Exam (elaborations)

PCNSE 100% PASSED

Pages
86
Grade
A+
Uploaded on
01-02-2024
Written in
2023/2024


AutoFocus - ✔✔The AutoFocus threat intelligence service enables security teams to prioritize their
response to unique, targeted attacks and gain the intelligence, analytics and context needed to protect
your organization. It provides context around an attack spotted in your traffic and threat logs, such as
the malware family, campaign, or malicious actor targeting your organization. AutoFocus correlates and
gains intelligence from:

o WildFire® service - the industry's largest threat analysis environment

o PAN-DB URL filtering service

o MineMeld application for AutoFocus, enabling aggregation and correlation of any third-party threat
intelligence source directly in AutoFocus

o Traps advanced endpoint protection

o Aperture SaaS-protection service

o Unit 42 threat intelligence and research team

o Intelligence from technology partners

o Palo Alto Networks global passive DNS network



GlobalProtect Secure Mobile Workforce - ✔✔GlobalProtect cloud service reduces the operational
burden associated with securing your remote networks and mobile users by leveraging a cloud-based
security infrastructure managed by Palo Alto Networks. Uses client software to build secure personal
VPN tunnels to the firewall.



URL Filtering Web Security - ✔✔A firewall subscription/license. Most attacks and exposure to malicious
content occur during the normal course of web browsing activities, which requires the ability to allow
safe, secure web access for all users. URL Filtering with PAN-DB automatically prevents attacks that
leverage the web as an attack vector, including phishing links in emails, phishing sites, HTTP-based
command and control, malicious sites and pages that carry exploit kits. Focuses on preventing access to
PHISHING WEBSITES!!!

Active/Active HA - ✔✔Both Active, used in specific circumstances, such as asynchronous routing
setups. Both individually maintain routing and session tables, sync'd to the other. HIGHER RISK!



Active/Passive HA - ✔✔One active, one standby firewall. Easiest to manage. Network, Objects, Policies,
Certificates and Session Table changes are synced.



Single Pass Architecture (SP3) - ✔✔How a Palo Alto FW processes a packet with different variables
which include: SRC/DST Zones, SRC/DST IPs, App-ID, User-ID, Content ID.



User-ID - ✔✔Matching of a user to an IP address (or multiple IP addresses) allowing your Security policy
to be based on who is behind the traffic, not the device. Can utilize Active Directory, a Captive Portal,
etc.



Content-ID - ✔✔Scanning of traffic for security threats (e.g., data leak prevention and URL filtering,
virus, spyware, unwanted file transfers, specific data patterns, vulnerability attacks, and appropriate
browsing access).



App-ID - ✔✔Scanning of traffic to identify the application that is involved, regardless of the protocol or
port number used. Port number is used as secondary enforcement. ALWAYS ON and will show up in
Traffic logs regardless of Security Policy settings.



Security Policies - ✔✔ACLs that determine the firewall's ability to enable or block sessions. Security
zones, source and destination IP address, application (App-ID), source user (User-ID), service (port), HIP
match, and URL categories in the case of web traffic all can serve as traffic matching criteria for
allow/block decision-making.



Security Zones - ✔✔Zones designate a network segment that has similar security classification (i.e.,
Users, Data Center, DMZ Servers, Remote Users). All traffic must have a SRC/DST Zone.

Panorama - ✔✔Panorama is the Palo Alto Networks enterprise management solution. Once Panorama
and firewalls are linked, Panorama is the single interface to manage the entire enterprise. Should be
implemented as a high availability cluster consisting of 2 identical platforms.



HA Monitoring - ✔✔• During Boot, a FW looks for an HA Peer; after 60 seconds, if a peer hasn't been
discovered, the FW will boot as Active.

• If a peer is found, it will negotiate with the peer.

If Preempt is active, determine who has highest priority - this FW becomes active.

• When an HA pair is stood up, a manual sync will need to be done by a "sync to peer" push.



HA Monitoring Status Colors - ✔✔Green: Good

Yellow: Warning (normal state for a standby firewall in an A/P pair)

Red: Error to be resolved



HA States - ✔✔○ Initial - Transient state when it joins an HA pair

○ Active - normal state, primary and processing traffic

○ Passive - normal traffic is discarded, may process LLDP and LACP traffic

○ Suspended - administratively disabled

○ Non-functional - FW is non-functional and will need to have the issues resolved before it can return to
service.



Which two firewall features support Floating IP Addresses in an active/active HA pair? - ✔✔Source NAT
and VPN Endpoints



How do firewalls in an Active/Passive HA pair synchronize their configurations? - ✔✔An administrator
commits changes to one and it automatically synchronizes with the other

Layer 2 Interface - ✔✔- When your organization wants to divide a LAN into separate virtual LANs
(VLANs) to keep traffic and policies for different departments separate, you can logically group Layer 2
hosts into VLANs and thus divide a Layer 2 network segment into broadcast domains. For example, you
can create VLANs for the Finance and Engineering departments.

- VLAN interface required for each VLAN.

- Inline and can block traffic.



Virtual Wire Interface - ✔✔- "Bump on the wire"

- Inline Mode

- Can block traffic

- Good transition from legacy to NGFW.



Tap Interface - ✔✔- Copy traffic from your network using port mirroring.

- Cannot Block traffic, just reporting.

- Visibility into network applications, vulnerabilities and threats.



Layer 3 Interface - ✔✔- Firewall is acting as a L3 router.

- Looks at traffic as it traverses inbound and outbound.

- Inline and can block traffic.

- Routing between interfaces.



Decryption Mirror - ✔✔Provides the capability to create a copy of decrypted traffic from a firewall and
send it to a traffic collection tool that is capable of receiving raw packet captures such as Wireshark.
RECORDS ALL DECRYPTED TRAFFIC.



Interface VLANs - ✔✔Logical interfaces specifically serving as interconnects between on-board virtual
switches (VLANs) and virtual routers, which allows traffic to move from Layer 2 to Layer 3 within the
firewall. (SVI in Cisco Terms)
