PCNSE Exam Dumps - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 10.0

https://docs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/plan-sd-wan-configuration

https://live.paloaltonetworks.com/t5/Management-Articles/Show-System-Resource-Command-Displays-CPU-Utilization-of-9999/ta-p/58149

(https://live.paloaltonetworks. com/t5/Configuration-Articles/How-to-Configure-GlobalProtect/ta-p/58351)

The additional options of Browser and Satellite enable you to specify the authentication profile to use for specific scenarios. Select Browser to specify the authentication profile to use to authenticate a user accessing the portal from a web browser with the intent of downloading the GlobalProtect agent (Windows and Mac). Select Satellite to specify the authentication profile to use to authenticate the satellite.

Reference https://www.paloaltonetworks.com/documentation/71/pan-os/web-interface-help/globalprotect/network-globalprotect-portals

https://kn owledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVECA0

On a Palo Alto Networks firewall, a session is defined by two uni-directional flows each uniquely identified by a 6-tuple key: source-address, destination-address, source-port, destination-port, protocol, and security-zone.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVHCA0

http://live. paloaltonetworks.com//t5/image/serverpage/image-id/12862i950F549C7D4E6309

https://www.paloaltonetworks.com/documentatio n/71/pan-os/pan-os/user-id/configure-firewalls-to-redistribute-user-mapping-information

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/ user-id/deploy-user-id-in-a-large-scale-network/redistribute-user-mappings-and-authentication-timestamps/firewall-deployment-for-user-id-redistribution.html#ide3661b46-4722-4936-bb9b-181679306809

https://docs.paloaltonetworks.com/pan-os/10-0/pan-o s-admin/large-scale-vpn-lsvpn/configure-the-globalprotect-portal-for-lsvpn/define-the-satellite-configurations.html

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-new-features/globalprotect-features/identification-and-quarantine-of-compromised-devices.html

https://docs.paloaltonetworks.com/globalprotect/10-1/globalprotect-admin/host-information/quarantine-devices-using-host-i nformation/automatically-quarantine-a-device.html#idb42b2b82-b253-4be7-9840-1efa49dba3da

You can use the No Decryption tab to enable settings to block traffic that is matched to a decryption policy configured with the No Decrypt action ( Policies > Decryption > Action). Use these options to control server certificates for the session, though the firewall does not decrypt and inspect the session traffic. https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-web-interface -help/objects/objects-decryption-profile

Per the link https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/networking-features/ssl-ssh-session-en d-reasons

, receiving the decrypt-cert-validation error is valid for the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. "Unsupported HSM" is not a valid reason for receiving a decrypt-cert-validation error.

https://docs.paloaltonetworks.com/panorama/9-0/panorama- admin/manage-log-collection/configure-log-forwarding-to-panorama.html

First of all you need to connect the Firewall to Panorama. Once that is done you configure your templates and device groups via Panorama and push that to the firewall. That includes policy and log forwarding. If you had misconfiguration on the firewall regarding logs that would be mitigated via Panorama push.

https://knowledgebase.paloalto networks.com/KCSArticleDetail?id=kA10g000000CldcCAC

Explanation : Dependencies : Before upgrade, make sure the firewall is running a version of app + threat (content version) that meets the minimum requirement of the new PAN-OS Upgrade.

NAT zones are just whatever interface traffic is going to. The source (the big cloud internet) is obviously internet, and the destination zone is the internet facing interface of the firewall, so the destination is also internet. It then is translated into an IP that the internal network can read.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRtCAK

Block sessions that use cipher suites you don’t support. You configure which cipher suites (encryption algorithms) to allow on the SSL Protocol Settings tab. Don’t allow users to connect to sites with weak cipher suites.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-web-interface-help/panorama-web-interface/panorama-templates/panorama-templates-template-variable.html

Unlike the App-ID engine, which inspects application packet contents for unique signature elements, the Application Override policy’s matching conditions are limited to header-based data only. Traffic matched by an Application Override policy is identified by the App-ID entered in the Application entry box.Choices are limited to applications currently in the App-ID database.Because this traffic bypasses all Layer 7 inspection, the resulting security is that of a Layer-4 firewall. Thus, this traffic should be trusted without the need for Content-ID inspection. The resulting application assignment can be used in other firewall functions such as Security policy and QoS.Use CasesThree primary uses cases for Application Override Policy are:▪

 To identify “Unknown” App-IDs with a different or custom application signature▪

 To re-identify an existing application signature▪

 To bypass the Signature Match Engine (within the SP3 architecture) to improve processing timesA discussion of typical uses of application override and specific implementation examples is here:https://live.paloalto networks.com/t5/Learning-Articles/Tips-amp-Tricks-How-to-Create-an-Application- Override/ta-p/65513

https://docs.paloaltonetworks.com/pan-os/8-0/pan-os-admin/networking/virtual-routers

https://docs.paloaltonetworks.com/pan-os/8- 0/pan-os-admin/firewall-administration/manage-firewall-administrators/administrative-authentication

The administrative accounts are defined on an external SAML, TACACS+, or RADIUS server. The server performs both authentication and authorization. For authorization, you define Vendor-Specific Attributes (VSAs) on the TACACS+ or RADIUS server, or SAML attributes on the SAML server. PAN-OS maps the attributes to administrator roles, access domains, user groups, and virtual systems that you define on the firewall. For details, see:

Configure SAML AuthenticationConfigure TACACS+ AuthenticationConfigure RADIUS Authentication

• An 

SD-WAN Interface Profile

 specifies the Tag that you apply to the physical interface, and also specifies the type of Link that interface is (ADSL/DSL, cable modem, Ethernet, fiber, LTE/3G/4G/5G, MPLS, microwave/radio, satellite, WiFi, or other). The Interface Profile is also where you specify the maximum upload and download speeds (in Mbps) of the ISP’s connection. You can also change whether the firewall monitors the path frequently or not; the firewall monitors link types appropriately by default.

• A Layer3 Ethernet 

Interface

 with an IPv4 address can support SD-WAN functionalities. You apply an SD-WAN Interface Profile to this interface (red arrow) to indicate the characteristics of the interface. The blue arrow indicates that physical Interfaces are referenced and grouped in a virtual SD-WAN Interface.

• A virtual 

SD-WAN Interface

 is a VPN tunnel or DIA group of one or more interfaces that constitute a numbered, virtual SD-WAN Interface to which you can route traffic. The paths belonging to an SD-WAN Interface all go to the same destination WAN and are all the same type (either DIA or VPN tunnel). (Tag A and Tag B indicate that physical interfaces for the virtual interface can have different tags.)

• A 

Path Quality Profile

 specifies maximum latency, jitter, and packet loss thresholds. Exceeding a threshold indicates that the path has deteriorated and the firewall needs to select a new path to the target. A sensitivity setting of high, medium, or low lets you indicate to the firewall which path monitoring parameter is more important for the applications to which the profile applies. The green arrow indicates that you reference a Path Quality Profile in one or more SD-WAN Policy Rules; thus, you can specify different thresholds for rules applied to packets having different applications, services, sources, destinations, zones, and users.

• A 

Traffic Distribution Profile

 specifies how the firewall determines a new best path if the current preferred path exceeds a path quality threshold. You specify which Tags the distribution method uses to narrow its selection of a new path; hence, the yellow arrow points from Tags to the Traffic Distribution profile. A Traffic Distribution profile specifies the distribution method for the rule.

• The preceding elements come together in 

SD-WAN Policy Rules

The purple arrow indicates that you reference a Path Qualify Profile and a Traffic Distribution profile in a rule, along with packet applications/services, sources, destinations, and users to specifically indicate when and how the firewall performs application-based SD-WAN path selection for a packet not belonging to a session.

https://d ocs.paloaltonetworks.com/sd-wan/1-0/sd-wan-admin/sd-wan-overview/sd-wan-configuration-elements.html

Reasons that sites break decryption technically include pinned certificates, client authentication, incomplete certificate chains, and unsupported ciphers. https://docs.pal oaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-exclusions/exclude-a-server-from-decryption.html

Example output:

> show system state filter-pretty sys.s1.p1.phy

sys.s1.p1.phy: {

link-partner: { },

media: CAT5,

type: Ethernet,

}

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cld3CAC

https://docs.paloaltonetworks.co m/pan-os/10-1/pan-os-admin/decryption/configure-ssl-forward-proxy.html

"When a firewall is enabled for multiple virtual systems, the virtual systems inherit the global service and service route settings." So you can define specific service routes if you want, but they start out as inherited from the global settings.

Creating the GlobalProtect portal is as simple as letting it know if you have accessed it already. A new gateway for accessing the GlobalProtect portal will appear. Client authentication can be used with an existing one.

https://www.nstec.com/how-to-configure -clientless-vpn-in-palo-alto/#5

UDP 4501 Used for IPSec tunnel connections between GlobalProtect apps and gateways. https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration /reference-port-number-usage/ports-used-for-globalprotect.html

https://docs.p aloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-mapping/globalprotect.html

Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known.

Because GlobalProtect users must authenticate to gain access to the network, the IP address-to-username mapping is explicitly known. This is the best solution in sensitive environments where you must be certain of who a user is in order to allow access to an application or service. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/user-id/user-id-concepts/user-map ping/globalprotect.html

"On sensitive and high security networks, WMI probing increases the overall attack surface, and administrators are recommended to disable WMI probing and instead rely upon User-ID mappings obtained from more isolated and trusted sources, such as domain controllers. If you are using the User-ID Agent to parse AD security event logs, syslog messages, or the XML API to obtain User-ID mappings, then WMI probing should be disabled. Captive portal can be used as a fallback mechanism to re-authenticate users where security event log data may be stale."

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVPCA0

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA1 0g000000ClFQCA0

You can also use Decryption Mirroring to forward decrypted traffic as plaintext to a third party solution for additional analysis and archiving.

Ref: https://docs.paloaltonetworks.com/p an-os/9-1/pan-os-admin/decryption/decryption-overview.html#idd71f8b4d-cd40-4c6c-905f-2f8c7fca6537

Access domains control administrative access to specific Device Groups and templates, and also control the ability to switch context to the web interface of managed firewalls. https://docs.paloaltonetworks.com/panorama/10-1/panorama-admin/panor ama-overview/role-based-access-control/access-domains.html

Both templates and template stacks support variables. Variables allow you to create placeholder objects with their value specified in the template or template stack based on your configuration needs. Create a template or template stack variable to replace IP addresses, Group IDs, and interfaces in your configurations. https://docs.paloaltonetworks.com/panorama/10-0/panorama-admin/manage-firewalls/manage-templates-and-template-stacks/override-a-template-setting.html

https://docs.paloaltonetwork s.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-access-route.html