PCNSA Certification: Firewall Deployment


Questions and Answers

Which firewall management interface separates management functions from network traffic processing?

  • Data Port
  • Service Route
  • Management (MGT) Port (correct)
  • Console Port

Which method is the default for accessing the web interface on a Palo Alto Networks firewall?

  • SSH
  • HTTP
  • Telnet
  • HTTPS (correct)

Which CLI command is used to access configuration mode from the operational mode?

  • configure (correct)
  • edit
  • admin
  • set

What is the purpose of service routes on a Palo Alto Networks firewall?

Answer: To direct management traffic through data ports. (D)

Which feature allows you to restrict access to a specific service on a firewall interface by IP address?

Answer: Interface Management profile (D)

What is the functionality of an authentication sequence?

Answer: Defines the order in which authentication profiles are processed. (B)

When configuring role-based access control, what privilege does a Superuser have that a Device Administrator does not?

Answer: Ability to define new administrator accounts. (C)

What is the function of the candidate configuration in a Palo Alto Networks firewall?

Answer: It is where configuration changes are made before being committed. (B)

Which action restores the candidate configuration to the last saved state?

Answer: Revert to last saved configuration (B)

What is the main benefit of using Panorama for managing multiple firewalls?

Answer: Provides centralized management and reporting. (C)

In a device group hierarchy, where are settings inherited from?

Answer: The shared location (A)

When setting up scheduled dynamic updates from Panorama, which action automatically installs the update on firewalls and Log Collectors?

Answer: Download and Install (A)

Which update type includes antivirus signatures: new and updated?

Answer: Antivirus (D)

What must you configure to enable use of an interface for services such as DNS and Palo Alto Networks update servers?

Answer: Service Route (B)

Which zone type is used for interfaces that will switch traffic between other Layer 2 interfaces?

Answer: Layer 2 (C)

What element is required to complete the virtual wire configuration?

Answer: Two Virtual Wire Interfaces (D)

Which address object type allows specifying a user-friendly domain name with automatically updated IP address resolution?

Answer: FQDN (A)

Which of the following is a characteristic of External Dynamic Lists (EDLs)?

Answer: Are hosted on an external web server. (D)

What is a key difference between application filters and application groups?

Answer: Application filters automatically update with new applications, while application groups are static. (D)

Which Security policy rule type is best suited to manage traffic between different zones?

Answer: Interzone (D)

Which of the following access methods is only available as part of either a Security policy or DoS profiles?

Answer: SYN cookies (B)

When configuring destination NAT with Dynamic IP and session distribution, what type of address object is needed to specify the destination?

Answer: FQDN (C)

What log displays entries when traffic matches one of the Security profiles attached to a Security policy rule on the firewall?

Answer: Threat (B)

What is the purpose of TCP Timeout in a service object?

Answer: Sets the maximum time a TCP session can remain open with no data transfer. (B)

When upgrading a high availability (HA) pair, why is preemption often disabled?

Answer: To prevent automatic failover during the upgrade process (A)

In a Palo Alto Networks firewall, what does the action 'sinkhole' do in a DNS Security profile?

Answer: Forwards DNS queries for malicious domains to a specified IP address. (D)

You want to ensure traffic logs are written only when a web category has been explicitly reached. Which action would you perform?

Answer: Disable Container page logging (A)

Before upgrading PAN-OS in a High Availability pair, the running configuration file should be backed up. What is the procedure to accomplish this task?

Answer: Device > Setup > Operations > Export named configuration snapshot (C)

What is the purpose of the "App-ID" column in traffic logs?

Answer: To identify whether an application's traffic is being blocked. (A)

What should be done if you use a Palo Alto Networks firewall in a High Availability configuration and the second firewall continues to show an error message? Select the BEST possible option.

Answer: Resync (D)

You have the task of finding all administrative accounts in the 'techlab' domain that have the 'superuser' role. How would you proceed?

Answer: Use the show command in the CLI, filtering by domain and role. (A)

You are assisting with the implementation of a Palo Alto Networks next-generation firewall for a client. A requirement is that local accounts MUST NOT be used. How can this be ensured?

Answer: Remove the ability to use local authentication altogether. (C)

Flashcards

What is the MGT port?

An out-of-band port used for firewall administration.

Methods to access firewalls

Web interface, CLI, Panorama, and XML API.

Web Interface Protocol

HTTPS is the default; HTTP is less secure.

What is Panorama?

Provides centralized, web-based management for multiple firewalls.

What is the XML API?

Provides an interface for accessing firewall configurations and status.

Management Access Services

HTTPS, SSH, Ping, Telnet, HTTP, SNMP, Response Pages, User-ID.

Interface Management Profile

Protects the firewall from unauthorized access by defining permitted protocols, services, and IP addresses.

What is DNS?

Translates domain names to IP addresses.

What does DHCP provide?

An IP address and configuration settings.

What are service routes?

Communication between the firewall and external servers goes through data ports instead of the MGT port.

Authentication Profiles

Used for administrator accounts, SSL-VPN access, and Captive Portal.

What is Role-Based Authentication?

Determines what the administrator can view and modify.

Firewall configuration stages

Running, candidate, saved, and versioned.

Activate Candidate Configuration

A commit.

Revert to last saved configuration

Restores the default snapshot of the candidate configuration.

Revert to running configuration

Restores the current running configuration.

Save named configuration snapshot

Creates a new candidate configuration snapshot under a distinct name.

Load configuration version

Replaces the current candidate configuration with a previous version.

Export device state

Exports firewall state information as a file.

Device Groups

Device groups can be nested in a tree hierarchy.

Templates

Provide the settings that enable firewalls to operate on the network.

Template stacks

Provide the ability to layer multiple templates.

Schedule and install dynamic updates

Automate application and threat downloads.

Security zones

A logical way to group physical and virtual interfaces.

What is an Intrazone rule?

Allows traffic within the same zone.

What is an Interzone rule?

Allows traffic between two different zones.

Types of address objects

Destination, IP Range and IP Wildcard Mask.

Static address group

Can include static or dynamic address objects, or other address groups.

Dynamic address group

Populates with lookups for tags and tagged objects.

Services

Service objects limit application traffic to specific ports.

Service groups

Categorize services with the same security settings into service groups.

External dynamic lists (EDLs)

The firewall imports objects from a text file hosted on an external server.

Application filters

Dynamically categorize applications based on Category, Subcategory, Tags, Risk, and Characteristic.

Application groups

An administrator can manually categorize multiple applications into groups based on App-IDs.

Shadow rules

A broader rule placed above a more specific rule shadows it, so the specific rule never matches.

Policy Usage Statistics

You can reset the rule hit count; the previous counts are not retained.

Type of Security Rules

Security policy rules match traffic and then apply an action.

App-ID

It determines what an application is, irrespective of port, protocol, or encryption.

User-ID

Identifies users on the network for better visibility and policy control.

Study Notes

PCNSA Study Guide

  • The PCNSA certification validates skills for Next-Generation Firewall (NGFW) deployment and operation
  • Certified individuals have proven their knowledge of the NGFW feature set and product portfolio core components

Exam Format

  • The PCNSA exam contains 60-75 questions
  • Candidates have 5 minutes to review the NDA
  • Candidates have 80 minutes to complete the exam questions
  • There are 5 minutes to complete a survey

Exam Weighting

  • Device Management and Services: 22%
  • Managing Objects: 20%
  • Policy Evaluation and Management: 28%
  • Securing Traffic: 30%
  • The exam is based on Product version 11.0

Skills Needed

  • A candidate should understand Palo Alto Networks firewall and centralized management components
  • A candidate should be able to configure, operate, and identify problems with the firewall
  • A candidate should have experience with App-ID and User-ID, profiles, and Objects
  • A candidate must have 2-3 years of experience in the Networking or Security industries
  • A candidate should have 6 months of experience with the Palo Alto Networks product portfolio or NGFW administration and configuration

Competencies Required

  • A candidate should be able to configure and operate Palo Alto Networks product portfolio components
  • A candidate should understand the unique aspects of the Palo Alto Networks product portfolio and how to administer it
  • A candidate should understand the networking and security policies used by PAN-OS software
  • The "Firewall Essentials: Configuration and Management (EDU-210)" course is highly recommended

Management Interfaces

  • Palo Alto Networks firewalls have an out-of-band management (MGT) port for firewall administration functions
  • The MGT port uses the control plane, separating management from network-traffic-processing (data plane) functions
  • Separation safeguards access and enhances performance
  • Initial configuration tasks are done from the MGT port, even when using an in-band data port
  • A serial/console port enables initial configuration with Secure Shell (SSH) or Telnet
  • MGT port access to the internet is needed for retrieving licenses and updating threat and application signatures
  • Service routes enable in-band data ports on the data plane to access external services if external access via the MGT port is not wanted

Methods of Access

  • The four methods for accessing Palo Alto Networks Next-Generation Firewalls are:
    • Web interface
    • CLI
    • Panorama
    • XML API

Initial Firewall Access Information

  • Gather the following information for the MGT port to gain access to the firewall for the first time:
    • IP address
    • Netmask
    • Default gateway
    • Domain Name System (DNS) server address
  • If the firewall is a DHCP client, this information is collected automatically via DHCP
  • Connect a computer to the firewall using an RJ-45 Ethernet cable or a serial cable to set up initial access

Web Interface

  • Used to configure and monitor the firewall over HTTP or HTTPS from a web browser
  • HTTPS is the default method
  • HTTP is a less secure method

CLI

  • Text-based configuration and monitoring over the serial console port or the MGT port using SSH or Telnet
  • It offers access to debugging information
  • Requires CLI access to be enabled for the administrator

Management interface

  • The CLI starts in operational mode by default
  • Operational mode has basic networking commands, system commands, and more advanced system commands
  • You can enter configuration mode by typing the "configure" command in operational mode
  • Configuration mode enables modification of configuration parameters, verification of the candidate configuration, and "commit" of the configuration

The PAN-OS XML API can be used to automate tasks

  • Creating, updating, and modifying firewall and Panorama configurations
  • Executing operational mode commands, such as restarting the system or validating configurations
  • Retrieving reports
  • Managing users through User-ID
  • Updating dynamic objects without having to modify or commit new configurations
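As an added example (not code from the study guide or from Palo Alto Networks), the block below builds the query strings for the XML API calls listed above (keygen, op, config set, commit) and parses the XML responses offline; the hostname, credentials, object name and sample responses are constructed placeholders. The API key returned by keygen grants the same rights as the admin account, so it should be protected like a password and requests should only go over verified HTTPS.

```python
"""Building PAN-OS XML API requests and parsing responses (constructed example)."""
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

FIREWALL = "fw.example.invalid"  # placeholder hostname (assumption)

# Standard PAN-OS xpath of the address objects in vsys1.
VSYS1_ADDRESS_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/vsys/entry[@name='vsys1']/address"
)


def api_url(params: dict) -> str:
    """Return the full URL for a PAN-OS XML API call on the MGT interface."""
    return f"https://{FIREWALL}/api/?" + urlencode(params)


def keygen_url(user: str, password: str) -> str:
    """type=keygen exchanges admin credentials for an API key."""
    return api_url({"type": "keygen", "user": user, "password": password})


def op_url(key: str, cmd_xml: str) -> str:
    """type=op runs an operational-mode command supplied as XML."""
    return api_url({"type": "op", "key": key, "cmd": cmd_xml})


def set_address_url(key: str, name: str, ip_netmask: str) -> str:
    """type=config&action=set adds an address object to the candidate config."""
    xpath = f"{VSYS1_ADDRESS_XPATH}/entry[@name='{name}']"
    element = f"<ip-netmask>{ip_netmask}</ip-netmask>"
    return api_url({"type": "config", "action": "set", "key": key,
                    "xpath": xpath, "element": element})


def commit_url(key: str) -> str:
    """type=commit activates the candidate configuration."""
    return api_url({"type": "commit", "key": key, "cmd": "<commit></commit>"})


def parse_response(body: str) -> dict:
    """Parse <response status="..." code="...">; never raises on API errors."""
    root = ET.fromstring(body)
    msg_el = root.find(".//msg")
    msg = "".join(msg_el.itertext()).strip() if msg_el is not None else ""
    key_el = root.find("./result/key")
    return {
        "ok": root.get("status") == "success",
        "code": root.get("code"),
        "msg": msg,
        "key": key_el.text if key_el is not None else None,
    }


# Constructed sample responses in the shape the API returns.
KEYGEN_OK = ('<response status="success"><result>'
             '<key>PLACEHOLDER-API-KEY</key></result></response>')
SET_OK = '<response status="success" code="20"><msg>command succeeded</msg></response>'
AUTH_ERR = ('<response status="error" code="403"><result>'
            '<msg>Invalid Credentials.</msg></result></response>')


def demo() -> dict:
    """Walk through keygen -> config set -> commit on the sample responses."""
    auth = parse_response(KEYGEN_OK)
    if not auth["ok"]:
        return {"stage": "keygen", "error": auth["msg"]}
    key = auth["key"]
    urls = {
        "set": set_address_url(key, "web-srv", "10.1.1.10/32"),
        "commit": commit_url(key),
        "sysinfo": op_url(key, "<show><system><info></info></system></show>"),
    }
    return {"stage": "done", "key": key, "urls": urls,
            "set_result": parse_response(SET_OK)}
```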

Access Restrictions

  • Data interfaces are used as management interfaces when the MGT interface is down
  • Data interfaces can be configured to bind various services:
    • HTTPS (default)
    • SSH (default)
    • Ping (default)
    • Telnet
    • HTTP
    • SNMP
    • Response Pages
    • User-ID

Interface Management Profile

  • An Interface Management profile protects the firewall from unauthorized access
  • It defines the protocols, services, and IP addresses that a firewall interface permits for management
  • An access control list can be included in the "Permitted IP Addresses" field, restricting access to the specified IP addresses
  • The firewall denies management access by default if no Interface Management profile is assigned

Identity-Management Traffic Flow

  • Create an out-of-band network where the management interfaces of security appliances and services live
  • This reduces the risk of service compromise but creates challenges, as your appliances may need to access resources unavailable on the secured network
  • A service route can be configured to redirect connections originating from the management plane via the backplane to the data plane

Management Services

  • Palo Alto Networks firewalls integrate with:
    • DNS
    • DHCP
    • NTP
  • DNS and NTP must be set up during the initial firewall configuration

DNS

  • It is a protocol that translates a user-friendly domain name to an IP address
  • At least one DNS server must be configured to resolve hostnames

Configuring DNS

  • Select Device > Setup > Services > Services gear icon.
  • On the Services tab, for DNS, click Servers
  • Enter the Primary and Secondary DNS Server addresses
  • Click OK and Commit

DHCP

  • A Palo Alto Networks firewall can act as a DHCP client (host) to request an IP address and other settings
  • DHCP use saves time and effort because users need not know the network addressing plan
  • DHCP can dynamically learn configuration parameters
    • IP address for MGT port
    • Netmask
    • Default gateway
    • At least one DNS server address

NTP

  • It is optional but recommended
  • NTP information can be obtained via DHCP if the firewall is configured as a DHCP client

Configuring NTP

  • Select Device > Setup > Services > Services gear icon.

Service Routes

  • Firewalls default to using the management interface for communication with various servers
  • These include external dynamic lists (EDLs), DNS, email, and update servers, as well as the connection to Panorama
  • Service routes enable communication between the firewall and servers through the data ports on the data plane
  • Configured data ports require appropriate security policy rules before external servers are accessed

Configuring Service Routes

  • Go to Device > Setup > Services > Service Route Configuration > Customize
  • Configure the appropriate service routes
  • For non-predefined services, manually enter the destination addresses on the Destination tab

Provision Local Administrators

  • An Authentication profile provides the authentication settings applied to administrator accounts, SSL-VPN access, and Captive Portal

Authentication Sequence

  • For external administrator accounts, assign the admin role together with an authentication sequence, which lists multiple authentication profiles in order
    • The firewall checks each authentication profile in sequence until one authenticates the user
    • If an external administrator account does not reference an authentication sequence, it references an authentication profile directly
    • A user is denied access only if all profiles fail to authenticate

Assign Role-Based Authentication

  • A role determines what an administrator can view and modify

Predefined Roles

  • Superuser has full access and defines new accounts and virtual systems (requires superuser privileges)
  • Superuser (read-only) has read-only access
  • Device administrator has full access except for defining new accounts or virtual systems
  • Device administrator (read-only) has read-only access except for password profiles (no access) and administrator accounts (only logged-in account is visible)
  • Virtual system administrator has access to specific virtual systems (if Multi Virtual System Capability is enabled)
  • Virtual system administrator (read-only) has read-only access to specific virtual systems (if Multi Virtual System Capability is enabled)

Maintain Firewall Configurations

  • The firewall holds a candidate configuration in memory on the control plane; a commit activates it by installing it as the running configuration on the data plane

Running Configuration

  • Saved as running-config.xml
  • Exists in data-plane memory to control firewall traffic
  • Requires a commit operation
  • The firewall automatically saves a new timestamped version after changes are committed
    • "Load configuration version" can load a previous version of the running configuration
    • You can queue multiple commits; the firewall prioritizes them

Candidate Configuration

  • Saving the candidate configuration does not activate changes
  • A commit, performed via the web UI or CLI, activates the changes
  • The candidate is saved as snapshot.xml, either as the default snapshot or under a customized name
  • Save manually, because the firewall does not automatically save the candidate configuration
    • "Revert to last saved configuration" reverts the candidate configuration to the current snapshot

Functions available under Device > Setup > Operations:

  • Revert: returns the candidate configuration to the last saved or running configuration
  • Save: creates a snapshot
  • Load: imports a snapshot or version, overriding the candidate configuration
  • Export: extracts a named configuration or device state as a file
  • Import: brings a configuration or device state file onto the firewall

Revert To Last Saved Configuration

This restores the default "snapshot.xml" of the candidate configuration

  • It therefore restores the last saved candidate configuration
  • The first message asks whether to continue with the revert to the last saved configuration; the second reports which files have been reverted

Revert to Running Configuration

  • Restores the current running configuration and undoes any changes made after the last commit
    • The first message asks whether to continue with the revert; the second signals when the firewall has been reverted

Save Named Configuration Snapshot

  • Creates a candidate configuration snapshot without overwriting the default snapshot
    • Enter a custom name or select an existing snapshot to overwrite
    • Useful for creating a backup, a test configuration, or a copy for modification or lab testing

Load Named Configuration Snapshot

Loads a custom snapshot as the candidate configuration, overwriting the current candidate configuration

Load Configuration Version

  • Overwrites the current candidate configuration with a selected version of the running configuration

Export Operations

  • Exports the running configuration, a candidate configuration snapshot, or a previously imported configuration
    • Save the exported snapshot locally for backups and for building other firewall configurations

Export Configuration Version

  • Saves a selected version of the configuration as an XML file

Export Device State

  • Exports all state information of the firewall, including its device group and template
  • For a GlobalProtect portal, the export also includes the certificate bundle and satellite authentication information; on a replacement firewall the state is restored by importing the state bundle

Import file

  • Imports a running or candidate configuration file, which can then be loaded as the candidate configuration

Import device state

  • A special import function that restores state information from a previously exported device state file
  • It includes the running configuration and applicable pushes from Panorama; for a GlobalProtect portal the bundle also contains certificate information, and loading the bundle restores the portal state

Panorama config Backups

  • Panorama has a running configuration made up of active settings and a candidate configuration that is a copy of the active configuration plus uncommitted changes
  • Saving creates versions of the current configuration
  • After a commit on a firewall running PAN-OS 5.0 or later, Panorama stores a backup of the firewall configuration; most commits trigger such a backup
    • Panorama stores up to 100 backups; export them to external storage for longer retention

Panorama Virtualization Support

  • VMware snapshots are not supported for Panorama on VMware ESXi and vCloud Air; instead, export backups to a network location

Push Policy Updates

  • A device group hierarchy nests groups in a tree to a maximum of 4 levels, with rules and objects defined per group

Levels of Hierarchy

  • Ancestors: parent, grandparent
  • Descendants: child, grandchild
  • Groups inherit settings from the Shared location and from their ancestor groups

Device Policy Requirements

  • Device groups let you set policies once and inherit them, avoiding redundant configuration
    • Shared settings apply first, then group-specific parameters
    • Settings apply to device groups at all levels of the hierarchy
    • Without the hierarchy you would have to configure the same settings separately for each group of devices

Where to Place Policies

  • Device groups provide a layered approach for managing policies across a network
  • The firewall evaluates rules by layer and type, with priority from top to bottom
  • When the firewall receives traffic it applies the action of the first rule that matches and disregards the remaining rules
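As an added example (not code from the study guide), the block below models the top-to-bottom, first-match evaluation described above, including the predefined intrazone-default (allow) and interzone-default (deny) rules, and adds a shadow-rule check: a later rule is shadowed when an earlier rule already matches everything it could match. Zone names, addresses, App-IDs and the rulebase are constructed sample data.

```python
"""First-match Security policy evaluation and shadow-rule check (constructed)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"


@dataclass
class Rule:
    name: str
    from_zones: object   # set of zone names, or ANY
    to_zones: object
    sources: object      # set of CIDR strings, or ANY
    destinations: object
    applications: object # set of App-ID names, or ANY
    action: str          # "allow" or "deny"
    rule_type: str = "universal"  # universal | intrazone | interzone


def _zone_ok(rule_zones, zone):
    return rule_zones == ANY or zone in rule_zones


def _addr_ok(rule_nets, addr):
    if rule_nets == ANY:
        return True
    ip = ip_address(addr)
    return any(ip in ip_network(n) for n in rule_nets)


def _type_ok(rule_type, from_zone, to_zone):
    if rule_type == "intrazone":
        return from_zone == to_zone
    if rule_type == "interzone":
        return from_zone != to_zone
    return True  # universal matches both


def matches(rule, from_zone, to_zone, src, dst, app):
    return (_type_ok(rule.rule_type, from_zone, to_zone)
            and _zone_ok(rule.from_zones, from_zone)
            and _zone_ok(rule.to_zones, to_zone)
            and _addr_ok(rule.sources, src)
            and _addr_ok(rule.destinations, dst)
            and (rule.applications == ANY or app in rule.applications))


# Predefined rules PAN-OS evaluates after the administrator's rulebase.
DEFAULT_RULES = [
    Rule("intrazone-default", ANY, ANY, ANY, ANY, ANY, "allow", "intrazone"),
    Rule("interzone-default", ANY, ANY, ANY, ANY, ANY, "deny", "interzone"),
]


def evaluate(rulebase, from_zone, to_zone, src, dst, app):
    """Return (rule name, action) of the first matching rule, top to bottom."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if matches(rule, from_zone, to_zone, src, dst, app):
            return rule.name, rule.action
    raise AssertionError("the default rules always match")


def _covers(a, b):  # zone or application sets: does a include all of b?
    return a == ANY or (b != ANY and b <= a)


def _covers_nets(a, b):  # every network in b lies inside some network in a
    if a == ANY:
        return True
    if b == ANY:
        return False
    return all(any(ip_network(n).subnet_of(ip_network(m)) for m in a) for n in b)


def shadowed_rules(rulebase):
    """Return (shadowed rule, shadowing rule) pairs; the shadowed rule never fires."""
    found = []
    for i, later in enumerate(rulebase):
        for earlier in rulebase[:i]:
            if (earlier.rule_type in ("universal", later.rule_type)
                    and _covers(earlier.from_zones, later.from_zones)
                    and _covers(earlier.to_zones, later.to_zones)
                    and _covers_nets(earlier.sources, later.sources)
                    and _covers_nets(earlier.destinations, later.destinations)
                    and _covers(earlier.applications, later.applications)):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed sample rulebase: the last rule is shadowed by "allow-any-out".
SAMPLE_RULEBASE = [
    Rule("allow-web-out", {"trust"}, {"untrust"}, {"10.1.0.0/16"}, ANY,
         {"web-browsing", "ssl"}, "allow"),
    Rule("allow-dns-out", {"trust"}, {"untrust"}, ANY, ANY, {"dns"}, "allow"),
    Rule("allow-any-out", {"trust"}, {"untrust"}, ANY, ANY, ANY, "allow"),
    Rule("deny-ftp-out", {"trust"}, {"untrust"}, ANY, ANY, {"ftp"}, "deny"),
]
```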

Centralized Deployment and Configuration

  • Panorama simplifies rapid deployment of both production firewalls and staged devices

Log functions

  • Panorama aggregates logs for centralized analysis, giving a comprehensive view that helps prevent threats while enforcing policies

Distributed Admin

  • Panorama delegates restricted administrative access and has global and local components

Templates And Stacks

  • Templates provide the PAN-OS Network and Device settings that enable firewalls to operate
  • They also define zones and configure servers such as syslog servers

Template stacks layer multiple templates to simplify settings; templates are applied in top-down priority, so a higher template's values take precedence.

  • Variables allow a template or stack value to differ per firewall according to its needs
  • IP addresses are a typical parameter set through variables

Overrides on Firewalls

  • Panorama pushes broad configuration and basic rules; individual firewalls can override pushed template values locally
  • To return to the template defaults afterwards, force the template values from Panorama onto the firewall

Defining a stack

  • Keep the firewalls in a stack the same or close in their parameters, so fewer stacks need to be added

Dynamic Content: Schedule and Install

To enhance protection, keep all firewalls up to date with content and software updates.

Dynamic Updates From Panorama
  • Updates should be scheduled so they are downloaded automatically from the update server; a schedule has the following settings:
  • Name: unique per scheduled job, up to 31 characters
  • Disabled: disables the job
  • Download Source: fetch from the Palo Alto Networks update server or from an SCP server
  • SCP: restricts the download so the device retrieves content only from the SCP server
  • SCP path: the path on the SCP server from which the file is retrieved
  • Type: the content type to download
  • Recurrence: how often the job runs, according to the server's clock
  • Time: the date and time, using the 24-hour clock
  • New apps option: controls whether new App-IDs in the content are enabled, so protection applies to them
  • Action: what to do with the download
    • Download Only: only downloads the file
    • Download and Install: downloads and installs it on the selected firewalls and Log Collectors
    • Download and SCP: transfers the downloaded file to an SCP server

Devices and Logs

  • Devices: select the managed firewalls that receive the update
  • Log Collectors: select the managed collectors that receive the update

From the Firewall: the following describes how updated information is retrieved by the firewall

  • Antivirus: new and updated signatures; a Threat Prevention subscription must be enabled to receive new signatures
    • Content is released on a recurring (monthly/weekly) schedule, with new content available in as little as 30 minutes; what is available depends on the subscription

Additional dynamic config

  • GlobalProtect Data File: contains vendor-specific information about incoming data; it requires a network path and then receives updates
  • GlobalProtect Clientless VPN: the same idea, but supplies the data used by Clientless VPN

PAN-DB URL Filtering

The URL database is updated continuously; when a URL is not in the local cache the firewall sends a query to the cloud and checks the category at the source.

WildFire

Delivers signatures for real malware identified by the WildFire cloud so the firewall can detect it.

WF-Private delivers the same signatures from a private WildFire appliance, which is why it is used in private deployments.

Schedule and Stagger

  • Always watch the release notes of new content and understand what is important for your environment

Install new releases only after the system has been prepared and backed up.

What to do:

1. Back up the current configuration before you start.

2. Generate a tech support file (Device > Support) and confirm the action.

3. Ensure each firewall is running the latest Applications and Threats content release; check the installed version and install newer content first if needed.

4. Check for available PAN-OS updates; after the file downloads, review it and take action to install.

5. Work through the PAN-OS 11.0 release in this way.

6. Disable preemption on the HA pair.

7. Suspend the primary firewall: under Device > High Availability, use the operational commands to suspend the local device, then confirm the peer has taken over and all is well.

Then upgrade the secondary.

  • Make the peers functional again, install the release on the secondary, let the peer follow, re-enable preemption, and test.
  • Select the device and proceed with the install.
  • Check that the device follows the same steps.
  • Select the release, ensure the HA state is healthy, commit, re-enable preemption, validate, and test again.

Additional steps:

  • Be prepared to regenerate settings as new protocols are introduced
  • Use the CLI "show" commands for verification

413 Reference

  • Review the settings for the various factors.

Make Zones and Configure Policies

Security zones are the next grouping used to better manage traffic that has different needs.

  • Zones contain interfaces of the same type (tap, Layer 2, etc.) and limit when and where traffic can go

Interface and Zone Types

  • External: for traffic that exists outside the firewall's own virtual systems
  • Layer 2: interfaces work as a switch
  • Layer 3: interfaces route between multiple subnets or VLANs
  • Tap: connected to a monitor (mirror) connection; the firewall only analyzes the traffic
  • Virtual wire (vwire): two interfaces (which may be different) bound together; traffic is managed with security and App-ID/User-ID as long as sessions are set up for it
  • Tunnel: Layer 3 interfaces used for VPNs
  • Set the interface type (for example Layer 3) and proceed with the zone configuration
