Palo Alto NGFW Architecture
Palo Alto Networks NGFWs are built on three identification technologies. App-ID identifies applications by signatures, decryption and heuristics rather than by port and protocol alone. User-ID maps IP addresses to usernames through Active Directory, captive portal or syslog. Content-ID inspects traffic content for threats, URLs, files and data patterns.
Single-Pass Parallel Processing (SP3): the NGFW performs all identification and inspection in a single pass through the dataplane, avoiding the performance penalty of chained inspection engines.
The management plane is separate from the data plane, so management tasks (policy changes, log queries) do not affect forwarding performance.
Deployment modes: Layer 3 (full routing), Layer 2 (transparent bridge, no routing), Virtual Wire (vwire: inline and transparent, with no IP addresses on the interfaces) and Tap (passive monitoring from a SPAN port).
VSYS (Virtual Systems): logical firewall partitions on one physical device, each with its own policies, interfaces and administrators.
Security Policies and NAT
Security policy rules match on source and destination zone, source and destination address, application (App-ID), service (port/protocol), user (User-ID) and URL category, and apply one action: allow, deny, drop, reset-client, reset-server or reset-both. Rules are evaluated top-down and the first match wins; the implicit deny at the bottom of every policy drops unmatched traffic.
Security profiles are attached to allow rules to inspect the traffic those rules allow: Antivirus (malware signatures), Anti-Spyware (C2 detection, DNS sinkholing), Vulnerability Protection (exploit signatures), URL Filtering (category-based web control), File Blocking (by file type and direction) and WildFire (sandboxing of unknown files). An allow rule with no profiles attached does not inspect the traffic it allows.
NAT policies: source NAT hides internal IPs behind the firewall's public IP (Dynamic IP and Port, DIPP); destination NAT forwards inbound connections to internal servers. NAT is evaluated after security policy zone matching but before routing, and the post-NAT zone determines which security policy applies (the addresses a security rule matches on are still the pre-NAT addresses).
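The two points above that bite most often in practice are first-match evaluation and allow rules with no profiles. The following is an added example, not Palo Alto code: it parses a constructed rulebase laid out like a PAN-OS security policy XML export (assumption: a real export nests this under config/devices/.../vsys/entry/rulebase), performs a top-down first-match lookup on zones and App-ID, and lists allow rules whose traffic bypasses Content-ID because no profile is attached.

```python
import xml.etree.ElementTree as ET

# Constructed sample rulebase in the layout of a PAN-OS security policy export.
# Tag names (from/to/application/action/profile-setting) follow that layout;
# rule names and the profile group name are invented for the example.
SAMPLE_RULEBASE = """
<security><rules>
  <entry name="allow-web">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <action>allow</action>
    <profile-setting><group><member>default-profiles</member></group></profile-setting>
    <log-end>yes</log-end>
  </entry>
  <entry name="allow-dns-uninspected">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>dns</member></application>
    <action>allow</action>
    <log-end>yes</log-end>
  </entry>
  <entry name="block-smtp">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>smtp</member></application>
    <action>deny</action>
  </entry>
</rules></security>
"""

def members(entry, tag):
    """Set of <member> values under the given child tag of a rule entry."""
    return {m.text for m in entry.findall(f"{tag}/member")}

def parse_rules(xml_text):
    """Return rule entries in rulebase order (order is the evaluation order)."""
    return ET.fromstring(xml_text).findall("rules/entry")

def match_rule(rules, src_zone, dst_zone, app):
    """Top-down, first-match lookup; 'any' wildcards a field. Falls through to implicit deny."""
    for rule in rules:
        if (src_zone in members(rule, "from") or "any" in members(rule, "from")) and \
           (dst_zone in members(rule, "to") or "any" in members(rule, "to")) and \
           (app in members(rule, "application") or "any" in members(rule, "application")):
            return rule.get("name"), rule.findtext("action")
    return None, "deny"  # implicit deny at the bottom of the rulebase

def uninspected_allow_rules(rules):
    """Allow rules with no profile-setting: their allowed traffic is not inspected by Content-ID."""
    return [r.get("name") for r in rules
            if r.findtext("action") == "allow" and r.find("profile-setting") is None]
```

Running the audit on a real export is a quick way to catch allow rules that were committed without a profile group.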
SSL Decryption, App-ID, and URL Filtering
SSL/TLS Decryption: the firewall decrypts traffic so that App-ID and Content-ID inspection can be applied, then re-encrypts it. Forward proxy decryption (outbound): the firewall impersonates the destination server to the client, which requires the firewall's CA certificate to be deployed to clients as a trusted root. Inbound decryption: the firewall holds the server's private key and decrypts inbound traffic.
Decryption profiles control which SSL/TLS versions and cipher suites are allowed and whether sessions with expired or untrusted certificates are blocked. Decryption exclusions cover sites that cannot be decrypted (certificate pinning, broken TLS implementations) or that are excluded for privacy reasons (health, banking).
URL Filtering profiles assign an action (allow, block, continue, override) per category (news, social, malware, phishing, unknown). PAN-DB is the cloud-based URL database. Custom URL categories let you override PAN-DB classifications for specific sites.
Management, Logging, and Panorama
Firewall management: Web UI (HTTPS on the management interface), CLI (SSH, with operational and configuration modes) and the XML API for automation. Configuration changes are staged in the candidate configuration and applied with Commit; the running configuration is not affected until the commit. Commit validation checks for configuration errors before applying.
Logging: Traffic logs (all sessions matching an allow rule with log at session end enabled), Threat logs (events from security profiles), URL logs (web browsing activity), WildFire logs (file analysis results) and System logs (firewall events). Logs can be forwarded to Panorama, syslog, SNMP or email.
Panorama is the centralised management platform for multiple Palo Alto firewalls. Device Groups push shared policies to groups of firewalls. Templates push device configuration (interfaces, zones, routing) to firewalls. Log Collectors aggregate logs from all managed firewalls for centralised querying.