©2016-2019, Palo Alto Networks, Inc.

PALO ALTO NETWORKS PCNSE STUDY GUIDE
May 2019

Palo Alto Networks, Inc.
www.paloaltonetworks.com
©2016-2019 Palo Alto Networks – all rights reserved. Aperture, AutoFocus, Demisto, GlobalProtect, Palo Alto Networks, PAN-OS, Panorama, RedLock, Traps, and WildFire are trademarks of Palo Alto Networks, Inc. All other trademarks are the property of their respective owners.

Contents

Palo Alto Networks PCNSE Study Guide
  Overview
  Exam Details
  Intended Audience
  Qualifications
  Skills Required
  Recommended Training
  About This Document
  Disclaimer
  Preliminary Score Report

Exam Domain 1 – Plan
  1.1 Identify how the Palo Alto Networks products work together to detect and prevent threats
    Securing the Enterprise
    Securing the Cloud
    Sample Questions
  1.2 Given a scenario, identify how to design an implementation of the firewall to meet business requirements that leverage the Palo Alto Networks Security Operating Platform
    Choosing the Appropriate Firewall
    Security Policy
    Security Zones
    Traffic Processing Sequence
    Enterprise Firewall Management
    Virtual Firewalls in Clouds
    Sample Questions
  1.3 Given a scenario, identify how to design an implementation of firewalls in High Availability to meet business requirements that leverage the Palo Alto Networks Security Operating Platform
    High Availability
    HA Modes
    Active/Passive Clusters
    Active/Active Clusters
    Choosing an HA Cluster Type
    Sample Questions
  1.4 Identify the appropriate interface type and configuration for a specified network deployment
    Types of Interfaces
    Tap
    Virtual Wire
    Layer 2
    Layer 3
    Decrypt Mirror
    Aggregate Interfaces
    Virtual Interfaces
    VLAN Interfaces
    Loopback Interfaces
    Tunnel Interfaces
    Traffic Forwarding
    Virtual Routers
    Administrative Distance
    Route Redistribution
    GRE Tunnels
    Routing Troubleshooting
    Sample Questions
  1.5 Identify strategies for retaining logs using Distributed Log Collection
    Event Logging on NGFWs
    Distributed Log Collection
    Sample Questions
  1.6 Given a scenario, identify the strategy that should be implemented for Distributed Log Collection
    Log Collection Platform Choices
    On-Premises Log Collection
    Cortex Data Lake
    Sample Questions
  1.7 Identify how to use template stacks for administering Palo Alto Networks firewalls as a scalable solution using Panorama
    Panorama Overview
    Templates and Template Stacks
    Sample Questions
  1.8 Identify how to use device group hierarchy for administering Palo Alto Networks firewalls as a scalable solution using Panorama
    Device Groups
    Committing Changes with Panorama
    Sample Questions
  1.9 Identify planning considerations unique to deploying Palo Alto Networks firewalls in a public cloud
    Virtual Firewalls
    Public Clouds
    Sample Questions
  1.10 Identify planning considerations unique to deploying Palo Alto Networks firewalls in a hybrid cloud
    Hybrid Cloud
    Connectivity Considerations
    Sample Question
  1.11 Identify planning considerations unique to deploying Palo Alto Networks firewalls in a private cloud
    Private Clouds
    Sample Questions
  1.12 Identify methods for authorization, authentication, and device administration
    Administrative Accounts and Roles
    Authentication
    Special Note About Multi-Factor Authentication
    Panorama Access Domains
    Sample Questions
  1.13 Identify the methods of certificate creation on the firewall
    Certificate Background
    Certificates on the Firewall
    Certificate Creation and Import
    Sample Questions
  1.14 Identify options available in the firewall to support dynamic routing
    Overview
    Administrative Distance
    Sample Questions
  1.15 Given a scenario, identify ways to mitigate resource exhaustion (because of denial-of-service) in application servers
    Resource Exhaustion
    Zone Protection Profiles
    DoS Protection Profile
    Differences Between DoS Protection and Zone Protection
    Sample Questions
  1.16 Identify decryption deployment strategies
    Packet Visibility
    Decryption
    Decryption Broker
    Decryption Mirror
    Keys and Certificates
    Decryption Policies
    SSL Forward Proxy
    Decryption Exclusions
    App-ID and Encryption
    Sample Questions
  1.17 Identify the impact of application override to the overall functionality of the firewall
    Use Cases
    Sample Questions
  1.18 Identify the methods of User-ID redistribution
    User-ID Table Sharing
    User-ID Table Consumption
    Use Case Example
  1.19 Identify VM-Series bootstrap components and their function
    Bootstrapping
    VM-Series Bootstrapping
    Bootstrap Package
    Sample Questions

Exam Domain 2 — Deploy and Configure
  2.1 Identify the application meanings in the Traffic log (incomplete, insufficient data, non-syn TCP, not applicable, unknown TCP, unknown UDP, and unknown P2P)
    SaaS Applications
    Note About Using App-ID
    Sample Questions
  2.2 Given a scenario, identify the set of Security Profiles that should be used
    Security Profile Types
    Sample Questions
  2.3 Identify the relationship between URL filtering and credential theft prevention
    Phishing Prevention Overview
    Credential Detection
    Category Selection for Enforcement
    Sample Questions
  2.4 Implement and maintain the App-ID lifecycle
    Step 1: Identify Port-Based Rules
    Step 2: Prioritize Which Port-Based Rules to Convert First
    Step 3: Review the Apps Seen on Port-Based Rules, Starting with the Highest Priority Rules
    Step 4: Clone or Add Applications to the Rule to Specify the Applications You Want to Allow on the Rule
    Step 5: For Each Application-Based Rule, Set the Service to application-default
    Step 6: Commit the Configuration
    Step 7: Monitor the Rules
    Sample Questions
  2.5 Identify how to create security rules to implement App-ID without relying on port-based rules
    App-ID vs. Port-Based Security
    Moving from Port-Based to App-ID Security
    Sample Questions
  2.6 Identify configurations for distributed Log Collectors
    Simple Log Collection Deployment
    Log Collector Deployment
    Log Collector Groups
    Cortex Data Lake (Formerly Logging Service)
    Sample Questions
  2.7 Identify the required settings and steps necessary to provision and deploy a next-generation firewall
    Steps to Connect the Firewall
    Sample Questions
  2.8 Identify which device of an HA pair is the active partner
    Sample Questions
  2.9 Identify various methods for authentication, authorization, and device administration within PAN-OS software for connecting to the firewall
  2.10 Identify various methods for authentication, authorization, and device administration within PAN-OS software for connecting to services through the firewall
    Protecting Service Access Through the Firewall
    Configuring Authentication Policy
    Sample Questions
  2.11 Identify how to configure and maintain certificates to support firewall features
    Certificate Management
    Sample Questions
  2.12 Identify the features that support IPv6
    Firewall Support of IPv6
    Sample Questions
  2.13 Identify how to configure a virtual router
    Routing Configuration
    Sample Questions
  2.14 Given a scenario, identify how to configure an interface as a DHCP relay agent
    DHCP Overview
    DHCP and DHCP Relay on the Firewall
    Sample Questions
  2.15 Identify the configuration settings for site-to-site VPN
    IPsec Tunnel Interfaces
    CLI Troubleshooting Commands
    Sample Questions
  2.16 Identify the configuration settings for GlobalProtect
    GlobalProtect Overview
    References
    Sample Questions
  2.17 Identify how to configure items pertaining to denial-of-service protection and zone protection
  2.18 Identify how to configure features of NAT policy rules
    Reference
    Sample Questions
  2.19 Given a configuration example including DNAT, identify how to configure security rules
    Reference
    Sample Questions
  2.20 Identify how to configure decryption
    Special Decryption Implementations
    Sample Questions
  2.21 Given a scenario, identify an application override configuration and use case
    References
    Sample Questions
  2.22 Identify how to configure VM-Series firewalls for deployment
    Sample Questions
  2.23 Identify how to configure firewalls to use tags and filtered log
