Palo Alto Firewalls Configuration By Example - PCNSE Prep

Deep dive in Policies and Network Configuration of PaloAlto Firewalls by example
4.4 (68 ratings)
635 students enrolled
  • Lectures 128
  • Length 21.5 hours
  • Skill Level Intermediate Level
  • Languages English
  • Includes Lifetime access
    30 day money back guarantee!
    Available on iOS and Android
    Certificate of Completion

About This Course

Published 8/2016 English

Course Description

Palo Alto firewalls are true Next Generation firewalls built from the ground up to address the issues of legacy firewalls. It is the first firewall platform to make decisions based on applications, not just ports and protocols. The PCNSE exam requires a deep understanding of the topics. Exam dumps are not the way to go. You need to study and practice the concepts and be clear on how to configure this feature-rich firewall platform. This class guides you through the configuration of different features and shows how to practice on AWS and Unetlab. This class covers some topics in PCNSE7, and new topics are added frequently.

This course dives deeper into Palo Alto firewall policies and network configuration to give students a clear understanding of several topics. Topics covered include Security Policies configuration, SSL Decryption, Routing configuration, IPsec configuration, IPv6 configuration, High Availability configuration and other real-world configuration examples.

This online class will help in preparing the student for the PCNSE certification by covering topics in the depth that Palo Alto expects the candidates to have.

There are no materials included with this class.

Students are expected to have an understanding of network terminology and be familiar with stateful firewall concepts, network address translation and routing protocols.

There are a lot of topics covered; please click on show full curriculum to see them.

You get a certificate of completion after you complete this class.

What are the requirements?

  • Students need to be familiar with firewall concepts
  • Students need to understand Networking Fundamentals
  • Students need to understand basic networking

What am I going to get from this course?

  • Understand Palo Alto Firewalls Deployment Methods
  • Understand Palo Alto Firewalls Security Policies
  • Understand Palo Alto Firewalls NAT configuration
  • Understand Palo Alto Firewalls Network Configuration
  • Understand User ID Integration
  • Configure user ID integration using User ID Agent
  • Configure Captive Portal to authenticate users
  • Understand the different Captive Portal methods, including redirection, transparent and SSO, with examples
  • Understand the difference between NAT Source, Destination, UTurn
  • Understand security zones and traffic processing in PaloAlto Firewalls
  • Understand the packet flow through the PaloAlto Firewalls
  • Understand Threat Prevention capabilities of the PaloAlto Firewalls
  • Understand AntiSpyware, AntiVirus, IPS configuration
  • Understand AntiSpyware and DNS Sinkholing
  • Configure AntiSpyware, Antivirus and IPS
  • Understand PaloAlto firewall AntiSpyware policy using example configuration
  • Understand how to configure WildFire
  • Understand how to configure Data Leakage Protection
  • Configuring SSL Decryption
  • Understand SSL Decryption
  • Understand SSL decryption using a PaloAlto firewall SSL decryption example
  • PaloAlto Firewalls U-turn NAT configuration example
  • Understand the difference between Inbound and Outbound proxy
  • Understand the concept of Virtual Routers
  • Configuration of BGP and OSPF example
  • Configuration of multiple ISP with different failover scenarios
  • Configuration of policy based forwarding using different scenarios
  • Configure VPN IPsec L2L tunnel on Palo Alto Firewall with different scenarios
  • Understand the difference between IKEv1 and IKEv2 and how to deploy Palo Alto firewall with IKEv2 and the benefits
  • Understand the difference between IKEv1 main mode and aggressive mode with scenarios
  • Understand IKE PFS and how to configure it
  • Understand and Configure High Availability Active / Passive
  • Understand how to prevent Split Brain situation with firewalls in Active / Passive HA
  • Understand and Configure High Availability Active / Active with Floating IP ARP load sharing
  • Understand Active Active NAT configuration with examples
  • Understand and Configure IPv6 on PaloAlto Firewalls
  • Understand how to deploy DHCPv6 Relay on PaloAlto firewalls
  • Understand and Configure IPv6 on Palo Alto firewalls with examples.
  • Understand how to configure IPv6 NPTv6 and NAT64

Who is the target audience?

  • This class is suited for students who want a deeper understanding of configuring Palo Alto Firewalls
  • This class is for students who want to see PaloAlto firewalls configuration examples


Section 1: Palo Alto Intro and Deployment Options
Palo Alto Certification - what does it take.

High level overview of the Palo Alto firewall and how it differs from other vendors. It also shows the different Palo Alto platforms and their specifications.

Firewalls Overview Quiz
4 questions

This lecture discusses the different deployment options in order to prepare the students for the configuration of the different deployments on the web UI.


This lecture explains the purpose of Layer 2 deployment and how it can be used to introduce Palo Alto firewalls seamlessly on a network. Two examples are shown: layer 2 interfaces in access mode and layer 2 interfaces in trunk mode.


Showing an example on how to configure the Palo Alto firewall in Layer 3 setup where it's routing traffic between different interfaces and zones.


This lecture demonstrates layer 2 mode with spanning tree and interface redundancy.


This lecture discusses features and limitations of layer 2 deployment and demonstrates those in the lab.


This lecture explains virtual wire deployment and provides a couple of scenarios: one with a straight virtual wire from one interface to another interface, and another showing virtual wires with VLAN trunking. It also explains the default spanning-tree behavior of the Palo Alto firewalls in virtual-wire mode and how to change this behavior if required.


This lecture explains virtual wire with IP classify, the purpose of IP classify and how it works. It walks the students through configuring this feature for a firewall shared among multiple customers. This lecture also explains the concept of virtual systems.


Showing an example of how to configure the Palo Alto firewall in Tap mode and why you would use Tap mode in your deployment.

Deployment Options Quiz
8 questions

Understand basic setup to get the firewall configured with management IP address, so you can manage it remotely.

Section 2: Lab and AWS Palo Alto instance(s) Setup

This lecture shows you how to create a PaloAlto VM instance in Amazon to practice.


This lecture shows the student how to provision a Windows domain controller to prepare for lab testing of the Palo Alto firewall in Amazon AWS.


This lecture shows the student how to set up the Amazon AWS VPC to route traffic through the Palo Alto AWS instance.


This lecture walks the student through creating a DMZ segment and routing it through the AWS firewall.


AWS routing and default gateway requirement to route traffic through the Palo Alto firewall.


This lecture shows you what software you need to set up a test environment so you can practice the different scenarios discussed in the class. It goes over the general steps to set up Unetlab to create your own test environment.

Section 3: Basic Administrative Tasks

This lecture shows the students the basic settings needed for the PaloAlto firewall out of the box to get up and running.


This lecture shows the student how to commit changes and other basic settings.


This lecture shows the student how to configure local admin accounts on the firewall and authenticate them using a RADIUS server.


This lecture shows the student how to use the RADIUS server to dynamically assign admin users from Active Directory and give them the appropriate role without creating any local accounts on the firewall. This facilitates managing administrators on firewalls without touching the firewall configuration for each newly added administrator.


This lecture shows the student how to check the licenses, upgrade the system, and install and activate the GlobalProtect client.


This lecture shows the student the basic steps of enabling dynamic updates to maintain the firewall's threat, App-ID, WildFire, and GlobalProtect data files.


Understand the management profile and what is needed as far as configuration to enable user ID, response pages and pings. Also understand the precautions to ensure that only authorized users can manage the firewall.

Quiz Basic Setup
4 questions
Section 4: Security Policy Configuration

Understand security zones and how traffic is processed as it relates to security zones, and security policies.


This lecture takes you through the life of a packet from the time it enters the firewall, how it's processed from ingress to egress.

Quick knowledge check 1 Quiz
8 questions

Demoing using application ID features in security policy to restrict bad applications while allowing legitimate applications.


This lecture demos how to deal with applications that are running on non-standard ports and the security policy configuration relating to this issue.


Explaining Application Override Policy and the benefit of using it to identify internal applications for better reporting and control. Showing an example of implementing Application Override Policy.


Demoing using URL filtering to protect users from threats and restrict traffic to business legitimate URLs. Showing the difference between the URL rules: allow, block, continue, override, alert.

Knowledge check 2 Quiz
5 questions

Demoing how to create a custom URL category for classifying internal URLs. This can be used to restrict who can access URLs belonging to that category, coupled with UserID which is discussed in the next section.


Demoing creating address objects and address groups to utilize in your security policy.


Demoing creating service object and service group objects to utilize in your security policy.


Demoing using dynamic block lists to protect against bad players including known ones from internet sources or internally deemed risky IP addresses. How to use an internal server to dynamically block IP addresses without touching firewall configuration.


Demoing how to use tags to simplify readability of your security policy.

Knowledge check 3 Quiz
6 questions
Section 5: User ID integration

Lecture aimed at explaining to the student the User ID and the different methods that can be used to collect user IDs. Each of those methods will be demonstrated in the following lectures.


Demo of how to configure your domain controller to log events pertinent to User Identification. Show how to configure the User ID agent on a server to collect logs and send them to the PaloAlto firewall. Show how to configure the PaloAlto firewall to talk to the User ID agent and get the events relating to user logon.


Show how to configure the PaloAlto firewall to talk to the User ID agent and get the events relating to user logon.


Configuration example of the integrated User ID agent in the Palo Alto firewall. Demo of how to configure and utilize the integrated User ID agent on the firewall itself to collect user-to-IP mappings. The Palo Alto firewall has an integrated User ID agent that can be configured to connect directly to Active Directory servers, gather user logon events and Kerberos events, and extract the user and IP address to be utilized by the Palo Alto firewall for security policy decisions.


Demo of how to configure the firewall to integrate with LDAP to get user-to-group mapping and utilize this information in your security policy. This lecture provides a configuration example of setting up the Palo Alto firewall to talk to an LDAP server to get the Active Directory groups.


Demo of how to utilize user-to-group mapping in your security policy. This lecture goes over a configuration example of LDAP on PaloAlto firewalls to map user IDs to Active Directory groups. This allows the Palo Alto firewall to make security policy decisions based on Active Directory group membership.


Demo showing the configuration of the firewall to utilize Captive Portal to get User ID information for users that failed identification using the AD agent.


Demo of how to utilize the Captive portal in transparent mode.


This lecture shows an example of how to configure the PaloAlto firewall to utilize Captive Portal integration with AD and get Single Sign On (SSO) information automatically from the user without prompting them to log in to the Captive Portal.


Demo of how to configure PaloAlto firewalls to utilize the XML API to send user-to-IP mappings to the firewall. This feature allows integration with User ID solutions that are not supported out of the box. This lecture goes over a configuration example of PaloAlto firewall User ID using XML-provided information.


This lecture provides a configuration example of how to send syslog information to the PaloAlto firewall to extract User ID information. This example shows a Cisco ASA sending syslog information for Anyconnect VPN users to get their User ID information. Demo of how to utilize syslog events to map users to IP addresses, with an example showing integration with Cisco ASA syslog events. Many companies still use Anyconnect on Cisco ASA; however, this doesn't prevent them from putting the ASA behind the Palo Alto firewall to benefit from Next Generation features.

Section 6: Threat Prevention

Understanding PaloAlto Antivirus protection feature and demoing how to configure it to protect your users from viruses.


Understanding AntiSpyware and DNS sinkholing and demoing configuring those features to protect from spyware on your network.


Demoing how to create custom anti-spyware signatures in your firewall to customize antispyware rules.


Demoing the Vulnerability protection "IPS" feature of the PaloAlto firewall and how to create custom IPS signatures.


Demoing using File Blocking to protect against malicious files and restrict download / upload of files by certain users.


Demo on how to configure WildFire protection and utilize sandboxing for fast response on newly discovered malware.


Demo on how to access the WildFire portal and showing what it looks like.


Demo of how to utilize the Data Filtering feature in the PaloAlto firewall for DLP protection.


Demoing of Data Leakage protection to protect against leakage of Credit Card information and block such data from leaving the network.


Understand the DoS protection feature of the PaloAlto firewall.


Demoing how to configure DoS protection on the PaloAlto firewall.

Section 7: SSL Decryption

Understand the SSL decryption concepts, preparing the students for the configuration of SSL Decryption.


Demo of how to create a self-generated certificate for proxying SSL traffic and the caveats of using self-generated certificates.


Demoing the difference between the SSL Trust and SSL Untrust certificates and the purpose of each.


Demoing how to create an internal PKI subordinate CA and how to utilize this to simplify the SSL decryption process for internal users whose computers are members of the AD domain.


Demoing of the SSL decryption feature in action, blocking threats in traffic.


Understanding SSL inbound inspection and the purpose of using it to protect publicly hosted SSL servers in your environment.

Section 8: Network Address Translation

Understand Dynamic NAT, ALG, and Dynamic NAT Pools concepts.


This lecture demonstrates how to configure dynamic NAT and dynamic NAT pools.


Dynamic NAT caveats for multiple ISP configuration.


This lecture explains the difference between dynamic IP and dynamic IP and port, with an example. It also explains the purpose and configuration of Dynamic IP with fallback.


This lecture explains Static NAT and static bidirectional NAT with an example.


This lecture explains static NAT with port translation and its use cases, with an example.


This is a continuation of the previous lecture.


Demoing how to configure the PaloAlto firewall for destination NAT and how to configure the security policy correctly to reflect the actual NAT traffic.


Understand Uturn NAT and demo how to configure it for certain corner case scenarios where Uturn NAT is needed.


Demoing how to configure source and destination NAT simultaneously on traffic to understand how to deal with certain NAT corner scenarios.

Section 9: Basic and Intermediate Networking
Section Update

Demoing using the PaloAlto firewall as a DHCP server for your hosts.


Demoing the default route configuration.


Demoing how to configure OSPF on the PaloAlto firewall to utilize dynamic routing to avoid using static routes and accommodate different network condition changes.


Demoing how to configure BGP on the PaloAlto firewall to interface with a service provider.


Demoing how to configure BGP to advertise networks to service provider.


Demoing the use of multiple virtual routers in your environment and why that would be beneficial.


Demoing the use of multiple virtual routers and how this setup applies to NAT configuration and security policy configuration.


Demoing how to configure the firewall to integrate with 2 service providers and failover using BGP.


Demoing how to configure multiple ISP failover using floating static routes.

Instructor Biography

Infinity Technology Services, Network Security Classes Focusing On NextGen Products

Classes offered by an instructor with industry-proven experience. He started his career as a help desk technician and progressed to desktop support, then systems administration. With an interest in networking, he obtained his CCNA and CCNP 15 years ago. After obtaining his certification, he moved to a technical manager position managing both systems and network infrastructure. He shifted his focus to security as his specialization and obtained the CISSP certification. The CISSP is the industry leading information security certification.

A passion for technical hands-on work led him to move back to the ranks and become an engineer, honing his skills in the network security field. He mastered the Cisco ASA firewalls and Cisco security components and obtained the CCIE security, CCNP security and other security specialization certifications.

For the past several years he has been working for a value-added reseller supporting Cisco, PaloAlto, and Fortinet security solutions. He became PaloAlto certified and Sourcefire SSFIPS and SSFAMP certified.

"It is difficult and expensive to get hands on material covering the latest products like Sourcefire, PaloAlto, and Fortinet. I am making those classes to give students the education they need at a reasonable cost - with practical experience backing it."
