ 23
Sample questions ...................................................................................................................... 24
Requirements ................................................................................................... 26
1.2 Identify the components and operation of single-pass parallel processing architecture. . 26
Management and Data Planes ............................................................................................... 27
Requirements ................................................................................................... 29
1.3 Given a network design scenario, apply the Zero Trust security model and describe how it
relates to traffic moving through your network. ...................................................................... 29
Requirements ................................................................................................... 34
1.4 Identify stages in the Cyber-Attack Lifecycle and firewall mitigations that can prevent
them. ......................................................................................................................................... 34
Exam Domain 2 – Simply Passing Traffic ........................................................... 38
2.1 Identify and configure firewall management interfaces. ................................................... 38
Management Access to the Palo Alto Firewalls ................................................................... 38
Initial Steps to Gain Access to the Firewall .......................................................................... 38
Four Firewall Management Methods .................................................................................... 39
Interface Management Profiles ............................................................................................. 41
Firewall Dashboard Web Interface ....................................................................................... 43
2.2 Identify how to manage firewall configurations. ................................................................ 53
Manage Configurations Using Candidate and Running Configurations .............................. 53
Candidate Configuration ....................................................................................................... 54

Running Configuration ......................................................................................................... 55
Manage Running and Candidate Configurations .................................................................. 55
Revert to Last Saved Configuration...................................................................................... 56
Revert to Running Configuration.......................................................................................... 56
Save Named Configuration Snapshot ................................................................................... 57
Save Candidate Configuration .............................................................................................. 58
Load Named Configuration Snapshot ................................................................................... 58
Load Configuration Version ................................................................................................. 59
Export Named Configuration Snapshot ................................................................................ 60
Export Configuration Version............................................................................................... 60
Export Device State .............................................................................................................. 60
Import Named Configuration Snapshot ................................................................................ 60
Import Device State .............................................................................................................. 61
2.3 Identify and schedule dynamic updates. ............................................................................ 62
Dynamic Updates .................................................................................................................. 62
Downloading and Installing Updates .................................................................................... 64
Downloading Updates ........................................................................................................... 65
Installing Updates ................................................................................................................. 65
Software Updates .................................................................................................................. 66
2.4 Configure internal and external services for account administration. ............................... 68
Administrative Role Types ................................................................................................... 68
Authentication Sequence ...................................................................................................... 72
Admin Account Passwords ................................................................................................... 73
Config Logs .......................................................................................................................... 74

2.5 Given a network diagram, create the appropriate security zones. .................................... 76
Security Zones ...................................................................................................................... 76
2.6 Identify and configure firewall interfaces. .......................................................................... 80
Types of Ethernet Interfaces ................................................................................................. 80
Tap, Virtual Wire, Layer 2, and Layer 3 interfaces .............................................................. 82
Virtual Wire .......................................................................................................................... 83
Virtual Wire Subinterfaces ................................................................................................... 86
Layer 2 Interfaces ................................................................................................................. 88
Layer 2 Subinterfaces ........................................................................................................... 90
Layer 3 Interfaces ................................................................................................................. 92
Layer 3 Subinterfaces ........................................................................................................... 95
2.7 Given a scenario, identify steps to create and configure a virtual router. ......................... 99
Virtual Routers ...................................................................................................................... 99
Virtual Router General Configuration Settings .................................................................. 101
Static Route Configuration Settings.................................................................................... 102
Path Monitoring for Static Routes Configuration Settings ................................................. 103
Virtual Router Forwarding Information Base ..................................................................... 105
Sample questions .................................................................................................................... 106
Exam Domain 2 – Simply Passing Traffic ......................................................... 106
2.8 Identify the purpose of specific security rule types. ......................................................... 106
Security Rule Types ............................................................................................................ 106
2.9 Identify and configure security policy match conditions, actions, and logging options... 110
Implicit and Explicit Rules ................................................................................................. 110

Security Rule Hit Count ...................................................................................................... 111
2.10 Given a scenario, identify and implement the proper NAT solution. ............................. 112
NAT Types.......................................................................................................................... 112
Source NAT Types ............................................................................................................. 114
Source NAT and Security Policies ..................................................................................... 115
Configuring Source NAT .................................................................................................... 117
Configuring Bidirectional Source NAT .............................................................................. 117
DIPP NAT Oversubscription .............................................................................................. 118
Destination NAT Types ...................................................................................................... 119
Destination NAT and Security Policies .............................................................................. 120
Configuring Destination NAT ............................................................................................ 121
Configuring Dynamic IP Address Support for DNAT ....................................................... 122
Configuring Destination NAT Port Forwarding ................................................................. 122
Exam Domain 3 – Traffic Visibility ................................................................... 124
3.1 Given a scenario, select the appropriate application-based security policy rules. .......... 124
Application Shifts ............................................................................................................... 124
Dependent Applications ...................................................................................................... 124
Determining Dependent Applications................................................................................. 126
Implicit Applications and Determining Implicit Applications ........................................... 126
Sample question ...................................................................................................................... 127
3.2 Given a scenario, configure application filters or application groups. ............................. 128
Application Filters .............................................................................................................. 128
Application Groups ............................................................................................................. 129
Nesting Application Groups and Filters ............................................................................. 130

3.3 Identify the purpose of application characteristics as defined in the App-ID database... 132
Application Properties ........................................................................................................ 132
Application Characteristics ................................................................................................. 132
Application Timeouts.......................................................................................................... 133
3.4 Identify the potential impact of App-ID updates to existing security policy rules. .......... 134
App-ID Updates and Impact ............................................................................................... 134
Content Update Absorption ................................................................................................ 135
Objective 3.5 Identify the tools to optimize security policies................................................. 138
Exam Domain 4 – Securing Traffic ................................................................... 139
4.1 Given a risk scenario, identify and apply the appropriate security profile. ...................... 139
Security Profiles .................................................................................................................. 139
Threat Logs ......................................................................................................................... 140
Antivirus Security Profiles .................................................................................................. 141
Anti-Spyware Security Profiles .......................................................................................... 141
Vulnerability Protection Security Profiles .......................................................................... 142
URL Filtering Security Profiles .......................................................................................... 142
File Blocking Security Profiles ........................................................................................... 142
Sample question ...................................................................................................................... 143
Objective 4.2 Identify the difference between security policy actions and security profile
actions. .................................................................................................................................... 143
Security Policy Actions and Security Profile Actions ........................................................ 143
Antivirus Security Profile Actions ...................................................................................... 144
Anti-Spyware Security Profile Actions .............................................................................. 145

Vulnerability Protection Security Profile Actions .............................................................. 146
URL Filtering Security Profile Actions .............................................................................. 147
File Blocking Security Profile Actions ............................................................................... 148
Sample question ...................................................................................................................... 149
Objective 4.3 Given a network scenario, identify how to customize security profiles. ......... 150
Antivirus Security Profile Customization ........................................................................... 150
Anti-Spyware Security Profile Customization.................................................................... 152
Vulnerability Protection Security Profile Customization ................................................... 154
URL Filtering Security Profile Customization ................................................................... 157
Safe Search.......................................................................................................................... 158
HTTP Header Logging ....................................................................................................... 159
File Blocking Security Profile Customization .................................................................... 159
Sample question ...................................................................................................................... 162
Objective 4.4 Identify the firewall’s protection against packet- and protocol-based attacks.
................................................................................................................................................. 162
Denial-of-Service Protection .............................................................................................. 162
Zone Protection Profiles ..................................................................................................... 163
Flood Attack Protection ...................................................................................................... 163
SYN Random Early Drop ................................................................................................... 164
SYN Cookies ...................................................................................................................... 164
UDP..................................................................................................................................... 164
ICMP ................................................................................................................................... 164
ICMPv6 ............................................................................................................................... 165
Other IP ............................................................................................................................... 165
Reconnaissance Attack Protection ...................................................................................... 165
Packet-Based Attack Protection.......................................................................................... 166
Protocol Attack Protection .................................................................................................. 168
DoS Protection Profiles and Policies .................................................................................. 169

Sample question ...................................................................................................................... 171
Objective 4.5 Identify how the firewall can use the cloud DNS database to control traffic
based on domains. .................................................................................................................. 171
Objective 4.6 Identify how the firewall can use the PAN-DB database to control traffic based
on websites. ............................................................................................................................ 171
How PAN-DB Maximizes URL Lookup Performance ...................................................... 172
PAN-DB Core ..................................................................................................................... 172
Seed Database ..................................................................................................................... 172
Management Plane Cache ................................................................................................... 173
Data-Plane Cache ................................................................................................................ 173
Sample question ...................................................................................................................... 174
Objective 4.7 Discuss how to control access to specific URLs using custom URL filtering
categories. ............................................................................................................................... 174
Custom URL Filtering Categories ...................................................................................... 174
Sample question ...................................................................................................................... 176
Exam Domain 5 – Identifying Users ................................................................. 176
Objective 5.1 Given a scenario, identify an appropriate method to map IP addresses to
usernames. .............................................................................................................................. 176
Objective 5.2 Given a scenario, identify the appropriate User-ID agent to deploy. .............. 177
Objective 5. 3 Identify how the firewall maps usernames to user groups. ............................ 178
Objective 5. 4 Given a graphic, identify User-ID configuration options. ................................ 180
Exam Domain 6 – Deployment Optimization ................................................... 181
Objective 6.1 Identify the benefits and differences between the Heatmap and the BPA
reports. .................................................................................................................................... 181

Palo Alto Networks PCNSA Study Guide
Welcome to the Palo Alto Networks PCNSA Study Guide. The purpose of this guide is to help you prepare
for your PCNSA exam and achieve your PCNSA credential. This study guide is a summary of the key topic
areas that you are expected to know to be successful at the PCNSA exam. It is organized based on the
exam blueprint and key exam objectives.
Overview
The Palo Alto Networks Certified Network Security Administrator (PCNSA) is a formal, third‐party
proctored certification that indicates that those who have passed it possess the in‐depth knowledge to
design, install, configure, and maintain most implementations based on the Palo Alto Networks
platform.
This exam will certify that the successful candidate has the knowledge and skills necessary to implement
Palo Alto Networks next-generation firewall PAN-OS® 8.1 platform in any environment. This exam will
not cover Aperture and Traps.
Exam Details
• Certification Name: Palo Alto Networks Certified Network Security Administrator
• Delivered through Pearson VUE: www.pearsonvue.com/paloaltonetworks
• Exam Beta Availability: Through December 31, 2018
• Exam Series: PCNSA(B)
• Seat Time: 110 minutes
• Number of items: 70
• Format: Multiple Choice, Scenarios with Graphics, and Matching
• Languages: English
Intended Audience
The PCNSA exam should be taken by anyone who wants to demonstrate a deep understanding of Palo
Alto Networks technologies, including customers who use Palo Alto Networks products, value-added
resellers, pre-sales system engineers, system integrators, and system administrators.
Qualifications
You should have two to three years’ experience working in the Networking or Security industries and the
equivalent of 6 months’ experience working full‐time with Palo Alto Networks Security Operating
Platform.
You have at least 6 months’ experience in Palo Alto Networks NGFW deployment and configuration.

Skills Required
• You can deploy, configure, and install Palo Alto Networks Security Operating Platform
components.
• You understand the unique aspects of the Palo Alto Networks Security Operating Platform and
how to deploy one appropriately.
• You understand networking and security policies used by PAN-OS software.
Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training courses
or equivalent virtual digital learning courses:
• Firewall Essentials: Configuration and Management (EDU-210) or digital learning (EDU-110)
• PCNSA Practice Test: http://www.paloaltonetworks.com/ACE
About This Document

Efforts have been made to introduce all relevant information that might be found in a PCNSA
Certification Test. However, other related topics also may appear on any delivery of the exam. This
document should not be considered a definitive test preparation guide but an introduction to the
knowledge required, and these guidelines may change at any time without notice. This document
contains many references to outside information that should be considered essential to completing
your understanding.
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam, related
resources, and recommended courses. The material contained within this study guide is not intended to
guarantee that a passing score will be achieved on the exam. Palo Alto Networks recommends that a
candidate thoroughly understand the objectives indicated in this guide and uses the resources and
courses recommended in this guide where needed to gain that understanding.
Preliminary Score Report

The score report during the beta period will show a status as “Taken” to confirm that the candidate has
completed the exam. Candidates will receive a notification of the beta results about six weeks after the
beta period ends.

Exam Domain 1 – Palo Alto Networks Security Operating Platform
Core Requirements
1.1 Identify the components of the Palo Alto Networks Security Operating
Platform.
The Palo Alto Networks Security Operating Platform
The Palo Alto Networks Security Operating Platform is built for automation. The platform successfully prevents
cyberattacks by utilizing accurate analytics, implementing automation, and delivering cloud-based
applications. The platform integrates applications from Palo Alto Networks, third parties, and customers.
The analytics-based automation allows IT personnel to operationalize their security easily and
consistently using best practices. Security tools that weren’t designed for automation require analysts to
manually combine insights from many disconnected sources before they act. The Palo Alto Networks
Security Operating Platform eliminates any disconnects by ensuring tight integration across the platform,
thus simplifying security so you can secure users, applications, and data consistently.
The Palo Alto Networks Security Operating Platform prevents successful cyberattacks by focusing on
what matters: leveraging cloud-based applications (see the following figure).
Prevent Successful Cyberattacks
Operate with ease using best practices.
Organizations need to operate efficiently to stop attacks that cause business disruption. The Security

Operating Platform empowers you to confidently automate threat identification and prevention across
clouds, networks, servers, and endpoints with a data-driven approach utilizing accurate, cloud-delivered
analytics. The platform blocks exploits, ransomware, malware, and fileless attacks. It allows you to easily
adopt security best practices using application-, user-, and content-based policies. These security
policies take a Zero Trust approach to minimize opportunities for attack.
Focus on What Matters
Automate tasks, using context and analytics, to reduce response time and speed
deployments.
Your operations teams and analysts likely are overburdened. The Security Operating Platform improves
productivity via automation, thus allowing IT personnel the time to focus on higher-value activities.
Automation allows you to streamline routine tasks. Tight integration across the platform with ecosystem
partners delivers consistent security across the cloud, networks, and endpoints (CNE). The shared
intelligence and consistent enforcement across CNE strengthens prevention and improves the speed of
responses. DevOps can improve the speed of multi-cloud deployment and simplify management
through deep integrations with native cloud services and automation tools. Plus, your teams can
continuously validate compliance of cloud deployments with customizable reports and controls that
save time. Security controls are automated with security policies that dynamically change to match your
applications, users, and content.
Consume Innovations Quickly
Improve security effectiveness and efficiency with tightly integrated innovations.
Threats are dynamic. You need to keep evolving to stay ahead. The platform continually improves
security effectiveness and efficiency with tightly integrated innovations. With the Palo Alto Networks
Application Framework as part of the platform, you can get the most out of your existing investments,
including your existing unified security data set, sensors and enforcement points, with custom and third-
party security applications. Whether these apps are developed by Palo Alto Networks, our ecosystem of
third parties, or your own teams (customer apps), they can detect and report on threats, or automate
enforcement workflows, to reduce response time. Organizations now can deploy frictionless, seamlessly
integrated security, delivered from the cloud as applications. These applications provide unlimited plug-
and-play protection, with drag-and-drop innovation. Application developers everywhere have instant
access to more than 10,000 organizations and more than a decade’s worth of aggregated threat data
and telemetry.

Palo Alto Networks Security Operating Platform
The Palo Alto Networks Security Operating Platform has the following components:
• Network Security
• Advanced Endpoint Protection
• Cloud Security
• Cloud-Delivered Security Services
• Application Framework and Logging Service
• Palo Alto Networks Apps, Third-Party Apps, and Customer Apps
Network Security
Palo Alto Networks firewalls allow you to adopt best practices using app, user, and content-based
policies to minimize opportunities for attack. Our next-generation firewalls are available as physical
appliances, virtualized appliances, and cloud-delivered services, all managed consistently with
Panorama. These next-generation firewalls secure your business with a prevention-focused architecture
and integrated innovations that are easy to deploy and use. Palo Alto Networks next-generation firewalls
detect known and unknown threats, including those within encrypted traffic, using intelligence
generated across many thousands of customer deployments. The firewalls reduce risks and prevent a
broad range of attacks. For example, they enable users to access data and applications based on
business requirements and they stop credential theft and an attacker’s ability to use stolen credentials.
With our next-generation firewalls, you can quickly create security rules that mirror business policy and
are easy to maintain and adapt to your dynamic environment. They reduce response times with
automated policy-based actions, and you can automate workflows via integration with administrative
tools such as ticketing services, or any system with a RESTful API.

The family of next-generation firewalls includes:
• VM-Series: Our virtualized next-generation firewall protects your private and public
cloud deployments by segmenting applications and preventing threats. For more
information, see https://www.paloaltonetworks.com/products/secure-the-cloud/vm-
series.
• GlobalProtect cloud service: The GlobalProtect cloud service provides next-generation
firewall security delivered from the cloud globally in an operationally efficient manner.
For more information, see
https://www.paloaltonetworks.com/products/globalprotect/cloudservice.
• Physical firewalls: Physical firewalls include the PA-200, PA-220, PA-500, PA-800, PA-3000,
PA-3200, PA-5000, PA-5200, and PA-7000 series. For more information, see
https://www.paloaltonetworks.com/products/secure-the-network/next-generation-
firewall.
Advanced Endpoint Protection
Advanced Endpoint Protection blocks exploits, ransomware, malware, and fileless attacks to minimize
infected endpoints and servers. Traps advanced endpoint protection stops threats on the endpoint and
coordinates enforcement with cloud and network security to prevent successful cyberattacks. Traps is
the only solution that pre-emptively blocks security breaches such as ransomware attacks, using a
unique multi-method approach that prevents known and unknown malware, exploits, and zero-day
threats.
Traps is unique in the breadth and depth of its endpoint protections:
• Stops malware, exploits, and ransomware before they can compromise endpoints.
• Provides protection while endpoints are online and offline, on network and off network.
• Coordinates enforcement with network and cloud security to prevent successful attacks.
• Detects threats and automates containment to minimize impact.
• Includes WildFire® cloud-based threat analysis service with your Traps subscription.
• Integrates with the Palo Alto Networks Security Operating Platform.
For more information, see https://www.paloaltonetworks.com/products/secure-the-endpoint/traps.
Cloud Security
Cloud Security speeds up multi-cloud deployments, with continuous compliance validation, through
deep integrations with native cloud services and automation tools. Palo Alto Networks provides
advanced protection for consistent security across all major clouds: Amazon Web Services, Microsoft
Azure and Google Cloud Platform.

Our cloud providers protect and segment applications, deliver continuous security and compliance, and
achieve zero-day prevention. Palo Alto Networks lets you deliver consistent, automated protections
across public and private clouds so you can adopt SaaS apps, rapidly roll out cloud-delivered services
and apps, and avoid business disruption.
Cloud security is delivered by:
• Inline security (VM-Series firewalls): The VM-Series protects your private and public cloud
deployments by enabling applications and preventing threats.
• API security (Evident): Continuously monitor and secure your cloud workloads via API to
prevent data loss and enable compliance.
• Host security (Traps): Protect cloud workloads against zero-day threats with multiple methods
of prevention and minimal impact on resources.
For more information, see https://www.paloaltonetworks.com/products/secure-the-cloud.
Cloud-Delivered Security Services
Confidently automate threat identification and prevention everywhere. Our security subscriptions allow
you to safely enable applications, users, and content by adding natively integrated protection from known
and unknown threats both on and off the network.
These security subscriptions are purpose-built to share context and prevent threats at every stage of an
attack, allowing you to enable singular policies and automated protection that secure your network and
remote workforce while simplifying management and enabling your business. The Security Services
consist of:
• AutoFocus: Disconnected tools and data sources have made the jobs for security analysts more
difficult to do quickly and effectively. AutoFocus contextual threat intelligence brings speed,
consistency, and precision to threat investigation. It provides instant access to community-based
threat data, enhanced with deep context and attribution from the Unit 42 threat research team,
saving time and effort. Now your teams can quickly investigate, correlate, and pinpoint
malware’s root cause without adding dedicated malware researchers or additional tools. Plus,
automated protections make raw intelligence simple to turn into protection across your
environment.

For more information, see https://www.paloaltonetworks.com/products/secure-the-
network/autofocus.html.
• Global Protect Cloud Service: You need to secure all users equally. But mobile, branch, and
cloud expansion move applications and users beyond the perimeter, which makes traditional
network security inefficient. GlobalProtect cloud service provides the full security capabilities of
the Palo Alto Networks next-generation firewall, delivered as a service. Now you can protect
users across your organization and prevent successful cyberattacks with scale and simplicity,
and without compromise. GlobalProtect cloud service automates the orchestration and rollout
of security services, reducing deployment time. You can deploy new features, increase coverage,
and scale globally with cloud infrastructure, which gives you a new level of flexibility.

https://www.paloaltonetworks.com/products/globalprotect/cloudservice.html.
• URL Filtering Web Security: The majority of attacks and exposure to malicious content occur
during normal web browsing activities. URL filtering with PAN-DB automatically prevents attacks
that leverage the web as an attack vector, including phishing links in emails, phishing sites,
HTTP-based command and control, malicious sites, and pages that carry exploit kits.
URL filtering provides:
• Reduction of the risk of infection from dangerous websites and protection of users and data
from malware and credential-phishing pages.
• Protection across the attack lifecycle through integration with WildFire and the Security
Operating Platform.
• Retention of protections synchronized with the latest threat intelligence through our cloud-
based URL categorization for phishing, malware, and undesired content.
• Full visibility and threat inspection into normally opaque web traffic through granular
control over SSL decryption.
network/subscriptions/url-filtering-pandb.

• Threat Prevention: Because threats do not discriminate between application delivery vectors,
an approach to security is needed that has full visibility into all application traffic, including SSL
encrypted content, with full user context. Threat Prevention leverages the visibility of our next-
generation firewall to inspect all traffic, and thus automatically prevents known threats,
regardless of port, protocol, or SSL encryption. Threat Prevention automatically stops
vulnerability exploits with IPS capabilities, offers inline malware protection, and blocks
outbound command-and control-traffic. When combined with WildFire and URL filtering,
organizations are protected at every stage of the attack lifecycle, including both known and
zero-day threats.
network/subscriptions/threat-prevention.
• WildFire Malware Analysis: WildFire automatically prevents zero-day exploits and malware.
Traditional malware analysis and sandboxing techniques are not adequate, and cannot keep
pace with new exploits. WildFire uses shared community-sourced threat data and advanced
analysis, and immediately shares protections across the network, endpoint, and cloud. WildFire
automatically delivers protections about every five minutes (by accessing a database that is
updated every 5 minutes), thus preventing successful cyberattacks.

network/wildfire.html.
• MineMeld Threat Intelligence Sharing: To prevent successful cyberattacks, many organizations
collect indicators of compromise (IOCs) from various threat intelligence providers with the
intent of creating new controls for their security devices. Unfortunately, legacy approaches to

aggregation and enforcement are highly manual in nature, and often create complex workflows
that require the extension of the time needed to identify and validate which IOCs should be
blocked.
Now security organizations can leverage MineMeld, an open-source application that streamlines the
aggregation, enforcement, and sharing of threat intelligence. MineMeld is available for all users
directly on GitHub and pre-built virtual machines (VMs) for easy deployment. With the proper
software, anyone can add to the MineMeld functionality by contributing code to the open-source
repository.

network/subscriptions/minemeld.
• Logging Service: On-premises log management traditionally has been a chore. Now the cloud-
delivered Logging Service allows you to easily collect large volumes of log data, so innovative
apps can gain insight from your environment. You can simplify your log infrastructure, automate
log management, and use your data to prevent attacks more effectively.

https://www.paloaltonetworks.com/products/management/logging-service.
• Magnifier Behavioral Analytics: Magnifier behavioral analytics applies machine
learning at a cloud scale to network, endpoint, and cloud data so that you can quickly
find and stop targeted attacks, insider abuse, and compromised endpoints. Magnifier
uncovers the actions attackers cannot conceal, by profiling user and device behavior
and identifying anomalies that indicate active attacks. Magnifier integrates rich
metadata collected from the Security Operating Platform with attack detection
algorithms and enables you to detect post-intrusion activity with precision.
Magnifier stops these threats:
• Targeted attacks: Magnifier detects anomalous activities that attackers carry out as they
move around the network looking for valuable data.
• Malicious insiders: By profiling behavior, Magnifier identifies behavioral anomalies such as
internal reconnaissance and credential abuse to identify attacks.
• Risky behavior: Magnifier allows your organization to follow security best practices by
monitoring user activity and identifying risky behavior.
• Compromised endpoints: Magnifier detects malware behavior and confirms infections using
Pathfinder endpoint analysis and WildFire threat analysis services.
network/magnifier-behavioral-analytics.
Application Framework and Logging Service
Put security innovations to work sooner and with less effort. Cybersecurity innovations come from
many sources: Palo Alto Networks, third parties, and customers. With the Palo Alto Networks

Application Framework, you can use apps from these sources right away, so you can stay a step
ahead of attackers.
With the Application Framework, customers can rapidly access, evaluate, and adopt new security
technologies as an extension of the next-generation Security Operating Platform they already own
and operate. The all-new framework is a culmination of more than a decade of security disruption
that has provided customers with superior security through cloud-based apps developed by Palo
Alto Networks and today’s most innovative security providers, large and small.
All threats are dynamic. Security needs to keep evolving to stay ahead of the latest threats. New
capabilities are tightly integrated, building on the value of what you already have. With Palo Alto
Networks Application Framework, you can quickly consume innovative security apps, using your
existing security data, sensors and enforcement points. Whether these apps are developed by Palo
Alto Networks, our ecosystem of third parties, or your own teams, they can detect and report on
threats or automate enforcement workflows to reduce response time. Thus the Security Operating
Platform enables you to maximize your existing Palo Alto Networks investment.
The Application Framework consists of the following components:
• Infrastructure: A suite of cloud APIs, services, compute, and native access to customer-specific
data stores
• Customer-specific data store: The Palo Alto Networks Logging Service
• Apps: Apps that are delivered from the cloud to extend the capabilities of the platform, including
the ability to effortlessly collaborate between different apps, share threat context and
intelligence, and drive automated response and enforcement.
For more information, see https://www.paloaltonetworks.com/products/application-framework.
Sample questions
1. The Palo Alto Networks Security Operating Platform is designed for which three purposes?
(Choose three.)
A. consume innovations quickly
B. ensure compliance
C. focus on what matters
D. prevent successful cyberattacks
2. Which item is not one of the six primary components of the Palo Alto Networks Security
Operating Platform
A. Applications (Palo Alto Networks apps, third-party apps, customer apps)
B. Cloud-Delivered Security Services
C. WildFire
D. Application Framework and Logging Service
E. Network Security

F. Advanced Endpoint Protection
G. Cloud Security
3. Which cloud-delivered security service provides instant access to community-based threat data?
A. Aperture
B. AutoFocus
C. Threat 42
D. Magnifier
4. Which cloud-delivered security services provides security for branches and mobile users?
A. MineMeld
B. Magnifier
C. Traps
D. Global Protect
5. Which Palo Alto Networks Security Operating Platform component provides access to apps from
Palo Alto Networks, third parties, and customers?
A. Applications (Palo Alto Networks apps, third-party apps, customer apps)
B. Cloud-Delivered Security Services
C. WildFire
D. Application Framework
E. Network Security
F. Advanced Endpoint Protection
G. Cloud Security
6. Which Palo Alto Networks firewall feature provides all of the following abilities?
• Stops malware, exploits, and ransomware before they can compromise endpoints
• Provides protection while endpoints are online and offline, on network and off
• Coordinates enforcement with network and cloud security to prevent successful
attacks
• Detects threats and automates containment to minimize impact
• Includes WildFire cloud-based threat analysis service with your Traps subscription
• Integrates with the Palo Alto Networks Security Operating Platform
A. Traps
B. Aperture
C. URL Filtering
D. WildFire
E. GlobalProtect
F. AutoFocus

Core Requirements
1.2 Identify the components and operation of single-pass parallel processing

architecture.
Palo Alto Networks has reduced latency enormously, using the Single-Pass Parallel Processing (SP3)
architecture, which combines two complementary components:
• Single-Pass Software
• Parallel Processing Hardware
The SP3 architecture is the overall design approach for Palo Alto Networks next-generation firewalls.
The architecture enables full, contextual classification of traffic, followed by a set of enforcement and
threat prevention options. The architecture classifies and controls traffic in a “single pass” through the
firewall using a variety of stream-based technology components. Each current protection feature in the
device (antivirus, spyware, data filtering, and vulnerability protection) uses this stream-based signature
format. The stream-based design of the architecture results in superior performance, especially when
multiple security functions are enabled.
This architecture allows you to achieve superior security posture and efficiency. The SP3 architecture
allows Palo Alto Networks to exceed competitors’ firewall performance. In competitive approaches,
next-generation features often are added in a sequence of separate engines that limit policy flexibility,
negatively impact performance, and increase management complexity.
The software’s “scan it all, scan it once” approach enables superior security posture and performance on
both physical or virtual next-generation firewalls. The architecture incorporates advanced technologies
(e.g., App-ID, User-ID, and WildFire®) to provide superior classification and control capabilities to help

secure your organization’s network.
Management and Data Planes
In addition to the Single Pass software, hardware is the other critical piece of the Palo Alto Networks SP3
architecture. The management plane and data-plane functionality on both physical and virtual firewalls
is integral to all Palo Alto Networks firewalls. These separate planes have dedicated hardware resources
(CPU, RAM, and storage), making them independent of each other. This separation means that heavy use
of one plane will not adversely impact the other plane’s performance. For example, an administrator
could be running a very processor-intensive report, and yet the ability to process packets would not be
affected by this reporting job, because of the separation of the data and control planes.
The control plane provides the management features of the firewall:
• Firewall configuration
• Logging
• Reporting
The data plane provides the data processing features of the firewall:
• Signature matching
• Security processing
• Network processing

Sample questions
1. Which management features does the Control Plane provide? (Choose three.)
A. security processing
B. logging
C. reporting
D. firewall configuration
E. signature matching
F. network processing
2. Which three data processing features does the data plane provide? (Choose three.)
A. network processing
B. security processing
C. signature matching
D. firewall configuration
E. logging
F. reporting

3. What are three components of the Network Processing module? (Choose three.)
A. QoS
B. NAT
C. App-ID
D. flow control
E. url match
F. spyware
4. Which approach most accurately defines the Palo Alto Networks SP3 architecture?
A. prioritize first
B. sequential processing
C. scan it all, scan it once
D. zero trust segmentation platform
5. What is the result of using a stream-based design of architecture?
A. superior performance
B. increased latency
C. superior latency
D. increased functionality

Core Requirements
1.3 Given a network design scenario, apply the Zero Trust security model and
describe how it relates to traffic moving through your network.
In the traditional security model, internal users, devices, and applications, and the traffic they generated
were trusted (authenticated and allowed access), but verification (monitoring and inspection of their
traffic) was not implemented, because that traffic was “trusted.” This traditional security model is not
effective in combatting today’s sophisticated cyberattacks. Most attacks today are caused by
compromised endpoints such as computers and mobile devices. The endpoint traffic can then traverse
the network laterally within the corporation to infect database servers and other high-value targets. The
traditional security model is a broken trust model.
Thus, internal traffic not only needs to be “trusted,” it also needs to be continually monitored and
inspected for any anomalies such as malware delivery, reconnaissance, exploitation, attacks, malware
installation, and command-and-control (C2) activity.
Note that internal users, devices, and applications do not include just those physically located at the
corporate site; they also include those that access the company site via remote access technologies such
as VPN, Citrix, remote desktop, SSH, HTTP, and HTTPS. Here are some examples of “internal” users.

• Remote employees
• Partners
• Wireless users
• Remote/branch offices
• Internal employees
Zero Trust is an alternative security model that addresses the shortcomings of the traditional,
perimeter-centric strategies. A perimeter-centric strategy is one where all of the security in enforced at
the network juncture between the internal network and the internet. Zero Trust is rooted in the
principle of “never trust, always verify,” and is designed to address lateral (east-west) threat movement
within a network by segmenting the network and applying security enforcement at each network
boundary. For example, an attacker that infiltrates an endpoint still may need to move laterally
throughout the environment to reach the data center where the targeted content resides.

Zero Trust has three main concepts:
All resources are accessed in a secure manner regardless of location:
• This concept is especially important as it relates to mobility. Zero Trust must secure the
following use cases:
o Tablet computers
o Smartphones
o Road warriors
o Laptop users
o Home workers
• Access control is on a “need-to-know” basis and is strictly enforced:
o Access control must be done on a granular basis.
o The WikiLeaks Attack is one example of an attack that was executed due to lack of
enforcement)
• All traffic is logged and inspected:

o Not just on perimeter (north-south) traffic
o Must be done on traffic that moves laterally (east-west) inside a network
In summary, both north-south and east-west traffic must be controlled, monitored, inspected, and
logged to prevent today’s sophisticated cyberattacks.
Sample questions
1. Which security model does Palo Alto Networks recommend that you deploy?
A. separation-of-trust
B. Zero Trust
C. trust-then-verify
D. never trust
2. The Zero Trust model is implemented to specifically address which type of traffic?
A. east-west
B. north-south
C. left-right
D. up-down
3. What are the three main concepts of Zero Trust? (Choose three.)
A. All resources are accessed in a secure manner, regardless of location.
B. Access control is on a “need-to-know” basis and is strictly enforced.
C. Credentials need to be verified.
D. All traffic is logged and inspected.
E. Internal users are trusted implicitly.
F. External users are trusted explicitly.
4. Which two statements are true about the Zero Trust model? (Choose two.)
A. Traffic is inspected laterally.
B. Traffic is inspected east-west.
C. Internal traffic is implicitly trusted.
D. External traffic is implicitly trusted.
5. Which three Palo Alto Networks products secure your network? (Choose three.)
A. MineMerge
B. Aperture
C. URL filtering
D. AutoMagnifier
E. TrapContent
F. WildFire

Core Requirements
1.4 Identify stages in the Cyber-Attack Lifecycle and firewall mitigations that can
prevent them.
The Cyber-Attack Lifecycle is a sequence of events that an attacker goes through to successfully infiltrate
a network and exfiltrate data from it. A block of just one stage in this lifecycle will protect a company's
network from attack. Palo Alto Networks products prevent advanced cyberattacks at every stage of the
attack lifecycle. The Palo Alto Networks platform protects every part of the global enterprise network: it
addresses vulnerabilities and malware arriving at the endpoint, mobile device, and network perimeter,
or within the data center.
When cyberattackers strategize their way to infiltrate an organization’s network and exfiltrate data,
they follow the series of stages that comprise the attack lifecycle. They must progress through each
stage to successfully complete an attack. Block cyberattacks at any point in the cycle to break the
chain of attack. Note that the attacks can follow any order with the attack chain. The following
sections describe the different stages of the attack lifecycle and steps that should be taken at each
stage to prevent an attack.

1. Reconnaissance: During the first stage of the attack lifecycle, cyber adversaries carefully plan their
method of attack. Attackers research, identify, and select targets within an organization such as
human resources and financial personnel that will allow them to meet their objectives. Attackers can
gather intelligence through publicly available sources such as Twitter, LinkedIn, and corporate
websites ─ all the places where a company will share information about itself. Cyberattackers also
will scan for vulnerabilities that can be exploited within the target network (services and
applications), and map out areas that they can take advantage of.
Prevent by:
• Performing continuous inspection of network traffic flows to detect and prevent port scans and
host sweeps.
• Implementing security awareness by limiting what should be posted on the internet: sensitive
documents, customer lists, event attendees, job roles, and responsibilities.
2. Weaponization and Delivery: If any vulnerability has been detected by reconnaissance, attackers
next determine which methods to use to deliver malicious payloads. Methods they might use include
automated tools such as exploit kits, spear phishing attacks with malicious links, infected
attachments, and malvertizing.
Prevent by:
• Gain full visibility into all traffic, including SSL traffic, by decrypting it and blocking high-risk
applications
• Extending protections to remote and mobile devices
• Protecting against perimeter breaches by blocking malicious or risky websites using URL filtering
• Blocking known exploits, malware, and inbound command-and-control (C2) communications
using multiple threat prevention disciplines, including IPS, anti-malware, anti-C2, DNS
monitoring, sinkholing, and file and content blocking
• Detecting unknown malware and automatically informing customers and third parties globally
to thwart new attacks
• Providing ongoing education to users about spear phishing links, watering hole attacks,
unknown emails, risky websites, malicious USB drives, and other attack methods
3. Exploitation: In this stage, attackers deploy an exploit against a vulnerable application or system,
typically using an exploit kit or weaponized document such as a Microsoft Word .doc or Adobe
Acrobat .pdf file. An exploit kit or weaponized document allows the attacker to gain an initial entry
point into the organization.
Prevent by:
• Keep systems patched

• Educating users to recognize phishing attempts
• Blocking known and unknown vulnerability exploits on the endpoint

• Automatically delivering new protections globally to thwart follow-up attacks
4. Installation: After cyberattackers have established an initial foothold, they will install malware to
conduct further operations, such as maintaining access, maintaining persistence, and escalating
privileges. Off-the-shelf tools are the most common method of attack.
Prevent by:
• Preventing malware installation on the endpoint, network, and cloud services
• Establishing secure security zones with strictly enforced user access controls that provide
ongoing monitoring and inspection of all traffic between zones (Zero Trust model)
• Limiting local admin access of users
• Training users to identify the signs of a malware infection and know how to follow up if
something occurs
5. Command and Control: With malware installed, attackers own both sides of the connection: their
malicious infrastructure and the infected endpoint. They can actively control the system and proceed
to the next stages of an attack. Attackers will establish a command channel to be able to
communicate and pass data back and forth between the infected devices and their own
infrastructure. Typical surveillance methods include key logging, audio capture, screen capture, and
webcam capture.
Prevent by:
• Blocking outbound C2 communications
• Blocking uploads that match file and data pattern uploads
• Redirecting malicious outbound communication to internal sinkholes to identify and block
compromised hosts
• Blocking outbound communication to known malicious URLs through URL filtering
• Creating a database of malicious domains to ensure global awareness and prevention
through DNS monitoring
• Limiting the attacker’s ability to move laterally within a network
6. Actions on the Objective: These actions are completed by an active attacker. After attackers have
control, persistence, and ongoing communication between the endpoint and the attacker’s
infrastructure, they will act to achieve their goal. Their objective could be to exfiltrate data, destroy
critical infrastructure, deface a website, or create fear or the means for extortion.
Prevent by:
• Using threat intelligence tools to proactively hunt for indicators of compromise (IoCs) on the
network
• Monitoring and inspecting all traffic between security zones

• Enforcing user access controls across secure zones
• Blocking outbound C2 communications along with traffic that matches file and data pattern
uploads
• Using URL filtering to block outbound communication to known malicious URLs
• Implementing granular control of applications and applying user control to enforce file
transfer application policies on the enterprise
• Eliminating known archiving and transfer tactics and limiting the attacker’s ability to move
laterally within a network
As was mentioned, advanced attacks are very complex because an adversary can succeed only by
progressing through every stage of the attack lifecycle. If they cannot successfully take advantage of
vulnerabilities, then they cannot install malware and will not be able to obtain command and control
over the system. Cyber-security is asymmetric warfare: An attacker must do everything correctly to
succeed, but a network defender needs to do only one thing correctly among multiple opportunities to
prevent an attack.
Disruption of the attack lifecycle relies not only on technology but also on people and processes in the
organization. The people must receive ongoing security awareness training and be educated in best
practices to minimize the likelihood of an attack progressing past the first stage. Processes and policies
must be in place for remediation if an attacker successfully progress through the entire attack lifecycle.
Here is a link to an on-demand webinar that examines the anatomy of real attacks carried out by
advanced adversaries: https://www.paloaltonetworks.com/resources/webcasts/defeat-pragmatic-
adversary.html
Sample questions
1. True or false: Blocking just one stage in the Cyber-Attack Lifecycle is all that is needed to
protect a company's network from attack.
A. True
B. False
2. What are two stages of the Cyber-Attack Lifecycle? (Choose two.)
A. Weaponization and delivery
B. Manipulation
C. Extraction
D. Command and Control
3. Command and control be prevented through which two methods? (Choose two.)
A. exploitation
B. DNS Sinkholing
C. URL filtering
D. reconnaissance

4. Exploitation can be mitigated by which two actions? (Choose two.)
A. keeping systems patched
B. using local accounts
C. blocking known and unknown vulnerability exploits on the endpoint
D. providing admin credentials
Exam Domain 2 – Simply Passing Traffic
2.1 Identify and configure firewall management interfaces.

Management Access to the Palo Alto Firewalls
Four methods are used to manage the Palo Alto Networks next-generation firewalls:
• Web interface
• CLI
• Panorama
• XML API
All Palo Alto Networks firewalls provide an out-of-band management port (MGT) that you can use to
perform firewall administration functions. The MGT port uses the control plane, separating the
management functions of the firewall from the data processing functions (data plane). This
separation between the control plane and data plane safeguards access to the firewall and enhances
performance. When you use the web interface, you must perform all initial configuration tasks from
the MGT port even if you plan to use an in-band data port for managing your firewall. A
serial/console port also is available to accomplish initial configuration of the firewall using SSH or
Telnet.
Some management tasks, such as retrieving licenses and updating the threat and application
signatures on the firewall, require access to the internet, which typically is done via the MGT port. If
you do not want to enable external access via your MGT port, you can set up an in-band data port on
the data plane to provide access to required external services (using service routes). Service routes
are explained in more detail in a following section.
Initial Steps to Gain Access to the Firewall
The first step to gain access to the firewall for the first time is to gather the following information.
Note that if the firewall is set up as a DHCP client, this information will be included automatically via
DHCP.
• IP address for MGT port

• Netmask

• Default gateway
• At least one DNS server address
The second step is to connect a computer to the firewall using either an RJ-45 Ethernet cable or a
serial cable.
An RJ-45 Ethernet cable is connected from your computer to the firewall MGT port. From a browser,
navigate to https://192.168.1.1. Note that you may need to change the IP address on your computer
to an address in the 192.168.1.0/24 subnet, such as 192.168.1.2, to access this URL.
The serial cable is connected from your computer to the firewall console port using terminal
emulation software such as SSH or Telnet. The default connection parameters are 9600-8-N-1.
The third step is to log in to the firewall. The default username is ‘admin’ and the default password is
admin.
Four Firewall Management Methods
Web interface: The web interface is used for configuration and monitoring over HTTP or HTTPS using
a web browser. HTTPS is the default method; HTTP is available as a less secure method than HTTPS.
CLI: The CLI is text-based configuration and monitoring over Secure Shell (SSH) or Telnet using the
console port. The Palo Alto Networks firewall CLI offers access to debugging information and often is

used by experienced administrators for troubleshooting. The account used for authenticating into the
CLI must have CLI access enabled.
The CLI command prompt will be in operational mode by default. The commands available within the
context of operational mode include basic networking commands such as ping and traceroute, basic
system commands such as show, and more advanced system commands such as debug. Commands to
shut down and restart the system also are available from within operational mode.
Access configuration mode by typing the command configure while in operational mode.
Configuration mode enables you to display and modify the configuration parameters of the firewall, verify
candidate configuration, and commit the config.
The following figure shows an example CLI screen with the first lines of show system state while in
operational mode:
Panorama: Panorama is a Palo Alto Networks product that provides centralized web-based
management, reporting, and logging for multiple firewalls. Use Panorama for centralized policy and
firewall management to increase operational efficiency in managing and maintaining a distributed
network of firewalls. If you have six or more firewalls deployed in your network, you should use
Panorama to reduce the complexity and administrative overhead needed to manage configuration,
policies, software, and dynamic content updates. The Panorama web interface is similar to the
firewall web interface, but with additional management functions.
XML API: The XML API provides a representational state transfer (REST)-based interface to access
firewall configurations, operational status, reports, and packet captures from the firewall. An API
browser is available on the firewall at https://<firewall>/api, where <firewall> is the hostname or IP

address of the firewall. You can use this API to access and manage your firewall through a third-party
service, application, or script.
The PAN-OS® XML API can be used to automate tasks such as:
• Create, update, and modify firewall and Panorama configurations

• Execute operational mode commands, such as restarting the system or validating configurations
• Retrieve reports
• Manage users through User-ID
• Update dynamic objects without having to modify or commit new configurations
Interface Management Profiles
Management of Palo Alto Networks firewalls is not limited to using a dedicated MGT interface or console port.
Data interfaces on the data plane also can be used as management interfaces. If the MGT interface goes down, you
can continue to manage the firewall by allowing management access over another data interface. Each data
interface includes configurations for binding various services to them:
• HTTPS (default)
• SSH (default)
• Ping (default)
• Telnet
• HTTP
• SNMP
• Response Pages
• User-ID
An interface management profile protects the firewall from unauthorized access by defining the
protocols, services, and IP addresses that a firewall interface permits for management. For example,
you might want to prevent users from accessing the firewall web interface over the ethernet1/1
interface but allow that interface to receive SNMP queries from your network monitoring system. In
this case, you would enable SNMP and disable HTTP/HTTPS in an interface management profile and
assign the profile to ethernet1/1.
HTTPS includes the web interface service and should be included on at least one data interface. The
Permitted IP Addresses field allows an Access Control List to be included, thus restricting access to any
interface with this profile assigned. If no IP addresses are added to the list of Permitted IP Addresses,
then any IP address is allowed. After at least one IP address is added to the list, only those IP
addresses are allowed access.
You can assign an interface management profile to Layer 3 Ethernet interfaces (including
subinterfaces) and to logical interfaces (aggregate group, VLAN, loopback, and tunnel interfaces). If
you do not assign an interface management profile to an interface, the firewall denies management
access for all IP addresses, protocols, and services by default.

Interface Management Profile Screenshot 1

Interface Management Profile Screenshot 2
Firewall Dashboard Web Interface
Firewall Dashboard
The firewall Dashboard provides information in a condensed format. It is the main screen for
web interface management.

The Dashboard is customizable and allows you to determine which widgets to display:
• Application widgets:
o ACC Risk Factor
o Top Applications
o Top High Risk Applications
• Logs widgets:
o Config Logs
o Data Filtering Logs
o System Logs
o Threat Logs
o URL Filtering Logs
• System widgets:
o General Information
o High Availability
o Interfaces
o Locks
o Logged In Admins
o System Resources
Functional Category Tabs
Management of the firewall is conducted using seven category tabs, which are listed and
briefly described as follows:
The Dashboard Page and Functional Categories Tabs

• Dashboard: Provides general information such as device name, MGT IP address, and licensing
information. This page can be augmented by adding widgets.
• ACC: Uses the firewall logs to graphically depict traffic trends on your network
• Monitor: Provides logging visibility and the ability to run packet captures
• Policies: Allows the creation of policies such as security policies and NAT policies
• Objects: Allows the creation of objects such as Address objects
• Network: Allows the configuration of network parameters such as interfaces and zones
• Device: Allows the configuration of system information such as the hostname or banners
Tasks Icon
The Tasks icon appears at the bottom right. Select it to display the tasks that you, other administrators,
or the PAN-OS software has initiated since the last firewall reboot (for example, manual commits or
automatic FQDN refreshes).

Service Routes
By default, the firewall uses the management interface to communicate with various servers including
those for External Dynamic Lists, DNS, email, and Palo Alto Networks updates servers. The management
interface also is used to communicate with Panorama. Service routes are used so that the
communication between the firewall and servers goes through the data ports on the data plane. These
data ports require appropriate security policies before external servers can be accessed.
Configuring Service Routes

Go to Device > Setup > Services > Service Route Configuration > Customize and configure the
appropriate service routes. See the following figures:

To configure service routes for non-predefined services, you can manually enter the destination
addresses in the Destination section:

In the example shown, the service route for 192.168.27.33 is configured to source from the data plane’s
ethernet1/2 interface, which has a source IP address of 192.168.27.254 192.168.27.254.
Firewall Services
Palo Alto Networks firewalls provide three primary services: DNS, DHCP, and NTP.
DNS
Domain Name System (DNS) is a protocol that translates (resolves) a user-friendly domain name such as
www.paloaltonetworks.com to an IP address so that users can access computers, websites, services, or
other resources on the internet or private networks. You must configure your firewall with at least one
DNS server so it can resolve hostnames.

Configuring DNS
To configure DNS, select Device > Setup > Services > Global and Edit. (For firewalls that do not support
multiple virtual systems, there is no Global tab; edit the Services tab.) On the Services tab, for DNS, click
Servers and enter the Primary DNS Server address and Secondary DNS Server address. Click OK and
Commit.
DHCP
A Palo Alto Networks firewall acting as a DHCP client (host) can request an IP address and other
configuration settings from a DHCP server. The use of DHCP saves time and effort because users need
not know the network’s addressing plan or other options, such as default gateway, they are inheriting
from the DHCP server.
Some configuration parameters that DHCP can learn dynamically follow:
• IP address for MGT port

• Netmask
• Default gateway
• At least one DNS server address

Management Interface DCHP Client Option
NTP
NTP client information is optional. The NTP information can be obtained via DHCP if the firewall is
configured as a DHCP client.
Configuring NTP
Select Device > Setup > Services > Global and Edit. (For firewalls that do not support multiple virtual
systems, there is no Global tab; edit the Services tab.)

Sample questions
1. What are two firewall management methods? (Choose two.)
A. CLI
B. RDP
C. VPN
D. XML API
2. Which two devices are used to can connect a computer to the firewall for management
purposes? (Choose two.)
A. rollover cable
B. serial cable
C. RJ-45 Ethernet cable
D. USB cable
3. What is the default IP address on the MGT interfaces of a Palo Alto Networks firewall?
A. 192.168.1.1
B. 192.168.1.254
C. 10.0.0.1
D. 10.0.0.254
4. What are the two default services that are available on the MGT interface? (Choose two.)
A. HTTPS
B. SSH
C. HTTP
D. Telnet

5. True or false. Service route traffic has Security policy rules applied against it.
A. True
B. False
6. Service routes may be used to forward which two traffic types out a data port? Choose
two.)
A. External Dynamic Lists
B. MineMeld
C. Skype
D. Palo Alto Networks updates
2.2 Identify how to manage firewall configurations.

Manage Configurations Using Candidate and Running Configurations
All configuration changes in a Palo Alto Networks firewall are done to a candidate configuration, which
resides in memory on the control plane. A commit activates the changes since the last commit and
installs the running configuration on the data plane, where it will become the running configuration.

Candidate Configuration
The act of saving your changes to the candidate configuration does not activate those changes. A
commit must be performed on the firewall to activate the changes and to cause the candidate
configuration to become the running configuration. The commit can be done either via the web
interface or the CLI.
The candidate configuration can be saved as either a default snapshot file (snapshot.xml) or as a
custom-named snapshot file (nnnn.xml). However, a firewall does not automatically save the candidate
configuration to persistent storage; you must manually save the candidate configuration. If the firewall
reboots before you commit your changes, you can revert the candidate configuration to the current
snapshot to restore changes you made between the last commit and the last snapshot, using the Revert
to last saved configuration option.

Running Configuration
The running configuration is a configuration that is saved within a file named running-config.xml. The
running configuration exists in data plane memory, where it is used to control firewall traffic and
operate the firewall. A commit operation is necessary to write the candidate configuration to the
running configuration.
After you commit changes, the firewall automatically saves a new version of the running configuration
that is timestamped. You can load a previous version of the running-configuration using the Load
configuration version option. The firewall queues commit requests so that you can initiate a new
commit while a previous commit is in progress. The firewall performs the commits in the order they are
initiated but prioritizes commits that the firewall initiates automatically, such as FQDN refreshes.
If a system event or administrator action causes a firewall to reboot, the firewall automatically reverts to
the current version of the running configuration.
Manage Running and Candidate Configurations
Palo Alto Networks firewall configurations are managed using five categories, which are found under
Device > Setup > Operations and are described in the next sections:
• Revert
• Save
• Load
• Export
• Import
As a best practice, periodically save candidate configurations.

Revert to Last Saved Configuration
This option restores the default snapshot (snapshot.xml) of the candidate configuration (the snapshot
that you create or overwrite when you click Device > Setup > Operations > Save candidate
configuration or Save at the top right of the web interface). This option restores the last saved
candidate configuration from the local drive. The current candidate configuration is overwritten. This
quick restore is useful when you work on “hot” boxes.
The first message asks if you want to continue with the restore:
The second message informs you which file has been restored:
Revert to Running Configuration
This option restores the current running configuration. This operation undoes all the changes you made
to the candidate configuration since the last commit and restores the config from the running-config.xml
file.
The first message asks if you want to continue with the revert:

The second message informs you which file has been restored.
Save Named Configuration Snapshot
This option creates a candidate configuration snapshot that does not overwrite the default
snapshot (.snapshot.xml). Enter a custom name for the snapshot or select an existing snapshot
to overwrite. This function is useful when you create a backup file or a test configuration file
that could be downloaded for a further modification or testing in the lab environment.

Save Candidate Configuration
This option creates or overwrites the default snapshot (snapshot.xml) of the candidate configuration
(the snapshot that you create or overwrite when you click Device > Setup > Operations > Save
candidate configuration or Save at the top right of the web interface).
Load Named Configuration Snapshot
This option overwrites the current candidate configuration with one of the following:
• Custom-named candidate configuration snapshot (instead of the default snapshot)
• Custom-named running configuration that you imported
• Current running configuration (running-config.xml)

Load Configuration Version
This option overwrites the current candidate configuration with a previous version of the running
configuration that is stored on the firewall. The firewall creates a timestamped version of the running
configuration whenever a commit is made.

Export Named Configuration Snapshot
This option exports the current running configuration, a candidate configuration snapshot, or a
previously imported configuration (candidate or running). The firewall exports the configuration as an
XML file with the specified name. You can save the snapshot in any network location. These exports
often are used as backups. These XML files also can be used as templates for building other firewall
configurations.
Export Configuration Version
This option exports a version of the running configuration as an XML file.
Export Device State
This option exports the firewall state information as a file. In addition to the running configuration, the
state information includes device group and template settings pushed from Panorama, if applicable. If
the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites
that the portal manages, and satellite authentication information. If you replace a firewall or portal, you
can restore the exported information on the replacement by importing the state bundle.
Import Named Configuration Snapshot
This option imports a running or candidate configuration as an XML file from any network location such
as a host computer. Click Browse and select the configuration file to be imported. The XML file then can
be loaded as a candidate configuration and even ultimately loaded as the running configuration if
required.

Import Device State
This option imports the state information file that you exported from a firewall using the Export device
state option. The state information includes the running configuration and device group and template
settings pushed from Panorama, if applicable. If the firewall is a GlobalProtect portal, the bundle also
includes certificate information, a list of satellites, and satellite authentication information. If you
replace a firewall or portal, you can restore the information on the replacement by importing the state
bundle.
Sample questions
1. Which plane does the running-config reside on?
A. Management
B. Control
C. Data
D. Security
2. Which plane does the candidate config reside on?
A. Management
B. Control
C. Data
D. Security

3. Candidate config and running config files are saved as which file type?
A. EXE
B. TXT
C. HTML
D. XML
E. RAR
4. Which command must be performed on the firewall to activate any changes?
A. commit
B. save
C. load
D. save named
E. import
F. copy
5. Which command backs up configuration files to a remote network device?
A. import
B. load
C. copy
D. export
6. The command load named configuration snapshot overwrites the current
candidate configuration with which three items? (Choose three.)
A. custom-named candidate configuration snapshot (instead of the default snapshot)
B. custom-named running configuration that you imported
C. snapshot.xml
D. current running configuration (running-config.xml)
E. Palo Alto Updates
2.3 Identify and schedule dynamic updates.

Dynamic Updates
To ensure that you are always protected from the latest threats (including those that have
not yet been discovered), you must keep your firewalls up-to-date with the latest content
and software updates published by Palo Alto Networks. Palo Alto Networks regularly posts
updates for application detection, threat protection, and GlobalProtect data files through
dynamic updates.

The following content updates are available, depending on which subscriptions you have:
• Antivirus: Includes new and updated antivirus signatures, including WildFire® signatures and
automatically-generated command-and-control (C2) signatures. WildFire signatures detect
malware seen first by firewalls from around the world. You must have a Threat Prevention
subscription to get these updates. New antivirus signatures are published daily.
• Applications: Includes new and updated application signatures. This update does not require
any additional subscriptions, but it does require a valid maintenance/support contract. New
applications are published monthly, and modified applications are published weekly. To best
deploy application updates to ensure application availability, be sure to follow the Best Practices
for Application and Threat Content Updates.
• Applications and Threats: Includes new and updated application and threat signatures,
including those that detect spyware and vulnerabilities. This update is available if you have a
Threat Prevention subscription (and you get it instead of the Applications update). New and
modified threat signatures and modified applications signatures are published weekly; new
application signatures are published monthly. The firewall can retrieve the latest update within

30 minutes of availability. To best deploy application and threat updates based on your security
and application availability needs, be sure to follow the Best Practices for Application and Threat
Content Updates.
• GlobalProtect Data File: Contains vendor-specific information for defining and evaluating host
information profile (HIP) data returned by GlobalProtect apps. You must have a GlobalProtect
license (subscription) and create an update schedule to receive these updates.
• GlobalProtect Clientless VPN: Contains new and updated application signatures to enable
clientless VPN access to common web applications from the GlobalProtect portal. You must
have a GlobalProtect license (subscription) and create an update schedule to receive these
updates and enable clientless VPN to function.
• Palo Alto Networks (PAN-DB) URL filtering: Complements App-ID by enabling you to configure
the firewall to identify and control access to web (HTTP and HTTPS) traffic and to protect
your network from attack. If URL filtering is enabled, all web traffic is compared against the
URL filtering database, which contains a listing of millions of websites that have been
categorized into 60 to 80 categories.
Although the Palo Alto Networks URL filtering solution supports both BrightCloud and PAN-DB, only the
PAN-DB URL filtering solution allows you to choose between the PAN-DB Public Cloud and the PAN-DB
Private Cloud. Use the public cloud solution if the Palo Alto Networks next-generation firewalls on your
network can directly access the internet. If the network security requirements in your enterprise
prohibit the firewalls from directly accessing the internet, you can deploy a PAN-DB private cloud on one
or more M-500 appliances that function as PAN-DB servers within your network. PAN-DB URL filtering
requires a PAN-DB URL filtering license.
Every 5 to 10 minutes a new version is published that contains updated categorization data and an
incremented version number. Each time the Palo Alto Networks firewall sends a request to the cloud, it
checks the current version number. If the number is different, the firewall upgrades the device’s version
to the current cloud version. The primary purpose of the frequency of updates is to leverage native
integration with WildFire®, which creates new signatures and records malicious URLs every 5 minutes.
• BrightCloud URL Filtering: Provides updates to the BrightCloud URL filtering database only.
You must have a BrightCloud subscription to get these updates. New BrightCloud URL
database updates are published daily.
• WildFire: Available with a WildFire subscription, this update provides near- real-time
malware and antivirus signatures created as a result of the analysis done by the WildFire
cloud service. As a best practice, schedule the firewall to retrieve any WildFire updates every
minute). If you have a Threat Prevention subscription and not a WildFire subscription, you
must wait 24 to 48 hours for the WildFire signatures to be added into the antivirus update.
• WF-Private: Provides malware signatures generated by an on-premises WildFire appliance.
Downloading and Installing Updates
You can view the latest updates, read the release notes for each update, and then select the update you
want to download and install. You also can revert to a previously installed version of an update.

Always review Content Release Notes for the list of the newly identified and modified applications and
threat signatures that the content release introduces.
You can download updates directly from the Palo Alto Networks update server. You also can
download the updates to another system such as a user desktop or a Panorama
management appliance and then upload them to the firewall. Whether you download an
update through the web or upload an update from Panorama, the update will appear in the
list of available updates at Device > Dynamic Updates. Click Install to install the updates.
Downloading Updates
Installing Updates

Software Updates
PAN-OS® updates are managed in the Device > Software section of the web interface. A final system
reboot must be performed to put the new PAN-OS software into production. This reboot is disruptive
and should be done during a change control window.
The software downloads are done over the MGT interface by default. A data interface can be used to
download the software using a service route. The latest version of applications and threats must be
installed to complete the software installation. If your firewall does not have internet access from the
management port, you can download the software image from the Palo Alto Networks Customer
Support Portal and then manually Upload it to your firewall.
Before you upgrade to a newer version of software:
• Always review the release notes to determine any impact of upgrading to a newer version of
software.
• Ensure the firewall is connected to a reliable power source. A loss of power during an
upgrade can make the firewall unusable.
• Although the firewall automatically creates a configuration backup, a best practice is to
create and externally store a backup before you upgrade.
To upgrade to a newer version of software, complete the following steps:
1. Ensure you follow the correct upgrade path. When you upgrade, typically you must
download the x.0 base release before you install the maintenance or feature release.
For example, to upgrade from 7.x.y to 8.x.y, download both 8.0 and 8.x.y. 8.0
automatically is installed when you install 8.x.y.
2. Select Device Software and click Check Now to display the latest PAN-OS updates.
3. Locate and Download the applicable PAN-OS software
4. After you download the image (or, for a manual upgrade, after you upload the
image), Install the image.
1. After the installation completes successfully, reboot using one of the following
methods:
o If you are prompted to reboot, click Yes.
o If you are not prompted to reboot, select DeviceSetupOperations and
click Reboot Device.
5. After the installation completes successfully, reboot the firewall.

6. Verify that the firewall is passing traffic.
Select Monitor Session Browser and verify that you are seeing new sessions:

Sample questions
1. What is the shortest time interval that you can configure a Palo Alto Networks firewall to
download WildFire updates?
A. 1 minute
B. 5 minutes
C. 15 minutes
D. 60 minutes
2. What is the publishing interval for WildFire updates, with a valid WildFire license?
A. 1 minute
B. 5 minutes
C. 15 minutes
D. 60 minutes
3. True or false. A Palo Alto Networks firewall automatically provides a backup of the config
during a software upgrade.
A. True
B. False
4. If you have a Threat Prevention subscription and not a WildFire subscription, how long must
you wait for the WildFire signatures to be added into the antivirus update?
A. 1 to 2 hours
B. 2 to 4 hours
C. 10 to 12 hours
D. 12 to 48 hours

5. Which three actions should you complete before you upgrade to a newer version of
software? (Choose three.)
A. Review the release notes to determine any impact of upgrading to a newer version
of software.
B. Ensure the firewall is connected to a reliable power source.
C. Export the device state.
D. Create and externally store a backup before you upgrade.
6. What are five ways to download software? (Choose five.)
A. over the MGT interface on the control plane
B. over a data interface on the data plane
C. upload from a computer
D. from the Palo Alto Networks Customer Support Portal
E. from the PAN-DB database
F. from Panorama
2.4 Configure internal and external services for account administration.

Administrator accounts control access to firewalls. By default, Palo Alto Networks firewalls have a
predefined, default local admin account that has full access. Admin accounts can be either local or non-
local (external). Additional local or external admin accounts can be created with customized
administrative privileges by assigning them to admin role profiles, or you can assign admin accounts to
built-in account types using dynamic roles.
Administrative Role Types
A role defines the type of access that an administrator has to the firewall. The two role types are admin
role profile roles and dynamic roles:
• Admin role profile roles: These are custom roles you can configure for more granular access
control over the functional areas of the web interface, CLI, and XML API. For example, you can
create an admin role profile role for your operations staff that provides access to the firewall
and network configuration areas of the web interface and a separate profile for your security
administrators that provides access to security policy definitions, logs, and reports. On a firewall
with multiple virtual systems, you can select whether the role defines access for all virtual
systems or specific virtual systems. After new features are added to the product, you must
update the roles with corresponding access privileges; the firewall does not automatically add
new features to custom role definitions.
Administrator Account Configuration

Admin Role Profile Types
Web Interface XML API
CLI

• Dynamic roles: These are built-in or predefined roles that provide access to the firewall. When
new features are added, the firewall automatically updates the definitions of dynamic roles; you
never need to manually update them. The following list identifies the access privileges
associated with dynamic roles.
o Superuser: Full access to the firewall, including defining new administrator accounts and
virtual systems. You must have superuser privileges to create an administrative user with
superuser privileges.
o Superuser (read-only): Read-only access to the firewall
o Virtual system administrator: Full access to a selected virtual system (vsys) on the firewall
o Virtual system administrator (read-only): Read-only access to a selected vsys on the firewall
o Device administrator: Full access to all firewall settings except for defining new accounts or
virtual systems
o Device administrator (read-only): Read-only access to all firewall settings except password
profiles (no access) and administrator accounts (only the logged-in account is visible)
Administrator Account Configuration
Local admin accounts are authenticated using a local database.

External admin accounts require an external authentication service that is specified using an
authentication profile.
PAN-OS® software supports the following authentication types:
• None
• Local Database
• RADIUS
• LDAP
• TACACS+
• SAML
• Kerberos
Authentication profiles provide authentication settings that you can apply to administrator accounts,
SSL-VPN access, and Captive Portal. An Authentication Profile configuration screenshot follows:
Authentication Profiles
Authentication profiles reference server profiles.

Authentication Profile References a Server Profile
A server profile includes the server name, its IP address, the service port that it is listening to, and other
values. An example of a RADIUS Server Profile follows:
Server Profile
Authentication Sequence
Admin roles for external admin accounts can be assigned to an Authentication Sequence, which includes
a sequence of one or more authentication profiles that are processed in a specific order. The firewall

checks against each authentication profile within the Authentication Sequence until one authentication
profile successfully authenticates the user. If an external admin account does not reference an
Authentication Sequence, it directly references an authentication profile instead. A user is denied access
only if authentication fails for all the profiles in the authentication sequence. A depiction of an
Authentication Sequence follows:
Authentication Sequence
Admin Account Passwords
To ensure tighter security, you should enable Minimum Password Complexity Requirements. These
global settings are applied to all admin accounts and help protect the firewall against unauthorized
access for administrator accounts that require stricter complexity and aging requirements than do
accounts for standard administrators.

Global Minimum Password Complexity Requirements
A password profile can be assigned to an admin account, which overrides the global password settings:
Password Profile
Config Logs
Config logs display entries for changes to the firewall configuration. Each entry includes the date and
time, the administrator username, the IP address from where the administrator made the change, the
type of client (web, CLI, or Panorama), the type of command executed, the command status (succeeded
or failed), the configuration path, and the values before and after the change.

Sample questions
1. Which two statements are true about an admin role profile role? (Choose two.)
A. It is a built-in role.
B. It can be used for CLI commands.
C. It can be used for XML API.
D. Superuser is an example.
2. PAN-OS software supports which two authentication types? (Choose two.)
A. RADIUS
B. SMB
C. TACACS+
D. AWS
3. Which two dynamic role types are available on the PAN-OS software? (Choose two.)
A. Superuser
B. Superuser (write only)
C. Device user
D. Device administrator (read-only):

4. Which type of profile does an Authentication Sequence include?
A. Security
B. Authorization
C. Admin
D. Authentication
5. An authentication profile includes which other type of profile?
A. Server
B. Admin
C. Customized
D. Built-in
6. True or False: Dynamic roles are called “dynamic” because you can customize them.
A. True
B. False
7. What is used to override global Minimum Password Complexity Requirements?
A. authentication profile
B. local profile
C. password role
D. password profile
2.5 Given a network diagram, create the appropriate security zones.

Security Zones
The Palo Alto Networks firewalls use security zones to analyze, control, and log network traffic as it
traverses from one zone interface to another zone interface. Zones logically group networks that
contain particular types of traffic that are contained within defined security classifications. Examples of
such classifications are Internet, Data Center Applications, Users, IT Infrastructure, and Customer Data.
Security zones are divided into two broad categories: Intrazone and Interzone. Intrazone traffic, by
default, allows traffic to flow between interfaces that exist in the same zone. Interzone traffic, by
default, denies traffic from flowing between interfaces that exist in different zones. Security zones
contain one or more physical or virtual interfaces. An interface can belong to only one zone.
Security policy rules are applied to zones (not interfaces) to allow or deny traffic, apply QoS, perform
NAT, apply security profiles, or set logging parameters. Security policy rules are described in another
section of this study guide.
The following diagram is an example of network segments partitioned into multiple zones based on their
security classification. The zones and the corresponding security policies should be made as definitive as
possible to reduce your network’s attack surface. All zone names are custom names that are defined by

the firewall administrator. There are five primary zone types (Tap, Layer 2, Layer 3, Tunnel, and Virtual
Wire) that support only specific interface types, as depicted in the following figure. Different zone and
interface types can be used simultaneously on different physical firewall interfaces. An interface can
belong to only one zone. Tunnel zones became available in PAN-OS® 8.0 and are used for a feature
named tunnel content inspection.
A sixth zone type named External is a special zone that is available only on some firewall models. The
External zone allows traffic to pass between virtual systems when multiple virtual systems are
configured on the same firewall. Virtual systems are supported only on the PA-2000, -3000, -4000, -
5000, and -7000 Series firewalls. The External zone type is visible in the drop-down list only when it is
supported by a firewall with the virtual systems feature enabled.
Note that MGT and HA interfaces are not assigned to a zone.
Zones need to be created and configured by assigning a zone name and specifying the zone type.
Interfaces do not have to be configured prior to the zone’s creation; they can be assigned to a zone
later. Note that zone names are case-sensitive.

Five Zone Types
The following figure shows that the Layer 3 Zone allows four interface types: Layer 3 (Ethernet1/6),
loopback, tunnel, and vlan:

Sample questions
1. Which two default zones are included with the PAN-OS software? (Choose two.)
A. Interzone
B. Extrazone
C. Intrazone
D. Extranet
2. Which two zone types are valid? (Choose two.)
A. Trusted
B. Tap
C. Virtual Wire
D. Untrusted
E. DMZ
3. What is the zone of type Externa used to pass traffic between?
A. Layer 2 interfaces
B. Layer 3 interfaces
C. virtual routers
D. virtual systems
4. Which two statements are correct? (Choose two.)
A. Interfaces must be configured before you can create a zone.
B. Interfaces do not have to be configured before you can create a zone.
C. An interface can belong to only one zone.
D. An interface can belong to multiple zones.
5. Which three interface types can belong in a Layer 3 zone? (Choose three.)
A. loopback
B. Layer 3
C. tunnel
D. virtual wire
6. What are used to control traffic through zones?
A. access lists
B. security policy lists
C. security policy rules
D. access policy rules

2.6 Identify and configure firewall interfaces.

Types of Ethernet Interfaces
PAN-OS® software includes five different Ethernet interface types: Tap, Virtual Wire, Layer 2, Layer 3, and
HA. (High Availability [HA] interfaces are not discussed in this section). A firewall can be configured with
multiple instances of each interface type to accommodate its functional requirements within a network.
The following figure shows how a firewall can be used in Tap, Virtual Wire, Layer 2. or Layer 3 mode.
Five Ethernet Interface Types
Flexible Deployment Options for Ethernet
• App-ID, Content-ID, and User-ID • SSL decryption (no • All the Virtual Wire mode
visibility without inline encryption) capabilities including Layer 2 or
deployment Layer 3 services: virtual routers,
• Allows NAT
• Traffic logged to provide visibility VPN, and routing protocols

Other available interface types include the following:
• Decrypt Mirror: PA-3000 Series, PA-5000 Series, and PA-7000 Series firewalls only. This feature
enables decrypted traffic from a firewall to be copied and sent to a traffic collection tool that
can receive raw packet captures, such as NetWitness or Solera, for archiving and analysis.
Decrypt Mirror is often used to route decrypted traffic through an external interface to a data
loss prevention (DLP) service. DLP is a product category for products that scan internet-bound
traffic for keywords and patterns that identify sensitive information. Note that a free license is
required to use this feature.
• Log card: For PA-7000 Series firewalls only. A log card data port performs log forwarding for
syslog, email, Simple Network Management Protocol (SNMP), and WildFire® file forwarding.

One data port on a PA-7000 must be configured as a log card interface because the MGT
interface cannot handle all the logged traffic.
• Aggregate: Used to bundle multiple physical HA3, Virtual Wire, Layer 2, or Layer 3 interfaces
into a logical interface for better performance (via load-balancing) and redundancy using IEEE
802.1AX (LACP) link aggregation. The interface types to be bundled must be the same. All Palo
Alto Networks firewalls except the PA-200 and VM-Series models support Aggregate Ethernet
(AE) interface groups.
• HA interface: Each high availability (HA) interface has a specific function. One HA interface is for
configuration synchronization and heartbeats; the other HA interface is for state
synchronization. If active/active high availability is enabled, the firewall can also use a third HA
interface to forward packets.
• Management: MGT interfaces are used to manage a firewall using either an RJ-45 or serial or
console port.
• Loopback: Loopback interfaces are Layer 3 virtual interfaces that connect to virtual routers in
the firewall. Loopback interfaces are used for multiple network engineering and implementation
purposes. They can be destination configurations for DNS sinkholes, GlobalProtect service
interfaces (portals and gateways), routing identification, and more.
• Tunnel: A tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver
encrypted traffic between two endpoints. The tunnel interface must belong to a security zone to
before policy can be applied, and it must be assigned to a virtual router to use the existing
routing infrastructure. A tunnel interface does not require an IP address to route traffic between
the sites. An IP address is only required if you want to enable tunnel monitoring or if you are
using a dynamic routing protocol to route traffic across the tunnel.
Tap, Virtual Wire, Layer 2, and Layer 3 interfaces
• Tap: A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN
port. This mirrored traffic is forwarded by a switch port to a firewall’s Tap interface and is
analyzed for App-ID, User-ID, Content-ID, and other traffic, just like any other normal data traffic
that would pass through the firewall. Before traffic can be logged, a security policy must be
configured that includes the Tap zone. Tap interfaces are easy to deploy and can be
implemented without disruption to your existing network. Tap mode offers visibility in the
Traffic log and also the ACC tab of the Dashboard. The information can be used to help
configure security policy rules, and to make other firewall configuration changes. Tap traffic is
not managed (blocked, allowed, or shaped) TAP interfaces must be assigned to a Tap zone.

To configure a Tap interface, go to Network > Interfaces > Ethernet > <select_interface>.
Virtual Wire
A Virtual Wire interface is used to simply pass traffic through a firewall by binding two Ethernet
interfaces, allowing traffic to pass between them. Virtual Wire interfaces are often placed between an

existing firewall and a secured network to allow analysis of the traffic before actually migrating from a
legacy firewall to a Palo Alto Networks firewall.
• No IP or MAC addresses are assigned to virtual wire interfaces. No routing or switching is done
on a Virtual Wire interface. A virtual wire interface that receives a frame or packet ignores any
Layer 2 or Layer 3 addresses for switching or routing purposes, but applies your security or NAT
policy rules before passing an allowed frame or packet over the virtual wire to the second
Virtual Wire interface and on to the network device connected to it. A virtual wire requires no
changes to adjacent network devices. A virtual wire can bind two Ethernet interfaces of the
same medium (either copper or both fiber), or bind a copper interface to a fiber interface.
• Two Virtual Wire interfaces, each in a virtual wire zone (the zone came be the same or
different), and a virtual wire object are required to complete a virtual wire configuration. The
following figure shows one interface in one zone (Internet) and the other interface in another
zone (Inside). If both interfaces are in different zones (interzone traffic), all traffic will be
inspected by security policy rules until sessions can be established, and then you can check for
User-ID, App-ID, and Content-ID, and perform logging, QoS, decryption, LLDP, zone protection,
DoS protection, and NAT.
• If both interfaces are in the same zone (intrazone traffic), all of the traffic would be allowed by
default, and sessions can be easily established. However, you also can check for User-ID, App-ID,
and Content-ID, and perform logging, QoS, decryption, LLDP, zone protection, DoS protection,
and NAT.
• Virtual Wire interfaces can be subdivided into Virtual Wire subinterfaces that can be used to
classify traffic according to VLAN tags, IP addresses, IP ranges, or subnets. Use of subinterfaces
allows you to separate traffic into different zones for more granular control than regular (non-
subinterface) Virtual Wire interfaces.

To configure a Virtual Wire object, go to Network > Virtual Wires > Add.
To configure a Virtual Wire interface, go to Network > Interfaces > Ethernet > <select_interface>.

Virtual Wire Subinterfaces
Virtual wire deployments can use virtual wire subinterfaces to separate traffic into different zones.
Virtual Wire subinterfaces provide flexibility in enforcing distinct policies when you need to manage
traffic from multiple customer networks. Virtual Wire subinterfaces allow you to control and separate
traffic by specifying criteria such as VLAN tags and IP classifiers. IP classifiers consist of host IP addresses,
IP subnets, and IP ranges. Assign each subinterface to a different zone, and then enforce security
policies for the traffic that matches the defined criteria. Note that zones can belong to separate virtual
systems.

To configure a Virtual Wire subinterface, go to Network > Interfaces > Ethernet > <select_interface>.

Virtual Wire Subinterface
Layer 2 Interfaces
Layer 2 interfaces are used to switch traffic between other Layer 2 interfaces. Before switching can take
place, each Layer 2 interface must be assigned to a VLAN object. Assignment of interfaces that belong to
the same VLAN but exist in different Layer 2 zones allow you to analyze, shape, manage, and decrypt the
traffic. Layer 2 traffic can route to other Layer 3 interfaces using a Layer 3 VLAN interface. Note that
Layer 2 interfaces do not participate in spanning tree other than forward BPDUs.

To configure a VLAN object, go to Network > VLAN > Add.

To configure a Layer 2 interface, go to Network > Interfaces > Ethernet > <select_interface>.
Layer 2 Subinterfaces
Layer 2 interfaces can be subdivided into Layer 2 subinterfaces. For each Ethernet port configured as a
physical Layer 2 interface, you can define an additional logical Layer 2 interface (subinterface) for each
VLAN tag assigned to the traffic that the port receives. The firewall enables Layer 2 switching between
Layer 2 subinterfaces that are connected to the same VLAN object. To enable switching between Layer 2
subinterfaces, assign the same VLAN object to the subinterfaces. Even though Layer 2 subinterfaces are
available on a Palo Alto Networks firewall, the best practice is to use Layer 3 subinterfaces. Use of Layer
3 subinterfaces isolates Layer 2 traffic, yet provides routing between subnets.

To configure a Layer 2 subinterface, go to Network > Interfaces > Ethernet > <select_interface>.

Layer 2 Subinterface
Layer 3 Interfaces
In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. A Virtual Router object
must exist for the firewall to route traffic between Layer 3 interfaces. Layer 3 interfaces are assigned IP
addresses. PAN-OS® software supports both IPv4 and IPv6 addressing. As is the case in most interface
types, Layer 3 traffic can be monitored, analyzed, managed, shaped, translated, and encrypted or
decrypted. If a tunnel is used for routing or if tunnel monitoring is turned on, the tunnel needs an IP
address. The Advanced tab contains options that enable you to configure a variety of Layer 3 interface
settings such as MTU, static ARP, LLDP, IPv6 NDP, link speed, and duplex settings. Both IPv4 and IPv6
addresses can be configured on a single interface.
Loopback interfaces are Layer 3 virtual interfaces that connect to virtual routers in the firewall.
Loopback interfaces are used for multiple network engineering and implementation purposes. They can
be destination configurations for DNS sinkholes, GlobalProtect service interfaces (portals and gateways),
routing identification, and more.
Unlike Tap, Virtual Wire, or Layer 2 interfaces, Layer 3 interfaces can be used to manage firewalls using
an interface management profile. An interface management profile protects the firewall from
unauthorized access by defining the protocols, services, and IP addresses that a firewall Layer 3 interface
permits for management traffic. Interface management profiles are discussed in more detail in a
different section of this study guide.

Example of an Interface Management Profile
You can configure a Layer 3 interface with one or more static IPv4 addresses or as a DHCP client. A single
Layer 3 interface can be assigned multiple IPv4 addresses, although they should not be in the same
subnet. You can configure a Layer 3 interface with one or more IPv6 addresses, either as a link-local
address or a Global address.
Layer 3 interfaces also can be configured as subinterfaces, where each subinterface is assigned a unique
IP address.

To configure a virtual router object, go to Network > Virtual Routers > Add.

To configure a Layer 3 interface, go to Network > Interfaces > Ethernet > <select_interface>.
Layer 3 Subinterfaces
For each Ethernet port configured as a physical Layer 3 interface, you can define additional logical Layer
3 interfaces (subinterfaces). Layer 3 subinterfaces possess the same capabilities and features as Layer 3
interfaces, with a difference being that Layer 3 subinterfaces are assigned to 802.1Q VLANs. A Virtual
Router object is required to route traffic between each VLAN.

To configure a Layer 3 subinterface, go to Network > Interfaces > Ethernet > <select_interface>.

Sample questions
1. Which two actions can be done with a Tap interface? (Choose two.)
A. encrypt traffic
B. decrypt traffic
C. allow or block traffic
D. log traffic
2. Which two actions can be done with a Virtual Wire interface? (Choose two.)
A. NAT
B. route
C. switch
D. log traffic
3. Which two actions can be done with a Layer 3 interface? (Choose two.)
A. NAT
B. route
C. switch
D. create a Virtual Wire object
4. Layer 3 interfaces support which two items? (Choose two.)
A. NAT
B. IPv6
C. switching
D. spanning tree

5. Layer 3 interfaces support which three advance settings? (Choose three.)
A. IPv4 addressing
B. IPv6 addressing
C. NTP configuration
D. NDP configuration
E. link speed configuration
F. link duplex configuration
6. Layer 2 interfaces support which three items? (Choose three.)
A. spanning tree blocking
B. traffic examination
C. forwarding of spanning tree BPDUs
D. traffic shaping via QoS
E. firewall management
F. routing
7. Which two interface types support subinterfaces? (Choose two.)
A. Virtual Wire
B. Layer 2
C. Loopback
D. Tunnel
8. Which two statements are true regarding Layer 3 interfaces? (Choose two.)
A. You can configure a Layer 3 interface with one or more as a DHCP client.
B. You can assign only one IPv4 addresses to the same interface.
C. You can enable an interface to send IPv4 Router Advertisements by selecting the Enable
Router Advertisement check box on the Router Advertisement tab.
D. You can apply an interface management profile to the interface.
2.7 Given a scenario, identify steps to create and configure a virtual router.
Virtual Routers
Virtual routers obtain routes to remote subnets either by the manual addition of static routes or the
dynamic addition of routes using dynamic routing protocols. Each Layer 3 Ethernet, loopback, VLAN, and
tunnel interface defined on the firewall must be associated with a virtual router. Although each
interface can belong to only one virtual router, you can configure multiple routing protocols and static
routes for a virtual router.
Dynamic routing protocols available on a Palo Alto Networks firewall are as follows:

• BGP4
• OSPFv2
• OSPVv3
• RIPv2
Multicast routing protocols available on a Palo Alto Networks firewall are as follows:
• IGMPv1, IGMPv2, IGMPv3
• PIM-SM, PIM-ASM, PIM-SSM
Dynamic routing protocols have administrative distances applied to them that are used to determine the
best route to a destination when multiple routes are available from two different routing protocols. The
default administrative distances can be modified.
You can create multiple virtual routers, each of which maintains a separate set of routes that aren’t
shared between these virtual routers, thus enabling you to configure different routing behaviors for
different interfaces. Virtual routers can route to other virtual routers within the same firewall if a next
hop is specified to reach another virtual router.
The firewall initially populates its learned routes into the firewall’s IP routing information base (RIB). The
virtual router obtains the best route from the RIB, and then places it in the forwarding information base
(FIB). Packets then are forwarded to the next hop router defined in the FIB.

Virtual Router General Configuration Settings
The administrative distances are shown on the right side of the following screencap. Most of these
distances are consistent with the values in RFCs, but they can be modified to reflect the needs of your
environment.

Static Route Configuration Settings
Static routes have the lowest administrative distances by default, other than locally connected routes.
This default administrative distance value is 10, which can be changed.
Static routes have a default metric value of 10, which also can be changed. If you have multiple static
routes to the same destination, you can make one preferable over the other by changing the metric. The
default metric in the following example was changed from its default value of 10 to 5:

Path Monitoring for Static Routes Configuration Settings
Path monitoring monitors upstream interfaces on remote, reliable devices using ICMP pings. If the path
monitoring fails, an associated static route is removed from the routing table. An alternative route then
can be used to route traffic.

This static route is removed from the routing table until reachability to the next hop is obtained.

Virtual Router Forwarding Information Base
The following screenshot shows the CLI output of the FIB. A GUI runtime display also is available.

Sample questions
1. What is the default administrative distance of a static route within the PAN-OS® software?
A. 1
B. 5
C. 10
D. 100
2. Which two dynamic routing protocols are available in the PAN-OS® software? (Choose two.)
A. RIP1
B. RIPv2
C. OSPFv3
D. EIGRP
3. Which value is used to distinguish the preference of routing protocols?
A. Metric
B. Weight
C. Distance
D. Cost
E. Administrative Distance
4. Which value is used to distinguish the best route within the same routing protocol?
A. Metric
B. Weight
C. Distance
D. Cost
E. Administrative Distance
5. In path monitoring, what is used to monitor remote network devices?
A. Ping
B. SSL
C. HTTP
D. HTTPS
E. Link State
2.8 Identify the purpose of specific security rule types.

Security Rule Types
Security policies allow you to enforce rules and take action, and can be as general or as specific as
needed. The policy rules are compared against the incoming traffic in sequence. The more specific rules
must precede the more general ones, because the first rule that matches the traffic is applied.

The default rules apply for traffic that doesn’t match any user-defined rules. These default rules are
displayed at the bottom of the security rulebase. The default rules are predefined rules that are part of
the predefined configuration and are read-only by default; you can override them and change a limited
number of settings, including the tags, action (allow or deny), log settings, and security profiles. The
names for the two default rules are intrazone-default and interzone-default.
Default Rules: Intrazone Default and Interzone Default
Intrazone Security Policy

Interzone Security Policy
The following table describes the three types of security policy:
Rule Type Description
A security policy allowing traffic within the same zone. Intrazone rule types
apply to all matching traffic within the specified source zones (a destination
Intrazone zone cannot be specified for intrazone rules).
• Default rule For example, if the source zone is being set to A and B, the rule would apply to
• Displayed at the all traffic within zone A and all traffic within zone B, but not to traffic between
bottom of the zones A and B.
security rulebase
Traffic logging is not enabled by default. However, best practice is to log the
traffic.
A security policy allowing traffic between two different zones. However, the
traffic within the same zone will not be allowed when the policy is created as
type Interzone. Interzone rule types apply to all matching traffic between the
Interzone specified source and destination zones.
• default rule For example, if the source zone is being set to A, B, and C and the destination
• Displayed at the zone to A and B, the rule would apply to traffic from zone A to zone B, from
bottom of the zone B to zone A, from zone C to zone A, and from zone C to zone B, but not to
security rulebase traffic within zones A, B, or C.
Traffic logging is not enabled by default. However, best practice is to log the
traffic.
Universal
By default, all the traffic destined between two zones, regardless of whether it

Rule Type Description
• Exists above the is from the same zone or different zone. Universal rule types apply to all
intrazone and matching interzone and intrazone traffic in the specified source and
interzone security destination zones.
policies
For example, if a universal role is being created with source zones A and B and
destination zones A and B, the rule would apply to all traffic within zone A, all
traffic within zone B, and all traffic from zone A to zone B and all traffic from
zone B to zone A.
Traffic logging is enabled by default.
Sample questions
1. What are the two default (predefined) security policy types in PAN-OS® software? (Choose
two.)
A. Universal
B. Interzone
C. Intrazone
D. Extrazone
2. True or false. Because the first rule that matches the traffic is applied, the more specific rules
must follow the more general ones.
A. True
B. False
3. Which statement is true?
A. For Intrazone traffic, traffic logging is enabled by default.
B. For Interzone traffic, traffic logging is enabled by default.
C. For Universal traffic, traffic logging is enabled by default.
D. none of the above

2.9 Identify and configure security policy match conditions, actions, and logging
options.
Implicit and Explicit Rules
Two implicit (predefined) security policy rules come with the PAN-OS® software: intrazone and
interzone. The intrazone security policy rule allows traffic within a zone by default. The interzone
security policy does not allow traffic between zones by default. These two predefined security policies
reside at the bottom of the security rulebase set, and are processed after all other preceding security
policy rules are processed. All preceding security rules must be explicitly defined by an administrator.
Note that traffic is not logged by default for the predefined rules and that traffic is logged by default for
explicitly defined rules. Best practice is to log for all security policies, whether implicit or explicit.
A shadow rule warning indicates that a broader rule matching the criteria is configured above a more
specific rule.
The following screenshot shows that no traffic ever will match the second rule, which specifically allows
skype and dropbox, because all applications already have been allowed by the first rule. Rule2’s ”skype”
shadows rule3’s “skype.”

Security Rule Hit Count
The PAN-OS® software allows you to monitor hit count. The three components of Rule Usage are as
follows:
• Hit Count: The number of times traffic matched the criteria you defined in the policy rule.
Persists through reboot, data-plane restarts, and upgrades unless you manually reset or rename
the rule.
• Last Hit: The most recent timestamp for when traffic matched the rule
• First Hit: The first instance when traffic was matched to this rule
In the following screenshot, note that the hit counts have not incremented because this example has no
live traffic:

Sample questions
1. What are the two default (predefined) security policy types in PAN-OS® software? (Choose two.)
A. Universal
B. Interzone
C. Intrazone
D. Extrazone
2. True or false? Best practice is to enable logging for the two predefined security policy rules.
A. True
B. False
3. What will be the result of one or more occurrences of shadowing?
A. a failed commit
B. an invalid configuration
C. a warning
D. none of the above
4. Which type of security policy rules always exist above the two predefined security policies?
A. intrazone
B. interzone
C. universal
D. global
2.10 Given a scenario, identify and implement the proper NAT solution.
NAT Types
The two basic types of NAT are source NAT (SNAT) and destination NAT (DNAT).
SNAT is used to replace the original source IP address in a packet. A typical scenario for SNAT is when a
packet is originated from within a company’s network and then is forwarded out to the internet. The
original source IP address usually is an RFC 1918 IP address that is not routable within the internet.

DNAT is used to replace the original destination IP address in a packet. A typical scenario for DNAT is
when a packet is originated from the internet and then is forwarded to a company’s internal network.
The original destination IP is routable within the internet. When the packet arrives at the firewall, the
routable IP address is replaced with the real IP address of the destination device (usually an RFC 1918 IP
address) and then is forwarded to the destination device.
DNAT can be used in other scenarios such as when subnets overlap.

Source NAT Types
The following table describes the three source NAT types: static IP, dynamic IP, and dynamic IP and port:
Source NAT Type Description
Static IP The same address always is used for the translation and the port is unchanged.
For example, if the source range is 192.168.0.1 – 192.168.0.10, and the
translation range is 10.0.0.1 – 10.0.0.10, address 192.168.0.2 always is
translated to 10.0.0.2. The address range usually is limited.
This concept applies if only a host /32 IP address is used.

Source NAT Type Description
Dynamic IP The original source IP address translates to the next available address in the
specified range but the port number remains unchanged. Up to 32,000
consecutive IP address are supported. A dynamic IP pool can contain multiple
subnets, so you can translate your internal network addresses to two or more
separate public subnets.
Dynamic IP and This is the most commonly used source NAT type. Address selection is based on
port a hash of the source IP address. For a given source IP address, the firewall uses
the same translated source address for all sessions.
Source NAT and Security Policies
A security policy rule requires a source IP, destination IP, source zone, and destination zone. When you
add an IP address to a security policy, you must add the IP address value that existed before NAT was
implemented, which is called the pre-NAT IP. After the IP address is translated (post-NAT IP), determine
the zone where the post-NAT IP address would exist. This post-NAT zone is used in the Security Policy
Rule.
A simple way to remember how to configure security policies where NAT was implemented is to
memorize the following: “pre-NAT IP; post-NAT zone.”

Configuring Source NAT
Configuring Bidirectional Source NAT
For static translations, bidirectional NAT allows the firewall to create a corresponding translation in the
opposite direction of the translation you configure. If you are configuring static source NAT, bidirectional
NAT allows you to eliminate the need to create an additional NAT policy rule for the incoming traffic.
If you enable bidirectional translation, you must ensure that you have security policies in place to
control the traffic in both directions. If there are no such policies, the bidirectional feature allows
packets to be translated automatically in both directions.

DIPP NAT Oversubscription
The DIPP NAT Oversubscription Rate is the number of times that the same translated IP address and
port pair can be used concurrently. Reduction of the oversubscription rate will decrease the number of
source device translations but will provide higher NAT rule capacities. Oversubscription assumes that
the destination is different in each translation.
Platform Default turns off oversubscription, whereby the default rate of the firewall model applies:
• 1x: means no oversubscription, where each IP address and port pair can be used only one time
• 2x: oversubscribed two times
• 4x: oversubscribed three times
• 8x: oversubscribed eight times

Destination NAT Types
Destination NAT (DNAT) typically is used to allow an external client to initiate access to an internal host
such as a web server. The two types of destination NAT are as follows:
Destination NAT Type Description
Static You can set the translated address as an IP address or range of IP addresses
and a translated port number (1 – 65,535), to which the original destination
address and port number are translated. If the Translated Port field is
blank, the destination port is not changed.

Destination NAT Type Description
Dynamic IP (with You can enter a translated address that is an FQDN, an address object, or an
session distribution) address group from which the firewall selects the translated address. If the
DNS server returns more than one address for an FQDN or if the address
object or address group translates into more than one IP address, the
firewall distributes sessions among those addresses using the specified
session distribution method.
Destination NAT and Security Policies
A security policy rule requires a source IP, destination IP, source zone, and destination zone. When you
add an IP address to a security policy, you must add the IP address value that existed before NAT was
implemented, which is called the pre-NAT IP. After the destination IP address is translated (post-NAT IP),
determine the zone where the post-NAT IP address would exist. This post-NAT zone is used in the
security policy rule.
A simple way to remember how to configure security policies where NAT was implemented is to
memorize the following: “pre-NAT IP; post-NAT zone.”

Configuring Destination NAT

Configuring Dynamic IP Address Support for DNAT
You can enter a translated address that is an FQDN, an address object, or an address group from which
the firewall selects the translated address. If the DNS server returns more than one address for an FQDN
or if the address object or address group translates into more than one IP address, the firewall
distributes sessions among those addresses using the specified session distribution method.
Configuring Destination NAT Port Forwarding

Sample questions
1. What are two source NAT types? (Choose two.)
A. universal
B. static
C. dynamic
D. extrazone
2. A simple way to remember how to configure security policies where NAT was implemented is to
memorize the following: (Choose one.)
A. post-NAT zone, post-NAT zone
B. post-NAT IP, post-NAT zone
C. pre-NAT IP, post-NAT zone
D. pre-NAT IP, pre-NAT zone
3. What are two types of destination NAT? (Choose two.)
A. dynamic IP (with session distribution)
B. DIPP
C. global
D. static
4. What are two possible values for DIPP NAT oversubscription? (Choose two.)
A. 1x
B. 4x
C. 16x
D. 32x
5. Which statement is true regarding bidirectional NAT?
A. For static translations, bidirectional NAT allows the firewall to create a corresponding
translation in the opposite direction of the translation you configure.
B. For static translations, bidirectional NAT allows the firewall to create a corresponding
translation in the same direction of the translation you configure.
A. For dynamic translations, bidirectional NAT allows the firewall to create a corresponding
translation in the opposite direction of the translation you configure.
B. For dynamic translations, bidirectional NAT allows the firewall to create a corresponding
translation in the same direction of the translation you configure.

Exam Domain 3 – Traffic Visibility
3.1 Given a scenario, select the appropriate application-based security policy

rules.
Application Shifts
Applications can change during the lifetime of a session. This behavior is called an “application shift.” For
example, a user types www.icloud.com into a web browser to access their iCloud email. This initial
request goes out as an HTTP request, and the application is recognized as web-browsing. After the HTTP
request is completed, the application is changed to icloud-base. After the icloud-base application is
processed, the application changes to icloud-mail.
Dependent Applications
Some applications within PAN-OS® software are dependent on other applications, which means that if
Application#1 is dependent on Application#2, then both Application#1 and Application#2 need to be
allowed in security policies. For example, icloud-mail is dependent on icloud-base, therefore both
applications need to be allowed in security policies. Also, icloud-base is dependent on web-browsing, so
the web-browsing application also needs to be added to security policy. Additional dependent
applications are shown in the following figure.

Warnings Due to Missing Dependencies
No Warnings Due to No Missing Dependencies

Determining Dependent Applications
To determine applications and their dependencies, navigate to Objects > Applications.
Implicit Applications and Determining Implicit Applications
Some applications such as icloud are dependent on the web-browsing application to be specified in a
security policy. Sometimes you do not have to explicitly allow access to the dependent applications for
the traffic to flow because the firewall can determine the dependencies and allow them implicitly. One
example is google-base. To be able to use google-base, you do not have to add ssl or web-browsing to a
security policy.
To determine applications that specifically are used, navigate to Objects > Applications.

Sample question
1. What are two application dependencies for icloud-mail? (Choose two.)
E. ssl
F. skype
G. google-base
H. icloud-base

3.2 Given a scenario, configure application filters or application groups.

Application Filters
An administrator can dynamically categorize multiple applications into an application filter based on the
specific attributes Category, Subcategory, Technology, Risk, and Characteristic. For example, if you want
to allow all audio streaming applications, you could create an application filter that includes the
subcategory of audio-streaming, which automatically would add all applications to the filter from the
App-ID database that are subcategorized as audio-streaming. The filter then would be added as an
application to a security policy rule. Application filters simplify the process of ensuring that all
applications that meet any attribute automatically are added to a security policy.

Application Groups
An administrator can manually categorize multiple applications into an application group based on App-
ID. This application group then is added to one or more security policy rules as required, which
streamlines firewall administration. Instead of a firewall administrator individually adding different
applications into a security policy, only the application group needs to be added to the policy.
Application groups often are used to simplify security, QoS, and PBF policy rule implementation.

Nesting Application Groups and Filters
An administrator can nest application groups and filters. Multiple applications and multiple application
filters can be combined into an application group. One or more application groups then also can be
combined into one application group. The final application group then can be added to a security policy
rule.

Sample questions
1. What does an application filter enable an administrator to do?
A. manually categorize multiple service filters
B. dynamically categorize multiple service filters
C. dynamically categorize multiple applications
D. manually categorize multiple applications
2. Which two items can be added to an application group? (Choose two.)
A. application groups
B. application services
C. application filters
D. admin accounts

3.3 Identify the purpose of application characteristics as defined in the App-ID

database.
Application Properties
All applications in the App-ID database are defined by five properties:

Property Definition
Category Used to generate the Top Ten Application Categories chart within the ACC and is
available for filtering
Subcategory Also used to generate the Top Ten Application Categories chart within the ACC
and is available for filtering
Technology Technology most closely associated with the application
Parent App Setting that applies when a session matches both the parent and a custom
application
Risk A relative risk rating, from 1 to 5, with 5 being the most risky
Application Characteristics
All applications in the App-ID database are defined by nine characteristics.

The definitions are self-explanatory.

Application Timeouts
Item Definition
Timeout Number of seconds before an idle application flow is terminated. A zero indicates
that the default timeout of the application will be used. This value is used for
protocols other than TCP and UDP in all cases, and for TCP and UDP timeouts
when the TCP timeout and UDP timeout are not specified.
TCP Timeout Number of seconds before an idle TCP application flow is terminated. A zero
indicates that the default timeout of the application is used.
UDP Timeout Number of seconds before an idle UDP application flow is terminated. A zero
indicates that the default timeout of the application is used.
TCP Half Maximum length of time that a session remains in the session table between
Closed receiving the first FIN and receiving the second FIN or RST. If the timer expires,
the session is closed.
TCP Time Maximum length of time that a session remains in the session table after
Wait receiving the second FIN or RST. If the timer expires, the session is closed. If this
time is not configured at the application level, the global setting is used (range is
1 to 600 seconds).If this value is configured at the application level, it overrides
the global TCP Time Wait setting.

Sample questions
1. What does the TCP Half Closed setting mean?
A. maximum length of time that a session remains in the session table between receiving
the first FIN and receiving the third FIN or RST.
B. minimum length of time that a session remains in the session table between receiving
the first FIN and receiving the second FIN or RST.
C. maximum length of time that a session remains in the session table between receiving
the first FIN and receiving the second FIN or RST.
D. minimum length of time that a session remains in the session table between receiving
the first FIN and receiving the third FIN or RST.
2. What are two application characteristics? (Choose two.)
A. stateful
B. excessive bandwidth use
C. intensive
D. evasive
3.4 Identify the potential impact of App-ID updates to existing security policy
rules.
App-ID Updates and Impact
A firewall admin must be careful before they install any App-ID updates because some applications may
have changed since the last App-ID update (content update). For example, an application that was
previously categorized under web-browsing now may be categorized under its own unique App-ID.
Categorization of applications into more specific applications allows more granularity and control of
applications within security policies. Because the new App-ID no longer will be categorized as web-
browsing, no security policy now will contain this new App-ID. Consequently, the new App-ID will be
blocked.
You can minimize this risk by using the Disable new apps in content update feature. New updates will
be downloaded and installed according to the schedule, but they will be disabled until they are manually
enabled.

Content Update Absorption
To see the applications that have been modified since the last content release, select Review Apps in
the Action column. The screen will display details about the modified application.

Select Review Policies to display the security policy rules that might enforce traffic differently once the
application is modified.

Always review content release notes for the list of newly identified and modified applications and threat
signatures that the content release introduces. Content release notes also describe how the update
might impact existing security policy enforcement and provides recommendations about how you can
modify your security policy to best leverage what’s new. Installation of new App-IDs included in a
content release version sometimes can cause a change in policy enforcement for the application that
now is uniquely identified.

.
Sample questions
1. Which column in the Applications and Threats screen includes the options Review Apps and
Review Policies?
A. Features
B. Type
C. Version
D. Action
2. What can you select to minimize the risk using of installing new App-ID updates?
A. Enable new apps in content
B. Disable new apps in app-id database
C. Disable new apps in content
D. Enable new apps in App-ID database
Objective 3.5 Identify the tools to optimize security policies.

See the Legacy Port-Based to App-ID Rule Converter feature in the PAN-OS® 9.0 New Features Guide.

Exam Domain 4 – Securing Traffic
4.1 Given a risk scenario, identify and apply the appropriate security profile.
Security Profiles
Security profiles are added to the end of security policy rules. After a packet has been allowed by the
security policy, security profiles are used to scan packets for threats, vulnerabilities, viruses, spyware,
malicious URLs, and exploitation software. Traffic also can be scanned for suspicious file uploads.
A Security Profile Group can be created that includes one or more security profiles, which simplifies the
task of adding security profiles to a security policy rule.
The following table describes the security profile types:
Type Description
Antivirus Detects infected files being transferred within the application
Anti-Spyware Detects spyware downloads and traffic from previously installed spyware
Vulnerability Detects attempts to exploit known software vulnerabilities
Protection
URL Filtering Classifies and controls web browsing based on website content
File Blocking Tracks and blocks file uploads and downloads based on file type and
application
WildFire Analysis Forwards unknown files to the WildFire® service for malware analysis.
Note: This type will not be discussed further in this section.
Data Filtering Identifies and blocks transfer of specific data patterns found in network
traffic
Note: This type will not be discussed further in this section.

Threat Logs
Threats are recorded and logged in the Threat log. Threat logs display entries when traffic matches one
of the security profiles attached to a security policy rule on the firewall. Each entry includes the
following information: date and time; type of threat (such as virus or spyware); threat description or URL
(Name column); source and destination zones, addresses, and ports; application name; alarm action
(such as allow or block); and severity level. The Threat log is used as the source of information that is
displayed on the ACC tab (Application Control Center).
Threat levels are based on severity. There are five levels of severity:
Critical: Critical threats are serious threats such as those that affect default installations of
widely deployed software, and result in the compromise of servers. Critical threats include
those where the exploit code is widely available to attackers. The attacker usually does not
need any special authentication credentials or knowledge about the individual victims, and the
target does not need to be manipulated into performing any special functions.

• High: High threats are those that can become critical but have mitigating factors; for example,
they may be difficult to exploit, do not result in elevated privileges, or do not have a large victim
pool.
• Medium: Medium threats are minor threats and those that pose minimal impact. Examples
include DoS attacks that do not compromise the target or exploits that require an attacker to
reside on the same LAN as the victim. Medium threats affect only non-standard configurations
or obscure applications, or provide very limited access.
• Low: Low threats are warning-level threats that have little impact on an organization's
infrastructure. They usually require local or physical system access and often may result in
victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged
as Low.
• Informational: Informational threats are suspicious events that do not pose an immediate threat
but that are reported to call attention to deeper problems that could exist. URL Filtering log
entries are logged as Informational. Log entries with any verdict and an action set to block also
are logged as Informational.
Antivirus Security Profiles
Antivirus security profiles protect against viruses, worms, and Trojans, along with spyware downloads.
The Palo Alto Networks antivirus solution uses a stream-based malware prevention engine that inspects
traffic the moment the first packet is received to provide protection for clients without significantly
impacting the performance of the firewall. This profile scans for a wide variety of malware in
executables, PDF files, HTML, and JavaScript, and includes support for scanning inside compressed files
and data encoding schemes. The profile also enables scanning of decrypted content if decryption is
enabled on the firewall.
The default profile inspects all listed protocol decoders for viruses and generates alerts for SMTP, IMAP,
and POP3 protocols while blocking FTP, HTTP, and SMB protocols. You can configure the action for a
decoder or antivirus signature and specify how the firewall responds to a threat.
Customized profiles can be used to minimize antivirus inspection for traffic between trusted security
zones. They also can be used to maximize the inspection of traffic received from untrusted zones, such
as the internet, and the traffic sent to highly sensitive destinations such as server farms.
The Palo Alto Networks WildFire system also provides signatures for persistent threats that are
more evasive and have not yet been discovered by other antivirus solutions. Signatures are
quickly created as threats are discovered by WildFire and then are integrated into the standard
antivirus signatures that can be downloaded daily by Threat Prevention subscribers (subhourly
for WildFire subscribers).
Anti-Spyware Security Profiles
Anti-spyware security profiles block spyware on compromised hosts from trying to communicate with
external command-and-control (C2) servers, thus allowing you to detect malicious traffic leaving the

network from infected clients. You can apply various levels of protection between security zones. For
example, you may want to have custom anti-spyware profiles that minimize inspection between trusted
zones while maximizing inspection on traffic received from an untrusted zone such as internet-facing
zones.
Vulnerability Protection Security Profiles
Vulnerability Protection security profiles stop attempts to exploit system flaws or gain unauthorized
access to systems. While Anti-spyware security profiles identify infected hosts as traffic leaves the
network, but vulnerability protection security profiles protect against threats entering the network. For
example, vulnerability protection security profiles protect against buffer overflows, illegal code
execution, and other attempts to exploit system vulnerabilities. The default vulnerability protection
security profile protects clients and servers from all known critical-, high-, and medium-severity threats.
You also can create exceptions that allow you to change the response to a specific signature.
URL Filtering Security Profiles
The URL Filtering security profile determines web access and credential submission permissions for each
URL category. By default, site access for all URL categories is set to “allow” when you create a new URL
filtering security profile. All allowed traffic will not be logged by default. You can customize the URL
filtering security profile with custom site access settings for each category, or use the predefined default
URL filtering security profile on the firewall to allow access to all URL categories except the following
threat-prone categories, which it blocks: abused-drugs, adult, gambling, hacking, malware, phishing,
questionable, and weapons.
For each URL category, select User Credential Submissions to allow or disallow users from submitting
valid corporate credentials to a URL in that category. This action will prevent credential phishing.
Management of the sites to which users can submit credentials requires User-ID, and you must first set
up credential phishing prevention. URL categories with the Site Access set to block automatically are set
to also block user credential submissions.
File Blocking Security Profiles
A security policy can include specification of a file blocking profile that blocks selected file types from
being uploaded or downloaded, or generates an alert when the specified file types are detected.

Sample question
1. What are two benefits of vulnerability protection security profiles? (Choose two.)
A. prevent compromised hosts from trying to communicate with external command-and-
control (C2) servers
B. protect against viruses, worms, and Trojans
C. prevent exploitation of system flaws
D. prevent unauthorized access to systems
Objective 4.2 Identify the difference between security policy actions and
security profile actions.
Security Policy Actions and Security Profile Actions
When packets traverse a firewall, they are inspected in two primary stages:
• Security Policy Stage
• Security Profile Stage
In the Security Policy Stage, packets must meet all of the criteria in the security policy to match the
security policy. If all the criteria match, the security policy action is applied. If the security policy action is
“allow,” the packet is inspected by the security profiles included within the security policy rule. If all of
the security profile criteria do not match, or the security policy is any action other than “allow,” the
packet is evaluated against the next security policy rule, and so on. A Security Profile Group can be
created that includes one or more security profiles, which simplifies the task of adding security profiles
to a security policy rule.

The Available Security Policy Actions
Antivirus Security Profile Actions
The default profile inspects the listed protocol decoders for viruses and generates alerts for SMTP,
IMAP, and POP3 protocols while blocking FTP, HTTP, and SMB protocols. You can configure the action
for a decoder or antivirus signature and specify how the firewall responds to a threat event; see the
following table:
Action Description
Default For each threat signature and Antivirus signature that is defined by Palo Alto
Networks, a default action is specified internally. The default action typically is
an “alert” or a “reset-both.” The default action is displayed in parentheses, for
example, default (alert), in the threat or antivirus signature.
Allow Permits the application traffic
Alert Generates an alert for each application traffic flow. The alert is saved in the
Threat log
Drop Drops the application traffic
Reset Client For TCP, resets the client-side connection. For UDP, drops the connection
Reset Server For TCP, resets the server-side connection. For UDP, drops the
connection
Reset Both For TCP, resets the connection on both client and server ends. For UDP,
drops the connection
zones. They also can be used to maximize the inspection of traffic received from untrusted zones such as

the internet and of traffic sent to highly sensitive destinations such as server farms. The Palo Alto
Networks WildFire® product also provides signatures for persistent threats that are more evasive and
have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire,
signatures are quickly created and then integrated into the standard antivirus signatures that can be
downloaded daily by Threat Prevention subscribers (subhourly for WildFire subscribers).
Anti-Spyware Security Profile Actions
Custom Anti-Spyware profiles can be created, or one of the two following predefined profiles can be
chosen when applying anti-spyware to a security policy rule:
Profile Description
Default Uses the default action for every signature, as specified by Palo Alto Networks when the
signature is created
Strict Overrides the default action of critical-, high-, and medium-severity threats to the block
action, regardless of the action defined in the signature file. This profile still uses the
default action for low- and informational-severity signatures.
After the firewall detects a threat event, you can configure the following actions in an Anti-Spyware
profile:
Action Description
Default For each threat signature and anti-spyware signature that is defined by Palo Alto
Networks, a default action is specified internally. The default action typically is an
“alert” or a “reset-both.” The default action is displayed in parentheses, for
example, default (alert), in the threat or antivirus signature.

Action Description
Allow Permits the application traffic
Alert Generates an alert for each application traffic flow. The alert is saved in the Threat
log.
Drop Drops the application traffic
Reset Client For TCP, resets the client-side connection. For UDP, drops the connection.
Reset Server For TCP, resets the server-side connection. For UDP, drops the connection.
Reset Both For TCP, resets the connection on both client and server ends. For UDP, drops the
connection.
Block IP Blocks traffic from either a source or a source-destination pair. It is configurable for a
specified period of time.
You also can enable the DNS Sinkholing action in anti-spyware profiles to enable the firewall to create a
response to a DNS query for a known malicious domain, thus causing the malicious domain name to
resolve to an IP address (sinkhole address) that you define. This feature helps to identify infected hosts
on the protected network using DNS traffic. Infected hosts then can be easily identified in the traffic and
Threat logs because any host that attempts to connect to the sinkhole IP address most likely is infected
with malware. Anti-spyware and vulnerability protection profiles are configured similarly.
Two Predefined Anti-Spyware Security Profiles
Vulnerability Protection Security Profile Actions
The default vulnerability protection security profile protects clients and servers from all known critical-,
high-, and medium-severity threats. You also can create exceptions that allow you to change the
response to a specific signature.

Two Predefined Vulnerability Protection Security Profiles
URL Filtering Security Profile Actions
Action Description
Alert The website is allowed and a log entry is generated in the URL filtering log.
Allow The website is allowed and no log entry is generated.
Block The website is blocked and the user will see a response page and will not be able to
continue to the website. A log entry is generated in the URL Filtering log.
Blocking of site access for a URL category also sets User Credential Submissions for that
URL category to “block.”
Continue The user will be prompted with a response page indicating that the site has been
blocked due to company policy, but the user is prompted with the option to continue to
the website. The “continue” action typically is used for categories that are considered
benign and is used to improve the user experience by giving the user the option to
continue if they consider the site to be incorrectly categorized. The response page
message can be customized to contain details specific to your company. A log entry is
generated in the URL Filtering log.
The Continue page doesn’t display properly on client systems configured to use a proxy
server.
Override The user will see a response page indicating that a password is required to allow access
to websites in the given category. With this option, the security admin or helpdesk
person would provide a password granting temporary access to all websites in the given
category. A log entry is generated in the URL Filtering log.
The Override page doesn’t display properly on client systems configured to use a proxy
server.
None The “none” action applies only to custom URL categories. Select none to ensure that, if
multiple URL profiles exist, the custom category will not have any impact on other

Action Description
profiles. For example, if you have two URL profiles and the custom URL category is set to
block in one profile, if you do not want the “block” action to apply to the other profile,
you must set the action to none.
Also, to delete a custom URL category, the category must be set to none in any profile
where it is used.
File Blocking Security Profile Actions
Field Description
Name Enter a rule name (up to 31 characters in length).
Applications Select the applications the rule applies to or select Any.
File Types Click in the field and then click Add to display a list of supported file types. Click a file
type to add it to the profile and continue to add file types as needed. If you select Any,
the defined action is taken on all supported file types.
Direction Select the direction of the file transfer (upload, download, or both).
Action Select the action taken when the selected file types are detected:
• alert: An entry is added to the Threat log.
• block: The file is blocked.
• continue: A message to the user indicates that a download has been
requested and asks the user to confirm whether to continue. The purpose is to
warn the user of a possible unknown download (also known as a drive-by-
download) and to give the user the option of continuing or stopping the
download.

When you create a file blocking profile with the action “continue,” you can choose only the application
web-browsing. If you choose any other application, traffic that matches the security policy will not flow
through the firewall because the users will not be prompted with a continue page.
Sample question
1. Which two actions are available for antivirus security profiles? (Choose two.)
A. continue
B. allow
C. block IP
D. alert

Objective 4.3 Given a network scenario, identify how to customize security

profiles.
Antivirus Security Profile Customization
zones. They also can be used to maximize the inspection of traffic received from untrusted zones such as
the internet and of traffic sent to highly sensitive destinations such as server farms. The Palo Alto
Networks WildFire® product also provides signatures for persistent threats that are more evasive and
have not yet been discovered by other antivirus solutions. As threats are discovered by WildFire,
signatures are quickly created and then integrated into the standard antivirus signatures that can be
downloaded daily by Threat Prevention subscribers (subhourly for WildFire subscribers).
Antivirus Security Profile Customization for Decoder Actions

Antivirus Security Profile Customization to Exclude Specific Apps from AV Inspection

Antivirus Security Profile Customization to Exclude Threats from AV Inspection
Anti-Spyware Security Profile Customization
Custom anti-spyware profiles can be created. For example, you can reduce the stringency for anti-
spyware inspection for traffic between trusted security zones and maximize the inspection of traffic
received from the internet or traffic sent to protected assets such as server farms.

Anti-Spyware Security Profile Customization of Categories

Anti-Spyware Security Profile Customization of Actions
Vulnerability Protection Security Profile Customization
The default vulnerability protection security profile protects clients and servers from all known critical-,
high-, and medium-severity threats. Customized profiles can be used to minimize vulnerability checking
for traffic between trusted security zones and to maximize protection for traffic received from untrusted
zones such as the internet, along with traffic sent to highly sensitive destinations such as server farms.
The Exceptions setting found under the “Exceptions” tab allows you to change the response for a
specific signature based on its Threat ID number or name. For example, you can block all packets that
match specific signatures, except for the one(s) that you set up as exception(s), which could be set up as
an action to generate only alerts.

Vulnerability Protection Profile Customization of CVEs and Vendor IDs

Vulnerability Protection Profile Customization of Actions and Severity

Vulnerability Protection Profile Customization of Categories
URL Filtering Security Profile Customization
URL filtering should be customized to meet the unique needs of your organization.

URL Filtering Profile Customization of Categories and Site Access
URL Filtering Profile Customization Using Overrides
Safe Search
Many search engines have a safe search setting that filters out pornographic images and videos in
search query return traffic. When Safe Search Enforcement is enabled, the firewall blocks search results
if the end user is not using the strictest safe search settings in the search query. The firewall can enforce

safe search for the following search providers: Google, Yahoo, Bing, Yandex, and YouTube. This is a best-
effort setting and is not guaranteed by the search providers to work with every website.
HTTP Header Logging
The HTTP Header Logging feature provides visibility into the attributes included in the HTTP
request sent to a server. When HTTP Header Logging is enabled, one or more of the following
attributes are recorded in the URL Filtering log:
• User Agent: The web browser that the user used to access the URL. This information is sent in
the HTTP request to the server. For example, the User Agent can be Internet Explorer or Firefox.
• Referrer: The URL of the webpage that linked the user to another webpage. It is the source that
redirected (referred) the user to the webpage that is being requested.
• X-Forward-For: The header field option that preserves the IP address of the user who requested
the webpage. It allows you to identify the IP address of the user, which is particularly useful if
you have a proxy server on you network or you have implemented source NAT that is masking
the user’s IP address such that all requests seem to originate from the proxy server’s IP address
or a common IP address.
File Blocking Security Profile Customization
File blocking should be customized to meet the unique needs of your organization.

File Blocking Applications Customization

File Blocking File Types Customization
File Blocking Direction Customization

File Blocking Action Customization
Sample question
1. Which two HTTP Header Logging options are within a URL filtering profile? (Choose two.)
A. User-Agent
B. Safe Search
C. URL redirection
D. X-Forward-For
Objective 4.4 Identify the firewall’s protection against packet- and protocol-
based attacks.
Denial-of-Service Protection
PAN-OS® software does not only provide protection using security policies and security profiles, which
use signatures and heuristics to identify attacks. PAN-OS software also provides denial-of-service (DoS)

protection, which is based on analysis of packet headers to detect threats rather than signatures.
A DoS attack attempts to make network devices unreachable by disrupting services. These attacks
usually come from the internet but can come from misconfigured or compromised internal devices. The
typical method is to flood the target with resource requests until the requests consume all of the
target’s available resources: memory, CPU cycles, and bandwidth. Typical targets are internet-facing
devices that users can access from outside the corporate network such as web servers and database
servers. Palo Alto Networks firewalls provide the following three DoS attack mitigation tools as part of a
layered approach to DoS protection. Note that packet buffer protection will not be described in this
section.
• Zone protection profiles: Apply only to new sessions in ingress zones and provide broad
protection against flood attacks by limiting the connections-per-second (CPS) to the firewall,
plus protection against reconnaissance (port scans and host sweeps), packet-based attacks, and
Layer 2 protocol-based attacks.
• DoS protection profiles and policy rules: Provide granular protection of specific, critical devices
for new sessions. Classified policies protect individual devices by limiting the CPS for a specific
device or specific devices. Aggregate policies limit the total CPS for a group of devices but don’t
limit the CPS for a particular device in the group to less than the total allowed for the group, so
one device still may receive most of the connection requests.
• Packet buffer protection: Protects against single-session DoS attacks from existing sessions that
attempt to overwhelm the firewall’s packet buffer.
Zone Protection Profiles
A zone protection profile is applied to an ingress zone. It offers protection against floods,
reconnaissance attacks, and other packet-based attacks. Zone protection is broad-based
protection and is not designed to protect a specific end host or traffic going to a particular
destination zone. One zone protection profile can be applied to a zone. Zone protection is
enforced only when there is no session match for the packet because zone protection is based
on new CPS, not on packets per second (pps). If the packet matches an existing session, it will
bypass the zone protection setting.
Flood Attack Protection
Zone protection profiles consist of five types of floods:
• SYN
• UDP
• ICMP
• ICMPv6
• Other IP
Flood Protection Activate Rates

SYN Random Early Drop
This feature causes SYN packets to be dropped to mitigate a flood attack. When the flow exceeds the
Activate rate threshold, the firewall drops individual SYN packets randomly to restrict the flow. When
the flow exceeds the Maximum rate threshold, 100% of incoming SYN packets are dropped.
SYN Cookies
This feature causes the firewall to act like a proxy, intercept the SYN, generate a cookie on behalf of the
server to which the SYN was directed, and send a SYN-ACK with the cookie to the original source. Only
when the source returns an ACK with the cookie to the firewall does the firewall consider the source
valid and forward the SYN to the server. This is the preferred Action.
UDP
UDP is activated when the number of UDP packets (not matching an existing session) the zone receives
per second is reached. The firewall uses an algorithm to progressively drop more packets as the attack
rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the UDP packets if
the incoming rate drops below the Activate threshold.
ICMP
ICMP is activated when the number of ICMP packets (not matching an existing session) the zone
receives per second is reached. The firewall uses an algorithm to progressively drop more packets as the
attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMP

packets if the incoming rate drops below the Activate threshold.
ICMPv6
ICMPv6 is activated when the number of ICMPv6 packets (not matching an existing session) the zone
receives per second is reached. The firewall uses an algorithm to progressively drop more packets as the
attack rate increases, until the rate reaches the Maximum rate. The firewall stops dropping the ICMPv6
packets if the incoming rate drops below the Activate threshold.
Other IP
Other IP is activated when number of other IP packets (non-TCP, non-ICMP, non-ICMPv6, and non-UDP
packets) (not matching an existing session) the zone receives per second is reached. The firewall uses an
algorithm to progressively drop more packets as the attack rate increases, until the rate reaches the
Maximum rate. The firewall stops dropping the Other IP packets if the incoming rate drops below the
Activate threshold.
Reconnaissance Attack Protection
Reconnaissance protection protects against reconnaissance attacks, which are the first type of attacks
within a Cyber-Attack Lifecycle. During the first stage of the attack lifecycle, cyberattackers carefully plan
their method of attack. They research, identify, and select targets within an organization such as human
resources and financial personnel that will allow them to meet their objectives. Attackers can gather
intelligence through publicly available sources such as Twitter, LinkedIn, and corporate websites ─ all the
places where a company will share information about itself. The cyberattackers also will scan for
vulnerabilities that can be exploited within the target network (services and applications), and map out
that they can take advantage of.
Prevent by:
• Performing continuous inspection of network traffic flows to detect and prevent port scans and
host sweeps
• Implementing security awareness by limiting what should be posted on the internet: sensitive
documents, customer lists, event attendees, job roles, and responsibilities
See Palo Alto Networks documentation for more detail about these complicated types of attacks.

Packet-Based Attack Protection
There are many types of packet-based attack protection. Each one will not be covered in detail in this
section. Please refer to Palo Alto Networks documentation to obtain more detail on these complicated
types of attacks.
The five major categories of packet-based attacks protection are:
• IP Drop
• TCP Drop
• ICMP Drop
• IPv6 Drop
• ICMPv6 Drop

Packet-based attacks take many forms. Zone protection profiles check IP, TCP, ICMP, IPv6, and ICMPv6
packet headers and protect a zone by:
• Dropping packets with undesirable characteristics.

• Stripping undesirable options from packets before admitting them to the zone.
Select the drop characteristics for each packet type when you configure packet-based attack protection.
The best practices for each IP protocol are:
• IP Drop: Drop Unknown and Malformed packets. Also drop Strict Source Routing and Loose
Source Routing because allowing these options allows adversaries to bypass security policy rules
that use the destination IP address as the matching criterion. For internal zones only, check
Spoofed IP Address so only traffic with a source address that matches the firewall routing table
can access the zone.
• TCP Drop: Retain the default TCP SYN with Data and TCP SYNACK with Data drops, drop
Mismatched overlapping TCP segment and Split Handshake packets, and strip the TCP
Timestamp from packets.
Enable the Rematch Sessions option as a best practice. It applies committed newly configured or edited
security policy rules to existing sessions. However, if you configure Tunnel Content Inspection on a zone
and Rematch Sessions is enabled, you also must disable Reject Non-SYN TCP (change the selection from
Global to No). If you don’t disable that option, when you enable or edit a Tunnel Content Inspection
policy the firewall will drop all existing tunnel sessions. Create a separate zone protection profile to
disable Reject Non-SYN TCP only on zones that have Tunnel Content Inspection policies and only when
you enable Rematch Sessions.

• ICMP Drop: There are no standard best practice settings because dropping of ICMP packets
depends on how you use ICMP (or if you use ICMP). For example, if you want to block ping
activity, you can block ICMP Ping ID 0.
• IPv6 Drop: If compliance matters, ensure that the firewall drops packets with non-compliant
routing headers, extensions, etc.
• ICMPv6 Drop: If compliance matters, ensure that the firewall drops certain packets if the
packets don’t match a security policy rule.
Protocol Attack Protection
In a zone protection profile, Protocol Protection defends against non-IP protocol-based attacks. Enable
Protocol Protection to block or allow non-IP protocols between security zones on a Layer 2 VLAN or on a
virtual wire, or between interfaces within a single zone on a Layer 2 VLAN (Layer 3 interfaces and zones
drop non-IP protocols, so non-IP Protocol Protection doesn’t apply).
Configure Protocol Protection to reduce security risks and facilitate regulatory compliance by
preventing less secure protocols from entering a zone or an interface in a zone. If you don’t configure a
zone protection profile that prevents non-IP protocols in the same zone from going from one Layer 2
interface to another, the firewall allows the traffic because of the default intrazone allow security policy
rule. You can create a zone protection profile that blocks protocols such as LLDP within a zone to
prevent discovery of networks reachable through other zone interfaces.
If you need to discover which non-IP protocols are running on your network, use monitoring tools such
as NetFlow, Wireshark, or other third-party tools. Examples of non-IP protocols you can block or allow
are LLDP, NetBEUI, Spanning Tree, and Supervisory Control and Data Acquisition (SCADA) systems such
as Generic Object Oriented Substation Event (GOOSE), among many others.
Create an Exclude List or an Include List to configure Protocol Protection for a zone. The Exclude List is
a blacklist—the firewall blocks all of the protocols you place in the Exclude List and allows all other
protocols. The Include List is a whitelist—the firewall allows only the protocols you specify in the list and
blocks all other protocols. Use include lists for Protocol Protection instead of exclude lists. Include lists
specifically sanction only the protocols you want to allow and block the protocols you don’t need or
didn’t know were on your network, which reduces the attack surface and blocks unknown traffic. A list
supports up to 64 Ethertype entries, each identified by its IEEE hexadecimal Ethertype code. When you
configure zone protection for non-IP protocols on zones that have Aggregated Ethernet (AE) interfaces,
you can’t block or allow a non-IP protocol on only one AE interface member because AE interface
members are treated as a group.

DoS Protection Profiles and Policies
DoS protection profiles and DoS protection policy rules combine to protect specific groups of critical
resources and individual critical resources against session floods. Compared to zone protection profiles,
which protect entire zones from flood attacks, DoS protection provides granular defense for specific
systems, especially critical systems that users access from the internet and often are attack targets, such
as web servers and database servers. Apply both types of protection because if you only apply a zone
protection profile, then a DoS attack that targets a particular system in the zone can succeed if the total
CPS doesn’t exceed the zone’s Activate and Maximum rates. DoS protection is resource-intensive, so
use it only for critical systems. DoS protection profiles specify flood thresholds, similarly to zone
protection profiles. DoS protection policy rules determine the devices, users, zones, and services to
which DoS profiles apply. See Palo Alto Networks documentation for more detail about these
complicated types of attacks

Sample question
1. What are the two components of Denial-of-Service Protection? (Choose two.)
A. zone protection profile

B. DoS protection profile and policy rules
C. flood protection
D. reconnaissance protection
Objective 4.5 Identify how the firewall can use the cloud DNS database to
control traffic based on domains.
See the Multi-Category and Risk-Based URL Filtering and the Real-Time Cloud DNS Signatures features in
the PAN-OS® 9.0 New Features Guide.
Objective 4.6 Identify how the firewall can use the PAN-DB database to control
traffic based on websites.
The majority of attacks and exposure to malicious content occurs during normal web browsing activities,
which means that all users must have safe, secure web access. PAN-DB is a global URL and IP database,
designed to fulfill an enterprise’s web security needs. URL filtering with PAN-DB automatically prevents
attacks that leverage the web as an attack vector, including phishing links in emails, phishing sites, HTTP-
based command and control, malicious sites, and pages that carry exploit kits.
Granular policy allows the prevention of downloads, the automation of warning messages, or the
restriction of access altogether. PAN-DB provides real-time protections from emerging attacks. PAN-DB
receives updates from WildFire® every five minutes to block malicious sites, in addition to other
advanced identification techniques.
PAN-DB is tightly integrated into PAN-OS® software, thus providing advanced persistent threat (APT)
protection with high performance beyond traditional URL filtering. Traditional URL filtering is intended
to control unwanted web surfing such as non-business or illegal sites, but it usually doesn’t cover up-to-
the-minute malicious websites such as newly discovered malware site, exploit site, or command-and-
control (C2) sites.

How PAN-DB Maximizes URL Lookup Performance
The following sections describe the components shown in the following figure.
PAN-DB Classification and Cache System
PAN-DB Core
The PAN-DB core, located in the Palo Alto Networks threat intelligence cloud, has a full URL and IP
database to cover web security needs.
Seed Database
When the PAN-DB is enabled on your firewalls, a subset of the full URL database is downloaded from the
Palo Alto Networks threat intelligence cloud to firewalls based on the selected geographic region. Each
region contains a subset of the URL database that includes URLs most accessed for the given region. This
regional subset of the URL database allows the firewalls to store a much smaller URL database, thus
greatly improving URL lookup performance. You also can download a seed database by region to each
firewall from the Panorama centralized management system.

Seed Database by Regions
Management Plane Cache
The seed database is placed into the management plane cache, which provides quick URL lookups. The
management plane cache will pull more URLs and categories from the PAN-DB core as users access sites
that are not currently in the management plane cache. Any URL requested by a user is “unknown” to
Palo Alto Networks will be examined, categorized, and implemented as appropriate.
Data-Plane Cache
A data-plane cache contains the most frequently accessed sites, which enables quicker URL lookups.
The Malicious URL database is delivered from WildFire.
Millions of URLs and IPs are classified in a variety of ways. The PAN-DB receives URLs and IP addresses
from the “Multi-language Classification Engine” and from “URL Change Requests from users.” The PAN-
DB also receives malicious URL and IP information from WildFire. Examples of malicious URL and the IP
database follow:
• Malware Download URL and IP address: Prevent from downloading malware
• C&C URL and IP address: Disable malware communications
The malicious URLs are generated as WildFire identifies unknown malware, zero-day exploits and APTs
by executing them in a virtual sandbox environment.
PAN-DB will block a malicious URL with low latency.
PAN-DB has a superior mechanism that increases the speed of URL lookups, which means that you will
get URL category information without sacrificing throughput.

The malicious URLs are generated as WildFire identifies unknown malware, zero-day exploits, and APTs,
and executes them in a virtual sandbox environment. The ongoing malicious URL updates to PAN-DB
allows you to block malware downloads and disable malware C2 communications.
Use the malicious URL database to block a variety of malicious web access and communication without
compromising web access performance.
Sample question
1. Which two types of attacks does the PAN-DB prevent? (Choose two.)
A. phishing sites
B. HTTP based command-and-control
C. infected JavaScript
D. flood attacks
Objective 4.7 Discuss how to control access to specific URLs using custom URL
filtering categories.
Custom URL Filtering Categories
Use the Custom URL Category page to create your custom list of URLs and use it in a URL filtering profile
or as a match criterion in policy rules. In a custom URL category, you can add URL entries individually or
import a text file that contains a list of URLs. URL entries added to custom categories are case-
insensitive.
Custom URL category settings are as follows:
• Name: Enter a name to identify the custom URL category (up to 31 characters in length). This
name displays in the category list when URL filtering policies are defined and in the match
criteria for URL categories in policy rules. The name is case-sensitive and must be unique. Use
only letters, numbers, spaces, hyphens, and underscores.
• Description: Enter a description for the URL category (up to 255 characters in length).
• Shared: Select this option if you want the URL category to be available to:
o Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the URL
category will be available only to the virtual system selected in the Objects tab.
o Every device group on Panorama. If you clear this selection, the URL category will be
available only to the device group selected in the Objects tab.
• Sites:

o Add: Click Add to enter URLs, only one in each row. Each URL can be in the format
“www.example.com” or can include wildcards (“*.example.com”). For additional
information about formats supported, go to Block List in Objects > Security Profiles > URL
Filtering.
o Import: Click Import and browse to select the text file that contains the list of URLs. Enter
only one URL per row. Each URL can be in the format “www.example.com” or can include
wildcards (“*.example.com”). For additional information about formats supported, go to
Block List in Objects > Security Profiles > URL Filtering.
o Export: Click Export to export the custom URL entries included in the list. The URLs are
exported as a text file.
• Delete: Select an entry and click Delete to remove the URL from the list. Before you can delete a
custom category that you have used in a URL filtering profile, you must set the action to None.
Go to Category actions in Objects > Security Profiles > URL Filtering.

Sample question
1. Which two valid URLs can be used in a custom URL category? (Choose two.)
A. ww.youtube.**
B. www.**.com
C. www.youtube.com
D. *.youtube.com
Exam Domain 5 – Identifying Users
Objective 5.1 Given a scenario, identify an appropriate method to map IP

addresses to usernames.
Today’s working environment is extremely dynamic. Users no longer are restricted to using just one
device, a computer, on the network. A user may be using a smartphone, tablet, desktop, and a laptop.
Each device is given an IP address dynamically by a DHCP server, which makes tracking the user difficult
and almost impossible to control. Use of a username is easier than use of an IP address to control and
log a user’s activity. The process of mapping a username to an IP address is called User-ID.

A user’s IP address constantly is changing because so many devices are used by users and laptops
provide so much mobility. Capture of that information often is difficult. The firewall needs to be able to
monitor multiple sources simultaneously.
For instance, a user’s cellphone usually is not in the corporate domain and doesn’t require the user to
log in to the domain. However, users often will have their corporate email on the phone. When the
phone checks for new email and authenticates with the Exchange server, the system can capture the IP
address from the logs.
The user could be using an iPad or Linux workstation that also is not on the domain. The firewall has a
service called Captive Portal that can be used to force the user to authenticate to use the internet. The
firewall then has the user’s name and IP address.
The system also has other ways to capture user information. The firewall can use server monitoring to
monitor the security logs on a Windows server for successful authentication events. Syslog monitoring
can be used with LDAP and Linux, among others.
For more information about the methods used to collect User-ID information, see the following
information:
• “User-ID” module in the EDU-110 and EDU-210 training, Firewall Essentials: Configuration and
Management
• User-ID in the PAN-OS Administrator’s Guide:
https://www.paloaltonetworks.com/documentation/81/pan-os/pan-os/user-id
Objective 5.2 Given a scenario, identify the appropriate User-ID agent to deploy.
User-ID has two agents that can be used to monitor the servers and gather the User-ID information. One
is the built-in agent inside the PAN-OS® firewall. The other agent is a Windows-based client that can be
installed on any Windows XP SP3 or higher system. Both agents have the same functionality. Several
factors can determine which agent to use.
An organization may choose to use the Windows agent if it has more than 100 domain controllers
because neither of the agents can monitor more than 100 domain controllers or 50 syslog servers.
Another reason to choose the Windows agent over the integrated PAN-OS agent is to save processing
cycles on the management plane.
However, if bandwidth is an issue, you may want to use the PAN-OS integrated agent because it
communicates directly with the servers, whereas the Windows agent communicates with the servers
and then communicates the User-ID information to the firewall so that it can update the firewall
database.
For more information about the different agents and how they are used, see the following information:
Management

Objective 5. 3 Identify how the firewall maps usernames to user groups.
Several options must be configured before User-ID can function. The server profile is the most important
item to configure. The server profile is used to connect the firewall to the server and retrieve a list of
usernames and groups.
The server profile will require different information, depending on what is used. The multiple types of
server profiles are as follows:
After the server profile is configured, the group mapping needs to be configured:

The administrator should select the server profile they configured earlier and complete the domain
settings. The Group Include List tab will show the available groups in the domain. The administrator can
choose which group to monitor and which ones to ignore:

For more information about the methods to map users and groups to collect User-ID information, see
the following information:
Management
Objective 5. 4 Given a graphic, identify User-ID configuration options.

User-ID uses multiple technologies to map IP addresses to usernames. The method that will be used
depends on the operating system, applications used in the organization, and network infrastructure
used within the company.
For instance, if the company is using an Aruba system, the XML API can be used to retrieve the
information from the Aruba system.
If the company is using Citrix or Microsoft terminal servers to deliver desktops to end users, then the
Terminal Services agent is used to retrieve the User-ID information. The Terminal Services agent needs
to be installed on the actual Citrix or Microsoft terminal server.
The system can use client probing to gather information from Windows clients. The User-ID agent will
send requests to the Windows client to identify the user that is logged in to the system.

For more information on the different agents and how they are used, see the following information:
Management

Exam Domain 6 – Deployment Optimization
Objective 6.1 Identify the benefits and differences between the Heatmap and
the BPA reports.
This section is being developed. For more information about Heatmap and BPA reports, see the module
“Next-Generation Security Practices” in the Firewall Essentials: Configuration and Management (EDU-
210) training.

Pcnsa Study Guide PDF

Uploaded by

Copyright:

Available Formats

Pcnsa Study Guide PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pcnsa Study Guide PDF

Uploaded by

Copyright:

Available Formats

What are the main components of the Palo Alto Networks Security Operating Platform?

What are the main components of the Palo Alto Networks Security Operating Platform?

What are some of the benefits of using the Heatmap and BPA reports?

What are some of the benefits of using the Heatmap and BPA reports?

PALO ALTO NETWORKS

© 2018 Palo Alto Networks, Inc.

Note that the content is in a draft state and may change.

©2018 Palo Alto Networks, Inc. 2

Prevent Successful Cyberattacks ............................................................................. 14

Focus on What Matters .............................................................................................. 15

Consume Innovations Quickly .................................................................................. 15

Network Security ........................................................................................................ 16

Advanced Endpoint Protection ............................................................................... 17

Cloud Security ..................................................................................................... 17

Cloud-Delivered Security Services .......................................................................... 18

©2018 Palo Alto Networks, Inc. 3

©2018 Palo Alto Networks, Inc. 4

©2018 Palo Alto Networks, Inc. 5

©2018 Palo Alto Networks, Inc. 6

©2018 Palo Alto Networks, Inc. 7

©2018 Palo Alto Networks, Inc. 8

©2018 Palo Alto Networks, Inc. 9

©2018 Palo Alto Networks, Inc. 10

©2018 Palo Alto Networks, Inc. 12

About This Document

Preliminary Score Report

©2018 Palo Alto Networks, Inc. 13

Prevent Successful Cyberattacks

Operate with ease using best practices.

©2018 Palo Alto Networks, Inc. 14

Focus on What Matters

Consume Innovations Quickly

Improve security effectiveness and efficiency with tightly integrated innovations.

©2018 Palo Alto Networks, Inc. 15

©2018 Palo Alto Networks, Inc. 16

Advanced Endpoint Protection

©2018 Palo Alto Networks, Inc. 17

Cloud-Delivered Security Services

©2018 Palo Alto Networks, Inc. 18

©2018 Palo Alto Networks, Inc. 19

©2018 Palo Alto Networks, Inc. 20

For more information, see https://www.paloaltonetworks.com/products/secure-the-

©2018 Palo Alto Networks, Inc. 21

For more information, see https://www.paloaltonetworks.com/products/secure-the-

©2018 Palo Alto Networks, Inc. 22

Application Framework and Logging Service

©2018 Palo Alto Networks, Inc. 23

©2018 Palo Alto Networks, Inc. 24

©2018 Palo Alto Networks, Inc. 25

1.2 Identify the components and operation of single-pass parallel processing

©2018 Palo Alto Networks, Inc. 26

Management and Data Planes

©2018 Palo Alto Networks, Inc. 27

©2018 Palo Alto Networks, Inc. 28

Exam Domain 1 – Palo Alto Networks Security Operating Platform

©2018 Palo Alto Networks, Inc. 29

©2018 Palo Alto Networks, Inc. 30

©2018 Palo Alto Networks, Inc. 32

©2018 Palo Alto Networks, Inc. 33