Palo Alto Firewalls Configuration By Example - PCNSE Prep
4.4 (2,303 ratings)
12,210 students enrolled

Deep dive into policies and network configuration of Palo Alto firewalls, by example
Created by Infini Tech
Last updated 12/2018
This course includes
  • 26 hours on-demand video
  • 2 articles
  • 15 downloadable resources
  • Full lifetime access
  • Access on mobile and TV
  • Certificate of Completion
What you'll learn
  • Understand Palo Alto firewall deployment methods
  • Understand how to deploy Palo Alto firewalls in both Azure and AWS
  • Understand Palo Alto firewall security policies
  • Understand Palo Alto firewall NAT configuration
  • Understand Palo Alto firewall network configuration
  • Understand User-ID integration
  • Configure User-ID integration using the User-ID Agent
  • Configure Captive Portal to authenticate users
  • Understand the different Captive Portal methods (redirect, transparent, and browser-challenge SSO) with examples
  • Understand the difference between source NAT, destination NAT, and U-turn NAT
  • Understand security zones and traffic processing in Palo Alto firewalls
  • Understand the packet flow through a Palo Alto firewall
  • Understand the Threat Prevention capabilities of Palo Alto firewalls
  • Understand Anti-Spyware, Antivirus, and IPS (Vulnerability Protection) configuration
  • Understand Anti-Spyware and DNS sinkholing
  • Configure Anti-Spyware, Antivirus, and IPS
  • Understand the Palo Alto firewall Anti-Spyware policy using an example configuration
  • Understand how to configure WildFire
  • Understand how to configure Data Filtering for data leakage prevention
  • Understand SSL decryption
  • Configure SSL decryption
  • Understand SSL decryption through a Palo Alto firewall SSL decryption example
  • Understand how to prevent a split-brain situation with firewalls in Active/Passive HA
  • Palo Alto firewall U-turn NAT configuration example
  • Understand the difference between SSL Inbound Inspection and SSL Forward Proxy (outbound)
  • Understand the concept of virtual routers
  • BGP and OSPF configuration examples
  • Configuration of multiple ISPs with different failover scenarios
  • Configuration of policy-based forwarding using different scenarios
  • Configure IPsec LAN-to-LAN VPN tunnels on a Palo Alto firewall with different scenarios
  • Understand the difference between IKEv1 and IKEv2, how to deploy a Palo Alto firewall with IKEv2, and the benefits
  • Understand the difference between IKEv1 main mode and aggressive mode with scenarios
  • Understand IKE PFS and how to configure it
  • Understand and configure High Availability Active/Passive
  • Understand and configure High Availability Active/Active with floating IP and ARP load sharing
  • Understand Active/Active NAT configuration with examples
  • Understand and configure IPv6 on Palo Alto firewalls with examples
  • Understand how to deploy DHCPv6 relay on Palo Alto firewalls
  • Understand how to configure IPv6 NPTv6 and NAT64
  • Understand how to configure a Palo Alto firewall in Azure with an example
  • Understand Panorama concepts: device groups, templates, and template stacks
  • Understand QoS configuration concepts and how to configure QoS marking
  • Understand QoS classification and marking
  • Understand QoS for IPsec tunnels, bidirectional QoS enforcement, QoS marking, and QoS copy ToS header
  • Understand how to deploy a Palo Alto firewall in Google Cloud
Requirements
  • Students need to be familiar with firewall concepts
  • Students need to understand networking fundamentals

Palo Alto firewalls are true next-generation firewalls built from the ground up to address the shortcomings of legacy firewalls; it was the first firewall platform to make decisions based on applications, not just ports and protocols. The PCNSE exam requires a deep understanding of the topics, and exam dumps are not the way to go. You need to practice the concepts and be clear on how to configure this feature-rich firewall platform. This class guides you through the configuration of the different features and shows how to practice on AWS and Unetlab. It covers many topics required for PCNSE7 or PCNSE8, and new topics are added frequently.

This course dives deeper into Palo Alto firewall policies and network configuration to give students a clear understanding of several topics. Topics covered include security policy configuration, SSL decryption, routing configuration, IPsec configuration, IPv6 configuration, High Availability configuration, QoS, and other real-world configuration examples.

This online class will help in preparing the student for the PCNSE certification by covering topics in the depth that Palo Alto expects the candidates to know.

There are no materials included with this class.

Students are expected to have understanding of network terminology and be familiar with stateful firewall concepts, network address translation and routing protocols.

You get a certificate of completion after you complete this class

Who this course is for:
  • This class is suited for students who want a deeper understanding of configuring Palo Alto firewalls
  • This class is for students who want to see Palo Alto firewall configuration examples
Course content
153 lectures, 26:05:38 total
+ Paloalto Intro and Deployment Options
13 lectures 02:10:35

High-level overview of the Palo Alto firewall and how it differs from other vendors. It also shows the different Palo Alto platforms and their specifications.

Palo Alto Firewalls overview
Firewalls Overview Quiz
4 questions

This lecture discusses the different deployment options, to prepare students for configuring each deployment mode in the web UI.

Deployment Options

This lecture explains the purpose of a Layer 2 deployment and how it can be used to introduce Palo Alto firewalls into a network seamlessly. Two examples are shown: Layer 2 interfaces in access mode and Layer 2 interfaces in trunk mode.

Layer 2 deployment

Shows an example of configuring the Palo Alto firewall in a Layer 3 setup, where it routes traffic between different interfaces and zones.

Layer 3 deployment

This lecture demonstrates layer 2 mode with spanning tree and interface redundancy.

Layer 2 deployment and spanning tree

This lecture discusses features and limitations of layer 2 deployment and demonstrates those in the lab.

Layer 2 Features and Limitations with demonstration

This lecture explains virtual wire deployment and provides two scenarios: a straight virtual wire from one interface to another, and virtual wires with VLAN trunking. It also explains the default spanning-tree behavior of Palo Alto firewalls in virtual-wire mode and how to change it if required.

Virtual Wire deployment

This lecture explains virtual wire with IP classification: what it is for and how it works. It walks students through configuring the feature for a firewall shared among multiple customers, and also introduces the concept of virtual systems.

Virtual Wire IP Classify

Shows an example of configuring the Palo Alto firewall in Tap mode and why you would use Tap mode in a deployment (a tap interface only observes mirrored traffic, so it gives visibility but cannot block anything).

Tap Mode deployment
Deployment Options Quiz
8 questions

Understand the basic setup that gives the firewall a management IP address so you can manage it remotely.

Initial Configuration
+ Lab and AWS Palo Alto instance(s) Setup
8 lectures 01:01:05
AWS Note

This lecture shows you how to create a Palo Alto VM instance in Amazon AWS to practice on.

Create an Amazon AWS instance to practice

This lecture shows the student how to provision a Windows domain controller to prepare for lab testing of the Palo Alto firewall in Amazon AWS.

Setup Amazon AWS for lab testing, add a Windows AD server

This lecture shows the student how to setup the Amazon AWS VPC to route traffic through the Palo Alto AWS instance.

AWS VPC setup, routing setup, route traffic through the AWS instance

This lecture walks the student through creating a DMZ segment and routing it through the AWS firewall.

Create a DMZ segment in Amazon AWS, add a server to DMZ segment

The AWS routing and default-gateway requirements for routing traffic through the Palo Alto firewall.

AWS routing issue to be aware of
Unetlab EVE-NG name change

This lecture shows you what software you need to have to setup a test environment so you can practice the different scenarios discussed in the class. It goes over the general steps to setup unetlab (now EVE-NG) to create your own test environment to practice the many scenarios in this class.

Create your own test lab to practice
+ Basic Administrative Tasks
7 lectures 42:01

This lecture shows the basic settings a Palo Alto firewall needs out of the box to get up and running.

Basic Settings

This lecture shows the student how to commit changes and other basic settings.

Changes and Committing changes

This lecture shows the student how to configure local administrator accounts on the firewall and authenticate them against a RADIUS server.

Local Administrator Account with External Authentication

This lecture shows the student how to use the RADIUS server to grant administrator access dynamically to Active Directory users, returning the appropriate admin role (via the Palo Alto RADIUS vendor-specific attributes) without creating any local accounts on the firewall. This makes it possible to add administrators without touching the firewall configuration for each one.

External Authentication Using Radius Server

This lecture shows the student how to check licenses, upgrade or downgrade the system software, and install and activate the GlobalProtect client.

System software Upgrade / Downgrade, global protect client install

This lecture shows the basic steps for enabling dynamic updates to keep the firewall's threat, App-ID, WildFire, and GlobalProtect data files current.

Dynamic Updates

Understand the interface management profile and what must be configured to enable User-ID, response pages, and ping on an interface. Also understand the precautions (permitted IP addresses, and not exposing management services on untrusted interfaces) that ensure only authorized users can manage the firewall.

Interface Management Profile
Quiz Basic Setup
4 questions
+ Security Policy Configuration
11 lectures 01:18:54

Understand security zones and how traffic is processed as it relates to security zones, and security policies.

Security Zones and Traffic Processing

This lecture takes you through the life of a packet from the time it enters the firewall, how it's processed from ingress to egress.

Packet Flow
Quick knowledge check 1 Quiz
8 questions

Demonstrates using App-ID in security policy to block unwanted applications while allowing legitimate ones.

Rules based on application using App-ID

This lecture demonstrates how to handle applications running on non-standard ports and the security policy configuration this requires, including how the rule's service setting (application-default versus an explicit service) affects what is allowed.

Security Policy Rules for applications not running on application default ports

Explains Application Override policies and the benefit of using them to identify internal applications for better reporting and control, with an example implementation. Note that traffic matched by an application override rule bypasses App-ID (and therefore Content-ID inspection), so such rules should be scoped as narrowly as possible.

Application Override Policies - Custom Applications

Demonstrates using URL Filtering to protect users from threats and restrict traffic to legitimate business URLs, and shows the difference between the URL actions: allow, block, continue, override, and alert.

URL Filtering Rules and Options
Knowledge check 2 Quiz
5 questions

Demonstrates creating a custom URL category for classifying internal URLs. This can be used to restrict who can access URLs in that category, coupled with User-ID, which is discussed in the next section.

Custom URL Category

Demonstrates creating address objects and address groups to use in your security policy.

Using Address Objects

Demonstrates creating service objects and service groups to use in your security policy.

Using Service Objects

Demonstrates using dynamic block lists to protect against known-bad sources, whether published by Internet feeds or internally deemed risky IP addresses, and how to use an internal server to block IP addresses dynamically without touching the firewall configuration.

Using Dynamic Block Lists
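The mechanism behind that lecture is simple: the firewall polls a plain-text URL on a schedule and enforces whatever addresses it finds, so "blocking without a commit" means publishing a well-formed file. The script below is an added example, not course material. It assumes a hypothetical internal URL such as http://edl.corp.example/block.txt is configured as an External Dynamic List of type IP on the firewall, and that the list format is one IPv4/IPv6 address, CIDR block, or a-b range per line; the feed it cleans up is constructed.

```python
"""Publish an External Dynamic List (EDL) of IP entries for a PAN-OS firewall to poll.

Added example (not course material). Assumes the firewall has an EDL object of type IP
pointing at a hypothetical internal URL such as http://edl.corp.example/block.txt, and
that the list format is one IPv4/IPv6 address, CIDR block, or a-b range per line.
"""
from __future__ import annotations

import ipaddress
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

# Constructed feed, as an internal collector might hand it over: duplicates and junk included.
RAW_FEED = """
203.0.113.7
198.51.100.0/24
2001:db8::/32
10.0.0.1-10.0.0.9
not-an-ip
203.0.113.7
192.0.2.300
"""


def normalize_entry(line: str):
    """Return the canonical form of one line, or None if it is not a valid IP, CIDR, or range."""
    line = line.strip()
    if not line:
        return None
    if "-" in line:                      # a-b range: both ends valid, same family, ordered
        lo, _, hi = line.partition("-")
        try:
            a = ipaddress.ip_address(lo.strip())
            b = ipaddress.ip_address(hi.strip())
        except ValueError:
            return None
        if a.version != b.version or a > b:
            return None
        return f"{a}-{b}"
    try:
        net = ipaddress.ip_network(line, strict=False)   # host bits masked: 203.0.113.7/24 -> 203.0.113.0/24
    except ValueError:
        return None
    if net.prefixlen == net.max_prefixlen:               # single host: emit the bare address
        return str(net.network_address)
    return str(net)


def build_edl(raw: str) -> list[str]:
    """Validate every line, drop junk, and de-duplicate while keeping first-seen order."""
    entries = {}
    for line in raw.splitlines():
        entry = normalize_entry(line)
        if entry is not None:
            entries.setdefault(entry, None)
    return list(entries)


def render_edl(entries: list[str]) -> str:
    """One entry per line with a trailing newline: the body the firewall fetches."""
    return "\n".join(entries) + "\n"


def serve_edl(directory: str, port: int = 8080) -> None:
    """Serve the directory holding block.txt over plain HTTP.

    In production put this behind HTTPS with a certificate the firewall trusts, so a
    spoofed list cannot be injected on the way to the firewall.
    """
    handler = partial(SimpleHTTPRequestHandler, directory=directory)
    ThreadingHTTPServer(("0.0.0.0", port), handler).serve_forever()


if __name__ == "__main__":
    entries = build_edl(RAW_FEED)
    with open("block.txt", "w") as fh:
        fh.write(render_edl(entries))
    print(f"wrote {len(entries)} entries; point the firewall EDL at this file and run serve_edl('.')")
```

Two things to keep in mind when relying on this: the list only does something once a security rule references the EDL object, and the firewall's refresh interval (five minutes up to monthly) bounds how quickly a new entry takes effect.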

Demoing how to use tags to simplify readability of your security policy.

Using Tags
Knowledge check 3 Quiz
6 questions
+ User ID integration
11 lectures 01:22:14

This lecture explains User-ID and the different methods that can be used to collect user-to-IP mappings. Each method is demonstrated in the following lectures.

User ID integration

Demo of how to configure your domain controller to log the events User-ID relies on, and how to configure the User-ID Agent on a server to collect those logs and send the resulting mappings to the Palo Alto firewall.

Preview 10:19

Show how to configure the PaloAlto firewall to talk to the User ID agent and get the events relating to user logon.

Configure the firewall to use user ID agent

Configuration example of the integrated User-ID agent on the Palo Alto firewall itself. The firewall has a built-in agent that can connect directly to Active Directory servers, read logon and Kerberos events, and extract user-to-IP mappings for use in security policy decisions, without a separate agent server.

Configuring integrated User ID agent

Demo of how to configure the firewall to query LDAP for user-to-group mapping and use that information in security policy. This lecture provides a configuration example of setting up the Palo Alto firewall to talk to an LDAP server and retrieve Active Directory groups.

Group to User ID mapping

Demo of how to use user-to-group mapping in your security policy. This lecture goes over a configuration example of LDAP on Palo Alto firewalls that maps user IDs to Active Directory groups, which lets the firewall make security policy decisions based on group membership.

Making decisions based on user group membership example

Demo showing the configuration of the firewall to utilize Captive Portal to get User ID information for users that failed identification using the AD agent.

Preview 06:13

Demo of how to utilize the Captive portal in transparent mode.

User ID mapping using CaptivePortal in Transparent Mode

This lecture shows an example of configuring the Palo Alto firewall to use Captive Portal with Active Directory integration and obtain the user's identity automatically through single sign-on (SSO), without prompting the user to log in to the Captive Portal.

Captive Portal using Browser Challenge SSO example

Demo of how to configure Palo Alto firewalls to receive user-to-IP mappings over the XML API. This lets you integrate identity sources the firewall does not support out of the box. The lecture walks through a configuration example of User-ID populated from XML-provided information.

Relaying UserID information using XML example

This lecture provides a configuration example of sending syslog messages to the Palo Alto firewall so it can extract User-ID information, using a Cisco ASA that logs AnyConnect VPN user sessions. Many companies still use AnyConnect on a Cisco ASA; that does not prevent them from putting the ASA behind the Palo Alto firewall to benefit from its next-generation features.

User ID mapping using Syslog Messages example
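The XML API lecture and the syslog lecture above are two ends of the same pipeline: extract a user and an address from some event source, then hand the firewall a user-to-IP mapping. The script below is an added example, not course material; it does outside the firewall what the syslog lecture configures inside it (a syslog sender plus parse profile), so the parsing can be tested offline, and then builds the `uid-message` document that the XML API's `type=user-id` call accepts. Assumptions: the ASA lines follow the shape of message 722051 shown in the constructed `SAMPLE_SYSLOG`, users belong to a NetBIOS domain named `corp`, and the firewall host name and API key are supplied by the caller.

```python
"""Turn Cisco ASA AnyConnect syslog into PAN-OS User-ID mappings via the XML API.

Added example (not course material). Assumes the ASA lines look like the constructed
SAMPLE_SYSLOG entries (message 722051), that users live in the NetBIOS domain "corp",
and that the caller supplies the firewall host name and an API key.
"""
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample: two AnyConnect address assignments and one unrelated message.
SAMPLE_SYSLOG = [
    "<166>Dec 03 2018 10:15:42 asa01 : %ASA-6-722051: Group <RA-VPN> User <jdoe> "
    "IP <198.51.100.20> IPv4 Address <10.200.0.15> IPv6 address <::> assigned to session",
    "<166>Dec 03 2018 10:16:01 asa01 : %ASA-6-722051: Group <RA-VPN> User <asmith> "
    "IP <198.51.100.21> IPv4 Address <10.200.0.16> IPv6 address <::> assigned to session",
    "<166>Dec 03 2018 10:16:30 asa01 : %ASA-6-302013: Built inbound TCP connection 4711 "
    "for outside:198.51.100.20/51515 (198.51.100.20/51515) to inside:10.1.1.5/443 (10.1.1.5/443)",
]

# The mapping we want is user -> assigned (inner) VPN address, not the public peer address.
ASA_ASSIGN_RE = re.compile(
    r"%ASA-6-722051: Group <(?P<group>[^>]+)> User <(?P<user>[^>]+)> "
    r"IP <[^>]+> IPv4 Address <(?P<ip>[^>]+)>"
)


def parse_assignments(lines, domain="corp"):
    """Return (domain\\user, ip) pairs; the domain prefix must match what group mapping uses."""
    mappings = []
    for line in lines:
        m = ASA_ASSIGN_RE.search(line)
        if m:
            mappings.append((f"{domain}\\{m['user']}", m["ip"]))
    return mappings


def build_uid_message(logins, timeout_minutes=60):
    """Build the <uid-message> document accepted by the XML API's type=user-id call.

    Every entry carries a timeout so the mapping ages out if the logout is never seen;
    a logout event would go under <payload><logout> instead of <login>.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in logins:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_minutes))
    return ET.tostring(root, encoding="unicode")


def read_uid_message(uid_xml):
    """Parse a uid-message back into (user, ip, timeout) tuples, to check what was built."""
    doc = ET.fromstring(uid_xml)
    return [(e.get("name"), e.get("ip"), int(e.get("timeout")))
            for e in doc.findall("payload/login/entry")]


def push_mappings(firewall_host, api_key, uid_xml):
    """POST to https://<firewall>/api/ with type=user-id. Network call, not exercised offline.

    The firewall's management certificate must be trusted by this host, and the API key
    should belong to an admin role whose XML API rights are limited to User-ID updates.
    """
    body = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": uid_xml}).encode()
    req = urllib.request.Request(f"https://{firewall_host}/api/", data=body, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    print(build_uid_message(parse_assignments(SAMPLE_SYSLOG)))
```

The user name format matters more than it looks: the mapping is only useful in a group-based rule if `corp\jdoe` is spelled exactly as the LDAP group mapping reports it.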
+ Threat Prevention
11 lectures 01:30:37

Understand the Palo Alto Antivirus protection feature, with a demo of configuring it to protect users from viruses.

Antivirus configuration

Understand Anti-Spyware and DNS sinkholing, with a demo of configuring those features to protect the network from spyware.

Preview 11:36
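The reason sinkholing is worth configuring is what happens after the forged DNS answer: the infected host connects to the sinkhole address, and that connection is what identifies it, because the threat log for the sinkholed query usually names only the internal resolver that forwarded it. The script below is an added example, not course material, and runs that correlation over constructed threat and traffic log lines. It assumes the Anti-Spyware profile's sinkhole IPv4 address is 10.255.255.254 (an unused internal address routed through the firewall) and that the logs have been exported as CSV with the subset of fields shown.

```python
"""Find hosts that connected to the DNS sinkhole address. Added example (not course material).

With the Anti-Spyware DNS action set to "sinkhole", the firewall answers a malicious query
with the sinkhole address.  Clients that resolve via an internal resolver are invisible in
the threat log (the resolver is the source there); they surface in the traffic log as the
source of a connection to the sinkhole address.  Assumptions: sinkhole address 10.255.255.254,
CSV exports with the fields below (constructed).
"""
import csv
import io
from collections import Counter

SINKHOLE_IP = "10.255.255.254"  # assumed; use whatever the Anti-Spyware profile is set to

# Constructed threat log: sinkholed queries are attributed to the internal resolver 10.0.0.53.
THREAT_LOG = """receive_time,src,dst,threat,action
2018/12/03 10:20:00,10.0.0.53,8.8.8.8,Suspicious DNS Query (generic:bad.example),sinkhole
2018/12/03 10:20:04,10.0.0.53,8.8.8.8,Suspicious DNS Query (generic:bad.example),sinkhole
"""

# Constructed traffic log: the clients that followed the forged answer reveal themselves here.
TRAFFIC_LOG = """receive_time,src,dst,dport,app,action
2018/12/03 10:20:01,10.0.0.53,8.8.8.8,53,dns,allow
2018/12/03 10:20:02,10.1.4.27,10.255.255.254,443,ssl,deny
2018/12/03 10:20:02,10.1.4.27,10.255.255.254,80,web-browsing,deny
2018/12/03 10:20:05,10.1.7.9,10.255.255.254,443,ssl,deny
2018/12/03 10:20:06,10.1.4.30,93.184.216.34,443,ssl,allow
"""


def sinkholed_query_sources(threat_csv):
    """Sources the threat log blames for sinkholed queries: typically only the resolver."""
    rows = csv.DictReader(io.StringIO(threat_csv))
    return sorted({r["src"] for r in rows if r["action"] == "sinkhole"})


def infected_hosts(traffic_csv, sinkhole_ip=SINKHOLE_IP):
    """Connections per source to the sinkhole address: those sources are the infected clients."""
    rows = csv.DictReader(io.StringIO(traffic_csv))
    return dict(Counter(r["src"] for r in rows if r["dst"] == sinkhole_ip))


if __name__ == "__main__":
    print("threat log points at:", sinkholed_query_sources(THREAT_LOG))
    print("hosts that hit the sinkhole:", infected_hosts(TRAFFIC_LOG))
```

On the firewall the same question is the traffic log filter `( addr.dst in 10.255.255.254 )`; for it to return anything, the sinkhole address must be one the clients can only reach through the firewall, with a security rule that denies and logs the attempt.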

Demoing how to create custom anti-spyware signatures in your firewall to customize antispyware rules.

Creating custom Anti-Spyware signatures

Demoing the Vulnerability protection "IPS" feature of the PaloAlto firewall and how to create custom IPS signatures.

Configuring Vulnerability Protection and Custom Signatures

Demoing using File Blocking to protect against malicious files and restrict download / upload of files by certain users.

File Policies

Demo of how to configure WildFire protection and use sandboxing for a fast response to newly discovered malware.

Configuring Wildfire

Demo of how to access the WildFire portal and what it looks like.

Wildfire Portal

Demo of how to use the Data Filtering feature of the Palo Alto firewall for data leakage prevention.

Configuring Data Filtering - Data Leakage Prevention

Demo of data leakage prevention that detects credit card numbers and blocks such data from leaving the network.

Data leakage demo - Credit Card Numbers Detection and Blocking

Understand the DoS protection feature of the PaloAlto firewall.

Denial Of Service Protection

Demoing how to configure DoS protection on the PaloAlto firewall.

Implementing Zone and Host Denial Of Service Protection
+ SSL Decryption
6 lectures 56:27

Understand the SSL decryption concepts, preparing the students to show the configuration of SSL Decryption.

Certificates, Certificate Authorities, and Decryption Concepts

Demo of how to create a self-signed certificate for proxying SSL traffic, and the caveats of using one (no client trusts it until it has been distributed to every client's trust store).

SSL Forward Proxy - Trust Certificate - Local Cert on PaloAlto

Demonstrates the difference between the Forward Trust certificate, used to re-sign sites whose original certificate is valid, and the Forward Untrust certificate, used when the origin certificate is not trusted so that the client still sees a warning, and the purpose of each.

SSL Forward Proxy - Untrust Certificate - Local Cert on PaloAlto

Demonstrates how to create a subordinate CA from an internal PKI and use it to simplify SSL decryption for internal users on domain-joined computers, which already trust the enterprise root.

SSL Forward Proxy Using an Internal PKI Subordinate CA

Demoing of the SSL decryption feature in action, blocking threats in traffic.

SSL Forward Proxy Blocking Threats in Encrypted Traffic - Demo

Understand SSL Inbound Inspection and its purpose in protecting publicly hosted SSL servers in your environment; unlike forward proxy, it requires the server's own certificate and private key to be loaded on the firewall.

SSL Inbound Inspection
+ Network Address Translation
11 lectures 02:14:33

Understand Dynamic NAT, ALG, and dynamic NAT pool concepts.

Understanding Dynamic IP and Port NAT

This lecture demonstrates how to configure Dynamic IP and Port NAT and dynamic NAT pools.

Dynamic IP and Port configuration examples

Dynamic NAT caveats for multiple ISP configuration.

Dynamic IP and Port egress interface: multiple-ISP considerations

This lecture explains the difference between Dynamic IP and Dynamic IP and Port, with examples. It also explains the purpose and configuration of Dynamic IP with fallback.

What is the difference between Dynamic IP and Dynamic IP and port with examples

This lecture explains static NAT and static bidirectional NAT with an example.

Static NAT concepts and example

This lecture explains static NAT with port translation and the use cases of it with example.

Static NAT with Port Translation Use Case and scenario example

This is a continuation of the previous lecture.

Static NAT with Port Translation Use Case and scenario example - part 2

Demonstrates configuring destination NAT on the Palo Alto firewall and writing the security policy correctly for the translated traffic: the security rule matches on the pre-NAT destination address but the post-NAT destination zone.

Destination NAT and Destination NAT with Port Address Translation

Understand U-turn NAT and see how to configure it for the corner cases where it is needed, such as internal clients reaching an internal server by its public address.

U-turn NAT with port translation

Demonstrates configuring source and destination NAT simultaneously on the same traffic, to handle certain NAT corner cases.

Source and Destination NAT

This lecture explains Dynamic Destination NAT, new in PAN-OS 8.1, which translates the destination to an address that is resolved dynamically (for example an FQDN address object) rather than a fixed IP.

New in PAN-OS 8.1: Dynamic Destination NAT
+ Basic and Intermediate Networking
11 lectures 01:29:26

Demoing using the PaloAlto firewall as a DHCP server for your hosts

DHCP Services

Demoing the default route configuration

Default Route

Demonstrates configuring OSPF on the Palo Alto firewall to use dynamic routing instead of static routes and adapt to changing network conditions.

OSPF Routing

Demoing how to configure BGP on the PaloAlto firewall to interface with a service provider

BGP Routing

Demoing how to configure BGP to advertise networks to service provider.

BGP Advertise

Demonstrates the use of multiple virtual routers in your environment and why that is beneficial.

Using Multiple Virtual Routers

Demoing the use of multiple virtual routers and how does this setup apply to NAT configuration and security policy configuration.

Multiple Virtual Routers NAT and Security Policy Example

Demoing how to configure the firewall to integrate with 2 service providers and failover using BGP.

Multiple ISP Failover Scenario using BGP

Demoing how to configure multiple ISP failover using floating static routes.

Multiple ISP Failover using floating Static Route

Demoing how to use policy based forwarding to failover between multiple ISPs.

Multiple ISP Failover using Policy Based Forwarding

Demoing how to configure load sharing to effectively utilize multiple service provider connections in active active fashion.

Multiple ISP Load Sharing using Policy Based Forwarding
+ High Availability
10 lectures 02:24:44

Understand the terminology of High Availability and the difference between the HA1 and HA2 interfaces: HA1 is the control link (heartbeats, configuration and state synchronization) and HA2 the data link (session table synchronization). Understand the concepts behind high availability to prepare for the active/passive configuration example.

High Availability Overview

Lab demonstration of an active/passive setup between two Palo Alto firewalls: configuring HA1 and HA2, preemption, HA groups, and everything required for the two firewalls to synchronize their configuration and sessions and to preempt after a failover.

Active/Passive Configuration Example

Shows what happens when the HA1 link goes down without an HA1 backup or heartbeat backup: each firewall may conclude its peer is gone and go active (split brain). Also shows synchronization over HA1, how the firewalls behave as an active/passive pair, and how to avoid split-brain situations.

High Availability Active / Passive different failure scenarios HA1 HA2 heartbeat

Demonstrates using HA1 backup and HA2 backup links as a failsafe against HA1 and HA2 failures.

High Availability Active / Passive HA1-backup, HA2-backup configuration

This lecture demonstrates link monitoring using link groups and path monitoring, and explains the purpose of each. It also shows the operational commands for a manual HA failover.

High Availability Active/Passive link and path monitoring, HA operations

Explaining active-active concepts to prepare for a configuration demo of active active with floating IP

Active Active High availability intro, Floating IP

Configuration demo of two active firewalls load-sharing traffic using floating IP addresses. Understand NAT in the active/active case, the session owner options, and failover when one firewall fails.

Active Active with Floating IP configuration example

Understand active/active session owner, session setup scenarios. Configuration example for using session owner, session setup different scenarios.

Active Active session owner, session setup using IP modulus, failover example

Configuration example of static NAT in an active/active high-availability scenario and the caveats of this setup, with a best-practice configuration that avoids asymmetric path issues.

Active Active Static Nat Configuration Example using NAT HA binding Primary

Configuration of ARP load sharing with active/active high availability. In this scenario a pair of Palo Alto firewalls in active/active HA share a destination NAT using ARP load sharing.

Active Active High Availability Arp Load Sharing Configuration Example