Paloalto Networks NetSec-Pro - Palo Alto Networks Network Security Professional

GlobalProtect logs

These logs provide detailed insights into the user’s connectivity, tunnel status, and authentication events.

“GlobalProtect logs include detailed information about connection establishment, tunnel negotiation, and any errors that can prevent mobile users from accessing applications.”

(Source: GlobalProtect Troubleshooting)

Autonomous Digital Experience Management (ADEM)

ADEM helps visualize end-to-end performance and identifies network issues affecting SaaS app access for mobile users.

“ADEM provides real-time and historical visibility into user experience, enabling quick identification and resolution of connectivity or performance issues for SaaS applications.”

(Source: ADEM for Prisma Access)

Content-IDis the core of Palo Alto Networks' prevention architecture, providingsingle-pass application layer inspectionto deliver real-time threat prevention across all traffic.

“Content-ID uses a single-pass architecture to perform application-layer (Layer 7) traffic inspection and real-time threat prevention. Unlike traditional firewalls that rely on multiple scans, Content-ID inspects traffic once to enforce multiple security controls simultaneously.”

(Source: Content-ID Overview)

By consolidating security functions in a single pass, it ensures both efficiency and comprehensive security.

To allow third-party contractors controlled access, security policies must combineuser identificationandtime-based access controls:

User-ID

“User-ID enables security policies to be based on user identity rather than IP addresses, ensuring precise policy enforcement for specific users such as contractors.”

(Source: User-ID Overview)

Schedule

“Schedules allow policies to be active only during specific times, providing time-based access control (e.g., after business hours).”

(Source: Security Policy Schedules)

Together, they ensure that only authorized users (contractors) have access, and only when explicitly allowed.

The firewall must be running a PAN-OS version that is supported by Panorama. This means thatPanorama must be running the same or a newer PAN-OS versionas the one being installed on the firewalls to maintain compatibility.

“Before you upgrade the firewall, ensure that Panorama is running the same or a later PAN-OS version than the firewall. Panorama must always be at the same or a higher version to maintain compatibility.”

(Source: Panorama Admin Guide – Upgrade Process)

To fully manage a firewall from Strata Cloud Manager (SCM), it’s essential to establish trust and ensure reliable connectivity:

Configure NTP and DNS servers

The firewall must have accurate time (NTP) and name resolution (DNS) to securely communicate with SCM and related cloud services.

“To ensure successful management, configure the firewall’s NTP and DNS settings to synchronize time and resolve domain names such as stratacloudmanager.paloaltonetworks.com.”

(Source: SCM Onboarding Requirements)

Install a device certificate

A device certificate authenticates the firewall’s identity when connecting to SCM.

“The device certificate authenticates the firewall to Palo Alto Networks cloud services, including SCM. It’s a fundamental requirement to establish secure connectivity.”

(Source: Device Certificates)

These steps ensuretrust, secure communication, and successful onboarding into SCM.

Applications and threats

Panorama can push application and threat signature updates to managed firewalls, ensuring consistent application and threat visibility.

“Panorama uses dynamic updates to distribute the latest application and threat signature packs to all managed firewalls.”

(Source: Manage Content Updates in Panorama)

WildFire

Panorama also distributes WildFire signature updates to firewalls for real-time malware detection.

“WildFire updates provide the latest malware signatures to enhance detection and prevention, and can be deployed to all managed firewalls via Panorama.”

(Source: WildFire and Dynamic Updates)

To inspect SaaS app traffic (often encrypted), you must configure:

SSL Forward Proxy

“The SSL Forward Proxy decryption profile enables the firewall to decrypt outbound SSL traffic, essential for visibility into SaaS app usage.”

(Source: SSL Forward Proxy Overview)

Validate certificates

“Validating and deploying the appropriate root and intermediate CA certificates is critical for establishing trust and preventing SSL errors during decryption.”

(Source: Certificate Deployment and Validation)

Without these steps, SaaS decryption and policy enforcement would be incomplete.

Protecting againstmaliciousandmisconfigured domainsrequires two critical services:

Advanced Threat Prevention

Provides signature-based and advanced analysis to identify threats, including DNS-based attacks.

“Advanced Threat Prevention enables the NGFW to detect and prevent exploits and malware-based communications, including those leveraging DNS.”

(Source: Advanced Threat Prevention)

Advanced DNS Security

Specifically designed to detect and sinkhole malicious and misconfigured DNS queries.

“DNS Security uses real-time intelligence to block DNS-based threats, protect against data exfiltration, and automatically sinkhole suspicious domain lookups.”

(Source: DNS Security)

Bycombiningthese services in security policies, NGFWs ensure robust protection against domain-based threats and misconfigurations.