Course content

1.Palo Alto Certification - what does it take.


  • Palo Alto Firewalls overview

  • Firewalls Overview 

  • Deployment Options

  • Layer 2 deployment

  • Layer 3 deployment

  • Layer 2 deployment and spanning tree

  • Layer 2 Features and Limitations with a demonstration

  • Virtual Wire deployment

  • Virtual Wire IP Classify

  • Tap Mode deployment

  • Deployment Options 

  • Initial Configuration

2.Lab and AWS Palo Alto instance(s) Setup

  • Create an Amazon AWS instance to practice

  • Set up Amazon AWS for lab testing, add a Windows AD server

  • AWS VPC setup, routing setup, route traffic through the AWS instance

  • Create a DMZ segment in Amazon AWS, add a server to the DMZ segment

  • AWS routing issue to be aware of

  • Unetlab EVE-NG name change

  • Create your own test lab to practice

3.Basic Administrative Tasks

  • Basic Settings

  • Changes and Committing changes

  • Local Administrator Account with External Authentication

  • External Authentication Using Radius Server

  • System software Upgrade / Downgrade, Global Protect client install

  • Dynamic Updates

  • Interface Management Profile

4.Security Policy Configuration

  • Security Zones and Traffic Processing

  • Packet Flow

  • Quick knowledge check 1 Quiz

  • Rules-based on an application using App-ID

  • Security Policy Rules for applications not running on application default ports

  • Application Override Policies - Custom Applications

  • URL Filtering Rules and Options

  • Knowledge check 2 Quiz

  • Custom URL Category

  • Using Address Objects

  • Using Service Objects

  • Using Dynamic Block Lists

  • Using Tags

5.Installing User-ID agent on AD

  • Configure the firewall to use user ID agent

  • Configuring integrated User ID agent

  • Group to User ID mapping

  • Making decisions based on user group membership example

  • Identifying Users using Captive Portal Redirect Mode

  • User ID mapping using Captive Portal in Transparent Mode

  • Captive Portal using Browser Challenge SSO example

  • Relaying UserID information using XML example

  • User ID mapping using Syslog Messages example

  • SSL Forward Proxy - Trust Certificate - Local Cert on PaloAlto

  • SSL Forward Proxy - Untrust Certificate - Local Cert on PaloAlto

  • SSL Forward Proxy Using an Internal PKI Subordinate CA

  • SSL Forward Proxy Blocking Threats in Encrypted Traffic - Demo

  • SSL Inbound Inspection

6.Network Address Translation

  • Understanding Dynamic NAT and port

  • Dynamic NAT and port configuration examples

  • Dynamic NAT and port Egress Interface Multiple ISP consideration

  • What is the difference between Dynamic IP and Dynamic IP and port with examples

  • Static NAT concepts and example

  • Static NAT with Port Translation Use Case and scenario example

  • Static NAT with Port Translation Use Case and scenario example - part 2

  • Destination NAT and Destination NAT with Port Address Translation

  • UTurn NAT with port translation

  • Source and Destination NAT

  • New in Version 8.1 Dynamic Destination NAT

7.Basic and Intermediate Networking

  • DHCP Services

  • Default Route

  • OSPF Routing

  • BGP Routing

  • BGP Advertise

  • Using Multiple Virtual Routers

  • Multiple Virtual Routers NAT and Security Policy Example

  • Multiple ISP Failover Scenario using BGP

  • Multiple ISP Failover using floating Static Route

  • Multiple ISP Failover using Policy-Based Forwarding

  • Multiple ISP Load Sharing using Policy-Based Forwarding

8.High Availability

  • High Availability Overview

  • Active Passive Configuration Example

  • High Availability Active / Passive different failure scenarios HA1 HA2 heartbeat

  • High Availability Active / Passive HA1-backup, HA2-backup configuration

9.High Availability Active/passive link and path monitoring, HA operations

  • Active High availability intro, Floating IP

  • Active Active with Floating IP configuration example

  • Active Active session owner, session setup using IP modulus, failover example

  • Active Active Static NAT Configuration Example using NAT HA binding Primary

  • Active Active High Availability ARP Load Sharing Configuration Example

10.IPv6 configuration

  • IPv6 structure, addressing, unicast (link-local, site-local, global), multicast

  • IPv6 neighbor discovery, ICMPv6, DHCPv6

  • IPv6 Stateless, Stateful DHCP, M Flag O Flag concepts

  • IPv6 basic firewall configuration example

  • IPv6 Network Prefix Translation NPTv6 configuration example

  • IPv6 NAT64 example connecting IPv6 only network to IPv4 Internet example

  • IPv6 NAT64 example connecting IPv4 only network to IPv6 only network

  • IPv6 DHCPv6 relay on PaloAlto firewall example

  • IPv6 issues related to Windows and policy based on IPv6 addresses, example

11.VPN IPSec configuration details

  • VPN IPSEC L2L intro and configuration steps

  • VPN IPSec L2L PaloAlto to PaloAlto Example

  • VPN IPSec Site To Site Hub Spoke, Dynamic IP address example

  • VPN IPSEC L2L PaloAlto to Cisco ASA configuration example

  • VPN IPSEC L2L PaloAlto to Cisco ASA with Dynamic IP address

  • IPsec Quick mode negotiation understanding

  • IKE main mode more details, explanation

  • Understanding IPSec Quick mode with PFS

  • IKE security policies required and NAT-T explanation/example

  • IKEv1 main mode versus aggressive mode, understand the difference

  • IKEv2 intro and differences between IKEv2 and IKEv1

  • IKEv2 Auth phase, IPsec associations, differences between IKEv1 and IKEv2

12.Global Protect

  • Global Protect Setup example

  • Getting a free publicly trusted SSL certificate to test Global Protect

  • Setting up Global Protect for on-demand mode, discover agent settings

  • Dual Factor Authentication Using Open Source Solution PrivacyIdea - demo

  • Joining a Windows PC to AWS Windows domain - VPN tunnel to AWS

  • Installing CA services on Windows, certificate enrollment policy service, OCSP

  • Global Protect Authentication using Dual Factor Token and Computer Certificate

  • Global Protect Always-On User-Logon and Pre-Logon configuration

  • Global Protect Pre-Logon with User Logon (on demand) configuration example

  • Setup Palo Alto VM In Azure

  • Protecting Virtual Machines in Azure behind Palo Alto firewall


  • Panorama concepts, hardware, template and template stack

  • Panorama Device Group Concepts Part 1

  • Panorama Device Group and Object Inheritance


  • QoS Introduction

  • QoS Download Upload Bandwidth Restriction

  • QoS Classification and Marking

  • QoS Classification and Markings Example

  • IPSec QoS lab setup overview

  • Bandwidth Throttling IPSec tunnels demo

  • IPSec Tunnel QoS traffic classification

  • IPSec Tunnel QoS controlling traffic bidirectionally

  • IPSec QoS Copy TOS Header Explanation and demo

  • Using the CLI to show QoS details

15.Installing PaloAlto 8.1 In AWS

  • Palo Alto 8.1 Section Intro

  • Provisioning PaloAlto Firewall 8.1 in AWS - Part 1

  • Provisioning PaloAlto Firewall 8.1 in AWS - Part 2

16.Palo Alto Firewall In Google Cloud

  • Installing Palo Alto Firewall In Google Cloud

  • Initial configuration of interfaces

  • Placing workload behind the Palo Alto firewall
