
PCNSE Bootcamp v10.1

Planning & Core Concepts
PCNSE Overview
We are doing the PCNSE

3 | © 2021 Palo Alto Networks, Inc. All rights reserved.


Overview
• The PCNSE is a formal, third-party proctored certification that indicates in-depth knowledge to design, install, configure, maintain, manage and troubleshoot implementations based on the Palo Alto Networks platform.

• This exam will certify that the successful candidate has the knowledge and skills necessary to implement the Palo Alto Networks NGFW PAN-OS® 10.1 platform in any environment.

• The exam covers topics related to PAN-OS® software, Panorama, GlobalProtect, and other aspects of the Palo Alto Networks network security platform that a firewall administrator needs to know to design, install, configure, maintain, and troubleshoot the vast majority of Palo Alto Networks implementations. This exam does not cover Aperture, Traps, or AutoFocus.

• More information is available from Palo Alto Networks at: https://www.paloaltonetworks.com/services/education/certification.html



Exam Details

Certification Name: Palo Alto Networks Certified Network Security Engineer
Delivered through Pearson VUE: www.pearsonvue.com/paloaltonetworks
Exam Series: PCNSE
Seat Time: 80 minutes
Number of items: 75
Format: Multiple Choice, Scenarios with Graphics, and Matching
Content is divided into 5 Knowledge Domains



Bootcamps are Normally a 40+ Hour Weeklong Activity
PCNSE is a valuable certification – you're making an investment in your career. This course was developed to provide a guided self-study approach.

• Attend the sessions
  • LEAN-MEAN-STUDY-MACHINE = only way to pass in one class cycle (5 sessions)
  • Some of you will simply want to attend the class multiple times

• Study during the week – use the links in the presentation
  • Even if outdated, there’s a point to reviewing the links – the basics don’t change

• Do Some Objective Thinking
  • Ask yourself – what question could they ask about this?
  • Compare and Contrast where possible – think use case

• Complete the practice exams
  • Don’t just guess the right answer
  • Why are the other answers wrong?
  • Why is one answer better than another?
  • Note: some of the practice questions are ambiguous

• Collaborate in the Slack Channel (invitations were sent today – check your spam folder)
  • We will support each other and share what we learn
  • Great place to discuss those ambiguous questions
  • https://pcnse.slack.com

• Build some Familiarity with Where Things are at in the GUI
  • Dashboard, ACC, Policy, Objects, Network, Device (& Panorama) Tabs

PCNSE YouTube Channel


We stream Zoom sessions on YouTube Live
https://www.youtube.com/channel/UCmLLiVYaHYie29AT-hb48lA
Subscribe!



Exam Domain #1
Planning & Core Concepts
1.1 Identify the security components of PAN-OS and
how they work together
1.1.1 Identify the Security Components
The Palo Alto Networks cybersecurity portfolio is organized into three offerings: Strata for enterprise security, Prisma for cloud security, and Cortex for
security operations. The following sections describe how they work together to address some of the world’s greatest security challenges.

Slide panels: Secure the Enterprise (Strata) | Secure the Cloud (Prisma) | Secure the Future (Cortex)



Palo Alto Networks Portfolio

Strata
• PA-Series – ML-Powered Next-Generation Firewall: App-ID | User-ID | Content-ID | Device-ID
• VM-Series – Virtual Next-Generation Firewall: App-ID | User-ID | Content-ID | Device-ID
• CN-Series – Containerized Next-Generation Firewall: App-ID | User-ID | Content-ID | Device-ID
• Panorama – Firewall Management

Prisma
• Prisma Access – Secure Access Service Edge: FWaaS | Secure Web Gateway | Zero Trust Network Access
• Prisma Cloud – Cloud Native Security Platform: Cloud Security Posture Management | Cloud Workload Protection | Cloud Network Security | Cloud Infrastructure Entitlement Management
• Prisma SD-WAN – Next-Generation SD-WAN: SD-WAN

Cortex
• Cortex XDR – Extended Detection and Response: Endpoint Threat Prevention | Endpoint Detection & Response | Behavioral Analytics | Managed Detection & Response
• Cortex XSOAR – Extended Security Orchestration, Automation and Response: Security Orchestration, Automation & Response | Threat Intelligence Management
• Expanse – Attack Surface Management: Internet-Connected Asset Discovery & Mitigation
• Crypsis – Cybersecurity Services: Data Breach Response | Cyber Risk & Resilience Management | Incident Response Services

Cloud-Delivered Security Services (aka Content-ID)
• DNS Security – DNS Attack Prevention
• Threat Prevention – Exploit, Malware, C2 Prevention
• URL Filtering – Malicious Site & Phishing Prevention
• WildFire – Malware Prevention
• IoT Security – Enterprise IoT Security
• GlobalProtect – Mobile User Security
• SD-WAN – Secure Branch Connectivity
• Data Loss Prevention – Data Protection & Compliance
• Prisma SaaS – In-line & API SaaS Application Security

The PA-Series Portfolio

Hardware models shown on the slide, from smallest to largest: PA-220, PA-220R, PA-400 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-5450 Series, PA-7000 Series. The slide positions them along a scale from small branches and remote locations, through the network perimeter, to large data centers.



VM-Series NGFW
Security Where you need it When you Need it

Private Cloud
● Cisco ACI
● Citrix NetScaler SDX
● Kernel-based Virtual Machine (KVM)
● Microsoft Hyper-V
● OpenStack
● VMware ESXi
● VMware NSX
● VMware vCloud Air

Public Cloud
● Azure
● AWS
● GCP
● Oracle
● Alibaba



CN-Series (Containerized NGFW)
CN-Series provides comprehensive security for containerized applications by running a CN-Series NGFW on each node of a Kubernetes (K8s) cluster.

Inbound: container-level protection against break-ins
East-West: prevent lateral propagation within container clusters
Outbound: stop data exfiltration with container context



Panorama
Centralized Configuration, Visibility, Logging

Diagram elements: Prisma Access, Cortex Data Lake, public cloud, NGFW, mobile users, branch and HQ, with arrows labelled Logs, Configuration, Policy and Reporting between them and Panorama.



Prisma Cloud
Comprehensive Cloud Native Security. Full Lifecycle, For Any Cloud

Visibility, compliance and governance: Asset Inventory | Governance & Compliance | Data Security
Compute security: Vulnerability Mgmt | Runtime Security | Application Security
Network protection: Micro-Segmentation | Network Anomaly Detection
Identity security: IAM Governance | Machine Identity | UEBA

Last 6 months:
• DevSecOps enablement through IaC scanning during build & deploy
• Comprehensive compliance and policy coverage across clouds
• Twistlock Integration with Prisma Cloud
• Forensics and improved runtime security for Serverless
• CNAF (Layer 7 Firewall) for Serverless
• User behavior analytics to detect account compromises
• Network anomaly detection

Next 6 months:
• Alibaba cloud support
• AMI Scanning
• New Data Security (DLP) module for data classification & malware detection
• Serverless Auto-protect
• New IAM Governance module to enforce least privileged access
• Aporeto Integration for zero trust network security and micro-segmentation
• Improved automated remediation



Prisma Access & Prisma SD-WAN (AKA CloudGenix)
The Industry’s Most Comprehensive SASE

Security as a Service Layer: FWaaS | ZTNA | Cloud SWG | CASB | DLP, IoT, RBI...
Network as a Service Layer: SD-WAN
Connecting Branch/Retail, Home and Mobile users to SaaS, Public Cloud, Internet and HQ/Data Center


Cortex XDR Detects and Investigates Sophisticated Attacks

• Automatically detect attacks using rich data and cloud-based behavioral analytics
• Accelerate investigations by stitching data together to reveal root cause
• Tightly integrate with enforcement points to stop threats and adapt defenses

Diagram: Cortex XDR sits on top of Cortex Data Lake, which collects from Network, Endpoint and Cloud.



Cortex XSOAR Automates Security Workflows

• Alert sources (the slide shows a “Bad IP” alert) and external threat intel feeds flow into XSOAR, which offers 350+ integrations
• Orchestration & Automation: automated playbooks; unify threat feeds with incident alerts; enrich every tool and process; take automated action with confidence
• Real-time collaboration | Case management across the security analyst, threat analyst, ticketing system, IT admin, firewall admin and CSO
1.1.2 Identify the NGFW Components
Traffic Processing Sequence

PACKET FLOW SEQUENCE IN PAN-OS


https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081
Single-Pass Security Processing

● Conventional traffic inspection tools “daisy-chain” protections, creating inefficiencies and visibility gaps
● Single-Pass Security Processing efficiently evaluates traffic and enforces security policy
● This unique capability makes the approach to preventing threats unique

Single-pass architecture diagram:
Management plane: L2/L3 Networking, HA, Config Management, Reporting
App-ID: Application Protocol Decoding, Application Protocol Detection & Decryption, Application Signatures, Heuristics
User-ID
Policy Engine
Content-ID: Data Filtering, URL Filtering, Real Time Threat Prevention



1.1.3 Identify Panorama Components



1.1.4 Understand the PAN-OS Subscriptions & the Features they Enable

Threat Prevention Eliminates Known Threats

Vulnerability Protection: detect and block exploitation
Anti-Virus Protection: based on content, not hash
Command & Control Protection: research grade signatures

Combine with WildFire & URL Filtering: protected at every stage of the attack lifecycle, including from both known and unknown threats



URL Filtering Protection - PAN-DB

Provides protection from both known and unknown threats based on PAN-DB classification. Inline and real time.



Detect and Prevent New Threats with WildFire Malware Analysis

Analysis techniques (Multi-Vector Recursive analysis): Bare metal analysis, Machine learning, Dynamic unpacking, Dynamic analysis, Network traffic profiling, Static analysis
Unknowns analyzed: Web, Malware, URLs, DNS, C2, Flash, Scripts, Archive, Binaries, Documents
Sources: Network, Endpoint, Cloud, Partner Ecosystem

• Data collected from a vast global community
• Analysis techniques far beyond traditional sandboxing
• Automated protection against multiple attack variants
• Protections updated within seconds, globally
• Prevent Patient Zero with inline ML



DNS Security

• Blocks known bad domains
• Stops malicious DNS traffic with ML and predictive analytics
• Integration with NGFW means it cannot be bypassed

Data sources: WildFire Analysis, Passive DNS, URL Filtering, Honeynets, Unit 42, Whois



AutoFocus



1.1.5 Understand plug-in Components

Palo Alto Networks plug-ins manage the communication between Panorama and/or NGFW and external systems.

In the diagram (Panorama plug-in: 1- Get Endpoints Information; 2- Push DAG to Firewalls) the plug-in is managing the communication with a Cisco ACI APIC, learning endpoint groups (EPGs) such as Web, App and DB and pushing them to the firewalls as dynamic address groups (DAGs).

In public cloud use cases the plug-in manages the communication between a VM-Series NGFW and the public cloud provider’s management interface API.

https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-plugins/plugins-types.html



1.2 Differentiate between deployment
considerations of virtual form factors
1.2.1 Understand public cloud virtual firewall deployment considerations



1.2.2 Understand hybrid cloud virtual firewall deployment considerations

Key Considerations?

• Where and how will the VM-Series NGFWs get their signature licensing and signature updates?
• What if the Panorama is onsite instead of in the cloud? What are the implications?
• Should the Internet be leveraged as an Out-of-Band management network?



1.2.3 Understand private cloud virtual firewall deployment considerations

Step #1) Gather IP, netmask, gateway, DNS server + authcode
Step #2) Console Access
Step #3) set deviceconfig system ip-address <ip> netmask <netmask> default-gateway <gw-ip> dns-setting servers primary <dns-ip>
Step #4) commit
Step #5) Device → Licenses → License Management → Activate feature using authorization code

Requirements
DNS Name Resolution
Management interface must have Internet Access



1.3 Determine appropriate interface types for
various environments
Types of Interfaces

Palo Alto Networks firewalls support several different interface types: TAP mode, virtual wire mode, Layer 2, Layer 3, and aggregate. A single firewall can freely intermix interface types to meet any integration need. The decision about which interface configuration to choose depends on functional need and existing network integration requirements.

1.3.1 Leverage Layer 2 interfaces

1.3.2 Leverage Layer 3 interfaces

1.3.3 Leverage vWire interfaces

1.3.4 Leverage Tap interfaces

1.3.5 Leverage vWire sub-interfaces


1.3.6 Leverage Tunnel Interfaces

PAN-OS site-to-site VPN uses a route-based approach: a tunnel interface is used to establish VPN connectivity, and traffic is routed through the tunnel via routes that point to the tunnel interface.



1.3.7 Leverage Aggregate Interfaces

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-interfaces/aggregate-ethernet-ae-interface-group.html

1.3.8 Leverage Loopback Interfaces

Loopback Interface Uses
• Router-ID
• NAT Tricks
• DNS sinkhole Destinations
• GP Service Interfaces



1.3.9 Leverage Decrypt Mirror Interfaces

How to Configure Decrypt Mirror:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGDCA0

Decryption Mirroring:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring.html



1.4 Identify decryption deployment strategies
1.4.1 Understand the risks and implications of enabling decryption

Slide panels: Massive Risks with SSL Decryption | Reasons to Deploy Decryption



1.4.2 Identify what cannot be decrypted

Device → Certificate Management → SSL Decryption Exclusion



1.4.3 Understand the impact to the hardware of enabling decryption

PA-5260



1.4.4 Identify use cases and configure SSH proxy



1.4.5 Identify uses of decryption profiles



1.4.6 Understand the impact of using SSL decryption



1.4.7 References

Keys and Certificates for Decryption Policies
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/keys-and-certificates-for-decryption-policies.html

Keys and Certificates
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/certificate-management/keys-and-certificates.html

How Palo Alto Networks identifies https applications without decryption
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVSCA0

Decryption Exclusions
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-exclusions.html



1.5 Understand how to insert the firewall within a
larger security stack
1.5.1 Identify the main use cases of decryption broker



Special Topic
Byron Inahara
NGFW High Availability
HA Communications

HA1 Communications
▪ The HA1 Control Link is used to exchange:
  ▪ Hellos
  ▪ Heartbeats
  ▪ HA state information
  ▪ Management plane sync for routing
  ▪ User-ID information
  ▪ Configuration changes, synchronized in both directions (active to passive or passive to active)
▪ The HA1 link is a Layer 3 link and requires an IP address; a next-hop gateway is supported
▪ Dedicated HA1 interfaces are considered “Out of Band” Management Plane
▪ Ports used for HA1
  ▪ TCP ports 28769 and 28260 for clear text communication
  ▪ TCP port 28 for encrypted communication (SSH over TCP)
HA2 Communications
Data Link
▪ The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between devices in an HA pair. Data flow on the HA2 link is always unidirectional (except for the HA2 keep-alive); it flows from the active device to the passive device. The HA2 link is a Layer 2 link, and it uses ethertype 0x7261 by default.
▪ Ports used for HA2: the HA data link can be configured to use either IP (protocol number 99) or UDP (port 29281) as the transport, and thereby allow the HA data link to span subnets.
▪ HA2 does not support ae interfaces
HA Monitoring

▪ Link Monitoring (data plane)
  ▪ Monitored in real time
  ▪ Interrupt driven; a failure will cause failover immediately
▪ Path Monitoring (data plane)
  ▪ User customizable for ping interval and number of pings
  ▪ Defaults to 2000 ms (200 ms x 10 ping counts)
  ▪ Minimum setting 200 ms x 3 ping counts = 600 ms
▪ Internal Packet Path Health Monitoring (both)
  ▪ 3 pings per second
  ▪ Missed for 20 seconds means failure -> Non-Functional Mode
  ▪ Attempts to self repair with DP restarts and device restarts -> Maintenance Mode
HA Architecture – Failover Behavior

▪ Newly active device:
  ▪ Assumes VMAC and IP via Gratuitous ARP.
  ▪ The gratuitous ARP is only sent for the interface IPs.
  ▪ This is not performed for any destination NAT IPs.
▪ Sessions continue with basic session match
  ▪ Layer 7 state is not synched between A/P or A/A firewalls
▪ Routing protocols must converge, but routing may continue as the FIB is synched
HA distance vs Latency Between DC’s
▪ Distance is not really the correct measure; latency is much more important.
▪ Latency:
  ▪ We “unofficially” recommend 20ms or better for HA purposes between DC’s.
  ▪ *80ms to 120ms have been reported by some SE’s; their customers reported no issues.
  ▪ *These have not been validated and are not official recommendations.
▪ Bandwidth issues affecting HA quality, reliability and available bandwidth:
  ▪ Not enough bandwidth between DC’s for HA2/HA3 can affect sync/transmit.
  ▪ You can run into dropped packets and/or race conditions.
  ▪ If dark fiber isn’t used, it will also depend on things like noise, jitter, phase errors, etc. that can corrupt and delay packets.
▪ Reports of other types of DC to DC connections for HA traffic:
  ▪ MPLS network.
  ▪ VPN connections.
▪ For HA A/A HA3:
  ▪ Requires a L2 (jumbo frame enabled) connection for all platforms using revenue/dp interfaces.
  ▪ L1 for PA-3200, PA-5200 and PA-7k platform HSCI.
▪ It’s not as easy as quoting a distance number.


HA1 and HA2 Traffic Calculation Estimates
▪ HA1 has minimal traffic and is used for hellos, heartbeats and configuration synching.
  ▪ The amount of traffic is minimal compared with HA2.
  ▪ HA1 traffic must get through or failover will happen.
  ▪ Remember that if HA1 heartbeats and hellos can’t get through, it’ll split brain.
▪ HA2’s session sync message size is 220 bytes + 42 bytes for the header (UDP/IP/Ethernet), so the total size is 262 bytes.
  ▪ So a sample calculation for a 1G HA2 link would be:
    ▪ 1 Gbps / (262 bytes x 8 bits/byte per session) ≈ 477K sessions/second
  ▪ This does not take into consideration any HA2 link/path monitoring or packet processing delay.
▪ Possible use case example:
  ▪ Assuming a 100 Mbps connection for HA is available, you’d be able to support 1/10th of that, so around 47K sessions/sec.
  ▪ If the sessions peak at 40K sessions/sec and the link is 40% used, you’ll not be able to synch the peak sessions.
  ▪ The average 20K sessions/sec would be OK if the link is 40% used.
  ▪ This is just a rough estimate.
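A small calculator for the two figures in this special topic, the path-monitoring failure detection time (ping interval x ping count) and the HA2 session-sync capacity, as an added example that is not Palo Alto Networks code. It uses only the numbers stated on the slides (200 ms x 10 default, 200 ms x 3 minimum, 262-byte sync message); the function names are assumptions, as is the reading of "the link is 40% used" as 40% of the link already consumed by other traffic.

```python
"""HA path-monitoring timing and HA2 sync-capacity estimates (added example,
not Palo Alto Networks code). Figures come from the bootcamp slides."""

HA2_SYNC_MESSAGE_BYTES = 220 + 42      # session payload + UDP/IP/Ethernet header, per slide
PATH_MONITOR_MIN_INTERVAL_MS = 200      # minimum ping interval quoted on the slide
PATH_MONITOR_MIN_COUNT = 3              # minimum ping count quoted on the slide


def path_monitor_failure_detection_ms(interval_ms: int = 200, count: int = 10) -> int:
    """Time until path monitoring declares the path down: interval x ping count.
    Defaults are the slide's 200 ms x 10 = 2000 ms; values below the slide's
    minimums (200 ms x 3 = 600 ms) are rejected."""
    if interval_ms < PATH_MONITOR_MIN_INTERVAL_MS:
        raise ValueError(f"ping interval below minimum of {PATH_MONITOR_MIN_INTERVAL_MS} ms")
    if count < PATH_MONITOR_MIN_COUNT:
        raise ValueError(f"ping count below minimum of {PATH_MONITOR_MIN_COUNT}")
    return interval_ms * count


def ha2_sessions_per_second(link_bps: float, fraction_in_use: float = 0.0) -> int:
    """Sessions per second an HA2 link can sync, given the link speed in bit/s
    and the fraction of the link already consumed by other traffic (assumption:
    only the remainder is available for session sync). Like the slide, this
    ignores HA2 link/path monitoring overhead and packet-processing delay."""
    if not 0.0 <= fraction_in_use < 1.0:
        raise ValueError("fraction_in_use must be in [0, 1)")
    available_bps = link_bps * (1.0 - fraction_in_use)
    return int(available_bps // (HA2_SYNC_MESSAGE_BYTES * 8))


def can_sync_rate(sessions_per_sec: int, link_bps: float, fraction_in_use: float = 0.0) -> bool:
    """True when a new-session rate fits within the HA2 link's remaining capacity."""
    return sessions_per_sec <= ha2_sessions_per_second(link_bps, fraction_in_use)


if __name__ == "__main__":
    print("default path-monitor detection:", path_monitor_failure_detection_ms(), "ms")
    print("1G HA2 link:", ha2_sessions_per_second(1e9), "sessions/s")
    print("100M link, 40% in use, 40K peak fits?", can_sync_rate(40_000, 100e6, 0.40))
    print("100M link, 40% in use, 20K average fits?", can_sync_rate(20_000, 100e6, 0.40))
```

Running it reproduces the slide's figures: about 477K sessions/s on a 1G link, about 47.7K on 100 Mbps, and with 40% of the 100 Mbps link already in use the 40K/s peak does not fit while the 20K/s average does.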
HA Active/Passive

HA Active/Passive:

In the active/passive configuration, two devices form an HA group to provide redundancy. The two firewalls mirror each other in configuration.

If the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service.

A failover can also occur if selected Ethernet links fail or if the active firewall cannot reach one or more of the specified destinations.

From a traffic processing perspective, at most one device receives packets at any one time.

Note: In an HA pair, both firewalls must be the same model and have the same licenses.
HA Active/Passive:
The following rules apply to HA operation and failover:

▪ The active firewall continuously synchronizes its configuration using HA1.
▪ Session synchronization is performed with the passive firewall over the HA2 interface.
▪ If the active firewall fails, then the passive firewall detects the loss of heartbeats and automatically becomes active.
▪ If the configuration synchronization is lost, heartbeats are lost (HA1). Both devices determine that the other is down, and both become active (Split brain condition).
▪ You can configure the management ports on the HA devices to provide a backup path for heartbeat and hello messages using the heartbeat backup configuration option.
HA Active/Passive – States

Active/Passive
▪ Initial – initializing (state during bootup).
▪ Active – Processes all traffic.
▪ Passive – Backs up active device.
▪ Non-functional – Device in recovery from path, link, or task
failure.
▪ Suspended – Administrative suspend.
HA Active/Active
Session owner HA A/A
▪ Responsible for:
▪ All packet processing for App-ID and Content-ID.
▪ Processing for App-ID is often referred to as “completing L7 inspection”. This is
when the App-engine inspects the data.
▪ Packet is scanned for threats (if configured in security policy) and forwarded
according to device’s networking configuration
▪ Maintaining state for App-ID and Content-ID
▪ Traffic logs appear on the session owner’s device.

▪ Options:
▪ Primary device.
▪ If the configuration option is set to “primary device,” all sessions are set up on
the primary device.
▪ First packet.
▪ The device that receives the first packet of a session is the session owner.

▪ Layer 7 inspection is not required for the session (fast path/L4 app override):
▪ The receiving device matches the session with an existing session table entry
and forwards the packet towards its final destination.
HA Active/Active – States

Active/Active
▪ Initial – initializing (state during bootup).
▪ Active-Primary – processing traffic and acting as the primary device (handling
user-ID comms, floating ip and DHCP server/relay).
▪ Active-Secondary – processing traffic, backs up Active-Primary.
▪ Tentative – firewall failure, path or link monitor failure, relinquish virtual addresses,
and session ownership.
▪ Non-affected L3 interfaces will stay up and continue participating in routing
and packet forwarding utilizing the HA3 interface.
▪ Non-functional – mismatched A/A settings, HA3 link down or task failure.
▪ Suspended – Administrative suspend.
HA backup links

Backup Links
▪ Provide redundancy for the HA1 and the HA2 links. In-band ports are used as
backup links for both HA1 and HA2.
▪ Consider the following guidelines when configuring backup HA links
▪ The IP addresses of the primary and backup HA links must not overlap
each other.
▪ HA backup links must be on a different subnet than the primary HA
links.
▪ HA1-backup and HA2-backup ports must be configured on separate physical
ports. The HA1-backup link uses port 28770 and 28260.
▪ HA3 – Use ae interface for redundancy.
HA Deployment Examples
HA Active\Passive vwire firewall redundancy only
HA Active\Passive vwire full redundant network
HA Active\Passive L3
HA Active\Active vwire
HA Active\Active L3
HA Transition States

HA State Transitions – Active/Passive

From Initial:
• Initial -> Active: state transition
• Initial -> Passive: state transition
• Initial -> Suspended: manual suspension
• Initial -> Non-functional: link failure, dataplane failure, mismatched major PAN-OS version

From Active:
• Active -> Passive: preemption by passive; re-establish connection (following split brain) to higher priority device
• Active -> Non-functional: link/path failure, dataplane failure, mismatched major PAN-OS version
• Active -> Suspended: manual suspension, flaps exceeded

From Passive:
• Passive -> Active: preempt active device; active changes state
• Passive -> Non-functional: link failure, dataplane failure, mismatched major PAN-OS version
• Passive -> Suspended: manual suspension, flaps exceeded

From Non-functional:
• Non-functional -> Active: active failed due to dataplane failure
• Non-functional -> Passive: state transition
• Non-functional -> Suspended: manual suspension
Exam Domain #1
Planning & Core Concepts
Continued
1.6 Plan User-ID deployment.
1.6.1 Identify the methods of building user to IP mappings.

User-ID and Mapping Users

The User-ID feature of the Palo Alto Networks NGFW enables you to create policy rules and
perform reporting based on users and groups rather than on individual IP addresses.

User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory
and terminal services offerings, thus enabling you to associate application activity and policy
rules to users and groups, not just IP addresses.

Furthermore, with User-ID enabled, the Application Command Center (ACC), App Scope,
reports, and logs all include usernames in addition to user IP addresses.



Mapping IP Addresses to Usernames

Today’s working environment is extremely dynamic. Users no longer are restricted to using
just one device, a computer, on the network. A user may be using a smartphone, tablet,
desktop, and a laptop. Each device is given an IP address dynamically by a DHCP server,
which makes tracking the user difficult and almost impossible to control.

Use of a username is easier than use of an IP address to control and log a user’s activity. The
process of mapping a username to an IP address is the function of User-ID. A user’s IP address
constantly is changing because so many devices are used by users, and laptops provide so
much mobility. Capture of that information often is difficult. The firewall needs to be able to
monitor multiple sources simultaneously.



The different methods of user mapping are as follows:

• Server Monitoring: A Windows-based User-ID agent, or the built-in PAN-OS integrated User-ID agent inside the PAN-OS firewall, monitors Security Event logs for successful login and logout events on Microsoft domain controllers, Exchange Servers, or Novell eDirectory servers.

• Port mapping: For Microsoft Terminal Services or Citrix environments, users might share the same IP address. To overcome this issue, the Palo Alto Networks Terminal Services agent must be installed on the Windows or Citrix terminal server. The Terminal Services Agent uses the source port of each client connection to map each user to a session. Linux terminal servers do not support the Terminal Services agent and must use the XML API to send user mapping information from login or logout events to User-ID.

• Syslog: The Windows-based User-ID agent and the PAN-OS integrated User-ID agent use Syslog Parse Profiles to interpret login and logout event messages that are sent to syslog servers from devices that authenticate users. Such devices include wireless controllers, 802.1x devices, Apple Open Directory servers, proxy servers, and other network access control (NAC) devices.

• XFF headers: If a proxy server exists between users and a firewall, the firewall might see the source IP address of the proxy server instead of the original source IP address of the host that originated the traffic. Most proxy servers have a feature that allows forwarding of the original source IP address of the host to the firewall within an XFF header. Use of the original client source IP address enables the firewall to map the IP address to a username.
The different methods of user mapping Continued.

• Authentication policy and Captive Portal: The User-ID agent sometimes cannot map an IP address to a
username using any of the methods described. In these cases, you can use an Authentication policy and
Captive Portal, whereby any web traffic (HTTP or HTTPS) that matches an Authentication policy rule forces
the user to authenticate via one of the following three Captive Portal authentication methods:

• Browser Challenge: Uses Kerberos or NT LAN Manager (NTLM)

• Web Form: Uses multi-factor authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP, or
local authentications

• Client certificate authentication

• GlobalProtect: Mobile users have an application running on their endpoint for which they must enter login
credentials for VPN access to the firewall. The login information is used for User-ID mapping. GlobalProtect is
the most recommended method to map device IP addresses to usernames.

• XML API: The PAN-OS XML API is used in cases where standard user mapping methods might not work,
such as third-party VPNs or 802.1x-enabled wireless networks.

• Client Probing: Used in a Microsoft Windows environment where the User-ID agent probes client systems
using Windows Management Instrumentation (WMI) and/or NetBIOS. Client Probing is not a recommended
method for user mapping.
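A toy IP-address-to-username mapping table in the spirit of User-ID, added here as an example that is not Palo Alto Networks code, to show two of the mapping sources above in action: syslog login/logout events interpreted by a regex standing in for a Syslog Parse Profile, and the original client address recovered from an XFF header. The syslog line format, the device names, the addresses and the class and method names are all constructed for the example. The XFF half also shows the check a practitioner wants: the header is only honoured when it arrives from a known proxy, and the list is read from the proxy-appended end, since anything a client writes into XFF itself is untrusted.

```python
"""Toy IP-to-username mapping (added example, not Palo Alto Networks code)."""
import ipaddress
import re
import time
from typing import Callable, Dict, Optional, Set, Tuple

# Constructed sample syslog lines; the message format is hypothetical and
# stands in for what a wireless controller or NAC device might emit.
SAMPLE_SYSLOG = [
    "Jan 10 09:12:01 wlc01 auth: User=alice@corp.example Client-IP=10.1.20.15 Event=login",
    "Jan 10 09:13:44 wlc01 auth: User=bob@corp.example Client-IP=10.1.20.16 Event=login",
    "Jan 10 10:05:09 wlc01 auth: User=alice@corp.example Client-IP=10.1.20.15 Event=logout",
]

# The "parse profile": named groups for username, client address and event type.
EVENT_RE = re.compile(
    r"User=(?P<user>\S+)\s+Client-IP=(?P<ip>[0-9.]+)\s+Event=(?P<event>login|logout)"
)


class UserIdMapper:
    def __init__(self, timeout_s: int = 45 * 60, clock: Callable[[], float] = time.time):
        self.timeout_s = timeout_s          # mappings age out, like a User-ID timeout
        self.clock = clock                  # injectable for testing
        self._table: Dict[str, Tuple[str, float]] = {}

    def ingest_syslog(self, line: str) -> Optional[str]:
        """Apply the parse regex; a login adds a mapping, a logout removes it.
        Returns the affected IP, or None if the line did not match."""
        m = EVENT_RE.search(line)
        if m is None:
            return None
        ip, user = m.group("ip"), m.group("user")
        if m.group("event") == "login":
            self._table[ip] = (user, self.clock())
        else:
            self._table.pop(ip, None)
        return ip

    @staticmethod
    def client_ip_from_xff(peer_ip: str, xff: str, trusted_proxies: Set[str]) -> Optional[str]:
        """Recover the original client address from an X-Forwarded-For header.
        Only honoured when the connecting peer is a trusted proxy; the list is
        walked right to left past known proxies so a client-supplied leftmost
        entry is never preferred over what the trusted proxy observed."""
        if peer_ip not in trusted_proxies:
            return None
        for hop in reversed([h.strip() for h in xff.split(",") if h.strip()]):
            if hop in trusted_proxies:
                continue
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                return None          # malformed entry: refuse to map it
            return hop
        return None

    def lookup(self, ip: str) -> Optional[str]:
        """Username for an IP, or None if unknown or the mapping has timed out."""
        entry = self._table.get(ip)
        if entry is None:
            return None
        user, seen = entry
        if self.clock() - seen > self.timeout_s:
            del self._table[ip]
            return None
        return user


def demo() -> Dict[str, Optional[str]]:
    """Feed the constructed events through the mapper and return the lookups."""
    mapper = UserIdMapper()
    for line in SAMPLE_SYSLOG:
        mapper.ingest_syslog(line)
    return {ip: mapper.lookup(ip) for ip in ("10.1.20.15", "10.1.20.16")}


if __name__ == "__main__":
    print(demo())
    trusted = {"10.0.0.4", "10.0.0.5"}   # constructed proxy addresses
    print(UserIdMapper.client_ip_from_xff("10.0.0.5", "192.0.2.99, 10.1.20.16, 10.0.0.4", trusted))
```

After the three events alice's mapping is gone (logout) and bob's remains; the XFF call returns 10.1.20.16, the address the trusted proxy saw, not the 192.0.2.99 the client wrote into the header itself.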


1.6.2 Differentiate User-ID agents.

Identifying User-ID Agent to Deploy

User-ID has two agents that can be used to monitor the servers and gather the User-ID information. One is the built-in agent, called the integrated agent, inside the PAN-OS firewall. The other agent is a Windows-based client that, for PAN-OS 8.0 and later, can be installed on any Windows Server 2008 or later system. Both agents have the same functionality. Several factors can determine which agent to use.

An organization might choose to use the Windows agent if it has more than 100 domain
controllers because neither type of agent can monitor more than 100 domain controllers or
50 syslog servers. Another reason to choose the Windows agent over the integrated PAN-OS
agent is to save processing cycles on the firewall’s management plane.

However, if network bandwidth is an issue, you might want to use the PAN-OS integrated
agent because it communicates directly with the servers, whereas the Windows agent
communicates with the servers and then communicates the User-ID information to the
firewall so that it can update the firewall database.



1.6.3 Identify the methods of User-ID redistribution.

Methods of User-ID Redistribution

Every firewall that enforces user-based policy requires user mapping information. In a
large-scale network, instead of configuring all your firewalls to directly query the mapping
information sources, you can streamline resource usage by configuring some firewalls to
collect mapping information through redistribution.

Redistribution also enables the firewalls to enforce user-based policies when users rely on
local sources for authentication (such as regional directory services) but need access to
remote services and applications (such as global data center applications).

The Data Redistribution feature allows a firewall to be a source of IP user mappings, among
other types of data, for any device that is configured to communicate with the agent service
of that source firewall or via Panorama.

User-ID Continued

User-ID Table Sharing

You can enable a firewall or virtual system to serve as a data distribution agent that
redistributes user mapping information along with the timestamps associated with
authentication challenges. Simply configure the Data Redistribution settings to create an
agent that will communicate with any firewalls or other devices to share local information.

User-ID Table Consumption

To map IP addresses to usernames, User-ID agents monitor sources such as directory servers.
The agents send the user mappings to firewalls, Log Collectors, or Panorama. Each appliance
can then serve as a redistribution point that forwards the mappings to other firewalls, Log
Collectors, or Panorama. Before a firewall or Panorama can collect user mappings, you must
configure its connections to the User-ID agents or redistribution points.

Use Case Example

1.6.4 Identify the methods for group mapping.

The following are best practices for group mapping in an Active Directory (AD)
environment:

• If you have a single domain, you need only one group mapping configuration with an LDAP server profile
that connects the firewall to the domain controller with the best connectivity. You can add up to four domain
controllers to the LDAP server profile for redundancy. Note that you cannot increase redundancy beyond four
domain controllers for a single domain by adding multiple group mapping configurations for that domain.

• If you have multiple domains and/or multiple forests, you must create a group mapping configuration with
an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to
ensure unique usernames in separate forests.

• If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global
Catalog server on port 3268 (or 3269 for SSL), then create another LDAP server profile to connect to the root
domain controllers on port 389. This helps ensure that user and group information is available for all
domains and subdomains.

• Before using group mapping, configure a Primary Username for user-based security policies, since this
attribute will identify users in the policy configuration, logs, and reports.

References

For more information on mapping users to groups:
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/user-id/map-users-to-groups.html

For more information on group mapping settings, refer to:
https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/user-identification/device-useridentification-group-mapping-settings

Group Mapping:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/group-mapping

1.7 Identify the purpose of captive portal, MFA, and the authentication policy.

1.7.1 Identify the purpose of and use case for MFA and the Authentication policy.

MFA and Authentication Policy

You can configure multi-factor authentication (MFA) to ensure that each user authenticates
using multiple methods (factors) when they access highly sensitive services and applications.
For example, you can force users to enter a login password and then enter a verification code
that they receive by phone before allowing access to important financial documents. This
approach helps prevent attackers from accessing every service and application in your
network just by stealing passwords.

For end-user authentication via Authentication policy, the firewall integrates directly with
several MFA platforms (e.g., Duo v2, Okta Adaptive, PingID, and RSA SecurID) and integrates
through RADIUS with other MFA platforms.

1.7.2 Identify the dependencies for implementing MFA.

Dependencies for Implementing MFA

Before you can use MFA to protect sensitive services and applications, you must configure
several settings in the Palo Alto Networks firewall.

MFA is triggered when a user requests access to a service that appears in traffic that the
firewall processes.

The traffic is first evaluated against the Authentication policy rules. When a match is found,
the authentication action of the matching rule is taken.

The following figure shows the relationship of the required objects to
configure the Authentication policy rule.

References

Configuration of base Captive Portal:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/map-ipaddresses-to-usernames-using-captive-portal/configure-captive-portal.html

Configure Multi-Factor Authentication:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/configure-multi-factorauthentication.html

Map IP Addresses to Usernames Using Captive Portal:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/map-ip-addresses-to-users/map-ipaddresses-to-usernames-using-captive-portal.html

Authentication Policy:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy.html

1.8 Summarize the components of Palo Alto Networks SD-WAN deployments

1.8.1 Identify requirements for a PAN-OS SD-WAN deployment.

Deploying Distributed Networking Using SD-WAN

SD-WAN is a technology that enables you to use multiple internet services and private
services to create an intelligent and dynamic WAN.

The SD-WAN plugin is integrated with PAN-OS, which provides you with the security features
of a PAN-OS firewall combined with SD-WAN functionality.

You can install the SD-WAN plugin on the Panorama management server. Panorama provides
the means to centrally configure and manage your firewalls and SD-WAN environment.
Panorama enables you to change and monitor your network configuration from a centralized
location rather than configure and monitor each firewall individually.

You can configure and manage your SD-WAN environment from the Panorama web interface
or the Panorama REST API.

Before you deploy your SD-WAN environment, you should determine the role of each firewall,
either hub or branch, and determine which branches will communicate with which hubs.
Branches and hubs that will communicate with each other are functionally grouped into a
VPN cluster.

You also may have cloud-based services and want internet traffic to flow directly from the
branch office to the cloud using direct internet access (DIA). Use of DIA prevents SaaS, web
browsing, or heavy-bandwidth applications from having to flow from the branch office to the
hub, to the cloud, and back.

Initial Planning

Planning is a critical part of deploying your SD-WAN environment. In your SD-WAN
configuration, you must configure one or more VPN clusters to determine which branch offices
will communicate with which hub.

A VPN creates a secure connection between the branch and hub devices. VPN clusters are a
logical grouping of devices, and you should consider geographical location or function when
you group your devices.

1.8.2 Identify requirements for a Prisma SD-WAN deployment.

Reference whitepaper on the five requirements for SD-WAN:
https://sd-wan.cloudgenix.com/rs/911-KCN-503/images/CloudGenix_Five%20Requirements%20For%20SDWAN_WP.pdf

Activate and Launch Prisma SD-WAN:
https://docs.paloaltonetworks.com/prisma/prisma-sd-wan/prisma-sd-wan-admin/get-started-with-prismasd-wan/activate-and-launch-prisma-sd-wan.html

1.9 Differentiate between the management plane and data plane

1.9.1 Identify functions that reside on the management plane.

Palo Alto Networks maintains the separation between the management plane and the data
plane to protect system resources.

Every Palo Alto Networks firewall assigns at least these functions to the management plane:

• Configuration management

• Logging

• Reporting functions

• User-ID agent process

• Routing protocols

The management network and console connector terminate directly on this plane.

On the PA-7000 Series firewalls, dedicated log collection and processing is implemented on a
separate card.

The following figure provides an overview of the PA-7000 Series architecture:

1.9.2 Identify functions that reside on the data plane.

The following functions are assigned to the data plane:

• Signature match processor

• All Content-ID and App-ID services

• Security processors

• Encryption and decryption

• Compression and decompression

• Policy enforcement

• Network processor

• Flow control

• Session management

• QoS

• ARP

• Route

• MAC lookup

• NAT

The data plane connects directly to the traffic interfaces. As more computing capability is
added to more powerful firewall models, the management planes and data planes gain other
functionality as required, sometimes implemented on dedicated cards.

Several core functions gain field-programmable gate arrays (FPGAs) or custom
application-specific integrated circuits (ASICs) for flexible high-performance processing.
Additional management plane functions might include the following:

• First packet processing

• Switch fabric management

1.9.3 Scope the impact of using SSL decryption.

When decryption is performed correctly, it enhances security. It prevents adversaries from misusing
encrypted traffic to attack your organization. If you follow best practices, decryption will give you
the visibility you require into all traffic. At the same time, decryption will also protect you from
adversaries that hide threats in encrypted tunnels.

References

SSL Decryption Series: The Security Impact of HTTPS Interception:
https://blog.paloaltonetworks.com/2018/10/ssl-decryption-series-security-impact-https-interception/

Size the Decryption Firewall Deployment:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/prepare-to-deploy-decryption/size-the-decryption-firewall-deployment

1.9.4 Scope the impact of turning logs on for every security policy.

By default, traffic that matches the default policies is not written to the Traffic log.

Make sure you create policies and attach a log forwarding profile to them. If you have
Panorama, send the logs there; if not, a SIEM of your choice will do. Either way, remember to
do this so you can extend how long the logs remain available.
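The two gaps above (rules that do not log at all, and rules that log but forward nowhere) can be checked mechanically against a configuration export. The script below is an added example, not code from this deck or from Palo Alto Networks; it assumes the element names of PAN-OS XML exports (`log-start`, `log-end`, `log-setting` for the forwarding profile, and the predefined rules under `default-security-rules`), and the sample config it audits is constructed for the example.

```python
"""Audit a PAN-OS config export for security rules that do not log or forward.

Added example, not from the bootcamp deck or Palo Alto Networks; it assumes the
element names of PAN-OS XML exports (<log-start>, <log-end>, <log-setting>).
"""
import xml.etree.ElementTree as ET

# Constructed sample, not a real export; intrazone-default never had logging enabled.
SAMPLE_CONFIG = """<config><rulebase>
  <security><rules>
    <entry name="allow-web"><action>allow</action>
      <log-end>yes</log-end><log-setting>to-panorama</log-setting></entry>
    <entry name="allow-dns"><action>allow</action><log-end>yes</log-end></entry>
    <entry name="quiet-allow"><action>allow</action><log-end>no</log-end></entry>
  </rules></security>
  <default-security-rules><rules>
    <entry name="intrazone-default"><action>allow</action></entry>
    <entry name="interzone-default"><action>deny</action>
      <log-end>yes</log-end><log-setting>to-panorama</log-setting></entry>
  </rules></default-security-rules>
</rulebase></config>"""

RULE_PATHS = (".//rulebase/security/rules/entry",
              ".//rulebase/default-security-rules/rules/entry")


def audit_logging(config_xml):
    """Return (rule name, finding) pairs for every rule with a logging gap.

    Flags rules that log neither session start nor end, and rules that log but
    carry no log forwarding profile. A missing <log-end> counts as "no", which
    is the state of the predefined default rules until you override them.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for path in RULE_PATHS:
        for rule in root.findall(path):
            name = rule.get("name")
            logs = any(rule.findtext(tag, "no") == "yes"
                       for tag in ("log-start", "log-end"))
            if not logs:
                findings.append((name, "no session logging"))
            elif rule.findtext("log-setting") is None:
                findings.append((name, "no log forwarding profile"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_logging(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```

Run against a real export, the same function lists every rule whose sessions would never reach Panorama or your SIEM.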
