
PCNSE: Palo Alto Networks Certified Network Security Engineer

PCNSE is the professional-level Palo Alto certification, building on PCNSA to cover advanced deployment scenarios, high availability, routing, and enterprise-scale Panorama management. If PCNSA is about operating a firewall day-to-day, PCNSE is about designing, deploying, and troubleshooting complex Palo Alto deployments from scratch.


Advanced Routing and Virtual Router

Palo Alto firewalls use virtual routers (VRs) for routing. Each VR has its own routing table. Static routes: administrative distance 10 (adjustable), path monitoring for health-based failover. Dynamic routing: OSPF (areas, LSA types, stub/NSSA), BGP (eBGP/iBGP, route maps, communities, redistribution), RIP (supported but rarely used). Route redistribution between virtual routers and between routing protocols. PBF (Policy-Based Forwarding): route traffic based on application, source address, or user — not just destination IP. Used for asymmetric routing to specific ISPs or for sending specific application traffic through a different path (e.g., video traffic through a high-bandwidth link). Egress interface and next hop are specified in the PBF rule.

High Availability

HA modes: Active/Passive (one firewall active, one in standby — config and sessions are synced, giving instant failover) and Active/Active (both firewalls active, used for asymmetric routing environments, more complex configuration). HA links: HA1 (control link — configuration sync, HA state), HA2 (data link — session sync), HA3 (packet forwarding in Active/Active), HA4 (Panorama sync). Failover triggers: link monitoring (a monitored interface goes down) and path monitoring (a target IP becomes unreachable). HA timer profiles: Recommended (balanced), Aggressive (faster detection, higher CPU), or Custom. Preemption: allows the primary to reclaim the active role after recovery — disabled by default to prevent flapping. GlobalProtect Portal and Gateway HA: multiple gateways registered with the portal provide redundancy. Clients connect to the available gateway with the lowest priority (highest preference number). Gateway selection can also be based on location for optimal routing.

GlobalProtect VPN and Prisma Access

GlobalProtect: Palo Alto's remote access VPN solution. Portal: authenticates users and distributes gateway configuration and the agent software. Gateway: terminates VPN tunnels using SSL/TLS or IPsec (IKEv1/v2). Agent connects to the portal on TCP 443, receives gateway list, then connects to the optimal gateway. HIP (Host Information Profile): collects endpoint state (OS version, patch level, disk encryption status, antivirus installed) and allows security policy to enforce compliance. HIP checks run continuously — non-compliant endpoints can be redirected to a remediation page. Prisma Access (formerly GlobalProtect Cloud Service): Palo Alto's SASE offering. Cloud-hosted security services (GlobalProtect gateways, Prisma SD-WAN, CASB, DLP) delivered from Palo Alto's global PoPs. Managed via Panorama Cloud or Strata Cloud Manager. Mobile user connectivity and remote network (site-to-cloud) connectivity are the two primary use cases.

Panorama at Scale and Troubleshooting

Panorama architecture: Panorama server (management) with Log Collectors (log aggregation) and Managed Devices (NGFWs). Device Groups hierarchy: devices can be in nested device groups — shared policies at the top apply to all, specialised policies further down. Pre-rules (pushed before local rules), Post-rules (pushed after local rules). Troubleshooting flow: test security-policy-match (simulates policy lookup), test nat-policy-match, test routing fib-lookup, packet capture (stages: drop, firewall, receive, transmit — filter by source/dest IP, port), flow basic debugging (debug dataplane packet-diag set filter match source ...). CLI show commands: show session all, show session id <N>, show arp all, show routing route. WildFire and threat prevention tuning: threat exception profiles allow you to override the default action for specific threat IDs (block a threat that is normally set to alert, or allow a false positive). Dynamic updates: content updates (App-ID, threat signatures) and antivirus updates are delivered on a schedule — verify update scheduling in Device > Dynamic Updates.
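An added example of the troubleshooting flow above, not taken from the original page: a PAN-OS CLI sequence for one flow (constructed addresses 10.1.10.25 to 203.0.113.80 on TCP/443, constructed zone names trust/untrust, virtual router "default") that checks the policy, NAT and FIB results and then captures at all four stages. PAN-OS CLI has no comment syntax, so the # lines are annotation only and are not typed in.

```console
# 1. Simulate the policy lookups for the flow (constructed addresses and zones)
test security-policy-match from trust to untrust source 10.1.10.25 destination 203.0.113.80 protocol 6 destination-port 443 application ssl
test nat-policy-match from trust to untrust source 10.1.10.25 destination 203.0.113.80 protocol 6 destination-port 443
# 2. Confirm which egress interface and next hop the virtual router would choose
test routing fib-lookup virtual-router default ip 203.0.113.80
# 3. Reset any previous packet-diag state, then filter on both directions of the flow
debug dataplane packet-diag clear all
debug dataplane packet-diag set filter match source 10.1.10.25 destination 203.0.113.80
debug dataplane packet-diag set filter match source 203.0.113.80 destination 10.1.10.25
debug dataplane packet-diag set filter on
# 4. One capture file per stage: receive, firewall, transmit, drop
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage drop file drop.pcap
# 5. The filter only matches new sessions, so clear any existing one before starting
clear session all filter source 10.1.10.25 destination 203.0.113.80
debug dataplane packet-diag set capture on
debug dataplane packet-diag show setting
# ... generate the test traffic from the client now ...
# 6. Stop the capture, then inspect: global counters explain drops, view-pcap shows packets
debug dataplane packet-diag set capture off
debug dataplane packet-diag set filter off
show counter global filter packet-filter yes delta yes
show session all filter source 10.1.10.25 destination 203.0.113.80
view-pcap filter-pcap drop.pcap
```

Turn the filter and capture off as soon as the traffic of interest has been seen; packet-diag left enabled adds dataplane CPU load.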

Key exam facts — PCNSE

  • PCNSE covers design and advanced deployment — questions often present a scenario and ask for the correct architecture or configuration
  • HA Active/Passive uses session sync on HA2 — failover is seamless for existing sessions
  • PBF (Policy-Based Forwarding) overrides routing table decisions — applied before routing, based on security policy criteria
  • GlobalProtect HIP checks enforce endpoint compliance — non-compliant devices can be denied or redirected
  • Panorama pre-rules are enforced before local device rules; post-rules are enforced after — shared policy cannot be overridden locally
  • Packet capture on PAN-OS has four stages: drop (before policies), firewall (in policy evaluation), receive, transmit

Common exam traps

Trap: Active/Active HA automatically load-balances all sessions across both firewalls

Correction: Active/Active HA does not automatically load-balance — both firewalls are active but sessions are owned by one device at a time

Trap: Dynamic content updates require a commit before taking effect

Correction: Dynamic updates for content (App-ID signatures) do not require a commit — they take effect immediately on installation

Trap: Prisma Access is simply a cloud-hosted GlobalProtect VPN gateway

Correction: Prisma Access is not just a VPN product — it is a full SASE platform including CASB, DLP, and SD-WAN
