Machine Translated by Google

PSE Software Firewall Professional


Study Guide
July 2022

Strata by Palo Alto Networks | PSE Software Firewall Professional

Table of Contents
How to Use This Study Guide 5
What Has Changed in This Study Guide 5
About the PSE Software Firewall Professional Exam 5
Exam Format 5
How to Take This Exam 6
Disclaimer 6
Audience and Qualifications 6
Skills Required 6
Recommended Training 6
Introduction 7

Domain 1: Technical Business Value 8
1.1 Describe the requirements and components of auto scaling 8
1.1.1 References 18
1.2 Explain the value and operational efficiency of dynamic address groups (DAGs) 18
1.2.1 References 19
1.3 Describe various plugin options and deployment methods 19
1.3.1 References 23
1.4 Describe the process of segmentation 23
1.4.1 References 25
1.5 Describe centralized security visibility and deployment models 26
1.5.1 References 27
1.6 Explain how to realize return on investment (ROI) by leveraging Palo Alto Networks next-generation firewall (NGFW) software 27
1.6.1 References 28
1.7 Identify the benefits of Palo Alto Networks solutions to address customer concerns or indifference 28
1.7.1 References 29
1.8 Summary of Key Ideas 29
1.9 Sample Questions 30

Domain 2: Competitive Differentiators 32
2.1 Compare and contrast the capabilities of cloud-delivered VM-Series, CN-Series, and NGFW 32
2.1.1 References 39
2.2 Create and apply flex credits to software firewalls 39
2.2.1 References 44
2.3 Describe the importance of third-party integrations 45
2.3.1 References 47
2.4 Explain the benefits of cloud-delivered security services (CDSS) and Advanced URL Filtering (AURLF) 47
2.4.1 References 49
2.5 Describe the benefits of automation as applied by Palo Alto Networks 49
2.5.1 Terraform 50
2.5.2 Ansible 51
2.5.3 Dynamic responses to threats 52
2.5.4 References 53
2.6 Summary of Key Ideas 53
2.7 Sample Questions 53

Domain 3: Architecture and Planning 55
3.1 Compare and contrast VM-Series deployment options 55
3.1.1 References 58
3.2 Describe CN-Series deployment tool options 58
3.2.1 YAML Ain't Markup Language (YAML) 59
3.2.2 Terraform Templates 59
3.2.3 Differentiation 59
3.2.4 References 60
3.3 Describe CN-Series sizing, capabilities, and features 60
3.3.1 References 71
3.4 Explain various segmentation models, including east-west and north-south segmentation design per CNet, VNet, and pod 72
3.4.1 References 75
3.5 Describe the concept of growth planning with Kubernetes 76
3.5.1 References 76
3.6 Describe placement considerations of Layer 2 and Layer 3 deployments 76
3.6.1 References 78
3.7 Summary of Key Ideas 78
3.8 Sample Questions 79

Domain 4: Demonstration and Evaluation 81
4.1 Create, apply, and upgrade licenses 81
4.1.1 References 85
4.2 Execute a successful proof of concept (POC) 85
4.2.1 References 86
4.3 Apply the appropriate deployment / configuration tool for various environments 86
4.3.1 References 92
4.4 Use, deploy, and tag Panorama plugins 93
4.4.1 References 94
4.5 Deploy VM-Series and CN-Series 94
4.5.1 References 96
4.6 Spin up, locate, and demonstrate demo, lab, or Ultimate Test Drive 96
4.6.1 References 98
4.7 Summary of Key Ideas 98
4.8 Sample Questions 99

Domain 5: Network Security Best Practices 101
5.1 Explain why intrazone policies in cloud are a best practice 101
5.1.1 Reference 102
5.2 Describe the use of object tagging and DAGs 102
5.2.1 References 103
5.3 Explain how Zero Trust relates to VM-Series and CN-Series cloud deployments 103
5.3.1 Reference 107
5.4 Leverage automation tools to deploy Palo Alto Networks solutions 108
5.4.1 Reference 108
5.5 Compare and contrast Prisma Cloud Compute (PCC) and CN-Series 108
5.5.1 References 109
5.6 Summary of Key Ideas 109
5.7 Sample Questions 109

Appendix A: Sample Questions with Answers 112
Appendix B: Sample Test 119
Appendix C: Answers to the Sample Test 122
Appendix D: Glossary 125
Appendix E: What's Different in This Study Guide 133
Continuing Your Learning Journey with Palo Alto Networks 134


How to Use This Study Guide


Welcome to the Palo Alto Networks® PSE Software Firewall Professional Study Guide. The purpose of this guide is to help you prepare for
your Palo Alto Networks Systems Engineer: Software Firewall Professional exam, abbreviated as PSE: Software Firewall Professional.

You can read through this study guide from start to finish, or you may jump straight to topics you would like to study. Hyperlinked cross-references will help you locate important definitions and background information from earlier sections.

What Has Changed in This Study Guide

No changes.

About the PSE Software Firewall Professional Exam


The PSE: Software Firewall Professional exam is intended to test your knowledge and understanding of five knowledge domains as they
pertain to Palo Alto Networks software firewalls.
The knowledge domains are designed to illustrate a Systems Engineer's understanding of the software firewall portfolio strategy and the
recommended implementations for various elements of the portfolio. For specific topics, refer to the exam blueprint and the sections outlined
within this document.

Related training resources are available from Palo Alto Networks on Beacon: https://beacon.paloaltonetworks.com/student/collection/1047805-software-firewall?sid=cb6be9c1-99cc-403c-9687-69d95bc21600&sid_i=0

Exam Format

The exam format is 60 multiple-choice questions. Candidates will have five minutes to complete the Non-Disclosure Agreement, 80 minutes (1
hour, 20 minutes) to complete the exam questions, and five minutes to complete an exit survey.

The approximate distribution of items by topic (Exam Domain) and topic weightings are shown in the following table.

Exam Domain                      Weight (%)
Technical Business Value         20%
Competitive Differentiators      18%
Architecture and Planning        22%
Demonstration and Evaluation     20%
Network Security Best Practices  20%
TOTAL                            100%

How to Take This Exam

The exam is available through the third-party Pearson VUE testing platform.
To register for the exam, visit: https://home.pearsonvue.com/paloaltonetworks

Disclaimer

This study guide is intended to provide information about the objectives covered by this exam, related resources,
and recommended courses. The material contained within this study guide is not intended to guarantee that a
passing score will be achieved on the exam. Palo Alto Networks recommends that candidates thoroughly
understand the objectives indicated in this guide and use the resources and courses recommended in this guide
where needed to gain that understanding.

Audience and Qualifications


This exam is designed for individuals with the following job roles:
• Pre-Sales Engineers
• Systems Engineers / Solutions Architects
• Global Systems Integrator Engineers

Skills Required
• You can describe the technical business value of various software firewall tools and
processes.
• You have experience in the planning and architectural designing of VM-Series, CN-Series,
and cloud-delivered next-generation firewalls (NGFWs).
• You have passed the PSE: Foundation course, PSE: Strata Associate exam (strongly recommended), and
PSE: Software Firewall Associate exam.

Recommended Training
Palo Alto Networks strongly recommends that you attend the following instructor-led training courses or equivalent digital-learning courses:
• PSE: Strata Associate course
• PSE: Software Firewall Associate course
• SE Bootcamp (internal only)


Introduction
With more and more organizations opting for end-to-end digital transformations, cloud technology has emerged as a C-suite agenda, placed right at the core of this transformation. As part of this transformation, organizations have started renting servers at a colocation facility, using data-center services managed by a third party, and using public cloud-based services from hosts like Amazon.

However, with various attackers looking to exploit these systems with known and unknown vulnerabilities, malware,
etc., protecting the cloud-based assets is a challenge for security teams.

In the last decade, many network security and firewall security appliances have flooded the global IT security market.
Palo Alto Networks has managed to break into this saturated market with its state-of-the-art products to provide ironclad
security to your virtual assets.

Palo Alto Networks software next-generation firewalls (NGFWs) provide a wide variety of products to cover most of
your security requirements within multiple environments. Their close integration with leading public clouds such as
AWS, Azure, Google Cloud Platform (GCP), etc., provides secure and easy-to-deploy firewalls that can be configured
centrally. Palo Alto Networks software firewalls include the VM-Series firewalls, CN-Series firewalls, and Cloud NGFW.

The VM-Series firewalls protect private and public cloud deployments with segmentation and threat prevention. The CN-Series next-generation container firewalls secure Kubernetes environments. The Cloud NGFW for AWS protects AWS deployments with network security delivered as a managed cloud service by Palo Alto Networks.

This Palo Alto Networks Software Firewall study guide provides a detailed overview of how to protect public and private
clouds, virtualized data centers, branch locations, and containerized environments with virtual, container, and cloud
next-generation firewalls.


Domain 1: Technical Business Value

1.1 Describe the requirements and components of auto scaling

A software firewall is a network security solution designed specifically for environments in which deploying hardware firewalls is difficult or impossible, such as public and private clouds, software-defined networks (SDNs), and software-defined wide-area networks (SD-WANs).

Similar to hardware firewalls, software firewalls grant or reject network access to traffic flows between untrusted zones and trusted zones.
Unlike hardware firewalls, which are physically located on-premises in data centers, software firewalls are ideal for securing virtual
environments. Software firewalls can also be deployed as virtualized instances of next-generation firewalls.

Palo Alto Networks VM-Series virtualized next-generation firewalls protect applications, data, and users across a wide range of public cloud,
virtualization, and branch environments. They provide all the capabilities of the physical Palo Alto Networks next-generation firewall in a
virtual machine form factor.

These virtualized instances of the industry-leading next-generation firewall provide application and user visibility for informed security
decisions, segment networks for security and compliance, prevent advanced attacks within allowed application flows, control application
access with user-based policies, and ensure policy consistency through Panorama™ network security management to secure environments
vital for competitiveness and innovation.

Next-generation firewall security can be delivered to Kubernetes environments as well by deploying CN-Series NGFWs. The benefits of these software firewalls include Layer 7 visibility in a Kubernetes environment, key subscriptions running inline for runtime security, and the capability to auto scale based on the needs of DevOps.


If firewalls cannot match the speed of application deployment and keep up with the traffic, they start becoming bottlenecks. Auto scaling is an
inherent feature of Palo Alto Networks firewalls that makes them dynamic. Auto scaling firewalls secure traffic to your highly available, internet-
facing applications when demand spikes, and they maintain cost efficiency when demand drops by scaling in application workloads.

VM-Series

VM-Series is the virtualized form factor of the Palo Alto Networks next generation firewall. To meet the growing need for inline security across
diverse cloud and virtualization use cases, you can deploy the VM-Series firewall on a wide range of private and public cloud computing
environments.

For more details on VM-Series and its deployment, refer to Section 2.1.

Auto Scaling the VM-Series on AWS

The Palo Alto Networks auto scaling templates for AWS help you to configure and deploy VM-Series firewalls to protect applications deployed in AWS. These templates leverage AWS scalability features to independently and automatically scale VM-Series firewalls to meet surges in application workload resource demand.

• VM-Series automation capabilities include the PAN-OS® API and bootstrapping.
• AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs), Elastic Load Balancing (ELB), S3, and Simple Notification Service (SNS).

The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series Firewalls in AWS.

Configuration on AWS with a Gateway Load Balancer

The Palo Alto Networks auto scaling templates for AWS help you integrate and configure the VM-Series firewall with a Gateway Load Balancer (GWLB) to protect applications deployed in AWS. This solution provides a security virtual private cloud (VPC) template and an application template. The security VPC template deploys the VM-Series firewall auto scaling group, a GWLB, a GWLB endpoint (GWLBE), a GWLBE subnet, a security attachment subnet, and a NAT gateway for each availability zone. Download the CloudFormation templates from the Palo Alto Networks GitHub repository.


Key Idea

• All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public
cloud environment. IPv6 addresses are not supported.

The VM-Series Auto Scaling template for integration with an AWS GWLB includes the following building blocks:

Building block: PAN Components
• Panorama running 10.0.2 or later
• PAN-OS 10.0.2 or later
• VM-Series plugin 2.0.2 or later installed on Panorama

Building block: Firewall template (Community supported template)
Based on the number of availability zones (AZs) you choose, the firewall-new-vpc-v3.0.template deploys the following:
• Subnets for Lambda management, transit gateway attachments, GWLB endpoints, and NAT gateways, as well as trust subnets
• Route tables for each subnet
• Transit gateway attachments and route tables
• NAT and internet gateways
• An auto scaling group with one VM-Series firewall per AZ
• One GWLB and a GWLB endpoint in each AZ
The template supports a maximum of four AZs.
The VPC Classless Inter-Domain Routing (CIDR) for the firewall template should be larger than /23.
Due to the variations in production environment components such as subnets, availability zones, route tables, and security groups, you must deploy the firewall-new-vpc-v3.0.template in a new VPC.
The VM-Series Auto Scaling template for AWS does not deploy a transit gateway or Panorama. You must deploy a transit gateway and Panorama before launching firewall-new-vpc-v3.0.template.

Building block: Application template (Community supported template)
Based on the number of AZs you choose, the panw-aws-app-v3.0.template deploys the following:
• Subnets for Lambda, transit gateway attachments, GWLB endpoints, and application load balancers
• Route tables for each subnet, as well as an inbound route table associated with the internet gateway to direct inbound traffic to the GWLB endpoint
• One application load balancer
• One internet gateway
• An auto scaling group with one Ubuntu instance per AZ
The VPC CIDR for the application template should be larger than /23.
The application template is intended to be used as an example for validating the security template.

Building block: Lambda functions
AWS Lambda provides robust, event-driven automation without the need for complex orchestration software. In addition to deploying the components described above, the firewall-new-vpc-v3.0.template performs the following functions:
• Adds or removes an interface (ENI) when a firewall is launched or terminated
• Deletes all the associated resources when you delete a stack or terminate an instance
• Removes a firewall as a Panorama managed device when there is a scale-in event
• Deactivates the license when a scale-in event results in a firewall termination
• Monitors the transit gateway periodically for new attachments or detachments and updates the route tables accordingly in the security VPC

Building block: Bootstrap files
This solution requires the init-cfg.txt file and the bootstrap.xml file so that the VM-Series firewall has the basic configuration for handling traffic. The bootstrap.xml file provided in the GitHub repository is provided for testing and evaluation only. For a production deployment, you must modify the sample credentials in the bootstrap.xml prior to launch.
• The init-cfg.txt file includes the mgmt-interface-swap operational command to enable the firewall to receive data-plane traffic on its primary interface. This auto scaling solution requires swapping the data-plane and management interfaces to enable the GWLB to forward web traffic to the auto scaling tier of VM-Series firewalls.
• The bootstrap.xml file enables basic connectivity for the firewall network interfaces and allows the firewall to connect to the AWS CloudWatch namespace that matches the stack name you enter when you launch the template.


Configuration on AWS with an Auto Scaling Group

The VM-Series auto scaling templates enable you to deploy a single auto scaling group (ASG) of VM-Series firewalls to secure inbound traffic
from the internet to your application workloads on AWS. You can deploy the VM-Series firewall ASG and the application workloads within a
single VPC as shown:

You can also deploy the ASG firewall in a centralized VPC and your application workloads in separate VPCs within the same region. These
will form a hub-and-spoke architecture, as shown:


The hub-and-spoke architecture enables you to streamline the delivery of centralized security and connectivity for
AWS deployments with multiple applications, VPCs, or accounts. This architecture can increase agility—your
network security administrators can manage the firewall VPC, and DevOps administrators or application
developers can focus on managing the application VPCs.

Auto Scaling the VM-Series on Azure


Palo Alto Networks provides templates to help you deploy an auto scaling tier of VM-Series firewalls leveraging
several Azure services such as Virtual Machine Scale Sets (VMSSs), Application Insights, Azure Load Balancers,
Azure functions, Panorama and the Panorama plugin for Azure, and the VM-Series automation capabilities,
including the PAN-OS API and bootstrapping. These templates allow you to leverage the scalability features on
Azure that are designed to manage sudden surges in demand for application workload resources by independently
scaling the VM-Series firewalls with the changing workloads.


VM-Series Virtual Firewalls Integration with Azure Gateway Load Balancer


Load balancing is critical for evenly distributing loads of incoming network traffic across a group of backend
resources or servers. With Azure Load Balancer, you can scale your applications and create highly available
services.

But as organizations move more and more workloads into the cloud, setting up security becomes a top-of-mind
concern. With this integration, VM-Series virtual next-generation firewalls augment native Microsoft Azure network
security capabilities with next-generation threat protection. This includes preventing exploits, malware, previously
unknown threats, and data exfiltration to keep apps and data in Azure safe.

Palo Alto Networks offers the VM-Series software firewall integration with Azure Gateway Load Balancer, which
provides simplified connectivity while ensuring secure support for critical zone-based policies for internet ingress
traffic.


VM-Series virtual firewalls working in tandem with Azure Gateway Load Balancer

Preserve Full Visibility on Packet Sources

Truly securing traffic ingress requires complete visibility of the source's identity as the traffic travels to its destination in the cloud. This source visibility was previously difficult to achieve with inbound traffic. When VM-Series firewalls are deployed behind a public standard load balancer, the source IP addresses of inbound traffic are replaced with the IP address of the load balancer. As a result, application source identity is obfuscated.

But with the new VM-Series and Azure Gateway Load Balancer integration, traffic packet headers and payload are kept intact, which provides
complete visibility of the source's identity as traffic travels to its destination.

Discover Zone-Based Policy Support for Internet Ingress Traffic

The integration is designed to be fast and nondisruptive. You can continue to use your VNET Hub for centralizing your security by leveraging the Azure Gateway Load Balancer to scale and load-balance traffic across a stack of VM-Series firewalls. Plus, Gateway Load Balancer helps segment internet-bound traffic from the VNET-bound traffic.


What this means is that you can now assign a trust zone to the VNET-bound traffic and the untrust-zone for the internet-bound traffic—and
enhance security posture by continuing to author next-generation zone-based policies.

In addition, the VM-Series integration with Azure Gateway Load Balancer is also designed to provide the following customer benefits:

• Scale with ease while managing costs
• Improve VM-Series availability
• Flow symmetry

Configuration on Azure

Key Idea

• If you have more than one VMSS in an Azure subscription, you must use a
single Panorama appliance to manage them.

If the deployed firewall reaches the configured threshold and a scale-out event occurs, a new instance of the VM-Series firewall will be
launched. The deployed firewall is bootstrapped, and it will connect to Panorama to obtain its licenses and configuration.

When a scale-in event occurs, the Panorama plugin deactivates licenses on the firewall, and the IP address of the firewall is removed from
the VMSS. The internal load balancer will no longer route traffic to the firewall.

Auto Scaling the VM-Series on Google Cloud Platform (GCP)


The Panorama plugin for Google Cloud Platform (GCP) version 2.0.0 assists you in deploying and managing VM-Series firewalls that secure VM monitoring or auto scaling deployments in GCP. With Panorama maintaining your GCP managed instance groups, you can create application-enablement policies that protect and control the network.

Configuration on GCP

Palo Alto Networks provides auto scaling templates for GCP, which you can download from https://github.com/PaloAltoNetworks/GCP-AutoScaling. Each folder is a template directory containing several files; however, you only need to edit the following YAML files:

• Firewall Templates: These templates help you create VM-Series firewalls and other deployment resources. You can use them to create new networks and the familiar subnetworks for the VM-Series firewall: management, untrust, and trust. They also help you deploy a Cloud publish/subscribe (Pub/Sub) messaging service to relay information from GCP to the Panorama plugin for GCP. With this infrastructure in place, the plugin can:
  • Leverage dynamic address groups to apply Security policy on inbound traffic routed to services running on GCP
  • Use auto scale metrics to deploy VM-Series firewalls to meet increased demand for application workload resources or to eliminate firewalls that are no longer needed.


• Application Template: The application directory provides a sample application template.


Configure and deploy an internal load balancer (ILB) to enable your application servers to subscribe
to the Pub/Sub service and communicate with your VM-Series firewalls and the GCP plugin on
Panorama. To customize the application template, edit the firewall deployment template and the
application template in apps.yaml.

CN-Series
The Palo Alto Networks CN-Series container firewall is the first next-generation firewall purpose-built to secure
Kubernetes orchestration environments from network-based attacks.

The Palo Alto Networks CN-Series containerized firewall is the best-in-class next generation firewall purpose built
to secure the Kubernetes environment from network based attacks. The CN-Series firewall enables network
security teams to gain layer-7 visibility into Kubernetes environments, provide inline threat protection for
containerized applications deployed anywhere, and dynamically scale security without compromising DevOps
agility.

For more details on CN-Series and its implementation, refer to Section 2.1.

Auto Scaling CN-Series using Horizontal Pod Auto Scaling

The horizontal pod autoscaler (HPA) is a Kubernetes resource available in all cloud environments that automatically scales the number of CN-MGMT and CN-NGFW pods in a deployment based on monitored metrics.

HPA uses two standard metrics across all cloud environments—CPU and memory utilization—as well as custom
metrics specific to each cloud environment. Each cloud requires specific YAML files to enable HPA in Azure Kubernetes
Services (AKS), Elastic Kubernetes Services (EKS), and Google Kubernetes Engine (GKE).

Configuration
HPA retrieves metrics data from a monitoring adapter in the cloud environment, such as CloudWatch in EKS, to
determine when to scale up or down based on the thresholds you define.
You must modify the necessary YAML files to set the minimum and a maximum number of replicas, the thresholds
for each metric, and which metrics are used in auto scaling your firewalls.

Scaling is determined by dividing the total metric by the metric threshold and then deploying enough pods to bring
the metric down to the configured threshold across all CN-NGFW pods in the cluster. However, the cluster will not
deploy more CN-NGFW pods than the specified maxReplicas defined. If more than one metric exceeds the
threshold at the same time, the cluster will deploy the necessary number of pods to address the higher metric.

By default, the HPA adapter polls the metrics adapter every 15 seconds. If the metrics you have specified exceed
the configured threshold for the time specified in stabilizationWindowSeconds inside the scaleUp, the cluster will
deploy an additional CN-NGFW pod. The cluster then waits for the time specified in stabilizationWindowSeconds
inside the scaleDown before deciding whether additional CN-NGFW pods are required. By default, one pod is
deployed at a time.
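The sizing rule described above (total metric divided by its threshold, the highest metric winning, a cap at maxReplicas, and one pod added at a time after the scaleUp/scaleDown stabilization windows), as an added Python model. This is not code from the study guide or from the CN-Series HPA YAML files; the stabilization-window handling is a simplified model of the behaviour the text describes, not the Kubernetes controller's actual algorithm, and the metric totals and thresholds are constructed sample values.

```python
"""Model of the CN-NGFW HPA sizing rule described in the study guide (added example)."""
import math


def desired_pods(metric_totals, thresholds, max_replicas, min_replicas=1):
    """Pods needed to bring every metric down to its per-pod threshold.

    metric_totals: metric name -> value summed across all CN-NGFW pods
    thresholds:    metric name -> per-pod target for that metric
    When several metrics exceed their threshold, the highest demand wins;
    the result never exceeds maxReplicas or drops below minReplicas.
    """
    needed = min_replicas
    for name, total in metric_totals.items():
        needed = max(needed, math.ceil(total / thresholds[name]))
    return min(needed, max_replicas)


class HpaSimulator:
    """Replica count over time, one pod added or removed at a time.

    Simplified model (an assumption, not the Kubernetes controller logic):
    a scale-out happens once the metrics have exceeded the threshold for
    scale_up_window seconds; after a scale-out the cluster waits
    scale_down_window seconds before scaling out again; a scale-in happens
    once the metrics have been below the threshold for scale_down_window.
    """

    def __init__(self, thresholds, min_replicas, max_replicas,
                 scale_up_window, scale_down_window):
        self.thresholds = thresholds
        self.min_replicas = min_replicas
        self.max_replicas = max_replicas
        self.scale_up_window = scale_up_window
        self.scale_down_window = scale_down_window
        self.replicas = min_replicas
        self.over_since = None    # when metrics first exceeded the threshold
        self.under_since = None   # when metrics first dropped below it
        self.cooldown_until = 0   # no further scale-out before this time

    def observe(self, now, metric_totals):
        """Feed one metrics poll (the HPA polls every 15 s by default)."""
        desired = desired_pods(metric_totals, self.thresholds,
                               self.max_replicas, self.min_replicas)
        if desired > self.replicas:
            self.under_since = None
            if self.over_since is None:
                self.over_since = now
            if (now - self.over_since >= self.scale_up_window
                    and now >= self.cooldown_until):
                self.replicas += 1          # one CN-NGFW pod at a time
                self.over_since = None
                self.cooldown_until = now + self.scale_down_window
        elif desired < self.replicas:
            self.over_since = None
            if self.under_since is None:
                self.under_since = now
            if now - self.under_since >= self.scale_down_window:
                self.replicas -= 1
                self.under_since = None
        else:
            self.over_since = self.under_since = None
        return self.replicas


def run_demo():
    """Constructed sample: CPU in millicores, memory in MiB, 15 s polls."""
    thresholds = {"cpu": 500, "memory": 1000}
    sim = HpaSimulator(thresholds, min_replicas=1, max_replicas=3,
                       scale_up_window=60, scale_down_window=120)
    busy = {"cpu": 1200, "memory": 1500}   # CPU needs ceil(2.4) = 3 pods
    quiet = {"cpu": 300, "memory": 400}    # one pod is enough
    history = [sim.observe(t, busy) for t in range(0, 300, 15)]
    history += [sim.observe(t, quiet) for t in range(300, 600, 15)]
    return history


if __name__ == "__main__":
    print(run_demo())
```

Run as a script to print the replica count at each 15 s poll: it climbs 1, 2, 3 during the busy phase and steps back down one pod per scale-down window once traffic is quiet.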

1.1.1 References

• Auto Scaling the VM-Series Firewall on Azure
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-azure/autoscaling-the-vm-series-firewall-on-azure
• VM-Series Auto Scaling Templates for AWS Version 2.1
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb/vm-series-auto-scale-template-for-aws-version-v21
• VM-Series Auto Scaling Group with AWS Gateway Load Balancer
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/vm-series-integration-with-gateway-load-balancer/vm-series-auto-scaling-group-with-gateway-load-balancer
• Auto Scaling the VM-Series Firewall on Google Cloud Platform
https://docs.paloaltonetworks.com/vm-series/9-1/vm-series-deployment/set-up-the-vm-series-firewall-on-google-cloud-platform/autoscaling-on-google-cloud-platform
• Enable Horizontal Pod Autoscaling on the CN-Series
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/enable-horizontal-pod-autoscaling-on-the-cn-series

1.2 Explain the value and operational efficiency of dynamic address groups (DAGs)

To simplify the creation of Security policies, all the IP addresses, FQDNs, etc., that require the same security
settings can be combined into address groups. An address group can be static or dynamic.

A dynamic address group (DAG) populates its members dynamically using tag-based filtering criteria. A DAG
allows you to:

• Create a policy that automatically adapts to changes—adding, moving, or deleting servers
• Apply different rules to the same asset based on tags that define its role based on the network, the operating system, or the kinds of traffic it processes

Dynamic address groups are very useful if you have an extensive virtual infrastructure where changes in virtual
machine location/IP address/Cluster (Pods) are frequent. For example, in an environment that needs to provision
new virtual machines frequently, a DAG could be referenced as a match condition within a Security policy rule
that applies to traffic from or to the new machine.
This would allow the dynamic addition or removal of the virtual device without the need to manually add the
device's information directly to the rule each time a change is required.

The tag-based filter uses logical (“and” and “or”) operators. All IP addresses or address groups that match the
filtering criteria become members of the dynamic address group.

You can associate (register) tags with a firewall statically or dynamically. Static tags are part of the configuration
on the firewall, whereas dynamic tags are part of the runtime configuration. As a result, once a policy rule
referencing a DAG using dynamic tags is committed to a firewall, a commit is not required to update dynamic
tags with any subsequent changes. The changes are dynamically applied to the DAG and referenced by the
policy rule as appropriate.

To use a dynamic address group in the policy, you must complete the following tasks:

• Define a dynamic address group and reference it in a policy rule.


• Notify the firewall of the IP addresses and the corresponding tags so that the membership of the dynamic address group can be formed. You can do this using external scripts that use the XML API on the firewall or, for a VMware-based environment, you can select Device > VM Information Sources to configure settings on the firewall.

To dynamically register tags, you can use the XML API or the VM Monitoring agent on the firewall or on the User-ID agent. Each tag is a
metadata element or attribute-value pair that is registered on the firewall or Panorama.

Each registered IP address can have up to 32 tags, such as the operating system, the data center, or the virtual switch to which it belongs.
Within 60 seconds of receiving an API call containing tag updates, the firewall registers the IP address and associated tags and automatically
updates the membership information for the DAGs.

DAGs can also include statically defined address objects. If you create an address object and apply the same tags that you have assigned
to a DAG, the DAG will include all static and dynamic objects that match the tags. You can, therefore, use tags to pull together both dynamic
and static objects within the same address group.
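The two mechanisms described above, as an added example that is not from the study guide or from Palo Alto Networks: it builds the XML API register payload that pushes IP-to-tag mappings to a firewall (enforcing the 32-tag limit) and resolves DAG membership from an "and"/"or" tag filter over both dynamically registered IPs and statically defined address objects. The sample IPs, tags and object names are constructed; giving "and" precedence over "or" (parentheses override) is this example's assumption.

```python
"""Added example (not from the study guide): resolve DAG membership from a
tag-based match filter and build the XML API register payload."""
import re
import xml.etree.ElementTree as ET

MAX_TAGS_PER_IP = 32  # per-IP tag limit stated in the study guide


def build_register_message(registrations, persistent=True):
    """Build the <uid-message> body sent through the XML API (type=user-id)
    to register IP-to-tag mappings. Element layout follows the PAN-OS
    register payload; the registrations passed in are constructed data."""
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    register = ET.SubElement(ET.SubElement(root, "payload"), "register")
    for ip, tags in registrations.items():
        tags = sorted(set(tags))
        if len(tags) > MAX_TAGS_PER_IP:
            raise ValueError(f"{ip}: {len(tags)} tags exceeds the limit of {MAX_TAGS_PER_IP}")
        entry = ET.SubElement(register, "entry", ip=ip, persistent="1" if persistent else "0")
        tag_el = ET.SubElement(entry, "tag")
        for tag in tags:
            ET.SubElement(tag_el, "member").text = tag
    return ET.tostring(root, encoding="unicode")


def tokenize(expr):
    """Split a filter such as "'env.prod' and ('app.web' or 'app.db')" into
    tokens. Tags must be single-quoted; anything else unquoted is an error."""
    tokens = []
    for m in re.finditer(r"'([^']*)'|(\(|\))|\b(and|or)\b|(\S)", expr):
        tag, paren, op, bad = m.groups()
        if bad:
            raise ValueError(f"unexpected character {bad!r} in filter")
        if tag is not None:
            tokens.append(("tag", tag))
        elif paren:
            tokens.append(("paren", paren))
        else:
            tokens.append(("op", op.lower()))
    return tokens


class _Parser:
    """Recursive-descent parser: or-expr := and-expr ('or' and-expr)*,
    and-expr := atom ('and' atom)*, atom := tag | '(' or-expr ')'."""

    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.i != len(self.toks):
            raise ValueError("trailing tokens in filter")
        return node

    def parse_or(self):
        left = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            left = ("or", left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_atom()
        while self.peek() == ("op", "and"):
            self.take()
            left = ("and", left, self.parse_atom())
        return left

    def parse_atom(self):
        kind, val = self.take()
        if kind == "tag":
            return ("tag", val)
        if (kind, val) == ("paren", "("):
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')' in filter")
            return node
        raise ValueError(f"unexpected token {val!r} in filter")


def evaluate(node, tags):
    """True when the tag set satisfies the parsed filter tree."""
    if node[0] == "tag":
        return node[1] in tags
    if node[0] == "and":
        return evaluate(node[1], tags) and evaluate(node[2], tags)
    return evaluate(node[1], tags) or evaluate(node[2], tags)


def resolve_dag(match_filter, dynamic_tags, static_objects=None):
    """Return the sorted DAG members: registered IPs plus static address
    objects whose tags match (the guide notes a DAG includes both)."""
    tree = _Parser(tokenize(match_filter)).parse()
    members = {ip for ip, tags in dynamic_tags.items() if evaluate(tree, set(tags))}
    for name, tags in (static_objects or {}).items():
        if evaluate(tree, set(tags)):
            members.add(name)
    return sorted(members)


# Constructed sample registrations and static objects (not from the guide).
SAMPLE_DYNAMIC = {
    "10.1.1.10": ["os.linux", "env.prod", "app.web"],
    "10.1.1.11": ["os.windows", "env.prod", "app.db"],
    "10.1.2.20": ["os.linux", "env.dev", "app.web"],
}
SAMPLE_STATIC = {"web-lb-vip": ["env.prod", "app.web"]}

if __name__ == "__main__":
    print(build_register_message(SAMPLE_DYNAMIC))
    print(resolve_dag("'env.prod' and 'app.web'", SAMPLE_DYNAMIC, SAMPLE_STATIC))
```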

1.2.1 References

• Use Dynamic Address Groups in Policy
https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy
• Objects > Address Groups
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/objects/objects-address-groups

1.3 Describes various plugin options and deployment methods

VM-Series Plugin

The VM-Series plugin for VM-Series firewalls is a single plugin that enables integration with public cloud environments, such as GCP, Azure, and AWS, and private cloud hypervisors such as KVM, ESXi, and others. The VM-Series plugin is pre-installed on the VM-Series firewall; you can upgrade or downgrade it, but you cannot delete it. When you deploy the firewall, the built-in plugin automatically detects the virtual environment on which the firewall is deployed and loads the plugin components that enable you to manage interactions within that environment.

The plugin also enables publishing custom metrics to cloud-monitoring services (such as AWS CloudWatch), bootstrapping, configuring user
credential provisioning information from public cloud environments, and seamless updates for cloud libraries or agents on PAN-OS. For
example, when you deploy the VM-Series firewall on GCP, the VM-Series firewall loads the plugin components that enable integration with
GCP. You can then use the VM-Series plugin to configure the VM-Series firewall on GCP to publish metrics to Google Stackdriver Monitoring.

Similarly, for VM-Series firewalls deployed on Azure, the VM-Series plugin enables you to configure the firewall to publish metrics to Azure
Application Insights or set up the details that the firewalls need to function as a high availability (HA) pair.


You can manually upgrade the VM-Series plugin independently of PAN-OS, enabling Palo Alto Networks to accelerate the release of new
features, fixes, or integrations with new cloud providers or hypervisors. Each plugin version provides PAN-OS compatibility information and
includes new features or bug fixes for one or more cloud environments. Each PAN-OS release includes a specific VM-Series plugin version
that corresponds to the PAN-OS software version. When you downgrade to an earlier PAN-OS software version, the plugin version is
downgraded to a compatible version.

You can upgrade or downgrade the VM-Series plugin locally on the virtual firewall or manage the plugin version centrally from Panorama.

Key Idea

• The VM-Series plugin does not manage capabilities that are common to both VM-Series firewalls and hardware-based
firewalls. For example, VM Monitoring is not part of the VM-Series plugin because it is a core PAN-OS feature that
helps you enforce policy consistently on your virtual machine workloads from both VM-Series firewalls and hardware-
based firewalls.

• The VM-Series plugin does not manage Panorama plugins. For the difference between the VM-Series plugin and
Panorama plugins, see VM-Series Plugin and Panorama Plugins.

Panorama Plugins

On Panorama, the VM-Series plugin is available but is not pre-installed. If you choose to use Panorama to manage the integrations on your firewalls, install the VM-Series plugin on Panorama to establish communication with the VM-Series plugin on your firewalls.

Key Idea

• For plugin installations required on both Panorama and managed firewalls, the plugin version installed on Panorama
must be equal to or higher than the plugin version installed on managed firewalls.

The Panorama plugins are for both hardware-based firewalls and VM-Series firewalls. Because Panorama plugins are optional, you can add,
remove, reinstall, or upgrade them on Panorama.
Panorama plugins are not built in; you must install a plugin to enable communication with the environment you need. For example, you use
the Cloud Services plugin on Panorama to enable the setup between Panorama/firewalls and the Cortex Data Lake. The GCP plugin on
Panorama enables communication between Panorama and your GCP deployment so that you can secure the traffic entering or exiting a
service deployed in GCP.

Panorama extensible plugin architecture enables integration and configuration of the following:

• AIOps—The AIOps plugin enables you to enforce best practice checks by validating your commits and letting you know if a
policy needs work before you push it to Panorama.

• AWS—The AWS plugin enables you to monitor your EC2 workloads on AWS. With the plugin, you can enable communication
between Panorama (running PAN-OS 8.1.3 or later) and your AWS VPCs so that Panorama can collect a predefined set of
attributes (or metadata elements) as tags for your EC2 instances and register the information to your


Palo Alto Networks firewalls. When you reference these tags in dynamic address groups and match against them in Security
policy rules, you can consistently enforce policy across all assets deployed within your VPCs.

• Azure—The Azure plugin enables you to monitor your virtual machines on the Azure public cloud. With the plugin, you can enable
communication between Panorama (running PAN-OS 8.1.6 or later) and your Azure subscriptions so that Panorama can collect
a predefined set of attributes (or metadata elements) as tags for your Azure virtual machines and register the information to
your Palo Alto Networks firewalls. When you reference these tags in dynamic address groups and match against them in
Security policy rules, you can consistently enforce policies across all assets deployed within VNets in your subscriptions.

• Cisco ACI—The Cisco ACI plugin enables you to monitor endpoints in your Cisco ACI fabric. With the plugin, you enable
communication between Panorama (8.1.6 or later) and your Cisco APIC so that Panorama can collect endpoint information as
tags for your endpoint groups and register the information to your Palo Alto Networks firewalls. When you reference these tags
in dynamic address groups and match against them in Security policy rules, you can consistently enforce policies across all
assets deployed within your Cisco ACI fabric.

• Cisco TrustSec—The Cisco TrustSec plugin enables monitoring of endpoints in your Cisco TrustSec environment. With the
plugin, you enable communication between Panorama and your Cisco pxGrid server so that Panorama can collect endpoint
information as tags for your endpoints and register the information to your Palo Alto Networks firewalls. When you reference
these tags in dynamic address groups and match against them in Security policy rules, you can consistently enforce policy
across all assets deployed within your Cisco TrustSec environment.

• Cloud Services—The Cloud Services plugin enables the use of the Cortex Data Lake and Prisma® Access. The Cortex Data
Lake solves operational logging challenges, and the Prisma Access cloud service extends your security infrastructure to your
remote network locations and mobile workforce.

• GCP—The GCP plugin enables you to secure Kubernetes services in a Google Kubernetes Engine (GKE) cluster. You can
configure the Panorama plugin for GCP to connect to your GKE cluster and learn about the services that are exposed to the
internet.

• Interconnect—The Panorama Interconnect plugin enables you to manage large-scale firewall deployments. Use the Interconnect
plugin to set up a two-tier Panorama deployment (on Panorama running PAN-OS 8.1.3 or later) for a horizontal scale-out
architecture. With the Interconnect plugin, you can deploy a Panorama Controller with up to 64 Panorama nodes or 32
Panorama HA pairs to centrally manage a large number of firewalls.

• Nutanix—The Panorama plugin for Nutanix enables VM Monitoring in your Nutanix environment. It allows you to track the virtual
machine inventory within your Nutanix Prism Central so that you can consistently enforce a Security policy that automatically


adapts to changes within your Nutanix environment. As virtual machines are provisioned, deprovisioned, or moved, this solution
allows you to collect the IP addresses and associated sets of attributes (or metadata elements) as tags. You can then use the
tags to define dynamic address groups and use them in the Security policy. The Panorama plugin for Nutanix requires
Panorama 9.0.4 or later.

• SD-WAN—The Software-Defined Wide Area Network (SD-WAN) plugin allows you to use multiple internet and private services to
create an intelligent and dynamic WAN, which helps lower costs and maximize application quality and usability. Instead of
using costly and time-consuming Multiprotocol Label Switching (MPLS) with components such as routers, firewalls, WAN path
controllers, and WAN optimizers, SD-WAN on a Palo Alto Networks firewall allows you to use less expensive internet services
and fewer pieces of equipment.

• VMware NSX—The VMware NSX plugin enables integration between the VM-Series firewall on VMware NSX with VMware NSX
Manager. This integration allows you to deploy the VM-Series firewall as a service on a cluster of ESXi servers.

• VMware vCenter—The Panorama plugin for VMware vCenter allows you to monitor the virtual machines in your vCenter
environment. The plugin retrieves IP addresses of virtual machines in your vCenter environment and converts them to tags
that you can use to build policy using dynamic address groups.

• IPS Signature Converter—The IPS Signature Converter plugin for Panorama provides an automated solution for converting rules
from third-party intrusion prevention systems—Snort and Suricata—into custom Palo Alto Networks threat signatures. You can
then register these signatures on firewalls that belong to device groups you specify and use them to enforce policy in
Vulnerability Protection and Anti-Spyware Security profiles.

• Kubernetes—The Kubernetes plugin for Panorama enables you to establish connectivity with the Kubernetes clusters. It helps
you manage licensing and configure policies for visibility, control, and threat inspection of traffic between pods or services, and
for inbound or outbound traffic for applications or services deployed on Kubernetes clusters.

This Kubernetes plugin is required to manage the CN-Series firewalls. Panorama provides a consistent management solution
to incorporate Kubernetes context into policies, and it allows other Palo Alto Networks firewalls in the environment to use these
context-infused policies for a uniform network security posture.

Refer to the Palo Alto Networks Compatibility Matrix for details on the different plugin versions and compatibility information.

1.3.1 References

• VM-Series Plugin
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-plugin

• VM-Series and Panorama Plugins Release Notes
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes


• Panorama Plugins
https://docs.paloaltonetworks.com/plugins/vm-series-and-panorama-plugins-release-notes/palo-alto-networks-vm-series-and-panorama-plugins/plugins

1.4 Describe the process of segmentation

Network segmentation is an architectural approach that divides a network into multiple segments or subnets, each
acting as its own small network. This allows network administrators to control the flow of traffic between subnets
based on granular policies. Organizations use segmentation to improve monitoring, boost performance, localize
technical issues and—most importantly—enhance security.

Segmentation helps network security personnel prevent unauthorized users—curious insiders as well as malicious
attackers—from gaining access to valuable assets, such as personal information, corporate financial records, and
highly confidential intellectual property.

Securing applications and services depends upon the NGFW's ability to have visibility and control of the traffic to
and from the application and traffic between an application's components. To provide the required visibility and
control, you should segment data and applications in the private data center and public-cloud provider behind a
next-generation firewall.

One of the most common ways to segment data is based on sensitivity levels. With greater data sensitivity,
additional policies and protection are necessary, including a stricter definition of what is permitted to access the
application. The data-sensitivity level information of an application allows you to group applications and services
with common security and traffic-flow requirements. For instance, you should not group an application or service
that is at the highest level of sensitivity with any other application. You should even separate high-sensitivity
services from other components of your application if those other components have a reduced security requirement.

The sensitivity levels are as follows:

• Low—Applications and information whose loss of availability would have a limited impact on the organization or its customers
• Moderate—Infrastructure, applications, and systems whose loss of integrity and availability would impact the organization or its customers
• High—Any information falling under statutory requirements for notification in the case of a breach

How you create the network segments for an application depends upon the infrastructure on which it is built. The
Palo Alto Networks portfolio allows segmentation in a variety of locations within your environment:

• Data center—The PA-Series and VM-Series are ML-powered NGFWs. The PA-Series are physical
appliances that you typically deploy at the data-center perimeter. The VM-Series are virtualized-form-
factor, ML-powered next-generation firewalls that you typically deploy within the data center, providing
a more granular layer of segmentation.


• Public cloud—The VM-Series are virtualized-form-factor, ML-powered NGFWs. You deploy these in a
variety of public, private, and hybrid cloud environments. The VM-Series images are often available
from the public-cloud service-provider stores.

• Containers—Palo Alto Networks provides two methods for segmenting workloads within Kubernetes
clusters: the CN-Series NGFW and Prisma Cloud Identity-Based Microsegmentation. The CN-Series
are containerized-form-factor NGFWs. They provide advanced Layer 7 network security and threat
protection. In Kubernetes clusters, Prisma Cloud Identity-Based Microsegmentation gives you the
ability to provide segmentation based on the individual workload identity instead of IP addresses.

To define the source and destination networks for securing traffic flows, the NGFW uses zones and dynamic
address groups. Zones are used in static environments, and dynamic address groups allow the Security policy to
stay in sync with dynamic virtual environments in both the data center and the public cloud.

App-ID identifies the applications in the traffic between network segments and enables the NGFW to limit the
communication between network segments to specific applications. Because the Zero Trust Security policy in the
data center denies all traffic between segments, use App-ID to explicitly define the intersegment traffic required
for the applications to function and administrators to manage the applications.

Network segmentation can be implemented as either physical or logical segmentation.

As the name implies, physical segmentation involves breaking down a larger network into a collection of smaller subnets. It is relatively simple to administer because the topology is fixed in the architecture. A physical or virtual firewall acts as the subnet gateway, controlling which traffic comes in and goes out.

Logical segmentation creates subnets using one of two primary methods: virtual local area networks (VLANs) or
network addressing schemes. VLAN-based approaches are simple to implement because the VLAN tags
automatically route traffic to the appropriate subnet. Network addressing schemes are equally effective but require
more detailed understanding of networking theory.

Logical segmentation is more flexible than physical segmentation because it does not require wiring or physical
movement of components. Automated provisioning can greatly simplify the configuration of subnets.

Moving to a segmentation architecture provides an opportunity to simplify the management of firewall policies. An
emerging best practice is to use a single consolidated policy for subnet access control as well as threat detection
and mitigation, rather than performing these functions in different parts of the network. This approach reduces the
attack surface and strengthens the organization's security posture.

Microsegmentation
Microsegmentation is a secure method of managing network access between workloads. It enables administrators
to manage Security policies that limit traffic based on the principle of least privilege based on an endpoint's identity
and Zero Trust without the need to re-architect.


Organizations use microsegmentation to reduce the attack surface, improve breach containment, and strengthen regulatory compliance.

Microsegmentation is a fine-grained application segmentation method that is decoupled from the network infrastructure design. This allows for
a much higher degree of isolation and is ideal for ensuring least-privileged workload access.

Microsegmentation helps provide consistent security across private and public clouds by virtue of three key principles:

• Visibility—A microsegmentation solution should deliver visibility into all network traffic within and across data centers and clouds. Although there are several ways to monitor traffic, the most effective measure is to see traffic coupled with workload context (e.g., cloud, application, orchestrators) as opposed to logs containing only IP addresses and ports.

• Granular security—Granular security means that network administrators can strengthen and pinpoint security by creating specific
policies for critical applications. The goal is to prevent lateral movement of threats with policies that precisely control traffic in
and out of specific workloads, such as weekly payroll runs or updates to human-resources databases.

• Dynamic adaptation—Microsegmentation offers protection for dynamic environments. For instance, cloud native architectures like containers and Kubernetes can spin up and down in a matter of seconds. The IP addresses assigned to cloud workloads are ephemeral, rendering IP-based rule management impossible. With microsegmentation, Security policies are expressed in terms of identities or attributes (env=prod, app=hrm, etc.) rather than network constructs (e.g., 10.100.0.10 tcp/80). Changes to the application or infrastructure trigger automatic revisions to Security policies in real time, requiring no human intervention.

Prisma Cloud Identity-Based Microsegmentation and the CN-Series NGFWs support capabilities for enabling microsegmentation at the
container level. The combination of both network segmentation and microsegmentation provides coarse-grained isolation of similar applications
across your entire environment and fine-grained, identity-based microsegmentation that prevents lateral attacks for hosts and containers.

1.4.1 References

• Zero Trust Enterprise
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/guides/zero-trust-overview
• Network Segmentation Using Zones
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/network-segmentation-using-zones
• What Is Network Segmentation?
https://www.paloaltonetworks.com/cyberpedia/what-is-network-segmentation
• What Is Microsegmentation?
https://www.paloaltonetworks.com/cyberpedia/what-is-microsegmentation


• Prisma Cloud Microsegmentation Administrator's Guide
https://docs.paloaltonetworks.com/prisma/prisma-cloud/prisma-cloud-admin-microsegmentation

• Prisma Cloud: Cloud Network Security training
https://beacon.paloaltonetworks.com/student/collection/963302-prisma-cloud-cloud-network-security?sid=276822f4-4675-4c2b-b4f5-5af9e0a83a03&sid_i=4

1.5 Describes centralized security visibility and deployment models

All Palo Alto Networks firewalls can generate logs that provide an audit trail of firewall activities. For centralized
logging and reporting, you must forward the logs generated on the firewalls to your on-premises infrastructure,
which includes the Panorama management server and Log Collectors, or send the logs to the cloud-based Cortex
Data Lake. Optionally, you can configure Panorama to forward the logs to external logging solutions, such as
syslog servers.

Panorama aggregates logs from all managed firewalls and provides visibility across all the traffic on the network.
It also provides an audit trail for all policy modifications and configuration changes made to the managed firewalls.
In addition to aggregating logs, Panorama can forward them as SNMP traps, email notifications, syslog messages,
and HTTP payloads to an external server.

Panorama uses two sources for generating reports: the local Panorama database and the remote firewalls that it
manages. The Panorama database refers to the local storage on Panorama that is allocated for storing both
summarized logs and some detailed logs. If you have a distributed Log Collection deployment, the Panorama
database includes the local storage on Panorama and all the managed Log Collectors. Panorama summarizes
the information—traffic, application, threat—collected from all managed firewalls at 15-minute intervals. However,
if you prefer not to forward logs to Panorama, Panorama can directly access the remote firewall and run reports
on data that is stored locally on the managed firewalls.

Key Idea

• You should forward logs to Panorama or to external storage for many reasons, including
compliance, redundancy, running analytics, centralized monitoring, and reviewing threat
behaviors and long-term patterns, and due to limited storage on the firewalls.

For centralized logging and reporting, you also have the option of using the cloud-based Cortex Data Lake. This
option allows your managed firewalls to forward logs to the Cortex Data Lake infrastructure instead of Panorama
or managed Log Collectors.

The Application Command Center (ACC) on Panorama provides a single pane for unified reporting across all the
firewalls. It enables you to centrally monitor network activity to analyze, investigate, and report on traffic and
potential security incidents.

1.5.1 References

• Manage Log Collection


https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-log-collection
• Centralized Logging and Reporting
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-overview/centralized-logging-and-reporting

1.6 Explain how to realize return on investment (ROI) by leveraging Palo Alto Networks next-generation firewall (NGFW) software

Recent data breaches and cybersecurity events impacting the global community have placed a spotlight on corporate and government IT
security teams and have renewed scrutiny on the policies and practices that keep sensitive data out of the hands of cybercriminals and other
bad actors. Reducing costs, achieving a rapid return on investment (ROI), and increasing security and IT operations efficiency for better
business outcomes are all typical mandates for cybersecurity investments, but if the investment does not ultimately improve organizational
security, are those other goals relevant?

Deploying Palo Alto Networks for network security brings significant financial and organizational benefits for the organization. These benefits
are spread across nine different categories, including efficiency gains for IT, security, and end users; cost savings from sunsetting legacy
technology; and the reduced risk of a data breach.

To find out how much ROI you can get by utilizing the Palo Alto Networks firewalls, use this interactive ROI calculator, based upon the
Forrester Consulting study The Total Economic Impact™ of VM-Series Virtual Firewalls, which was commissioned by Palo Alto Networks.
By answering a few simple questions, you will immediately see your virtualized security savings potential. Plus, you can also download a
complimentary, in-depth estimate tailored to your organization's needs, showing how ML-Powered VM-Series virtual NGFWs can pay for
themselves while protecting your data and workloads in public clouds, private clouds, hybrid clouds, and branch environments.


1.6.1 References

• Calculate Your Organization's Big Virtual Firewall ROI Potential
https://www.paloaltonetworks.com/blog/network-security/calculate-virtual-firewalls-roi-potential/

• Maximize Your Security ROI: 2021 Forrester Consulting TEI Study
https://www.paloaltonetworks.com/blog/network-security/maximize-your-security-roi-forrester-tei/

• Maximize the ROI of Detection & Response
https://start.paloaltonetworks.com/maximize-the-roi-of-detection-and-response.html

1.7 Identify the benefits of Palo Alto Networks solutions to address customer concerns or indifference

The successful exam candidate should be able to match customer requirements and strategies to the appropriate firewall form
factor. Hardware appliances are required for certain performance characteristics such as throughput and connections per second.
However, VM-Series firewalls are the appropriate choice in various customer scenarios. VM-Series firewalls provide security for public cloud environments, private cloud and hybrid environments, at branches, and for DevOps.

Public cloud virtual firewalls help meet customer security responsibilities in public cloud environments by securing operating systems,
platforms, access control, data, intellectual property, source code, and content. VM-Series virtual firewalls boost regulatory compliance by
providing protection across public clouds and other environments to protect data, regardless of where it resides.

Private cloud and hybrid cloud virtual firewalls secure virtualized compute resources and hypervisors. Virtual firewalls provide lateral movement
protection by inspecting traffic flows inside private clouds, which can help simplify microsegmentation and reduce the attack surface.

Deploying VM-Series virtual firewalls boosts SDN security in virtual environments that are built with software-defined networking fabrics such
as VMware NSX® and Nutanix Flow.

Branch virtual firewalls isolate and protect critical systems. Virtual firewalls deliver local branch segmentation and threat prevention to ensure
regulatory compliance and consistent branch network security from the same console that is used to manage other environments. Branch
locations also benefit from the virtualized form factor of VM-Series firewalls, which are deployable on a white box or existing servers to
minimize space requirements.

DevOps virtual firewalls protect application development speed. Virtual firewalls provide on-demand auto scaling to ensure security when you
need it most. With automated network security, you can integrate security provisioning directly into DevOps workflows and continuous
integration/continuous development pipelines without slowing the pace of business.

Key Idea

• Virtual firewalls provide on-demand auto scaling to ensure security.

1.7.1 References

• VM-Series on VMware NSX | Prism - Palo Alto Networks Datasheet


https://www.paloaltonetworks.com/resources/techbriefs/vm-series-for-nsx-solution-brief

1.8 Summary of Key Ideas

• All VM-Series firewall interfaces must be assigned an IPv4 address when deployed in a public cloud environment. IPv6 addresses are not supported.

• If you have more than one VMSS in an Azure subscription, you must use a single Panorama appliance to manage them.

• The VM-Series plugin does not manage capabilities that are common to both VM-Series firewalls and hardware-based firewalls. For example, VM Monitoring is not part of the VM-Series plugin because it is a core PAN-OS feature that helps you enforce policy consistently on your virtual machine workloads from both VM-Series firewalls and hardware-based firewalls.

• The VM-Series plugin does not manage Panorama plugins. For the difference between the VM-Series plugin and Panorama plugins,
see VM-Series Plugin and Panorama Plugins.


• For plugin installations required on both Panorama and managed firewalls, the plugin version installed on Panorama must be equal to
or higher than the plugin version installed on managed firewalls.

• You should forward logs to Panorama or to external storage for many reasons, including compliance, redundancy, running analytics,
centralized monitoring, and reviewing threat behaviors and long-term patterns, and due to limited storage on the firewalls.

• Virtual firewalls provide on-demand auto scaling to ensure security.

1.9 Sample Questions

1. In AWS, which of the following publishes metrics for auto scaling?
a. AWS S3 Bucket
b. AWS Lambda
c. AWS CloudWatch
d. AWS Auto Scaling Groups (ASG)

2. While defining an address group, each registered IP address can have up to how many tags?
a. 32
b. 64
c. 16
d. 8

3. The VM-Series plugin enables integration with:
a. Public clouds
b. Private clouds
c. Public and private clouds
d. Hypervisors

4. Which two statements are true for Panorama plugins? (Choose two) a. Panorama plugins are
available for both VM-Series and Hardware-based Firewall. b. Panorama plugins are optional and can be removed. c.
Panorama plugins are built-in. d. Panorama plugin versions are independent of
Panorama version.

5. Which three statements are true with respect to VM-Series plugin upgrades? (Choose three.) a. The plugin can be upgraded manually
independently of PAN-OS. b. The plugin can be upgraded locally in the virtual firewall. c. A PAN-
OS upgrade is mandatory to upgrade the VM-Series plugin. d. Upgrades can be
managed centrally through Panorama. and. Every plugin version is compatible with all the PAN-OS
versions.

6. What are three advantages of network segmentation? (Choose three.)


to. It boosts performance. b. It makes
managing firewall policies easier. c. It localizes technical issues.

d. It makes virtual clouds more secure.

and. It can be implemented only as physical segmentation.

Strata by Palo Alto Networks | PSE Software Firewall Professional 30


Machine Translated by Google

7. What is used to aggregate logs from all the managed firewalls and provide visibility into all
data traffic?
to. Cortex Data Lake
b. Panorama
c. Application Command Center d.
Dedicated Log Collectors

8. Which two parameters are considered while estimating ROI using Palo Alto Networks
VM-Series Virtual Firewalls Estimator? (Choose two.) a.
Number of firewalls to be deployed b.
Number of NetOps and SecOps staff in the organization c. Quantity
of data to be inspected d. Amount spent
on physical firewalls over a life cycle of five years


Domain 2: Competitive Differentiators


Three frequent cloud service provider (CSP) customer security challenges are:

• Slowing operations with multiple security tools
• Struggling to ensure a consistent network security posture
• Facing ongoing, on-demand scalability challenges

To get past these common obstacles:

• Deploy virtual firewalls with Next-Generation Firewall capabilities
• Leverage security solutions that work with multiple public cloud vendors
• Seamlessly integrate network security into DevOps workflows

Taking a layered approach to public cloud network security requires:

• Complete Visibility: Public cloud security requires complete visibility of all application traffic, including
flows that might be encrypted; this is necessary to determine what an application really is, regardless of
the port, protocol, or encryption type.
• Threat Prevention: Implementing threat prevention capabilities is necessary to identify and
stop known and unknown attacks.
• Exfiltration Prevention: Preventing sensitive data from leaving the environment is crucial
for maintaining public cloud security.
• Compliance: Achieving and maintaining compliance helps to mitigate risk throughout
decentralized environments through comprehensive reporting.
• Multicloud Support and Management: Manage public cloud network security consistently across AWS,
Azure, GCP, and others from the same console used to manage on-premises, private cloud, and branch
security postures.

2.1 Compare and contrast the capabilities of cloud-delivered VM-Series, CN-Series, and NGFW

VM-Series
VM-Series is the virtualized form factor of the Palo Alto Networks Next-Generation Firewall. It is
positioned for use in a cloud environment where it can protect and secure east-west and north-south traffic. To
meet the growing need for inline security across diverse cloud and virtualization use cases, you can deploy the
VM-Series firewall on a wide range of private and public cloud computing environments such as VMware, Cisco
ACI and Enterprise Network Compute System (ENCS), KVM, OpenStack, AWS, Microsoft public and private
cloud, Oracle Cloud Infrastructure (OCI), Alibaba Cloud, and GCP.

The VM-Series supports all the next-generation firewall and advanced threat prevention features available in our
physical form factor appliances, allowing you to safely enable applications flowing into and across your private,
public, and hybrid cloud computing environments.

Automation features such as VM Monitoring, dynamic address groups, and a REST-based API allow you to
proactively monitor virtual machine (VM) changes and dynamically feed that context into Security policies, thereby
eliminating the policy lag that may occur when your VMs change.


The VM-Series supports the following hypervisors:

• VMware ESXi and NSX
• Citrix SDX
• KVM (CentOS/RHEL)
• Ubuntu
• Amazon Web Services

Key Idea

• For the best instance types for optimal VM-Series capacity and performance, see the VM-Series Capacity & Performance
document.

Use Cases of VM-Series


1. Secure Public Clouds
Virtual firewalls can secure public cloud services from providers such as GCP, AWS, and Azure. These firewalls typically act as
guest virtual machines within public cloud environments and can provide visibility across multiple cloud service provider (CSP)
deployments.

Virtual firewalls also help organizations:

• Meet public cloud user security obligations—CSPs are typically responsible for lift-and-shift applications, software-as-a-
service (SaaS) applications, and cloud infrastructure (database, storage and networking). However, organizations using
these services are usually responsible for the security of the operating systems, platforms, access control, data, intellectual
property, source code, and customer-facing content that typically sit on top of the infrastructure.

• Ensure compliance with regulatory standards—Virtual firewalls can be deployed to implement threat prevention
capabilities and segmentation to meet regulatory standards such as GDPR, PCI DSS, HIPAA, and SWIFT.

• Boost the built-in security features unique to each public cloud platform—Some virtual firewalls provide inline threat
prevention to secure the flow of traffic moving laterally within a cloud environment, augmenting the basic, built-in security
unique to each CSP.

2. Extend Security to Branches and Software-Defined Environments

Virtual firewalls can help secure virtual branch offices as well as software-defined networks and software-defined wide-area networks (SDNs and SD-WANs, respectively). In SDN environments, software and virtualization control networking and data-routing activities within servers. Similarly, SD-WAN environments use software and virtualization to provide network connectivity for dispersed locations, such as branch offices.

Deploying virtual firewalls in these environments allows organizations to secure the perimeter, segment the network, and protect
their branch locations.


In software-defined environments, advanced virtual firewalls are used to:

• Provide consistent network security—Virtual firewalls can help organizations manage branch network security from the
same console they use to manage other environments. This can include support for SDN and SD-WAN solutions from
Cisco, Citrix, Nutanix, and VMware.

• Isolate critical systems, such as point of sale—Virtual firewalls can be used for segmentation and threat prevention as
well as to ensure compliance in branch locations with systems that require isolation, such as point-of-sale (POS) systems.

• Insert inline security into SD-WAN environments—Like their hardware siblings, virtual firewalls can be deployed to secure
the flow of live network traffic, which can be vital for privacy and compliance in branch locations.

• Prepare for future public cloud moves—Use of virtual firewalls in these environments can set the security stage for planned
moves of applications to public clouds.

3. Safeguard Private Cloud Assets

Virtual firewalls meet the security needs of private clouds, which are on-demand compute environments used by a single organization. In these environments, virtual firewalls can help:

• Maximize investment in highly virtualized environments—Creating and managing private clouds can be a capital-
intensive undertaking. In these environments, virtual firewalls are typically deployed to secure virtualized compute
resources and hypervisors, such as VMware ESXi, KVM, Nutanix AHV, Microsoft Hyper-V® and Azure Stack.

• Reduce time-consuming manual security provisioning—Some virtual firewalls come with policy-based automatic provisioning of network security capabilities. These can secure assets accurately and cost-effectively while also simplifying segmentation and microsegmentation processes—that is, isolating workloads from one another and then securing them individually.

Container Security Risks and the Need for the CN-Series NGFW

Container adoption is on the rise. According to a Gartner report, by the end of 2023 more than 75% of global organizations will be running containerized applications in production. However, this move brings new security and data risks for an organization.

Organizations with containerized applications face the following three risks:

• Containers are subject to the same network-based attacks that plague legacy workloads: Containers are not aliens. They are just another way to deploy applications. Regardless of whether applications are running on bare-metal servers, virtual machines or containers, they run on the same network stack and protocols. That means containerized apps face the same threats that have traditionally plagued legacy apps running on bare metal and virtual machines.

• Lack of protection against unpatched and unknown vulnerabilities: Patching can be a manual and time-consuming process.
When a vulnerability is identified and the patch is available, it can take weeks and months to patch hundreds of vulnerable
applications spread across a deployment. While agent-based deploy-time (shift-left) security products help to identify and patch
known vulnerabilities at scale, applications are helpless against unknown and unpatched vulnerabilities. For example, the infamous
Log4j security vulnerability existed but remained unknown for several years until identified in December 2021. That means that
supposedly “up-to-date” organizations are subject to unknown vulnerability exploits.

• Fragmented point security products lead to inconsistent security posture and east-west network attacks: Until now, network
security teams were not equipped with the right tools to secure containers without slowing DevOps speed and agility. Hence, they
started relying on DevOps to secure containers. This leads to the network security team securing only some parts of the
infrastructure with DevOps then securing the container infrastructure, often with suboptimal security products. Inconsistent security
leads to holes in the network and an increased risk of attacks as container apps have dependencies on legacy apps. Attackers
exploit these dependencies along with allowed network communications to laterally propagate threats (east-west) in the environment.

CN-Series is the container-native version of the ML-Powered NGFW, designed specifically for Kubernetes environments. The Palo Alto Networks CN-Series containerized firewall is a best-in-class next-generation firewall purpose-built to secure the Kubernetes environment from network-based attacks. The CN-Series firewall enables network security teams to gain Layer 7 visibility into Kubernetes environments, provide inline threat protection for containerized applications deployed anywhere, and dynamically scale security without compromising DevOps agility. Deploy the CN-Series to:

• Secure traffic between pods in different trust zones and namespaces
• Protect against known and zero-day malware
• Block data exfiltration from your containerized environments

Using Panorama as the centralized management platform, your network security teams can consistently manage firewall policies for physical,
virtual, container, and public cloud workloads from a single interface.

CN-Series provides Layer 7 traffic visibility, including the container source IP of outbound traffic, to detect and prevent threats traveling
between namespace boundaries. CN-Series firewalls enforce enterprise-level network security and threat protection in container traffic, which
helps you elevate the overall security posture by sharing Kubernetes contextual information with other Palo Alto Networks firewalls.

The Palo Alto Networks CN-Series container firewall is the first next-generation firewall purpose-built to secure Kubernetes orchestration
environments from network-based attacks. The CN-Series firewall enables network security teams to:


• Gain Layer 7 visibility and enforcement using native Kubernetes context to protect against known and unknown threats
• Provide inline threat protection for containerized applications deployed anywhere (on-prem or in-cloud)
• Deploy and scale network security without compromising DevOps speed and agility
• Consistently secure legacy and modern microservices-based apps through unified management

CN-Series is meant to ensure frictionless continuous integration / continuous development (CI/CD) pipeline deployment while delivering unparalleled runtime network protection through unified management across all firewalls.

Here are some key Kubernetes terms for better understanding of concepts:

• Cluster—The foundation of your containerized environment; all your containerized applications run on top of a cluster.
• Node—A node might be a virtual or physical machine, depending on the cluster, that contains the necessary services required for pods.
• Pod—The smallest computing unit that you can deploy and manage in Kubernetes. The CN-Series firewall is deployed in a distributed PAN-OS architecture as two pods: CN-MGMT and CN-NGFW.
• Namespace—A namespace is a virtual cluster that is backed by a physical cluster. In an environment with many users spread across multiple teams and functions, a namespace can be used to separate them within a single cluster.
• Container Network Interface (CNI)—A plugin that configures network interfaces for containers. Additionally, the CNI removes the allocated resources used for networking when a container is deleted.
• DaemonSet—In a Kubernetes deployment, a DaemonSet ensures that some or all nodes run a copy of a particular pod. As nodes are added to a Kubernetes cluster, a copy of the specified pod is added to each new node. When you deploy the CN-Series firewall as a DaemonSet, a copy of the CN-NGFW pod is deployed on each node in your cluster (up to 30 nodes per CN-MGMT pair).
• Kubernetes Service—An abstraction that exposes an application running on a set of pods as a network service. When you deploy the CN-Series as a service, you need to define the number of CN-NGFW pods to be deployed when setting up your YAML files.
• Horizontal Pod Autoscaler (HPA)—Automatically scales the number of pods in a deployment, replica set, or stateful set based on various metrics such as CPU utilization or session utilization.

Use Cases of CN-Series

There are three use cases in which customers most often employ CN-Series container firewalls. All of them involve the insertion of threat protection—and other advanced security services—at the trust boundaries of cloud native applications.

1. East-West Layer 7 Traffic Protection


You can use CN-Series to insert Layer 7 traffic protection and advanced threat protection into your Kubernetes environments.
Doing so secures the allowed connections between two containerized applications of different trust levels; it can also secure the
allowed connections between containers and other workload types.

Other microsegmentation products provide granular protection at Layers 3 and 4 to block traffic between workloads that should not be able to communicate. The critical difference is that CN-Series can inspect and control allowed traffic at Layer 7 and enable the Palo Alto Networks Threat Prevention subscription service to detect and stop threats that may be attempting to move laterally across the environment. The two types of solutions can be used together.

2. Outbound Traffic Protection

The second prominent use case is securing outbound traffic from container environments to the internet or developer resources hosted in sites like GitHub. The Palo Alto Networks URL Filtering service provides guardrails for developers and other users to ensure that they are not connecting to potentially malicious sites. A CN-Series firewall's ability to inspect traffic content, coupled with our DNS Security service, guards against data exfiltration and ensures that critical information stays in the environment where it belongs.

Although some customers may prefer to use their perimeter firewalls in their on-prem data centers, customers running Kubernetes
environments in the public cloud will require CN-Series.

3. Inbound Threat Prevention

Last but not least is the traditional inbound perimeter use case. Network security teams can prevent threats riding on inbound traffic
to the container environment with Palo Alto Networks Threat Prevention and WildFire malware analysis services. Again, depending
on the customer's environment and overall architecture, they may elect to do this with their perimeter firewalls on-prem. Still, a CN-
Series or VM-Series would be required to do this in public cloud environments.

All these use cases can be addressed regardless of whether the apps are hosted in an on-prem data center or a public cloud.

Cloud NGFW

Cloud NGFW for AWS delivers Palo Alto Networks ML-Powered NGFW capabilities as a fully managed, cloud-native service operated by Palo Alto Networks on the Amazon Web Services (AWS) platform. This deployment model combines the power of the Palo Alto Networks NGFW with the ease of use of AWS. The Cloud NGFW service provides advanced application visibility and access control using Palo Alto Networks App-ID and URL Filtering technologies. It provides threat prevention and detection through cloud-delivered security services and threat prevention signatures.

On Cloud NGFW, you define Security policy rules and group them in a rulestack. The NGFW applies your Security policy to the traffic received
by the NGFW endpoints and enforces that policy. When creating your NGFW, you must specify a VPC and local rulestack. Additionally, you
must also specify how and where the associated NGFW endpoints are deployed.


NGFW endpoints intercept traffic and route it to the NGFW for inspection and policy enforcement.
There are two management modes that you can use to create endpoints.

• In service-managed mode, the Cloud NGFW tenant automatically creates an endpoint in each subnet you specify. The NGFW service retrieves a list of subnets from the VPC you specified; from that list, you choose the subnets that should have an endpoint.
• In customer-managed mode, you choose existing availability zones that need to be secured in your specified VPC and then manually create the NGFW endpoints in existing subnets in the chosen zones. After the NGFW has been created, you must use the AWS console to complete the process of creating NGFW endpoints.

After creating an NGFW and NGFW endpoints, you must update your AWS route tables to ensure that traffic is sent to the NGFW. Which
route tables you update and how you update them depends on your specific deployment. See Direct Traffic to Cloud NGFW for AWS for
deployment examples with example route tables for more details.
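A default route that was never repointed at the NGFW endpoint silently bypasses inspection, so a deployment is only as good as its route tables. The check below, an added example rather than Palo Alto Networks or AWS code, audits route-table data for protected subnets whose 0.0.0.0/0 route does not go to an NGFW endpoint and builds the corrective boto3 EC2 calls; the route tables, subnet and endpoint IDs are constructed placeholders, and create_route/replace_route are the real boto3 client method names.

```python
"""Audit AWS route tables for Cloud NGFW traffic steering (added example, not
Palo Alto Networks or AWS code). Cloud NGFW endpoints are VPC endpoints, so a
protected subnet whose default route still points at an internet gateway, or
that has no default route, never hands traffic to the NGFW. All IDs are
placeholders; the data mirrors boto3's ec2.describe_route_tables() shape."""

DEFAULT_ROUTE = "0.0.0.0/0"

# Constructed: the endpoint each protected subnet should use (one per AZ).
ENDPOINT_FOR_SUBNET = {
    "subnet-app-a": "vpce-0aaa000000000001",
    "subnet-app-b": "vpce-0aaa000000000002",
    "subnet-app-c": "vpce-0aaa000000000003",
}
NGFW_ENDPOINT_IDS = set(ENDPOINT_FOR_SUBNET.values())

# Constructed route tables. The endpoint subnets themselves are not listed:
# they keep their IGW route and must not point back at the endpoint.
ROUTE_TABLES = [
    {  # AZ-a app subnet: default route correctly steered to its endpoint
        "RouteTableId": "rtb-app-a",
        "Associations": [{"SubnetId": "subnet-app-a"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE,
             "VpcEndpointId": "vpce-0aaa000000000001"},
        ],
    },
    {  # AZ-b app subnet: still sends 0.0.0.0/0 straight to the IGW (bypass)
        "RouteTableId": "rtb-app-b",
        "Associations": [{"SubnetId": "subnet-app-b"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": DEFAULT_ROUTE, "GatewayId": "igw-0abc"},
        ],
    },
    {  # AZ-c app subnet: no default route at all
        "RouteTableId": "rtb-app-c",
        "Associations": [{"SubnetId": "subnet-app-c"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        ],
    },
]


def default_route_target(route_table):
    """Return (target_key, target_id) of the 0.0.0.0/0 route, or None."""
    for route in route_table.get("Routes", []):
        if route.get("DestinationCidrBlock") != DEFAULT_ROUTE:
            continue
        for key in ("VpcEndpointId", "GatewayId", "NatGatewayId",
                    "TransitGatewayId"):
            if key in route:
                return key, route[key]
    return None


def find_unsteered_subnets(route_tables, endpoint_ids, protected_subnets):
    """Map each protected subnet that does not default-route to an NGFW
    endpoint to a short reason. Subnets without an explicit association use
    the VPC main route table, so they are reported separately."""
    findings, seen = {}, set()
    for rtb in route_tables:
        subnets = {a["SubnetId"] for a in rtb.get("Associations", [])
                   if "SubnetId" in a}
        for subnet in subnets & protected_subnets:
            seen.add(subnet)
            target = default_route_target(rtb)
            if target is None:
                findings[subnet] = "no default route"
            elif target[0] != "VpcEndpointId" or target[1] not in endpoint_ids:
                findings[subnet] = f"default route goes to {target[1]}"
    for subnet in protected_subnets - seen:
        findings[subnet] = "no explicit route table association"
    return findings


def plan_route_fixes(route_tables, endpoint_for_subnet):
    """Build keyword arguments for boto3 ec2 create_route()/replace_route()
    that would steer each unsteered subnet to its designated endpoint.
    Nothing is applied here; an operator reviews the plan first."""
    findings = find_unsteered_subnets(route_tables,
                                      set(endpoint_for_subnet.values()),
                                      set(endpoint_for_subnet))
    plan = []
    for rtb in route_tables:
        for subnet in (a.get("SubnetId") for a in rtb.get("Associations", [])):
            if subnet not in findings:
                continue
            action = ("create_route" if findings[subnet] == "no default route"
                      else "replace_route")
            plan.append((action, {"RouteTableId": rtb["RouteTableId"],
                                  "DestinationCidrBlock": DEFAULT_ROUTE,
                                  "VpcEndpointId": endpoint_for_subnet[subnet]}))
    return plan


if __name__ == "__main__":
    report = find_unsteered_subnets(ROUTE_TABLES, NGFW_ENDPOINT_IDS,
                                    set(ENDPOINT_FOR_SUBNET))
    for subnet, reason in sorted(report.items()):
        print(f"NOT STEERED {subnet}: {reason}")
    for action, kwargs in plan_route_fixes(ROUTE_TABLES, ENDPOINT_FOR_SUBNET):
        print(f"ec2.{action}(**{kwargs})")
```

To run it against a live account, replace ROUTE_TABLES with the "RouteTables" list returned by boto3's ec2.describe_route_tables() and feed each planned call to the EC2 client only after review.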

2.1.1 References

• CN-Series Key Concepts
  https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-key-concepts#id06ceee36-7674-4392-9b25-8a322528b771
• Getting Started with Cloud NGFW for AWS
  https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/getting-started-with-cloud-ngfw-for-aws
• Cloud NGFW and Cloud NGFW Endpoints
  https://docs.paloaltonetworks.com/cloud-ngfw/aws/cloud-ngfw-on-aws/create-cloud-ngfw-instances-and-endpoints
• CN-Series
  https://docs.paloaltonetworks.com/cn-series
• CN-Series Deployment Guide
  https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment
• VM-Series
  https://docs.paloaltonetworks.com/vm-series
• Why Native Security Controls in Public Clouds Are Not Enough
  https://www.paloaltonetworks.com/resources/ebooks/native-security-not-enough

2.2 Create and apply flex credits to software firewalls

Software NGFW credits can be used to fund Software NGFWs (VM-Series and CN-Series), cloud-delivered security services (CDSS), or
virtual Panorama appliances in networks with or without internet access.

Create a deployment profile to configure one or more firewalls based on PAN-OS version, the number of vCPUs per firewall, the total number
of firewalls supported by the deployment profile, Panorama management or log collection, and security services. All the VMs that a deployment
profile creates share the same authcode.


Software NGFW credits are term-based. Terms can be defined for any amount of time between one and five
years. Both allocated and unallocated credits expire at the end of the agreed-upon term.
You can purchase additional credits for a credit pool, but the expiration date must be the same as the target pool.
Use the Software NGFW Credit Estimator to calculate and get credits for your deployment profile.

Activate Credits
Within your organization, you can create many accounts, each with a different purpose. During activation, you
can choose only one account per default credit pool. Once the credit pool is active, users granted the credit
administrator role can allocate the credits for deployments, and even transfer credits to other pools. If you have
an existing cloud service provider (CSP) account and are a superuser or an admin, the system automatically
adds the credit admin role to your profile. If you do not have an existing account, the CSP creates an account for
you and adds the credit admin role to your profile.

You (the purchaser) receive an email detailing the subscription, the credit pool ID, the subscription start and end
date, the number of credits purchased, and the description of the default credit pool (the credit pool created when
you activate your credits).

Key Idea

• While activating credits, always retain the confirmation email with subscription
details for future reference.

Step 1: In the email, click Start Activation to view your available credit pools.

Step 2: Select the credit pool you want to activate. You can use the search field to filter your account list by
number or name.

If you have purchased multiple credit pools, all of them are automatically selected. The check marks represent
activation links for onboarding credits.

You are prompted to authenticate or sign in.

Key Idea

• If you deselect a credit pool, you see a reminder that if you want to activate those credits, you
must return to the email and click the Start Activation link.

Step 3: Select Start Activation.

Step 4: Select the support account (you can search by account number or name).

Step 5: Select the default credit pool.

Step 6: Select Deposit Credits.


You see a message that the deposit was successful.

Step 7: (optional) If this is your first credit activation, you see the Create Deployment Profile dialog.

Create a CN-Series Deployment Profile

Step 1: If you already have a credit pool, log in to the account. From the dashboard, select Assets > Software NGFW Credits > Prisma NGFW Credits > Create New Profile.

If you have just activated a credit pool, you see the Create Deployment Profile form.

1. Select the CN-Series firewall type.
2. Select PAN-OS 10.2 and above.
3. Click Next.

Step 2: Create a CN-Series profile.

1. Name the Profile.

2. In the Total vCPUs field, Enter the total number of vCPUs across all CN-NGFW.

3. Select a Security Use Case from the drop-down. Each Security Use Case in the drop-down automatically selects a number of subscriptions that are recommended for the chosen use case. If you select Custom, you can specify the subscriptions that you would like to use in your deployment.

4. (optional) Use Credits to Enable VM Panorama—For Management or Dedicated Log Collector.

Step 3: (optional) Hover over the question mark following Protect more, save more to see how your credit
allocation affects savings.

Step 4: Click Calculate Estimated Cost to view the total credit and the number of credits available before
deployment. (optional) Hover over the question mark following the estimate to view the credit breakdown for each
component.

Step 5: (optional) If you used credits to Enable a Panorama VM, complete the following steps to provision
Panorama and generate a serial number.

1. Select Assets > Software NGFW Credits > Prisma NGFW Credits and locate your deployment
profile.
2. On the far right, select the vertical ellipsis and select Provision Panorama.

3. Click Provision to generate a serial number.


4. Record or copy the serial number to apply to your Panorama instance.


5. Register Panorama.

Once you have applied the serial number to Panorama, Panorama will contact the licensing update server and retrieve the license.

Create a VM-Series Deployment Profile


Step 1: If you already have a credit pool, log in to the account. From the dashboard, select Assets > Software
NGFW Credits > Create Deployment Profile.

If you have just activated a credit pool, you see the Create Deployment Profile form.

1. Select the VM-Series firewall type.
2. Select the PAN-OS version:
   • Fixed Models (VM-Series Models)
   • Flexible vCPUs (PAN-OS 10.0.4 and above)

3. Click Next.

Step 2: Create a VM-Series profile.

1. Name the Profile.

2. In the Number of Firewalls field, enter the number of firewalls this profile deploys, assuming you
have sufficient credits. You do not have to deploy them all at once.

3. For Firewall Model, choose a VM-Series model.

   Planned vCPU/Firewall (PAN-OS 10.0.4 or above): Enter the number of vCPUs per firewall.

   Security Use Case: Choose a use case.

4. Customize Subscriptions.

After selecting a use case, you can add or remove security services.

5. (optional) Use Credits to Enable VM Panorama.

Choose the Panorama use case(s)—Management and/or Log Collector.

Step 3: (optional) Hover over the question mark following Protect more, save more to see how your credit
allocation affects savings.

Step 4: Click Calculate Estimated Cost to view the total credit and the number of credits available before
deployment.

(optional) Hover over the question mark following the estimate to view the credit breakdown for each component.

Step 5: Create the Deployment Profile.

You might have to wait several seconds for the profile to appear in the Current Deployment Profiles tab
list. Before the allocation is complete, the Credits Consumed/Allocated column shows 0 and Update
Pending. Scroll to the bottom and go to the last page to find your profile.

To view your deployment profile later, click the Details button on the parent credit pool and select Current
Deployment Profiles.

• Note the Auth Code for your profile on the far right; Software NGFW credit auth codes start with D.
• The Credits Consumed/Allocated column shows 0 and Update Pending before the allocation is complete.
• The Audit Trail tab shows Credit Transactions and the Deployment Profiles you manage. You can also search for a profile by time in this tab.

Use search to locate your profile and expand the row to view the configuration you specified when you
created the profile.

2.2.1 References

• Activate Credits
  https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/license-the-cn-series-firewall/activate-credits
• Activate Credits Video Pt. 1
  https://www.youtube.com/watch?v=0cAcLt8Lm84
• Activate Credits Video Pt. 2
  https://www.youtube.com/watch?v=guojHvWIuwM
• Create a CN-Series Deployment Profile
  https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/license-the-cn-series-firewall/create-a-deployment-profile-cn-series#idd20d9f6b-0856-4308-84da-a7368b5bf005
• Create a VM-Series Deployment Profile
  https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/create-a-deployment-profile-vm-series

2.3 Describe the importance of third-party integrations

Partner Interoperability for VM-Series Firewalls

Palo Alto Networks offers two tiers of support for third-party partner platforms for the VM-Series next-generation firewall: Palo Alto Networks Certified and Partner-Qualified. The VM-Series firewall provides the same security features and functionality regardless of support tier; the difference lies in the types of issues Palo Alto Networks is able to help you resolve.

• Partner Qualified—Palo Alto Networks Customer Support assists you with any issue directly related to the VM-Series firewall. VM-Series issues are defined as issues that occur after a packet enters the firewall. This does not include issues related to a partner platform.

VM-Series issues include:

• PAN-OS configuration
• VM-Series upgrades
• VM-Series licensing
• VM-Series documentation

• Palo Alto Networks Certified—Palo Alto Networks Customer Support assists with all VM-Series firewall issues as well as issues related to the partner platform. Platform issues are defined as issues that involve a packet outside the VM-Series firewall, such as arriving at or leaving the firewall or hypervisor, or an issue with the hardware configuration.

Platform issues include:

• Network interfaces not recognized by the VM-Series firewall
• VM-Series firewall not booting
• Platform configuration
• Bootstrapping of the VM-Series firewall
• Connections to other networking devices
• High availability
• I/O Acceleration (DPDK, SR-IOV, and PCI passthrough)

Palo Alto Certified Integrations

Refer to the tables for details about hardware platforms and software versions on which you can deploy the VM-Series firewall.

The partner software version and the PAN-OS version columns display the range of versions and the minimum version in parentheses. For example,
where the PAN-OS Version column displays PAN-OS 9.1.x (9.1.0), it indicates that the integration supports PAN-OS 9.1 releases beginning with PAN-
OS 9.1.0.


Ciena—The following table shows the Ciena products with which VM-Series firewalls interoperate.

Hardware: 3906mvi and 3926mvi
Hypervisor: KVM
SAOS software version (minimum): 18.x (18.06.00)
SAOS tested software version (minimum): 18.06.x (18.06.00)
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Layer 3 mode on the VM-50, VM-100, and VM-300; VirtIO and DPDK mode
Documentation: Ciena documentation

Cisco Cloud Services Platform—The following table shows the Cisco Cloud Services Platform (CSP) products with which
VM-Series firewalls interoperate.

Hardware: CSP5400 series and CSP2100 series
Hypervisor: KVM
CSP software version (minimum): 2.x (2.4.0)
CSP tested software version (minimum): 2.4.x (2.4.0)
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Layer 2, Layer 3, and virtual wire deployments on all VM-Series models except the VM-50; VM-Series firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode
Documentation: Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2)

Hardware: CSP5400 series
Hypervisor: KVM
CSP software version (minimum): 4.6.x (4.6)
CSP tested software version (minimum): 4.6.x (4.6.1-FC1)
PAN-OS version (minimum): 10.1.x (10.1.0)
Deployment modes supported: Layer 2, Layer 3, and virtual wire deployments on all VM-Series models except the VM-50; VM-Series firewalls in an HA configuration; SR-IOV, Packet MMAP, and DPDK mode
Documentation: Set Up the VM-Series Firewall on Cisco CSP (PAN-OS 10.2)

Juniper NFX Network Services Platform—The following table shows the Juniper NFX Network Services
Platform products with which VM-Series firewalls interoperate.

Hardware: NFX 250
Hypervisor: KVM
Junos software version (minimum): 15.1X53-D470.x (15.1X53-D470.5)
Junos tested software version (minimum): -
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Layer 2, Layer 3, and virtual wire deployments; DPDK mode
Documentation: Juniper NFX documentation

NSX SD-WAN by VeloCloud—The following table shows the NSX SD-WAN by VeloCloud products with which
VM-Series firewalls interoperate.

Hardware: Edge 520v and Edge 840
Hypervisor: KVM
VCE software version (minimum): 3.x (3.2.0)
VCE tested software version (minimum): 3.3.x (3.3.1)
PAN-OS version (minimum): 9.1.x (9.1.0)
Deployment modes supported: Virtual wire deployments; DPDK mode
Documentation: NSX SD-WAN by VeloCloud documentation

2.3.1 References

• Partner Interoperability for VM-Series Firewalls
https://docs.paloaltonetworks.com/compatibility-matrix/vm-series-firewalls/vm-series-partner-interoperability

2.4 Explain the benefits of cloud-delivered security services (CDSS) and Advanced URL Filtering (AURLF)

Cloud-delivered security services (CDSS)

CDSS provides enhanced security by unlocking certain firewall features, by enabling the firewall to leverage a Palo
Alto Networks cloud-delivered service, or both. Palo Alto Networks currently offers the following cloud-delivered security services:

• Threat Prevention—Goes beyond traditional intrusion prevention system (IPS) solutions
to automatically prevent all known threats across all traffic in a single pass.
• IoT Security—Protects Internet of Things (IoT) and operational technology (OT) devices across your
organization with the industry's first turnkey IoT security solution.
• WildFire—Ensures that files are safe by automatically detecting and preventing unknown
malware with cloud-based analysis.
• Data Loss Prevention—Enables cloud-based protection against unauthorized access,
misuse, extraction, and sharing of sensitive information.
• URL Filtering—Enables the safe use of the internet by preventing access to known and new
malicious websites before users can visit them.
• DNS Security—Disrupts attacks that use the Domain Name System (DNS) for command and
control and data theft, without requiring any changes to your infrastructure.
• Prisma SaaS—A cloud access security broker (CASB) that provides advanced capabilities in risk discovery,
data loss prevention, compliance assurance, data governance, user behavior monitoring, and advanced
threat prevention.
• GlobalProtect—Protects your mobile workforce by extending the firewall to all users,
regardless of location, by establishing a secure IPSec/SSL VPN connection.
• SD-WAN—An end-to-end SD-WAN architecture that provides intelligent and dynamic path
selection on top of the security that PAN-OS software delivers.

Advanced URL Filtering (AURLF)


Palo Alto Networks' URL filtering solution, Advanced URL Filtering (AURLF), is a subscription service that defends your network from web-based
threats by giving your users safe access to the web while delivering granular policy controls to precisely
define how they interact with and access online content. This service provides all of the functionality offered by the
legacy URL Filtering subscription by delivering a URL categorization database, while also bringing the added
benefit of full web-content inspection using inline ML-based web security engines to prevent evasive and unknown
web threats.

Key Idea

• Legacy URL Filtering subscription holders can continue using their URL Filtering
deployment until the end of the license term.

With AURLF enabled, URL requests are:

• Compared against the PAN-DB URL database, which contains millions of websites that have been
categorized. You can use these URL categories in URL Filtering profiles or as match criteria to enforce
Security policy. You can also use URL filtering to enforce safe search settings for your users and to
prevent credential theft based on URL category.
• Analyzed in real time using the cloud-based Advanced URL Filtering detection modules to provide protection
against new and unknown threats that do not currently exist in the URL filtering database.

• Inspected for phishing and malicious JavaScript using local inline categorization, a firewall-based analysis
solution, which can block unknown malicious web pages in real time.

If the network security requirements in your enterprise prohibit the firewalls from directly accessing the internet,
Palo Alto Networks provides an offline URL filtering solution with the PAN-DB Private Cloud. This allows you to
deploy a PAN-DB private cloud on one or more M-600 appliances that function as PAN-DB servers within your
network; however, it does not support any of the cloud-based URL analysis features found in the AURLF solution.


2.4.1 References

• Cloud Delivered Security Services
https://beacon.paloaltonetworks.com/student/collection/747959-cloud-delivered-security-services?sid_i=0
• URL Filtering
https://docs.paloaltonetworks.com/url-filtering
• About the Palo Alto Networks URL Filtering Solution
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/url-filtering-overview

2.5 Describe the benefits of automation as applied by Palo Alto Networks

Automation
Automation levels the playing field, reduces the volume of threats, and allows for faster prevention of new and previously unknown
threats. Many security vendors look at automation as a way to become more efficient and to save on manpower or headcount.
Automation should also be viewed as a tool that can, and should, be used to better predict behaviors and execute protections faster. If
implemented appropriately and with the right tools, automation can aid in the prevention of successful cyberattacks. The following are
four ways in which automation should be used:

• Correlating Data
Many security vendors collect substantial amounts of threat data. However, data provides little value unless it is organized
into actionable next steps.

To do this effectively, organizations first need to collect threat data across all attack vectors and from security technologies
within their own infrastructure, as well as global threat intelligence outside of their infrastructure.

Then, they need to identify groups of threats that behave similarly within the massive amounts of data and use that to predict the
attacker's next step. When using this approach, more data collected results in more accurate results and reduces the likelihood that
the groups identified are merely an anomaly. Consequently, the analysis must also have enough computing power to scale to

today's threat volume—something that is impossible to do manually. Machine learning and automation allow data sequencing to
happen faster, more effectively, and more accurately.

Finally, combining this approach with dynamic threat analysis is the only way to accurately detect sophisticated and never-
before-seen threats.

• Generating Protections Faster Than Attacks Can Spread

Once a threat is identified, protections need to be created and distributed faster than an attack can spread throughout the
organization's networks, endpoints, or cloud. Because of the time penalty that analysis adds, the best place to stop the newly
discovered attack is not at the location where it was discovered but at the attack's predicted next step. Manually creating a
full set of protections for the different security technologies and enforcement points capable of countering future behaviors is
not only a slow-moving, lengthy process but also is extremely difficult when correlating different security vendors in your
environment without the right control and resources. Automation can expedite the process of creating protections without straining resources, all
while keeping pace with the attack.

• Implementing Protections Faster Than Attacks Can Progress

Once protections are created, they need to be implemented to prevent the attack from progressing further through its life cycle. Protections should be
enforced not only in the location where the threat was identified, but also across all technologies within the organization to provide
consistent protection against the attack's current and future behaviors. Utilizing automation in the distribution of protections is the
only way to move faster than an automated and well-coordinated attack and stop it. With automated big-data attack sequencing and
automated generation and distribution of protections, you are able to more accurately predict the next step of an unknown attack
and move fast enough to prevent it.

• Detecting Infections Already in Your Network

To stop an attack before data leaves the network, you must respond faster than the attack itself. To identify an infected host or suspicious behaviors,
you must be able to analyze data from your environment backward and forward in time, looking for a combination of behaviors that
indicate that a host in your environment has been infected. Similar to analyzing unknown threats attempting to enter the network,
manually correlating and analyzing data across your network, endpoints, and clouds is difficult to scale. Automation allows for faster
analysis and, should a host on your network be compromised, faster detection and intervention.

2.5.1 Terraform

Terraform is a powerful open-source tool that is used to build and deploy infrastructure safely and efficiently. It is cloud platform agnostic
(unlike AWS CloudFormation templates (CFTs) or Azure Resource Manager (ARM) templates), provides for the definition of infrastructure as
code, and produces immutable infrastructure deployments. The Palo Alto Networks Terraform automation project offers Terraform templates
to assist in deploying agile infrastructures based on Palo Alto Networks next-generation firewalls in the cloud.

Terraform Quickstart

The Palo Alto Networks repository of Terraform templates to secure workloads on AWS and Azure, https://github.com/PaloAltoNetworks/terraform-templates,
contains templates to deploy three-tier and two-tier applications along with the Palo Alto Networks firewall on cloud
platforms such as AWS and Azure. Terraform is licensed under the Mozilla Public License v2.0.

Key Idea

• Each of the subrepositories contains a README with instructions on usage and deployment.

This repository contains the following subrepositories:

• aws_elb_autoscale
  • Deploy a three-tier application.
  • Deploy an external load balancer that sits in front of the PAN firewalls (FWs).
  • Deploy the PAN FW into an auto scale group.
  • Deploy an internal load balancer that sits behind the PAN FW and fronts the web tier.
  • Deploy the Lambda functions to configure the PAN FWs.
• aws_two_tier_no_bootstrap_with_ansible
  • Deploy a two-tier application.
  • Deploy the web instances into a secure subnet.
  • Deploy the PAN FW with interfaces on the untrust, trust, and management subnets.
  • Deploy an application on the backend trust subnets.
  • Configure the VM-Series with Ansible.
  • Invoke Ansible directly from Terraform.
• aws_two_tier
  • Deploy a two-tier application.
  • Deploy the web instances into a secure subnet.
  • Deploy the PAN FW with interfaces on the untrust, trust, and management subnets.
• azure_two_tier_sample
  • Deploy a two-tier application.
  • Deploy the web instances into a secure subnet.
  • Deploy the PAN FW with interfaces on the untrust, trust, and management subnets.
• Automated Terraform and Ansible one-click deployment for AWS and Azure.

2.5.2 Ansible

Ansible is a powerful open-source automation tool. It uses modules to communicate with vendor-specific
devices. What makes Ansible unique is that it is also a deployment and orchestration tool. Ansible provides large
productivity gains across a wide variety of automation challenges. The Palo Alto Networks Ansible integration project uses
Ansible to help organizations automate configuration and management of the Palo Alto Networks platform.

Ansible Quickstart

A collection of Ansible modules is available to automate configuration and operational tasks on Palo Alto Networks next-generation
firewalls, in both physical and virtualized form factors. Under the hood, the modules wrap PAN-OS API calls within the Ansible framework.

• Free software: Apache 2.0 License
• Palo Alto Networks Ansible Collection: https://paloaltonetworks.github.io/pan-os-ansible/
• PANW community supported live page: http://live.paloaltonetworks.com/ansible

You can use the Palo Alto Networks Ansible collection to automate configuration and operational tasks on Palo Alto
Networks next-generation firewalls using the PAN-OS API.

It is available under the Apache 2.0 license.

• https://github.com/PaloAltoNetworks/pan-os-ansible/


Installation

The recommended way to install the modules is to install the Palo Alto Networks Ansible Galaxy collection:

    ansible-galaxy collection install paloaltonetworks.panos

Then, in your playbooks, you can specify that you want to use the panos collection like so:

    collections:
      - paloaltonetworks.panos
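The following script is an added example, not code from the study guide or the pan-os-ansible project. It installs the collection and generates a playbook that creates an address object and a Security policy rule on a firewall with the paloaltonetworks.panos modules, then commits. The firewall address and credentials are read from environment variables (PANOS_HOST, PANOS_USERNAME, PANOS_PASSWORD) at run time; the zone names, the app-servers object and the 10.0.2.0/24 subnet are placeholders.

```sh
#!/bin/sh
# Added example (not from the study guide or the pan-os-ansible project).
# Installs the paloaltonetworks.panos collection, generates a playbook that
# creates an address object and a Security policy rule on a firewall, and
# commits. Firewall address and credentials come from environment variables
# at run time; zone names and the 10.0.2.0/24 subnet are placeholders.

install_panos_collection() {
    ansible-galaxy collection install paloaltonetworks.panos
}

# Write the playbook to the path given as $1. The quoted heredoc keeps the
# Jinja2 braces intact and keeps credentials out of the file.
write_panos_playbook() {
    cat > "$1" <<'EOF'
---
- name: Allow HTTPS from untrust to the application tier
  hosts: localhost
  connection: local
  gather_facts: false
  collections:
    - paloaltonetworks.panos
  vars:
    provider:
      ip_address: "{{ lookup('env', 'PANOS_HOST') }}"
      username: "{{ lookup('env', 'PANOS_USERNAME') }}"
      password: "{{ lookup('env', 'PANOS_PASSWORD') }}"
  tasks:
    - name: Address object for the application tier (placeholder subnet)
      panos_address_object:
        provider: "{{ provider }}"
        name: app-servers
        value: 10.0.2.0/24
        address_type: ip-netmask
        description: Application tier
        state: present

    - name: Security policy rule scoped to the object, App-ID and default ports
      panos_security_rule:
        provider: "{{ provider }}"
        rule_name: allow-web-to-app
        source_zone: ["untrust"]
        destination_zone: ["trust"]
        source_ip: ["any"]
        destination_ip: ["app-servers"]
        application: ["ssl", "web-browsing"]
        service: ["application-default"]
        action: allow
        log_end: true
        state: present

    - name: Commit the candidate configuration
      panos_commit_firewall:
        provider: "{{ provider }}"
        description: Allow web traffic to the application tier via Ansible
EOF
}

run_panos_playbook() {
    ansible-playbook "$1"
}

# Invoke as "sh panos-ansible.sh deploy" with PANOS_HOST, PANOS_USERNAME and
# PANOS_PASSWORD exported; sourcing the file only defines the functions.
if [ "${1:-}" = "deploy" ]; then
    install_panos_collection
    write_panos_playbook ./panos-allow-web.yml
    run_panos_playbook ./panos-allow-web.yml
fi
```

Keeping the rule scoped to a named address object, specific App-IDs and application-default ports is the point of running this through Ansible: every run re-asserts the same narrow rule rather than whatever an operator last typed into the GUI.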

2.5.3 Dynamic responses to threats

Palo Alto Networks regularly posts updates that include new and modified applications, threat protection, and GlobalProtect data files through
dynamic updates. The firewall can retrieve these updates and use them to enforce policy, without requiring configuration changes. Applications
and Threats content updates deliver the very latest application and threat signatures to the firewall. The applications portion of the package
includes new and modified App-IDs and does not require a license. The full Applications and Threats content package, which also includes
new and modified threat signatures, requires a Threat Prevention license. As the firewall automatically retrieves and installs the latest
application and threat signatures (based on your custom settings), it starts enforcing Security policy based on the latest App-IDs and threat
protection without any additional configuration.

New and modified threat signatures and modified App-IDs are released at least weekly and often more frequently. New App-IDs are released
on the third Tuesday of every month.

Key Idea

• In rare cases, publication of the update that contains new App-IDs may be delayed one or two days.

Because new App-IDs can change how the Security policy enforces traffic, this limited release of new App-IDs is intended to provide you with
a predictable window in which you can prepare and update your Security policy. Additionally, content updates are cumulative; this means that
the latest content update always includes the application and threat signatures released in previous versions.

Because application and threat signatures are delivered in a single package—the same decoders that enable application signatures to identify
applications also enable threat signatures to inspect traffic—you need to consider whether you want to deploy the signatures together or
separately.
How you choose to deploy content updates depends on your organization's network security and application availability requirements. As a
starting point, identify your organization as having one of the following postures (or perhaps both, depending on firewall location):

• An organization with a security-first posture prioritizes protection using the latest threat signatures over application availability. You
are primarily using the firewall for its threat prevention capabilities. Any changes to App-ID that impact how a Security policy enforces
application traffic are secondary.

• A mission-critical network prioritizes application availability over protection using the latest threat signatures. Your network has zero
tolerance for downtime. The firewall is deployed inline to enforce Security policy, and if you are using App-ID in a Security policy,
any change that a content release introduces that affects App-ID could cause downtime.

2.5.4 References

• 4 Ways Cybersecurity Automation Should be Used
https://www.paloaltonetworks.com/cyberpedia/4-ways-cybersecurity-automation-should-be-used
• Infrastructure as Code
https://panos.pan.dev/docs/automation/
• Applications and Threats Content Updates
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/software-and-content-updates/app-and-threat-content-updates

2.6 Summary of Key Ideas

• For the best instance types for optimal VM-Series capacity and performance, see the
VM-Series Performance and Capacity document.
• While activating credits, always retain the confirmation email with subscription details for future reference.
• If you deselect a credit pool, you see a reminder that if you want to activate those credits,
you must return to the email and click the Start Activation link.
• Legacy URL Filtering subscription holders are able to continue using their URL Filtering deployment until the end of the license term.
• Each of the subrepositories contains a README with instructions on usage and deployment.
• In rare cases, publication of the update that contains new App-IDs may be delayed one or two days.

2.7 Sample Questions

1. Which security service ensures that files are safe by automatically detecting unknown malware?
a. URL Filtering
b. WildFire
c. App-ID
d. Threat Prevention

2. Which profile is used to categorize content?
a. URL Filtering
b. Threat Prevention
c. Zero Trust
d. Data Loss Prevention

3. Ansible is used for what purpose?
a. Providing PAN-OS application signature updates
b. Automating device configuration
c. Optimizing firewall resource consumption
d. Identifying transit traffic

4. Which of the following is a package manager for containers?
a. Terraform
b. Helm
c. Ansible
d. YAML

5. What is the basic operational unit of Kubernetes?
a. Node
b. Container
c. Kubernetes services
d. Pod

6. VM-Series is applicable for which of the following traffic scenarios?
a. Inbound
b. North-south and east-west
c. East-west only
d. Outbound

7. What is the order of Kubernetes constructs from smallest to largest in terms of size and scope?
a. Node, namespace, pod, cluster
b. Namespace, node, cluster, pod
c. Pod, node, namespace, cluster
d. Pod, node, cluster, namespace

8. Which environment uses software and virtualization to provide network connectivity for dispersed locations?
a. On-premises
b. SDN
c. SD-WAN
d. Nutanix

9. After deselecting a credit pool, you see a reminder to activate those credits. What will be your next step?
a. Select the credit pool you want to activate.
b. Deposit credits.
c. Purchase a different credit pool.
d. Return to your email and click the Start Activation link.


Domain 3: Architecture and Planning

3.1 Compare and contrast VM-Series deployment options

The VM-Series firewall is distributed in the Open Virtual Appliance (OVA) format, a standard method of
packaging and deploying virtual machines. You can install this solution on any x86 device that is capable of running
VMware ESXi.

You can deploy any VM-Series model as a guest virtual machine on VMware ESXi. It is ideal for cloud environments or networks
where a virtual form factor is required.

VM-Series for AWS

You can deploy the VM-Series firewall in the public AWS cloud and AWS GovCloud. You can then configure it to secure access to the applications that are
deployed on EC2 instances and placed into a VPC on AWS.

The AWS Gateway Load Balancer (GWLB) is an AWS-managed service that allows you to deploy a stack of VM-
Series firewalls and operate them in a horizontally scalable and fault-tolerant manner.
You can then expose the AWS GWLB with the stack of firewalls as a VPC endpoint service for traffic inspection and
threat prevention. By creating GWLB endpoints (GWLBEs) for the VPC endpoint service, you can easily insert an
auto scaling VM-Series firewall stack in the outbound, east-west, and inbound traffic paths of your applications.

Integrating VM-Series firewalls with GWLB:

• Provides simplified connectivity
• Offers performance at scale
• Is cost-effective

You can deploy any VM-Series model, except the VM-50, on EC2 instances on the AWS Cloud.

VM-Series for Microsoft Azure

The VM-Series firewall on Azure brings the security features of the Palo Alto Networks next-generation firewall as a virtual machine into the
Azure Marketplace. It provides a complete set of security functionality to ensure that your virtual-machine workloads and data are protected.
The capabilities that the firewall enables are different from native security features such as network security groups, web application firewalls, and
native, port-based firewalls.

On Azure, the VM-Series firewall is available in the bring-your-own-license (BYOL) model or in the pay-as-you-go (PAYG) hourly model.

Microsoft Azure allows you to deploy the firewall to secure your workloads within the virtual network in the cloud so that you can deploy a
public cloud solution or extend the on-premises IT infrastructure to create a hybrid solution. For more information on gateway load balancer-based
architecture, refer to section 1.1.

You can deploy any VM-Series model, except the VM-50, on the Azure VNet.

VM-Series for Google Cloud Platform

You can deploy a VM-Series firewall on a Google Compute Engine instance on the Google Cloud Platform.

You can deploy any VM-Series model, except the VM-50 and the VM-50 Lite, on Google Compute Engine instances.

Google Cloud Intrusion Detection System (Cloud IDS) is the first network threat detection system delivered as a native Google Cloud service,
built with the industry-leading security technologies of Palo Alto Networks. Cloud IDS is the result of a year-long joint design and engineering
effort between Google Cloud and Palo Alto Networks that was focused on combining the best-in-class security of Palo Alto Networks with the
simplicity and scale of Google Cloud native services.

Cloud IDS can analyze the raw traffic data from Google Cloud workloads and provide contextually rich application and threat information.
More importantly, organizations can monitor even the traffic traversing within the VPC boundary using Cloud IDS. This capability complements
the visibility and protection that VM-Series virtual firewalls provide with traffic crossing the VPC boundary.

Based on this more in-depth inspection, customers can choose to enable alerts for a wide range of security issues, for example:

• High-priority security alerts: Attacks using known exploits—for example, an attempt to exploit CVE-2017-5638 against Apache Struts-based
web servers running in GCP.
• Traffic to inappropriate or malicious destinations and command-and-control systems: Detect whether the source or destination is inappropriate or
malicious, whether geoblocking restrictions are being violated, or whether there is Bitcoin traffic or an SSH session to a known
command-and-control (C2) domain.

VM-Series for Kernel-based Virtual Machine (KVM)

Kernel-based Virtual Machine (KVM) is an open-source virtualization module for servers running Linux distributions. The VM-Series firewall
can be deployed on a Linux server that is running the KVM hypervisor.

You can deploy any VM-Series model on a Linux server that is running the KVM hypervisor.

VM-Series for Microsoft Hyper-V

The VM-Series firewall can be deployed on a server running Microsoft Hyper-V. Hyper-V is packaged as a standalone hypervisor or as an add-on role
for Windows Server.

You can deploy any VM-Series model on a Windows Server 2012 R2 server with the Hyper-V role enabled or on a standalone Hyper-V
Server 2012 R2.

VM-Series on VMware NSX-T

The VM-Series firewall on VMware NSX-T integrates Palo Alto Networks next-generation firewalls and Panorama with ESXi host servers to provide
comprehensive visibility and safe application enablement of all north-south traffic in your NSX-T software-defined data center.

You can deploy the VM-100, VM-300, VM-500, or VM-700 in your NSX-T environment.

3.1.1 References

• VM-Series Deployments
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments#idbc049c9e-8fdf-40c3-b70a-00176813948e
• VM-Series for AWS
https://live.paloaltonetworks.com/t5/blogs/vm-series-and-aws-gateway-load-balancer-integration-overview/ba-p/367897
• VM-Series for Azure
https://www.paloaltonetworks.com/blog/network-security/vm-series-azure-gateway-load-balancer/

3.2 Describe CN-Series deployment tool options

CN-Series firewalls can be used to secure traffic between containers within the same cluster, as well as between containers and other
workload types such as virtual machines and bare-metal servers.

If you are deploying on OpenShift, see Deploy the CN-Series on OpenShift. For securing 5G traffic, see Secure 5G With the CN-Series
Firewall.

Key Idea

• You need standard Kubernetes tools such as kubectl or Helm to deploy and manage your Kubernetes clusters, apps,
and firewall services. Panorama is not designed to be an orchestrator for Kubernetes cluster deployment and
management. Templates for cluster management are provided by Managed Kubernetes providers. Palo Alto
Networks provides community-supported templates for deploying CN-Series with Helm and Terraform.

Refer to the links below to learn about CN-Series firewalls and the options available for deploying on different cloud platforms:

• Deploy the CN-Series Firewall with Rancher Orchestration
• Deploy the CN-Series Firewall on GKE
• Deploy the CN-Series Firewall on EKS
• Deploy the CN-Series Firewall as a Kubernetes Service
• Deploy the CN-Series Firewall as a DaemonSet
• Deploy the CN-Series Firewall as a Kubernetes CNF
• Deploy the Kubernetes CNF L3 in Standalone Mode
• Deploy the CN-Series on OpenShift
• Deploy CN-Series Firewalls with a Template

For more details about CN-Series deployment, refer to the CN-Series deployment guide.


Key Idea

• Before moving from deploying CN-Series as a DaemonSet to CN-Series as a Kubernetes Service, or vice versa, you must delete and
reapply plugin-serviceaccount.yaml.
• When you deploy CN-Series as a DaemonSet, pan-plugin-cluster-mode-secret must not exist.
• When you deploy CN-Series as a Kubernetes Service, pan-plugin-cluster-mode-secret must be present.
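The three rules above are easy to get wrong when switching modes, so a pre-flight check is worth scripting. The following is an added example, not code from the study guide or from Palo Alto Networks. It assumes the CN-Series objects live in the kube-system namespace (override with CN_NAMESPACE) and that plugin-serviceaccount.yaml is in the current directory; both are assumptions, not facts from the guide.

```sh
#!/bin/sh
# Added example: pre-flight check for the CN-Series deployment mode rules.
# Assumptions (not from the study guide): the CN-Series objects live in the
# kube-system namespace and plugin-serviceaccount.yaml is in the current
# directory.
NAMESPACE="${CN_NAMESPACE:-kube-system}"
SECRET_NAME="pan-plugin-cluster-mode-secret"

# Pure check: given the target mode (daemonset|service) and whether the
# secret exists (yes|no), return 0 if the cluster state is consistent with
# that mode and 1 otherwise, printing the reason on a mismatch.
cn_mode_consistent() {
    mode="$1"; secret_present="$2"
    case "$mode:$secret_present" in
        daemonset:no|service:yes)
            return 0 ;;
        daemonset:yes)
            echo "mismatch: $SECRET_NAME exists but DaemonSet mode requires it to be absent"
            return 1 ;;
        service:no)
            echo "mismatch: $SECRET_NAME is missing but Kubernetes Service mode requires it"
            return 1 ;;
        *)
            echo "usage: cn_mode_consistent daemonset|service yes|no"
            return 2 ;;
    esac
}

# Ask the cluster whether the secret exists; prints yes or no.
cn_secret_present() {
    if kubectl -n "$NAMESPACE" get secret "$SECRET_NAME" >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Delete and reapply the plugin service account, which the guide requires
# whenever you switch between DaemonSet and Service modes.
cn_reset_plugin_serviceaccount() {
    kubectl delete -f plugin-serviceaccount.yaml --ignore-not-found
    kubectl apply -f plugin-serviceaccount.yaml
}

# Full check against the live cluster for the mode given as $1.
cn_preflight() {
    mode="$1"
    if cn_mode_consistent "$mode" "$(cn_secret_present)"; then
        echo "cluster state is consistent with $mode mode"
    else
        echo "fix the secret, then run cn_reset_plugin_serviceaccount before applying the $mode manifests" >&2
        return 1
    fi
}

# Invoke as "sh cn-preflight.sh check daemonset" or "... check service";
# sourcing the file only defines the functions.
if [ "${1:-}" = "check" ]; then
    cn_preflight "$2"
fi
```

Run the check before applying the mode's manifests; if it fails, create or delete the secret as the message says, then run cn_reset_plugin_serviceaccount before switching modes.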

3.2.1 YAML Ain't Markup Language (YAML)

YAML is a popular, human-readable data-serialization language for writing configuration files. It is not a programming
language, but it is easily produced and consumed from most programming languages, which makes it flexible as well as easy to understand.

YAML is used by the Ansible automation tool for writing automation processes in the form of Ansible playbooks
because of its adaptability and accessibility.

YAML 3.0.x

CN-Series YAML 3.0.x should be used with the CN-Series running PAN-OS 10.1 or PAN-OS 10.2.

Version 3.0.2
• Adds support for K8s 1.22 on the CN-Series on AWS EKS. This support also requires CN-Series PAN-MGMT-INIT version 3.0.2.

Version 3.0.1
• Adds support for K8s 1.22 on the CN-Series on all platforms except AWS EKS. This support also requires CN-Series PAN-MGMT-INIT version 3.0.1.
• Adds support for OpenShift for the CN-Series deployed as a Kubernetes service. This requires PAN-CNI 3.0.2 or later.
• CN-120: Adds pod affinity for CN-MGMT and CN-NGFW pods in CN-Series deployed in CNF mode.

3.2.2 Terraform Templates


The CN-Series deployment repository contains Terraform plans to deploy a GKE, EKS, or AKS cluster.
These plans ensure that the cluster node sizing and CNIs support a CN-Series firewall deployment within the
cluster. The repository also provides a CN-Series firewall deployment plan and a sample PHP guestbook
application that you can secure with the firewall.

3.2.3 Differentiation

The following are differences between Helm and Terraform:

• Terraform's Kubernetes provider is relatively new, while Helm is a mature tool with tried
and tested Kubernetes capability.
• Terraform does not install anything within the Kubernetes cluster. Helm 2 installs the Tiller server
within the cluster and connects it with the Kubernetes API (Helm 3 removed Tiller and talks to the Kubernetes API directly).
• Helm cannot install a Kubernetes cluster, whereas Terraform can.
• In modularity terms, Terraform relies on modules, while Helm uses sub-charts.
• Terraform uses the HCL or JSON file format, while Helm uses standard Kubernetes manifests and
Go templates.
• Terraform tracks the Kubernetes objects it creates in its state file, while Helm tracks them as a release.
• Terraform has limited options at runtime, whereas Helm's Tiller server (Helm 2) provides numerous
capabilities at runtime.
• Helm has limited options for environment variables, while Terraform supports environment
variables.
• Modules in the Terraform Registry are generally not Kubernetes-specific, whereas Helm's stable and incubator charts offer
a rich set of packages.
• Rolling back with Helm is far easier, but maintaining it can take up precious resources. In Terraform, rolling back is complex, but takes up
only a few resources.

3.2.4 References

• Deploy the CN-Series Firewall
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/deploy-the-cn-series-firewalls
• Deploy CN-Series Firewall With and Without the Helm Repository
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/deploy-the-cn-series-firewalls/deploy-cn-series-firewalls-with-a-template/deploy-cn-series-firewalls-with-helm-charts-and-templates/deploy-cn-series-firewalls-with-and-without-the-helm-repository

3.3 Describe CN-Series sizing, capabilities, and features

The CN-Series firewall is the containerized next-generation firewall that provides visibility and security for containerized application workloads on Kubernetes clusters. It uses native Kubernetes constructs together with Palo Alto Networks components to make this possible.

Size and Scale Security Based on Immediate Needs—In Minutes


The CN-Series firewalls help you to:

• Match software firewalls and security services to the speed and flexibility that rapidly changing requirements demand.
• Maximize the ROI on security investments with the industry's most flexible way to adopt NGFW software and security services.
• Scale and size VM-Series virtual and CN-Series container NGFWs, cloud-delivered security services, and VM Panorama (for management and log collection) with unmatched flexibility.

Three simple steps let you choose and deploy the right firewalls and security services at any given time:

1. Procure Software NGFW credits.
2. Allocate or reallocate credits across deployments to activate your choice of security products and services in minutes.
3. Manage and monitor credits through the Palo Alto Networks Customer Support Portal.

As needs change, you can reallocate Software NGFW credits to new or different firewall-as-a-platform solutions without going through additional procurement cycles.

CN-Series Capabilities
Whatever the security needs of your container environment, the CN-Series is built to deliver the following:

A. Inline Network Security Visibility and Control

• Threat prevention and sandboxing: Threat Prevention and WildFire services can be enabled on CN-Series firewalls to
block exploits, prevent malware, and stop both known and unknown advanced threats.

• Exfiltration prevention and URL filtering: The CN-Series enables content inspection and SSL decryption, preventing
sensitive information from leaving your network.
Advanced URL Filtering uses machine learning to categorize URLs and block access to malicious sites that deliver
malware or steal credentials. Automation ensures that protections are always up to date.

• Flexible tag-based policy model: You can define CN-Series firewall policies by application, user, content, native Kubernetes
labels, and other metadata to deliver flexible policies aligned with business needs.

B. Automated Deployment and Configuration

• Kubernetes-orchestrated deployment: CN-Series firewalls run as a DaemonSet, allowing a single command from within
Kubernetes to deploy firewalls on all nodes in a cluster at once.

• DevOps-friendly configuration: All configuration of CN-Series firewalls is specified in a YAML file and can be easily
integrated into infrastructure deployment files for fast, repeatable deployments. Configuration templates can be found in
our official CN-Series GitHub repository.

• Community-supported Kubernetes Helm chart: For development teams using Helm to manage their Kubernetes
applications, a CN-Series Helm Chart has been created to simplify firewall deployment and management.

C. Flexible and Consistent CNI Integration

• Simple insertion: The CN-Series supports multiple CNI plugins for use in different
types of Kubernetes deployments.


D. Kubernetes Support for Cloud and On-Premises Environments

• Public cloud: You can deploy CN-Series firewalls in hosted container environments
such as GKE, AKS, Amazon EKS, and Red Hat OpenShift. For detailed platform
support information, refer to the table below.

• On-premises: You can also deploy CN-Series firewalls into Kubernetes environments
hosted on-premises.

Refer to the link below for details on the deployment of the CN-Series in supported environments.
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments

Table: CN-Series Support Matrix

Product                              Version(s)
Containerized PAN-OS                 9.2.0
Kubernetes Overview                  1.0.0
Container Runtime                    Docker, CRI-O
Native Kubernetes                    1.14-1.18
Cloud Provider-Managed Kubernetes*   OpenShift 4.2, 4.4, 4.5
                                     AWS EKS (1.14-1.17)
                                     Azure AKS (1.14-1.18)
                                     GCP GKE (1.14-1.17)
Customer-Managed Kubernetes†
Kubernetes Host VM OS                Ubuntu 16.04, 18.04, RHEL/CentOS
CNI                                  CNI Spec 0.3.0 and higher, which supports CNI chaining (e.g., Calico, Flannel, Weave)

* Recommended versions for Kubernetes, Calico, etc.
† In customer-managed deployments, Kubernetes can be deployed using any orchestrator (e.g., Rancher, Kubespray) in a public or private cloud, as long as the Kubernetes, CNI, and host OS versions are from the table above.

Virtualization Features

• CN-Series Firewall as a Kubernetes Container Network Function (CNF):

You can now deploy the CN-Series as a CNF in your Kubernetes environment.

The CN-Series-as-a-DaemonSet and CN-Series-as-a-Kubernetes-service deployment modes provide automated security deployment and leverage the auto scaling capabilities of Kubernetes. However, these deployment modes have limited insertion options and do not support I/O acceleration. In addition, they limit the achievable throughput for application pods that require inspection and use multiple network interfaces.

Traditionally, customers have had two deployment options, chosen on operational and budgetary considerations.

Option 1 - Distributed deployments/DaemonSet deployment mode: Deploy the CN-Series data plane as a DaemonSet, one firewall pod per node.
Pros:
• Traffic latency is reduced because the CN-Series data plane is deployed per node. This places security enforcement as close to the workloads as possible.
• Pricing is node-based, which simplifies upfront forecasting by reducing the need to predict throughput requirements for the firewall.
Cons:
• Compute resources must be allocated to the firewall on every node, making this a resource-intensive option.
• Cost-prohibitive in large environments because of the number of firewalls required.

Option 2 - Clustered deployments/Kubernetes Service deployment mode: Deploy the CN-Series data plane as a native Kubernetes service on dedicated security nodes.
Pros:
• Kubernetes-native auto scale capabilities are leveraged to elastically scale CN-Series deployments.
• Compute efficiency is maximized by allowing Kubernetes to deploy CN-Series firewalls based on available resources.
• This option is cost-effective because fewer firewalls are needed.
Cons:
• Network latency is potentially increased because traffic hairpins through the security nodes.

Option 3 - CN-Series as a Kubernetes CNF: Deploying the CN-Series as a Kubernetes CNF resolves these challenges. Traffic is steered to the firewall by service function chaining (SFC) through external entities such as a cloud provider's native routing, vRouters, and top-of-rack (ToR) switches, so the CN-Series-as-a-Kubernetes-CNF deployment mode does not touch the application pods.

Benefits:
• Both containerized and non-containerized workloads are protected.
• Network deployment options are expanded for public and private clouds.
• Traffic is secured more efficiently and may experience performance increases.

For more information, see Deploying the CN-Series Firewall as a Kubernetes-CNF.

• HA Support for CN-Series Firewall as a Kubernetes CNF:

High availability (HA) is a configuration in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover if a peer goes down. Setting up the firewalls as a two-device cluster provides redundancy and helps ensure business continuity.

You can now deploy the CN-Series as a Kubernetes CNF in HA. This deployment mode supports only active/passive HA, with session and configuration synchronization.

When you deploy the CN-Series as a Kubernetes CNF in HA, there are two copies each of the PAN-CN-MGMT-CONFIGMAP, PAN-CN-MGMT, and PAN-CN-NGFW YAML files: one set for the active node and one for the passive node.

For more information, see High Availability Support for Deploying the CN-Series Firewall as a Kubernetes CNF.

• HA Support for CN-Series Firewall on AWS EKS

To ensure redundancy, you can deploy the CN-Series firewalls on AWS in an active/passive HA configuration. The active peer continuously synchronizes its configuration and session information with the identically configured passive peer. A heartbeat connection between the two devices ensures failover if the active device goes down. You can deploy the CN-Series firewall on AWS EKS in HA through secondary IP move.

To ensure that all traffic to your internet-facing applications passes through the firewall, you can configure AWS ingress routing. This capability allows you to associate route tables with the AWS internet gateway and add route rules that redirect the application traffic through the CN-Series firewall. The redirection ensures that all internet traffic passes through the firewall without reconfiguring the application endpoints.

When the active peer goes down, the passive peer detects the failure and becomes active. Additionally, it:

• Triggers API calls to the AWS infrastructure to move the configured secondary IP addresses from the data-plane interfaces of the failed peer to itself
• Updates the route tables to ensure that traffic is directed to the now-active firewall instance

These two operations ensure that inbound and outbound traffic sessions are restored after failover. The HA configuration also lets you take advantage of the Data Plane Development Kit (DPDK) to improve the performance of your CN-Series firewall instances.

AWS requires that all API requests be cryptographically signed using credentials issued by AWS. To grant the CN-Series HA pair the API permissions it needs, create an IAM policy and attach it to a role in AWS Identity and Access Management (IAM); the role must be attached to the CN-Series firewalls at launch. The policy gives the role the permissions needed to move interfaces or secondary IP addresses and update routes from the failed peer to the surviving peer when failover is triggered. Keep it scoped to exactly those actions and resources: the role's credentials are usable by anything that can run code on the firewall's node.

The devices in an HA pair can be assigned a device priority value to indicate which device should assume the active role upon failover. If you need a specific device in the HA pair to actively secure traffic, enable preemptive behavior on both firewalls and assign a device priority value to each.

The device with the lower numerical value, and therefore the higher priority, is designated active and handles all traffic. The other device is passive and synchronizes configuration and state with the active device so that it is ready to become active if a failure occurs.

For more information, see High Availability Support for CN-Series Firewall on AWS EKS.
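As an added example (not code from the study guide or from PAN-OS), the following Python models the election and failover sequence described above: the lower device-priority value wins when preemption is enabled on both peers, an already-active healthy peer keeps the role when it is not, and on failure the passive peer takes over and issues the secondary-IP move and route-table update. The CloudApi class, the peer names, the IP address and the route table ID are constructed stand-ins for the AWS calls; nothing here contacts AWS.

```python
"""Active/passive HA election and failover for a two-firewall pair.

Added example, not PAN-OS code. It models only the rules stated in the
text: lower priority value is preferred, preemption must be enabled on
both peers for it to apply, and the peer that becomes active moves the
secondary IPs and rewrites routes. CloudApi is a constructed stand-in for
the AWS EC2 API and just records the calls a firewall would make.
"""
from dataclasses import dataclass, field


@dataclass
class Peer:
    name: str
    priority: int          # lower value = higher preference
    preemptive: bool
    healthy: bool = True
    state: str = "passive"


@dataclass
class CloudApi:
    """Constructed stand-in for the AWS calls; records what was requested."""
    secondary_ips: dict = field(default_factory=dict)   # ip -> owning peer name
    routes: dict = field(default_factory=dict)          # route table id -> next-hop peer
    calls: list = field(default_factory=list)

    def move_secondary_ip(self, ip, to_peer):
        self.calls.append(("assign_private_ip", ip, to_peer))
        self.secondary_ips[ip] = to_peer

    def replace_route(self, table_id, to_peer):
        self.calls.append(("replace_route", table_id, to_peer))
        self.routes[table_id] = to_peer


def elect_active(a, b):
    """Return the peer that should be active, or None if both are down.

    With preemption enabled on both peers the lower priority value wins.
    Without preemption a healthy peer that is already active keeps the role.
    """
    healthy = [p for p in (a, b) if p.healthy]
    if not healthy:
        return None
    if len(healthy) == 1:
        return healthy[0]
    current = [p for p in healthy if p.state == "active"]
    if current and not (a.preemptive and b.preemptive):
        return current[0]
    return min(healthy, key=lambda p: p.priority)


def apply_election(a, b, api):
    """Set peer states; when the active peer changes, move IPs and routes to it."""
    new_active = elect_active(a, b)
    for p in (a, b):
        p.state = "active" if p is new_active else "passive"
    if new_active is None:
        return None
    for ip, owner in list(api.secondary_ips.items()):
        if owner != new_active.name:
            api.move_secondary_ip(ip, new_active.name)
    for table_id, hop in list(api.routes.items()):
        if hop != new_active.name:
            api.replace_route(table_id, new_active.name)
    return new_active.name


def run_scenario(preemptive=True):
    """fw1 (priority 100) fails and recovers; returns who is active after each step."""
    fw1 = Peer("fw1", priority=100, preemptive=preemptive)
    fw2 = Peer("fw2", priority=200, preemptive=preemptive)
    # Constructed cloud state: one secondary IP and one ingress route table.
    api = CloudApi(secondary_ips={"10.0.1.50": "fw1"}, routes={"rtb-ingress": "fw1"})
    apply_election(fw1, fw2, api)                   # fw1 wins on priority
    fw1.healthy = False
    after_failure = apply_election(fw1, fw2, api)   # fw2 takes over, 2 API calls
    fw1.healthy = True
    after_recovery = apply_election(fw1, fw2, api)  # fw1 only if preemptive on both
    return after_failure, after_recovery, api


if __name__ == "__main__":
    for pre in (True, False):
        fail, rec, api = run_scenario(pre)
        print(f"preemptive={pre}: after failure {fail}, after recovery {rec}, calls {api.calls}")
```

With preemption on both peers, recovery of fw1 triggers a second IP move and route rewrite back to fw1; with preemption off, fw2 stays active and no further API calls are made, which is the lower-churn choice when the two peers are equivalent.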

• DPDK Support for CN-Series Firewall

The Kubernetes CNF mode of CN-Series now supports the Data Plane Development Kit (DPDK) and allows the application pods to use DPDK. DPDK enables fast packet processing in data-plane applications by bypassing multiple layers of the kernel networking stack and communicating directly with the network hardware.

See Configure DPDK on CN-Series Firewall for instructions to set up DPDK.

• DaemonSet (vWire) IPv6 Support

In the Kubernetes DaemonSet mode, application pods can have IPv4 and IPv6 addresses on one or many interfaces in a Multus environment. If the application pods have IPv6 addresses, you can still secure those interfaces using the Kubernetes DaemonSet mode.

Additionally, because the Kubernetes plugin supports DAG-to-IPv6 address mapping, you can use DAGs in Security policy for IPv6 workloads.

Key Idea

• IPv6 addresses are supported only in the k8s-DaemonSet mode, not in the k8s-CNF or k8s-service mode.

• Panorama Plugin for Kubernetes 3.0.0

The Kubernetes 3.0.0 plugin supports the following functionalities:

• Retrieve IPv6 Addresses for Multus CNI Setup

In a Multus CNI setup, each pod has multiple interfaces, and these interfaces can have IPv6 or IPv4 addresses. The Kubernetes 3.0.0 plugin queries and collects both the IPv4 and IPv6 addresses in a Multus CNI setup.

• Tag Pruning

Tag pruning increases the scalability of the plugin and the number of tags it can collect. It enables the plugin to collect a larger number of tags and push them to Panorama without IP addresses. Panorama has a 10 MB payload limitation; with tag pruning, the plugin sends empty tags to Panorama and sends IP addresses only for tags that are used in Security policies. If the Security policy lives in the Shared device group on Panorama, the plugin cannot learn which DAGs are in use, and hence no IP addresses are pushed for them.

• Service Account Validation

The Kubernetes 3.0.0 plugin validates the service account file as a pre-commit check: the validation takes place after you add a service account file and commit the credentials. With this method, the plugin can also run periodic checks on service accounts and update their status accordingly.


• Dashboard

For tags not used in device-group Security policies, Panorama holds only the tags, without IP addresses. With tag pruning, the plugin pushes the full IP/tag mappings to the plugin UI, and you can navigate the Dashboard to see them. You can view the IP addresses (IPv4 and IPv6) associated with all tags learned by the plugin, and then look up the tags associated with each IP address by clicking Associated tags.

The Kubernetes 3.0.0 plugin requires Panorama 10.2 and is intended for PAN-OS 10.2 firewalls; however, a 10.2 Panorama with the 3.0.0 plugin can also manage PAN-OS 10.1 firewalls.
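To make the tag-pruning behavior concrete, here is an added Python example (not the plugin's code) that reproduces the rule as the text states it: every learned tag is sent, but IP addresses are included only for tags referenced by device-group Security policy, and the serialized payload is checked against a byte budget. The learned mappings and the policy tag set are constructed sample data; the tag naming, the JSON shape and the configurable limit are assumptions.

```python
"""Tag pruning for IP/tag mappings pushed from a Kubernetes plugin to Panorama.

Added example, not the Panorama plugin's code. Learned mappings are a
dict tag -> set of IP strings; POLICY_TAGS is the set of tags referenced by
DAG match criteria in device-group Security policy. Tags outside that set
are pushed with an empty IP list, which keeps the tag visible but removes
the bulk of the payload. PAYLOAD_LIMIT follows the 10 MB figure in the text.
"""
import json

PAYLOAD_LIMIT = 10 * 1024 * 1024   # 10 MB, per the text

# Constructed sample of what the plugin might learn from a cluster
# (namespace and label tags, IPv4 and IPv6 pod addresses).
LEARNED = {
    "k8s.ns.payments":      {"10.244.1.10", "10.244.1.11", "fd00:1::a"},
    "k8s.ns.dev":           {"10.244.2.5"},
    "k8s.label.app=web":    {"10.244.1.10", "10.244.3.7"},
    "k8s.label.tier=batch": {"10.244.4.1", "10.244.4.2"},
}

# Tags referenced by Security policy in the device group.  An empty set
# models the Shared device-group case from the text, where the plugin
# cannot learn which DAGs are in use and therefore pushes no addresses.
POLICY_TAGS = {"k8s.ns.payments", "k8s.label.app=web"}


def prune(learned, policy_tags):
    """Return tag -> sorted IP list, with addresses only for tags used in policy."""
    return {
        tag: sorted(ips) if tag in policy_tags else []
        for tag, ips in learned.items()
    }


def build_payload(learned, policy_tags, limit=PAYLOAD_LIMIT):
    """Serialize the pruned mappings; raise if the result still exceeds the budget."""
    body = json.dumps(prune(learned, policy_tags), sort_keys=True).encode()
    if len(body) > limit:
        raise ValueError(f"payload {len(body)} bytes exceeds limit {limit}")
    return body


def bytes_saved(learned, policy_tags):
    """How many bytes pruning removes compared with pushing every address."""
    full = {tag: sorted(ips) for tag, ips in learned.items()}
    full_len = len(json.dumps(full, sort_keys=True).encode())
    return full_len - len(build_payload(learned, policy_tags))


if __name__ == "__main__":
    print(json.dumps(prune(LEARNED, POLICY_TAGS), indent=2))
    print("bytes saved:", bytes_saved(LEARNED, POLICY_TAGS))
```

Run it and the two unreferenced tags come back with empty lists while the payload stays well under the limit; pass an empty policy set to see the Shared device-group effect, where every tag is pruned and no address reaches Panorama.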


Key Idea
• To upgrade to the Kubernetes 3.0.0 plugin, download it and then upgrade Panorama to 10.2. The upgrade automatically installs the downloaded plugin. If you have not downloaded the plugin before upgrading Panorama, the upgrade is stopped.
• You cannot use the Kubernetes 2.0.0 plugin with Panorama 10.2.
• You will find four default templates on Panorama after downgrading the Kubernetes 3.0.0 plugin. The unnecessary templates can be deleted manually.

• L3 IPv4 Support for CN-Series

With the Kubernetes CNF, the CN-Series now supports traffic through a vRouter, where static routes are configured to redirect traffic to the data-plane interfaces of the firewall. In the reverse direction, the traffic is redirected to the same firewall using Layer 3 policy-based routing (PBR) with IPv4 addresses. IP addresses on the interfaces in a Kubernetes environment are typically programmed through the CNI using DHCP.

In Kubernetes CNF mode, only one CN-NGFW pod is supported with a CN-MGMT pod.

The CN-Series supports static and connected routes and the BGP protocol. OSPF is supported in native/on-premises environments but not on public clouds, due to limitations in the cloud infrastructure. Bidirectional Forwarding Detection (BFD) and tunnel interfaces are not supported.


Key Idea
• vWire can still be used on data-plane ports where an external ToR is configured to manage L1 PBR.

• Support for 47 Data-Plane Cores in VM-Series and CN-Series Firewalls

Starting with PAN-OS 10.2, VM-Series and CN-Series firewalls support a maximum of 47 data-plane cores. Increasing the number of data-plane cores improves performance.

Key Idea
• For VM-Series, if you have NUMA performance optimization enabled with custom data-plane core settings, the NUMA setting takes precedence. For more information, see Enable NUMA Performance Optimization on VM-Series.

3.3.1 References

• CN-Series Supported Scale Factors
https://docs.paloaltonetworks.com/content/techdocs/en_US/cn-series/10-0/cn-series-deployment/cn-series-supported-scale-factors.html#ida75c6278-e6db-488c-acf2-855d5cee3b18
• CN-Series Capabilities
https://www.paloaltonetworks.com/apps/pan/public/downloadResource?pagePath=/content/pan/en_US/resources/datasheets/cn-series-container-firewall
• Virtualization Features
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-new-features/virtualization-features

3.4 Explain various segmentation models, including east-west and north-south segmentation design per
CNet, VNet, and pod

Workload
A workload can be broadly defined as the resources and processes needed to run an application.
Hosts, virtual machines, and containers are a few examples of workloads.

Companies can run workloads across data centers and hybrid cloud and multicloud environments.
Most organizations' applications are becoming increasingly distributed across different cloud native compute
architectures, based on business needs.

Beyond Perimeter Security


Perimeter security makes up a significant part of most organizations' network security controls. Network security devices such as network firewalls inspect “north-south” (client-to-server) traffic that crosses the security perimeter and stop bad traffic. Assets within the perimeter are implicitly trusted, so “east-west” (workload-to-workload) traffic may go uninspected.

For most organizations, east-west communications make up the majority of data-center and cloud traffic. Because perimeter-focused defenses have no visibility into east-west traffic, malicious actors use this blind spot to move laterally across workloads.

The network creates reliable pathways between workloads. Microsegmentation creates isolation and determines whether two endpoints should be able to reach each other. Enforcing segmentation with least-privileged access reduces the scope of lateral movement and contains data breaches.


Network Segmentation Challenges

Network segmentation is an approach that divides a network into multiple smaller segments. It brings the following benefits:

• Performance: Subdividing the network into smaller subnets and VLANs reduces the scope of broadcast packets and improves network performance.
• Security: Network security teams can apply access control lists (ACLs) to VLANs and subnets to isolate machines on different network segments. In the event of a data breach, ACLs can prevent the threat from spreading to other network segments.

Leveraging network segmentation for security purposes comes with challenges. Segmentation needs often don't match the network architecture, and re-architecting the network or reconfiguring VLANs and subnets to meet segmentation requirements is difficult and time-consuming.

Microsegmentation, also referred to as Zero Trust or identity-based segmentation, delivers on segmentation requirements without the need to re-architect. Security teams can isolate workloads in a network to limit the effect of malicious lateral movement.

Microsegmentation controls fall into three categories:

• Agent-based solutions use a software agent on the workload and enforce granular isolation on individual hosts and containers. Agent-based solutions may leverage the built-in host-based firewall or derive isolation capabilities from workload identity or attributes.
• Network-based segmentation controls rely on the network infrastructure. This style leverages physical and virtual devices, such as load balancers, switches, software-defined networks (SDNs), and overlay networks, to enforce policy.
• Native cloud controls leverage capabilities embedded in the cloud service provider (e.g., Amazon security groups, Azure Firewall, or Google Cloud firewall rules).


Microsegmentation helps provide consistent security across private and public clouds alike by virtue of three key principles: visibility, granular
security, and dynamic adaptation. For more details, visit Section 1.4.

Benefits of Microsegmentation
Organizations that adopt microsegmentation realize tangible benefits:

• Reduced attack surface: Microsegmentation provides visibility into the complete network environment without slowing development or
innovation. Application developers can integrate Security policy definition early in the development cycle and ensure that neither
application deployments nor updates create new attack vectors. This is particularly important in the fast-moving world of DevOps.

• Improved breach containment: Microsegmentation gives security teams the ability to monitor network traffic against predefined
policies as well as shorten the time to respond to and remediate data breaches.

• Stronger regulatory compliance: Using microsegmentation, regulatory officers can create policies that isolate systems subject to
regulations from the rest of the infrastructure.
Granular control of communications with regulated systems reduces the risk of noncompliant usage.

• Simplified policy management: Moving to a microsegmented network or Zero Trust security model provides an opportunity to simplify
policy management. Some microsegmentation solutions offer automated application discovery and policy suggestions based on
learned application behavior.

Use Cases

The range of use cases for microsegmentation is vast and growing. Here are some representative examples:

• Development and production systems: In the best-case scenario, organizations carefully separate development and test environments from production systems. However, these measures may not prevent careless activity, such as developers taking customer information from production databases for testing. Microsegmentation can enforce a more disciplined separation by granularly limiting connections between the two environments.

• Security for soft assets: Companies have a huge financial and reputational incentive to protect “soft” assets, such as confidential
customer and employee information, intellectual property, and company financial data. Microsegmentation adds another level of
security to guard against exfiltration and other malicious actions that can cause downtime and interfere with business operations.

• Hybrid cloud management: Microsegmentation can provide seamless protection for applications that span multiple clouds and
implement uniform security policies across hybrid environments composed of multiple data centers and cloud service providers.


• Incident response: As noted earlier, microsegmentation limits lateral movement of threats and the impact
of breaches. In addition, microsegmentation solutions provide log information to help incident response
teams better understand attack tactics and telemetry to help pinpoint policy violations to specific
applications.
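The following is an added example (not from the study guide or any vendor product) of the least-privilege, label-based evaluation that microsegmentation relies on, illustrated with the development/production use case above. Workloads carry labels in the same spirit as the Kubernetes labels a DAG matches on, each rule allows one source selector to one destination selector on specific ports, and anything unmatched is denied. The workloads, labels, rules and ports are constructed; the audit function enumerates every possible flow so an over-permissive rule shows up as extra allowed pairs.

```python
"""Label-based east-west policy evaluation with default deny.

Added example, not vendor code. A rule allows traffic when the source
carries all labels in rule.src, the destination carries all labels in
rule.dst, and the destination port is listed. Nothing else is allowed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Workload:
    name: str
    labels: frozenset


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset       # labels the source must carry (all of them)
    dst: frozenset       # labels the destination must carry (all of them)
    ports: frozenset     # allowed destination TCP ports


def matches(selector, labels):
    """A selector matches when every label it names is present on the workload."""
    return selector <= labels


def evaluate(rules, src, dst, port):
    """First matching rule wins; return (action, rule_name), default deny."""
    for r in rules:
        if matches(r.src, src.labels) and matches(r.dst, dst.labels) and port in r.ports:
            return "allow", r.name
    return "deny", "default-deny"


def audit(rules, workloads, ports=(5432, 22)):
    """Enumerate every workload pair and port; return the flows that are allowed.

    Reviewing this list is how you catch a rule that spans environments.
    """
    allowed = []
    for s in workloads:
        for d in workloads:
            if s is d:
                continue
            for p in ports:
                action, why = evaluate(rules, s, d, p)
                if action == "allow":
                    allowed.append((s.name, d.name, p, why))
    return allowed


# Constructed inventory: web and database tiers in dev and prod.
WEB_PROD = Workload("web-prod", frozenset({"env=prod", "app=web"}))
DB_PROD = Workload("db-prod", frozenset({"env=prod", "app=db"}))
WEB_DEV = Workload("web-dev", frozenset({"env=dev", "app=web"}))
DB_DEV = Workload("db-dev", frozenset({"env=dev", "app=db"}))
INVENTORY = [WEB_PROD, DB_PROD, WEB_DEV, DB_DEV]

# Constructed policy: each environment's web tier may reach its own database only.
RULES = [
    Rule("prod-web-to-db", frozenset({"env=prod", "app=web"}), frozenset({"env=prod", "app=db"}), frozenset({5432})),
    Rule("dev-web-to-db", frozenset({"env=dev", "app=web"}), frozenset({"env=dev", "app=db"}), frozenset({5432})),
]

# A rule that forgets the env label: it lets dev web reach the prod database.
BROAD_RULE = Rule("any-web-to-db", frozenset({"app=web"}), frozenset({"app=db"}), frozenset({5432}))


if __name__ == "__main__":
    print(evaluate(RULES, WEB_DEV, DB_PROD, 5432))       # ('deny', 'default-deny')
    for flow in audit(RULES + [BROAD_RULE], INVENTORY):
        print(flow)
```

With the two scoped rules, the audit lists exactly two allowed flows; appending BROAD_RULE doubles that, because the missing env label lets each environment's web tier reach the other's database, which is precisely the dev-to-prod leak the use case warns about.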

3.4.1 References

• What is Microsegmentation?
paloaltonetworks.com/cyberpedia/what-is-microsegmentation

3.5 Describe the concept of growth planning with Kubernetes

The scale numbers that the different components require to secure Kubernetes workloads with CN-Series are listed in the following sections of the CN-Series documentation:

• Scale Supported on the CN-Series Components
• Scale Supported on the Kubernetes Plugin on Panorama
• CN-Series Key Performance Metrics

3.5.1 References

• CN-Series Firewall for Kubernetes
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes

3.6 Describe placement considerations of Layer 2 and Layer 3 deployments

A virtual wire interface will allow Layer 2 and Layer 3 packets from connected devices to pass transparently if the
policies applied to the zone or interface allow the traffic. The virtual wire interfaces themselves do not participate
in routing or switching.

For example, the firewall does not decrement the time to live (TTL) in a traceroute packet going over the virtual
link because the link is transparent and does not count as a hop. Packets such as Operations, Administration, and
Maintenance (OAM) protocol data units (PDUs), for example, do not terminate at the firewall. Thus, the virtual
wire allows the firewall to maintain a transparent presence acting as a pass-through link, while still providing
security, NAT, and QoS services.

For bridge protocol data units (BPDUs) and other Layer 2 control packets (which are typically untagged) to pass
through a virtual wire, the interfaces must by default be attached to a virtual wire object that allows untagged
traffic. If the virtual wire object Tag Allowed field is empty, the virtual wire allows untagged traffic.

For routing (Layer 3) control packets to pass through a virtual wire, you must apply a Security policy rule that
allows the traffic to pass through. For example, apply a Security policy rule that allows an application such as
BGP or OSPF.

Layer 2 Deployment


In a Layer 2 deployment, the firewall provides switching between two or more networks. You must assign a group of interfaces to a common VLAN object for the firewall to switch between them. Choose this option when switching is required.

Figure: Layer 2 Deployment

Key Idea

• Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for tagged or untagged traffic.

A design consideration for implementing Layer 2 interfaces is whether you need to segregate all virtual machines from each other. A Software NGFW can perform this segregation on the network by manipulating VLAN tags while preserving the existing Layer 3 gateways. The basis for this design is maximum flexibility with regard to VM-Series placement, guest VM protection, and the inherent networking capabilities of the selected cloud.

The following documents describe the different types of Layer 2 interfaces you can configure for each type of deployment, including details on using VLANs for traffic and policy separation among groups, and how the firewall rewrites the inbound port VLAN ID in a Cisco per-VLAN spanning tree (PVST+) or Rapid PVST+ bridge protocol data unit (BPDU):

• Layer 2 Interfaces with No VLANs
• Layer 2 Interfaces with VLANs
• Configure a Layer 2 Interface
• Configure a Layer 2 Interface, Subinterface, and VLAN
• Manage Per-VLAN Spanning Tree (PVST+) BPDU Rewrite

Layer 3 Deployment
In a Layer 3 deployment, the firewall routes traffic between multiple ports. This deployment requires that you
assign an IP address to each interface and configure virtual routers to route the traffic.
Choose this option when routing is required.


Figure: Layer 3 Deployment

Key Idea

• Layer 3 interfaces allow traffic to be routed between network segments while the firewall applies its full suite of security features to inspect traffic for potential threats.

The following documents describe how to configure Layer 3 interfaces and how to use Neighbor Discovery Protocol (NDP) to provision IPv6 hosts and view the IPv6 addresses of devices on the link-local network to quickly locate devices:

• Configure Layer 3 Interfaces
• Manage IPv6 Hosts Using NDP

3.6.1 References

• Layer 2 and Layer 3 Packets over a Virtual Wire
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/virtual-wire-interfaces/layer-2-and-layer-3-packets-over-a-virtual-wire
• Layer 2 Interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/layer-2-interfaces
• Layer 3 Interfaces
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-networking-admin/configure-interfaces/layer-3-interfaces

3.7 Summary of Key Ideas

• You need standard Kubernetes tools such as kubectl or Helm to deploy and manage your Kubernetes clusters, apps, and firewall services. Panorama is not designed to be an orchestrator for Kubernetes cluster deployment and management. Templates for cluster management are provided by managed Kubernetes providers. Palo Alto Networks provides community-supported templates for deploying CN-Series with Helm and Terraform.
• Before moving from deploying CN-Series as a DaemonSet to CN-Series as a Service, or vice versa, you must delete and reapply plugin-serviceaccount.yaml.
• When you deploy CN-Series as a DaemonSet, pan-plugin-cluster-mode-secret must not exist.
• When you deploy CN-Series as a Kubernetes service, pan-plugin-cluster-mode-secret must be present.
• IPv6 addresses are supported only in the k8s-DaemonSet mode, not in the k8s-CNF or k8s-service mode.
• To upgrade to the Kubernetes 3.0.0 plugin, download it and then upgrade Panorama to 10.2. The upgrade automatically installs the downloaded plugin. If you have not downloaded the plugin before upgrading Panorama, the upgrade is stopped.
• You cannot use the Kubernetes 2.0.0 plugin with Panorama 10.2.
• You will find four default templates on Panorama after downgrading the Kubernetes 3.0.0 plugin. The unnecessary templates can be deleted manually.
• vWire can still be used on data-plane ports where an external ToR is configured to manage L1 PBR.
• For VM-Series, if you have NUMA performance optimization enabled with custom data-plane core settings, the NUMA setting takes precedence. For more information, see Enable NUMA Performance Optimization on VM-Series.
• Firewalls in Layer 2 or virtual wire mode can inspect and provide threat prevention for tagged or untagged traffic.
• Layer 3 interfaces allow traffic to be routed between network segments while the firewall applies its full suite of security features to inspect traffic for potential threats.
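The deployment-mode rules in the summary above are easy to get wrong when switching between DaemonSet and service mode, so here is an added example (not part of the study guide or the CN-Series repository) of a preflight check that applies them to a set of manifests before kubectl apply. Manifests are represented as already-parsed dicts, which is what yaml.safe_load_all would return for the YAML files; the pan-ngfw name prefix, the kube-system namespace and the modeling of service mode as a Deployment plus Service are assumptions, since the page does not show the file contents.

```python
"""Preflight check for CN-Series manifests against the deployment-mode rules.

Added example, not CN-Series code. Rules checked are the ones the summary
states: DaemonSet mode must not carry pan-plugin-cluster-mode-secret,
service mode must carry it, and a change of mode requires
plugin-serviceaccount.yaml to be deleted and re-applied.
Assumptions: the CN-NGFW workload is named with a pan-ngfw prefix and
service mode is a Deployment (plus a Service) rather than a DaemonSet.
"""

SECRET_NAME = "pan-plugin-cluster-mode-secret"


def cn_ngfw_kind(manifests):
    """Kind of the CN-NGFW workload: 'DaemonSet' or 'Deployment' (service mode)."""
    for m in manifests:
        name = m.get("metadata", {}).get("name", "")
        if name.startswith("pan-ngfw") and m.get("kind") in ("DaemonSet", "Deployment"):
            return m["kind"]
    return None


def has_cluster_mode_secret(manifests):
    """True when a Secret named pan-plugin-cluster-mode-secret is in the set."""
    return any(
        m.get("kind") == "Secret" and m.get("metadata", {}).get("name") == SECRET_NAME
        for m in manifests
    )


def preflight(manifests, previous_kind=None):
    """Return a list of findings; an empty list means the set is consistent.

    previous_kind is the mode currently running in the cluster, if any, so
    the mode-switch rule can be checked too.
    """
    findings = []
    kind = cn_ngfw_kind(manifests)
    secret = has_cluster_mode_secret(manifests)
    if kind is None:
        findings.append("no CN-NGFW DaemonSet or Deployment found")
    elif kind == "DaemonSet" and secret:
        findings.append(f"DaemonSet mode: remove {SECRET_NAME}")
    elif kind == "Deployment" and not secret:
        findings.append(f"service mode: {SECRET_NAME} must exist")
    if previous_kind and kind and previous_kind != kind:
        findings.append("mode change: delete and re-apply plugin-serviceaccount.yaml")
    return findings


# Constructed manifest sets (only the fields the check reads).
DAEMONSET_SET = [
    {"kind": "DaemonSet", "metadata": {"name": "pan-ngfw-ds", "namespace": "kube-system"}},
    {"kind": "StatefulSet", "metadata": {"name": "pan-mgmt-sts", "namespace": "kube-system"}},
]
SERVICE_SET = [
    {"kind": "Deployment", "metadata": {"name": "pan-ngfw-dep", "namespace": "kube-system"}},
    {"kind": "Service", "metadata": {"name": "pan-ngfw-svc", "namespace": "kube-system"}},
    {"kind": "Secret", "metadata": {"name": SECRET_NAME, "namespace": "kube-system"}},
]


if __name__ == "__main__":
    print("daemonset:", preflight(DAEMONSET_SET))
    print("service without secret:", preflight(SERVICE_SET[:2]))
    print("switch to service mode:", preflight(SERVICE_SET, previous_kind="DaemonSet"))
```

In practice you would feed the output of yaml.safe_load_all over the directory you are about to apply, and read previous_kind from the cluster with kubectl get daemonset,deployment -n kube-system before the switch.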

3.8 Sample Questions

1. Threat Prevention and WildFire services enabled on CN-Series firewalls: (Choose three.)
a. Block exploits
b. Prevent malware
c. Ensure that protections are always up to date
d. Stop only known advanced threats
e. Stop both known and unknown advanced threats

2. Where can you download Configuration templates?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

3. CN-Series as a Kubernetes CNF in HA mode of deployment supports _______ with session and configuration synchronization.
a. Active/active HA
b. Active/passive HA
c. Passive/passive HA
d. 1:n/n:1

4. How many default templates can you find on Panorama after downgrading the Kubernetes plugin from 3.0.0?
a. Five
b. Four
c. Two
d. Six

5. In Kubernetes CNF mode, which protocol is supported on Native/OnPrem environments, but not on public clouds?
a. BGP
b. BFD
c. Tunnel interface
d. OSPF

6. Which mode of deployment allows the firewall to route traffic between multiple ports?
a. Tap mode
b. Layer 2
c. Virtual wire
d. Layer 3

7. Which threat detection system can monitor the traffic traversing within the VPC boundary?
a. Advanced URL Filtering
b. Cloud IDS
c. Threat monitoring
d. GlobalProtect

8. After git cloning the repository from GitHub, what do you need to do immediately to deploy the CN-Series firewall?
a. Change into a local directory for the cloned repository.
b. Change to the subdirectory for your deployment.
c. Edit the values.yaml file.
d. Generate the VM auth key on Panorama.

9. VM-Series can be deployed on which three of the following platforms? (Choose three.)
a. XenServer
b. NSX-T
c. AWS
d. Azure
e. On-Premises

10. In which layer is the firewall capable of inspecting and providing threat prevention for tagged or untagged traffic?
a. Layer 3
b. Layer 7
c. Layer 4
d. Layer 2

Domain 4: Demonstration and Evaluation


4.1 Create, apply, and upgrade licenses

Installing licenses

Every instance of Panorama requires valid licenses that entitle you to manage firewalls and obtain support. Before you can begin using Panorama for centralized management, logging, and reporting, you are required to register, activate, and retrieve the Panorama device management and support licenses. The Firewall Device Management license enforces the maximum number of firewalls that Panorama can manage. This license is based on firewall serial numbers and enables Panorama software updates and dynamic content updates such as the updates for the latest Applications and Threats signatures. Remember, Panorama virtual appliances on AWS and Azure must be purchased from Palo Alto Networks and cannot be purchased on the AWS or Azure marketplaces.

After upgrading your Panorama virtual appliance, you are prompted if:

• A capacity license has not been successfully installed, or
• The total number of firewalls being managed by Panorama exceeds the device management license.

In both cases, you have 180 days from the date of upgrade to install a valid device management license if no license has been installed. If the number of managed firewalls exceeds the device management license, you have 180 days to delete firewalls to meet the device management license requirements or upgrade your device management license. All commits fail if a valid device management license is not installed, or the existing device management license limit is not met, within 180 days of upgrade. To purchase a device management license, contact your Palo Alto Networks sales representative or authorized reseller.

Key Idea

• If you are running an evaluation license for firewall management on your Panorama virtual appliance and want to apply a Panorama license that you purchased, perform the tasks Register Panorama and Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected.

• Panorama can manage firewalls and collect logs even when the support license expires. However, in that case, software and content updates will be unavailable. The software and content versions on Panorama must be the same or later than the versions on the managed firewalls; otherwise, errors will occur. For details, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.

You can migrate VM-ELA or perpetual virtual Panorama licensing to Software Next-Generation Firewall (Software NGFW) licensing.

Use the following procedure to migrate any of the following to a flexible license:

• A Panorama with access to the Customer Support Portal (CSP)
• A Panorama HA pair that can access the CSP
• An HA pair that cannot access the CSP

1. Select Assets > Software NGFW Credits and click the Details link on the credit pool you used to create
your profile.
2. On the far right, click the vertical ellipsis (More Options) and select Provision Panorama and then click
Migrate Existing.
The CSP displays all virtual Panorama devices associated with your account.
3. Select the check box for each virtual Panorama to be migrated.
4. Click Migrate.
Verify that the Current Support Expiration Date has been updated. Additionally, you can expand each
row to view the individual licenses applied to the selected Panorama.

Complete the following procedure to migrate a standalone Panorama that cannot access the CSP to a flexible license:

1. On your Panorama, upgrade if necessary, and note the serial number and the current
support expiration date.
2. In the CSP, select Assets > Software NGFW Credits and click the Details link on a credit
pool. Select a deployment profile or create one.
3. On the far right, click the vertical ellipsis (More Options), select Provision Panorama, and
select Migrate Existing.
The CSP displays all virtual Panorama devices associated with your account.

Strata by Palo Alto Networks | PSE Software Firewall Professional 81


Machine Translated by Google

4. Select each virtual Panorama to be migrated and click Migrate.


5. On Panorama, replace the serial number with the serial number from the Panorama you
provisioned in the CSP. Wait one minute, then refresh the page.
6. In the CSP, select your provisioned Panorama and download all licenses (the support license, the management license, and the Panorama log manager license if your deployment profile includes it). Securely pass the licenses to your Panorama.
7. Upload all Software NGFW licenses.
8. Verify that the Current Support Expiration Date has been updated. Additionally, you can expand each row to view the support license and/or
logging license applied to the selected Panorama.

Install Content Updates and Software Upgrades for Panorama

A valid support subscription enables access to the Panorama software image and release notes. To take advantage of the latest fixes and security enhancements, upgrade to the latest software and content updates that your reseller or a Palo Alto Networks Systems Engineer recommends for your deployment. The procedure to install software and content updates depends on whether Panorama has a direct connection to the internet and whether it has an HA configuration. See the following documents for more details:

• Upgrade Panorama with an Internet Connection
• Upgrade Panorama Without an Internet Connection
• Install Content Updates Automatically for Panorama without an Internet Connection
• Upgrade Panorama in an HA Configuration
• Migrate Panorama Logs to the New Log Format
• Upgrade Panorama for Increased Device Management Capacity
• Upgrade Panorama and Managed Devices in FIPS-CC Mode
• Downgrade from Panorama 10.2

Manage Licenses and Updates

You can use the Panorama management server to centrally manage licenses, software updates, and content updates on firewalls and Dedicated Log Collectors. To activate licenses or install updates on the Panorama management server, refer to the above information in this section.

When you deploy licenses or updates, Panorama checks in with the Palo Alto Networks licensing server or update server, verifies the request
validity, and then allows retrieval and installation of the license or update. This capability facilitates deployment by eliminating the need to
repeat the same tasks on each firewall or Dedicated Log Collector. It is particularly useful for managing firewalls that do not have direct
internet access or for managing Dedicated Log Collectors, which do not have a web interface.

Before deploying updates, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility for important details about update
version compatibility.

Panorama automatically performs a daily check-in with the licensing server, retrieves license updates and renewals, and pushes them to the
firewalls. Check-in is hard-coded to occur between 1 am and 2 am; you cannot change this schedule.

Key Idea

• You cannot use Panorama to activate the support license for firewalls. You must
access the firewalls individually to activate their support licenses.

Use the following steps to retrieve new licenses using an authentication code and push the license keys to managed
firewalls.

Activate newly purchased licenses

1. Select Panorama > Device Deployment > Licenses and Activate.
2. Enter the Auth Code that Palo Alto Networks provided for each firewall that has a new license.
3. Activate the license.
4. (WildFire subscriptions only) Perform a commit on each firewall that has a new WildFire subscription to complete the activation:
• Commit any pending changes. You must access each firewall web interface to do this.
• If no configuration changes are pending, make a minor change and Commit. For example, update a rule description and commit the change. If the firewalls belong to the same device group, you can push the rule change from Panorama to initiate a commit on all those firewalls instead of accessing each firewall separately.

Key Idea

• Check that the WildFire Analysis profile rules include the advanced file types that the WildFire
subscription supports.

Use the following steps to manually update the license status of firewalls with or without direct internet access.

Update the license status of firewalls

1. Select Panorama > Device Deployment > Licenses.
Each entry on the page indicates whether the license is active or inactive and displays the expiration date for active licenses.
2. If you previously activated auth codes for the support subscription directly on the firewalls, click Refresh and select the firewalls from the list. Panorama retrieves the license, deploys it to the firewalls, and updates the licensing status on the Panorama web interface.
3. (Enterprise Data Loss Prevention (DLP) license only) Push the updated license to the managed firewalls that are leveraging Enterprise DLP.
• Select Commit and Commit to Panorama.
• Select Commit > Push to Devices and Edit Selections.
• Select Templates and select the template stack associated with the managed firewalls leveraging Enterprise DLP.
• Click OK to continue.
• Push the template configuration to successfully update the Enterprise DLP license.

4.1.1 References

• Register Panorama and Install Licenses
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/set-up-panorama/register-panorama-and-install-licenses
• Migrate Panorama to a Software NGFW License
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/license-the-vm-series-firewall/software-ngfw/migrate-panorama-to-a-flexible-license
• Install Content Updates and Software Upgrades for Panorama
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-upgrade/upgrade-panorama/install-content-and-software-updates-for-panorama#id8b92a813-8235-40fc-bd19-4815c8dc0269
• Manage Licenses on Firewalls Using Panorama
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/manage-licenses-and-updates/manage-licenses-on-firewalls-using-panorama

4.2 Execute a successful proof of concept (POC)

A proof of concept (POC) is the most effective test you can run to make sure you are getting the right NGFW for your environment.

Candidates preparing for this topic should know how to select the right product and configuration for basic threat prevention and detection for
both out-of-band and inline firewalls in the customer environment.

Successful candidates should be able to work closely with customers to prepare the list of items to be addressed in a POC. Here are some
very important considerations:

• Does a customer environment require a chassis-based firewall or a non-chassis-based firewall?
• When can, should, or must a customer use a specific firewall family, such as the PA-7000?
• Which cloud-delivered security services are required to provide the required customer protection?
• What are the required configurations for firewalls and cloud-delivered security services?

Candidates should know about common testing approaches, such as Breaking Point, and should be able to incorporate the customer's testing
approach into the list of items addressed by the POC.
Candidates should be able to explain to customers the impact of Palo Alto Networks threat handling on these tests' performance, such as
disabling old signatures for out-of-use viruses or known issues that impact performance. Candidates should be able to match firewall choices
to the testing approaches that are used in the POC, and match firewall and cloud-delivered security services to the list of items to be addressed
by the POC.

In firewall sales opportunities in which a customer and sales team determine that a POC might be helpful, many data-center customers know
what they want to run through their firewalls and want to see how a Palo Alto Networks firewall handles that traffic. For example, customers
often need to run specific loads of traffic through the firewall and ensure that the POC firewall properly filters and monitors those traffic loads.
Palo Alto Networks has a POC team to ensure that the firewall and its configuration can handle customer throughput requirements.

While many customers may know what performance and functionality they need from a firewall, they often may not know how to formalize
specific success criteria for a POC. For that reason, the POC team should be engaged as soon as a POC opportunity is recognized as a
necessary part of the sales cycle. The POC team should help define POC success criteria, select and configure firewalls so that they meet
that criteria, and drive the POC to a successful result.

Multiple sources are available for providing exposure to Palo Alto Networks technologies. For lab environments, you can leverage resources at Qwiklabs. Current information about Qwiklabs can be found at:

• AWS QwikLab Registration
• AWS CloudNGFW QwikLab
• AWS GWLB QwikLab with VM-Series
• AWS CN-Series QwikLab

Refer to the following link if you wish to perform customized testing of any next-generation firewall appliances in your environment: https://start.paloaltonetworks.com/next-generation-firewall-proof-of-concept-evaluation

4.2.1 References

• Threat Signatures
https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/threat-prevention/learn-more-about-and-assess-threats/learn-more-about-threat-signatures

4.3 Apply the appropriate deployment / configuration tool for various environments

When you are registering a new device (at the end of the registration process), an optional step prompts you to run Day 1 Configuration.

The Day 1 Configuration tool helps you configure your devices for threat prevention using best-practice
recommendations from Palo Alto Networks.

Why Use Day 1 Configuration Templates?

Instead of extensive and detailed "how-to" documentation, Day 1 Configuration templates provide an easy-to-implement configuration model that is related to use case. The emphasis is on key security elements, such as dynamic updates, Security profiles, rules, and logging that should be consistent across deployments.

Day 1 Configuration templates use common best-practice recommendations and compile them. These templates can be loaded into Panorama or a next-generation firewall. Benefits of Day 1 Configuration templates include:

• Faster time to implement
• Reduced configuration errors
• Improved security posture

Day 1 Configuration in Network Security

If you have already registered a device, you can access the Day 1 Configuration tool from Assets > Network Security.

Then, select the Day 1 Configuration icon for an NGFW.

Day 1 Configuration in Tools

Or, if you have already registered a device, you can access the Day 1 Configuration tool from Tools > Run Day 1 Configuration.

Day 1 Configuration in Devices

Or, if you have already registered a device, you can access the Day 1 Configuration tool from Devices > Run Day 1 Config.

What Are the Day 1 Configuration Steps?

Day 1 Configuration prompts you to enter a PAN-OS version.

1. Specify the same PAN-OS version you selected during Device Registration.
2. Enter a hostname for your device.
3. Enter IP information and log server information for the device.

Some values have been provided as examples below.

Finally, click Generate Config File. The newly generated config file is then downloaded via your browser. If you
have downloads blocked, make sure to allow the download or add an exception.
Import and load the prepared Day 1 Configuration file onto your firewall.

Key Idea

• A Day 1 Configuration template only supports IPv4. If you need IPv6, you must configure it by
CLI instead of the automated configuration tool. You can also configure IPv6 after the IPv4
configuration using the GUI or CLI.

4.3.1 References

• Day 1 Configuration
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PM2lCAG

4.4 Use, deploy, and tag Panorama plugins

Panorama Plugins
The Panorama extensible plugin architecture enables support for third-party integration plugins, such as VMware NSX, and other Palo Alto Networks products, such as the GlobalProtect cloud service. With this modular architecture, you can take advantage of new capabilities without waiting for a new PAN-OS version.

To understand the Panorama plugins in detail, refer to Section 1.3.

Deployment and tagging

You can install one or more of the available plugins on Panorama to enable integration with the GlobalProtect cloud service, Cortex Data Lake, or VMware NSX, or for monitoring your virtual machines on AWS or Azure public cloud.

For the cloud services plugin, you must activate a valid authentication code on the Customer Support Portal and
select the region—Americas or Europe—to which you want to send logs.

Key Idea

• If you have a version of a plugin currently installed and you install a new version of the plugin,
Panorama replaces the currently installed version.

Step 1: Download the plugin.

1. Select Panorama > Plugins.

2. Select Check Now to retrieve a list of available updates.

3. Select Download in the Action column to download the plugin.

Refer to the Compatibility Matrix for the minimum supported PAN-OS version for each Panorama plugin.

Step 2: Install the plugin.

Select the version of the plugin and click Install in the Action column to install the plugin. Panorama will alert you when the installation is complete. For more details, refer to Install the VMware NSX Plugin or Install the Cloud Services Plugin.

Key Idea

• When installing the plugin for the first time on a Panorama HA pair, first install the plugin on the passive peer. The peer
will transition to a nonfunctional state.
After you successfully install the plugin on the active peer, the passive peer returns to a functional state.

4.4.1 References

• Panorama Plugins
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins
• Install Panorama Plugins
https://docs.paloaltonetworks.com/panorama/10-2/panorama-admin/panorama-plugins/about-panorama-plugins/install-panorama-plugins

4.5 Deploy VM-Series and CN-Series

VM-Series
• VM-Series firewalls support two license types (BYOL and PAYG) and two different licensing models—Software Next-Generation
Firewall credits for flexible configurations that you specify with a deployment profile, and fixed VM-Series model configurations.
Both models also license security services and other features.

• You can deploy the VM-Series firewall on the following platforms:

• VM-Series for VMware vSphere Hypervisor (ESXi) and vCloud Air
You can deploy any VM-Series model as a guest virtual machine on VMware ESXi; this arrangement is ideal for cloud or networks where a virtual form factor is required. For details, see Set Up a VM-Series Firewall on an ESXi Server and Set Up the VM-Series Firewall on vCloud Air.

• VM-Series on VMware NSX-T
You can deploy the VM-100, VM-300, VM-500, or VM-700 in your NSX-T environment. For details, see Set Up the VM-Series Firewall on VMware NSX-T (North-South).

• VM-Series for Amazon Web Services (AWS)
You can deploy any VM-Series model, except the VM-50, on EC2 instances on the AWS Cloud. For details, see Set Up the VM-Series Firewall on AWS.

• VM-Series for Google Cloud Platform
You can deploy any VM-Series model, except the VM-50 and the VM-50 Lite, on Google Compute Engine instances. For details, see Set Up the VM-Series Firewall on Google Cloud Platform.

• VM-Series for Kernel Virtualization Module (KVM)
You can deploy any VM-Series model on a Linux server that is running the KVM hypervisor. For details, see Set Up the VM-Series Firewall on KVM.

• VM-Series for Microsoft Hyper-V
You can deploy any VM-Series model on a Windows Server 2012 R2 server with the Hyper-V role add-on enabled or a standalone Hyper-V 2012 R2 server. For details, see Set Up the VM-Series Firewall on Hyper-V.

• VM-Series for Microsoft Azure
You can deploy any VM-Series model, except the VM-50, on the Azure VNet. For details, see Set up the VM-Series Firewall on Azure.

CN-Series

To deploy the CN-Series firewall, you must complete the following tasks:

• If not done already, License the CN-Series Firewall. Generate your authorization code and have it available when you are ready to deploy the CN-Series firewall.
• Review the CN-Series Prerequisites before you begin your deployment. Make sure you understand the system requirements needed to deploy the CN-Series firewall.
• Prepare the components.
• Generate a VM Auth Key on Panorama.
• (Optional) Generate the Auto-Registration PIN for the CN-Series.
• Create Service Accounts for Cluster Authentication.
• Deploy Panorama to configure, deploy, and manage your CN-Series firewall deployment. For more information about deploying and setting up a Panorama appliance, see Set Up Panorama.
• Install the Kubernetes Plugin and Set up Panorama for CN-Series.
• Get the Images and Files for the CN-Series Deployment. Access the Palo Alto Networks Customer Support Portal to download the Docker files and GitHub to get the YAML files required to deploy the CN-Series firewall in your Kubernetes environment.
• Deploy the CN-Series firewall.
• Edit the YAML files to fit your deployment. Review the Editable Parameters in CN-Series Deployment YAML Files before you deploy the CN-Series firewall. Many of the parameters set in the YAML files must be modified to successfully deploy the CN-Series firewall.
• Deploy the CN-Series Firewall as a Kubernetes Service.
• Deploy the CN-Series Firewall as a DaemonSet.

• (Optional) If you are deploying your CN-Series firewall as a Kubernetes service, you can Enable Horizontal Pod Autoscaling
on the CN-Series. Horizontal pod auto scaling (HPA) allows your CN-Series firewall deployment to autoscale dynamically
along with your Kubernetes environment.

• If you are deploying your CN-Series in an OpenShift environment, see Deploy the CN-Series on OpenShift. • If you are
securing 5G traffic with your CN-
Series firewall, see Secure 5G With the CN-Series Firewall.

• After you have deployed your CN-Series firewall, use Panorama to configure Security policies
that enable traffic enforcement and push those policies to the firewall.

Refer to the link below for details on the deployment of the CN-Series in supported environments. https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments

4.5.1 References

• VM-Series Deployments
https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/about-the-vm-series-firewall/vm-series-deployments
• CN-Series Deployment Guide
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment
• CN-Series Deployment—Supported Environments
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/cn-series-firewall-for-kubernetes/cn-series-deployment-environments
• CN-Series Deployment Checklist
https://docs.paloaltonetworks.com/cn-series/10-2/cn-series-deployment/secure-kubernetes-workloads-with-cn-series/cn-series-deployment-checklist

4.6 Spin up, locate, and demonstrate demo, lab, or Ultimate Test Drive

Multiple sources are available for providing exposure to Palo Alto Networks technologies. For lab environments, you can leverage resources at Qwiklabs. Current information about Qwiklabs can be found at:

• AWS QwikLab Registration
• AWS CloudNGFW QwikLab
• AWS GWLB QwikLab with VM-Series
• AWS CN-Series QwikLab

Ultimate Test Drives (UTDs) are guided, hands-on experiences designed to familiarize participants with Palo Alto Networks technology and to
enhance their understanding of how our products work and how they can improve an organization's security posture.

Each UTD addresses a different topic. All workshops take place in a virtual lab environment with step-by-step directions and an expert
instructor to guide the participants.

Format
• Technical
• Hands-on lab, activities, and tasks
• Guided experience
• Runs on Cloudshare platform

Delivery
• Virtual: Webinar format (exclusively online) with SE instructor (2-3 hour session, 50 people max.)
OR
• Live: In-person, on-site event with SE instructor (2-3 hour session)

What kinds of UTDs does Palo Alto Networks provide?

Who delivers UTD?


Palo Alto Networks SE delivered

• A Palo Alto Networks SE is the instructor (for new prospects or existing accounts).

Partner SE delivered

• A Partner SE is the instructor (for partners, prospects or customers).

Virtual UTD—pre-scheduled managed online event

• Regional scheduled events open to the public
• Delivered online (webinar format)

What is an Ultimate Test Drive?

• Exciting and immersive!
• A conversion and demand-generation tool
• A virtual lab environment—read/write access
• An evaluation-acceleration tool
• A way to expose customers to new products and solutions

What is UTD not?

• A training tool
• A full demonstration of our platform
• Full coverage of our products

How does the UTD benefit your customer?

• Hands-on experience. Guided technical overview of products and solutions to build understanding and comfort.
• Quick and easy. Simple, free walk-through of product features, UI, and benefits.
• Convenient. No setup, a virtual environment, a step-by-step guide.

How does the UTD benefit you?

• Generates services and product opportunities. Provides insight into other areas of our technology to expand deals.
• Accelerates deals. Demonstrates technology to speed up the evaluation process.
• Breaks through noise in the market. Clearly shows the power of our technology.

There is a 51 percent win rate for initial business opportunities that run to UTD.

4.6.1 References

• Ultimate Test Drive (UTD)
https://beacon.paloaltonetworks.com/student/path/825466?sid=8785726e-8520-4469-b6e7-4e5bfe8c7e00&sid_i=0

4.7 Summary of Key Ideas

• If you are running an evaluation license for firewall management on your Panorama virtual appliance and want to apply a Panorama license that you purchased, perform the tasks Register Panorama and Activate/Retrieve a Firewall Management License when the Panorama Virtual Appliance is Internet-connected.
• Panorama can manage firewalls and collect logs even when the support license expires. However, in that case, software and content updates will be unavailable. The software and content versions on Panorama must be the same or later than the versions on the managed firewalls; otherwise, errors will occur. For details, see Panorama, Log Collector, Firewall, and WildFire Version Compatibility.
• You cannot use Panorama to activate the support license for firewalls. You must access the firewalls individually to activate their support licenses.
• Check that the WildFire Analysis profile rules include the advanced file types that the WildFire subscription supports.
• A Day 1 Configuration template only supports IPv4. If you need IPv6, you must configure it by CLI instead of the automated configuration tool. You can also configure IPv6 after the IPv4 configuration using the GUI or CLI.
• If you have a version of a plugin currently installed and you install a new version of the plugin, Panorama replaces the currently installed version.
• When installing the plugin for the first time on a Panorama HA pair, first install the plugin on the passive peer. The peer will transition to a nonfunctional state. After you successfully install the plugin on the active peer, the passive peer returns to a functional state.

4.8 Sample Questions

1. Where can you purchase Panorama virtual appliances on Azure? to. AWS Marketplace b. Palo Alto
Networks v. Azure Marketplace
d. Third-party websites

2. If no license has been installed, within how many days from the upgrade date can you install
a valid device management license? to. 180 b. 90 c.
150 d. 100

3. Panorama automatically performs a daily check-in with the licensing server. The check-in is hard-coded to occur between which hours? to.
12:00 am to 1:00 am 12:00 am to 12:30 am 1:00 am to 1:30 am
1:00 am to 2:00 am

4. A Day 1 Configuration template supports which of the following?


to. IPv4 b.
IPv6 c.
MAC routing d. VWire
routing

5. Which three plugin configuration options are supported for use in Panorama? (Choose
three.) a.
Cisco ACI b. GCP
c. OCI d.
AMC e.
VMware
NSX

6. Where can you download the Docker files for CN-Series deployment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

7. Which three statements are true for Ultimate Test Drive? (Choose three.)
a. It is a conversion and demand-generation tool.
b. It is a training tool.
c. It is an evaluation-acceleration tool.
d. It is a full demonstration of our platform.
e. It is a way to expose customers to new products and solutions.

8. In a Day 1 Configuration template, where can you configure IPv6 after the IPv4 configuration?
a. GUI
b. CLI
c. Cortex
d. Both GUI and CLI

9. What is the win rate for initial business opportunities that run to UTD?
a. 71%
b. 68%
c. 51%
d. 88%


Domain 5: Network Security Best Practices

5.1 Explain why intrazone policies in cloud are a best practice

The two default Security rules are appended after the user-defined Security rules:

• A green single cog image next to the “intrazone-default” rule name indicates that the rule is predefined or comes from Panorama. A tooltip is available on the image.
• A double cog image next to the “interzone-default” rule name indicates that the rule is in the current virtual system and overrides the values of a rule from Panorama.
• The “intrazone-default” rule action is allow.
• The “interzone-default” rule action is deny.

The following describes the three rule types.

Universal: A Security policy rule that applies to traffic between the specified source and destination zones, whether the source and destination are the same zone or different zones. The rule matches all interzone and intrazone traffic in the specified source and destination zones.

For example, if you create a universal rule with source zones A and B and destination zones A and B, the rule would apply to all traffic:
• Within zone A
• Within zone B
• From zone A to zone B
• From zone B to zone A

Intrazone: A Security policy rule that applies to traffic within the same zone. The rule matches all traffic within the specified source zones (you cannot specify a destination zone for intrazone rules).

For example, if you set the source zone to A and B, the rule would apply to all traffic within zone A and zone B, but not to traffic between zones A and B.

Interzone: A Security policy rule that applies to traffic between two different zones. Traffic within a single zone never matches a rule of this type. The rule matches all traffic between the specified source and destination zones.

For example, if you set the source zone to A, B, and C and the destination zone to A and B, the rule would apply to traffic from:
• Zone A to zone B
• Zone B to zone A
• Zone C to zone A
• Zone C to zone B
It will NOT apply to traffic within zones A, B, or C.

A user-defined security rule can be configured as universal, intrazone, or interzone.

When a rule is configured as intrazone, the destination zone cannot be changed, and its value comes from the source zone.


You cannot change the names or functions of the predefined or Panorama-pushed intrazone-default and interzone-default rules. This is indicated by a green border around the editor and the Read Only wording in the title.

To make a change to predefined or Panorama-pushed intrazone-default or interzone-default rules, you must override
these rules.

You can override these rules if there is a green single cog image next to the rule name.

The override action will bring up a security rule editor with two tabs.

• On the General tab, only the Tags field can be modified.
• On the Actions tab, only the Profile Setting and Log Setting fields can be modified.

To get back the predefined or Panorama-pushed value, perform the revert action.

On Panorama, the default rules are visible in a separate tree node, below the security pre and post rules. The green
single cog image next to the name indicates that the rule is from an ancestor device group or is shared or predefined.

A double cog image next to the name indicates that the rule is overriding that of an ancestor device group rule, shared
rule, or predefined rule.
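The following Python model is an added example, not code from the study guide or from PAN-OS: it implements the zone-matching semantics of the three rule types and of the two predefined default rules described above, and checks them against the zone-A/B/C examples from the rule-type descriptions (the rule names are constructed for the example).

```python
"""Model of PAN-OS Security rule-type matching. Added example; not code from the
study guide or from PAN-OS. Shows which zone pairs a universal, intrazone or
interzone rule matches and how the predefined intrazone-default (allow) and
interzone-default (deny) rules are appended after the user-defined rules."""
from dataclasses import dataclass, field
from typing import Iterable, List, Set, Tuple

ANY = "any"  # zone wildcard used by the predefined default rules


@dataclass
class Rule:
    name: str
    rule_type: str              # "universal", "intrazone" or "interzone"
    action: str                 # "allow" or "deny"
    source_zones: Set[str]
    destination_zones: Set[str] = field(default_factory=set)

    def __post_init__(self) -> None:
        if self.rule_type not in ("universal", "intrazone", "interzone"):
            raise ValueError(f"unknown rule type {self.rule_type!r}")
        # An intrazone rule cannot carry its own destination zones: the
        # destination is derived from the source zones.
        if self.rule_type == "intrazone":
            self.destination_zones = set(self.source_zones)

    @staticmethod
    def _zone_in(zone: str, zones: Set[str]) -> bool:
        return ANY in zones or zone in zones

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        if not (self._zone_in(src_zone, self.source_zones)
                and self._zone_in(dst_zone, self.destination_zones)):
            return False
        if self.rule_type == "intrazone":
            return src_zone == dst_zone
        if self.rule_type == "interzone":
            return src_zone != dst_zone
        return True  # universal: both intrazone and interzone traffic


# The two predefined rules that sit at the end of every Security rulebase.
DEFAULT_RULES: List[Rule] = [
    Rule("intrazone-default", "intrazone", "allow", {ANY}),
    Rule("interzone-default", "interzone", "deny", {ANY}, {ANY}),
]


def evaluate(rules: Iterable[Rule], src_zone: str, dst_zone: str) -> Tuple[str, str]:
    """Return (rule name, action) of the first match: user-defined rules in
    order, then the predefined default rules."""
    for rule in list(rules) + DEFAULT_RULES:
        if rule.matches(src_zone, dst_zone):
            return rule.name, rule.action
    raise AssertionError("unreachable: the default rules cover every zone pair")


def matched_pairs(rule: Rule, zones: Iterable[str]) -> Set[Tuple[str, str]]:
    """All (source, destination) zone pairs among `zones` that `rule` matches."""
    zones = list(zones)
    return {(s, d) for s in zones for d in zones if rule.matches(s, d)}


# The three example rules from the study guide's rule-type descriptions (zones A, B, C).
UNIVERSAL_AB = Rule("universal-AB", "universal", "allow", {"A", "B"}, {"A", "B"})
INTRAZONE_AB = Rule("intrazone-AB", "intrazone", "allow", {"A", "B"})
INTERZONE_ABC_AB = Rule("interzone-ABC-AB", "interzone", "allow", {"A", "B", "C"}, {"A", "B"})


if __name__ == "__main__":
    for rule in (UNIVERSAL_AB, INTRAZONE_AB, INTERZONE_ABC_AB):
        print(rule.name, sorted(matched_pairs(rule, "ABC")))
    # With only the interzone rule configured, traffic inside zone C falls to
    # intrazone-default (allow) and traffic from A to C to interzone-default (deny).
    print(evaluate([INTERZONE_ABC_AB], "C", "C"), evaluate([INTERZONE_ABC_AB], "A", "C"))
```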

Key Idea

• You can use Panorama to configure Security policy rules.

5.1.1 Reference

• What are Universal, Intrazone and Interzone Rules: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClomCAC

5.2 Describe the use of object tagging and DAGs

DAGs allow you to create a policy that automatically adapts to changes such as adding, moving, or deleting servers.
They also provide the flexibility to apply different rules to the same server based on tags that define the server's role in
the network, the operating system, or the different kinds of traffic it processes.

Membership in a DAG is determined using tag names or tag-based filters. Either external software or the firewall can
automatically add a tag to an IP address, and then you can associate that tag with a dynamic address group. For
example, VMware NSX software can assign a tag to the IP address of a newly created virtual machine, or the auto-
tagging capability included in the log forwarding feature of the firewall can add a tag to an IP address.

Auto-tagging allows the firewall or Panorama to tag a policy object when it receives a log that matches specific criteria
and establishes IP-address-to-tag or user-to-tag mapping.


When the firewall generates a threat log, you can configure the firewall to tag the source IP address or source
user in the Threat log with a specific tag name. You can use these tags to automatically populate policy objects
such as DAGs, which you can then use to automate security actions in Security, Authentication, or Decryption
policies. For example, when you create a filter for the URL logs for “yes” in the Credential Detected column, you
can apply a tag that enforces an Authentication policy that requires the user to authenticate using multi-factor
authentication (MFA).

Redistribute the mappings across your network by registering the IP-address-to-tag and user-to-tag mappings to a PAN-OS integrated User-ID agent on the firewall or Panorama, or to a remote User-ID agent, using an HTTP Server profile. The firewall can automatically remove a tag associated with an IP address or user when you configure a timeout as part of a built-in action in the log forwarding settings.

For example, if the firewall detects that a user has potentially compromised credentials, you could configure the
firewall to require MFA authentication for that user for a given period, then configure a timeout to remove the user
from the MFA requirement group.
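As an added example (not code from the study guide or from PAN-OS), the Python model below shows how DAG membership follows from IP-address-to-tag mappings, including a tag registered with the timeout described above that drops out of the group on its own. The match-criteria syntax (quoted tags joined with and/or, with parentheses) follows the PAN-OS DAG style; the addresses and tag names are constructed sample values.

```python
"""Dynamic address group (DAG) membership from IP-address-to-tag mappings with
auto-tag timeouts. Added example, not code from the study guide or PAN-OS."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Quoted tags, parentheses and the and/or operators; anything else is rejected.
_TOKEN_RE = re.compile(r"'([^']*)'|\(|\)|\band\b|\bor\b|\S+")


def _tokenize(expr: str) -> List[Tuple[str, str]]:
    tokens = []
    for m in _TOKEN_RE.finditer(expr):
        if m.group(1) is not None:
            tokens.append(("TAG", m.group(1)))
        elif m.group(0) in ("(", ")", "and", "or"):
            tokens.append((m.group(0).upper(), m.group(0)))
        else:  # e.g. an unquoted tag name, which would otherwise never match anything
            raise ValueError(f"unexpected token {m.group(0)!r} in {expr!r}")
    return tokens


class _Parser:
    """Recursive descent over the match criteria; 'and' binds tighter than 'or'.
    or_expr := and_expr ('or' and_expr)*; and_expr := primary ('and' primary)*;
    primary := TAG | '(' or_expr ')'."""
    def __init__(self, tokens: List[Tuple[str, str]]) -> None:
        self.toks, self.i = tokens, 0
    def _peek(self) -> Optional[str]:
        return self.toks[self.i][0] if self.i < len(self.toks) else None
    def _take(self) -> Tuple[str, str]:
        if self.i >= len(self.toks):
            raise ValueError("unexpected end of match criteria")
        self.i += 1
        return self.toks[self.i - 1]
    def parse(self):
        node = self._or()
        if self._peek() is not None:
            raise ValueError("trailing tokens in match criteria")
        return node
    def _or(self):
        node = self._and()
        while self._peek() == "OR":
            self._take()
            node = ("or", node, self._and())
        return node
    def _and(self):
        node = self._primary()
        while self._peek() == "AND":
            self._take()
            node = ("and", node, self._primary())
        return node
    def _primary(self):
        kind, text = self._take()
        if kind == "TAG":
            return ("tag", text)
        if kind == "(":
            node = self._or()
            if self._take()[0] != ")":
                raise ValueError("missing ')' in match criteria")
            return node
        raise ValueError(f"unexpected {text!r} in match criteria")


def _eval(node, tags: Set[str]) -> bool:
    if node[0] == "tag":
        return node[1] in tags
    left, right = _eval(node[1], tags), _eval(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


class TagRegistry:
    """IP-address-to-tag mappings. A tag registered with a timeout, as the
    log-forwarding built-in action can do, drops out on its own when it expires."""
    def __init__(self) -> None:
        self._tags: Dict[str, Dict[str, Optional[float]]] = {}  # ip -> {tag: expiry}
    def register(self, ip: str, tag: str, now: float, timeout: Optional[float] = None) -> None:
        self._tags.setdefault(ip, {})[tag] = None if timeout is None else now + timeout
    def tags_for(self, ip: str, now: float) -> Set[str]:
        return {t for t, exp in self._tags.get(ip, {}).items() if exp is None or exp > now}
    def dag_members(self, match_criteria: str, now: float) -> Set[str]:
        """Addresses whose currently live tags satisfy the DAG match criteria."""
        tree = _Parser(_tokenize(match_criteria)).parse()
        return {ip for ip in self._tags if _eval(tree, self.tags_for(ip, now))}


def demo_registry(now: float = 1000.0) -> TagRegistry:
    """Constructed sample mappings; the addresses and tags are made up."""
    reg = TagRegistry()
    sample = {"10.1.1.10": ("web", "prod"), "10.1.1.11": ("web", "dev"), "10.1.1.12": ("db", "prod")}
    for ip, tags in sample.items():
        for tag in tags:
            reg.register(ip, tag, now)
    # Auto-tag from a threat log with a 3600 s timeout (e.g. for an MFA-required group).
    reg.register("10.1.1.11", "credential-leak", now, timeout=3600)
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    print(reg.dag_members("('web' or 'db') and 'prod'", 1000.0))
    print(reg.dag_members("'credential-leak'", 4601.0))  # empty once the timeout has passed
```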

Key Idea

• Dynamic user groups do not support auto-tagging from HIP Match logs.

5.2.1 References

• Dynamic Address Groups: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/monitor-changes-in-the-virtual-environment/use-dynamic-address-groups-in-policy
• Auto-Tagging: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

5.3 Explain how Zero Trust relates to VM-Series and CN-Series cloud deployments

Zero Trust is a business-driven, strategic approach to securing your most critical data, applications, assets, and
services (DAAS) as well as your users based on what is important to your business, in a protected surface. Zero
Trust strategy is infrastructure-neutral, so you can apply it to all physical and virtual locations—network, public
cloud, private cloud, and endpoint.

The concept behind Zero Trust is simple: trust is a vulnerability.

Trust nothing in the digital environment—packets, identities, devices, or services—and verify everything. There is
no such thing as default trust. Eliminating trust helps prevent successful data breaches, simplifies operations
through automation and a reduced rulebase, and simplifies regulatory compliance and audits because Zero Trust
environments are designed for compliance and easy auditing.

Zero Trust strategy is not something you implement once and copy from network to network because each environment and protected surface is different. As businesses change over time, the goals and DAAS elements also change. Strategy is always business-specific, and security strategy is specific to protecting what is important to your business.

Five-step methodology for implementing a Zero Trust strategy

The five-step methodology for implementing a Zero Trust strategy presents a logical path to protect your environment, data, applications, assets, services, and users.

This methodology works whether you are implementing a Zero Trust strategy in the cloud, on a private network,
or on endpoints, regardless of infrastructure.

Step 1: Define your protect surface.


Step 2: Map the protected surface transaction flows.
Step 3: Architect a Zero Trust network.
Step 4: Create the Zero Trust Policy.
Step 5: Monitor and maintain the network.

Step 1: Define Your Protect Surface

A protect surface is what is valuable to your business—DAAS elements you need to protect to ensure normal business operation.

Defining your protect surface enables you to focus on defending what really matters to your business instead of
trying to identify and protect the entire attack surface or focusing on just the perimeter. The protect surface is also
much smaller than the attack surface or the perimeter, so it is easier to protect.

Define your protect surface based on the most crucial DAAS elements for your business:

• Data: What data needs to be protected? Think about intellectual property such as proprietary code or
processes, personally identifiable information (PII), payment card information (PCI), and personal
health information (PHI) such as Health Insurance Portability and Accountability Act (HIPAA)
information.
• Applications: Which applications consume sensitive information? Which applications are
critical for your business functions?
• Assets: Which assets are the most sensitive? Depending on your business, that could be Supervisory
Control and Data Acquisition (SCADA) controls, POS terminals, medical equipment, manufacturing
equipment, and groups of critical servers.
• Services: Which services can attackers exploit to disrupt IT operations and negatively
impact the business?

Step 2: Map the Protect Surface Transaction Flows

Map the transaction flows or interactions between your critical DAAS elements and users to understand their interdependencies—who has business reasons to access each element, in what manner, and at what time. Mapping helps you understand how to create a Security policy that allows only authorized users access to specific data and assets using the specified applications. (This is the principle of least privilege.)

There are many ways to map transaction flows. Some techniques for defining your protect surface apply, as well:


• Leverage existing flow diagrams if you have them (compliance and auditing sometimes require businesses to create flow diagrams).
• Work with application, network, and enterprise architects, as well as business representatives, to understand the purpose of applications and the transaction flow they envision.
• Insert one or more next-generation firewalls transparently into your network in virtual wire mode to gain visibility into traffic. Check Traffic logs to view and analyze traffic.
• Use third-party tools from Palo Alto Networks integrated partners.
• Use log information from the Cortex Data Lake to gain visibility into, and map, transaction flows. The Cortex Data Lake aggregates logs from the Next-Generation Firewall, VM-Series firewalls, Prisma Access, and Cortex XDR.
• Map the flow of application data across the network, the computing objects required for each application, and who uses each application.
• Find out who uses the data, where you collect, store, use, and transfer the data, and how the data is stored, encrypted, archived, or destroyed after use.
• For each asset, find out its location, who uses it, when they use it, and where the asset fits into workflows.
• Map the service workflows across the environment.

Step 3: Architect a Zero Trust Network

Armed with an understanding of your protect surface and transaction flows, begin architecting your Zero Trust network. Architect the business-critical protect surfaces you identified in Step 1 from the inside out. Keep in mind ease of operation and maintenance, as well as flexibility to accommodate protect surface and business changes. Run the Best Practice Assessment tool to set a best-practice configuration baseline and measure progress toward your Zero Trust goals.

The cornerstone of the architecture is segmentation gateways—physical or virtual Palo Alto Networks next-generation
firewalls that connect your network segments and enforce Layer 7 policy.
Run all traffic through a segmentation gateway, place segmentation gateways as close as possible to the resources
they protect, and use them in conjunction with other Palo Alto Networks capabilities to automate as much as possible.
Next-generation firewalls:

• Create a microperimeter in Layer 7 policy around each protect surface. This prevents lateral movement because the microperimeter
provides granular policy controls for who (User-ID) accesses what applications (App-ID) and resources in what manner (Content-
ID) and at what time through the segmentation gateway. Segment based on how transactions flow across your network and
how your users and applications access data and services.

• Aggregate security capabilities into a single control point for all traffic entering and exiting the protected surface. The segmentation gateway should enforce policy, decrypt encrypted traffic, and apply protections such as:
◦ DNS Security (use the DNS Security service, which provides multiple real-time threat intelligence sources, infinitely scalable real-time analysis of DNS requests, and advanced DNS signatures)
◦ Intrusion prevention (Vulnerability Protection, Anti-Spyware, and Antivirus profiles)
◦ Blocking potentially dangerous file types
◦ Preventing unknown and Day 1 threats (WildFire)
◦ URL Filtering
◦ Data Loss Prevention (DLP)

• Decrypt and inspect traffic at Layer 7 in real time.

• Log every session, then send the logs to the Cortex Data Lake from Panorama for managed firewalls,
from individual firewalls, from Prisma Access (formerly GlobalProtect cloud service), and from Cortex
XDR to centralize and aggregate your on-premises and virtual (private and public cloud) log storage
for physical and VM-Series firewalls.

• Use APIs for tight integration with third-party defense tools from partners.

• Automate feedback loops that detect events and automate responses.

• Use templates and template stacks in Panorama to automate policy deployment.

• Use tools such as Ansible, Terraform, and Python to automate, orchestrate, and accelerate protecting
Prisma Cloud deployments.

Palo Alto Networks enables you to architect your Zero Trust environment and apply consistent security across all
locations:

• Panorama centralizes management policy control for multiple next-generation firewalls and increases
operational efficiency compared to managing firewalls individually.

• Corporate network and data center: Use next-generation firewalls to segment the
network into microperimeters for your protected surfaces.

• Public cloud: Use Prisma Access, which uses on-premises or VM-Series next-generation firewalls, and
Prisma Cloud (an API-based cloud infrastructure security solution) to implement Zero Trust policy in
cloud environments. VPCs define protection boundaries to segment workloads.

• Private cloud: Use VM-Series firewalls to implement Zero Trust policy.

• Branch office and mobile users: Use Prisma Access to provide cloud-based security and to avoid
round-trips to corporate network resources. Configure Prisma Access for users and also Prisma
Access for networks to secure branches. Alternatively, use an on-premises next-generation firewall
with the GlobalProtect subscription service to extend security policy and enforcement to remote users
and branch offices.

• Endpoints: Layer protection by using the Next-Generation Firewall for segmentation and the first layer
of protection, and using Cortex XDR agent for the second layer of protection. Enforce consistent policy
using GlobalProtect (on-premises installation) or Prisma Access (installed using Panorama and
managed for you in the cloud) VPNs to extend policy to remote endpoints and enable policy to move
with the user. Prisma Access requires the GlobalProtect app on mobile-user endpoints. In all cases,
install the GlobalProtect app on managed endpoints and use GlobalProtect Clientless VPN on
unmanaged endpoints (endpoints on which you cannot or do not want to place an agent, such as partner systems or personal devices). Apply multi-factor authentication when appropriate to protect high-value assets.

• SaaS applications: Use Prisma SaaS to scan, analyze, classify, and help protect SaaS applications.
Redirect SaaS application traffic for unmanaged devices through your next-generation firewall.

Step 4: Create the Zero Trust Policy


Zero Trust policy consists of allow rules that allow only authorized users to access specific resources using the
specified applications at the right time in the right places. If traffic does not match a rule, the firewall automatically
blocks the traffic. This is important because:

• It is much easier to know the applications you want to allow to support your business than to take on the never-ending task of
identifying and blocking all the applications you do not want to allow.

• All breaches and malicious activity happen on allow rules. Focus security on traffic you
allow, and allow only the traffic required for business.

Zero Trust policy is based on the Kipling Method. Answering Rudyard Kipling's six-tuple of questions, “who, what,
when, where, why, and how,” shows you how to decide whether to allow or block traffic and how to create a
Security policy that safeguards each protect surface.

Step 5: Monitor and Maintain the Network


Security is an iterative process because logging and monitoring reveal improvements to make in sync with your
business and network changes over time. Follow the operational processes you developed when architecting the
network to maintain and continually update prevention controls.

Key Idea

• Zero Trust policy is based on the Kipling Method.

The way you apply the methodology depends on what you are protecting and your business requirements—what's
critical to your business—but the outcomes you are working toward are the
same:

• Segment the network effectively and efficiently to prevent lateral movement.
• Protect business-critical data and systems from unauthorized applications and users.
• Protect business-critical applications from unauthorized access and usage.
• Enforce policy seamlessly across networks, cloud, and endpoints to simplify management and apply consistent policy everywhere.

5.3.1 Reference

• What is Zero Trust for the Cloud? https://docs.paloaltonetworks.com/best-practices/10-1/zero-trust-best-practices/zero-trust-best-practices/what-is-zero-trust-and-why-do-i-need-it


5.4 Leverage automation tools to deploy Palo Alto Networks solutions

The Palo Alto Networks auto scaling templates for AWS help you to configure and deploy VM-Series firewalls to protect applications deployed
in AWS. The templates leverage AWS scalability features to independently and automatically scale VM-Series firewalls deployed in AWS to
meet surges in application workload resource demand.

• The VM-Series automation capabilities include the PAN-OS API and bootstrapping (using a
bootstrap file for version 2.0 and Panorama for version 2.1).

• AWS automation technology includes CloudFormation templates and scripts for AWS services such as Lambda, auto scaling groups (ASGs),
Elastic Load Balancing (ELB), S3, and SNS.

The templates are available on the Palo Alto Networks GitHub repository for Auto Scaling VM-Series
Firewalls in AWS:

• Version 2.0 provides a firewall template and an application template. These templates and the supporting scripts deploy VM-Series
firewalls, an internet-facing firewall, an internal firewall, and application ASGs in one or more VPCs.

In version 2.0, Palo Alto Networks supports the firewall template while the application template is community-supported. See VM-
Series Auto Scaling Template for AWS Version 2.0 for deployment details.

• Version 2.1 includes two firewall templates and five application templates. It adds support for deployment in a single VPC and adds
support for a load balancer sandwich topology that enables you to deploy the VM-Series firewalls in a front-end VPC and the back-
end applications in one or more application VPCs connected by VPC peering or AWS PrivateLink.

In version 2.1, you can implement both application load balancers (ALBs) and network load balancers (NLBs) in VPCs.

Key Idea

• VM-Series automation capabilities include the PAN-OS API and bootstrapping.

5.4.1 Reference

• Auto Scaling VM-Series Firewalls with the Amazon ELB Service: https://docs.paloaltonetworks.com/vm-series/10-2/vm-series-deployment/set-up-the-vm-series-firewall-on-aws/auto-scale-vm-series-firewalls-with-the-amazon-elb

5.5 Compare and contrast Prisma Cloud Compute (PCC) and CN-Series

Prisma Cloud provides comprehensive visibility and threat detection to mitigate risks and secure your workloads in a hybrid and multi-cloud
environment. If your organization is leveraging public cloud platforms and a rich set of microservices to rapidly build and deliver applications,
Prisma Cloud offers cloud native application security controls for public cloud platforms, hosts, containers, and serverless technologies.


Prisma Cloud Compute Edition delivers cloud workload protection platform (CWPP) for modern enterprises,
providing holistic protection across hosts, containers, and serverless deployments in any cloud, throughout the
application life cycle. Prisma Cloud Compute Edition is cloud native and API-enabled, protecting all your workloads
regardless of their underlying compute technology or the cloud in which they run. The CN-Series is the industry's
first ML-powered firewall that helps enforce enterprise-level network security and threat protection in container traffic
across Kubernetes namespace boundaries. CN-Series provides inline traffic filtering. The CN-Series container
firewalls help network security teams safeguard developers with deep security integration into Kubernetes
orchestration. Deploy the CN-Series to secure traffic between pods in different trust zones and namespaces, for
protection against known and zero-day malware, and to block data exfiltration from your containerized environments.

Key Idea

• Prisma Cloud Compute Edition is cloud native and API-enabled.
• CN-Series provides inline traffic filtering.

5.5.1 References

• Prisma Cloud Compute: https://www.paloaltonetworks.com/resources/datasheets/prisma-cloud-compute-edition-aag
• CN-Series: https://docs.paloaltonetworks.com/cn-series

5.6 Summary of Key Ideas

• You can use Panorama to configure Security policy rules.
• Dynamic user groups do not support auto-tagging from HIP Match logs.
• Zero Trust policy is based on the Kipling Method.
• VM-Series automation capabilities include the PAN-OS API and bootstrapping.
• Prisma Cloud Compute Edition is cloud native and API-enabled.
• CN-Series provides inline traffic filtering.

5.7 Sample Questions

1. Which three of the following are cloud policy rule types? (Choose three.)
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

2. Which Security policy rule type allows traffic from a zone to the same zone?
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal


3. What does SCADA stand for?
a. Supervisory Communication and Data Acquisition
b. Supervisory Control and Data Acquisition
c. Supervisory Central and Data Acquisition
d. Supervisory Control and Data Association

4. Which of the following allows the firewall or Panorama to tag a policy object when it receives a log that matches specific criteria?
a. DAG
b. Zero Trust
c. Universal policy
d. Auto-tagging

5. What does CWPP stand for?
a. Cloud Workload Private Platform
b. Cloud Workload Public Platform
c. Cloud Workload Protection Platform
d. Cloud Workload Prevention Platform

6. Zero Trust policy is based on which method?
a. Bootstrap Method
b. Discovery Method
c. Kipling Method
d. Authentication Method

7. What are three of the DAAS elements? (Choose three.)
a. Data
b. Applications
c. Automation
d. Services

8. What can be autoscaled to ensure security when you need it most?
a. DNS Security
b. A dynamic address group
c. A virtual firewall
d. The Bootstrap Method

9. Intrusion prevention includes: (Choose three.)
a. Blocking potentially dangerous file types
b. Infinitely scalable real-time analysis of DNS requests
c. URL Filtering
d. Data Loss Prevention (DLP)

10. The virtual firewalls of which two cloud types secure virtualized compute resources and hypervisors? (Choose two.)
a. Private cloud
b. Protected cloud
c. Public cloud
d. Hybrid cloud


Appendix A: Sample Questions with Answers


Below are the questions offered throughout the study guide, with the correct answers indicated.

Domain 1
1. In AWS, which of the following publishes metrics for auto scaling?
a. AWS S3 Bucket
b. AWS Lambda
c. AWS CloudWatch
d. AWS Auto Scaling Groups (ASG)

2. While defining an address group, each registered IP address can have up to how many tags?
a. 32
b. 64
c. 16
d. 8

3. VM-Series Plugin enables integration with:
a. Public Clouds
b. Private Clouds
c. Public and Private cloud
d. Hypervisors

4. Which two statements are true for Panorama plugins? (Choose two.)
a. Panorama plugins are available for both VM-Series and Hardware-based Firewall.
b. Panorama plugins are optional and can be removed.
c. Panorama plugins are built-in.
d. Panorama plugin versions are independent of Panorama version.

5. Which three statements are true with respect to VM-Series plugin upgrades? (Choose three.)
a. Can be upgraded manually independent of PAN-OS.
b. Can be upgraded locally in the virtual firewall.
c. PAN-OS upgrade is mandatory to upgrade VM-Series plugins.
d. Upgrades can be managed centrally through Panorama.
e. Every plugin version is compatible with all the PAN-OS versions.

6. What are three advantages of network segmentation? (Choose three.)
a. It boosts performance.
b. It makes managing firewall policies easier.
c. It helps localizing technical issues.
d. It makes virtual clouds more secure.
e. It can be implemented only as physical segmentation.

7. What is used to aggregate logs from all the managed firewalls and provide visibility into all data traffic?
a. Cortex Data Lake
b. Panorama
c. Application Command Center
d. Dedicated log collectors

8. Which two parameters are considered while estimating ROI using Palo Alto Networks VM-Series Virtual Firewalls Estimator? (Choose two.)
a. No. of firewalls to be deployed
b. No. of NetOps and SecOps staff in the organization
c. Quantity of data to be inspected
d. Amount spent on physical firewalls over a life cycle of 5 years

Domain 2
1. Which security service assists file safety by automatically detecting unknown malware?
a. URL Filtering
b. WildFire
c. App-ID
d. Threat Prevention

2. Which profile is used to categorize content?
a. URL Filtering
b. Threat Prevention
c. Zero Trust
d. Data Loss Prevention

3. Ansible is used for what purpose?
a. Providing PAN-OS application signature updates
b. Automating device configuration
c. Optimizing firewall resource consumption
d. Identifying transit traffic

4. Which of the following is a package manager for containers?
a. Terraform
b. Helm
c. Ansible
d. YAML

5. What is the basic operational unit of Kubernetes?
a. Node
b. Container
c. Kubernetes services
d. Pod

6. VM-Series is applicable for which of the following traffic scenarios?
a. Inbound
b. North-south and east-west
c. East-west only
d. Outbound

7. What is the order of Kubernetes constructs from smallest to largest in terms of size and scope?
a. Node, namespace, pod, cluster
b. Namespace, node, cluster, pod
c. Pod, node, namespace, cluster
d. Pod, node, cluster, namespace

8. Which environment uses software and virtualization to provide network connectivity for dispersed locations?
a. On-premise
b. SDN
c. SD-WAN
d. Nutanix

9. After deselecting a credit pool, you see a reminder to activate those credits. What will be your next step?
a. Select the credit pool you want to activate.
b. Deposit credits.
c. Purchase a different credit pool.
d. Return to your email and click the Start Activation link.

Domain 3

1. Threat Prevention and WildFire services enabled on CN-Series firewalls: (Choose three.)
a. Block exploits
b. Prevent malware
c. Ensure that protections are always up to date
d. Stop only known advanced threats
e. Stop both known and unknown advanced threats

2. Where can you download Configuration templates?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

3. CN-Series as a Kubernetes CNF in HA mode of deployment supports _______ with session and configuration synchronization.
a. Active/active HA
b. Active/passive HA
c. Passive/passive HA
d. 1:n/n:1

4. How many default templates can you find on Panorama after downgrading the Kubernetes plugin from 3.0.0?
a. Five
b. Four
c. Two
d. Six

5. In Kubernetes CNF mode, which protocol is supported on Native/OnPrem environments, but not on public clouds?
a. BGP
b. BFD
c. Tunnel interface
d. OSPF

6. Which mode of deployment allows the firewall to route traffic between multiple ports?
a. Tap mode
b. Layer 2
c. Virtual wire
d. Layer 3

7. Which threat detection system can monitor the traffic traversing within the VPC boundary?
a. Advanced URL Filtering
b. Cloud IDS
c. Threat monitoring
d. GlobalProtect

8. After git cloning the repository from GitHub, what do you need to do immediately to deploy the CN-Series firewall?
a. Change into a local directory for the cloned repository.
b. Change to the subdirectory for your deployment.
c. Edit the values.yaml file.
d. Generate the VM auth key on Panorama.

9. VM-Series can be deployed on which three of the following platforms? (Choose three.)
a. XenServer
b. NSX-T
c. AWS
d. Azure
e. On-Premises

10. In which layer is the firewall capable of inspecting and providing threat prevention for tagged or untagged traffic?
a. Layer 3
b. Layer 7
c. Layer 4
d. Layer 2

Domain 4

1. Where can you purchase Panorama virtual appliances on Azure?
a. AWS Marketplace
b. Palo Alto Networks
c. Azure Marketplace
d. Third-party websites

2. If no license has been installed, within how many days from the upgrade date can you install a valid device management license?
a. 180
b. 90
c. 150
d. 100

3. Panorama automatically performs a daily check-in with the licensing server. The check-in is hard-coded to occur between which hours?
a. 12:00 am to 1:00 am
b. 12:00 am to 12:30 am
c. 1:00 am to 1:30 am
d. 1:00 am to 2:00 am

4. A Day 1 Configuration template supports which of the following?
a. IPv4
b. IPv6
c. MAC routing
d. VWire routing

5. Which three plugin configuration options are supported for use in Panorama? (Choose three.)
a. Cisco ACI
b. GCP
c. OCI
d. AMC
e. VMware NSX

6. Where can you download the Docker files for CN-Series deployment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

7. Which three statements are true for Ultimate Test Drive? (Choose three.)
a. It is a conversion and demand-generation tool.
b. It is a training tool.
c. It is an evaluation acceleration tool.
d. It is a full demonstration of our platform.
e. It is a way to expose customers to new products and solutions.

8. In a Day 1 Configuration template, where can you configure IPv6 after the IPv4 configuration?
a. GUI
b. CLI
c. Cortex
d. Both GUI and CLI

9. What is the win rate for initial business opportunities that run to UTD?
a. 71%
b. 68%
c. 51%
d. 88%

Domain 5

1. Which three of the following are cloud policy rule types? (Choose three.)
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

2. Which Security policy rule type allows traffic from a zone to the same zone?
a. Intrazone
b. Interzone
c. Zero Trust
d. Universal

3. What does SCADA stand for?
a. Supervisory Communication and Data Acquisition
b. Supervisory Control and Data Acquisition
c. Supervisory Central and Data Acquisition
d. Supervisory Control and Data Association

4. Which of the following allows the firewall or Panorama to tag a policy object when it receives a log that matches specific criteria?
a. A DAG
b. Zero Trust
c. Universal policy
d. Auto-tagging

5. What does CWPP stand for?
a. Cloud Workload Private Platform
b. Cloud Workload Public Platform
c. Cloud Workload Protection Platform
d. Cloud Workload Prevention Platform

6. Zero Trust policy is based on which method?
a. Bootstrap Method
b. Discovery Method
c. Kipling Method
d. Authentication Method

7. What are three of the DAAS elements? (Choose three.)
a. Data
b. Applications
c. Automation
d. Services


8. What can be autoscaled to ensure security when you need it most?
a. DNS Security
b. A dynamic address group
c. A virtual firewall
d. The Bootstrap Method

9. Intrusion prevention includes: (Choose three.)
a. Blocking potentially dangerous file types
b. Infinitely scalable real-time analysis of DNS requests
c. URL Filtering
d. Data Loss Prevention (DLP)

10. The virtual firewalls of which two cloud types secure virtualized compute resources and hypervisors? (Choose two.)
a. Private cloud
b. Protected cloud
c. Public cloud
d. Hybrid cloud


Appendix B: Sample Test


These questions are intended to simulate taking the PSE Software Firewall Professional exam. They are not the same as the sample
questions provided earlier in this study guide.

1. Which of the following is a valid CN-MGMT metric to auto scale CN-Series firewall?
a. mgmtplanecpuutilizationpct
b. panthroughput
c. panpacketrate
d. pandataplaneslots

2. What does VPC stand for?
a. Virtual Public Cloud
b. Virtual Prisma Cloud
c. Virtual Private Cloud
d. Virtual Protected Cloud

3. In network segmentation, what are two advantages of subdividing the network into smaller subnets and VLANs? (Choose two.)
a. It reduces the scope of broadcast packets.
b. You can isolate machines on different network segments.
c. It improves network performance.
d. It prevents a threat from spreading to other network segments.

4. Which three statements are true for the UTD? (Choose three.)
a. It is available to both prospects and customers.
b. It is free to use.
c. It can be delivered in person or online (webinar style).
d. It provides full coverage of our products.
e. It is a full demonstration of our platform.

5. Which of the following is an architecture-based approach to enhance network security?
a. Identity allocation
b. Network segmentation
c. Advanced URL Filtering
d. DNS sinkholing

6. Terraform templates can be used to secure workloads on which two platforms? (Choose two.)
a. AWS
b. Azure
c. Jenkins
d. GitHub

7. VM-Series automation methods include which of the following? (Choose two.)
a. Zero Trust
b. PAN-OS API
c. URL Filtering
d. Bootstrapping

8. Which two statements are true for CN-Series deployment modes? (Choose two.)
a. They provide an automated security deployment.
b. They provide unlimited insertion options.
c. They leverage the auto scaling capabilities of Kubernetes.
d. They support I/O acceleration.

9. Microsegmentation helps provide consistent security across private and public clouds by virtue of which three principles? (Choose three.)
a. Visibility
b. Granular security
c. Dynamic adaptation
d. Threat prevention
e. Exfiltration prevention

10. Which statement is true regarding CN-Series firewall licensing?
a. A single license is needed per management plane.
b. Credits are used to scale the data plane and add subscriptions.
c. Panorama manages the licenses.
d. A license is needed for both the management plane and data plane.

11. Which Palo Alto Networks service provides protection against new and unknown threats?
a. Advanced URL Filtering
b. DNS Security
c. GlobalProtect
d. Prisma SaaS

12. Panorama supports forwarding logs to:
a. Cortex Data Lake
b. A Log Collector
c. Either a Log Collector, the Cortex Data Lake, or both in parallel
d. The Application Command Center

13. Which platform cannot run a VM-Series firewall natively?
a. NSX
b. OCI
c. Xen
d. GCP

14. Logical segmentation can be achieved using:
a. User-ID
b. Subnets
c. Timestamps
d. App-ID

15. What is Ansible?
a. It is a collection of scripts for collecting data.
b. It is an orchestration engine for task automation such as device configuration.
c. It is a module used to facilitate communication between network devices.
d. It is an open-source container orchestration system for automating software deployment, scaling, and management.

16. Which Kubernetes auto scaling method allows your CN-Series firewall deployment to auto scale dynamically along with your Kubernetes environment?
a. Horizontal pod auto scaling
b. Vertical cluster auto scaling
c. Cluster auto scaling
d. Namespace auto scaling

17. Where can you access the Day 1 Configuration? (Choose three.)
a. Assets > Network Security
b. Activate Products
c. Tools > Run Day 1 Configuration
d. Devices > Run Day 1 Config
e. Groups

18. Which two standards does HPA use for scaling?
a. CPU Utilization
b. Memory Utilization
c. Packet Buffer Utilization
d. Session Utilization

19. Where can you find the YAML files required to deploy the CN-Series firewall in your Kubernetes environment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

20. Virtual wire interfaces will forward traffic from which of the following connected device types?
a. Layer 2 switches
b. Layer 3 routers
c. Layer 7 firewalls
d. Layer 4 multiplexing
e. Layer 6 encryption


Appendix C: Answers to the Sample Test


Below are the answers to the sample test from Appendix B.

1. Which of the following is a valid CN-MGMT metric to auto scale CN-Series firewall?
a. mgmtplanecpuutilizationpct
b. panthroughput
c. panpacketrate
d. pandataplaneslots

2. What does VPC stand for?
a. Virtual Public Cloud
b. Virtual Prisma Cloud
c. Virtual Private Cloud
d. Virtual Protected Cloud

3. In network segmentation, what are two advantages of subdividing the network into smaller subnets and VLANs? (Choose two.)
a. It reduces the scope of broadcast packets.
b. You can isolate machines on different network segments.
c. It improves network performance.
d. It prevents a threat from spreading to other network segments.

4. Which three statements are true for the UTD? (Choose three.)
a. It is available to both prospects and customers.
b. It is free to use.
c. It can be delivered in person or online (webinar style).
d. It provides full coverage of our products.
e. It is a full demonstration of our platform.

5. Which of the following is an architecture-based approach to enhance network security?
a. Identity allocation
b. Network segmentation
c. Advanced URL Filtering
d. DNS sinkholing

6. Terraform templates can be used to secure workloads on which two platforms? (Choose two.)
a. AWS
b. Azure
c. Jenkins
d. GitHub

7. VM-Series automation methods include which of the following? (Choose two.)
a. Zero Trust
b. PAN-OS API
c. URL Filtering
d. Bootstrapping

8. Which two statements are true for CN-Series deployment modes? (Choose two.)
a. They provide an automated security deployment.
b. They provide unlimited insertion options.
c. They leverage the auto scaling capabilities of Kubernetes.
d. They support I/O acceleration.

9. Microsegmentation helps provide consistent security across private and public clouds by virtue of which three principles? (Choose three.)
a. Visibility
b. Granular security
c. Dynamic adaptation
d. Threat prevention
e. Exfiltration prevention

10. Which statement is true regarding CN-Series firewall licensing?
a. A single license is needed per management plane.
b. Credits are used to scale the data plane and add subscriptions.
c. Panorama manages the licenses.
d. A license is needed for both the management plane and data plane.

11. Which Palo Alto Networks service provides protection against new and unknown threats?
a. Advanced URL Filtering
b. DNS Security
c. GlobalProtect
d. Prisma SaaS

12. Panorama supports forwarding logs to:
a. Cortex Data Lake
b. A Log Collector
c. Either a Log Collector, the Cortex Data Lake, or both in parallel
d. The Application Command Center

13. Which platform cannot run a VM-Series firewall natively?
a. NSX
b. OCI
c. Xen
d. GCP

14. Logical segmentation can be achieved using:
a. User-ID
b. Subnets
c. Timestamps
d. App-ID

15. What is Ansible?
a. It is a collection of scripts for collecting data.
b. It is an orchestration engine for task automation such as device configuration.
c. It is a module used to facilitate communication between network devices.
d. It is an open-source container orchestration system for automating software deployment, scaling, and management.

16. Which Kubernetes auto scaling method allows your CN-Series firewall deployment to auto scale dynamically along with your Kubernetes environment?
a. Horizontal pod auto scaling
b. Vertical cluster auto scaling
c. Cluster auto scaling
d. Namespace auto scaling

17. Where can you access the Day 1 Configuration? (Choose three.)
a. Assets > Network Security
b. Activate Products
c. Tools > Run Day 1 Configuration
d. Devices > Run Day 1 Config
e. Groups

18. Which two standards does HPA use for scaling?
a. CPU Utilization
b. Memory Utilization
c. Packet Buffer Utilization
d. Session Utilization

19. Where can you find the YAML files required to deploy the CN-Series firewall in your Kubernetes environment?
a. Palo Alto Networks Customer Support Portal
b. Palo Alto Networks public documentation
c. GitHub repository
d. Marketplace

20. Virtual wire interfaces will forward traffic from which of the following connected device types?
a. Layer 2 switches
b. Layer 3 routers
c. Layer 7 firewalls
d. Layer 4 multiplexing
e. Layer 6 encryption


Appendix D: Glossary
• Access token - A virtual credential that can be used by an application to access an API. It can either be an opaque string or a JSON Web Token.

• Access Control Lists (ACLs) - A set of rules that help to control network traffic and reduce
network attacks.

• Application Load Balancers (ALBs) - A feature of Elastic Load Balancer. See Elastic Load
Balancing (ELB).

• Application Programming Interface (API) - Enables two or more software applications to communicate with each other by acting as an intermediary.

• App-ID - A patented traffic-classification system available only in Palo Alto Networks firewalls. It determines
what an application is, regardless of port, protocol, encryption (SSH or SSL) or any other evasive tactics
used by the application. It applies multiple classification mechanisms—application signatures, application
protocol decoding, and heuristics—to the network traffic stream to accurately identify applications.

• Application Gateway - Used to help users access a web app. An application gateway creates a temporary pinhole for a limited time
and exclusively for transferring data or controlling network traffic.

• Auto Scaling Groups (ASGs) - A logical grouping used in auto scaling and management.

• Azure Kubernetes Service (AKS) - A way to deploy Kubernetes on Azure and manage
Kubernetes environments hosted on Azure.

• Azure Resource Manager (ARM) Templates - Provide users with the ability to manage and
scale Azure services on a public or private cloud.

• Bootstrapping - Allows you to create a repeatable and streamlined process of deploying new VM-Series
firewalls on a network by creating a package with the model configuration for the network and then using
that package to deploy VM-Series firewalls.

• BreakingPoint - A network security test solution that simulates the good application traffic, the bad malicious attack traffic, and the ugly malformed traffic to validate the network performance and security posture, reduce risk, and increase attack readiness.

• Bridge protocol data unit (BPDU) - A data message used to detect loops in a network. A BPDU contains
information about ports, switches, port priority, and addresses.

• Bring your own license (BYOL) - A licensing model that allows flexible use of licenses
owned by a company.

• Cloud-Delivered Security Services (CDSS) - A group of services provided by Palo Alto Networks to make cloud applications secure. CDSS include:
  • Advanced URL Filtering
  • DNS Security
  • Enterprise DLP
  • IoT Protection
  • SaaS Security
  • Threat Prevention
  • WildFire

• CloudFormation - A service by AWS that helps set up and model resources to reduce the time spent in managing resources.
CloudFormation templates can be used to autoscale firewalls in AWS.

• CloudWatch - A monitoring and management service by AWS that provides actionable data
such as metrics and logs to better manage and optimize resources.

• Cloud Workload Protection Platform (CWPP) - Central to Palo Alto Networks strategy to help organizations secure infrastructure,
applications, and data across hybrid and multicloud environments.

• Command-line interface (CLI) - A utility that allows the user to monitor and configure the
device.

• Container - An isolated environment in which an application or part of an application can run. The processes that run inside a container
are isolated from processes running in other containers on the same server.

• Cortex Data Lake - A service by Palo Alto Networks that provides cloud-based, centralized log storage and aggregation for on-premises
and virtual firewalls, Prisma Access, and cloud-delivered services such as Cortex XDR. The service is secure, resilient, and fault-
tolerant, and it ensures that logging data is up to date and available when needed. It provides a scalable logging infrastructure that
alleviates the need to plan and deploy Log Collectors to meet log retention needs.

• CN-Series - The container-native version of the ML-Powered Next-Generation Firewall, designed specifically for Kubernetes environments.

• CNI - Container Network Interface, which is a framework for the dynamic configuration of
networking resources.

• CRI-O - The name derives from CRI plus Open Container Initiative (OCI) because CRI-O is strictly focused on OCI-compliant runtimes
and container images. Allows you to run containers directly from Kubernetes, without any unnecessary code or tooling.

• Daemonset - A controller that manages pods like Deployments, ReplicaSets, and StatefulSets.

• Data loss prevention (DLP) - A security strategy that ensures that sensitive or confidential information does not leak outside of the
corporate network in a way that is unsafe or noncompliant.


• Day 1 Configuration - A tool that helps build a sturdy baseline configuration by providing best-practice
configuration templates as a foundation on which you can build the rest of the configuration.

• DevOps - A practice that unites development and operations teams throughout the software-delivery
process, enabling them to discover and remediate issues earlier, automate testing and deployment, and
reduce time to market.

• Docker - A software framework for building, running, and managing containers.

• Dynamic Host Configuration Protocol (DHCP) - Provides a framework for passing configuration information to hosts on a TCP/IP network.

• EC2 - A service that provides scalable computing capacity to launch virtual machines. EC2, or the AWS
Elastic Compute Cloud, categorizes instance families—General Purpose, Compute Optimized, Memory
Optimized, Accelerate Networking, and Storage Optimized—to fit different use cases and application
profiles.

• Elastic Kubernetes Service (EKS) - A Kubernetes-conformant managed service for running Kubernetes on AWS.

• ELB - Elastic Load Balancing, which automatically distributes application traffic for multiple
targets and virtual appliances in one or more availability zones.

• Endpoint - Refers to any remote computing device—such as a desktop, laptop, mobile phone, and so on—that communicates with a network.

• Enterprise Network Compute System (ENCS) - A branch virtualization tool by Cisco that can help deploy
network services in minutes.

• ESXi - Elastic Sky X Integrated. A hypervisor that runs directly on system hardware without
the need for an operating system.

• Exploit - A piece of code or a program that takes advantage of a weakness in an application or system. Exploits are typically divided into
the resulting behavior after the vulnerability is exploited, such as arbitrary code execution, privilege escalation, denial of service, or data
exposure.

• GitHub - A website and cloud-based service that helps developers store and manage their
code, as well as track and control changes to their code.

• GlobalProtect - Provides a complete infrastructure for managing your mobile workforce to enable secure access for all your users, regardless of what endpoints they are using or where they are located. It includes the following components:
  • GlobalProtect Portal
  • GlobalProtect Gateways
  • GlobalProtect App

• Google Cloud Platform (GCP) - A suite of cloud computing services offered by Google that runs on the
same infrastructure that Google uses internally for its end-user products, such as Google Search, Gmail,
Google Drive, and YouTube.


• Google Kubernetes Engine (GKE) - A fully managed Kubernetes service that helps you deploy Kubernetes
on GCP.

• Graphical user interface (GUI) - An interface through which a user interacts with electronic devices such
as computers and smartphones using icons, menus, and other visual indicators or representations.

• High availability (HA) - A deployment in which two firewalls are placed in a group and their configuration is
synchronized to prevent a single point of failure on your network. A heartbeat connection between the
firewall peers ensures seamless failover in the event that a peer goes down.

• HTTP - Hypertext Transfer Protocol (HTTP). This is an application-layer protocol model for distributed,
collaborative, hypermedia information systems.

• Hub-and-Spoke Architecture - Hub-and-spoke is a type of message-oriented broker. It uses a central message broker, and the
communication between each application is done via this broker.

• Hyper-V - A standalone hypervisor or an add-on/role for Windows Server.

• Hypervisor - Technology that allows multiple virtual (or guest) operating systems to run
concurrently on a single physical host computer.

• Instance - A copy of a software or application running on a physical or virtual machine.

• Internet Protocol (IP) address - A 32-bit or 128-bit identifier assigned to a networked device for
communications at the Network layer of the OSI model or the Internet layer of the TCP/IP model. See
also Open Systems Interconnection (OSI) model and Transmission Control Protocol/Internet Protocol
(TCP/IP) model.

• Kernel-based Virtual Machine (KVM) - An open-source virtualization module for servers running Linux
distributions.

• Lambda - An event-driven, serverless computing platform that is part of Amazon Web Services. Lambda
layers are ZIP archives that contain libraries, custom runtimes, or other dependencies. These layers let
you add reusable components to your functions and focus deployment packages on business logic.

• Load Balancer - A traffic cop for networks to balance the load on various VPCs inside an application. It is
used to scale up and down any application based on demand.

• Log - A detailed audit trail of all the changes made to a network.

• Malware - A file or code, typically delivered over a network, that infects, explores, steals, or exhibits virtually any behavior an attacker wants.

• Mean time to resolution (MTTR) - The average time to fully recover from a failure.


• MFA - Multi-factor authentication (MFA). An electronic authentication method in which access is granted to a user only after successful
presentation of two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence.

• Monolithic architecture - A traditional software-development model that describes the development of an application as a single block.

• Network Address Translation (NAT) - A method of mapping an IP address or IP address space into another by modifying network
address information in the IP header of packets. A common use for NAT is to obscure the real IP address of a host that needs
access to public addresses.

• Net present value (NPV) - The total value of all future cash flows generated by a project.

• NLBs - Network Load Balancers

• NSX-T - Offers a flexible software-defined infrastructure to create environments for cloud native applications. It makes networking and security operations easier.

• OAM - Operations, administration, and maintenance

• OpenShift - A cloud-based Kubernetes platform that helps developers build applications. It offers automated installation, upgrades, and
life-cycle management throughout the container stack.

• Oracle Cloud Infrastructure (OCI) - A set of products and services that allow customers to
manage and scale their networks.

• OVA - Open Virtualization Alliance

• PAN-DB - A URL and IP database from Palo Alto Networks, integrated with PAN-OS.

• PAN-OS - The software that runs all Palo Alto Networks next-generation firewalls. By leveraging the key technologies that are built into PAN-OS—App-ID, Content-ID, Device-ID, and User-ID—you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.

• Panorama - A centralized management system that provides global visibility and control over multiple Palo Alto Networks next-
generation firewalls through an easy-to-use web-based interface.

• Persistent Volume (PV) - A piece of storage inside the cluster that has been provisioned by administrators or dynamically provisioned
by storage classes.

• Plugin - A software add-on that adds a feature to an existing program. Plugins help you use functionalities that are not native to an
application, without upgrading or changing the entire application.

• POC (Proof of Concept) - The most effective test you can run to make sure you are getting
the right NGFW for your environment.


• Pod - The smallest building block of a Kubernetes cluster. A pod can contain one or more
containers.

• Private cloud - A cloud computing model that consists of a cloud infrastructure used
exclusively by a single organization.

• Protect surface - In a Zero Trust architecture, the protect surface consists of the most
critical and valuable data, assets, applications, and services on a network.

• Protocol data units (PDUs) - Chunks of information that are sent between various entities within networks. This
information can be used to control things like addresses or data. In layered systems, a PDU represents a unit
of data specified in the protocol of a given layer, which includes protocol control information and user data.

• Public cloud - A cloud computing deployment model that consists of a cloud infrastructure
open to use by the general public.

• Pub/sub - Also known as publish/subscribe messaging, this is a messaging service used in serverless or microservices architectures.

• Quality of Service - The use of mechanisms or technologies to control traffic and ensure the
performance of critical applications on a network with limited capacity.

• Representational State Transfer (REST) API - Allows for interaction with RESTful web services. It works on the
REST Architecture, hence the name. The Panorama REST API allows you to manage firewalls and Panorama
through a third-party service, application, or script.

• Routes - Predefined paths for data-packet traffic to flow between or across multiple
networks.

• SaaS - Software as a service (SaaS). A software licensing method that provides software licensing on a
subscription basis. It uses a delivery model that is centrally hosted.

• Secure Sockets Layer (SSL) proxy - Performs Secure Sockets Layer encryption and
decryption between server and client.

• Security policy - Protects network assets from threats and disruptions and helps to optimally allocate network resources for enhancing
productivity and efficiency in business processes. On a Palo Alto Networks firewall, individual Security policy rules determine
whether to block or allow a session based on traffic attributes, such as the source and destination security zone, the source and
destination IP address, the application, the user, and the service.

• Simple Network Management Protocol (SNMP) - Used to manage and monitor LAN or
WAN networks.

• Simple Notification Service (SNS) - An AWS service used to send notifications directly to
the customers.

• Simple Storage Service (S3) - Scalable and affordable storage service by AWS.


• Software-Defined Network (SDN) - A networking approach that uses software-based controllers or APIs to communicate with
underlying hardware infrastructure and direct traffic on a network.

• Software-Defined Wide Area Network (SD-WAN) - A technology that allows you to use multiple internet and private services to
create an intelligent and dynamic WAN. It helps lower costs and maximize application quality and usability.

• Stateful set - The workload API object used to manage stateful applications.

• Subnet IP address (SNIP) - An IP address that is owned and used by the Citrix ADC to communicate with the Citrix servers. The Citrix
ADC proxies client connections to servers by using the subnet IP address as the source IP address.

• Tags - Used to identify the purpose of a rule or a configuration object and better organize your rulebase. You can tag objects to group
related items and add color to the tag to visually distinguish them for easy scanning. You can create tags for the following objects:
address objects, address groups, user groups, zones, service groups, and policy rules.

• Template stack - Used to configure the setting that enables firewalls to operate on networks. Templates are the basic building blocks
you use to configure the Network and Device tabs on Panorama. Template stacks give you the ability to layer multiple templates
and create a combined configuration. They simplify management by allowing you to define a common base configuration for all
devices attached to the template stack.

• Threat signature - A typical footprint or pattern associated with a malicious attack on a computer network or system. There are three
types of Palo Alto Networks threat signatures, each designed to detect different types of threats as the firewall scans network traffic:

• Antivirus signatures - Detect viruses and malware found in executables and file types.

• Anti-spyware signatures - Detect command-and-control activity, where spyware on an infected client is collecting data without
the user's consent and/or communicating with a remote attacker.

• Vulnerability signatures - Detect system flaws that an attacker might otherwise attempt to exploit.

• Throughput - A measure of the number of data packets that can be processed in a unit of
time. It is the rate of successful packet deliveries over a channel.

• Ultimate Test Drives (UTDs) - Guided, hands-on experiences designed to familiarize participants with Palo Alto Networks technology
and to enhance their understanding of how our products work and how they can improve an organization's security posture.

• User defined routing (UDR) table - Used to route traffic in a subnet in Azure. In the absence
of UDR, Azure uses the default routes.

• Virtual LAN (VLAN) - A logical overlay network that isolates the traffic for each group of devices that share a physical LAN and groups
them together.


• Virtual Machine Scale Sets (VMSS) - A native service of Azure that allows you to create and
manage a group of load-balanced virtual machines.

• Virtual Private Cloud (VPC) - An on-demand configurable pool of shared resources allocated within a public cloud environment,
providing a certain level of isolation between the different organizations using the resources.

• Visibility - A firewall's ability to track and log the traffic regardless of its origin or
destination.

• VM authentication key - Allows Panorama to authenticate the newly bootstrapped VM-Series firewall.

• VM Monitoring - Provides an automated way to gather information on the VM inventory on each monitored source (host). As virtual
machines (guests) are deployed or moved, the firewall collects a predefined set of attributes (or metadata elements) as tags;
these tags can then be used to define dynamic address groups and be matched against in policy.

• VMware ESXi - An operating-system-independent hypervisor, based on the VMkernel operating system, that communicates with agents operating on top of it.

• VNet - One of the fundamental building blocks of an Azure private network. VNet, or Azure Virtual Network, enables services like Azure
Virtual Machines to communicate securely with both on-premises and external networks.

• WildFire - Identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to detect and
block the malware.

• XSOAR Marketplace - The central location for installing, exchanging, contributing, and managing your content, including playbooks,
integrations, automations, fields, layouts, and
more.

• YAML - A data-serialization language that is commonly used in configuration files. The acronym stands for “yet another markup
language” or “YAML ain't markup language.”

• Zero Trust - A business-driven, strategic approach to securing your most critical data, applications, assets, and services (DAAS).

Appendix E: What's Different in This Study Guide


As this is the first release of this Study Guide, there are no changes of note.


Continuing Your Learning Journey with Palo Alto Networks

Training from Palo Alto Networks and our Authorized Training Partners delivers the knowledge and expertise to prepare you to protect our
way of life in the digital age. Our trusted security certifications give you the Palo Alto Networks product portfolio knowledge necessary to
prevent successful cyberattacks and to safely enable applications. A full description of offerings can be found at the Palo Alto Networks
Education Services main site.

Digital Learning

For those of you who want to keep up to date on our technology, a learning library of free digital learning is available. These on-demand,
self-paced digital-learning classes are a helpful way to reinforce the key information for those who have been to the formal hands-on classes.
They also serve as a useful overview and introduction to working with our technology for those unable to attend a hands-on, instructor-led
class. More information can be found at the Palo Alto Networks Education Services site (https://www.paloaltonetworks.com/services/education)
and also at Beacon (https://beacon.paloaltonetworks.com/student/catalog).

Simply register in Beacon and you will be given access to our digital-learning portfolio. These online classes cover foundational material and
contain narrated slides, knowledge checks, and, where applicable, demos for you to access.

New courses are being added often, so check back to see new curriculum available.

Instructor-Led Training

Looking for a hands-on, instructor-led course in your area?

Palo Alto Networks Authorized Training Partners (ATPs) are located globally and offer a breadth of solutions from onsite training to public,
open-environment classes. About 42 authorized training centers are delivering online courses in 14 languages and at convenient times for
most major markets worldwide.

For class schedule, location, and training offerings, see: https://www.paloaltonetworks.com/services/education/atc-locations.

Learning Through the Community

You can also learn from your peers and other experts in the field. Check out our community site at https://live.paloaltonetworks.com, where you can:

• Discover reference material
• Learn best practices
• Learn what is trending
