Duration
120 hrs.
Level
Advanced
The (PCNSA+PCNSE) combo course validates the knowledge and skills required of network security engineers who design, deploy, operate, manage, and troubleshoot Palo Alto Networks Next-Generation Firewalls. Palo Alto Networks technology is highly integrated and automated. The Palo Alto Networks product portfolio comprises multiple separate technologies working in unison to prevent successful cyberattacks. The course demonstrates that engineers can correctly deploy and configure Palo Alto Networks Next-Generation Firewalls while leveraging the rest of the platform. In this course you will learn Next-Generation Firewall setup and management connection, zone security, Security and NAT policies, protection profiles for zones and DoS attacks, App-ID to block threats, WildFire versus malware, Security profiles and Security policies, Device-ID to block threats, threat and traffic information, an introduction to firewall management through Panorama, using Panorama to manage NGFWs, and templates and device groups.
Introduction
This 120-hour training (lectures plus hands-on labs) is for anyone seeking the Palo Alto certification that validates the knowledge and skills required of network security engineers who design, deploy, operate, manage, and troubleshoot Palo Alto Networks Next-Generation Firewalls. Palo Alto Networks technology is highly integrated and automated. The Palo Alto Networks product portfolio comprises multiple separate technologies working in unison to prevent successful cyberattacks. The combo course demonstrates that engineers can correctly deploy and configure Palo Alto Networks Next-Generation Firewalls while leveraging the rest of the platform.
The key to a high success rate is based on the program’s objectives as follows:
- Course contents are based on Palo Alto (PCNSA+PCNSE) course outlines.
- Dedicated Monitoring to evaluate and report candidate’s progress.
- Extensive hands-on lab exercises.
- Industry acclaimed, experienced and certified instructors.
- Project manager can be assigned to track candidate’s performance.
- Curriculum based on course outlines defined by Microsoft.
- This Instructor-led classroom course is designed with an aim to build theoretical knowledge supplemented by ample hands-on lab exercises.
- Lab-on-cloud facility available.
- Courseware includes reference material to maximize learning.
- Assignments and tests to ensure concept absorption.
- Lectures may be repeated (subject to approval).
- Candidates can attend lectures online.
- Demonstrate knowledge of firewall management interfaces.
- Provision local administrators.
- Assign role-based authentication.
- Maintain firewall configurations.
- Push policy updates to Panorama-managed firewalls.
- Schedule and install dynamic updates.
- Create and apply security zones to policies.
- Identify and configure firewall interfaces.
- Maintain and enhance the configuration of a virtual or logical router.
- Planning, managing, deploying and configuring next-generation firewalls
- Identifying planning considerations unique to public, hybrid and cloud environments
- Maintaining high availability
- Troubleshooting and optimizing traffic and routing
- Configure and manage Security and NAT policies
- Monitor network traffic using the interactive web interface and firewall reports
- Describe the basics of cryptography, including symmetric and asymmetric encryption, public key infrastructure, and certificates.
- Configure and manage Threat Prevention strategies to block known and unknown threats
- Create and maintain address and address group objects.
- Create and maintain services and service groups.
- Create and maintain external dynamic lists.
- Configure and maintain application filters and application groups.
- Develop the appropriate application-based Security policy.
- Differentiate specific security rule types.
- Configure Security policy match conditions, actions, and logging.
- Identify and implement proper NAT policies.
- Optimize Security policies using appropriate tools.
- Compare and contrast different types of Security profiles.
- Create, modify, add, and apply the appropriate Security profiles and groups.
- Differentiate between Security profile actions.
- Use information available in logs.
- Enable DNS Security to control traffic based on domains.
- Designing firewall implementations that meet business requirements
- Navigating the protocols and advanced security tools
- Interpreting security data, and maintaining firewall software
- Configuring firewall through CLI
This course covers all topics required for the Palo Alto Networks Certified Network Security Administrator and Expert (PCNSA+PCNSE) certification. The following topics are general guidelines intended to reflect the contents of the course; they may change at any time without notice.
(PCNSA+PCNSE): Course Topics
Device Management and Services.
- Demonstrate knowledge of firewall management interfaces.
- Management interfaces.
- Methods of access.
- Access restrictions.
- Identity-management traffic flow.
- Management services.
- Service routes.
- Provision local administrators.
- Authentication profile.
- Authentication sequence.
- Assign role-based authentication.
- Maintain firewall configurations.
- Running configuration.
- Candidate configuration.
- Discern when to use load, save, import, and export.
- Differentiate between configuration states.
- Back up Panorama configurations and firewalls from Panorama.
- Push policy updates to Panorama-managed firewalls.
- Device groups and hierarchy.
- Where to place policies.
- Implications of Panorama management.
- Impact of templates, template stacks, and hierarchy.
- Schedule and install dynamic updates.
- From Panorama.
- From the firewall.
- Scheduling and staggering updates on an HA pair.
- Create and apply security zones to policies.
- Identify zone types.
- External types.
- Layer 2.
- Layer 3.
- TAP.
- VWire.
- Tunnel.
- Identify and configure firewall interfaces.
- Different types of interfaces.
- How interface types affect Security policies.
- Maintain and enhance the configuration of a virtual or logical router.
- Steps to create a static route.
- How to use the routing table.
- What interface types can be added to a virtual or logical router.
- How to configure route monitoring.
Managing Objects.
- Create and maintain address and address group objects.
- How to tag objects.
- Differentiate between address objects.
- Static groups versus dynamic groups.
- Create and maintain services and service groups.
- Create and maintain external dynamic lists.
- Configure and maintain application filters and application groups.
- When to use filters versus groups.
- The purpose of application characteristics as defined in the App-ID database.
Policy Evaluation and Management.
- Develop the appropriate application-based Security policy.
- Create an appropriate App-ID rule.
- Rule shadowing.
- Group rules by tag.
- The potential impact of App-ID updates on existing Security policy rules.
- Policy usage statistics.
- Differentiate specific security rule types.
- Interzone.
- Intrazone.
- Universal.
- Configure Security policy match conditions, actions, and logging options.
- Application filters and groups.
- Logging options.
- App-ID.
- User-ID.
- Device-ID.
- Application filter in policy.
- Application group in policy.
- EDLs.
- Identify and implement proper NAT policies.
- Destination.
- Source.
- Optimize Security policies using appropriate tools.
- Policy test match tool.
- Policy Optimizer.
Securing Traffic.
- Compare and contrast different types of Security profiles.
- Antivirus.
- Anti-Spyware.
- Vulnerability Protection.
- URL Filtering.
- WildFire Analysis.
- Create, modify, add, and apply the appropriate Security profiles and groups.
- Antivirus.
- Anti-Spyware.
- Vulnerability Protection.
- URL Filtering.
- WildFire Analysis.
- Configure threat prevention policy.
- Differentiate between Security profile actions.
- Use information available in logs.
- Traffic.
- Threat.
- Data.
- System logs.
- Enable DNS Security to control traffic based on domains.
- Configure DNS Security.
- Apply DNS Security in policy.
- Create and deploy URL-filtering-based controls.
- Apply a URL profile in a Security policy.
- Create a URL Filtering profile.
- Create a custom URL category.
- Control traffic based on a URL category.
- Why a URL was blocked.
- How to allow a blocked URL.
- How to request a URL recategorization.
- Differentiate between group mapping and IP-to-user mapping within policies and logs.
- How to control access to specific locations.
- How to apply specific policies.
- Identify users within the ACC and the monitor tab.
Identify how Palo Alto Networks products work together to improve PAN-OS services
- Security components
- Firewall components
- Panorama components
- PAN-OS subscriptions and the features they enable
- Plugin components
- Heatmap and BPA reports
- Artificial intelligence operations (AIOps)/Telemetry
- IPv6
- Internet of things (IoT)
Determine and assess appropriate interfaces or zone types for various environments
- Layer 2 interfaces
- Layer 3 interfaces
- Virtual wire (vwire) interfaces
- Tap interfaces
- Subinterfaces
- Tunnel interfaces
- Aggregate interfaces
- Loopback interfaces
- Decrypt mirror interfaces
- VLAN interfaces
Identify decryption deployment strategies
- Risks and implications of enabling decryption
- Use cases
- Decryption types
- Decryption profiles and certificates
- Create a decryption policy in the firewall
- Configure SSH Proxy
Enforce User-ID
- Methods of building user-to-IP mappings
- Determine if User-ID agent or agentless should be used
- Compare and contrast User-ID agents
- Methods of User-ID redistribution
- Methods of group mapping
- Server profile and authentication profile
Determine how and when to use the Authentication policy
- Purpose of, and use case for, the Authentication policy
- Dependencies
- Captive portal versus GlobalProtect (GP) client
Differentiate between the fundamental functions that reside on the management plane and data plane
Define multiple virtual systems (multi-vsys) environment
- User-ID hub
- Inter-vsys routing
- Service routes
Configure Management Profiles
- Interface Management Profile
- SSL/TLS profile
Deploy and configure Security Profiles
- Custom configuration of different Security Profiles and Security Profile Groups
- Relationship between URL filtering and credential theft prevention
- Use of username and domain name in HTTP header insertion
- DNS Security
- How to tune or add exceptions to a Security Profile
- Compare and contrast threat prevention and advanced threat prevention
- Compare and contrast URL Filtering and Advanced URL Filtering
Configure zone protections, packet buffer protection, and DoS protection
- Customized values versus default settings
- Classified versus aggregate profile values
- Layer 3 and Layer 4 header inspection
Design the deployment configuration of a Palo Alto Networks firewall
- Advanced high availability (HA) deployments
- HA Pair
- Zero-Touch Provisioning
- Bootstrapping
Configure authorization, authentication, and device access
- Role-based access control for authorization
- Different methods used to authenticate
- The Authentication Sequence
- The device access method
Configure and manage certificates
- Usage
- Profiles
- Chains
Configure routing
- Dynamic routing
- Redistribution Profiles
- Static routes
- Route monitoring
- Policy-based forwarding
- Virtual routers versus logical routers
Configure NAT
- NAT policy rules
- Security rules
- Source NAT
- No-NAT Policies
- Use session browser to find NAT rule name
- U-Turn NAT
- Check HIT counts
Configure site-to-site tunnels
- IPsec components
- Static peers and dynamic peers for IPsec
- IPsec tunnel Monitor Profiles
- IPsec tunnel testing
- Generic Routing Encapsulation
- One-to-one and one-to-many tunnels
- Determine when to use proxy IDs
Configure service routes
- Default
- Custom
- Destination
- Custom routes for different virtual systems versus destination routes
- How to verify service routes
Configure application-based QoS
- Enablement requirements
- QoS policy rule
- Add a Differentiated Services Code Point/ToS component
- QoS Profile
- Determine how to control bandwidth use on a per-application basis
- Use QoS to monitor bandwidth utilization
Configure App-ID
- Create security rules with App-ID
- Convert port and protocol rules to App-ID rules
- Identify the impact of application override to overall firewall functionality
- Create custom apps and threats
- Review App-ID dependencies
Configure GlobalProtect
- GlobalProtect licensing
- Configure the gateway and the portal
- GlobalProtect agent
- Differentiate between logon methods
- Configure clientless VPN
- HIP
- Configure multiple gateway agent profiles
- Split tunneling
Configure decryption
- Inbound decryption
- SSL forward proxy
- SSL decryption exclusions
- SSH proxy
Configure User-ID
- User-ID agent and agentless
- User-ID group mapping
- Shared User-ID mapping across virtual systems
- Data redistribution
- User-ID methods
- Benefits of using dynamic user groups (DUGs) in policy rules
- Requirements to support dynamic user groups
- How GlobalProtect internal and external gateways can be used
Configure WildFire
- Submission profile
- Action profile
- Submissions and verdicts
- Signature actions
- File types and file sizes
- Update schedule
- Forwarding of decrypted traffic
Configure Web Proxy
- Transparent proxy
- Explicit proxy
Configure templates and template stacks
- Components configured in a template
- How the order of templates in a stack affects the configuration push to a firewall
- Overriding a template value in a stack
- Configure variables in templates
- Relationship between Panorama and devices for dynamic update versions, policy implementation, and HA peers
Configure device groups
- Device group hierarchies
- Identify what device groups contain
- Differentiate between different use cases for pre-rules, local rules, default rules, and post-rules
- Identify the impact of configuring a primary device
- Assign firewalls to device groups
Manage firewall configurations within Panorama
- Licensing
- Commit recovery feature
- Automatic commit recovery
- Commit types and schedules
- Configuration backups
- Commit type options
- Manage dynamic updates for Panorama and Panorama-managed devices
- Software and dynamic updates
- Import firewall configurations into Panorama
- Configure Log Collectors
- Check firewall health and status from Panorama
- Configure role-based access control on Panorama
Manage and configure log forwarding
- Identify log types and criticalities
- Manage external services
- Create and manage tags
- Log monitoring
- Customize logging and reporting settings
Plan and execute the process to upgrade a Palo Alto Networks system
- Single firewall
- High availability pairs
- Panorama push
- Dynamic updates
Manage HA functions
- Link monitoring
- Path monitoring
- HA links
- Failover
- Active/active and active/passive
- HA interfaces
- Clustering
- Election setting
Troubleshooting
Troubleshoot site-to-site tunnels
- IPsec
- GRE
- One-to-one and one-to-many tunnels
- Phase 1 issues:
- Route-based versus policy-based remote hosts
- Tunnel monitoring
Troubleshoot interfaces
- Transceivers
- Settings
- Aggregate interfaces, LACP
- Counters
- Tagging
Troubleshoot Decryption
- Inbound decryption
- SSL forward proxy
- SSH proxy
- Identify what cannot be decrypted and configure exclusions and bypasses
- Certificates
Troubleshoot routing
- Dynamic routing
- Redistribution profiles
- Static routes
- Route monitoring
- Policy-based forwarding
- Multicast routing
- Service routes
General Troubleshooting
- Logs
- Packet capture (pcap)
- Reports
Troubleshoot resource protections
- Zone Protection profiles
- DoS protections
- Packet buffer protections
Troubleshoot GlobalProtect
- Portal and Gateway
- Access to resources
- GlobalProtect client
Troubleshoot policies
- NAT
- Security
- Decryption
- Authentication
Troubleshoot HA functions
- Monitor
- Failover triggers
Palo Alto Networks Certified Network Security Administrator (PCNSA) course: Lab topics
- Lab 1. Configure Interface Management.
- Lab 2. Palo Alto User Management.
- Lab 3. Configuration Management.
- Lab 4. Initial Configuration.
- Lab 5. Local AAA.
- Lab 6. Configuring Security Policy.
- Lab 7. Configure Static NAT.
- Lab 8. Configure Dynamic NAT.
- Lab 9. Configure PAT.
- Lab 10. Configure Application and URL filtering.
- Lab 11. Configuring DoS and Zone Protection.
- Lab 12. Configure User ID.
- Lab 13. Monitoring Using CLI.
- Lab 14. Initial Configuration of Palo Alto firewall
- Lab 15. Configuring PA FW High Availability
- Lab 16. Using template stacks with Panorama
- Lab 17. Using Device groups with Panorama
- Lab 18. Managing FWs with Panorama
- Lab 19. Managing PA FW Digital certificates
- Lab 20. Enforcing Palo Alto FW User-ID
- Lab 21. Configuring PA FW Admin authentication
- Lab 22. Implement routing for PA FW
- Lab 23. Configure PA FW QoS
- Lab 24. Configuring PA FW L2 interfaces
- Lab 25. Configuring PA FW zone, vulnerability and DoS protection
- Lab 26. Implementing PA FW Virtual wires
- Lab 27. Implementing PA FW App-ID
- Lab 28. Configure PA FW Source and destination NAT
- Lab 29. Configure PA FW VLAN, TAP and aggregate interfaces
- Lab 30. Configuring PA FW Decryption services
- Lab 31. Configuring static PA FW S2S VPNs
- Lab 32. Configuring PA FW S2S VPNs with certificates
- Lab 33. Configuring an IPsec VPN
- Lab 34. Using LSVPNs with GlobalProtect
- Lab 35. Using PA FW AV and WildFire
- Lab 36. Using Palo Alto ZTP
- Lab 37. Troubleshooting
- Lab 38. Using PA FW Anti-Spyware
- Lab 39. Using IPv6 with PA FW
- Instructor-led online training is an ideal vehicle for delivering training to individuals anywhere in the world at any time.
- This innovative approach presents live content with an instructor delivering the training online.
- Candidates will perform labs remotely on our labs on cloud in the presence of an online instructor.
- SunPlus forum uses the Microsoft Lync engine to deliver instructor-led online training.
- Advances in computer network technology, improvements in bandwidth, interactions, chat and conferencing, and real-time audio and video offer unparalleled training opportunities.
- Instructor-led online training helps today’s busy professionals perform their jobs and upgrade their knowledge by integrating self-paced instructor-led online training into their daily routines.
- The minimum batch size required for this course is 10 participants.
- The SunPlus forum reserves the right to cancel/postpone the class.
- Course schedule will be provided before commencement of the course.
- A certificate of participation will be awarded to participants with a minimum of 90% attendance.
- All attendees must observe the Copyright Law on intellectual properties such as software and courseware from respective vendors.
- The SunPlus forum reserves the right to include external participants in the program either for the entire course or individual courses.
- The SunPlus forum reserves the right to change/alter the sequence of courses. Books published by the SunPlus forum will be given to forum students at a 50% discount.