Pcnsa Study Guide PAN OS v11.0 1

Palo Alto Networks Certified Network
Security Administrator
(PCNSA)
Study Guide
Jan 2023
Palo Alto Networks Certified Network Security Administrator (PCNSA) | Study Guide
Table of Contents
How to Use This Study Guide 6
About the PCNSA Exam 6

Exam Format 6
How to Take This Exam 7
Disclaimer 7
Audience and Qualifications 7

Intended Audience 7
Skills Required 7
Competencies Required 7
Recommended Training 7
Domain 1: Device Management and Services 8

1.1 Demonstrate the knowledge of firewall management interfaces 8
1.1.1 Management interfaces 8
1.1.2 Methods of access 8
1.1.3 Access restrictions 11
1.1.4 Identity-management traffic flow 13
1.1.5 Management services 13
1.1.6 Service routes 15
1.1.7 References 17
1.2 Provision local administrators 17
1.2.1 Authentication profile 17
1.2.2 Authentication sequence 19
1.2.3 Reference 20
1.3 Assign role-based authentication 20
1.4 Maintain firewall configurations 20
1.4.1 Running configuration 21
1.4.2 Candidate configuration 22
1.4.3 Discern when to use load, save, import, and export 22
1.4.4 Differentiate between configuration states 22
1.4.5 Backup Panorama configurations and firewalls from Panorama 26
1.4.6 References 27
1.5 Push policy updates to Panorama-managed firewalls 27
1.5.1 Device groups and hierarchy 27
1.5.2 Where to place policies 28
1.5.3 Implications of Panorama management 30
1.5.4 Impact of templates, template stacks, and hierarchy 31
1.5.5 References 33
1.6 Schedule and install dynamic updates 34
Palo Alto Networks Certified Network Security Administrator (PCNSA) | Study Guide 2
1.6.1 From Panorama 34
1.6.2 From the firewall 35
1.6.3 Scheduling and staggering updates on an HA pair 36
1.6.4 References 42
1.7 Create and apply security zones to policies 42
1.7.1 Identify zone types 42
1.7.2 External types 42
1.7.3 Layer 2 42
1.7.4 Layer 3 43
1.7.5 Tap 43
1.7.6 VWire 44
1.7.7 Tunnel 45
1.7.8 References 45
1.8 Identify and configure firewall interfaces 46
1.8.1 Different types of interfaces 46
1.8.2 How interface types affect Security policies 46
1.8.3 References 49
1.9 Maintain and enhance the configuration of a virtual or logical router 49
1.9.1 Steps to create a static route 49
1.9.2 How to use the routing table 50
1.9.3 What interface types can be added to a virtual or logical router 51
1.9.4 How to configure route monitoring 51
1.10 Sample Questions 52
Domain 2: Managing Objects 57

2.1 Create and maintain address and address group objects 57
2.1.1 How to tag objects 57
2.1.2 Differentiate between address objects 57
2.1.3 Static groups versus dynamic groups 58
2.1.4 References 59
2.2 Create and maintain services and service groups 59
2.2.1 References 62
2.3 Create and maintain external dynamic lists 62
2.3.1 References 63
2.4 Configure and maintain application filters and application groups 63
2.4.1 When to use filters versus groups 63
2.4.2 The purpose of application characteristics as defined in the App-ID database 66
2.4.3 References 67
Domain 3: Policy Evaluation and Management 69

3.1 Develop the appropriate application-based Security policy 69
3.1.1 Create an appropriate App-ID rule 69
3.1.2 Rule shadowing 69
3.1.3 Group rules by tag 70
3.1.4 The potential impact of App-ID updates to existing Security policy rules 71
3.1.5 Policy usage statistics 71
3.1.6 References 71
3.2 Differentiate specific security rule types 71
3.2.1 Interzone 72
3.2.2 Intrazone 73
3.2.3 Universal 73
3.2.4 References 73
3.3 Configure security policy match conditions, actions, and logging options 74
3.3.1 Application filters and groups 74
3.3.2 Logging options 74
3.3.3 App-ID 75
3.3.4 User-ID 76
3.3.5 Device-ID 77
3.3.6 Application filter in policy 78
3.3.7 Application group in policy 78
3.3.8 EDLs 78
3.3.9 References 79
3.4 Identify and implement proper NAT policies 79
3.4.1 Destination 79
3.4.2 Source 80
3.4.3 References 81
3.5 Optimize Security policies using appropriate tools 81
3.5.1 Policy test match tool 81
3.5.2 Policy Optimizer 82
3.5.3 References 83
Domain 4: Securing Traffic 86

4.1 Compare and contrast different types of Security profiles 86
4.1.1 Antivirus 86
4.1.2 Anti-Spyware 86
4.1.3 Vulnerability Protection 86
4.1.4 URL Filtering 87
4.1.5 WildFire Analysis 87
4.1.6 Reference 88
4.2 Create, modify, add, and apply the appropriate Security profiles and groups 88
4.2.1 Antivirus 89
4.2.2 Anti-Spyware 90
4.2.3 Vulnerability Protection 90
4.2.4 URL Filtering 90
4.2.5 WildFire Analysis 91
4.2.6 Configure Threat Prevention policy 91
4.2.7 References 92
4.3 Differentiate between Security profile actions 92
4.3.1 Reference 94
4.4 Use information available in logs 94
4.4.1 Traffic 94
4.4.2 Threat 94
4.4.3 Data 95
4.4.4 System logs 95
4.4.5 Reference 96
4.5 Enable DNS Security to control traffic based on domains 96
4.5.1 Configure DNS Security 96
4.5.2 Apply DNS Security in policy 96
4.5.3 References 98
4.6 Create and deploy URL-filtering-based controls 99
4.6.1 Apply a URL profile in a Security policy 99
4.6.2 Create a URL Filtering profile 99
4.6.3 Create a custom URL category 102
4.6.4 Control traffic based on a URL category 103
4.6.5 Why a URL was blocked 104
4.6.6 How to allow a blocked URL 104
4.6.7 How to request a URL recategorization 105
4.6.8 References 107
4.7 Differentiate between group mapping and IP-to-user mapping within policies and logs
108
4.7.1 How to control access to specific locations 108
4.7.2 How to apply to specific policies 108
4.7.3 Identify users within the ACC and the monitor tab 109
4.7.4 References 109
Appendix A: Sample Questions with Answers 111
Continuing Your Learning Journey with Palo Alto Networks 120
How to Use This Study Guide
Welcome to the Palo Alto Networks Certified Security Administrator Study Guide. The purpose of
this guide is to help you prepare for your PCNSA: Palo Alto Networks Certified Security
Administrator exam and achieve your PCNSA certification.
You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.
About the PCNSA Exam

The PCNSA certification validates the knowledge and skills required for network security
administrators responsible for deploying and operating Palo Alto Networks Next-Generation
Firewalls (NGFWs). PCNSA certified individuals have demonstrated knowledge of the Palo Alto
Networks NGFW feature set and in the Palo Alto Networks product portfolio core components.
More information is available from the Palo Alto Networks public page at:
https://www.paloaltonetworks.com/services/education/palo-alto-networks-certified-network-securit
y-administrator
PCNSA technical documentation is located at:

https://beacon.paloaltonetworks.com/student/collection/668330-palo-alto-networks-certified-netwo
rk-security-administrator-pcnsa?sid=997e3b6e-0839-4c30-a393-e134fbad744a&sid_i=0
Exam Format
The test format is 60-75 items. Candidates will have five minutes to review the NDA, 80 minutes to
complete the exam questions, and five minutes to complete a survey at the end of the exam.
The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in
the following table.
This exam is based on Product version 11.0.
Exam Domain Weight (%)
Device Management and Services 22%
Managing Objects 20%
Policy Evaluation and Management 28%
Securing Traffic 30%
TOTAL 100%
How to Take This Exam
The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.
Audience and Qualifications
Intended Audience
Security administrators responsible for operating and managing the Palo Alto Networks Next
Generation Firewall.
Skills Required
● You understand Palo Alto Networks firewall and centralized management components and,
with minimum assistance, can configure, operate, and identify problems with configuring
and operating the firewall as well as configure firewall policies, specifically App-ID and
User-ID (those capabilities not tied to a subscription) as well as profiles and objects.
● You have 2 to 3 years’ experience working in the Networking or Security industries, the
equivalent of 6 months’ experience working full-time with the Palo Alto Networks product
portfolio and/or at least 6 months’ experience in Palo Alto Networks NGFW administration
and configuration.
Competencies Required
● Able to configure and operate Palo Alto Networks product portfolio components.
● An understanding of the unique aspects of the Palo Alto Networks product portfolio and
how to administer one appropriately.
● An understanding of the networking and security policies used by PAN-OS software.
Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● Firewall Essentials: Configuration and Management (EDU-210) course
Domain 1: Device Management and Services
1.1 Demonstrate the knowledge of firewall management interfaces
1.1.1 Management interfaces
All Palo Alto Networks firewalls provide an out-of-band management (MGT) port that can be used
to perform firewall administration functions. The MGT port uses the control plane, thus separating
the management functions of the firewall from the network-traffic-processing functions (data
plane). This separation between the control plane and the data plane helps safeguard access to the
firewall and enhances performance. When using the web interface, perform all the initial
configuration tasks from the MGT port even if you plan to use an in-band data port for managing
the firewall. A serial/console port is also available to accomplish the initial configuration of the
firewall by using Secure Shell (SSH) or Telnet.
Some management tasks, such as retrieving licenses and updating the threat and application
signatures on the firewall, require access to the internet, typically via the MGT port. If you do not
want to enable external access via the MGT port, you can set up an in-band data port on the data
plane to provide access to the required external services by using the service routes. Service routes
are explained in detail later.
1.1.2 Methods of access

The four methods used to access the Palo Alto Networks Next-Generation Firewalls are:
● Web interface
● CLI
● Panorama
● XML API
To gain access to the firewall for the first time, the first step is to gather the following information for
the MGT port. Note that if the firewall is set up as a Dynamic Host Configuration Protocol (DHCP)
client, the following information will be included automatically via DHCP:
● IP address
● Netmask
● Default gateway
● Domain Name System (DNS) server address (at least one)
The second step is to connect a computer to the firewall by using either an RJ-45 Ethernet cable or
a serial cable.
An RJ-45 Ethernet cable connects the computer to the firewall MGT port. From a browser, navigate
to https://192.168.1.1. Note that you might need to change the IP address on the computer to an
address in the 192.168.1.0/24 subnet, such as 192.168.1.2, to access this URL.
To perform the initial configuration via the CLI or to know the address served to the MGT port via
DHCP for accessing the web interface, connect the serial cable from the computer to the firewall
console port by using a terminal emulation software, such as SSH or Telnet. The default connection
parameters are 9600-8-N-1.
The third step is to log in to the firewall. The default username is “admin,” and the default password
is “admin”. Starting with PAN-OS 9.1, you will be forced to change the admin account password the
first time you log in to the web interface.
Web interface: The web interface is used to configure and monitor HTTP or HTTPS by using a web
browser. HTTPS is the default method; HTTP is available as a less secure method than HTTPS.
CLI: The CLI is a text-based configuration and monitoring of the serial console port or the MGT port
using SSH or Telnet. The Palo Alto Networks firewall CLI offers access to debugging information;
experienced administrators often use it for troubleshooting. The account used for authenticating
the CLI must have CLI access enabled.
The CLI is in operational mode by default. The commands available within the context of
operational mode include basic networking commands such as ping and traceroute, basic system
commands such as show, and more advanced system commands such as debug. The commands
used to shutdown and restart the system are also available from within operational mode.
You can access configuration mode by typing the configure command while in operational mode.
Configuration mode enables you to display and modify the configuration parameters of the firewall,
verify the candidate configuration, and commit config.
The following image shows a sample CLI screen with the first lines of show system state while in
operational mode:
Panorama: Panorama is a Palo Alto Networks product that provides centralized and web-based
management, reporting, and logging for multiple firewalls. Panorama is used for centralized policy
and firewall management to increase operational efficiency in managing and maintaining a
distributed network of firewalls. If six or more firewalls are deployed on a network, Panorama is used
to reduce the complexity and administrative overhead needed to manage configuration, policies,
software, and dynamic content updates. The Panorama web interface is similar to the firewall web
interface but with additional management functions.
XML API: The XML API provides an interface that is based on representational state transfer (REST)
to access firewall configurations, operational status, reports, and packet captures from the firewall.
An API browser is available on the firewall at https://<firewall>/api, where <firewall> is the hostname
or IP address of the firewall. You can use this API to access and manage the firewall through a
third-party service, application, or script.
The PAN-OS XML API can be used to automate tasks, such as:
● Creating, updating, and modifying firewall and Panorama configurations
● Executing operational mode commands, such as restarting the system or validating
configurations
● Retrieving reports
● Managing users through User-ID
● Updating dynamic objects without having to modify or commit new configurations
1.1.3 Access restrictions
The management of Palo Alto Networks firewalls is not limited to using a dedicated management
(MGT) interface or console port. Data interfaces on the data plane also can be used as management
interfaces. If the MGT interface is down, you can continue to manage the firewall by allowing
management access over another data interface. Each data interface includes the following
configurations for binding various services to them:
● HTTPS (default)
● SSH (default)
● Ping (default)
● Telnet
● HTTP
● SNMP
● Response Pages
● User-ID
An Interface Management profile protects the firewall from unauthorized access by defining the
protocols, services, and IP addresses that a firewall interface permits for management. For example,
you might want to prevent users from accessing the firewall web interface over the ethernet1/1
interface but allow that interface to receive SNMP queries from the network monitoring system. In
this case, you enable SNMP and disable HTTP/HTTPS in an Interface Management profile and
assign the profile to ethernet1/1.
HTTPS includes the web interface service and should be included in at least one data interface. The
Permitted IP Addresses field allows an access control list to be included, thus restricting access to
only the specified IP addresses for any interface with this profile assigned. If no IP addresses are
added to the list of permitted IP addresses, then any IP address is allowed. After at least one IP
address is added to the list, only those added IP addresses are allowed access.
You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including
subinterfaces) and to logical interfaces, such as aggregate group, virtual local area network (VLAN),
loopback, and tunnel interfaces. If you do not assign an Interface Management profile to an
interface, the firewall denies management access for all the IP addresses, protocols, and services by
default.
1.1.4 Identity-management traffic flow
In many network environments, it's good practice to create an Out Of Band network where the
management interfaces of your security appliances and services live so they cannot be
compromised by a user with a lot of spare time to try and guess passwords.
This can create challenges, as your appliances may need to access resources that are not available
on the secured network. One example is Palo Alto Networks' integrated User Identification
mechanisms, where either the firewall reads security audit logs on an Active Directory server, or the
server gets an agent software installed that does the reading and sends the output back to the
firewall. If the AD server is not connected to the secured network, a different route needs to be
taken to get the information on the firewall.
To assist this, a service route can be configured that redirects connections originating from the
management plane, via the backplane, to the dataplane. This will force the outgoing connection to
egress from a normal network interface without exposing the management interface. This will work
for both the installed UID agent software and the clientless configuration on the firewall.
1.1.5 Management services
Palo Alto Networks firewalls integrate with three key services: DNS, DHCP, and NTP. DNS and NTP
must be set up during the initial firewall configuration.
DNS
DNS is a protocol that translates (resolves) a user-friendly domain name such as
www.paloaltonetworks.com to an IP address so that users can access computers, websites, services,
or other resources on the Internet or on private networks. You must configure the firewall with at
least one DNS server so that it can resolve hostnames.
Configuring DNS
To configure DNS, select Device > Setup > Services > Services_gear_icon. On the Services tab, for
DNS, click Servers and enter the Primary DNS Server addresses and Secondary DNS Server
addresses. Click OK and Commit.
DHCP
A Palo Alto Networks firewall acting as a DHCP client (host) can request a DHCP server for an IP
address and other configuration settings. The use of DHCP saves time and effort because users
need not know the network addressing plan or other options, such as the default gateway being
inherited from the DHCP server.
The configuration parameters that DHCP can learn dynamically include:
● IP address for MGT port

● Netmask
● Default gateway
● At least one DNS server address
NTP
NTP client information is optional but recommended. The NTP information can be obtained via
DHCP if the firewall is configured as a DHCP client.
Configuring NTP
Select Device > Setup > Services > Services_gear_icon.
1.1.6 Service routes
By default, the firewall uses the management interface to communicate with various servers,
including those for external dynamic lists (EDLs), DNS, email, and Palo Alto Networks update
servers. It also uses the management interface to communicate with Panorama. Service routes are
used so that the communication between the firewall and servers goes through the data ports on
the data plane. These data ports require appropriate security policy rules before the external servers
can be accessed.
Configuring service routes

Go to Device > Setup > Services > Service Route Configuration > Customize and configure the
appropriate service routes. See the following figure:
To configure service routes for non-predefined services, you can manually enter the destination
addresses on the Destination tab, as shown below:
In this example, the service route for 192.168.27.33 is configured to source from the data plane’s
ethernet1/2 interface, which has a source IP address of 192.168.27.254.
1.1.7 References
● Management Interfaces,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manag
ement-interfaces
1.2 Provision local administrators
1.2.1 Authentication profile
Authentication profiles provide authentication settings that you can apply to administrator
accounts, SSL-VPN access, and Captive Portal. Refer to the following authentication profile
configuration screenshot:
Authentication profiles
An Authentication profile references a server profile:
A server profile includes the server name, its IP address, the service port that it is listening to, and
other values. An example of an LDAP server profile is as follows:
1.2.2 Authentication sequence
Admin roles for external administrator accounts can be assigned to an authentication sequence,
which includes a sequence of one or more authentication profiles that are processed in a specific
order. The firewall checks against each authentication profile within the authentication sequence
until one authentication profile successfully authenticates the user. If an external administrator
account does not reference an authentication sequence, it directly references an authentication
profile instead. A user is denied access only if authentication fails for all the profiles in the
authentication sequence. A depiction of an authentication sequence is as follows:
1.2.3 Reference
● Administrative Role Types,
e-firewall-administrators/administrative-role-types
1.3 Assign role-based authentication
The role determines what the administrator can view and modify.
If you select Role Based, then you select a custom role profile from the drop-down list.
If you select Dynamic, then you can select one of the following predefined roles:
● Superuser — Has full access to the firewall and can define new administrator accounts and
virtual systems. You must have superuser privileges to create an administrative user with
superuser privileges.
● Superuser (read-only) — Has read-only access to the firewall.
● Device administrator — Has full access to all the firewall settings except for defining new
accounts or virtual systems.
● Device administrator (read-only) — Has read-only access to all the firewall settings except
password profiles (no access) and administrator accounts (only the logged-in account is
visible).
● Virtual system administrator — Has access to specific virtual systems on the firewall to
create and manage specific aspects of virtual systems (if Multi Virtual System Capability is
enabled). A virtual system administrator doesn’t have access to network interfaces, virtual
routers, IPSec tunnels, VLANs, virtual wires, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or
network profiles.
● Virtual system administrator (read-only) — Has read-only access to specific virtual systems
on the firewall to view specific aspects of virtual systems (if Multi Virtual System Capability is
enabled). A virtual system administrator with read-only access doesn’t have access to
network interfaces, virtual routers, IPSec tunnels, VLANs, virtual wires, GRE tunnels, DHCP,
DNS Proxy, QoS, LLDP, or network profiles.
1.4 Maintain firewall configurations
All configuration changes in a Palo Alto Networks firewall are done to a candidate configuration,
which resides in memory on the control plane. A commit activates the changes since the last
commit and installs the running configuration on the data plane, where it will become a running
configuration.
1.4.1 Running configuration
The running configuration is saved within a file named running-config.xml. The running
configuration exists in data-plane memory, where it is used to control firewall traffic and operate the
firewall. A commit operation is necessary to write the candidate configuration to the running
configuration.
After you commit the changes, the firewall automatically saves a new version of the running
configuration that is timestamped. You can load a previous version of the running configuration by
using the Load configuration version option. The firewall queues the commit requests so that you
can initiate a new commit while a previous commit is in progress. The firewall performs the
commits in the order they are initiated but prioritizes the commits, such as FQDN refreshes, which
the firewall initiates automatically.
If a system event or administrator action causes a firewall to reboot, the firewall automatically
reverts to the current version of the running configuration.
1.4.2 Candidate configuration
The act of saving changes to the candidate configuration does not activate those changes. A
commit must be performed on the firewall to activate the changes and to cause the candidate
configuration to become a running configuration. The commit can be done either via the web
interface or the CLI.
You can save the candidate configuration as either a default snapshot file (snapshot.xml) or a
custom-named snapshot file (<custom_name>.xml). However, a firewall does not automatically save
the candidate configuration to persistent storage; you must manually save the candidate
configuration. If the firewall reboots before you commit the changes, you can revert the candidate
configuration to the current snapshot to restore the changes made between the last commit and
the last snapshot by using the Revert to last saved configuration option.
1.4.3 Discern when to use load, save, import, and export

Palo Alto Networks firewall configurations are managed using five categories located under Device
> Setup > Operations, which are described in the next sections:
● Revert
● Save
● Load
● Export
● Import
1.4.4 Differentiate between configuration states
Revert to last saved configuration

This option restores the default snapshot (snapshot.xml) of the candidate configuration (the
snapshot you create or overwrite when you click Device > Setup > Operations > Save candidate
configuration or Save at the top right of the web interface). This option restores the last saved
candidate configuration from the local drive. The current candidate configuration is overwritten.
This quick restore is useful when you work on “hot” boxes.
The first message asks if you want to continue with the revert:
The second message informs you which file has been reverted:
Revert to running configuration

This option restores the current running configuration. This operation undoes all the changes made
to the candidate configuration after the last commit and restores the config from the
running-config.xml file.
The first message asks if you want to continue with the revert:
The second message informs you the firewall is being reverted.
Save named configuration snapshot
This option creates a candidate configuration snapshot that does not overwrite the default
snapshot (snapshot.xml). You enter a custom name for the snapshot or select an existing snapshot
to overwrite. This function is useful when you create a backup file or a test configuration file that
can be downloaded for further modification or for testing in the lab environment.
Save candidate configuration

This option creates or overwrites the default snapshot (snapshot.xml) of the candidate
configuration (the snapshot you create or overwrite when you click Device > Setup > Operations >
Save candidate configuration or Save at the top right of the web interface).
Load named configuration snapshot

This option overwrites the current candidate configuration with one of the following:
● Custom-named candidate configuration snapshot (instead of the default snapshot)

● Custom-named running configuration that is imported
● Current running configuration (running-config.xml)
Load configuration version
This option overwrites the current candidate configuration with a previous version of the running
configuration that is stored on the firewall. The firewall creates a timestamped version of the
running configuration whenever a commit is made.
Export named configuration snapshot

This option exports the current running configuration, a candidate configuration snapshot, or a
previously imported configuration (candidate or running). The firewall exports the configuration as
an XML file with the specified name. You can save the snapshot in any network location. These
exports are often used as backups. These XML files also can be used as templates for building other
firewall configurations.
Export configuration version
This option exports a version of the running configuration as an XML file.
Export device state

This option exports the firewall state information as a file. In addition to the running configuration,
the state information includes device group and template settings pushed from Panorama if
applicable. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a
list of satellites that the portal manages, and satellite authentication information. If you replace a
firewall or portal, you can restore the exported information on the replacement by importing the
state bundle.
Import named configuration snapshot

This option imports a running or candidate configuration as an XML file from any network location
such as a host computer. The XML file can then be loaded as a candidate configuration and even as
a running configuration if required.
Import device state

This option imports the state information file exported from a firewall by using the Export device
state option. The state information includes the running configuration and, if applicable, the device
group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the
bundle also includes certificate information, a list of satellites, and satellite authentication
information. If you replace a firewall or portal, you can restore the information on the replacement
by importing the state bundle.
1.4.5 Backup Panorama configurations and firewalls from Panorama
The running configuration on Panorama comprises all of the settings that you have committed and
that are active. The candidate configuration is a copy of the running configuration plus any inactive
changes that you made since the last commit. Saving backup versions of the running or candidate
configuration enables you to restore those versions later. For example, if a commit validation shows
that the current candidate configuration has more errors than you want to fix, you can restore a
previous configuration. You can also revert to the current running configuration without first saving
a backup.
After a commit is performed on a local firewall that runs PAN-OS 5.0 or later, a backup of the
firewall’s running configuration is sent to Panorama. Any commits performed on the local firewall
will trigger the backup, including the commits an administrator performs locally on the firewall, or
the automatic commits the PAN-OS initiates (for example, an FQDN refresh). By default, Panorama
stores up to 100 backups for each firewall though this is configurable. To store Panorama and
firewall configuration backups on an external host, you can schedule exports from Panorama or
export on demand. You can also import configurations from firewalls into the Panorama device
groups and templates to Transition a Firewall to Panorama Management.
VMware snapshot functionality is not supported for a Panorama virtual appliance deployed on
VMware ESXi and vCloud Air. Taking snapshots of a Panorama virtual appliance can impact
performance, result in intermittent and inconsistent packet loss, and cause Panorama to become
unresponsive. Additionally, you may lose access to the Panorama CLI and web interface, and
switching to Panorama mode is not supported. Instead, save and export your named configuration
snapshot to any network location.
1.4.6 References
● Manage Configuration Backups,
e-configuration-backups
1.5 Push policy updates to Panorama-managed firewalls
1.5.1 Device groups and hierarchy

Device Group Hierarchy can be created to nest device groups in a tree hierarchy of up to four levels,
with the lower-level groups inheriting the settings (policy rules and objects) of the higher-level
groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent
device groups (ancestors). At the top level, a device group can have child, grandchild, and
great-grandchild device groups (descendants). All device groups inherit settings from the shared
location—a container at the top of the hierarchy for configurations, which is common to all the
device groups.
Creating a device group hierarchy helps in organizing firewalls based on common policy
requirements without redundant configuration. For example, you could configure shared settings
that are global to all the firewalls, configure device groups with function-specific settings at the first
level, and configure device groups with location-specific settings at lower levels. Without a
hierarchy, you would have to configure both function- and location-specific settings for every device
group in a single level under Shared.
1.5.2 Where to place policies
Device groups provide a way to implement a layered approach for managing policies across a
network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group, and
local) and by type (pre-rules, post-rules, and default rules) in the following order from top to bottom.
When the firewall receives traffic, it performs the action defined in the first evaluated rule that
matches the traffic and disregards all the subsequent rules.
Whether you view rules on a firewall or in Panorama, the web interface displays them in evaluation
order. All the shared, device-group, and default rules that the firewall inherits from Panorama are
shaded in orange. Local firewall rules display between the pre- and post-rules.
EVALUATION ORDER RULE SCOPE AND DESCRIPTION ADMINISTRATION DEVICE
Panorama pushes shared pre-rules

to all the firewalls in all the device
groups. Panorama pushes
device-group-specific pre-rules to
all the firewalls in a particular
device group and its descendant
Shared pre-rules device groups.
If a firewall inherits rules from the

device groups at multiple levels in
the device group hierarchy, it
These rules are visible on firewalls,
evaluates the pre-rules from the
but you can only manage them in
highest to the lowest level. This
Panorama.
means that the firewall first
evaluates the shared rules and
then evaluates the rules of device
groups with no descendants.
Device group pre-rules You can use the pre-rules to

enforce the acceptable use policy
of an organization. For example, a
pre-rule might block access to
specific URL categories or allow
DNS traffic for all the users.
A local firewall administrator or a

Local rules are specific to a single Panorama administrator who
Local firewall rules
firewall or virtual system (vsys). switches to a local firewall context
can edit the local firewall rules.
Panorama pushes the shared

post-rules to all the firewalls in all
the device groups. Panorama
pushes the device-group-specific
Device group post-rules post-rules to all the firewalls in a
particular device group and its
descendant device groups.
If a firewall inherits rules from
device groups at multiple levels in
the device-group hierarchy, it These rules are visible on firewalls,
evaluates the post-rules from the but you can only manage them in
lowest to the highest level. This Panorama.
means that the firewall first
evaluates the rules of device
groups with no descendants and
then evaluates the shared rules.
Shared post-rules
Post-rules typically include the
rules to deny access to traffic,
based on the App-ID™ signatures,
User-ID™ information (users or
user groups), or service.
Default rules are initially
read-only, either because they are
part of the predefined
The default rules apply only to the configuration or because
Security rulebase and are Panorama pushed them to the
predefined on Panorama (at the firewalls. However, you can
Intrazone-default Shared level) and the firewall (in override the rule settings for tags,
each vsys). These rules specify how action, logging, and security
PAN-OS handles traffic that profiles. The context determines
doesn’t match any other rule. the level at which you can
The intrazone-default rule allows override the rules:
all the traffic within a zone. The ● Panorama — At the
interzone-default rule denies all shared or device-group
the traffic between zones. level, you can override the
If you override the default rules, default rules that are part
their order of precedence that runs of the predefined
from the lowest context to the configuration.
highest overridden settings at the ● Firewall — You can
firewall level take precedence over override the default rules
the settings at the device-group that are part of the
level, which take precedence over predefined configuration
the settings at the shared level. on the firewall or vsys, or
that Panorama pushed
from the shared location
or a device group.
1.5.3 Implications of Panorama management
Panorama enables you to configure, manage, and monitor your Palo Alto Networks firewalls
effectively with central oversight. The three main areas in which Panorama adds value are:
● Centralized configuration and deployment — To simplify central management and rapid

deployment of the firewalls and WildFire appliances on your network, use Panorama for
pre-staging the firewalls and WildFire appliances for deployment. You can then assemble
the firewalls into groups, create templates to apply a base network and device configuration,
and use device groups to administer globally shared and local policy rules.
● Aggregated logging with central oversight for analysis and reporting — Collect
information on activity across all the managed firewalls on the network and centrally
analyze, investigate, and report on the data. This comprehensive view of network traffic, user
activity, and associated risks empowers you to respond to potential threats by using the rich
set of policies to securely enable applications on your network.
● Distributed administration — Delegate or restrict access to global and local firewall

configurations and policies.
1.5.4 Impact of templates, template stacks, and hierarchy
You use templates and template stacks to configure the settings that enable firewalls to operate on
the network. Templates are the basic building blocks you use to configure the Network and Device
tabs on Panorama. You can use templates to define interface and zone configurations, manage
server profiles for logging and syslog access, or define VPN configurations. Template stacks provide
the ability to layer multiple templates and create a combined configuration. Template stacks
simplify management because they allow you to define a common base configuration for all the
devices attached to the template stack and provide the ability to layer templates to create a
combined configuration. This enables you to define templates with location- or function-specific
settings and then stack the templates in descending order of priority so that the firewalls inherit
the settings based on the order of the templates in the stack.
Both templates and template stacks support variables. Variables allow you to create placeholder
objects with their value specified in the template or template stack, based on the configuration
needs. Create a template or template stack variable to replace the IP addresses, Group IDs, and
interfaces in the configurations. Template variables are inherited by the template stack, and you can
override them to create a template stack variable. However, templates do not inherit the variables
defined in the template stack. When a variable is defined in the template or template stack and
pushed to the firewall, the value defined for the variable is displayed on the firewall.
You can use templates to accommodate the firewalls that have unique settings. Alternatively, you
can push a broader, common base configuration and then override certain pushed settings with
firewall-specific values on individual firewalls. When you override a setting on the firewall, the
firewall saves that setting to its local configuration and Panorama no longer manages the setting.
To restore template values after you override them, use Panorama to force the template or template
stack configuration onto the firewall. For example, after you define a common NTP server in a
template and override the NTP server configuration on a firewall to accommodate a local time zone,
you can later revert to the NTP server defined in the template.
When defining a template stack, consider assigning firewalls that are the same hardware model
and require access to similar network resources, such as gateways and syslog servers. This enables
you to avoid the redundancy of adding every setting to every template stack. The following figure
illustrates an example configuration in which you assign data center firewalls in the Asia-Pacific
(APAC) region to a stack with global settings—one template with APAC-specific settings and one
template with data-center-specific settings. To manage firewalls in an APAC branch office, you can
then reuse the global and APAC-specific templates by adding them to another stack that includes a
template with branch-specific settings. Templates in a stack have a configurable priority order that
ensures Panorama pushes only one value for any duplicate setting. Panorama evaluates the
templates listed in a stack configuration from top to bottom with the higher templates having
priority. The following figure illustrates a data center stack in which the data-center template has a
higher priority than the global template; Panorama pushes the idle timeout value from the
data-center template and ignores the value from the global template.
You cannot use templates or template stacks to set the firewall modes: virtual private network
(VPN) mode, multiple virtual systems (multi-vsys) mode, or operational modes (normal or FIPS-CC
mode). However, you can assign firewalls that have non-matching modes to the same template or
stack. In such cases, Panorama pushes mode-specific settings only to the firewalls that support
those modes. As an exception, you can configure Panorama to push the settings of the default vsys
in a template to the firewalls that don’t support virtual systems or that don’t have any virtual
systems configured.
1.5.5 References
● Device Group Hierarchy,
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/cen
tralized-firewall-configuration-and-update-management/device-groups/device-group-hierar
chy
● Panorama,
https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/abo
ut-panorama#id52537f5d-4ddc-4701-b7e0-4d31476c2eb1_idd89f295d-bd7a-47cb-adad-3e132
3ba6ec5
● Templates and Template Stacks,
https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/cen
tralized-firewall-configuration-and-update-management/templates-and-template-stacks
1.6 Schedule and install dynamic updates
To always ensure protection from the latest threats (including those not yet discovered), you must
keep the firewalls up to date with the latest content and software updates published by Palo Alto
Networks. Palo Alto Networks regularly posts updates for application detection, threat protection,
and GlobalProtect data files through dynamic updates.
1.6.1 From Panorama

To schedule an automatic download and installation of an update, click Schedules, click Add, and
configure the settings as described in the following table:
DYNAMIC UPDATE SCHEDULE SETTINGS
Name Enter a name to identify the scheduled job (up to 31 characters). The name is
case-sensitive, must be unique, and can contain only letters, numbers, hyphens,
and underscores.
Disabled Select to disable the scheduled job.
Download Source Select the download source for the content update. You can select to download
content updates from the Palo Alto Networks Updates Server or from a Secure
Copy Protocol (SCP) server.
SCP Profile (SCP Select a configured SCP profile from which to download.
only)
SCP Path (SCP only) Enter the specific path on the SCP server from which to download the content
update.
Type Select the type of content update to schedule: App, App and Threat, Antivirus,
WildFire, or URL Database.
Recurrence Select the interval at which Panorama checks in with the update server. The
recurrence options vary by update type.
Time For a daily update, select the Time from the 24-hour clock.
For a weekly update, select the Day of the week, and the Time from the 24-hour
clock.
Disable new apps in You can disable new apps in content updates only if you set the update Type to
content update App or App and Threat and only if Action is set to Download and Install.
Select to disable applications in the update that are new relative to the last
installed update. This protects against the latest threats while giving you the
flexibility to enable the applications after preparing any policy updates. Then, to
enable applications, log in to the firewall, select DeviceDynamic Updates, click
Apps in the Features column to display the new applications, and click
Enable/Disable for each application you want to enable.
Action ● Download Only — Panorama™ will download the scheduled update.

You must manually install the update on the firewalls and Log
Collectors.
● Download and Install — Panorama will download and automatically
install the scheduled update.
● Download and SCP — Panorama will download and transfer the content
update package to the specified SCP server.
Devices Select Devices and then select the firewalls that will receive the scheduled
content updates.
Log Collectors Select Log Collectors and then select the managed collectors that will receive
the scheduled content updates.
1.6.2 From the firewall
The following diagram illustrates how updated information is often made available to the firewall:
The following content updates are available, depending on which subscriptions you have:
● Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and
automatically generated command-and-control (C2) signatures. WildFire signatures detect
malware seen first by firewalls from around the world. You must have a Threat Prevention
subscription to get these updates. New antivirus signatures are published daily.
● Applications: Includes new and updated application signatures. New applications are
published monthly, and modified applications are published weekly.
● Applications and Threats: Includes new and updated application and threat signatures,
including those that detect spyware and vulnerabilities. This update is available if you have a
Threat Prevention subscription (and you get it instead of the Applications update). New and
modified threat signatures and modified applications signatures are published weekly; new
application signatures are published monthly. The firewall can retrieve the latest update
within 30 minutes of availability.
● GlobalProtect Data File: Contains vendor-specific information for defining and evaluating
the host information profile (HIP) data returned by GlobalProtect clients. You must have a
GlobalProtect license (subscription) and create an update schedule to receive these updates.
● GlobalProtect Clientless VPN: Contains new and updated application signatures to enable
clientless VPN access to common web applications from the GlobalProtect portal. You must
have a GlobalProtect license (subscription) and create an update schedule to receive these
updates and enable clientless VPN to function.
● Palo Alto Networks (PAN-DB) URL Filtering: Every five to ten minutes, a new version is
published, which contains updated categorization data and an incremented version
number. Each time the Palo Alto Networks firewall sends a request to the cloud, the firewall
checks the current version number. If the number is different, the firewall upgrades the
device’s version to the current cloud version. The primary purpose of the frequency of
updates is to leverage native integration with WildFire, which creates new signatures and
records malicious URLs every five minutes.
● WildFire: Provides real-time malware and antivirus signatures created as a result of the
analysis done by the WildFire cloud service and is available with a WildFire subscription. As a
best practice, schedule the firewall to retrieve WildFire updates every minute. If you have a
Threat Prevention subscription and not a WildFire subscription, you must wait 24 to 48
hours for the WildFire signatures to be added into the antivirus update.
● WF-Private: Provides malware signatures generated by an on-premises WildFire appliance.
1.6.3 Scheduling and staggering updates on an HA pair
Always review content Release Notes for the list of the newly identified and modified applications
and threat signatures that the content release introduces; refer to the image below:
You can download updates directly from the Palo Alto Networks update server. You can also
download the updates to another system, such as a user desktop or a Panorama management
appliance, and then upload them to the firewall. Whether you download an update through the
web or upload an update from Panorama, the update will appear in the list of available updates at
Device > Dynamic Updates. Click Install to install the updates.
Software updates
PAN-OS updates are managed in the Device > Software section of the web interface. You must
perform a final system reboot to place the new PAN-OS software into production. This reboot is
disruptive and should be done during a change control window.
The software downloads are done over the MGT interface by default. A data interface can be used to
download the software by using a service route. The latest version of applications and threats must
be installed to complete the software installation. If your firewall does not have internet access from
the management port, you can download the software image from the Palo Alto Networks Support
Portal and then manually upload it to your firewall.
Before you upgrade to a newer version of software:
● Always review the release notes to determine any impact of upgrading to a newer version of
software.
● Ensure that the firewall is connected to a reliable power source. A loss of power during an
upgrade can make the firewall unusable.
● Although the firewall automatically creates a configuration backup, follow best practice and
create and externally store a backup before you upgrade.
Use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration.
This procedure applies to both active/passive and active/active configurations. To avoid downtime
when upgrading firewalls that are in a HA configuration, update one HA peer at a time. For
active/active firewalls, it doesn’t matter which peer you upgrade first (but for simplicity, this
procedure shows you how to upgrade the active-primary peer first). For active/passive firewalls, you
must suspend (fail over) and upgrade the active (primary) peer first. After you upgrade the primary
peer, you must unsuspend the primary peer to return it to a functional state (passive). Next, you
must suspend the passive (secondary) peer to make the primary peer active again. After the
primary peer is active and the secondary peer is suspended, you can continue the upgrade. To
prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled
before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.
When upgrading HA firewalls across multiple feature PAN-OS releases, you must upgrade each HA
peer to the same feature PAN-OS release on your upgrade path before continuing. For example,
when you are upgrading HA peers from PAN-OS 10.0 to PAN-OS 10.2, you must upgrade both HA
peers to PAN-OS 10.1 before you can continue upgrading to the target PAN-OS 10.2 release. When
HA peers are two or more feature releases apart, the firewall with the older release installed enters a
suspended state with the message Peer version too old.
Step 1: Save a backup of the current configuration file.
Perform these steps on each firewall in the pair:

1. Select Device > Setup > Operations and click Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example,
running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to restore
the configuration if you have problems with the upgrade.
Step 2: Select DeviceSupport and Generate Tech Support File.

Click Yes when prompted to generate the tech support file.
Step 3: Ensure that each firewall in the HA pair is running the latest content release version.
1. Select Device > Dynamic Updates and check which Applications or Applications and
Threats to determine which update is currently installed.
2. If the firewalls are not running the minimum required content release version or a later
version required for PAN-OS 11.0, Check Now to retrieve a list of available updates.
3. Locate and Download the desired content release version.

After you successfully download a content update file, the link in the Action column changes
from Download to Install for that content release version.
4. Install the update. You must install the update on both peers.
Step 4: Determine the Upgrade Path to PAN-OS 11.0.

You cannot skip the installation of any feature release versions in the path from the currently
running PAN-OS version to PAN-OS 11.0
Step 5: If you are leveraging Cortex Data Lake (CDL), Install a Device Certificate on each HA peer.
The firewall automatically switches to using the device certificate for authentication with CDL
ingestion and query endpoints on upgrade to PAN-OS 11.0.
Step 6: Disable preemption on the first peer in each pair. You only need to disable this setting on
one firewall in the HA pair but ensure that the commit is successful before you proceed with the
upgrade.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.
3. Commit the change.
Step 7: Suspend the primary HA peer to force a failover.

For firewalls in an active/passive HA configuration, suspend and upgrade the active HA peer first.
For firewalls in an active/active HA configuration, suspend and upgrade the active-primary HA peer
first.
1. Select Device > High Availability > Operational Commands and Suspend local device for
high availability.
2. In the bottom-right corner, verify that the state is suspended.

The resulting failover should cause the secondary HA peer to transition to Active state.
Step 8: Install PAN-OS 11.0 on the suspended HA peer.
1. On the primary HA peer, select Device > Software and click Check Now for the latest
updates.
Note that only the versions for the next available PAN-OS release are displayed. For example,
if the PAN-OS 11.0 is installed on the firewall, then only PAN-OS 11.0 releases are displayed.
2. Locate and Download PAN-OS 11.0.0
3. After you download the image (or, for a manual upgrade, after you upload the image), Install
the image.
4. After the installation completes successfully, reboot using one of the following methods:
● If you are prompted to reboot, click Yes.
● If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
5. After the device finishes rebooting, view the High Availability widget on the Dashboard and
verify that the device you just upgraded is in sync with the peer.
Step 9: Restore HA functionality to the primary HA peer.
● Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
● In the bottom-right corner, verify that the state is Passive. For firewalls in an
active/active configuration, verify that the state is Active.
● Wait for the HA peer running configuration to synchronize.
In the Dashboard, monitor the Running Config status in the High Availability
widget.
Step 10: On the secondary HA peer, suspend the HA peer.

● Select Device > High Availability > Operational Commands and Suspend local device for
high availability.
● In the bottom-right corner, verify that the state is suspended.
The resulting failover should cause the primary HA peer to transition to Active state.
Step 11: Install PAN-OS 11.0 on the secondary HA peer.
1. On the secondary peer, select Device > Software and click Check Now for the latest
updates.
2. Locate and Download PAN-OS 11.0.0.
3. After you download the image, Install it.
4. After the installation completes successfully, reboot using one of the following methods:
● If you are prompted to reboot, click Yes.
● If you are not prompted to reboot, select Device > Setup > Operations and Reboot
Device.
Step 12: Restore HA functionality to the secondary HA peer.
1. Select Device > High Availability > Operational Commands and Make local device
functional for high availability.
2. In the bottom-right corner, verify that the state is Passive. For firewalls in an active/active
configuration, verify that the state is Active.
3. Wait for the HA peer running configuration to synchronize.

In the Dashboard, monitor the Running Config status High Availability widget.
Step 13: Re-enable preemption on the HA peer where it was disabled in the previous step.
1. Select Device > High Availability and edit the Election Settings.
2. Enable (check) the Preemptive setting and click OK.
3. Commit the change.
Step 14: Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2.
On upgrade to PAN-OS 11.0, it is required that all certificates meet the following minimum
requirements:
● RSA 2048 bits or greater, or ECDSA 256 bits or greater
● Digest of SHA256 or greater
Step 15: Verify that both peers are passing traffic as expected.
In an active/passive configuration, only the active peer should be passing traffic; in an active/active
configuration, both peers should be passing traffic.
Run the following CLI commands to confirm that the upgrade succeeded:
● (Active peers only) To verify that active peers are passing traffic, run the show session all
command.
● To verify session synchronization, run the show high-availability interface ha2

command and make sure that the hardware interface counters on the CPU table are
increasing as follows:
○ In an active/passive configuration, only the active peer shows packets transmitted;
the passive peer will show only packets received.
○ In an active/active configuration, you will see packets received and packets transmitted on
both peers.
1.6.4 References
● Schedule Dynamic Content Updates,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/panorama-web-in
terface/panorama-device-deployment/schedule-dynamic-content-updates
1.7 Create and apply security zones to policies
1.7.1 Identify zone types

Security zones are a logical way to group physical and virtual interfaces on the firewall to control
and log the traffic that traverses specific interfaces on the network. An interface on the firewall must
be assigned to a security zone before the interface can process traffic. A zone can have multiple
interfaces of the same type assigned to it (for example, tap, Layer 2, or Layer 3 interfaces), but an
interface can belong to only one zone.
1.7.2 External types

An external zone is a security object that is associated with a specific virtual system it can reach; the
zone is external to the virtual system. A virtual system can have only one external zone, regardless of
how many security zones the virtual system has. External zones are required to allow traffic
between zones in different virtual systems, without the traffic leaving the firewall.
1.7.3 Layer 2
Layer 2 interfaces are used to switch traffic between other Layer 2 interfaces. Before switching can
take place, each Layer 2 interface must be assigned to a VLAN object. Assignment of interfaces that
belong to the same VLAN but exist in different Layer 2 zones enables you to analyze, shape,
manage, and decrypt the traffic. When a zone is created for a Layer 2 interface, the zone’s type will
be set to “Layer 2” and it can only be assigned to Layer 2 interfaces. A zone’s type must match the
interface’s type to which the zone is assigned.
1.7.4 Layer 3
Layer 3 zone is used when routing between two or more networks.
The next figure shows that the Layer 3 zone allows five interface types: Layer 3 (Ethernet1/4 and 1/5),
loopback, SD-WAN, tunnel, and VLAN.
1.7.5 Tap
A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port. This
mirrored traffic is forwarded by a switch port to a firewall’s Tap interface and is analyzed for App-ID,
User-ID, Content-ID, and other traffic—just like any other normal data traffic that would pass
through the firewall. Before traffic can be logged, you must configure a security policy that includes
the Tap zone. When a zone is created for a Tap interface, the zone’s type will be set to “Tap” and it
can only be assigned to Tap interfaces. A zone’s type must match the interface’s type to which the
zone is assigned.
1.7.6 VWire
A Virtual Wire interface is used to pass traffic through a firewall by binding two Ethernet interfaces
and allowing traffic to pass between them. Virtual Wire interfaces are often placed between an
existing firewall and a secured network to enable analysis of the traffic before actually migrating
from a legacy firewall to a Palo Alto Networks firewall.
● Two Virtual Wire interfaces, each in a virtual wire zone (the zone can be the same or
different), and a virtual wire object are required to complete a virtual wire configuration. The
following figure shows one interface in one zone (Internet) and the other interface in
another zone (Inside). If both interfaces are in different zones (interzone traffic), all the traffic
will be inspected by security policy rules until sessions can be established, and then you can
check for User-ID, App-ID, and Content-ID and perform logging, QoS, decryption, LLDP, zone
protection, DoS protection, and NAT.
● If both interfaces are in the same zone (intrazone traffic), all the traffic would be allowed by
default, and sessions can be easily established. However, you also can check for User-ID,
App-ID, and Content-ID and perform logging, QoS, decryption, LLDP, zone protection, DoS
protection, and NAT.
● Virtual Wire interfaces can be subdivided into Virtual Wire subinterfaces that can be used to
classify traffic according to VLAN tags, IP addresses, IP ranges, or subnets. Using
subinterfaces enables you to separate traffic into different zones for more granular control
than regular (non-subinterface) Virtual Wire interfaces.
1.7.7 Tunnel
A Tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver encrypted traffic
between two endpoints. The Tunnel interface must belong to a security zone before a policy can be
applied, and it must be assigned to a virtual router to use the existing routing infrastructure. When
a zone is created for a Tunnel interface, the zone’s type will be set to “Layer 3” and it can only be
assigned to Layer 3 or Tunnel interfaces.
1.7.8 References
● Security Zone Overview,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-
zones/security-zone-overview
● External Zone,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems/communicatio
n-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone
1.8 Identify and configure firewall interfaces
1.8.1 Different types of interfaces

The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo
Alto Networks firewall can operate in multiple deployments simultaneously because you can
configure interfaces to support different deployments. For example, you can configure the Ethernet
interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments. The interfaces
that the firewall supports are:
● Physical interfaces — The firewall supports two types of media— copper and fiber-optic—
which can send and receive traffic at different transmission rates. You can configure
Ethernet interfaces as various types: Tap, High Availability (HA), Log Card (interface and
subinterface), Decrypt Mirror, Virtual Wire (interface and subinterface), Layer 2 (interface and
subinterface), Layer 3 (interface and subinterface), and Aggregate Ethernet (AE). The
available interface types and transmission speeds vary according to the hardware model.
● Logical interfaces — These include VLAN interfaces, loopback interfaces, and tunnel
interfaces. You must set up the physical interface before defining a VLAN or a tunnel
interface.
1.8.2 How interface types affect Security policies
PAN-OS software has various Ethernet interface types: Tap, Virtual Wire, Layer 2, Layer 3, and HA.
(HA interfaces are not discussed in this section). A firewall can be configured with multiple
instances of each interface type to accommodate its functional requirements within a network. The
following figure shows how a firewall can be used in Tap, Virtual Wire, and Layer 2 or Layer 3 mode.
Ethernet interface types
Other available interface types include the following:
● Decrypt Mirror: This feature enables decrypted traffic from a firewall to be copied and sent
to a traffic collection tool that can receive raw packet captures, such as NetWitness or Solera,
for archival and analysis. Decrypt Mirror is often used to route decrypted traffic through an
external interface to a data loss prevention (DLP) service. DLP is a product category for
products that scan internet-bound traffic for keywords and patterns that identify sensitive
information. Note that a free license is required to use this feature. This feature is not
available on the VM-Series firewalls.
● Log Card: This interface is for the PA-7000 Series firewalls only. A log card data port performs
log forwarding for syslog, email, Simple Network Management Protocol (SNMP), and
WildFire file forwarding. One data port on a PA-7000 must be configured as a Log Card
interface because the MGT interface cannot handle all the logged traffic.
● Aggregate: This interface is used to bundle multiple physical HA3, Virtual Wire, Layer 2, or
Layer 3 interfaces into a logical interface for better performance (via load balancing) and
redundancy by using IEEE 802.1AX (LACP) link aggregation. The interface types to be
bundled must be the same. VM-Series models do not support the Aggregate Ethernet (AE)
interface groups.
● HA: Each HA interface has a specific function. One HA interface is for configuration
synchronization and heartbeats; the other HA interface is for state synchronization. If
active/active high availability is enabled, the firewall can also use a third HA interface to
forward packets.
● Management: MGT interfaces are used to manage a firewall using a network cable.
● Loopback: Loopback interfaces are Layer 3 virtual interfaces that connect to the virtual
routers in the firewall. Loopback interfaces are used for multiple network engineering and
implementation purposes. They can be destination configurations for DNS sinkholes,
GlobalProtect service interfaces (portals and gateways), routing identification, and more.
● Tunnel: A Tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver
encrypted traffic between two endpoints. The Tunnel interface must belong to a security
zone before policy can be applied, and it must be assigned to a virtual router to use the
existing routing infrastructure. A Tunnel interface does not require an IP address to route
traffic between the sites. An IP address is only required if you want to enable tunnel
monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel.
● SD-WAN: Create and configure a virtual SD-WAN interface to specify one or more physical,
SD-WAN-capable Ethernet interfaces that go to the same destination, such as to a specific
hub or to the internet. In fact, all the links in a virtual SD-WAN interface must be of the same
type: all VPN tunnel links or direct internet access (DIA) links. An SD-WAN interface
definition works with an SD-WAN Interface Profile that defines the characteristics of the ISP
connections. Details about these interfaces and their configuration are beyond the scope of
the PCNSA certification.
1.8.3 References
● Firewall Interfaces Overview,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-i
nterfaces/firewall-interfaces-overview
1.9 Maintain and enhance the configuration of a virtual or logical router
1.9.1 Steps to create a static route

Step 1: Select Network > Routing > Logical Routers and select the logical router.
Step 2: Select Static and Add an IPv4 or IPv6 static route by Name (maximum of 63 characters).
The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain
a combination of alphanumeric characters, underscores, or hyphens. No dot (.) or space is allowed.
Step 3: For Destination, enter the route and netmask (for example, 192.168.2.0/24 for an IPv4
address or 2001:db8:123:1::0/64 for an IPv6 address). If you are creating a default route, enter the
default route (0.0.0.0/0 for an IPv4 address or ::/0 for an IPv6 address). Alternatively, you can select or
create an address object of type IP Netmask.
Step 4: For Interface, specify the outgoing interface for packets to use to go to the next hop.
Specifying an interface provides stricter control over which interface the firewall uses rather than
using the interface in the route table for the next hop of this static route.
Step 5: For Next Hop, select one of the following:
● IP Address or IPv6 Address — Enter the IP address (for example, 192.168.56.1 or

2001:db8:49e:1::1) when you want to route to a specific next hop. You must Enable IPv6 on
the interface (when you Configure Layer 3 Interfaces) to use an IPv6 next hop address. If you
are creating a default route, for Next Hop you must select IP Address and enter the IP
address for your internet gateway (for example, 192.168.56.1 or 2001:db8:49e:1::1). Alternatively,
you can create an address object of type IP Netmask. The address object must have a
netmask of /32 for IPv4 or /128 for IPv6.
● Next LR — Select to make the next logical router (in the list of logical routers) the next hop.
● FQDN — Enter a Fully Qualified Domain Name.
● Discard — Select to drop packets that are addressed to this destination.
● None — Select if there is no next hop for the route. For example, a point-to-point connection
does not require a next hop because there is only one way for packets to go.
Step 6: Enter the Admin Dist for the static route (range is 10 to 240; default is 10). This value
overrides the Static or Static IPv6 administrative distance specified for the logical router.
Step 7: Enter a Metric for the static route (range is 1 to 65,535; default is 10).
Step 8: (Optional) If you want to use Bidirectional Forwarding Detection (BFD), select a BFD Profile
you created, or select the default profile, or create a BFD profile to apply to the static route; default
is None (Disable BFD).
1.9.2 How to use the routing table
By viewing the routing table, you can see whether the OSPF routes have been established. The
routing table is accessible from either the web interface or the CLI.
If you are using the CLI to view the routing table, use the following commands:
● show routing route

● show routing fib
If you are using the web interface to view the routing table, use the following workflow:
Step 1: Select Network > Virtual Routers and in the same row as the virtual router you are
interested in, click the More Runtime Stats link.
Step 2: Select Routing > Route Table and examine the Flags column of the routing table for routes
that were learned by OSPF.
1.9.3 What interface types can be added to a virtual or logical router
The PAN-OS software provides two virtual route engines—the BGP route engine that supports only
BGP and static routing and the legacy route engine that supports multiple dynamic routing
protocols—of which only one can run at a given time. The following firewall models support the
BGP route engine:
● PA-7000 Series
● PA-5200 Series
● PA-3200 Series
● VM-Series
Although a supported firewall can have a configuration that uses the legacy route engine and a
configuration that uses the BGP route engine, only one route engine is in effect at a time. Each time
you change the engine that the firewall will use (enable or disable Advanced Routing to access the
BGP route engine or legacy route engine, respectively), you must commit the configuration and
reboot the firewall for the change to take effect.
The BGP route engine supports only one logical router (known as a virtual router on the legacy
route engine).
Both route engines obtain routes to remote subnets either by the manual addition of static routes
or the dynamic addition of routes using dynamic routing protocols. Each Layer 3 Ethernet,
Loopback, VLAN, and Tunnel interface defined on the firewall must be associated with a virtual
router. Although each interface can belong to only one virtual router, you can configure routing
protocols and static routes using either routing engine.
1.9.4 How to configure route monitoring

Path monitoring monitors upstream interfaces on remote, reliable devices by using ICMP pings. If
path monitoring fails, an associated static route is removed from the routing table. An alternative
route can then be used to route traffic.
This static route is removed from the routing table until reachability to the next hop is obtained.
1.10 Sample Questions
1. What are two firewall management methods? (Choose two.)

a. CLI
b. Remote desktop protocol (RDP)
c. VPN
d. XML API
2. Which two devices are used to connect a computer to the firewall for management
purposes? (Choose two.)
a. Rollover cable
b. Serial cable
c. RJ-45 Ethernet cable
d. USB cable
3. What is the default IP address assigned to the MGT interfaces of a Palo Alto Networks
firewall?
a. 192.168.1.1
b. 192.168.1.254
c. 10.0.0.1
d. 10.0.0.254
4. What are the two default services that are available on the MGT interface? (Choose two.)
a. HTTPS
b. SSH
c. HTTP
d. Telnet
5. Service routes may be used to forward which two traffic types out of a data port? (Choose
two.)
a. External dynamic lists
b. MineMeld
c. Skype
d. Palo Alto Networks updates
6. Which command must be performed on the firewall to activate any changes?

a. Commit
b. Save
c. Load
d. Import
7. Which command backs up configuration files to a remote network device?

a. Import
b. Load
c. Copy
d. Export
8. The command load named configuration snapshot overwrites the current candidate
configuration with which three items? (Choose three.)
a. Custom-named candidate configuration snapshot (instead of the default snapshot)
b. Custom-named running configuration that the user imported
c. Snapshot.xml
d. Current running configuration (running-config.xml)
e. Palo Alto Networks updates
9. Which three actions should you complete before you upgrade to a newer version of
software? (Choose three.)
a. Review the release notes to determine any impact of upgrading to a newer version of
software.
b. Ensure that the firewall is connected to a reliable power source.
c. Export the device state.
d. Create and externally store a backup before you upgrade.
e. Put the firewall in maintenance mode.
10. Which two default zones are included with the PAN-OS software? (Choose two.)
a. Interzone
b. Extrazone
c. Intrazone
d. Extranet
11. Which two statements about interfaces are correct? (Choose two.)
a. Interfaces must be configured before the user can create a zone.
b. Interfaces do not have to be configured before the user can create a zone.
c. An interface can belong to only one zone.
d. An interface can belong to multiple zones.
12. Which two interface types can belong in a Layer 3 zone? (Choose two.)
a. Loopback
b. Tap
c. Tunnel
d. Virtual Wire
13. What can be used to control traffic through zones?

a. Access lists
b. Security policy lists
c. Security policy rules
d. Access policy rules
14. For inbound inspection, which two actions can be performed with a Tap interface? (Choose
two.)
a. Encrypt traffic
b. Decrypt traffic
c. Allow or block traffic
d. Log traffic
15. Which two actions can be performed with a Virtual Wire interface? (Choose two.)
a. NAT
b. Route
c. Switch
d. Log traffic
16. Which two actions can be performed with a Layer 3 interface? (Choose two.)
a. NAT
b. Route
c. Switch
d. Create a virtual wire object
17. Layer 3 interfaces support which two items? (Choose two.)

a. NAT
b. IPv6
c. Switching
d. Spanning tree
18. Layer 3 interfaces support which three advanced settings? (Choose three.)
a. IPv4 addressing
b. IPv6 addressing
c. NDP configuration
d. Link speed configuration
e. Link duplex configuration
19. Layer 2 interfaces support which three items? (Choose three.)

a. Spanning tree blocking
b. Traffic examination
c. Forwarding of spanning tree BPDUs
d. Traffic shaping via QoS
e. Firewall management
f. Routing
20. Which two interface types support subinterfaces? (Choose two.)
a. Virtual Wire
b. Layer 2
c. Loopback
d. Tunnel
21. Which two statements are true regarding Layer 3 interfaces? (Choose two.)
a. You can configure a Layer 3 interface with one or more IP addresses as a DHCP client.
b. A Layer 3 interface can only have one DHCP assigned address.
c. You can assign only one IPv4 address to the same interface.
d. You can enable an interface to send IPv4 router advertisements by selecting the
Enable Router Advertisement check box on the Router Advertisement tab.
e. You can apply an Interface Management profile to the interface.
22. Which statement is true regarding aggregate Ethernet interfaces?

a. Members of an aggregate interface group can be of different media types.
b. An aggregate interface group can be set to a type of tap.
c. Ethernet interfaces that are members of an aggregate interface group must have the
same transmission speeds.
d. A Layer 3 aggregate interface group can have more than one IP assigned to it.
e. Members of aggregate Ethernet interfaces can be assigned to different virtual
routers.
23. What is the default administrative distance of a static route within the PAN-OS software?
a. 1
b. 5
c. 10
d. 100
24. Which two dynamic routing protocols are available in the PAN-OS software? (Choose two.)
a. RIP1
b. RIPv2
c. OSPFv3
d. EIGRP
25. Which value is used to distinguish the preference of routing protocols?

a. Metric
b. Weight
c. Distance
d. Cost
e. Administrative distance
26. Which value is used to distinguish the best route within the same routing protocol?
a. Metric
b. Weight
c. Distance
d. Cost
27. In path monitoring, what is used to monitor remote network devices?
a. Ping
b. SSL
c. HTTP
d. HTTPS
e. Link state
Domain 2: Managing Objects
2.1 Create and maintain address and address group objects
2.1.1 How to tag objects

You can tag objects to group-related items and add color to the tag to visually distinguish them for
easy scanning. You can create tags for address objects, address groups, user groups, zones, service
groups, and policy rules.
Firewalls and Panorama support both static and dynamic tags. Dynamic tags are registered from a
variety of sources and not displayed with the static tags because dynamic tags are not part of the
firewall or Panorama configuration. See Register IP Addresses and Tags Dynamically for information
on registering tags dynamically. The tags discussed in this section are statically added and are part
of the configuration.
You can apply one or more tags to objects and policy rules, up to a maximum of 64 tags per object.
Panorama supports a maximum of 10,000 tags, which you can distribute across Panorama (shared
and device groups) and the managed firewalls (including firewalls with multiple virtual systems).
Use tags to help identify the purpose of a rule or configuration object and better organize the
rulebase. To ensure that policy rules are properly tagged, see Enforce Policy Rule Description, Tag,
and Audit Comment. Additionally, you can View Rules by Tag Group by first creating and then
setting the tag as the Group tag.
2.1.2 Differentiate between address objects

An address object is a set of IP addresses that you can manage in one place and then use in
multiple firewall policy rules, filters, and other functions. The four types of address objects are:
● IP Netmask
● IP Range
● IP Wildcard Mask
● FQDN
Both IPv4 or IPv6 addresses are supported for the IP Netmask, IP Range, or FQDN address object
types. However, IP Wildcard Mask can only specify IPv4 addresses.
An address object of type IP Netmask requires entering the IP address or network by using a slash
notation to indicate the IPv4 network or the IPv6 prefix length. For example, 192.168.18.0/24 or
2001:db8:123:1::/64.
An address object of type IP Range requires entering the IPv4 or IPv6 range of addresses separated
by a hyphen.
An address object of type FQDN (for example, paloaltonetworks.com) provides further ease of use
because DNS provides the FQDN resolution to the IP addresses instead of requiring to know the IP
addresses and manually updating them every time the FQDN resolves new IP addresses.
An address object of type IP Wildcard Mask is useful for defining private IPv4 addresses to internal
devices. The addressing structure assigns meaning to certain bits in the address. For example, the
IP address of cash register 156 in the northeastern U.S. could be 10.132.1.156, based on these bit
assignments:
An address object of type IP Wildcard Mask specifies which source or destination addresses are
subject to a security policy rule. For example, in the mask 10.132.1.1/0.0.2.255, the zero (0) bit indicates
that the bit being compared must match the bit in the IP address that is covered by the zero. A one
(1) bit in the mask (a wildcard bit) indicates that the bit being compared need not match the bit in
the IP address. The following snippets of an IP address and wildcard mask illustrate how they yield
four matches:
After you Create an Address Object:
● You can reference an address object of type IP Netmask, IP Range, or FQDN in a policy rule
for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based
Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool,
VPN tunnel, path monitoring, external dynamic list, Reconnaissance Protection, ACC global
filter, log filter, or custom report log filter.
● You can reference an address object of type IP Wildcard Mask only in a Security policy rule.
2.1.3 Static groups versus dynamic groups

To simplify the creation of Security policies, addresses that require the same security settings can
be combined into address groups. In PAN-OS, we can create address objects, which can be further
categorized into address groups. The most common method is to use a static type address group.
However, the dynamic type address group provides slight ease of management along with
scalability.
Static address group

A static address group can include static address objects, dynamic address groups, or a
combination of both.
Dynamic address group

A dynamic address group populates its members dynamically using lookups for tags and tag-based
filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure in
which changes in virtual system location/IP address are frequent. For example, you have a
sophisticated failover set up or you provision new virtual systems frequently and would like to apply
policy to all the traffic from or to the new system without modifying the configuration/rules on the
firewall.
Dynamic address groups can also include statically defined address objects. If you create an
address object and apply the same tags that are assigned to a dynamic address group, the
dynamic address group will include all of the static and dynamic objects that match the tags. You
can therefore use tags to place both dynamic and static objects in the same address group.
2.1.4 References
● Use Tags to Group and Visually Distinguish Objects,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-tags-to-group-and-
visually-distinguish-objects
● Create and Apply Tags,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-tags-to-group-and-
visually-distinguish-objects/create-and-apply-tags
● Address Objects,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-r
epresent-ip-addresses/address-objects
● Objects > Address Groups,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-a
ddress-groups
2.2 Create and maintain services and service groups
Services
When you define Security policies for specific applications, you can select one or more services to
limit the port numbers that the applications can use. The default service is any, which allows all the
TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional
service definitions. The services that are often assigned together can be combined into service
groups to simplify the creation of Security policies.
Additionally, you can use service objects to specify service-based session timeouts—this means that
you can apply different timeouts to different user groups even when those groups use the same
TCP or UDP service; or if you’re migrating from a port-based Security policy with custom
applications to an application-based Security policy, you can easily maintain your custom
application timeouts.
The following table describes the service settings:
SERVICE SETTINGS DESCRIPTION
Name Enter the service name (up to 63 characters). This

name appears in the services list when defining
Security policies. The name is case-sensitive and
must be unique. Use only letters, numbers, spaces,
hyphens, and underscores.
Description Enter a description for the service (up to 1,023

characters).
Shared Select this option if you want the service object to be

available to:
● Every vsys on a multi-vsys firewall. If you

clear this selection, the service object will be
available only to the Virtual System selected
in the Objects tab.
● Every device group on Panorama. If you clear
this selection, the service object will be
available only to the Device Group selected
in the Objects tab.
Disable Override (Panorama only) Select this option to prevent administrators from
overriding the settings of this service object in the
device groups that inherit the object. This selection
is cleared by default, which means that
administrators can override the settings for any
device group that inherits the object.
Protocol Select the protocol used by the service TCP or UDP.
Destination Port Enter the destination port number (0 to 65535) or

range of port numbers (port1-port2) used by the
service. Multiple ports or ranges must be separated
by commas. The destination port is required.
Source Port Enter the source port number (0 to 65535) or range

of port numbers (port1-port2) used by the service.
Multiple ports or ranges must be separated by
commas. The source port is optional.
Session Timeout Define the session timeout for the service:
● Inherit from application (default) — No

service-based timeouts are applied; the
application timeout is applied.
● Override — Define a custom session
timeout for the service. Continue to populate
the TCP Timeout, TCP Half Closed, and TCP
Time Wait fields.
The following settings display only if you choose to override application timeouts and create custom
session timeouts for a service:
TCP Timeout Set the maximum length of time in seconds that a

TCP session can remain open after data transmission
has started. When this time expires, the session
closes.
The range is 1 - 604800. The default value is 3600
seconds.
TCP Half Closed Set the maximum length of time in seconds that a
session remains open when only one side of the
connection has attempted to close the connection.
This setting applies to:
● The time period after the firewall receives

the first FIN packet (indicates that one side
of the connection is attempting to close the
session) but before it receives the second
FIN packet (indicates that the other side of
the connection is closing the session).
● The time period before receiving an RST
packet (indicating an attempt to reset the
connection).
If the timer expires, the session closes. The range is 1

- 604800. The default value is 120 seconds.
TCP Time Wait Select this option if you want the service object to be
available to:

in the Objects tab.
in the Objects tab.
Service groups
To simplify the creation of Security policies, you can categorize the services that have the same
security settings into service groups. The following table describes the service group settings:
Name Enter the service name (up to 63 characters). This

name appears in the services list when defining
Security policies. The name is case-sensitive and
must be unique. Use only letters, numbers, spaces,
hyphens, and underscores..
Shared Select this option if you want the service object to be
available to:

in the Objects tab.
in the Objects tab.
Disable Override (Panorama only) Select this option to prevent administrators from
overriding the settings of this service object in the
device groups that inherit the object. This selection
is cleared by default, which means that
administrators can override the settings for any
device group that inherits the object.
Service Click Add to add services to the group. Select from

the drop-down list, or click Service at the bottom of
the drop-down list and specify the settings.
2.2.1 References
● Objects > Services,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-se
rvices
● Objects > Service Groups,
rvice-groups
2.3 Create and maintain external dynamic lists
An external dynamic list (EDL) is a text file that is hosted on an external web server. The firewall uses
this text file to import the following objects:
● IP addresses
● URLs
● Domains
This arrangement allows the firewall to enforce a policy, based on the entries in the text file list. As
you update the list, the firewall dynamically imports the list and enforces the policy without the
need to make a configuration change or a commit.
The firewall supports the following types of external dynamic lists:
● Predefined IP address
● IP address
● Domain
● URL
You can add a maximum of 30 custom EDLs on your firewall. The EDL list limit is not applicable to
Panorama.
Built-in EDLs
An active Threat Prevention license is required to obtain the built-in EDLs of Palo Alto Networks.
These built-in EDLs protect networks against malicious hosts. Built-in EDLs include the following:
● Palo Alto Networks Bulletproof IP Addresses

● Palo Alto Networks High-Risk IP Addresses
● Palo Alto Networks Known Malicious IP Addresses
With the Threat Prevention license, the firewall receives updates for these feeds in content updates.
You cannot modify the contents of built-in EDLs.
2.3.1 References
● Formatting Guidelines for an External Dynamic List,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynami
c-list-in-policy/formatting-guidelines-for-an-external-dynamic-list
● Built-in External Dynamic Lists,
c-list-in-policy/built-in-edls
2.4 Configure and maintain application filters and application groups
2.4.1 When to use filters versus groups
Application filters
An administrator can dynamically categorize multiple applications into an application filter based
on the specific attributes Category, Subcategory, Tags, Risk, and Characteristic. For example, to
allow all the audio streaming applications, you could create an application filter that includes the
subcategory of audio-streaming, which automatically adds all the applications to the filter from the
App-ID database that are subcategorized as audio-streaming. The filter then gets added as an
application to a Security policy rule. Application filters simplify the process of ensuring that all the
applications that meet any attribute are added to a Security policy automatically.
You can configure an application filter for a group of applications based on their assigned
application tags. Palo Alto Networks now assigns one or more predefined tags to applications in the
App-ID database. You also can create and assign your own custom tag to an application. You can
build an application filter by using these tags and then use the application filter in policy rules to
control access to the applications. If application tags are updated and are part of an application
filter, then policy could begin to treat such applications differently.
Application groups
An administrator can manually categorize multiple applications into an application group based on
App-IDs. This application group can then be added to one or more Security policy rules as required,
which streamlines firewall administration. Instead of a firewall administrator individually adding
different applications into a Security policy, only the application group needs to be added to the
policy.
Application groups are often used to simplify Security, QoS, and PBF policy rule implementation.
Nesting application groups and filters

An administrator can nest application groups and filters. Multiple applications and application
filters can be combined into an application group. One or more application groups can also be
combined into one application group. The final application group can then be added to a Security
policy rule.
2.4.2 The purpose of application characteristics as defined in the App-ID database
All applications in the App-ID database are defined by six properties:
Property Definition
Category Generates the Top Ten Application Categories chart within the Application
Command Center (ACC) and is available for filtering.
Subcategory Also generates the Top Ten Application Categories chart within the ACC and is
available for filtering.
Technology Is the most closely associated with the application.
Parent App Specifies a parent application for this application. This setting applies when a
session matches both the parent and custom applications; however, the
custom application is reported because it is more specific.
Risk Specifies a relative risk rating from 1 to 5, with 5 being the most risky.
Characteristics Identifies some application property or behavior, such as certified for

FedRAMP, or can be used for evasion, or can use excessive bandwidth, and so
on.
Application characteristics
All of the applications in the App-ID database are defined by the characteristics shown in the image
below:
2.4.3 References
● Objects > Application Filters,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-ap
plication-filters
● Objects > Application Groups,
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-ap
plication-groups
1. Which two statements are true about a Role Based Admin Role Profile role? (Choose two.)
a. It is a built-in role.
b. It can be used for CLI commands.
c. It can be used for XML API.
d. Superuser is an example of such a role.
2. The management console supports which two authentication types? (Choose two.)
a. RADIUS
b. SMB
c. LDAP
d. TACACS+
e. AWS
3. Which two Dynamic Admin Role types are available on the PAN-OS software? (Choose two.)
a. Superuser
b. Superuser (write-only)
c. Device user
d. Device administrator (read-only)
4. Which type of profile does an authentication sequence include?

a. Security
b. Authorization
c. Admin
d. Authentication
5. An Authentication profile includes which other type of profile?

a. Server
b. Admin
c. Customized
d. Built-In
6. Which profile is used to override global minimum password complexity requirements?

a. Authentication
b. Local
c. User
d. Password
7. What does an application filter enable an administrator to do?

a. Manually categorize multiple service filters.
b. Dynamically categorize multiple service filters.
c. Dynamically categorize multiple applications.
d. Manually categorize multiple applications.
8. Which two items can be added to an application group? (Choose two.)

a. Application groups
b. Application services
c. Application filters
d. Application categories
9. What are two application characteristics? (Choose two.)

a. Stateful
b. Excessive bandwidth use
c. Intensive
d. Evasive
Domain 3: Policy Evaluation and Management
3.1 Develop the appropriate application-based Security policy
3.1.1 Create an appropriate App-ID rule

To enable applications safely, you must classify all of the traffic, across all the ports, all the time. With
App-ID, the only applications that are typically classified as unknown traffic—tcp, udp or non-syn-tcp—in
the ACC and the Traffic logs are commercially available applications that have not yet been added to
App-ID, internal or custom applications on your network, or potential threats.
To ensure that the internal custom applications do not show up as unknown traffic, you need to create a
custom application. You can then exercise granular policy control over these applications to minimize
the range of unidentified traffic on the network, thereby reducing the attack surface. Creating a custom
application also allows identifying the application in the ACC and Traffic logs correctly, which enables you
to audit/report on the applications on the network.
3.1.2 Rule shadowing

A shadow-rule warning indicates that a broader rule matching the criteria is configured above a
more specific rule.
The following screenshot shows that no traffic will ever match the second rule, which specifically
allows Skype and Dropbox, because all of the applications have already been allowed by the first
rule. Rule 2’s “skype” shadows rule 3’s “skype.”
3.1.3 Group rules by tag
View the policy rulebase as tag groups to visually group rules based on the tagging structure
created. In this view, you can perform operational procedures, such as adding, deleting, and moving
the rules in the selected tag group easily. Viewing the rulebase as tag groups maintains the rule
evaluation order and a single tag might appear multiple times throughout the rulebase to visually
preserve the rule hierarchy.
You must create the tag before you can assign it as a group tag on a rule. Policy rules that are
already tagged on upgrade to PAN-OS 9.0 have the first tag automatically assigned as the Group
tag. Before upgrading to PAN-OS 9.0, review the tagged rules in the rulebase to ensure the rules are
correctly grouped. You need to manually edit each tag rule and configure the correct Group tag if
the rules are grouped incorrectly after upgrading to PAN-OS 9.0.
3.1.4 The potential impact of App-ID updates to existing Security policy rules
Newly-categorized and modified App-IDs can change the way in which the firewall enforces traffic.
Review the content update policy to see how new and modified App-IDs impact your Security
policy and to easily make any necessary adjustments. You can review the content update policy for
both downloaded and installed content.
3.1.5 Policy usage statistics

The policy rule usage data enables you to validate rule additions and rule changes and monitor the time
frame in which a rule was used. For example, when you migrate port-based rules to app-based rules, you
create an app-based rule above the port-based rule and check for any traffic that matches the
port-based rule. After migration, the hit count data helps you determine if it is safe to remove the
port-based rule by confirming that the traffic matches the app-based rule instead of the port-based rule.
The policy rule hit count helps you determine whether a rule is effective for access enforcement.
You can reset the rule hit count data to validate an existing rule or gauge rule usage within a specified
period of time. Policy rule hit count data is not stored on the firewall or Panorama so that data is no
longer available after you reset (clear) the hit count.
After filtering the policy rulebase, administrators can delete, disable, enable, and tag policy rules directly
from the policy optimizer. For example, you can filter for unused rules and then tag them for review to
determine if they can be safely deleted or kept in the rulebase. By enabling administrators to take action
directly from the policy optimizer, you reduce the required management overhead by further simplifying
the rule lifecycle management and ensuring that the firewalls are not over-provisioned.
3.1.6 References
● Create a Custom Application,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects
-in-policy/create-a-custom-application
● View Rules by Tag Group,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-tags-to-group-and-v
isually-distinguish-objects/view-rules-by-tag-group
● See How New and Modified App-IDs Impact Your Security Policy,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/manage-new-app-ids-i
ntroduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
● View Policy Rule Usage,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-policy-rule-us
age
3.2 Differentiate specific security rule types
Security rule types

Security policies allow you to enforce rules and take action, and they can be as general or as specific
as needed. The list of policy rules is compared from the top down against the incoming traffic. The
more specific rules must precede the more general ones because the first rule that matches the
traffic is applied.
The default rules apply for the traffic that doesn’t match any user-defined rules. These default rules
are displayed at the bottom of the security rulebase. The default rules are predefined rules that are
part of the predefined configuration and are read-only by default; you can override them and
change a limited number of settings, including the tags, actions (allow or deny), log settings, and
security profiles. The names of the two default rules are intrazone-default and interzone-default.
3.2.1 Interzone
Interzone A Security policy rule allowing traffic between two different zones.
However, the traffic within the same zone is not allowed when the
policy is created as type Interzone. Interzone rule types apply to all the
Default rule displayed at the
matching traffic between the specified source and destination zones.
bottom of the security
rulebase
For example, if the source zone is set to A, B, and C and the destination
zone to A and B, the rule applies to the traffic from zone A to zone B,
zone B to zone A, zone C to zone A, and zone C to zone B, but not to the
traffic within zones A, B, or C.
Traffic logging is not enabled by default. However, best practice is to log

the traffic.
3.2.2 Intrazone
Intrazone
A Security policy rule allowing traffic within the same zone. Intrazone
rule types apply to all of the matching traffic within the specified
Default rule that is displayed source zones (a destination zone cannot be specified for intrazone
at the bottom of the security
rules).
rulebase
For example, if the source zone is set to A and B, the rule would apply
to all the traffic within zone A and all the traffic within zone B, but not
to the traffic between zones A and B.
Traffic logging is not enabled by default. However, best practice is to

log the end-of-session traffic.
3.2.3 Universal
Universal
In a universal rule, by default, all the traffic is destined between two zones,
regardless of whether they are from the same zone or different zones.
Exists above the Universal rule types apply to all the matching interzone and intrazone
intrazone and interzone
traffic in the specified source and destination zones.
Security policies
For example, if a universal rule is created with source zones A and B and
destination zones A and B, the rule applies to all the traffic within zone A,
within zone B, from zone A to zone B, and from zone B to zone A.
Traffic logging is enabled by default.
3.2.4 References
● Universal, Intrazone and Interzone Rules,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
3.3 Configure security policy match conditions, actions, and logging options
3.3.1 Application filters and groups
Application filter
An application filter is an object that dynamically groups applications based on defined attributes,
such as category, subcategory, technology, risk factor, and characteristic. This is useful when you
want to enable safe access to applications that you do not explicitly sanction but want users to
access. For example, you may want to enable employees to choose their office programs, such as
Evernote, Google Docs, or Microsoft Office 365, for business use. To enable these types of
applications safely, you can create an application filter that matches the business-systems category
and the office-programs subcategory. As new applications and office programs emerge and new
App-IDs get created, these applications automatically match the filter you define; you do not need
to make any additional changes to the policy rulebase for safely enabling any application that
matches the attributes defined for the filter.
Application group
An application group is an object that contains the applications that you want to treat similarly in
the policy. Application groups are useful for enabling access to the applications that you explicitly
sanction for use within the organization. Grouping sanctioned applications simplifies the
administration of your rulebases. Instead of updating individual policy rules whenever there is a
change in the applications you support, you can update only the affected application groups.
When deciding how to group applications, consider how to enforce access to sanctioned
applications and create an application group that aligns with each policy goal. For example, some
applications should allow access only to your IT administrators and while other applications should
be available to any known user in the organization. In this case, you create separate application
groups for each policy goal. Although you generally want to enable access to applications only on
the default port, you might want to group applications that are an exception to this and enforce
access to those applications in a separate rule.
3.3.2 Logging options

You can configure the firewall to forward all or some log entries to external services. Forwarding of
firewall logs to your Panorama enables centralized collection and analysis of logs. Forwarding of
firewall logs to a syslog server enables off-firewall storage and backup, and centralized log analysis.
For critical firewall events such as the failure of a data plane interface or a critical threat, you can
forward log entries to an email server. You also can forward log entries to an HTTP server. If the
HTTP server has an API that can parse the log entries, you can configure the HTTP server to take an
action based on a firewall event. The firewall can also forward log entries to cloud-based Cortex
Data Lake. Cortex Data Lake enables you to aggregate, view, and analyze log data from many
firewalls at the same time.
The firewall can work with an SNMP server that supports GET and TRAP operations. An SNMP server
can issue GET requests to the firewall that return operational statistics information. PAN-OS
software does not support the use of SNMP SET requests to configure a firewall. Before your SNMP
server can work with the firewall, you must load generic enterprise and PAN-OS MIBs on the SNMP
server.
Before you can forward log entries to an external service, you must configure the firewall with the
connection information of the server. Use a Server Profile to configure a firewall with the necessary
information to connect to the external service. You can configure the firewall to use UDP, TCP, or
SSL to connect to an external syslog server. The firewall can format the log entries according to the
BSD or the IETF standards. The Custom Log Format tab enables you to configure custom syslog
formats that enable the firewall to work with many different syslog vendor solutions.
A Log Forwarding Profile is also required to enable log forwarding to an external service. A Log
Forwarding Profile configures which logs or log entries to forward to which external services and
does not have to forward all logs to the same service.
After a Log Forwarding Profiles is created, you must apply it to either a Security policy rule or a
security zone. If you name a Log Forwarding Profile default, that profile will be selected
automatically for the Log Forwarding setting when a new Security policy rule is created. A profile
named default also will be selected automatically as the Log Setting when a new security zone is
created. In either case, you can override the default profile by selecting another profile.
3.3.3 App-ID
App-ID, a patented traffic-classification system available only in Palo Alto Networks firewalls,
determines what an application is, irrespective of port, protocol, encryption (SSH or SSL), or any
other evasive tactic used by the application. App-ID applies multiple classification
mechanisms—application signatures, application protocol decoding, and heuristics—to the
network traffic stream to accurately identify applications.
Here's how App-ID identifies applications traversing a network:
● Traffic is matched against policy to check if it is allowed on the network.
● Signatures are then applied to allowed traffic to identify the application based on unique
application properties and related transaction characteristics. The signature also determines
if the application is being used on its default port or is using a non-standard port. If the
traffic is allowed by policy, the traffic is scanned for threats and further analyzed for
identifying the application more granularly.
● If App-ID determines that encryption (SSL or SSH) is in use and a Decryption policy rule is in
place, the session is decrypted and application signatures are applied again on the
decrypted flow.
● Decoders for known protocols are then used to apply additional context-based signatures to
detect other applications that may be tunneling inside of the protocol (for example, Yahoo!
Instant Messenger is used across HTTP). Decoders validate that the traffic conforms to the
protocol specification and provide support for NAT traversal and opening dynamic pinholes
for applications, such as SIP and FTP.
● For particularly evasive applications that cannot be identified through advanced signature
and protocol analysis, heuristics or behavioral analysis might be used to determine the
identity of the application.
When the application is identified, the policy check determines how to treat the application; for
example—block, or allow and scan for threats, inspect for unauthorized file transfer and data
patterns, or shape using QoS.
3.3.4 User-ID
User-ID helps identify users on a network, through various techniques, to ensure that all the users
across all the locations using different access methods and operating systems, including Microsoft
Windows, Apple iOS, Mac OS, Android, and Linux/UNIX, are identified. Knowing who your users are
instead of just their IP addresses ensures the following:
● Visibility — Improved visibility into user-based application usage gives a more relevant
picture of network activity. The power of User-ID becomes evident when you notice a
strange or unfamiliar application on the network. Using either ACC or the log viewer, the
security team can identify and discern the application, the user, the bandwidth and session
consumption, the source and destination of the application traffic, and any associated
threats.
● Policy control — Tying user information to Security policy rules improves the safe
enablement of applications traversing the network and ensures that only users who have a
business need for an application get access. For example, some applications, such as the
SaaS applications that enable access to Human Resources services (for example, Workday or
ServiceNow) must be available to any known user on your network. However, for more
sensitive applications, you can reduce the attack surface by ensuring that only users who
need these applications can access them. For example, while IT support personnel may
legitimately need access to remote desktop applications, the majority of users do not.
● Logging, reporting, forensics — If a security incident occurs, forensics analysis and

reporting based on user information rather than just IP addresses provides a more complete
picture of the incident. For example, you can use the predefined User/Group Activity to see a
summary of the web activity of individual users or user groups, or you can see the SaaS
Application Usage report to see which users are transferring the most data over
unsanctioned SaaS applications.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the
packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping
information. For example, the User-ID agent monitors server logs for login events and listens for
syslog messages from authenticating services. To identify mappings for the IP addresses that the
agent didn’t map, you can configure an Authentication Policy to redirect HTTP requests to an
Authentication Portal login. You can tailor the user mapping mechanisms to suit your environment
and even use different mechanisms at different sites to ensure enabling safe access to applications
for all of the users, across all the locations, all the time.
To enable user- and group-based policy enforcement, the firewall requires a list of all the available
users and their corresponding group memberships so that you can select groups when defining
policy rules. The firewall collects Group Mapping information by connecting directly to the LDAP
directory server or by using XML API integration with the directory server. User-ID does not work in
environments where the source IP addresses of users are subject to NAT translation before the
firewall maps the IP addresses to usernames.
3.3.5 Device-ID
By using Device-ID™ on the firewalls, you can get device context for all events on the network,
obtain policy rule recommendations for those devices, write policy rules based on devices, and
enforce security policy based on the recommendations.
Similar to how User-ID provides user-based policy and App-ID provides app-based policy, Device-ID
provides policy rules based on a device, regardless of any changes to its IP address or location. By
providing traceability for devices and associating network events with specific devices, Device-ID
allows you to gain context for how events relate to devices and write policies that are associated
with devices, instead of with users, locations, or IP addresses, which can change over time. You can
use Device-ID in Security, Decryption, QoS, and Authentication policies.
For Device-ID features to be available on a firewall, you must purchase an IoT Security subscription
and select the firewall during the IoT Security onboarding process. The two types of IoT Security
subscriptions are as follows:
● IoT Security Subscription

● IoT Security – Doesn’t Require Data Lake (DRDL) Subscription
With the first subscription, firewalls send data logs to the logging service, which streams them to
IoT Security for analysis and to a Cortex Data Lake instance for storage. The data lake instance can
either be a new or existing one. With the second subscription, firewalls send data logs to the
logging service, which streams them to IoT Security for analysis but not to a Cortex Data Lake
instance for storage. It’s important to note that both IoT Security and IoT Security (DRDL)
subscriptions provide the same functionality in terms of IoT Security and Device-ID.
3.3.6 Application filter in policy
Application filters are useful when you want to enable access to applications that match filter
criteria rather than match specific application names. Application filters may be used as a match
condition within your Security policy rules.
3.3.7 Application group in policy

Unlike the dynamic list of applications in an application filter, an application group is a static,
administrator-defined set of applications. Application groups enable you to create a logical
grouping of applications that can be applied to Security and QoS policy rules.
An application group is used when you want to treat a set of applications similarly in a policy.
Application groups ultimately simplify administration of your rulebases. Instead of you adding the
same list of applications to multiple rules, you can create an application group and add the group
to multiple rules. You must still issue a firewall commit after updating an application group.
3.3.8 EDLs
An external dynamic list (EDL) is a text file that is hosted on an external web server so that the
firewall can import objects—IP addresses, URLs, domains—included in the list and enforce policy. To
enforce policy on the entries included in the external dynamic list, you must reference the list in a
supported policy rule or profile. When multiple lists are referenced, you can prioritize the order of
evaluation to ensure that the most important EDLs are committed before capacity limits are
reached. As you modify the list, the firewall dynamically imports the list at the configured interval
and enforces policy without making a configuration change or a commit on the firewall. If the web
server is unreachable, the firewall uses the last successfully retrieved list to enforce a policy until the
connection is restored with the web server. In cases where authentication to the EDL fails, the
security policy stops enforcing the EDL. To retrieve the external dynamic list, the firewall uses the
interface configured with the Palo Alto Networks Services service route.
The firewall retains the last successfully retrieved EDL and continues operating with the most
current EDL information until connection is restored with the server hosting the EDL if:
● You upgrade or downgrade the firewall.

● You reboot the firewall, management plane, or data plane.
● The server hosting the EDL becomes unreachable.
The firewall supports the following types of EDLs:
● Predefined IP Address
● Predefined URL List
● IP Address
● Domain
3.3.9 References
● Forward traffic logs to a syslog server,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK
● Create an Application Filter,
-in-policy/create-an-application-filter
● How to Block Traffic Based on Application Filters with an Exception,
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXfCAK
● Create an Application Group,
-in-policy/create-an-application-group
● HTTP Header Logging,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/http-header-loggi
ng
● App-ID Overview,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/app-id-overview#idf38
e43a6-446e-49e2-b652-6b1817df22b5
● User-ID Overview,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/user-id-overview
● Device-ID Overview,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/device-id/device-id-overview
● External Dynamic List,
c-list-in-policy/external-dynamic-list
3.4 Identify and implement proper NAT policies
3.4.1 Destination
Destination NAT (DNAT) is performed on incoming packets when the firewall translates a
destination address to a different destination address; for example, it translates a public destination
address into a private destination address. Destination NAT also offers the option to perform port
forwarding or port translation.
Destination NAT allows static and dynamic translation:
● Static IP — You can configure a one-to-one, static translation in several formats. You can
specify the original packet to have a single destination IP address, a range of IP addresses, or
an IP netmask—as long as the translated packet is in the same format and specifies the
same number of IP addresses. The firewall statically translates an original destination
address to the same translated destination address each time. That is, if there is more than
one destination address, the firewall translates the first destination address configured for
the original packet to the first destination address configured for the translated packet and
translates the second original destination address configured to the second translated
destination address configured, and so on, always using the same translation.
If you use destination NAT to translate a static IPv4 address, you might also use DNS services
on one side of the firewall to resolve FQDNs for a client on the other side. When the DNS
response containing the IPv4 address traverses the firewall, the DNS server provides an
internal IP address to an external device, or vice versa. Beginning with PAN-OS 9.0.2 and in
later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS
response (that matches the rule) so that the client receives the appropriate address to reach
the destination service.
● Dynamic IP (with session distribution) — Destination NAT allows you to translate the
original destination address to a destination host or server that has a dynamic IP address,
meaning an address object that uses an FQDN, which can return multiple addresses from
DNS. Dynamic IP (with session distribution) only supports IPv4 addresses. Destination NAT
using a dynamic IP address is especially helpful in cloud deployments that use dynamic IP
addressing.
If the translated destination address resolves to more than one address, the firewall
distributes the incoming NAT sessions among multiple addresses to provide improved
session distribution. Distribution is based on one of several methods: round robin (the
default method), source IP hash, IP modulo, IP hash, or least sessions. If a DNS server returns
more than 32 IPv4 addresses for an FQDN, the firewall uses the first 32 addresses in the
packet.
Using Dynamic IP (with session distribution) allows you to translate multiple pre-NAT destination
IP addresses M to multiple post-NAT destination IP addresses N. A many-to-many translation
implies that M x N destination NAT translations use a single NAT rule.
For destination NAT, the best practice is to:
● Use Static IP address translation for static IP addresses, which allows the firewall to check
and ensure that the number of original destination IP addresses equals the number of
translated destination IP addresses.
● Use Dynamic IP (with session distribution) address translation only for FQDN-based
dynamic addresses (the firewall does not perform an IP address number check).
3.4.2 Source
Source NAT is typically used by internal users to access the internet; the source address is translated
and thereby kept private. The three types of source NAT are as follows:
● Dynamic IP and Port (DIPP) — Allows multiple hosts to have their source IP addresses
translated to the same public IP address with different port numbers. The dynamic
translation is to the next available address in the NAT address pool, which you configure as a
Translated Address pool to an IP address, range of addresses, a subnet, or a combination of
these.
As an alternative to using the next address in the NAT address pool, DIPP allows you to
specify the address of the Interface itself. The advantage of specifying the interface in the
NAT rule is that the NAT rule will be automatically updated to use any address subsequently
acquired by the interface. DIPP is sometimes referred to as interface-based NAT or network
address port translation (NAPT).
DIPP has a default NAT oversubscription rate, which is the number of times the same
translated IP address and port pair can be used concurrently.
● Dynamic IP — Allows the one-to-one, dynamic translation of a source IP address only (no
port number) to the next available address in the NAT address pool. The size of the NAT pool
should be equal to the number of internal hosts that require address translations. By default,
if the source address pool is larger than the NAT address pool and eventually all of the NAT
addresses are allocated, new connections that need address translation are dropped. To
override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable the use
of DIPP addresses when necessary. In either event, as sessions terminate and the addresses
in the pool become available, they can be allocated to translate new connections.
● Static IP — Allows the one-to-one, static translation of a source IP address but leaves the
source port unchanged. A common scenario for a static IP translation is an internal server
that must be available to the internet.
3.4.3 References
● Destination NAT,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/source-nat-an
d-destination-nat/destination-nat
● Source NAT,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/source-nat-an
d-destination-nat/source-nat
3.5 Optimize Security policies using appropriate tools
3.5.1 Policy test match tool

Test the policy rules in your running configuration to ensure that your policies appropriately allow
and deny traffic and access to applications and websites in compliance with your business needs
and requirements. You can test and verify that your policy rules are allowing and denying the
correct traffic by executing policy match tests for your firewalls directly from the web interface. This
feature is found under Device > Troubleshooting. When the feature is used, you will need to enter
the required information to perform the policy match test. As an example, to run a NAT policy
match test:
1. Select Test—Select NAT Policy Match.

2. From—Select the zone traffic is originating from.
3. To—Select the target zone of the traffic.
4. Source—Enter the IP address from which traffic originated.
5. Destination—Enter the IP address of the target device for the traffic.
6. Destination Port—Enter the port used for the traffic. This port varies depending on the IP
protocol used in the following step.
7. Protocol—Enter the IP protocol used for the traffic.
8. If necessary, enter any additional information relevant for your NAT policy rule testing.
Below is an example of a NAT Policy Match Result:
3.5.2 Policy Optimizer

Policy Optimizer provides a simple workflow to migrate your legacy security policy rulebase to an
App-ID based rulebase, which improves your security by reducing the attack surface and gaining
visibility into applications so you can safely enable them. Policy Optimizer identifies port-based
rules so you can convert them to application-based allow rules or add applications from a
port-based rule to an existing application-based rule without compromising application availability.
It also identifies over-provisioned App-ID based rules (App-ID rules configured with unused
applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify
application-based rules that allow applications you don’t use, and analyze rule usage characteristics
such as hit count.
Converting port-based rules to application-based rules improves the security posture because you
can select applications to allow and also deny all the other applications, therefore eliminating all
unwanted and potentially malicious traffic from your network. Combined with restricting
application traffic to its default ports (set the Service to application-default), converting to
application-based rules also prevents evasive applications from running on non-standard ports.
Use this feature to:
● Migrate port-based rules to application-based rules — Instead of combing through traffic

logs and manually mapping applications to port-based rules, use Policy Optimizer to
identify port-based rules and list the applications that match each rule, so you can select the
applications you want to allow and safely enable them. Converting the legacy port-based
rules to application-based allow rules supports your business applications and enables you
to block any applications associated with malicious activity.
● Identify over-provisioned application-based rules — Rules that are too broad allow
applications you don’t use on your network, which increases the attack surface and the risk
of inadvertently allowing malicious traffic.
● Add App-ID Cloud Engine (ACE) applications to Security policy rules — If you have a SaaS
Security Inline subscription, you can use Policy Optimizer’s New App Viewer to manage
cloud-delivered App-IDs in security policy. The ACE documentation describes how to use
Policy Optimizer to gain visibility into and control the cloud-delivered App-IDs.
3.5.3 References
● Security Policy Rule Optimization,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-opti
mization
● Test Policy Rules,
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/test-policy-rule-traffic-m
atches
1. What will be the result of one or more occurrences of shadowing?

a. A failed commit
b. An invalid configuration
c. A warning
d. An alarm window
2. Which column in the Applications and Threats screen includes the options Review Apps and
Policies?
a. Features
b. Type
c. Version
d. Action
3. Which link can you select in the web interface to minimize the risk of installing new App-ID
updates?
a. Enable new apps in content update
b. Disable new apps in App-ID database
c. Disable new apps in content update
d. Enable new apps in App-ID database
4. Which two protocols are implicitly allowed when you select the facebook-base application?
(Choose two.)
a. Web-browsing
b. Chat
c. Gaming
d. SSL
5. What are the two default (predefined) Security policy rule types in PAN-OS software?
(Choose two.)
a. Universal
b. Interzone
c. Intrazone
d. Extrazone
6. Which type of Security policy rules most often exist above the two predefined Security
policies?
a. Intrazone
b. Interzone
c. Universal
d. Global
7. What does the TCP Half Closed setting mean?

a. Maximum length of time that a session remains in the session table between
reception of the first FIN and reception of the third FIN or RST.
b. Minimum length of time that a session remains in the session table between
reception of the first FIN and reception of the second FIN or RST.
c. Maximum length of time that a session remains in the session table between
d. Minimum length of time that a session remains in the session table between

a. Stateful
c. Intensive
d. Evasive
9. Which two HTTP Header Logging options are within a URL Filtering profile? (Choose two.)
a. User-Agent
b. Safe Search
c. URL redirection
d. X-Forwarded-For
10. What are two source NAT types? (Choose two.)

a. Universal
b. Static
c. Dynamic
d. Extrazone
11. Which phrase is a simple way to remember how to configure Security policy rules where
NAT was implemented?
a. Post-NAT IP, pre-NAT zone
b. Post-NAT IP, post-NAT zone
c. Pre-NAT IP, post-NAT zone
d. Pre-NAT IP, pre-NAT zone
12. What are two types of destination NAT? (Choose two.)

a. Dynamic IP (with session distribution)
b. DIPP
c. Global
d. Static
13. The Policy Optimizer does not analyze which statistics?
a. Applications allowed through port-based Security policy rules.
b. The usage of existing App-IDs in Security policy rules.
c. Which users matched Security policies.
d. Existing Security policy rule App-IDs that have not matched processed traffic.
e. Days since the latest new application discovery in a port-based Security policy rule.
Domain 4: Securing Traffic
4.1 Compare and contrast different types of Security profiles
4.1.1 Antivirus
Antivirus Security profiles protect against viruses, worms, and Trojans, along with spyware
downloads. The Palo Alto Networks antivirus solution uses a stream-based malware prevention
engine that inspects traffic the moment the first packet is received to provide protection for clients
without significantly impacting the performance of the firewall. This profile scans for a variety of
malware in executables, PDF files, HTML, and JavaScript, and it includes support for scanning
compressed files and data-encoding schemes. The profile also enables the scanning of decrypted
content if decryption is enabled on the firewall.
The default profile inspects all the listed protocol decoders for viruses and generates alerts for the
SMTP, IMAP, and POP3 protocols while blocking the FTP, HTTP, and SMB protocols. You can
configure the action for a decoder or antivirus signature and specify how the firewall responds to
threats, such as Default, Allow, Alert, Drop, Reset Client, Resent Server, and Reset Both.
Customized profiles can be used to minimize antivirus inspection for traffic between more trusted
security zones. They also can be used to maximize the inspection of traffic received from
less-trusted zones, such as the internet, and the traffic sent to highly sensitive destinations such as
server farms.
The Palo Alto Networks WildFire system also provides signatures for the persistent threats that are
more evasive and have not yet been discovered by other antivirus solutions. As WildFire discovers
threats, signatures are quickly created and then integrated into the standard antivirus signatures,
which Threat Prevention subscribers can then download daily (sub-hourly for WildFire subscribers).
4.1.2 Anti-Spyware
Anti-Spyware Security profiles block spyware on compromised hosts from trying to communicate
with external command-and-control (C2) servers, thus enabling you to detect malicious traffic
leaving the network from infected clients. You can apply various levels of protection between
security zones. For example, you might have custom Anti-Spyware profiles that minimize inspection
between more trusted zones while maximizing inspection on traffic received from less trusted
zones, such as the internet-facing zones. When the firewall is managed by a Panorama
management server, the Threat ID is mapped to the corresponding custom threat on the firewall to
enable the firewall to generate a threat log populated with the configured custom Threat ID.
4.1.3 Vulnerability Protection

Vulnerability Protection Security profiles stop attempts to exploit system flaws or gain unauthorized
access to systems. Anti-Spyware Security profiles identify infected hosts as the traffic leaves the
network, but Vulnerability Protection Security profiles protect against threats entering the network.
For example, Vulnerability Protection Security profiles protect against buffer overflows, illegal code
execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection
Security profile protects clients and servers from all the known critical-, high-, and medium-severity
threats. You also can create exceptions that enable you to change the response to a specific
signature.
4.1.4 URL Filtering

The URL Filtering Security profile determines web access and credential-submission permissions
for each URL category. By default, site access for all the URL categories is set to “allow” when you
create a new URL Filtering Security profile. By default, no allowed traffic will be logged. You can
customize the URL Filtering Security profile with custom site access settings for each category or
use the predefined default URL Filtering Security profile on the firewall to allow access to all the
URL categories except the following threat-prone categories, which the profile blocks:
abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons.
For each URL category, select User Credential Submissions to allow or disallow users from
submitting valid corporate credentials to a URL in that category. This action will help prevent
credential phishing.
Management of the sites to which users can submit credentials requires User-ID, and you must first
set up credential phishing prevention. URL categories with the Site Access set to “block”
automatically are also set to block user credential submissions.
4.1.5 WildFire Analysis

WildFire turns every Palo Alto Networks platform deployment into a distributed sensor and
enforcement point to stop zero-day malware and exploits before they can spread and become
successful. Within the WildFire environment, threats are detonated, intelligence is extracted, and
preventions are automatically orchestrated across the Palo Alto Networks next-generation security
product portfolio as soon as a signature is generated, thus minimizing the window in which
malware can infiltrate your network. WildFire goes beyond traditional approaches. The service
employs a unique, multitechnique approach that combines dynamic and static analysis, innovative
machine-learning techniques, and a groundbreaking bare metal analysis environment to detect
unknown threats and prevent even the most evasive threats. The following illustration depicts
WildFire, its information sources, and the services it supports.
4.1.6 Reference
● Security Profiles,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles
4.2 Create, modify, add, and apply the appropriate Security profiles and groups
Use the following steps to create a Security profile group and add it to a Security policy.
Step 1: Create a Security profile group.
● Select Objects > Security Profile Groups and Add a new Security profile group.
● Give the profile group a descriptive Name, such as Threats.
● If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual
systems.
● Add existing profiles to the group.
● Click OK to save the profile group.
Step 2: Add a Security profile group to a Security policy.
● Select Policies > Security and Add or modify a Security policy rule.
● Select the Actions tab.
● In the Profile Setting section, select Group for the Profile Type.
● In the Group Profile drop-down, select the group you created (for example, select the
best-practice group).
● Click OK to save the policy and commit your changes.
Step 3: Save your changes. Click Commit.
4.2.1 Antivirus
The Antivirus Profiles scan the firewall for viruses on the defined traffic. Set the applications that
should be inspected for viruses and the action to take when a virus is detected. The default profile
inspects all of the listed protocol decoders for viruses and generates alerts for the SMTP, IMAP, and
POP3 protocols while blocking the FTP, HTTP, and SMB protocols. You can configure the action for a
decoder or Antivirus signature and specify how the firewall responds to a threat event:
● Default — Specifies a default action internally for each threat signature and Antivirus
signature defined by Palo Alto Networks. Typically, the default action is an alert or a Reset
Both. The default action is displayed in parenthesis, such as default (alert) in the threat or
Antivirus signature.
● Allow — Permits the application traffic. It does not generate logs related to signatures or
profiles.
● Alert — Generates an alert for each application traffic flow. The alert is saved in the threat
log.
● Drop — Drops the application traffic.
● Reset Client — Resets the client-side connection for TCP and drops the connection for UDP.
● Reset Server — Resets the server-side connection for TCP and drops the connection for
UDP.
● Reset Both — Resets the connection on both client and server ends for TCP and drops the
connection for UDP.
4.2.2 Anti-Spyware
The Anti-Spyware profile detects the connections initiated by spyware and various types of C2
malware installed on the network systems. You can define custom Anti-Spyware profiles or choose
one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
● Default — Uses the default action for every signature, as specified by Palo Alto Networks
when the signature is created.
● Strict — Overrides the default action of the critical-, high-, and medium-severity threats to
the block action, regardless of the action defined in the signature file. This profile still uses
the default action for the low- and informational-severity signatures.
4.2.3 Vulnerability Protection

The Vulnerability Protection profile determines the level of protection against buffer overflows,
illegal code execution, and other attempts to exploit system vulnerabilities. There are two
predefined profiles available for the Vulnerability Protection feature: Default and Strict.
4.2.4 URL Filtering

URL Filtering profiles enable you to monitor and control how users access the web over HTTP and
HTTPS. The firewall comes with a default profile that is configured to block websites, such as known
malware sites, phishing sites, and adult content sites. You can use the default profile in a Security
policy, clone it to be used as a starting point for new URL Filtering profiles, or add a new URL profile
that will have all categories set to allow for visibility into the traffic on your network. You can then
customize the newly added URL profiles and add lists of specific websites that should always be
blocked or allowed, which provides more granular control over the URL categories.
4.2.5 WildFire Analysis
Use a WildFire analysis profile to enable the firewall to forward unknown files or email links for
WildFire analysis. Specify files to be forwarded for analysis based on the application, file type, and
transmission direction (upload or download). Files or email links matched to the profile rule are
either forwarded to the WildFire public cloud or the WildFire private cloud (hosted with a WF-500
appliance), depending on the analysis location defined for the rule. If a profile rule is set to forward
files to the WildFire public cloud, the firewall also forwards files that match the existing antivirus
signatures, in addition to unknown files.
You can also use the WildFire analysis profiles to set up a WildFire hybrid cloud deployment. If you
are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify for
less-sensitive files types (such as Portable Executable [PE] files) or file types that are not supported
for WildFire appliance analysis (such as APKs) to be analyzed by the WildFire public cloud. Using
both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt
verdict for the files that have already been processed by the cloud and for the files that are not
supported for appliance analysis; doing so also frees up the appliance capacity to process sensitive
content.
4.2.6 Configure Threat Prevention policy

The Palo Alto Networks next-generation firewall threat-intrusion-prevention subscriptions protect
and defend the network from commodity threats and advanced persistent threats (APTs) by using
multipronged detection mechanisms to combat the entire gamut of the threat landscape. The
threat prevention solution comprises the following two subscriptions:
● Threat Prevention — The core Threat Prevention subscription is based on the signatures
generated from malicious traffic data collected from various Palo Alto Networks services.
These signatures are used by the firewall to enforce security policies based on specific
threats, which include C2, various types of known malware, and vulnerability exploits;
combined with the App-ID and User-ID identification technologies on the firewall, you can
cross-reference context data to produce fine-grained policies. As a part of the
threat-mitigation policies, you can also identify and block known or risky file types and IP
addresses of which several premade categories are available, including lists specifying
bulletproof service providers and known malicious IPs. In cases where specialized tools and
software are used, you can create your own vulnerability signatures to customize the
intrusion prevention capabilities for your network’s unique requirements.
● Advanced Threat Prevention — The Advanced Threat Prevention cloud service uses inline
deep-learning and machine-learning models for real-time enforcement of evasive and
never-before-seen, unknown C2 threats. As an ultra low-latency native cloud service, this
extensible and infinitely scalable solution is always kept up to date with model training
improvements. The Advanced Threat Prevention license includes all of the benefits included
with Threat Prevention.
4.2.7 References
● Create a Security Profile Group,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles/create-
a-security-profile-group
● Security Profiles,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles
4.3 Differentiate between Security profile actions
The action specifies how the firewall responds to a threat event. Every threat or virus signature that
is defined by Palo Alto Networks includes a default action, typically either set to alert, which informs
you the option you have enabled for notification, or to Reset Both, which resets both sides of the
connection. However, you can define or override the action on the firewall. The following actions are
applicable when defining Antivirus Profiles, Anti-Spyware Profiles, Vulnerability Protection Profiles,
Custom Spyware Objects, Custom Vulnerability Objects, or DoS Protection Profiles:
ACTION DESCRIPTION ANTIVIRU ANTI-SPYWARE VULNERABILITY CUSTOM DOS

S PROFILE PROTECTION OBJECT— PROTECTION
PROFILE PROFILE SPYWARE PROFILE
AND
VULNERA
BILITY
Default Takes the default ✓ ✓ ✓ — Random

action specified Early Drop
internally for each
threat signature.
For antivirus
profiles, it takes the
default action for
the virus signature.
Allow Permits the ✓ ✓ ✓ ✓ —

application traffic.
Alert Generates an alert ✓ ✓ ✓ ✓ ✓

for each Generates an
application traffic alert when
flow. The alert is the attack
saved in the threat volume (CPS)
log. reaches the
Alarm
threshold set
in the profile.
Drop Drops the ✓ ✓ ✓ ✓ —

application traffic.
Reset Resets the ✓ ✓ ✓ ✓ —
Client client-side
connection for
TCP.
The connection is
dropped for UDP.

Server client-side
connection for
TCP.
The connection is
dropped for UDP.

Both client-side
connection for
TCP.
The connection is
dropped for UDP.
Block IP Blocks traffic from — ✓ ✓ ✓ ✓

either a source or a
source-destination
pair. It is
configurable for a
specified period of
time.
Sinkhole Directs DNS — — — — —

queries for
malicious domains
to a sinkhole IP
address.
The action is
available for Palo
Alto Networks DNS
signatures and for
custom domains
included in the
Objects > External
Dynamic Lists.
Random Causes the firewall — — — — ✓

Early to drop packets
Drop randomly when
the connections
per second reach
the Activate Rate
threshold in a DoS
Protection profile
applied to a DoS
Protection rule.
SYN Causes the firewall — — — — ✓
Cookies to generate SYN
cookies to
authenticate a SYN
from a client when
the connections
per second reach
the Activate Rate
Threshold in a DoS
Protection profile
applied to a DoS
Protection rule.
4.3.1 Reference
● Actions in Security Profiles,
curity-profiles/actions-in-security-profiles
4.4 Use information available in logs
4.4.1 Traffic
Traffic logs display an entry for the start and end time of each session. Each entry includes the date
and time; source and destination zones, addresses and ports; application name; security rule
applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of
bytes; and session end reason.
The Type column indicates whether the entry is for the start or end of the session. The Action
column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates
that the security rule that blocked the traffic specified any application, while a deny indicates that
the rule identified a specific application. If the firewall drops traffic before identifying the
application, such as when a rule drops all of the traffic for a specific service, the Application column
displays not-applicable.
Click beside an entry to view additional details about the session, such as whether an ICMP
entry aggregates multiple sessions between the same source and destination (in which case the
Count column value is greater than one).
4.4.2 Threat
Threats are recorded and logged in a Threat log. A Threat log displays entries when the traffic
matches one of the Security profiles attached to a Security policy rule on the firewall. Each entry
includes the date and time; type of threat (such as virus or spyware); threat description or URL
(Name column); source and destination zones, addresses, and ports; application name; alarm action
(such as allow or block); and severity level. The Threat log is used as the source of information that is
displayed on the ACC (Application Control Center) tab.
Threat levels are based on the following five levels of severity:
SEVERITY DESCRIPTION
Critical Serious threats, such as those that affect the default installations of widely deployed
software, result in root compromise of servers, and make the exploit code widely
available to attackers. The attacker usually does not need any special authentication
credentials or knowledge about the individual victims, and the target does not need
to be manipulated into performing any special functions.
High Threats that have the ability to become critical but have mitigating factors, such as
being difficult to exploit, not resulting in elevated privileges, or not having a large
victim pool.
● WildFire Submissions log entries with a malicious verdict and an action set
to “allow” are logged as High.
Medium Minor threats which pose minimal impact, such as DoS attacks that do not
compromise the target or exploits that require an attacker to reside on the same
LAN as the victim. Medium threats only affect non-standard configurations or
obscure applications, and provide very limited access.
● Threat log entries with a malicious verdict and an action set to “block” or
“alert,” based on the existing WildFire signature severity, are logged as
Medium.
Low Warning-level threats that have very little impact on an organization's infrastructure.
Low threats usually require local or physical system access and might often result in
victim privacy or DoS issues and information leakage.
● Data Filtering profile matches are logged as Low.

● WildFire Submissions log entries with a grayware verdict and any action are
logged as Low.
Informational Suspicious events that do not pose an immediate threat but are reported to call
attention to deeper problems that could exist.
● URL Filtering log entries are logged as Informational.

● WildFire Submissions log entries with a benign verdict and any action are
logged as Informational.
● WildFire Submissions log entries with any verdict and an action set to
“block” and forward are logged as Informational.
● Log entries with any verdict and an action set to “block” are logged as
Informational.
4.4.3 Data
Data Filtering logs display entries for the security rules that help prevent sensitive information such
as credit card numbers from leaving the area that the firewall protects.
This log type also shows information for File Blocking Profiles. For example, if a rule blocks .exe files,
the log shows the blocked files.
4.4.4 System logs
The System logs display entries for each system event on the firewall. Each entry includes the date
and time, event severity, and event description. The following table summarizes the System log
severity levels. For a partial list of System log messages and their corresponding severity levels, refer
to System Log Events.
SEVERITY DESCRIPTION
Critical Hardware failures, including HA failover and link failures
High Serious issues, including dropped connections with external devices,

such as LDAP and RADIUS servers
Medium Mid-level notifications, such as antivirus package upgrades
Low Minor-severity notifications, such as user password changes
Informational Log in/log off, administrator name or password change, any

configuration change, and all other events not covered by the other
severity levels
4.4.5 Reference
● Set Up Date Filtering,
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-data-
filtering
● Log Types and Severity Levels,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/view-and-manage
-logs/log-types-and-severity-levels
4.5 Enable DNS Security to control traffic based on domains
4.5.1 Configure DNS Security

Before you enable and configure DNS Security, you must obtain and install a Threat Prevention (or
Advanced Threat Prevention) license as well as a DNS Security license in addition to any platform
licenses from where it is operated. Licenses are activated from the Palo Alto Networks Customer
Support Portal and must be active before DNS analysis can take place. Additionally, DNS Security
(similar to other Palo Alto Networks security services) is administered through Security profiles,
which in turn is dependent on the configuration of network enforcement policies as defined
through Security policy rules. Before enabling DNS Security, it is recommended that you become
familiar with the core components of the security platform in which the Security subscriptions are
enabled.
To enable and configure a DNS Security subscription to function optimally within the network
security deployment, refer to the tasks below. While it may not be necessary to implement all of the
processes shown here, Palo Alto Networks recommends reviewing all of the tasks to become
familiar with the available options for a successful deployment.
4.5.2 Apply DNS Security in policy
To enable DNS sinkholing for domain queries by using DNS Security, you must activate your DNS
Security subscription, create (or modify) an Anti-Spyware policy to reference the DNS Security
service, configure the log severity and policy settings for each DNS signature category, and then
attach the profile to a Security policy rule.
Step 1: Activate the subscription licenses.
Step 2: Verify that the paloalto-dns-security App-ID in your security policy is configured to enable
traffic from the DNS Security cloud security service.
If the firewall deployment routes management traffic through an internet-facing perimeter firewall
configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter
firewall; failure to do so will prevent DNS Security connectivity.
Step 3: Configure the DNS Security signature policy settings to send malware DNS queries to the
defined sinkhole, using the following steps:
● Select Objects > Security Profiles > Anti-Spyware.

● Create or modify an existing profile, or select one of the existing default profiles and clone it.
● Name the profile and, optionally, provide a description.
● Select the DNS Policies tab.
● In the Signature Source column, beneath the DNS Security heading, there are individually
configurable DNS signature sources that allow you to define separate policy actions as well
as log severity levels.
○ Specify the log severity level that is recorded when the firewall detects a domain
matching a DNS signature. For more information about the various log severity
levels, refer to Threat Severity Levels.
○ Select an action to be taken when DNS lookups are made to known malware sites for
the DNS Security signature source. The options are allow, block, sinkhole, or default.
Verify that the action is set to sinkhole.
○ You can fully bypass DNS traffic inspection by configuring your DNS Security
Anti-Spyware profile using the following settings:
■ A policy action of Allow with a corresponding log severity of None for each
DNS signature source.
■ Removal of all the DNS Domain/FQDN Allow List entries in the DNS
Exceptions tab.
○ From the Packet Capture drop-down list, select single-packet to capture the first
packet of the session or extended-capture to set between 1-50 packets. You can
then use the packet captures for further analysis.
● In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience,
the default sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto
Networks server. Palo Alto Networks can automatically refresh this address through content
updates.
● Click OK to save the Anti-Spyware profile.
Step 4: Attach the Anti-Spyware profile to a Security policy rule, using the following steps:
● Select Policies > Security.

● Select or create a Security Policy Rule.
● On the Actions tab, select the Log at Session End check box to enable logging.
● In the Profile Setting section, click the Profile Type drop-down list to view all Profiles. From
the Anti-Spyware drop-down list, select the new or modified profile.
● Click OK to save the policy rule.
4.5.3 References
● Configure DNS Security,
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security
● Enable DNS Security,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security
/enable-dns-security
● Create Domain Exceptions and Allow | Block Lists,
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/create
-domain-signature-exceptions-and-allow-lists#tabs-id61d52481-57ae-4e96-951f-fb1e5ab53f6a
● Test Connectivity to the DNS Security Service,
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/test-c
onnectivity-to-the-dns-security-service#id14bb1bce-6200-4e65-9acd-7df9061c3c74
● Configure Lookup Timeout,
https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/config
ure-lookup-timeout#ideba313e5-ba4c-456b-a90f-33ff2c78c838
4.6 Create and deploy URL-filtering-based controls
4.6.1 Apply a URL profile in a Security policy

You can use URL filtering profiles not only to control access to web content, but also to control how
users interact with the web content.
WHAT ARE YOU LOOKING FOR? SEE
Control access to websites based on URL category. URL Filtering Categories
Detect corporate credential submissions, and then User Credential Detection

decide the URL categories to which users can URL Filtering Categories
submit credentials.
Block search results if the end user is not using the URL Filtering Settings
strictest safe search settings.
Enable logging of HTTP headers. URL Filtering Settings
Control access to websites by using custom HTTP HTTP Header Insertion

Headers.
Enable cloud and local inline categorization to Inline Categorization

analyze web pages in real time for malicious content.
Looking for more? ● Learn more about how to configure URL

Filtering.
● Use URL categories to prevent credential
phishing.
● To create custom URL categories, select
Objects > Custom Objects > URL Category.
● To import a list of URLs that you want to
enforce, select Objects > External Dynamic
Lists.
4.6.2 Create a URL Filtering profile
After determining the URL Filtering policy requirements, you should have a basic understanding of
the types of websites your users are accessing. Use this information to create a URL Filtering profile
that defines how the firewall handles traffic to specific URL categories. You can also restrict the sites
to which users can submit corporate credentials and enforce strict safe search. Then, to enforce
these settings, apply the URL Filtering profile to the Security policy rules that allow web access.
Step 1: Create a URL Filtering profile.

Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
Step 2: Define site access for each URL category.

Select Categories and set the Site Access for each URL category:
● Select allow for traffic destined for that URL category; allowed traffic is not logged.
● Select alert to have visibility into sites that users are accessing. Traffic matching that
category is allowed, but a URL Filtering log is generated to record when a user accesses a
site in that category.
● Select block to deny access to traffic that matches that category and enable logging of the
blocked traffic.
● Select continue to display a page to users with a warning and require them to click
Continue to proceed to a site in that category.
● Select override to only allow access if users provide a configured password.
Step 3: Configure the URL Filtering profile to detect corporate credential submissions to websites
that are in the allowed URL categories by using the following steps:
● Select User Credential Detection.

● Select one of the methods to check for corporate credential submissions to web pages from
the User Credential Detection drop-down:
○ Use IP User Mapping — Checks for valid corporate username submissions and
verifies that the username matches the user logged in to the source IP address of the
session. The firewall matches the submitted username against its IP
address-to-username mapping table. You can use any of the user-mapping methods
described in Map IP Addresses to Users.
○ Use Domain Credential Filter — Checks for valid corporate usernames and
password submissions and verifies that the username maps to the IP address of the
logged-in user. See Configure User Mapping Using the Windows User-ID Agent for
instructions on how to set up User-ID to enable this method.
○ Use Group Mapping — Checks for valid username submissions based on the
user-to-group mapping table populated when you configure the firewall to map
users to groups. With group mapping, you can apply credential detection to any part
of the directory or to a specific group, such as the IT group that has access to your
most sensitive applications.
● Set the Valid Username Detected Log Severity that the firewall uses to log the detection of
corporate credential submissions (default is medium).
Step 4: Configure the URL Filtering profile to detect phishing and malicious JavaScript in real time
by using Local Inline Categorization.
Step 5: Allow or block users from submitting corporate credentials to sites based on the URL
category to prevent credential phishing.
● For each URL category to which you allow Site Access, select how you want to treat User
Credential Submissions from the drop-down list:
○ Alert — Allow users to submit credentials to the website but generate a URL filtering
alert log each time a user submits credentials to the sites in this URL category.
○ Allow (default) — Allow users to submit credentials to the website.
○ Block — Display the Anti-Phishing Block Page to block users from submitting
credentials to the website.
○ Continue — Present the Anti-Phishing Continue Page to require users to click
Continue to access the site.
● Configure the URL Filtering profile to detect corporate credential submissions to websites
that are in the allowed URL categories.
Step 6: Define URL category exception lists to specify websites that should always be blocked or
allowed, regardless of the URL category. For example, to reduce URL filtering logs, you may want to
add your corporate websites to the Allow list so that no logs are generated for those sites or, if a
website is being overused and is not work-related, you can add that site to the block list.
The policy actions configured for custom URL categories have priority enforcement over the
matching URLs in the external dynamic lists. All traffic to the websites in the block list will always be
blocked, regardless of the action for the associated category, and all traffic to the URLs in the allow
list will always be allowed.
Step 7: Enable Safe Search Enforcement.
Step 8: Log only Container Pages for URL filtering events.
● Select URL Filtering Settings. Enable Log container page only (default) so that the firewall
logs only the main page that matches the category, not the subsequent pages or categories
that are loaded within the container page.
● To enable logging for all the pages and categories, disable the Log container page only
option.
Step 9: Enable HTTP Header Logging for one or more of the supported HTTP header fields. Select
URL Filtering Settings and then select one or more of the following fields to log:
● User-Agent
● Referer
● X-Forwarded-For
Step 10: Save the URL Filtering profile and click OK.
Step 11: Apply the URL Filtering profile to the Security policy rules that allow traffic from clients in
the trust zone to the internet by using the following steps:
● Select Policies > Security. Then, select a Security policy rule to modify.
● On the Actions tab, edit the Profile Setting.
● For Profile Type, select Profiles. A list of profiles appears.
● For the URL Filtering profile, select the profile you just created.
● Click OK to save your changes.
Step 12: Commit the configuration.
Step 13: Test your URL filtering configuration.
Step 14: (Best Practice) Enable Hold Client Request for category lookup, using the following steps,
to block client requests while the firewall performs URL category lookups:
● Select Device > Setup > Content-ID.

● Select Hold Client Request for category lookup.
● Commit your changes.
Step 15: Set the amount of time, in seconds, before a URL category lookup times out.
● Select Device > Setup > Content-ID > gear icon.

● Enter a number for Category lookup timeout (sec).
● Click OK.
● Commit your changes.
4.6.3 Create a custom URL category

You can create a custom URL filtering object to specify exceptions to the URL category
enforcement and to create a custom URL category, based on multiple URL categories:
● Define exceptions to the URL category enforcement — Create a custom list of URLs for
using as match criteria in a Security policy rule. This is an effective way to specify exceptions
to URL categories to enforce specific URLs differently than the URL category in which they
belong. For example, you might block the social-networking category but allow access to
LinkedIn.
● Define a custom URL category based on multiple PAN-DB categories — This allows you
to target the enforcement for websites that match a set of categories. The website or page
must match all of the categories defined as part of the custom category.
Follow these steps to create a custom URL category and define how the firewall should enforce the
custom URL category:
Step 1: Select Objects > Custom Objects > URL Category.
Step 2: Add or modify a custom URL category and give the category a descriptive Name.
Step 3: Set the category Type to either Category Match or URL List:
● URL List — Add the URLs that should enforce differently than the URL category in which
they belong. Use this list type to define exceptions to the URL category enforcement or
define a list of URLs as belonging to a custom category. Consult URL Category Exceptions for
referring to the guidelines on creating URL list entries.
● Category Match — Provide targeted enforcement for the websites that match a set of
categories. The website or page must match all of the categories defined in the custom
category.
Step 4: Select OK to save the custom URL category.
Step 5: Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering
profile.
Your new custom category is now displayed under Custom URL Categories, as shown:
Step 6: Decide how to enforce Site Access and User Credential Submissions for the custom URL
category. Attach the URL Filtering profile to a Security policy rule to enforce any traffic that matches
the rule.
Select Policies > Security > Actions and specify the Security policy rule to enforce traffic based on
the URL Filtering profile you just updated. Make sure to Commit your changes.
4.6.4 Control traffic based on a URL category

Every URL can have up to four categories, including a risk category that indicates the likelihood a
site will be exposed to threats. More granular URL categorizations allow moving beyond a basic
“block-or-allow” approach toward web access. You can control how your users interact with online
content that, while necessary for business, is more likely to be used as part of a cyberattack.
Prevent credential phishing by enabling the firewall to detect corporate credential submissions to
sites, and then control those submissions based on the URL category. Block users from submitting
credentials to malicious and untrusted sites, warn users against entering corporate credentials on
unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to
submit credentials to corporate and sanctioned sites.
4.6.5 Why a URL was blocked
You can exclude specific websites from the URL category enforcement, ensuring that these
websites are blocked or allowed regardless of the policy action associated with its URL categories.
For example, you might block the social-networking URL category but allow access to LinkedIn. To
create exceptions to the URL category policy enforcement:
● Add the IP addresses or URLs of sites you want to block or allow to a custom URL category of
type URL List (Objects > Custom Objects > URL Category). Then, define site access for the
category in a URL Filtering profile. Finally, attach the profile to a Security policy rule.
● Add the URLs of the sites you want to block or allow to an external dynamic list of type URL
List (Objects > External Dynamic Lists). Then, use the external dynamic list in a URL
Filtering profile or as match criteria in a Security policy rule. The benefit of using an external
dynamic list is that you can update the list without performing a configuration change or
commit on the firewall.
Basic Guidelines for URL Category Exception Lists

Consider the potential matches that an entry might have before adding it to a URL category
exception list. The following guidelines specify how to create an entry that blocks or allows the
websites and pages you intend:
● List all the entries are case-insensitive.

● Omit http and https from all the URL entries.
● Each URL entry can be up to 255 characters in length.
● Enter an exact match to the IP address or URL you want to block or allow or use wildcards to
create a pattern match.
● Consider adding the URLs that are most commonly used to access a website or page to your
exception list (for example, blog.paloaltonetworks.com and paloaltonetworks.com/blog) if
the original entry is accessible from more than one URL. Note that the entry example.com is
distinct from www.example.com. The domain name is the same, but the second entry
contains the www subdomain.
4.6.6 How to allow a blocked URL

The firewall provides the following two predefined response pages that display by default when a
user attempts to browse a site in a category that is configured using one of the block actions in the
URL Filtering profile (block, continue, or override) or when Container Pages is enabled:
● URL Filtering and category match block page

Access is blocked by a URL Filtering profile or because the URL category is blocked by a
Security policy rule.
● URL Filtering continue and override page
A page with an initial block policy that allows users to bypass the block by clicking Continue.
With URL Admin Override enabled (Allow Password Access to Certain Sites), after clicking
Continue, the user must supply a password to override the policy that blocks the URL.
4.6.7 How to request a URL recategorization

If you think that a URL is not categorized accurately, you can request us to categorize it differently.
Submit a change request directly in the firewall or use Test A Site. A change request triggers
PAN-DB—the URL Filtering cloud—to do an immediate analysis of the URL for which you’re
suggesting a category change. If PAN-DB validates that the new category suggestion is accurate,
the change request is approved. If PAN-DB does not find the new category suggestion to be
accurate, the change request is reviewed by human editors from the Palo Alto Networks threat
research and data science teams.
After you’ve submitted a change request, you’ll receive an email confirming that we’ve received
your request. When we’ve completed our investigation, you’ll receive a second email confirming the
results.
You cannot request to change the risk category a URL receives (high risk, medium risk, or low risk)
or for the URLs categorized as insufficient content or newly-registered domains.
Make a change request online
Visit Palo Alto Networks URL Filtering Test A Site to make a change request online.
Step 1: Go to Test A Site.

You don’t need to log in to submit a change request, though you will need to provide your email ID
as part of completing the change request form. If you decide not to log in, you’ll need to take a
CAPTCHA test to confirm that you’re a human being (log in to avoid the CAPTCHA test).
Step 2: Enter a URL to check its categories:
Step 3: Review the URL categories, and if you don’t think that they’re accurate, select Request
Change.
Step 4: Continue to populate and submit the change request form.

Include at least one (and up to two) new category suggestions and leave an (optional) comment to
tell us more about your suggestion.
4.6.8 References
● Objects > Security Profiles > URL Filtering,
curity-profiles-url-filtering
● Configure URL Filtering,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filteri
ng
● Create a Custom URL Catogory,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/custom-url-catego
ries
● URL Filtering Use Cases,
https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/u
rl-filtering-use-cases
● URL Category Exceptions,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/block-and-allow-lis
ts
● URL Filtering Response Pages,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-filtering-respon
se-pages
● Request to Change the Category for a URL,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-category-chan
ge
4.7 Differentiate between group mapping and IP-to-user mapping within policies and logs
Group mapping
Defining policy rules based on group membership rather than on individual users simplifies
administration because you don’t have to update the rules whenever new users are added to a
group. When configuring group mapping, you can limit which groups will be available in policy
rules. You can specify the groups that already exist in your directory service or define custom
groups based on the LDAP filters. Defining custom groups can be quicker than creating new
groups or changing existing ones on an LDAP server, and doesn’t require an LDAP administrator to
intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. Log
queries and reports that are based on user groups will include custom groups.
Map IP addresses to users

User-ID provides different methods for mapping IP addresses to usernames. Before you begin
configuring user mapping, consider where your users are logging in from, what services they are
accessing, and what applications and data you need to control access to. This will inform which
types of agents or integrations would best allow you to identify your users.
User-ID logs display information about IP address-to-username mappings and Authentication

Timestamps, such as the sources of the mapping information and the times when users
authenticated.
4.7.1 How to control access to specific locations

Create the Security policy rules to safely enable User-ID between network zones and to prevent
User-ID traffic from egressing your network. This is done by using the username or user group
name as a match condition of your Security policy rules.
Ensure that the User-ID application (paloalto-userid-agent) is only allowed in the zones where your
agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services
and distributing mappings to firewalls. Specifically:
● Allow the paloalto-userid-agent application between the zones where your agents reside
and the zones where the monitored servers reside (or even better, between the specific
systems that host the agent and the monitored servers).
● Allow the paloalto-userid-agent application between the agents and the firewalls that
need the user mappings and between firewalls that are redistributing user mappings
and the firewalls they are redistributing the information to.
● Deny the paloalto-userid-agent application to any external zone, such as your internet
zone.
4.7.2 How to apply to specific policies

User-ID information can be used as a match condition for rules of the following Policy types:
● Policy Based Forwarding (PBF)
● Security
● SSL/SSH Decryption
● Quality of Service (QoS)
4.7.3 Identify users within the ACC and the monitor tab
Administrators should select the LDAP Server profile they configured earlier and complete the
domain settings. The Group Include List tab shows the available groups in the domain. The
administrator can choose which groups to monitor and which ones to ignore, as shown:
To learn more about the methods to map users and groups for collecting User-ID information, see
the following information:
● The “Block Threats by Identifying Users” module in the EDU-210 training, Firewall Essentials:
Configuration and Management
● User-ID in the PAN-OS Administrator’s Guide
4.7.4 References
● Enabling User-ID,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/enable-user-id
● Group Mapping,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/user-id-concepts/grou
p-mapping
● Policy Types,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-types
● User-ID Logs,
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-l
ogs/log-types-and-severity-levels/user-id-logs
● Map IP Addresses to Users,
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-u
sers
1. If you have a Threat Prevention subscription but not a WildFire subscription, how long must
you wait for the WildFire signatures to be added into the antivirus update?
a. 1 to 2 hours
b. 2 to 4 hours
c. 10 to 12 hours
d. 24 to 48 hours
2. What are two benefits of Vulnerability Protection Security profiles? (Choose two.)
a. They prevent compromised hosts from trying to communicate with external C2
servers.
b. They protect against viruses, worms, and Trojans.
c. They prevent exploitation of system flaws.
d. They prevent unauthorized access to systems.
3. Which two actions are available for Antivirus Security profiles? (Choose two.)
a. Continue
b. Allow
c. Block IP
d. Alert
4. Which two actions are required to implement DNS Security inspections of traffic? (Choose
two.)
a. Add an Anti-Spyware Security profile with DNS remediations to a Security policy
b. Enable the Advanced DNS Security check box in General Settings
c. Configure an Anti-Spyware Security profile with DNS remediations
d. Enter the address for the Secure DNS service in the firewall’s DNS settings
5. Which two types of attacks does the PAN-DB prevent? (Choose two.)
a. Phishing site
b. HTTP-based command and control
c. Infected JavaScript
d. Flood attacks
6. Which two valid URLs can be used in a custom URL category? (Choose two.)
a. ww.youtube.**
b. www.**.com
c. www.youtube.com
d. *youtube*
e. *.youtube.com
7. A URL Filtering Profile is part of which type of identification?

a. App-ID
b. Content-ID
c. User-ID
d. Service
8. What are the two components of Denial-of-Service Protection? (Choose two.)
a. Zone Protection Profile
b. DoS Protection Profile and policy rules
c. Load protection
d. Reconnaissance protection
Appendix A: Sample Questions with Answers

Below are the questions offered throughout the study guide, with the correct answers indicated.
Domain 1
1. What are two firewall management methods? (Choose two.)

a. CLI
b. RDP
c. VPN
d. XML API
2. Which two devices are used to connect a computer to the firewall for management
purposes? (Choose two.)
a. Rollover cable
b. Serial cable
c. RJ-45 Ethernet cable
d. USB cable
3. What is the default IP address assigned to the MGT interfaces of a Palo Alto Networks
firewall?
a. 192.168.1.1
b. 192.168.1.254
c. 10.0.0.1
d. 10.0.0.254
4. What are the two default services that are available on the MGT interface? (Choose two.)
a. HTTPS
b. SSH
c. HTTP
d. Telnet
5. Service routes may be used to forward which two traffic types out of a data port? (Choose
two.)
a. External dynamic lists
b. MineMeld
c. Skype
d. Palo Alto Networks updates
6. Which command must be performed on the firewall to activate any changes?

a. Commit
b. Save
c. Load
d. Import
7. Which command backs up configuration files to a remote network device?

a. Import
b. Load
c. Copy
d. Export
8. The command load named configuration snapshot overwrites the current candidate
configuration with which three items? (Choose three.)
a. Custom-named candidate configuration snapshot (instead of the default
snapshot)
b. Custom-named running configuration that you imported
c. Snapshot.xml
d. Current running configuration (running-config.xml)
e. Palo Alto Networks updates
9. Which three actions should you complete before you upgrade to a newer version of
software? (Choose three.)
a. Review the release notes to determine any impact of upgrading to a newer
version of software.
b. Ensure that the firewall is connected to a reliable power source.
c. Export the device state.
d. Create and externally store a backup before you upgrade.
e. Put the firewall in maintenance mode.
10. Which two default zones are included with the PAN-OS software? (Choose two.)
a. Interzone
b. Extrazone
c. Intrazone
d. Extranet
11. Which two statements about interfaces are correct? (Choose two.)
a. Interfaces must be configured before you can create a zone.
b. Interfaces do not have to be configured before you can create a zone.
c. An interface can belong to only one zone.
d. An interface can belong to multiple zones.
12. Which two interface types can belong in a Layer 3 zone? (Choose two.)
a. Loopback
b. Tap
c. Tunnel
d. Virtual Wire
13. What can be used to control traffic through zones?

a. Access lists
b. Security policy lists
c. Security policy rules
d. Access policy rules
14. For inbound inspection, which two actions can be performed with a Tap interface? (Choose
two.)
a. Encrypt traffic
b. Decrypt traffic
c. Allow or block traffic
d. Log traffic
15. Which two actions can be performed with a Virtual Wire interface? (Choose two.)
a. NAT
b. Route
c. Switch
d. Log traffic
16. Which two actions can be performed with a Layer 3 interface? (Choose two.)
a. NAT
b. Route
c. Switch
d. Create a virtual wire object
17. Layer 3 interfaces support which two items? (Choose two.)

a. NAT
b. IPv6
c. Switching
d. Spanning tree
18. Layer 3 interfaces support which three advanced settings? (Choose three.)
a. IPv4 addressing
b. IPv6 addressing
c. NDP configuration
d. Link speed configuration
e. Link duplex configuration
19. Layer 2 interfaces support which three items? (Choose three.)

a. Spanning tree blocking
b. Traffic examination
c. Forwarding of spanning tree BPDUs
d. Traffic shaping via QoS
e. Firewall management
f. Routing
20. Which two interface types support subinterfaces? (Choose two.)

a. Virtual Wire
b. Layer 2
c. Loopback
d. Tunnel
21. Which two statements are true regarding Layer 3 interfaces? (Choose two.)
a. You can configure a Layer 3 interface with one or more IP addresses as a DHCP client.
b. A Layer 3 interface can only have one DHCP assigned address.
c. You can assign only one IPv4 address to the same interface.
d. You can enable an interface to send IPv4 router advertisements by selecting the
Enable Router Advertisement check box on the Router Advertisement tab.
e. You can apply an Interface Management profile to the interface.
22. Which statement is true regarding aggregate Ethernet interfaces?

a. Members of an aggregate interface group can be of different media types.
b. An aggregate interface group can be set to a type of tap.
c. Ethernet interfaces that are members of an aggregate interface group must have the
same transmission speeds.
d. A Layer 3 aggregate interface group can have more than one IP assigned to it.
e. Members of aggregate Ethernet interfaces can be assigned to different virtual
routers.
23. What is the default administrative distance of a static route within the PAN-OS software?
a. 1
b. 5
c. 10
d. 100
24. Which two dynamic routing protocols are available in the PAN-OS software? (Choose two.)
a. RIP1
b. RIPv2
c. OSPFv3
d. EIGRP
25. Which value is used to distinguish the preference of routing protocols?

a. Metric
b. Weight
c. Distance
d. Cost
26. Which value is used to distinguish the best route within the same routing protocol?
a. Metric
b. Weight
c. Distance
d. Cost
27. In path monitoring, what is used to monitor remote network devices?

a. Ping
b. SSL
c. HTTP
d. HTTPS
e. link state
Domain 2
1. Which two statements are true about a Role Based Admin Role Profile role? (Choose two.)
a. It is a built-in role.
b. It can be used for CLI commands.
c. It can be used for XML API.
d. Superuser is an example of such a role.
2. The management console supports which two authentication types? (Choose two.)
a. RADIUS
b. SMB
c. LDAP
d. TACACS+
e. AWS
3. Which two Dynamic Admin Role types are available on the PAN-OS software? (Choose two.)
a. Superuser
b. Superuser (write-only)
c. Device user
d. Device administrator (read-only)
4. Which type of profile does an authentication sequence include?

a. Security
b. Authorization
c. Admin
d. Authentication
5. An Authentication profile includes which other type of profile?

a. Server
b. Admin
c. Customized
d. Built-In
6. Which profile is used to override global minimum password complexity requirements?

a. Authentication
b. Local
c. User
d. Password
7. What does an application filter enable an administrator to do?
a. Manually categorize multiple service filters.
b. Dynamically categorize multiple service filters.
c. Dynamically categorize multiple applications.
d. Manually categorize multiple applications.
8. Which two items can be added to an application group? (Choose two.)

a. Application groups
b. Application services
c. Application filters
d. Application categories

a. Stateful
c. Intensive
d. Evasive
Domain 3
1. What will be the result of one or more occurrences of shadowing?

a. A failed commit
b. An invalid configuration
c. A warning
d. An alarm window
2. Which column in the Applications and Threats screen includes the options Review Apps and
Policies?
a. Features
b. Type
c. Version
d. Action
3. Which link can you select in the web interface to minimize the risk of installing new App-ID
updates?
a. Enable new apps in content update.
b. Disable new apps in App-ID database.
c. Disable new apps in content update.
d. Enable new apps in App-ID database.
4. Which two protocols are implicitly allowed when you select the facebook-base application?
(Choose two.)
a. Web-browsing
b. Chat
c. Gaming
d. SSL
5. What are the two default (predefined) Security policy rule types in PAN-OS software?
(Choose two.)
a. Universal
b. Interzone
c. Intrazone
d. Extrazone
6. Which type of Security policy rules most often exist above the two predefined Security
policies?
a. Intrazone
b. Interzone
c. Universal
d. Global
7. What does the TCP Half Closed setting mean?

a. Maximum length of time that a session remains in the session table between
b. Minimum length of time that a session remains in the session table between
c. Maximum length of time that a session remains in the session table between
d. Minimum length of time that a session remains in the session table between

a. Stateful
c. Intensive
d. Evasive
9. Which two HTTP Header Logging options are within a URL Filtering profile? (Choose two.)
a. User-Agent
b. Safe Search
c. URL redirection
d. X-Forwarded-For
10. What are two source NAT types? (Choose two.)

a. Universal
b. Static
c. Dynamic
d. Extrazone
11. Which phrase is a simple way to remember how to configure Security policy rules where
NAT was implemented?
a. Post-NAT IP, pre-NAT zone
b. Post-NAT IP, post-NAT zone
c. Pre-NAT IP, post-NAT zone
d. Pre-NAT IP, pre-NAT zone
12. What are two types of destination NAT? (Choose two.)
a. Dynamic IP (with session distribution)
b. DIPP
c. Global
d. Static IP
13. The Policy Optimizer does not analyze which statistics?

a. Applications allowed through port-based Security policy rules
b. The usage of existing App-IDs in Security policy rules
c. Which users matched Security policies
d. Existing Security policy rule App-IDs that have not matched processed traffic
e. Days since the latest new application discovery in a port-based Security policy rule
Domain 4
1. If you have a Threat Prevention subscription but not a WildFire subscription, how long must
you wait for the WildFire signatures to be added into the antivirus update?
a. 1 to 2 hours
b. 2 to 4 hours
c. 10 to 12 hours
d. 24 to 48 hours
2. What are two benefits of Vulnerability Protection Security profiles? (Choose two.)
a. They prevent compromised hosts from trying to communicate with external C2
servers.
b. They protect against viruses, worms, and Trojans.
c. They prevent exploitation of system flaws.
d. They prevent unauthorized access to systems.
3. Which two actions are available for Antivirus Security profiles? (Choose two.)
a. Continue
b. Allow
c. Block IP
d. Alert
4. Which two actions are required to implement DNS Security inspections of traffic? (Choose
two.)
a. Add an Anti-Spyware Security profile with DNS remediations to a Security policy
b. Enable the Advanced DNS Security check box in General Settings
c. Configure an Anti-Spyware Security profile with DNS remediations
d. Enter the address for the Secure DNS service in the firewall’s DNS settings
5. Which two types of attacks does the PAN-DB prevent? (Choose two.)
a. Phishing site
b. HTTP-based command and control
c. Infected JavaScript
d. Flood attacks
6. Which two valid URLs can be used in a custom URL category? (Choose two.)
a. ww.youtube.**
b. www.**.com
c. www.youtube.com
d. *youtube*
e. *.youtube.com
7. A URL Filtering Profile is part of which type of identification?

a. App-ID
b. Content-ID
c. User-ID
d. Service
8. What are the two components of Denial-of-Service Protection? (Choose two.)

a. Zone Protection Profile
b. DoS Protection Profile and policy rules
c. Load protection
d. Reconnaissance protection
Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security
certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent
successful cyberattacks and to safely enable applications.
Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class.
Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.
New courses are being added often, so check back to see new curriculum available.
Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?
Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide. For class schedule, location, and training offerings, see
https://www.paloaltonetworks.com/services/education/atc-locations.
Learning Through the Community

You also can learn from peers and other experts in the field. Check out our communities site at
https://live.paloaltonetworks.com, where you can:
● Discover reference material
● Learn best practices
● Learn what is trending

Pcnsa Study Guide PAN OS v11.0 1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Pcnsa Study Guide PAN OS v11.0 1

Uploaded by

Copyright:

Available Formats

Palo Alto Networks Certified Network

About the PCNSA Exam 6

Audience and Qualifications 7

Domain 1: Device Management and Services 8

Domain 2: Managing Objects 57

Domain 3: Policy Evaluation and Management 69

Domain 4: Securing Traffic 86

Appendix A: Sample Questions with Answers 111

Continuing Your Learning Journey with Palo Alto Networks 120

About the PCNSA Exam

PCNSA technical documentation is located at:

This exam is based on Product version 11.0.

Exam Domain Weight (%)

Device Management and Services 22%

Managing Objects 20%

Policy Evaluation and Management 28%

Securing Traffic 30%

Audience and Qualifications

● Firewall Essentials: Configuration and Management (EDU-210) course

1.1 Demonstrate the knowledge of firewall management interfaces

1.1.1 Management interfaces

1.1.2 Methods of access

● Creating, updating, and modifying firewall and Panorama configurations

1.1.3 Access restrictions

1.1.5 Management services

The configuration parameters that DHCP can learn dynamically include:

● IP address for MGT port

1.1.6 Service routes

Configuring service routes

1.2 Provision local administrators

1.2.1 Authentication profile

An Authentication profile references a server profile:

1.3 Assign role-based authentication

1.4 Maintain firewall configurations

1.4.3 Discern when to use load, save, import, and export

1.4.4 Differentiate between configuration states

Revert to last saved configuration

Revert to running configuration

The second message informs you the firewall is being reverted.

Save named configuration snapshot

Save candidate configuration

Load named configuration snapshot

● Custom-named candidate configuration snapshot (instead of the default snapshot)

Export named configuration snapshot

Export configuration version

Export device state

Import named configuration snapshot

Import device state

1.4.5 Backup Panorama configurations and firewalls from Panorama

1.5 Push policy updates to Panorama-managed firewalls

1.5.1 Device groups and hierarchy

Panorama pushes shared pre-rules

If a firewall inherits rules from the

Device group pre-rules You can use the pre-rules to

A local firewall administrator or a

Panorama pushes the shared

1.5.3 Implications of Panorama management

● Centralized configuration and deployment — To simplify central management and rapid

● Distributed administration — Delegate or restrict access to global and local firewall

1.6.1 From Panorama

DYNAMIC UPDATE SCHEDULE SETTINGS

Disabled Select to disable the scheduled job.

Action ● Download Only — Panorama™ will download the scheduled update.

1.6.2 From the firewall