This course is targeted at engineers and technical personnel involved in deploying, implementing, operating and optimizing IP networks, in both enterprise and service provider environments, including advanced features such as security, automation and programmability. The Palo Alto course covers a breadth of topics such as NAT policies, URL filtering, site-to-site VPN and monitoring. EDU-210 is a lab-intensive course, and its objectives are accomplished mainly through hands-on learning.
This course is created to impart knowledge and skills related to network fundamentals, network access, IP connectivity, IP services, security fundamentals, and automation and programmability. This course will help candidates prepare for the CCNA exam. The following topics are general guidelines for the contents of the course. To better reflect the contents of the course and for clarity purposes, the guidelines below may change at any time without notice.
Firewall Administration
- Management Interfaces
- Use the Web Interface
- Launch the Web Interface
- Configure Banners, Message of the Day, and Logos
- Use the Administrator Login Activity Indicators to Detect Account Misuse
- Manage and Monitor Administrative Tasks
- Commit, Validate, and Preview Firewall Configuration Changes
- Export Configuration Table Data
- Use Global Find to Search the Firewall or Panorama Management Server
- Manage Locks for Restricting Configuration Changes
- Manage Configuration Backups
- Save and Export Firewall Configurations
- Revert Firewall Configuration Changes
- Manage Firewall Administrators
- Administrative Role Types
- Configure an Admin Role Profile
- Administrative Authentication
- Configure Administrative Accounts and Authentication
- Reset the Firewall to Factory Default Settings
Authentication
- Authentication Types
- External Authentication Services
- Multi-Factor Authentication
- SAML
- Kerberos
- TACACS+
- RADIUS
- LDAP
- Local Authentication
- Configure Multi-Factor Authentication
- Configure MFA Between RSA SecurID and the Firewall
- Configure MFA Between Okta and the Firewall
- Configure MFA Between Duo and the Firewall
- Configure SAML Authentication
- Configure Kerberos Single Sign-On
- Configure Kerberos Server Authentication
- Configure TACACS+ Authentication
- Configure RADIUS Authentication
- Configure LDAP Authentication
- Connection Timeouts for Authentication Servers
- Guidelines for Setting Authentication Server Timeouts
- Modify the PAN-OS Web Server Timeout
- Modify the Captive Portal Session Timeout
- Configure Local Database Authentication
- Configure an Authentication Profile and Sequence
- Test Authentication Server Connectivity
- Authentication Policy
- Authentication Timestamps
- Configure Authentication Policy
- Troubleshoot Authentication Issues
Certificate Management
- Keys and Certificates
- Default Trusted Certificate Authorities (CAs)
- Certificate Revocation
- Certificate Revocation List (CRL)
- Online Certificate Status Protocol (OCSP)
- Certificate Deployment
- Set Up Verification for Certificate Revocation Status
- Configure an OCSP Responder
- Configure Revocation Status Verification of Certificates
- Configure Revocation Status Verification of Certificates Used for SSL/TLS
- Decryption
- Configure the Master Key
- Obtain Certificates
- Create a Self-Signed Root CA Certificate
- Generate a Certificate
- Import a Certificate and Private Key
- Obtain a Certificate from an External CA
- Deploy Certificates Using SCEP
- Export a Certificate and Private Key
- Configure a Certificate Profile
- Configure an SSL/TLS Service Profile
- Replace the Certificate for Inbound Management Traffic
- Configure the Key Size for SSL Forward Proxy Server Certificates
- Revoke and Renew Certificates
- Revoke a Certificate
- Renew a Certificate
- Secure Keys with a Hardware Security Module
- Set Up Connectivity with an HSM
- Encrypt a Master Key Using an HSM
- Store Private Keys on an HSM
- Manage the HSM Deployment
High Availability
- HA Overview
- HA Concepts
- HA Modes
- HA Links and Backup Links
- Device Priority and Preemption
- Failover
- LACP and LLDP Pre-Negotiation for Active/Passive HA
- Floating IP Address and Virtual MAC Address
- ARP Load-Sharing
- Route-Based Redundancy
- HA Timers
- Session Owner
- Session Setup
- NAT in Active/Active HA Mode
- ECMP in Active/Active HA Mode
- Set Up Active/Passive HA
- Prerequisites for Active/Passive HA
- Configuration Guidelines for Active/Passive HA
- Configure Active/Passive HA
- Define HA Failover Conditions
- Verify Failover
- Set Up Active/Active HA
- Prerequisites for Active/Active HA
- Configure Active/Active HA
- Determine Your Active/Active Use Case
Monitoring
- Use the Dashboard
- Use the Application Command Center
- ACC—First Look
- ACC Tabs
- ACC Widgets
- Widget Descriptions
- ACC Filters
- Interact with the ACC
- Use Case: ACC—Path of Information Discovery
- Use the App Scope Reports
- Summary Report
- Change Monitor Report
- Threat Monitor Report
- Threat Map Report
- Network Monitor Report
- Traffic Map Report
- Use the Automated Correlation Engine
- Automated Correlation Engine Concepts
- View the Correlated Objects
- Interpret Correlated Events
- Use the Compromised Hosts Widget in the ACC
- Take Packet Captures
- Types of Packet Captures
- Disable Hardware Offload
- Take a Custom Packet Capture
- Take a Threat Packet Capture
- Take an Application Packet Capture
- Take a Packet Capture on the Management Interface
- Monitor Applications and Threats
- View and Manage Logs
- Log Types and Severity Levels
- View Logs
- Filter Logs
- Export Logs
- Configure Log Storage Quotas and Expiration Periods
- Schedule Log Exports to an SCP or FTP Server
- Monitor Block List
- View and Manage Reports
- Report Types
- View Reports
- Configure the Expiration Period and Run Time for Reports
- Disable Predefined Reports
- Custom Reports
- Generate Custom Reports
- Generate Botnet Reports
- Generate the SaaS Application Usage Report
- Manage PDF Summary Reports
- Generate User/Group Activity Reports
- Manage Report Groups
- Schedule Reports for Email Delivery
- Manage Report Storage Capacity
- View Policy Rule Usage
- Use External Services for Monitoring
- Configure Log Forwarding
- Configure Email Alerts
- Use Syslog for Monitoring
- Configure Syslog Monitoring
- Syslog Field Descriptions
- SNMP Monitoring and Traps
- SNMP Support
- Use an SNMP Manager to Explore MIBs and Objects
- Enable SNMP Services for Firewall-Secured Network Elements
- Monitor Statistics Using SNMP
- Forward Traps to an SNMP Manager
- Supported MIBs
- Forward Logs to an HTTP/S Destination
- NetFlow Monitoring
- Configure NetFlow Exports
- NetFlow Templates
- Firewall Interface Identifiers in SNMP Managers and NetFlow Collectors
User-ID
- User-ID Overview
- User-ID Concepts
- Group Mapping
- User Mapping
- Enable User-ID
- Map Users to Groups
- Map IP Addresses to Users
- Create a Dedicated Service Account for the User-ID Agent
- Configure User Mapping Using the Windows User-ID Agent
- Configure User Mapping Using the PAN-OS Integrated User-ID Agent
- Configure Server Monitoring Using WinRM
- Configure User-ID to Monitor Syslog Senders for User Mapping
- Map IP Addresses to Usernames Using Captive Portal
- Configure User Mapping for Terminal Server Users
- Send User Mappings to User-ID Using the XML API
- Enable User- and Group-Based Policy
- Enable Policy for Users with Multiple Accounts
- Verify the User-ID Configuration
- Deploy User-ID in a Large-Scale Network
- Deploy User-ID for Numerous Mapping Information Sources
- Redistribute User Mappings and Authentication Timestamps
- Share User-ID Mappings Across Virtual Systems
App-ID
- App-ID Overview
- App-ID and HTTP/2 Inspection
- Manage Custom or Unknown Applications
- Manage New and Modified App-IDs
- Workflow to Best Incorporate New and Modified App-IDs
- See the New and Modified App-IDs in a Content Release
- See How New and Modified App-IDs Impact Your Security Policy
- Ensure Critical New App-IDs are Allowed
- Monitor New App-IDs
- Disable and Enable App-IDs
- Use Application Objects in Policy
- Create an Application Group
- Create an Application Filter
- Create a Custom Application
- Safely Enable Applications on Default Ports
- Applications with Implicit Support
- Security Policy Rule Optimization
- Policy Optimizer Concepts
- Migrate Port-Based to App-ID Based Security Policy Rules
- Rule Cloning Migration Use Case: Web Browsing and SSL Traffic
- Add Applications to an Existing Rule
- Identify Security Policy Rules with Unused Applications
- High Availability for Application Usage Statistics
- How to Disable Policy Optimizer
- Application Level Gateways
- Disable the SIP Application-level Gateway (ALG)
- Use HTTP Headers to Manage SaaS Application Access
- Understand SaaS Custom Headers
- Domains used by the Predefined SaaS Application Types
- Create HTTP Header Insertion Entries using Predefined Types
- Create Custom HTTP Header Insertion Entries
- Maintain Custom Timeouts for Data Center Applications
Threat Prevention
- Best Practices for Securing Your Network from Layer 4 and Layer 7 Evasions
- Set Up Antivirus, Anti-Spyware, and Vulnerability Protection
- DNS Security
- About DNS Security
- Domain Generation Algorithm (DGA) Detection
- DNS Tunneling Detection
- Cloud-Delivered DNS Signatures and Protections
- Enable DNS Security
- Use DNS Queries to Identify Infected Hosts on the Network
- How DNS Sinkholing Works
- Configure DNS Sinkholing
- Configure DNS Sinkholing for a List of Custom Domains
- Configure the Sinkhole IP Address to a Local Server on Your Network
- See Infected Hosts that Attempted to Connect to a Malicious Domain
- Set Up Data Filtering
- Create a Data Filtering Profile
- Predefined Data Filtering Patterns
- Set Up File Blocking
- Prevent Brute Force Attacks
- Customize the Action and Trigger Conditions for a Brute Force Signature
- Enable Evasion Signatures
- Prevent Credential Phishing
- Methods to Check for Corporate Credential Submissions
- Configure Credential Detection with the Windows-based User-ID Agent
- Set Up Credential Phishing Prevention
- Monitor Blocked IP Addresses
- Threat Signature Categories
- Create Threat Exceptions
- Custom Signatures
- Monitor and Get Threat Reports
- Monitor Activity and Create Custom Reports Based on Threat Categories
- Learn More About Threat Signatures
- AutoFocus Threat Intelligence for Network Traffic
- Share Threat Intelligence with Palo Alto Networks
- What Telemetry Data Does the Firewall Collect?
- Passive DNS Monitoring
- Enable Telemetry
- Threat Prevention Resources
Decryption
- Decryption Overview
- Decryption Concepts
- Keys and Certificates for Decryption Policies
- SSL Forward Proxy
- SSL Forward Proxy Decryption Profile
- SSL Inbound Inspection
- SSL Inbound Inspection Decryption Profile
- SSL Protocol Settings Decryption Profile
- SSH Proxy
- SSH Proxy Decryption Profile
- Decryption Profile for No Decryption
- SSL Decryption for Elliptical Curve Cryptography (ECC) Certificates
- Perfect Forward Secrecy (PFS) Support for SSL Decryption
- SSL Decryption and Subject Alternative Names (SANs)
- High Availability Support for Decrypted Sessions
- Decryption Mirroring
- Prepare to Deploy Decryption
- Work with Stakeholders to Develop a Decryption Deployment Strategy
- Develop a PKI Rollout Plan
- Size the Decryption Firewall Deployment
- Plan a Staged, Prioritized Deployment
- Define Traffic to Decrypt
- Create a Decryption Profile
- Create a Decryption Policy Rule
- Configure SSL Forward Proxy
- Configure SSL Inbound Inspection
- Configure SSH Proxy
- Configure Server Certificate Verification for Undecrypted Traffic
- Decryption Exclusions
- Palo Alto Networks Predefined Decryption Exclusions
- Exclude a Server from Decryption for Technical Reasons
- Create a Policy-Based Decryption Exclusion
- Enable Users to Opt Out of SSL Decryption
- Temporarily Disable SSL Decryption
- Configure Decryption Port Mirroring
- Verify Decryption
- Decryption Broker
- How Decryption Broker Works
- Decryption Broker Concepts
- Layer 3 Security Chain Guidelines
- Configure Decryption Broker with One or More Layer 3 Security Chain
- Transparent Bridge Security Chain Guidelines
- Configure Decryption Broker with a Single Transparent Bridge Security Chain
- Configure Decryption Broker with Multiple Transparent Bridge Security Chains
- Activate Free Licenses for Decryption Features
URL Filtering
- About URL Filtering
- How URL Filtering Works
- URL Filtering Vendors
- Enable BrightCloud URL Filtering
- Enable PAN-DB URL Filtering
- URL Filtering Use Cases
- URL Categories
- Security-Focused URL Categories
- Malicious URL Categories
- Policy Actions You Can Take Based on URL Categories
- Plan Your URL Filtering Deployment
- URL Filtering Best Practices
- Configure URL Filtering
- Monitor Web Activity
- Monitor Web Activity of Network Users
- View the User Activity Report
- Configure Custom URL Filtering Reports
- Log Only the Page a User Visits
- Create a Custom URL Category
- URL Category Exceptions
- Basic Guidelines For URL Category Exception Lists
- Wildcard Guidelines for URL Category Exception Lists
- URL Category Exception List—Wildcard Examples
- Use an External Dynamic List in a URL Filtering Profile
- Allow Password Access to Certain Sites
- Safe Search Enforcement
- Safe Search Settings for Search Providers
- Block Search Results when Strict Safe Search is not Enabled
- Transparently Enable Safe Search for Users
- URL Filtering Response Pages
- Customize the URL Filtering Response Pages
- HTTP Header Logging
- Request to Change the Category for a URL
- Make a Change Request Online
- Make a Bulk Change Request
- Make a Change Request from the Firewall
- Troubleshoot URL Filtering
- Problems Activating PAN-DB
- PAN-DB Cloud Connectivity Issues
- URLs Classified as Not-Resolved
- Incorrect Categorization
- URL Database Out of Date
- PAN-DB Private Cloud
- M-500 Appliance for PAN-DB Private Cloud
- Set Up the PAN-DB Private Cloud
Quality of Service
- QoS Overview
- QoS Concepts
- QoS for Applications and Users
- QoS Policy
- QoS Profile
- QoS Classes
- QoS Priority Queuing
- QoS Bandwidth Management
- QoS Egress Interface
- QoS for Clear Text and Tunneled Traffic
- Configure QoS
- Configure QoS for a Virtual System
- Enforce QoS Based on DSCP Classification
- QoS Use Cases
- Use Case: QoS for a Single User
- Use Case: QoS for Voice and Video Applications
VPNs
- VPN Deployments
- Site-to-Site VPN Overview
- Site-to-Site VPN Concepts
- IKE Gateway
- Tunnel Interface
- Tunnel Monitoring
- Internet Key Exchange (IKE) for VPN
- IKEv2
- Set Up Site-to-Site VPN
- Set Up an IKE Gateway
- Define Cryptographic Profiles
- Set Up an IPSec Tunnel
- Set Up Tunnel Monitoring
- Enable/Disable, Refresh or Restart an IKE Gateway or IPSec Tunnel
- Test VPN Connectivity
- Interpret VPN Error Messages
- Site-to-Site VPN Quick Configs
- Site-to-Site VPN with Static Routing
- Site-to-Site VPN with OSPF
- Site-to-Site VPN with Static and Dynamic Routing
Large Scale VPN (LSVPN)
- LSVPN Overview
- Create Interfaces and Zones for the LSVPN
- Enable SSL Between GlobalProtect LSVPN Components
- About Certificate Deployment
- Deploy Server Certificates to the GlobalProtect LSVPN Components
- Deploy Client Certificates to the GlobalProtect Satellites Using SCEP
- Configure the Portal to Authenticate Satellites
- Configure GlobalProtect Gateways for LSVPN
- Configure the GlobalProtect Portal for LSVPN
- GlobalProtect Portal for LSVPN Prerequisite Tasks
- Configure the Portal
- Define the Satellite Configurations
- Prepare the Satellite to Join the LSVPN
- Verify the LSVPN Configuration
- LSVPN Quick Configs
- Basic LSVPN Configuration with Static Routing
- Advanced LSVPN Configuration with Dynamic Routing
- Advanced LSVPN Configuration with iBGP
Networking
- Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
- Configure an Aggregate Interface Group
- Use Interface Management Profiles to Restrict Access
- Virtual Routers
- Service Routes
- Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
- RIP
- OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
- BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
- IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
- Route Redistribution
- GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
- DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- DHCP Messages
- DHCP Addressing
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCP Client
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
- DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
- NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
- NPTv6
- NPTv6 Overview
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
- NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
- ECMP
- ECMP Load-Balancing Algorithms
- ECMP Model, Interface, and IP Routing Support
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
- LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
- BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
- Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
- Prevent TCP Split Handshake Session Establishment
- Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
Policy
- Policy Types
- Security Policy
- Components of a Security Policy Rule
- Security Policy Actions
- Create a Security Policy Rule
- Policy Objects
- Security Profiles
- Create a Security Profile Group
- Set Up or Override a Default Security Profile Group
- Track Rules Within a Rulebase
- Rule Numbers
- Rule UUIDs
- Enforce Policy Rule Description, Tag, and Audit Comment
- Move or Clone a Policy Rule or Object to a Different Virtual System
- Use an Address Object to Represent IP Addresses
- Address Objects
- Create an Address Object
- Use Tags to Group and Visually Distinguish Objects
- Create and Apply Tags
- Modify Tags
- View Rules by Tag Group
- Use an External Dynamic List in Policy
- External Dynamic List
- Formatting Guidelines for an External Dynamic List
- Built-in External Dynamic Lists
- Configure the Firewall to Access an External Dynamic List
- Retrieve an External Dynamic List from the Web Server
- View External Dynamic List Entries
- Exclude Entries from an External Dynamic List
- Enforce Policy on an External Dynamic List
- Find External Dynamic Lists That Failed Authentication
- Disable Authentication for an External Dynamic List
- Register IP Addresses and Tags Dynamically
- Monitor Changes in the Virtual Environment
- Enable VM Monitoring to Track Changes on the Virtual Network
- Attributes Monitored on Virtual Machines in Cloud Platforms
- Use Dynamic Address Groups in Policy
- CLI Commands for Dynamic IP Addresses and Tags
- Identify Users Connected through a Proxy Server
- Use XFF Values for Policies and Logging Source Users
- Use the IP Address in the XFF Header to Troubleshoot Events
- Policy-Based Forwarding
- PBF
- Create a Policy-Based Forwarding Rule
- Use Case: PBF for Outbound Access with Dual ISPs
- Test Policy Rules
Virtual Systems
- Virtual Systems Overview
- Virtual System Components and Segmentation
- Benefits of Virtual Systems
- Use Cases for Virtual Systems
- Platform Support and Licensing for Virtual Systems
- Administrative Roles for Virtual Systems
- Shared Objects for Virtual Systems
- Communication Between Virtual Systems
- Inter-VSYS Traffic That Must Leave the Firewall
- Inter-VSYS Traffic That Remains Within the Firewall
- Inter-VSYS Communication Uses Two Sessions
- Shared Gateway
- External Zones and Shared Gateway
- Networking Considerations for a Shared Gateway
- Configure Virtual Systems
- Configure Inter-Virtual System Communication within the Firewall
- Configure a Shared Gateway
- Customize Service Routes for a Virtual System
- Customize Service Routes to Services for Virtual Systems
- Configure a PA-7000 Series Firewall for Logging Per Virtual System
- Configure Administrative Access Per Virtual System or Firewall
- Virtual System Functionality with Other Features
Zone Protection and DoS Protection
- Network Segmentation Using Zones
- How Do Zones Protect the Network?
- Zone Defense
- Zone Defense Tools
- How Do the Zone Defense Tools Work?
- Firewall Placement for DoS Protection
- Baseline CPS Measurements for Setting Flood Thresholds
- Zone Protection Profiles
- Packet Buffer Protection
- DoS Protection Profiles and Policy Rules
- Configure Zone Protection to Increase Network Security
- Configure Reconnaissance Protection
- Configure Packet Based Attack Protection
- Configure Protocol Protection
- Configure Packet Buffer Protection
- DoS Protection Against Flooding of New Sessions
- Multiple-Session DoS Attack
- Single-Session DoS Attack
- Configure DoS Protection Against Flooding of New Sessions
- End a Single Session DoS Attack
- Identify Sessions That Use an Excessive Percentage of the Packet Buffer
- Discard a Session Without a Commit