This course is designed for students who are new to next-generation firewalls. Candidates should have a basic understanding of IP addressing, routing, and switching technologies.

Upon completion of this course, students will be able to:

  • Explain the features and advantages of the next-generation firewall architecture over stateful inspection firewalls

Perform the basic and advanced configuration of the firewall, including:

  • Configuring interfaces, security zones, security policies, and content profiles
  • Setting up basic operation of User-ID, Content-ID, and App-ID
  • Enabling SSL decryption and VPNs
  • Reviewing logs and writing basic reports
  • Configuring an active-passive high availability (HA) pair

Module 0 – Platform Overview

  • Understanding the hardware architecture of the next-generation firewall
  • Single pass architecture
  • Flow logic
  • Segregated control plane and data plane
  • Fast path

Module 1 – Administration and Management

  • Administration and management of firewall using GUI, CLI
  • Overview of REST API
  • Configuration management, PAN-OS, account administration

Module 2 – Interface Configuration

  • Understanding the various interface types, including Tap, Virtual Wire, Layer 3, and HA
  • Security zones overview
  • Designing network security with Layer 2, transparent, and Layer 3 deployments

Module 3 – Layer 3 Configuration

  • Overview of Layer 3 technologies, including virtual routers, interface management profiles, and service route configuration
  • Policy-based forwarding, static and dynamic routing protocols
  • Network address translation
    • Dynamic IP
    • Static IP
  • Destination NAT Type
    • Static IP
    • Port forwarding
  • NAT-specific traffic flow
  • Understanding and implementing NAT policies

Module 4 – Application-ID

  • Overview of application identification (App-ID)
  • Application-ID traffic flow
  • Overview of security policy
  • App-ID and security policy configuration
  • Advanced concepts on application and security policies
    • Application dependencies
    • Managing policy behavior
    • Custom application signatures
  • Logging and reporting
  • Overview of SSL session setup and understanding of PKI
  • How to configure the firewall for SSL visibility
  • Inbound deep packet inspection of SSL traffic – IPS and other signatures for inbound SSL traffic

Module 5 – User-ID

  • User-ID flow and user-based policies
  • Understanding the User-ID process
  • Enumerating users and groups with Active Directory and LDAP
  • User-ID agent identification methods
  • Understanding AD security logs, CAS security logs, shared server sessions, and WMI queries
  • Captive portal overview for guest authentication

Module 6 – Content-ID

  • Overview of Content-ID modules and security profiles
  • Understanding advanced deep packet inspection using
    • Anti-virus profiles
    • Anti-spyware profiles
    • Vulnerability scanning profiles
    • URL filtering profiles
    • File blocking profiles
    • WildFire profiles
  • Administration of security profiles
  • Zone protection profiles

Module 7 – VPN

  • Overview of VPN technologies
    • SSL VPN
    • IPsec VPN
  • Understanding policy-based and route-based VPNs
  • Implementing VPNs on PAN-OS
  • Advanced understanding of SSL VPN technology
  • Establishing SSL VPN with GlobalProtect

Module 8 – High Availability

  • Overview of redundant architecture and high availability
  • Understanding active-active and active-standby HA
  • Understanding and managing split-brain conditions
  • Path and link monitoring configuration to handle failover conditions

Module 9 – Troubleshooting

  • Overview of troubleshooting methodology on PAN-OS
  • Online tools, working with the Palo Alto support team
  • Troubleshooting with
    • GUI, CLI, logs, packet captures, debug, and maintenance mode
    • Tools and techniques for troubleshooting VPN and session issues