PCNSFE Study Guide

This is a non-comprehensive, personal reference for the Palo Alto PCNSFE certification exam.

The exam is broken into multiple domains:

Domain 1:

Software Firewall Fundamentals

  1. Differentiate between software firewalls
    • Know the different ways of obtaining, installing, configuring, and maintaining Palo Alto Networks software firewalls.
    • Images from the Support Portal for the various hypervisors (ESXi, KVM, etc.)
    • Cloud Marketplace
    • CN-Series
    • Cloud-Delivered Security Services (CDSS) subscriptions
      • Advanced Threat
      • Advanced WildFire
      • Advanced URL Filtering
      • DNS Security
      • IoT Security
      • SaaS Security
      • Enterprise DLP
    • Cloud Next-Generation Firewall (NGFW), e.g. deployments in AWS/Azure
    • VM-Series
  2. Describe licensing options for software firewalls
    • Enterprise Licensing Agreement (ELA) subscriptions
      • Multi-Model ELA Fixed Configurations:
        • VM-50 : 10 Tokens
        • VM-100 : 25 Tokens
        • VM-300 : 50 Tokens
        • VM-500 : 140 Tokens
        • VM-700 : 300 Tokens
      • The customer forecasts the number of instances of each VM-Series model they expect to spin up and adds that to their existing "estate".
        • 1-year term: no limit on the number of firewalls, but the forecast will need to be increased in the next cycle.
        • 3-year term: during the first half of the term, deployments are limited to the existing estate + 150%.
        • 5-year term: during the first 60% of the term, deployments are limited to the existing estate + 150%.
      • Term-based licenses only; no perpetual licenses.
    • Flex licensing
    • Software NGFW Credit Estimator
    • Pay-as-you-go licensing

Domain 2:

Securing Environments with Software Firewalls

  1. Describe methodologies for securing data centers
    • Segmentation (how environments can be segmented)
    • Virtualization (how software firewalls can support security in virtualized environments)
    • Application visibility and control
    • VPN connectivity controls (how authentication, user identification, and various policies can be used to secure VPN connections)
    • Securing Datacenters
  2. Explain how traffic flow is secured in public cloud environments. Understand traffic flows:
    • Inbound
    • Outbound
    • East-West
    • Deployment guides:
  3. Explain how traffic flow is secured in virtualized branch environments

Domain 3:

Deployment Architecture

  1. Describe common VM-Series deployment models
  2. Explain the use of VM-Series firewalls in centralized and distributed environments.
    • GCP
    • HA pair deployment on various cloud platforms
    • Azure Gateway Load Balancer
    • Amazon Web Services Gateway Load Balancer
    • Azure VNET
    • VWAN
    • Autoscaling integration
  3. Describe VM-Series private cloud integrations
    • Understand which interface modes are supported in private cloud integrations, how to configure them, and under what circumstances a specific interface type should be implemented.
      • Virtual Wire (vwire)
      • Layer 3
  4. Describe CN-Series deployment methods
    • Understand the requirements for each CN-Series firewall deployment strategy.
      • DaemonSet
      • Kubernetes services
      • Container Network Function (CNF)
      • Hyperscale deployment mode
    • CN-Series Deployment Guide

Domain 4:

Automation and Orchestration

  1. Describe software management tools
  2. Describe software firewall automation tools
    • Automation tools can be used to update configurations and to perform maintenance activities for VM-Series and CN-Series firewalls. Understand the automation tools recommended by Palo Alto Networks.

Domain 5:

Technology Integration

  1. Explain how Intelligent Traffic Offload (ITO) integrates with VM-Series firewalls
  2. Explain the deployment process for VM-Series software firewalls using third-party marketplaces
    • Understand how to deploy VM-Series from these marketplaces
      • Alibaba
      • AWS
      • Azure
      • GCP

Domain 6:

Troubleshooting

  1. Troubleshoot CN-Series firewalls
  2. Troubleshoot VM-Series firewalls
  3. Troubleshoot Cloud NGFW software firewalls
    • Same as VM-Series
  4. Troubleshoot Panorama plugins
    • Troubleshoot these plugins:
      • Kubernetes
      • Public Cloud (AWS, Azure, and GCP)
      • VMware NSX
      • VMware vCenter
      • Plugin Reference

Domain 7:

Management Plugins and Log Forwarding

  1. Describe cloud NGFW log forwarding destinations
  2. Describe the use of management plugins
    • Describe management plugins in Panorama for VM/CN-Series
    • Kubernetes
    • Public Cloud (AWS, Azure, GCP)
    • VMware NSX
    • VMware vCenter

Consolidated Notes From the Desk of Sean Davis.


Palo Alto PCNSFE Study Guide Reference Information

By Sean, 2024-05-30