Paloalto Networks PCNSE - Palo Alto Networks Certified Security Engineer (PCNSE) PAN-OS 11.0

The Device Group and Template Admin role is tailored for managing specific device groups and templates in Panorama, allowing contractors to deploy policies and objects within their assigned scope without broader administrative access. This aligns with compliance by restricting privileges.

Option B (Dynamic Admin) is undefined in PAN-OS; Panorama Admin is too broad. Option C (Read-only Superuser) prevents configuration changes. Option D (Custom Panorama Admin) could work but requires more setup than the predefined role. Documentation recommends this role for such scenarios.

The vsysadmin role in Palo Alto Networks firewalls is a virtual system (vsys)-specific administrative role with limited privileges. It can commit changes to the candidate configuration of the assigned vsys (Option B) and create/edit Security policies and profiles specific to that vsys (Option C). This role is designed for multi-tenant environments where administrators manage only their assigned virtual systems.

Option A (configure resource limits) is a superuser or device-level task, not within vsysadmin’s scope. Option D (configure interfaces) is also outside vsysadmin’s permissions, as interface management is a device-wide function. Official documentation defines these privileges clearly.

ttps://www.kareemccie.com/2021/05/palo-alto-firewall-packet-flow.html

https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/high-availability/set-up-activeactive-ha/prerequisites-for-activeactive-ha

These are the two links that can be used to configure an active/active high availability pair. An active/active high availability pair consists of two firewalls that are both active and share the traffic load between them1. To configure an active/active high availability pair, the following links are required2:

HA1: This is the control link that is used for exchanging heartbeat messages and configuration synchronization between the firewalls. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA2: This is the data link that is used for forwarding sessions from one firewall to another in case of failover or load balancing. It can be a dedicated interface or a subinterface. It can also have a backup link for redundancy.

HA3: This is the session owner synchronization link that is used for synchronizing session information between the firewalls in different virtual systems. It can be a dedicated interface or a subinterface. It is only required for active/active high availability pairs, not for active/passive pairs.

URL profile action alert.

File Profile action alert.

AV and Wildfire action Reset-both

Policy Action Allow.

The firewall inspects the content as per all the security profiles attached to the original matching rule. If it results in threat detection, then the corresponding security profile action is taken.

The firewalls exchange hello messages and heartbeats at configurable intervals to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer. A response from the peer indicates that the firewalls are connected and responsive.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUcCAK

"A "heartbeat-interval" CLI command was added to the election settings for HA, this interval has a 1000ms minimum for all Palo Alto Networks platforms and is an ICMP ping to the other device through the HA control link." https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClMaCAK