
PSE Software Firewall Professional

Study Guide
July 2022

Strata by Palo Alto Networks | PSE Software Firewall Professional


Table of Contents
How to Use This Study Guide 5
What Has Changed in This Study Guide 5

About the PSE Software Firewall Professional Exam 5


Exam Format 5
How to Take This Exam 6
Disclaimer 6

Audience and Qualifications 6


Skills Required 6

Recommended Training 6

Introduction 7

Domain 1: Technical Business Value 8


1.1 Describe the requirements and components of auto scaling 8
1.1.1 References 18
1.2 Explain the value and operational efficiency of dynamic address groups (DAGs) 18
1.2.1 References 19
1.3 Describe various plugin options and deployment methods 19
1.3.1 References 23
1.4 Describe the process of segmentation 23
1.4.1 References 25
1.5 Describe centralized security visibility and deployment models 26
1.5.1 References 27
1.6 Explain how to realize return on investment (ROI) by leveraging Palo Alto Networks
software next-generation firewall (NGFW) 27
1.6.1 References 28
1.7 Identify the benefits of Palo Alto Networks solutions to address customer concerns or
indifference 28
1.7.1 References 29
1.8 Summary of Key Ideas 29
1.9 Sample Questions 30

Domain 2: Competitive Differentiators 32


2.1 Compare and contrast the capabilities of cloud-delivered VM-Series, CN-Series, and
NGFW 32
2.1.1 References 39
2.2 Create and apply flex credits to software firewalls 39
2.2.1 References 44
2.3 Describe the importance of third-party integrations 45
2.3.1 References 47



2.4 Explain the benefits of cloud-delivered security services (CDSS) and Advanced URL
Filtering (AURLF) 47
2.4.1 References 49
2.5 Describe the benefits of automation as applied by Palo Alto Networks 49
2.5.1 Terraform 50
2.5.2 Ansible 51
2.5.3 Dynamic responses to threats 52
2.5.4 References 53
2.6 Summary of Key Ideas 53
2.7 Sample Questions 53

Domain 3: Architecture and Planning 55


3.1 Compare and contrast VM-Series deployment options 55
3.1.1 References 58
3.2 Describe CN-Series deployment tool options 58
3.2.1 YAML Ain’t Markup Language (YAML) 59
3.2.2 Terraform Templates 59
3.2.3 Differentiation 59
3.2.4 References 60
3.3 Describe CN-Series sizing, capabilities, and features 60
3.3.1 References 71
3.4 Explain various segmentation models, including east-west and north-south
segmentation design per CNet, VNet, and pod 72
3.4.1 References 75
3.5 Describe the concept of growth planning with Kubernetes 76
3.5.1 References 76
3.6 Describe placement considerations of Layer 2 and Layer 3 deployments 76
3.6.1 References 78
3.7 Summary of Key Ideas 78
3.8 Sample Questions 79

Domain 4: Demonstration and Evaluation 81


4.1 Create, apply, and upgrade licenses 81
4.1.1 References 85
4.2 Execute a successful proof of concept (POC) 85
4.2.1 References 86
4.3 Apply the appropriate deployment / configuration tool for various environments 86
4.3.1 References 92
4.4 Use, deploy, and tag Panorama plugins 93
4.4.1 References 94
4.5 Deploy VM-Series and CN-Series 94
4.5.1 References 96
4.6 Spin up, locate, and demonstrate demo, lab, or Ultimate Test Drive 96



4.6.1 References 98
4.7 Summary of Key Ideas 98
4.8 Sample Questions 99

Domain 5: Network Security Best Practices 101


5.1 Explain why intrazone policies in cloud are a best practice 101
5.1.1 Reference 102
5.2 Describe the use of object tagging and DAGs 102
5.2.1 References 103
5.3 Explain how Zero Trust relates to VM-Series and CN-Series cloud deployments 103
5.3.1 Reference 107
5.4 Leverage automation tools to deploy Palo Alto Networks solutions 108
5.4.1 Reference 108
5.5 Compare and contrast Prisma Cloud Compute (PCC) and CN-Series 108
5.5.1 References 109
5.6 Summary of Key Ideas 109
5.7 Sample Questions 109

Appendix A: Sample Questions with Answers 112

Appendix B: Sample Test 119

Appendix C: Answers to the Sample Test 122

Appendix D: Glossary 125

Appendix E: What’s Different in This Study Guide 133

Continuing Your Learning Journey with Palo Alto Networks 134



How to Use This Study Guide
Welcome to the Palo Alto Networks® PSE Software Firewall Professional Study Guide. The purpose
of this guide is to help you prepare for your Palo Alto Networks Systems Engineer: Software Firewall
Professional exam, abbreviated as PSE: Software Firewall Professional.

You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.

What Has Changed in This Study Guide

No changes.

About the PSE Software Firewall Professional Exam


The PSE: Software Firewall Professional exam is intended to test your knowledge and
understanding of five knowledge domains as they pertain to Palo Alto Networks software firewalls.
The knowledge domains are designed to illustrate a Systems Engineer’s understanding of the
software firewall portfolio strategy and the recommended implementations for various elements of
the portfolio. For specific topics, refer to the exam blueprint and the sections outlined within this
document.

Related training resources are available from Palo Alto Networks on Beacon:
https://beacon.paloaltonetworks.com/student/collection/1047805-software-firewall?sid=cb6be9c1-99cc-403c-9687-69d95bc21600&sid_i=0

Exam Format

The exam format is 60 multiple-choice questions. Candidates will have five minutes to complete
the Non-Disclosure Agreement, 80 minutes (1 hour, 20 minutes) to complete the exam questions,
and five minutes to complete an exit survey.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown
in the following table.

Exam Domain                       Weight (%)
Technical Business Value          20%
Competitive Differentiators       18%
Architecture and Planning         22%
Demonstration and Evaluation      20%
Network Security Best Practices   20%
TOTAL                             100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications


This exam is designed for individuals in the following job roles:
● Pre-Sales Engineers
● Systems Engineers / Solutions Architects
● Global Systems Integrator Engineers

Skills Required

● You can describe the technical business value of various software firewall tools and
processes.
● You have experience in the planning and architectural designing of VM-Series, CN-Series,
and cloud-delivered next-generation firewalls (NGFWs).
● You have completed the PSE: Foundation course and passed the PSE: Strata Associate exam
(strongly recommended) and the PSE: Software Firewall Associate exam.

Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● PSE: Strata Associate course
● PSE: Software Firewall Associate course
● SE Bootcamp (internal only)



Introduction
With more and more organizations opting for end-to-end digital transformations, cloud technology
has emerged as a C-suite agenda, placed right at the core of this transformation. As part of this
transformation, organizations have started renting servers at a colocation facility, using data-center
services managed by a third party, and using public cloud-based services from hosts like Amazon.

However, with various attackers looking to exploit these systems with known and unknown
vulnerabilities, malware, etc., protecting the cloud-based assets is a challenge for security teams.

In the last decade, many network security and firewall security appliances have flooded the global
IT security market. Palo Alto Networks has managed to break into this saturated market with its
state-of-the-art products to provide ironclad security to your virtual assets.

Palo Alto Networks software next-generation firewalls (NGFWs) provide a wide variety of products to
cover most of your security requirements within multiple environments. Their close integration with
leading public clouds such as AWS, Azure, Google Cloud Platform (GCP), etc., provides secure and
easy-to-deploy firewalls that can be configured centrally. Palo Alto Networks software firewalls
include the VM-Series firewalls, CN-Series firewalls, and Cloud NGFW.

The VM-Series firewalls protect private and public cloud deployments with segmentation and
threat prevention. The CN-Series next-generation container firewalls secure Kubernetes
environments. The Cloud NGFW for AWS protects AWS deployments with network security
delivered as a managed cloud service by Palo Alto Networks.

This Palo Alto Networks Software Firewall study guide provides a detailed overview of how to
protect public and private clouds, virtualized data centers, branch locations, and containerized
environments with virtual, container, and cloud next-generation firewalls.



Domain 1: Technical Business Value

1.1 Describe the requirements and components of auto scaling

A software firewall is a network security solution designed specifically for environments in which
deploying hardware firewalls is difficult or impossible, such as public and private clouds,
software-defined networks (SDNs), and software-defined wide-area networks (SD-WANs).

Similar to hardware firewalls, software firewalls grant or reject network access to traffic flows
between untrusted zones and trusted zones. Unlike hardware firewalls, which are physically located
on-premises in data centers, software firewalls are ideal for securing virtual environments. Software
firewalls can also be deployed as virtualized instances of next-generation firewalls.

Palo Alto Networks VM-Series virtualized next-generation firewalls protect applications, data, and
users across a wide range of public cloud, virtualization, and branch environments. They provide all
the capabilities of the physical Palo Alto Networks next-generation firewall in a virtual machine
form factor.

These virtualized instances of the industry-leading next-generation firewall provide application and
user visibility for informed security decisions, segment networks for security and compliance,
prevent advanced attacks within allowed application flows, control application access with
user-based policies, and ensure policy consistency through Panorama™ network security
management to secure environments vital for competitiveness and innovation.

Next-generation firewall security can be delivered to Kubernetes environments as well by deploying
CN-Series NGFWs. The benefits of these software firewalls include Layer 7 visibility in a Kubernetes
environment, inline security subscriptions for runtime protection, and auto scaling based on the
needs of DevOps.



If firewalls cannot match the speed of application deployment and keep up with the traffic, they
become bottlenecks. Auto scaling is an inherent feature of Palo Alto Networks software firewalls that
makes them dynamic. Auto scaling firewalls secure traffic to your highly available, internet-facing
applications when demand spikes, and they maintain cost efficiency when demand drops by scaling
in firewalls as the application workloads shrink.

VM-Series
VM-Series is the virtualized form factor of the Palo Alto Networks next generation firewall. To meet
the growing need for inline security across diverse cloud and virtualization use cases, you can
deploy the VM-Series firewall on a wide range of private and public cloud computing environments.

For more details on VM-Series and its deployment, refer to Section 2.1.

Auto Scaling the VM-Series on AWS


The Palo Alto Networks auto scaling templates for AWS help you to configure and deploy VM-Series
firewalls to protect applications deployed in AWS. These templates leverage AWS scalability features
to independently and automatically scale VM-Series firewalls to meet surges in application
workload resource demand.

● VM-Series automation capabilities include the PAN-OS® API and bootstrapping.


● AWS automation technology includes CloudFormation templates and scripts for AWS
services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3,
and Simple Notification Service (SNS).

The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series
Firewalls in AWS.

Configuration on AWS with a Gateway Load Balancer


The Palo Alto Networks auto scaling templates for AWS help you integrate and configure the
VM-Series firewall with a Gateway Load Balancer (GWLB) to protect applications deployed in AWS.
This solution provides a security virtual private cloud (VPC) template and an application template.
The security VPC template deploys the VM-Series firewall auto scaling group, a GWLB, a GWLB
endpoint (GWLBE), GWLBE subnet, security attachment subnet, and a NAT gateway for each
availability zone. Download the CloudFormation templates from the Palo Alto Networks GitHub
Repository.



Key Idea

● All VM-Series firewall interfaces must be assigned an IPv4 address when deployed
in a public cloud environment. IPv6 addresses are not supported.

The VM-Series Auto Scaling template for integration with an AWS GWLB includes the following
building blocks:

BUILDING BLOCK: DESCRIPTION

PAN components
● Panorama running 10.0.2 or later
● PAN-OS 10.0.2 or later
● VM-Series plugin 2.0.2 or later installed on Panorama

Firewall template (community supported template)
Based on the number of availability zones (AZs) you choose, the firewall-new-vpc-v3.0.template
deploys the following:
● Subnets for Lambda management, transit gateway attachments, GWLB endpoints, and NAT
gateways, as well as trust subnets
● Route tables for each subnet
● Transit gateway attachments and route tables
● NAT and internet gateways
● An auto scaling group with one VM-Series firewall per AZ
● One GWLB and a GWLB endpoint in each AZ

The template supports a maximum of four AZs.

The VPC Classless Inter-Domain Routing (CIDR) block for the firewall template should be larger
than /23.

Because production environments vary in components such as subnets, availability zones, route
tables, and security groups, you must deploy firewall-new-vpc-v3.0.template in a new VPC.

The VM-Series Auto Scaling template for AWS does not deploy a transit gateway or Panorama. You
must deploy a transit gateway and Panorama before launching firewall-new-vpc-v3.0.template.

Application template (community supported template)
Based on the number of AZs you choose, the panw-aws-app-v3.0.template deploys the following:
● Subnets for Lambda, transit gateway attachments, GWLB endpoints, and application load
balancers
● Route tables for each subnet, as well as an inbound route table associated with the internet
gateway to direct inbound traffic to the GWLB endpoint
● One application load balancer
● One internet gateway
● An auto scaling group with one Ubuntu instance per AZ

The VPC CIDR for the application template should be larger than /23.
The application template is intended to be used as an example for validating the security template.

Lambda functions
AWS Lambda provides robust, event-driven automation without the need for complex orchestration
software. In addition to deploying the components described above, the
firewall-new-vpc-v3.0.template performs the following functions:
● Adds or removes an interface (ENI) when a firewall is launched or terminated
● Deletes all the associated resources when you delete a stack or terminate an instance
● Removes a firewall as a Panorama managed device when there is a scale-in event
● Deactivates the license when a scale-in event results in a firewall termination
● Monitors the transit gateway periodically for new attachments or detachments and updates
the route tables accordingly in the security VPC

Bootstrap files
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall
has the basic configuration for handling traffic.
● The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the
firewall to receive data-plane traffic on its primary interface. This auto scaling solution
requires swapping the data-plane and management interfaces to enable the GWLB to forward
web traffic to the auto scaling tier of VM-Series firewalls.
● The bootstrap.xml file enables basic connectivity for the firewall network interfaces and allows
the firewall to connect to the AWS CloudWatch namespace that matches the stack name you
enter when you launch the template.

The bootstrap.xml file in the GitHub repository is provided for testing and evaluation only. For a
production deployment, you must replace the sample credentials in bootstrap.xml before launch.
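The following is an added example, not code from the Palo Alto Networks templates or documentation: it generates an init-cfg.txt for the GWLB auto scaling tier and lints it for the two things that break this design in practice, a missing mgmt-interface-swap and an incomplete Panorama registration. Key names follow the documented init-cfg.txt parameters (type, hostname, panorama-server, vm-auth-key, dgname, tplname, op-command-modes); the required-key list, the static-addressing check and all values (the Panorama address, the auth key placeholder, the device-group and template names) are this example's assumptions, not settings from the GitHub templates.

```python
from typing import Dict, List

# Added example, not Palo Alto Networks code. The required-key policy below is an
# assumption for the GWLB auto scaling design; adjust it to your bootstrap package.
REQUIRED_KEYS = ("type", "hostname", "panorama-server", "vm-auth-key", "dgname", "tplname")
STATIC_KEYS = ("ip-address", "default-gateway", "netmask")   # needed only when type=static


def build_init_cfg(params: Dict[str, str]) -> str:
    """Serialize bootstrap parameters as the key=value lines init-cfg.txt expects."""
    return "".join(f"{key}={value}\n" for key, value in params.items())


def parse_init_cfg(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed init-cfg.txt line: {raw!r}")
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def validate_init_cfg(cfg: Dict[str, str], require_mgmt_swap: bool = True) -> List[str]:
    """Return a list of problems; an empty list means the file is usable for this design."""
    problems = [f"missing {key}" for key in REQUIRED_KEYS if not cfg.get(key)]
    mgmt_type = cfg.get("type")
    if mgmt_type == "static":
        problems += [f"type=static requires {key}" for key in STATIC_KEYS if not cfg.get(key)]
    elif mgmt_type not in (None, "dhcp-client"):
        problems.append(f"unknown management interface type {mgmt_type!r}")
    # op-command-modes is a comma-separated list; the GWLB design needs the swap so the
    # firewall's primary ENI (the one the GWLB targets) becomes the data plane.
    modes = {m.strip() for m in cfg.get("op-command-modes", "").split(",") if m.strip()}
    if require_mgmt_swap and "mgmt-interface-swap" not in modes:
        problems.append("op-command-modes must include mgmt-interface-swap for the GWLB design")
    return problems


if __name__ == "__main__":
    # Constructed placeholder values; real deployments take these from Panorama.
    params = {
        "type": "dhcp-client",
        "hostname": "vmfw-az1",
        "panorama-server": "10.0.0.10",
        "vm-auth-key": "REPLACE-WITH-PANORAMA-VM-AUTH-KEY",
        "dgname": "aws-gwlb-dg",
        "tplname": "aws-gwlb-stack",
        "op-command-modes": "mgmt-interface-swap",
    }
    text = build_init_cfg(params)
    print(text)
    print("problems:", validate_init_cfg(parse_init_cfg(text)))   # problems: []
```

Run the validator against the config/init-cfg.txt in your bootstrap package (S3 bucket or local directory) before launching the stack; a firewall bootstrapped without the swap boots cleanly but never sees GWLB traffic, which is much harder to diagnose after the fact.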



Configuration on AWS with an Auto Scaling Group

The VM-Series auto scaling templates enable you to deploy a single auto scaling group (ASG) of
VM-Series firewalls to secure inbound traffic from the internet to your application workloads on
AWS. You can deploy the VM-Series firewall ASG and the application workloads within a single VPC
as shown:

You can also deploy the firewall ASG in a centralized VPC and your application workloads in
separate VPCs within the same region. These will form a hub-and-spoke architecture, as shown:



The hub-and-spoke architecture enables you to streamline the delivery of centralized security and
connectivity for AWS deployments with multiple applications, VPCs, or accounts. This architecture
can increase agility―your network security administrators can manage the firewall VPC, and
DevOps administrators or application developers can focus on managing the application VPCs.

Auto Scaling the VM-Series on Azure


Palo Alto Networks provides templates to help you deploy an auto scaling tier of VM-Series firewalls
that leverages several Azure services: Virtual Machine Scale Sets (VMSSs), Application Insights,
Azure Load Balancer, Azure Functions, Panorama with the Panorama plugin for Azure, and the
VM-Series automation capabilities, including the PAN-OS API and bootstrapping. These templates
let you use the Azure scalability features designed to absorb sudden surges in demand for
application workload resources by independently scaling the VM-Series firewalls with the changing
workloads.



VM-Series Virtual Firewalls Integration with Azure Gateway Load Balancer
Load balancing is critical for evenly distributing loads of incoming network traffic across a group of
backend resources or servers. With Azure Load Balancer, you can scale your applications and create
highly available services.

But as organizations move more and more workloads into the cloud, setting up security becomes a
top-of-mind concern. With this integration, VM-Series virtual next-generation firewalls augment
native Microsoft Azure network security capabilities with next-generation threat protection. This
includes preventing exploits, malware, previously unknown threats, and data exfiltration to keep
apps and data in Azure safe.

Palo Alto Networks offers the VM-Series software firewall integration with Azure Gateway Load
Balancer, which provides simplified connectivity while ensuring secure support for critical
zone-based policies for internet ingress traffic.



VM-Series virtual firewalls working in tandem with Azure Gateway Load Balancer

Preserve Full Visibility on Packet Sources


Truly securing traffic ingress requires complete visibility of the source’s identity as the traffic travels
to its destination in the cloud. This source visibility was previously difficult to achieve with inbound
traffic. When VM-Series firewalls are deployed behind a public standard load balancer, the source IP
addresses of inbound traffic are replaced with the IP address of the load balancer. As a result,
application source identity is obfuscated.

But with the new VM-Series and Azure Gateway Load Balancer integration, traffic packet headers
and payload are kept intact, which provides complete visibility of the source’s identity as traffic
travels to its destination.

Discover Zone-Based Policy Support for Internet Ingress Traffic


The integration is designed to be fast and nondisruptive. You can continue to use your Hub VNET
for centralizing your security by leveraging the Azure Gateway Load Balancer to scale and
load-balance traffic across a stack of VM-Series firewalls. Plus, Gateway Load Balancer helps
segment internet-bound traffic from the VNET-bound traffic.



What this means is that you can now assign a trust zone to the VNET-bound traffic and the
untrust-zone for the internet-bound traffic—and enhance security posture by continuing to author
next-generation zone-based policies.

In addition, the VM-Series integration with Azure Gateway Load Balancer is also designed to provide
the following customer benefits:

● Scale with ease while managing costs
● Improve VM-Series availability
● Maintain flow symmetry

Configuration on Azure

Key Idea

● If you have more than one VMSS in an Azure subscription, you must use a
single Panorama appliance to manage them.

If a deployed firewall reaches the configured threshold and a scale-out event occurs, a new instance
of the VM-Series firewall is launched. The new firewall is bootstrapped and connects to Panorama to
obtain its licenses and configuration.

When a scale-in event occurs, the Panorama plugin deactivates the licenses on the firewall, and the
firewall instance is removed from the VMSS. The internal load balancer no longer routes traffic to
that firewall.

Auto Scaling the VM-Series on Google Cloud Platform (GCP)

The Panorama plugin for Google Cloud Platform (GCP) version 2.0.0 helps you deploy VM-Series
firewalls and manage them in VM monitoring or auto scaling deployments in GCP. With Panorama
managing your GCP managed instance groups, you can create application-enablement policies that
protect and control the network.

Configuration on GCP
Palo Alto Networks provides auto scaling templates for GCP, which you can download from
https://github.com/PaloAltoNetworks/GCP-AutoScaling. Each folder is a template directory
containing several files; however, you only need to edit the following YAML files:

● Firewall Templates: These templates help you create VM-Series firewalls and other
deployment resources. You can use them to create new networks and the familiar
subnetworks for the VM-Series firewall: management, untrust, and trust. They also help
you deploy a Cloud publish/subscribe (Pub/Sub) messaging service to relay information
from GCP to the Panorama plugin for GCP. With this infrastructure in place, the plugin
can:
○ Leverage dynamic address groups to apply Security policy on inbound traffic routed
to services running on GCP
○ Use auto scale metrics to deploy VM-Series firewalls to meet increased demand for
application workload resources or to eliminate firewalls that are no longer needed.



● Application Template: The application directory provides a sample application template.
Configure and deploy an internal load balancer (ILB) to enable your application servers to
subscribe to the Pub/Sub service and communicate with your VM-Series firewalls and the
GCP plugin on Panorama. To customize the application template, edit the firewall
deployment template and the application template in apps.yaml.

CN-Series
The Palo Alto Networks CN-Series container firewall is the first next-generation firewall
purpose-built to secure Kubernetes orchestration environments from network-based attacks. The
CN-Series firewall enables network security teams to gain Layer 7 visibility into Kubernetes
environments, provide inline threat protection for containerized applications deployed anywhere,
and dynamically scale security without compromising DevOps agility.

For more details on CN-Series and its deployment, refer to Section 2.1.

Auto Scaling CN-Series Using Horizontal Pod Autoscaling

The horizontal pod autoscaler (HPA) is a Kubernetes resource available in all cloud environments that
automatically scales the number of CN-MGMT and CN-NGFW pods in a deployment based on monitored
metrics.

HPA uses two standard metrics across all cloud environments, CPU and memory utilization, as well as
custom metrics specific to each cloud environment. Each cloud requires its own YAML files to enable
HPA in Azure Kubernetes Service (AKS), Amazon Elastic Kubernetes Service (EKS), and Google
Kubernetes Engine (GKE).

Configuration
HPA retrieves metrics from a monitoring adapter in the cloud environment, such as CloudWatch in
EKS, to determine when to scale up or down based on the thresholds you define. You must edit the
relevant YAML files to set the minimum and maximum number of replicas, the threshold for each
metric, and which metrics drive the auto scaling of your firewalls.

Scaling is determined by dividing the current metric value by the metric threshold and then
deploying enough pods to bring the metric down to the configured threshold across all CN-NGFW
pods in the cluster (the standard Kubernetes HPA rule: desired replicas = ceil(current replicas ×
current value / threshold)). However, the cluster never deploys more CN-NGFW pods than the
configured maxReplicas. If more than one metric exceeds its threshold at the same time, the cluster
deploys the number of pods required by the metric that calls for the most replicas.

By default, the HPA controller polls the metrics adapter every 15 seconds. If the metrics you have
specified exceed the configured threshold for the time specified in stabilizationWindowSeconds under
scaleUp, the cluster deploys an additional CN-NGFW pod. The cluster then waits for the time specified
in stabilizationWindowSeconds under scaleDown before deciding whether the additional CN-NGFW
pods are still required. By default, one pod is deployed at a time.
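To make the scaling arithmetic and the two stabilization windows concrete, here is an added example that is not CN-Series or Kubernetes code: a small Python simulator that replays the HPA controller's decision loop over constructed metric samples taken every 15 seconds. The replica formula, the 10% tolerance band, the min/max clamp, the choice of the largest recommendation across metrics, and the window semantics (scale up no higher than the smallest recommendation in the scale-up window, scale down no lower than the largest recommendation in the scale-down window) follow the upstream Kubernetes controller; the metric values, targets and window lengths are this example's own choices, and the "one pod per step" cap models a scaleUp policy of one Pod per period.

```python
import math
from typing import Dict, List, Tuple

# Added example, not CN-Series code. Timestamps are seconds; metric values and
# targets are constructed (e.g. CPU utilization percent against a 50% target).

TOLERANCE = 0.1  # kube-controller-manager default --horizontal-pod-autoscaler-tolerance


def replicas_for_metric(current: int, value: float, target: float,
                        tolerance: float = TOLERANCE) -> int:
    """Desired replicas for one metric: ceil(current * value / target),
    unless the ratio is within the tolerance band, in which case no change."""
    ratio = value / target
    if abs(ratio - 1.0) <= tolerance:
        return current
    return math.ceil(current * ratio)


class HpaSimulator:
    """Replays the HPA decision loop over a series of metric samples."""

    def __init__(self, min_replicas: int, max_replicas: int, targets: Dict[str, float],
                 scale_up_window: int = 0, scale_down_window: int = 300,
                 max_pods_per_step: int = 1):
        self.min_replicas = min_replicas
        self.max_replicas = max_replicas
        self.targets = targets                      # metric name -> threshold
        self.scale_up_window = scale_up_window      # scaleUp.stabilizationWindowSeconds
        self.scale_down_window = scale_down_window  # scaleDown.stabilizationWindowSeconds
        self.max_pods_per_step = max_pods_per_step  # scaleUp policy: type Pods, value N
        self.replicas = min_replicas
        self._history: List[Tuple[int, int]] = []   # (timestamp, raw recommendation)

    def observe(self, now: int, values: Dict[str, float]) -> int:
        # Largest recommendation across all metrics, clamped to minReplicas/maxReplicas.
        desired = max(replicas_for_metric(self.replicas, values[name], target)
                      for name, target in self.targets.items())
        desired = max(self.min_replicas, min(self.max_replicas, desired))

        # Stabilization windows: the controller will not scale up past the smallest
        # recent recommendation nor scale down below the largest recent one.
        up_rec, down_rec = desired, desired
        for ts, rec in self._history:
            if now - ts < self.scale_up_window:
                up_rec = min(up_rec, rec)
            if now - ts < self.scale_down_window:
                down_rec = max(down_rec, rec)
        new = min(max(self.replicas, up_rec), down_rec)

        # scaleUp policy: add at most N pods per evaluation.
        if new > self.replicas:
            new = min(new, self.replicas + self.max_pods_per_step)

        self._history.append((now, desired))
        horizon = max(self.scale_up_window, self.scale_down_window)
        self._history = [(ts, r) for ts, r in self._history if now - ts < horizon]
        self.replicas = new
        return new


def replay(samples: List[Tuple[int, Dict[str, float]]], **kwargs) -> List[int]:
    """Return the replica count after each sample."""
    sim = HpaSimulator(**kwargs)
    return [sim.observe(ts, values) for ts, values in samples]


if __name__ == "__main__":
    # Constructed samples every 15 s: a CPU spike for 30 s, then an idle cluster.
    samples = [
        (0, {"cpu": 80, "memory": 40}), (15, {"cpu": 80, "memory": 40}),
        (30, {"cpu": 20, "memory": 40}), (45, {"cpu": 20, "memory": 40}),
        (60, {"cpu": 20, "memory": 40}), (75, {"cpu": 20, "memory": 40}),
        (90, {"cpu": 20, "memory": 40}),
    ]
    print(replay(samples, min_replicas=1, max_replicas=4,
                 targets={"cpu": 50, "memory": 75}, scale_down_window=60))
```

In the replay, the spike calls for four CN-NGFW pods at the second sample, but the one-pod-per-step policy stops at three; once CPU drops, the 60-second scale-down window keeps the extra pod until every recommendation inside the window agrees it can go, and the memory metric then holds the deployment at two replicas even though CPU alone would allow one.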

1.1.1 References
● Auto Scaling the VM-Series Firewall on Azure
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/autoscaling-the-vm-series-firewall-on-azure
● VM-Series Auto Scaling Templates for AWS Version 2.1
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb/vm-series-auto-scale-template-for-aws-version-v21
● VM-Series Auto Scaling Group with AWS Gateway Load Balancer
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer/vm-series-auto-scaling-group-with-gateway-load-balancer
● Auto Scaling the VM-Series Firewall on Google Cloud Platform
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-google-cloud-platform/autoscaling-on-google-cloud-platform
● Enable Horizontal Pod Autoscaling on the CN-Series
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/enable-horizontal-pod-autoscaling-on-the-cn-series

1.2 Explain the value and operational efficiency of dynamic address groups (DAGs)

To simplify the creation of Security policies, all the IP addresses, FQDNs, etc., that require the same
security settings can be combined into address groups. An address group can be static or dynamic.

A dynamic address group (DAG) populates its members dynamically using tag-based filtering
criteria. A DAG allows you to:

● Create a policy that automatically adapts to changes—adding, moving, or deleting servers


● Apply different rules to the same asset based on tags that define its role based on the
network, the operating system, or the kinds of traffic it processes

Dynamic address groups are very useful if you have an extensive virtual infrastructure where
changes in virtual machine location/IP address/Cluster (Pods) are frequent. For example, in an
environment that needs to provision new virtual machines frequently, a DAG could be referenced
as a match condition within a Security policy rule that applies to traffic from or to the new machine.
This would allow the dynamic addition or removal of the virtual device without the need to
manually add the device’s information directly to the rule each time a change is required.

The tag-based filter uses logical (“and” and “or”) operators. All IP addresses or address groups that
match the filtering criteria become members of the dynamic address group.

You can associate (register) tags with a firewall statically or dynamically. Static tags are a part of the
configuration on the firewall, whereas dynamic tags are a part of the runtime configuration. As a
result, once a policy rule referencing a DAG using dynamic tags is committed to a firewall, a commit
is not required to update dynamic tags with any subsequent changes. The changes are dynamically
applied to the DAG and referenced by the policy rule as appropriate.

To use a dynamic address group in the policy, you must complete the following tasks:

● Define a dynamic address group and reference it in a policy rule.



● Notify the firewall of the IP addresses and the corresponding tags so that members of the
dynamic address group can be formed. You can do this using external scripts that use
the XML API on the firewall or, for a VMware-based environment, you can select
Device > VM Information Sources to configure settings on the firewall.

To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or
on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on
the firewall or Panorama.

Each registered IP address can have up to 32 tags, such as the operating system, the data center, or
the virtual switch to which it belongs. Within 60 seconds of receiving an API call containing tag
updates, the firewall registers the IP address and associated tags and automatically updates the
membership information for the DAGs.

DAGs can also include statically defined address objects. If you create an address object and apply
the same tags that you have assigned to a DAG, the DAG will include all static and dynamic objects
that match the tags. You can, therefore, use tags to pull together both dynamic and static objects
within the same address group.
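The two halves of the workflow above, registering tags and letting a DAG filter resolve its members, modelled offline as an added example (this is not code from the study guide or from Palo Alto Networks). The `<uid-message>` layout is the PAN-OS XML API register/unregister format; the IP addresses, tag values and filter strings are constructed, and the behaviour of an unregister entry that lists no tags is a modelling assumption:

```python
"""Dynamic tag registration and DAG membership, modelled offline. Added example,
not code from the study guide or Palo Alto Networks. The <uid-message> layout is
the PAN-OS XML API register/unregister format (sent as /api/?type=user-id&cmd=...);
the IPs, tag values and filter strings below are constructed."""
import re
import xml.etree.ElementTree as ET

MAX_TAGS_PER_IP = 32  # per-IP limit stated in the guide


def build_uid_message(register, unregister=None):
    """<uid-message> XML for register/unregister maps of IP -> list of tags."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, entries in (("register", register or {}), ("unregister", unregister or {})):
        if not entries:
            continue
        node = ET.SubElement(payload, action)
        for ip, tags in entries.items():
            if action == "register" and len(set(tags)) > MAX_TAGS_PER_IP:
                raise ValueError(f"{ip}: {len(set(tags))} tags exceeds {MAX_TAGS_PER_IP}")
            tag_node = ET.SubElement(ET.SubElement(node, "entry", ip=ip), "tag")
            for tag in tags:
                ET.SubElement(tag_node, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def apply_uid_message(registry, xml_text):
    """Apply a uid-message to a local IP -> set(tags) table, the way the firewall
    updates its registered-IP table. An unregister entry that lists no tags drops
    every tag for that IP (modelling assumption)."""
    payload = ET.fromstring(xml_text).find("payload")
    for entry in payload.iterfind("register/entry"):
        members = {m.text for m in entry.iterfind("tag/member")}
        registry.setdefault(entry.get("ip"), set()).update(members)
    for entry in payload.iterfind("unregister/entry"):
        ip, gone = entry.get("ip"), {m.text for m in entry.iterfind("tag/member")}
        if ip in registry:
            registry[ip] -= gone or registry[ip]
            if not registry[ip]:
                del registry[ip]
    return registry


# Filter tokens: a single-quoted tag, parentheses, or the operators and/or.
_TOKEN = re.compile(r"'[^']*'|\(|\)|\band\b|\bor\b", re.IGNORECASE)


def dag_matches(filter_expr, tags):
    """Evaluate a filter such as "'env=prod' and ('app=web' or 'app=api')" against
    one IP's tag set: 'and' binds tighter than 'or', parentheses override."""
    tokens = _TOKEN.findall(filter_expr)
    if _TOKEN.sub("", filter_expr).strip():
        raise ValueError(f"unrecognised text in filter: {filter_expr!r}")
    pos = 0

    def take(expected=None):
        nonlocal pos
        if pos >= len(tokens) or (expected and tokens[pos] != expected):
            raise ValueError(f"expected {expected or 'a token'} at token {pos}")
        pos += 1
        return tokens[pos - 1]

    def peek_is(word):
        return pos < len(tokens) and tokens[pos].lower() == word

    def or_expr():
        value = and_expr()
        while peek_is("or"):
            take()
            rhs = and_expr()  # parse the right side even when value is already True
            value = value or rhs
        return value

    def and_expr():
        value = atom()
        while peek_is("and"):
            take()
            rhs = atom()
            value = value and rhs
        return value

    def atom():
        tok = take()
        if tok == "(":
            value = or_expr()
            take(")")
            return value
        if tok.startswith("'"):
            return tok[1:-1] in tags
        raise ValueError(f"unexpected {tok!r} in filter")

    result = or_expr()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return result


def dag_members(filter_expr, registry):
    """Sorted IPs whose registered tags satisfy the DAG filter."""
    return sorted(ip for ip, tags in registry.items() if dag_matches(filter_expr, tags))
```

In a live deployment the XML string is sent to the firewall's `/api/` endpoint with `type=user-id` and an API key, and the firewall applies it within the 60-second window described above; no commit is involved. The filter evaluator rejects anything outside the quoted-tag, `and`, `or`, parentheses grammar so that a mistyped filter fails loudly instead of silently matching nothing, which in a DAG-driven rulebase would mean a rule that quietly stops applying.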

1.2.1 References
● Use Dynamic Address Groups in Policy
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/monitor-changes-in-the-
virtual-environment/use-dynamic-address-groups-in-policy
● Objects > Address Groups
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-a
ddress-groups

1.3 Describe various plugin options and deployment methods

VM-Series Plugin
The VM-Series plugin for VM-Series firewalls is a single plugin that enables integration with public
cloud environments, such as GCP, Azure, and AWS, and private cloud hypervisors such as KVM, ESXi,
and others. The VM-Series plugin is pre-installed on the VM-Series firewall; you can upgrade or
downgrade it, but you cannot delete it. When you deploy the firewall, the built-in plugin
automatically detects the virtual environment on which the firewall is deployed and loads up the
plugin components that enable you to manage interactions within that environment.

The plugin also enables publishing custom metrics to cloud-monitoring services (such as AWS
CloudWatch), bootstrapping, configuring user credential provisioning information from public
cloud environments, and seamless updates for cloud libraries or agents on PAN-OS. For example,
when you deploy the VM-Series firewall on GCP, the VM-Series firewall loads the plugin components
that enable integration with GCP. You can then use the VM-Series plugin to configure the VM-Series
firewall on GCP to publish metrics to Google Stackdriver Monitoring.

Similarly, for VM-Series firewalls deployed on Azure, the VM-Series plugin enables you to configure
the firewall to publish metrics to Azure Application Insights or set up the details that the firewalls
need to function as a high availability (HA) pair.

You can manually upgrade the VM-Series plugin independently of PAN-OS, enabling Palo Alto
Networks to accelerate the release of new features, fixes, or integrations with new cloud providers or
hypervisors. Each plugin version provides PAN-OS compatibility information and includes new
features or bug fixes for one or more cloud environments. Each PAN-OS release includes a specific
VM-Series plugin version that corresponds to the PAN-OS software version. When you downgrade
to an earlier PAN-OS software version, the plugin version is downgraded to a compatible version.
You can upgrade or downgrade the VM-Series plugin locally on the virtual firewall or manage the
plugin version centrally from Panorama.

Key Idea

● The VM-Series plugin does not manage capabilities that are common to both
VM-Series firewalls and hardware-based firewalls. For example, VM Monitoring is
not part of the VM-Series plugin because it is a core PAN-OS feature that helps
you enforce policy consistently on your virtual machine workloads from both
VM-Series firewalls and hardware-based firewalls.
● The VM-Series plugin does not manage Panorama plugins. For the difference
between the VM-Series plugin and Panorama plugins, see VM-Series Plugin and
Panorama Plugins.

Panorama Plugins
On Panorama, the VM-Series plugin is available but is not pre-installed. If you choose to use
Panorama to manage the integrations on your firewalls, install the VM-Series plugin on Panorama
to establish communication with the VM-Series plugin on your firewalls.

Key Idea

● For plugin installations required on both Panorama and managed firewalls, the
plugin version installed on Panorama must be equal to or higher than the plugin
version installed on managed firewalls.

The Panorama plugins are for both hardware-based firewalls and VM-Series firewalls. Because
Panorama plugins are optional, you can add, remove, reinstall, or upgrade them on Panorama.
Panorama plugins are not built in; you must install a plugin to enable communication with the
environment you need. For example, you use the Cloud Services plugin on Panorama to enable the
setup between Panorama/firewalls and the Cortex Data Lake. The GCP plugin on Panorama enables
communication between Panorama and your GCP deployment so that you can secure the traffic
entering or exiting a service deployed in GCP.

Panorama extensible plugin architecture enables integration and configuration of the following:

● AIOps—The AIOps plugin enables you to enforce best practice checks by validating your
commits and letting you know if a policy needs work before you push it to Panorama.

● AWS—The AWS plugin enables you to monitor your EC2 workloads on AWS. With the
plugin, you can enable communication between Panorama (running PAN-OS 8.1.3 or
later) and your AWS VPCs so that Panorama can collect a predefined set of attributes (or
metadata elements) as tags for your EC2 instances and register the information to your

Palo Alto Networks firewalls. When you reference these tags in dynamic address groups
and match against them in Security policy rules, you can consistently enforce policy
across all assets deployed within your VPCs.

● Azure—The Azure plugin enables you to monitor your virtual machines on the Azure
public cloud. With the plugin, you can enable communication between Panorama
(running PAN-OS 8.1.6 or later) and your Azure subscriptions so that Panorama can collect
a predefined set of attributes (or metadata elements) as tags for your Azure virtual
machines and register the information to your Palo Alto Networks firewalls. When you
reference these tags in dynamic address groups and match against them in Security
policy rules, you can consistently enforce policies across all assets deployed within VNets
in your subscriptions.

● Cisco ACI—The Cisco ACI plugin enables you to monitor endpoints in your Cisco ACI
fabric. With the plugin, you enable communication between Panorama (8.1.6 or later) and
your Cisco APIC so that Panorama can collect endpoint information as tags for your
endpoint groups and register the information to your Palo Alto Networks firewalls. When
you reference these tags in dynamic address groups and match against them in Security
policy rules, you can consistently enforce policies across all assets deployed within your
Cisco ACI fabric.

● Cisco TrustSec—The Cisco TrustSec plugin enables monitoring of endpoints in your
Cisco TrustSec environment. With the plugin, you enable communication between
Panorama and your Cisco pxGrid server so that Panorama can collect endpoint
information as tags for your endpoints and register the information to your Palo Alto
Networks firewalls. When you reference these tags in dynamic address groups and match
against them in Security policy rules, you can consistently enforce policy across all assets
deployed within your Cisco TrustSec environment.

● Cloud Services—The Cloud Services plugin enables the use of the Cortex Data Lake and
Prisma® Access. The Cortex Data Lake solves operational logging challenges, and the
Prisma Access cloud service extends your security infrastructure to your remote network
locations and mobile workforce.

● GCP—The GCP plugin enables you to secure Kubernetes services in a Google Kubernetes
Engine (GKE) cluster. You can configure the Panorama plugin for GCP to connect to your
GKE cluster and learn about the services that are exposed to the internet.

● Interconnect—The Panorama Interconnect plugin enables you to manage large-scale
firewall deployments. Use the Interconnect plugin to set up a two-tier Panorama
deployment (on Panorama running PAN-OS 8.1.3 or later) for a horizontal scale-out
architecture. With the Interconnect plugin, you can deploy a Panorama Controller with
up to 64 Panorama nodes or 32 Panorama HA pairs to centrally manage a large number
of firewalls.

● Nutanix—The Panorama plugin for Nutanix enables VM Monitoring in your Nutanix
environment. It allows you to track the virtual machine inventory within your Nutanix
Prism Central so that you can consistently enforce a Security policy that automatically
adapts to changes within your Nutanix environment. As virtual machines are provisioned,
deprovisioned, or moved, this solution allows you to collect the IP addresses and
associated sets of attributes (or metadata elements) as tags. You can then use the tags to
define dynamic address groups and use them in the Security policy. The Panorama
plugin for Nutanix requires Panorama 9.0.4 or later.

● SD-WAN—The Software-Defined Wide Area Network (SD-WAN) plugin allows you to use
multiple internet and private services to create an intelligent and dynamic WAN, which
helps lower costs and maximize application quality and usability. Instead of using costly
and time-consuming Multiprotocol Label Switching (MPLS) with components such as
routers, firewalls, WAN path controllers, and WAN optimizers, SD-WAN on a Palo Alto
Networks firewall allows you to use less expensive internet services and fewer pieces of
equipment.

● VMware NSX—The VMware NSX plugin enables integration between the VM-Series
firewall on VMware NSX with VMware NSX Manager. This integration allows you to deploy
the VM-Series firewall as a service on a cluster of ESXi servers.

● VMware vCenter—The Panorama plugin for VMware vCenter allows you to monitor the
virtual machines in your vCenter environment. The plugin retrieves IP addresses of virtual
machines in your vCenter environment and converts them to tags that you can use to
build policy using dynamic address groups.

● IPS Signature Converter—The IPS Signature Converter plugin for Panorama provides an
automated solution for converting rules from third-party intrusion prevention
systems—Snort and Suricata—into custom Palo Alto Networks threat signatures. You can
then register these signatures on firewalls that belong to device groups you specify and
use them to enforce policy in Vulnerability Protection and Anti-Spyware Security profiles.

● Kubernetes—The Kubernetes plugin for Panorama enables you to establish connectivity
with the Kubernetes clusters. It helps you manage licensing and configure policies for
visibility, control, and threat inspection of traffic between pods or services, and for
inbound or outbound traffic for applications or services deployed on Kubernetes clusters.
This Kubernetes plugin is required to manage the CN-Series firewalls. Panorama provides
a consistent management solution to incorporate Kubernetes context into policies, and it
allows other Palo Alto Networks firewalls in the environment to use these context-infused
policies for a uniform network security posture.

Refer to the Palo Alto Networks Compatibility Matrix for details on the different plugin versions and
compatibility information.

1.3.1 References
● VM-Series Plugin
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-serie
s-firewall/vm-series-plugin
● VM-Series and Panorama Plugins Release Notes
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes

● Panorama Plugins
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/p
alo-alto-networks-vm-series-and-panorama-plugins/plugins

1.4 Describe the process of segmentation

Network segmentation is an architectural approach that divides a network into multiple segments
or subnets, each acting as its own small network. This allows network administrators to control the
flow of traffic between subnets based on granular policies. Organizations use segmentation to
improve monitoring, boost performance, localize technical issues and—most importantly—enhance
security.

Segmentation helps network security personnel prevent unauthorized users—curious insiders as
well as malicious attackers—from gaining access to valuable assets, such as personal information,
corporate financial records, and highly confidential intellectual property.

Securing applications and services depends upon the NGFW’s ability to have visibility and control of
the traffic to and from the application and traffic between an application’s components. To provide
the required visibility and control, you should segment data and applications in the private data
center and public-cloud provider behind a next-generation firewall.

One of the most common ways to segment data is based on sensitivity levels. With greater data
sensitivity, additional policies and protection are necessary, including a stricter definition of what is
permitted to access the application. The data-sensitivity level information of an application allows
you to group applications and services with common security and traffic-flow requirements. For
instance, you should not group an application or service that is at the highest level of sensitivity
with any other application. You should even separate high-sensitivity services from other
components of their application if those other components have a reduced security requirement.
The sensitivity levels are as follows:

● Low—Applications and information whose loss of availability would have a limited impact
on the organization or its customers
● Moderate—Infrastructure, applications, and systems whose loss of integrity and
availability would impact the organization or its customers
● High—Any information falling under statutory requirements for notification in the case of
a breach

How you create the network segments for an application depends upon the infrastructure on
which it is built. The Palo Alto Networks portfolio allows segmentation in a variety of locations
within your environment:

● Data center—The PA-Series and VM-Series are ML-powered NGFWs. The PA-Series are
physical appliances that you typically deploy at the data-center perimeter. The VM-Series
are virtualized-form-factor, ML-powered next-generation firewalls that you typically
deploy within the data center, providing a more granular layer of segmentation.

● Public cloud—The VM-Series are virtualized-form-factor, ML-powered NGFWs. You deploy
these in a variety of public, private, and hybrid cloud environments. The VM-Series images
are often available from the public-cloud service-provider stores.

● Containers—Palo Alto Networks provides two methods for segmenting workloads within
Kubernetes clusters: the CN-Series NGFW and Prisma Cloud Identity-Based
Microsegmentation. The CN-Series are containerized-form-factor NGFWs. They provide
advanced Layer 7 network security and threat protection. In Kubernetes clusters, Prisma
Cloud Identity-Based Microsegmentation gives you the ability to provide segmentation
based on the individual workload identity instead of IP addresses.

To define the source and destination networks for securing traffic flows, the NGFW uses zones and
dynamic address groups. Zones are used in static environments, and dynamic address groups allow
the Security policy to stay in sync with dynamic virtual environments in both the data center and
the public cloud.

App-ID identifies the applications in the traffic between network segments and enables the NGFW
to limit the communication between network segments to specific applications. Because the Zero
Trust Security policy in the data center denies all traffic between segments, use App-ID to explicitly
define the intersegment traffic required for the applications to function and administrators to
manage the applications.
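The rule set the two paragraphs above describe, written out in PAN-OS set-command form as an added illustration; it is not configuration from the study guide, and the zone, address-group, tag and rule names are assumptions. The two dynamic address groups resolve their members from registered tags, each allow rule names only the App-ID that flow needs on its default ports, and an explicit logged deny sits below them so that intersegment traffic matching nothing is both blocked and visible. Rule attributes not shown are left at their defaults.

```text
# Dynamic address groups: membership comes from registered tags, not static IPs
set address-group dag-web-prod dynamic filter "'env=prod' and 'tier=web'"
set address-group dag-db-prod dynamic filter "'env=prod' and 'tier=db'"

# Allow only the applications each flow needs, matched by App-ID on default ports
set rulebase security rules web-to-db from dc-web to dc-db source dag-web-prod destination dag-db-prod application mysql service application-default action allow log-end yes
set rulebase security rules admin-to-db from dc-mgmt to dc-db source jump-hosts destination dag-db-prod application ssh service application-default action allow log-end yes

# Explicit, logged deny for everything else between data-center segments
set rulebase security rules deny-intersegment from any to any source any destination any application any service any action deny log-end yes
```

Because the source and destination objects are DAGs, a database host that is re-provisioned with a new address but the same `env=prod` and `tier=db` tags is covered by `web-to-db` as soon as its tags are registered, with no rule change and no commit.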

Network segmentation can be implemented as either physical or logical segmentation.

As the name implies, physical segmentation involves breaking down a larger network into a
collection of smaller subnets. It is relatively straightforward to administer because the topology is
fixed in the architecture. A physical or virtual firewall acts as the subnet gateway, controlling which
traffic comes in and goes out.

Logical segmentation creates subnets using one of two primary methods: virtual local area
networks (VLANs) or network addressing schemes. VLAN-based approaches are straightforward to
implement because the VLAN tag places each frame in its own broadcast domain; traffic between
VLANs still has to cross a Layer 3 device, which is where the firewall enforces policy. Network
addressing schemes are equally effective but require a more detailed understanding of networking
theory.

Logical segmentation is more flexible than physical segmentation because it does not require
wiring or physical movement of components. Automated provisioning can greatly simplify the
configuration of subnets.

Moving to a segmentation architecture provides an opportunity to simplify the management of
firewall policies. An emerging best practice is to use a single consolidated policy for subnet access
control as well as threat detection and mitigation, rather than performing these functions in
different parts of the network. This approach reduces the attack surface and strengthens the
organization’s security posture.

Microsegmentation
Microsegmentation is a security method of managing network access between workloads. It
lets administrators define Security policies that limit traffic on the principle of least
privilege, keyed to each endpoint's identity in line with Zero Trust, without re-architecting
the network.

Organizations use microsegmentation to reduce the attack surface, improve breach containment,
and strengthen regulatory compliance.

Microsegmentation is a fine-grained application segmentation method that is decoupled from the
network infrastructure design. This allows for a much higher degree of isolation and is ideal for
ensuring least-privileged workload access.

Microsegmentation helps provide consistent security across private and public clouds by virtue of
three key principles:

● Visibility—A microsegmentation solution should deliver visibility into all network traffic
inside and across data centers and clouds. Although there are several ways to monitor
traffic, the most effective measure is to see traffic coupled with workload context (e.g.,
cloud, application, orchestrators) as opposed to logs containing only IP addresses and
ports.
● Granular security—Granular security means that network administrators can strengthen
and pinpoint security by creating specific policies for critical applications. The goal is to
prevent lateral movement of threats with policies that precisely control traffic in and out
of specific workloads, such as weekly payroll runs or updates to human-resources
databases.
● Dynamic adaptation—Microsegmentation offers protection for dynamic environments.
For instance, cloud native architectures like containers and Kubernetes can spin up and
down in a matter of seconds. The IP addresses assigned to cloud workloads are
ephemeral, which makes IP-based rule management impractical. With microsegmentation,
Security policies are expressed in terms of identities or attributes (env=prod, app=hrm,
etc.) rather than network constructs (e.g., 10.100.0.10 tcp/80). Changes to the application
or infrastructure trigger automatic revisions to Security policies in real time, requiring no
human intervention.

Prisma Cloud Identity-Based Microsegmentation and the CN-Series NGFWs support capabilities for
enabling microsegmentation at the container level. The combination of both network
segmentation and microsegmentation provides coarse-grained isolation of similar applications
across your entire environment and fine-grained, identity-based microsegmentation that prevents
lateral attacks for hosts and containers.

1.4.1 References
● Zero Trust Enterprise
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/
pan/en_US/resources/guides/zero-trust-overview
● Network Segmentation Using Zones
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-prot
ection/network-segmentation-using-zones
● What Is Network Segmentation?
https://www.paloaltonetworks.com/cyberpedia/what-is-network-segmentation
● What is microsegmentation?
https://www.paloaltonetworks.com/cyberpedia/what-is-microsegmentation

● Prisma Cloud Microsegmentation Administrator's Guide
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-microsegment
ation
● Prisma Cloud: Cloud Network Security training:
https://beacon.paloaltonetworks.com/student/collection/963302-prisma-cloud-cloud-networ
k-security?sid=276822f4-4675-4c2b-b4f5-5af9e0a83a03&sid_i=4

1.5 Describe centralized security visibility and deployment models

All Palo Alto Networks firewalls can generate logs that provide an audit trail of firewall activities. For
centralized logging and reporting, you must forward the logs generated on the firewalls to your
on-premises infrastructure, which includes the Panorama management server and Log Collectors,
or send the logs to the cloud-based Cortex Data Lake. Optionally, you can configure Panorama to
forward the logs to external logging solutions, such as syslog servers.

Panorama aggregates logs from all managed firewalls and provides visibility across all the traffic on
the network. It also provides an audit trail for all policy modifications and configuration changes
made to the managed firewalls. In addition to aggregating logs, Panorama can forward them as
SNMP traps, email notifications, syslog messages, and HTTP payloads to an external server.

Panorama uses two sources for generating reports: the local Panorama database and the remote
firewalls that it manages. The Panorama database refers to the local storage on Panorama that is
allocated for storing both summarized logs and some detailed logs. If you have a distributed Log
Collection deployment, the Panorama database includes the local storage on Panorama and all the
managed Log Collectors. Panorama summarizes the information—traffic, application,
threat—collected from all managed firewalls at 15-minute intervals. However, if you prefer not to
forward logs to Panorama, Panorama can directly access the remote firewall and run reports on
data that is stored locally on the managed firewalls.

Key Idea

● You should forward logs to Panorama or to external storage for many reasons,
including compliance, redundancy, running analytics, centralized monitoring,
and reviewing threat behaviors and long-term patterns, and due to limited
storage on the firewalls.

For centralized logging and reporting, you also have the option of using the cloud-based Cortex
Data Lake. This option allows your managed firewalls to forward logs to the Cortex Data Lake
infrastructure instead of Panorama or managed Log Collectors.

The Application Command Center (ACC) on Panorama provides a single pane for unified reporting
across all the firewalls. It enables you to centrally monitor network activity to analyze, investigate,
and report on traffic and potential security incidents.

1.5.1 References

● Manage Log Collection

https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-log-collection
● Centralized Logging and Reporting
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/ce
ntralized-logging-and-reporting

1.6 Explain how to realize return on investment (ROI) by leveraging Palo Alto Networks
software next-generation firewall (NGFW)

Recent data breaches and cybersecurity events impacting the global community have placed a
spotlight on corporate and government IT security teams and have renewed scrutiny on the
policies and practices that keep sensitive data out of the hands of cybercriminals and other bad
actors. Reducing costs, achieving a rapid return on investment (ROI), and increasing security and IT
operations efficiency for better business outcomes are all typical mandates for cybersecurity
investments, but if the investment does not ultimately improve organizational security, are those
other goals relevant?

Deploying Palo Alto Networks for network security brings significant financial and organizational
benefits for the organization. These benefits are spread across nine different categories, including
efficiency gains for IT, security, and end users; cost savings from sunsetting legacy technology; and
the reduced risk of a data breach.

To find out how much ROI you can get by utilizing the Palo Alto Networks firewalls, use this
interactive ROI calculator, based upon the Forrester Consulting study The Total Economic Impact™
of VM-Series Virtual Firewalls, which was commissioned by Palo Alto Networks. By answering a few
simple questions, you will immediately see your virtualized security savings potential. Plus, you can
also download a complimentary, in-depth estimate tailored to your organization’s needs, showing
how ML-Powered VM-Series virtual NGFWs can pay for themselves while protecting your data and
workloads in public clouds, private clouds, hybrid clouds, and branch environments.

1.6.1 References
● Calculate Your Organization’s Big Virtual Firewall ROI Potential
https://www.paloaltonetworks.com/blog/network-security/calculate-virtual-firewalls-roi-pote
ntial/
● Maximize Your Security ROI: 2021 Forrester Consulting TEI Study
https://www.paloaltonetworks.com/blog/network-security/maximize-your-security-roi-forrest
er-tei/
● Maximize the ROI of Detection & Response
https://start.paloaltonetworks.com/maximize-the-roi-of-detection-and-response.html

1.7 Identify the benefits of Palo Alto Networks solutions to address customer concerns or
indifference

The successful exam candidate should be able to match customer requirements and strategies to
the appropriate firewall form factor. Hardware appliances are required for certain performance
characteristics such as throughput and connections per second. However, VM-Series firewalls are
the appropriate choice in various customer scenarios. VM-Series firewalls provide security for public
cloud environments, private cloud and hybrid environments, at branches, and for DevOps.

Public cloud virtual firewalls help meet customer security responsibilities in public cloud
environments by securing operating systems, platforms, access control, data, intellectual property,
source code, and content. VM-Series virtual firewalls boost regulatory compliance by providing
protection across public clouds and other environments to protect data, regardless of where it
resides.

Private cloud and hybrid cloud virtual firewalls secure virtualized compute resources and
hypervisors. Virtual firewalls provide lateral movement protection by inspecting traffic flows inside
private clouds, which can help simplify microsegmentation and reduce the attack surface.
Deploying VM-Series virtual firewalls boosts SDN security in virtual environments that are built with
software-defined networking fabrics such as VMware NSX® and Nutanix Flow.

Branch virtual firewalls isolate and protect critical systems. Virtual firewalls deliver local branch
segmentation and threat prevention to ensure regulatory compliance and consistent branch
network security from the same console that is used to manage other environments. Branch
locations also benefit from the virtualized form factor of VM-Series firewalls, which are deployable
on a white box or existing servers to minimize space requirements.

DevOps virtual firewalls protect application development speed. Virtual firewalls provide
on-demand auto scaling to ensure security when you need it most. With automated network
security, you can integrate security provisioning directly into DevOps workflows and continuous
integration/continuous delivery (CI/CD) pipelines without slowing the pace of business.

Key Idea

● Virtual firewalls provide on-demand auto scaling to ensure security.

1.7.1 References

● VM-Series on VMware NSX | Prisma - Palo Alto Networks Datasheet
https://www.paloaltonetworks.com/resources/techbriefs/vm-series-for-nsx-solution-brief

1.8 Summary of Key Ideas

● All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a
public cloud environment. IPv6 addresses are not supported.
● If you have more than one VMSS in an Azure subscription, you must use a single Panorama
appliance to manage them.
● The VM-Series plugin does not manage capabilities that are common to both VM-Series
firewalls and hardware-based firewalls. For example, VM Monitoring is not part of the
VM-Series plugin because it is a core PAN-OS feature that helps you enforce policy
consistently on your virtual machine workloads from both VM-Series firewalls and
hardware-based firewalls.
● The VM-Series plugin does not manage Panorama plugins. For the difference between the
VM-Series plugin and Panorama plugins, see VM-Series Plugin and Panorama Plugins.

● For plugin installations required on both Panorama and managed firewalls, the plugin
version installed on Panorama must be equal to or higher than the plugin version installed
on managed firewalls.
● You should forward logs to Panorama or to external storage for many reasons, including
compliance, redundancy, running analytics, centralized monitoring, and reviewing threat
behaviors and long-term patterns, and due to limited storage on the firewalls.
● Virtual firewalls provide on-demand auto scaling to ensure security.

1.9 Sample Questions

1. In AWS, which of the following publishes metrics for auto scaling?
a. AWS S3 Bucket
b. AWS Lambda
c. AWS CloudWatch
d. AWS Auto Scaling Groups (ASG)

2. While defining an address group, each registered IP address can have up to how many tags?
a. 32
b. 64
c. 16
d. 8

3. The VM-Series plugin enables integration with:
a. Public clouds
b. Private clouds
c. Public and private clouds
d. Hypervisors

4. Which two statements are true for Panorama plugins? (Choose two)
a. Panorama plugins are available for both VM-Series and hardware-based firewalls.
b. Panorama plugins are optional and can be removed.
c. Panorama plugins are built-in.
d. Panorama plugin versions are independent of Panorama version.

5. Which three statements are true with respect to VM-Series plugin upgrades? (Choose three.)
a. The plugin can be upgraded manually independently of PAN-OS.
b. The plugin can be upgraded locally in the virtual firewall.
c. A PAN-OS upgrade is mandatory to upgrade the VM-Series plugin.
d. Upgrades can be managed centrally through Panorama.
e. Every plugin version is compatible with all the PAN-OS versions.

6. What are three advantages of network segmentation? (Choose three.)
a. It boosts performance.
b. It makes managing firewall policies easier.
c. It localizes technical issues.
d. It makes virtual clouds more secure.
e. It can be implemented only as physical segmentation.

7. What is used to aggregate logs from all the managed firewalls and provide visibility into all
data traffic?
a. Cortex Data Lake
b. Panorama
c. Application Command Center
d. Dedicated Log Collectors

8. Which two parameters are considered while estimating ROI using Palo Alto Networks
VM-Series Virtual Firewalls Estimator? (Choose two.)
a. Number of firewalls to be deployed
b. Number of NetOps and SecOps staff in the organization
c. Quantity of data to be inspected
d. Amount spent on physical firewalls over a life cycle of five years

Domain 2: Competitive Differentiators
Three frequent cloud service provider (CSP) customer security challenges are:

● Slowing operations with multiple security tools
● Struggling to ensure a consistent network security posture
● Facing ongoing, on-demand scalability challenges

To get past these common obstacles:

● Deploy virtual firewalls with Next-Generation Firewall capabilities
● Leverage security solutions that work with multiple public cloud vendors
● Seamlessly integrate network security into DevOps workflows

Taking a layered approach to public cloud network security requires:

● Complete Visibility: Public cloud security requires complete visibility of all application
traffic, including flows that might be encrypted; this is necessary to determine what an
application really is, regardless of the port, protocol, or encryption type.
● Threat Prevention: Implementing threat prevention capabilities is necessary to identify and
stop known and unknown attacks.
● Exfiltration Prevention: Preventing sensitive data from leaving the environment is crucial
for maintaining public cloud security.
● Compliance: Achieving and maintaining compliance helps to mitigate risk throughout
decentralized environments through comprehensive reporting.
● Multicloud Support and Management: Manage public cloud network security consistently
across AWS, Azure, GCP, and others from the same console used to manage on-premises,
private cloud, and branch security postures.

2.1 Compare and contrast the capabilities of cloud-delivered VM-Series, CN-Series, and NGFW

VM-Series
VM-Series is the virtualized form factor of the Palo Alto Networks Next-Generation Firewall. It is
positioned for use in a cloud environment where it can protect and secure east-west and
north-south traffic. To meet the growing need for inline security across diverse cloud and
virtualization use cases, you can deploy the VM-Series firewall on a wide range of private and public
cloud computing environments such as VMware, Cisco ACI and Enterprise Network Compute
System (ENCS), KVM, OpenStack, AWS, Microsoft public and private cloud, Oracle Cloud
Infrastructure (OCI), Alibaba Cloud, and GCP.

The VM-Series supports all the next-generation firewall and advanced threat prevention features
available in our physical form factor appliances, allowing you to safely enable applications flowing
into and across your private, public, and hybrid cloud computing environments.

Automation features such as VM Monitoring, dynamic address groups, and a REST-based API allow
you to proactively monitor virtual machine (VM) changes and dynamically feed that context into
Security policies, thereby eliminating the policy lag that may occur when your VMs change.

The VM-Series supports the following hypervisors:

● VMware ESXi and NSX
● Citrix SDX
● KVM (CentOS/RHEL)
● Ubuntu
● Amazon Web Services

Key Idea

● For the best instance types for optimal VM-Series capacity and performance, see
the VM-Series Capacity & Performance document.

Use Cases of VM-Series

1. Secure Public Clouds
Virtual firewalls can secure public cloud services from providers such as GCP, AWS, and
Azure. These firewalls typically act as guest virtual machines within public cloud
environments and can provide visibility across multiple cloud service provider (CSP)
deployments.

Virtual firewalls also help organizations:

● Meet public cloud user security obligations—CSPs are typically responsible for
lift-and-shift applications, software-as-a-service (SaaS) applications, and cloud
infrastructure (database, storage and networking). However, organizations using
these services are usually responsible for the security of the operating systems,
platforms, access control, data, intellectual property, source code, and
customer-facing content that typically sit on top of the infrastructure.

● Ensure compliance with regulatory standards—Virtual firewalls can be deployed to
implement threat prevention capabilities and segmentation to meet regulatory
standards such as GDPR, PCI DSS, HIPAA, and SWIFT.

● Boost the built-in security features unique to each public cloud platform—Some
virtual firewalls provide inline threat prevention to secure the flow of traffic moving
laterally within a cloud environment, augmenting the basic, built-in security unique
to each CSP.

2. Extend Security to Branches and Software-Defined Environments

Virtual firewalls can help secure virtual branch offices as well as software-defined networks
and software-defined wide-area networks – SDNs and SD-WANs, respectively. In SDN
environments, software and virtualization control networking and data-routing activities
within servers. Similarly, SD-WAN environments use software and virtualization to provide
network connectivity for dispersed locations, such as branch offices.

Deploying virtual firewalls in these environments allows organizations to secure the
perimeter, segment the network, and protect their branch locations.

In software-defined environments, advanced virtual firewalls are used to:

● Provide consistent network security—Virtual firewalls can help organizations
manage branch network security from the same console they use to manage other
environments. This can include support for SDN and SD-WAN solutions from Cisco,
Citrix, Nutanix, and VMware.

● Isolate critical systems, such as point of sale—Virtual firewalls can be used for
segmentation and threat prevention as well as to ensure compliance in branch
locations with systems that require isolation, such as point-of-sale (POS) systems.

● Insert inline security into SD-WAN environments—Like their hardware siblings,
virtual firewalls can be deployed to secure the flow of live network traffic, which can
be vital for privacy and compliance in branch locations.

● Prepare for future public cloud moves—Use of virtual firewalls in these
environments can set the security stage for planned moves of applications to public
clouds.

3. Safeguard Private Cloud Assets

Virtual firewalls meet the security needs of private clouds, which are on-demand compute
environments used by a single organization. In these environments, virtual firewalls can
help:

● Maximize investment in highly virtualized environments—Creating and managing
private clouds can be a capital-intensive undertaking. In these environments, virtual
firewalls are typically deployed to secure virtualized compute resources and
hypervisors, such as VMware ESXi, KVM, Nutanix AHV, Microsoft Hyper-V® and Azure
Stack.

● Reduce time-consuming manual security provisioning—Some virtual firewalls
come with policy-based automatic provisioning of network security capabilities.
These can secure assets accurately and cost-effectively while also simplifying
segmentation and microsegmentation processes—that is, isolating workloads from
one another and then securing them individually.

Container Security Risks and the Need for the CN-Series NGFW
Container adoption is on the rise. According to a Gartner report, by the end of 2023, more than 75%
of global organizations will be running containerized applications in production. However, this
move brings new security and data risks for an organization.

Organizations with containerized applications face the following three risks:

● Containers are subject to the same network-based attacks that plague legacy
workloads: Containers are not aliens. They are just another way to deploy applications.
Regardless of whether applications are running on bare-metal servers, virtual machines or
containers, they run on the same network stack and protocols. That means containerized
apps face the same threats that have traditionally plagued legacy apps running on bare
metal and virtual machines.

● Lack of protection against unpatched and unknown vulnerabilities: Patching can be a
manual and time-consuming process. When a vulnerability is identified and the patch is
available, it can take weeks and months to patch hundreds of vulnerable applications spread
across a deployment. While agent-based deploy-time (shift-left) security products help to
identify and patch known vulnerabilities at scale, applications are helpless against unknown
and unpatched vulnerabilities. For example, the infamous Log4j security vulnerability existed
but remained unknown for several years until identified in December 2021. That means that
supposedly “up-to-date” organizations are subject to unknown vulnerability exploits.

● Fragmented point security products lead to inconsistent security posture and east-west
network attacks: Until now, network security teams were not equipped with the right tools
to secure containers without slowing DevOps speed and agility. Hence, they started relying
on DevOps to secure containers. This leads to the network security team securing only some
parts of the infrastructure with DevOps then securing the container infrastructure, often
with suboptimal security products. Inconsistent security leads to holes in the network and
an increased risk of attacks as container apps have dependencies on legacy apps. Attackers
exploit these dependencies along with allowed network communications to laterally
propagate threats (east-west) in the environment.

CN-Series is the container-native version of the ML-powered NGFW designed specifically for
Kubernetes environments. The Palo Alto Networks CN-Series containerized firewall is the
best-in-class next-generation firewall purpose-built to secure the Kubernetes environment from
network-based attacks. The CN-Series firewall enables network security teams to gain Layer 7
visibility into Kubernetes environments, provide inline threat protection for containerized
applications deployed anywhere, and dynamically scale security without compromising DevOps
agility. Deploy the CN-Series to:

● Secure traffic between pods in different trust zones and namespaces
● Protect against known and zero-day malware
● Block data exfiltration from your containerized environments

Using Panorama as the centralized management platform, your network security teams can
consistently manage firewall policies for physical, virtual, container, and public cloud workloads
from a single interface.

CN-Series provides Layer 7 traffic visibility, including the container source IP of outbound traffic, to
detect and prevent threats traveling between namespace boundaries. CN-Series firewalls enforce
enterprise-level network security and threat protection in container traffic, which helps you elevate
the overall security posture by sharing Kubernetes contextual information with other Palo Alto
Networks firewalls.

The Palo Alto Networks CN-Series container firewall is the first next-generation firewall
purpose-built to secure Kubernetes orchestration environments from network-based attacks. The
CN-Series firewall enables network security teams to:

● Gain Layer-7 visibility and enforcement using native Kubernetes context to protect against
known and unknown threats
● Provide inline threat protection for containerized applications deployed anywhere (on-prem
or in-cloud)
● Deploy and scale network security without compromising DevOps speed and agility
● Consistently secure legacy and modern microservices-based apps through unified
management

CN-Series is meant to ensure frictionless continuous integration / continuous development (CI/CD)
pipeline deployment while delivering unparalleled runtime network protection through unified
management across all firewalls.

Here are some key Kubernetes terms for a better understanding of the concepts:

● Cluster—The foundation of your containerized environment; all your containerized
applications run on top of a cluster.
● Node—A node might be a virtual or physical machine, depending on the cluster, that
contains the necessary services required for pods.
● Pod—The smallest computing unit that you can deploy and manage in Kubernetes. The
CN-Series firewall is deployed in a distributed PAN-OS architecture as two pods:
CN-MGMT and CN-NGFW.
● Namespace—A namespace is a virtual cluster that is backed by a physical cluster. In an
environment with many users spread across multiple teams and functions, a namespace
can be used to separate them within a single cluster.
● Container Network Interface (CNI)—A plugin that configures network interfaces for
containers. Additionally, the CNI removes the allocated resources used for networking
when a container is deleted.
● DaemonSet—In a Kubernetes deployment, a DaemonSet ensures that some or all nodes
run a copy of a particular pod. And as nodes are added to a Kubernetes cluster, a copy of
the specified pod is added to each new node. When you deploy the CN-Series firewall as
a DaemonSet, a copy of the CN-NGFW pod is deployed on each node in your cluster (up
to 30 nodes per CN-MGMT pair).
● Kubernetes Service—An abstraction that exposes an application running on a set of
pods as a network service. When you deploy the CN-Series as a service, you need to
define the number of CN-NGFW pods to be deployed when setting up your YAML files.
● Horizontal Pod Autoscaler (HPA)—Automatically scales the number of pods in a
deployment, replica set, or stateful set based on various metrics such as CPU utilization or
session utilization.
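
The Horizontal Pod Autoscaler entry above says only that it scales on metrics such as CPU or session utilization. The following Python block is an added example, not code from this study guide or from Palo Alto Networks, that reproduces the replica calculation the Kubernetes HPA controller applies: desired = ceil(current x currentMetric / targetMetric), left unchanged while the ratio sits inside the tolerance band (0.1 by default), then clamped to the configured minimum and maximum. The HpaSpec class, the pod counts and the utilization samples are constructed for the illustration.

```python
import math
from dataclasses import dataclass


@dataclass
class HpaSpec:
    """Constructed stand-in for an HPA spec: replica bounds, target and tolerance."""
    min_replicas: int
    max_replicas: int
    target_utilization: float   # e.g. 50.0 means "keep average CPU at 50%"
    tolerance: float = 0.1      # controller default: ignore +/-10% drift from target


def desired_replicas(spec: HpaSpec, current_replicas: int, current_utilization: float) -> int:
    """Replica count the HPA controller would request for one observation.

    desired = ceil(current * currentMetric / targetMetric), except that a ratio
    within the tolerance band leaves the count unchanged; the result is then
    clamped to [min_replicas, max_replicas].
    """
    if current_replicas <= 0:
        raise ValueError("HPA only scales workloads with at least one replica")
    ratio = current_utilization / spec.target_utilization
    if abs(ratio - 1.0) <= spec.tolerance:
        desired = current_replicas          # within tolerance: no scaling event
    else:
        desired = math.ceil(current_replicas * ratio)
    return max(spec.min_replicas, min(spec.max_replicas, desired))


def simulate(spec: HpaSpec, start_replicas: int, utilization_samples) -> list:
    """Feed a sequence of average-utilization observations through the controller
    logic and return the replica count after each one."""
    trajectory = []
    replicas = start_replicas
    for sample in utilization_samples:
        replicas = desired_replicas(spec, replicas, sample)
        trajectory.append(replicas)
    return trajectory


if __name__ == "__main__":
    # Constructed scenario: a CN-NGFW deployment bounded to 2..6 pods, 50% CPU target.
    spec = HpaSpec(min_replicas=2, max_replicas=6, target_utilization=50.0)
    print(simulate(spec, 4, [80.0, 80.0, 52.0, 10.0]))
```

Run it with your own bounds to see how far a utilization burst pushes the pod count before the maximum stops it: the clamp is what keeps a metric spike from requesting more CN-NGFW pods than the deployment was sized for, and the tolerance band is what stops small fluctuations from churning pods.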

Use Cases of CN-Series

There are three use cases in which customers most often employ CN-Series container firewalls. All
of them involve the insertion of threat protection—and other advanced security services—at the
trust boundaries of cloud native applications.

1. East-West Layer 7 Traffic Protection

You can use CN-Series to insert Layer 7 traffic protection and advanced threat protection
into your Kubernetes environments. Doing so secures the allowed connections between two
containerized applications of different trust levels; it can also secure the allowed connections
between containers and other workload types.

Other microsegmentation products provide granular protection at Layers 3 and 4 to block
traffic between workloads that should not be able to communicate. The critical difference is
that CN-Series can inspect and control allowed traffic at Layer 7 and enable Palo Alto
Networks Threat Prevention subscription service to detect and stop threats that may be
attempting to move laterally across the environment. The two types of solutions can be used
together.

2. Outbound Traffic Protection

The second prominent use case is securing outbound traffic from container environments to
the internet or developer resources hosted in sites like GitHub. Palo Alto Networks URL
Filtering service provides guardrails for developers and other users to ensure that they are
not connecting to potentially malicious sites. A CN-Series firewall’s ability to inspect traffic
content, coupled with our DNS Security service, guards against data exfiltration and ensures
that critical information stays in the environment where it belongs.

Although some customers may prefer to use their perimeter firewalls in their on-prem data
centers, customers running Kubernetes environments in the public cloud will require
CN-Series.

3. Inbound Threat Prevention

Last but not least is the traditional inbound perimeter use case. Network security teams can
prevent threats riding on inbound traffic to the container environment with Palo Alto
Networks Threat Prevention and WildFire malware analysis services. Again, depending on
the customer’s environment and overall architecture, they may elect to do this with their
perimeter firewalls on-prem. Still, a CN-Series or VM-Series would be required to do this in
public cloud environments.

All these use cases can be addressed regardless of whether the apps are hosted in an
on-prem data center or a public cloud.

Cloud NGFW
Cloud NGFW for AWS delivers Palo Alto Networks ML-Powered NGFW capabilities as a fully
managed, cloud-native service operated by Palo Alto Networks on the Amazon Web Services (AWS)
platform. This deployment model combines the power of the Palo Alto Networks NGFW with the
ease of use of AWS.
The Cloud NGFW service provides advanced application visibility and access control using Palo Alto
Networks App-ID and URL filtering technologies. It provides threat prevention and detection
through cloud-delivered security services and threat prevention signatures.

On Cloud NGFW, you define Security policy rules and group them in a rulestack. The NGFW applies
your Security policy to the traffic received by the NGFW endpoints and enforces that policy. When
creating your NGFW, you must specify a VPC and local rulestack. Additionally, you must also specify
how and where the associated NGFW endpoints are deployed.

NGFW endpoints intercept traffic and route it to the NGFW for inspection and policy enforcement.
There are two management modes that you can use to create endpoints.

● In service-managed mode, the Cloud NGFW tenant automatically creates an endpoint in
each subnet you specify. The NGFW service retrieves a list of subnets from the VPC you
specified; from that list, you choose the subnets that should have an endpoint.
● In customer-managed mode, you choose the existing availability zones that need to be
secured in your specified VPC and then manually create the NGFW endpoints in existing
subnets in the chosen zones. After the NGFW has been created, you must use the AWS
console to complete the process of creating NGFW endpoints.

After creating an NGFW and NGFW endpoints, you must update your AWS route tables to ensure
that traffic is sent to the NGFW. Which route tables you update and how you update them depends
on your specific deployment. See Direct Traffic to Cloud NGFW for AWS for deployment examples
with example route tables for more details.
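
The paragraph above leaves the actual route-table update to the deployment guide. As an added example, not code from this study guide or from Palo Alto Networks, the following Python audit checks the property every variant of that update has to end up with: each workload subnet's default route hands traffic to an NGFW endpoint, and that endpoint sits in the subnet's own availability zone (endpoints are created per zone, as the customer-managed mode above describes). It assumes route tables in the field layout of the EC2 DescribeRouteTables response and that an NGFW endpoint appears as the VpcEndpointId target of a route; the subnet, endpoint, gateway and route-table IDs are constructed placeholders.

```python
"""Sanity check for AWS route tables that sit in front of Cloud NGFW endpoints.

The sample data is constructed, shaped like the EC2 DescribeRouteTables response
(RouteTableId, Associations[].SubnetId, Routes[].DestinationCidrBlock and a
target key such as GatewayId or VpcEndpointId). All IDs are placeholders.
"""

DEFAULT_ROUTE = "0.0.0.0/0"

# Availability zone of each workload subnet (constructed).
SUBNET_AZ = {
    "subnet-app-a": "us-east-1a",
    "subnet-app-b": "us-east-1b",
    "subnet-app-c": "us-east-1b",
}

# Availability zone of each NGFW endpoint created during onboarding (constructed).
ENDPOINT_AZ = {
    "vpce-ngfw-a": "us-east-1a",
    "vpce-ngfw-b": "us-east-1b",
}

ROUTE_TABLES = [
    {   # correct: default route hands traffic to the endpoint in the subnet's own AZ
        "RouteTableId": "rtb-app-a",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "VpcEndpointId": "vpce-ngfw-a"},
        ],
    },
    {   # bypass: default route still points straight at the internet gateway
        "RouteTableId": "rtb-app-b",
        "Associations": [{"SubnetId": "subnet-app-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-placeholder"},
        ],
    },
    {   # cross-AZ: inspected, but through an endpoint in another availability zone
        "RouteTableId": "rtb-app-c",
        "Associations": [{"SubnetId": "subnet-app-c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "VpcEndpointId": "vpce-ngfw-a"},
        ],
    },
]


def route_target(route):
    """Return the target identifier of a route, whichever key AWS used for it."""
    for key in ("VpcEndpointId", "GatewayId", "NatGatewayId", "TransitGatewayId",
                "NetworkInterfaceId", "InstanceId"):
        if key in route:
            return route[key]
    return None


def audit_default_routes(route_tables, subnet_az, endpoint_az):
    """Report workload subnets whose default route does not reach an NGFW endpoint
    in the same availability zone. Returns a list of {"subnet", "issue", "target"}."""
    findings = []
    for rtb in route_tables:
        default = next((r for r in rtb.get("Routes", [])
                        if r.get("DestinationCidrBlock") == DEFAULT_ROUTE), None)
        for assoc in rtb.get("Associations", []):
            subnet = assoc.get("SubnetId")
            if subnet is None:          # main-table association, no explicit subnet
                continue
            if default is None:
                findings.append({"subnet": subnet, "issue": "no_default_route", "target": None})
                continue
            target = route_target(default)
            if target not in endpoint_az:
                findings.append({"subnet": subnet, "issue": "bypasses_ngfw", "target": target})
            elif endpoint_az[target] != subnet_az.get(subnet):
                findings.append({"subnet": subnet, "issue": "cross_az_endpoint", "target": target})
    return findings


if __name__ == "__main__":
    for f in audit_default_routes(ROUTE_TABLES, SUBNET_AZ, ENDPOINT_AZ):
        print(f"{f['subnet']}: {f['issue']} (target={f['target']})")
```

The bypass case is the one that silently defeats the deployment: the NGFW and its endpoints exist, but a subnet whose default route still targets the internet gateway never sends a packet through them. The cross-zone case still inspects traffic but ties the subnet's egress to an endpoint in another zone, which is worth flagging when the goal is per-zone resilience.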

2.1.1 References
● CN-Series Key Concepts
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-key-concepts#id06ceee36-7674-4392-9b25-8a322528b771
● Getting Started with Cloud NGFW for AWS
https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws
● Cloud NGFW and Cloud NGFW Endpoints
https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/create-cloud-ngfw-instances-and-endpoints
● CN-Series
https://docs.paloaltonetworks.com/cn-series
● CN-Series Deployment Guide
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment
● VM-Series
https://docs.paloaltonetworks.com/vm-series
● Why Native Security Controls in Public Clouds Are Not Enough
https://www.paloaltonetworks.com/resources/ebooks/native-security-not-enough

2.2 Create and apply flex credits to software firewalls

Software NGFW credits can be used to fund Software NGFWs (VM-Series and CN-Series),
cloud-delivered security services (CDSS), or virtual Panorama appliances in networks with or
without internet access.

Create a deployment profile to configure one or more firewalls based on PAN-OS version, the
number of vCPUs per firewall, the total number of firewalls supported by the deployment profile,
Panorama management or log collection, and security services. All the VMs that a deployment
profile creates share the same authcode.

Software NGFW credits are term-based. Terms can be defined for any amount of time between one
and five years. Both allocated and unallocated credits expire at the end of the agreed-upon term.
You can purchase additional credits for a credit pool, but the expiration date must be the same as
the target pool. Use Software NGFW Credit Estimator to calculate and get credits for your
deployment profile.

Activate Credits
Within your organization, you can create many accounts, each with a different purpose. During
activation, you can choose only one account per default credit pool. Once the credit pool is active,
users granted the credit administrator role can allocate the credits for deployments, and even
transfer credits to other pools. If you have an existing cloud service provider (CSP) account and are a
superuser or an admin, the system automatically adds the credit admin role to your profile. If you
do not have an existing account, the CSP creates an account for you and adds the credit admin role
to your profile.

You (the purchaser) receive an email detailing the subscription, the credit pool ID, the subscription
start and end date, the number of credits purchased, and the description of the default credit pool
(the credit pool created when you activate your credits).

Key Idea

● While activating credits, always retain the confirmation email with subscription
details for future reference.

Step 1: In the email, click Start Activation to view your available credit pools.

Step 2: Select the credit pool you want to activate. You can use the search field to filter your account
list by number or name.

If you have purchased multiple credit pools, all of them are automatically selected. The check
marks represent activation links for onboarding credits.

You are prompted to authenticate or sign in.

Key Idea

● If you deselect a credit pool, you see a reminder that if you want to activate those
credits, you must return to the email and click the Start Activation link.

Step 3: Select Start Activation.

Step 4: Select the support account (you can search by account number or name).

Step 5: Select the default credit pool.

Step 6: Select Deposit Credits.

You see a message that the deposit was successful.

Step 7: (optional) If this is your first credit activation, you see the Create Deployment Profile dialog.

Create a CN-Series Deployment Profile

Step 1: If you already have a credit pool, log in to the account. From the dashboard, select Assets >
Software NGFW Credits > Prisma NGFW Credits > Create New Profile.

If you have just activated a credit pool, you see the Create Deployment Profile form.

1. Select the CN-Series firewall type.
2. Select PAN-OS 10.2 and above.
3. Click Next.

Step 2: Create a CN-Series profile.

1. Name the Profile.

2. In the Total vCPUs field, enter the total number of vCPUs across all CN-NGFW pods.

3. Select a Security Use Case from the drop-down. Each Security Use Case in the
drop-down automatically selects a set of subscriptions that are recommended
for the chosen use case. If you select Custom, you can specify the subscriptions that
you would like to use in your deployment.

4. (optional) Use Credits to Enable VM Panorama—For Management or Dedicated
Log Collector.

Step 3: (optional) Hover over the question mark following Protect more, save more to see how your
credit allocation affects savings.

Step 4: Click Calculate Estimated Cost to view the credit total and the number of credits available
before the deployment. (optional) Hover over the question mark following the estimate to view the
credit breakdown for each component.

Step 5: (optional) If you used credits to Enable a Panorama VM, complete the following steps to
provision Panorama and generate a serial number.

1. Select Assets > Software NGFW Credits > Prisma NGFW Credits and locate your
deployment profile.
2. On the far right, select the vertical ellipsis and select Provision Panorama.
3. Click Provision to generate a serial number.
4. Record or copy the serial number to apply to your Panorama instance.
5. Register Panorama.

Once you have applied the serial number to Panorama, Panorama will contact the licensing update
server and retrieve the license.

Create a VM-Series Deployment Profile

Step 1: If you already have a credit pool, log in to the account. From the dashboard, select Assets >
Software NGFW Credits > Create Deployment Profile.

If you have just activated a credit pool, you see the Create Deployment Profile form.

1. Select the VM-Series firewall type.
2. Select the PAN-OS version:
○ Fixed Models (VM-Series Models)
○ Flexible vCPUs (PAN-OS 10.0.4 and above)
3. Click Next.

Step 2: Create a VM-Series profile.

1. Name the Profile.

2. In the Number of Firewalls field, enter the number of firewalls this profile deploys,
assuming you have sufficient credits. You do not have to deploy them all at once.

3. For Firewall Model, choose a VM-Series model.

Planned vCPU/Firewall (PAN-OS 10.0.4 or above): Enter the number of vCPUs per firewall.

Security Use Case: Choose a use case.

4. Customize Subscriptions.

After selecting a use case, you can add or remove security services.

5. (optional) Use Credits to Enable VM Panorama.

Choose the Panorama use case(s)—Management and/or Log Collector.

Step 3: (optional) Hover over the question mark following Protect more, save more to see how your
credit allocation affects savings.

Step 4: Click Calculate Estimated Cost to view the credit total and the number of credits available
before the deployment.

(optional) Hover over the question mark following the estimate to view the credit breakdown for
each component.

Step 5: Create the Deployment Profile.

You might have to wait several seconds for the profile to appear in the Current Deployment
Profiles tab list. Before the allocation is complete, the Credits Consumed/Allocated column
shows 0 and Update Pending. Scroll to the bottom and go to the last page to find your
profile.

To view your deployment profile later, click the Details button on the parent credit pool and
select Current Deployment Profiles.

● Note the Auth Code for your profile on the far right; Software NGFW credit auth
codes start with D.
● The Credits Consumed/Allocated column shows 0 and Update Pending before the
allocation is complete.
● The Audit Trail tab shows Credit Transactions and the Deployment Profiles you
manage. You can also search for a profile by time in this tab.

Use search to locate your profile and expand the row to view the configuration you specified
when you created the profile.

2.2.1 References
● Activate Credits
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/license-the-cn-series-firewall/activate-credits
○ Activate Credits Video Pt. 1
https://www.youtube.com/watch?v=0cAcLt8Lm84
○ Activate Credits Video Pt. 2
https://www.youtube.com/watch?v=guojHvWIuwM
● Create a CN-Series Deployment Profile
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/license-the-cn-series-firewall/create-a-deployment-profile-cn-series#idd20d9f6b-0856-4308-84da-a7368b5bf005
● Create a VM-Series Deployment Profile
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/create-a-deployment-profile-vm-series

2.3 Describe the importance of third-party integrations

Partner Interoperability for VM-Series Firewalls

Palo Alto Networks offers two tiers of support for third-party partner platforms for the VM-Series
next-generation firewall: Palo Alto Networks Certified and Partner-Qualified. The VM-Series firewall
provides the same security features and functionality regardless of support tier; the difference lies
in the types of issues Palo Alto Networks is able to help you resolve.

● Partner Qualified—Palo Alto Networks Customer Support assists you with any issue directly
related to the VM-Series firewall. VM-Series issues are defined as issues that occur after a
packet enters the firewall. This does not include issues related to a partner platform.
VM-Series issues include:

○ PAN-OS configuration
○ VM-Series upgrades
○ VM-Series licensing
○ VM-Series documentation

● Palo Alto Networks Certified—Palo Alto Networks Customer Support assists with all
VM-Series firewall issues as well as issues related to the partner platform. Platform issues are
defined as issues that involve a packet outside of the VM-Series firewall, such as arriving at or
leaving the firewall or hypervisor or an issue with the hardware configuration.

Platform issues include:

○ Network interfaces not recognized by the VM-Series firewall
○ VM-Series firewall not booting
○ Platform configuration
○ Bootstrapping of the VM-Series firewall
○ Connections to other networking devices
○ High availability
○ I/O Acceleration (DPDK, SR-IOV, and PCI passthrough)

Palo Alto Certified Integrations

Refer to the tables for details about hardware platforms and software versions on which you can
deploy the VM-Series firewall.

The partner software version and the PAN-OS version columns display the range of versions and the
minimum version in parentheses. For example, where the PAN-OS Version column displays PAN-OS
9.1.x (9.1.0), it indicates that the integration supports PAN-OS 9.1 releases beginning with PAN-OS
9.1.0.

Ciena—The following table shows the Ciena products with which VM-Series firewalls interoperate.

Hardware: 3906mvi and 3926mvi
Hypervisor: KVM
SAOS supported software version (minimum): 18.x.x (18.06.00)
SAOS tested software version (minimum): 18.06.x (18.06.00)
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Layer 3 mode on the VM-50, VM-100, and VM-300; VirtIO and DPDK mode
Documentation: Ciena documentation

Cisco Cloud Services Platform—The following table shows the Cisco Cloud Services Platform (CSP)
products with which VM-Series firewalls interoperate.

Hardware: CSP5400 Series, CSP2100 Series
Hypervisor: KVM
CSP supported software version (minimum): 2.x.x (2.4.0)
CSP tested software version (minimum): 2.4.x (2.4.0)
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Layer 2, Layer 3, and Virtual wire deployments on all VM-Series models except VM-50; VM-Series firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode
Documentation: Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2)

Hardware: CSP5400 Series
Hypervisor: KVM
CSP supported software version (minimum): 4.6.x (4.6)
CSP tested software version (minimum): 4.6.x (4.6.1-FC1)
PAN-OS version (minimum): 10.1.x (10.1.0)
Deployment modes supported: Layer 2, Layer 3, and Virtual wire deployments on all VM-Series models except VM-50; VM-Series firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode
Documentation: Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2)

Juniper NFX Network Services Platform—The following table shows the Juniper NFX Network
Services Platform products with which VM-Series firewalls interoperate.

Hardware: NFX 250
Hypervisor: KVM
Junos software version (minimum): 15.1X53-D470.x (15.1X53-D470.5)
Junos tested software version (minimum): -
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Layer 2, Layer 3, Virtual wire; DPDK mode
Documentation: Juniper NFX documentation

NSX SD-WAN by VeloCloud—The following table shows the NSX SD-WAN by VeloCloud products
with which VM-Series firewalls interoperate.

Hardware: Edge 520v, Edge 840
Hypervisor: KVM
VCE software version (minimum): 3.x.x (3.2.0)
VCE tested software version (minimum): 3.3.x (3.3.1)
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Virtual wire deployments; DPDK mode
Documentation: NSX SD-WAN by VeloCloud documentation

2.3.1 References
● Partner Interoperability for VM-Series Firewalls
https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/vm-series-partner-interoperability

2.4 Explain the benefits of cloud-delivered security services (CDSS) and Advanced URL
Filtering (AURLF)

Cloud-Delivered Security Services (CDSS)

A CDSS enhances security by unlocking certain firewall features, by enabling the firewall to
leverage a Palo Alto Networks cloud-delivered service, or both. Palo Alto Networks currently
offers the following CDSS:

● Threat Prevention—Goes beyond the traditional intrusion prevention system (IPS) solutions
to automatically prevent all known threats across all traffic in a single pass.
● IoT Security—Protects Internet-of-Things (IoT) and Operational Technology (OT) devices
across your organization with the industry’s first turnkey IoT security solution.
● WildFire—Ensures that files are safe by automatically detecting and preventing unknown
malware with cloud-based analysis.
● Data Loss Prevention—Enables cloud-based protection against unauthorized access,
misuse, extraction, and sharing of sensitive information.
● URL Filtering—Enables the safe use of the internet by preventing access to known and new
malicious websites before users can visit them.
● DNS Security—Disrupts attacks that use Domain Name System (DNS) for command and
control and data theft, without requiring any changes to your infrastructure.
● Prisma SaaS—A cloud access security broker (CASB) that provides advanced capabilities in
risk discovery, data loss prevention, compliance assurance, data governance, user behavior
monitoring, and advanced threat prevention.
● GlobalProtect—Protects your mobile workforce by extending the firewall to all users
regardless of location by establishing a secure IPSec/SSL VPN connection.
● SD-WAN—An end-to-end SD-WAN architecture that provides intelligent and dynamic path
selection on top of the security that PAN-OS software delivers.

Advanced URL Filtering (AURLF)

Palo Alto Networks' URL filtering solution, AURLF, is a subscription service that defends your
network from web-based threats by giving your users safe access to the web while delivering
granular policy controls to precisely define how users interact with and access online content. This
service provides all of the functionality offered by the legacy URL Filtering subscription by delivering
a URL categorization database, while also bringing the added benefit of full web-content inspection
using inline ML-based web security engines to prevent evasive and unknown web threats.

Key Idea

● Legacy URL Filtering subscription holders can continue using their URL Filtering
deployment until the end of the license term.

With AURLF enabled, URL requests are:

● Compared against the PAN-DB URL database, which contains millions of websites that have
been categorized. You can use these URL categories in URL Filtering profiles or as match
criteria to enforce Security policy. You can also use URL filtering to enforce safe search
settings for your users and to prevent credential theft based on URL category.
● Analyzed in real time using the cloud-based Advanced URL Filtering detection modules to
provide protection against new and unknown threats that do not currently exist in the URL
filtering database.
● Inspected for phishing and malicious JavaScript using local inline categorization, a
firewall-based analysis solution, which can block unknown malicious web pages in real time.

If the network security requirements in your enterprise prohibit the firewalls from directly accessing
the internet, Palo Alto Networks provides an offline URL filtering solution with the PAN-DB Private
Cloud. This allows you to deploy a PAN-DB private cloud on one or more M-600 appliances that
function as PAN-DB servers within your network; however, it does not support any of the
cloud-based URL analysis features found in the AURLF solution.
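The first of the three stages above, matching a URL against categories and letting a URL Filtering profile decide the action, can be modelled in a few lines. The following Python is an added example for this study guide, not Palo Alto Networks code: the category table, the profile and the URLs are constructed, and the longest-suffix host matching and the most-restrictive-action-wins rule are simplifying assumptions standing in for PAN-DB and the firewall's real matching. The cloud-based and inline ML stages are not modelled.

```python
"""
Added example (not from the study guide or from Palo Alto Networks): a small model of
how URL category lookups feed a URL Filtering profile decision. The category table,
profile and URLs are constructed test data; the lookup and precedence rules are
simplifying assumptions, not a description of PAN-DB internals.
"""
from urllib.parse import urlsplit

# Constructed stand-in for a local category database: host suffix -> categories.
# A real entry can carry several categories (e.g. a risk category plus a content
# category), which is why each value is a list.
CATEGORY_DB = {
    "example.com": ["computer-and-internet-info"],
    "login.example.com": ["computer-and-internet-info", "high-risk"],
    "bad.example.net": ["malware"],
    "phish.example.org": ["phishing"],
}

# Precedence when a URL matches several categories: the most restrictive action
# wins. This ordering is an assumption made for the example.
ACTION_RANK = {"allow": 0, "alert": 1, "continue": 2, "override": 3, "block": 4}


def lookup_categories(url: str) -> list[str]:
    """Return categories for the URL's host using longest-suffix matching.

    "a.b.example.com" is tried, then "b.example.com", then "example.com". Hosts
    not in the table get the "unknown" category so policy can still act on them.
    """
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CATEGORY_DB:
            return list(CATEGORY_DB[candidate])
    return ["unknown"]


def profile_action(categories: list[str], profile: dict[str, str],
                   default: str = "allow") -> str:
    """Apply a profile (category -> action) and return the winning action."""
    actions = [profile.get(c, default) for c in categories]
    return max(actions, key=lambda a: ACTION_RANK[a])


def evaluate(url: str, profile: dict[str, str]) -> dict:
    """Decision for one URL: categories, action, and whether the local table hit."""
    cats = lookup_categories(url)
    return {
        "url": url,
        "categories": cats,
        "action": profile_action(cats, profile),
        "local_hit": cats != ["unknown"],
    }


# Constructed security-first profile: block known-bad and high-risk categories,
# alert on the rest of the known categories, and make users click through
# ("continue") for unknown sites so the visit is logged without a hard block.
SECURITY_FIRST_PROFILE = {
    "malware": "block",
    "phishing": "block",
    "high-risk": "block",
    "computer-and-internet-info": "alert",
    "unknown": "continue",
}

if __name__ == "__main__":
    for u in ["https://www.example.com/docs", "https://login.example.com/",
              "http://bad.example.net/x", "https://nowhere.invalid/"]:
        print(evaluate(u, SECURITY_FIRST_PROFILE))
```

The point worth noticing is the second URL: it carries both a benign content category and a risk category, and the profile must resolve that to the stricter action rather than to whichever category happened to be listed first.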

2.4.1 References
● Cloud Delivered Security Services
https://beacon.paloaltonetworks.com/student/collection/747959-cloud-delivered-security-services?sid_i=0
● URL Filtering
https://docs.paloaltonetworks.com/url-filtering
● About Palo Alto Networks URL filtering Solution
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-filtering-overview

2.5 Describe the benefits of automation as applied by Palo Alto Networks

Automation
Automation levels the playing field, reduces the volume of threats, and allows for faster prevention
of new and previously unknown threats. Many security vendors look at automation to become more
efficient and as a means to save in manpower or headcount. Automation should also be viewed as a
tool that can, and should, be used to better predict behaviors and execute protections faster. If
implemented appropriately and with the right tools, automation can aid in the prevention of
successful cyberattacks. The following are four ways in which automation should be used:

● Correlating Data
Many security vendors collect substantial amounts of threat data. However, data provides
little value unless it is organized into actionable next steps.

To do this effectively, organizations first need to collect threat data across all attack vectors
and from security technologies within their own infrastructure, as well as global threat
intelligence outside of their infrastructure.

Then, they need to identify groups of threats that behave similarly within the massive
amounts of data and use that to predict the attacker’s next step. When using this approach,
more data collected results in more accurate results and reduces the likelihood that the
groups identified are merely an anomaly. Consequently, the analysis must also have enough
computing power to scale to today’s threat volume—something that is impossible to do
manually. Machine learning and automation allow data sequencing to happen faster, more
effectively, and more accurately.
Finally, combining this approach with dynamic threat analysis is the only way to accurately
detect sophisticated and never-before-seen threats.

● Generating Protections Faster Than Attacks Can Spread


Once a threat is identified, protections need to be created and distributed faster than an
attack can spread throughout the organization’s networks, endpoints, or cloud. Because of
the time penalty that analysis adds, the best place to stop the newly discovered attack is not
at the location where it was discovered but at the attack’s predicted next step. Manually
creating a full set of protections for the different security technologies and enforcement
points capable of countering future behaviors is not only a slow-moving, lengthy process but
also is extremely difficult when correlating different security vendors in your environment
without the right control and resources. Automation can expedite the process of creating
protections without straining resources, all while keeping pace with the attack.

● Implementing Protections Faster Than Attacks Can Progress


Once protections are created, they need to be implemented to prevent the attack from
progressing further through its life cycle. Protections should be enforced not only in the
location where the threat was identified, but also across all technologies within the
organization to provide consistent protection against the attack’s current and future
behaviors. Utilizing automation in the distribution of protections is the only way to move
faster than an automated and well-coordinated attack and stop it. With automated big-data
attack sequencing and automated generation and distribution of protections, you are able
to more accurately predict the next step of an unknown attack and move fast enough to
prevent it.

● Detecting Infections Already in Your Network


To stop an attack before data leaves the network, you must respond faster than the attack
itself. To identify an infected host or suspicious behaviors, you must be able to analyze data
from your environment backward and forward in time, looking for a combination of
behaviors that indicate that a host in your environment has been infected. Similar to
analyzing unknown threats attempting to enter the network, manually correlating and
analyzing data across your network, endpoints, and clouds is difficult to scale. Automation
allows for faster analysis and, should a host on your network be compromised, faster
detection and intervention.

2.5.1 Terraform

Terraform is a powerful open-source tool that is used to build and deploy infrastructure safely and
efficiently. It is cloud platform agnostic (unlike AWS cloud formation templates (CFTs) or Azure
Resource Manager (ARM) templates), provides for the definition of infrastructure as code, and
produces immutable infrastructure deployments. The Palo Alto Networks Terraform automation
project offers Terraform templates to assist in deploying agile infrastructures based on the Palo Alto
Networks next-generation firewalls in the cloud.

Terraform Quickstart
The Palo Alto Networks Repository of Terraform Templates to Secure Workloads on AWS and Azure,
https://github.com/PaloAltoNetworks/terraform-templates, contains templates to deploy three-tier
and two-tier applications along with the Palo Alto Networks firewall on cloud platforms such as
AWS and Azure. Terraform is licensed under Mozilla Public License v2.0.

Key Idea

● Each of the subrepositories contains a README with instructions on usage and deployment.

This repository contains the following subrepositories:

● aws_elb_autoscale
○ Deploy a three-tier application.
○ Deploy an external load balancer that sits in front of the PAN firewalls (FWs).
○ Deploy the PAN FW into an auto scale group.
○ Deploy an internal load balancer that sits behind the PAN FW and fronts the web tier.
○ Deploy the Lambda functions to configure the PAN FWs.
● aws_two_tier_no_bootstrap_with_ansible
○ Deploy a two-tier application.
○ Deploy the web instances into a secure subnet.
○ Deploy the PAN FW with interfaces on the untrust, trust, and management subnets.
○ Deploy an application on the backend trust subnets.
○ Configure the VM-Series with Ansible.
○ Invoke Ansible directly from Terraform.
● aws_two_tier
○ Deploy a two-tier application.
○ Deploy the web instances into a secure subnet.
○ Deploy the PAN FW with interfaces on the untrust, trust, and management subnets.
● azure_two_tier_sample
○ Deploy a two-tier application.
○ Deploy the web instances into a secure subnet.
○ Deploy the PAN FW with interfaces on the untrust, trust, and management subnets.
● Automated Terraform and Ansible one-click deployment for AWS and Azure.

2.5.2 Ansible

Ansible is a very powerful open-source automation language. It uses modules to communicate with
vendor-specific devices. What makes Ansible unique is that it is also a deployment and
orchestration tool. Ansible helps provide large productivity gains to a wide variety of automation
challenges. The Palo Alto Networks Ansible integration project utilizes Ansible to help organizations
automate configuration and management of the Palo Alto Networks Platform.

Ansible Quickstart
A collection of Ansible modules are available to automate configuration and operational tasks on
Palo Alto Networks next-generation firewalls—both physical and virtualized form factor. The
underlying protocol uses API calls that are wrapped within the Ansible framework.

● Free software: Apache 2.0 License
● Palo Alto Networks Ansible Collection: https://paloaltonetworks.github.io/pan-os-ansible/
● PANW community supported live page: http://live.paloaltonetworks.com/ansible

You can use the Palo Alto Networks Ansible collection to automate configuration and operational
tasks on Palo Alto Networks next-generation firewalls using the PAN-OS API.

It is available under the Apache 2.0 license.

● https://github.com/PaloAltoNetworks/pan-os-ansible/

Installation
The recommended way to install the modules is to install the Palo Alto Networks Ansible Galaxy
collection:

    ansible-galaxy collection install paloaltonetworks.panos

Then, in your playbooks, you can specify that you want to use the panos collection like so:

    collections:
      - paloaltonetworks.panos
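To make concrete what "API calls wrapped within the Ansible framework" means, here is an added Python example, not part of the study guide and not the pan-os-ansible collection's own code, that drives the PAN-OS XML API directly: a keygen exchange, a config set, and an operational command. The hostname, credentials, key value and the replies served by fake_transport are constructed so the example runs offline; the /api/ query parameters and the <response status=...> envelope are the documented shape of the XML API.

```python
"""
Added example (not from the study guide, not pan-os-ansible code): the PAN-OS XML API
calls that the Ansible modules wrap. The transport is an injected function so the
example runs offline against constructed replies; swapping in an HTTPS client is the
only change needed for a live firewall.
"""
from urllib.parse import urlencode
import xml.etree.ElementTree as ET


class PanosApiError(Exception):
    """Raised when the firewall answers with status="error"."""


class PanosXmlApi:
    def __init__(self, host: str, transport):
        # transport(url) -> response body (str); injected so tests need no network.
        self.base = f"https://{host}/api/"
        self.transport = transport
        self.key = None  # as sensitive as the password: keep it out of logs

    def build_url(self, params: dict) -> str:
        """Compose the /api/ URL; the API key is attached to every call after keygen."""
        if self.key:
            params = {**params, "key": self.key}
        return self.base + "?" + urlencode(params)

    def call(self, params: dict) -> ET.Element:
        """Send one request and return <result> (or the root), raising on status="error"."""
        root = ET.fromstring(self.transport(self.build_url(params)))
        if root.get("status") != "success":
            msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
            raise PanosApiError(msg)
        result = root.find("result")
        return result if result is not None else root

    def keygen(self, user: str, password: str) -> str:
        """type=keygen exchanges credentials for the API key used by later calls."""
        result = self.call({"type": "keygen", "user": user, "password": password})
        self.key = result.findtext("key")
        return self.key

    def set_config(self, xpath: str, element: str) -> None:
        """type=config&action=set writes to the candidate config; commit is a separate call."""
        self.call({"type": "config", "action": "set", "xpath": xpath, "element": element})

    def show_system_info(self) -> dict:
        """type=op with the XML form of 'show system info'."""
        result = self.call({"type": "op", "cmd": "<show><system><info/></system></show>"})
        return {child.tag: (child.text or "") for child in result.find("system")}


# --- Constructed firewall replies (offline stand-in for a real device) -------------
def fake_transport(url: str) -> str:
    if "type=keygen" in url:
        return '<response status="success"><result><key>CONSTRUCTED-KEY</key></result></response>'
    if "type=config" in url and "key=CONSTRUCTED-KEY" in url:
        return '<response status="success" code="20"><msg>command succeeded</msg></response>'
    if "type=op" in url and "key=CONSTRUCTED-KEY" in url:
        return ('<response status="success"><result><system>'
                '<hostname>fw-example</hostname><sw-version>10.2.0</sw-version>'
                '</system></result></response>')
    # Anything without a valid key mirrors the firewall's rejection (constructed text).
    return '<response status="error" code="403"><result><msg>Invalid credentials.</msg></result></response>'


def demo() -> dict:
    """Happy path: keygen, add an address object to vsys1, then read system info."""
    api = PanosXmlApi("fw.example.internal", fake_transport)
    api.keygen("apiuser", "apipass")
    api.set_config(
        "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"
        "/address/entry[@name='web-01']",
        "<ip-netmask>10.0.1.10/32</ip-netmask>",
    )
    return api.show_system_info()


def rejected_message() -> str:
    """Failure path: a call made before keygen is refused by the (constructed) firewall."""
    try:
        PanosXmlApi("fw.example.internal", fake_transport).show_system_info()
    except PanosApiError as err:
        return str(err)
    return ""


if __name__ == "__main__":
    print(demo())
    print("without key:", rejected_message())
```

The status attribute on the root element is the only reliable success signal; HTTP 200 is returned for many error replies, which is why call() inspects the XML rather than the transport status.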

2.5.3 Dynamic responses to threats

Palo Alto Networks regularly posts updates that include new and modified applications, threat
protection, and GlobalProtect data files through dynamic updates. The firewall can retrieve these
updates and use them to enforce policy, without requiring configuration changes. Applications and
Threats content updates deliver the very latest application and threat signatures to the firewall. The
applications portion of the package includes new and modified App-IDs and does not require a
license. The full Applications and Threats content package, which also includes new and modified
threat signatures, requires a Threat Prevention license. As the firewall automatically retrieves and
installs the latest application and threat signatures (based on your custom settings), it starts
enforcing Security policy based on the latest App-IDs and threat protection without any additional
configuration.

New and modified threat signatures and modified App-IDs are released at least weekly and often
more frequently. New App-IDs are released on the third Tuesday of every month.

Key Idea

● In rare cases, publication of the update that contains new App-IDs may be
delayed one or two days.

Because new App-IDs can change how the Security policy enforces traffic, this limited release of
new App-IDs is intended to provide you with a predictable window in which you can prepare and
update your Security policy. Additionally, content updates are cumulative; this means that the latest
content update always includes the application and threat signatures released in previous versions.
Because application and threat signatures are delivered in a single package—the same decoders
that enable application signatures to identify applications also enable threat signatures to inspect
traffic—you need to consider whether you want to deploy the signatures together or separately.
How you choose to deploy content updates depends on your organization’s network security and
application availability requirements. As a starting point, identify your organization as having one of
the following postures (or perhaps both, depending on firewall location):

● An organization with a security-first posture prioritizes protection using the latest threat
signatures over application availability. You are primarily using the firewall for its threat
prevention capabilities. Any changes to App-ID that impact how a Security policy enforces
application traffic are secondary.
● A mission-critical network prioritizes application availability over protection using the latest
threat signatures. Your network has zero tolerance for downtime. The firewall is deployed
inline to enforce security policy, and if you are using App-ID in a Security policy, any change
a content release introduces that affects App-ID could cause downtime.
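As an added example (not from the study guide), the Python below turns the release cadence and the two postures into checkable code: third_tuesday computes the monthly new-App-ID release day named above, is_app_id_release_window allows for the stated one-to-two-day slip, and install_plan decides, per posture, whether a release's new App-IDs are enabled immediately or held. The release version string, the signature counts and the seven-day review period in install_plan are assumptions made for the example, not PAN-OS settings or defaults.

```python
"""
Added example (not from the study guide): helpers around the content-update cadence
and the security-first vs. mission-critical postures. Counts, version string and the
seven-day review period are constructed assumptions, not PAN-OS defaults.
"""
from dataclasses import dataclass
import datetime as dt


def third_tuesday(year: int, month: int) -> dt.date:
    """Date of the third Tuesday of the month (the scheduled new-App-ID release day)."""
    first = dt.date(year, month, 1)
    offset = (1 - first.weekday()) % 7   # weekday(): Monday=0, so Tuesday=1
    return first + dt.timedelta(days=offset + 14)


def is_app_id_release_window(day, slip_days: int = 2) -> bool:
    """True if `day` (date or ISO string) is the third Tuesday or within the slip."""
    if isinstance(day, str):
        day = dt.date.fromisoformat(day)
    release = third_tuesday(day.year, day.month)
    return release <= day <= release + dt.timedelta(days=slip_days)


@dataclass(frozen=True)
class ContentRelease:
    version: str
    released: dt.date
    new_threat_sigs: int
    modified_app_ids: int
    new_app_ids: int


def install_plan(release: ContentRelease, posture: str, today: dt.date) -> dict:
    """Decide how to handle a release under a posture.

    security-first: install immediately with new App-IDs enabled.
    mission-critical: install the threat content but keep new App-IDs disabled
    until an assumed 7-day policy review has elapsed, because a new App-ID can
    change which Security policy rule traffic matches.
    """
    if posture == "security-first":
        return {"install": True, "enable_new_app_ids": True,
                "reason": "latest threat signatures take priority over App-ID churn"}
    if posture == "mission-critical":
        reviewed = today - release.released >= dt.timedelta(days=7)
        if release.new_app_ids == 0:
            reason = "no new App-IDs in this release"
        elif reviewed:
            reason = "review period elapsed; new App-IDs enabled"
        else:
            reason = "new App-IDs held until policy review"
        return {"install": True,
                "enable_new_app_ids": release.new_app_ids == 0 or reviewed,
                "reason": reason}
    raise ValueError(f"unknown posture: {posture}")


def demo() -> dict:
    """Constructed release on the July 2022 App-ID day, evaluated two days later."""
    release = ContentRelease(version="CONSTRUCTED-8580", released=third_tuesday(2022, 7),
                             new_threat_sigs=12, modified_app_ids=5, new_app_ids=3)
    today = release.released + dt.timedelta(days=2)
    return {p: install_plan(release, p, today)
            for p in ("security-first", "mission-critical")}


if __name__ == "__main__":
    print(third_tuesday(2022, 7))  # 2022-07-19
    for posture, plan in demo().items():
        print(posture, plan)
```

The mission-critical branch is where the cumulative nature of content updates matters: holding a release back entirely would also hold back its threat signatures, so the plan installs the package and only defers the App-ID change.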

2.5.4 References
● 4 Ways Cybersecurity Automation Should be Used
https://www.paloaltonetworks.com/cyberpedia/4-ways-cybersecurity-automation-should-be-used
● Infrastructure as Code
https://panos.pan.dev/docs/automation/
● Applications and Threats Content Updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/software-and-content-updates/app-and-threat-content-updates

2.6 Summary of Key Ideas

● For the best instance types for optimal VM-Series capacity and performance, see the
VM-Series Performance and Capacity document.
● While activating credits, always retain for future reference the confirmation email with
subscription details.
● If you deselect a credit pool, you see a reminder that if you want to activate those credits,
you must return to the email and click the Start Activation link.
● Legacy URL Filtering subscription holders are able to continue using their URL Filtering
deployment until the end of the license term.
● Each of the subrepositories contain a README with instructions on usage and deployment.
● In rare cases, publication of the update that contains new App-IDs may be delayed one or
two days.

2.7 Sample Questions

1. Which security service assists file safety by automatically detecting unknown malware?
a. URL Filtering
b. WildFire
c. App-ID
d. Threat Prevention

2. Which profile is used to categorize content?
a. URL Filtering
b. Threat Prevention
c. Zero Trust
d. Data Loss Prevention

3. Ansible is used for what purpose?
a. Providing PAN-OS application signature updates
b. Automating device configuration
c. Optimizing firewall resource consumption
d. Identifying transit traffic

4. Which of the following is a package manager for containers?
a. Terraform
b. Helm
c. Ansible
d. YAML

5. What is the basic operational unit of Kubernetes?
a. Node
b. Container
c. Kubernetes service
d. Pod

6. VM-Series is applicable for which of the following traffic scenarios?
a. Inbound
b. North-south and east-west
c. East-west only
d. Outbound

7. What is the order of Kubernetes constructs from smallest to largest in terms of size and
scope?
a. Node, namespace, pod, cluster
b. Namespace, node, cluster, pod
c. Pod, node, namespace, cluster
d. Pod, node, cluster, namespace

8. Which environment uses software and virtualization to provide network connectivity for
dispersed locations?
a. On-premise
b. SDN
c. SD-WAN
d. Nutanix

9. After deselecting a credit pool, you see a reminder to activate those credits. What will be
your next step?
a. Select the credit pool you want to activate.
b. Deposit credits.
c. Purchase a different credit pool.
d. Return to your email and click the Start Activation link.

Domain 3: Architecture and Planning

3.1 Compare and contrast VM-Series deployment options

The VM-Series firewall is distributed in the Open Virtualization Alliance (OVA) format, a standard
method of packaging and deploying virtual machines. You can install this solution on any x86
device that is capable of running VMware ESXi.

You can deploy any VM-Series model as a guest virtual machine on VMware ESXi. It is ideal for cloud
or networks where a virtual form factor is required.

VM-Series for AWS

You can deploy the VM-Series firewall in the public AWS cloud and AWS GovCloud. You can then
configure it to secure access to the applications that are deployed on EC2 instances and placed into
a VPC on AWS.

The AWS Gateway Load Balancer (GWLB) is an AWS-managed service that allows you to deploy a
stack of VM-Series firewalls and operate them in a horizontally scalable and fault-tolerant manner.
You can then expose the AWS GWLB with the stack of firewalls as a VPC endpoint service for traffic
inspection and threat prevention. By creating GWLB endpoints (GWLBEs) for the VPC endpoint
service, you can easily insert an auto scaling VM-Series firewall stack in the outbound, east-west,
and inbound traffic paths of your applications.

Integrating VM-Series firewalls with GWLB:

● Provides simplified connectivity
● Offers performance at scale
● Is cost-effective

You can deploy any VM-Series model, except the VM-50, on EC2 instances on the AWS Cloud.

VM-Series for Microsoft Azure


VM-Series firewall on Azure brings the security features of the Palo Alto Networks Next-Generation
Firewall as a virtual machine into the Azure Marketplace. It provides a complete set of security
functionality to ensure that your virtual-machine workloads and data are protected. The capabilities
that the firewall enables are different from native security features such as Security Groups, Web
Application Firewalls, and native, port-based firewalls.

On Azure, the VM-Series firewall is available in the bring-your-own-license (BYOL) model or in the
pay-as-you-go (PAYG) hourly model.

Microsoft Azure allows you to deploy the firewall to secure your workloads within the virtual
network in the cloud so that you can deploy a public cloud solution or extend the on-premises IT
infrastructure to create a hybrid solution. For more information on GWLB-based architecture, refer
to section 1.1.

You can deploy any VM-Series model, except the VM-50, on the Azure VNet.

VM-Series for Google Cloud Platform


You can deploy a VM-Series firewall on a Google Compute Engine instance on the Google Cloud
Platform.

You can deploy any VM-Series model, except the VM-50 and the VM-50 Lite, on Google Compute
Engine instances.

Google Cloud Intrusion Detection System (Cloud IDS) is the first network threat detection system
delivered as a native Google Cloud service, built with the industry-leading security technologies of
Palo Alto Networks. Cloud IDS is the result of a year-long joint design and engineering effort
between Google Cloud and Palo Alto Networks that was focused on combining the best-in-class
security of Palo Alto Networks with the simplicity and scale of Google Cloud native services.

Cloud IDS can analyze the raw traffic data from Google Cloud workloads and provide contextually
rich application and threat information. More importantly, organizations can monitor even the
traffic traversing within the VPC boundary using Cloud IDS. This capability complements the
visibility and protection that VM-Series virtual firewalls provide with traffic crossing the VPC
boundary.

Based on this more in-depth inspection, customers can choose to enable alerts for a wide range of
security issues, for example:

● High-priority security alerts: Attacks for known exploits—for example, an attempt to exploit
CVE-2017-5638 for Apache Struts-based web servers running in GCP.
● Traffic to inappropriate, malicious destinations and command-and-control systems:
Detect whether the source/destination is inappropriate or malicious, whether there are
geoblocking restrictions to be met, or whether there is Bitcoin traffic or an SSH session to a
known command-and-control (C2) domain.

VM-Series for Kernel-based Virtual Machine (KVM)

Kernel-based Virtual Machine (KVM) is an open-source virtualization module for servers running
Linux distributions. The VM-Series firewall can be deployed on a Linux server that is running the
KVM hypervisor.

You can deploy any VM-Series model on a Linux server that is running the KVM hypervisor.

VM-Series for Microsoft Hyper-V


The VM-Series firewall can be deployed on a server running Microsoft Hyper-V. Hyper-V is packaged
as a standalone hypervisor or as an add-on/role for Windows Server.

You can deploy any VM-Series model on a Windows Server 2012 R2 server with the Hyper-V role
add-on enabled or a standalone Hyper-V 2012 R2 server.

VM-Series on VMware NSX-T


The VM-Series firewall on VMware NSX-T integrates Palo Alto Networks next-generation firewalls and
Panorama with ESXi host servers to provide comprehensive visibility and safe application
enablement of all north-south traffic in your NSX-T software-defined data center.

You can deploy the VM-100, VM-300, VM-500, or VM-700 in your NSX-T environment.

3.1.1 References
● VM-Series Deployments
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments#idbc049c9e-8fdf-40c3-b70a-00176813948e
● VM-Series for AWS
https://live.paloaltonetworks.com/t5/blogs/vm-series-and-aws-gateway-load-balancer-integration-overview/ba-p/367897
● VM-Series for Azure
https://www.paloaltonetworks.com/blog/network-security/vm-series-azure-gateway-load-balancer/

3.2 Describe CN-Series deployment tool options

CN-Series firewalls can be used to secure traffic between containers within the same cluster, as well
as between containers and other workload types such as virtual machines and bare metal servers.

If you are on the OpenShift environment, see Deploy the CN-Series on OpenShift. For securing 5G
traffic, see Secure 5G With the CN-Series Firewall.

Key Idea

● You need standard Kubernetes tools such as kubectl or Helm to deploy and
manage your Kubernetes clusters, apps, and firewall services. Panorama is not
designed to be an orchestrator for Kubernetes cluster deployment and
management. Templates for cluster management are provided by Managed
Kubernetes providers. Palo Alto Networks provides community-supported
templates for deploying CN-Series with Helm and Terraform.

Refer to the links below to learn about CN-Series Firewalls and the options available for deploying
on different cloud platforms:

● Deploy the CN-Series Firewall with Rancher Orchestration
● Deploy the CN-Series Firewall on GKE
● Deploy the CN-Series Firewall on EKS
● Deploy the CN-Series Firewall as a Kubernetes Service
● Deploy the CN-Series Firewall as a DaemonSet
● Deploy the CN-Series Firewall as a Kubernetes CNF
● Deploy the Kubernetes CNF L3 in Standalone Mode
● Deploy the CN-Series on OpenShift
● Deploy CN-Series Firewalls with a Template

For more details about CN-Series deployment, refer to the CN-Series deployment guide.

Key Idea

● Before moving from deploying CN-Series as a DaemonSet to CN-Series as a
Service or vice versa, you must delete and reapply plugin-serviceaccount.yaml.
○ When you deploy CN-Series as a DaemonSet,
pan-plugin-cluster-mode-secret must not exist.
○ When you deploy CN-Series as a Kubernetes Service,
pan-plugin-cluster-mode-secret must be present.

3.2.1 YAML Ain’t Markup Language (YAML)

YAML is a popular data-serialization language for writing configuration files. It is widely used and
human-readable, which makes it easy to comprehend. Its ability to combine with other programming
languages makes YAML flexible, as well.

YAML is used by the Ansible automation tool for creating automation processes in the form of
Ansible Playbooks because of its adaptability and accessibility.

YAML 3.0.x
CN-Series YAML 3.0.x should be used with the CN-Series running PAN-OS 10.1 or PAN-OS 10.2.

VERSION  WHAT’S NEW

3.0.2    ● Adds support for K8s 1.22 on the CN-Series on AWS EKS. This support also requires
           CN-Series PAN-MGMT-INIT version 3.0.2.

3.0.1    ● Adds support for K8s 1.22 on the CN-Series on all platforms except AWS EKS. This
           support also requires CN-Series PAN-MGMT-INIT version 3.0.1.
         ● Adds support for OpenShift for the CN-Series deployed as a Kubernetes service. This
           requires PAN-CNI 3.0.2 or later.
         ● CN-120: Adds pod affinity for CN-MGMT and CN-NGFW pods in CN-Series deployed in
           CNF mode.

3.2.2 Terraform Templates


The CN-Series deployment repository contains Terraform plans to deploy a GKE, EKS, or AKS cluster.
These plans ensure that the cluster node sizing and CNIs support a CN-Series firewall deployment
within the cluster. The repository also provides a CN-Series firewall deployment plan and a sample
PHP guestbook application that you can secure with the firewall.

3.2.3 Differentiation

The following are differences between Helm and Terraform:

● Terraform is a relatively new Kubernetes provider, while Helm is a mature tool with a tried
and tested Kubernetes capability.
● Terraform does not install anything within the Kubernetes cluster. Helm installs Tiller server
within the cluster and connects it with K8s API.
● Helm cannot install a Kubernetes cluster, whereas Terraform can.
● In modularity terms, Terraform relies on modules, while Helm uses sub-charts.
● Terraform uses the JSON/HCL file format, while Helm uses standard manifests and
Go-templates.
● Terraform maintains Kubernetes objects, while Helm maintains K8s objects.
● Terraform has limited options at runtime, whereas Helm’s Tiller server provides numerous
capabilities at runtime.
● Helm has limited options for environment variables, while Terraform supports environment
variables.
● Terraform modules in the registry do not work on Kubernetes, whereas in Helm, stable and
incubator charts offer a rich set of packages.
● Rolling back with Helm is far easier, but maintaining it can take up precious resources. In
Terraform, rolling back is complex, but takes up only a few resources.

3.2.4 References
● Deploy the CN-Series Firewall
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/deploy-the-cn-series-firewalls
● Deploy CN-Series Firewall With and Without the Helm Repository
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/deploy-the-cn-series-firewalls/deploy-cn-series-firewalls-with-a-template/deploy-cn-series-firewalls-with-helm-charts-and-templates/deploy-cn-series-firewalls-with-and-without-the-helm-repository

3.3 Describe CN-Series sizing, capabilities, and features

The CN-Series firewall is the containerized next-generation firewall that provides visibility and
security for your containerized application workloads on Kubernetes clusters. The CN-Series firewall
uses native Kubernetes constructs and Palo Alto Networks components to make this possible.

Size and Scale Security Based on Immediate Needs—In Minutes


The CN-Series firewalls help you to:

● Match software firewalls and security services with the speed and flexibility needed for
rapidly changing requirements.
● Maximize your ROI on security investments with the industry’s most flexible way to adopt
software NGFWs and security services.
● Discover unmatched flexibility with easy scaling and sizing of VM-Series virtual and
CN-Series container NGFWs, cloud-delivered security services, and VM Panorama for
management and log collection.

Three simple steps let you choose and deploy the right firewalls and security services you need at
any given time:

1. Procure Software NGFW credits.
2. Allocate or reallocate credits across different deployments to activate your choice of security
products and your choice of security services in just minutes.
3. Manage and monitor credits via the Palo Alto Networks Customer Support Portal.

As needs change, you can reallocate Software NGFW credits to new and other
firewall-as-a-platform solutions without having to go through additional procurement cycles.

CN-Series Capabilities
Whatever the security needs of your container environment, the CN-Series is built to deliver the
following:

A. Inline Network Security Visibility and Control

● Threat prevention and sandboxing: Threat Prevention and WildFire services can be
enabled on CN-Series firewalls to block exploits, prevent malware, and stop both
known and unknown advanced threats.

● Exfiltration prevention and URL filtering: The CN-Series enables content inspection
and SSL decryption, preventing sensitive information from leaving your network.
Advanced URL Filtering uses machine learning to categorize URLs and block access
to malicious sites that deliver malware or steal credentials. Automation ensures that
protections are always up to date.

● Flexible tag-based policy model: You can define CN-Series firewall policies by
application, user, content, native Kubernetes labels, and other metadata to deliver
flexible policies aligned with business needs.

B. Automated Deployment and Configuration

● Kubernetes-orchestrated deployment: CN-Series firewalls run as a DaemonSet,
allowing a single command from within Kubernetes to deploy firewalls on all nodes
in a cluster at once.

● DevOps-friendly configuration: All configuration of CN-Series firewalls is specified in
a YAML file and can be easily integrated into infrastructure deployment files for fast,
repeatable deployments. Configuration templates can be found in our official
CN-Series GitHub repository.

● Community-supported Kubernetes Helm chart: For development teams using
Helm to manage their Kubernetes applications, a CN-Series Helm Chart has been
created to simplify firewall deployment and management.

C. Flexible and Consistent CNI Integration

● Simple insertion: The CN-Series supports multiple CNI plugins for use in different
types of Kubernetes deployments.

D. Kubernetes Support for Cloud and On-Premises Environments

● Public cloud: You can deploy CN-Series firewalls in hosted container environments
such as GKE, AKS, Amazon EKS, and Red Hat OpenShift. For detailed platform
support information, refer to the table below.

● On-premises: You can also deploy CN-Series firewalls into Kubernetes environments
hosted on-premises.

Refer to the link below for details on the deployment of the CN-Series in supported
environments.
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments

Table: CN-Series Support Matrix

Product                              Version(s)
Containerized PAN-OS                 9.2.0
Panorama Kubernetes plugin           1.0.0
Container Runtime                    Docker, CRI-O
Native Kubernetes                    1.14-1.18
Cloud Provider-Managed Kubernetes*   OpenShift 4.2, 4.4, 4.5
                                     AWS EKS (1.14-1.17)
                                     Azure AKS (1.14-1.18)
                                     GCP GKE (1.14-1.17)
Customer-Managed Kubernetes†
  Kubernetes Host VM OS              Ubuntu 16.04, 18.04, RHEL/CentOS
  CNI                                CNI Spec 0.3.0 and higher, which supports CNI
                                     chaining (e.g., Calico, Flannel, Weave)

* Recommended versions for Kubernetes, Calico, etc.
† In customer-managed deployments, Kubernetes can be deployed using any orchestrator (e.g., Rancher, Kubespray) and
deployed in a public or private cloud as long as the Kubernetes, CNI, and host OS versions are from the table above.

Virtualization Features

● CN-Series Firewall as a Kubernetes Container Network Function (CNF):

You can now deploy the CN-Series CNF in your Kubernetes environment.

CN-Series-as-a-DaemonSet and CN-Series-as-a-Kubernetes-service deployment modes
provide an automated security deployment and leverage the auto scaling capabilities of
Kubernetes. However, these deployment modes have limited insertion options and do not
support I/O acceleration. In addition, they limit the achievable throughput for the
application pods that require inspection and use multiple network interfaces.

Traditionally, customers have two deployment options based on their operational and
budgetary considerations.

Option 1 - Distributed deployments/DaemonSet deployment mode: One option is to
deploy the CN-Series data plane as a DaemonSet.
Pros:
● Traffic latency is reduced because the CN-Series data plane is deployed per node.
This places security enforcement as close to the workloads as possible while
minimizing traffic latency.
● Pricing is node-based, which simplifies upfront forecasting by reducing the need to
predict throughput requirements for the firewall.
Cons:
● Compute resources will need to be allocated on every node to the firewalls, making
this a resource-intensive option.
● Cost prohibitive in large environments due to the number of firewalls required.

Option 2 - Clustered deployments/Kubernetes Service Deployment Mode: You can
deploy the CN-Series data plane as a native Kubernetes service in a dedicated security node.
Pros:
● Kubernetes-native auto scale capabilities are leveraged to elastically scale CN-Series
deployments.
● Compute efficiency is maximized by allowing Kubernetes to deploy CN-Series
firewalls based on available resources.
● This option is cost-effective due to the need for fewer firewalls.
Cons:
● Network latency is potentially increased due to traffic hairpinning.

Option 3 - CN-Series as a Kubernetes CNF: Deploying the CN-Series as a Kubernetes CNF
resolves these challenges. In the CN-Series-as-a-Kubernetes-CNF mode of deployment, traffic
is steered to the firewall through Service Function Chaining (SFC) by external entities such as
a cloud provider's native routing, vRouters, and top-of-rack (ToR) switches, so the application
pods are not impacted.

Benefits:
● Both containerized and non-containerized workloads are protected.
● Network deployment options are expanded for public and private clouds.
● Traffic is secured more efficiently and may experience performance increases.

For more information, see Deploying the CN-Series Firewall as a Kubernetes-CNF.

● HA Support for CN-Series Firewall as a Kubernetes CNF:

High availability (HA) is a configuration in which two firewalls are placed in a group and their
configuration is synchronized to prevent a single point of failure on your network. A
heartbeat connection between the firewall peers ensures seamless failover if a peer goes
down. Setting up the firewalls in a two-device cluster provides redundancy and allows you to
ensure business continuity.

You can now deploy the CN-Series as a Kubernetes CNF in HA. This mode of deployment
supports only active/passive HA with session and configuration synchronization.

When you deploy the CN-Series as a Kubernetes CNF in HA, there will be two
PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files each, one set
for active node and one for passive node.

For more information, see High Availability Support for deploying the CN-Series Firewall as a
Kubernetes CNF.

● HA Support for CN-Series Firewall on AWS EKS

To ensure redundancy, you can deploy the CN-Series firewalls on AWS in an active/passive
HA configuration. The active peer continuously synchronizes its configuration and session
information with the identically configured passive peer. A heartbeat connection between
the two devices ensures failover if the active device goes down. You can deploy the
CN-Series firewall on AWS EKS in HA through secondary IP move.

To ensure that all traffic to your internet-facing applications passes through the firewall, you
can configure AWS ingress routing. This capability allows you to associate route tables with
the AWS internet gateway and add route rules to redirect the application traffic through the
CN-Series firewall.

This redirection ensures that all internet traffic passes through the firewall without having to
reconfigure the application endpoints.

When the active peer goes down, the passive peer detects this failure and becomes active.
Additionally, it:

○ Triggers API calls to the AWS infrastructure to move the configured secondary IP
addresses from the data-plane interfaces of the failed peer to itself
○ Updates the route tables to ensure that traffic is directed to the active firewall
instance

These two operations ensure that inbound and outbound traffic sessions are restored after
failover. The HA configuration allows you to take advantage of Data Plane Development Kit
(DPDK) to improve the performance of your CN-Series firewall instances.

AWS requires that all API requests be cryptographically signed using credentials issued by
AWS. To enable API permissions for the CN-Series firewalls that will be deployed as an HA
pair, you must create a policy and attach that policy to a role in the AWS Identity and
Access Management (IAM) service. The role must be attached to the CN-Series firewalls at
launch. The policy gives the IAM role permission to initiate the API actions required to
move interfaces or secondary IP addresses from the active peer to the passive peer when
failover is triggered.

The devices in an HA pair can be assigned a device priority value to indicate which device
should assume the active role and manage traffic upon failover. If you need a specific device
in the HA pair to actively secure traffic, you must enable preemptive behavior on both
firewalls and assign a device priority value to each device. The device with the lower
numerical value, and therefore higher priority, is designated as active and manages all traffic
on the network. The other device is in a passive state and synchronizes configuration and
state information with the active device so that it is ready to transition to an active state
should a failure occur.

For more information, see High Availability support for CN-Series Firewall on AWS EKS.
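As an added illustration (not Palo Alto Networks code), the following Python models the two infrastructure operations the surviving peer performs after failover, the secondary IP move and the route table update, using the request and response shapes the boto3 EC2 client exposes. The client is passed in so the logic runs offline against the in-memory FakeEC2; interface IDs, addresses, route tables and the IAM action list are constructed for the example, and a real deployment uses the policy from the Palo Alto Networks documentation.

```python
# IAM actions this example's failover code issues (constructed minimal list for
# the example; real deployments use the policy from the Palo Alto Networks docs).
FAILOVER_IAM_ACTIONS = (
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeRouteTables",
    "ec2:AssignPrivateIpAddresses",
    "ec2:ReplaceRoute",
)


def failover_iam_policy(actions=FAILOVER_IAM_ACTIONS):
    """IAM policy document granting only what the failover below needs.
    Describe* calls require Resource "*"; scope the mutating actions to your
    ENI and route-table ARNs where your account layout allows it."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def secondary_ips(ec2, eni_id):
    """Non-primary private IPv4 addresses currently attached to an ENI."""
    resp = ec2.describe_network_interfaces(NetworkInterfaceIds=[eni_id])
    addrs = resp["NetworkInterfaces"][0].get("PrivateIpAddresses", [])
    return [a["PrivateIpAddress"] for a in addrs if not a.get("Primary")]


def move_secondary_ips(ec2, failed_eni, surviving_eni):
    """Step 1: move the failed peer's secondary IPs to the surviving data-plane ENI."""
    ips = secondary_ips(ec2, failed_eni)
    if ips:
        # AllowReassignment lets EC2 detach the addresses from the failed ENI.
        ec2.assign_private_ip_addresses(NetworkInterfaceId=surviving_eni,
                                        PrivateIpAddresses=ips, AllowReassignment=True)
    return ips


def repoint_routes(ec2, route_table_ids, failed_eni, surviving_eni):
    """Step 2: rewrite every IPv4 route that still targets the failed ENI."""
    changed = []
    for table in ec2.describe_route_tables(RouteTableIds=list(route_table_ids))["RouteTables"]:
        for route in table.get("Routes", []):
            cidr = route.get("DestinationCidrBlock")
            if cidr and route.get("NetworkInterfaceId") == failed_eni:
                ec2.replace_route(RouteTableId=table["RouteTableId"],
                                  DestinationCidrBlock=cidr, NetworkInterfaceId=surviving_eni)
                changed.append((table["RouteTableId"], cidr))
    return changed


def failover(ec2, eni_pairs, route_table_ids):
    """Run both steps for each (failed_eni, surviving_eni) data-plane pair."""
    summary = {"moved_ips": {}, "routes": []}
    for failed_eni, surviving_eni in eni_pairs:
        summary["moved_ips"][surviving_eni] = move_secondary_ips(ec2, failed_eni, surviving_eni)
        summary["routes"] += repoint_routes(ec2, route_table_ids, failed_eni, surviving_eni)
    return summary


class FakeEC2:
    """In-memory stand-in for the boto3 EC2 client methods used above."""

    def __init__(self, enis, route_tables):
        self.enis = enis                  # eni_id -> [{"PrivateIpAddress", "Primary"}]
        self.route_tables = route_tables  # rtb_id -> [{"DestinationCidrBlock", "NetworkInterfaceId"}]

    def describe_network_interfaces(self, NetworkInterfaceIds):
        return {"NetworkInterfaces": [{"NetworkInterfaceId": i, "PrivateIpAddresses": self.enis[i]}
                                      for i in NetworkInterfaceIds]}

    def assign_private_ip_addresses(self, NetworkInterfaceId, PrivateIpAddresses, AllowReassignment=False):
        for ip in PrivateIpAddresses:
            owner = next((e for e, addrs in self.enis.items()
                          if any(a["PrivateIpAddress"] == ip for a in addrs)), None)
            if owner == NetworkInterfaceId:
                continue  # already on the target ENI
            if owner is not None:
                if not AllowReassignment:
                    raise RuntimeError(f"{ip} is in use by {owner}")  # mirrors the EC2 error
                self.enis[owner] = [a for a in self.enis[owner] if a["PrivateIpAddress"] != ip]
            self.enis[NetworkInterfaceId].append({"PrivateIpAddress": ip, "Primary": False})
        return {}

    def describe_route_tables(self, RouteTableIds):
        return {"RouteTables": [{"RouteTableId": r, "Routes": self.route_tables[r]} for r in RouteTableIds]}

    def replace_route(self, RouteTableId, DestinationCidrBlock, NetworkInterfaceId):
        for route in self.route_tables[RouteTableId]:
            if route["DestinationCidrBlock"] == DestinationCidrBlock:
                route["NetworkInterfaceId"] = NetworkInterfaceId
        return {}


def sample_environment():
    """Constructed HA pair: the active peer owns secondary IP 10.0.1.100 and an ingress route."""
    enis = {"eni-active": [{"PrivateIpAddress": "10.0.1.10", "Primary": True},
                           {"PrivateIpAddress": "10.0.1.100", "Primary": False}],
            "eni-passive": [{"PrivateIpAddress": "10.0.1.11", "Primary": True}]}
    route_tables = {"rtb-igw": [{"DestinationCidrBlock": "10.0.2.0/24", "NetworkInterfaceId": "eni-active"},
                                {"DestinationCidrBlock": "10.0.9.0/24", "NetworkInterfaceId": "eni-other"}]}
    return FakeEC2(enis, route_tables)
```

With boto3, `failover(boto3.client("ec2"), [("eni-xxxx", "eni-yyyy")], ["rtb-zzzz"])` issues the same calls against the real API.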

● DPDK Support for CN-Series Firewall

The Kubernetes CNF mode of CN-Series now supports Data Plane Development Kit (DPDK)
and allows the application pods to use DPDK. DPDK enables fast packet processing in
data-plane applications by bypassing multiple layers of kernel networking stacks and
communicating directly with the network hardware.

See Configure DPDK on CN-Series Firewall for instructions to set up DPDK.

● DaemonSet (vWire) IPv6 Support

In the Kubernetes DaemonSet mode, application pods can have IPv4 and IPv6 addresses on
either one or many interfaces in a Multus environment. If the application pods have
IPv6 addresses, you can still secure those interfaces using the Kubernetes DaemonSet mode.

Additionally, with the Kubernetes plugin supporting DAG-to-IPv6 address mapping, you can
use DAGs for Security policy.

Key Idea

● IPv6 addresses are supported only in the k8s-Daemonset mode, not in the
k8s-CNF or k8s-service mode.

● Panorama Plugin for Kubernetes 3.0.0

The Kubernetes 3.0.0 plugin supports the following functionalities:

○ Retrieve IPv6 Addresses for Multus CNI Setup

In a Multus CNI setup, each pod has multiple interfaces, and these interfaces can
have IPv6 or IPv4 addresses. The Kubernetes 3.0.0 plugin queries and collects the
IPv4 and IPv6 addresses for Multus CNI.

○ Tag Pruning

Tag pruning increases the scalability of the plugin and the number of tags that the
plugin collects. It enables the plugin to collect a larger number of tags and push
them to Panorama without IP addresses. Panorama has a 10MB payload limitation;
with tag pruning, the plugin can send empty tags to Panorama and send IP
addresses only for tags that are used in Security policies. In the case of a shared
device group on Panorama, the plugin cannot learn the DAGs, and hence the IP
addresses will not be pushed.

○ Service Account Validation

The Kubernetes 3.0.0 plugin supports service account file validation as a pre-commit,
where the validation takes place after the user adds a service account file and
commits the credentials. By using this method, the plugin can implement periodic
checks for service accounts and update their status accordingly.

○ Dashboard
For tags not used in device-group Security policies, Panorama holds only the tags,
without IP addresses. With tag pruning, the plugin pushes the IP/tag mappings to
the plugin UI, and you can navigate the Dashboard to see the IP/tag mappings. You
have the option to view the IP addresses (IPv4 and IPv6) associated with all tags
learnt by the plugin and then look up the tags associated with each IP address by
clicking Associated tags.

The Kubernetes 3.0.0 plugin works only with Panorama 10.2 and PAN-OS 10.2 devices.
However, it can manage 10.1 firewall devices on 10.2 Panorama.

Key Idea
● To upgrade to the Kubernetes 3.0.0 plugin, download it and upgrade your
Panorama to 10.2. This will automatically install the downloaded plugin. However,
if you have not downloaded the plugin before upgrading Panorama, the
upgrade will be stopped.
● You cannot use the Kubernetes 2.0.0 plugin with Panorama 10.2.
● You will find four default templates on Panorama after downgrading the
Kubernetes 3.0.0 plugin. The unnecessary templates can be deleted manually.
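The following Python is an added example (not the Panorama plugin's code) of the collection and pruning behaviour described above for the Multus IPv6 retrieval and the tag pruning features: it reads IPv4 and IPv6 addresses from the standard Multus network-status annotation, builds IP/tag mappings, sends addresses only for tags used in Security policy, and refuses to push a payload over the 10MB limit. The pod objects, the tag naming convention and the set of policy tags are constructed assumptions.

```python
import ipaddress
import json

# Standard Multus CNI annotation listing every pod interface with its IPs.
MULTUS_NETWORK_STATUS = "k8s.v1.cni.cncf.io/network-status"
# Panorama payload limit cited in the study guide (10 MB).
PANORAMA_PAYLOAD_LIMIT = 10 * 1024 * 1024
# Constructed tag naming convention for this example (not the plugin's own format).
TAG_PREFIX = "k8s"


def collect_pod_ips(pod):
    """Return the set of valid IPv4 and IPv6 addresses of a pod.
    Multus pods carry a network-status annotation with one entry per interface;
    a missing or malformed annotation falls back to status.podIPs / status.podIP."""
    found = set()
    raw = pod.get("metadata", {}).get("annotations", {}).get(MULTUS_NETWORK_STATUS)
    if raw:
        try:
            for entry in json.loads(raw):
                found.update(entry.get("ips", []))
        except (ValueError, TypeError, AttributeError):
            pass  # malformed annotation: rely on the pod status below
    status = pod.get("status", {})
    found.update(item.get("ip", "") for item in status.get("podIPs", []))
    if status.get("podIP"):
        found.add(status["podIP"])
    valid = set()
    for ip in found:
        try:
            valid.add(str(ipaddress.ip_address(ip)))  # normalises the textual form
        except ValueError:
            continue  # drop anything that is not an IP address
    return valid


def pod_tags(pod):
    """Derive registration tags from a pod's namespace and labels."""
    meta = pod.get("metadata", {})
    ns = meta.get("namespace", "default")
    tags = {f"{TAG_PREFIX}.ns.{ns}"}
    for key, value in meta.get("labels", {}).items():
        tags.add(f"{TAG_PREFIX}.{ns}.{key}.{value}")
    return tags


def build_ip_tag_mappings(pods):
    """Map each learnt tag to the set of IPs of the pods carrying it."""
    mappings = {}
    for pod in pods:
        ips = collect_pod_ips(pod)
        for tag in pod_tags(pod):
            mappings.setdefault(tag, set()).update(ips)
    return mappings


def _ip_sort_key(ip):
    addr = ipaddress.ip_address(ip)
    return (addr.version, int(addr))  # IPv4 first, then IPv6, each in numeric order


def prune_mappings(mappings, policy_tags=None):
    """Tag pruning: every learnt tag is registered (so it stays selectable in a
    DAG match rule), but only tags referenced by a Security policy carry IPs.
    policy_tags=None disables pruning, which shows the payload saving."""
    pruned = {}
    for tag, ips in mappings.items():
        keep = policy_tags is None or tag in policy_tags
        pruned[tag] = sorted(ips, key=_ip_sort_key) if keep else []
    return pruned


def payload_bytes(pruned):
    """Size of the JSON payload that would be pushed to Panorama."""
    return len(json.dumps(pruned, sort_keys=True).encode("utf-8"))


def registration_payload(pods, policy_tags):
    """Full pipeline: collect, prune, and refuse to push an oversized payload."""
    pruned = prune_mappings(build_ip_tag_mappings(pods), policy_tags)
    size = payload_bytes(pruned)
    if size > PANORAMA_PAYLOAD_LIMIT:
        raise ValueError(f"payload of {size} bytes exceeds the Panorama limit")
    return pruned


# Constructed sample pods, shaped like Kubernetes API objects.
SAMPLE_PODS = [
    {"metadata": {"name": "web-1", "namespace": "shop", "labels": {"app": "web"},
                  "annotations": {MULTUS_NETWORK_STATUS: json.dumps([
                      {"name": "cbr0", "interface": "eth0", "ips": ["10.244.1.5"], "default": True},
                      {"name": "shop/v6-net", "interface": "net1", "ips": ["2001:db8:1::5"]}])}},
     "status": {"podIP": "10.244.1.5"}},
    {"metadata": {"name": "logger-1", "namespace": "ops", "labels": {"app": "logger"},
                  "annotations": {MULTUS_NETWORK_STATUS: "not json"}},  # malformed on purpose
     "status": {"podIP": "10.244.3.2"}},
]
# Tags referenced by Security policy rules (constructed).
POLICY_TAGS = {"k8s.shop.app.web"}
```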

● L3 IPv4 Support for CN-Series

With the Kubernetes CNF, the CN-Series now supports traffic through a vRouter, where
static routes are configured to redirect traffic to the data-plane interfaces of the firewall. For
the reverse direction, the traffic is redirected to the same firewall using Layer 3 policy-based
routing (PBR) with IPv4 addresses. IP addresses for the interfaces in a K8s environment are
typically programmed through the CNI using DHCP.

In Kubernetes CNF mode, only one CN-NGFW pod is supported with a CN-MGMT pod.

The CN-Series supports static and connected routes and the BGP protocol. OSPF is supported
in Native/OnPrem environments but not on public clouds, due to a limitation in the cloud
infrastructure. Bidirectional Forwarding Detection (BFD) and tunnel interfaces are not
supported.

Key Idea
● vWire can still be used on data-plane ports where an external ToR is configured to
manage L1 PBR.

● Support for 47 Data-Plane Cores in VM-Series and CN-Series Firewalls

Starting with PAN-OS 10.2, VM-Series and CN-Series firewalls support a maximum of 47
data-plane cores. Increasing the number of data-plane cores improves performance.

Key Idea
● For VM-Series, if you have NUMA performance optimization enabled with custom
data-plane core settings, the NUMA setting takes precedence.
For more information, see Enable NUMA Performance Optimization on
VM-Series.

3.3.1 References
● CN-Series Supported Scale Factors
https://docs.paloaltonetworks.com/content/techdocs/en_US/cn-series/10-0/cn-series-deployment/cn-series-supported-scale-factors.html#ida75c6278-e6db-488c-acf2-855d5cee3b18
● CN-Series Capabilities
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/cn-series-container-firewall
● Virtualization features
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/virtualization-features

3.4 Explain various segmentation models, including east-west and north-south segmentation
design per CNet, VNet, and pod

Workload
A workload can be broadly defined as the resources and processes needed to run an application.
Hosts, virtual machines, and containers are a few examples of workloads.

Companies can run workloads across data centers and hybrid cloud and multicloud environments.
Most organizations' applications are becoming increasingly distributed across different cloud native
compute architectures, based on business needs.

Beyond Perimeter Security

Perimeter security makes up a significant part of most organizations’ network security controls.
Network security devices such as network firewalls inspect “north-south” (client-to-server) traffic
that crosses the security perimeter, and they stop bad traffic. Assets within the perimeter are
implicitly trusted, and thus “east-west” (workload-to-workload) traffic may go without inspection.

For most organizations, east-west communications make up the majority of data-center and cloud
traffic patterns. Because perimeter-focused defenses do not have visibility into east-west traffic,
malicious actors use this as an opportunity to move laterally across workloads.

The network creates reliable pathways between workloads. Microsegmentation creates isolation
and determines whether two endpoints should access each other. Enforcing segmentation with
least-privileged access reduces the scope of lateral movement and contains data breaches.

Network Segmentation Challenges
Network segmentation is an approach that divides a network into multiple smaller segments. This
comes with the following benefits:

● Performance: Subdividing the network into smaller subnets and VLANs reduces the scope
of broadcast packets and improves network performance.
● Security: Network security teams can apply access control lists (ACLs) to VLANs and subnets
to isolate machines on different network segments. In the event of a data breach, ACLs can
prevent the threat from spreading to other network segments.

Leveraging network segmentation for security purposes comes with challenges. Often
segmentation needs don’t match the network architecture. Re-architecting the networks or
reconfiguring VLANs and subnets to meet segmentation requirements is difficult and consumes a
lot of time.

Microsegmentation, also referred to as Zero Trust or identity-based segmentation, delivers on
segmentation requirements without the need to re-architect. Security teams can isolate workloads
in a network to limit the effect of malicious lateral movement.

Microsegmentation controls fall into three categories:

● Agent-based solutions use a software agent on the workload and enforce granular isolation
to individual hosts and containers. Agent-based solutions may leverage the built-in
host-based firewall or derive isolation abilities based on workload identity or attributes.
● Network-based segmentation controls rely on the network infrastructure. This style
leverages physical and virtual devices, such as load-balancers, switches, software-defined
networks (SDNs), and overlay networks to enforce policy.
● Native cloud controls leverage capabilities embedded in the cloud service provider (e.g.,
Amazon security group, Azure firewall, or Google Cloud firewall).

Microsegmentation helps provide consistent security across private and public clouds alike by
virtue of three key principles: visibility, granular security, and dynamic adaptation. For more details,
visit Section 1.4.

Benefits of Microsegmentation
Organizations that adopt microsegmentation realize tangible benefits:

● Reduced attack surface: Microsegmentation provides visibility into the complete network
environment without slowing development or innovation. Application developers can
integrate Security policy definition early in the development cycle and ensure that neither
application deployments nor updates create new attack vectors. This is particularly
important in the fast-moving world of DevOps.

● Improved breach containment: Microsegmentation gives security teams the ability to
monitor network traffic against predefined policies as well as shorten the time to respond to
and remediate data breaches.

● Stronger regulatory compliance: Using microsegmentation, regulatory officers can create
policies that isolate systems subject to regulations from the rest of the infrastructure.
Granular control of communications with regulated systems reduces the risk of
noncompliant usage.

● Simplified policy management: Moving to a microsegmented network or Zero Trust
security model provides an opportunity to simplify policy management. Some
microsegmentation solutions offer automated application discovery and policy suggestions
based on learned application behavior.

Use Cases

The range of use cases for microsegmentation is vast and growing. Here are some representative
examples:

● Development and production systems: In the best-case scenario, organizations carefully
separate development and test environments from production systems. However, these
measures may not prevent careless activity, such as developers taking customer information
from production databases for testing. Microsegmentation can enforce a more disciplined
separation by granularly limiting connections between the two environments.

● Security for soft assets: Companies have a huge financial and reputational incentive to
protect “soft” assets, such as confidential customer and employee information, intellectual
property, and company financial data. Microsegmentation adds another level of security to
guard against exfiltration and other malicious actions that can cause downtime and
interfere with business operations.

● Hybrid cloud management: Microsegmentation can provide seamless protection for
applications that span multiple clouds and implement uniform security policies across
hybrid environments composed of multiple data centers and cloud service providers.

● Incident response: As noted earlier, microsegmentation limits lateral movement of threats
and the impact of breaches. In addition, microsegmentation solutions provide log
information to help incident response teams better understand attack tactics and telemetry
to help pinpoint policy violations to specific applications.

3.4.1 References

● What is Microsegmentation?
paloaltonetworks.com/cyberpedia/what-is-microsegmentation

3.5 Describe the concept of growth planning with Kubernetes

The scale numbers for the components required to secure Kubernetes workloads with the
CN-Series are listed in the following sections:

● Scale Supported on the CN-Series Components
● Scale Supported on the Kubernetes Plugin on Panorama
● CN-Series Key Performance Metrics

3.5.1 References

● CN-Series Firewall for Kubernetes
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes

3.6 Describe placement considerations of Layer 2 and Layer 3 deployments

A virtual wire interface will allow Layer 2 and Layer 3 packets from connected devices to pass
transparently if the policies applied to the zone or interface allow the traffic. The virtual wire
interfaces themselves do not participate in routing or switching.

For example, the firewall does not decrement the time to live (TTL) in a traceroute packet going
over the virtual link because the link is transparent and does not count as a hop. Packets such as
Operations, Administration, and Maintenance (OAM) protocol data units (PDUs), for example, do not
terminate at the firewall. Thus, the virtual wire allows the firewall to maintain a transparent
presence acting as a pass-through link, while still providing security, NAT, and QoS services.

For bridge protocol data units (BPDUs) and other Layer 2 control packets (which are typically
untagged) to pass through a virtual wire, the interfaces must by default be attached to a virtual
wire object that allows untagged traffic. If the virtual wire object Tag Allowed field is empty, the
virtual wire allows untagged traffic.

For routing (Layer 3) control packets to pass through a virtual wire, you must apply a Security policy
rule that allows the traffic to pass through. For example, apply a Security policy rule that allows an
application such as BGP or OSPF.

Layer 2 Deployment

In a Layer 2 deployment, the firewall provides switching between two or more networks. You must
assign a group of interfaces to a common VLAN object for the firewall to switch between them.
Choose this option when switching is required.

Figure: Layer 2 Deployment

Key Idea

● Firewalls in Layer 2 or virtual wire mode can inspect and provide threat
prevention for tagged or untagged traffic.

A design consideration for implementing Layer 2 interfaces is whether or not you need to segregate
all virtual machines from each other. A Software NGFW can perform this segregation on the
network by manipulating VLAN tags and preserving the existing Layer 3 gateways. The basis for this
design is providing maximum flexibility with regard to VM-Series placement, guest VM protection,
and the inherent networking capabilities of the selected cloud.

The following documents describe the different types of Layer 2 interfaces you can configure for
each type of deployment, including details on using virtual LANs (VLANs) for traffic and policy
separation among groups, and how the firewall rewrites the inbound port VLAN ID number in a
Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU).

● Layer 2 Interfaces with No VLANs
● Layer 2 Interfaces with VLANs
● Configure a Layer 2 Interface
● Configure a Layer 2 Interface, Subinterface, and VLAN
● Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Deployment
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires
that you assign an IP address to each interface and configure virtual routers to route the traffic.
Choose this option when routing is required.

Figure: Layer 3 Deployment

Key Idea

● Layer 3 interfaces allow traffic to be routed between network segments, while
having the firewall apply a full suite of security features to inspect traffic for
potential threats.

The following documents describe how to configure Layer 3 interfaces and how to use Neighbor
Discovery Protocol (NDP) to provision IPv6 hosts and view the IPv6 addresses of devices on the link
local network to quickly locate devices.

● Configure Layer 3 Interfaces
● Manage IPv6 Hosts Using NDP

3.6.1 References
● Layer 2 and Layer 3 Packets over a Virtual Wire
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces/layer-2-and-layer-3-packets-over-a-virtual-wire
● Layer 2 Interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/layer-2-interfaces
● Layer 3 Interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/layer-3-interfaces

3.7 Summary of Key Ideas

● You need standard Kubernetes tools such as kubectl or Helm to deploy and manage your
Kubernetes clusters, apps, and firewall services. Panorama is not designed to be an
orchestrator for Kubernetes cluster deployment and management. Templates for cluster
management are provided by Managed Kubernetes providers. Palo Alto Networks provides
community-supported templates for deploying CN-Series with Helm and Terraform.
● Before moving from deploying CN-Series as a DaemonSet to CN-Series as a Service or vice
versa, you must delete and reapply plugin-serviceaccount.yaml.
○ When you deploy CN-Series as a DaemonSet, pan-plugin-cluster-mode-secret must
not exist.
○ When you deploy CN-Series as a Kubernetes service, pan-plugin-cluster-mode-secret
must be present.

● IPv6 addresses are supported only in the k8s-Daemonset mode, not in the k8s-CNF or
k8s-service mode.
● To upgrade to the Kubernetes 3.0.0 plugin, download it and upgrade your Panorama to 10.2.
This will automatically install the downloaded plugin. However, if you have not downloaded
the plugin before upgrading Panorama, the upgrade will be stopped.
● You cannot use the Kubernetes 2.0.0 plugin with Panorama 10.2.
● You will find four default templates on Panorama after downgrading the Kubernetes 3.0.0
plugin. The unnecessary templates can be deleted manually.
● vWire can still be used on data-plane ports where an external ToR is configured to manage
L1 PBR.
● For VM-Series, if you have NUMA performance optimization enabled with custom
data-plane core settings, the NUMA setting takes precedence.
For more information, see Enable NUMA Performance Optimization on VM-Series.
● Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for
tagged or untagged traffic.
● Layer 3 interfaces allow traffic to be routed between network segments while having the
firewall apply a full suite of security features to inspect traffic for potential threats.

3.8 Sample Questions

1. Threat Prevention and WildFire services enabled on CN-Series firewalls: (Choose three.)
a. Block exploits
b. Prevent malware
c. Ensure that protections are always up to date
d. Stop only known advanced threats
e. Stop both known and unknown advanced threats

2. Where can you download Configuration templates?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

3. CN-Series as a Kubernetes CNF in HA mode of deployment supports _______ with session
and configuration synchronization.
a. Active/active HA
b. Active/passive HA
c. Passive/passive HA
d. 1:n/n:1

4. How many default templates can you find on Panorama after downgrading the Kubernetes
plugin from 3.0.0?
a. Five
b. Four
c. Two
d. Six

5. In Kubernetes CNF mode, which protocol is supported on Native/OnPrem environments, but
not on public clouds?
a. BGP
b. BFD
c. Tunnel interface
d. OSPF

6. Which mode of deployment allows the firewall to route traffic between multiple ports?
a. Tap mode
b. Layer 2
c. Virtual wire
d. Layer 3

7. Which threat detection system can monitor the traffic traversing within the VPC boundary?
a. Advanced URL Filtering
b. Cloud IDS
c. Threat monitoring
d. Global Protect

8. After git cloning the repository from GitHub, what do you need to do immediately to deploy
the CN-Series firewall?
a. Change into a local directory for the cloned repository.
b. Change to the subdirectory for your deployment.
c. Edit the values.yaml file.
d. Generate the VM auth key on Panorama.

9. VM-Series can be deployed on which three of the following platforms? (Choose three.)
a. XenServer
b. NSX-T
c. AWS
d. Azure
e. On-Premises

10. In which layer is the firewall capable of inspecting and providing threat prevention for
tagged or untagged traffic?
a. Layer 3
b. Layer 7
c. Layer 4
d. Layer 2

Domain 4: Demonstration and Evaluation
4.1 Create, apply, and upgrade licenses

Installing licenses
Every instance of Panorama requires valid licenses that entitle you to manage firewalls and obtain
support. Before you can begin using Panorama for centralized management, logging, and
reporting, you are required to register, activate, and retrieve the Panorama device management
and support licenses. The Firewall Device Management license enforces the maximum number of
firewalls that Panorama can manage. This license is based on firewall serial numbers and enables
Panorama software updates and dynamic content updates such as the updates for the latest
Applications and Threats signatures. Remember, Panorama virtual appliances on AWS and Azure
must be purchased from Palo Alto Networks and cannot be purchased on the AWS or Azure
marketplaces.

After upgrading your Panorama virtual appliance, you are prompted if:

● A capacity license has not been successfully installed, or
● The total number of firewalls being managed by Panorama exceeds the device
management license.

In both cases, you have 180 days from the date of upgrade to install a valid device management
license if no license has been installed. If the number of managed firewalls exceeds the device
management license, you have 180 days to delete firewalls to meet the device management license
requirements or to upgrade your device management license. All commits fail if a valid device
management license is not installed, or the existing device management license limit is not met,
within 180 days of the upgrade. To purchase a device management license, contact your Palo Alto
Networks sales representative or authorized reseller.

Key Idea

● If you are running an evaluation license for firewall management on your
Panorama virtual appliance and want to apply a Panorama license that you
purchased, perform the tasks Register Panorama and Activate/Retrieve a Firewall
Management License when the Panorama Virtual Appliance is
Internet-connected.
● Panorama can manage firewalls and collect logs even when the support license
expires. However, in that case, software and content updates will be unavailable.
The software and content versions on Panorama must be the same or later than
the versions on the managed firewalls; otherwise, errors will occur. For details, see
Panorama, Log Collector, Firewall, and WildFire Version Compatibility.

You can migrate VM-ELA or perpetual virtual Panorama licensing to Software Next-Generation
Firewall (Software NGFW) licensing. The steps depend on whether Panorama can reach the
Customer Support Portal (CSP); procedures exist for:

● A standalone Panorama with access to the CSP
● A Panorama HA pair that can access the CSP
● A standalone Panorama that cannot access the CSP
● An HA pair that cannot access the CSP

Use the following procedure when Panorama can access the CSP:

1. Select Assets > Software NGFW Credits and click the Details link on the credit pool you
used to create your profile.
2. On the far right, click the vertical ellipsis (More Options) and select Provision Panorama and
then click Migrate Existing.
The CSP displays all virtual Panorama devices associated with your account.
3. Select the check box for each virtual Panorama to be migrated.
4. Click Migrate.
Verify that the Current Support Expiration Date has been updated. Additionally, you can
expand each row to view the individual licenses applied to the selected Panorama.

Complete the following procedure to migrate a standalone Panorama that cannot access the CSP
to a flexible license:

1. On your Panorama, upgrade if necessary, and note the serial number and the current
support expiration date.
2. In the CSP, select Assets > Software NGFW Credits and click the Details link on a credit
pool. Select a deployment profile or create one.
3. On the far right, click the vertical ellipsis (More Options), select Provision Panorama, and
select Migrate Existing.
The CSP displays all virtual Panorama devices associated with your account.
4. Select each virtual Panorama to be migrated and click Migrate.
5. On Panorama, replace the serial number with the serial number from the Panorama you
provisioned in the CSP. Wait one minute, then refresh the page.
6. In the CSP, select your provisioned Panorama and download all licenses: the support license,
the management license, and, if your deployment profile includes it, the license for
Panorama as a log manager. Securely transfer the license files to your Panorama.
7. Upload all Software NGFW licenses.
8. Verify that the Current Support Expiration Date has been updated. Additionally, you can
expand each row to view the support license and/or logging license applied to the selected
Panorama.

Install Content Updates and Software Upgrades for Panorama

A valid support subscription enables access to the Panorama software image and release notes. To
take advantage of the latest fixes and security enhancements, upgrade to the latest software and
content updates that your reseller or a Palo Alto Networks Systems Engineer recommends for your
deployment. The procedure to install software and content updates depends on whether
Panorama has a direct connection to the internet and whether it has an HA configuration. See the
following documents for more details:

● Upgrade Panorama with an Internet Connection
● Upgrade Panorama Without an Internet Connection
● Install Content Updates Automatically for Panorama without an Internet Connection
● Upgrade Panorama in an HA Configuration
● Migrate Panorama Logs to the New Log Format
● Upgrade Panorama for Increased Device Management Capacity
● Upgrade Panorama and Managed Devices in FIPS-CC Mode
● Downgrade from Panorama 10.2

Manage Licenses and Updates

You can use the Panorama management server to centrally manage licenses, software updates,
and content updates on firewalls and Dedicated Log Collectors. To activate licenses or install
updates on the Panorama management server, refer to the above information in this section.

When you deploy licenses or updates, Panorama checks in with the Palo Alto Networks licensing
server or update server, verifies the request validity, and then allows retrieval and installation of the
license or update. This capability facilitates deployment by eliminating the need to repeat the same
tasks on each firewall or Dedicated Log Collector. It is particularly useful for managing firewalls that
do not have direct internet access or for managing Dedicated Log Collectors, which do not have a
web interface.

Before deploying updates, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility
for important details about update version compatibility.

Panorama automatically performs a daily check-in with the licensing server, retrieves license
updates and renewals, and pushes them to the firewalls. The check-in is hard-coded to occur
between 1 a.m. and 2 a.m.; you cannot change this schedule.


Key Idea

● You cannot use Panorama to activate the support license for firewalls. You must
access the firewalls individually to activate their support licenses.

Use the following steps to retrieve new licenses using an authentication code and push the license
keys to managed firewalls.

Activate newly purchased licenses

1. Select Panorama > Device Deployment > Licenses and Activate.
2. Enter the Auth Code that Palo Alto Networks provided for each firewall that has a new
license.
3. Activate the license.
4. (WildFire subscriptions only) Perform a commit on each firewall that has a new WildFire
subscription to complete the activation:
● Commit any pending changes. You must access each firewall web interface to do
this.
● If no configuration changes are pending, make a minor change and Commit. For
example, update a rule description and commit the change. If the firewalls belong to
the same device group, you can push the rule change from Panorama to initiate a
commit on all those firewalls instead of accessing each firewall separately.

Key Idea

● Check that the WildFire Analysis profile rules include the advanced file types that
the WildFire subscription supports.

Use the following steps to manually update the license status of firewalls with or without direct
internet access.

Update the license status of firewalls

1. Select Panorama > Device Deployment > Licenses.
Each entry on the page indicates whether the license is active or inactive and displays the
expiration date for active licenses.
2. If you previously activated auth codes for the support subscription directly on the firewalls,
click Refresh and select the firewalls from the list. Panorama retrieves the license, deploys it
to the firewalls, and updates the licensing status on the Panorama web interface.
3. (Enterprise Data Loss Prevention (DLP) license only) Push the updated license to the
managed firewalls that are leveraging Enterprise DLP.
● Select Commit and Commit to Panorama.
● Select Commit > Push to Devices and Edit Selections.
● Select Templates and select the template stack associated with the managed
firewalls leveraging Enterprise DLP.
● Click OK to continue.
● Push the template configuration to successfully update the Enterprise DLP license.


4.1.1 References
● Register Panorama and Install Licenses
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/set-up-panorama/regist
er-panorama-and-install-licenses
● Migrate Panorama to a Software NGFW License
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-seri
es-firewall/software-ngfw/migrate-panorama-to-a-flexible-license
● Install Content Updates and Software Upgrades for Panorama
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/install-c
ontent-and-software-updates-for-panorama#id8b92a813-8235-40fc-bd19-4815c8dc0269
● Manage Licenses on Firewalls Using Panorama
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-licenses-and-u
pdates/manage-licenses-on-firewalls-using-panorama

4.2 Execute a successful proof of concept (POC)

A proof of concept (POC) is the most effective test you can run to make sure you are getting the
right NGFW for your environment.

Candidates preparing for this topic should know how to select the right product and configuration
for basic threat prevention and detection for both out-of-band and inline firewalls in the customer
environment.

Successful candidates should be able to work closely with customers to prepare the list of items to
be addressed in a POC. Here are some very important considerations:

● Does a customer environment require a chassis-based firewall or a non-chassis-based
firewall?
● When can, should, or must a customer use a specific firewall family, such as the PA-7000?
● Which cloud-delivered security services are required to provide the required customer
protection?
● What are the required configurations for firewalls and cloud-delivered security services?

Candidates should know about common testing approaches, such as BreakingPoint traffic
generation, and should be able to incorporate the customer’s testing approach into the list of items
addressed by the POC. Candidates should be able to explain to customers how Palo Alto Networks
threat handling affects the performance measured in these tests, for example, signatures that have
been disabled because they cover out-of-use viruses, or known issues that impact performance.
Candidates should be able to match firewall choices to the testing approaches that are used in the
POC, and match firewall and cloud-delivered security services to the list of items to be addressed
by the POC.

In firewall sales opportunities in which a customer and sales team determine that a POC might be
helpful, many data-center customers know what they want to run through their firewalls and want
to see how a Palo Alto Networks firewall handles that traffic. For example, customers often need to
run specific loads of traffic through the firewall and ensure that the POC firewall properly filters and
monitors those traffic loads. Palo Alto Networks has a POC team to ensure that the firewall and its
configuration can handle customer throughput requirements.


While many customers may know what performance and functionality they need from a firewall,
they often may not know how to formalize specific success criteria for a POC. For that reason, the
POC team should be engaged as soon as a POC opportunity is recognized as a necessary part of
the sales cycle. The POC team should help define POC success criteria, select and configure
firewalls so that they meet that criteria, and drive the POC to a successful result.

Multiple sources are available for providing exposure to Palo Alto Networks technologies. For lab
environments, you can leverage resources at Qwiklabs. Current information about Qwiklabs can be
found at:
● AWS QwikLab Registration
● AWS CloudNGFW QwikLab
● AWS GWLB QwikLab with VM-Series
● AWS CN-Series QwikLab

Refer to the following link if you wish to perform customized testing of any next-generation firewall
appliances in your environment:
https://start.paloaltonetworks.com/next-generation-firewall-proof-of-concept-evaluation

4.2.1 References
● Threat Signatures
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/learn-more-
about-and-assess-threats/learn-more-about-threat-signatures

4.3 Apply the appropriate deployment / configuration tool for various environments

When you are registering a new device (at the end of the registration process), an optional step
prompts you to run Day 1 Configuration.


The Day 1 Configuration tool helps you configure your devices for threat prevention using
best-practice recommendations from Palo Alto Networks.

Why Use Day 1 Configuration Templates?

Instead of extensive and detailed "how-to" documentation, Day 1 Configuration templates provide
an easy-to-implement configuration model that is related to use case. The emphasis is on key
security elements, such as dynamic updates, Security profiles, rules, and logging, that should be
consistent across deployments.

Day 1 Configuration templates compile common best-practice recommendations. These templates
can be loaded into Panorama or a next-generation firewall. Benefits of Day 1 Configuration
templates include:

● Faster time to implement
● Reduced configuration errors
● Improved security posture

Day 1 Configuration in Network Security

If you have already registered a device, you can access the Day 1 Configuration tool from Assets >
Network Security. Then, select the Day 1 Configuration icon for an NGFW.

Day 1 Configuration in Tools

Or, if you have already registered a device, you can access the Day 1 Configuration tool from Tools >
Run Day 1 Configuration.

Day 1 Configuration in Devices

Or, if you have already registered a device, you can access the Day 1 Configuration tool from Devices
> Run Day 1 Config.


What Are the Day 1 Configuration Steps?

Day 1 Configuration prompts you to enter a PAN-OS version.

1. Specify the same PAN-OS version you selected during Device Registration.
2. Enter a hostname for your device.
3. Enter IP information and log server information for the device.
4. Click Generate Config File. The newly generated config file is then downloaded via your
browser. If you have downloads blocked, make sure to allow the download or add an exception.
5. Import and load the prepared Day 1 Configuration file onto your firewall.

Key Idea

● A Day 1 Configuration template only supports IPv4; the tool does not generate any
IPv6 settings. If you need IPv6, add it after loading the IPv4 configuration, using
either the web interface or the CLI.

4.3.1 References
● Day 1 Configuration
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM2lCAG


4.4 Use, deploy, and tag Panorama plugins

Panorama Plugins
The architecture of the Panorama extensible plugin enables support for third-party integration
plugins, such as VMware NSX, and other Palo Alto Networks products, such as the GlobalProtect
cloud service. With this modular architecture, you can take advantage of new capabilities without
waiting for a new PAN-OS version.

To understand the Panorama plugins in detail, refer to Section 1.3.

Deployment and tagging

You can install one or more of the available plugins on Panorama to enable integration with the
GlobalProtect cloud service, Cortex Data Lake, or VMware NSX, or to monitor your virtual
machines on the AWS or Azure public cloud.

For the cloud services plugin, you must activate a valid authentication code on the Customer
Support Portal and select the region—Americas or Europe—to which you want to send logs.

Key Idea

● If you have a version of a plugin currently installed and you install a new version of
the plugin, Panorama replaces the currently installed version.

Step 1: Download the plugin.

1. Select Panorama > Plugins.
2. Select Check Now to retrieve a list of available updates.
3. Select Download in the Action column to download the plugin.
Refer to the Compatibility Matrix for the minimum supported PAN-OS version for each
Panorama plugin.

Step 2: Install the plugin.

Select the version of the plugin and click Install in the Action column to install the plugin.
Panorama will alert you when the installation is complete. For more details, refer to install the
VMware NSX plugin or the Cloud Services plugin.

Key Idea

● When installing the plugin for the first time on a Panorama HA pair, first install
the plugin on the passive peer. The peer will transition to a nonfunctional state.
After you successfully install the plugin on the active peer, the passive peer
returns to a functional state.

4.4.1 References
● Panorama Plugins
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins
● Install Panorama Plugins
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins/abo
ut-panorama-plugins/install-panorama-plugins

4.5 Deploy VM-Series and CN-Series

VM-Series

● VM-Series firewalls support two license types (BYOL and PAYG) and two different licensing
models: Software Next-Generation Firewall credits for flexible configurations that you
specify with a deployment profile, and fixed VM-Series model configurations. Both models
also license security services and other features.

● You can deploy the VM-Series firewall on the following platforms:

○ VM-Series for VMware vSphere Hypervisor (ESXi) and vCloud Air
You can deploy any VM-Series model as a guest virtual machine on VMware ESXi; this
arrangement is ideal for cloud or networks where a virtual form factor is required.
For details, see Set Up a VM-Series Firewall on an ESXi Server and Set Up the
VM-Series Firewall on vCloud Air.

○ VM-Series on VMware NSX-T
You can deploy the VM-100, VM-300, VM-500, or VM-700 in your NSX-T environment.
For details, see Set Up the VM-Series Firewall on VMware NSX-T (North-South).

○ VM-Series for Amazon Web Services (AWS)
You can deploy any VM-Series model, except the VM-50, on EC2 instances in the
AWS Cloud. For details, see Set Up the VM-Series Firewall on AWS.

○ VM-Series for Google Cloud Platform
You can deploy any VM-Series model, except the VM-50 and the VM-50 Lite, on
Google Compute Engine instances. For details, see Set Up the VM-Series Firewall on
Google Cloud Platform.

○ VM-Series for Kernel-based Virtual Machine (KVM)
You can deploy any VM-Series model on a Linux server that is running the KVM
hypervisor. For details, see Set Up the VM-Series Firewall on KVM.

○ VM-Series for Microsoft Hyper-V
You can deploy any VM-Series model on a Windows Server 2012 R2 server with the
Hyper-V role add-on enabled or a standalone Hyper-V 2012 R2 server. For details, see
Set Up the VM-Series Firewall on Hyper-V.

○ VM-Series for Microsoft Azure
You can deploy any VM-Series model, except the VM-50, on the Azure VNet.
For details, see Set up the VM-Series Firewall on Azure.

CN-Series

To deploy the CN-Series firewall, you must complete the following tasks:

● If not done already, License the CN-Series Firewall. Generate your authorization code and
have it available when you are ready to deploy the CN-Series firewall.

● Review the CN-Series Prerequisites before you begin your deployment. Make sure you
understand the system requirements needed to deploy the CN-Series firewall.

● Prepare the components.
○ Generate a VM Auth Key on Panorama.
○ (Optional) Generate the Auto-Registration PIN for the CN-Series.
○ Create Service Accounts for Cluster Authentication.
○ Deploy Panorama to configure, deploy, and manage your CN-Series firewall
deployment. For more information about deploying and setting up a Panorama
appliance, see Set Up Panorama.
○ Install the Kubernetes Plugin and Set up Panorama for CN-Series.
○ Get the Images and Files for the CN-Series Deployment. Access the Palo Alto
Networks Customer Support Portal to download the Docker files and GitHub to get
the YAML files required to deploy the CN-Series firewall in your Kubernetes
environment.

● Deploy the CN-Series firewall.
○ Edit the YAML files to fit your deployment. Review the Editable Parameters in
CN-Series Deployment YAML Files before you deploy the CN-Series firewall. Many of
the parameters set in the YAML files must be modified to successfully deploy the
CN-Series firewall.
○ Deploy the CN-Series Firewall as a Kubernetes Service.
○ Deploy the CN-Series Firewall as a DaemonSet.
○ (Optional) If you are deploying your CN-Series firewall as a Kubernetes service, you
can Enable Horizontal Pod Autoscaling on the CN-Series. Horizontal pod auto scaling
(HPA) allows your CN-Series firewall deployment to autoscale dynamically along with
your Kubernetes environment.
○ If you are deploying your CN-Series in an OpenShift environment, see Deploy the
CN-Series on OpenShift.
○ If you are securing 5G traffic with your CN-Series firewall, see Secure 5G With the
CN-Series Firewall.

● After you have deployed your CN-Series firewall, use Panorama to configure Security policies
that enable traffic enforcement and push those policies to the firewall.

Refer to the link below for details on the deployment of the CN-Series in supported environments.
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubern
etes/cn-series-deployment-environments

4.5.1 References
● VM-Series Deployments
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-serie
s-firewall/vm-series-deployments
● CN-Series Deployment guide
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment
● CN-Series Deployment—Supported Environments
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-
kubernetes/cn-series-deployment-environments
● CN-Series Deployment Checklist
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-
workloads-with-cn-series/cn-series-deployment-checklist

4.6 Spin up, locate, and demonstrate demo, lab, or Ultimate Test Drive

Multiple sources are available for providing exposure to Palo Alto Networks technologies. For lab
environments, you can leverage resources at Qwiklabs. Current information about Qwiklabs can be
found at:
● AWS QwikLab Registration
● AWS CloudNGFW QwikLab
● AWS GWLB QwikLab with VM-Series
● AWS CN-Series QwikLab

Ultimate Test Drives (UTDs) are guided, hands-on experiences designed to familiarize participants
with Palo Alto Networks technology and to enhance their understanding of how our products work
and how they can improve an organization’s security posture.

Each UTD addresses a different topic. All workshops take place in a virtual lab environment with
step-by-step directions and an expert instructor to guide the participants.


Format
● Technical
● Hands-on lab, activities, and tasks
● Guided experience
● Runs on Cloudshare platform

Delivery
● Virtual: Webinar format (exclusively online) with SE instructor (2-3 hour session, 50 people
max.)
OR
● Live: In-person, on-site event with SE instructor (2-3 hour session)

What kinds of UTDs does Palo Alto Networks provide?

Who delivers UTD?

Palo Alto Networks SE delivered
● A Palo Alto Networks SE is the instructor (for new prospects or existing accounts).

Partner SE delivered
● A Partner SE is the instructor (for partners, prospects or customers).

Virtual UTD: pre-scheduled managed online event
● Regional scheduled events open to the public
● Delivered online (webinar format)

What is an Ultimate Test Drive?

● Exciting and immersive!
● A conversion and demand-generation tool
● A virtual lab environment with read/write access
● An evaluation-acceleration tool
● A way to expose customers to new products and solutions

What is UTD not?

● A training tool
● A full demonstration of our platform
● Full coverage of our products

How does the UTD benefit your customer?

● Hands-on experience. Guided technical overview of products and solutions to build
understanding and comfort.
● Quick and easy. Simple, free walk-through of product features, UI, and benefits.
● Convenient. No setup, a virtual environment, a step-by-step guide.

How does the UTD benefit you?

● Generates services and product opportunities. Provides insight into other areas of our
technology to expand deals.
● Accelerates deals. Demonstrates technology to speed up the evaluation process.
● Breaks through noise in the market. Clearly shows the power of our technology.

There is a 51 percent win rate for initial business opportunities that run a UTD.

4.6.1 References
● Ultimate Test Drive (UTD)
https://beacon.paloaltonetworks.com/student/path/825466?sid=8785726e-8520-4469-b6e7-4
e5bfe8c7e00&sid_i=0

4.7 Summary of Key Ideas

● If you are running an evaluation license for firewall management on your Panorama virtual
appliance and want to apply a Panorama license that you purchased, perform the tasks
Register Panorama and Activate/Retrieve a Firewall Management License when the
Panorama Virtual Appliance is Internet-connected.
● Panorama can manage firewalls and collect logs even when the support license expires.
However, in that case, software and content updates will be unavailable. The software and
content versions on Panorama must be the same or later than the versions on the managed
firewalls; otherwise, errors will occur. For details, see Panorama, Log Collector, Firewall, and
WildFire Version Compatibility.
● You cannot use Panorama to activate the support license for firewalls. You must access the
firewalls individually to activate their support licenses.
● Check that the WildFire Analysis profile rules include the advanced file types that the
WildFire subscription supports.
● A Day 1 Configuration template only supports IPv4; the tool does not generate any IPv6
settings. If you need IPv6, add it after loading the IPv4 configuration, using either the web
interface or the CLI.
● If you have a version of a plugin currently installed and you install a new version of the
plugin, Panorama replaces the currently installed version.
● When installing the plugin for the first time on a Panorama HA pair, first install the plugin on
the passive peer. The peer will transition to a nonfunctional state. After you successfully
install the plugin on the active peer, the passive peer returns to a functional state.


4.8 Sample Questions

1. Where can you purchase Panorama virtual appliances on Azure?
a. AWS Marketplace
b. Palo Alto Networks
c. Azure Marketplace
d. Third-party websites

2. If no license has been installed, within how many days from the upgrade date can you install
a valid device management license?
a. 180
b. 90
c. 150
d. 100

3. Panorama automatically performs a daily check-in with the licensing server. The check-in is
hard-coded to occur between which hours?
a. 12:00 a.m. to 1:00 a.m.
b. 12:00 a.m. to 12:30 a.m.
c. 1:00 a.m. to 1:30 a.m.
d. 1:00 a.m. to 2:00 a.m.

4. A Day 1 Configuration template supports which of the following?
a. IPv4
b. IPv6
c. MAC routing
d. VWire routing

5. Which three plugin configuration options are supported for use in Panorama? (Choose
three.)
a. Cisco ACI
b. GCP
c. OCI
d. AMC
e. VMware NSX

6. Where can you download the Docker files for CN-Series deployment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

7. Which three statements are true for Ultimate Test Drive? (Choose three.)
a. It is a conversion and demand-generation tool.
b. It is a training tool.
c. It is an evaluation-acceleration tool.
d. It is a full demonstration of our platform
e. It is a way to expose customers to new products and solutions.

8. In a Day 1 Configuration template, where can you configure IPv6 after the IPv4
configuration?
a. GUI
b. CLI
c. Cortex
d. Both GUI and CLI

9. What is the win rate for initial business opportunities that run a UTD?
a. 71%
b. 68%
c. 51%
d. 88%


Domain 5: Network Security Best Practices

5.1 Explain why intrazone policies in cloud are a best practice

The two default Security policy rules are appended to the end of the user-defined Security policy
rules:

● A green cog image next to the “intrazone-default” rule name indicates the rule is predefined
or from Panorama. A tool tip is available on the image.
● A double cog image next to the “interzone-default” rule name indicates that the rule is in
the current virtual system and overriding the values of another rule from Panorama.
● The “intrazone-default” rule action is allow.
● The “interzone-default” rule action is deny.

The three rule types differ only in which source/destination zone pairs they match; the action
(allow or deny) is set separately on each rule.

Universal
A rule that matches traffic between the specified source and destination zones whether the
source and destination zone are the same or different, so it applies to all matching interzone
and intrazone traffic in those zones. For example, a universal rule with source zones A and B
and destination zones A and B applies to all traffic:
● Within zone A
● Within zone B
● From zone A to zone B
● From zone B to zone A

Intrazone
A rule that matches traffic within the same zone. It applies to all matching traffic within each
of the specified source zones; you cannot specify a destination zone for an intrazone rule. For
example, with source zones A and B, the rule applies to all traffic within zone A and within zone
B, but not to traffic between zones A and B.

Interzone
A rule that matches traffic between two different zones and never traffic that stays within a
single zone. It applies to all matching traffic between the specified source and destination
zones. For example, with source zones A, B, and C and destination zones A and B, the rule
applies to traffic from:
● Zone A to zone B
● Zone B to zone A
● Zone C to zone A
● Zone C to zone B
It does NOT apply to traffic within zones A, B, or C.

A user-defined Security policy rule can be configured as universal, intrazone, or interzone.

When a rule is configured as intrazone, the destination zone cannot be changed; its value is
taken from the source zone.
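The zone-matching rules described above, worked through in Python. This is an added example, not code from the study guide or from PAN-OS itself; it models only the zone-matching part of a rule (addresses, applications, users and services are ignored) and evaluates a rulebase top-down with the two predefined default rules appended, which is enough to show why an explicit intrazone rule matters in a flat cloud VPC or VNet: with no intrazone rule of your own, traffic between two hosts in the same zone falls through to intrazone-default and is allowed. The zone names, rule names and rulebase are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple


@dataclass
class SecurityRule:
    """Zone-matching part of a PAN-OS Security policy rule (addresses, apps and services omitted)."""
    name: str
    rule_type: str                                             # "universal", "intrazone" or "interzone"
    source_zones: Set[str]
    destination_zones: Set[str] = field(default_factory=set)   # ignored for intrazone rules
    action: str = "allow"

    @staticmethod
    def _zone_in(zone: str, zones: Set[str]) -> bool:
        return "any" in zones or zone in zones

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        src_ok = self._zone_in(src_zone, self.source_zones)
        if self.rule_type == "intrazone":
            # The destination zone is taken from the source zone, so only same-zone traffic matches.
            return src_ok and src_zone == dst_zone
        dst_ok = self._zone_in(dst_zone, self.destination_zones)
        if self.rule_type == "interzone":
            # Traffic between the listed zones, never traffic that stays inside one zone.
            return src_ok and dst_ok and src_zone != dst_zone
        if self.rule_type == "universal":
            return src_ok and dst_ok
        raise ValueError(f"unknown rule type {self.rule_type!r}")


# The two predefined rules, in the order PAN-OS appends them after the user-defined rules.
DEFAULT_RULES: List[SecurityRule] = [
    SecurityRule("intrazone-default", "intrazone", {"any"}, action="allow"),
    SecurityRule("interzone-default", "interzone", {"any"}, {"any"}, action="deny"),
]


def covered_pairs(rule: SecurityRule, zones: Iterable[str]) -> Set[Tuple[str, str]]:
    """Every (source, destination) zone pair the rule applies to, as in the examples above."""
    zones = list(zones)
    return {(s, d) for s in zones for d in zones if rule.matches(s, d)}


def evaluate_policy(rules: Iterable[SecurityRule], src_zone: str, dst_zone: str) -> Tuple[str, str]:
    """First-match evaluation: user-defined rules top-down, then the predefined default rules."""
    for rule in list(rules) + DEFAULT_RULES:
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action
    raise RuntimeError("unreachable: the default rules match every zone pair")


if __name__ == "__main__":
    # Constructed cloud rulebase: one zone per tier, only the north-south rule written explicitly.
    permissive = [SecurityRule("web-to-db", "interzone", {"web"}, {"db"}, "allow")]
    print(evaluate_policy(permissive, "web", "web"))   # ('intrazone-default', 'allow'): lateral movement
    # Hardened: an explicit intrazone deny rule placed ahead of the predefined allow.
    hardened = [SecurityRule("deny-lateral", "intrazone", {"any"}, action="deny")] + permissive
    print(evaluate_policy(hardened, "web", "web"))     # ('deny-lateral', 'deny')
    print(evaluate_policy(hardened, "web", "db"))      # ('web-to-db', 'allow')
```

The deny-lateral rule is intrazone, so placing it first does not disturb the interzone web-to-db rule; it only closes the same-zone path that intrazone-default would otherwise leave open. Overriding intrazone-default on the firewall changes only its profile and log settings, not its action, which is why an explicit rule is needed.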


You cannot change the predefined or Panorama-pushed intrazone-default and interzone-default
rules, names, or functions. This is indicated by a green border around the editor and the Read Only
wording in the title.

To make a change to predefined or Panorama-pushed intrazone-default or interzone-default rules,
you must override these rules.

You can override these rules if there is a green single cog image next to the rule name.

The override action will bring up a security rule editor with two tabs.

● On the General tab, only the Tags field can be modified.
● On the Actions tab, only the Profile Setting and Log Setting fields can be modified.

To get back the predefined or Panorama-pushed value, perform the revert action.

On Panorama, the default rules are visible in a separate tree node, below the security pre and post
rules. The green single cog image next to the name indicates that the rule is from an ancestor
device group or is shared or predefined.

A double cog image next to the name indicates that the rule is overriding that of an ancestor device
group rule, shared rule, or predefined rule.

Key Idea

● You can use Panorama to configure Security policy rules.

5.1.1 Reference

● What are Universal, Intrazone and Interzone Rules
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

5.2 Describe the use of object tagging and DAGs

DAGs allow you to create a policy that automatically adapts to changes such as adding, moving, or
deleting servers. They also provide the flexibility to apply different rules to the same server based on
tags that define the server’s role in the network, the operating system, or the different kinds of
traffic it processes.

Membership in a DAG is determined using tag names or tag-based filters. Either external software
or the firewall can automatically add a tag to an IP address, and then you can associate that tag
with a dynamic address group. For example, VMware NSX software can assign a tag to the IP
address of a newly created virtual machine, or the auto-tagging capability included in the log
forwarding feature of the firewall can add a tag to an IP address.

Auto-tagging allows the firewall or Panorama to tag a policy object when it receives a log that
matches specific criteria and establishes IP-address-to-tag or user-to-tag mapping.

When the firewall generates a threat log, you can configure the firewall to tag the source IP address
or source user in the Threat log with a specific tag name. You can use these tags to automatically
populate policy objects such as DAGs, which you can then use to automate security actions in
Security, Authentication, or Decryption policies. For example, when you create a filter for the URL
logs for “yes” in the Credential Detected column, you can apply a tag that enforces an
Authentication policy that requires the user to authenticate using multi-factor authentication
(MFA).

Redistribute the mappings across your network by registering the IP-address-to-tag and
user-to-tag mappings to a PAN-OS integrated User-ID agent on the firewall or Panorama or a
remote User-ID agent using an HTTP Server profile. The firewall can automatically remove a tag
associated with an IP address or user when you configure a timeout as part of a built-in action as a
part of log forwarding settings.

For example, if the firewall detects that a user has potentially compromised credentials, you could
configure the firewall to require MFA authentication for that user for a given period, then configure
a timeout to remove the user from the MFA requirement group.
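
As an added illustration (not PAN-OS code and not from the Palo Alto Networks documentation), the following Python model shows how the pieces described above fit together: IP-address-to-tag and user-to-tag registrations, a DAG match filter evaluated over those tags, an auto-tagging rule fired by a log that matches specific criteria, and a timeout that removes the tag again. The filter grammar, addresses, user names, tag names and log fields are assumptions made for the example.

```python
"""Simplified model of DAG membership and log-driven auto-tagging, added to this study
guide as an illustration; it is not PAN-OS code. Filters are a small subset of the DAG
match syntax (tags joined by 'and'/'or', with parentheses); all values are constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

_TOKEN = re.compile(r"'[^']*'|\(|\)|[\w.-]+")

@dataclass
class TagRegistry:
    """subject (IP address or user) -> {tag: expiry}; expiry None means no timeout."""
    tags: Dict[str, Dict[str, Optional[float]]] = field(default_factory=dict)

    def register(self, subject, tag, now, timeout=None):
        self.tags.setdefault(subject, {})[tag] = None if timeout is None else now + timeout

    def tags_for(self, subject, now) -> Set[str]:
        """Live tags of a subject; tags whose timeout has elapsed are dropped here."""
        entries = self.tags.get(subject, {})
        for tag in [t for t, exp in entries.items() if exp is not None and exp <= now]:
            del entries[tag]
        return set(entries)

def matches_filter(match_filter: str, tags: Set[str]) -> bool:
    """Evaluate a match filter against one tag set; 'and' binds tighter than 'or'."""
    tokens, pos = _TOKEN.findall(match_filter), 0

    def peek():
        return tokens[pos].lower() if pos < len(tokens) else None

    def parse(level=0):  # precedence climbing: 0 = or-expression, 1 = and-expression
        nonlocal pos
        if level == 2:
            return parse_atom()
        op = ("or", "and")[level]
        value = parse(level + 1)
        while peek() == op:
            pos += 1
            rhs = parse(level + 1)  # evaluate both sides; no short circuit needed
            value = (value and rhs) if op == "and" else (value or rhs)
        return value

    def parse_atom():
        nonlocal pos
        tok = tokens[pos] if pos < len(tokens) else None
        pos += 1
        if tok == "(":
            value = parse()
            if peek() != ")":
                raise ValueError("missing ')' in filter")
            pos += 1
            return value
        if tok is None or tok == ")" or tok.lower() in ("and", "or"):
            raise ValueError(f"malformed filter near {tok!r}")
        return tok.strip("'") in tags

    result = parse()
    if pos != len(tokens):
        raise ValueError("trailing tokens in filter")
    return result

def dag_members(registry: TagRegistry, match_filter: str, now: float) -> Set[str]:
    """Current DAG members: every subject whose live tags satisfy the filter."""
    return {s for s in list(registry.tags) if matches_filter(match_filter, registry.tags_for(s, now))}

@dataclass(frozen=True)
class AutoTagRule:
    """A log of `log_type` satisfying `criteria` gets `tag` registered on its `target_field`."""
    log_type: str
    criteria: Callable[[dict], bool]
    tag: str
    target_field: str = "src"        # "src" = IP-address-to-tag, "srcuser" = user-to-tag
    timeout: Optional[float] = None  # seconds until the firewall removes the tag again

def apply_log(registry: TagRegistry, rules: List[AutoTagRule], log: dict, now: float):
    """Built-in log-forwarding action: register a tag for every rule the log matches."""
    tagged: List[Tuple[str, str]] = []
    for rule in rules:
        if log.get("type") == rule.log_type and rule.criteria(log):
            registry.register(log[rule.target_field], rule.tag, now, rule.timeout)
            tagged.append((log[rule.target_field], rule.tag))
    return tagged

def demo() -> Tuple[Set[str], Set[str], Set[str]]:
    reg, t0 = TagRegistry(), 1000.0
    # Constructed registrations of the kind an orchestrator such as NSX would push.
    for ip, tags in {"10.0.1.10": ("web", "prod"), "10.0.1.11": ("web", "dev"),
                     "10.0.2.20": ("db", "prod")}.items():
        for tag in tags:
            reg.register(ip, tag, t0)
    prod_web = dag_members(reg, "'web' and 'prod'", t0)
    # Constructed URL log with Credential Detected = yes: tag the user for one hour.
    rule = AutoTagRule("url", lambda rec: rec.get("credential_detected") == "yes",
                       "require-mfa", target_field="srcuser", timeout=3600)
    log = {"type": "url", "srcuser": "corp\\alice", "credential_detected": "yes"}
    apply_log(reg, [rule], log, t0)
    mfa_now = dag_members(reg, "'require-mfa'", t0)
    mfa_later = dag_members(reg, "'require-mfa'", t0 + 3601)  # timeout elapsed
    return prod_web, mfa_now, mfa_later
```

Running `demo()` shows the DAG resolving to the one host tagged both `web` and `prod`, the user entering the MFA group immediately after the matching log, and leaving it once the timeout has elapsed.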

Key Idea

● Dynamic user groups do not support auto-tagging from HIP Match logs.

5.2.1 References

● Dynamic Address Groups
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy
● Auto-Tagging
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

5.3 Explain how Zero Trust relates to VM-Series and CN-Series cloud deployments

Zero Trust is a business-driven, strategic approach to securing your most critical data, applications,
assets, and services (DAAS) as well as your users based on what is important to your business, in a
protected surface. Zero Trust strategy is infrastructure-neutral, so you can apply it to all physical and
virtual locations—network, public cloud, private cloud, and endpoint.

The concept behind Zero Trust is simple: trust is a vulnerability.

Trust nothing in the digital environment—packets, identities, devices, or services—and verify
everything. There is no such thing as default trust. Eliminating trust helps prevent successful data
breaches, simplifies operations through automation and a reduced rulebase, and simplifies
regulatory compliance and audits because Zero Trust environments are designed for compliance
and easy auditing.

Zero Trust strategy is not something you implement once and copy from network to network
because each environment and protect surface is different. As businesses change over time, the
goals and DAAS elements also change. Strategy is always business-specific, and security strategy is
specific to protecting what is important to your business.

Five-step methodology for implementing a Zero Trust strategy

The five-step methodology for implementing a Zero Trust strategy presents a logical path to protect
your environment, data, applications, assets, services, and users.

This methodology works whether you are implementing a Zero Trust strategy in the cloud, on a
private network, or on endpoints, regardless of infrastructure.

Step 1: Define your protect surface.
Step 2: Map the protect surface transaction flows.
Step 3: Architect a Zero Trust network.
Step 4: Create the Zero Trust Policy.
Step 5: Monitor and maintain the network.

Step 1: Define Your Protect Surface

A protect surface is what is valuable to your business—DAAS elements you need to protect to
ensure normal business operation.

Defining your protect surface enables you to focus on defending what really matters to your
business instead of trying to identify and protect the entire attack surface or focusing on just the
perimeter. The protect surface is also much smaller than the attack surface or the perimeter, so it is
easier to protect.

Define your protect surface based on the most crucial DAAS elements for your business:

● Data: What data needs to be protected? Think about intellectual property such as
proprietary code or processes, personally identifiable information (PII), payment card
information (PCI), and personal health information (PHI) such as Health Insurance
Portability and Accountability Act (HIPAA) information.
● Applications: Which applications consume sensitive information? Which applications are
critical for your business functions?
● Assets: Which assets are the most sensitive? Depending on your business, that could be
Supervisory Control and Data Acquisition (SCADA) controls, POS terminals, medical
equipment, manufacturing equipment, and groups of critical servers.
● Services: Which services can attackers exploit to disrupt IT operations and negatively
impact the business?

Step 2: Map the Protect Surface Transaction Flows

Map the transaction flows or interactions between your critical DAAS elements and users to
understand their interdependencies—who has business reasons to access each element, in what
manner, and at what time. Mapping helps you understand how to create a Security policy that
allows only authorized users access to specific data and assets using the specified applications. (This
is the principle of least privilege.)

There are many ways to map transaction flows. Some techniques for defining your protect surface
apply, as well:

● Leverage existing flow diagrams if you have them (compliance and auditing sometimes
require businesses to create flow diagrams).
● Work with application, network, and enterprise architects, as well as business
representatives, to understand the purpose of applications and the transaction flow they
envision.
● Insert one or more next-generation firewalls transparently into your network in virtual
wire mode to gain visibility into traffic. Check Traffic logs to view and analyze traffic.
● Use third-party tools from Palo Alto Networks integrated partners.
● Use log information from the Cortex Data Lake to gain visibility into, and map, transaction
flows. The Cortex Data Lake aggregates logs from the Next-Generation Firewall,
VM-Series firewalls, Prisma Access, and Cortex XDR.
● Map the flow of application data across the network, the computing objects required for
each application, and who uses each application.
● Find out who uses the data, where you collect, store, use, and transfer the data, and how
the data is stored, encrypted, archived, or destroyed after use.
● For each asset, find out its location, who uses it, when they use it, and where the asset fits
into workflows.
● Map the service workflows across the environment.

Step 3: Architect a Zero Trust Network

Armed with an understanding of your protect surface and transaction flows, begin architecting
your Zero Trust network. Architect the business-critical protect surfaces you identified in Step 1 from
the inside out. Keep in mind ease of operation and maintenance, as well as flexibility to
accommodate protect surface and business changes. Run the Best Practice Assessment tool to set
a best-practice configuration baseline and measure progress toward your Zero Trust goals.

The cornerstone of the architecture is segmentation gateways—physical or virtual Palo Alto
Networks next-generation firewalls that connect your network segments and enforce Layer 7 policy.
Run all traffic through a segmentation gateway, place segmentation gateways as close as possible
to the resources they protect, and use them in conjunction with other Palo Alto Networks
capabilities to automate as much as possible. Next-generation firewalls:

● Create a microperimeter in Layer 7 policy around each protect surface. This prevents
lateral movement because the microperimeter provides granular policy controls for who
(User-ID) accesses what applications (App-ID) and resources in what manner
(Content-ID) and at what time through the segmentation gateway. Segment based on
how transactions flow across your network and how your users and applications access
data and services.

● Aggregate security capabilities into a single control point for all traffic entering and
exiting the protect surface. The segmentation gateway should enforce policy, decrypt
encrypted traffic, and apply protections such as:
○ DNS Security (use the DNS Security service, which provides multiple real-time threat
intelligence sources, infinitely scalable real-time analysis of DNS requests, and
advanced DNS signatures).
○ Intrusion prevention (Vulnerability Protection, Anti-Spyware, and Antivirus profiles).
■ Blocking potentially dangerous file types
■ Preventing unknown and Day 1 threats (WildFire)
■ URL Filtering
■ Data Loss Prevention (DLP)

● Decrypt and inspect traffic at Layer 7 in real time.

● Log every session, then send the logs to the Cortex Data Lake from Panorama for
managed firewalls, from individual firewalls, from Prisma Access (formerly GlobalProtect
cloud service), and from Cortex XDR to centralize and aggregate your on-premises and
virtual (private and public cloud) log storage for physical and VM-Series firewalls.

● Use APIs for tight integration with third-party defense tools from partners.

● Automate feedback loops that detect events and automate responses.

● Use templates and template stacks in Panorama to automate policy deployment.

● Use tools such as Ansible, Terraform, and Python to automate, orchestrate, and accelerate
protecting Prisma Cloud deployments.

Palo Alto Networks enables you to architect your Zero Trust environment and apply consistent
security across all locations:

● Panorama centralizes policy management and control for multiple next-generation firewalls
and increases operational efficiency compared to managing firewalls individually.

● Corporate network and data center: Use next-generation firewalls to segment the
network into microperimeters for your protect surfaces.

● Public cloud: Use Prisma Access, which uses on-premises or VM-Series next-generation
firewalls, and Prisma Cloud (an API-based cloud infrastructure security solution) to
implement Zero Trust policy in cloud environments. VPCs define protection boundaries
to segment workloads.

● Private cloud: Use VM-Series firewalls to implement Zero Trust policy.

● Branch office and mobile users: Use Prisma Access to provide cloud-based security and
to avoid round-trips to corporate network resources. Configure Prisma Access for users
and also Prisma Access for networks to secure branches. Alternatively, use an
on-premises next-generation firewall with the GlobalProtect subscription service to
extend security policy and enforcement to remote users and branch offices.

● Endpoints: Layer protection by using the Next-Generation Firewall for segmentation and
the first layer of protection, and using Cortex XDR agent for the second layer of
protection. Enforce consistent policy using GlobalProtect (on-premises installation) or
Prisma Access (installed using Panorama and managed for you in the cloud) VPNs to
extend policy to remote endpoints and enable policy to move with the user. Prisma
Access requires the GlobalProtect app on mobile-user endpoints. In all cases, install the
GlobalProtect app on managed endpoints and use GlobalProtect Clientless VPN on
unmanaged endpoints (endpoints on which you cannot or do not want to place an
agent, such as partner systems or personal devices). Apply multi-factor authentication
when appropriate to protect high-value assets.

● SaaS applications: Use Prisma SaaS to scan, analyze, classify, and help protect SaaS
applications. Redirect SaaS application traffic for unmanaged devices through your
next-generation firewall.

Step 4: Create the Zero Trust Policy

Zero Trust policy consists of allow rules that allow only authorized users to access specific resources
using the specified applications at the right time in the right places. If traffic does not match a rule,
the firewall automatically blocks the traffic. This is important because:

● It is much easier to know the applications you want to allow to support your business than
to take on the never-ending task of identifying and blocking all the applications you do
not want to allow.
● All breaches and malicious activity happen on allow rules. Focus security on traffic you
allow, and allow only the traffic required for business.

Zero Trust policy is based on the Kipling Method. Answering Rudyard Kipling’s six-tuple of
questions, “who, what, when, where, why, and how,” shows you how to decide whether to allow or
block traffic and how to create a Security policy that safeguards each protect surface.
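
As an added example (not from this guide and not PAN-OS code), a small Python evaluator puts Step 4 into working form: a rulebase made only of allow rules, each field answering one Kipling question, with an implicit block for any session that matches none of them. The rule names, user groups, applications, zones, addresses and schedules are constructed for the example.

```python
"""Added example of Step 4: an allow-only Zero Trust rulebase keyed to the Kipling
six-tuple, evaluated with an implicit block. Not PAN-OS code; users, applications,
zones, addresses and schedules below are constructed samples."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class KiplingRule:
    """One allow rule. Each field answers a Kipling question for a protect surface."""
    name: str
    who: FrozenSet[str]          # User-ID: user groups permitted
    what: FrozenSet[str]         # App-ID: applications permitted
    where_from: str              # source zone
    where_to: FrozenSet[str]     # protect-surface addresses (destination)
    when: Tuple[int, int]        # schedule as [start_hour, end_hour) in 24h time
    how: str                     # Content-ID: security profile group applied to matches
    why: str                     # business justification recorded with the rule


@dataclass(frozen=True)
class Session:
    user: str
    groups: FrozenSet[str]
    app: str
    src_zone: str
    dst: str
    hour: int


def evaluate(rules: Sequence[KiplingRule], s: Session) -> Tuple[str, Optional[str], Optional[str]]:
    """First matching allow rule wins and names the profile group to apply; a session
    that matches no rule is blocked, which is the Zero Trust default."""
    for r in rules:
        if (s.groups & r.who and s.app in r.what and s.src_zone == r.where_from
                and s.dst in r.where_to and r.when[0] <= s.hour < r.when[1]):
            return "allow", r.name, r.how
    return "block", None, None


# Constructed rulebase for a payroll database protect surface.
PAYROLL_RULES = [
    KiplingRule(
        name="finance-to-payroll-db",
        who=frozenset({"finance"}),
        what=frozenset({"mssql-db"}),
        where_from="users",
        where_to=frozenset({"10.20.0.5"}),
        when=(7, 19),
        how="strict-db-profiles",
        why="Finance staff run payroll queries during business hours",
    ),
    KiplingRule(
        name="payroll-app-to-db",
        who=frozenset({"svc-payroll"}),
        what=frozenset({"mssql-db"}),
        where_from="app-tier",
        where_to=frozenset({"10.20.0.5"}),
        when=(0, 24),
        how="strict-db-profiles",
        why="Payroll application service account, all hours",
    ),
]


def demo() -> List[str]:
    """Constructed sessions: only the first and last satisfy all six questions."""
    sessions = [
        Session("alice", frozenset({"finance"}), "mssql-db", "users", "10.20.0.5", 10),
        Session("alice", frozenset({"finance"}), "mssql-db", "users", "10.20.0.5", 23),  # wrong when
        Session("bob", frozenset({"marketing"}), "mssql-db", "users", "10.20.0.5", 10),  # wrong who
        Session("alice", frozenset({"finance"}), "ssh", "users", "10.20.0.5", 10),       # wrong what
        Session("svc", frozenset({"svc-payroll"}), "mssql-db", "app-tier", "10.20.0.5", 3),
    ]
    return [evaluate(PAYROLL_RULES, s)[0] for s in sessions]
```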

Step 5: Monitor and Maintain the Network

Security is an iterative process because logging and monitoring reveal improvements to make in
sync with your business and network changes over time. Follow the operational processes you
developed when architecting the network to maintain and continually update prevention controls.

Key Idea

● Zero Trust policy is based on the Kipling Method.

The way you apply the methodology depends on what you are protecting and your business
requirements—what’s critical to your business—but the outcomes you are working toward are the
same:

● Segment the network effectively and efficiently to prevent lateral movement.
● Protect business-critical data and systems from unauthorized applications and users.
● Protect business-critical applications from unauthorized access and usage.
● Enforce policy seamlessly across networks, cloud, and endpoints to simplify management
and apply consistent policy everywhere.

5.3.1 Reference
● What is Zero Trust for the Cloud?
https://docs.paloaltonetworks.com/best-practices/10-1/zero-trust-best-practices/zero-trust-best-practices/what-is-zero-trust-and-why-do-i-need-it

5.4 Leverage automation tools to deploy Palo Alto Networks solutions

The Palo Alto Networks auto scaling templates for AWS help you to configure and deploy VM-Series
firewalls to protect applications deployed in AWS. The templates leverage AWS scalability features
to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in
application workload resource demand.

● The VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a
bootstrap file for version 2.0 and Panorama for version 2.1).

● AWS automation technology includes CloudFormation templates and scripts for AWS
services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and
SNS.

The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series
Firewalls in AWS:

● Version 2.0 provides a firewall template and an application template. These templates and
the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal
firewall, and application ASGs in one or more VPCs.
In version 2.0, Palo Alto Networks supports the firewall template while the application
template is community-supported. See VM-Series Auto Scaling Template for AWS Version
2.0 for deployment details.

● Version 2.1 includes two firewall templates and five application templates. It adds support for
deployment in a single VPC and adds support for a load balancer sandwich topology that
enables you to deploy the VM-Series firewalls in a front-end VPC and the back-end
applications in one or more application VPCs connected by VPC peering or AWS
PrivateLink.
In version 2.1, you can implement both application load balancers (ALBs) and network load
balancers (NLBs) in VPCs.

Key Idea

● VM-Series automation capabilities include the PAN-OS API and bootstrapping.

5.4.1 Reference
● Auto Scaling VM-Series Firewalls with the Amazon ELB Service
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb

5.5 Compare and contrast Prisma Cloud Compute (PCC) and CN-Series

Prisma Cloud provides comprehensive visibility and threat detection to mitigate risks and secure
your workloads in a hybrid and multi-cloud environment. If your organization is leveraging public
cloud platforms and a rich set of microservices to rapidly build and deliver applications, Prisma
Cloud offers cloud native application security controls for public cloud platforms, hosts, containers,
and serverless technologies.

Prisma Cloud Compute Edition delivers a cloud workload protection platform (CWPP) for modern
enterprises, providing holistic protection across hosts, containers, and serverless deployments in
any cloud, throughout the application life cycle. Prisma Cloud Compute Edition is cloud native and
API-enabled, protecting all your workloads regardless of their underlying compute technology or
the cloud in which they run. The CN-Series is the industry’s first ML-powered firewall that helps
enforce enterprise-level network security and threat protection in container traffic across
Kubernetes namespace boundaries. CN-Series provides inline traffic filtering. The CN-Series
container firewalls help network security teams safeguard developers with deep security
integration into Kubernetes orchestration. Deploy the CN-Series to secure traffic between pods in
different trust zones and namespaces, for protection against known and zero-day malware, and to
block data exfiltration from your containerized environments.

Key Idea

● Prisma Cloud Compute Edition is cloud native and API-enabled.
● CN-Series provides inline traffic filtering.

5.5.1 References
● Prisma Cloud Compute
https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-compute-edition-aag
● CN-Series
https://docs.paloaltonetworks.com/cn-series

5.6 Summary of Key Ideas

● You can use Panorama to configure Security policy rules.
● Dynamic user groups do not support auto-tagging from HIP Match logs.
● Zero Trust policy is based on the Kipling Method.
● VM-Series automation capabilities include the PAN-OS API and bootstrapping.
● Prisma Cloud Compute Edition is cloud native and API-enabled.
● CN-Series provides inline traffic filtering.

5.7 Sample Questions

1. Which three of the following are cloud policy rule types? (Choose three.)
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

2. Which Security policy rule type allows traffic from a zone to the same zone?
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

3. What does SCADA stand for?
a. Supervisory Communication and Data Acquisition
b. Supervisory Control and Data Acquisition
c. Supervisory Central and Data Acquisition
d. Supervisory Control and Data Association

4. Which of the following allows the firewall or Panorama to tag a policy object when it receives
a log that matches specific criteria?
a. A DAG
b. Zero Trust
c. Universal policy
d. Auto-tagging

5. What does CWPP stand for?
a. Cloud Workload Private Platform
b. Cloud Workload Public Platform
c. Cloud Workload Protection Platform
d. Cloud Workload Prevention Platform

6. Zero Trust policy is based on which method?
a. Bootstrap Method
b. Discovery Method
c. Kipling Method
d. Authentication Method

7. What are three of the DAAS elements? (Choose three.)
a. Data
b. Applications
c. Automation
d. Services

8. What can be autoscaled to ensure security when you need it most?
a. DNS Security
b. A dynamic address group
c. A virtual firewall
d. The Bootstrap Method

9. Intrusion prevention includes: (Choose three.)
a. Blocking potentially dangerous file types
b. Infinitely scalable real-time analysis of DNS requests
c. URL Filtering
d. Data Loss Prevention (DLP)

10. The virtual firewalls of which two cloud types secure virtualized compute resources and
hypervisors? (Choose two.)
a. Private cloud
b. Protected cloud
c. Public cloud
d. Hybrid cloud

Appendix A: Sample Questions with Answers
Below are the questions offered throughout the study guide, with the correct answers indicated.

Domain 1

1. In AWS, which of the following publishes metrics for auto scaling?
a. AWS S3 Bucket
b. AWS Lambda
c. AWS CloudWatch
d. AWS Auto Scaling Groups (ASG)

2. While defining an address group, each registered IP address can have up to how many tags?
a. 32
b. 64
c. 16
d. 8

3. VM-Series Plugin enables integration with:
a. Public Clouds
b. Private Clouds
c. Public and Private cloud
d. Hypervisors

4. Which two statements are true for Panorama plugins? (Choose two)
a. Panorama plugins are available for both VM-Series and Hardware-based Firewall.
b. Panorama plugins are optional and can be removed.
c. Panorama plugins are built-in.
d. Panorama plugin versions are independent of Panorama version.

5. Which three statements are true with respect to VM-Series plugin upgrades? (Choose three.)
a. Can be upgraded manually independent of PAN-OS.
b. Can be upgraded locally in the virtual firewall.
c. PAN-OS Upgrade is mandatory to upgrade VM-Series plugins
d. Upgrades can be managed centrally through Panorama.
e. Every plugin version is compatible with all the PAN-OS versions.

6. What are three advantages of network segmentation? (Choose three.)
a. It boosts performance
b. It makes managing firewall policies easier
c. It helps localizing technical issues
d. It makes virtual clouds more secure
e. It can be implemented only as physical segmentation.

7. What is used to aggregate logs from all the managed firewalls and provide visibility into all
data traffic?
a. Cortex Data Lake
b. Panorama
c. Application Command Center
d. Dedicated log collectors

8. Which two parameters are considered while estimating ROI using Palo Alto Networks
VM-Series Virtual Firewalls Estimator? (Choose two.)
a. No. of firewalls to be deployed
b. No. of NetOps and SecOps staff in the organization
c. Quantity of data to be inspected
d. Amount spent on physical firewalls over a life cycle of 5 years.

Domain 2
1. Which security service assists file safety by automatically detecting unknown malware?
a. URL Filtering
b. WildFire
c. App-ID
d. Threat Prevention

2. Which profile is used to categorize content?
a. URL Filtering
b. Threat Prevention
c. Zero Trust
d. Data Loss Prevention

3. Ansible is used for what purpose?
a. Providing PAN-OS application signature updates
b. Automating device configuration
c. Optimizing firewall resource consumption
d. Identifying transit traffic

4. Which of the following is a package manager for containers?
a. Terraform
b. Helm
c. Ansible
d. YAML

5. What is the basic operational unit of Kubernetes?
a. Node
b. Container
c. Kubernetes service
d. Pod

6. VM-Series is applicable for which of the following traffic scenarios?
a. Inbound
b. North-south and east-west
c. East-west only
d. Outbound

7. What is the order of Kubernetes constructs from smallest to largest in terms of size and
scope?
a. Node, namespace, pod, cluster
b. Namespace, node, cluster, pod
c. Pod, node, namespace, cluster
d. Pod, node, cluster, namespace

8. Which environment uses software and virtualization to provide network connectivity for
dispersed locations?
a. On-premise
b. SDN
c. SD-WAN
d. Nutanix

9. After deselecting a credit pool, you see a reminder to activate those credits. What will be
your next step?
a. Select the credit pool you want to activate.
b. Deposit credits.
c. Purchase a different credit pool.
d. Return to your email and click the Start Activation link.

Domain 3

1. Threat Prevention and WildFire services enabled on CN-Series firewalls: (Choose three.)
a. Block exploits
b. Prevent malware
c. Ensure that protections are always up to date
d. Stop only known advanced threats
e. Stop both known and unknown advanced threats

2. Where can you download Configuration templates?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

3. CN-Series as a Kubernetes CNF in HA mode of deployment supports _______ with session
and configuration synchronization.
a. Active/active HA
b. Active/passive HA
c. Passive/passive HA
d. 1:n/n:1

4. How many default templates can you find on Panorama after downgrading the Kubernetes
plugin from 3.0.0?
a. Five
b. Four
c. Two
d. Six

5. In Kubernetes CNF mode, which protocol is supported on Native/OnPrem environments, but
not on public clouds?
a. BGP
b. BFD
c. tunnel interface
d. OSPF

6. Which mode of deployment allows the firewall to route traffic between multiple ports?
a. Tap mode
b. Layer 2
c. Virtual wire
d. Layer 3

7. Which threat detection system can monitor the traffic traversing within the VPC boundary?
a. Advanced URL Filtering
b. Cloud IDS
c. Threat monitoring
d. GlobalProtect

8. After git cloning the repository from GitHub, what do you need to do immediately to deploy
the CN-Series firewall?
a. Change into a local directory for the cloned repository.
b. Change to the subdirectory for your deployment.
c. Edit the values.yaml file.
d. Generate the VM auth key on Panorama.

9. VM-Series can be deployed on which three of the following platforms? (Choose three.)
a. XenServer
b. NSX-T
c. AWS
d. Azure
e. On-Premises

10. At which layer is the firewall capable of inspecting and providing threat prevention for
tagged or untagged traffic?
a. Layer 3
b. Layer 7
c. Layer 4
d. Layer 2

Domain 4

1. Where can you purchase Panorama virtual appliances on Azure?
a. AWS Marketplace
b. Palo Alto Networks
c. Azure Marketplace
d. Third-party websites

2. If no license has been installed, within how many days from the upgrade date can you install
a valid device management license?
a. 180
b. 90
c. 150
d. 100

3. Panorama automatically performs a daily check-in with the licensing server. The check-in is
hard-coded to occur between which hours?
a. 12:00 a.m. to 1:00 a.m.
b. 12:00 a.m. to 12:30 a.m.
c. 1:00 a.m. to 1:30 a.m.
d. 1:00 a.m. to 2:00 a.m.

4. A Day 1 Configuration template supports which of the following?
a. IPv4
b. IPv6
c. MAC routing
d. VWire routing

5. Which three plugin configuration options are supported for use in Panorama? (Choose
three.)
a. Cisco ACI
b. GCP
c. OCI
d. AMC
e. VMware NSX

6. Where can you download the Docker files for CN-Series deployment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

7. Which three statements are true for Ultimate Test Drive? (Choose three.)
a. It is a conversion and demand-generation tool.
b. It is a training tool.
c. It is an evaluation acceleration tool.
d. It is a full demonstration of our platform.
e. It is a way to expose customers to new products and solutions.

8. In a Day 1 Configuration template, where can you configure IPv6 after the IPv4
configuration?
a. GUI
b. CLI
c. Cortex
d. Both GUI and CLI

9. What is the win rate for initial business opportunities that run a UTD?
a. 71%
b. 68%
c. 51%
d. 88%

Domain 5

1. Which three of the following are cloud policy rule types? (Choose three.)
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

2. Which Security policy rule type allows traffic from a zone to the same zone?
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

3. What does SCADA stand for?
a. Supervisory Communication and Data Acquisition
b. Supervisory Control and Data Acquisition
c. Supervisory Central and Data Acquisition
d. Supervisory Control and Data Association

4. Which of the following allows the firewall or Panorama to tag a policy object when it receives
a log that matches specific criteria?
a. A DAG
b. Zero Trust
c. Universal policy
d. Auto-tagging

5. What does CWPP stand for?
a. Cloud Workload Private Platform
b. Cloud Workload Public Platform
c. Cloud Workload Protection Platform
d. Cloud Workload Prevention Platform

6. Zero Trust policy is based on which method?
a. Bootstrap Method
b. Discovery Method
c. Kipling Method
d. Authentication Method

7. What are three of the DAAS elements? (Choose three.)
a. Data
b. Applications
c. Automation
d. Services

8. What can be autoscaled to ensure security when you need it most?
a. DNS Security
b. A dynamic address group
c. A virtual firewall
d. The Bootstrap Method

9. Intrusion prevention includes: (Choose three.)
a. Blocking potentially dangerous file types
b. Infinitely scalable real-time analysis of DNS requests
c. URL Filtering
d. Data Loss Prevention (DLP)

10. The virtual firewalls of which two cloud types secure virtualized compute resources and
hypervisors? (Choose two.)
a. Private cloud
b. Protected cloud
c. Public cloud
d. Hybrid cloud

Appendix B: Sample Test
These questions are intended to simulate taking the PSE Software Firewall Professional exam. They
are not the same as the sample questions provided earlier in this study guide.

1. Which of the following is a valid CN-MGMT metric to auto scale CN-Series firewall?
a. mgmtplanecpuutilizationpct
b. panthroughput
c. panpacketrate
d. pandataplaneslots

2. What does VPC stand for?
a. Virtual Public Cloud
b. Virtual Prisma Cloud
c. Virtual Private Cloud
d. Virtual Protected Cloud

3. In network segmentation, what are two advantages of subdividing the network into smaller
subnets and VLANs? (Choose two.)
a. It reduces the scope of broadcast packets.
b. You can isolate machines on different network segments.
c. It improves network performance.
d. It prevents a threat from spreading to other network segments.

4. Which three statements are true for the UTD? (Choose three.)
a. It is available to both prospects and customers.
b. It is free to use.
c. It can be delivered in person or online (webinar style).
d. It provides full coverage of our products.
e. It is a full demonstration of our platform.

5. Which of the following is an architecture-based approach to enhance network security?
a. Identity allocation
b. Network segmentation
c. Advanced URL Filtering
d. DNS sinkholing

6. Terraform templates may be used to secure workloads on which two platforms? (Choose
two.)
a. AWS
b. Azure
c. Jenkins
d. GitHub

7. VM-Series automation methods include which of the following? (Choose two.)
a. Zero Trust
b. PAN-OS API
c. URL Filtering
d. Bootstrapping

8. Which two statements are true for CN-Series deployment modes? (Choose two.)
a. They provide an automated security deployment.
b. They provide unlimited insertion options.
c. They leverage the auto scaling capabilities of Kubernetes.
d. They support I/O acceleration.

9. Microsegmentation helps provide consistent security across private and public clouds by
virtue of which three principles? (Choose three.)
a. Visibility
b. Granular security
c. Dynamic adaptation
d. Threat prevention
e. Exfiltration prevention

10. Which statement is true regarding CN-Series firewall licensing?
a. A single license is needed per management plane.
b. Credits are used to scale the data plane and add subscriptions.
c. Panorama manages the licenses.
d. A license is needed for both the management plane and data plane.

11. Which Palo Alto Networks service provides protection against new and unknown threats?
a. Advanced URL Filtering
b. DNS Security
c. GlobalProtect
d. Prisma SaaS

12. Panorama supports forwarding logs to:
a. Cortex Data Lake
b. A Log Collector
c. Either a Log Collector, the Cortex Data Lake, or both in parallel.
d. The Application Command Center

13. Which platform cannot run a VM-Series firewall natively?
a. NSX
b. OCI
c. Xen
d. GCP

14. Logical segmentation can be achieved using:
a. User-ID
b. Subnets
c. Timestamps
d. App-ID

15. What is Ansible?
a. It is a collection of scripts for collecting data.
b. It is an orchestration engine for task automation such as device configuration.
c. It is a module used to facilitate communication between network devices.
d. It is an open-source container orchestration system for automating software
deployment, scaling, and management.

16. Which Kubernetes auto scaling method allows your CN-Series firewall deployment to auto
scale dynamically along with your Kubernetes environment?
a. Horizontal pod auto scaling
b. Vertical cluster auto scaling
c. Cluster auto scaling
d. Namespace auto scaling

17. Where can you access the Day 1 Configuration? (Choose three.)
a. Assets > Network Security
b. Activate Products
c. Tools > Run Day 1 Configuration
d. Devices > Run Day 1 Config
e. Groups

18. Which two standards does HPA use for scaling?
a. CPU Utilization
b. Memory Utilization
c. Packet Buffer Utilization
d. Session Utilization

19. Where can you find the YAML files required to deploy the CN-Series firewall in your
Kubernetes environment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

20. Virtual wire interfaces will forward traffic from which of the following connected device
types?
a. Layer 2 switches
b. Layer 3 routers
c. Layer 7 firewalls
d. Layer 4 multiplexing
e. Layer 6 encryption

Appendix C: Answers to the Sample Test
Below are the answers to the sample test from Appendix B.

1. Which of the following is a valid CN-MGMT metric to auto scale a CN-Series firewall?
a. mgmtplanecpuutilizationpct
b. panthroughput
c. panpacketrate
d. pandataplaneslots

2. What does VPC stand for?
a. Virtual Public Cloud
b. Virtual Prisma Cloud
c. Virtual Private Cloud
d. Virtual Protected Cloud

3. In network segmentation, what are two advantages of subdividing the network into smaller
subnets and VLANs? (Choose two.)
a. It reduces the scope of broadcast packets.
b. You can isolate machines on different network segments.
c. It improves network performance.
d. It prevents a threat from spreading to other network segments.

4. Which three statements are true for the UTD? (Choose three.)
a. It is available to both prospects and customers.
b. It is free to use.
c. It can be delivered in person or online (webinar style).
d. It provides full coverage of our products.
e. It is a full demonstration of our platform.

5. Which of the following is an architecture-based approach to enhance network security?
a. Identity allocation
b. Network segmentation
c. Advanced URL Filtering
d. DNS sinkholing

6. Terraform templates may be used to secure workloads on which two platforms? (Choose
two.)
a. AWS
b. Azure
c. Jenkins
d. GitHub

7. VM-Series automation methods include which of the following? (Choose two.)
a. Zero Trust
b. PAN-OS API
c. URL Filtering
d. Bootstrapping

8. Which two statements are true for CN-Series deployment modes? (Choose two.)
a. They provide an automated security deployment.
b. They provide unlimited insertion options.
c. They leverage the auto scaling capabilities of Kubernetes.
d. They support I/O acceleration.

9. Microsegmentation helps provide consistent security across private and public clouds by
virtue of which three principles? (Choose three.)
a. Visibility
b. Granular security
c. Dynamic adaptation
d. Threat prevention
e. Exfiltration prevention

10. Which statement is true regarding CN-Series firewall licensing?
a. A single license is needed per management plane.
b. Credits are used to scale the data plane and add subscriptions.
c. Panorama manages the licenses.
d. A license is needed for both the management plane and data plane.

11. Which Palo Alto Networks service provides protection against new and unknown threats?
a. Advanced URL Filtering
b. DNS Security
c. GlobalProtect
d. Prisma SaaS

12. Panorama supports forwarding logs to:
a. Cortex Data Lake
b. A Log Collector
c. Either a Log Collector, the Cortex Data Lake, or both in parallel.
d. The Application Command Center

13. Which platform cannot run a VM-Series firewall natively?
a. NSX
b. OCI
c. Xen
d. GCP

14. Logical segmentation can be achieved using:
a. User-ID
b. Subnets
c. Timestamps
d. App-ID

15. What is Ansible?
a. It is a collection of scripts for collecting data.
b. It is an orchestration engine for task automation such as device configuration.
c. It is a module used to facilitate communication between network devices.
d. It is an open-source container orchestration system for automating software
deployment, scaling, and management.

16. Which Kubernetes auto scaling method allows your CN-Series firewall deployment to auto
scale dynamically along with your Kubernetes environment?
a. Horizontal pod auto scaling
b. Vertical cluster auto scaling
c. Cluster auto scaling
d. Namespace auto scaling

17. Where can you access the Day 1 Configuration? (Choose three.)
a. Assets > Network Security
b. Activate Products
c. Tools > Run Day 1 Configuration
d. Devices > Run Day 1 Config
e. Groups

18. Which two standards does HPA use for scaling?
a. CPU Utilization
b. Memory Utilization
c. Packet Buffer Utilization
d. Session Utilization

19. Where can you find the YAML files required to deploy the CN-Series firewall in your
Kubernetes environment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

20. Virtual wire interfaces will forward traffic from which of the following connected device
types?
a. Layer 2 switches
b. Layer 3 routers
c. Layer 7 firewalls
d. Layer 4 multiplexing
e. Layer 6 encryption

Appendix D: Glossary
● Access token - A virtual credential that can be used by an application to access an API. It
can either be an opaque string or a JSON Web Token.

● Access Control Lists (ACLs) - A set of rules that help to control network traffic and reduce
network attacks.

● Application Load Balancers (ALBs) - A feature of Elastic Load Balancer. See Elastic Load
Balancing (ELB).

● Application Programming Interface (API) - Enables two or more software programs to
communicate with each other by working as an intermediary.

● App-ID - A patented traffic-classification system available only in Palo Alto Networks
firewalls. It determines what an application is, irrespective of port, protocol, encryption (SSH
or SSL) or any other evasive tactic used by the application. It applies multiple classification
mechanisms—application signatures, application protocol decoding, and heuristics—to the
network traffic stream to accurately identify applications.

● Application Gateway - Used to help users access a web app. An application gateway creates
a temporary pinhole for a limited time and exclusively for transferring data or controlling
network traffic.

● Auto Scaling Groups (ASGs) - A logical grouping used in auto scaling and management.

● Azure Kubernetes Service (AKS) - A way to deploy Kubernetes on Azure and manage
Kubernetes environments hosted on Azure.

● Azure Resource Manager (ARM) Templates - Provide users with the ability to manage and
scale Azure services on a public or private cloud.

● Bootstrapping - Allows you to create a repeatable and streamlined process of deploying
new VM-Series firewalls on a network by creating a package with the model configuration
for the network and then using that package to deploy VM-Series firewalls.

● Breaking point - A network security test solution that simulates the good application traffic,
the bad malicious attack traffic, and the ugly malformed traffic to validate the network
performance and security posture, reduce risk, and increase attack readiness.

● Bridge protocol data unit (BPDU) - A data message used to detect loops in a network. A
BPDU contains information about ports, switches, port priority, and addresses.

● Bring your own license (BYOL) - A licensing model that allows flexible use of licenses
owned by a company.

● Cloud-Delivered Security Services (CDSS) - A group of services provided by Palo Alto
Networks to make cloud applications secure. CDSS include:
○ Advanced URL Filtering
○ DNS Security
○ Enterprise DLP
○ IoT Protection
○ SaaS Security
○ Threat Prevention
○ WildFire

● CloudFormation - A service by AWS that helps set up and model resources to reduce the
time spent in managing resources. CloudFormation templates can be used to autoscale
firewalls in AWS.

● CloudWatch - A monitoring and management service by AWS that provides actionable data
such as metrics and logs to better manage and optimize resources.

● Cloud Workload Protection Platform (CWPP) - Central to Palo Alto Networks strategy to
help organizations secure infrastructure, applications, and data across hybrid and
multicloud environments.

● Command-line interface (CLI) - A utility that allows the user to monitor and configure the
device.

● Container - An isolated environment in which an application or part of an application can
run. The processes that run inside a container are isolated from processes running in other
containers on the same server.

● Cortex Data Lake - A service by Palo Alto Networks that provides cloud-based, centralized
log storage and aggregation for on-premises and virtual firewalls, Prisma Access, and
cloud-delivered services such as Cortex XDR. The service is secure, resilient, and
fault-tolerant, and it ensures that logging data is up to date and available when needed. It
provides a scalable logging infrastructure that alleviates the need to plan and deploy Log
Collectors to meet log retention needs.

● CN-Series - The container-native version of the ML-Powered Next-Generation Firewall,
designed specifically for Kubernetes environments.

● CNI - Container Network Interface, which is a framework for the dynamic configuration of
networking resources.

● CRI-O - The name derives from CRI plus Open Container Initiative (OCI) because CRI-O is
strictly focused on OCI-compliant runtimes and container images. It allows you to run
containers directly from Kubernetes, without any unnecessary code or tooling.

● Daemonset - A controller that manages pods like Deployments, ReplicaSets, and
StatefulSets.

● Data loss prevention (DLP) - A security strategy that ensures that sensitive or confidential
information does not leak outside of the corporate network in a way that is unsafe or
noncompliant.

● Day 1 Configuration - A tool that helps build a sturdy baseline configuration by providing
best-practice configuration templates as a foundation on which you can build the rest of the
configuration.

● DevOps - A practice that unites development and operations teams throughout the
software-delivery process, enabling them to discover and remediate issues earlier, automate
testing and deployment, and reduce time to market.

● Docker - A software framework for building, running, and managing containers.

● Dynamic Host Configuration Protocol (DHCP) - Provides a framework for passing
configuration information to hosts on a TCP/IP network.

● EC2 - A service that provides scalable computing capacity to launch virtual machines. EC2,
or the AWS Elastic Compute Cloud, categorizes instance families—General Purpose,
Compute Optimized, Memory Optimized, Accelerate Networking, and Storage
Optimized—to fit different use cases and application profiles.

● Elastic Kubernetes Service (EKS) - A managed, Kubernetes-conformant service for running Kubernetes on AWS.

● ELB - Elastic Load Balancing, which automatically distributes application traffic for multiple
targets and virtual appliances in one or more availability zones.

● Endpoint - Refers to any remote computing device—such as a desktop, laptop, mobile
phone, and so on—that communicates with a network.

● Enterprise Network Compute System (ENCS) - A branch virtualization tool by Cisco that
can help deploy network services in minutes.

● ESXi - Elastic Sky X Integrated. A hypervisor that runs directly on system hardware without
the need for an operating system.

● Exploit - A piece of code or a program that takes advantage of a weakness in an application
or system. Exploits are typically divided into the resulting behavior after the vulnerability is
exploited, such as arbitrary code execution, privilege escalation, denial of service, or data
exposure.

● GitHub - A website and cloud-based service that helps developers store and manage their
code, as well as track and control changes to their code.

● GlobalProtect - Provides a complete infrastructure for managing your mobile workforce to
enable secure access for all your users, regardless of what endpoints they are using or where
they are located. It includes the following components:
○ GlobalProtect Portal
○ GlobalProtect Gateways
○ GlobalProtect App

● Google Cloud Platform (GCP) - A suite of cloud computing services offered by Google that
runs on the same infrastructure that Google uses internally for its end-user products, such as
Google Search, Gmail, Google Drive, and YouTube.

● Google Kubernetes Engine (GKE) - A fully managed Kubernetes service that helps you
deploy Kubernetes on GCP.

● Graphical user interface (GUI) - An interface through which a user interacts with electronic
devices such as computers and smartphones using icons, menus, and other visual indicators
or representations.

● High availability (HA) - A deployment in which two firewalls are placed in a group and their
configuration is synchronized to prevent a single point of failure on your network. A
heartbeat connection between the firewall peers ensures seamless failover in the event that
a peer goes down.

● HTTP - Hypertext Transfer Protocol (HTTP). This is an application-layer protocol model for
distributed, collaborative, hypermedia information systems.

● Hub-and-Spoke Architecture - Hub-and-spoke is a type of message-oriented broker. It uses
a central message broker, and the communication between each application is done via this
broker.

● Hyper-V - A standalone hypervisor or an add-on/role for Windows Server.

● Hypervisor - Technology that allows multiple virtual (or guest) operating systems to run
concurrently on a single physical host computer.

● Instance - A copy of a software or application running on a physical or virtual machine.

● Internet Protocol (IP) address - A 32-bit or 128-bit identifier assigned to a networked device
for communications at the Network layer of the OSI model or the Internet layer of the TCP/IP
model. See also Open Systems Interconnection (OSI) model and Transmission Control
Protocol/Internet Protocol (TCP/IP) model.

● Kernel-based Virtual Machine (KVM) - An open-source virtualization module for servers
running Linux distributions.

● Lambda - An event-driven, serverless computing platform that is part of Amazon Web
Services. Lambda layers are ZIP archives that contain libraries, custom runtimes, or other
dependencies. These layers let you add reusable components to your functions and focus
deployment packages on business logic.

● Load Balancer - A traffic cop for networks to balance the load on various VPCs inside an
application. It is used to scale up and down any application based on demand.

● Log - A detailed audit trail of all the changes made to a network.

● Malware - A file or code, typically delivered over a network, that infects, explores, steals, or
conducts virtually any behavior an attacker wants.

● Mean time to resolution (MTTR) - The average time to fully recover from a failure.

● MFA - Multi-factor authentication (MFA). An electronic authentication method in which
access is granted to a user only after successful presentation of two or more pieces of
evidence to an authentication mechanism: knowledge, possession, and inherence.

● Monolithic architecture - A traditional software-development model that describes the
development of an application as a single block.

● Network Address Translation (NAT) - A method of mapping an IP address or IP address
space into another by modifying network address information in the IP header of packets. A
common use for NAT is to obscure the real IP address of a host that needs access to public
addresses.

● Net present value (NPV) - The total value of all future cash flows generated by a project.

● NLBs - Network Load Balancers

● NSX-T - Offers a flexible software-defined infrastructure to create environments for cloud
native applications. It makes networking and security operations easier.

● OAM - Operations, administration, and maintenance

● OpenShift - A cloud-based Kubernetes platform that helps developers build applications. It
offers automated installation, upgrades, and life-cycle management throughout the
container stack.

● Oracle Cloud Infrastructure (OCI) - A set of products and services that allow customers to
manage and scale their networks.

● OVA - Open Virtualization Alliance

● PAN-DB - A URL and IP database from Palo Alto Networks, integrated with PAN-OS.

● PAN-OS - The software that runs all Palo Alto Networks next-generation firewalls. By
leveraging the key technologies that are built into PAN‑OS—App‑ID, Content‑ID, Device-ID,
and User‑ID—you can have complete visibility and control of the applications in use across
all users and devices in all locations all the time.

● Panorama - A centralized management system that provides global visibility and control
over multiple Palo Alto Networks next-generation firewalls through an easy-to-use
web-based interface.

● Persistent Volume (PV) - A piece of storage inside the cluster that has been provisioned by
administrators or dynamically provisioned by storage classes.

● Plugin - A software add-on that adds a feature to an existing program. Plugins help you use
functionalities that are not native to an application, without upgrading or changing the
entire application.

● POC (Proof of Concept) - The most effective test you can run to make sure you are getting
the right NGFW for your environment.

● Pod - The smallest building block of a Kubernetes cluster. A pod can contain one or more
containers.

● Private cloud - A cloud computing model that consists of a cloud infrastructure used
exclusively by a single organization.

● Protect surface - In a Zero Trust architecture, the protect surface consists of the most
critical and valuable data, assets, application, and services on a network.

● Protocol data units (PDUs) - Chunks of information that are sent between various entities
within networks. This information can be used to control things like addresses or data. In
layered systems, a PDU represents a unit of data specified in the protocol of a given layer,
which includes protocol control information and user data.

● Public cloud - A cloud computing deployment model that consists of a cloud infrastructure
open to use by the general public.

● Pub/sub - Also known as publish/subscribe messaging, this is a messaging service used in
serverless or microservices architectures.

● Quality of Service - The use of mechanisms or technologies to control traffic and ensure the
performance of critical applications on a network with limited capacity.

● Representational State Transfer (REST) API - Allows for interaction with RESTful web
services. It works on the REST Architecture, hence the name. The Panorama REST API allows
you to manage firewalls and Panorama through a third-party service, application, or script.

● Routes - Predefined paths for data-packet traffic to flow between or across multiple
networks.

● SaaS - Software as a service (SaaS). A software licensing method that provides software
licensing on a subscription basis. It uses a delivery model that is centrally hosted.

● Secure Sockets Layer (SSL) proxy - Performs Secure Sockets Layer encryption and
decryption between server and client.

● Security policy - Protects network assets from threats and disruptions and helps to
optimally allocate network resources for enhancing productivity and efficiency in business
processes. On a Palo Alto Networks firewall, individual Security policy rules determine
whether to block or allow a session based on traffic attributes, such as the source and
destination security zone, the source and destination IP address, the application, the user,
and the service.

● Simple Network Management Protocol (SNMP) - Used to manage and monitor LAN or
WAN networks.

● Simple Notification Service (SNS) - An AWS service used to send notifications directly to
the customers.

● Simple Storage Service (S3) - A scalable and affordable storage service by AWS.

● Software-Defined Network (SDN) - A networking approach that uses software-based
controllers or APIs to communicate with underlying hardware infrastructure and direct
traffic on a network.

● Software-Defined Wide Area Network (SD-WAN) - A technology that allows you to use
multiple internet and private services to create an intelligent and dynamic WAN. It helps
lower costs and maximize application quality and usability.

● Stateful set - The workload API object used to manage stateful applications.

● Subnet IP address (SNIP) - An IP address that is owned and used by the Citrix ADC to
communicate with the Citrix servers. The Citrix ADC proxies client connections to servers by
using the subnet IP address as the source IP address.

● Tags - Used to identify the purpose of a rule or a configuration object and better organize
your rulebase. You can tag objects to group related items and add color to the tag to visually
distinguish them for easy scanning. You can create tags for the following objects: address
objects, address groups, user groups, zones, service groups, and policy rules.

● Template stack - Used to configure the setting that enables firewalls to operate on
networks. Templates are the basic building blocks you use to configure the Network and
Device tabs on Panorama. Template stacks give you the ability to layer multiple templates
and create a combined configuration. They simplify management by allowing you to define
a common base configuration for all devices attached to the template stack.

● Threat signature - A typical footprint or pattern associated with a malicious attack on a
computer network or system. There are three types of Palo Alto Networks threat signatures,
each designed to detect different types of threats as the firewall scans network traffic:
○ Antivirus signatures - Detect viruses and malware found in executables and file types.
○ Anti-spyware signatures - Detect command-and-control activity, where spyware on
an infected client is collecting data without the user's consent and/or
communicating with a remote attacker.
○ Vulnerability signatures - Detect system flaws that an attacker might otherwise
attempt to exploit.

● Throughput - A measure of the number of data packets that can be processed in a unit of
time. It is the rate of successful packet deliveries over a channel.

● Ultimate Test Drives (UTDs) - Guided, hands-on experiences designed to familiarize
participants with Palo Alto Networks technology and to enhance their understanding of
how our products work and how they can improve an organization’s security posture.

● User defined routing (UDR) table - Used to route traffic in a subnet in Azure. In the absence
of UDR, Azure uses the default routes.

● Virtual LAN (VLAN) - A logical overlay network that isolates the traffic for each group of
devices that share a physical LAN and groups them together.

● Virtual Machine Scale Sets (VMSS) - A native service of Azure that allows you to create and
manage a group of load-balanced virtual machines.

● Virtual Private Cloud (VPC) - An on-demand configurable pool of shared resources
allocated within a public cloud environment, providing a certain level of isolation between
the different organizations using the resources.

● Visibility - A firewall’s ability to track and log the traffic irrespective of its origin or
destination.

● VM authentication key - Allows Panorama to authenticate the newly bootstrapped
VM-Series firewall.

● VM Monitoring - Provides an automated way to gather information on the VM inventory on
each monitored source (host). As virtual machines (guests) are deployed or moved, the
firewall collects a predefined set of attributes (or metadata elements) as tags; these tags can
then be used to define dynamic address groups and be matched against in policy.

● VMware ESXi - An operating-system-independent hypervisor, based on the VMkernel
operating system, that communicates with agents operating on top of it.

● VNet - One of the fundamental building blocks of Azure private network. VNet, or Azure
Virtual Network, enables services like Azure Virtual Machines to communicate securely with
both on-premises and external networks.

● WildFire - Identifies previously unknown malware and generates signatures that Palo Alto
Networks firewalls can use to detect and block the malware.

● XSOAR Marketplace - The central location for installing, exchanging, contributing, and
managing your content, including playbooks, integrations, automations, fields, layouts, and
more.

● YAML - A data-serialization language that is commonly used in configuration files. The
acronym stands for “yet another markup language” or “YAML ain't markup language.”

● Zero Trust - A business-driven, strategic approach to secure your most critical data,
applications, assets, and services (DAAS).

Appendix E: What’s Different in This Study Guide
As this is the first release of this Study Guide, there are no changes of note.

Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and
expertise to prepare you to protect our way of life in the digital age. Our trusted security
certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent
successful cyberattacks and to safely enable applications. A full description of offerings can be
found at the Palo Alto Networks Education Services main site.

Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class. More information can be found at the Palo Alto Networks
Education Services site (https://www.paloaltonetworks.com/services/education) and also at Beacon
(https://beacon.paloaltonetworks.com/student/catalog).

Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide.

For class schedule, location, and training offerings, see:
https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community
You also can learn from your peers and other experts in the field. Check out our community site at
https://live.paloaltonetworks.com, where you can:

● Discover reference material
● Learn best practices
● Learn what is trending
