PCNSE Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0 Questions and Answers

A: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-web-interface-help/network/network-virtual-routers/more-runtime-stats-for-a-logical-router#id5628a5e4-e908-457e-a2fd-270a476ab752

D: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-cli-quick-start/cli-cheat-sheets/cli-cheat-sheet-networking

The engineer is configuring a DoS Protection profile to defend specific endpoints and resources against malicious activity. A DoS Protection profile is a feature that enables the firewall to detect and prevent denial-of-service (DoS) attacks that attempt to overwhelm network resources or disrupt services. A DoS Protection profile can provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet, such as web servers, DNS servers, or VPN gateways. A DoS Protection profile can be applied to a security policy rule that matches the traffic to and from the protected systems, and can specify the thresholds and actions for different types of flood attacks, such as SYN, UDP, ICMP, or other IP floods12. References: DoS Protection, PCNSE Study Guide (page 58)

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClSvCAK

TIPS & TRICKS: REDUCING MANAGEMENT PLANE LOAD—PART 2:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClU4CAK

The best description of the Cluster Synchronization Timeout (min) is the maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing. This is a parameter that can be configured in an HA cluster, which is a group of firewalls that share session state and provide high availability and scalability. The Cluster Synchronization Timeout (min) determines how long the local firewall will wait for the cluster to reach a stable state before it decides to become Active and process traffic. A stable state means that all cluster members are either Active or Passive, and have synchronized their sessions with each other. If there is another cluster member that is in an unknown or unstable state, such as Initializing, Non-functional, or Suspended, then it may prevent the cluster from fully synchronizing and cause a delay in traffic processing. The Cluster Synchronization Timeout (min) can be set to a value between 0 and 30 minutes, with a default of 0. If it is set to 0, then the local firewall will not wait for any other cluster member and will immediately go to Active state. If it is set to a positive value, then the local firewall will wait for that amount of time before going to Active state, unless the cluster reaches a stable state earlier12. References: Configure HA Clustering, PCNSE Study Guide (page 53)

How to Set Session, TCP, and UDP Timeout Values - Palo Alto Networks ...

A close-up of a computer screen Description automatically generated

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/datasheets/education/pcnse-study-guide.pdf page 83

https://docs.paloaltonetworks.com/panorama/9-1/panorama-admin/manage-firewalls/manage-device-groups/manage-unused-shared-objects

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1CCAS

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

For HIP match logs to be visible on the data center firewall, the following conditions must be met:

• HIP profiles added to security rules: HIP profiles must be applied to security rules on the data center firewall to enforce access restrictions based on the received HIP reports. If the HIP profiles are not associated with the security rules, the firewall will not evaluate traffic against these profiles, and consequently, no HIP match logs will be generated.
• User-ID enabled on the incoming zone: User-ID must be enabled on the zone where the users are located in the data center firewall. The User-ID feature is responsible for mapping IP addresses to user names, which is critical for applying policies based on user identity and, by extension, for HIP-based policy enforcement.

The other options (A and D) are related to logging and log forwarding but would not directly impact the generation or visibility of HIP match logs on the data center firewall itself.

• B is the best choice for an SSL Forward Untrust certificate because a self-signed certificate generated on the firewall is not trusted by any client browsers by default1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the self-signed certificate to the client, which will trigger an untrusted certificate warning2. This way, the security admin can ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
• A web server certificate signed by the organization’s PKI (A) or a subordinate Certificate Authority certificate signed by the organization’s PKI © are not good choices for an SSL Forward Untrust certificate because they are trusted by the client browsers that have the organization’s root CA installed1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server or subordinate CA certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.
• A web server certificate signed by an external Certificate Authority (D) is not a good choice for an SSL Forward Untrust certificate because it is trusted by most client browsers that have the external CA in their trust store1. This means that if the firewall observes an invalid or untrusted security certificate from the server, it will present the web server certificate to the client, which will not trigger an untrusted certificate warning2. This way, the security admin cannot ensure that users are aware of any potential risks when accessing HTTPS sites with untrusted certificates.

Verified References:

• 1: How to Configure SSL Decryption - Palo Alto Networks Knowledge Base
• 2: How to Implement and Test SSL Decryption - Palo Alto Networks Knowledge Base

The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.

If you not believed, then login the firewall go to Vulnerability > Exceptions and select "Show all signatures". From there you will see all threat information including specific actions.

More detail: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm4yCAC

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management Push the configuration bundle from Panorama to the newly added firewall to remove all policy rules and objects from its local configuration. This step is necessary to prevent duplicate rule or object names, which would cause commit errors when you push the device group configuration from Panorama to the firewall in the next step.

To enable XML API access to a firewall for automation from a network segment routed through a Layer 3 sub-interface, the most straightforward approach is to use an Interface Management profile.

C. This can be achieved by:

• Configuring an Interface Management profile and enabling HTTPS access on it. This profile defines management services that are permitted on the interface, including HTTPS, which is required for XML API access.
• Applying this Interface Management profile to the desired Layer 3 sub-interface. This action enables HTTPS access (and thus XML API access) on the sub-interface, allowing devices on the connected network segment to communicate with the firewall for automation purposes.

This solution allows for the secure extension of management capabilities to network segments without direct access to the dedicated management interface, facilitating automation and operational efficiency without necessitating changes to existing access configurations.

An authentication portal is a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An authentication portal is a web page that the firewall displays to users who need to authenticate before accessing the network or the internet. The authentication portal can be customized to include a welcome message, a login prompt, a disclaimer, a certificate download link, and a logout button. The authentication portal can also be configured to use different authentication methods, such as local database, RADIUS, LDAP, Kerberos, or SAML1. By using an authentication portal, the firewall can redirect BYOD users to a web page where they can learn about the decryption policy, download and install the CA certificate, and agree to the terms of use before accessing the network or the internet2.

An SSL decryption profile is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption profile is a set of options that define how the firewall handles SSL/TLS traffic that it decrypts. An SSL decryption profile can include settings such as certificate verification, unsupported protocol handling, session caching, session resumption, algorithm selection, etc3. An SSL decryption profile does not provide any user identification or notification functions.

An SSL decryption policy is not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. An SSL decryption policy is a set of rules that determine which traffic the firewall decrypts based on various criteria, such as source and destination zones, addresses, users, applications, services, etc. An SSL decryption policy can also specify which type of decryption to apply to the traffic, such as SSL Forward Proxy, SSL Inbound Inspection, or SSH Proxy4. An SSL decryption policy does not provide any user identification or notification functions.

Comfort pages are not a feature that can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted. Comfort pages are web pages that the firewall displays to users when it blocks or fails to decrypt certain traffic due to security policy or technical reasons. Comfort pages can include information such as the reason for blocking or failing to decrypt the traffic, the URL of the original site, the firewall serial number, etc5. Comfort pages do not provide any user identification or notification functions before decrypting the traffic.

References: Configure an Authentication Portal, Redirect Users Through an Authentication Portal, SSL Decryption Profile, Decryption Policy, Comfort Pages

How to Implement SSH Decryption on a Palo Alto Networks Device

A template is a set of configuration options that can be applied to one or more firewalls or virtual systems managed by Panorama. A template can include settings from the Device and Network tabs on the firewall web interface, such as login banner, SSL decryption exclusion, and dynamic updates4. These settings can be configured in a template named “Global” and included in all template stacks. A template stack is a group of templates that Panorama pushes to managed firewalls in an ordered hierarchy4. References: Manage Templates and Template Stacks, PCNSE Study Guide (page 50)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm1OCAS

Palo Alto Networks recommends following a specific upgrade path when upgrading PAN-OS to ensure compatibility and minimize the risk of issues. The recommended path involves sequential upgrades through major releases.

B. The detailed upgrade path from PAN-OS 10.1 to 11.0.x involves:

• First, upgrading to the latest preferred maintenance release of the current PAN-OS version (10.1) to ensure that all the latest fixes and improvements are applied.
• Next, upgrading to the base version of the next major release (PAN-OS 10.2.0), followed by upgrading to the latest preferred maintenance release of PAN-OS 10.2. This step ensures that the firewall is on a stable and supported version before proceeding to the next major release.
• Finally, upgrading to the base version of PAN-OS 11.0 (11.0.0), followed by the desired PAN-OS 11.0.x version. This step completes the upgrade to the new major version, providing access to new features and improvements, such as TLSv1.3 support for management access.

This sequential upgrade path is designed to ensure a smooth transition between major versions, maintaining system stability and security.

https://docs.paloaltonetworks.com/globalprotect/9-1/globalprotect-admin/globalprotect-gateways/split-tunnel-traffic-on-globalprotect-gateways/configure-a-split-tunnel-based-on-the-domain-and-application

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClETCA0

A device group is a logical grouping of firewalls that share the same security policy rules. A device group can contain multiple vsys and firewalls, including multi-vsys firewalls. A multi-vsys firewall can have each vsys in a different device group, depending on the desired security policy for each vsys. This allows for granular control and flexibility in managing multi-vsys firewalls with Panorama1. References: Device Group Push to a Multi-VSYS Firewall, Configure Virtual Systems, PCNSE Study Guide (page 50)

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRdCAK

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/configure-url-filtering

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/url-filtering/allow-password-access-to-certain-sites#id7e63ce07-8b30-4506-a1e3-5800303954e8

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000oNlUCAU &lang=en_US

When the peer device will act as the initiator and none of the peer addresses are known, the administrator can enable Passive Mode to establish the VPN connection. Passive Mode tells the firewall to wait for the peer device to initiate the VPN connection. The other options are incorrect. Option A, setting up certificate authentication, would require the administrator to know the peer device's certificate. Option C, using the Dynamic IP address type, would require the administrator to know the peer device's dynamic IP address. Option D, configuring the peer address as an FQDN, would require the administrator to know the peer device's fully qualified domain name.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIGCA0

The compare option for a specific rule in the New App Viewer under Policy Optimizer allows an administrator to compare the applications configured in the rule with the applications seen from traffic matching the same rule. This helps the administrator to identify any new applications that are not explicitly defined in the rule, but are implicitly allowed by the firewall based on the dependencies of the configured applications. The compare option also shows the usage statistics and risk levels of the applications, and provides suggestions for optimizing the rule by adding, removing, or replacing applications12. References: New App Viewer (Policy Optimizer), PCNSE Study Guide (page 47)

Why use Security Policy Optimizer and what are the benefits?

Policy-Based Forwarding (PBF) on Palo Alto Networks firewalls allows administrators to define forwarding decisions based on criteria other than the destination IP address, such as the application, source address, or user. It can address scenarios like:

A. Routing FTP to a backup ISP link to save bandwidth on the primary ISP link: PBF can be configured to identify FTP traffic and route it through a different ISP, preserving bandwidth on the primary link for other critical applications.

B. Providing application connectivity when the primary circuit fails: PBF can be used for failover purposes, directing traffic to an alternate path if the primary connection goes down, ensuring continuous application availability.

PBF is not designed to bypass Layer 7 inspection or forward traffic based solely on source port, as these tasks are managed through different mechanisms within the firewall's operating system.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP3ICAW

In Palo Alto Networks firewalls, the order of rule evaluation is critical for traffic enforcement. To ensure high priority evaluation, rules should be configured at the top of the rulebase so they are matched before others. The Security Pre-Rules are designed for shared policies across multiple device groups in Panorama, and by placing the block action rules at the top of the Pre-Rules, it guarantees that these rules are evaluated first, before any device-specific or post-rules.For verification, please refer to the Palo Alto Networks "PAN-OS® Administrator’s Guide" or the official configuration documentation for Panorama and device group rules.

Hover over an attribute in the table below the chart and click the arrow icon to the right of the attribute. https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/monitoring/use-the-application-command-center/interact-with-the-acc#id5cc39dae-04cf-4936-9916-1a4b0f3179b9

Traffic didnt match any other policies and so landed at the implicit "deny all" policy. If it's deny all, the traffic was dropped before the application could be determined. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClibCAC

Palo Alto Networks Device Telemetry data, collected from firewalls with a device certificate installed, is stored on Palo Alto Networks Update Servers. This telemetry data includes information about threats, device health, and other operational metrics that are crucial for the continuous improvement of security services and threat intelligence. The collected data is anonymized and securely transmitted to Palo Alto Networks, where it is used to enhance the overall effectiveness of threat identification and prevention capabilities across all deployed devices. This collaborative approach helps in keeping the security ecosystem updated and resilient against emerging threats.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/bfd/bfd-overview/bfd-for-dynamic-routing-protocols

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClG2CAK

In an active/active high availability (HA) firewall pair, when a firewall experiences a failure of a monitored path, it enters the “Tentative” state1. This state indicates that the firewall is synchronizing sessions and configurations from its peer due to a failure or a change in monitored objects such as a link or path. The firewall in this state is not fully functional but is working towards resuming normal operations by syncing with its peer. Therefore, the correct answer is B. Tentative.

Firewall Stuck in Initial (Leaving Suspended State) - Palo Alto Networks

When using the log forwarding built-in action with tagging in Palo Alto Networks firewalls, the primary purpose is to dynamically respond to threats or unwanted traffic identified by the firewall's threat detection mechanisms. The action involves tagging the IP address associated with the unwanted traffic and then using that tag in dynamic security policies to block or manage the traffic.

A. Destination IP addresses of selected unwanted traffic are blocked:

• When the tagging action is used, the firewall tags the IP addresses involved in the unwanted traffic (which could be the source or destination IP addresses, but in many configurations, the focus is on the source of the attack). These tags can then be referenced in Dynamic Address Groups (DAGs) within security policies. Consequently, any traffic coming from or going to these tagged IP addresses can be blocked or subjected to specific security rules, effectively mitigating the threat or unwanted behavior.

This approach allows for automated, real-time responses to identified threats, enhancing the security posture by quickly adapting to emerging threats without manual intervention.

In an active/active high availability (HA) firewall pair, the firewall that is currently processing traffic is in the “Active” state. This state indicates that the firewall is fully functional and can own sessions and set up sessions. An active firewall can be either active-primary or active-secondary, depending on the Device ID and the HA configuration. An active-primary firewall connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. An active-secondary firewall connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. An active-secondary firewall does not support DHCP relay1. References: HA Firewall States, PCNSE Study Guide (page 53)

'Implicitly Uses' has web-browsing listed. This means that if you allow facebook-posting, that it will also be allowing the web-browsing application implicitly.. In our case, we dont know which APP the question referes too but 'Implicitly means already uses HTTP.

To generate email alerts when decryption rules are changed in a Palo Alto Networks firewall, you would configure email log forwarding based on specific system logs that capture changes to decryption policies. This is done by setting up log forwarding profiles with filters that match events related to decryption rule modifications. These profiles are then applied to the relevant log types within the firewall's log settings.

To specifically monitor for changes to decryption rules, you would navigate to the Device > Log Settings section of the firewall's web interface. Here, you can configure log forwarding for system logs, which capture configuration changes among other system-level events. By creating a filter that looks for logs associated with decryption rule changes, and associating this filter with an email server profile, the firewall can automatically send out email alerts whenever a decryption rule is modified.

This setup ensures that the security team is promptly notified of any changes to the decryption policies, allowing for quick review and action if the changes were unauthorized or unintended. It is an essential part of maintaining the security posture of the network and ensuring compliance with organizational policies on encrypted traffic inspection.

 The correct packet-flow sequence is C. PBF > Static route > Security policy enforcement. This sequence describes the order of operations that the firewall performs when processing a packet. PBF stands for Policy-Based Forwarding, which is a feature that allows the firewall to override the routing table and forward traffic based on the source and destination addresses, application, user, or service. PBF is evaluated before the static route lookup, which is the default method of forwarding traffic based on the destination address and the longest prefix match. Security policy enforcement is the stage where the firewall applies the security policy rules to allow or block traffic based on various criteria, such as zone, address, port, user, application, etc12. References: Policy-Based Forwarding, Packet Flow Sequence in PAN-OS

https://live.paloaltonetworks.com/t5/blogs/what-is-application-dependency/ba-p/344330

To create an application-based Security policy rule to allow Evernote, the administrator only needs to add the Evernote application to the Security policy rule. The Evernote application is a predefined App-ID that identifies the traffic generated by the Evernote client or web interface. The Evernote application implicitly uses SSL and web browsing as dependencies, which means that the firewall automatically allows these applications when the Evernote application is allowed. Therefore, there is no need to add HTTP, SSL, or web browsing applications to the same Security policy rule. Adding these applications would broaden the scope of the rule and potentially allow unwanted traffic12. References: App-ID Overview, Create a Security Policy Rule

• A and D are the best practice deployment modes for the firewall if the company wants to add threat prevention to the network without redesigning the network routing. This is because these modes allow the firewall to act as a transparent device that does not affect the existing network topology or routing1.
• A: VirtualWire mode allows the firewall to be inserted into any existing network segment without changing the IP addressing or routing of that segment2. The firewall inspects traffic between two interfaces that are configured as a pair, called a virtual wire. The firewall applies security policies to the traffic and forwards it to the same interface from which it was received2.
• D: Layer 2 mode allows the firewall to act as a switch that forwards traffic based on MAC addresses3. The firewall inspects traffic between interfaces that are configured as Layer 2 interfaces and belong to the same VLAN. The firewall applies security policies to the traffic and forwards it to the appropriate interface based on the MAC address table3.

Verified References:

• 1: https://www.garlandtechnology.com/blog/whats-your-palo-alto-ngfw-deployment-plan
• 2: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/virtual-wire.html
• 3: https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/networking/configure-interfaces/layer-2.html

When an administrator needs to evaluate recent policy changes that were committed and pushed to a firewall device group in Panorama, the most direct approach is to use the "Preview Changes" feature.

A. Click Preview Changes under Push Scope:

• The "Preview Changes" option is available under the "Push Scope" in Panorama. This feature allows administrators to see a detailed comparison of the changes that are about to be pushed to the managed firewalls or that have been recently pushed. It highlights the differences between the current configuration and the previous one, making it easier to identify exactly what changes were made, including modifications to policies, objects, and other settings.
• This is particularly useful for auditing and verifying that the intended changes match the actual changes being deployed, enhancing transparency and reducing the risk of unintended configuration modifications.

This approach provides a clear and concise way to review configuration changes before and after they are applied, ensuring that policy modifications are intentional and accurately reflect the administrator's objectives.

If an administrator wants to apply QoS to traffic based on source, they must specify the post-NAT source address in a QoS policy rule. This is because QoS is enforced on traffic as it egresses the firewall, and the firewall applies NAT rules before QoS rules. Therefore, the firewall will match the QoS policy rule based on the translated source address, not the original source address. If the administrator uses the pre-NAT source address in the QoS policy rule, the firewall will not be able to identify the traffic correctly and apply the desired QoS treatment. References:

• QoS Policy
• Configure QoS

The timer that determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational is the Hello Interval. The Hello Interval is the interval in milliseconds between hello packets that are sent to check the HA status of the peer firewall. The default value for the Hello Interval is 8000 ms for all platforms, and the range is 8000-60000 ms. If the firewall does not receive a hello packet from its peer within the specified interval, it will declare the peer as failed and initiate a failover12. References: HA Timers, Layer 3 High Availability with Optimal Failover Times Best Practices

How to Configure Ping Interval/Timeout Settings ... - Palo Alto Networks

>Threat logs, create a log forwarding profile to define how you want the firewall or Panorama to handle logs. >Configure an HTTP server profile to forward logs to a remote User-ID agent. > Select the log forwarding profile you created then select this server profile as the HTTP server profile https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/policy/use-auto-tagging-to-automate-security-actions

https://docs.paloaltonetworks.com/compatibility-matrix/supported-os-releases-by-model/palo-alto-networks-next-gen-firewalls

Regardless of whether you generate Forward Trust certificates from your Enterprise Root CA or use a self-signed certificate generated on the firewall, generate a separate subordinate Forward Trust CA certificate for each firewall. The flexibility of using separate subordinate CAs enables you to revoke one certificate when you decommission a device (or device pair) without affecting the rest of the deployment and reduces the impact in any situation in which you need to revoke a certificate. Separate Forward Trust CAs on each firewall also helps troubleshoot issues because the CA error message the user sees includes information about the firewall the traffic is traversing. If you use the same Forward Trust CA on every firewall, you lose the granularity of that information.

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/decryption/configure-ssl-forward-proxy

The best decryption best practice that the administrator should consider is A: Consider the local, legal, and regulatory implications and how they affect which traffic can be decrypted. This is because decryption involves intercepting and inspecting encrypted traffic, which may raise privacy and compliance issues depending on the jurisdiction and the type of traffic1. Therefore, the administrator should be aware of the local, legal, and regulatory implications and how they affect which traffic can be decrypted, and follow the appropriate guidelines and policies to ensure that decryption is done in a lawful and ethical manner1.

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-log-collection/manage-collector-groups/configure-a-collector-group

"Log redundancy is available only if each Log Collector has the same number of logging disks." (Recommended) Enable log redundancy across collectors if you are adding multiple Log Collectors to a single Collector group. Redundancy ensures that no logs are lost if any one Log Collector becomes unavailable. Each log will have two copies and each copy will reside on a different Log Collector. For example, if you have two Log Collectors in the collector group the log is written to both Log Collectors. Enabling redundancy creates more logs and therefore requires more storage capacity, reducing storage capability in half. When a Collector Group runs out of space, it deletes older logs. Redundancy also doubles the log processing traffic in a Collector Group, which reduces its maximum logging rate by half, as each Log Collector must distribute a copy of each log it receives.

For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:

A. External zones with the virtual systems added:

• External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.

D. Add a route with next hop next-vr by using the VR configured in the virtual system:

• When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.

E. Ensure the virtual systems are visible to one another:

• Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.

By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.