
This lecture provides an overview of the Palo Alto Networks platform architecture. It discusses how Palo Alto Networks introduced the concept of next-generation firewalls that can identify applications based on signatures rather than just ports and protocols. It covers key features like application identification, user identification, and content identification that allow the firewall to deeply inspect traffic in a single pass. The lecture also describes different Palo Alto Networks firewall platforms like the PA, VM, and CN series that are suited for different network and cloud environments. It provides details on specific firewall models like the PA-220, PA-400, PA-1400, and PA-3400 series and how they are designed for different use cases and throughput requirements.
This lecture describes how to set up a lab environment using VMware Workstation or Google Cloud Platform to practice configuring Palo Alto firewalls. It provides instructions on downloading and installing VMware Workstation and EVE-NG, downloading the Palo Alto VM image, and importing it into EVE-NG. It then gives detailed steps on configuring networking in EVE-NG and the Palo Alto VM to allow management access, including creating interfaces, NAT rules, DHCP, and firewall rules. The lecture demonstrates how to log into the Palo Alto management interface and make some basic configurations.
This lecture provides an overview of the Palo Alto Networks firewall graphical user interface (GUI). It discusses the different tabs and sections in the GUI, including the dashboard, monitor, policies, objects, and others. It explains the purpose and functionality of key areas like security policies, network address translation, authentication policies, decryption, and application identification. The lecture also reviews the various configuration objects that can be created, such as addresses, services, tags, and security profiles, and provides examples of how many of these objects are used and the level of customization available.
This lecture covers the network tab in the Palo Alto firewall interface. It discusses how to configure interfaces, VLANs, zones, virtual routers, static routes, IPsec tunnels, GRE tunnels, DHCP, DNS, GlobalProtect for remote access VPN, QoS, interface management profiles, and other network-related settings. The goal is to explain all the components in the network tab and how they are used to configure the firewall's network settings and connectivity.
This lecture covers the configuration options available on the device tab of a Palo Alto Networks firewall. It begins with an overview of the setup area where general device settings like the hostname, login banner, authentication methods, and session timeouts can be configured.
It then discusses the operations tab and how the candidate and running configurations work. Features like loading named configurations, exporting device states, and committing changes were explained.
The lecture also reviews the services, interfaces, and telemetry tabs. For services, it covers configuring DNS and NTP and the service routes that decide which interface the firewall uses for the traffic it initiates itself. Telemetry collects device data and sends it to Cortex Data Lake for the monitoring apps.
Other topics covered include Content-ID customization, URL filtering, HTTP/SSL inspection settings, WildFire analysis configuration, and session handling options. Networking protocols like SNMP and security features like an HSM are also briefly discussed.
This lecture provides a comprehensive overview of the different areas that make up the device tab in the Palo Alto Networks firewall GUI and how many of the core configuration options within each section can be customized.
This lecture provides an overview of the remaining configuration areas on a Palo Alto Networks firewall. Some of the key areas discussed included:
- High availability clustering options
- Configuration audit for comparing config versions
- Password profiles for account password policies
- Administrator accounts and roles
- Authentication methods and profiles
- User identification and mapping
- Device quarantine in response to violations
- Certificate and SSH configuration
- Log settings for sending logs to different locations
- Software updates
This lecture discusses the concept of zones in network segmentation using a next generation firewall. A zone is a grouping of interfaces that represents a segment of the network connected to and controlled by the firewall. Traffic can only flow between zones if there is a security policy rule allowing it, which provides the first line of defense. More granular zones provide greater control over access and more protection against lateral malware movement. The lecture provides an example network diagram segmented into a users zone and restricted zone, with traffic between them requiring specific rules to allow. Zones are used to reduce the likelihood of successful attacks by restricting traffic flows.
This lecture discusses how a stateful firewall keeps track of network connections such as TCP streams, UDP datagrams, and ICMP messages. It applies labels like "listen", "established", or "closing" and maintains state table entries for allowed TCP and UDP traffic. Because the return traffic of an allowed session matches an existing entry, it passes without a separate rule, and a session lookup is cheaper than evaluating every packet against the full rulebase, which is where the performance gain over stateless packet filtering comes from. The firewall handles TCP, UDP, and ICMP differently based on whether they are connection-oriented or connectionless. TCP connections are tracked from the initial three-way handshake through the final FIN packets; packets that do not fit the expected state, such as a bare ACK with no session, are dropped. UDP uses idle timers to keep sessions in the table during inactive periods. ICMP is tracked separately so that control messages like ping replies can pass in the reverse direction of the request.
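As an added worked example (not part of the course material): a toy session table in Python that applies the three tracking strategies described above. Policy is consulted only for the packet that creates a session; return traffic is matched by looking the reversed 5-tuple up in the table. The packet fields, the policy callback, and the UDP idle timeout are constructed for the illustration (the timeout is an arbitrary value, not a PAN-OS default).

```python
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1
UDP_IDLE_TIMEOUT = 30.0   # seconds of inactivity before a UDP session is aged out (constructed value)


@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: str = ""        # TCP flags as letters, e.g. "S", "SA", "A", "FA", "R"
    icmp_type: int = 0     # 8 = echo request, 0 = echo reply
    icmp_id: int = 0


class StatefulFirewall:
    def __init__(self, policy):
        self.policy = policy      # callable(Packet) -> bool, consulted only for session-creating packets
        self.sessions = {}        # client-to-server key -> {"state": str, "last": float}

    @staticmethod
    def _key(p):
        if p.proto == ICMP:
            return (ICMP, p.src, p.dst, p.icmp_id)
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        if p.proto == ICMP:
            return (ICMP, p.dst, p.src, p.icmp_id)
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p, now):
        """Return 'allow:<state>' or 'drop:<reason>' for one packet seen at time `now`."""
        k, rk = self._key(p), self._reverse_key(p)
        if k in self.sessions:
            return self._update(k, p, now, c2s=True)
        if rk in self.sessions:
            return self._update(rk, p, now, c2s=False)
        return self._open(k, p, now)

    def _open(self, k, p, now):
        # Only a legitimate first packet may create state, and only if policy permits it.
        if p.proto == TCP and p.flags != "S":
            return "drop:no-session"      # bare ACK / FIN / SYN-ACK with no session is out of state
        if p.proto == ICMP and p.icmp_type != 8:
            return "drop:no-session"      # unsolicited echo reply
        if not self.policy(p):
            return "drop:policy"
        state = "opening" if p.proto == TCP else "active"
        self.sessions[k] = {"state": state, "last": now}
        return "allow:" + state

    def _update(self, k, p, now, c2s):
        s = self.sessions[k]
        if p.proto == UDP:
            if now - s["last"] > UDP_IDLE_TIMEOUT:   # idle timer expired: entry is gone
                del self.sessions[k]
                return self._open(k, p, now) if c2s else "drop:aged-out"
            s["last"] = now
            return "allow:active"
        if p.proto == ICMP:
            if not c2s and p.icmp_type == 0:          # reply to a tracked request closes the entry
                del self.sessions[k]
                return "allow:closed"
            s["last"] = now
            return "allow:active"
        # TCP state machine: SYN -> SYN/ACK -> ACK, then FIN from each side, RST aborts.
        if "R" in p.flags:
            del self.sessions[k]
            return "allow:closed"
        st = s["state"]
        if st == "opening" and not c2s and p.flags == "SA":
            s["state"] = "syn-acked"
        elif st == "syn-acked" and c2s and p.flags == "A":
            s["state"] = "established"
        elif st in ("established", "closing") and "F" in p.flags:
            s["state"] = "closing" if st == "established" else "closed"
        elif st == "opening" and c2s and p.flags == "S":
            pass                                      # retransmitted SYN
        elif st in ("opening", "syn-acked"):
            del self.sessions[k]
            return "drop:out-of-state"                # e.g. data before the handshake completed
        s["last"] = now
        if s["state"] == "closed":
            del self.sessions[k]
        return "allow:" + s["state"]
```

The point to notice is that the server-to-client packets never touch `policy`: the SYN/ACK, the server's data, and the DNS reply are all admitted purely because a matching entry exists, while the same SYN/ACK arriving without an entry is dropped before policy is even consulted.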
Here is a summary of the key points covered in this lecture:
- Zones group interfaces to represent network segments connected to and controlled by the firewall. This allows segmentation of the network.
- Traffic can only flow between zones if allowed by a security policy rule, providing the first line of defense.
- More granular zoning provides greater control over access to sensitive resources and protection against lateral malware movement.
- The default is to deny inter-zone traffic without a rule, while allowing intra-zone traffic by default within the same zone.
- Network segmentation using zones reduces the attack surface by restricting unauthorized traffic flows between zones.
- Examples provided include separating users, servers and a restricted zone, with rules needed to allow traffic between the restricted zone and others.
- Granular zoning with precise rules governing inter-zone traffic limits the spread of threats and unauthorized access across the network.
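As an added worked example (not part of the course material): a small Python model of a zone-based rulebase that shows the implicit intrazone-allow and interzone-deny defaults, and why granularity matters. The zone tables, subnets, application names and rules are constructed for the illustration; in PAN-OS the ingress zone comes from the arrival interface and the egress zone from a route lookup, which the `zone_of` helper approximates with subnet membership.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    src_nets: tuple        # ip_network objects; empty tuple means any
    dst_nets: tuple
    apps: frozenset        # App-ID names; ANY matches everything
    action: str            # "allow" or "deny"


def _match_zone(allowed, zone):
    return allowed == ANY or zone in allowed


def _match_net(nets, ip):
    return not nets or any(ip in n for n in nets)


def zone_of(ip, zone_table):
    """Map an address to its zone via the interface subnets (ingress: arrival interface; egress: route lookup)."""
    for net, zone in zone_table:
        if ip in net:
            return zone
    raise ValueError(f"no zone for {ip}")


def evaluate(rules, zone_table, src_ip, dst_ip, app):
    """Top-down, first-match evaluation, then the implicit rules at the bottom of every rulebase."""
    src_ip, dst_ip = ip_address(src_ip), ip_address(dst_ip)
    src_zone, dst_zone = zone_of(src_ip, zone_table), zone_of(dst_ip, zone_table)
    for r in rules:
        if (_match_zone(r.from_zones, src_zone) and _match_zone(r.to_zones, dst_zone)
                and _match_net(r.src_nets, src_ip) and _match_net(r.dst_nets, dst_ip)
                and (r.apps == ANY or app in r.apps)):
            return r.name, r.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


N = ip_network
# Constructed zone tables: one segmented network, one flat "internal" zone covering the same hosts.
GRANULAR = [(N("10.1.0.0/16"), "users"), (N("10.2.0.0/16"), "servers"), (N("10.3.0.0/16"), "restricted")]
COARSE = [(N("10.0.0.0/8"), "internal")]

RULES = [
    Rule("users-to-web", frozenset({"users"}), frozenset({"servers"}),
         (), (), frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("admins-to-restricted", frozenset({"users"}), frozenset({"restricted"}),
         (N("10.1.5.0/24"),), (), frozenset({"ssh"}), "allow"),
]
```

With the granular table, a compromised server in 10.2.0.0/16 reaching into the restricted segment hits `interzone-default` and is denied and logged; with the single flat zone the same flow is `intrazone-default` and allowed, which is the lateral-movement exposure the lecture warns about.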
This lecture goes over the licenses and subscriptions you can get with Palo Alto firewalls.
This lecture explains how the Palo Alto firewall processes traffic, and where NAT and security policy evaluation fall in the flow of a packet across the firewall.
This lecture goes over network address translations basics.
This lecture goes over the different source NAT types supported by the Palo Alto firewall: static IP, dynamic IP, and dynamic IP and port.
This lecture goes over the concept of destination network address translation.
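As an added worked example (not part of the course material) covering the packet-flow and NAT lectures together: a Python model of the ordering the firewall uses. The NAT rule is matched on the original addresses and the zone from a first route lookup on the original destination; a second route lookup on the post-NAT destination gives the real egress zone; security policy is then matched on pre-NAT addresses but the post-NAT destination zone; the translation itself is applied only when the packet is forwarded. Routes, addresses, zone names, and rules are constructed, and the port pool stands in for dynamic-ip-and-port allocation.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from itertools import count
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    app: str
    ingress_zone: str                # set by the interface the packet arrived on
    sport: int = 40000


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str                     # pre-NAT destination zone (first route lookup on the original destination)
    dst_ip: Optional[str] = None     # original destination to match; None means any
    snat_to: Optional[str] = None    # dynamic-ip-and-port translation to this address
    dnat_to: Optional[str] = None    # static destination translation


@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str                     # post-NAT destination zone
    dst_ip: Optional[str]            # pre-NAT (original) destination address
    apps: frozenset
    action: str


# Constructed routing table: (prefix, egress zone)
ROUTES = [(ip_network("0.0.0.0/0"), "untrust"),
          (ip_network("10.1.0.0/16"), "users"),
          (ip_network("10.2.0.0/16"), "dmz")]
_PAT_PORTS = count(20000)            # constructed source-port pool for dynamic-ip-and-port


def route_lookup(ip, routes=ROUTES):
    """Longest-prefix match; returns the zone of the egress interface."""
    addr = ip_address(ip)
    best = max((n for n, _ in routes if addr in n), key=lambda n: n.prefixlen)
    return dict(routes)[best]


def process(pkt, nat_rules, sec_rules, routes=ROUTES):
    trace = []
    pre_nat_zone = route_lookup(pkt.dst, routes)
    trace.append(f"route lookup on original dst {pkt.dst}: zone {pre_nat_zone}")
    nat = next((r for r in nat_rules
                if r.from_zone == pkt.ingress_zone and r.to_zone == pre_nat_zone
                and r.dst_ip in (None, pkt.dst)), None)
    post = pkt
    if nat:
        if nat.dnat_to:
            post = replace(post, dst=nat.dnat_to)
        if nat.snat_to:
            post = replace(post, src=nat.snat_to, sport=next(_PAT_PORTS))
        trace.append(f"NAT rule {nat.name} matched (translation applied only at egress)")
    egress_zone = route_lookup(post.dst, routes)           # second lookup on the post-NAT destination
    trace.append(f"route lookup on post-NAT dst {post.dst}: zone {egress_zone}")
    # Security policy: pre-NAT addresses, post-NAT destination zone.
    sec = next((r for r in sec_rules
                if r.from_zone == pkt.ingress_zone and r.to_zone == egress_zone
                and r.dst_ip in (None, pkt.dst)
                and (r.apps == frozenset({"any"}) or pkt.app in r.apps)), None)
    action = sec.action if sec else "deny"
    trace.append(f"security rule {sec.name if sec else 'interzone-default'}: {action}")
    return {"action": action, "nat_rule": nat.name if nat else None, "egress_zone": egress_zone,
            "forwarded": post if action == "allow" else None, "trace": trace}


NAT_RULES = [
    NatRule("inbound-web", "untrust", "untrust", dst_ip="198.51.100.10", dnat_to="10.2.0.10"),
    NatRule("outbound-pat", "users", "untrust", snat_to="198.51.100.10"),
]
SEC_RULES = [
    SecRule("allow-inbound-web", "untrust", "dmz", "198.51.100.10", frozenset({"ssl", "web-browsing"}), "allow"),
    SecRule("users-out", "users", "untrust", None, frozenset({"any"}), "allow"),
]
# A common mistake: writing the inbound security rule with the translated (post-NAT) address.
WRONG_SEC_RULES = [SecRule("post-nat-ip", "untrust", "dmz", "10.2.0.10", frozenset({"ssl"}), "allow")]
```

Note the inbound NAT rule is written untrust-to-untrust even though the server sits in the DMZ: the destination zone in a NAT rule is whatever the first route lookup returns for the public address. The security rule, by contrast, is untrust-to-dmz with the public address, and the `WRONG_SEC_RULES` variant shows that a rule keyed on the private address never matches.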
This lecture goes over the basic concepts you need to understand to deploy Palo Alto firewalls in AWS.
This lecture goes over the basic setup of AWS to deploy a Palo Alto firewall.
This lecture goes over the basic setup of AWS to deploy a Palo Alto firewall.
This lecture goes over the setup of the lab firewall in EVE-NG to connect to the firewall in AWS.
This lecture goes over the basic setup of AWS to deploy a Palo Alto firewall.
This lecture goes over the basics of updating the Palo Alto firewall.
This lecture goes over the application identification (App-ID) concept of the Palo Alto firewall. It explains how the firewall inspects traffic to identify applications.
This lecture goes over the App-ID application database and the default ports and protocols of applications.
This lecture discusses how a firewall processes network traffic. It examines how the firewall identifies sessions based on information like source/destination IP addresses and ports. It also looks at how the firewall handles encrypted traffic and determines whether to decrypt it. The lecture covers the different states of connections like initializing, opening, and active. It analyzes how the firewall performs functions like application inspection, policy enforcement, quality of service shaping, and forwarding traffic through interfaces.
This lecture goes over how to set up EVE-NG to use the AWS firewall for feature testing.
This lecture covers the Terraform and bootstrapping process of the Palo Alto firewall in AWS.
This lecture explains how to download the software needed for the EVE-NG VMs.
This lecture explores the creation of disk files for different operating systems to be used for lab testing.
This lecture reviews the installation of the VMs needed for the lab testing.
This lecture covers the installation of the VMs needed for the lab testing.
This lecture covers how to set up a connection from EVE-NG to AWS.
This lecture reviews the different methods for identifying users and mapping them to IP addresses on a network. It discusses using a User-ID agent to monitor domain controllers and servers for login events, handling multi-user systems like Terminal Services, extracting client IP addresses from HTTP proxies, using Captive Portal for authentication, integrating with existing network services, and how the GlobalProtect VPN provides user mappings. The goals are to explain how user mapping works and the various techniques that can be used.
This lecture reviews how to configure the client-based User-ID agent. It covers downloading the agent from the Palo Alto Networks customer support portal, installing the agent software on a Windows domain controller, and getting the User-ID agent configured and running correctly.
The goal of this lecture is to configure the User-ID agent to collect user-to-IP mappings from the domain controllers. The agent depends on successful logon and logoff events in the Windows security log, which are only recorded when the corresponding audit policies are enabled. The steps covered include enabling those audit policies on the domain controllers, discovering the domain controllers with the User-ID agent, and configuring various User-ID agent settings like probing and timeouts.
This lecture discusses how to add a User-ID agent to a Palo Alto Networks firewall configured in AWS. It explains that the User-ID agent is configured under "Data Redistribution" instead of the old "User-ID Agent" section. The lecture shows how to specify the IP address and port of the Windows domain controller to map users from. It also covers creating a service route to direct the agent traffic to the domain controller through the correct dataplane interface, since the management interface is public by default. The traffic flow through the firewall, the Ubuntu VM, and the VPN tunnel to the on-premises domain controller is explained. Finally, it mentions that an inbound firewall rule had to be added on the domain controller to allow traffic to port 5007 before the User-ID agent connection was confirmed.
This lecture demonstrates how to configure a Windows desktop to join a domain and verify user identification on a Palo Alto Networks firewall. The speaker logs into the desktop as an administrator and joins it to the domain. Then a new user called "test user one" is created. Logging in as that user, the agent logs show both the logins and the IP addresses. For user identification to work, the appropriate zone on the firewall needs the "Enable User Identification" setting checked. After enabling this, the traffic logs include the Source User column showing the correct user behind each IP address.
This lecture explains how to create a service account to use for the User-ID agent service.
This lecture demonstrates how to configure User-ID group mapping.
This lecture explains the concepts of using captive portal to identify users.
This lecture demonstrates using captive portal in redirect mode.
This lecture demonstrates using transparent mode captive portal for user authentication.
This lecture goes over creating certificate services to leverage in captive portal.
This lecture finishes the example of identifying users transparently with Captive Portal, using Kerberos for SSO.
This lecture explains the concepts of URL content inspection.
This lecture provides an example of configuring URL content inspection.
This lecture explores the different deployment options.
This lecture explains the layer 2 deployment option.
This lecture introduces the virtual wire deployment option.
This lecture explains the virtual wire concept.
This lecture provides an example of a virtual wire deployment.
This lecture provides an example of the tap deployment mode.
This lecture goes over the AWS setup used to demonstrate the features that require a license.
This lecture goes over the Palo Alto firewall DNS Security feature.
This lecture explains the concept of a DNS sinkhole: the firewall answers a query for a known-malicious domain with a sinkhole address, so the infected client connects to that address and shows up in the traffic logs by its own IP instead of hiding behind the internal DNS resolver that forwarded the query.
This lecture goes over a demo of the DNS sinkhole option.
This lecture goes over the prerequisites for enabling SSL decryption in order to test the antivirus functionality.
This lecture goes over a simple example of testing antivirus protection.
This lecture explains the concepts behind the WildFire feature.
This lecture goes over a WildFire example.
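As an added worked example (not part of the course material) for the DNS sinkhole lectures: a stdlib-only Python script that does what the sinkhole action does to a DNS response, rewriting the A record for a blocklisted name to the sinkhole address, and then shows how the traffic log identifies the infected host. The resolver answer, the blocklist, the sinkhole address (an RFC 5737 documentation address, not the vendor default) and the traffic-log lines are all constructed for the illustration.

```python
import socket
import struct

SINKHOLE_IP = "192.0.2.1"            # constructed sinkhole address, not the Palo Alto Networks default
MALICIOUS = {"c2.badexample.test"}   # constructed blocklist standing in for the DNS Security / EDL verdict


def _encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                         # compression pointer: follow it once for the name
            if end is None:
                end = off + 2                         # but resume parsing after the 2-byte pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode())
        off += ln
    return ".".join(labels), (end if end is not None else off)


def build_response(qname, answer_ip, txid=0x1234, ttl=300):
    """Constructed upstream resolver answer: one question, one A record whose name points at the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(answer_ip)
    return header + question + answer


def _walk_answers(msg):
    """Yield (name, rtype, rdata_offset, rdlength) for every record in the answer section."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                                      # qtype + qclass
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        yield name, rtype, off, rdlen
        off += rdlen


def sinkhole_response(msg, blocklist=MALICIOUS):
    """Rewrite A-record answers for blocklisted names to the sinkhole address; return (new_msg, rewritten_names)."""
    out, rewritten = bytearray(msg), []
    for name, rtype, rd_off, rdlen in _walk_answers(msg):
        if rtype == 1 and rdlen == 4 and name in blocklist:
            out[rd_off:rd_off + 4] = socket.inet_aton(SINKHOLE_IP)
            rewritten.append(name)
    return bytes(out), rewritten


def a_records(msg):
    """[(name, ip)] for the A records in a response: what the client actually receives."""
    return [(name, socket.inet_ntoa(msg[off:off + 4]))
            for name, rtype, off, rdlen in _walk_answers(msg) if rtype == 1]


def infected_hosts(traffic_log):
    """Hosts that opened a connection to the sinkhole address: the real infected clients."""
    return sorted({src for src, dst in traffic_log if dst == SINKHOLE_IP})


# Constructed traffic-log extract as (source, destination); the resolver 10.1.0.53 never appears here
# because the rewritten answer makes the client itself connect to the sinkhole.
TRAFFIC_LOG = [("10.1.9.9", SINKHOLE_IP), ("10.1.9.9", "93.184.216.34"),
               ("10.1.3.3", SINKHOLE_IP), ("10.1.0.53", "203.0.113.53")]
```

Without the sinkhole, the only evidence is the threat log for the DNS query, whose source is the internal resolver that forwarded it; with it, `infected_hosts` pulls the actual clients straight out of the traffic log.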
This lecture goes over the Intrusion Prevention feature.
This lecture explains IPS fine-tuning.
This lecture explains the file blocking feature.
This lecture explains the data filtering option.
This lecture explains Zone Protection and DoS Protection.
This lecture expands on the topic of threat prevention and DoS protection.
This lecture explains what is packet buffer protection and why it is needed.
This lecture goes over the SSL decryption basic concepts.
This lecture explains the chain of trust.
This lecture goes over an overview on the SSL/TLS concepts.
This lecture dives into the TLS1.2 protocol.
This lecture explores the different cipher suites used by SSL/TLS.
This lecture goes over an example on the setup decryption.
This lecture explains the next step in the SSL decryption process.
This lecture explains the HTTP2 protocol.
This lecture explains the ALPN extension and its relevance to SSL decryption.
This lecture explains how the firewall inspects SSH traffic.
This lecture explains the QUIC protocol and why it is typically blocked: the firewall cannot decrypt QUIC, so blocking it makes browsers fall back to TLS over TCP, where decryption and threat inspection can take place.
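As an added worked example (not part of the course material) serving the TLS 1.2, cipher suite and ALPN lectures: a stdlib-only Python parser for the ClientHello, which is the one message a decrypting firewall sees before it must decide whether to intercept. It extracts the version, the offered cipher suites, the SNI used to match decryption policy, and the ALPN list, and shows the downgrade technique a proxy that cannot inspect HTTP/2 applies, dropping `h2` from ALPN so the client negotiates HTTP/1.1. The ClientHello bytes are constructed by `build_client_hello`, not captured; the cipher-suite name table is a small subset.

```python
import struct

TLS_HANDSHAKE, CLIENT_HELLO = 0x16, 0x01
EXT_SNI, EXT_ALPN = 0x0000, 0x0010
SUITE_NAMES = {                       # subset of IANA names, used only for display
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0x009C: "TLS_RSA_WITH_AES_128_GCM_SHA256",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
}


def build_client_hello(sni, alpn, cipher_suites, random_bytes=b"\x11" * 32):
    """Construct a minimal TLS 1.2 ClientHello record with SNI and optional ALPN extensions."""
    name = sni.encode()
    sni_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name     # list len, host_name type, name len
    exts = struct.pack("!HH", EXT_SNI, len(sni_data)) + sni_data
    if alpn:
        protos = b"".join(bytes([len(p)]) + p.encode() for p in alpn)
        alpn_data = struct.pack("!H", len(protos)) + protos
        exts += struct.pack("!HH", EXT_ALPN, len(alpn_data)) + alpn_data
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (b"\x03\x03" + random_bytes + b"\x00"                          # version 1.2, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                                # one compression method: null
            + struct.pack("!H", len(exts)) + exts)
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_client_hello(rec):
    """Return dict(version, random, cipher_suites, sni, alpn) from a TLS record holding a ClientHello."""
    if rec[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = rec[5:5 + struct.unpack("!H", rec[3:5])[0]]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack("!H", body[0:2])[0]
    random = body[2:34]
    off = 34 + 1 + body[34]                                               # skip session id
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    off += 1 + body[off]                                                  # skip compression methods
    info = {"version": version, "random": random, "cipher_suites": suites, "sni": None, "alpn": []}
    if off >= len(body):
        return info                                                       # no extensions present
    end = off + 2 + struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    while off < end:
        etype, elen = struct.unpack("!HH", body[off:off + 4])
        data = body[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == EXT_SNI:
            p = 2                                                         # skip server_name_list length
            while p < len(data):
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    info["sni"] = data[p + 3:p + 3 + nlen].decode()
                p += 3 + nlen
        elif etype == EXT_ALPN:
            p = 2                                                         # skip protocol_name_list length
            while p < len(data):
                info["alpn"].append(data[p + 1:p + 1 + data[p]].decode())
                p += 1 + data[p]
    return info


def suite_names(info):
    return [SUITE_NAMES.get(s, f"0x{s:04X}") for s in info["cipher_suites"]]


def downgrade_alpn(rec, supported=("http/1.1",)):
    """Rebuild the ClientHello keeping only ALPN values the inspecting proxy can handle (drops h2)."""
    info = parse_client_hello(rec)
    kept = [p for p in info["alpn"] if p in supported]
    return build_client_hello(info["sni"], kept, info["cipher_suites"], info["random"])
```

Two things worth seeing in the output: the SNI is the only plaintext hint of the destination host, which is why decryption exclusions key on it, and the cipher-suite list tells you whether the client is offering ECDHE (forward secrecy) at all, which matters because with ECDHE a session key can never be recovered from the server's private key alone.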
Palo Alto firewalls are true next-generation firewalls built from the ground up to address the shortcomings of legacy firewalls. It was the first firewall platform to make decisions based on applications, not just ports and protocols. The PCNSE exam requires a deep understanding of these topics.
I will show you how to create an EVE-NG environment and set up a lab where you can launch the environment in AWS using Terraform. This way you can start and stop the environment to minimize the charges. I will show you how to use a combination of EVE-NG and an AWS setup deployed with Terraform to test the licensed features of the VM-Series firewall in AWS.
Topics covered
Understand the basic concepts of the Palo Alto firewall.
Review the GUI to understand all the areas of configuration.
Understand how to set up the Palo Alto firewall in AWS.
Understand how to set up an EVE-NG instance in your home lab and connect it to an instance in AWS for practicing.
Understand basic NAT configuration.
Understand User-ID topics: agent, agentless, and Captive Portal.
Understand DNS Security and how to configure the DNS sinkhole and DNS Security features.
Understand SSL decryption concepts.
Understand the different deployment options.
Understand the core threat prevention features.