Palo Alto Networks Certified Network Security Administrator (PCNSA) Study Guide
Jan 2023

Palo Alto Networks Certified Network Security Administrator (PCNSA) | Study Guide

Table of Contents

How to Use This Study Guide
About the PCNSA Exam
Exam Format
How to Take This Exam
Disclaimer
Audience and Qualifications
Intended Audience
Skills Required
Competencies Required
Recommended Training

Domain 1: Device Management and Services
1.1 Demonstrate the knowledge of firewall management interfaces
1.1.1 Management interfaces
1.1.2 Methods of access
1.1.3 Access restrictions
1.1.4 Identity-management traffic flow
1.1.5 Management services
1.1.6 Service routes
1.1.7 References
1.2 Provision local administrators
1.2.1 Authentication profile
1.2.2 Authentication sequence
1.2.3 Reference
1.3 Assign role-based authentication
1.4 Maintain firewall configurations
1.4.1 Running configuration
1.4.2 Candidate configuration
1.4.3 Discern when to use load, save, import, and export
1.4.4 Differentiate between configuration states
1.4.5 Backup Panorama configurations and firewalls from Panorama
1.4.6 References
1.5 Push policy updates to Panorama-managed firewalls
1.5.1 Device groups and hierarchy
1.5.2 Where to place policies
1.5.3 Implications of Panorama management
1.5.4 Impact of templates, template stacks, and hierarchy
1.5.5 References
1.6 Schedule and install dynamic updates
1.6.1 From Panorama
1.6.2 From the firewall
1.6.3 Scheduling and staggering updates on an HA pair
1.6.4 References
1.7 Create and apply security zones to policies
1.7.1 Identify zone types
1.7.2 External types
1.7.3 Layer 2
1.7.4 Layer 3
1.7.5 Tap
1.7.6 VWire
1.7.7 Tunnel
1.7.8 References
1.8 Identify and configure firewall interfaces
1.8.1 Different types of interfaces
1.8.2 How interface types affect Security policies
1.8.3 References
1.9 Maintain and enhance the configuration of a virtual or logical router
1.9.1 Steps to create a static route
1.9.2 How to use the routing table
1.9.3 What interface types can be added to a virtual or logical router
1.9.4 How to configure route monitoring

Domain 2: Managing Objects
2.1 Create and maintain address and address group objects
2.1.1 How to tag objects
2.1.2 Differentiate between address objects
2.1.3 Static groups versus dynamic groups
2.1.4 References
2.2 Create and maintain services and service groups
2.2.1 References
2.3 Create and maintain external dynamic lists
2.3.1 References
2.4 Configure and maintain application filters and application groups
2.4.1 When to use filters versus groups
2.4.2 The purpose of application characteristics as defined in the App-ID database
2.4.3 References

Domain 3: Policy Evaluation and Management
3.1 Develop the appropriate application-based Security policy
3.1.1 Create an appropriate App-ID rule
3.1.2 Rule shadowing
3.1.3 Group rules by tag
3.1.4 The potential impact of App-ID updates to existing Security policy rules
3.1.5 Policy usage statistics
3.1.6 References
3.2 Differentiate specific security rule types
3.2.1 Interzone
3.2.2 Intrazone
3.2.3 Universal
3.2.4 References
3.3 Configure security policy match conditions, actions, and logging options
3.3.1 Application filters and groups
3.3.2 Logging options
3.3.3 App-ID
3.3.4 User-ID
3.3.5 Device-ID
3.3.6 Application filter in policy
3.3.7 Application group in policy
3.3.8 EDLs
3.3.9 References
3.4 Identify and implement proper NAT policies
3.4.1 Destination
3.4.2 Source
3.4.3 References
3.5 Optimize Security policies using appropriate tools
3.5.1 Policy test match tool
3.5.2 Policy Optimizer
3.5.3 References

Domain 4: Securing Traffic
4.1 Compare and contrast different types of Security profiles
4.1.1 Antivirus
4.1.2 Anti-Spyware
4.1.3 Vulnerability Protection
4.1.4 URL Filtering
4.1.5 WildFire Analysis
4.1.6 Reference
4.2 Create, modify, add, and apply the appropriate Security profiles and groups
4.2.1 Antivirus
4.2.2 Anti-Spyware
4.2.3 Vulnerability Protection
4.2.4 URL Filtering
4.2.5 WildFire Analysis
4.2.6 Configure Threat Prevention policy
4.2.7 References
4.3 Differentiate between Security profile actions
4.3.1 Reference
4.4 Use information available in logs
4.4.1 Traffic
4.4.2 Threat
4.4.3 Data
4.4.4 System logs
4.4.5 Reference
4.5 Enable DNS Security to control traffic based on domains
4.5.1 Configure DNS Security
4.5.2 Apply DNS Security in policy
4.5.3 References
4.6 Create and deploy URL-filtering-based controls
4.6.1 Apply a URL profile in a Security policy
4.6.2 Create a URL Filtering profile
4.6.3 Create a custom URL category
4.6.4 Control traffic based on a URL category
4.6.5 Why a URL was blocked
4.6.6 How to allow a blocked URL
4.6.7 How to request a URL recategorization
4.6.8 References
4.7 Differentiate between group mapping and IP-to-user mapping within policies and logs
4.7.1 How to control access to specific locations
4.7.2 How to apply to specific policies
4.7.3 Identify users within the ACC and the monitor tab
4.7.4 References

Continuing Your Learning Journey with Palo Alto Networks

How to Use This Study Guide

Welcome to the Palo Alto Networks Certified Security Administrator Study Guide.
The purpose of this guide is to help you prepare for your PCNSA: Palo Alto Networks Certified Security Administrator exam and achieve your PCNSA certification. You can read through this study guide from start to finish, or you may jump straight to the topics you would like to study. Hyperlinked cross-references will help you locate important definitions and background information from earlier sections.

About the PCNSA Exam

The PCNSA certification validates the knowledge and skills required of network security administrators responsible for deploying and operating Palo Alto Networks Next-Generation Firewalls (NGFWs). PCNSA-certified individuals have demonstrated knowledge of the Palo Alto Networks NGFW feature set and of the core components of the Palo Alto Networks product portfolio.

More information is available from the Palo Alto Networks public page at:
https://www.paloaltonetworks.com/services/education/palo-alto-networks-certified-network-security-administrator

PCNSA technical documentation is located at:
https://beacon.paloaltonetworks.com/student/collection/668330-palo-alto-networks-certified-network-security-administrator-pcnsa?sid=997e3b6e-0839-4c30-a393-e134fbad744a&sid_i=0

Exam Format

The exam consists of 60-75 items. Candidates will have five minutes to review the NDA, 80 minutes to complete the exam questions, and five minutes to complete a survey at the end of the exam. The approximate distribution of items by topic (Exam Domain) and the topic weightings are shown in the following table. This exam is based on product version 11.0.

Exam Domain                         Weight (%)
Device Management and Services      22%
Managing Objects                    20%
Policy Evaluation and Management    28%
Securing Traffic                    30%
TOTAL                               100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam, related resources, and recommended courses. The material contained within this study guide is not intended to guarantee that a passing score will be achieved on the exam. Palo Alto Networks recommends that candidates thoroughly understand the objectives indicated in this guide and use the resources and courses recommended in this guide where needed to gain that understanding.

Audience and Qualifications

Intended Audience

Security administrators responsible for operating and managing the Palo Alto Networks Next-Generation Firewall.

Skills Required

● You understand Palo Alto Networks firewall and centralized management components and, with minimal assistance, can configure, operate, and identify problems with configuring and operating the firewall, as well as configure firewall policies, specifically App-ID and User-ID (those capabilities not tied to a subscription), profiles, and objects.
● You have 2 to 3 years’ experience working in the networking or security industries, the equivalent of 6 months’ experience working full-time with the Palo Alto Networks product portfolio, and/or at least 6 months’ experience in Palo Alto Networks NGFW administration and configuration.

Competencies Required

● Able to configure and operate Palo Alto Networks product portfolio components.
● An understanding of the unique aspects of the Palo Alto Networks product portfolio and how to administer one appropriately.
● An understanding of the networking and security policies used by PAN-OS software.
Recommended Training

Palo Alto Networks strongly recommends that you attend the following instructor-led training course or the equivalent digital-learning course:

● Firewall Essentials: Configuration and Management (EDU-210) course

Domain 1: Device Management and Services

1.1 Demonstrate the knowledge of firewall management interfaces

1.1.1 Management interfaces

All Palo Alto Networks firewalls provide an out-of-band management (MGT) port that can be used to perform firewall administration functions. The MGT port uses the control plane, thus separating the management functions of the firewall from the network-traffic-processing functions (data plane). This separation between the control plane and the data plane helps safeguard access to the firewall and enhances performance.

When using the web interface, perform all the initial configuration tasks from the MGT port even if you plan to use an in-band data port for managing the firewall. A serial/console port is also available to accomplish the initial configuration of the firewall by using Secure Shell (SSH) or Telnet.

Some management tasks, such as retrieving licenses and updating the threat and application signatures on the firewall, require access to the internet, typically via the MGT port. If you do not want to enable external access via the MGT port, you can set up an in-band data port on the data plane to provide access to the required external services by using service routes. Service routes are explained in detail later.

1.1.2 Methods of access

The four methods used to access the Palo Alto Networks Next-Generation Firewalls are:

● Web interface
● CLI
● Panorama
● XML API

To gain access to the firewall for the first time, the first step is to gather the following information for the MGT port.
Note that if the firewall is set up as a Dynamic Host Configuration Protocol (DHCP) client, the following information will be provided automatically via DHCP:

● IP address
● Netmask
● Default gateway
● Domain Name System (DNS) server address (at least one)

The second step is to connect a computer to the firewall by using either an RJ-45 Ethernet cable or a serial cable.

An RJ-45 Ethernet cable connects the computer to the firewall MGT port. From a browser, navigate to https://192.168.1.1. Note that you might need to change the IP address on the computer to an address in the 192.168.1.0/24 subnet, such as 192.168.1.2, to access this URL.

To perform the initial configuration via the CLI, or to learn the address served to the MGT port via DHCP so that you can access the web interface, connect the serial cable from the computer to the firewall console port and use terminal emulation software, such as SSH or Telnet. The default connection parameters are 9600-8-N-1.

The third step is to log in to the firewall. The default username is “admin,” and the default password is “admin”. Starting with PAN-OS 9.1, you are forced to change the admin account password the first time you log in to the web interface.

Web interface: The web interface is used to configure and monitor the firewall over HTTP or HTTPS by using a web browser. HTTPS is the default method; HTTP is available but is less secure than HTTPS.

CLI: The CLI provides text-based configuration and monitoring over the serial console port, or over the MGT port using SSH or Telnet. The Palo Alto Networks firewall CLI offers access to debugging information; experienced administrators often use it for troubleshooting. The account used for authenticating to the CLI must have CLI access enabled. The CLI is in operational mode by default.
The commands available within the context of operational mode include basic networking commands such as ping and traceroute, basic system commands such as show, and more advanced system commands such as debug. The commands used to shut down and restart the system are also available from within operational mode.

You can access configuration mode by typing the configure command while in operational mode. Configuration mode enables you to display and modify the configuration parameters of the firewall, verify the candidate configuration, and commit the configuration.

The following image shows a sample CLI screen with the first lines of show system state while in operational mode:

Panorama: Panorama is a Palo Alto Networks product that provides centralized, web-based management, reporting, and logging for multiple firewalls. Panorama is used for centralized policy and firewall management to increase operational efficiency in managing and maintaining a distributed network of firewalls. If six or more firewalls are deployed on a network, Panorama is used to reduce the complexity and administrative overhead needed to manage configuration, policies, software, and dynamic content updates. The Panorama web interface is similar to the firewall web interface but with additional management functions.

XML API: The XML API provides an interface based on representational state transfer (REST) to access firewall configurations, operational status, reports, and packet captures from the firewall. An API browser is available on the firewall at https://<firewall>/api, where <firewall> is the hostname or IP address of the firewall. You can use this API to access and manage the firewall through a third-party service, application, or script.
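The following Python helpers show how a script talks to the XML API endpoint described above: it first requests an API key (type=keygen) and then sends an operational-mode command (type=op) with that key, checking the status attribute of every reply. This is an added example, not code from the study guide or from Palo Alto Networks; the host, credentials and the two sample XML replies are constructed placeholders so the parsing can be exercised without a firewall.

```python
"""Minimal PAN-OS XML API helpers (added example, not Palo Alto Networks code).

Assumes the documented endpoint https://<firewall>/api with the request
types 'keygen' and 'op' and their query parameters. The sample replies
below are constructed to match the <response status=...> wrapper the
firewall uses; they were not captured from a device.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


class PanApiError(Exception):
    """Raised when the firewall answers with status="error"."""


def parse_response(xml_text: str) -> ET.Element:
    """Return the <result> element of a successful reply, else raise.

    Every XML API reply is wrapped in <response status="success|error">;
    error replies carry the reason in a <msg> (or <line>) element.
    """
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "unknown error"
        raise PanApiError(f'code={root.get("code", "?")}: {msg.strip()}')
    result = root.find("result")
    return result if result is not None else root


def keygen_params(user: str, password: str) -> dict:
    """Query parameters for type=keygen, which returns the API key."""
    return {"type": "keygen", "user": user, "password": password}


def op_params(key: str, cmd_xml: str) -> dict:
    """Query parameters for an operational-mode command (type=op)."""
    return {"type": "op", "key": key, "cmd": cmd_xml}


def build_url(host: str, params: dict) -> str:
    """Compose https://<firewall>/api?... with the parameters URL-encoded."""
    return f"https://{host}/api?" + urllib.parse.urlencode(params)


def extract_key(xml_text: str) -> str:
    """Pull the API key out of a keygen reply."""
    return parse_response(xml_text).findtext("key").strip()


def extract_system_info(xml_text: str) -> dict:
    """Flatten <result><system>...</system></result> of 'show system info'."""
    system = parse_response(xml_text).find("system")
    return {child.tag: (child.text or "").strip() for child in system}


def call(host: str, params: dict, timeout: int = 10, verify: bool = True) -> str:
    """Perform the HTTPS request and return the raw XML body.

    Certificate verification stays on; only a lab firewall still using its
    factory self-signed certificate would justify verify=False.
    """
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = build_url(host, params)
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.read().decode()


# Constructed sample replies (placeholders, not captured from a firewall).
SAMPLE_KEYGEN_OK = (
    '<response status="success"><result>'
    "<key>LUFRPT1example-key-placeholder==</key>"
    "</result></response>"
)
SAMPLE_KEYGEN_BAD = (
    '<response status="error" code="403"><result>'
    "<msg>Invalid Credential</msg></result></response>"
)
SAMPLE_SYSINFO = (
    '<response status="success"><result><system>'
    "<hostname>fw-lab</hostname><ip-address>192.168.1.1</ip-address>"
    "<sw-version>11.0.0</sw-version><multi-vsys>off</multi-vsys>"
    "</system></result></response>"
)

if __name__ == "__main__":
    key = extract_key(SAMPLE_KEYGEN_OK)
    print(build_url("192.168.1.1", op_params(key, "<show><system><info/></system></show>")))
    print(extract_system_info(SAMPLE_SYSINFO))
```

Against a real firewall, `call(host, keygen_params(user, pw))` and `call(host, op_params(key, cmd))` feed the same two extract functions.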
The PAN-OS XML API can be used to automate tasks, such as:

● Creating, updating, and modifying firewall and Panorama configurations
● Executing operational mode commands, such as restarting the system or validating configurations
● Retrieving reports
● Managing users through User-ID
● Updating dynamic objects without having to modify or commit new configurations

1.1.3 Access restrictions

The management of Palo Alto Networks firewalls is not limited to the dedicated management (MGT) interface or the console port. Data interfaces on the data plane can also be used as management interfaces. If the MGT interface is down, you can continue to manage the firewall by allowing management access over another data interface. Each data interface can be configured to offer the following services:

● HTTPS (default)
● SSH (default)
● Ping (default)
● Telnet
● HTTP
● SNMP
● Response Pages
● User-ID

An Interface Management profile protects the firewall from unauthorized access by defining the protocols, services, and IP addresses that a firewall interface permits for management. For example, you might want to prevent users from accessing the firewall web interface over the ethernet1/1 interface but allow that interface to receive SNMP queries from the network monitoring system. In this case, you enable SNMP and disable HTTP/HTTPS in an Interface Management profile and assign the profile to ethernet1/1. HTTPS carries the web interface service and should be enabled on at least one data interface. The Permitted IP Addresses field allows an access control list to be included, thus restricting access to only the specified IP addresses for any interface with this profile assigned. If no IP addresses are added to the list of permitted IP addresses, then any IP address is allowed.
After at least one IP address is added to the list, only those IP addresses are allowed access. You can assign an Interface Management profile to Layer 3 Ethernet interfaces (including subinterfaces) and to logical interfaces, such as aggregate group, virtual local area network (VLAN), loopback, and tunnel interfaces. If you do not assign an Interface Management profile to an interface, the firewall denies management access for all IP addresses, protocols, and services by default.

1.1.4 Identity-management traffic flow

In many network environments, it is good practice to create an out-of-band network where the management interfaces of your security appliances and services live, so that they cannot be compromised by a user with a lot of spare time to try to guess passwords. This can create challenges, because your appliances may need to access resources that are not available on the secured network. One example is the Palo Alto Networks integrated User Identification (User-ID) mechanism, where either the firewall reads security audit logs on an Active Directory server, or the server has agent software installed that does the reading and sends the output back to the firewall. If the AD server is not connected to the secured network, a different route needs to be taken to get the information onto the firewall. To assist with this, a service route can be configured that redirects connections originating from the management plane, via the backplane, to the data plane. This forces the outgoing connection to egress from a normal network interface without exposing the management interface. This works for both the installed User-ID agent software and the clientless configuration on the firewall.

1.1.5 Management services

Palo Alto Networks firewalls integrate with three key services: DNS, DHCP, and NTP.
DNS and NTP must be set up during the initial firewall configuration.

DNS: DNS is a protocol that translates (resolves) a user-friendly domain name such as www.paloaltonetworks.com to an IP address so that users can access computers, websites, services, or other resources on the internet or on private networks. You must configure the firewall with at least one DNS server so that it can resolve hostnames.

Configuring DNS
To configure DNS, select Device > Setup > Services > Services_gear_icon. On the Services tab, for DNS, click Servers and enter the Primary DNS Server and Secondary DNS Server addresses. Click OK and Commit.

DHCP
A Palo Alto Networks firewall acting as a DHCP client (host) can request an IP address and other configuration settings from a DHCP server. The use of DHCP saves time and effort because users need not know the network addressing plan or other options, such as the default gateway, which are inherited from the DHCP server. The configuration parameters that DHCP can learn dynamically include:

● IP address for MGT port
● Netmask
● Default gateway
● At least one DNS server address

NTP
NTP client information is optional but recommended. The NTP information can be obtained via DHCP if the firewall is configured as a DHCP client.

Configuring NTP
Select Device > Setup > Services > Services_gear_icon.

1.1.6 Service routes

By default, the firewall uses the management interface to communicate with various servers, including those for external dynamic lists (EDLs), DNS, email, and Palo Alto Networks update servers. It also uses the management interface to communicate with Panorama. Service routes are used so that the communication between the firewall and these servers goes through the data ports on the data plane.
These data ports require appropriate Security policy rules before the external servers can be accessed.

Configuring service routes
Go to Device > Setup > Services > Service Route Configuration > Customize and configure the appropriate service routes. See the following figure:

To configure service routes for non-predefined services, you can manually enter the destination addresses on the Destination tab, as shown below:

In this example, the service route for 192.168.27.33 is configured to source from the data plane’s ethernet1/2 interface, which has a source IP address of 192.168.27.254.

1.1.7 References

● Management Interfaces, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/management-interfaces

1.2 Provision local administrators

1.2.1 Authentication profile

Authentication profiles provide authentication settings that you can apply to administrator accounts, SSL-VPN access, and Captive Portal. Refer to the following authentication profile configuration screenshot:

Authentication profiles

An Authentication profile references a server profile:

A server profile includes the server name, its IP address, the service port on which it is listening, and other values. An example of an LDAP server profile is as follows:

1.2.2 Authentication sequence

Admin roles for external administrator accounts can be assigned to an authentication sequence, which consists of one or more authentication profiles that are processed in a specific order. The firewall checks against each authentication profile within the authentication sequence until one authentication profile successfully authenticates the user.
If an external administrator account does not reference an authentication sequence, it directly references an authentication profile instead. A user is denied access only if authentication fails for all the profiles in the authentication sequence. A depiction of an authentication sequence is as follows:

1.2.3 Reference

● Administrative Role Types, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-role-types

1.3 Assign role-based authentication

The role determines what the administrator can view and modify. If you select Role Based, you then select a custom role profile from the drop-down list. If you select Dynamic, you can select one of the following predefined roles:

● Superuser — Has full access to the firewall and can define new administrator accounts and virtual systems. You must have superuser privileges to create an administrative user with superuser privileges.
● Superuser (read-only) — Has read-only access to the firewall.
● Device administrator — Has full access to all the firewall settings except for defining new accounts or virtual systems.
● Device administrator (read-only) — Has read-only access to all the firewall settings except password profiles (no access) and administrator accounts (only the logged-in account is visible).
● Virtual system administrator — Has access to specific virtual systems on the firewall to create and manage specific aspects of virtual systems (if Multi Virtual System Capability is enabled). A virtual system administrator doesn’t have access to network interfaces, virtual routers, IPSec tunnels, VLANs, virtual wires, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.
● Virtual system administrator (read-only) — Has read-only access to specific virtual systems on the firewall to view specific aspects of virtual systems (if Multi Virtual System Capability is enabled). A virtual system administrator with read-only access doesn’t have access to network interfaces, virtual routers, IPSec tunnels, VLANs, virtual wires, GRE tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.

1.4 Maintain firewall configurations

All configuration changes on a Palo Alto Networks firewall are made to a candidate configuration, which resides in memory on the control plane. A commit activates the changes made since the last commit by installing the candidate configuration on the data plane, where it becomes the running configuration.

1.4.1 Running configuration

The running configuration is saved within a file named running-config.xml. The running configuration exists in data-plane memory, where it is used to control firewall traffic and operate the firewall. A commit operation is necessary to write the candidate configuration to the running configuration. After you commit the changes, the firewall automatically saves a new, timestamped version of the running configuration. You can load a previous version of the running configuration by using the Load configuration version option.

The firewall queues commit requests so that you can initiate a new commit while a previous commit is in progress. The firewall performs the commits in the order they are initiated but gives priority to commits that it initiates automatically, such as FQDN refreshes. If a system event or administrator action causes a firewall to reboot, the firewall automatically reverts to the current version of the running configuration.
1.4.2 Candidate configuration

Saving changes to the candidate configuration does not activate those changes. A commit must be performed on the firewall to activate the changes and to cause the candidate configuration to become the running configuration. The commit can be done either via the web interface or via the CLI.

You can save the candidate configuration as either the default snapshot file (snapshot.xml) or a custom-named snapshot file (<custom_name>.xml). However, a firewall does not automatically save the candidate configuration to persistent storage; you must save the candidate configuration manually. If the firewall reboots before you commit the changes, you can revert the candidate configuration to the current snapshot, restoring the changes made between the last commit and the last snapshot, by using the Revert to last saved configuration option.

1.4.3 Discern when to use load, save, import, and export

Palo Alto Networks firewall configurations are managed using five categories of operations located under Device > Setup > Operations, which are described in the next sections:

● Revert
● Save
● Load
● Export
● Import

1.4.4 Differentiate between configuration states

Revert to last saved configuration
This option restores the default snapshot (snapshot.xml) of the candidate configuration (the snapshot you create or overwrite when you click Device > Setup > Operations > Save candidate configuration or Save at the top right of the web interface). This option restores the last saved candidate configuration from the local drive. The current candidate configuration is overwritten. This quick restore is useful when you work on “hot” boxes. The first message asks if you want to continue with the revert:

The second message informs you which file has been reverted:

Revert to running configuration
This option restores the current running configuration.
This operation undoes all the changes made to the candidate configuration after the last commit and restores the configuration from the running-config.xml file. The first message asks if you want to continue with the revert:

The second message informs you that the firewall is being reverted.

Save named configuration snapshot
This option creates a candidate configuration snapshot that does not overwrite the default snapshot (snapshot.xml). You enter a custom name for the snapshot or select an existing snapshot to overwrite. This function is useful when you create a backup file or a test configuration file that can be downloaded for further modification or for testing in a lab environment.

Save candidate configuration
This option creates or overwrites the default snapshot (snapshot.xml) of the candidate configuration (the snapshot you create or overwrite when you click Device > Setup > Operations > Save candidate configuration or Save at the top right of the web interface).

Load named configuration snapshot
This option overwrites the current candidate configuration with one of the following:

● Custom-named candidate configuration snapshot (instead of the default snapshot)
● Custom-named running configuration that was imported
● Current running configuration (running-config.xml)

Load configuration version
This option overwrites the current candidate configuration with a previous version of the running configuration that is stored on the firewall. The firewall creates a timestamped version of the running configuration whenever a commit is made.

Export named configuration snapshot
This option exports the current running configuration, a candidate configuration snapshot, or a previously imported configuration (candidate or running). The firewall exports the configuration as an XML file with the specified name.
You can save the snapshot in any network location. These exports are often used as backups. The XML files can also be used as templates for building other firewall configurations.

Export configuration version
This option exports a version of the running configuration as an XML file.

Export device state
This option exports the firewall state information as a file. In addition to the running configuration, the state information includes device group and template settings pushed from Panorama, if applicable. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites that the portal manages, and satellite authentication information. If you replace a firewall or portal, you can restore the exported information on the replacement by importing the state bundle.

Import named configuration snapshot
This option imports a running or candidate configuration as an XML file from any network location, such as a host computer. The XML file can then be loaded as a candidate configuration and, if required, committed to become the running configuration.

Import device state
This option imports the state information file exported from a firewall by using the Export device state option. The state information includes the running configuration and, if applicable, the device group and template settings pushed from Panorama. If the firewall is a GlobalProtect portal, the bundle also includes certificate information, a list of satellites, and satellite authentication information. If you replace a firewall or portal, you can restore the information on the replacement by importing the state bundle.

1.4.5 Backup Panorama configurations and firewalls from Panorama

The running configuration on Panorama comprises all of the settings that you have committed and that are active.
The candidate configuration is a copy of the running configuration plus any inactive changes that you made since the last commit. Saving backup versions of the running or candidate configuration enables you to restore those versions later. For example, if a commit validation shows that the current candidate configuration has more errors than you want to fix, you can restore a previous configuration. You can also revert to the current running configuration without first saving a backup.

After a commit is performed on a local firewall that runs PAN-OS 5.0 or later, a backup of the firewall’s running configuration is sent to Panorama. Any commit performed on the local firewall triggers the backup, including commits an administrator performs locally on the firewall and automatic commits that PAN-OS initiates (for example, an FQDN refresh). By default, Panorama stores up to 100 backups for each firewall, though this number is configurable.

To store Panorama and firewall configuration backups on an external host, you can schedule exports from Panorama or export on demand. You can also import configurations from firewalls into the Panorama device groups and templates to Transition a Firewall to Panorama Management.

VMware snapshot functionality is not supported for a Panorama virtual appliance deployed on VMware ESXi and vCloud Air. Taking snapshots of a Panorama virtual appliance can impact performance, result in intermittent and inconsistent packet loss, and cause Panorama to become unresponsive. Additionally, you may lose access to the Panorama CLI and web interface, and switching to Panorama mode is not supported. Instead, save and export your named configuration snapshot to any network location.
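The sections above describe the exported XML files (running-config.xml, snapshot.xml and named snapshots) and the relationship between the running and candidate configurations. The following Python script is an added example, not code from the study guide or from Palo Alto Networks: it parses two such exports and reports which settings the candidate would change relative to the running configuration. The XML layout used here (entry elements keyed by a name attribute, member lists under rules) is a simplified, constructed stand-in and not a verbatim copy of the PAN-OS schema.

```python
"""Compare an exported running configuration with a candidate snapshot.

Added example (not code from the study guide): parses two PAN-OS-style XML
exports and reports what the candidate changes relative to the running config.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed stand-in for running-config.xml. The element layout is a
# simplified assumption for this example, not the real PAN-OS schema.
RUNNING_XML = """<config version="11.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>fw-edge-01</hostname>
          <ntp-servers>
            <primary-ntp-server>
              <ntp-server-address>10.0.0.5</ntp-server-address>
            </primary-ntp-server>
          </ntp-servers>
        </system>
      </deviceconfig>
      <vsys>
        <entry name="vsys1">
          <rulebase><security><rules>
            <entry name="allow-dns">
              <from><member>trust</member></from>
              <to><member>untrust</member></to>
              <application><member>dns</member></application>
              <action>allow</action>
            </entry>
            <entry name="deny-all">
              <from><member>any</member></from>
              <to><member>any</member></to>
              <application><member>any</member></application>
              <action>deny</action>
            </entry>
          </rules></security></rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>"""

# Constructed stand-in for snapshot.xml: the candidate renames the firewall,
# points at a different NTP server and inserts a rule above deny-all.
NEW_RULE = """<entry name="allow-web">
              <from><member>trust</member></from>
              <to><member>untrust</member></to>
              <application><member>web-browsing</member></application>
              <action>allow</action>
            </entry>
            """
CANDIDATE_XML = (RUNNING_XML
                 .replace("fw-edge-01", "fw-edge-01a")
                 .replace("10.0.0.5", "10.0.0.6")
                 .replace('<entry name="deny-all">', NEW_RULE + '<entry name="deny-all">'))


def flatten(xml_text: str) -> Dict[str, Tuple[str, ...]]:
    """Map every leaf element to a path like /config/devices/entry[localhost.localdomain]/...
    Repeated leaves under one path (several <member> elements) are kept as a tuple."""
    root = ET.fromstring(xml_text)
    leaves: Dict[str, List[str]] = {}

    def walk(elem: ET.Element, parent_path: str) -> None:
        name = elem.get("name")
        step = f"{elem.tag}[{name}]" if name is not None else elem.tag
        path = f"{parent_path}/{step}"
        children = list(elem)
        if not children:
            leaves.setdefault(path, []).append((elem.text or "").strip())
        for child in children:
            walk(child, path)

    walk(root, "")
    return {path: tuple(values) for path, values in leaves.items()}


def config_diff(running_xml: str, candidate_xml: str) -> Dict[str, List[str]]:
    """Paths added, removed and changed by the candidate relative to the running config."""
    running, candidate = flatten(running_xml), flatten(candidate_xml)
    return {
        "added": sorted(p for p in candidate if p not in running),
        "removed": sorted(p for p in running if p not in candidate),
        "changed": sorted(p for p in running if p in candidate and running[p] != candidate[p]),
    }


def pending_changes(running_xml: str, candidate_xml: str) -> bool:
    """True when the candidate holds uncommitted changes relative to the running config."""
    return any(config_diff(running_xml, candidate_xml).values())


def rule_names(xml_text: str) -> List[str]:
    """Security rule names in document (evaluation) order for a single-vsys export."""
    root = ET.fromstring(xml_text)
    return [e.get("name") for e in
            root.findall("./devices/entry/vsys/entry/rulebase/security/rules/entry")]


if __name__ == "__main__":
    for kind, paths in config_diff(RUNNING_XML, CANDIDATE_XML).items():
        print(kind, *paths, sep="\n  ")
    print("rules in candidate:", rule_names(CANDIDATE_XML))
```

Run against real exports by reading the two files into RUNNING_XML and CANDIDATE_XML; the path-based diff makes it easy to see, before a commit, whether a candidate carries changes you did not intend (a rule inserted above a deny, a changed management server), which is the situation the revert and load options above exist for.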
1.4.6 References
● Manage Configuration Backups, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/firewall-administration/manage-configuration-backups

1.5 Push policy updates to Panorama-managed firewalls

1.5.1 Device groups and hierarchy
Device Group Hierarchy can be created to nest device groups in a tree hierarchy of up to four levels, with the lower-level groups inheriting the settings (policy rules and objects) of the higher-level groups. At the bottom level, a device group can have parent, grandparent, and great-grandparent device groups (ancestors). At the top level, a device group can have child, grandchild, and great-grandchild device groups (descendants). All device groups inherit settings from the shared location—a container at the top of the hierarchy for configurations, which is common to all the device groups.

Creating a device group hierarchy helps in organizing firewalls based on common policy requirements without redundant configuration. For example, you could configure shared settings that are global to all the firewalls, configure device groups with function-specific settings at the first level, and configure device groups with location-specific settings at lower levels. Without a hierarchy, you would have to configure both function- and location-specific settings for every device group in a single level under Shared.

1.5.2 Where to place policies
Device groups provide a way to implement a layered approach for managing policies across a network of managed firewalls. A firewall evaluates policy rules by layer (shared, device group, and local) and by type (pre-rules, post-rules, and default rules) in the following order from top to bottom. When the firewall receives traffic, it performs the action defined in the first evaluated rule that matches the traffic and disregards all the subsequent rules.
Whether you view rules on a firewall or in Panorama, the web interface displays them in evaluation order. All the shared, device-group, and default rules that the firewall inherits from Panorama are shaded in orange. Local firewall rules display between the pre- and post-rules.

The following table lists the rule layers in evaluation order (evaluated first at the top), with the scope of each layer and the device on which it is administered.

1. Shared pre-rules
Scope and description: Panorama pushes shared pre-rules to all the firewalls in all the device groups.
Administration device: These rules are visible on firewalls, but you can only manage them in Panorama. You can use the pre-rules to enforce the acceptable use policy of an organization. For example, a pre-rule might block access to specific URL categories or allow DNS traffic for all the users.

2. Device group pre-rules
Scope and description: Panorama pushes device-group-specific pre-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from the device groups at multiple levels in the device group hierarchy, it evaluates the pre-rules from the highest to the lowest level. This means that the firewall first evaluates the shared rules and then evaluates the rules of device groups with no descendants.
Administration device: As for shared pre-rules, these rules are visible on firewalls, but you can only manage them in Panorama.

3. Local firewall rules
Scope and description: Local rules are specific to a single firewall or virtual system (vsys).
Administration device: A local firewall administrator or a Panorama administrator who switches to a local firewall context can edit the local firewall rules.

4. Device group post-rules
Scope and description: Panorama pushes the device-group-specific post-rules to all the firewalls in a particular device group and its descendant device groups. If a firewall inherits rules from device groups at multiple levels in the device-group hierarchy, it evaluates the post-rules from the lowest to the highest level. This means that the firewall first evaluates the rules of device groups with no descendants and then evaluates the shared rules.
Administration device: These rules are visible on firewalls, but you can only manage them in Panorama. Post-rules typically include the rules to deny access to traffic, based on the App-ID™ signatures, User-ID™ information (users or user groups), or service.

5. Shared post-rules
Scope and description: Panorama pushes the shared post-rules to all the firewalls in all the device groups.
Administration device: As for device group post-rules, these rules are visible on firewalls, but you can only manage them in Panorama.

6. Intrazone-default
7. Interzone-default
Scope and description: The default rules apply only to the Security rulebase and are predefined on Panorama (at the Shared level) and the firewall (in each vsys). These rules specify how PAN-OS handles traffic that doesn’t match any other rule. The intrazone-default rule allows all the traffic within a zone. The interzone-default rule denies all the traffic between zones. If you override the default rules, their order of precedence runs from the lowest context to the highest: overridden settings at the firewall level take precedence over the settings at the device-group level, which take precedence over the settings at the shared level.
Administration device: Default rules are initially read-only, either because they are part of the predefined configuration or because Panorama pushed them to the firewalls. However, you can override the rule settings for tags, action, logging, and security profiles. The context determines the level at which you can override the rules:
● Panorama — At the shared or device-group level, you can override the default rules that are part of the predefined configuration.
● Firewall — You can override the default rules that are part of the predefined configuration on the firewall or vsys, or that Panorama pushed from the shared location or a device group.

1.5.3 Implications of Panorama management
Panorama enables you to configure, manage, and monitor your Palo Alto Networks firewalls effectively with central oversight.
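The evaluation order in the table above (shared pre-rules, device group pre-rules from the highest level down, local rules, device group post-rules from the lowest level up, shared post-rules, then the two default rules) determines which rule wins for a given flow. The following Python model is an added example, not code from the study guide or from Panorama: it builds that order for a firewall in a four-level hierarchy and applies first-match evaluation. The device groups, rule names and zones are constructed for the example; the rule matching is deliberately simplified to source zone, destination zone and application.

```python
"""Build and evaluate the Security policy order for a Panorama-managed firewall.

Added example (not from the study guide). Rule matching is simplified to
source zone, destination zone and application; real rules match more fields.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    app: str          # "any" matches every application
    action: str

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        # The two predefined default rules match on the zone relationship only.
        if self.name == "intrazone-default":
            return src_zone == dst_zone
        if self.name == "interzone-default":
            return src_zone != dst_zone
        return (self.src_zone in ("any", src_zone)
                and self.dst_zone in ("any", dst_zone)
                and self.app in ("any", app))


@dataclass
class DeviceGroup:
    name: str
    parent: Optional[str]               # None: the group sits directly under Shared
    pre_rules: List[Rule] = field(default_factory=list)
    post_rules: List[Rule] = field(default_factory=list)


INTRAZONE_DEFAULT = Rule("intrazone-default", "any", "any", "any", "allow")
INTERZONE_DEFAULT = Rule("interzone-default", "any", "any", "any", "deny")


def ancestor_chain(groups: Dict[str, DeviceGroup], leaf: str) -> List[DeviceGroup]:
    """The firewall's own device group first, then each ancestor up to the top level."""
    chain, current = [], leaf
    while current is not None:
        chain.append(groups[current])
        current = groups[current].parent
    return chain


def evaluation_order(shared_pre: List[Rule], groups: Dict[str, DeviceGroup], leaf: str,
                     local_rules: List[Rule], shared_post: List[Rule]) -> List[Rule]:
    """Rules in the order the firewall evaluates them (first match wins)."""
    chain = ancestor_chain(groups, leaf)
    ordered = list(shared_pre)
    for dg in reversed(chain):          # pre-rules: highest level to lowest
        ordered.extend(dg.pre_rules)
    ordered.extend(local_rules)          # local rules sit between pre- and post-rules
    for dg in chain:                     # post-rules: lowest level to highest
        ordered.extend(dg.post_rules)
    ordered.extend(shared_post)
    ordered.extend([INTRAZONE_DEFAULT, INTERZONE_DEFAULT])
    return ordered


def first_match(rules: List[Rule], src_zone: str, dst_zone: str, app: str) -> Optional[Rule]:
    """The first rule in evaluation order that matches the flow."""
    for rule in rules:
        if rule.matches(src_zone, dst_zone, app):
            return rule
    return None   # not reachable: the two default rules cover every zone pairing


# Constructed hierarchy: Shared > datacenter > dc-apac, firewall belongs to dc-apac.
GROUPS = {
    "datacenter": DeviceGroup("datacenter", None,
                              pre_rules=[Rule("dc-block-ssh", "any", "any", "ssh", "deny")],
                              post_rules=[Rule("dc-deny-bittorrent", "any", "any", "bittorrent", "deny")]),
    "dc-apac": DeviceGroup("dc-apac", "datacenter",
                           pre_rules=[Rule("apac-allow-web", "trust", "untrust", "web-browsing", "allow")],
                           post_rules=[Rule("apac-deny-ftp", "any", "any", "ftp", "deny")]),
}
SHARED_PRE = [Rule("shared-allow-dns", "any", "any", "dns", "allow")]
SHARED_POST = [Rule("shared-deny-smtp", "any", "untrust", "smtp", "deny")]
LOCAL_RULES = [Rule("local-allow-ssh-to-dmz", "trust", "dmz", "ssh", "allow")]

ORDER = evaluation_order(SHARED_PRE, GROUPS, "dc-apac", LOCAL_RULES, SHARED_POST)

if __name__ == "__main__":
    for position, rule in enumerate(ORDER, start=1):
        print(position, rule.name, rule.action)
    hit = first_match(ORDER, "trust", "dmz", "ssh")
    print("trust->dmz ssh hits", hit.name, "->", hit.action)
```

The trust-to-dmz SSH flow is the instructive case: the local administrator's allow rule never fires because the datacenter device group's pre-rule denies SSH first, which is exactly the "pre-rules enforce the organization's acceptable use policy" behaviour the table describes.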
The three main areas in which Panorama adds value are:
● Centralized configuration and deployment—To simplify central management and rapid deployment of the firewalls and WildFire appliances on your network, use Panorama for pre-staging the firewalls and WildFire appliances for deployment. You can then assemble the firewalls into groups, create templates to apply a base network and device configuration, and use device groups to administer globally shared and local policy rules.
● Aggregated logging with central oversight for analysis and reporting—Collect information on activity across all the managed firewalls on the network and centrally analyze, investigate, and report on the data. This comprehensive view of network traffic, user activity, and associated risks empowers you to respond to potential threats by using the rich set of policies to securely enable applications on your network.
● Distributed administration—Delegate or restrict access to global and local firewall configurations and policies.

1.5.4 Impact of templates, template stacks, and hierarchy
You use templates and template stacks to configure the settings that enable firewalls to operate on the network. Templates are the basic building blocks you use to configure the Network and Device tabs on Panorama. You can use templates to define interface and zone configurations, manage server profiles for logging and syslog access, or define VPN configurations.

Template stacks provide the ability to layer multiple templates and create a combined configuration. Template stacks simplify management because they allow you to define a common base configuration for all the devices attached to the template stack and provide the ability to layer templates to create a combined configuration.
This enables you to define templates with location- or function-specific settings and then stack the templates in descending order of priority so that the firewalls inherit the settings based on the order of the templates in the stack.

Both templates and template stacks support variables. Variables allow you to create placeholder objects with their value specified in the template or template stack, based on the configuration needs. Create a template or template stack variable to replace the IP addresses, Group IDs, and interfaces in the configurations. Template variables are inherited by the template stack, and you can override them to create a template stack variable. However, templates do not inherit the variables defined in the template stack. When a variable is defined in the template or template stack and pushed to the firewall, the value defined for the variable is displayed on the firewall.

You can use templates to accommodate the firewalls that have unique settings. Alternatively, you can push a broader, common base configuration and then override certain pushed settings with firewall-specific values on individual firewalls. When you override a setting on the firewall, the firewall saves that setting to its local configuration and Panorama no longer manages the setting. To restore template values after you override them, use Panorama to force the template or template stack configuration onto the firewall. For example, after you define a common NTP server in a template and override the NTP server configuration on a firewall to accommodate a local time zone, you can later revert to the NTP server defined in the template.

When defining a template stack, consider assigning firewalls that are the same hardware model and require access to similar network resources, such as gateways and syslog servers. This enables you to avoid the redundancy of adding every setting to every template stack.
The following figure illustrates an example configuration in which you assign data center firewalls in the Asia-Pacific (APAC) region to a stack with global settings—one template with APAC-specific settings and one template with data-center-specific settings. To manage firewalls in an APAC branch office, you can then reuse the global and APAC-specific templates by adding them to another stack that includes a template with branch-specific settings.

Templates in a stack have a configurable priority order that ensures Panorama pushes only one value for any duplicate setting. Panorama evaluates the templates listed in a stack configuration from top to bottom with the higher templates having priority. The following figure illustrates a data center stack in which the data-center template has a higher priority than the global template; Panorama pushes the idle timeout value from the data-center template and ignores the value from the global template.

You cannot use templates or template stacks to set the firewall modes: virtual private network (VPN) mode, multiple virtual systems (multi-vsys) mode, or operational modes (normal or FIPS-CC mode). However, you can assign firewalls that have non-matching modes to the same template or stack. In such cases, Panorama pushes mode-specific settings only to the firewalls that support those modes. As an exception, you can configure Panorama to push the settings of the default vsys in a template to the firewalls that don’t support virtual systems or that don’t have any virtual systems configured.
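The stack described above (global, APAC and data-center templates, with the data-center template's idle timeout winning) can be modelled directly. The following Python code is an added example, not code from the study guide or from Panorama: it resolves a template stack top-down so that the first template defining a setting wins, resolves variables (inherited from the templates, overridable by the stack), and models a firewall-side override followed by forcing the template values back. The template names, settings and IP addresses are constructed; where two templates define the same variable, this example lets the higher-priority template's value win, which is an assumption the guide does not state.

```python
"""Resolve what Panorama pushes from a template stack and what a firewall keeps locally.

Added example (not from the study guide). Templates are listed top (highest
priority) to bottom; values beginning with "$" are variables.
"""
from typing import Dict, Iterable, Optional


class Template:
    def __init__(self, name: str, settings: Dict[str, object],
                 variables: Optional[Dict[str, object]] = None) -> None:
        self.name = name
        self.settings = settings            # setting -> value or "$variable"
        self.variables = variables or {}    # "$variable" -> value


class TemplateStack:
    def __init__(self, name: str, templates: Iterable[Template],
                 variables: Optional[Dict[str, object]] = None) -> None:
        self.name = name
        self.templates = list(templates)    # top of the stack first
        self.variables = variables or {}    # stack variables override inherited ones

    def resolve(self) -> Dict[str, object]:
        """Settings Panorama pushes: the first (highest) template defining a key wins."""
        # Variables: inherited from every template, then overridden by the stack.
        # Assumption for this example: a higher template's variable beats a lower one's.
        variables: Dict[str, object] = {}
        for tpl in reversed(self.templates):
            variables.update(tpl.variables)
        variables.update(self.variables)
        pushed: Dict[str, object] = {}
        for tpl in self.templates:
            for key, value in tpl.settings.items():
                if key in pushed:
                    continue                 # a higher template already set it
                if isinstance(value, str) and value.startswith("$"):
                    value = variables[value]
                pushed[key] = value
        return pushed


class FirewallConfig:
    """A firewall's view: settings pushed by Panorama plus its local overrides."""

    def __init__(self) -> None:
        self.pushed: Dict[str, object] = {}
        self.local_overrides: Dict[str, object] = {}

    def receive_push(self, settings: Dict[str, object]) -> None:
        self.pushed = dict(settings)

    def override(self, key: str, value: object) -> None:
        # Once overridden, the setting lives in the local config and Panorama no longer manages it.
        self.local_overrides[key] = value

    def managed_by_panorama(self, key: str) -> bool:
        return key in self.pushed and key not in self.local_overrides

    def force_template_values(self) -> None:
        # Panorama forcing the template configuration discards the local overrides.
        self.local_overrides.clear()

    def effective(self) -> Dict[str, object]:
        merged = dict(self.pushed)
        merged.update(self.local_overrides)
        return merged


# Constructed templates mirroring the guide's global / APAC / data-center / branch layout.
GLOBAL = Template("global",
                  {"ntp-server": "$ntp", "idle-timeout": 10, "syslog-server": "$syslog"},
                  {"$ntp": "10.0.0.5", "$syslog": "10.0.0.9"})
APAC = Template("apac", {"timezone": "Asia/Singapore"}, {"$ntp": "10.10.0.5"})
DATACENTER = Template("datacenter", {"idle-timeout": 30})
BRANCH = Template("branch", {"idle-timeout": 5})

# Data-center stack: datacenter template has priority over global, so idle-timeout is 30.
APAC_DC_STACK = TemplateStack("apac-dc", [DATACENTER, APAC, GLOBAL],
                              variables={"$syslog": "10.10.0.9"})
# Branch stack reuses the same global and APAC templates with a branch-specific one.
APAC_BRANCH_STACK = TemplateStack("apac-branch", [BRANCH, APAC, GLOBAL])

if __name__ == "__main__":
    pushed = APAC_DC_STACK.resolve()
    print("pushed:", pushed)
    fw = FirewallConfig()
    fw.receive_push(pushed)
    fw.override("ntp-server", "10.20.0.5")      # local time-zone NTP server
    print("after local override:", fw.effective(), "managed:", fw.managed_by_panorama("ntp-server"))
    fw.force_template_values()
    print("after force template values:", fw.effective())
```

The override sequence at the end is the NTP example from the text: once the firewall overrides ntp-server the setting is local and unmanaged, and only forcing the template values from Panorama brings it back under central control.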
1.5.5 References
● Device Group Hierarchy, https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/device-groups/device-group-hierarchy
● Panorama, https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panorama-overview/about-panorama#id52537f5d-4ddc-4701-b7e0-4d31476c2eb1_idd89f295d-bd7a-47cb-adad-3e1323ba6ec5
● Templates and Template Stacks, https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/panorama-overview/centralized-firewall-configuration-and-update-management/templates-and-template-stacks

1.6 Schedule and install dynamic updates
To always ensure protection from the latest threats (including those not yet discovered), you must keep the firewalls up to date with the latest content and software updates published by Palo Alto Networks. Palo Alto Networks regularly posts updates for application detection, threat protection, and GlobalProtect data files through dynamic updates.

1.6.1 From Panorama
To schedule an automatic download and installation of an update, click Schedules, click Add, and configure the settings as described in the following table:

DYNAMIC UPDATE SCHEDULE SETTINGS
Name: Enter a name to identify the scheduled job (up to 31 characters). The name is case-sensitive, must be unique, and can contain only letters, numbers, hyphens, and underscores.
Disabled: Select to disable the scheduled job.
Download Source: Select the download source for the content update. You can select to download content updates from the Palo Alto Networks Updates Server or from a Secure Copy Protocol (SCP) server.
SCP Profile (SCP only): Select a configured SCP profile from which to download.
SCP Path (SCP only): Enter the specific path on the SCP server from which to download the content update.
Type: Select the type of content update to schedule: App, App and Threat, Antivirus, WildFire, or URL Database.
Recurrence: Select the interval at which Panorama checks in with the update server. The recurrence options vary by update type.
Time: For a daily update, select the Time from the 24-hour clock. For a weekly update, select the Day of the week, and the Time from the 24-hour clock.
Disable new apps in content update: You can disable new apps in content updates only if you set the update Type to App or App and Threat and only if Action is set to Download and Install. Select to disable applications in the update that are new relative to the last installed update. This protects against the latest threats while giving you the flexibility to enable the applications after preparing any policy updates. Then, to enable applications, log in to the firewall, select Device > Dynamic Updates, click Apps in the Features column to display the new applications, and click Enable/Disable for each application you want to enable.
Action:
● Download Only — Panorama™ will download the scheduled update. You must manually install the update on the firewalls and Log Collectors.
● Download and Install — Panorama will download and automatically install the scheduled update.
● Download and SCP — Panorama will download and transfer the content update package to the specified SCP server.
Devices: Select Devices and then select the firewalls that will receive the scheduled content updates.
Log Collectors: Select Log Collectors and then select the managed collectors that will receive the scheduled content updates.
1.6.2 From the firewall
The following diagram illustrates how updated information is often made available to the firewall:

The following content updates are available, depending on which subscriptions you have:
● Antivirus: Includes new and updated antivirus signatures, including WildFire signatures and automatically generated command-and-control (C2) signatures. WildFire signatures detect malware seen first by firewalls from around the world. You must have a Threat Prevention subscription to get these updates. New antivirus signatures are published daily.
● Applications: Includes new and updated application signatures. New applications are published monthly, and modified applications are published weekly.
● Applications and Threats: Includes new and updated application and threat signatures, including those that detect spyware and vulnerabilities. This update is available if you have a Threat Prevention subscription (and you get it instead of the Applications update). New and modified threat signatures and modified applications signatures are published weekly; new application signatures are published monthly. The firewall can retrieve the latest update within 30 minutes of availability.
● GlobalProtect Data File: Contains vendor-specific information for defining and evaluating the host information profile (HIP) data returned by GlobalProtect clients. You must have a GlobalProtect license (subscription) and create an update schedule to receive these updates.
● GlobalProtect Clientless VPN: Contains new and updated application signatures to enable clientless VPN access to common web applications from the GlobalProtect portal. You must have a GlobalProtect license (subscription) and create an update schedule to receive these updates and enable clientless VPN to function.
● Palo Alto Networks (PAN-DB) URL Filtering: Every five to ten minutes, a new version is published, which contains updated categorization data and an incremented version number. Each time the Palo Alto Networks firewall sends a request to the cloud, the firewall checks the current version number. If the number is different, the firewall upgrades the device’s version to the current cloud version. The primary purpose of the frequency of updates is to leverage native integration with WildFire, which creates new signatures and records malicious URLs every five minutes.
● WildFire: Provides real-time malware and antivirus signatures created as a result of the analysis done by the WildFire cloud service and is available with a WildFire subscription. As a best practice, schedule the firewall to retrieve WildFire updates every minute. If you have a Threat Prevention subscription and not a WildFire subscription, you must wait 24 to 48 hours for the WildFire signatures to be added into the antivirus update.
● WF-Private: Provides malware signatures generated by an on-premises WildFire appliance.

1.6.3 Scheduling and staggering updates on an HA pair
Always review content Release Notes for the list of the newly identified and modified applications and threat signatures that the content release introduces; refer to the image below:

You can download updates directly from the Palo Alto Networks update server. You can also download the updates to another system, such as a user desktop or a Panorama management appliance, and then upload them to the firewall. Whether you download an update through the web or upload an update from Panorama, the update will appear in the list of available updates at Device > Dynamic Updates. Click Install to install the updates.

Software updates
PAN-OS updates are managed in the Device > Software section of the web interface.
You must perform a final system reboot to place the new PAN-OS software into production. This reboot is disruptive and should be done during a change control window. The software downloads are done over the MGT interface by default. A data interface can be used to download the software by using a service route. The latest version of applications and threats must be installed to complete the software installation. If your firewall does not have internet access from the management port, you can download the software image from the Palo Alto Networks Support Portal and then manually upload it to your firewall.

Before you upgrade to a newer version of software:
● Always review the release notes to determine any impact of upgrading to a newer version of software.
● Ensure that the firewall is connected to a reliable power source. A loss of power during an upgrade can make the firewall unusable.
● Although the firewall automatically creates a configuration backup, follow best practice and create and externally store a backup before you upgrade.

Use the following procedure to upgrade a pair of firewalls in a high availability (HA) configuration. This procedure applies to both active/passive and active/active configurations. To avoid downtime when upgrading firewalls that are in an HA configuration, update one HA peer at a time. For active/active firewalls, it doesn’t matter which peer you upgrade first (but for simplicity, this procedure shows you how to upgrade the active-primary peer first). For active/passive firewalls, you must suspend (fail over) and upgrade the active (primary) peer first. After you upgrade the primary peer, you must unsuspend the primary peer to return it to a functional state (passive). Next, you must suspend the passive (secondary) peer to make the primary peer active again. After the primary peer is active and the secondary peer is suspended, you can continue the upgrade.
To prevent failover during the upgrade of the HA peers, you must make sure preemption is disabled before proceeding with the upgrade. You only need to disable preemption on one peer in the pair.

When upgrading HA firewalls across multiple feature PAN-OS releases, you must upgrade each HA peer to the same feature PAN-OS release on your upgrade path before continuing. For example, when you are upgrading HA peers from PAN-OS 10.0 to PAN-OS 10.2, you must upgrade both HA peers to PAN-OS 10.1 before you can continue upgrading to the target PAN-OS 10.2 release. When HA peers are two or more feature releases apart, the firewall with the older release installed enters a suspended state with the message Peer version too old.

Step 1: Save a backup of the current configuration file. Perform these steps on each firewall in the pair:
1. Select Device > Setup > Operations and click Export named configuration snapshot.
2. Select the XML file that contains your running configuration (for example, running-config.xml) and click OK to export the configuration file.
3. Save the exported file to a location external to the firewall. You can use this backup to restore the configuration if you have problems with the upgrade.

Step 2: Select Device > Support and Generate Tech Support File. Click Yes when prompted to generate the tech support file.

Step 3: Ensure that each firewall in the HA pair is running the latest content release version.
1. Select Device > Dynamic Updates and check the Applications or Applications and Threats section to determine which update is currently installed.
2. If the firewalls are not running the minimum required content release version or a later version required for PAN-OS 11.0, Check Now to retrieve a list of available updates.
3. Locate and Download the desired content release version.
After you successfully download a content update file, the link in the Action column changes from Download to Install for that content release version.
4. Install the update. You must install the update on both peers.

Step 4: Determine the Upgrade Path to PAN-OS 11.0. You cannot skip the installation of any feature release versions in the path from the currently running PAN-OS version to PAN-OS 11.0.

Step 5: If you are leveraging Cortex Data Lake (CDL), Install a Device Certificate on each HA peer. The firewall automatically switches to using the device certificate for authentication with CDL ingestion and query endpoints on upgrade to PAN-OS 11.0.

Step 6: Disable preemption on the first peer in each pair. You only need to disable this setting on one firewall in the HA pair but ensure that the commit is successful before you proceed with the upgrade.
1. Select Device > High Availability and edit the Election Settings.
2. If enabled, disable (clear) the Preemptive setting and click OK.
3. Commit the change.

Step 7: Suspend the primary HA peer to force a failover. For firewalls in an active/passive HA configuration, suspend and upgrade the active HA peer first. For firewalls in an active/active HA configuration, suspend and upgrade the active-primary HA peer first.
1. Select Device > High Availability > Operational Commands and Suspend local device for high availability.
2. In the bottom-right corner, verify that the state is suspended. The resulting failover should cause the secondary HA peer to transition to Active state.

Step 8: Install PAN-OS 11.0 on the suspended HA peer.
1. On the primary HA peer, select Device > Software and click Check Now for the latest updates. Note that only the versions for the next available PAN-OS release are displayed. For example, if PAN-OS 11.0 is installed on the firewall, then only PAN-OS 11.0 releases are displayed.
2. Locate and Download PAN-OS 11.0.0.
3. After you download the image (or, for a manual upgrade, after you upload the image), Install the image.
4. After the installation completes successfully, reboot using one of the following methods:
● If you are prompted to reboot, click Yes.
● If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device.
5. After the device finishes rebooting, view the High Availability widget on the Dashboard and verify that the device you just upgraded is in sync with the peer.

Step 9: Restore HA functionality to the primary HA peer.
● Select Device > High Availability > Operational Commands and Make local device functional for high availability.
● In the bottom-right corner, verify that the state is Passive. For firewalls in an active/active configuration, verify that the state is Active.
● Wait for the HA peer running configuration to synchronize. In the Dashboard, monitor the Running Config status in the High Availability widget.

Step 10: On the secondary HA peer, suspend the HA peer.
● Select Device > High Availability > Operational Commands and Suspend local device for high availability.
● In the bottom-right corner, verify that the state is suspended. The resulting failover should cause the primary HA peer to transition to Active state.

Step 11: Install PAN-OS 11.0 on the secondary HA peer.
1. On the secondary peer, select Device > Software and click Check Now for the latest updates.
2. Locate and Download PAN-OS 11.0.0.
3. After you download the image, Install it.
4. After the installation completes successfully, reboot using one of the following methods:
● If you are prompted to reboot, click Yes.
● If you are not prompted to reboot, select Device > Setup > Operations and Reboot Device.

Step 12: Restore HA functionality to the secondary HA peer.
1. Select Device > High Availability > Operational Commands and Make local device functional for high availability.
2. In the bottom-right corner, verify that the state is Passive. For firewalls in an active/active configuration, verify that the state is Active.
3. Wait for the HA peer running configuration to synchronize. In the Dashboard, monitor the Running Config status in the High Availability widget.

Step 13: Re-enable preemption on the HA peer where it was disabled in Step 6.
1. Select Device > High Availability and edit the Election Settings.
2. Enable (check) the Preemptive setting and click OK.
3. Commit the change.

Step 14: Regenerate or re-import all certificates to adhere to OpenSSL Security Level 2. On upgrade to PAN-OS 11.0, all certificates must meet the following minimum requirements:
● RSA 2048 bits or greater, or ECDSA 256 bits or greater
● Digest of SHA256 or greater

Step 15: Verify that both peers are passing traffic as expected. In an active/passive configuration, only the active peer should be passing traffic; in an active/active configuration, both peers should be passing traffic. Run the following CLI commands to confirm that the upgrade succeeded:
● (Active peers only) To verify that active peers are passing traffic, run the show session all command.
● To verify session synchronization, run the show high-availability interface ha2 command and make sure that the hardware interface counters on the CPU table are increasing as follows:
○ In an active/passive configuration, only the active peer shows packets transmitted; the passive peer will show only packets received.
○ In an active/active configuration, you will see packets received and packets transmitted on both peers.
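Two rules in the procedure above are easy to get wrong under change-window pressure: no feature release on the upgrade path may be skipped, and the two peers must never end up two or more feature releases apart, or the older peer suspends with Peer version too old. The following Python code is an added example, not code from the study guide or from Palo Alto Networks: it computes the release path, checks peer version skew, and emits the peer-by-peer step sequence that Steps 1 to 15 describe for each release on the path. The ordered list of feature releases is an assumption built from the versions the guide mentions (10.0, 10.1, 10.2, 11.0); keep it in line with the vendor's release list before relying on it.

```python
"""Plan a PAN-OS HA-pair upgrade: release path, peer version skew, peer ordering.

Added example (not from the study guide). FEATURE_RELEASES is an assumption
built from the releases the guide mentions; it is not a complete vendor list.
"""
from typing import List, Tuple

FEATURE_RELEASES = ["10.0", "10.1", "10.2", "11.0"]


def feature_release(version: str) -> str:
    """'10.1.6' -> '10.1': maintenance releases share one feature release."""
    major, minor = version.split(".")[:2]
    return f"{major}.{minor}"


def upgrade_path(current: str, target: str) -> List[str]:
    """Feature releases to install, in order; none may be skipped."""
    cur = FEATURE_RELEASES.index(feature_release(current))
    tgt = FEATURE_RELEASES.index(feature_release(target))
    if tgt < cur:
        raise ValueError(f"{target} is older than the running release {current}")
    return FEATURE_RELEASES[cur + 1:tgt + 1]


def peers_compatible(local: str, peer: str) -> bool:
    """False when the peers are two or more feature releases apart; the guide says the
    older peer then enters a suspended state with the message Peer version too old."""
    gap = abs(FEATURE_RELEASES.index(feature_release(local))
              - FEATURE_RELEASES.index(feature_release(peer)))
    return gap < 2


def ha_upgrade_plan(current: str, target: str,
                    mode: str = "active/passive") -> List[Tuple[str, str]]:
    """Ordered (peer, action) steps: one peer at a time, the primary peer first, and both
    peers brought to each feature release before moving on to the next one."""
    if mode not in ("active/passive", "active/active"):
        raise ValueError("mode must be active/passive or active/active")
    plan: List[Tuple[str, str]] = [
        ("both", "export named configuration snapshot to an external location"),
        ("both", "generate tech support file"),
        ("both", "install the latest content release version"),
        ("primary", "disable preemption (Device > High Availability > Election Settings) and commit"),
    ]
    versions = {"primary": feature_release(current), "secondary": feature_release(current)}
    for release in upgrade_path(current, target):
        for peer, other in (("primary", "secondary"), ("secondary", "primary")):
            plan.append((peer, "suspend local device for high availability"))
            plan.append((peer, f"install PAN-OS {release} and reboot"))
            versions[peer] = release
            # One feature release at a time keeps the peers within one release of each other.
            if not peers_compatible(versions[peer], versions[other]):
                raise RuntimeError(f"{other} would report: Peer version too old")
            plan.append((peer, "make local device functional; wait for the running config to sync"))
    plan.append(("primary", "re-enable preemption and commit"))
    plan.append(("both", "verify with show session all and show high-availability interface ha2"))
    return plan


if __name__ == "__main__":
    print("path:", upgrade_path("10.0.3", "10.2.0"))
    print("10.0 next to 10.2 compatible?", peers_compatible("10.0.3", "10.2.0"))
    for peer, action in ha_upgrade_plan("10.0.3", "10.2.0"):
        print(f"{peer:10} {action}")
```

For the guide's own 10.0 to 10.2 example the plan installs 10.1 on the primary, then on the secondary, and only then 10.2 on each peer; the skew check inside the loop is what would catch a plan that upgraded one peer straight to 10.2.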
1.6.4 References
● Schedule Dynamic Content Updates, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/schedule-dynamic-content-updates

1.7 Create and apply security zones to policies

1.7.1 Identify zone types
Security zones are a logical way to group physical and virtual interfaces on the firewall to control and log the traffic that traverses specific interfaces on the network. An interface on the firewall must be assigned to a security zone before the interface can process traffic. A zone can have multiple interfaces of the same type assigned to it (for example, tap, Layer 2, or Layer 3 interfaces), but an interface can belong to only one zone.

1.7.2 External types
An external zone is a security object that is associated with a specific virtual system it can reach; the zone is external to the virtual system. A virtual system can have only one external zone, regardless of how many security zones the virtual system has. External zones are required to allow traffic between zones in different virtual systems, without the traffic leaving the firewall.

1.7.3 Layer 2
Layer 2 interfaces are used to switch traffic between other Layer 2 interfaces. Before switching can take place, each Layer 2 interface must be assigned to a VLAN object. Assignment of interfaces that belong to the same VLAN but exist in different Layer 2 zones enables you to analyze, shape, manage, and decrypt the traffic. When a zone is created for a Layer 2 interface, the zone’s type will be set to “Layer 2” and it can only be assigned to Layer 2 interfaces. A zone’s type must match the type of the interface to which the zone is assigned.

1.7.4 Layer 3
A Layer 3 zone is used when routing between two or more networks. The next figure shows that the Layer 3 zone allows five interface types: Layer 3 (Ethernet1/4 and 1/5), loopback, SD-WAN, tunnel, and VLAN.
Palo Alto Networks Certified Network Security Administrator (PCNSA) | Study Guide 40 1.7.5 Tap A Tap interface monitors traffic that is connected to a network switch's MIRROR/SPAN port. This mirrored traffic is forwarded by a switch port to a firewall’s Tap interface and is analyzed for App-ID, User-ID, Content-ID, and other traffic—just like any other normal data traffic that would pass through the firewall. Before traffic can be logged, you must configure a security policy that includes the Tap zone. When a zone is created for a Tap interface, the zone’s type will be set to “Tap” and it can only be assigned to Tap interfaces. A zone’s type must match the interface’s type to which the zone is assigned. Palo Alto Networks Certified Network Security Administrator (PCNSA) | Study Guide 41 1.7.6 VWire A Virtual Wire interface is used to pass traffic through a firewall by binding two Ethernet interfaces and allowing traffic to pass between them. Virtual Wire interfaces are often placed between an existing firewall and a secured network to enable analysis of the traffic before actually migrating from a legacy firewall to a Palo Alto Networks firewall. ● Two Virtual Wire interfaces, each in a virtual wire zone (the zone can be the same or different), and a virtual wire object are required to complete a virtual wire configuration. The following figure shows one interface in one zone (Internet) and the other interface in another zone (Inside). If both interfaces are in different zones (interzone traffic), all the traffic will be inspected by security policy rules until sessions can be established, and then you can check for User-ID, App-ID, and Content-ID and perform logging, QoS, decryption, LLDP, zone protection, DoS protection, and NAT. ● If both interfaces are in the same zone (intrazone traffic), all the traffic would be allowed by default, and sessions can be easily established. 
However, you also can check for User-ID, App-ID, and Content-ID and perform logging, QoS, decryption, LLDP, zone protection, DoS protection, and NAT.
● Virtual Wire interfaces can be subdivided into Virtual Wire subinterfaces that classify traffic according to VLAN tags, IP addresses, IP ranges, or subnets. Using subinterfaces enables you to separate traffic into different zones for more granular control than regular (non-subinterface) Virtual Wire interfaces.

1.7.7 Tunnel
A Tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver encrypted traffic between two endpoints. The Tunnel interface must belong to a security zone before a policy can be applied, and it must be assigned to a virtual router to use the existing routing infrastructure. When a zone is created for a Tunnel interface, the zone’s type is set to “Layer 3” and it can be assigned only to Layer 3 or Tunnel interfaces.

1.7.8 References
● Security Zone Overview, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-zones/security-zone-overview
● External Zone, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/virtual-systems/communication-between-virtual-systems/inter-vsys-traffic-that-remains-within-the-firewall/external-zone

1.8 Identify and configure firewall interfaces

1.8.1 Different types of interfaces
The interface configurations of firewall data ports enable traffic to enter and exit the firewall. A Palo Alto Networks firewall can operate in multiple deployments simultaneously because you can configure interfaces to support different deployments. For example, you can configure the Ethernet interfaces on a firewall for virtual wire, Layer 2, Layer 3, and tap mode deployments.
The interfaces that the firewall supports are:
● Physical interfaces — The firewall supports two types of media, copper and fiber-optic, which can send and receive traffic at different transmission rates. You can configure Ethernet interfaces as various types: Tap, High Availability (HA), Log Card (interface and subinterface), Decrypt Mirror, Virtual Wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), and Aggregate Ethernet (AE). The available interface types and transmission speeds vary according to the hardware model.
● Logical interfaces — These include VLAN interfaces, loopback interfaces, and tunnel interfaces. You must set up the physical interface before defining a VLAN or a tunnel interface.

1.8.2 How interface types affect Security policies
PAN-OS software has various Ethernet interface types: Tap, Virtual Wire, Layer 2, Layer 3, and HA. (HA interfaces are not discussed in this section.) A firewall can be configured with multiple instances of each interface type to accommodate its functional requirements within a network. The following figure shows how a firewall can be used in Tap, Virtual Wire, and Layer 2 or Layer 3 mode.

Figure: Ethernet interface types

Other available interface types include the following:
● Decrypt Mirror: This feature enables decrypted traffic from a firewall to be copied and sent to a traffic collection tool that can receive raw packet captures, such as NetWitness or Solera, for archival and analysis. Decrypt Mirror is often used to route decrypted traffic through an external interface to a data loss prevention (DLP) service. DLP is a product category for products that scan internet-bound traffic for keywords and patterns that identify sensitive information. Note that a free license is required to use this feature.
This feature is not available on the VM-Series firewalls.
● Log Card: This interface is for the PA-7000 Series firewalls only. A log card data port performs log forwarding for syslog, email, Simple Network Management Protocol (SNMP), and WildFire file forwarding. One data port on a PA-7000 must be configured as a Log Card interface because the MGT interface cannot handle all the logged traffic.
● Aggregate: This interface is used to bundle multiple physical HA3, Virtual Wire, Layer 2, or Layer 3 interfaces into a logical interface for better performance (via load balancing) and redundancy by using IEEE 802.1AX (LACP) link aggregation. The interface types to be bundled must be the same. VM-Series models do not support Aggregate Ethernet (AE) interface groups.
● HA: Each HA interface has a specific function. One HA interface is for configuration synchronization and heartbeats; the other HA interface is for state synchronization. If active/active high availability is enabled, the firewall can also use a third HA interface to forward packets.
● Management: MGT interfaces are used to manage a firewall using a network cable.
● Loopback: Loopback interfaces are Layer 3 virtual interfaces that connect to the virtual routers in the firewall. Loopback interfaces are used for multiple network engineering and implementation purposes. They can be destination configurations for DNS sinkholes, GlobalProtect service interfaces (portals and gateways), routing identification, and more.
● Tunnel: A Tunnel interface is a logical (virtual) interface used with VPN tunnels to deliver encrypted traffic between two endpoints. The Tunnel interface must belong to a security zone before policy can be applied, and it must be assigned to a virtual router to use the existing routing infrastructure. A Tunnel interface does not require an IP address to route traffic between the sites.
An IP address is required only if you want to enable tunnel monitoring or if you are using a dynamic routing protocol to route traffic across the tunnel.
● SD-WAN: Create and configure a virtual SD-WAN interface to specify one or more physical, SD-WAN-capable Ethernet interfaces that go to the same destination, such as a specific hub or the internet. All the links in a virtual SD-WAN interface must be of the same type: all VPN tunnel links or all direct internet access (DIA) links. An SD-WAN interface definition works with an SD-WAN Interface Profile that defines the characteristics of the ISP connections. Details about these interfaces and their configuration are beyond the scope of the PCNSA certification.

1.8.3 References
● Firewall Interfaces Overview, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/network/network-interfaces/firewall-interfaces-overview

1.9 Maintain and enhance the configuration of a virtual or logical router

1.9.1 Steps to create a static route
Step 1: Select Network > Routing > Logical Routers and select the logical router.
Step 2: Select Static and Add an IPv4 or IPv6 static route by Name (maximum of 63 characters). The name must start with an alphanumeric character, underscore (_), or hyphen (-), and can contain a combination of alphanumeric characters, underscores, or hyphens. No dot (.) or space is allowed.
Step 3: For Destination, enter the route and netmask (for example, 192.168.2.0/24 for an IPv4 address or 2001:db8:123:1::0/64 for an IPv6 address). If you are creating a default route, enter the default route (0.0.0.0/0 for IPv4 or ::/0 for IPv6). Alternatively, you can select or create an address object of type IP Netmask.
Step 4: For Interface, specify the outgoing interface for packets to use to go to the next hop.
Specifying an interface provides stricter control over which interface the firewall uses, rather than relying on the interface in the route table for the next hop of this static route.
Step 5: For Next Hop, select one of the following:
● IP Address or IPv6 Address — Enter the IP address (for example, 192.168.56.1 or 2001:db8:49e:1::1) when you want to route to a specific next hop. You must Enable IPv6 on the interface (when you Configure Layer 3 Interfaces) to use an IPv6 next hop address. If you are creating a default route, for Next Hop you must select IP Address and enter the IP address of your internet gateway (for example, 192.168.56.1 or 2001:db8:49e:1::1). Alternatively, you can create an address object of type IP Netmask. The address object must have a netmask of /32 for IPv4 or /128 for IPv6.
● Next LR — Select to make the next logical router (in the list of logical routers) the next hop.
● FQDN — Enter a Fully Qualified Domain Name.
● Discard — Select to drop packets that are addressed to this destination.
● None — Select if there is no next hop for the route. For example, a point-to-point connection does not require a next hop because there is only one way for packets to go.
Step 6: Enter the Admin Dist for the static route (range is 10 to 240; default is 10). This value overrides the Static or Static IPv6 administrative distance specified for the logical router.
Step 7: Enter a Metric for the static route (range is 1 to 65,535; default is 10).
Step 8: (Optional) If you want to use Bidirectional Forwarding Detection (BFD), select a BFD Profile you created, select the default profile, or create a BFD profile to apply to the static route; the default is None (Disable BFD).

1.9.2 How to use the routing table
By viewing the routing table, you can see whether the OSPF routes have been established. The routing table is accessible from either the web interface or the CLI.
If you are using the CLI to view the routing table, use the following commands:
● show routing route
● show routing fib
If you are using the web interface to view the routing table, use the following workflow:
Step 1: Select Network > Virtual Routers and, in the same row as the virtual router you are interested in, click the More Runtime Stats link.
Step 2: Select Routing > Route Table and examine the Flags column of the routing table for routes that were learned by OSPF.

1.9.3 What interface types can be added to a virtual or logical router
The PAN-OS software provides two virtual route engines—the BGP route engine, which supports only BGP and static routing, and the legacy route engine, which supports multiple dynamic routing protocols—of which only one can run at a given time. The following firewall models support the BGP route engine:
● PA-7000 Series
● PA-5200 Series
● PA-3200 Series
● VM-Series
Although a supported firewall can have a configuration that uses the legacy route engine and a configuration that uses the BGP route engine, only one route engine is in effect at a time. Each time you change the engine that the firewall will use (enable or disable Advanced Routing to access the BGP route engine or the legacy route engine, respectively), you must commit the configuration and reboot the firewall for the change to take effect. The BGP route engine supports only one logical router (known as a virtual router on the legacy route engine). Both route engines obtain routes to remote subnets either by the manual addition of static routes or by the dynamic addition of routes using dynamic routing protocols. Each Layer 3 Ethernet, Loopback, VLAN, and Tunnel interface defined on the firewall must be associated with a virtual router. Although each interface can belong to only one virtual router, you can configure routing protocols and static routes using either routing engine.
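The route selection that the Step 6 (Admin Dist) and Step 7 (Metric) values in 1.9.1 feed into, as an added example that is not from the study guide or PAN-OS: longest destination prefix first, then lowest administrative distance, then lowest metric. The routes, interface names and destinations are constructed for illustration, and withdraw()/restore() model a route being pulled from the table and reinstated, which is what path monitoring in 1.9.4 does.

```python
"""Static-route selection for a PAN-OS style logical router (added example).

Selection order: longest prefix, then lowest Admin Dist (range 10-240,
default 10), then lowest Metric (range 1-65535, default 10). The table
below is constructed; nothing here is read from a real firewall.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class StaticRoute:
    name: str
    destination: str          # e.g. "0.0.0.0/0" or "192.168.2.0/24"
    next_hop: str             # IP address, or "discard"/"none" as in Step 5
    interface: str            # outgoing interface from Step 4
    admin_dist: int = 10      # Step 6
    metric: int = 10          # Step 7
    active: bool = True       # False once path monitoring has withdrawn it

    def __post_init__(self):
        if not 10 <= self.admin_dist <= 240:
            raise ValueError("Admin Dist must be 10-240")
        if not 1 <= self.metric <= 65535:
            raise ValueError("Metric must be 1-65535")
        self.network = ipaddress.ip_network(self.destination, strict=True)


def lookup(table: list, dst: str):
    """Return the route a packet to dst would use, or None if nothing matches."""
    ip = ipaddress.ip_address(dst)
    candidates = [
        r for r in table
        if r.active and r.network.version == ip.version and ip in r.network
    ]
    if not candidates:
        return None
    # Longer prefix wins; ties are broken by admin distance, then metric.
    return min(candidates,
               key=lambda r: (-r.network.prefixlen, r.admin_dist, r.metric))


def withdraw(table: list, name: str) -> None:
    """Path monitoring failed for this route: exclude it from forwarding."""
    for r in table:
        if r.name == name:
            r.active = False


def restore(table: list, name: str) -> None:
    """Reachability to the next hop returned: reinstate the route."""
    for r in table:
        if r.name == name:
            r.active = True


# Constructed table: primary and backup default routes (the backup has a
# worse admin distance), a more specific route over a tunnel, and a Discard
# route that sinks unrouted RFC 1918 space.
TABLE = [
    StaticRoute("default-isp1", "0.0.0.0/0", "192.168.56.1", "ethernet1/1", admin_dist=10),
    StaticRoute("default-isp2", "0.0.0.0/0", "192.168.57.1", "ethernet1/2", admin_dist=20),
    StaticRoute("branch-lan", "192.168.2.0/24", "10.10.10.2", "tunnel.1"),
    StaticRoute("rfc1918-sink", "10.0.0.0/8", "discard", "ethernet1/1"),
]

if __name__ == "__main__":
    print("8.8.8.8 via", lookup(TABLE, "8.8.8.8").name)
    withdraw(TABLE, "default-isp1")          # simulate a failed path monitor
    print("8.8.8.8 via", lookup(TABLE, "8.8.8.8").name)
    restore(TABLE, "default-isp1")
```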
1.9.4 How to configure route monitoring
Path monitoring monitors upstream interfaces on remote, reliable devices by using ICMP pings. If path monitoring fails, the associated static route is removed from the routing table, and an alternative route can then be used to route traffic. The static route stays out of the routing table until reachability to the next hop is restored.

Domain 2: Managing Objects

2.1 Create and maintain address and address group objects

2.1.1 How to tag objects
You can tag objects to group related items and add a color to the tag to visually distinguish them for easy scanning. You can create tags for address objects, address groups, user groups, zones, service groups, and policy rules. Firewalls and Panorama support both static and dynamic tags. Dynamic tags are registered from a variety of sources and are not displayed with the static tags because dynamic tags are not part of the firewall or Panorama configuration. See Register IP Addresses and Tags Dynamically for information on registering tags dynamically. The tags discussed in this section are statically added and are part of the configuration. You can apply one or more tags to objects and policy rules, up to a maximum of 64 tags per object. Panorama supports a maximum of 10,000 tags, which you can distribute across Panorama (shared and device groups) and the managed firewalls (including firewalls with multiple virtual systems). Use tags to help identify the purpose of a rule or configuration object and to better organize the rulebase. To ensure that policy rules are properly tagged, see Enforce Policy Rule Description, Tag, and Audit Comment. Additionally, you can View Rules by Tag Group by first creating a tag and then setting it as the Group tag.
2.1.2 Differentiate between address objects
An address object is a set of IP addresses that you can manage in one place and then use in multiple firewall policy rules, filters, and other functions. The four types of address objects are:
● IP Netmask
● IP Range
● IP Wildcard Mask
● FQDN
Both IPv4 and IPv6 addresses are supported for the IP Netmask, IP Range, and FQDN address object types. However, an IP Wildcard Mask can specify only IPv4 addresses.
An address object of type IP Netmask requires entering the IP address or network using slash notation to indicate the IPv4 network or the IPv6 prefix length, for example, 192.168.18.0/24 or 2001:db8:123:1::/64.
An address object of type IP Range requires entering the IPv4 or IPv6 range of addresses separated by a hyphen.
An address object of type FQDN (for example, paloaltonetworks.com) provides further ease of use because DNS resolves the FQDN to its IP addresses, so you do not need to know the IP addresses or update them manually every time the FQDN resolves to new IP addresses.
An address object of type IP Wildcard Mask is useful for defining private IPv4 addresses assigned to internal devices when the addressing structure assigns meaning to certain bits in the address. For example, the IP address of cash register 156 in the northeastern U.S. could be 10.132.1.156, based on these bit assignments:
An address object of type IP Wildcard Mask specifies which source or destination addresses are subject to a security policy rule. For example, in the mask 10.132.1.1/0.0.2.255, a zero (0) bit in the mask indicates that the corresponding bit of the address being compared must match the bit in the object’s IP address. A one (1) bit in the mask (a wildcard bit) indicates that the corresponding bit need not match.
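The wildcard comparison just described, as an added example that is not from the study guide or PAN-OS. It uses the object 10.132.1.1/0.0.2.255 quoted in the text; the candidate addresses it is checked against are constructed, and the helper names are this example's own.

```python
"""Matching against a PAN-OS IP Wildcard Mask address object (added example).

A zero bit in the mask means the candidate address must equal the object's
address in that bit position; a one bit is a wildcard and is ignored.
"""
import ipaddress


def parse_wildcard_object(text: str) -> tuple:
    """Split "A.B.C.D/W.X.Y.Z" into (address, mask) as 32-bit integers."""
    addr, mask = text.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))


def wildcard_match(obj: str, candidate: str) -> bool:
    """True if candidate agrees with the object on every zero bit of the mask."""
    addr, mask = parse_wildcard_object(obj)
    cand = int(ipaddress.IPv4Address(candidate))
    # XOR exposes the differing bits; any difference outside the wildcard
    # bits (where the mask is 0) is a mismatch.
    return (addr ^ cand) & ~mask & 0xFFFFFFFF == 0


def match_count(obj: str) -> int:
    """Number of IPv4 addresses the object covers: 2 ** (number of one bits)."""
    _, mask = parse_wildcard_object(obj)
    return 1 << bin(mask).count("1")


def expand(obj: str, limit: int = 16) -> list:
    """Enumerate, lowest first, up to `limit` of the addresses the object covers."""
    addr, mask = parse_wildcard_object(obj)
    fixed = addr & ~mask & 0xFFFFFFFF           # the bits that must match
    wildcard_bits = [i for i in range(32) if (mask >> i) & 1]
    out = []
    for n in range(min(limit, 1 << len(wildcard_bits))):
        value = fixed
        for k, bit in enumerate(wildcard_bits):  # spread n over the wildcard positions
            if (n >> k) & 1:
                value |= 1 << bit
        out.append(str(ipaddress.IPv4Address(value)))
    return out


if __name__ == "__main__":
    obj = "10.132.1.1/0.0.2.255"       # the object from the text
    for cand in ["10.132.1.156", "10.132.3.77", "10.132.2.5", "10.133.1.1"]:
        print(cand, "matches" if wildcard_match(obj, cand) else "does not match")
    print(match_count(obj), "addresses covered, e.g.", expand(obj, 4))
```

Note that 0.0.2.255 leaves the low bit of the third octet fixed, so 10.132.2.x is excluded while 10.132.1.x and 10.132.3.x are both covered.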
The following snippets of an IP address and wildcard mask illustrate how they yield four matches:
After you Create an Address Object:
● You can reference an address object of type IP Netmask, IP Range, or FQDN in a policy rule for Security, Authentication, NAT, NAT64, Decryption, DoS Protection, Policy-Based Forwarding (PBF), QoS, Application Override, or Tunnel Inspection; or in a NAT address pool, VPN tunnel, path monitoring, external dynamic list, Reconnaissance Protection, ACC global filter, log filter, or custom report log filter.
● You can reference an address object of type IP Wildcard Mask only in a Security policy rule.

2.1.3 Static groups versus dynamic groups
To simplify the creation of Security policies, addresses that require the same security settings can be combined into address groups. In PAN-OS, you create address objects, which can then be organized into address groups. The most common method is a static address group; a dynamic address group adds some ease of management along with scalability.
Static address group
A static address group can include static address objects, dynamic address groups, or a combination of both.
Dynamic address group
A dynamic address group populates its members dynamically using lookups for tags and tag-based filters. Dynamic address groups are very useful if you have an extensive virtual infrastructure in which changes in virtual system location or IP address are frequent. For example, you have a sophisticated failover setup, or you provision new virtual systems frequently and would like to apply policy to all the traffic from or to the new system without modifying the configuration or rules on the firewall. Dynamic address groups can also include statically defined address objects.
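How a dynamic address group resolves its members from tags, as an added example that is not from the study guide or PAN-OS. The address objects, registered IP-tag pairs and match criteria are constructed; the criteria syntax modelled here (quoted tags joined with and/or/not and parentheses) follows the form PAN-OS uses for dynamic address group match criteria, and the evaluator is this example's own.

```python
"""Dynamic address group membership from tags (added example).

Every address whose tags satisfy the group's match criteria becomes a
member, whether it comes from a statically defined address object or from
a dynamically registered IP-tag pair.
"""
import re

# Constructed static address objects: name -> (address, tags).
STATIC_OBJECTS = {
    "web-01": ("10.1.1.10", {"web", "prod"}),
    "db-01": ("10.1.2.20", {"db", "prod"}),
    "web-dev": ("10.9.1.10", {"web", "dev"}),
}
# Constructed IP-tag registrations, as a VM monitor or the API would supply.
REGISTERED_IPS = {
    "10.1.1.11": {"web", "prod"},
    "10.1.1.12": {"web", "prod", "decommissioned"},
}

TOKEN = re.compile(r"\s*(\(|\)|'[^']*'|and|or|not)\s*")


def tokenize(criteria: str) -> list:
    pos, tokens = 0, []
    while pos < len(criteria):
        m = TOKEN.match(criteria, pos)
        if not m:
            raise ValueError(f"bad match criteria near: {criteria[pos:]!r}")
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


def matches(criteria: str, tags: set) -> bool:
    """Evaluate a match-criteria string against one object's tag set.

    Grammar: expr := term ('or' term)*; term := factor ('and' factor)*;
    factor := 'not' factor | '(' expr ')' | quoted tag.
    """
    tokens = tokenize(criteria)
    i = 0

    def expr():
        nonlocal i
        v = term()
        while i < len(tokens) and tokens[i] == "or":
            i += 1
            v = term() or v          # both sides always consumed
        return v

    def term():
        nonlocal i
        v = factor()
        while i < len(tokens) and tokens[i] == "and":
            i += 1
            v = factor() and v
        return v

    def factor():
        nonlocal i
        tok = tokens[i]
        i += 1
        if tok == "not":
            return not factor()
        if tok == "(":
            v = expr()
            if i >= len(tokens) or tokens[i] != ")":
                raise ValueError("unbalanced parentheses")
            i += 1
            return v
        if tok.startswith("'"):
            return tok.strip("'") in tags
        raise ValueError(f"unexpected token {tok!r}")

    result = expr()
    if i != len(tokens):
        raise ValueError("trailing tokens in match criteria")
    return result


def resolve_members(criteria: str) -> set:
    """All addresses, static or registered, whose tags satisfy the criteria."""
    members = {addr for addr, tags in STATIC_OBJECTS.values()
               if matches(criteria, tags)}
    members |= {ip for ip, tags in REGISTERED_IPS.items()
                if matches(criteria, tags)}
    return members


if __name__ == "__main__":
    print(sorted(resolve_members("'web' and 'prod' and not 'decommissioned'")))
```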
If you create an address object and apply the same tags that are assigned to a dynamic address group, the dynamic address group will include all of the static and dynamic objects that match the tags. You can therefore use tags to place both dynamic and static objects in the same address group.

2.1.4 References
● Use Tags to Group and Visually Distinguish Objects, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-tags-to-group-and-visually-distinguish-objects
● Create and Apply Tags, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-tags-to-group-and-visually-distinguish-objects/create-and-apply-tags
● Address Objects, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-address-object-to-represent-ip-addresses/address-objects
● Objects > Address Groups, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-address-groups

2.2 Create and maintain services and service groups
Services
When you define Security policies for specific applications, you can select one or more services to limit the port numbers that the applications can use. The default service is any, which allows all the TCP and UDP ports. The HTTP and HTTPS services are predefined, but you can add additional service definitions. Services that are often assigned together can be combined into service groups to simplify the creation of Security policies. Additionally, you can use service objects to specify service-based session timeouts. This means that you can apply different timeouts to different user groups even when those groups use the same TCP or UDP service; or, if you are migrating from a port-based Security policy with custom applications to an application-based Security policy, you can easily maintain your custom application timeouts.
The following table describes the service settings:
SERVICE SETTING: DESCRIPTION
Name: Enter the service name (up to 63 characters). This name appears in the services list when defining Security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Description: Enter a description for the service (up to 1,023 characters).
Shared: Select this option if you want the service object to be available to:
● Every vsys on a multi-vsys firewall. If you clear this selection, the service object will be available only to the Virtual System selected in the Objects tab.
● Every device group on Panorama. If you clear this selection, the service object will be available only to the Device Group selected in the Objects tab.
Disable Override (Panorama only): Select this option to prevent administrators from overriding the settings of this service object in the device groups that inherit the object. This selection is cleared by default, which means that administrators can override the settings for any device group that inherits the object.
Protocol: Select the protocol used by the service, TCP or UDP.
Destination Port: Enter the destination port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The destination port is required.
Source Port: Enter the source port number (0 to 65535) or range of port numbers (port1-port2) used by the service. Multiple ports or ranges must be separated by commas. The source port is optional.
Session Timeout: Define the session timeout for the service:
● Inherit from application (default) — No service-based timeouts are applied; the application timeout is applied.
● Override — Define a custom session timeout for the service. Continue to populate the TCP Timeout, TCP Half Closed, and TCP Time Wait fields.
The following settings display only if you choose to override application timeouts and create custom session timeouts for a service:
SERVICE SETTING: DESCRIPTION
TCP Timeout: Set the maximum length of time in seconds that a TCP session can remain open after data transmission has started. When this time expires, the session closes. The range is 1 - 604800. The default value is 3600 seconds.
TCP Half Closed: Set the maximum length of time in seconds that a session remains open when only one side of the connection has attempted to close the connection. This setting applies to:
● The time period after the firewall receives the first FIN packet (indicating that one side of the connection is attempting to close the session) but before it receives the second FIN packet (indicating that the other side of the connection is closing the session).
● The time period before receiving an RST packet (indicating an attempt to reset the connection).
If the timer expires, the session closes. The range is 1 - 604800. The default value is 120 seconds.
TCP Time Wait: Set the maximum length of time in seconds that a session remains open after the firewall receives the second of the two FIN packets required to terminate the session, or after it receives an RST packet. When this time expires, the session closes.

Service groups
To simplify the creation of Security policies, you can categorize the services that have the same security settings into service groups. The following table describes the service group settings:
SERVICE GROUP SETTING: DESCRIPTION
Name: Enter the service group name (up to 63 characters). This name appears in the services list when defining Security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared: Select this option if you want the service group to be available to:
● Every vsys on a multi-vsys firewall. If you clear this selection, the service group will be available only to the Virtual System selected in the Objects tab.
● Every device group on Panorama. If you clear this selection, the service group will be available only to the Device Group selected in the Objects tab.
Disable Override (Panorama only): Select this option to prevent administrators from overriding the settings of this service group in the device groups that inherit the object. This selection is cleared by default, which means that administrators can override the settings for any device group that inherits the object.
Service: Click Add to add services to the group. Select from the drop-down list, or click Service at the bottom of the drop-down list and specify the settings.

2.2.1 References
● Objects > Services, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-services
● Objects > Service Groups, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-service-groups

2.3 Create and maintain external dynamic lists
An external dynamic list (EDL) is a text file that is hosted on an external web server. The firewall uses this text file to import the following objects:
● IP addresses
● URLs
● Domains
This arrangement allows the firewall to enforce a policy based on the entries in the text file. As you update the list, the firewall dynamically imports the list and enforces the policy without the need for a configuration change or a commit. The firewall supports the following types of external dynamic lists:
● Predefined IP address
● IP address
● Domain
● URL
You can add a maximum of 30 custom EDLs on your firewall. The EDL limit does not apply to Panorama.
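What a loader for an IP-address type EDL has to do with the hosted text file, as an added example that is not from the study guide or PAN-OS. The list text is constructed inline the way a file on the EDL web server would look; the accepted entry forms (single address, CIDR prefix, hyphenated range, '#' comments) are an assumption based on the formatting guidelines the next section references, and the function names are this example's own.

```python
"""Parse and check an IP-address external dynamic list (added example).

Blank lines and '#' comments are ignored. A line the loader cannot parse is
reported rather than silently dropped, because a bad entry in a blocklist
means a host you expected to be denied is not.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample of the hosted text file.
SAMPLE_EDL = """\
# blocklist v3 (constructed sample)
192.0.2.10
198.51.100.0/24
203.0.113.5-203.0.113.20   # a range, comment after the entry
2001:db8::/32

not-an-address
10.0.0.300
"""


@dataclass
class EdlParseResult:
    networks: list = field(default_factory=list)   # IPv4Network / IPv6Network
    invalid: list = field(default_factory=list)    # (line_number, raw text)


def _parse_entry(text: str) -> list:
    """Return ip_network objects for one entry, or raise ValueError."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        if lo.version != hi.version or lo > hi:
            raise ValueError("bad range")
        return list(ipaddress.summarize_address_range(lo, hi))
    # strict=False so a host address with a prefix (10.1.2.3/24) is accepted
    # as its containing network rather than rejected.
    return [ipaddress.ip_network(text, strict=False)]


def parse_ip_edl(body: str) -> EdlParseResult:
    """Parse the list text, collecting unparsable lines instead of aborting."""
    result = EdlParseResult()
    for lineno, raw in enumerate(body.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop comments
        if not entry:
            continue
        try:
            result.networks.extend(_parse_entry(entry))
        except ValueError:
            result.invalid.append((lineno, raw.strip()))
    return result


def is_listed(result: EdlParseResult, address: str) -> bool:
    """Would traffic to/from this address match a rule that references the EDL?"""
    ip = ipaddress.ip_address(address)
    return any(ip.version == n.version and ip in n for n in result.networks)


if __name__ == "__main__":
    parsed = parse_ip_edl(SAMPLE_EDL)
    print(len(parsed.networks), "networks loaded; rejected lines:", parsed.invalid)
    for probe in ["198.51.100.77", "203.0.113.21", "2001:db8:1::1"]:
        print(probe, "listed" if is_listed(parsed, probe) else "not listed")
```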
Built-in EDLs
An active Threat Prevention license is required to obtain the built-in EDLs of Palo Alto Networks. These built-in EDLs protect networks against malicious hosts. Built-in EDLs include the following:
● Palo Alto Networks Bulletproof IP Addresses
● Palo Alto Networks High-Risk IP Addresses
● Palo Alto Networks Known Malicious IP Addresses
With the Threat Prevention license, the firewall receives updates for these feeds in content updates. You cannot modify the contents of built-in EDLs.

2.3.1 References
● Formatting Guidelines for an External Dynamic List, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/formatting-guidelines-for-an-external-dynamic-list
● Built-in External Dynamic Lists, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/built-in-edls

2.4 Configure and maintain application filters and application groups

2.4.1 When to use filters versus groups
Application filters
An administrator can dynamically categorize multiple applications into an application filter based on the attributes Category, Subcategory, Tags, Risk, and Characteristic. For example, to allow all the audio streaming applications, you could create an application filter that includes the subcategory audio-streaming, which automatically adds to the filter every application in the App-ID database that is subcategorized as audio-streaming. The filter is then added as an application to a Security policy rule. Application filters simplify the process of ensuring that all the applications that meet the chosen attributes are added to a Security policy automatically.
You can configure an application filter for a group of applications based on their assigned application tags. Palo Alto Networks now assigns one or more predefined tags to applications in the App-ID database.
You also can create and assign your own custom tag to an application. You can build an application filter by using these tags and then use the application filter in policy rules to control access to the applications. If application tags that are part of an application filter are updated, policy could begin to treat such applications differently.
Application groups
An administrator can manually categorize multiple applications into an application group based on App-IDs. This application group can then be added to one or more Security policy rules as required, which streamlines firewall administration. Instead of a firewall administrator individually adding different applications to a Security policy, only the application group needs to be added to the policy. Application groups are often used to simplify Security, QoS, and PBF policy rule implementation.
Nesting application groups and filters
An administrator can nest application groups and filters. Multiple applications and application filters can be combined into an application group. One or more application groups can also be combined into one application group. The final application group can then be added to a Security policy rule.

2.4.2 The purpose of application characteristics as defined in the App-ID database
All applications in the App-ID database are defined by six properties:
PROPERTY: DEFINITION
Category: Generates the Top Ten Application Categories chart within the Application Command Center (ACC) and is available for filtering.
Subcategory: Also generates the Top Ten Application Categories chart within the ACC and is available for filtering.
Technology: The technology most closely associated with the application.
Parent App: Specifies a parent application for this application.
This setting applies when a session matches both the parent and custom applications; however, the custom application is reported because it is more specific.
Risk: Specifies a relative risk rating from 1 to 5, with 5 being the most risky.
Characteristics: Identifies some application property or behavior, such as certified for FedRAMP, can be used for evasion, can use excessive bandwidth, and so on.
Application characteristics
All of the applications in the App-ID database are defined by the characteristics shown in the image below:

2.4.3 References
● Objects > Application Filters, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-web-interface-help/objects/objects-application-filters
● Objects > Application Groups, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/objects/objects-application-groups

Domain 3: Policy Evaluation and Management

3.1 Develop the appropriate application-based Security policy

3.1.1 Create an appropriate App-ID rule
To enable applications safely, you must classify all of the traffic, across all the ports, all the time. With App-ID, the only applications that are typically classified as unknown traffic (unknown-tcp, unknown-udp, or non-syn-tcp) in the ACC and the Traffic logs are commercially available applications that have not yet been added to App-ID, internal or custom applications on your network, or potential threats. To ensure that internal custom applications do not show up as unknown traffic, you need to create a custom application. You can then exercise granular policy control over these applications to minimize the range of unidentified traffic on the network, thereby reducing the attack surface. Creating a custom application also identifies the application correctly in the ACC and Traffic logs, which enables you to audit and report on the applications on the network.
3.1.2 Rule shadowing
A shadow-rule warning indicates that a broader rule matching the same criteria is configured above a more specific rule. The following screenshot shows that no traffic will ever match the second rule, which specifically allows Skype and Dropbox, because all of the applications have already been allowed by the first rule. Rule 2’s “skype” shadows rule 3’s “skype.”

3.1.3 Group rules by tag
View the policy rulebase as tag groups to visually group rules based on the tagging structure you created. In this view, you can easily perform operational procedures such as adding, deleting, and moving the rules in the selected tag group. Viewing the rulebase as tag groups maintains the rule evaluation order, and a single tag might appear multiple times throughout the rulebase to visually preserve the rule hierarchy. You must create the tag before you can assign it as a group tag on a rule. Policy rules that are already tagged on upgrade to PAN-OS 9.0 have their first tag automatically assigned as the Group tag. Before upgrading to PAN-OS 9.0, review the tagged rules in the rulebase to ensure the rules are correctly grouped. If the rules are grouped incorrectly after upgrading to PAN-OS 9.0, you need to manually edit each tagged rule and configure the correct Group tag.

3.1.4 The potential impact of App-ID updates to existing Security policy rules
Newly categorized and modified App-IDs can change the way in which the firewall enforces traffic. Review the content update policy to see how new and modified App-IDs impact your Security policy and to easily make any necessary adjustments. You can review the content update policy for both downloaded and installed content.
3.1.5 Policy usage statistics
The policy rule usage data enables you to validate rule additions and rule changes and monitor the time frame in which a rule was used. For example, when you migrate port-based rules to app-based rules, you create an app-based rule above the port-based rule and check for any traffic that matches the port-based rule. After migration, the hit count data helps you determine whether it is safe to remove the port-based rule by confirming that the traffic matches the app-based rule instead of the port-based rule.
The policy rule hit count helps you determine whether a rule is effective for access enforcement. You can reset the rule hit count data to validate an existing rule or gauge rule usage within a specified period of time. Policy rule hit count data is not stored on the firewall or Panorama, so that data is no longer available after you reset (clear) the hit count.
After filtering the policy rulebase, administrators can delete, disable, enable, and tag policy rules directly from the Policy Optimizer. For example, you can filter for unused rules and then tag them for review to determine whether they can be safely deleted or kept in the rulebase. By enabling administrators to take action directly from the Policy Optimizer, you reduce the required management overhead by further simplifying rule lifecycle management and ensuring that the firewalls are not over-provisioned.
3.1.6 References
● Create a Custom Application, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/use-application-objects-in-policy/create-a-custom-application
● View Rules by Tag Group, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-tags-to-group-and-visually-distinguish-objects/view-rules-by-tag-group
● See How New and Modified App-IDs Impact Your Security Policy, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules
● View Policy Rule Usage, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/monitoring/view-policy-rule-usage
3.2 Differentiate specific security rule types
Security rule types
Security policies allow you to enforce rules and take action, and they can be as general or as specific as needed. The list of policy rules is compared from the top down against the incoming traffic. The more specific rules must precede the more general ones because the first rule that matches the traffic is applied. The default rules apply to traffic that doesn't match any user-defined rules. These default rules are displayed at the bottom of the security rulebase. The default rules are predefined rules that are part of the predefined configuration and are read-only by default; you can override them and change a limited number of settings, including the tags, actions (allow or deny), log settings, and security profiles. The names of the two default rules are intrazone-default and interzone-default.
3.2.1 Interzone
(Screenshot: Interzone Default rule displayed at the bottom of the security rulebase)
A Security policy rule allowing traffic between two different zones. However, traffic within the same zone is not allowed when the policy is created as type Interzone.
Interzone rule types apply to all the matching traffic between the specified source and destination zones. For example, if the source zone is set to A, B, and C and the destination zone to A and B, the rule applies to the traffic from zone A to zone B, zone B to zone A, zone C to zone A, and zone C to zone B, but not to the traffic within zones A, B, or C. Traffic logging is not enabled by default. However, best practice is to log the traffic.
3.2.2 Intrazone
(Screenshot: Intrazone Default rule displayed at the bottom of the security rulebase)
A Security policy rule allowing traffic within the same zone. Intrazone rule types apply to all of the matching traffic within the specified source zones (a destination zone cannot be specified for intrazone rules). For example, if the source zone is set to A and B, the rule applies to all the traffic within zone A and all the traffic within zone B, but not to the traffic between zones A and B. Traffic logging is not enabled by default. However, best practice is to log the end-of-session traffic.
3.2.3 Universal
(Screenshot: Universal rules exist above the intrazone and interzone Security policies)
By default, a universal rule applies to all the traffic between the specified zones, regardless of whether the source and destination are the same zone or different zones. Universal rule types apply to all the matching interzone and intrazone traffic in the specified source and destination zones. For example, if a universal rule is created with source zones A and B and destination zones A and B, the rule applies to all the traffic within zone A, within zone B, from zone A to zone B, and from zone B to zone A. Traffic logging is enabled by default.
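The rule-type matching described in 3.2 and the shadow-rule warning from 3.1.2, as an added illustration that is not code from the study guide or from PAN-OS: a simplified rulebase model (zones, applications and an action only) with top-down first-match evaluation, the two predefined default rules, and a check that reports rules an earlier rule fully shadows. The actions of the default rules (intrazone-default allows, interzone-default denies) are stated as known PAN-OS behaviour rather than taken from the guide; the rulebase itself is constructed.

```python
"""Security rule types (universal / intrazone / interzone), top-down first-match
evaluation with the two predefined default rules, and a shadow-rule check.
Added illustration, not PAN-OS code: rules carry only zones, applications and
an action, so services, users and addresses are deliberately left out."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ANY = frozenset({"any"})


def covers(wide: FrozenSet[str], narrow: FrozenSet[str]) -> bool:
    """True when every value in `narrow` is also matched by `wide`."""
    return wide == ANY or (narrow != ANY and narrow <= wide)


@dataclass(frozen=True)
class Rule:
    name: str
    rule_type: str               # "universal", "intrazone" or "interzone"
    src_zones: FrozenSet[str]
    dst_zones: FrozenSet[str]    # not used by intrazone rules (no destination zone)
    apps: FrozenSet[str]
    action: str                  # "allow" or "deny"

    def effective_dst(self) -> FrozenSet[str]:
        """Intrazone rules only match traffic that stays within their source zones."""
        return self.src_zones if self.rule_type == "intrazone" else self.dst_zones

    def zones_match(self, src: str, dst: str) -> bool:
        in_src = self.src_zones == ANY or src in self.src_zones
        in_dst = self.effective_dst() == ANY or dst in self.effective_dst()
        if not (in_src and in_dst):
            return False
        if self.rule_type == "intrazone":
            return src == dst
        if self.rule_type == "interzone":
            return src != dst
        return True                # universal: both inter- and intrazone traffic

    def matches(self, src: str, dst: str, app: str) -> bool:
        return self.zones_match(src, dst) and covers(self.apps, frozenset({app}))


# The predefined rules at the bottom of every rulebase.  Their actions
# (intrazone-default allows, interzone-default denies) are PAN-OS behaviour,
# not something the guide states.
DEFAULT_RULES = [
    Rule("intrazone-default", "intrazone", ANY, ANY, ANY, "allow"),
    Rule("interzone-default", "interzone", ANY, ANY, ANY, "deny"),
]


def evaluate(rulebase: List[Rule], src: str, dst: str, app: str) -> Optional[Tuple[str, str]]:
    """Top-down, first match wins; the default rules catch everything else."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if rule.matches(src, dst, app):
            return rule.name, rule.action
    return None


def type_covers(wide: str, narrow: str) -> bool:
    return wide == "universal" or wide == narrow


def shadowed_rules(rulebase: List[Rule]) -> List[Tuple[str, str]]:
    """(shadowed rule, shadowing rule) pairs: a later rule is shadowed when an
    earlier rule already matches every session the later rule describes."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (type_covers(earlier.rule_type, later.rule_type)
                    and covers(earlier.src_zones, later.src_zones)
                    and covers(earlier.effective_dst(), later.effective_dst())
                    and covers(earlier.apps, later.apps)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed rulebase: the two allow rules reproduce the shadowing screenshot
# (the first allows any application, so the second can never match); the third
# is the interzone example with source zones A, B, C and destination zones A, B.
RULEBASE = [
    Rule("allow-all-outbound", "universal", frozenset({"trust"}), frozenset({"untrust"}), ANY, "allow"),
    Rule("allow-skype-dropbox", "universal", frozenset({"trust"}), frozenset({"untrust"}),
         frozenset({"skype", "dropbox"}), "allow"),
    Rule("abc-interzone", "interzone", frozenset({"A", "B", "C"}), frozenset({"A", "B"}),
         frozenset({"web-browsing"}), "allow"),
]

if __name__ == "__main__":
    print(shadowed_rules(RULEBASE))   # [('allow-skype-dropbox', 'allow-all-outbound')]
    for flow in [("C", "A"), ("A", "B"), ("A", "A"), ("B", "C")]:
        print(flow, evaluate(RULEBASE, *flow, "web-browsing"))
```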
3.2.4 References
● Universal, Intrazone and Interzone Rules, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC
3.3 Configure security policy match conditions, actions, and logging options
3.3.1 Application filters and groups
Application filter
An application filter is an object that dynamically groups applications based on defined attributes, such as category, subcategory, technology, risk factor, and characteristic. This is useful when you want to enable safe access to applications that you do not explicitly sanction but want users to access. For example, you may want to enable employees to choose their office programs, such as Evernote, Google Docs, or Microsoft Office 365, for business use. To enable these types of applications safely, you can create an application filter that matches the business-systems category and the office-programs subcategory. As new applications and office programs emerge and new App-IDs get created, these applications automatically match the filter you define; you do not need to make any additional changes to the policy rulebase for safely enabling any application that matches the attributes defined for the filter.
Application group
An application group is an object that contains the applications that you want to treat similarly in the policy. Application groups are useful for enabling access to the applications that you explicitly sanction for use within the organization. Grouping sanctioned applications simplifies the administration of your rulebases. Instead of updating individual policy rules whenever there is a change in the applications you support, you can update only the affected application groups. When deciding how to group applications, consider how to enforce access to sanctioned applications and create an application group that aligns with each policy goal.
For example, some applications should be accessible only to your IT administrators, while other applications should be available to any known user in the organization. In this case, you create separate application groups for each policy goal. Although you generally want to enable access to applications only on the default port, you might want to group applications that are an exception to this and enforce access to those applications in a separate rule.
3.3.2 Logging options
You can configure the firewall to forward all or some log entries to external services. Forwarding firewall logs to your Panorama enables centralized collection and analysis of logs. Forwarding firewall logs to a syslog server enables off-firewall storage and backup, and centralized log analysis. For critical firewall events such as the failure of a data plane interface or a critical threat, you can forward log entries to an email server. You also can forward log entries to an HTTP server. If the HTTP server has an API that can parse the log entries, you can configure the HTTP server to take an action based on a firewall event. The firewall can also forward log entries to cloud-based Cortex Data Lake. Cortex Data Lake enables you to aggregate, view, and analyze log data from many firewalls at the same time.
The firewall can work with an SNMP server that supports GET and TRAP operations. An SNMP server can issue GET requests to the firewall that return operational statistics information. PAN-OS software does not support the use of SNMP SET requests to configure a firewall. Before your SNMP server can work with the firewall, you must load generic enterprise and PAN-OS MIBs on the SNMP server.
Before you can forward log entries to an external service, you must configure the firewall with the connection information of the server.
Use a Server Profile to configure a firewall with the necessary information to connect to the external service. You can configure the firewall to use UDP, TCP, or SSL to connect to an external syslog server. The firewall can format the log entries according to the BSD or the IETF standards. The Custom Log Format tab enables you to configure custom syslog formats that enable the firewall to work with many different syslog vendor solutions.
A Log Forwarding Profile is also required to enable log forwarding to an external service. A Log Forwarding Profile configures which logs or log entries to forward to which external services and does not have to forward all logs to the same service. After a Log Forwarding Profile is created, you must apply it to either a Security policy rule or a security zone. If you name a Log Forwarding Profile default, that profile will be selected automatically for the Log Forwarding setting when a new Security policy rule is created. A profile named default also will be selected automatically as the Log Setting when a new security zone is created. In either case, you can override the default profile by selecting another profile.
3.3.3 App-ID
App-ID, a patented traffic-classification system available only in Palo Alto Networks firewalls, determines what an application is, irrespective of port, protocol, encryption (SSH or SSL), or any other evasive tactic used by the application. App-ID applies multiple classification mechanisms—application signatures, application protocol decoding, and heuristics—to the network traffic stream to accurately identify applications. Here's how App-ID identifies applications traversing a network:
● Traffic is matched against policy to check if it is allowed on the network.
● Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics.
The signature also determines whether the application is being used on its default port or is using a non-standard port. If the traffic is allowed by policy, the traffic is scanned for threats and further analyzed to identify the application more granularly.
● If App-ID determines that encryption (SSL or SSH) is in use and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
● Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger is used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications, such as SIP and FTP.
● For particularly evasive applications that cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis might be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application; for example—block, or allow and scan for threats, inspect for unauthorized file transfer and data patterns, or shape using QoS.
3.3.4 User-ID
User-ID helps identify users on a network, through various techniques, to ensure that all the users across all the locations using different access methods and operating systems, including Microsoft Windows, Apple iOS, Mac OS, Android, and Linux/UNIX, are identified. Knowing who your users are instead of just their IP addresses ensures the following:
● Visibility — Improved visibility into user-based application usage gives a more relevant picture of network activity. The power of User-ID becomes evident when you notice a strange or unfamiliar application on the network.
Using either ACC or the log viewer, the security team can identify and discern the application, the user, the bandwidth and session consumption, the source and destination of the application traffic, and any associated threats.
● Policy control — Tying user information to Security policy rules improves the safe enablement of applications traversing the network and ensures that only users who have a business need for an application get access. For example, some applications, such as the SaaS applications that enable access to Human Resources services (for example, Workday or ServiceNow), must be available to any known user on your network. However, for more sensitive applications, you can reduce the attack surface by ensuring that only users who need these applications can access them. For example, while IT support personnel may legitimately need access to remote desktop applications, the majority of users do not.
● Logging, reporting, forensics — If a security incident occurs, forensics analysis and reporting based on user information rather than just IP addresses provides a more complete picture of the incident. For example, you can use the predefined User/Group Activity report to see a summary of the web activity of individual users or user groups, or you can see the SaaS Application Usage report to see which users are transferring the most data over unsanctioned SaaS applications.
To enforce user- and group-based policies, the firewall must be able to map the IP addresses in the packets it receives to usernames. User-ID provides many mechanisms to collect this User Mapping information. For example, the User-ID agent monitors server logs for login events and listens for syslog messages from authenticating services. To identify mappings for the IP addresses that the agent didn't map, you can configure an Authentication Policy to redirect HTTP requests to an Authentication Portal login.
You can tailor the user mapping mechanisms to suit your environment and even use different mechanisms at different sites to ensure safe access to applications for all of the users, across all the locations, all the time.
To enable user- and group-based policy enforcement, the firewall requires a list of all the available users and their corresponding group memberships so that you can select groups when defining policy rules. The firewall collects Group Mapping information by connecting directly to the LDAP directory server or by using XML API integration with the directory server. User-ID does not work in environments where the source IP addresses of users are subject to NAT translation before the firewall maps the IP addresses to usernames.
3.3.5 Device-ID
By using Device-ID™ on the firewalls, you can get device context for all events on the network, obtain policy rule recommendations for those devices, write policy rules based on devices, and enforce security policy based on the recommendations. Similar to how User-ID provides user-based policy and App-ID provides app-based policy, Device-ID provides policy rules based on a device, regardless of any changes to its IP address or location. By providing traceability for devices and associating network events with specific devices, Device-ID allows you to gain context for how events relate to devices and write policies that are associated with devices, instead of with users, locations, or IP addresses, which can change over time. You can use Device-ID in Security, Decryption, QoS, and Authentication policies.
For Device-ID features to be available on a firewall, you must purchase an IoT Security subscription and select the firewall during the IoT Security onboarding process.
The two types of IoT Security subscriptions are as follows:
● IoT Security Subscription
● IoT Security – Doesn't Require Data Lake (DRDL) Subscription
With the first subscription, firewalls send data logs to the logging service, which streams them to IoT Security for analysis and to a Cortex Data Lake instance for storage. The data lake instance can either be a new or existing one. With the second subscription, firewalls send data logs to the logging service, which streams them to IoT Security for analysis but not to a Cortex Data Lake instance for storage. It's important to note that both IoT Security and IoT Security (DRDL) subscriptions provide the same functionality in terms of IoT Security and Device-ID.
3.3.6 Application filter in policy
Application filters are useful when you want to enable access to applications that match filter criteria rather than match specific application names. Application filters may be used as a match condition within your Security policy rules.
3.3.7 Application group in policy
Unlike the dynamic list of applications in an application filter, an application group is a static, administrator-defined set of applications. Application groups enable you to create a logical grouping of applications that can be applied to Security and QoS policy rules. An application group is used when you want to treat a set of applications similarly in a policy. Application groups ultimately simplify administration of your rulebases. Instead of adding the same list of applications to multiple rules, you can create an application group and add the group to multiple rules. You must still issue a firewall commit after updating an application group.
3.3.8 EDLs
An external dynamic list (EDL) is a text file that is hosted on an external web server so that the firewall can import objects—IP addresses, URLs, domains—included in the list and enforce policy.
To enforce policy on the entries included in the external dynamic list, you must reference the list in a supported policy rule or profile. When multiple lists are referenced, you can prioritize the order of evaluation to ensure that the most important EDLs are committed before capacity limits are reached. As you modify the list, the firewall dynamically imports the list at the configured interval and enforces policy without making a configuration change or a commit on the firewall. If the web server is unreachable, the firewall uses the last successfully retrieved list to enforce policy until the connection is restored with the web server. In cases where authentication to the EDL fails, the security policy stops enforcing the EDL. To retrieve the external dynamic list, the firewall uses the interface configured with the Palo Alto Networks Services service route.
The firewall retains the last successfully retrieved EDL and continues operating with the most current EDL information until connection is restored with the server hosting the EDL if:
● You upgrade or downgrade the firewall.
● You reboot the firewall, management plane, or data plane.
● The server hosting the EDL becomes unreachable.
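The EDL refresh behaviour described in 3.3.8 (scheduled re-import, last good copy kept while the server is unreachable, enforcement stopped when authentication fails), as an added illustration that is not code from the study guide or from PAN-OS. The accepted entry formats for an IP-address list, the skipping of malformed lines, and the sample list and scripted server are assumptions and constructed data.

```python
"""External dynamic list (EDL) handling modelled on the behaviour described
above: the list is re-imported on a schedule, the last successfully retrieved
copy stays in force while the web server is unreachable, and an authentication
failure stops enforcement of the list.  Added illustration, not PAN-OS code;
the accepted entry formats and the handling of malformed lines are assumptions."""
import ipaddress
from typing import Callable, List, Optional


class EdlFetchError(Exception):
    """The EDL server could not be reached (or returned a server error)."""


class EdlAuthError(Exception):
    """The EDL server rejected the firewall's credentials."""


def parse_ip_edl(text: str) -> List[str]:
    """Parse an IP-address list: one entry per line (address, CIDR block or
    'start-end' range); '#' begins a comment; malformed lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            if "-" in line:
                lo, hi = (ipaddress.ip_address(p.strip()) for p in line.split("-", 1))
                if lo.version != hi.version or lo > hi:
                    raise ValueError("invalid range")
                entries.append(f"{lo}-{hi}")
            else:
                entries.append(str(ipaddress.ip_network(line, strict=False)))
        except ValueError:
            continue  # assumption: one bad line does not invalidate the whole list
    return entries


class ExternalDynamicList:
    def __init__(self, name: str, source_url: str, fetcher: Callable[[str], str]):
        self.name, self.source_url, self._fetch = name, source_url, fetcher
        self.entries: List[str] = []          # the copy currently enforced by policy
        self.last_error: Optional[str] = None

    def refresh(self) -> bool:
        """One scheduled retrieval; True when a fresh copy was loaded."""
        try:
            text = self._fetch(self.source_url)
        except EdlAuthError as exc:
            self.entries = []                 # auth failure: the list is no longer enforced
            self.last_error = f"auth: {exc}"
            return False
        except EdlFetchError as exc:
            self.last_error = f"fetch: {exc}"  # unreachable: keep the last good copy
            return False
        self.entries, self.last_error = parse_ip_edl(text), None
        return True

    def contains(self, ip: str) -> bool:
        """Would a packet with this address match a rule that references the list?"""
        addr = ipaddress.ip_address(ip)
        for entry in self.entries:
            if "-" in entry:
                lo, hi = (ipaddress.ip_address(p) for p in entry.split("-"))
                if lo.version == addr.version and lo <= addr <= hi:
                    return True
            elif addr in ipaddress.ip_network(entry):
                return True
        return False


# Constructed sample list (documentation ranges only) and a stand-in server that
# answers once, is then unreachable, and finally rejects the credentials.
SAMPLE_EDL = """# constructed block list
203.0.113.10
198.51.100.0/24   # whole subnet
192.0.2.5-192.0.2.9
not-an-address
"""


def scripted_server(responses):
    """Fetcher that plays `responses` back in order; an exception instance is raised."""
    queue = list(responses)

    def fetch(url: str) -> str:
        item = queue.pop(0)
        if isinstance(item, Exception):
            raise item
        return item
    return fetch


def demo():
    edl = ExternalDynamicList("blocklist", "https://edl.example.invalid/block.txt",
                              scripted_server([SAMPLE_EDL, EdlFetchError("connection refused"),
                                               EdlAuthError("401 Unauthorized")]))
    first = edl.refresh()                      # True: list loaded
    second = edl.refresh()                     # False, but the first copy stays in force
    during_outage = edl.contains("192.0.2.7")  # True
    third = edl.refresh()                      # False: credentials rejected, enforcement stops
    return first, second, during_outage, third, edl.contains("192.0.2.7")
```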
The firewall supports the following types of EDLs:
● Predefined IP Address
● Predefined URL List
● IP Address
● Domain
3.3.9 References
● Forward traffic logs to a syslog server, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRxCAK
● Create an Application Filter, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-filter
● How to Block Traffic Based on Application Filters with an Exception, https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXfCAK
● Create an Application Group, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/use-application-objects-in-policy/create-an-application-group
● HTTP Header Logging, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/http-header-logging
● App-ID Overview, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/app-id/app-id-overview#idf38e43a6-446e-49e2-b652-6b1817df22b5
● User-ID Overview, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/user-id-overview
● Device-ID Overview, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/device-id/device-id-overview
● External Dynamic List, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-an-external-dynamic-list-in-policy/external-dynamic-list
3.4 Identify and implement proper NAT policies
3.4.1 Destination
Destination NAT (DNAT) is performed on incoming packets when the firewall translates a destination address to a different destination address; for example, it translates a public destination address into a private destination address. Destination NAT also offers the option to perform port forwarding or port translation. Destination NAT allows static and dynamic translation:
● Static IP — You can configure a one-to-one, static translation in several formats.
You can specify the original packet to have a single destination IP address, a range of IP addresses, or an IP netmask—as long as the translated packet is in the same format and specifies the same number of IP addresses. The firewall statically translates an original destination address to the same translated destination address each time. That is, if there is more than one destination address, the firewall translates the first destination address configured for the original packet to the first destination address configured for the translated packet and translates the second original destination address configured to the second translated destination address configured, and so on, always using the same translation.
If you use destination NAT to translate a static IPv4 address, you might also use DNS services on one side of the firewall to resolve FQDNs for a client on the other side. When the DNS response containing the IPv4 address traverses the firewall, the DNS server provides an internal IP address to an external device, or vice versa. Beginning with PAN-OS 9.0.2 and in later 9.0 releases, you can configure the firewall to rewrite the IP address in the DNS response (that matches the rule) so that the client receives the appropriate address to reach the destination service.
● Dynamic IP (with session distribution) — Destination NAT allows you to translate the original destination address to a destination host or server that has a dynamic IP address, meaning an address object that uses an FQDN, which can return multiple addresses from DNS. Dynamic IP (with session distribution) only supports IPv4 addresses. Destination NAT using a dynamic IP address is especially helpful in cloud deployments that use dynamic IP addressing.
If the translated destination address resolves to more than one address, the firewall distributes the incoming NAT sessions among multiple addresses to provide improved session distribution. Distribution is based on one of several methods: round robin (the default method), source IP hash, IP modulo, IP hash, or least sessions. If a DNS server returns more than 32 IPv4 addresses for an FQDN, the firewall uses the first 32 addresses in the packet. Using Dynamic IP (with session distribution) allows you to translate multiple pre-NAT destination IP addresses M to multiple post-NAT destination IP addresses N. A many-to-many translation implies that M x N destination NAT translations use a single NAT rule.
For destination NAT, the best practice is to:
● Use Static IP address translation for static IP addresses, which allows the firewall to check and ensure that the number of original destination IP addresses equals the number of translated destination IP addresses.
● Use Dynamic IP (with session distribution) address translation only for FQDN-based dynamic addresses (the firewall does not perform an IP address number check).
3.4.2 Source
Source NAT is typically used by internal users to access the internet; the source address is translated and thereby kept private. The three types of source NAT are as follows:
● Dynamic IP and Port (DIPP) — Allows multiple hosts to have their source IP addresses translated to the same public IP address with different port numbers. The dynamic translation is to the next available address in the NAT address pool, which you configure as a Translated Address pool to an IP address, range of addresses, a subnet, or a combination of these. As an alternative to using the next address in the NAT address pool, DIPP allows you to specify the address of the Interface itself. The advantage of specifying the interface in the NAT rule is that the NAT rule will be automatically updated to use any address subsequently acquired by the interface.
DIPP is sometimes referred to as interface-based NAT or network address port translation (NAPT). DIPP has a default NAT oversubscription rate, which is the number of times the same translated IP address and port pair can be used concurrently.
● Dynamic IP — Allows the one-to-one, dynamic translation of a source IP address only (no port number) to the next available address in the NAT address pool. The size of the NAT pool should be equal to the number of internal hosts that require address translations. By default, if the source address pool is larger than the NAT address pool and eventually all of the NAT addresses are allocated, new connections that need address translation are dropped. To override this default behavior, use Advanced (Dynamic IP/Port Fallback) to enable the use of DIPP addresses when necessary. In either event, as sessions terminate and the addresses in the pool become available, they can be allocated to translate new connections.
● Static IP — Allows the one-to-one, static translation of a source IP address but leaves the source port unchanged. A common scenario for a static IP translation is an internal server that must be available to the internet.
3.4.3 References
● Destination NAT, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/source-nat-and-destination-nat/destination-nat
● Source NAT, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/nat/source-nat-and-destination-nat/source-nat
3.5 Optimize Security policies using appropriate tools
3.5.1 Policy test match tool
Test the policy rules in your running configuration to ensure that your policies appropriately allow and deny traffic and access to applications and websites in compliance with your business needs and requirements.
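The destination NAT translations of 3.4.1 (Static IP one-to-one mapping with the count check, Dynamic IP with session distribution and the 32-address limit), evaluated the way the NAT policy match test just introduced evaluates a from-zone, to-zone, source, destination, port and protocol, as an added illustration that is not code from the study guide or from PAN-OS. The rule fields, the round-robin/least-sessions/source-hash selection (a CRC stands in for the firewall's hash) and the documentation addresses are simplifications and constructed data.

```python
"""Destination NAT lookup modelling section 3.4.1 (Static IP one-to-one
translation with the count check; Dynamic IP with session distribution) and
the NAT policy match test of 3.5.1.  Added illustration, not PAN-OS code: the
rule fields, the selection methods and the addresses are simplified and constructed."""
import ipaddress
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

MAX_DYNAMIC_ADDRESSES = 32   # the firewall uses only the first 32 addresses a DNS answer returns


def expand(spec: str) -> List[str]:
    """Expand one IPv4 address, a CIDR block or a 'start-end' range into addresses."""
    if "-" in spec:
        lo, hi = (int(ipaddress.IPv4Address(p.strip())) for p in spec.split("-", 1))
        return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]
    return [str(a) for a in ipaddress.ip_network(spec, strict=False)]


@dataclass
class DnatRule:
    name: str
    from_zones: frozenset            # pre-NAT source zones
    to_zone: str                     # pre-NAT destination zone
    protocol: str                    # "tcp", "udp" or "any"
    dst_port: Optional[int]          # None matches any destination port
    original_dst: str                # address, CIDR block or range
    translated: Sequence[str]        # Static IP: same count as original; Dynamic IP: DNS answers
    dynamic: bool = False            # True = Dynamic IP (with session distribution)
    method: str = "round-robin"      # or "least-sessions" / "source-ip-hash"
    sessions: Dict[str, int] = field(default_factory=dict)
    _next: int = 0

    def __post_init__(self):
        self.originals = expand(self.original_dst)
        if self.dynamic:
            self.pool = list(self.translated)[:MAX_DYNAMIC_ADDRESSES]   # no count check
        else:
            self.pool = [a for spec in self.translated for a in expand(spec)]
            if len(self.pool) != len(self.originals):
                raise ValueError(f"{self.name}: static DNAT needs {len(self.originals)} "
                                 f"translated addresses, got {len(self.pool)}")

    def matches(self, from_zone, to_zone, destination, dst_port, protocol) -> bool:
        return (from_zone in self.from_zones and to_zone == self.to_zone
                and self.protocol in ("any", protocol)
                and self.dst_port in (None, dst_port)
                and destination in self.originals)

    def translate(self, source: str, destination: str) -> str:
        """Post-NAT destination for one new session."""
        if not self.dynamic:
            # Static: the n-th original address always maps to the n-th translated address.
            return self.pool[self.originals.index(destination)]
        if self.method == "least-sessions":
            chosen = min(self.pool, key=lambda a: self.sessions.get(a, 0))   # first wins ties
        elif self.method == "source-ip-hash":
            # Assumption: a CRC stands in for the firewall's (undocumented) hash.
            chosen = self.pool[zlib.crc32(source.encode()) % len(self.pool)]
        else:                                                                # round robin (default)
            chosen = self.pool[self._next % len(self.pool)]
            self._next += 1
        self.sessions[chosen] = self.sessions.get(chosen, 0) + 1
        return chosen


def nat_policy_match(rules: Sequence[DnatRule], from_zone: str, to_zone: str, source: str,
                     destination: str, dst_port: int, protocol: str) -> Optional[Tuple[str, str]]:
    """What the Test NAT Policy Match tool answers for these inputs: which rule
    matches (top-down, first match wins) and what the post-NAT destination is."""
    for rule in rules:
        if rule.matches(from_zone, to_zone, destination, dst_port, protocol):
            return rule.name, rule.translate(source, destination)
    return None


# Constructed rulebase with documentation addresses.  The dynamic rule's translated
# list plays the part of the DNS answers for an FQDN address object.
RULES = [
    DnatRule("static-web", frozenset({"untrust"}), "untrust", "tcp", 443,
             "203.0.113.10-203.0.113.11", ["10.0.0.10-10.0.0.11"]),
    DnatRule("dynamic-api", frozenset({"untrust"}), "untrust", "tcp", 443,
             "203.0.113.20", ["10.0.1.1", "10.0.1.2", "10.0.1.3"], dynamic=True),
]

if __name__ == "__main__":
    print(nat_policy_match(RULES, "untrust", "untrust", "198.51.100.7", "203.0.113.11", 443, "tcp"))
    for _ in range(4):   # round robin cycles through the three resolved addresses
        print(nat_policy_match(RULES, "untrust", "untrust", "198.51.100.7", "203.0.113.20", 443, "tcp"))
```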
You can test and verify that your policy rules are allowing and denying the correct traffic by executing policy match tests for your firewalls directly from the web interface. This feature is found under Device > Troubleshooting. When you use the feature, you will need to enter the required information to perform the policy match test. As an example, to run a NAT policy match test:
1. Select Test—Select NAT Policy Match.
2. From—Select the zone the traffic is originating from.
3. To—Select the target zone of the traffic.
4. Source—Enter the IP address from which the traffic originated.
5. Destination—Enter the IP address of the target device for the traffic.
6. Destination Port—Enter the port used for the traffic. This port varies depending on the IP protocol used in the following step.
7. Protocol—Enter the IP protocol used for the traffic.
8. If necessary, enter any additional information relevant for your NAT policy rule testing.
Below is an example of a NAT Policy Match Result:
3.5.2 Policy Optimizer
Policy Optimizer provides a simple workflow to migrate your legacy security policy rulebase to an App-ID based rulebase, which improves your security by reducing the attack surface and gaining visibility into applications so you can safely enable them. Policy Optimizer identifies port-based rules so you can convert them to application-based allow rules or add applications from a port-based rule to an existing application-based rule without compromising application availability. It also identifies over-provisioned App-ID based rules (App-ID rules configured with unused applications). Policy Optimizer helps you prioritize which port-based rules to migrate first, identify application-based rules that allow applications you don't use, and analyze rule usage characteristics such as hit count.
Converting port-based rules to application-based rules improves the security posture because you can select applications to allow and also deny all the other applications, therefore eliminating all unwanted and potentially malicious traffic from your network. Combined with restricting application traffic to its default ports (set the Service to application-default), converting to application-based rules also prevents evasive applications from running on non-standard ports.
Use this feature to:
● Migrate port-based rules to application-based rules — Instead of combing through traffic logs and manually mapping applications to port-based rules, use Policy Optimizer to identify port-based rules and list the applications that match each rule, so you can select the applications you want to allow and safely enable them. Converting the legacy port-based rules to application-based allow rules supports your business applications and enables you to block any applications associated with malicious activity.
● Identify over-provisioned application-based rules — Rules that are too broad allow applications you don't use on your network, which increases the attack surface and the risk of inadvertently allowing malicious traffic.
● Add App-ID Cloud Engine (ACE) applications to Security policy rules — If you have a SaaS Security Inline subscription, you can use Policy Optimizer's New App Viewer to manage cloud-delivered App-IDs in security policy. The ACE documentation describes how to use Policy Optimizer to gain visibility into and control the cloud-delivered App-IDs.
3.5.3 References
● Security Policy Rule Optimization, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/app-id/security-policy-rule-optimization
● Test Policy Rules, https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/test-policy-rule-traffic-matches
Domain 4: Securing Traffic
4.1 Compare and contrast different types of Security profiles
4.1.1 Antivirus
Antivirus Security profiles protect against viruses, worms, and Trojans, along with spyware downloads. The Palo Alto Networks antivirus solution uses a stream-based malware prevention engine that inspects traffic the moment the first packet is received to provide protection for clients without significantly impacting the performance of the firewall. This profile scans for a variety of malware in executables, PDF files, HTML, and JavaScript, and it includes support for scanning compressed files and data-encoding schemes. The profile also enables the scanning of decrypted content if decryption is enabled on the firewall.
The default profile inspects all the listed protocol decoders for viruses and generates alerts for the SMTP, IMAP, and POP3 protocols while blocking the FTP, HTTP, and SMB protocols. You can configure the action for a decoder or antivirus signature and specify how the firewall responds to threats, such as Default, Allow, Alert, Drop, Reset Client, Reset Server, and Reset Both. Customized profiles can be used to minimize antivirus inspection for traffic between more trusted security zones. They also can be used to maximize the inspection of traffic received from less-trusted zones, such as the internet, and the traffic sent to highly sensitive destinations such as server farms.
The Palo Alto Networks WildFire system also provides signatures for the persistent threats that are more evasive and have not yet been discovered by other antivirus solutions.
As WildFire discovers threats, signatures are quickly created and then integrated into the standard antivirus signatures, which Threat Prevention subscribers can then download daily (sub-hourly for WildFire subscribers).

4.1.2 Anti-Spyware
Anti-Spyware Security profiles block spyware on compromised hosts from trying to communicate with external command-and-control (C2) servers, thus enabling you to detect malicious traffic leaving the network from infected clients. You can apply various levels of protection between security zones. For example, you might have custom Anti-Spyware profiles that minimize inspection between more trusted zones while maximizing inspection on traffic received from less trusted zones, such as the internet-facing zones. When the firewall is managed by a Panorama management server, the Threat ID is mapped to the corresponding custom threat on the firewall to enable the firewall to generate a threat log populated with the configured custom Threat ID.

4.1.3 Vulnerability Protection
Vulnerability Protection Security profiles stop attempts to exploit system flaws or gain unauthorized access to systems. Anti-Spyware Security profiles identify infected hosts as the traffic leaves the network, but Vulnerability Protection Security profiles protect against threats entering the network. For example, Vulnerability Protection Security profiles protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection Security profile protects clients and servers from all the known critical-, high-, and medium-severity threats. You also can create exceptions that enable you to change the response to a specific signature.

4.1.4 URL Filtering
The URL Filtering Security profile determines web access and credential-submission permissions for each URL category.
By default, site access for all the URL categories is set to “allow” when you create a new URL Filtering Security profile. By default, no allowed traffic will be logged. You can customize the URL Filtering Security profile with custom site access settings for each category, or use the predefined default URL Filtering Security profile on the firewall to allow access to all the URL categories except the following threat-prone categories, which the profile blocks: abused-drugs, adult, gambling, hacking, malware, phishing, questionable, and weapons. For each URL category, select User Credential Submissions to allow or disallow users from submitting valid corporate credentials to a URL in that category. This action will help prevent credential phishing. Management of the sites to which users can submit credentials requires User-ID, and you must first set up credential phishing prevention. URL categories with the Site Access set to “block” automatically are also set to block user credential submissions.

4.1.5 WildFire Analysis
WildFire turns every Palo Alto Networks platform deployment into a distributed sensor and enforcement point to stop zero-day malware and exploits before they can spread and become successful. Within the WildFire environment, threats are detonated, intelligence is extracted, and preventions are automatically orchestrated across the Palo Alto Networks next-generation security product portfolio as soon as a signature is generated, thus minimizing the window in which malware can infiltrate your network. WildFire goes beyond traditional approaches. The service employs a unique, multitechnique approach that combines dynamic and static analysis, innovative machine-learning techniques, and a groundbreaking bare metal analysis environment to detect unknown threats and prevent even the most evasive threats. The following illustration depicts WildFire, its information sources, and the services it supports.
4.1.6 Reference
● Security Profiles, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles

4.2 Create, modify, add, and apply the appropriate Security profiles and groups
Use the following steps to create a Security profile group and add it to a Security policy.
Step 1: Create a Security profile group.
● Select Objects > Security Profile Groups and Add a new Security profile group.
● Give the profile group a descriptive Name, such as Threats.
● If the firewall is in Multiple Virtual System Mode, enable the profile to be Shared by all virtual systems.
● Add existing profiles to the group.
● Click OK to save the profile group.
Step 2: Add a Security profile group to a Security policy.
● Select Policies > Security and Add or modify a Security policy rule.
● Select the Actions tab.
● In the Profile Setting section, select Group for the Profile Type.
● In the Group Profile drop-down, select the group you created (for example, select the best-practice group).
● Click OK to save the policy and commit your changes.
Step 3: Save your changes. Click Commit.

4.2.1 Antivirus
Antivirus profiles define which traffic the firewall scans for viruses. Set the applications that should be inspected for viruses and the action to take when a virus is detected. The default profile inspects all of the listed protocol decoders for viruses and generates alerts for the SMTP, IMAP, and POP3 protocols while blocking the FTP, HTTP, and SMB protocols. You can configure the action for a decoder or Antivirus signature and specify how the firewall responds to a threat event:
● Default — Specifies a default action internally for each threat signature and Antivirus signature defined by Palo Alto Networks. Typically, the default action is an alert or a Reset Both. The default action is displayed in parentheses, such as default (alert), in the threat or Antivirus signature.
● Allow — Permits the application traffic. It does not generate logs related to signatures or profiles.
● Alert — Generates an alert for each application traffic flow. The alert is saved in the Threat log.
● Drop — Drops the application traffic.
● Reset Client — Resets the client-side connection for TCP and drops the connection for UDP.
● Reset Server — Resets the server-side connection for TCP and drops the connection for UDP.
● Reset Both — Resets the connection on both client and server ends for TCP and drops the connection for UDP.

4.2.2 Anti-Spyware
The Anti-Spyware profile detects the connections initiated by spyware and various types of C2 malware installed on the network systems. You can define custom Anti-Spyware profiles or choose one of the following predefined profiles when applying Anti-Spyware to a Security policy rule:
● Default — Uses the default action for every signature, as specified by Palo Alto Networks when the signature is created.
● Strict — Overrides the default action of the critical-, high-, and medium-severity threats to the block action, regardless of the action defined in the signature file. This profile still uses the default action for the low- and informational-severity signatures.

4.2.3 Vulnerability Protection
The Vulnerability Protection profile determines the level of protection against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. There are two predefined profiles available for the Vulnerability Protection feature: Default and Strict.

4.2.4 URL Filtering
URL Filtering profiles enable you to monitor and control how users access the web over HTTP and HTTPS. The firewall comes with a default profile that is configured to block websites such as known malware sites, phishing sites, and adult content sites.
You can use the default profile in a Security policy, clone it to use as a starting point for new URL Filtering profiles, or add a new URL profile that has all categories set to allow for visibility into the traffic on your network. You can then customize the newly added URL profiles and add lists of specific websites that should always be blocked or allowed, which provides more granular control over the URL categories.

4.2.5 WildFire Analysis
Use a WildFire Analysis profile to enable the firewall to forward unknown files or email links for WildFire analysis. Specify files to be forwarded for analysis based on the application, file type, and transmission direction (upload or download). Files or email links matched to the profile rule are forwarded either to the WildFire public cloud or to the WildFire private cloud (hosted on a WF-500 appliance), depending on the analysis location defined for the rule. If a profile rule is set to forward files to the WildFire public cloud, the firewall also forwards files that match the existing antivirus signatures, in addition to unknown files. You can also use WildFire Analysis profiles to set up a WildFire hybrid cloud deployment. If you are using a WildFire appliance to analyze sensitive files locally (such as PDFs), you can specify that less-sensitive file types (such as Portable Executable [PE] files) or file types that are not supported for WildFire appliance analysis (such as APKs) be analyzed by the WildFire public cloud. Using both the WildFire appliance and the WildFire cloud for analysis allows you to benefit from a prompt verdict for the files that have already been processed by the cloud and for the files that are not supported for appliance analysis; doing so also frees up appliance capacity to process sensitive content.
4.2.6 Configure Threat Prevention policy
The Palo Alto Networks next-generation firewall threat-intrusion-prevention subscriptions protect and defend the network from commodity threats and advanced persistent threats (APTs) by using multipronged detection mechanisms to combat the entire gamut of the threat landscape. The threat prevention solution comprises the following two subscriptions:
● Threat Prevention — The core Threat Prevention subscription is based on the signatures generated from malicious traffic data collected from various Palo Alto Networks services. These signatures are used by the firewall to enforce security policies based on specific threats, which include C2, various types of known malware, and vulnerability exploits; combined with the App-ID and User-ID identification technologies on the firewall, you can cross-reference context data to produce fine-grained policies. As part of the threat-mitigation policies, you can also identify and block known or risky file types and IP addresses, for which several premade categories are available, including lists specifying bulletproof service providers and known malicious IPs. In cases where specialized tools and software are used, you can create your own vulnerability signatures to customize the intrusion prevention capabilities for your network’s unique requirements.
● Advanced Threat Prevention — The Advanced Threat Prevention cloud service uses inline deep-learning and machine-learning models for real-time enforcement of evasive and never-before-seen, unknown C2 threats. As an ultra-low-latency native cloud service, this extensible and infinitely scalable solution is always kept up to date with model training improvements. The Advanced Threat Prevention license includes all of the benefits included with Threat Prevention.
4.2.7 References
● Create a Security Profile Group, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles/create-a-security-profile-group
● Security Profiles, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/security-profiles

4.3 Differentiate between Security profile actions
The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo Alto Networks includes a default action, typically either alert, which notifies you through the notification option you have enabled, or Reset Both, which resets both sides of the connection. However, you can define or override the action on the firewall. The following actions are applicable when defining Antivirus profiles, Anti-Spyware profiles, Vulnerability Protection profiles, Custom Spyware objects, Custom Vulnerability objects, or DoS Protection profiles:

| Action | Description | Antivirus profile | Anti-Spyware profile | Vulnerability Protection profile | Custom object (spyware and vulnerability) | DoS Protection profile |
| --- | --- | --- | --- | --- | --- | --- |
| Default | Takes the default action specified internally for each threat signature. For Antivirus profiles, it takes the default action for the virus signature. | ✓ | ✓ | ✓ | — | — |
| Allow | Permits the application traffic. | ✓ | ✓ | ✓ | ✓ | — |
| Alert | Generates an alert for each application traffic flow. The alert is saved in the Threat log. For DoS Protection profiles, generates an alert when the attack volume (CPS) reaches the Alarm threshold set in the profile. | ✓ | ✓ | ✓ | ✓ | ✓ |
| Drop | Drops the application traffic. | ✓ | ✓ | ✓ | ✓ | — |
| Reset Client | Resets the client-side connection for TCP. The connection is dropped for UDP. | ✓ | ✓ | ✓ | ✓ | — |
| Reset Server | Resets the server-side connection for TCP. The connection is dropped for UDP. | ✓ | ✓ | ✓ | ✓ | — |
| Reset Both | Resets both the client-side and the server-side connection for TCP. The connection is dropped for UDP. | ✓ | ✓ | ✓ | ✓ | — |
| Block IP | Blocks traffic from either a source or a source-destination pair. It is configurable for a specified period of time. | — | ✓ | ✓ | ✓ | ✓ |
| Sinkhole | Directs DNS queries for malicious domains to a sinkhole IP address. The action is available for Palo Alto Networks DNS signatures and for custom domains included in Objects > External Dynamic Lists. | — | ✓ | — | — | — |
| Random Early Drop | Causes the firewall to drop packets randomly when the connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule. | — | — | — | — | ✓ |
| SYN Cookies | Causes the firewall to generate SYN cookies to authenticate a SYN from a client when the connections per second reach the Activate Rate threshold in a DoS Protection profile applied to a DoS Protection rule. | — | — | — | — | ✓ |

4.3.1 Reference
● Actions in Security Profiles, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-security-profiles/actions-in-security-profiles

4.4 Use information available in logs

4.4.1 Traffic
Traffic logs display an entry for the start and end time of each session. Each entry includes the date and time; source and destination zones, addresses, and ports; application name; Security rule applied to the traffic flow; rule action (allow, deny, or drop); ingress and egress interface; number of bytes; and session end reason. The Type column indicates whether the entry is for the start or end of the session. The Action column indicates whether the firewall allowed, denied, or dropped the session. A drop indicates that the Security rule that blocked the traffic specified any application, while a deny indicates that the rule identified a specific application.
If the firewall drops traffic before identifying the application, such as when a rule drops all of the traffic for a specific service, the Application column displays not-applicable. Click the detail icon beside an entry to view additional details about the session, such as whether an ICMP entry aggregates multiple sessions between the same source and destination (in which case the Count column value is greater than one).

4.4.2 Threat
Threats are recorded and logged in a Threat log. A Threat log displays entries when the traffic matches one of the Security profiles attached to a Security policy rule on the firewall. Each entry includes the date and time; type of threat (such as virus or spyware); threat description or URL (Name column); source and destination zones, addresses, and ports; application name; alarm action (such as allow or block); and severity level. The Threat log is used as the source of information that is displayed on the ACC (Application Control Center) tab. Threat levels are based on the following five levels of severity:

| Severity | Description |
| --- | --- |
| Critical | Serious threats, such as those that affect the default installations of widely deployed software, result in root compromise of servers, and make the exploit code widely available to attackers. The attacker usually does not need any special authentication credentials or knowledge about the individual victims, and the target does not need to be manipulated into performing any special functions. |
| High | Threats that have the ability to become critical but have mitigating factors, such as being difficult to exploit, not resulting in elevated privileges, or not having a large victim pool. WildFire Submissions log entries with a malicious verdict and an action set to “allow” are logged as High. |
| Medium | Minor threats which pose minimal impact, such as DoS attacks that do not compromise the target or exploits that require an attacker to reside on the same LAN as the victim. Medium threats only affect non-standard configurations or obscure applications, and provide very limited access. Threat log entries with a malicious verdict and an action set to “block” or “alert,” based on the existing WildFire signature severity, are logged as Medium. |
| Low | Warning-level threats that have very little impact on an organization's infrastructure. Low threats usually require local or physical system access and might often result in victim privacy or DoS issues and information leakage. Data Filtering profile matches are logged as Low. WildFire Submissions log entries with a grayware verdict and any action are logged as Low. |
| Informational | Suspicious events that do not pose an immediate threat but are reported to call attention to deeper problems that could exist. URL Filtering log entries are logged as Informational. WildFire Submissions log entries with a benign verdict and any action are logged as Informational. WildFire Submissions log entries with any verdict and an action set to “block” and forward are logged as Informational. Log entries with any verdict and an action set to “block” are logged as Informational. |

4.4.3 Data
Data Filtering logs display entries for the Security rules that help prevent sensitive information such as credit card numbers from leaving the area that the firewall protects. This log type also shows information for File Blocking profiles. For example, if a rule blocks .exe files, the log shows the blocked files.

4.4.4 System logs
The System logs display entries for each system event on the firewall. Each entry includes the date and time, event severity, and event description. The following table summarizes the System log severity levels. For a partial list of System log messages and their corresponding severity levels, refer to System Log Events.
| Severity | Description |
| --- | --- |
| Critical | Hardware failures, including HA failover and link failures |
| High | Serious issues, including dropped connections with external devices, such as LDAP and RADIUS servers |
| Medium | Mid-level notifications, such as antivirus package upgrades |
| Low | Minor-severity notifications, such as user password changes |
| Informational | Log in/log off, administrator name or password change, any configuration change, and all other events not covered by the other severity levels |

4.4.5 References
● Set Up Data Filtering, https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/threat-prevention/set-up-data-filtering
● Log Types and Severity Levels, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels

4.5 Enable DNS Security to control traffic based on domains

4.5.1 Configure DNS Security
Before you enable and configure DNS Security, you must obtain and install a Threat Prevention (or Advanced Threat Prevention) license as well as a DNS Security license, in addition to the platform licenses for the firewall on which it operates. Licenses are activated from the Palo Alto Networks Customer Support Portal and must be active before DNS analysis can take place. Additionally, DNS Security (like other Palo Alto Networks security services) is administered through Security profiles, which in turn depend on the network enforcement policies defined through Security policy rules. Before enabling DNS Security, it is recommended that you become familiar with the core components of the security platform in which the Security subscriptions are enabled. To enable and configure a DNS Security subscription to function optimally within the network security deployment, refer to the tasks below.
While it may not be necessary to implement all of the processes shown here, Palo Alto Networks recommends reviewing all of the tasks to become familiar with the available options for a successful deployment.

4.5.2 Apply DNS Security in policy
To enable DNS sinkholing for domain queries by using DNS Security, you must activate your DNS Security subscription, create (or modify) an Anti-Spyware profile to reference the DNS Security service, configure the log severity and policy settings for each DNS signature category, and then attach the profile to a Security policy rule.
Step 1: Activate the subscription licenses.
Step 2: Verify that the paloalto-dns-security App-ID in your Security policy is configured to enable traffic from the DNS Security cloud security service. If the firewall deployment routes management traffic through an internet-facing perimeter firewall configured to enforce App-ID security policies, you must allow the App-IDs on the perimeter firewall; failure to do so will prevent DNS Security connectivity.
Step 3: Configure the DNS Security signature policy settings to send malware DNS queries to the defined sinkhole, using the following steps:
● Select Objects > Security Profiles > Anti-Spyware.
● Create or modify an existing profile, or select one of the existing default profiles and clone it.
● Name the profile and, optionally, provide a description.
● Select the DNS Policies tab.
● In the Signature Source column, beneath the DNS Security heading, there are individually configurable DNS signature sources that allow you to define separate policy actions as well as log severity levels.
   ○ Specify the log severity level that is recorded when the firewall detects a domain matching a DNS signature. For more information about the various log severity levels, refer to Threat Severity Levels.
   ○ Select an action to be taken when DNS lookups are made to known malware sites for the DNS Security signature source. The options are allow, block, sinkhole, or default. Verify that the action is set to sinkhole.
   ○ You can fully bypass DNS traffic inspection by configuring your DNS Security Anti-Spyware profile with the following settings:
      ■ A policy action of Allow with a corresponding log severity of None for each DNS signature source.
      ■ Removal of all the DNS Domain/FQDN Allow List entries in the DNS Exceptions tab.
   ○ From the Packet Capture drop-down list, select single-packet to capture the first packet of the session or extended-capture to capture between 1 and 50 packets. You can then use the packet captures for further analysis.
● In the DNS Sinkhole Settings section, verify that Sinkhole is enabled. For your convenience, the default sinkhole address (sinkhole.paloaltonetworks.com) is set to access a Palo Alto Networks server. Palo Alto Networks can automatically refresh this address through content updates.
● Click OK to save the Anti-Spyware profile.
Step 4: Attach the Anti-Spyware profile to a Security policy rule, using the following steps:
● Select Policies > Security, then select or create a Security policy rule.
● On the Actions tab, select the Log at Session End check box to enable logging.
● In the Profile Setting section, click the Profile Type drop-down list to view all Profiles.
● From the Anti-Spyware drop-down list, select the new or modified profile.
● Click OK to save the policy rule.
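The sinkhole configuration above pays off when you read the logs described in 4.4.1: a client that resolved a sinkholed domain receives the sinkhole address in the DNS answer and then appears in the Traffic log connecting to it. The following Python is an added example, not Palo Alto Networks code; it parses a constructed CSV Traffic log export (a subset of the 4.4.1 fields), applies the deny/drop/not-applicable interpretation from 4.4.1, and lists the clients that contacted the sinkhole. The sinkhole IP 198.51.100.53, the resolver 10.1.2.53 and every other address are constructed values.

```python
"""Traffic log triage after DNS sinkholing (sections 4.4.1 and 4.5).

Added example, not Palo Alto Networks code. Reads a constructed CSV export
with a subset of the Traffic log fields named in 4.4.1, explains why a
blocked session shows deny, drop or not-applicable, and lists the clients
that tried to reach the sinkhole address. All addresses are constructed.
"""
import csv
import io
from collections import Counter

# Constructed stand-in for the address sinkhole.paloaltonetworks.com resolves to.
SINKHOLE_IP = "198.51.100.53"
INTERNAL_RESOLVER = "10.1.2.53"  # constructed internal DNS resolver in zone dmz

# Constructed Traffic log export. 'type' is start or end of the session;
# 'deny-sinkhole' is a Security rule that denies traffic to the sinkhole IP.
SAMPLE_TRAFFIC_LOG = """\
receive_time,type,from_zone,to_zone,src,dst,sport,dport,app,rule,action,bytes,session_end_reason
2023/01/10 09:00:01,start,trust,untrust,10.1.1.25,198.51.100.10,51234,443,ssl,allow-web,allow,0,n/a
2023/01/10 09:00:09,end,trust,untrust,10.1.1.25,198.51.100.10,51234,443,ssl,allow-web,allow,48213,tcp-fin
2023/01/10 09:01:12,end,trust,dmz,10.1.1.77,10.1.2.53,50011,53,dns,allow-dns,allow,312,aged-out
2023/01/10 09:01:13,end,trust,untrust,10.1.1.77,198.51.100.53,50012,443,ssl,deny-sinkhole,deny,0,policy-deny
2023/01/10 09:01:14,end,trust,untrust,10.1.1.77,198.51.100.53,50013,443,ssl,deny-sinkhole,deny,0,policy-deny
2023/01/10 09:02:30,end,trust,untrust,10.1.1.42,198.51.100.53,60123,80,web-browsing,deny-sinkhole,deny,0,policy-deny
2023/01/10 09:03:00,end,trust,untrust,10.1.1.90,203.0.113.7,44000,23,not-applicable,drop-telnet,drop,0,policy-deny
2023/01/10 09:03:05,end,dmz,untrust,10.1.2.53,203.0.113.53,40001,53,dns,allow-dns,allow,198,aged-out
"""


def parse_traffic_log(text):
    """Parse a CSV Traffic log export into a list of field dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def explain_action(entry):
    """Interpret the Action and Application columns as described in 4.4.1."""
    if entry["action"] == "allow":
        return "allowed"
    if entry["app"] == "not-applicable":
        # Blocked before App-ID identified the application, e.g. by a rule
        # that drops all traffic for a service/port.
        return "dropped before the application was identified"
    if entry["action"] == "drop":
        return "dropped by a rule that matched any application"
    return "denied by a rule that identified the application " + entry["app"]


def sinkholed_hosts(entries, sinkhole_ip=SINKHOLE_IP):
    """Return {client IP: sessions} for hosts that tried to reach the sinkhole.

    Only session-end entries are counted, so a session logged at both start
    and end counts once. A client that looked up a sinkholed domain got the
    sinkhole IP in the DNS answer and then tried to connect to it. The Threat
    log entry for the DNS signature shows the source of the DNS query, which
    is the internal resolver when clients do not resolve directly, so the
    Traffic log is what identifies the infected client.
    """
    return Counter(e["src"] for e in entries
                   if e["type"] == "end" and e["dst"] == sinkhole_ip)


def triage(text, sinkhole_ip=SINKHOLE_IP):
    """Summarise an export: every blocked session explained, plus sinkholed clients."""
    entries = parse_traffic_log(text)
    blocked = [(e["src"], e["dst"], e["dport"], e["rule"], explain_action(e))
               for e in entries if e["type"] == "end" and e["action"] != "allow"]
    return {"blocked": blocked, "sinkholed": dict(sinkholed_hosts(entries, sinkhole_ip))}


if __name__ == "__main__":
    result = triage(SAMPLE_TRAFFIC_LOG)
    for src, dst, dport, rule, why in result["blocked"]:
        print(f"{src} -> {dst}:{dport} [{rule}] {why}")
    print("clients that contacted the sinkhole:", result["sinkholed"])
```

The resolver 10.1.2.53 never appears in the sinkhole report even though it forwarded the malicious query, which is the point of reading the Traffic log rather than only the Threat log.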
4.5.3 References
● Configure DNS Security, https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security
● Enable DNS Security, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/dns-security/enable-dns-security
● Create Domain Exceptions and Allow | Block Lists, https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/create-domain-signature-exceptions-and-allow-lists#tabs-id61d52481-57ae-4e96-951f-fb1e5ab53f6a
● Test Connectivity to the DNS Security Service, https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/test-connectivity-to-the-dns-security-service#id14bb1bce-6200-4e65-9acd-7df9061c3c74
● Configure Lookup Timeout, https://docs.paloaltonetworks.com/dns-security/administration/configure-dns-security/configure-lookup-timeout#ideba313e5-ba4c-456b-a90f-33ff2c78c838

4.6 Create and deploy URL-filtering-based controls

4.6.1 Apply a URL profile in a Security policy
You can use URL Filtering profiles not only to control access to web content, but also to control how users interact with the web content.

| What are you looking for? | See |
| --- | --- |
| Control access to websites based on URL category. | URL Filtering Categories |
| Detect corporate credential submissions, and then decide the URL categories to which users can submit credentials. | User Credential Detection; URL Filtering Categories |
| Block search results if the end user is not using the strictest safe search settings. | URL Filtering Settings |
| Enable logging of HTTP headers. | URL Filtering Settings |
| Control access to websites by using custom HTTP headers. | HTTP Header Insertion |
| Enable cloud and local inline categorization to analyze web pages in real time for malicious content. | Inline Categorization |

Looking for more?
● Learn more about how to configure URL Filtering.
● Use URL categories to prevent credential phishing.
● To create custom URL categories, select Objects > Custom Objects > URL Category.
● To import a list of URLs that you want to enforce, select Objects > External Dynamic Lists.

4.6.2 Create a URL Filtering profile
After determining the URL Filtering policy requirements, you should have a basic understanding of the types of websites your users are accessing. Use this information to create a URL Filtering profile that defines how the firewall handles traffic to specific URL categories. You can also restrict the sites to which users can submit corporate credentials and enforce strict safe search. Then, to enforce these settings, apply the URL Filtering profile to the Security policy rules that allow web access.
Step 1: Create a URL Filtering profile. Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile.
Step 2: Define site access for each URL category. Select Categories and set the Site Access for each URL category:
● Select allow for traffic destined for that URL category; allowed traffic is not logged.
● Select alert to have visibility into sites that users are accessing. Traffic matching that category is allowed, but a URL Filtering log is generated to record when a user accesses a site in that category.
● Select block to deny access to traffic that matches that category and enable logging of the blocked traffic.
● Select continue to display a page to users with a warning and require them to click Continue to proceed to a site in that category.
● Select override to allow access only if users provide a configured password.
Step 3: Configure the URL Filtering profile to detect corporate credential submissions to websites that are in the allowed URL categories by using the following steps:
● Select User Credential Detection.
● Select one of the methods to check for corporate credential submissions to web pages from the User Credential Detection drop-down:
   ○ Use IP User Mapping — Checks for valid corporate username submissions and verifies that the username matches the user logged in to the source IP address of the session. The firewall matches the submitted username against its IP address-to-username mapping table. You can use any of the user-mapping methods described in Map IP Addresses to Users.
   ○ Use Domain Credential Filter — Checks for valid corporate username and password submissions and verifies that the username maps to the IP address of the logged-in user. See Configure User Mapping Using the Windows User-ID Agent for instructions on how to set up User-ID to enable this method.
   ○ Use Group Mapping — Checks for valid username submissions based on the user-to-group mapping table populated when you configure the firewall to map users to groups. With group mapping, you can apply credential detection to any part of the directory or to a specific group, such as the IT group that has access to your most sensitive applications.
● Set the Valid Username Detected Log Severity that the firewall uses to log the detection of corporate credential submissions (default is medium).
Step 4: Configure the URL Filtering profile to detect phishing and malicious JavaScript in real time by using Local Inline Categorization.
Step 5: Allow or block users from submitting corporate credentials to sites based on the URL category to prevent credential phishing.
● For each URL category to which you allow Site Access, select how you want to treat User Credential Submissions from the drop-down list:
   ○ Alert — Allow users to submit credentials to the website but generate a URL Filtering alert log each time a user submits credentials to the sites in this URL category.
   ○ Allow (default) — Allow users to submit credentials to the website.
   ○ Block — Display the Anti-Phishing Block Page to block users from submitting credentials to the website.
   ○ Continue — Present the Anti-Phishing Continue Page to require users to click Continue to access the site.
● Configure the URL Filtering profile to detect corporate credential submissions to websites that are in the allowed URL categories.
Step 6: Define URL category exception lists to specify websites that should always be blocked or allowed, regardless of the URL category. For example, to reduce URL Filtering logs, you may want to add your corporate websites to the allow list so that no logs are generated for those sites or, if a website is being overused and is not work-related, you can add that site to the block list. The policy actions configured for custom URL categories have priority enforcement over the matching URLs in the external dynamic lists. All traffic to the websites in the block list will always be blocked, regardless of the action for the associated category, and all traffic to the URLs in the allow list will always be allowed.
Step 7: Enable Safe Search Enforcement.
Step 8: Log only Container Pages for URL filtering events.
● Select URL Filtering Settings.
● Enable Log container page only (default) so that the firewall logs only the main page that matches the category, not the subsequent pages or categories that are loaded within the container page. To enable logging for all the pages and categories, disable the Log container page only option.
Step 9: Enable HTTP Header Logging for one or more of the supported HTTP header fields. Select URL Filtering Settings and then select one or more of the following fields to log:
● User-Agent
● Referer
● X-Forwarded-For
Step 10: Save the URL Filtering profile and click OK.
Step 11: Apply the URL Filtering profile to the Security policy rules that allow traffic from clients in the trust zone to the internet by using the following steps:
● Select Policies > Security. Then, select a Security policy rule to modify.
● On the Actions tab, edit the Profile Setting.
● For Profile Type, select Profiles. A list of profiles appears.
● For the URL Filtering profile, select the profile you just created.
● Click OK to save your changes.
Step 12: Commit the configuration.
Step 13: Test your URL filtering configuration.
Step 14: (Best Practice) Enable Hold Client Request for category lookup, using the following steps, to block client requests while the firewall performs URL category lookups:
● Select Device > Setup > Content-ID.
● Select Hold Client Request for category lookup.
● Commit your changes.
Step 15: Set the amount of time, in seconds, before a URL category lookup times out.
● Select Device > Setup > Content-ID > gear icon.
● Enter a number for Category lookup timeout (sec).
● Click OK.
● Commit your changes.

4.6.3 Create a custom URL category
You can create a custom URL filtering object to specify exceptions to the URL category enforcement and to create a custom URL category based on multiple URL categories:
● Define exceptions to the URL category enforcement — Create a custom list of URLs to use as match criteria in a Security policy rule. This is an effective way to specify exceptions to URL categories, enforcing specific URLs differently than the URL category to which they belong. For example, you might block the social-networking category but allow access to LinkedIn.
● Define a custom URL category based on multiple PAN-DB categories — This allows you to target the enforcement for websites that match a set of categories. The website or page must match all of the categories defined as part of the custom category.
Follow these steps to create a custom URL category and define how the firewall should enforce the custom URL category:
Step 1: Select Objects > Custom Objects > URL Category.
Step 2: Add or modify a custom URL category and give the category a descriptive Name.
Step 3: Set the category Type to either Category Match or URL List:
● URL List — Add the URLs that should be enforced differently than the URL category to which they belong. Use this list type to define exceptions to the URL category enforcement or to define a list of URLs as belonging to a custom category. See URL Category Exceptions for guidelines on creating URL list entries.
● Category Match — Provide targeted enforcement for the websites that match a set of categories. The website or page must match all of the categories defined in the custom category.
Step 4: Select OK to save the custom URL category.
Step 5: Select Objects > Security Profiles > URL Filtering and Add or modify a URL Filtering profile. Your new custom category is now displayed under Custom URL Categories, as shown:
Step 6: Decide how to enforce Site Access and User Credential Submissions for the custom URL category. Attach the URL Filtering profile to a Security policy rule to enforce any traffic that matches the rule. Select Policies > Security > Actions and specify the Security policy rule to enforce traffic based on the URL Filtering profile you just updated. Make sure to Commit your changes.

4.6.4 Control traffic based on a URL category
Every URL can have up to four categories, including a risk category that indicates the likelihood a site will be exposed to threats. More granular URL categorizations allow moving beyond a basic “block-or-allow” approach toward web access. You can control how your users interact with online content that, while necessary for business, is more likely to be used as part of a cyberattack.
Prevent credential phishing by enabling the firewall to detect corporate credential submissions to sites, and then control those submissions based on the URL category. Block users from submitting credentials to malicious and untrusted sites, warn users against entering corporate credentials on unknown sites or reusing corporate credentials on non-corporate sites, and explicitly allow users to submit credentials to corporate and sanctioned sites.

4.6.5 Why a URL was blocked
You can exclude specific websites from the URL category enforcement, ensuring that these websites are blocked or allowed regardless of the policy action associated with their URL categories. For example, you might block the social-networking URL category but allow access to LinkedIn. To create exceptions to the URL category policy enforcement:
● Add the IP addresses or URLs of sites you want to block or allow to a custom URL category of type URL List (Objects > Custom Objects > URL Category). Then, define site access for the category in a URL Filtering profile. Finally, attach the profile to a Security policy rule.
● Add the URLs of the sites you want to block or allow to an external dynamic list of type URL List (Objects > External Dynamic Lists). Then, use the external dynamic list in a URL Filtering profile or as match criteria in a Security policy rule. The benefit of using an external dynamic list is that you can update the list without performing a configuration change or commit on the firewall.
Basic Guidelines for URL Category Exception Lists
Consider the potential matches that an entry might have before adding it to a URL category exception list. The following guidelines specify how to create an entry that blocks or allows the websites and pages you intend:
● All list entries are case-insensitive.
● Omit http and https from all URL entries.
● Each URL entry can be up to 255 characters in length.
● Enter an exact match to the IP address or URL you want to block or allow, or use wildcards to create a pattern match.
● Consider adding the URLs that are most commonly used to access a website or page to your exception list (for example, blog.paloaltonetworks.com and paloaltonetworks.com/blog) if the original entry is accessible from more than one URL.
Note that the entry example.com is distinct from www.example.com. The domain name is the same, but the second entry contains the www subdomain.

4.6.6 How to allow a blocked URL
The firewall provides the following two predefined response pages that display by default when a user attempts to browse a site in a category that is configured using one of the block actions in the URL Filtering profile (block, continue, or override) or when Container Pages is enabled:
● URL Filtering and category match block page: Access is blocked by a URL Filtering profile or because the URL category is blocked by a Security policy rule.
● URL Filtering continue and override page: A page with an initial block policy that allows users to bypass the block by clicking Continue. With URL Admin Override enabled (Allow Password Access to Certain Sites), after clicking Continue, the user must supply a password to override the policy that blocks the URL.

4.6.7 How to request a URL recategorization
If you think that a URL is not categorized accurately, you can request that we categorize it differently. Submit a change request directly in the firewall or use Test A Site. A change request triggers PAN-DB—the URL Filtering cloud—to do an immediate analysis of the URL for which you’re suggesting a category change. If PAN-DB validates that the new category suggestion is accurate, the change request is approved.
If PAN-DB does not find the new category suggestion to be accurate, the change request is reviewed by human editors from the Palo Alto Networks threat research and data science teams. After you’ve submitted a change request, you’ll receive an email confirming that we’ve received your request. When we’ve completed our investigation, you’ll receive a second email confirming the results. You cannot request a change to the risk category a URL receives (high risk, medium risk, or low risk), nor a change for URLs categorized as insufficient content or newly-registered domains.
Make a change request online
Visit Palo Alto Networks URL Filtering Test A Site to make a change request online.
Step 1: Go to Test A Site. You don’t need to log in to submit a change request, though you will need to provide your email ID as part of completing the change request form. If you decide not to log in, you’ll need to take a CAPTCHA test to confirm that you’re a human being (log in to avoid the CAPTCHA test).
Step 2: Enter a URL to check its categories:
Step 3: Review the URL categories, and if you don’t think that they’re accurate, select Request Change.
Step 4: Continue to populate and submit the change request form. Include at least one (and up to two) new category suggestions and leave an (optional) comment to tell us more about your suggestion.
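To make the enforcement rules in this section concrete (Step 6 of the profile procedure, the URL List and Category Match custom category types, and the exception-list guidelines), here is an added Python model written for this study guide section; it is example code, not PAN-OS or Palo Alto Networks code. It normalizes list entries the way the guidelines require (case-insensitive, no http/https, at most 255 characters, example.com distinct from www.example.com), treats a URL List custom category used as a block or allow list as overriding the category action, requires a Category Match custom category to match all of its categories, and then returns the Site Access and User Credential Submissions actions for a request. The profile, category names and hostnames are constructed for the example; the rule that the most restrictive action wins when several categories apply, and the simplified "*" wildcard handling, are assumptions of the example rather than statements from the page.

```python
"""URL Filtering decision model (added example, not PAN-OS code).

Models the guide's description of exception lists (case-insensitive entries,
no scheme, max 255 chars, exact or '*' wildcard match, example.com !=
www.example.com), block/allow lists overriding category actions, and Category
Match custom categories that must match ALL of their categories.
Assumption: when several categories apply, the most restrictive action wins.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List, Optional, Tuple

SITE_ACTIONS = ("allow", "alert", "continue", "override", "block")  # least to most restrictive (assumed)
CRED_ACTIONS = ("allow", "alert", "continue", "block")
MAX_ENTRY_LEN = 255

def normalize_entry(entry: str) -> str:
    """Apply the guideline rules: lower-case, drop http/https, enforce the 255-character limit."""
    e = entry.strip().lower()
    for scheme in ("https://", "http://"):
        if e.startswith(scheme):
            e = e[len(scheme):]
    if not e or len(e) > MAX_ENTRY_LEN:
        raise ValueError(f"entry must be 1..{MAX_ENTRY_LEN} characters: {entry!r}")
    return e

def split_url(url: str) -> Tuple[str, str]:
    """Return (host, path); path is '' for the site root."""
    host, _, path = normalize_entry(url).partition("/")
    return host, ("/" + path if path else "")

def entry_matches(entry: str, url: str) -> bool:
    """Exact or '*' wildcard match of one list entry against a request URL.
    The host must match as written, so 'example.com' does not match 'www.example.com'.
    If the entry has a path, the request path must equal it or lie beneath it (simplification)."""
    e_host, e_path = split_url(entry)
    u_host, u_path = split_url(url)
    if not fnmatchcase(u_host, e_host):
        return False
    if not e_path:
        return True
    return fnmatchcase(u_path, e_path) or fnmatchcase(u_path, e_path.rstrip("/") + "/*")

@dataclass(frozen=True)
class CustomCategory:
    name: str
    kind: str                  # "url-list" or "category-match"
    members: Tuple[str, ...]   # URL entries, or PAN-DB category names

@dataclass
class UrlFilteringProfile:
    site_access: Dict[str, str]   # category -> Site Access action
    credential: Dict[str, str]    # category -> User Credential Submissions action
    custom: List[CustomCategory]

def most_restrictive(actions: Iterable[str], order: Tuple[str, ...]) -> str:
    acts = list(actions)
    return max(acts, key=order.index) if acts else order[0]

def matched_categories(profile: UrlFilteringProfile, url: str, pandb: Iterable[str]) -> set:
    """The site's PAN-DB categories plus every custom category it satisfies."""
    pandb = set(pandb)
    cats = set(pandb)
    for cc in profile.custom:
        if cc.kind == "url-list" and any(entry_matches(m, url) for m in cc.members):
            cats.add(cc.name)
        elif cc.kind == "category-match" and set(cc.members) <= pandb:  # must match ALL
            cats.add(cc.name)
    return cats

def decide(profile: UrlFilteringProfile, url: str, pandb: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Return (site action, credential-submission action); the latter is None when the site is blocked."""
    cats = matched_categories(profile, url, pandb)
    list_hits = [cc.name for cc in profile.custom if cc.kind == "url-list" and cc.name in cats]
    scope = list_hits or cats  # a block/allow list hit overrides the category actions (Step 6)
    site = most_restrictive((profile.site_access.get(c, "allow") for c in scope), SITE_ACTIONS)
    if site == "block":
        return site, None
    return site, most_restrictive((profile.credential.get(c, "allow") for c in scope), CRED_ACTIONS)

# Constructed sample profile; category and host names are illustrative only.
PROFILE = UrlFilteringProfile(
    site_access={"social-networking": "continue", "high-risk": "alert", "unknown": "continue",
                 "business-and-economy": "allow", "phishing": "block", "allowed-sites": "allow",
                 "blocked-sites": "block", "risky-social": "block"},
    credential={"social-networking": "block", "high-risk": "block", "unknown": "continue",
                "business-and-economy": "alert", "allowed-sites": "allow"},
    custom=[
        CustomCategory("allowed-sites", "url-list", ("www.linkedin.com", "www.example.com",
                                                     "*.intranet.example.com", "paloaltonetworks.com/blog")),
        CustomCategory("blocked-sites", "url-list", ("games.example.net",)),
        CustomCategory("risky-social", "category-match", ("social-networking", "high-risk")),
    ],
)

if __name__ == "__main__":
    for url, cats in (("https://WWW.LinkedIn.com/feed", ["social-networking", "low-risk"]),
                      ("social.example.org/home", ["social-networking", "high-risk"]),
                      ("example.com/login", ["unknown"])):
        print(f"{url:32} {cats} -> {decide(PROFILE, url, cats)}")
```

Running it shows the LinkedIn request allowed by the URL List entry even though social-networking is set to continue, the social-networking plus high-risk site blocked by the Category Match category, and example.com falling through to the unknown category because only www.example.com is on the allow list.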
4.6.8 References
● Objects > Security Profiles > URL Filtering, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-security-profiles-url-filtering
● Configure URL Filtering, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering
● Create a Custom URL Category, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/custom-url-categories
● URL Filtering Use Cases, https://docs.paloaltonetworks.com/advanced-url-filtering/administration/url-filtering-basics/url-filtering-use-cases
● URL Category Exceptions, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/block-and-allow-lists
● URL Filtering Response Pages, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-filtering-response-pages
● Request to Change the Category for a URL, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-category-change

4.7 Differentiate between group mapping and IP-to-user mapping within policies and logs
Group mapping
Defining policy rules based on group membership rather than on individual users simplifies administration because you don’t have to update the rules whenever new users are added to a group. When configuring group mapping, you can limit which groups will be available in policy rules. You can specify the groups that already exist in your directory service or define custom groups based on LDAP filters. Defining custom groups can be quicker than creating new groups or changing existing ones on an LDAP server, and doesn’t require an LDAP administrator to intervene. User-ID maps all the LDAP directory users who match the filter to the custom group. Log queries and reports that are based on user groups will include custom groups.
Map IP addresses to users
User-ID provides different methods for mapping IP addresses to usernames.
Before you begin configuring user mapping, consider where your users are logging in from, what services they are accessing, and what applications and data you need to control access to. This will inform which types of agents or integrations would best allow you to identify your users.
User-ID logs display information about IP address-to-username mappings and Authentication Timestamps, such as the sources of the mapping information and the times when users authenticated.

4.7.1 How to control access to specific locations
Create the Security policy rules to safely enable User-ID between network zones and to prevent User-ID traffic from egressing your network. This is done by using the username or user group name as a match condition of your Security policy rules. Ensure that the User-ID application (paloalto-userid-agent) is allowed only in the zones where your agents (both your Windows agents and your PAN-OS integrated agents) are monitoring services and distributing mappings to firewalls. Specifically:
● Allow the paloalto-userid-agent application between the zones where your agents reside and the zones where the monitored servers reside (or, better, between the specific systems that host the agent and the monitored servers).
● Allow the paloalto-userid-agent application between the agents and the firewalls that need the user mappings, and between firewalls that are redistributing user mappings and the firewalls they are redistributing the information to.
● Deny the paloalto-userid-agent application to any external zone, such as your internet zone.
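As an added check for the three rules above, the following Python model (example code written for this guide section, not PAN-OS configuration or Palo Alto Networks code) evaluates a Security rulebase top-down with first-match semantics and reports every source zone from which paloalto-userid-agent traffic could reach an external zone. Zone names, rule names and both rulebases are constructed for the example; the second rulebase shows what happens when a broad outbound allow rule is ordered above the deny, so that the deny is never reached and the agent traffic egresses.

```python
"""Security-rulebase audit for User-ID agent traffic (added example, not PAN-OS code).

Models first-match evaluation of a Security rulebase and checks whether the
paloalto-userid-agent application could be allowed into an external zone.
Zone names, rule names and rulebases are constructed for illustration.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

ANY = "any"
USERID = "paloalto-userid-agent"

@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zones: FrozenSet[str]
    to_zones: FrozenSet[str]
    applications: FrozenSet[str]
    action: str  # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str, app: str) -> bool:
        def hit(field: FrozenSet[str], value: str) -> bool:
            return ANY in field or value in field
        return (hit(self.from_zones, src_zone) and hit(self.to_zones, dst_zone)
                and hit(self.applications, app))

def rule(name: str, src, dst, apps, action: str) -> SecurityRule:
    return SecurityRule(name, frozenset(src), frozenset(dst), frozenset(apps), action)

def evaluate(rulebase: List[SecurityRule], src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
    """Top-down, first match wins; unmatched traffic hits the default rules
    (intrazone-default allows, interzone-default denies)."""
    for r in rulebase:
        if r.matches(src_zone, dst_zone, app):
            return r.name, r.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"

def userid_egress_paths(rulebase: List[SecurityRule], zones: List[str],
                        external_zones: List[str], app: str = USERID) -> List[Tuple[str, str, str]]:
    """Every (src, dst, rule) where User-ID agent traffic would be allowed into an external zone."""
    leaks = []
    for src in zones:
        if src in external_zones:
            continue
        for dst in external_zones:
            name, action = evaluate(rulebase, src, dst, app)
            if action == "allow":
                leaks.append((src, dst, name))
    return leaks

ZONES = ["agents", "servers", "firewall-mgmt", "users", "internet"]
EXTERNAL = ["internet"]

# Order that follows the guide: scoped allows, the explicit deny, then general outbound access.
GOOD_RULEBASE = [
    rule("userid-agent-to-servers", ["agents"], ["servers"], [USERID], "allow"),
    rule("userid-agent-to-firewalls", ["agents"], ["firewall-mgmt"], [USERID], "allow"),
    rule("deny-userid-egress", [ANY], ["internet"], [USERID], "deny"),
    rule("allow-outbound", ["users", "agents"], ["internet"], [ANY], "allow"),
]

# Same rules, but the broad outbound allow sits above the deny, so the deny is shadowed.
BAD_RULEBASE = [GOOD_RULEBASE[0], GOOD_RULEBASE[1], GOOD_RULEBASE[3], GOOD_RULEBASE[2]]

if __name__ == "__main__":
    print("good rulebase leaks:", userid_egress_paths(GOOD_RULEBASE, ZONES, EXTERNAL))
    print("bad rulebase leaks: ", userid_egress_paths(BAD_RULEBASE, ZONES, EXTERNAL))
```

The audit returns an empty list for the first rulebase and lists both the agents and users zones for the second, which is the condition the third bullet above is meant to prevent: an application-specific deny protects nothing if a rule with application any that reaches the same destination precedes it.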
4.7.2 How to apply to specific policies
User-ID information can be used as a match condition for rules of the following policy types:
● Policy Based Forwarding (PBF)
● Security
● SSL/SSH Decryption
● Quality of Service (QoS)

4.7.3 Identify users within the ACC and the monitor tab
Administrators should select the LDAP Server profile they configured earlier and complete the domain settings. The Group Include List tab shows the available groups in the domain. The administrator can choose which groups to monitor and which ones to ignore, as shown:
To learn more about the methods to map users and groups for collecting User-ID information, see the following:
● The “Block Threats by Identifying Users” module in the EDU-210 training, Firewall Essentials: Configuration and Management
● User-ID in the PAN-OS Administrator’s Guide

4.7.4 References
● Enabling User-ID, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/enable-user-id
● Group Mapping, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/user-id-concepts/group-mapping
● Policy Types, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/policy-types
● User-ID Logs, https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/view-and-manage-logs/log-types-and-severity-levels/user-id-logs
● Map IP Addresses to Users, https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/map-ip-addresses-to-users

Continuing Your Learning Journey with Palo Alto Networks
Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and expertise to prepare you to protect our way of life in the digital age.
Our trusted security certifications give you the Palo Alto Networks product portfolio knowledge necessary to prevent successful cyberattacks and to safely enable applications.
Digital Learning
For those of you who want to keep up to date on our technology, a learning library of free digital learning is available. These on-demand, self-paced digital-learning classes are a helpful way to reinforce the key information for those who have been to the formal hands-on classes. They also serve as a useful overview and introduction to working with our technology for those unable to attend a hands-on, instructor-led class. Simply register in Beacon and you will be given access to our digital-learning portfolio. These online classes cover foundational material and contain narrated slides, knowledge checks, and, where applicable, demos for you to access. New courses are being added often, so check back to see new curriculum available.
Instructor-Led Training
Looking for a hands-on, instructor-led course in your area? Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of solutions from onsite training to public, open-environment classes. About 42 authorized training centers are delivering online courses in 14 languages and at convenient times for most major markets worldwide. For class schedule, location, and training offerings, see https://www.paloaltonetworks.com/services/education/atc-locations.
Learning Through the Community
You also can learn from peers and other experts in the field. Check out our communities site at https://live.paloaltonetworks.com, where you can:
● Discover reference material
● Learn best practices
● Learn what is trending