PCNSE7 Study material for Palo Alto firewall

Uploaded on 08/30/2017 by Subhasish

PALO ALTO NETWORKS PCNSE STUDY GUIDE

March 2017

Palo Alto Networks, Inc. www.paloaltonetworks.com ©2016 Palo Alto Networks – all rights reserved. Aperture, AutoFocus, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.

PALO ALTO NETWORKS PCNSE7 STUDY GUIDE iii

Qualifications

You should have three to five years’ experience working in the Networking or Security industries and the equivalent of 6 months’ experience working full-time with the Palo Alto Networks security platform.

Skills Required

  • You can plan, deploy, configure, and troubleshoot Palo Alto Networks Security platform components.
  • You have product expertise and understand the unique aspects of the next-generation security platform and how to deploy one appropriately.
  • You understand networking and security policies used by PAN-OS® software.

Recommended Training

Palo Alto Networks strongly recommends that the candidate attend the following courses: Firewall 8.0 Essentials: Configuration and Management (EDU-210), Panorama: Manage Multiple Firewalls (EDU-221), and Firewall: Debug and Troubleshoot (EDU-311). The courses do not cover everything that a PCNSE7 needs to know, but they are the most efficient way to start learning. When you have mastered the basics, you should spend time on the platform practicing with the information in the 7.1 version of the Administrator’s Guide, which is available here: https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os The Administrator’s Guide contains specific configuration information and some “best practice” configuration settings. Remember also that a number of supplemental documents are on the learning site. We suggest that all candidates take advantage of this free resource.

About This Document

Efforts have been made to introduce all relevant information that might be found in a PCNSE Certification Test. This document should not be considered a definitive test preparation guide but an introduction to the knowledge required. This document contains many references to outside information that should be considered essential to completing your understanding.

Palo Alto Networks PCNSE7 Study Guide Contents

  • Overview
    • Exam Details
    • Intended Audience
    • Qualifications
    • Skills Required
    • Recommended Training
    • About This Document
  • Architecture and Design
    • Identify how Palo Alto Networks products work together to detect and prevent threats.
      • Preventing Successful Cyberattacks
    • How to architect a solution to meet the business requirements and leverage the security platform.
      • Choosing the Appropriate Firewall
      • Security Policy
      • Security Zones
      • Traffic Processing Sequence
    • Evaluate high availability (HA) designs and configurations for various deployments.
      • High Availability
      • Active/Passive Clusters
      • Active/Active Clusters
      • Failover
      • Additional High Availability Information
    • Identify the appropriate interface type and configuration for a specified network deployment.
      • Types of Interfaces
      • Decrypt Mirror
      • LACP Protocol
      • Virtual Interfaces
      • Loopback Interfaces
      • Tunnel Interfaces
      • Interface Configurations
      • Additional Information
    • Identify how to design a scalable solution for administering Palo Alto Networks devices using Panorama.
      • Panorama Overview
      • Log Aggregation
      • Templates and Device Groups
    • Identify deployment strategies for virtualized environments.
      • Virtual Firewalls
    • Section 1 Sample Questions
  • Core Concepts
    • Identify the key features of a next-generation Layer 7 firewall and its advantages over a traditional firewall.
      • App-ID™
      • User-ID™
      • Content-ID™
    • Identify the correct order of the policy evaluation based on the packet flow architecture.
      • Policies
      • Evaluation Order
      • CLI Test Command
    • Palo Alto Networks threat prevention components
      • Advanced Persistent Threats
      • Security Policies and Profiles
    • Identify methods for mapping users to IP addresses and for troubleshooting related issues.
      • User-ID™ and Mapping Users
      • Additional Information
    • Identify the fundamental functions residing on the management and dataplanes of a Palo Alto Networks firewall.
      • Management and Dataplanes
    • How to control bandwidth use on a per-application basis.
      • Additional Information
    • Identify the fundamental functions and concepts of WildFire.
      • WildFire Overview
      • Additional Information
    • Section 2 Sample Questions
  • Management
    • Identify the required settings and steps necessary to provision and deploy a next-generation firewall.
      • Steps to Connect the Firewall
      • Installing and Activating Licenses
      • Dynamic Updates
      • Firewall Configuration
    • Determine how to leverage Panorama to centrally manage device configurations and logs.
      • Panorama Overview
      • Storage of Saved Configurations
      • Log Event Aggregation
    • Update a Palo Alto Networks system to the latest version of code or content.
      • Standalone Firewalls
      • HA Firewalls
      • Upgrading Firewalls Under Panorama Management
      • HA Cluster Firewall Updates Managed by Panorama
    • Identify how configuration management operations are used to ensure desired operational state of stability and continuity.
      • Running Configuration and Candidate Configuration
    • Identify methods for authorization, authentication, and device administration.
      • Administrative Accounts
      • Authentication
    • Identify the proper use of public key infrastructure components.
      • Certificate Management
    • Section 3 Sample Questions
  • Networking
    • Configure and troubleshoot interface components.
      • Traffic Ports
      • Management Port
      • Troubleshooting Tools
    • Identify the configuration settings that are required to enable IPv6 features.
      • IPv6 Configuration
    • Configure and troubleshoot routing.
      • Routing Configuration
      • Troubleshooting Routing
    • Identify the configuration settings for site-to-site VPN.
      • IPSec Tunnel Interfaces
      • CLI Troubleshooting Commands
    • Identify the configuration settings for SSL/remote access VPN.
      • GlobalProtect Overview
      • Additional Information
    • Identify ways to mitigate resource exhaustion (because of denial-of-service) in application servers.
      • Resource Exhaustion
      • DoS and ZPP
      • DoS policies invoke protections specified in DoS Protection profiles.
      • Additional Information
    • Section 4 Sample Questions
  • Policies and Procedures
    • Identify the deployment, configuration, and management features of the security rulebase.
      • Security Policy Overview
      • Security Policy: Allow
      • Security Policy: Deny
    • Identify the deployment, configuration, and management of Security profiles and options.
      • Security Profile Overview
      • WildFire Analysis Profiles
      • URL Filtering Profiles
    • Identify the deployment, configuration, and management features of the NAT rulebase.
      • NAT Overview
      • Dynamic IP and Port NAT
    • Identify decryption deployment strategies.
      • Packet Visibility
      • Decryption
      • Keys and Certificates
      • Decryption Policies
      • SSL Forward Proxy
      • App-ID and Encryption
    • Identify application override configuration and use.
      • Use Cases
    • Section 5 Sample Questions
  • Logs and Stats
    • Identify considerations for configuring external log forwarding.
      • Direct Firewall Log Forwarding
      • Forwarding of Logs to Panorama
    • Interpret log files, reports, and graphs to determine traffic and threat trends.
      • PDF Reports
      • User/Group Activity Report
      • PDF Summary Report
      • Application Command Center
      • Automated Correlation Engine
    • Identify the configuration requirements used to perform a packet capture.
      • Automatic Threat Detection Captures
      • Manual Packet Captures
    • Section 6 Sample Questions
  • Further Resources
    • Disclaimer
  • Appendix A: Answers to Sample Questions
    • Section 1 Answers
    • Section 2 Answers
    • Section 3 Answers
    • Section 4 Answers
    • Section 5 Answers
    • Section 6 Answers
  • Appendix B: Glossary
  • Continuing Your Learning Journey with Palo Alto Networks
    • E-Learning
    • Instructor-Led Training
    • Learning Through the Community

By employing the Palo Alto Networks Threat Intelligence Cloud, businesses leverage the global threat community to detect unknown threats and to convert them into known, stoppable threats.

How to architect a solution to meet the business requirements and leverage the security platform.

Choosing the Appropriate Firewall

Feature and performance requirements determine the choice of firewall model. All Palo Alto Networks firewalls run the same version of PAN-OS® software, so the primary feature set is the same across models. When you investigate which model fits a given need, evaluate throughput, maximum concurrent sessions, and connections per second with App-ID, threat prevention, and decryption features enabled. Note that there are two published throughput statistics: firewall throughput and threat prevention throughput. Threat prevention throughput is the expected throughput with all of the defensive options enabled, and firewall throughput is the throughput with no defensive options enabled; size a deployment on the former if it will run Security profiles. The following link provides a PDF feature summary of all firewall models, including throughput: https://www.paloaltonetworks.com/resources/datasheets/product-summary-specsheet

The Single Pass Architecture means packets should have to traverse the architecture only once. The Palo Alto Networks firewall was designed to use an efficient system referred to as Next Generation Processing. Next Generation Processing allows the system to perform packet evaluation, application identification, policy decisions, and content scanning in a single efficient processing pass. Palo Alto Networks firewalls contain Next Generation Security features consisting of:

  • App-ID: Scanning of traffic to identify the application that is involved, regardless of the protocol or port
  • Content-ID: Scanning of indicated traffic for security threats, data leak prevention, and URL filtering; e.g., viruses, spyware, unwanted file transfers, specific data patterns, vulnerability exploits, and appropriate browsing access
  • User-ID: Matching of a user to an IP address (or multiple IP addresses)

Security Policy

The Security policy consists of numerous security rules that are the keystone of the firewall’s ability to enable or block sessions. Numerous match conditions can be used when creating these rules. Security zones, source and destination IP address, application (App-ID), source user (User-ID), service (port), HIP match, and URL categories in the case of web traffic all can serve as traffic matching criteria for allow/block decision making. Allowed sessions can be scanned

Profile settings for a Security policy rule that enable Content-ID threat scanning

Security Zones

Palo Alto Networks firewalls are zone based. For traffic to pass, the deployment requires that security zones be implemented. Zones are a logical way to group physical and virtual interfaces, and they are also required to control and log the traffic that traverses those interfaces. An interface must be of the same type as the zone it is assigned to (TAP, Virtual Wire, Layer 2, or Layer 3). For an interface to pass traffic, it must be assigned to a zone. A zone can have multiple interfaces of the same type assigned to it, but an interface can belong to only one zone. All sessions on the firewall are defined by their source and destination zones, and rules can use these zones to allow or deny traffic, apply QoS, or perform NAT. Traffic within a zone (intrazone traffic) flows freely by default. Traffic between zones (interzone traffic) is denied by default and is allowed only if a security rule is defined whose conditions all match the session. For interzone traffic, Security policy rules must reference a source zone and destination zone (not interfaces) to allow or deny traffic. Security policies are used to create a positive (whitelist) and/or negative (blacklist) enforcement model for traffic flowing through the firewall. For the firewall to evaluate, configure, and maintain Security policies properly, the necessary security rules must be in place. Rules are evaluated from the top down, and the first rule whose matching conditions fit the session allows or denies that traffic. If logging is enabled on the matching rule and the traffic crosses a zone boundary, the action for that session is logged. These logs are extremely useful for adjusting the positive/negative enforcement model: the log information characterizes traffic, provides specific usage information, and allows precise policy creation and control. Palo Alto Networks firewall logs, Application Command Center, App Scope, and other reporting tools all work together to describe traffic and usage patterns precisely.
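The zone-based, top-down, first-match evaluation described above, as an added example that is not part of the study guide or Palo Alto Networks code: rules are checked in order, the first match decides the action, and with no match the implicit defaults apply (intrazone allowed, interzone denied). The zone names, addresses, users and rulebase are constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of the zone-based, top-down, first-match evaluation the
# study guide describes (added example, not Palo Alto Networks code). Unmatched
# intrazone traffic is allowed and unmatched interzone traffic is denied.

@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str       # App-ID result, e.g. "web-browsing"
    user: str      # User-ID result, e.g. "corp\\alice"
    service: str   # port/protocol, e.g. "tcp/443"

@dataclass
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src_zones: set = field(default_factory=lambda: {"any"})
    dst_zones: set = field(default_factory=lambda: {"any"})
    src_nets: list = field(default_factory=list)   # empty list means any source
    apps: set = field(default_factory=lambda: {"any"})
    users: set = field(default_factory=lambda: {"any"})
    services: set = field(default_factory=lambda: {"any"})
    log: bool = True                 # log the session when this rule matches

    def matches(self, s: Session) -> bool:
        def hit(allowed, value):
            return "any" in allowed or value in allowed
        src_ok = not self.src_nets or any(
            ip_address(s.src_ip) in ip_network(n) for n in self.src_nets)
        return (hit(self.src_zones, s.src_zone) and hit(self.dst_zones, s.dst_zone)
                and src_ok and hit(self.apps, s.app) and hit(self.users, s.user)
                and hit(self.services, s.service))

def evaluate(rules, s: Session):
    """Return (action, rule_name, logged): the first matching rule wins; with no
    match the implicit defaults apply (allow intrazone, deny interzone, no log)."""
    for r in rules:
        if r.matches(s):
            return r.action, r.name, r.log
    if s.src_zone == s.dst_zone:
        return "allow", "intrazone-default", False
    return "deny", "interzone-default", False

# Constructed rulebase: a narrow user-aware allow above a broad interzone deny.
RULES = [
    Rule("allow-finance-web", "allow", {"trust"}, {"untrust"}, ["10.1.0.0/16"],
         {"web-browsing", "ssl"}, {"corp\\finance"}, {"tcp/80", "tcp/443"}),
    Rule("deny-trust-to-untrust", "deny", {"trust"}, {"untrust"}),
]

if __name__ == "__main__":
    s = Session("trust", "untrust", "10.1.5.9", "203.0.113.10", "ssl", "corp\\alice", "tcp/443")
    print(evaluate(RULES, s))   # ('deny', 'deny-trust-to-untrust', True)
```

Reordering the two rules so the deny sits first would shadow the allow entirely, which is the kind of mistake the traffic logs described above make visible.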

Traffic Processing Sequence

The traffic processing sequence of the Palo Alto Networks firewall can be visualized with a graphical representation of the packet flow. Understanding this linear version of the traffic flow is very useful when you set up the initial configuration and when you adjust the rules after installation. Note that the graphical representation is a simplified version of the complete flow, which can be found in document #1628, Day in the Life of a Packet: https://live.paloaltonetworks.com/t5/Learning-Articles/Packet-Flow-Sequence-in-PAN-OS/ta-p/56081?attachment-id=

Active/Active Clusters

An active/active cluster consists of two firewalls connected by three links: HA1, HA2, and HA3. It is recommended only when load-balancing technology randomizes the routing of traffic between the two firewalls. Please see the following additional documentation for active/active: https://live.paloaltonetworks.com/t5/Documentation-Articles/Configuring-Active-Active-HA-PAN-OS-4-0/ta-p/58158?attachment-id=

Failover

The high availability failover process can be monitored and triggered by a number of different methods. To avoid a split-brain scenario, you should use all of the methods, which include a simple heartbeat, path monitoring, and link monitoring. In an active/passive HA pair only the active firewall processes traffic. High Availability failover support in both active/active and active/passive clusters covers all firewall features and is non-disruptive to user sessions. Active/passive clusters include two interconnections between the firewalls to synchronize all data required for failover support.

The HA1 and HA2 links work together to keep the HA firewalls synchronized.

Additional High Availability Information

Active/passive High Availability configuration details can be found here: https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-High-Availability-on-PAN-OS/ta-p/

Configuration synchronization is discussed here: https://live.paloaltonetworks.com/t5/Learning-Articles/Information-Synchronized-in-an-HA-Pair/ta-p/ and here: https://live.paloaltonetworks.com/t5/Documentation-Articles/High-Availability-Synchronization/ta-p/61190?attachment-id=

An active/active overview can be found here. This document refers to an older version of PAN-OS® software with an outdated UI, but the concepts remain the same for PAN-OS® 7.1: https://live.paloaltonetworks.com/t5/Documentation-Articles/Configuring-Active-Active-HA-PAN-OS-4-0/ta-p/58158?attachment-id=