Planning & Core Concepts
PCNSE Overview
We are doing the PCNSE
• This exam will certify that the successful candidate has the knowledge and skills necessary to implement the Palo Alto Networks NGFW PAN-OS® 10.1 platform in any environment.
• Number of items: 75
• Collaborate in the Slack channel (invitations were sent today; check your spam folder)
• We will support each other and share what we learn
• Great place to discuss those ambiguous questions
• https://pcnse.slack.com
Palo Alto Networks product portfolio (slide content):
• ML-Powered Next-Generation Firewall: App-ID | User-ID | Content-ID | Device-ID
• Secure Access Service Edge: FWaaS | Secure Web Gateway | Zero Trust Network Access
• Extended Detection and Response: Endpoint Threat Prevention | Endpoint Detection & Response | Behavioral Analytics | Managed Detection & Response
• VM-Series (Virtual Next-Generation Firewall): App-ID | User-ID | Content-ID | Device-ID
• Cortex XSOAR (Extended Security Orchestration, Automation and Response): Security Orchestration, Automation & Response | Threat Intelligence Management
• Prisma Cloud (Cloud Native Security Platform): Cloud Security Posture Management | Cloud Workload Protection | Cloud Network Security | Cloud Infrastructure Entitlement Management
• CN-Series (Containerized Next-Generation Firewall): App-ID | User-ID | Content-ID | Device-ID
• Expanse (Attack Surface Management): Internet-Connected Asset Discovery & Mitigation
• Prisma SD-WAN (Next-Generation SD-WAN)
• Panorama
• Cybersecurity Services: DNS Security (DNS attack prevention) | Threat Prevention (exploit, malware and C2 prevention) | URL Filtering (malicious site and phishing prevention) | WildFire (malware prevention) | IoT Security (enterprise IoT security) | GlobalProtect (mobile user security) | SD-WAN (secure branch connectivity) | Data Loss Prevention (data protection and compliance) | Prisma SaaS (in-line and API SaaS application security)
© 2021 Palo Alto Networks, Inc. All rights reserved.
The PA-Series Portfolio
[Figure: PA-220, PA-220R, PA-400 Series, PA-800 Series, PA-3200 Series and PA-5200 Series, positioned from small branches and remote locations, through the network perimeter, to large data centers.]
[Figure: Prisma Cloud and CN-Series deployment (step 1: get endpoint information) across private cloud (Cisco ACI, Citrix NetScaler SDX, Kernel-based Virtual Machine (KVM)) and public cloud (Azure, AWS, GCP, Oracle, Alibaba), with endpoint groups (EPG) for web, app and DB tiers, a Kubernetes cluster running ordering and payments workloads protected by CN-Series NGFWs, and logs, reporting, policy and configuration flowing to central management.]
Prisma Cloud modules: Asset Inventory | Governance & Compliance | Data Security | Vulnerability Mgmt | Runtime Security | Application Security | Micro-Segmentation | IAM Governance | Machine Identity | Anomaly Detection | UEBA
Roadmap items shown on the slide (several marked “Next 6 months”):
• Comprehensive compliance and policy coverage across clouds
• Forensics and improved runtime security for Serverless
• Network anomaly detection
• Alibaba cloud support
• New IAM Governance module to enforce least privileged access
• Aporeto integration for zero trust network security and micro-segmentation
• AMI scanning
• New Data Security (DLP) module for data classification & malware detection
• Serverless auto-protect
[Figure: SD-WAN; Cortex XDR accelerates investigations by stitching data together to reveal root cause (example indicator shown: “Bad IP 1.1.1.1”); Cortex XSOAR provides orchestration and automation through automated playbooks.]
[Figure: PAN-OS single-pass architecture. App-ID: application protocol decoding, application protocol detection, application signatures, heuristics. Content-ID: data filtering, URL filtering, real-time threat prevention. Surrounding functions: L2/L3 networking, HA, configuration management, reporting, User-ID and decryption, policy engine.]
Combine with WildFire & URL Filtering: protected at every stage of the attack lifecycle, including from both known and unknown threats.
[Figure: WildFire multi-vector analysis of unknown scripts, archives, binaries and documents (static analysis, recursive analysis), with protections updated within seconds, globally; “Prevent Patient Zero with inline ML”; data from a partner ecosystem across network, endpoint and cloud. Callouts: data collected from a vast global community; analysis techniques far beyond traditional sandboxing; automated protection against multiple attack variants.]
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-plugins/plugins-types.html
Key Considerations?
Step #3) set deviceconfig system ip-address <ip> netmask <netmask> default-gateway <gw-ip> dns-setting servers primary <dns-ip>
Step #5) Device → Licenses → License Management → Activate feature using authorization code
Requirements
DNS Name Resolution
Management interface must have Internet Access
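Step 3 above is typed into the PAN-OS CLI by hand, and a mistyped gateway or netmask silently leaves the management interface unable to reach DNS or the licensing servers that the requirements list depends on. The following Python helper, added here as an example and not part of the original slides or of any Palo Alto Networks tool, assembles the step-3 command from its parameters and checks that the management IP, netmask and default gateway are consistent with each other before the command is pasted. The sample addresses are constructed from the RFC 5737 documentation range.

```python
import ipaddress


def build_mgmt_config_cmd(ip, netmask, gateway, dns_primary):
    """Return the step-3 PAN-OS CLI line for the management interface, after
    checking that the four addresses are consistent with each other.
    Raises ValueError with a specific message when they are not."""
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")  # accepts a dotted netmask
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    dns = ipaddress.ip_address(dns_primary)

    # The management IP must be a host address, not the network/broadcast address.
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{iface.ip} is the network or broadcast address of {net}")
    # The default gateway has to be a different host on the same subnet.
    if gw not in net:
        raise ValueError(f"default gateway {gw} is outside management subnet {net}")
    if gw == iface.ip:
        raise ValueError("default gateway must differ from the management IP")

    return (f"set deviceconfig system ip-address {iface.ip} netmask {net.netmask} "
            f"default-gateway {gw} dns-setting servers primary {dns}")


def mgmt_config_session(ip, netmask, gateway, dns_primary):
    """The CLI sequence for the step: enter configuration mode, apply the
    setting, commit. Returned as a list so it can be reviewed before pasting."""
    return ["configure", build_mgmt_config_cmd(ip, netmask, gateway, dns_primary), "commit"]


if __name__ == "__main__":
    # Constructed sample values (RFC 5737 documentation range), not a real deployment.
    for line in mgmt_config_session("192.0.2.10", "255.255.255.0", "192.0.2.1", "192.0.2.53"):
        print(line)
```

The DNS server itself cannot be validated offline; whether it answers over the management interface is exactly what the “Management interface must have Internet Access” requirement is about, so confirm that on the device after the commit.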
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/network/network-interfaces/aggregate-ethernet-ae-interface-group.html
Decryption Mirroring:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-concepts/decryption-mirroring.html
[Figure: decryption mirroring on a PA-5260]
Decryption Exclusions
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/decryption-exclusions.html
HA1 Communications
▪ The HA1 Control Link is used to exchange:
▪ Hellos
▪ Heartbeats
▪ HA state information
▪ Management plane sync for routing
▪ User-ID information
▪ Configuration changes, synchronized in both directions (active to passive or passive to active)
▪ The HA1 link is a Layer 3 link and requires an IP address; a next-hop gateway is supported
▪ Dedicated HA1 interfaces are considered “Out of Band” management-plane interfaces
▪ Routing protocols must converge, but forwarding may continue because the FIB is synchronized
HA distance vs latency between DCs
▪ Distance is not really the correct measure; latency is much more important.
▪ Latency:
▪ We “unofficially” recommend 20 ms or better for HA purposes between DCs.
▪ *80 ms to 120 ms have been reported by some SEs; their customers reported no issues.
▪ *These have not been validated and are not official recommendations.
▪ HA2’s session sync message size is 220 bytes + 42 bytes for the header (UDP/IP/Ethernet), so the total size is 262 bytes.
▪ So a sample calculation for a 1G HA2 link would be:
▪ 1 Gbps / (262 bytes × 8 bits/byte) ≈ 477K sessions/second
▪ This does not take into consideration any HA2 link/path monitoring or packet processing delay. A possible use case example:
▪ Assuming a 100 Mbps connection is available for HA, you’d be able to support one tenth of that, so around 47K sessions/sec.
▪ If sessions peak at 40K sessions/sec and the link is already 40% used, you will not be able to sync the peak sessions.
▪ The average of 20K sessions/sec would be OK with the link 40% used.
▪ This is just a rough estimate.
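The HA2 sizing above is a simple arithmetic model, but it is easy to get wrong under pressure (forgetting the 8 bits per byte, or forgetting that the link is already partly used). The following Python functions, added here as an example and not part of the original slides, carry the calculation through with the slide’s own figures (220 + 42 = 262 bytes per synchronised session), generalise it to any link speed and utilisation, and add the inverse question a practitioner usually asks: how much HA2 bandwidth a given peak session rate needs. Like the slide, it ignores link monitoring and processing delay.

```python
# Figures from the slide: 220-byte session sync message plus 42 bytes of
# UDP/IP/Ethernet header, so 262 bytes (2096 bits) per synchronised session.
SESSION_SYNC_PAYLOAD_BYTES = 220
SESSION_SYNC_HEADER_BYTES = 42
SESSION_SYNC_MESSAGE_BYTES = SESSION_SYNC_PAYLOAD_BYTES + SESSION_SYNC_HEADER_BYTES  # 262
BITS_PER_SESSION = SESSION_SYNC_MESSAGE_BYTES * 8  # 2096


def ha2_sessions_per_second(link_bps, utilization=0.0):
    """Sessions/second the HA2 link can sync once `utilization` (0.0-1.0) of it
    is already consumed by other traffic. Rounds down: a partial session
    message does not sync a session."""
    if not 0.0 <= utilization < 1.0:
        raise ValueError("utilization must be in [0, 1)")
    usable_bps = link_bps * (1.0 - utilization)
    return int(usable_bps // BITS_PER_SESSION)


def ha2_required_link_bps(sessions_per_second, utilization=0.0):
    """Inverse: raw link bandwidth needed to sync this session rate when the
    given share of the link is already in use."""
    if not 0.0 <= utilization < 1.0:
        raise ValueError("utilization must be in [0, 1)")
    return sessions_per_second * BITS_PER_SESSION / (1.0 - utilization)


def ha2_sync_check(link_bps, utilization, peak_sps, average_sps):
    """The slide's worked check: can the link sync the peak and the average
    session rate, and what link would the peak actually need?"""
    capacity = ha2_sessions_per_second(link_bps, utilization)
    return {
        "capacity_sps": capacity,
        "peak_ok": peak_sps <= capacity,
        "average_ok": average_sps <= capacity,
        "link_bps_needed_for_peak": ha2_required_link_bps(peak_sps, utilization),
    }


if __name__ == "__main__":
    print(ha2_sessions_per_second(1_000_000_000))            # 1G link, idle
    print(ha2_sessions_per_second(100_000_000))              # 100M link, idle
    print(ha2_sync_check(100_000_000, 0.40, 40_000, 20_000))  # the slide's scenario
```

With the slide’s numbers the check reports roughly 28.6K sessions/second of headroom on a 40%-utilised 100 Mbps link, so the 40K peak fails and the 20K average passes; the inverse function shows the 40K peak would need close to 140 Mbps at that utilisation.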
HA Active/Passive
HA Active/Passive:
If the active firewall fails for any reason, the passive firewall becomes
active automatically with no loss of service.
A failover can also occur if selected Ethernet links fail or if the active
firewall cannot reach one or more of the specified destinations.
▪ Session synchronization is performed with the passive firewall over the HA2
interface.
▪ If the active firewall fails, then the passive firewall detects the loss of heartbeats
and automatically becomes active.
Active/Passive
▪ Initial – initializing (state during bootup).
▪ Active – Processes all traffic.
▪ Passive – Backs up active device.
▪ Non-functional – Device in recovery from path, link, or task
failure.
▪ Suspended – Administrative suspend.
HA Active/Active
Session owner HA A/A
▪ Responsible for:
▪ All packet processing for App-ID and Content-ID.
▪ Processing for App-ID is often referred to as “completing L7 inspection”. This is when the App engine inspects the data.
▪ The packet is scanned for threats (if configured in the security policy) and forwarded according to the device’s networking configuration.
▪ Maintaining state for App-ID and Content-ID.
▪ Traffic logs appear on the session owner’s device.
▪ Options:
▪ Primary device.
▪ If the configuration option is set to “primary device,” all sessions are set up on the primary device.
▪ First packet.
▪ The device that receives the first packet of a session is the session owner.
▪ If Layer 7 inspection is not required for the session (fast path / L4 app override):
▪ The receiving device matches the packet against an existing session table entry and forwards it towards its final destination.
HA Active/Active – States
Active/Active
▪ Initial – initializing (state during bootup).
▪ Active-Primary – processing traffic and acting as the primary device (handling User-ID communications, floating IP addresses and DHCP server/relay).
▪ Active-Secondary – processing traffic, backs up Active-Primary.
▪ Tentative – firewall failure or path/link monitor failure; the firewall relinquishes virtual addresses and session ownership.
▪ Non-affected L3 interfaces stay up and continue participating in routing and packet forwarding, utilizing the HA3 interface.
▪ Non-functional – mismatched A/A settings, HA3 link down or task failure.
▪ Suspended – administrative suspend.
HA backup links
Backup Links
▪ Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2.
▪ Consider the following guidelines when configuring backup HA links:
▪ The IP addresses of the primary and backup HA links must not overlap each other.
▪ HA backup links must be on a different subnet than the primary HA links.
▪ HA1-backup and HA2-backup links must be configured on separate physical ports. The HA1-backup link uses ports 28770 and 28260.
▪ HA3 – use an aggregate Ethernet (AE) interface for redundancy.
HA Deployment Examples
HA Active/Passive vwire – firewall redundancy only
HA Active/Passive vwire – fully redundant network
HA Active/Passive L3
HA Active/Active vwire
HA Active/Active L3
HA Transition States
HA State Transitions – Active/Passive
[Figure: four state diagrams covering the Active/Passive states Active, Passive, Non-functional and Suspended. Transition triggers shown:]
• Passive → Suspended: manual suspension
• Passive → Non-functional: link failure, dataplane failure, mismatched major PAN-OS version
• Active → Passive: preemption by the passive firewall; re-establishing the connection (following split brain) to the higher-priority device
• Active → Non-functional: link/path failure, dataplane failure, mismatched major PAN-OS version
• Active → Suspended: manual suspension, flaps exceeded
• Non-functional → Suspended: manual suspension, flaps exceeded
• Suspended → Passive: state transition (return to functional state)
Exam Domain #1
Planning & Core Concepts
Continued
1.6 Plan User-ID deployment.
1.6.1 Identify the methods of building user to IP mappings.
The User-ID feature of the Palo Alto Networks NGFW enables you to create policy rules and
perform reporting based on users and groups rather than on individual IP addresses.
User-ID seamlessly integrates Palo Alto Networks firewalls with a range of enterprise directory
and terminal services offerings, thus enabling you to associate application activity and policy
rules to users and groups, not just IP addresses.
Furthermore, with User-ID enabled, the Application Command Center (ACC), App Scope,
reports, and logs all include usernames in addition to user IP addresses.
Today’s working environment is extremely dynamic. Users are no longer restricted to a single device, a computer, on the network. A user may be using a smartphone, a tablet, a desktop and a laptop. Each device is given an IP address dynamically by a DHCP server, which makes tracking the user difficult and almost impossible to control.
Using a username is easier than using an IP address to control and log a user’s activity. Mapping a username to an IP address is the function of User-ID. A user’s IP address is constantly changing because users have so many devices and laptops provide so much mobility. Capturing that information is often difficult, so the firewall needs to be able to monitor multiple sources simultaneously.
• Authentication policy and Captive Portal: The User-ID agent sometimes cannot map an IP address to a username using any of the methods described. In these cases, you can use an Authentication policy and Captive Portal, whereby any web traffic (HTTP or HTTPS) that matches an Authentication policy rule forces the user to authenticate via one of the following three Captive Portal authentication methods:
• Web Form: Uses multi-factor authentication, SAML single sign-on, Kerberos, TACACS+, RADIUS, LDAP, or local authentication
• GlobalProtect: Mobile users have an application running on their endpoint for which they must enter login credentials for VPN access to the firewall. The login information is used for User-ID mapping. GlobalProtect is the most recommended method to map device IP addresses to usernames.
• XML API: The PAN-OS XML API is used in cases where standard user mapping methods might not work, such as third-party VPNs or 802.1X-enabled wireless networks.
• Client Probing: Used in a Microsoft Windows environment where the User-ID agent probes client systems using Windows Management Instrumentation (WMI) and/or NetBIOS. Client Probing is not a recommended method for user mapping.
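The XML API method above is the one an integrator writes code for: an external system (a third-party VPN concentrator, a NAC, a wireless controller) tells the firewall which user is behind which IP address and for how long. The following Python example, added here and not part of the original slides or of Palo Alto Networks’ own tooling, builds the User-ID update document the firewall accepts (login entries with a timeout, logout entries without one) and then applies it to an offline model of the IP-to-user mapping table so the timeout and logout behaviour can be seen without a firewall. The usernames and addresses are constructed samples; the 45-minute fallback timeout is an assumption, documented in the code.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

DEFAULT_TIMEOUT_MIN = 45  # assumed fallback when a login entry carries no timeout


def build_uid_message(logins, logouts=()):
    """Build the <uid-message> document for a PAN-OS User-ID update.
    `logins` is an iterable of (username, ip, timeout_minutes);
    `logouts` is an iterable of (username, ip)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    logins, logouts = list(logins), list(logouts)
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip, timeout in logins:
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(int(timeout)))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


class MappingTable:
    """Offline model of the firewall's IP-to-user mapping table: a login entry
    creates or refreshes a mapping that expires after its timeout, a logout
    entry removes the mapping immediately."""

    def __init__(self):
        self._entries = {}  # ip -> (username, expiry datetime)

    def apply(self, uid_xml, now):
        root = ET.fromstring(uid_xml)
        if root.tag != "uid-message" or root.findtext("type") != "update":
            raise ValueError("not a uid-message update")
        for e in root.iterfind("./payload/login/entry"):
            minutes = int(e.get("timeout", DEFAULT_TIMEOUT_MIN))
            self._entries[e.get("ip")] = (e.get("name"), now + timedelta(minutes=minutes))
        for e in root.iterfind("./payload/logout/entry"):
            self._entries.pop(e.get("ip"), None)

    def lookup(self, ip, now):
        """Username currently mapped to `ip`, or None if unmapped or expired."""
        rec = self._entries.get(ip)
        if rec is None:
            return None
        user, expiry = rec
        if now >= expiry:
            del self._entries[ip]  # stale mapping: treat the IP as unknown again
            return None
        return user


if __name__ == "__main__":
    # Constructed sample: alice logs in from a VPN pool address, bob logs out.
    msg = build_uid_message([("acme\\alice", "10.1.1.10", 20)], [("acme\\bob", "10.1.1.11")])
    print(msg)
    table = MappingTable()
    t0 = datetime(2021, 1, 1, 9, 0)
    table.apply(msg, t0)
    print(table.lookup("10.1.1.10", t0))                          # acme\alice
    print(table.lookup("10.1.1.10", t0 + timedelta(minutes=25)))  # None (expired)
```

To deliver the document to a real firewall the integrator sends it as the `cmd` parameter of an XML API request with `type=user-id` and an API key; that network call is deliberately left out so the block runs offline. The timeout matters for policy: a mapping that outlives the user’s session lets the next holder of that DHCP or VPN address inherit the user’s policy, so keep it short and send explicit logouts when the source knows about them.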
The different methods of user mapping, continued.
User-ID has two agents that can be used to monitor the servers and gather the User-ID information. One is the built-in agent, called the integrated agent, inside the PAN-OS firewall. The other is a Windows-based agent that, for PAN-OS 8.0 and later, can be installed on any Windows Server 2008 or later system. Both agents have the same functionality. Several factors can determine which agent to use.
An organization might choose to use the Windows agent if it has more than 100 domain controllers, because neither type of agent can monitor more than 100 domain controllers or 50 syslog servers. Another reason to choose the Windows agent over the integrated PAN-OS agent is to save processing cycles on the firewall’s management plane.
However, if network bandwidth is an issue, you might want to use the PAN-OS integrated agent, because it communicates directly with the servers, whereas the Windows agent communicates with the servers and then sends the User-ID information to the firewall so that it can update the firewall database.
Every firewall that enforces user-based policy requires user mapping information. In a
large-scale network, instead of configuring all your firewalls to directly query the mapping
information sources, you can streamline resource usage by configuring some firewalls to
collect mapping information through redistribution.
Redistribution also enables the firewalls to enforce user-based policies when users rely on
local sources for authentication (such as regional directory services) but need access to
remote services and applications (such as global data center applications).
The Data Redistribution feature allows a firewall to be a source of IP user mappings, among
other types of data, for any device that is configured to communicate with the agent service
of that source firewall or via Panorama.
You can enable a firewall or virtual system to serve as a data distribution agent that
redistributes user mapping information along with the timestamps associated with
authentication challenges. Simply configure the Data Redistribution settings to create an
agent that will communicate with any firewalls or other devices to share local information.
To map IP addresses to usernames, User-ID agents monitor sources such as directory servers. The agents send the user mappings to firewalls, Log Collectors, or Panorama. Each appliance can then serve as a redistribution point that forwards the mappings to other firewalls, Log Collectors, or Panorama. Before a firewall or Panorama can collect user mappings, you must configure its connections to the User-ID agents or redistribution points.
The following are best practices for group mapping in an Active Directory (AD)
environment:
• If you have a single domain, you need only one group mapping configuration with an LDAP server profile
that connects the firewall to the domain controller with the best connectivity. You can add up to four domain
controllers to the LDAP server profile for redundancy. Note that you cannot increase redundancy beyond four
domain controllers for a single domain by adding multiple group mapping configurations for that domain.
• If you have multiple domains and/or multiple forests, you must create a group mapping configuration with
an LDAP server profile that connects the firewall to a domain server in each domain/forest. Take steps to
ensure unique usernames in separate forests.
• If you have Universal Groups, create an LDAP server profile to connect to the root domain of the Global Catalog server on port 3268 (or 3269 for SSL), then create another LDAP server profile to connect to the root domain controllers on port 389. This helps ensure that user and group information is available for all domains and subdomains.
• Before using group mapping, configure a Primary Username for user-based security policies, since this
attribute will identify users in the policy configuration, logs, and reports.
Group Mapping
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/user-id/user-id-concepts/group-mapping
Authentication Policy
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/authentication/authentication-policy.html
You may also have cloud-based services and want internet traffic to flow directly from the branch office to the cloud using direct internet access (DIA). Use of DIA can prevent SaaS, web browsing, or bandwidth-heavy applications from having to flow from the branch office to the hub, to the cloud and back.
https://sd-wan.cloudgenix.com/rs/911-KCN-503/images/CloudGenix_Five%20Requirements%20For%20SDWAN_WP.pdf
1.9.1 Identify functions that reside on the management plane.
• Configuration management
• Logging
• Reporting functions
• Routing Protocols
• Policy enforcement
• Network processor
• Flow control
• Session management
• QoS
When decryption is performed correctly, it enhances security: it prevents adversaries from misusing encrypted traffic to attack your organization. If you follow best practices, decryption gives you the visibility you require into all traffic while at the same time protecting you from adversaries that hide threats in encrypted tunnels.
By default, traffic that hits the default policies is not written to the traffic logs.
Make sure you create policies and attach a log forwarding profile to them. If you have Panorama, send the logs there; if not, your SIEM of choice will do. Either way, remember to do it so you can extend how far back you can see the logs.
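Both points above (the default rules log nothing unless told to, and every rule that does log should forward somewhere with longer retention than the firewall itself) are easy to check mechanically in a configuration export. The following Python audit, added here as an example and not part of the original slides or of any Palo Alto Networks tool, walks a constructed vsys rulebase fragment shaped like a PAN-OS config export, flags rules with both log-start and log-end off, flags rules that log but carry no log forwarding profile, and reports a predefined default rule as unlogged when it has never been overridden. The element names (`log-start`, `log-end`, `log-setting`, `default-security-rules`) follow PAN-OS configuration XML; the defaults assumed for missing elements (logging on for ordinary rules, off for the two predefined default rules) are stated in the comments.

```python
import xml.etree.ElementTree as ET

# Constructed vsys rulebase fragment in the shape of a PAN-OS config export.
SAMPLE_VSYS_XML = """
<entry name="vsys1">
  <rulebase>
    <security>
      <rules>
        <entry name="allow-web">
          <action>allow</action>
          <log-end>yes</log-end>
          <log-setting>to-panorama</log-setting>
        </entry>
        <entry name="allow-dns">
          <action>allow</action>
          <log-start>no</log-start>
          <log-end>no</log-end>
        </entry>
        <entry name="allow-ntp">
          <action>allow</action>
          <log-end>yes</log-end>
        </entry>
      </rules>
    </security>
    <default-security-rules>
      <rules>
        <entry name="intrazone-default">
          <log-end>yes</log-end>
          <log-setting>to-panorama</log-setting>
        </entry>
      </rules>
    </default-security-rules>
  </rulebase>
</entry>
"""

# The two predefined rules every vsys has; they do not log unless overridden.
PREDEFINED_DEFAULT_RULES = ("intrazone-default", "interzone-default")


def _check_rule(rule, name, default_log_end):
    """Findings for one rule element. `default_log_end` is what a missing
    <log-end> means: assumed 'yes' for ordinary rules, 'no' for default rules."""
    log_start = (rule.findtext("log-start") or "no").strip()
    log_end = (rule.findtext("log-end") or default_log_end).strip()
    if log_start != "yes" and log_end != "yes":
        return [(name, "logging disabled")]
    if not (rule.findtext("log-setting") or "").strip():
        return [(name, "no log forwarding profile")]
    return []


def audit_rule_logging(vsys_xml):
    """Return (rule name, problem) pairs for every rule whose traffic would
    either never be logged or be logged only on the firewall's local disk."""
    root = ET.fromstring(vsys_xml)
    findings = []
    for rule in root.iterfind("./rulebase/security/rules/entry"):
        findings.extend(_check_rule(rule, rule.get("name"), default_log_end="yes"))
    for name in PREDEFINED_DEFAULT_RULES:
        rule = root.find(f"./rulebase/default-security-rules/rules/entry[@name='{name}']")
        if rule is None:
            findings.append((name, "logging disabled (predefined default, never overridden)"))
        else:
            findings.extend(_check_rule(rule, name, default_log_end="no"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_rule_logging(SAMPLE_VSYS_XML):
        print(f"{name}: {problem}")
```

On the sample the audit reports allow-dns (no logging at all), allow-ntp (logs locally but is never forwarded) and interzone-default (never overridden, so denied interzone traffic leaves no trace). Running the same function over a real `show config` export, after extracting the vsys entry, gives the list of rules to fix before relying on the SIEM for investigations.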