Palo Alto PCNSA & PCNSE combo

This course covers all topics required for the Palo Alto Networks Certified Network Security Administrator and Expert (PCNSA+PCNSE) certification. The following topics are general guidelines to better reflect the contents of the course and for clarity purposes, the guidelines below may change at any time without notice.

(PCNSA+PCNSE): Course Topics

Device Management and Services.

• Demonstrate knowledge of firewall management interfaces.
  • Management interfaces.
  • Methods of access.
  • Access restrictions.
  • Identity-management traffic flow.
  • Management services.
  • Service routes.
• Provision local administrators.
  • Authentication profile.
  • Authentication sequence.
• Assign role-based authentication.
• Maintain firewall configurations.
  • Running configuration.
  • Candidate configuration.
  • Discern when to use load, save, import, and export.
  • Differentiate between configuration states.
  • Back up Panorama configurations and firewalls from Panorama.
• Push policy updates to Panorama-managed firewalls.
  • Device groups and hierarchy.
  • Where to place policies.
  • Implications of Panorama management.
  • Impact of templates, template stacks, and hierarchy.
• Schedule and install dynamic updates.
  • From Panorama.
  • From the firewall.
  • Scheduling and staggering updates on an HA pair.
• Create and apply security zones to policies.
  • Identify zone types.
  • External types.
  • Layer 2.
  • Layer 3.
  • TAP.
  • VWire.
  • Tunnel.
• Identify and configure firewall interfaces.
  • Different types of interfaces.
  • How interface types affect Security policies.
• Maintain and enhance the configuration of a virtual or logical router.
  • Steps to create a static route.
  • How to use the routing table.
  • What interface types can be added to a virtual or logical router.
  • How to configure route monitoring.

Managing Objects.

• Create and maintain address and address group objects.
  • How to tag objects.
  • Differentiate between address objects.
  • Static groups versus dynamic groups.
• Create and maintain services and service groups.
• Create and maintain external dynamic lists.
• Configure and maintain application filters and application groups.
  • When to use filters versus groups.
  • The purpose of application characteristics as defined in the App-ID database.

Policy Evaluation and Management.

• Develop the appropriate application-based Security policy.
  • Create an appropriate App-ID rule.
  • Rule shadowing.
  • Group rules by tag.
  • The potential impact of App-ID updates on existing Security policy rules.
  • Policy usage statistics.
• Differentiate specific security rule types.
  • Interzone.
  • Intrazone.
  • Universal.
• Configure Security policy match conditions, actions, and logging options.
  • Application filters and groups.
  • Logging options.
  • App-ID.
  • User-ID.
  • Device-ID.
  • Application filter in policy.
  • Application group in policy.
  • EDLs.
• Identify and implement proper NAT policies.
  • Destination.
  • Source.
• Optimize Security policies using appropriate tools.
  • Policy test match tool.
  • Policy Optimizer.

Securing Traffic.

• Compare and contrast different types of Security profiles.
  • Antivirus.
  • Anti-Spyware.
  • Vulnerability Protection.
  • URL Filtering.
  • WildFire Analysis.
• Create, modify, add, and apply the appropriate Security profiles and groups.
  • Antivirus.
  • Anti-Spyware.
  • Vulnerability Protection.
  • URL Filtering.
  • WildFire Analysis.
  • Configure threat prevention policy.
• Differentiate between Security profile actions.
• Use information available in logs.
  • Traffic.
  • Threat.
  • Data.
  • System logs.
• Enable DNS Security to control traffic based on Topics.
  • Configure DNS Security.
  • Apply DNS Security in policy.
• Create and deploy URL-filtering-based controls.
  • Apply a URL profile in a Security policy.
  • Create a URL Filtering profile.
  • Create a custom URL category.
  • Control traffic based on a URL category.
  • Why a URL was blocked.
  • How to allow a blocked URL.
  • How to request a URL recategorization.
• Differentiate between group mapping and IP-to-user mapping within policies and logs.
  • How to control access to specific locations.
  • How to apply specific policies.
  • Identify users within the ACC and the monitor tab.

Identify how Palo Alto Networks products work together to improve PAN-OS services

• Security components
• Firewall components
• Panorama components
• PAN-OS subscriptions and the features they enable
• Plugin components
• Heatmap and BPA reports
• Artificial intelligence operations (AIOps)/Telemetry
• IPv6
• Internet of things (IoT)

Determine and assess appropriate interfaces or zone types for various environments

• Layer 2 interface
• Layer 3 interfaces
• Virtual wire (vwire) interfaces
• Tap interfaces
• Subinterfaces
• Tunnel interfaces
• Aggregate interfaces
• Loopback interfaces
• Decrypt mirror interfaces
• VLAN interfaces

Identify decryption deployment strategies

• Risks and implications of enabling decryption
• Use cases
• Decryption types
• Decryption profiles and certificates
• Create a decryption policy in the firewall
• Configure SSH Proxy

Enforce User-ID

• Methods of building user-to-IP mappings
• Determine if User-ID agent or agentless should be used
• Compare and contrast User-ID agents
• Methods of User-ID redistribution
• Methods of group mapping
• Server profile and authentication profile

Determine how and when to use the Authentication policy

• Purpose of, and use case for, the Authentication policy
• Dependencies
• Captive portal versus GlobalProtect (GP) client

Differentiate between the fundamental functions that reside on the management plane and data plane

Define multiple virtual systems (multi-vsys) environment

• User-ID hub
• Inter-vsys routing
• Service routes

Configure Management Profiles

• Interface Management Profile
• SSL/TLS profile

Deploy and configure Security Profiles

• Custom configuration of different Security Profiles and Security Profile Croups
• Relationship between URL filtering and credential theft prevention
• Use of username and domain name in HTTP header insertion
• DNS Security
• How to tune or add exceptions to a Security Profile
• Compare and contrast threat prevention and advanced threat prevention
• Compare and contrast URL Filtering and Advanced URL Filtering

Configure zone protections, packet buffer protection, and DoS protection

• Customized values versus default settings
• Classified versus aggregate profile values
• Layer 3 and Layer 4 header inspection

Design the deployment configuration of a Palo Alto Networks firewall

• Advanced high availability (HA) deployments
• HA Pair
• Zero-Touch Provisioning
• Bootstrapping

Configure authorization, authentication, and device access

• Role-based access control for authorization
• Different methods used to authenticate
• The Authentication Sequence
• The device access method

Configure and manage certificates

• Usage
• Profiles
• Chains

Configure routing

• Dynamic routing
• Redistribution Profiles
• Static routes
• Route monitoring
• Policy-based forwarding
• Virtual routers versus logical routers

Configure NAT

• NAT policy rules
• Security rules
• Source NAT
• No-NAT Policies
• Use session browser to find NAT rule name
• U-Turn NAT
• Check HIT counts

Configure site-to-site tunnels

• IPsec components
• Static peers and dynamic peers for IPsec
• IPsec tunnel Monitor Profiles
• IPsec tunnel testing
• Generic Routing Encapsulation
• One-to-one and one-to-many tunnels
• Determine when to use proxy IDs

Configure service routes

• Default
• Custom
• Destination
• Custom routes for different virtual systems versus destination routes
• How to verify service routes

Configure application-based QoS

• Enablement requirements
• QoS policy rule
• Add a Differentiated Services Code Point/ToS component
• Qos Profile
• Determine how to control bandwidth use on a per-application basis
• Use QoS to monitor bandwidth utilization

Configure App-lD

• Create security rules with App-lD
• Convert port and protocol rules to App-lD rules
• Identify the impact of application override to overall firewall functionality
• Create custom apps and threats
• Review App-lD dependencies

Configure GlobalProtect

• GlobalProtect licensing
• Configure the gateway and the portal
• GlobalProtect agent
• Differentiate between logon methods
• Configure clientless VPN
• HIP
• Configure multiple gateway agent profiles
• split tunneling

Configure decryption

• Inbound decryption
• SSL forward proxy
• SSL decryption exclusions
• SSH proxy

Configure User-ID

• User-ID agent and agentless
• User-ID group mapping
• Shared User-ID mapping across virtual systems
• Data redistribution
• User-ID methods
• Benefits of using dynamic user groups (DUGs) in policy rules
• Requirements to support dynamic user groups
• How GlobalProtect internal and external gateways can be used

Configure WildFire

• Submission profile
• Action profile
• Submissions and verdicts
• Signature actions
• File types and file sizes
• Update schedule
• Forwarding of decrypted traffic

Configure Web Proxy

• Transparent proxy
• Explicit proxy

Configure templates and template stacks

• Components configured in a template
• How the order of templates in a stack affects the configuration push to a firewall
• Overriding a template value in a stack
• Configure variables in templates
• Relationship between Panorama and devices for dynamic update versions, policy implementation, and HA peers

Configure device groups

• Device group hierarchies
• Identify what device groups contain
• Differentiate between different use cases for pre-rules, local rules, default rules, and post-rules
• Identify the impact of configuring a primary device
• Assign firewalls to device groups
• References

Manage firewall configurations within Panorama

• Licensing
• Commit recovery feature
• Automatic commit recovery
• Commit types and schedules
• Configuration backups
• Commit type options
• Manage dynamic updates for Panorama and Panorama-managed devices
• Software and dynamic updates
• Import firewall configurations into Panorama
• Configure Log Collectors
• Check firewall health and status from Panorama
• Configure role-based access control on Panorama

Manage and configure log forwarding

• Identify log types and criticalities
• Manage external services
• Create and manage tags
• Log monitoring
• Customize logging and reporting settings
• References
• Plan and execute the process to upgrade a Palo Alto Networks system
• Single firewall
• High availability pairs
• Panorama push
• Dynamic updates
• References

Manage HA functions

• Link monitoring
• Path monitoring
• HA links
• Failover
• Active/active and active/passive
• HA interfaces
• Clustering
• Election setting

Troubleshooting

• Troubleshoot site-to-site tunnels
• IPSec
• GRE
• One-to-one and one-to-many tunnels
• Phase 1 issues:
• Route-based versus policy-based remote hosts
• Tunnel monitoring

Troubleshoot interfaces

• Transceivers
• Settings
• Aggregate interfaces, LACP
• Counters
• Tagging
• 6.2.6 References

Troubleshoot Decryption

• Inbound decryption
• SSL forward proxy

SSH proxy

• Identify what cannot be decrypted and configure exclusions and bypasses
• Certificates

Troubleshoot routing

• Dynamic routing
• Redistribution profiles
• Static routes
• Route monitoring
• Policy-based forwarding
• Multicast routing
• Service routes

General Troubleshooting

• Logs
• Packet capture (pcap)
• Reports

Troubleshoot resource protections

• Zone Protection profiles
• DoS protections
• Packet buffer protections

Troubleshoot GlobalProtect

• Portal and Gateway
• Access to resources
• GlobalProtect client

Troubleshoot policies

• NAT
• Security
• Decryption
• Authentication

Troubleshoot HA functions

• Monitor
• Failover triggers

Palo Alto Networks Certified Network Security Administrator (PCNSA) course: Lab topics

• Lab 1. Configure Interface Management.
• Lab 2. Palo Alto User Management.
• Lab 3. Configuration Management.
• Lab 4. Initial Configuration.
• Lab 5. Local AAA.
• Lab 6. Configuring Security Policy.
• Lab 7. Configure Static NAT.
• Lab 8. Configure Dynamic NAT.
• Lab 9. Configure PAT.
• Lab 10. Configure Application and URL filtering.
• Lab 11. Configuring DOS and Zone Protection.
• Lab 12. Configure User ID.
• Lab 13. Monitoring Using CLI.
• Lab 14. Initial Configuration of Palo Alto firewall
• Lab 15. Configuring PA FW High Availabiltiy
• Lab 16. Using template stacks with panorama
• Lab 17. Using Device groups with panorama
• Lab 18. Managing FWs with Panorama
• Lab 19. Managing PA FW Digital certificates
• Lab 20. Enforcing Palo Alto FW User-ID
• Lab 21. Configuring PA FW Admin authentication
• Lab 22. Implement routing for PA FW
• Lab 23. Configure PA FW QoS
• Lab 24. Configuring PA FW L2 interfaces
• Lab 25. Configuring PA FW zone, vulnerability and DoS protection
• Lab 26. Implementing PA FW Virtual wires
• Lab 27. Implementing PA FW App-ID
• Lab 28. Configure PA FW Source and destination NAT
• Lab 29. Configure PA FW VLAN, TAP and aggregate interfaces
• Lab 30. Configuring PA FW Decryption services
• Lab 31. Configuring static PA FW S2S VPNs
• Lab 32. Configuring PA FW S2S VPNs with certificates
• Lab 33. Configuring a IPSEC VPN
• Lab 34. Using LSVPNs with GlobalProtect
• Lab 35. Using PA FW AV and Wildfire
• Lab 36. Using Palo Alto ZTP
• Lab 37. Troubleshooting
• Lab 38. Using PA FW Anti-Spyware
• Lab 39. Using IPv6 with PA FW