PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

Cisco TrustSec technology uses Security Group Tags (SGTs) to enforce access controls on Layer 2 traffic. When implementing Zone Protection on a Palo Alto Networks firewall in an environment with Cisco TrustSec, you should configure Ethernet SGT Protection. This setting ensures that the firewall can recognize SGTs in Ethernet frames and apply the appropriate actions based on the configured policies.The use of Ethernet SGT Protection in conjunction with TrustSec is covered in advanced firewall configuration documentation and in interoperability guides between Palo Alto Networks and Cisco systems.

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

• The concept of a "master device" in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.
• By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.
• This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/manage-software-and-content-updates

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-web-interface-help/panorama-web-interface/panorama-device-deployment/panorama-dynamic-updates-revert-content

When configuring Quality of Service (QoS) policies, particularly for traffic going to or from specific IP addresses and involving NAT, it's important to base the rule on how the firewall processes the traffic. For QoS, the firewall evaluates traffic using pre-NAT IP addresses and zones because QoS policies typically need to be applied before the NAT action occurs. This is especially true for inbound traffic, where the goal is to limit bandwidth before the destination IP is translated.

The correct combination for a QoS rule in this scenario, where the aim is to limit bandwidth for downloads from a specific server (implying inbound traffic to the server), would be:

D. Pre-NAT source IP address Pre-NAT source zone:

• Pre-NAT source IP address: This refers to the original IP address of the client or source device before any NAT rules are applied. Since QoS policies are evaluated before NAT, using the pre-NAT IP address ensures that the policy applies to the correct traffic.
• Pre-NAT source zone: This is the zone associated with the source interface before NAT takes place. Using the pre-NAT zone ensures that the QoS policy is applied to traffic as it enters the firewall, before any translations or routing decisions are made.

By configuring the QoS rule with pre-NAT information, the firewall can accurately apply bandwidth limitations to the intended traffic, ensuring efficient use of network resources and mitigating the impact of large file downloads from the specified server.

For detailed guidelines on configuring QoS policies, refer to the Palo Alto Networks documentation, which provides comprehensive instructions and best practices for managing bandwidth and traffic priorities on the network.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications12. References: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)

Why use Security Policy Optimizer and what are the benefits?

To determine the egress interface a Palo Alto Networks firewall will use to route a specific IP address, the appropriate command is test routing fib-lookup ip 10.2.5.3 virtual-router default. This command performs a Forwarding Information Base (FIB) lookup for the specified IP address within the context of the specified virtual router, which in this case is the default virtual router. The FIB lookup process checks the routing table and the associated forwarding information to determine the next-hop and the egress interface for the given IP address. This command is instrumental for troubleshooting and verifying routing decisions made by the firewall to ensure that traffic is routed as expected through the network infrastructure.

If some sites cannot be decrypted due to technical reasons, such as unsupported ciphers, and blocking them is not an option, then the engineer should add the sites to the SSL Decryption Exclusion list to exempt them from decryption. The SSL Decryption Exclusion list is a predefined list of sites that are not subject to SSL decryption by the firewall. The list includes sites that use certificate pinning, mutual authentication, or unsupported cipher suites. The engineer can also add custom sites to the list if they have a valid business reason or technical limitation for not decrypting them34. Adding the sites to the SSL Decryption Exclusion list will allow the traffic to pass through without being decrypted or blocked by the firewall. References: SSL Decryption Exclusion, Troubleshoot Unsupported Cipher Suites

 The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc12. References: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS

When using certificate authentication for firewall administration on Palo Alto Networks devices, the method used for authorization is typically the Local database. Certificate authentication ensures that the entity attempting to access the firewall is in possession of a valid certificate. Once the certificate is validated for authentication, the authorization process determines what level of access or permissions the authenticated entity has. This is usually managed locally on the firewall, where administrators can define roles and permissions associated with different users or certificates. Thus, the authorization process, in this case, leverages the Local database to enforce access controls and permissions, aligning with best practices for secure management of network devices.

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods12. References: DoS Protection, PCNSE Study Guide (page 58)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

"Log redundancy is available only if each Log Collector has the same number of logging disks." (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages

The VPN peer on one end is using policy-based VPN. You must configure a Proxy ID on the Palo Alto Networks firewall. https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/vpns/set-up-site-to-site-vpn/interpret-vpn-error-messages.html

For collecting User-ID user mapping information, the most reliable and commonly used source is directory services, with Microsoft Active Directory being the predominant choice in many organizational environments.

C. Microsoft Active Directory:

• Microsoft Active Directory is a directory service used for user authentication and authorization. It provides a comprehensive database of user accounts, groups, and other objects within an organization's network. Palo Alto Networks firewalls can integrate with Active Directory to obtain real-time user mapping information, which is crucial for implementing security policies based on user identity.
• The integration involves monitoring Active Directory domain controllers for security logs that contain user login events, IP address mappings, and other relevant information. This allows the firewall to accurately and dynamically map user identities to IP addresses, enhancing the granularity and effectiveness of security policies.
• Compared to other sources like Syslog Listener, Microsoft Exchange, or GlobalProtect, Active Directory offers direct and comprehensive insights into user activities and is therefore considered the most reliable source for User-ID user mapping in Palo Alto Networks environments.

When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).

1 block

2 override

3 continue

4 alert

5 allow

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsmCAC

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClGJCA0

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. >Configure an HTTP server profile to forward logs to a remote User-ID agent. > Select the log forwarding profile you created then select this server profile as the HTTP server profile https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNlUCAU &lang=en_US

The CLI command "show system state filter-pretty sys.sl.p8.phy" is used to display detailed physical layer information, which would include the physical media connected to a specific interface such as ethernet1/8. This command is designed to filter the output to show relevant physical layer information for the specified interface.For more information on Palo Alto Networks CLI commands and their outputs, refer to the "PAN-OS® CLI Reference Guide".

When managing firewalls with Panorama, configurations can be pushed from Panorama templates to managed firewalls. However, there are scenarios where specific settings need to be overridden on the local firewall level due to unique requirements or exceptions.

B. The modification will not be visible in Panorama:

• When an override is made directly on the firewall, this change is not automatically reflected back in Panorama's templates or device groups. The local configuration on the firewall will take precedence over the Panorama pushed configuration for the overridden settings, but these local changes will not be visible in the Panorama interface. This means that while Panorama maintains central control and visibility over the bulk of the configuration, it does not have visibility into local overrides made directly on the firewalls.

This distinction is crucial for auditors and administrators to understand, as it impacts how configurations are managed and synchronized between Panorama and the individual firewalls. Local overrides provide flexibility but require careful management to ensure consistency and compliance with security policies.

The image shows an IKE Gateway configuration where Site B is set to IKEv1 only mode, and passive mode is not enabled. For dynamic peering to work when Site A is using a DHCP assigned address:

• Passive mode on Site A needs to be disabled. In passive mode, the firewall will not initiate the IKE negotiation and will only respond to negotiation requests from the peer. Since Site A has a dynamic IP, it must be able to initiate the connection to Site B, which has a static IP.
• Matching the IKE version between Site A and Site B is also necessary for successful IPSec tunnel establishment. Since Site B is set to IKEv1 only mode, Site A also needs to be configured to use IKEv1 to ensure that both sites are using the same version for the IKE negotiation process.

NAT Traversal is used when there are NAT devices between the two endpoints, but there's no indication that this is the case here. Additionally, local identification on Site A is not necessarily related to the issue with dynamic peering not working.

Log Forwarding profiles in Palo Alto Networks firewalls are used to specify the log types that should be forwarded to external services like syslog servers, Panorama, HTTP(S) servers, or email. These profiles enable granular control over which logs are forwarded and where they are sent, facilitating centralized logging and analysis.

B. GlobalProtect:Among the log types supported for forwarding in a Log Forwarding profile, GlobalProtect logs are particularly relevant for organizations using the GlobalProtect VPN solution. These logs contain detailed information about VPN connections, including user authentication, connection establishment, and disconnection events. Forwarding GlobalProtect logs can be crucial for security analysis, troubleshooting VPN issues, and monitoring user access.

For organizations that rely on GlobalProtect for remote access, configuring log forwarding for GlobalProtect logs is essential for maintaining visibility into remote access activities and ensuring secure and efficient VPN operations.

To configure log forwarding for GlobalProtect and other supported log types, administrators can refer to the Palo Alto Networks documentation, which provides detailed instructions on creating and applying Log Forwarding profiles to capture and forward the desired logs for external analysis and storage.

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-timers

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbXCAS https://live.paloaltonetworks.com/t5/general-topics/phase-2-tunnel-is-not-up/td-p/424789

To override a device and network setting applied by a template, you can either configure the setting locally on the firewall or override the setting on the template stack. Configuring the setting locally on the firewall will copy the setting to the local configuration of the device and will no longer be controlled by the template. Overriding the setting on the template stack will apply the setting to all the firewalls that are assigned to the template stack, unless the setting is also overridden locally on a firewall. Changing the setting on the global template will affect all the firewalls that inherit the setting from the template, which is not desirable in this scenario. Configuring a service route for DNS on a different interface will not change the DNS server address, but only the interface that the firewall uses to reach the DNS server. References:

• Override a Template Setting
• How to override panorama pushed template configuration on the local firewall
• Overriding Panorama Template settings

In Palo Alto Networks firewalls, the processing of NAT rules occurs in a top-down fashion, similar to security policies. To exclude a specific IP address from a broader source NAT rule, a more specific NAT rule must be placed above the broader rule.

C. Place a more specific NAT rule above the broader one:

• Create a source NAT rule (NAT-Rule-1) to translate the broader network range (10.0.0.0/23) with dynamic IP and port translation. This rule allows the majority of the subnet to access the internet through NAT.
• Create another NAT rule (NAT-Rule-2) with the source IP address in the original packet set specifically to the IP address that should not be translated (10.0.0.10/32). In this rule, set the source translation to none, indicating that this traffic should not be translated and thus not allowed to access the internet.
• Place NAT-Rule-2 above NAT-Rule-1 in the NAT policy list. This ensures that the more specific rule (NAT-Rule-2) is evaluated first. If traffic matches NAT-Rule-2, it will not be translated or allowed to the internet, effectively excluding the specific server from internet access.

This configuration leverages the principle of specificity and the order of operation in NAT policies to exclude a specific IP address from source NAT translation, thereby preventing it from accessing the internet.

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

• HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
• User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.

• B is the best choice for an SSL Forward Untrust certificate because a self-signed certificate generated on the firewall is not trusted by any client browsers by default1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the self-signed certificate to the client, which will trigger an untrusted certificate warning2. This way, the security admin can ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
• A web server certificate signed by the organization’s PKI (A) or a subordinate Certificate Authority certificate signed by the organization’s PKI © are not good choices for an SSL Forward Untrust certificate because they are trusted by the client browsers that have the organization’s root CA installed1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server or subordinate CA certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
• A web server certificate signed by an external Certificate Authority (D) is not a good choice for an SSL Forward Untrust certificate because it is trusted by most client browsers that have the external CA in their trust store1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

Verified References:

• 1: How to Configure SSL Decryption - Palo Alto Networks Knowledge Base
• 2: How to Implement and Test SSL Decryption - Palo Alto Networks Knowledge Base

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.

For an application that is currently identified as unknown-tcp and has sessions that often remain idle for long periods, creating a custom application and using an application override rule is the most time-efficient solution.

C. The process involves:

• Creating a custom application in the Palo Alto Networks firewall and configuring it with specific timeouts to accommodate the application's idle session behavior. This step ensures that the firewall does not prematurely close the application's sessions due to inactivity.
• Next, creating an application override rule that references the custom application. This rule directs the firewall to identify traffic matching the rule criteria (such as source, destination, and port information) as the custom application, bypassing the App-ID engine's regular identification process.

This approach allows for the quick implementation of a solution that ensures the application is properly identified in traffic logs without undergoing threat scanning, meeting the requirements for both identification and reporting.

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates4. These settings can be configured in a template named “Global” and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy4. References: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)

In a situation where Panorama and its managed firewalls lack internet access, updating PAN-OS requires a manual upload of the downloaded PAN-OS images. The process involves:

D. Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls:

• The engineer first uploads the downloaded PAN-OS images to Panorama. This is done through the "Device Deployment" section, specifically under the "Software" menu. This area of Panorama's interface is designed for managing PAN-OS versions and software updates for the managed devices.
• Once the PAN-OS images are uploaded to Panorama, the engineer can then deploy these images to the firewalls directly from Panorama. This process allows for centralized management of software updates, ensuring that all firewalls can be updated to the latest PAN-OS version in a consistent and controlled manner, even without direct internet access.

This method streamlines the update process for environments with strict security requirements, allowing for the efficient deployment of necessary PAN-OS updates to maintain security and functionality.

Decryption Mirror is a feature that allows a Palo Alto Networks firewall to send a copy of decrypted traffic to an external security device or tool for further analysis. The potential risk associated with Decryption Mirror is that if the firewall administrator's credentials are compromised, a malicious user could potentially access sensitive decrypted information. Hence, it's advised to be cautious and ensure proper handling of this feature.

Additionally, laws and regulations regarding the decryption, storage, inspection, and use of SSL/TLS encrypted traffic vary by country and industry. It is crucial to ensure compliance with relevant laws and best practices when using Decryption Mirror. This often requires consultation with corporate legal counsel to understand the implications and ensure that the use of such features does not violate privacy laws or regulatory requirements.

The need for administrative consent and the legal implications of using Decryption Mirror features are outlined in Palo Alto Networks' "PAN-OS® Administrator’s Guide" and best practice documentation. It is not specifically required to have a tap interface to use Decryption Mirror, which eliminates option A. Option C is incorrect because it is not just management consent but legal compliance that needs to be considered.

Custom Panorama Admin: Custom Panorama Admin roles allow you to customize the elements of Panorama that an administrator can access. You can hide tabs in the web interface, you can set specific items in Panorama to read-only, or you can limit an administrator’s access to Panorama plugins. Custom Panorama Admin roles require planning and configuration, but they provide extensive flexibility because you can control what administrators can access through the web interface or the CLI. Device Group and Template Admin: Device Group and Template Admin roles also require configuration because there are no built-in examples. These Admin Roles allow you to define which Panorama templates or Panorama device groups an administrator can access and configure. You can hide tabs in the web interface or set specific items to read only to control what administrators can configure.

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

• When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.

If the DNS response matches the Original Destination Address in the rule, translate the DNS response using the same translation the rule uses. For example, if the rule translates IP address 1.1.1.10 to 192.168.1.10, the firewall rewrites a DNS response of 1.1.1.10 to 192.168.1.10. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/nat/source-nat-and-destination-nat/destination-nat-dns-rewrite-use-cases#id0d85db1b-05b9-4956-a467-f71d558263bb

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PNGFCA4

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices

How to Configure Ping Interval/Timeout Settings ... - Palo Alto Networks

The GlobalProtect VPN solution by Palo Alto Networks is designed to provide secure remote access to users. It primarily attempts to establish a VPN tunnel using the IPSec protocol for optimal security and performance. However, in cases where IPSec cannot be used due to network restrictions or other issues, GlobalProtect has a fallback mechanism.

C. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS:

• If the GlobalProtect app fails to establish an IPSec tunnel with the GlobalProtect gateway, the default behavior is to fallback to SSL/TLS for tunnel establishment. This ensures that the VPN connection can still be established, maintaining secure remote access for the user even in environments where IPSec is not feasible. SSL/TLS provides a secure tunnel, albeit generally with slightly less efficiency than IPSec.

This fallback mechanism is part of the GlobalProtect app's design to ensure reliability and continuous secure access for remote users under various network conditions.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/zone-protection-and-dos-protection/zone-defense/packet-buffer-protection

To configure SSL Forward Proxy decryption on a Palo Alto Networks firewall, certain key components must be set up to ensure secure and effective decryption and inspection of SSL/TLS encrypted traffic:

B. Define a Forward Trust Certificate:

• A Forward Trust Certificate is essential for SSL Forward Proxy decryption. This certificate is used by the firewall to dynamically generate certificates for SSL sites that are trusted. When the firewall decrypts and inspects the traffic and then re-encrypts it, the new certificate presented to the client comes from the Forward Trust Certificate authority. This certificate must be trusted by client devices, often requiring the Forward Trust CA certificate to be distributed and installed on client devices.

C. Configure SSL decryption rules:

• SSL decryption rules are the policies that determine which traffic is to be decrypted. These rules specify the source, destination, service, and URL category, among other criteria. The rules define what traffic the SSL Forward Proxy will apply to, enabling selective decryption based on security and privacy requirements.

Together, these components form the basis of the SSL Forward Proxy decryption setup, allowing for the decryption, inspection, and re-encryption of SSL/TLS encrypted traffic to identify and prevent threats hidden within encrypted sessions.

A syslog listener is the best choice for deploying User-ID to ensure maximum coverage in an environment with multiple forms of authentication. A syslog listener is a feature that enables the firewall or Panorama to receive syslog messages from other systems and parse them for IP address-to-username mappings. A syslog listener can collect user mapping information from a variety of sources, such as network access control systems, domain controllers, MDM solutions, VPN gateways, wireless controllers, proxies, and more2. A syslog listener can also support multiple platforms and operating systems, such as Windows, Linux, macOS, iOS, Android, etc3. Therefore, a syslog listener can provide a comprehensive and flexible solution for User-ID deployment in a large-scale network. References: Configure a Syslog Listener for User Mapping, User-ID Agent Deployment Guide, PCNSE Study Guide (page 48)

Set the Action to take when matching a packet:

Forward—Directs the packet to the specified Egress Interface.

Forward to VSYS (On a firewall enabled for multiple virtual systems)—Select the virtual system to which to forward the packet.

Discard—Drops the packet.

No PBF—Excludes packets that match the criteria for source, destination, application, or service defined in the rule. Matching packets use the route table instead of PBF; the firewall uses the route table to exclude the matched traffic from the redirected port.

https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/policy/policy-based-forwarding/create-a-policy-based-forwarding-rule#ideca3cc65-03d7-449d-b47a-90fabee5293c

The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier12. References: Configure HA Clustering, PCNSE Study Guide (page 53)

How to Set Session, TCP, and UDP Timeout Values - Palo Alto Networks ...

ttps://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html

The type of policy in Palo Alto Networks firewalls that can use Device-ID as a match condition is QoS. This is because Device-ID is a feature that allows the firewall to identify and classify devices on the network based on their characteristics, such as vendor, model, OS, and role1. QoS policies are used to allocate bandwidth and prioritize traffic based on various criteria, such as application, user, source, destination, and device2. By using Device-ID as a match condition in QoS policies, the firewall can apply different QoS actions to different types of devices, such as IoT devices, laptops, smartphones, etc3. This can help optimize the network performance and ensure the quality of service for critical applications and devices.