Study Guide
July 2022
You can read through this study guide from start to finish, or you may jump straight to topics you
would like to study. Hyperlinked cross-references will help you locate important definitions and
background information from earlier sections.
Related training resources are available from Palo Alto Networks on Beacon:
https://beacon.paloaltonetworks.com/student/collection/1047805-software-firewall?sid=cb6be9c1-99cc-403c-9687-69d95bc21600&sid_i=0
Exam Format
The exam format is 60 multiple-choice questions. Candidates will have five minutes to complete
the Non-Disclosure Agreement, 80 minutes (1 hour, 20 minutes) to complete the exam questions,
and five minutes to complete an exit survey.
The approximate distribution of items by topic (Exam Domain) and topic weightings are shown
in the following table.
The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks
Disclaimer
This study guide is intended to provide information about the objectives covered by this exam,
related resources, and recommended courses. The material contained within this study guide is not
intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks
recommends that candidates thoroughly understand the objectives indicated in this guide and use
the resources and courses recommended in this guide where needed to gain that understanding.
Skills Required
● You can describe the technical business value of various software firewall tools and
processes.
● You have experience in the planning and architectural designing of VM-Series, CN-Series,
and cloud-delivered next-generation firewalls (NGFWs).
● You have passed the PSE: Foundation course, PSE: Strata Associate exam (strongly
recommended), and PSE: Software Firewall Associate exam.
Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training
courses or equivalent digital-learning courses:
● PSE: Strata Associate course
● PSE: Software Firewall Associate course
● SE Bootcamp (internal only)
However, with various attackers looking to exploit these systems with known and unknown
vulnerabilities, malware, etc., protecting the cloud-based assets is a challenge for security teams.
In the last decade, many network security and firewall security appliances have flooded the global
IT security market. Palo Alto Networks has managed to break into this saturated market with its
state-of-the-art products to provide ironclad security to your virtual assets.
The Palo Alto Networks software next-generation firewall (NGFW) portfolio provides a variety of
products that cover most of your security requirements across multiple environments. Their close
integration with leading public clouds such as AWS, Azure, and Google Cloud Platform (GCP) provides
secure, easy-to-deploy firewalls that can be configured centrally. Palo Alto Networks software firewalls
include the VM-Series firewalls, CN-Series firewalls, and Cloud NGFW.
The VM-Series firewalls protect private and public cloud deployments with segmentation and
threat prevention. The CN-Series next-generation container firewalls secure Kubernetes
environments. The Cloud NGFW for AWS protects AWS deployments with network security
delivered as a managed cloud service by Palo Alto Networks.
This Palo Alto Networks Software Firewall study guide provides a detailed overview of how to
protect public and private clouds, virtualized data centers, branch locations, and containerized
environments with virtual, container, and cloud next-generation firewalls.
A software firewall is a network security solution designed specifically for environments in which
deploying hardware firewalls is difficult or impossible, such as public and private clouds,
software-defined networks (SDNs), and software-defined wide-area networks (SD-WANs).
Similar to hardware firewalls, software firewalls grant or reject network access to traffic flows
between untrusted zones and trusted zones. Unlike hardware firewalls, which are physically located
on-premises in data centers, software firewalls are ideal for securing virtual environments. Software
firewalls can also be deployed as virtualized instances of next-generation firewalls.
Palo Alto Networks VM-Series virtualized next-generation firewalls protect applications, data, and
users across a wide range of public cloud, virtualization, and branch environments. They provide all
the capabilities of the physical Palo Alto Networks next-generation firewall in a virtual machine
form factor.
These virtualized instances of the industry-leading next-generation firewall provide application and
user visibility for informed security decisions, segment networks for security and compliance,
prevent advanced attacks within allowed application flows, control application access with
user-based policies, and ensure policy consistency through Panorama™ network security
management to secure environments vital for competitiveness and innovation.
VM-Series
VM-Series is the virtualized form factor of the Palo Alto Networks next-generation firewall. To meet
the growing need for inline security across diverse cloud and virtualization use cases, you can
deploy the VM-Series firewall on a wide range of private and public cloud computing environments.
For more details on VM-Series and its deployment, refer to Section 2.1.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series
Firewalls in AWS.
● All VM-Series firewall interfaces must be assigned an IPv4 address when deployed
in a public cloud environment. IPv6 addresses are not supported.
The VM-Series Auto Scaling template for integration with an AWS GWLB includes the following
building blocks:
Bootstrap files: This solution requires the init-cfg.txt file and the bootstrap.xml file so that the
VM-Series firewall has the basic configuration for handling traffic.
● The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the
firewall to receive data-plane traffic on its primary interface. This auto scaling solution
requires swapping the data-plane and management interfaces to enable the GWLB to forward
web traffic to the auto scaling tier of VM-Series firewalls.
● The bootstrap.xml file enables basic connectivity for the firewall network interfaces and
allows the firewall to connect to the AWS CloudWatch namespace that matches the stack
name you enter when you launch the template.
The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation
only. For a production deployment, you must modify the sample credentials in the bootstrap.xml
prior to launch.
The VM-Series auto scaling templates enable you to deploy a single auto scaling group (ASG) of
VM-Series firewalls to secure inbound traffic from the internet to your application workloads on
AWS. You can deploy the VM-Series firewall ASG and the application workloads within a single VPC
as shown:
You can also deploy the firewall ASG in a centralized VPC and your application workloads in
separate VPCs within the same region. These will form a hub-and-spoke architecture, as shown:
But as organizations move more and more workloads into the cloud, setting up security becomes a
top-of-mind concern. With this integration, VM-Series virtual next-generation firewalls augment
native Microsoft Azure network security capabilities with next-generation threat protection. This
includes preventing exploits, malware, previously unknown threats, and data exfiltration to keep
apps and data in Azure safe.
Palo Alto Networks offers the VM-Series software firewall integration with Azure Gateway Load
Balancer, which provides simplified connectivity while ensuring secure support for critical
zone-based policies for internet ingress traffic.
But with the new VM-Series and Azure Gateway Load Balancer integration, traffic packet headers
and payload are kept intact, which provides complete visibility of the source’s identity as traffic
travels to its destination.
In addition, the VM-Series integration with Azure Gateway Load Balancer is also designed to provide
the following customer benefits:
Configuration on Azure
Key Idea
● If you have more than one VMSS in an Azure subscription, you must use a
single Panorama appliance to manage them.
If the deployed firewall reaches the configured threshold and a scale-out event occurs, a new
instance of the VM-Series firewall will be launched. The deployed firewall is bootstrapped, and it will
connect to Panorama to obtain its licenses and configuration.
When a scale-in event occurs, the Panorama plugin deactivates licenses on the firewall, and the IP
address of the firewall is removed from the VMSS. The internal load balancer will no longer route
traffic to the firewall.
Configuration on GCP
Palo Alto Networks provides auto scaling templates for GCP, which you can download from
https://github.com/PaloAltoNetworks/GCP-AutoScaling. Each folder is a template directory
containing several files; however, you only need to edit the following YAML files:
● Firewall Templates: These templates help you create VM-Series firewalls and other
deployment resources. You can use them to create new networks and the familiar
subnetworks for the VM-Series firewall: management, untrust, and trust. They also help
you deploy a Cloud publish/subscribe (Pub/Sub) messaging service to relay information
from GCP to the Panorama plugin for GCP. With this infrastructure in place, the plugin
can:
○ Leverage dynamic address groups to apply Security policy on inbound traffic routed
to services running on GCP
○ Use auto scale metrics to deploy VM-Series firewalls to meet increased demand for
application workload resources or to eliminate firewalls that are no longer needed.
CN-Series
The Palo Alto Networks CN-Series container firewall is the first next-generation firewall
purpose-built to secure Kubernetes orchestration environments from network-based attacks.
The Palo Alto Networks CN-Series containerized firewall is the best-in-class next-generation firewall
purpose-built to secure Kubernetes environments from network-based attacks. The CN-Series
firewall enables network security teams to gain Layer 7 visibility into Kubernetes environments,
provide inline threat protection for containerized applications deployed anywhere, and dynamically
scale security without compromising DevOps agility.
For more details on CN-Series and its deployment, refer to Section 2.1.
The Horizontal Pod Autoscaler (HPA) uses two standard metrics across all cloud environments—CPU and
memory utilization—as well as custom metrics specific to each cloud environment. Each cloud requires
specific YAML files to enable HPA in Azure Kubernetes Services (AKS), Elastic Kubernetes Services (EKS),
and Google Kubernetes Engine (GKE).
Configuration
HPA retrieves metrics data from a monitoring adapter in the cloud environment, such as
CloudWatch in EKS, to determine when to scale up or down based on the thresholds you define.
You must modify the necessary YAML files to set the minimum and maximum number of replicas, the
thresholds for each metric, and which metrics are used to auto scale your firewalls.
Scaling is determined by dividing the total metric by the metric threshold and then deploying
enough pods to bring the metric down to the configured threshold across all CN-NGFW pods in the
cluster. However, the cluster will not deploy more CN-NGFW pods than the specified maxReplicas
defined. If more than one metric exceeds the threshold at the same time, the cluster will deploy the
necessary number of pods to address the higher metric.
By default, the HPA adapter polls the metrics adapter every 15 seconds. If the metrics you have
specified exceed the configured threshold for the time specified in stabilizationWindowSeconds
inside the scaleUp, the cluster will deploy an additional CN-NGFW pod. The cluster then waits for
the time specified in stabilizationWindowSeconds inside the scaleDown before deciding whether
additional CN-NGFW pods are required. By default, one pod is deployed at a time.
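As an added illustration that is not part of the study guide, the scaling arithmetic described in the preceding paragraphs replayed in Python over constructed metric samples. `HpaSpec`, `HpaController`, the per-metric threshold model and the sample totals are this example's own simplifications; the field names in the comments point at the HPA YAML fields the guide mentions.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

POLL_SECONDS = 15  # default interval at which HPA polls the metrics adapter (from the guide)


@dataclass
class HpaSpec:
    """Knobs the guide says live in the HPA YAML. The per-pod threshold per metric
    is a constructed simplification of the HPA metric targets (assumption)."""
    min_replicas: int
    max_replicas: int
    thresholds: Dict[str, float]   # metric name -> threshold per CN-NGFW pod
    scale_up_window: int = 0       # scaleUp.stabilizationWindowSeconds
    scale_down_window: int = 300   # scaleDown.stabilizationWindowSeconds
    pods_per_step: int = 1         # one pod at a time by default, as the guide states


def desired_replicas(spec: HpaSpec, totals: Dict[str, float]) -> int:
    """Divide each metric's cluster-wide total by its threshold; the metric that
    asks for the most pods wins; the result is clamped to [minReplicas, maxReplicas]."""
    wanted = 0
    for name, threshold in spec.thresholds.items():
        if threshold <= 0:
            raise ValueError(f"threshold for {name} must be positive")
        wanted = max(wanted, math.ceil(totals.get(name, 0.0) / threshold))
    return max(spec.min_replicas, min(spec.max_replicas, wanted))


class HpaController:
    """Replays the poll loop: a scale decision is acted on only after the desired
    count has stayed above (or below) the current count for the whole stabilization
    window, and each decision then moves at most pods_per_step pods."""

    def __init__(self, spec: HpaSpec, replicas: int) -> None:
        self.spec, self.replicas = spec, replicas
        self._direction: Optional[str] = None   # "up" / "down" while a change is pending
        self._held = 0                           # seconds the pending direction has persisted

    def tick(self, totals: Dict[str, float]) -> int:
        """One poll of the metrics adapter; returns the replica count afterwards."""
        target = desired_replicas(self.spec, totals)
        if target == self.replicas:
            self._direction, self._held = None, 0
            return self.replicas
        direction = "up" if target > self.replicas else "down"
        window = self.spec.scale_up_window if direction == "up" else self.spec.scale_down_window
        if direction != self._direction:         # condition (re)appeared on this poll
            self._direction, self._held = direction, 0
        else:
            self._held += POLL_SECONDS
        if self._held < window:
            return self.replicas                  # keep waiting out the window
        step = min(self.spec.pods_per_step, abs(target - self.replicas))
        self.replicas += step if direction == "up" else -step
        self._direction, self._held = None, 0
        return self.replicas


def demo() -> List[int]:
    """Constructed run: a CPU burst across the pod set, then a quiet period."""
    spec = HpaSpec(min_replicas=2, max_replicas=4,
                   thresholds={"cpu": 80.0, "memory": 70.0},
                   scale_up_window=0, scale_down_window=60)
    hpa = HpaController(spec, replicas=2)
    samples = [{"cpu": 250.0, "memory": 90.0}] * 4 + [{"cpu": 60.0, "memory": 50.0}] * 8
    return [hpa.tick(totals) for totals in samples]
```

With a zero scale-up window the burst adds one pod per poll until the CPU total is covered, while the scale-in waits the full 60 seconds of low load before removing a single pod.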
1.1.1 References
● Auto Scaling the VM-Series Firewall on Azure
1.2 Explain the value and operational efficiency of dynamic address groups (DAGs)
To simplify the creation of Security policies, all the IP addresses, FQDNs, etc., that require the same
security settings can be combined into address groups. An address group can be static or dynamic.
A dynamic address group (DAG) populates its members dynamically using tag-based filtering
criteria. A DAG allows you to:
Dynamic address groups are very useful if you have an extensive virtual infrastructure where
changes in virtual machine location/IP address/Cluster (Pods) are frequent. For example, in an
environment that needs to provision new virtual machines frequently, a DAG could be referenced
as a match condition within a Security policy rule that applies to traffic from or to the new machine.
This would allow the dynamic addition or removal of the virtual device without the need to
manually add the device’s information directly to the rule each time a change is required.
The tag-based filter uses logical (“and” and “or”) operators. All IP addresses or address groups that
match the filtering criteria become members of the dynamic address group.
You can associate (register) tags with a firewall statically or dynamically. Static tags are a part of the
configuration on the firewall, whereas dynamic tags are a part of the runtime configuration. As a
result, once a policy rule referencing a DAG using dynamic tags is committed to a firewall, a commit
is not required to update dynamic tags with any subsequent changes. The changes are dynamically
applied to the DAG and referenced by the policy rule as appropriate.
To use a dynamic address group in the policy, you must complete the following tasks:
To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or
on the User-ID agent. Each tag is a metadata element or attribute-value pair that is registered on
the firewall or Panorama.
Each registered IP address can have up to 32 tags, such as the operating system, the data center, or
the virtual switch to which it belongs. Within 60 seconds of receiving an API call containing tag
updates, the firewall registers the IP address and associated tags and automatically updates the
membership information for the DAGs.
DAGs can also include statically defined address objects. If you create an address object and apply
the same tags that you have assigned to a DAG, the DAG will include all static and dynamic objects
that match the tags. You can, therefore, use tags to pull together both dynamic and static objects
within the same address group.
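As an added example that is not part of the study guide, the following Python models how a DAG resolves its members from registered tags (including the no-commit update when tags change and the 32-tag limit) and how tags are registered and unregistered through an XML API uid-message. The filter grammar (quoted tag names joined by and/or, without parentheses), the `Registry` type, and the sample IPs and tags are this example's own assumptions and constructed data.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Optional, Set, Tuple

MAX_TAGS_PER_IP = 32            # per-IP tag limit stated in the guide
Registry = Dict[str, Set[str]]  # ip -> tags; runtime state, so no commit is needed


def register(reg: Registry, ip: str, tags: Iterable[str]) -> None:
    merged = reg.get(ip, set()) | set(tags)
    if len(merged) > MAX_TAGS_PER_IP:
        raise ValueError(f"{ip} would carry {len(merged)} tags (limit {MAX_TAGS_PER_IP})")
    reg[ip] = merged


def unregister(reg: Registry, ip: str, tags: Iterable[str]) -> None:
    remaining = reg.get(ip, set()) - set(tags)
    if remaining:
        reg[ip] = remaining
    else:
        reg.pop(ip, None)       # no tags left: the IP drops out of every DAG


_TAG = re.compile(r"^'([^']*)'$")


def compile_filter(match: str):
    """Turn a match expression such as 'env.prod' and 'app.web' or 'app.api'
    into a predicate over a tag set. Assumed grammar: quoted tag names joined
    by and / or with 'and' binding tighter (parentheses are not handled here);
    any other token raises, so a malformed filter fails closed."""
    clauses: List[Set[str]] = []
    for clause in re.split(r"\s+or\s+", match.strip()):
        needed = set()
        for term in re.split(r"\s+and\s+", clause):
            m = _TAG.match(term.strip())
            if not m:
                raise ValueError(f"bad filter term {term!r}")
            needed.add(m.group(1))
        clauses.append(needed)
    return lambda tags: any(needed <= tags for needed in clauses)


def dag_members(match: str, reg: Registry,
                static_objects: Optional[Registry] = None) -> Set[str]:
    """Registered IPs plus statically tagged address objects that satisfy the filter."""
    predicate = compile_filter(match)
    candidates = list(reg.items()) + list((static_objects or {}).items())
    return {addr for addr, tags in candidates if predicate(tags)}


def build_uid_message(register_map: Optional[Registry] = None,
                      unregister_map: Optional[Registry] = None) -> str:
    """uid-message body for the XML API (type=user-id&cmd=...), in the
    register/unregister shape as I understand the PAN-OS format (assumption)."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "2.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    for action, mapping in (("register", register_map), ("unregister", unregister_map)):
        if mapping:
            section = ET.SubElement(payload, action)
            for ip, tags in sorted(mapping.items()):
                tag_el = ET.SubElement(ET.SubElement(section, "entry", ip=ip), "tag")
                for tag in sorted(tags):
                    ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def apply_uid_message(xml_text: str, reg: Registry) -> None:
    """Apply a uid-message to the registry the way the firewall updates its tag table."""
    root = ET.fromstring(xml_text)
    for action, handler in (("register", register), ("unregister", unregister)):
        for entry in root.iterfind(f"./payload/{action}/entry"):
            handler(reg, entry.get("ip"), [m.text for m in entry.iterfind("./tag/member")])


FILTER = "'env.prod' and 'app.web' or 'env.prod' and 'app.api'"


def demo() -> Tuple[Set[str], Set[str]]:
    reg: Registry = {}
    # Constructed sample: VM Monitoring registers tags for three workloads.
    apply_uid_message(build_uid_message(register_map={
        "10.10.1.5": {"env.prod", "app.web"},
        "10.10.1.6": {"env.prod", "app.api"},
        "10.10.2.9": {"env.dev", "app.web"},
    }), reg)
    before = dag_members(FILTER, reg)
    # The dev host is re-tagged as prod: membership changes without a commit.
    apply_uid_message(build_uid_message(register_map={"10.10.2.9": {"env.prod"}},
                                        unregister_map={"10.10.2.9": {"env.dev"}}), reg)
    return before, dag_members(FILTER, reg)
```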
1.2.1 References
● Use Dynamic Address Groups in Policy
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy
● Objects > Address Groups
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-address-groups
VM-Series Plugin
The VM-Series plugin for VM-Series firewalls is a single plugin that enables integration with public
cloud environments, such as GCP, Azure, and AWS, and private cloud hypervisors such as KVM, ESXi,
and others. The VM-Series plugin is pre-installed on the VM-Series firewall; you can upgrade or
downgrade it, but you cannot delete it. When you deploy the firewall, the built-in plugin
automatically detects the virtual environment on which the firewall is deployed and loads up the
plugin components that enable you to manage interactions within that environment.
The plugin also enables publishing custom metrics to cloud-monitoring services (such as AWS
CloudWatch), bootstrapping, configuring user credential provisioning information from public
cloud environments, and seamless updates for cloud libraries or agents on PAN-OS. For example,
when you deploy the VM-Series firewall on GCP, the VM-Series firewall loads the plugin components
that enable integration with GCP. You can then use the VM-Series plugin to configure the VM-Series
firewall on GCP to publish metrics to Google Stackdriver Monitoring.
Similarly, for VM-Series firewalls deployed on Azure, the VM-Series plugin enables you to configure
the firewall to publish metrics to Azure Application Insights or set up the details that the firewalls
need to function as a high availability (HA) pair.
Key Idea
● The VM-Series plugin does not manage capabilities that are common to both
VM-Series firewalls and hardware-based firewalls. For example, VM Monitoring is
not part of the VM-Series plugin because it is a core PAN-OS feature that helps
you enforce policy consistently on your virtual machine workloads from both
VM-Series firewalls and hardware-based firewalls.
● The VM-Series plugin does not manage Panorama plugins. For the difference
between the VM-Series plugin and Panorama plugins, see VM-Series Plugin and
Panorama Plugins.
Panorama Plugins
On Panorama, the VM-Series plugin is available but is not pre-installed. If you choose to use
Panorama to manage the integrations on your firewalls, install the VM-Series plugin on Panorama
to establish communication with the VM-Series plugin on your firewalls.
Key Idea
● For plugin installations required on both Panorama and managed firewalls, the
plugin version installed on Panorama must be equal to or higher than the plugin
version installed on managed firewalls.
The Panorama plugins are for both hardware-based firewalls and VM-Series firewalls. Because
Panorama plugins are optional, you can add, remove, reinstall, or upgrade them on Panorama.
Panorama plugins are not built in; you must install a plugin to enable communication with the
environment you need. For example, you use the Cloud Services plugin on Panorama to enable the
setup between Panorama/firewalls and the Cortex Data Lake. The GCP plugin on Panorama enables
communication between Panorama and your GCP deployment so that you can secure the traffic
entering or exiting a service deployed in GCP.
Panorama's extensible plugin architecture enables integration and configuration of the following:
● AIOps—The AIOps plugin enables you to enforce best practice checks by validating your
commits and letting you know if a policy needs work before you push it to Panorama.
● AWS—The AWS plugin enables you to monitor your EC2 workloads on AWS. With the
plugin, you can enable communication between Panorama (running PAN-OS 8.1.3 or
later) and your AWS VPCs so that Panorama can collect a predefined set of attributes (or
metadata elements) as tags for your EC2 instances and register the information to your
● Azure—The Azure plugin enables you to monitor your virtual machines on the Azure
public cloud. With the plugin, you can enable communication between Panorama
(running PAN-OS 8.1.6 or later) and your Azure subscriptions so that Panorama can collect
a predefined set of attributes (or metadata elements) as tags for your Azure virtual
machines and register the information to your Palo Alto Networks firewalls. When you
reference these tags in dynamic address groups and match against them in Security
policy rules, you can consistently enforce policies across all assets deployed within VNets
in your subscriptions.
● Cisco ACI—The Cisco ACI plugin enables you to monitor endpoints in your Cisco ACI
fabric. With the plugin, you enable communication between Panorama (8.1.6 or later) and
your Cisco APIC so that Panorama can collect endpoint information as tags for your
endpoint groups and register the information to your Palo Alto Networks firewalls. When
you reference these tags in dynamic address groups and match against them in Security
policy rules, you can consistently enforce policies across all assets deployed within your
Cisco ACI fabric.
● Cloud Services—The Cloud Services plugin enables the use of the Cortex Data Lake and
Prisma® Access. The Cortex Data Lake solves operational logging challenges, and the
Prisma Access cloud service extends your security infrastructure to your remote network
locations and mobile workforce.
● GCP—The GCP plugin enables you to secure Kubernetes services in a Google Kubernetes
Engine (GKE) cluster. You can configure the Panorama plugin for GCP to connect to your
GKE cluster and learn about the services that are exposed to the internet.
● SD-WAN—The Software-Defined Wide Area Network (SD-WAN) plugin allows you to use
multiple internet and private services to create an intelligent and dynamic WAN, which
helps lower costs and maximize application quality and usability. Instead of using costly
and time-consuming Multiprotocol Label Switching (MPLS) with components such as
routers, firewalls, WAN path controllers, and WAN optimizers, SD-WAN on a Palo Alto
Networks firewall allows you to use less expensive internet services and fewer pieces of
equipment.
● VMware NSX—The VMware NSX plugin enables integration between the VM-Series
firewall on VMware NSX with VMware NSX Manager. This integration allows you to deploy
the VM-Series firewall as a service on a cluster of ESXi servers.
● VMware vCenter—The Panorama plugin for VMware vCenter allows you to monitor the
virtual machines in your vCenter environment. The plugin retrieves IP addresses of virtual
machines in your vCenter environment and converts them to tags that you can use to
build policy using dynamic address groups.
● IPS Signature Converter—The IPS Signature Converter plugin for Panorama provides an
automated solution for converting rules from third-party intrusion prevention
systems—Snort and Suricata—into custom Palo Alto Networks threat signatures. You can
then register these signatures on firewalls that belong to device groups you specify and
use them to enforce policy in Vulnerability Protection and Anti-Spyware Security profiles.
Refer to the Palo Alto Networks Compatibility Matrix for details on the different plugin versions and
compatibility information.
1.3.1 References
● VM-Series Plugin
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-plugin
● VM-Series and Panorama Plugins Release Notes
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes
Network segmentation is an architectural approach that divides a network into multiple segments
or subnets, each acting as its own small network. This allows network administrators to control the
flow of traffic between subnets based on granular policies. Organizations use segmentation to
improve monitoring, boost performance, localize technical issues and—most importantly—enhance
security.
Securing applications and services depends upon the NGFW’s ability to have visibility and control of
the traffic to and from the application and traffic between an application’s components. To provide
the required visibility and control, you should segment data and applications in the private data
center and public-cloud provider behind a next-generation firewall.
One of the most common ways to segment data is based on sensitivity levels. With greater data
sensitivity, additional policies and protection are necessary, including a stricter definition of what is
permitted to access the application. The data-sensitivity level information of an application allows
you to group applications and services with common security and traffic-flow requirements. For
instance, you should not group an application or service that is at the highest level of sensitivity
with any other application. You should even separate high-sensitivity services from other
components of their application if those other components have a reduced security requirement.
The sensitivity levels are as follows:
● Low—Applications and information whose loss of availability would have a limited impact
on the organization or its customers
● Moderate—Infrastructure, applications, and systems whose loss of integrity and
availability would impact the organization or its customers
● High—Any information falling under statutory requirements for notification in the case of
a breach
How you create the network segments for an application depends upon the infrastructure on
which it is built. The Palo Alto Networks portfolio allows segmentation in a variety of locations
within your environment:
● Data center—The PA-Series and VM-Series are ML-powered NGFWs. The PA-Series are
physical appliances that you typically deploy at the data-center perimeter. The VM-Series
are virtualized-form-factor, ML-powered next-generation firewalls that you typically
deploy within the data center, providing a more granular layer of segmentation.
● Containers—Palo Alto Networks provides two methods for segmenting workloads within
Kubernetes clusters: the CN-Series NGFW and Prisma Cloud Identity-Based
Microsegmentation. The CN-Series are containerized-form-factor NGFWs. They provide
advanced Layer 7 network security and threat protection. In Kubernetes clusters, Prisma
Cloud Identity-Based Microsegmentation gives you the ability to provide segmentation
based on the individual workload identity instead of IP addresses.
To define the source and destination networks for securing traffic flows, the NGFW uses zones and
dynamic address groups. Zones are used in static environments, and dynamic address groups allow
the Security policy to stay in sync with dynamic virtual environments in both the data center and
the public cloud.
App-ID identifies the applications in the traffic between network segments and enables the NGFW
to limit the communication between network segments to specific applications. Because the Zero
Trust Security policy in the data center denies all traffic between segments, use App-ID to explicitly
define the intersegment traffic required for the applications to function and administrators to
manage the applications.
Logical segmentation creates subnets using one of two primary methods: virtual local area
networks (VLANs) or network addressing schemes. VLAN-based approaches are straightforward to
implement because the VLAN tags automatically route traffic to the appropriate subnet. Network
addressing schemes are equally effective but require more detailed understanding of networking
theory.
Logical segmentation is more flexible than physical segmentation because it does not require
wiring or physical movement of components. Automated provisioning can greatly simplify the
configuration of subnets.
Microsegmentation
Microsegmentation is a security method of managing network access between workloads. It
enables administrators to manage Security policies that limit traffic based on the principle of least
privilege based on an endpoint’s identity and Zero Trust without the need to re-architect.
Microsegmentation helps provide consistent security across private and public clouds by virtue of
three key principles:
● Visibility—A microsegmentation solution should deliver visibility into all network traffic
inside and across data centers and clouds. Although there are several ways to monitor
traffic, the most effective measure is to see traffic coupled with workload context (e.g.,
cloud, application, orchestrators) as opposed to logs containing only IP addresses and
ports.
● Granular security—Granular security means that network administrators can strengthen
and pinpoint security by creating specific policies for critical applications. The goal is to
prevent lateral movement of threats with policies that precisely control traffic in and out
of specific workloads, such as weekly payroll runs or updates to human-resources
databases.
● Dynamic adaptation—Microsegmentation offers protection for dynamic environments.
For instance, cloud native architectures like containers and Kubernetes can spin up and
down in a matter of seconds. The IP addresses assigned to cloud workloads are
ephemeral, rendering IP-based rule management impossible. With microsegmentation,
Security policies are expressed in terms of identities or attributes (env=prod, app=hrm,
etc.) rather than network constructs (e.g., 10.100.0.10 tcp/80). Changes to the application
or infrastructure trigger automatic revisions to Security policies in real time, requiring no
human intervention.
Prisma Cloud Identity-Based Microsegmentation and the CN-Series NGFWs support capabilities for
enabling microsegmentation at the container level. The combination of both network
segmentation and microsegmentation provides coarse-grained isolation of similar applications
across your entire environment and fine-grained, identity-based microsegmentation that prevents
lateral attacks for hosts and containers.
1.4.1 References
● Zero Trust Enterprise
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/zero-trust-overview
● Network Segmentation Using Zones
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/network-segmentation-using-zones
● What Is Network Segmentation?
https://www.paloaltonetworks.com/cyberpedia/what-is-network-segmentation
● What is microsegmentation?
https://www.paloaltonetworks.com/cyberpedia/what-is-microsegmentation
All Palo Alto Networks firewalls can generate logs that provide an audit trail of firewall activities. For
centralized logging and reporting, you must forward the logs generated on the firewalls to your
on-premises infrastructure, which includes the Panorama management server and Log Collectors,
or send the logs to the cloud-based Cortex Data Lake. Optionally, you can configure Panorama to
forward the logs to external logging solutions, such as syslog servers.
Panorama aggregates logs from all managed firewalls and provides visibility across all the traffic on
the network. It also provides an audit trail for all policy modifications and configuration changes
made to the managed firewalls. In addition to aggregating logs, Panorama can forward them as
SNMP traps, email notifications, syslog messages, and HTTP payloads to an external server.
Panorama uses two sources for generating reports: the local Panorama database and the remote
firewalls that it manages. The Panorama database refers to the local storage on Panorama that is
allocated for storing both summarized logs and some detailed logs. If you have a distributed Log
Collection deployment, the Panorama database includes the local storage on Panorama and all the
managed Log Collectors. Panorama summarizes the information—traffic, application,
threat—collected from all managed firewalls at 15-minute intervals. However, if you prefer not to
forward logs to Panorama, Panorama can directly access the remote firewall and run reports on
data that is stored locally on the managed firewalls.
Key Idea
● You should forward logs to Panorama or to external storage for many reasons,
including compliance, redundancy, running analytics, centralized monitoring,
and reviewing threat behaviors and long-term patterns, and due to limited
storage on the firewalls.
For centralized logging and reporting, you also have the option of using the cloud-based Cortex
Data Lake. This option allows your managed firewalls to forward logs to the Cortex Data Lake
infrastructure instead of Panorama or managed Log Collectors.
The Application Command Center (ACC) on Panorama provides a single pane for unified reporting
across all the firewalls. It enables you to centrally monitor network activity to analyze, investigate,
and report on traffic and potential security incidents.
1.5.1 References
1.6 Explain how to realize return on investment (ROI) by leveraging Palo Alto Networks software next-generation firewall (NGFW)
Recent data breaches and cybersecurity events impacting the global community have placed a
spotlight on corporate and government IT security teams and have renewed scrutiny on the
policies and practices that keep sensitive data out of the hands of cybercriminals and other bad
actors. Reducing costs, achieving a rapid return on investment (ROI), and increasing security and IT
operations efficiency for better business outcomes are all typical mandates for cybersecurity
investments, but if the investment does not ultimately improve organizational security, are those
other goals relevant?
Deploying Palo Alto Networks for network security brings significant financial and organizational
benefits for the organization. These benefits are spread across nine different categories, including
efficiency gains for IT, security, and end users; cost savings from sunsetting legacy technology; and
the reduced risk of a data breach.
To find out how much ROI you can get by utilizing the Palo Alto Networks firewalls, use this
interactive ROI calculator, based upon the Forrester Consulting study The Total Economic Impact™
of VM-Series Virtual Firewalls, which was commissioned by Palo Alto Networks. By answering a few
simple questions, you will immediately see your virtualized security savings potential. Plus, you can
also download a complimentary, in-depth estimate tailored to your organization’s needs, showing
how ML-Powered VM-Series virtual NGFWs can pay for themselves while protecting your data and
workloads in public clouds, private clouds, hybrid clouds, and branch environments.
1.7 Identify the benefits of Palo Alto Networks solutions to address customer concerns or indifference
The successful exam candidate should be able to match customer requirements and strategies to
the appropriate firewall form factor. Hardware appliances are required for certain performance
characteristics such as throughput and connections per second. However, VM-Series firewalls are
Public cloud virtual firewalls help meet customer security responsibilities in public cloud
environments by securing operating systems, platforms, access control, data, intellectual property,
source code, and content. VM-Series virtual firewalls support regulatory compliance by protecting
data across public clouds and other environments, regardless of where it resides.
Private cloud and hybrid cloud virtual firewalls secure virtualized compute resources and
hypervisors. Virtual firewalls provide lateral movement protection by inspecting traffic flows inside
private clouds, which can help simplify microsegmentation and reduce the attack surface.
Deploying VM-Series virtual firewalls boosts SDN security in virtual environments that are built with
software-defined networking fabrics such as VMware NSX® and Nutanix Flow.
Branch virtual firewalls isolate and protect critical systems. Virtual firewalls deliver local branch
segmentation and threat prevention to ensure regulatory compliance and consistent branch
network security from the same console that is used to manage other environments. Branch
locations also benefit from the virtualized form factor of VM-Series firewalls, which are deployable
on a white box or existing servers to minimize space requirements.
DevOps virtual firewalls protect application development speed. Virtual firewalls provide
on-demand auto scaling to ensure security when you need it most. With automated network
security, you can integrate security provisioning directly into DevOps workflows and continuous
integration/continuous development pipelines without slowing the pace of business.
Key Idea
● All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a
public cloud environment. IPv6 addresses are not supported.
● If you have more than one VMSS in an Azure subscription, you must use a single Panorama
appliance to manage them.
● The VM-Series plugin does not manage capabilities that are common to both VM-Series
firewalls and hardware-based firewalls. For example, VM Monitoring is not part of the
VM-Series plugin because it is a core PAN-OS feature that helps you enforce policy
consistently on your virtual machine workloads from both VM-Series firewalls and
hardware-based firewalls.
● The VM-Series plugin does not manage Panorama plugins. For the difference between the
VM-Series plugin and Panorama plugins, see VM-Series Plugin and Panorama Plugins.
1.7.1 References
2. While defining an address group, each registered IP address can have up to how many tags?
a. 32
b. 64
c. 16
d. 8
4. Which two statements are true for Panorama plugins? (Choose two)
a. Panorama plugins are available for both VM-Series and Hardware-based Firewall.
b. Panorama plugins are optional and can be removed.
c. Panorama plugins are built-in.
d. Panorama plugin versions are independent of Panorama version.
5. Which three statements are true with respect to VM-Series plugin upgrades? (Choose three.)
a. The plugin can be upgraded manually independently of PAN-OS.
b. The plugin can be upgraded locally in the virtual firewall.
c. A PAN-OS upgrade is mandatory to upgrade the VM-Series plugin.
d. Upgrades can be managed centrally through Panorama.
e. Every plugin version is compatible with all the PAN-OS versions.
8. Which two parameters are considered while estimating ROI using Palo Alto Networks
VM-Series Virtual Firewalls Estimator? (Choose two.)
a. Number of firewalls to be deployed
b. Number of NetOps and SecOps staff in the organization
c. Quantity of data to be inspected
d. Amount spent on physical firewalls over a life cycle of five years
● Complete Visibility: Public cloud security requires complete visibility of all application
traffic, including flows that might be encrypted; this is necessary to determine what an
application really is, regardless of the port, protocol, or encryption type.
● Threat Prevention: Implementing threat prevention capabilities is necessary to identify and
stop known and unknown attacks.
● Exfiltration Prevention: Preventing sensitive data from leaving the environment is crucial
for maintaining public cloud security.
● Compliance: Achieving and maintaining compliance helps to mitigate risk throughout
decentralized environments through comprehensive reporting.
● Multicloud Support and Management: Manage public cloud network security consistently
across AWS, Azure, GCP, and others from the same console used to manage on-premises,
private cloud, and branch security postures.
2.1 Compare and contrast the capabilities of cloud-delivered VM-Series, CN-Series, and NGFW
VM-Series
VM-Series is the virtualized form factor of the Palo Alto Networks Next-Generation Firewall. It is
positioned for use in a cloud environment where it can protect and secure east-west and
north-south traffic. To meet the growing need for inline security across diverse cloud and
virtualization use cases, you can deploy the VM-Series firewall on a wide range of private and public
cloud computing environments such as VMware, Cisco ACI and Enterprise Network Compute
System (ENCS), KVM, OpenStack, AWS, Microsoft public and private cloud, Oracle Cloud
Infrastructure (OCI), Alibaba Cloud, and GCP.
The VM-Series supports all the next-generation firewall and advanced threat prevention features
available in our physical form factor appliances, allowing you to safely enable applications flowing
into and across your private, public, and hybrid cloud computing environments.
Automation features such as VM Monitoring, dynamic address groups, and a REST-based API allow
you to proactively monitor virtual machine (VM) changes and dynamically feed that context into
Security policies, thereby eliminating the policy lag that may occur when your VMs change.
Key Idea
● For the best instance types for optimal VM-Series capacity and performance, see
the VM-Series Capacity & Performance document.
● Meet public cloud user security obligations—CSPs are typically responsible for
lift-and-shift applications, software-as-a-service (SaaS) applications, and cloud
infrastructure (database, storage and networking). However, organizations using
these services are usually responsible for the security of the operating systems,
platforms, access control, data, intellectual property, source code, and
customer-facing content that typically sit on top of the infrastructure.
● Boost the built-in security features unique to each public cloud platform—Some
virtual firewalls provide inline threat prevention to secure the flow of traffic moving
laterally within a cloud environment, augmenting the basic, built-in security unique
to each CSP.
● Isolate critical systems, such as point of sale—Virtual firewalls can be used for
segmentation and threat prevention as well as to ensure compliance in branch
locations with systems that require isolation, such as point-of-sale (POS) systems.
Container Security Risks and the need for the CN-Series NGFW
Container adoption is on the rise. According to a Gartner report, by the end of 2023, more than 75%
of global organizations will be running containerized applications in production. However, this
move brings new security and data risks for an organization.
● Containers are subject to the same network-based attacks that plague legacy
workloads: Containers are not aliens. They are just another way to deploy applications.
Regardless of whether applications are running on bare-metal servers, virtual machines or
● Fragmented point security products lead to inconsistent security posture and east-west
network attacks: Until now, network security teams were not equipped with the right tools
to secure containers without slowing DevOps speed and agility. Hence, they started relying
on DevOps to secure containers. This leads to the network security team securing only some
parts of the infrastructure with DevOps then securing the container infrastructure, often
with suboptimal security products. Inconsistent security leads to holes in the network and
an increased risk of attacks as container apps have dependencies on legacy apps. Attackers
exploit these dependencies along with allowed network communications to laterally
propagate threats (east-west) in the environment.
CN-Series is the container-native version of the ML-Powered NGFW, designed specifically for
Kubernetes environments. The Palo Alto Networks CN-Series containerized firewall is the
best-in-class next-generation firewall purpose-built to secure Kubernetes environments from
network-based attacks. The CN-Series firewall enables network security teams to gain Layer 7
visibility into Kubernetes environments, provide inline threat protection for containerized
applications deployed anywhere, and dynamically scale security without compromising DevOps
agility. Deploy the CN-Series to:
Using Panorama as the centralized management platform, your network security teams can
consistently manage firewall policies for physical, virtual, container, and public cloud workloads
from a single interface.
CN-Series provides Layer 7 traffic visibility, including the container source IP of outbound traffic, to
detect and prevent threats traveling between namespace boundaries. CN-Series firewalls enforce
enterprise-level network security and threat protection in container traffic, which helps you elevate
the overall security posture by sharing Kubernetes contextual information with other Palo Alto
Networks firewalls.
The Palo Alto Networks CN-Series container firewall is the first next-generation firewall
purpose-built to secure Kubernetes orchestration environments from network-based attacks. The
CN-Series firewall enables network security teams to:
Here are some key Kubernetes terms for better understanding of concepts:
The second prominent use case is securing outbound traffic from container environments to
the internet or developer resources hosted in sites like GitHub. Palo Alto Networks URL
Although some customers may prefer to use their perimeter firewalls in their on-prem data
centers, customers running Kubernetes environments in the public cloud will require
CN-Series.
Last but not least is the traditional inbound perimeter use case. Network security teams can
prevent threats riding on inbound traffic to the container environment with Palo Alto
Networks Threat Prevention and WildFire malware analysis services. Again, depending on
the customer’s environment and overall architecture, they may elect to do this with their
perimeter firewalls on-prem. Still, a CN-Series or VM-Series would be required to do this in
public cloud environments.
All these use cases can be addressed regardless of whether the apps are hosted in an
on-prem data center or a public cloud.
Cloud NGFW
Cloud NGFW for AWS delivers Palo Alto Networks ML-Powered NGFW capabilities as a fully
managed, cloud-native service operated by Palo Alto Networks on the Amazon Web Services (AWS)
platform. This deployment model combines the power of the Palo Alto Networks NGFW with the
ease of use of AWS.
The Cloud NGFW service provides advanced application visibility and access control using Palo Alto
Networks App-ID and URL filtering technologies. It provides threat prevention and detection
through cloud-delivered security services and threat prevention signatures.
On Cloud NGFW, you define Security policy rules and group them in a rulestack. The NGFW applies
your Security policy to the traffic received by the NGFW endpoints and enforces that policy. When
creating your NGFW, you must specify a VPC and local rulestack. Additionally, you must also specify
how and where the associated NGFW endpoints are deployed.
After creating an NGFW and NGFW endpoints, you must update your AWS route tables to ensure
that traffic is sent to the NGFW. Which route tables you update and how you update them depends
on your specific deployment. See Direct Traffic to Cloud NGFW for AWS for deployment examples
with example route tables for more details.
2.1.1 References
● CN-Series Key Concepts
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-key-concepts#id06ceee36-7674-4392-9b25-8a322528b771
● Getting Started with Cloud NGFW for AWS
https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws
● Cloud NGFW and Cloud NGFW Endpoints
https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/create-cloud-ngfw-instances-and-endpoints
● CN-Series
https://docs.paloaltonetworks.com/cn-series
● CN-Series Deployment Guide
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment
● VM-Series
https://docs.paloaltonetworks.com/vm-series
● Why Native Security Controls in Public Clouds Are Not Enough
https://www.paloaltonetworks.com/resources/ebooks/native-security-not-enough
Software NGFW credits can be used to fund Software NGFWs (VM-Series and CN-Series),
cloud-delivered security services (CDSS), or virtual Panorama appliances in networks with or
without internet access.
Create a deployment profile to configure one or more firewalls based on PAN-OS version, the
number of vCPUs per firewall, the total number of firewalls supported by the deployment profile,
Panorama management or log collection, and security services. All the VMs that a deployment
profile creates share the same authcode.
Activate Credits
Within your organization, you can create many accounts, each with a different purpose. During
activation, you can choose only one account per default credit pool. Once the credit pool is active,
users granted the credit administrator role can allocate the credits for deployments, and even
transfer credits to other pools. If you have an existing cloud service provider (CSP) account and are a
superuser or an admin, the system automatically adds the credit admin role to your profile. If you
do not have an existing account, the CSP creates an account for you and adds the credit admin role
to your profile.
You (the purchaser) receive an email detailing the subscription, the credit pool ID, the subscription
start and end date, the number of credits purchased, and the description of the default credit pool
(the credit pool created when you activate your credits).
Key Idea
● While activating credits, always retain the confirmation email with subscription
details for future reference.
Step 1: In the email, click Start Activation to view your available credit pools.
Step 2: Select the credit pool you want to activate. You can use the search field to filter your account
list by number or name.
If you have purchased multiple credit pools, both are automatically selected. The check
marks represent activation links for onboarding credits.
Key Idea
● If you deselect a credit pool, you see a reminder that if you want to activate those
credits, you must return to the email and click the Start Activation link.
Step 4: Select the support account (you can search by account number or name).
Step 7: (optional) If this is your first credit activation, you see the Create Deployment Profile dialog.
If you have just activated a credit pool, you see the Create Deployment Profile form.
2. In the Total vCPUs field, enter the total number of vCPUs across all CN-NGFW.
3. Select a Security Use Case from the drop-down. Each Security Use Case in the
drop-down automatically selects a number of descriptions that are recommended
Step 3: (optional) Hover over the question mark following Protect more, save more to see how your
credit allocation affects savings.
Step 4: Click Calculate Estimated Cost to view the credit total and the number of credits available
before the deployment. (optional) Hover over the question mark following the estimate to view the
credit breakdown for each component.
Step 5: (optional) If you used credits to Enable a Panorama VM, complete the following steps to
provision Panorama and generate a serial number.
1. Select Assets > Software NGFW Credits > Prisma NGFW Credits and locate your
deployment profile.
2. On the far right, select the vertical ellipsis and select Provision Panorama.
Once you have applied the serial number to Panorama, Panorama will contact the licensing update
server and retrieve the license.
3. Click Next.
2. In the Number of Firewalls field, enter the number of firewalls this profile deploys,
assuming you have sufficient credits. You do not have to deploy them all at once.
4. Customize Subscriptions.
After selecting a use case, you can add or remove security services.
You might have to wait several seconds for the profile to appear in the Current Deployment
Profiles tab list. Before the allocation is complete, the Credits Consumed/Allocated column
shows 0 and Update Pending. Scroll to the bottom and go to the last page to find your
profile.
To view your deployment profile later, click the Details button on the parent credit pool and
select Current Deployment Profiles.
● Note the Auth Code for your profile on the far right; Software NGFW credit auth
codes start with D.
● The Credits Consumed/Allocated column shows 0 and Update Pending before the
allocation is complete.
● The Audit Trail tab shows Credit Transactions and the Deployment Profiles you
manage. You can also search for a profile by time in this tab.
Use search to locate your profile and expand the row to view the configuration you specified
when you created the profile.
2.2.1 References
● Activate Credits
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/license-the-cn-series-firewall/activate-credits
● Activate Credits Video Pt. 1
https://www.youtube.com/watch?v=0cAcLt8Lm84
● Activate Credits Video Pt. 2
https://www.youtube.com/watch?v=guojHvWIuwM
● Create a CN-Series Deployment Profile
● Partner Qualified—Palo Alto Networks Customer Support assists you with any issue directly
related to the VM-Series firewall. VM-Series issues are defined as issues that occur after a
packet enters the firewall. This does not include issues related to a partner platform.
VM-Series issues include:
○ PAN-OS configuration
○ VM-Series upgrades
○ VM-Series licensing
○ VM-Series documentation
● Palo Alto Networks Certified—Palo Alto Networks Customer Support assists with all
VM-Series firewall issues as well as issues related to the partner platform. Platform issues are
defined as issues that involve a packet outside of the VM-Series firewall, such as arriving at or
leaving the firewall or hypervisor or an issue with the hardware configuration.
The partner software version and the PAN-OS version columns display the range of versions and the
minimum version in parentheses. For example, where the PAN-OS Version column displays PAN-OS
9.1.x (9.1.0), it indicates that the integration supports PAN-OS 9.1 releases beginning with PAN-OS
9.1.0.
● Ciena 3906mvi and 3926mvi: KVM; partner software versions 18.x.x (18.06.00) and 18.06.x (18.06.00); PAN-OS 9.1.x (9.1.0); Layer 3 mode on the VM-50, VM-100, and VM-300; VirtIO and DPDK mode; see the Ciena documentation.
Cisco Cloud Services Platform—The following table shows the Cisco Cloud Services Platform (CSP)
products with which VM-Series firewalls interoperate.
● CSP5400 Series and CSP2100 Series: KVM; partner software versions 2.x.x (2.4.0) and 2.4.x (2.4.0); PAN-OS 9.1.x (9.1.0); Layer 2, Layer 3, and virtual wire deployments on all VM-Series models except VM-50; VM-Series firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode; see Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2).
● CSP5400 Series: KVM; partner software versions 4.6.x (4.6) and 4.6.x (4.6.1-FC1); PAN-OS 10.1.x (10.1.0); Layer 2, Layer 3, and virtual wire deployments on all VM-Series models except VM-50; VM-Series firewalls in an HA configuration; see Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2).
Juniper NFX Network Services Platform—The following table shows the Juniper NFX Network
Services Platform products with which VM-Series firewalls interoperate.
● NFX 250: KVM; partner software version 15.1X53-D470.x; PAN-OS 9.1.x (9.1.0); Layer 2, Layer 3, and virtual wire; see the Juniper NFX documentation.
NSX SD-WAN by VeloCloud—The following table shows the NSX SD-WAN by VeloCloud products
with which VM-Series firewalls interoperate.
● Edge 520v and Edge 840: KVM; partner software versions 3.x.x (3.2.0) and 3.3.x (3.3.1); PAN-OS 9.1.x (9.1.0); virtual wire deployments; DPDK mode; see the NSX SD-WAN by VeloCloud documentation.
2.3.1 References
● Partner Interoperability for VM-Series Firewalls
https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/vm-series-partner-interoperability
2.4 Explain the benefits of cloud-delivered security services (CDSS) and Advanced URL Filtering (AURLF)
● Threat Prevention—Goes beyond the traditional intrusion prevention system (IPS) solutions
to automatically prevent all known threats across all traffic in a single pass.
● IoT Security—Protects Internet-of-Things (IoT) and Operational Technology (OT) devices
across your organization with the industry’s first turnkey IoT security solution.
Key Idea
● Legacy URL Filtering subscription holders can continue using their URL Filtering
deployment until the end of the license term.
● Compared against the PAN-DB URL database, which contains millions of websites that have
been categorized. You can use these URL categories in URL Filtering profiles or as match
criteria to enforce Security policy. You can also use URL filtering to enforce safe search
settings for your users and to prevent credential theft based on URL category.
● Analyzed in real time using the cloud-based Advanced URL Filtering detection modules to
provide protection against new and unknown threats that do not currently exist in the URL
filtering database.
● Inspected for phishing and malicious JavaScript using local inline categorization, a
firewall-based analysis solution, which can block unknown malicious web pages in real time.
If the network security requirements in your enterprise prohibit the firewalls from directly accessing
the internet, Palo Alto Networks provides an offline URL filtering solution with the PAN-DB Private
Cloud. This allows you to deploy a PAN-DB private cloud on one or more M-600 appliances that
function as PAN-DB servers within your network; however, it does not support any of the
cloud-based URL analysis features found in the AURLF solution.
Automation
Automation levels the playing field, reduces the volume of threats, and allows for faster prevention
of new and previously unknown threats. Many security vendors look at automation to become more
efficient and as a means to save in manpower or headcount. Automation should also be viewed as a
tool that can, and should, be used to better predict behaviors and execute protections faster. If
implemented appropriately and with the right tools, automation can aid in the prevention of
successful cyberattacks. The following are four ways in which automation should be used:
● Correlating Data
Many security vendors collect substantial amounts of threat data. However, data provides
little value unless it is organized into actionable next steps.
To do this effectively, organizations first need to collect threat data across all attack vectors
and from security technologies within their own infrastructure, as well as global threat
intelligence outside of their infrastructure.
Then, they need to identify groups of threats that behave similarly within the massive
amounts of data and use that to predict the attacker’s next step. When using this approach,
more data collected results in more accurate results and reduces the likelihood that the
groups identified are merely an anomaly. Consequently, the analysis must also have enough
computing power to scale to today’s threat volume—something that is impossible to do
manually. Machine learning and automation allow data sequencing to happen faster, more
effectively, and more accurately.
Finally, combining this approach with dynamic threat analysis is the only way to accurately
detect sophisticated and never-before-seen threats.
2.5.1 Terraform
Terraform is a powerful open-source tool that is used to build and deploy infrastructure safely and
efficiently. It is cloud platform agnostic (unlike AWS CloudFormation templates (CFTs) or Azure
Resource Manager (ARM) templates), provides for the definition of infrastructure as code, and
produces immutable infrastructure deployments. The Palo Alto Networks Terraform automation
project offers Terraform templates to assist in deploying agile infrastructures based on the Palo Alto
Networks next-generation firewalls in the cloud.
Terraform Quickstart
The Palo Alto Networks Repository of Terraform Templates to Secure Workloads on AWS and Azure,
https://github.com/PaloAltoNetworks/terraform-templates, contains templates to deploy three-tier
and two-tier applications along with the Palo Alto Networks firewall on cloud platforms such as
AWS and Azure. Terraform is licensed under Mozilla Public License v2.0.
Key Idea
2.5.2 Ansible
Ansible is a very powerful open-source automation language. It uses modules to communicate with
vendor-specific devices. What makes Ansible unique is that it is also a deployment and
orchestration tool. Ansible helps provide large productivity gains to a wide variety of automation
challenges. The Palo Alto Networks Ansible integration project utilizes Ansible to help organizations
automate configuration and management of the Palo Alto Networks Platform.
Ansible Quickstart
A collection of Ansible modules is available to automate configuration and operational tasks on
Palo Alto Networks next-generation firewalls, in both physical and virtualized form factors. Under
the hood, the modules wrap PAN-OS API calls within the Ansible framework.
You can use the Palo Alto Networks Ansible collection to automate configuration and operational
tasks on Palo Alto Networks next-generation firewalls using the PAN-OS API.
● https://github.com/PaloAltoNetworks/pan-os-ansible/
Then, in your playbooks, you can specify that you want to use the panos collection like so:
collections:
- paloaltonetworks.panos
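As an added example that is not part of this study guide or of the pan-os-ansible project, the playbook below uses the collection declared above to register a tagged IP address, build a dynamic address group from those tags (the VM Monitoring and dynamic address group workflow described under VM-Series in section 2.1), reference the group in a Security policy rule, and commit. The inventory group name, the Vault credential variables, the zone names and the IP address are assumptions for illustration.

```yaml
# Added example playbook (not from the study guide or the pan-os-ansible
# project). Assumes an inventory group "firewall" whose hosts are PAN-OS
# management addresses, and Ansible Vault variables vault_panos_username /
# vault_panos_password holding the API credentials (placeholders).
- name: Tag a workload and enforce policy through a dynamic address group
  hosts: firewall
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    provider:
      ip_address: "{{ inventory_hostname }}"
      username: "{{ vault_panos_username }}"
      password: "{{ vault_panos_password }}"
  tasks:
    # Registered IPs and their tags are the context that dynamic address
    # groups match on; registering takes effect without a commit.
    - name: Register the web server IP with tags (constructed sample values)
      panos_registered_ip:
        provider: "{{ provider }}"
        ips:
          - "10.10.20.15"
        tags:
          - "role-web"
          - "env-prod"
        state: present

    # The group membership is evaluated from tags, so a new VM that
    # receives the same tags is covered by the rule without a policy edit.
    - name: Dynamic address group that matches production web servers
      panos_address_group:
        provider: "{{ provider }}"
        name: "dag-prod-web"
        dynamic_value: "'role-web' and 'env-prod'"
        state: present

    # Least-privilege rule: only HTTPS, only to members of the group.
    # Zone names "untrust" and "trust" are assumed.
    - name: Allow inbound HTTPS only to members of the dynamic group
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: "allow-https-to-prod-web"
        source_zone: ["untrust"]
        destination_zone: ["trust"]
        source_ip: ["any"]
        destination_ip: ["dag-prod-web"]
        application: ["ssl", "web-browsing"]
        service: ["service-https"]
        action: "allow"
        state: present

    # Address group and rule changes live in the candidate configuration
    # until committed.
    - name: Commit the candidate configuration
      panos_commit_firewall:
        provider: "{{ provider }}"
```

Run it with the collection installed (for example, `ansible-galaxy collection install paloaltonetworks.panos`) and the Vault variables supplied; the registered IP can be verified on the firewall with `show object registered-ip all`.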
Palo Alto Networks regularly posts updates that include new and modified applications, threat
protection, and GlobalProtect data files through dynamic updates. The firewall can retrieve these
updates and use them to enforce policy, without requiring configuration changes. Applications and
Threats content updates deliver the very latest application and threat signatures to the firewall. The
applications portion of the package includes new and modified App-IDs and does not require a
license. The full Applications and Threats content package, which also includes new and modified
threat signatures, requires a Threat Prevention license. As the firewall automatically retrieves and
installs the latest application and threat signatures (based on your custom settings), it starts
enforcing Security policy based on the latest App-IDs and threat protection without any additional
configuration.
New and modified threat signatures and modified App-IDs are released at least weekly and often
more frequently. New App-IDs are released on the third Tuesday of every month.
Key Idea
● In rare cases, publication of the update that contains new App-IDs may be
delayed one or two days.
Because new App-IDs can change how the Security policy enforces traffic, this limited release of
new App-IDs is intended to provide you with a predictable window in which you can prepare and
update your Security policy. Additionally, content updates are cumulative; this means that the latest
content update always includes the application and threat signatures released in previous versions.
Because application and threat signatures are delivered in a single package—the same decoders
that enable application signatures to identify applications also enable threat signatures to inspect
traffic—you need to consider whether you want to deploy the signatures together or separately.
How you choose to deploy content updates depends on your organization’s network security and
application availability requirements. As a starting point, identify your organization as having one of
the following postures (or perhaps both, depending on firewall location):
● An organization with a security-first posture prioritizes protection using the latest threat
signatures over application availability. You are primarily using the firewall for its threat
2.5.4 References
● 4 Ways Cybersecurity Automation Should be Used
https://www.paloaltonetworks.com/cyberpedia/4-ways-cybersecurity-automation-should-be-used
● Infrastructure as Code
https://panos.pan.dev/docs/automation/
● Applications and Threats Content Updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/software-and-content-updates/app-and-threat-content-updates
● For the best instance types for optimal VM-Series capacity and performance, see the
VM-Series Performance and Capacity document.
● While activating credits, always retain for future reference the confirmation email with
subscription details.
● If you deselect a credit pool, you see a reminder that if you want to activate those credits,
you must return to the email and click the Start Activation link.
● Legacy URL Filtering subscription holders are able to continue using their URL Filtering
deployment until the end of the license term.
● Each of the subrepositories contains a README with instructions on usage and deployment.
● In rare cases, publication of the update that contains new App-IDs may be delayed one or
two days.
1. Which security service assists file safety by automatically detecting unknown malware?
a. URL Filtering
b. WildFire
c. App-ID
d. Threat Prevention
7. What is the order of Kubernetes constructs from smallest to largest in terms of size and
scope?
a. Node, namespace, pod, cluster
b. Namespace, node, cluster, pod
c. Pod, node, namespace, cluster
d. Pod, node, cluster, namespace
8. Which environment uses software and virtualization to provide network connectivity for
dispersed locations?
a. On-premise
b. SDN
c. SD-WAN
d. Nutanix
9. After deselecting a credit pool, you see a reminder to activate those credits. What will be
your next step?
a. Select the credit pool you want to activate.
b. Deposit credits.
c. Purchase a different credit pool.
d. Return to your email and click the Start Activation link.
The VM-Series firewall is distributed in the Open Virtualization Alliance (OVA) format, a standard
method of packaging and deploying virtual machines. You can install this solution on any x86
device that is capable of running VMware ESXi.
You can deploy any VM-Series model as a guest virtual machine on VMware ESXi. It is ideal for cloud
or networks where a virtual form factor is required.
The AWS Gateway Load Balancer (GWLB) is an AWS-managed service that allows you to deploy a
stack of VM-Series firewalls and operate them in a horizontally scalable and fault-tolerant manner.
You can then expose the AWS GWLB with the stack of firewalls as a VPC endpoint service for traffic
inspection and threat prevention. By creating GWLB endpoints (GWLBEs) for the VPC endpoint
service, you can easily insert an auto scaling VM-Series firewall stack in the outbound, east-west,
and inbound traffic paths of your applications.
You can deploy any VM-Series model, except the VM-50, on EC2 instances on the AWS Cloud.
On Azure, the VM-Series firewall is available in the bring-your-own-license (BYOL) model or in the
pay-as-you-go (PAYG) hourly model.
Microsoft Azure allows you to deploy the firewall to secure your workloads within the virtual
network in the cloud so that you can deploy a public cloud solution or extend the on-premises IT
infrastructure to create a hybrid solution. For more information on the GWLB-based architecture, refer
to section 1.1.
You can deploy any VM-Series model, except the VM-50 and the VM-50 Lite, on Google Compute
Engine instances.
Google Cloud Intrusion Detection System (Cloud IDS) is the first network threat detection system
delivered as a native Google Cloud service, built with the industry-leading security technologies of
Palo Alto Networks. Cloud IDS is the result of a year-long joint design and engineering effort
between Google Cloud and Palo Alto Networks that was focused on combining the best-in-class
security of Palo Alto Networks with the simplicity and scale of Google Cloud native services.
Cloud IDS can analyze the raw traffic data from Google Cloud workloads and provide contextually
rich application and threat information. More importantly, organizations can monitor even the
traffic traversing within the VPC boundary using Cloud IDS. This capability complements the
visibility and protection that VM-Series virtual firewalls provide with traffic crossing the VPC
boundary.
Based on this more in-depth inspection, customers can choose to enable alerts for a wide range of
security issues, for example:
● High-priority security alerts: Attacks for known exploits—for example, an attempt to exploit
CVE-2017-5638 for Apache Struts-based web servers running in GCP.
● Traffic to inappropriate, malicious destinations and command-and-control systems:
Detect whether the source/destination is inappropriate or malicious, whether there are
geoblocking restrictions to be met, or whether there is Bitcoin traffic or an SSH session to a
known command-and-control (C2) domain.
You can deploy any VM-Series model on a Linux server that is running the KVM hypervisor.
You can deploy any VM-Series model on a Windows Server 2012 R2 server with the Hyper-V role
add-on enabled or a standalone Hyper-V 2012 R2 server.
3.2.1 References
● VM-Series Deployments
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments#idbc049c9e-8fdf-40c3-b70a-00176813948e
● VM-Series for AWS
https://live.paloaltonetworks.com/t5/blogs/vm-series-and-aws-gateway-load-balancer-integration-overview/ba-p/367897
● VM-Series for Azure
https://www.paloaltonetworks.com/blog/network-security/vm-series-azure-gateway-load-balancer/
CN-Series firewalls can be used to secure traffic between containers within the same cluster, as well
as between containers and other workload types such as virtual machines and bare metal servers.
If you are on the OpenShift environment, see Deploy the CN-Series on OpenShift. For securing 5G
traffic, see Secure 5G With the CN-Series Firewall.
Key Idea
● You need standard Kubernetes tools such as kubectl or Helm to deploy and
manage your Kubernetes clusters, apps, and firewall services. Panorama is not
designed to be an orchestrator for Kubernetes cluster deployment and
management. Templates for cluster management are provided by Managed
Kubernetes providers. Palo Alto Networks provides community-supported
templates for deploying CN-Series with Helm and Terraform.
Refer to the links below to learn about CN-Series Firewalls and the options available for deploying
on different cloud platforms:
For more details about CN-Series deployment, refer to CN-Series deployment guide.
YAML is used by the Ansible automation tool for creating automation processes in the form of
Ansible Playbooks because of its adaptability and accessibility.
YAML 3.0.x
CN-Series YAML 3.0.x should be used with the CN-Series running PAN-OS 10.1 or PAN-OS 10.2.
3.2.3 Differentiation
● Terraform is a relatively new Kubernetes provider, while Helm is a mature tool with a tried
and tested Kubernetes capability.
3.2.4 References
● Deploy the CN-Series Firewall
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/deploy-the-cn-series-firewalls
● Deploy CN-Series Firewall With and Without the Helm Repository
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/deploy-the-cn-series-firewalls/deploy-cn-series-firewalls-with-a-template/deploy-cn-series-firewalls-with-helm-charts-and-templates/deploy-cn-series-firewalls-with-and-without-the-helm-repository
The CN-Series firewall is the containerized next-generation firewall that provides visibility and
security for your containerized application workloads on Kubernetes clusters. The CN-Series firewall
uses native Kubernetes constructs and Palo Alto Networks components to make this possible.
● Match software firewalls and security services with the speed and flexibility needed for
rapidly changing requirements.
● Maximize your ROI on security investments with the industry’s most flexible way to adopt
software NGFWs and security services.
● Discover unmatched flexibility with easy scaling and sizing of VM-Series virtual and
CN-Series container NGFWs, cloud-delivered security services, and VM Panorama for
management and log collection.
Three simple steps let you choose and deploy the right firewalls and security services you need at
any given time:
As needs change, you can reallocate Software NGFW credits to new and other
firewall-as-a-platform solutions without having to go through additional procurement cycles.
CN-Series Capabilities
Whatever the security needs of your container environment, the CN-Series is built to deliver the
following:
● Threat prevention and sandboxing: Threat Prevention and WildFire services can be
enabled on CN-Series firewalls to block exploits, prevent malware, and stop both
known and unknown advanced threats.
● Exfiltration prevention and URL filtering: The CN-Series enables content inspection
and SSL decryption, preventing sensitive information from leaving your network.
Advanced URL Filtering uses machine learning to categorize URLs and block access
to malicious sites that deliver malware or steal credentials. Automation ensures that
protections are always up to date.
● Flexible tag-based policy model: You can define CN-Series firewall policies by
application, user, content, native Kubernetes labels, and other metadata to deliver
flexible policies aligned with business needs.
● Simple insertion: The CN-Series supports multiple CNI plugins for use in different
types of Kubernetes deployments.
● Public cloud: You can deploy CN-Series firewalls in hosted container environments
such as GKE, AKS, Amazon EKS, and Red Hat OpenShift. For detailed platform
support information, refer to the table below.
● On-premises: You can also deploy CN-Series firewalls into Kubernetes environments
hosted on-premises.
Refer to the link below for details on the deployment of the CN-Series in supported
environments.
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments
[Platform support table (columns: Product, Version(s), Customer-Managed Kubernetes†); table body not recoverable from this extraction]
Virtualization Features
Traditionally, customers have two deployment options based on their operational and
budgetary considerations.
Benefits:
● Both containerized and non-containerized workloads are protected.
● Network deployment options are expanded for public and private clouds.
You can now deploy the CN-Series as a Kubernetes CNF in HA. This mode of deployment
supports only active/passive HA with session and configuration synchronization.
When you deploy the CN-Series as a Kubernetes CNF in HA, there are two copies of each of the
PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files: one set for the active
node and one set for the passive node.
For more information, see High Availability Support for deploying the CN-Series Firewall as a
Kubernetes CNF.
To ensure that all traffic to your internet-facing applications passes through the firewall, you
can configure AWS ingress routing. This capability allows you to associate route tables with
the AWS internet gateway and add route rules to redirect the application traffic through the
CN-Series firewall.
This redirection ensures that all internet traffic passes through the firewall without having to
reconfigure the application endpoints.
When the active peer goes down, the passive peer detects this failure and becomes active.
Additionally, it:
○ Triggers API calls to the AWS infrastructure to move the configured secondary IP
addresses from the data-plane interfaces of the failed peer to itself
○ Updates the route tables to ensure that traffic is directed to the active firewall
instance
These two operations ensure that inbound and outbound traffic sessions are restored after
failover. The HA configuration allows you to take advantage of Data Plane Development Kit
(DPDK) to improve the performance of your CN-Series firewall instances.
The devices in an HA pair can be assigned a device priority value to indicate a preference for
which device should assume the active role and manage traffic upon failover. If you need to
use a specific device in the HA pair for actively securing traffic, you must enable the
preemptive behavior on both the firewalls and assign a device priority value for each device.
The device with the lower numerical value, and therefore higher priority, is designated as
active and manages all traffic on the network. The other device is in a passive state and
synchronizes configuration and state information with the active device so that it is ready to
transition to an active state should a failure occur.
For more information, see High Availability support for CN-Series Firewall on AWS EKS.
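The failover sequence and device-priority election described above, simulated as an added example (not Palo Alto Networks code). The AWS side (secondary IPs on the data-plane ENIs and the VPC route table) is an in-memory stand-in for the API calls the surviving peer makes; peer names, ENI ids and IPs are constructed.

```python
"""Active/passive HA failover for a CN-Series CNF pair on AWS EKS, simulated.

Added example, not Palo Alto Networks code. The AWS control plane is modelled
in memory; ENI ids, IPs and names are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Peer:
    name: str
    eni: str            # data-plane ENI id in the cloud model (constructed)
    priority: int       # lower numeric value = higher priority
    preemptive: bool    # must be enabled on both peers for preemption to apply
    healthy: bool = True
    active: bool = False


@dataclass
class CloudModel:
    """Stand-in for the AWS control plane; records the calls the firewall would make."""
    secondary_ips: Dict[str, List[str]] = field(default_factory=dict)  # ENI -> IPs
    route_table: Dict[str, str] = field(default_factory=dict)          # CIDR -> target ENI
    api_calls: List[str] = field(default_factory=list)

    def move_secondary_ips(self, src_eni: str, dst_eni: str) -> None:
        ips = self.secondary_ips.pop(src_eni, [])
        self.secondary_ips.setdefault(dst_eni, []).extend(ips)
        self.api_calls.append(f"reassign {ips} from {src_eni} to {dst_eni}")

    def repoint_routes(self, src_eni: str, dst_eni: str) -> None:
        for cidr, target in self.route_table.items():
            if target == src_eni:
                self.route_table[cidr] = dst_eni
        self.api_calls.append(f"replace routes via {src_eni} with {dst_eni}")


class HAPair:
    def __init__(self, a: Peer, b: Peer, cloud: CloudModel):
        self.peers = (a, b)
        self.cloud = cloud
        # Initial election: the lower priority value becomes active.
        min(self.peers, key=lambda p: p.priority).active = True

    def active(self) -> Optional[Peer]:
        return next((p for p in self.peers if p.active), None)

    def _peer(self, name: str) -> Peer:
        return next(p for p in self.peers if p.name == name)

    def _other(self, p: Peer) -> Peer:
        return self.peers[1] if p is self.peers[0] else self.peers[0]

    def _failover(self, old: Peer, new: Peer) -> None:
        # The two operations that restore inbound and outbound sessions:
        # move the secondary IPs, then point the route table at the new active peer.
        old.active = False
        self.cloud.move_secondary_ips(old.eni, new.eni)
        self.cloud.repoint_routes(old.eni, new.eni)
        new.active = True

    def fail(self, name: str) -> None:
        """The named peer goes down; its partner detects this and takes over."""
        p = self._peer(name)
        p.healthy = False
        if p.active:
            other = self._other(p)
            if other.healthy:
                self._failover(p, other)
            else:
                p.active = False    # no healthy partner: nothing can take over

    def recover(self, name: str) -> None:
        """The named peer returns; it reclaims the active role only by preemption."""
        p = self._peer(name)
        p.healthy = True
        cur = self.active()
        if cur is None:
            p.active = True         # partner is also down; cloud state stays as it was
        elif p.preemptive and cur.preemptive and p.priority < cur.priority:
            self._failover(cur, p)  # preferred device takes the traffic back
```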
Additionally, with the Kubernetes plugin supporting DAG-to-IPv6 address mapping, you can
use DAGs for Security policy.
Key Idea
● IPv6 addresses are supported only in the k8s-Daemonset mode, not in the
k8s-CNF or k8s-service mode.
○ Tag Pruning
In Kubernetes CNF mode, only one CN-NGFW pod is supported with a CN-MGMT pod.
CN-Series supports static and connected routes and the BGP protocol. OSPF is supported in
Native/OnPrem environments but not on public clouds, due to a limitation in the cloud
infrastructure. Bidirectional Forwarding Detection (BFD) and tunnel interfaces are not supported.
Key Idea
● For VM-Series, if you have NUMA performance optimization enabled with custom
data-plane core settings, the NUMA setting takes precedence.
For more information, see Enable NUMA Performance Optimization on
VM-Series.
3.3.1 References
● CN-Series Supported Scale Factors
https://docs.paloaltonetworks.com/content/techdocs/en_US/cn-series/10-0/cn-series-deployment/cn-series-supported-scale-factors.html#ida75c6278-e6db-488c-acf2-855d5cee3b18
● CN-Series Capabilities
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/cn-series-container-firewall
● Virtualization features
3.4 Explain various segmentation models, including east-west and north-south segmentation
design per CNet, VNet, and pod
Workload
A workload can be broadly defined as the resources and processes needed to run an application.
Hosts, virtual machines, and containers are a few examples of workloads.
Companies can run workloads across data centers and hybrid cloud and multicloud environments.
Most organizations' applications are becoming increasingly distributed across different cloud native
compute architectures, based on business needs.
For most organizations, east-west communications make up the majority of data-center and cloud
traffic patterns. Because perimeter-focused defenses do not have visibility into east-west traffic,
malicious actors use this as an opportunity to move laterally across workloads.
The network creates reliable pathways between workloads. Microsegmentation creates isolation
and determines whether two endpoints should access each other. Enforcing segmentation with
least-privileged access reduces the scope of lateral movement and contains data breaches.
● Performance: Subdividing the network into smaller subnets and VLANs reduces the scope
of broadcast packets and improves network performance.
● Security: Network security teams can apply access control lists (ACLs) to VLANs and subnets
to isolate machines on different network segments. In the event of a data breach, ACLs can
prevent the threat from spreading to other network segments.
Leveraging network segmentation for security purposes comes with challenges. Often
segmentation needs don’t match the network architecture. Re-architecting the networks or
reconfiguring VLANs and subnets to meet segmentation requirements is difficult and consumes a
lot of time.
● Agent-based solutions use a software agent on the workload and enforce granular isolation
to individual hosts and containers. Agent-based solutions may leverage the built-in
host-based firewall or derive isolation abilities based on workload identity or attributes.
● Network-based segmentation controls rely on the network infrastructure. This style
leverages physical and virtual devices, such as load-balancers, switches, software-defined
networks (SDNs), and overlay networks to enforce policy.
● Native cloud controls leverage capabilities embedded in the cloud service provider (e.g.,
Amazon security group, Azure firewall, or Google Cloud firewall).
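A least-privileged, tag-based east-west policy of the kind described above (and the label-driven CN-Series policy model earlier on the page), as an added example that is not Palo Alto Networks code or the PAN-OS policy engine. Workload names, IPs, labels, DAG names and rules are constructed; DAG match criteria are modelled as AND groups combined with OR, and any flow no rule matches is denied.

```python
"""Tag-based microsegmentation evaluated through dynamic address groups (DAGs).

Added example, not Palo Alto Networks code. Inventory and policy below are
constructed; membership is recomputed from labels, so a new workload with the
right labels is covered without a rule change.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

TagGroup = Set[str]          # every tag in the group must be present (AND)
DagMatch = List[TagGroup]    # any group may match (OR)


@dataclass(frozen=True)
class Workload:
    name: str
    ip: str
    tags: frozenset          # Kubernetes labels flattened to "key=value"


@dataclass(frozen=True)
class Rule:
    name: str
    src_dag: str
    dst_dag: str
    apps: frozenset          # App-IDs; "any" matches everything
    action: str              # "allow" or "deny"


def dag_members(match: DagMatch, workloads: List[Workload]) -> Set[str]:
    """IPs of the workloads whose labels satisfy the DAG match criteria."""
    return {w.ip for w in workloads if any(group <= w.tags for group in match)}


def evaluate(rules: List[Rule], dags: Dict[str, DagMatch], workloads: List[Workload],
             src_ip: str, dst_ip: str, app: str) -> Tuple[str, str]:
    """First-match lookup; returns (action, rule name). No match means default deny."""
    members = {name: dag_members(match, workloads) for name, match in dags.items()}
    for r in rules:
        if (src_ip in members.get(r.src_dag, set())
                and dst_ip in members.get(r.dst_dag, set())
                and ("any" in r.apps or app in r.apps)):
            return r.action, r.name
    return "deny", "interzone-default"


def lateral_exposure(rules: List[Rule], dags: Dict[str, DagMatch],
                     workloads: List[Workload], app: str) -> Set[Tuple[str, str]]:
    """Every ordered pair of distinct workloads allowed to talk on `app`: the
    east-west reachability that perimeter-only defenses never see."""
    return {(s.name, d.name)
            for s in workloads for d in workloads
            if s is not d and evaluate(rules, dags, workloads, s.ip, d.ip, app)[0] == "allow"}


# Constructed sample inventory and policy
WORKLOADS = [
    Workload("web-1", "10.10.1.11", frozenset({"app=shop", "tier=web"})),
    Workload("db-1", "10.10.2.21", frozenset({"app=shop", "tier=db"})),
    Workload("batch-1", "10.10.3.31", frozenset({"app=reports", "tier=batch"})),
]
DAGS = {
    "shop-web": [{"app=shop", "tier=web"}],
    "shop-db": [{"app=shop", "tier=db"}],
}
RULES = [
    Rule("web-to-db", "shop-web", "shop-db", frozenset({"mysql"}), "allow"),
]
```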
Benefits of Microsegmentation
Organizations that adopt microsegmentation realize tangible benefits:
● Reduced attack surface: Microsegmentation provides visibility into the complete network
environment without slowing development or innovation. Application developers can
integrate Security policy definition early in the development cycle and ensure that neither
application deployments nor updates create new attack vectors. This is particularly
important in the fast-moving world of DevOps.
Use Cases
The range of use cases for microsegmentation is vast and growing. Here are some representative
examples:
● Security for soft assets: Companies have a huge financial and reputational incentive to
protect “soft” assets, such as confidential customer and employee information, intellectual
property, and company financial data. Microsegmentation adds another level of security to
guard against exfiltration and other malicious actions that can cause downtime and
interfere with business operations.
3.4.1 References
● What is Microsegmentation?
paloaltonetworks.com/cyberpedia/what-is-microsegmentation
The scale numbers that the different components require to Secure Kubernetes Workloads with
CN-Series are listed in the following sections:
3.5.1 References
A virtual wire interface allows Layer 2 and Layer 3 packets from connected devices to pass
transparently if the policies applied to the zone or interface allow the traffic. The virtual wire
interfaces themselves do not participate in routing or switching.
For example, the firewall does not decrement the time to live (TTL) in a traceroute packet going
over the virtual link because the link is transparent and does not count as a hop. Packets such as
Operations, Administration, and Maintenance (OAM) protocol data units (PDUs) do not terminate at
the firewall. Thus, the virtual wire allows the firewall to maintain a transparent presence acting as
a pass-through link, while still providing security, NAT, and QoS services.
For bridge protocol data units (BPDUs) and other Layer 2 control packets (which are typically
untagged) to pass through a virtual wire, the interfaces must by default be attached to a virtual
wire object that allows untagged traffic. If the virtual wire object Tag Allowed field is empty, the
virtual wire allows untagged traffic.
For routing (Layer 3) control packets to pass through a virtual wire, you must apply a Security policy
rule that allows the traffic to pass through. For example, apply a Security policy rule that allows an
application such as BGP or OSPF.
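The forwarding rules just described (TTL preserved, L2 control passing only when the tag is allowed, routing protocols needing a Security policy rule), simulated as an added example beside a routed Layer 3 interface for contrast; this is not PAN-OS code. Parsing Tag Allowed as a comma-separated list of VLAN ids and ranges, with 0 standing for untagged, is an assumption made here.

```python
"""Virtual wire pass-through versus Layer 3 forwarding, simulated.

Added example, not PAN-OS code. Frames and the policy callback are constructed;
the Tag Allowed syntax (comma-separated ids and ranges, 0 = untagged) is assumed.
"""
from dataclasses import dataclass, replace
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class Frame:
    vlan: Optional[int]      # None = untagged
    kind: str                # "bpdu" (Layer 2 control) or "ip"
    ttl: int = 64
    app: str = ""            # App-ID for IP traffic, e.g. "bgp", "ospf", "web-browsing"


def parse_tag_allowed(field: str) -> Set[int]:
    """Tag Allowed field -> set of permitted VLAN ids; an empty field permits untagged only."""
    if not field.strip():
        return {0}
    allowed: Set[int] = set()
    for token in field.split(","):
        token = token.strip()
        if "-" in token:
            lo, hi = (int(x) for x in token.split("-", 1))
            allowed.update(range(lo, hi + 1))
        elif token:
            allowed.add(int(token))
    return allowed


def vwire_forward(frame: Frame, tag_allowed: str,
                  policy_allows: Callable[[str], bool]) -> Optional[Frame]:
    """Return the frame as it leaves the virtual wire, or None if it is dropped."""
    tag = 0 if frame.vlan is None else frame.vlan
    if tag not in parse_tag_allowed(tag_allowed):
        return None                   # tag not permitted on this virtual wire object
    if frame.kind == "bpdu":
        return frame                  # L2 control passes; no policy lookup, no TTL change
    if not policy_allows(frame.app):
        return None                   # e.g. bgp/ospf need an explicit Security rule
    return frame                      # transparent: TTL untouched, link is not a hop


def layer3_forward(frame: Frame, policy_allows: Callable[[str], bool]) -> Optional[Frame]:
    """Routed interface: BPDUs terminate here and every forwarded packet costs a hop."""
    if frame.kind == "bpdu":
        return None
    if frame.ttl <= 1 or not policy_allows(frame.app):
        return None
    return replace(frame, ttl=frame.ttl - 1)
```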
Layer 2 Deployment
Key Idea
● Firewalls in Layer 2 or virtual wire mode can inspect and provide threat
prevention for tagged or untagged traffic.
A design consideration for implementing Layer 2 interfaces is whether or not you need to segregate
all virtual machines from each other. A Software NGFW can perform this segregation on the
network by manipulating VLAN tags and preserving the existing Layer 3 gateways. The basis for this
design is providing maximum flexibility with regard to VM-Series placement, guest VM protection,
and the inherent networking capabilities of the selected cloud.
The following documents describe the different types of Layer 2 interfaces you can configure for
each type of deployment you need, including details on using virtual LANs (VLANs) for traffic and
policy separation among groups. The following documents describe how the firewall rewrites the
inbound port VLAN ID number in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge
protocol data unit (BPDU).
Layer 3 Deployment
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires
that you assign an IP address to each interface and configure virtual routers to route the traffic.
Choose this option when routing is required.
Key Idea
The following documents describe how to configure Layer 3 interfaces and how to use Neighbor
Discovery Protocol (NDP) to provision IPv6 hosts and view the IPv6 addresses of devices on the link
local network to quickly locate devices.
3.6.1 References
● Layer 2 and Layer 3 Packets over a Virtual Wire
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces/layer-2-and-layer-3-packets-over-a-virtual-wire
● Layer 2 Interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/layer-2-interfaces
● Layer 3 Interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/layer-3-interfaces
● Before moving from deploying CN-Series as a DaemonSet to CN-Series as a Service or vice
versa, you must delete and reapply plugin-serviceaccount.yaml.
○ When you deploy CN-Series as a DaemonSet, pan-plugin-cluster-mode-secret must
not exist.
○ When you deploy CN-Series as a Kubernetes service, pan-plugin-cluster-mode-secret
must be present.
4. How many default templates can you find on Panorama after downgrading the Kubernetes
plugin from 3.0.0?
a. Five
b. Four
c. Two
d. Six
6. Which mode of deployment allows the firewall to route traffic between multiple ports?
a. Tap mode
b. Layer 2
c. Virtual wire
d. Layer 3
7. Which threat detection system can monitor the traffic traversing within the VPC boundary?
a. Advanced URL Filtering
b. Cloud IDS
c. Threat monitoring
d. Global Protect
8. After git cloning the repository from GitHub, what do you need to do immediately to deploy
the CN-Series firewall?
a. Change into a local directory for the cloned repository.
b. Change to the subdirectory for your deployment.
c. Edit the values.yaml file.
d. Generate the VM auth key on Panorama.
9. VM-Series can be deployed on which three of the following platforms? (Choose three.)
a. XenServer
b. NSX-T
c. AWS
d. Azure
e. On-Premises
10. In which layer is the firewall capable of inspecting and providing threat prevention for
tagged or untagged traffic?
a. Layer 3
b. Layer 7
c. Layer 4
d. Layer 2
Installing licenses
Every instance of Panorama requires valid licenses that entitle you to manage firewalls and obtain
support. Before you can begin using Panorama for centralized management, logging, and
reporting, you are required to register, activate, and retrieve the Panorama device management
and support licenses. The Firewall Device Management license enforces the maximum number of
firewalls that Panorama can manage. This license is based on firewall serial numbers and enables
Panorama software updates and dynamic content updates such as the updates for the latest
Applications and Threats signatures. Remember, Panorama virtual appliances on AWS and Azure
must be purchased from Palo Alto Networks and cannot be purchased on the AWS or Azure
marketplaces.
After upgrading your Panorama virtual appliance, you are prompted if:
In both cases, you have 180 days from the date of upgrade to install a valid device management
license if no license has been installed. If the number of managed firewalls exceeds the device
management license, you have 180 days to delete firewalls to meet the device management license
requirements or upgrade your device management license. All commits fail if a valid device
management license is not installed, or the existing device management license limit is not met,
within 180 days of upgrade. To purchase a device management license, contact your Palo Alto
Networks sales representative or authorized reseller.
Key Idea
You can migrate VM-ELA or perpetual virtual Panorama licensing to Software Next-Generation
Firewall (Software NGFW) licensing.
1. Select Assets > Software NGFW Credits and click the Details link on the credit pool you
used to create your profile.
2. On the far right, click the vertical ellipsis (More Options) and select Provision Panorama and
then click Migrate Existing.
The CSP displays all virtual Panorama devices associated with your account.
3. Select the check box for each virtual Panorama to be migrated.
4. Click Migrate.
Verify that the Current Support Expiration Date has been updated. Additionally, you can
expand each row to view the individual licenses applied to the selected Panorama.
Complete the following procedure to migrate a standalone Panorama that cannot access the CSP
to a flexible license:
1. On your Panorama, upgrade if necessary, and note the serial number and the current
support expiration date.
2. In the CSP, select Assets > Software NGFW Credits and click the Details link on a credit
pool. Select a deployment profile or create one.
3. On the far right, click the vertical ellipsis (More Options), select Provision Panorama, and
select Migrate Existing.
The CSP displays all virtual Panorama devices associated with your account.
When you deploy licenses or updates, Panorama checks in with the Palo Alto Networks licensing
server or update server, verifies the request validity, and then allows retrieval and installation of the
license or update. This capability facilitates deployment by eliminating the need to repeat the same
tasks on each firewall or Dedicated Log Collector. It is particularly useful for managing firewalls that
do not have direct internet access or for managing Dedicated Log Collectors, which do not have a
web interface.
Before deploying updates, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility
for important details about update version compatibility.
Panorama automatically performs a daily check-in with the licensing server, retrieves license
updates and renewals, and pushes them to the firewalls. The check-in is hard-coded to occur
between 1 a.m. and 2 a.m.; you cannot change this schedule.
● You cannot use Panorama to activate the support license for firewalls. You must
access the firewalls individually to activate their support licenses.
Use the following steps to retrieve new licenses using an authentication code and push the license
keys to managed firewalls.
Key Idea
● Check that the WildFire Analysis profile rules include the advanced file types that
the WildFire subscription supports.
Use the following steps to manually update the license status of firewalls with or without direct
internet access.
A proof of concept (POC) is the most effective test you can run to make sure you are getting the
right NGFW for your environment.
Candidates preparing for this topic should know how to select the right product and configuration
for basic threat prevention and detection for both out-of-band and inline firewalls in the customer
environment.
Successful candidates should be able to work closely with customers to prepare the list of items to
be addressed in a POC. Here are some very important considerations:
Candidates should know about common testing approaches, such as Breaking Point, and should
be able to incorporate the customer’s testing approach into the list of items addressed by the POC.
Candidates should be able to explain to customers the impact of Palo Alto Networks threat
handling on these tests’ performance, such as disabled old signatures for out-of-use viruses or
known issues that impact performance. Candidates should be able to match firewall choices to the
testing approaches that are used in the POC, and match firewall and cloud-delivered security
services to the list of items to be addressed by the POC.
In firewall sales opportunities in which a customer and sales team determine that a POC might be
helpful, many data-center customers know what they want to run through their firewalls and want
to see how a Palo Alto Networks firewall handles that traffic. For example, customers often need to
run specific loads of traffic through the firewall and ensure that the POC firewall properly filters and
monitors those traffic loads. Palo Alto Networks has a POC team to ensure that the firewall and its
configuration can handle customer throughput requirements.
Multiple sources are available for providing exposure to Palo Alto Networks technologies. For lab
environments, you can leverage resources at Qwiklabs. Current information about Qwiklabs can be
found at:
● AWS QwikLab Registration
● AWS CloudNGFW QwikLab
● AWS GWLB QwikLab with VM-Series
● AWS CN-Series QwikLab
Refer to the following link if you wish to perform customized testing of any next-generation firewall
appliances in your environment:
https://start.paloaltonetworks.com/next-generation-firewall-proof-of-concept-evaluation
4.2.1 References
● Threat Signatures
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/learn-more-
about-and-assess-threats/learn-more-about-threat-signatures
4.3 Apply the appropriate deployment / configuration tool for various environments
When you are registering a new device (at the end of the registration process), an optional step
prompts you to run Day 1 Configuration.
Day 1 Configuration templates use common best-practice recommendations and compile them.
These templates can be loaded into Panorama or a next-generation firewall. Benefits of Day 1
Configuration templates include:
1. Specify the same PAN-OS version you selected during Device Registration.
2. Enter a hostname for your device.
3. Enter IP information and log server information for the device.
Key Idea
● A Day 1 Configuration template only supports IPv4. If you need IPv6, you must
configure it by CLI instead of the automated configuration tool. You can also
configure IPv6 after the IPv4 configuration using the GUI or CLI.
4.3.1 References
● Day 1 Configuration
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM2lCAG
Panorama Plugins
The architecture of the Panorama extensible plugin enables support for third-party integration
plugins, such as VMware NSX, and other Palo Alto Networks products, such as the GlobalProtect
cloud service. With this modular architecture, you can take advantage of new capabilities without
waiting for a new PAN-OS version.
For the cloud services plugin, you must activate a valid authentication code on the Customer
Support Portal and select the region—Americas or Europe—to which you want to send logs.
Key Idea
● If you have a version of a plugin currently installed and you install a new version of
the plugin, Panorama replaces the currently installed version.
Select the version of the plugin and click Install in the Action column to install the plugin.
Panorama will alert you when the installation is complete. For more details, refer to install the
VMware NSX plugin or the Cloud Services plugin.
Key Idea
● When installing the plugin for the first time on a Panorama HA pair, first install
the plugin on the passive peer. The peer will transition to a nonfunctional state.
After you successfully install the plugin on the active peer, the passive peer
returns to a functional state.
4.4.1 References
● Panorama Plugins
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins
● Install Panorama Plugins
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins/about-panorama-plugins/install-panorama-plugins
VM-Series
● VM-Series firewalls support two license types (BYOL and PAYG) and two different licensing
models—Software Next-Generation Firewall credits for flexible configurations that you
specify with a deployment profile, and fixed VM-Series model configurations. Both models
also license security services and other features.
CN-Series
To deploy the CN-Series firewall, you must complete the following tasks:
● If not done already, License the CN-Series Firewall. Generate your authorization code and
have it available when you are ready to deploy the CN-Series firewall.
● Review the CN-Series Prerequisites before you begin your deployment. Make sure you
understand the system requirements needed to deploy the CN-Series firewall.
Refer to the link below for details on the deployment of the CN-Series in supported environments.
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments
4.5.1 References
● VM-Series Deployments
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments
● CN-Series Deployment guide
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment
● CN-Series Deployment—Supported Environments
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments
● CN-Series Deployment Checklist
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/cn-series-deployment-checklist
4.6 Spin up, locate, and demonstrate demo, lab, or Ultimate Test Drive
Multiple sources are available for providing exposure to Palo Alto Networks technologies. For lab
environments, you can leverage resources at Qwiklabs. Current information about Qwiklabs can be
found at:
● AWS QwikLab Registration
● AWS CloudNGFW QwikLab
● AWS GWLB QwikLab with VM-Series
● AWS CN-Series QwikLab
Ultimate Test Drives (UTDs) are guided, hands-on experiences designed to familiarize participants
with Palo Alto Networks technology and to enhance their understanding of how our products work
and how they can improve an organization’s security posture.
Each UTD addresses a different topic. All workshops take place in a virtual lab environment with
step-by-step directions and an expert instructor to guide the participants.
Delivery
● Virtual: Webinar format (exclusively online) with SE instructor (2-3 hour session, 50 people
max.)
OR
● Live: In-person, on-site event with SE instructor (2-3 hour session)
● A Palo Alto Networks SE is the instructor (for new prospects or existing accounts).
● Partner SE delivered
There is a 51 percent win rate for initial business opportunities that run a UTD.
4.6.1 References
● Ultimate Test Drive (UTD)
https://beacon.paloaltonetworks.com/student/path/825466?sid=8785726e-8520-4469-b6e7-4e5bfe8c7e00&sid_i=0
● If you are running an evaluation license for firewall management on your Panorama virtual
appliance and want to apply a Panorama license that you purchased, perform the tasks
Register Panorama and Activate/Retrieve a Firewall Management License when the
Panorama Virtual Appliance is Internet-connected.
● Panorama can manage firewalls and collect logs even when the support license expires.
However, in that case, software and content updates will be unavailable. The software and
content versions on Panorama must be the same or later than the versions on the managed
firewalls; otherwise, errors will occur. For details, see Panorama, Log Collector, Firewall, and
WildFire Version Compatibility.
● You cannot use Panorama to activate the support license for firewalls. You must access the
firewalls individually to activate their support licenses.
● Check that the WildFire Analysis profile rules include the advanced file types that the
WildFire subscription supports.
● A Day 1 Configuration template only supports IPv4. If you need IPv6, you must configure it by
CLI instead of the automated configuration tool. You can also configure IPv6 after the IPv4
configuration using the GUI or CLI.
● If you have a version of a plugin currently installed and you install a new version of the
plugin, Panorama replaces the currently installed version.
● When installing the plugin for the first time on a Panorama HA pair, first install the plugin on
the passive peer. The peer will transition to a nonfunctional state. After you successfully
install the plugin on the active peer, the passive peer returns to a functional state.
2. If no license has been installed, within how many days from the upgrade date can you install
a valid device management license?
a. 180
b. 90
c. 150
d. 100
3. Panorama automatically performs a daily check-in with the licensing server. The check-in is
hard-coded to occur between which hours?
a. 12:00 a.m. to 1:00 a.m.
b. 12:00 a.m. to 12:30 a.m.
c. 1:00 a.m. to 1:30 a.m.
d. 1:00 a.m. to 2:00 a.m.
5. Which three plugin configuration options are supported for use in Panorama? (Choose
three.)
a. Cisco ACI
b. GCP
c. OCI
d. AMC
e. VMware NSX
6. Where can you download the Docker files for CN-Series deployment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace
7. Which three statements are true for Ultimate Test Drive? (Choose three.)
a. It is a conversion and demand-generation tool.
b. It is a training tool.
c. It is an evaluation-acceleration tool.
d. It is a full demonstration of our platform
e. It is a way to expose customers to new products and solutions.
8. In a Day 1 Configuration template, where can you configure IPv6 after the IPv4
configuration?
a. GUI
b. CLI
9. What is the win rate for initial business opportunities that run a UTD?
a. 71%
b. 68%
c. 51%
d. 88%
The default security rules are appended to the end of the normal security rules, as shown below:
● A green cog image next to the “intrazone-default” rule name indicates the rule is predefined
or from Panorama. A tool tip is available on the image.
● A double cog image next to the “interzone-default” rule name indicates that the rule is in
the current virtual system and overriding the values of another rule from Panorama.
● The “intrazone-default” rule action is allow.
● The “interzone-default” rule action is deny.
Universal: A Security policy rule that matches traffic between two zones, whether the source and
destination are the same zone or different zones. This type applies the rule to all matching
interzone and intrazone traffic in the specified source and destination zones.
For example, if you create a universal rule with source zones A and B and destination
zones A and B, the rule would apply to all traffic:
● Within zone A
● Within zone B
● From zone A to zone B
● From zone B to zone A
Intrazone: A Security policy rule that matches traffic within the same zone. This type applies the
rule to all matching traffic within the specified source zones (you cannot specify a destination
zone for intrazone rules).
For example, if you set the source zone to A and B, the rule would apply to all traffic
within zone A and zone B, but not to traffic between zones A and B.
Interzone: A Security policy rule that matches traffic between two different zones; traffic within
a single zone never matches a rule of this type. This type applies the rule to all matching
traffic between the specified source and destination zones.
For example, if you set the source zone to A, B, and C and the destination zone to A and
B, the rule would apply to traffic from:
● Zone A to zone B
● Zone B to zone A
● Zone C to zone A
● Zone C to zone B
It will NOT apply to traffic within zones A, B, or C.
When a rule is configured as intrazone, the destination zone cannot be changed, and its value
comes from the source zone.
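The zone-matching semantics of the three rule types, and the way the predefined intrazone-default (allow) and interzone-default (deny) rules catch whatever the configured rulebase does not, can be checked with a small model. The following Python is an added illustration written for this guide, not PAN-OS code or a Palo Alto Networks tool; the "any" wildcard member, the rule and zone names, and the first-match evaluation order are assumptions made for the example.

```python
"""Security policy rule-type matching: universal, intrazone, interzone.

Added illustration of the zone semantics described in the study guide; this is
not PAN-OS code. Rule names, zone names and the "any" wildcard are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = "any"  # wildcard zone member (assumed simplification of the PAN-OS "any")

RULE_TYPES = ("universal", "intrazone", "interzone")


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str                                   # one of RULE_TYPES
    action: str                                      # "allow" | "deny"
    source_zones: FrozenSet[str]
    destination_zones: FrozenSet[str] = frozenset()  # ignored for intrazone

    def __post_init__(self) -> None:
        if self.rule_type not in RULE_TYPES:
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        if self.rule_type == "intrazone" and self.destination_zones:
            # Intrazone rules cannot specify a destination zone; it comes from the source.
            raise ValueError("intrazone rules take their destination from the source zones")


def _zone_in(zone: str, members: FrozenSet[str]) -> bool:
    return ANY in members or zone in members


def rule_matches(rule: Rule, src_zone: str, dst_zone: str) -> bool:
    """True if a flow from src_zone to dst_zone falls within the rule's zone scope."""
    if rule.rule_type == "intrazone":
        # Destination is implied: the same zone as the source.
        return src_zone == dst_zone and _zone_in(src_zone, rule.source_zones)
    if rule.rule_type == "interzone":
        # Different zones only; same-zone traffic never matches.
        return (src_zone != dst_zone
                and _zone_in(src_zone, rule.source_zones)
                and _zone_in(dst_zone, rule.destination_zones))
    # universal: both intrazone and interzone traffic are in scope.
    return _zone_in(src_zone, rule.source_zones) and _zone_in(dst_zone, rule.destination_zones)


def zone_pairs_covered(rule: Rule, zones: List[str]) -> List[Tuple[str, str]]:
    """Enumerate the (source, destination) zone pairs a rule applies to."""
    return sorted((s, d) for s in zones for d in zones if rule_matches(rule, s, d))


# Predefined default rules, appended after the configured rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", "intrazone", "allow", frozenset({ANY})),
    Rule("interzone-default", "interzone", "deny", frozenset({ANY}), frozenset({ANY})),
]


def evaluate(rulebase: List[Rule], src_zone: str, dst_zone: str) -> Tuple[str, str]:
    """First-match evaluation over the rulebase, then the default rules."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule_matches(rule, src_zone, dst_zone):
            return rule.name, rule.action
    raise AssertionError("the default rules cover every zone pair")  # unreachable


if __name__ == "__main__":
    zones = ["A", "B", "C"]
    universal = Rule("u", "universal", "allow", frozenset("AB"), frozenset("AB"))
    intrazone = Rule("i", "intrazone", "allow", frozenset("AB"))
    interzone = Rule("x", "interzone", "allow", frozenset("ABC"), frozenset("AB"))
    for r in (universal, intrazone, interzone):
        print(r.name, zone_pairs_covered(r, zones))
    rulebase = [Rule("web-to-db", "interzone", "allow", frozenset({"web"}), frozenset({"db"}))]
    print(evaluate(rulebase, "web", "db"))   # ('web-to-db', 'allow')
    print(evaluate(rulebase, "db", "web"))   # ('interzone-default', 'deny')
    print(evaluate(rulebase, "web", "web"))  # ('intrazone-default', 'allow')
```

The three example rules reproduce the zone-pair lists given in the text above, and the evaluator shows why the return path from db to web is denied: no configured rule matches it, so the interzone-default rule applies.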
You can override these rules if there is a green single cog image next to the rule name.
The override action will bring up a security rule editor with two tabs.
To get back the predefined or Panorama-pushed value, perform the revert action.
On Panorama, the default rules are visible in a separate tree node, below the security pre and post
rules. The green single cog image next to the name indicates that the rule is from an ancestor
device group or is shared or predefined.
A double cog image next to the name indicates that the rule is overriding that of an ancestor device
group rule, shared rule, or predefined rule.
Key Idea
5.1.1 Reference
DAGs allow you to create a policy that automatically adapts to changes such as adding, moving, or
deleting servers. They also provide the flexibility to apply different rules to the same server based on
tags that define the server’s role in the network, the operating system, or the different kinds of
traffic it processes.
Membership in a DAG is determined using tag names or tag-based filters. Either external software
or the firewall can automatically add a tag to an IP address, and then you can associate that tag
with a dynamic address group. For example, VMware NSX software can assign a tag to the IP
address of a newly created virtual machine, or the auto-tagging capability included in the log
forwarding feature of the firewall can add a tag to an IP address.
Auto-tagging allows the firewall or Panorama to tag a policy object when it receives a log that
matches specific criteria and establishes IP-address-to-tag or user-to-tag mapping.
Redistribute the mappings across your network by registering the IP-address-to-tag and
user-to-tag mappings to a PAN-OS integrated User-ID agent on the firewall or Panorama or a
remote User-ID agent using an HTTP Server profile. The firewall can automatically remove a tag
associated with an IP address or user when you configure a timeout as part of a built-in action in
the log forwarding settings.
For example, if the firewall detects that a user has potentially compromised credentials, you could
configure the firewall to require MFA for that user for a given period, then configure a timeout to
remove the user from the MFA-requirement group.
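The auto-tagging flow described above (a log matches criteria, the source address is tagged, a DAG filter picks the address up, and a timeout later removes the tag) can be modelled end to end. The following Python is an added illustration written for this guide, not PAN-OS code or a Palo Alto Networks tool; the log records, the tag names, the nested-tuple filter syntax and the timestamps are all constructed for the example (PAN-OS has its own match-criteria syntax).

```python
"""Dynamic address group (DAG) membership driven by auto-tagging with timeouts.

Added illustration of the mechanism described in the study guide; not PAN-OS code.
Log records, tag names and the nested-tuple filter syntax are constructed here.
"""
from typing import Callable, Dict, List, Optional, Set, Tuple, Union

Filter = Union[str, tuple]  # "tag" | ("and"|"or", *filters) | ("not", filter)


class TagRegistry:
    """IP-address-to-tag mappings; each mapping carries an optional expiry time."""

    def __init__(self) -> None:
        self._tags: Dict[str, Dict[str, Optional[float]]] = {}

    def register(self, ip: str, tag: str, now: float, timeout: Optional[float] = None) -> None:
        # timeout is in seconds; None keeps the tag until it is explicitly unregistered.
        expiry = None if timeout is None else now + timeout
        self._tags.setdefault(ip, {})[tag] = expiry

    def unregister(self, ip: str, tag: str) -> None:
        self._tags.get(ip, {}).pop(tag, None)

    def expire(self, now: float) -> List[Tuple[str, str]]:
        """Remove tags whose timeout has elapsed; returns the (ip, tag) pairs removed."""
        removed = []
        for ip, tags in self._tags.items():
            for tag, expiry in list(tags.items()):
                if expiry is not None and expiry <= now:
                    del tags[tag]
                    removed.append((ip, tag))
        return removed

    def tags_of(self, ip: str) -> Set[str]:
        return set(self._tags.get(ip, {}))

    def ips(self) -> List[str]:
        return list(self._tags)


def match_filter(expr: Filter, tags: Set[str]) -> bool:
    """Evaluate a tag-based filter against the tags registered for one address."""
    if isinstance(expr, str):
        return expr in tags
    op, *operands = expr
    if op == "and":
        return all(match_filter(o, tags) for o in operands)
    if op == "or":
        return any(match_filter(o, tags) for o in operands)
    if op == "not":
        return not match_filter(operands[0], tags)
    raise ValueError(f"unknown operator {op!r}")


def dag_members(registry: TagRegistry, expr: Filter) -> List[str]:
    """Current DAG members: every registered address whose tags satisfy the filter."""
    return sorted(ip for ip in registry.ips() if match_filter(expr, registry.tags_of(ip)))


class AutoTagAction:
    """Log-forwarding built-in action: tag the source IP of any log matching `criteria`."""

    def __init__(self, criteria: Callable[[dict], bool], tag: str, timeout: Optional[float]) -> None:
        self.criteria, self.tag, self.timeout = criteria, tag, timeout

    def apply(self, registry: TagRegistry, log: dict, now: float) -> bool:
        if not self.criteria(log):
            return False
        registry.register(log["src"], self.tag, now, self.timeout)
        return True


def process_logs(registry: TagRegistry, actions: List[AutoTagAction],
                 logs: List[dict], now: float) -> int:
    """Run every action over every log; returns the number of tags applied."""
    return sum(action.apply(registry, log, now) for action in actions for log in logs)


def demo() -> Tuple[List[str], List[str], List[str]]:
    reg = TagRegistry()
    t0 = 1_000.0
    # Tags registered by an external source (the guide's NSX example) at VM creation.
    reg.register("10.1.1.5", "role.web", t0)
    reg.register("10.1.1.6", "role.web", t0)
    reg.register("10.1.2.9", "role.db", t0)
    # Constructed logs: one critical threat log from a web server, one ordinary traffic log.
    logs = [
        {"type": "threat", "severity": "critical", "src": "10.1.1.5"},
        {"type": "traffic", "severity": "informational", "src": "10.1.1.6"},
    ]
    quarantine = AutoTagAction(
        lambda log: log["type"] == "threat" and log["severity"] == "critical",
        tag="quarantine", timeout=3600)
    process_logs(reg, [quarantine], logs, t0)
    # Two DAGs see the same hosts but select them differently based on tags.
    web_clean = ("and", "role.web", ("not", "quarantine"))
    quarantined = "quarantine"
    before = (dag_members(reg, web_clean), dag_members(reg, quarantined))
    reg.expire(t0 + 3601)  # timeout elapsed: the tag is removed automatically
    after = dag_members(reg, quarantined)
    return before[0], before[1], after


if __name__ == "__main__":
    print(demo())  # (['10.1.1.6'], ['10.1.1.5'], [])
```

The point to notice is that no rule or address object changes when the threat log arrives: the rulebase references the two DAGs, and policy follows the host as its tag set changes, first into the quarantine group and, once the timeout elapses, back out of it.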
Key Idea
● Dynamic user groups do not support auto-tagging from HIP Match logs.
5.2.1 References
5.3 Explain how Zero Trust relates to VM-Series and CN-Series cloud deployments
Zero Trust is a business-driven, strategic approach to securing your most critical data, applications,
assets, and services (DAAS), as well as your users, based on what is important to your business, in a
protect surface. Zero Trust strategy is infrastructure-neutral, so you can apply it to all physical and
virtual locations—network, public cloud, private cloud, and endpoint.
Zero Trust strategy is not something you implement once and copy from network to network
because each environment and protect surface is different. As businesses change over time, the
This methodology works whether you are implementing a Zero Trust strategy in the cloud, on a
private network, or on endpoints, regardless of infrastructure.
Defining your protect surface enables you to focus on defending what really matters to your
business instead of trying to identify and protect the entire attack surface or focusing on just the
perimeter. The protect surface is also much smaller than the attack surface or the perimeter, so it is
easier to protect.
Define your protect surface based on the most crucial DAAS elements for your business:
● Data: What data needs to be protected? Think about intellectual property such as
proprietary code or processes, personally identifiable information (PII), payment card
information (PCI), and personal health information (PHI) such as Health Insurance
Portability and Accountability Act (HIPAA) information.
● Applications: Which applications consume sensitive information? Which applications are
critical for your business functions?
● Assets: Which assets are the most sensitive? Depending on your business, that could be
Supervisory Control and Data Acquisition (SCADA) controls, POS terminals, medical
equipment, manufacturing equipment, and groups of critical servers.
● Services: Which services can attackers exploit to disrupt IT operations and negatively
impact the business?
There are many ways to map transaction flows. Some techniques for defining your protect surface
apply, as well:
● Create a microperimeter in Layer 7 policy around each protect surface. This prevents
lateral movement because the microperimeter provides granular policy controls for who
(User-ID) accesses what applications (App-ID) and resources in what manner
(Content-ID) and at what time through the segmentation gateway. Segment based on
how transactions flow across your network and how your users and applications access
data and services.
● Aggregate security capabilities into a single control point for all traffic entering and
exiting the protect surface. The segmentation gateway should enforce policy, decrypt
encrypted traffic, and apply protections such as:
○ DNS Security (use the DNS Security service, which provides multiple real-time threat
intelligence sources, infinitely scalable real-time analysis of DNS requests, and
advanced DNS signatures).
○ Intrusion prevention (Vulnerability Protection, Anti-Spyware, and Antivirus profiles).
■ Blocking potentially dangerous file types
● Log every session, then send the logs to the Cortex Data Lake from Panorama for
managed firewalls, from individual firewalls, from Prisma Access (formerly GlobalProtect
cloud service), and from Cortex XDR to centralize and aggregate your on-premises and
virtual (private and public cloud) log storage for physical and VM-Series firewalls.
● Use APIs for tight integration with third-party defense tools from partners.
● Use tools such as Ansible, Terraform, and Python to automate, orchestrate, and accelerate
protecting Prisma Cloud deployments.
Palo Alto Networks enables you to architect your Zero Trust environment and apply consistent
security across all locations:
● Corporate network and data center: Use next-generation firewalls to segment the
network into microperimeters for your protect surfaces.
● Public cloud: Use Prisma Access, which uses on-premises or VM-Series next-generation
firewalls, and Prisma Cloud (an API-based cloud infrastructure security solution) to
implement Zero Trust policy in cloud environments. VPCs define protection boundaries
to segment workloads.
● Branch office and mobile users: Use Prisma Access to provide cloud-based security and
to avoid round-trips to corporate network resources. Configure Prisma Access for users
and also Prisma Access for networks to secure branches. Alternatively, use an
on-premises next-generation firewall with the GlobalProtect subscription service to
extend security policy and enforcement to remote users and branch offices.
● Endpoints: Layer protection by using the Next-Generation Firewall for segmentation and
the first layer of protection, and using Cortex XDR agent for the second layer of
protection. Enforce consistent policy using GlobalProtect (on-premises installation) or
Prisma Access (installed using Panorama and managed for you in the cloud) VPNs to
extend policy to remote endpoints and enable policy to move with the user. Prisma
Access requires the GlobalProtect app on mobile-user endpoints. In all cases, install the
GlobalProtect app on managed endpoints and use GlobalProtect Clientless VPN on
unmanaged endpoints (endpoints on which you cannot or do not want to place an
● SaaS applications: Use Prisma SaaS to scan, analyze, classify, and help protect SaaS
applications. Redirect SaaS application traffic for unmanaged devices through your
next-generation firewall.
● It is much easier to know the applications you want to allow to support your business than
to take on the never-ending task of identifying and blocking all the applications you do
not want to allow.
● All breaches and malicious activity happen on allow rules. Focus security on traffic you
allow, and allow only the traffic required for business.
Zero Trust policy is based on the Kipling Method. Answering Rudyard Kipling’s six-tuple of
questions, “who, what, when, where, why, and how,” shows you how to decide whether to allow or
block traffic and how to create a Security policy that safeguards each protect surface.
Key Idea
The way you apply the methodology depends on what you are protecting and your business
requirements—what’s critical to your business—but the outcomes you are working toward are the
same:
5.3.1 Reference
● What is Zero Trust for the Cloud?
https://docs.paloaltonetworks.com/best-practices/10-1/zero-trust-best-practices/zero-trust-best-practices/what-is-zero-trust-and-why-do-i-need-it
The Palo Alto Networks auto scaling templates for AWS help you to configure and deploy VM-Series
firewalls to protect applications deployed in AWS. The templates leverage AWS scalability features
to independently and automatically scale VM-Series firewalls deployed in AWS to meet surges in
application workload resource demand.
● The VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a
bootstrap file for version 2.0 and Panorama for version 2.1).
● AWS automation technology includes CloudFormation templates and scripts for AWS
services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and
SNS.
The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series
Firewalls in AWS:
● Version 2.0 provides a firewall template and an application template. These templates and
the supporting scripts deploy VM-Series firewalls, an internet-facing firewall, an internal
firewall, and application ASGs in one or more VPCs.
In version 2.0, Palo Alto Networks supports the firewall template while the application
template is community-supported. See VM-Series Auto Scaling Template for AWS Version
2.0 for deployment details.
● Version 2.1 includes two firewall templates and five application templates. It adds support for
deployment in a single VPC and adds support for a load balancer sandwich topology that
enables you to deploy the VM-Series firewalls in a front-end VPC and the back-end
applications in one or more application VPCs connected by VPC peering or AWS
PrivateLink.
In version 2.1, you can implement both application load balancers (ALBs) and network load
balancers (NLBs) in VPCs.
Key Idea
5.4.1 Reference
● Auto Scaling VM-Series Firewalls with the Amazon ELB Service
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb
5.5 Compare and contrast Prisma Cloud Compute (PCC) and CN-Series
Prisma Cloud provides comprehensive visibility and threat detection to mitigate risks and secure
your workloads in a hybrid and multi-cloud environment. If your organization is leveraging public
cloud platforms and a rich set of microservices to rapidly build and deliver applications, Prisma
Cloud offers cloud native application security controls for public cloud platforms, hosts, containers,
and serverless technologies.
Key Idea
5.5.1 References
● Prisma Cloud Compute
https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-compute-edition-aag
● CN-Series
https://docs.paloaltonetworks.com/cn-series
1. Which three of the following are cloud policy rule types? (Choose three.)
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal
2. Which Security policy rule type allows traffic from a zone to the same zone?
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal
4. Which of the following allows the firewall or Panorama to tag a policy object when it receives
a log that matches specific criteria?
a. A DAG
b. Zero Trust
c. Universal policy
d. Auto-tagging
10. The virtual firewalls of which two cloud types secure virtualized compute resources and
hypervisors? (Choose two.)
a. Private cloud
b. Protected cloud
c. Public cloud
Domain 1
2. While defining an address group, each registered IP address can have up to how many tags?
a. 32
b. 64
c. 16
d. 8
4. Which two statements are true for Panorama plugins? (Choose two.)
a. Panorama plugins are available for both VM-Series and Hardware-based Firewall.
b. Panorama plugins are optional and can be removed.
c. Panorama plugins are built-in.
d. Panorama plugin versions are independent of Panorama version.
5. Which three statements are true with respect to VM-Series plugin upgrades? (Choose three.)
a. Can be upgraded manually independent of PAN-OS.
b. Can be upgraded locally in the virtual firewall.
c. PAN-OS Upgrade is mandatory to upgrade VM-Series plugins.
d. Upgrades can be managed centrally through Panorama.
e. Every plugin version is compatible with all the PAN-OS versions.
7. What is used to aggregate logs from all the managed firewalls and provide visibility into all
data traffic?
a. Cortex Data Lake
b. Panorama
8. Which two parameters are considered while estimating ROI using Palo Alto Networks
VM-Series Virtual Firewalls Estimator? (Choose two.)
a. No. of firewalls to be deployed
b. No. of NetOps and SecOps staff in the organization
c. Quantity of data to be inspected
d. Amount spent on physical firewalls over a life cycle of 5 years.
Domain 2
1. Which security service assists file safety by automatically detecting unknown malware?
a. URL Filtering
b. WildFire
c. App-ID
d. Threat Prevention
7. What is the order of Kubernetes constructs from smallest to largest in terms of size and
scope?
a. Node, namespace, pod, cluster
b. Namespace, node, cluster, pod
c. Pod, node, namespace, cluster
d. Pod, node, cluster, namespace
8. Which environment uses software and virtualization to provide network connectivity for
dispersed locations?
a. On-premise
b. SDN
c. SD-WAN
d. Nutanix
9. After deselecting a credit pool, you see a reminder to activate those credits. What will be
your next step?
a. Select the credit pool you want to activate.
b. Deposit credits.
c. Purchase a different credit pool.
d. Return to your email and click the Start Activation link.
Domain 3
4. How many default templates can you find on Panorama after downgrading the Kubernetes
plugin from 3.0.0?
a. Five
6. Which mode of deployment allows the firewall to route traffic between multiple ports?
a. Tap mode
b. Layer 2
c. Virtual wire
d. Layer 3
7. Which threat detection system can monitor the traffic traversing within the VPC boundary?
a. Advanced URL Filtering
b. Cloud IDS
c. Threat monitoring
d. Global Protect
8. After git cloning the repository from GitHub, what do you need to do immediately to deploy
the CN-Series firewall?
a. Change into a local directory for the cloned repository.
b. Change to the subdirectory for your deployment.
c. Edit the values.yaml file.
d. Generate the VM auth key on Panorama.
9. VM-Series can be deployed on which three of the following platforms? (Choose three.)
a. XenServer
b. NSX-T
c. AWS
d. Azure
e. On-Premises
10. At which layer is the firewall capable of inspecting and providing threat prevention for
tagged or untagged traffic?
a. Layer 3
b. Layer 7
c. Layer 4
d. Layer 2
Domain 4
2. If no license has been installed, within how many days from the upgrade date can you install
a valid device management license?
a. 180
b. 90
c. 150
d. 100
3. Panorama automatically performs a daily check-in with the licensing server. The check-in is
hard-coded to occur between which hours?
a. 12:00 a.m. to 1:00 a.m.
b. 12:00 a.m. to 12:30 a.m.
c. 1:00 a.m. to 1:30 a.m.
d. 1:00 a.m. to 2:00 a.m.
5. Which three plugin configuration options are supported for use in Panorama? (Choose
three.)
a. Cisco ACI
b. GCP
c. OCI
d. AMC
e. VMware NSX
6. Where can you download the Docker files for CN-Series deployment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace
7. Which three statements are true for Ultimate Test Drive? (Choose three.)
a. It is a conversion and demand-generation tool.
b. It is a training tool.
c. It is an evaluation acceleration tool.
d. It is a full demonstration of our platform.
e. It is a way to expose customers to new products and solutions.
8. In a Day 1 Configuration template, where can you configure IPv6 after the IPv4
configuration?
a. GUI
b. CLI
c. Cortex
d. Both GUI and CLI
9. What is the win rate for initial business opportunities that run a UTD?
a. 71%
Domain 5
1. Which three of the following are cloud policy rule types? (Choose three.)
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal
2. Which Security policy rule type allows traffic from a zone to the same zone?
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal
4. Which of the following allows the firewall or Panorama to tag a policy object when it receives
a log that matches specific criteria?
a. A DAG
b. Zero Trust
c. Universal policy
d. Auto-tagging
10. The virtual firewalls of which two cloud types secure virtualized compute resources and
hypervisors? (Choose two.)
a. Private cloud
b. Protected cloud
c. Public cloud
d. Hybrid cloud
1. Which of the following is a valid CN-MGMT metric to auto scale CN-Series firewall?
a. mgmtplanecpuutilizationpct
b. panthroughput
c. panpacketrate
d. pandataplaneslots
3. In network segmentation, what are two advantages of subdividing the network into smaller
subnets and VLANs? (Choose two.)
a. It reduces the scope of broadcast packets.
b. You can isolate machines on different network segments.
c. It improves network performance.
d. It prevents a threat from spreading to other network segments.
4. Which three statements are true for the UTD? (Choose three.)
a. It is available to both prospects and customers.
b. It is free to use.
c. It can be delivered in person or online (webinar style).
d. It provides full coverage of our products.
e. It is a full demonstration of our platform.
6. Terraform templates may be used to secure workloads on which two platforms? (Choose
two.)
a. AWS
b. Azure
c. Jenkins
d. GitHub
8. Which two statements are true for CN-Series deployment modes? (Choose two.)
a. They provide an automated security deployment.
b. They provide unlimited insertion options.
c. They leverage the auto scaling capabilities of Kubernetes.
d. They support I/O acceleration.
9. Microsegmentation helps provide consistent security across private and public clouds by
virtue of which three principles? (Choose three.)
a. Visibility
b. Granular security
c. Dynamic adaptation
d. Threat prevention
e. Exfiltration prevention
11. Which Palo Alto Networks service provides protection against new and unknown threats?
a. Advanced URL Filtering
b. DNS Security
c. GlobalProtect
d. Prisma SaaS
16. Which Kubernetes auto scaling method allows your CN-Series firewall deployment to auto
scale dynamically along with your Kubernetes environment?
a. Horizontal pod auto scaling
b. Vertical cluster auto scaling
c. Cluster auto scaling
d. Namespace auto scaling
17. Where can you access the Day 1 Configuration? (Choose three.)
a. Assets > Network Security
b. Activate Products
c. Tools > Run Day 1 Configuration
d. Devices > Run Day 1 Config
e. Groups
19. Where can you find the YAML files required to deploy the CN-Series firewall in your
Kubernetes environment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace
20. Virtual wire interfaces will forward traffic from which of the following connected device
types?
a. Layer 2 switches
b. Layer 3 routers
c. Layer 7 firewalls
d. Layer 4 multiplexing
e. Layer 6 encryption
1. Which of the following is a valid CN-MGMT metric to auto scale CN-Series firewall?
a. mgmtplanecpuutilizationpct
b. panthroughput
c. panpacketrate
d. pandataplaneslots
3. In network segmentation, what are two advantages of subdividing the network into smaller
subnets and VLANs? (Choose two.)
a. It reduces the scope of broadcast packets.
b. You can isolate machines on different network segments.
c. It improves network performance.
d. It prevents a threat from spreading to other network segments.
4. Which three statements are true for the UTD? (Choose three.)
a. It is available to both prospects and customers.
b. It is free to use.
c. It can be delivered in person or online (webinar style).
d. It provides full coverage of our products.
e. It is a full demonstration of our platform.
6. Terraform templates may be used to secure workloads on which two platforms? (Choose
two.)
a. AWS
b. Azure
c. Jenkins
d. GitHub
9. Microsegmentation helps provide consistent security across private and public clouds by
virtue of which three principles? (Choose three.)
a. Visibility
b. Granular security
c. Dynamic adaptation
d. Threat prevention
e. Exfiltration prevention
11. Which Palo Alto Networks service provides protection against new and unknown threats?
a. Advanced URL Filtering
b. DNS Security
c. GlobalProtect
d. Prisma SaaS
16. Which Kubernetes auto scaling method allows your CN-Series firewall deployment to auto
scale dynamically along with your Kubernetes environment?
a. Horizontal pod auto scaling
b. Vertical cluster auto scaling
c. Cluster auto scaling
d. Namespace auto scaling
17. Where can you access the Day 1 Configuration? (Choose three.)
a. Assets > Network Security
b. Activate Products
c. Tools > Run Day 1 Configuration
d. Devices > Run Day 1 Config
e. Groups
19. Where can you find the YAML files required to deploy the CN-Series firewall in your
Kubernetes environment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace
20. Virtual wire interfaces will forward traffic from which of the following connected device
types?
a. Layer 2 switches
b. Layer 3 routers
c. Layer 7 firewalls
d. Layer 4 multiplexing
e. Layer 6 encryption
● Access Control Lists (ACLs) - A set of rules that help to control network traffic and reduce
network attacks.
● Application Load Balancers (ALBs) - A feature of Elastic Load Balancer. See Elastic Load
Balancing (ELB).
● Application Gateway - Used to help users access a web app. An application gateway creates
a temporary pinhole for a limited time and exclusively for transferring data or controlling
network traffic.
● Auto Scaling Groups (ASGs) - A logical grouping used in auto scaling and management.
● Azure Kubernetes Service (AKS) - A way to deploy Kubernetes on Azure and manage
Kubernetes environments hosted on Azure.
● Azure Resource Manager (ARM) Templates - Provide users with the ability to manage and
scale Azure services on a public or private cloud.
● BreakingPoint - A network security test solution that simulates the good application traffic,
the bad malicious attack traffic, and the ugly malformed traffic to validate the network
performance and security posture, reduce risk, and increase attack readiness.
● Bridge protocol data unit (BPDU) - A data message used to detect loops in a network. A
BPDU contains information about ports, switches, port priority, and addresses.
● Bring your own license (BYOL) - A licensing model that allows flexible use of licenses
owned by a company.
● CloudFormation - A service by AWS that helps set up and model resources to reduce the
time spent in managing resources. CloudFormation templates can be used to autoscale
firewalls in AWS.
● CloudWatch - A monitoring and management service by AWS that provides actionable data
such as metrics and logs to better manage and optimize resources.
● Command-line interface (CLI) - A utility that allows the user to monitor and configure the
device.
● Cortex Data Lake - A service by Palo Alto Networks that provides cloud-based, centralized
log storage and aggregation for on-premises and virtual firewalls, Prisma Access, and
cloud-delivered services such as Cortex XDR. The service is secure, resilient, and
fault-tolerant, and it ensures that logging data is up to date and available when needed. It
provides a scalable logging infrastructure that alleviates the need to plan and deploy Log
Collectors to meet log retention needs.
● CNI - Container Network Interface, which is a framework for the dynamic configuration of
networking resources.
● CRI-O - The name derives from CRI plus Open Container Initiative (OCI) because CRI-O is
strictly focused on OCI-compliant runtimes and container images. Allows you to run
containers directly from Kubernetes, without any unnecessary code or tooling.
● Data loss prevention (DLP) - A security strategy that ensures that sensitive or confidential
information does not leak outside of the corporate network in a way that is unsafe or
noncompliant.
● DevOps - A practice that unites development and operations teams throughout the
software-delivery process, enabling them to discover and remediate issues earlier, automate
testing and deployment, and reduce time to market.
● EC2 - A service that provides scalable computing capacity to launch virtual machines. EC2,
or the AWS Elastic Compute Cloud, categorizes instance families—General Purpose,
Compute Optimized, Memory Optimized, Accelerate Networking, and Storage
Optimized—to fit different use cases and application profiles.
● ELB - Elastic Load Balancing, which automatically distributes application traffic for multiple
targets and virtual appliances in one or more availability zones.
● Enterprise Network Compute System (ENCS) - A branch virtualization tool by Cisco that
can help deploy network services in minutes.
● ESXi - Elastic Sky X Integrated. A hypervisor that runs directly on system hardware without
the need for an operating system.
● GitHub - A website and cloud-based service that helps developers store and manage their
code, as well as track and control changes to their code.
● Google Cloud Platform (GCP) - A suite of cloud computing services offered by Google that
runs on the same infrastructure that Google uses internally for its end-user products, such as
Google Search, Gmail, Google Drive, and YouTube.
● Graphical user interface (GUI) - An interface through which a user interacts with electronic
devices such as computers and smartphones using icons, menus, and other visual indicators
or representations.
● High availability (HA) - A deployment in which two firewalls are placed in a group and their
configuration is synchronized to prevent a single point of failure on your network. A
heartbeat connection between the firewall peers ensures seamless failover in the event that
a peer goes down.
● HTTP - Hypertext Transfer Protocol (HTTP). This is an application-layer protocol model for
distributed, collaborative, hypermedia information systems.
● Hypervisor - Technology that allows multiple virtual (or guest) operating systems to run
concurrently on a single physical host computer.
● Internet Protocol (IP) address - A 32-bit or 128-bit identifier assigned to a networked device
for communications at the Network layer of the OSI model or the Internet layer of the TCP/IP
model. See also Open Systems Interconnection (OSI) model and Transmission Control
Protocol/Internet Protocol (TCP/IP) model.
● Load Balancer - A traffic cop for networks to balance the load on various VPCs inside an
application. It is used to scale up and down any application based on demand.
● Malware - A file or code, typically delivered over a network, that infects, explores, steals, or
conducts virtually any behavior an attacker wants.
● Mean time to resolution (MTTR) - The average time to fully recover from a failure.
● Net present value (NPV) - The total value of all future cash flows generated by a project.
● Oracle Cloud Infrastructure (OCI) - A set of products and services that allow customers to
manage and scale their networks.
● PAN-DB - A URL and IP database from Palo Alto Networks, integrated with PAN-OS.
● PAN-OS - The software that runs all Palo Alto Networks next-generation firewalls. By
leveraging the key technologies that are built into PAN‑OS—App‑ID, Content‑ID, Device-ID,
and User‑ID—you can have complete visibility and control of the applications in use across
all users and devices in all locations all the time.
● Panorama - A centralized management system that provides global visibility and control
over multiple Palo Alto Networks next-generation firewalls through an easy-to-use
web-based interface.
● Persistent Volume (PV) - A piece of storage inside the cluster that has been provisioned by
administrators or dynamically provisioned by storage classes.
● Plugin - A software add-on that adds a feature to an existing program. Plugins help you use
functionalities that are not native to an application, without upgrading or changing the
entire application.
● POC (Proof of Concept) - The most effective test you can run to make sure you are getting
the right NGFW for your environment.
● Private cloud - A cloud computing model that consists of a cloud infrastructure used
exclusively by a single organization.
● Protect surface - In a Zero Trust architecture, the protect surface consists of the most
critical and valuable data, assets, application, and services on a network.
● Protocol data units (PDUs) - Chunks of information that are sent between various entities
within networks. This information can be used to control things like addresses or data. In
layered systems, a PDU represents a unit of data specified in the protocol of a given layer,
which includes protocol control information and user data.
● Public cloud - A cloud computing deployment model that consists of a cloud infrastructure
open to use by the general public.
● Quality of Service - The use of mechanisms or technologies to control traffic and ensure the
performance of critical applications on a network with limited capacity.
● Representational State Transfer (REST) API - Allows for interaction with RESTful web
services. It works on the REST Architecture, hence the name. The Panorama REST API allows
you to manage firewalls and Panorama through a third-party service, application, or script.
● Routes - Predefined paths for data-packet traffic to flow between or across multiple
networks.
● SaaS - Software as a service (SaaS). A software licensing and delivery model in which
software is licensed on a subscription basis and centrally hosted.
● Secure Sockets Layer (SSL) proxy - Performs Secure Sockets Layer encryption and
decryption between server and client.
● Security policy - Protects network assets from threats and disruptions and helps to
optimally allocate network resources for enhancing productivity and efficiency in business
processes. On a Palo Alto Networks firewall, individual Security policy rules determine
whether to block or allow a session based on traffic attributes, such as the source and
destination security zone, the source and destination IP address, the application, the user,
and the service.
● Simple Network Management Protocol (SNMP) - Used to manage and monitor LAN or
WAN networks.
● Simple Notification Service (SNS) - An AWS service used to send notifications directly to
the customers.
● Simple Storage Service (S3) - A scalable and affordable storage service by AWS.
● Software-Defined Wide Area Network (SD-WAN) - A technology that allows you to use
multiple internet and private services to create an intelligent and dynamic WAN. It helps
lower costs and maximize application quality and usability.
● StatefulSet - The Kubernetes workload API object used to manage stateful applications.
● Subnet IP address (SNIP) - An IP address that is owned and used by the Citrix ADC to
communicate with the Citrix servers. The Citrix ADC proxies client connections to servers by
using the subnet IP address as the source IP address.
● Tags - Used to identify the purpose of a rule or a configuration object and better organize
your rulebase. You can tag objects to group related items and add color to the tag to visually
distinguish them for easy scanning. You can create tags for the following objects: address
objects, address groups, user groups, zones, service groups, and policy rules.
● Template stack - Used to configure the settings that enable firewalls to operate on
networks. Templates are the basic building blocks you use to configure the Network and
Device tabs on Panorama. Template stacks give you the ability to layer multiple templates
and create a combined configuration. They simplify management by allowing you to define
a common base configuration for all devices attached to the template stack.
● Antivirus signatures - Detect viruses and malware found in executables and file types.
● Throughput - A measure of the number of data packets that can be processed in a unit of
time. It is the rate of successful packet deliveries over a channel.
● User-defined routing (UDR) table - Used to route traffic in a subnet in Azure. In the absence
of a UDR, Azure uses the default system routes.
● Virtual LAN (VLAN) - A logical overlay network that isolates the traffic for each group of
devices that share a physical LAN and groups them together.
● Visibility - A firewall’s ability to track and log the traffic irrespective of its origin or
destination.
● VNet - One of the fundamental building blocks of private networking in Azure. VNet, or Azure
Virtual Network, enables services such as Azure Virtual Machines to communicate securely with
both on-premises and external networks.
● WildFire - Identifies previously unknown malware and generates signatures that Palo Alto
Networks firewalls can use to detect and block the malware.
● XSOAR Marketplace - The central location for installing, exchanging, contributing, and
managing your content, including playbooks, integrations, automations, fields, layouts, and
more.
● Zero Trust - A business-driven, strategic approach to secure your most critical data,
applications, assets, and services (DAAS).
Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital
learning is available. These on-demand, self-paced digital-learning classes are a helpful way to
reinforce the key information for those who have been to the formal hands-on classes. They also
serve as a useful overview and introduction to working with our technology for those unable to
attend a hands-on, instructor-led class. More information can be found at the Palo Alto Networks
Education Services site (https://www.paloaltonetworks.com/services/education) and also at Beacon
(https://beacon.paloaltonetworks.com/student/catalog).
Simply register in Beacon and you will be given access to our digital-learning portfolio. These online
classes cover foundational material and contain narrated slides, knowledge checks, and, where
applicable, demos for you to access.
New courses are being added often, so check back to see new curriculum available.
Instructor-Led Training
Looking for a hands-on, instructor-led course in your area?
Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of
solutions from onsite training to public, open-environment classes. About 42 authorized training
centers are delivering online courses in 14 languages and at convenient times for most major
markets worldwide.