Core NGFW Technologies
- App-ID: Identifies applications traversing the network regardless of port, protocol, encryption, or evasive technique. Uses application signatures, protocol decoders, and heuristics for Layer 7 identification.
- Content-ID: Scans traffic content for threats using antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, and data filtering. Requires security profiles attached to allow rules; a deny rule never invokes Content-ID.
- User-ID: Maps IP addresses to usernames by integrating with Active Directory, LDAP, captive portal, GlobalProtect, and other authentication sources. Enables user-based and group-based security policies.
- WildFire: Cloud-based advanced malware analysis service that detonates unknown files in sandbox environments. Generates and distributes new threat signatures globally within minutes of discovery.
- Single-Pass Architecture: The firewall processes each packet once through all security functions (App-ID, Content-ID, threat scanning) in parallel rather than sequentially. Provides high throughput with full inspection.
- Threat Prevention: Combines antivirus, anti-spyware, and vulnerability protection to block known threats, command-and-control activity, and exploit attempts at the network level.
Security Zones & Interfaces
- Security Zones: Logical groupings of interfaces that define trust boundaries. All traffic between zones (inter-zone) is denied by default. Traffic within the same zone (intra-zone) is allowed by default.
- Layer 3 Interface: Interface with an IP address that participates in routing. Used for routed deployments where the firewall is a routed hop in the network.
- Layer 2 Interface: Interface that operates at Layer 2 (switching). Used when the firewall is deployed as a transparent bridge without changing IP addressing.
- Virtual Wire (V-Wire): Two interfaces bound together transparently. Traffic enters one and exits the other. The firewall inspects traffic without being a routed or switched hop.
- Tap Interface: Passive monitoring interface that receives a copy of traffic (from a SPAN port). Can inspect and log traffic but cannot block it. Used for visibility without inline deployment.
- Tunnel Interface: Virtual interface used as the endpoint for VPN tunnels (IPsec, GRE). Assigned to a security zone to apply policies to tunneled traffic.
- Loopback Interface: Virtual interface with an IP address not tied to a physical port. Used for management access, routing protocol identifiers, and GlobalProtect portals/gateways.
- Aggregate Ethernet (AE): Combines multiple physical interfaces into a single logical interface for increased bandwidth and redundancy using LACP (Link Aggregation Control Protocol).
Security Policy & NAT
- Security Policy Rules: Rules controlling traffic between zones. Components: source/destination zone, address, user, application, service, action (allow/deny/drop/reset), security profiles, and logging. Evaluated top-down; the first matching rule wins and no later rule is considered.
- Interzone Default Rule: Implicit deny rule at the bottom of the security policy that denies all traffic between different zones. Cannot be deleted but can be modified to log denied traffic.
- Intrazone Default Rule: Implicit allow rule that permits traffic within the same zone. Can be modified to deny or log intra-zone traffic for tighter security.
- Source NAT (SNAT): Translates the source IP of outbound traffic. Types: Dynamic IP and Port (many-to-one), Dynamic IP (many-to-many), Static IP (one-to-one). Applied AFTER security policy evaluation.
- Destination NAT (DNAT): Translates the destination IP of inbound traffic to redirect it to internal servers. Applied BEFORE security policy evaluation. Security rules must use the pre-NAT (original public) destination address together with the post-NAT destination zone (the zone of the internal server).
- U-Turn NAT: Allows internal users to access internal servers using the server's public IP address. Requires destination NAT and source NAT rules working together, so that the server's replies return through the firewall instead of going directly to the client.
- NAT Processing Order: Destination NAT is evaluated BEFORE security policy. Source NAT is evaluated AFTER security policy. Consequently, security rules for NAT scenarios reference pre-NAT IP addresses and post-NAT zones; getting this wrong is the most common cause of NAT traffic hitting the interzone default deny.
Threat Prevention Profiles
- Antivirus Profile: Scans traffic for known malware signatures. Configurable actions per protocol (HTTP, SMTP, FTP, etc.): alert, drop, reset-client, reset-server, reset-both.
- Anti-Spyware Profile: Detects spyware, command-and-control (C2) traffic, and phone-home activity. Includes DNS sinkholing to redirect C2 DNS queries to a controlled address.
- Vulnerability Protection Profile: Blocks exploitation of known vulnerabilities using IPS signatures. Actions configurable by severity level (critical, high, medium, low, informational).
- URL Filtering Profile: Controls web access based on URL categories. Actions per category: allow, alert, block, continue (user acknowledges risk), override (requires password). Includes credential phishing detection.
- File Blocking Profile: Controls file transfers by type and direction. Can alert, block, or allow specific file types (PE, PDF, Office docs, etc.) on specific protocols.
- WildFire Analysis Profile: Defines which file types are forwarded to the WildFire cloud for sandbox analysis. Configurable per protocol and file type.
- Security Profile Group: Named bundle of individual security profiles (AV, AS, VP, URL, FB, WF) for easy attachment to security policy rules. Use groups instead of individual profiles for consistency.
- DNS Sinkholing: Anti-spyware feature that intercepts DNS queries for known malicious domains and responds with a controlled IP address, preventing infected hosts from reaching C2 servers.
GlobalProtect & Remote Access
- GlobalProtect Portal: Authentication and configuration hub for GlobalProtect clients. Provides client configuration, gateway lists, and agent settings. Users connect here first.
- GlobalProtect Gateway: VPN tunnel endpoint that provides the actual encrypted connection. Enforces security policies for remote user traffic. Can be internal or external.
- Always-On VPN: GlobalProtect mode where the VPN tunnel is automatically established at system startup and reconnects after disconnection. Ensures all traffic is always protected.
- Split Tunneling: Configuration that routes only specific traffic through the VPN tunnel while other traffic (e.g., internet) goes directly. Reduces VPN bandwidth but bypasses inspection for split traffic.
- HIP (Host Information Profile): Endpoint health check that evaluates the connecting device's security posture: OS patch level, antivirus status, disk encryption, firewall status. Used in security policy rules.
- Authentication Profiles: Define how users are authenticated: LDAP, RADIUS, SAML, Kerberos, local database, client certificate. Applied to GlobalProtect portals, gateways, and captive portals.
Prisma SASE & SD-WAN
- Prisma Access: Cloud-delivered SASE platform extending NGFW-grade security to mobile users and remote networks. Provides consistent security policies regardless of user location.
- Mobile User Connections: Prisma Access secures remote/mobile users through a GlobalProtect agent connection to the cloud-based security processing nodes closest to the user.
- Remote Network Connections: Prisma Access secures branch office traffic via IPsec tunnels from branch routers/firewalls to Prisma Access cloud security nodes.
- SASE Architecture: Secure Access Service Edge: convergence of WAN networking (SD-WAN) and network security (FWaaS, SWG, CASB, ZTNA) delivered as a cloud service.
- SD-WAN: Software-Defined WAN integrated into PAN-OS. Provides intelligent traffic steering across multiple WAN links based on application requirements and link quality metrics.
- Traffic Distribution Profiles: SD-WAN profiles that define how traffic is distributed across WAN links: weighted, priority-based, or application-based steering with failover rules.
- Path Quality Metrics: SD-WAN monitors WAN link health using latency, jitter, and packet loss measurements. Triggers path switching when quality thresholds are exceeded.
- Autonomous DEM: Autonomous Digital Experience Monitoring integrated with Prisma Access. Provides end-to-end visibility into user experience, including application performance and network path quality.
Panorama Centralized Management
- Panorama: Centralized management platform for Palo Alto Networks firewalls. Provides unified policy management, logging, reporting, and configuration deployment at scale.
- Device Groups: Panorama construct for pushing security policies, objects, and profiles to managed firewalls. Supports a hierarchical structure with inheritance from parent to child groups.
- Template Stacks: Panorama construct for pushing network and device configurations (interfaces, zones, routing, system settings) to managed firewalls. Multiple templates are layered in a stack, and the order of templates in the stack decides which setting wins when they conflict.
- Commit and Push: Panorama operation that commits changes to the Panorama configuration and then pushes them to managed firewalls. Supports selective push to specific device groups or templates.
- Log Collectors: Dedicated appliances or Panorama instances in log collector mode that aggregate and store logs from managed firewalls for centralized querying and reporting.
- Collector Groups: Logical grouping of log collectors that defines log retention, redundancy, and distribution policies. Managed firewalls are assigned to collector groups for log forwarding.
- ACC (Application Command Center): Panorama dashboard providing real-time visibility into network traffic, threats, URLs, and application usage across all managed firewalls, with drill-down capabilities.
- Strata Cloud Manager: Cloud-native management and operations platform for Strata products. Complements Panorama with AI-powered best-practice recommendations, unified visibility, and health monitoring across firewalls.
Cloud-Delivered Security Services (CDSS)
- Advanced Threat Prevention: CDSS subscription providing inline deep learning models to detect and block zero-day threats, command-and-control traffic, and evasive attacks in real time.
- Advanced URL Filtering: CDSS subscription with real-time ML-based URL categorization. Adds inline phishing detection and credential theft prevention beyond basic URL category blocking.
- DNS Security: CDSS subscription using predictive analytics to block DNS-based threats, including C2 channels, DNS tunneling, and newly registered malicious domains.
- IoT Security: CDSS subscription that discovers, classifies, and secures IoT and OT devices on the network using machine learning. Recommends least-privilege security policies.
- SaaS Security: CDSS service providing visibility and control over sanctioned and unsanctioned SaaS application usage. Identifies shadow IT, data exposure risks, and compliance violations.
- Enterprise DLP: CDSS subscription for data loss prevention across network traffic. Identifies sensitive data patterns (PII, financial, health) and enforces data handling policies.
VPN & Encryption
- IKE Phase 1: First phase of IPsec VPN negotiation. Establishes the IKE Security Association using Diffie-Hellman key exchange, authentication (pre-shared key or certificate), and encryption/hash algorithms.
- IKE Phase 2: Second phase of IPsec VPN negotiation. Establishes the IPsec Security Association that protects the actual data traffic. Defines encryption, authentication, and proxy IDs (traffic selectors).
- Proxy IDs: Define which traffic is encrypted through the IPsec tunnel (source/destination IP ranges and protocol). Must match on both VPN peers; mismatched proxy IDs cause tunnel failures.
- IKE Crypto Profile: Defines the encryption (AES-128/256/GCM), authentication (SHA-256/384/512), and DH group parameters used during IKE Phase 1 negotiation. 3DES is deprecated in current PAN-OS.
- IPsec Crypto Profile: Defines the encryption and authentication algorithms used to protect data traffic in the IPsec tunnel (Phase 2). Includes PFS (Perfect Forward Secrecy) settings.
- SSL Forward Proxy: Decrypts outbound HTTPS traffic by acting as a man-in-the-middle proxy. Requires the firewall CA certificate to be trusted by client endpoints.
- SSL Inbound Inspection: Decrypts inbound HTTPS traffic destined for internal servers. Requires the server's private key and certificate to be imported on the firewall.
- Decryption Policy: Rules that define which SSL/TLS traffic to decrypt or exclude from decryption. Based on source, destination, URL category, and service. Processed top-down.
- Zone Protection Profile: Applied at the zone level to protect against flood attacks (SYN, UDP, ICMP), reconnaissance (port scan, host sweep), and packet-based attacks. Attached to a security zone, not a policy rule.
- DoS Protection Profile: Rate-based protection for specific destination hosts or services. Applied via a DoS policy rule (not a security zone). Protects individual servers from targeted flood attacks.
- Decryption Broker: Shares already-decrypted traffic with third-party security tools (DLP, IDS, forensics) without each tool performing independent decryption. The firewall decrypts once and distributes cleartext.
Routing & Network Integration
- Virtual Router: PAN-OS routing instance that maintains its own routing table and routing protocol configuration. Each interface is assigned to a virtual router. Multiple VRs enable routing isolation.
- Static Routes: Manually configured routes with destination network, next-hop IP, and interface. Supports path monitoring for failover to backup routes when the primary path fails.
- OSPF: Open Shortest Path First dynamic routing protocol. Link-state protocol that calculates shortest paths. Configure areas, interfaces, authentication, and redistribution.
- BGP: Border Gateway Protocol for inter-AS routing. Used for internet routing and multi-homed WAN connections. Configure neighbors, AS numbers, route filtering, and local preference.
- Policy-Based Forwarding (PBF): Routes traffic based on source, application, or user rather than destination. Evaluated BEFORE the routing table. Use for traffic steering to specific ISP links or security devices.
- Route Redistribution: Sharing routes between different routing protocols (e.g., OSPF to BGP) or between static routes and dynamic protocols. Requires redistribution profiles and filters.
High Availability
- Active/Passive HA: One firewall processes traffic (active), the other monitors (passive). On failure, the passive takes over. Simpler to deploy and the most commonly used HA mode.
- Active/Active HA: Both firewalls process traffic simultaneously. Provides better throughput utilization but adds complexity for session synchronization and asymmetric routing.
- HA1 Link (Control): Dedicated link between HA peers for control plane synchronization: hello messages, heartbeats, HA state changes, configuration sync, and routing updates.
- HA2 Link (Data): Dedicated link between HA peers for data plane synchronization: session table sync, forwarding table sync, IPsec SA sync, and ARP table sync.
- HA3 Link (Packet Forwarding): Used only in Active/Active mode. Forwards packets between HA peers when one firewall receives traffic that belongs to a session owned by the other peer.
- Preemption: When enabled, the higher-priority firewall automatically reclaims the active role after recovering from a failure. When disabled, the current active firewall remains active.
- Link & Path Monitoring: HA monitors physical link status and network path reachability. If monitored links or paths fail, the firewall triggers failover to the HA peer.
System Administration & Operations
- Candidate Configuration: Working copy of the firewall configuration where all changes are made. Changes are NOT active until committed. Multiple administrators can work on the candidate simultaneously.
- Running Configuration: The active configuration that the firewall is currently enforcing. Updated only when a commit succeeds. Remains unchanged if a commit fails.
- Commit Process: Validates and applies candidate configuration changes to the running configuration. Atomic operation: all changes succeed or none are applied. Supports commit locks.
- Dynamic Content Updates: Regular updates for threat signatures (Applications and Threats), Antivirus, WildFire, URL categories, and GlobalProtect data files. Should be scheduled for automatic installation.
- PAN-OS Upgrades: Firmware updates for the firewall operating system. Requires downloading the target version and all intermediate versions. Install content updates before PAN-OS upgrades.
- Configuration Backups: Export the running or candidate configuration as XML. Use for disaster recovery, migration, and audit trails. Panorama can schedule automatic backups of managed firewalls.
- Role-Based Access Control (RBAC): Administrative roles defining what each administrator can view and modify. Includes predefined roles (superuser, device admin) and custom roles with granular permissions.
- Virtual Systems (VSYS): Multi-tenancy feature partitioning a single physical firewall into multiple virtual firewalls. Each VSYS has independent policies, interfaces, zones, and administrators.
Zero Trust & Security Architecture
- Zero Trust Architecture: Security model based on "never trust, always verify." Assumes breach, verifies every access request, enforces least privilege, and uses microsegmentation regardless of network location.
- Microsegmentation: Granular network segmentation that isolates individual workloads or applications. Limits lateral movement by enforcing policies at the workload level, not just the network perimeter.
- Defense-in-Depth: Layered security strategy using multiple, different security controls (network, endpoint, application, data, user) so that failure of one layer does not compromise overall security.
- Least Privilege: Grant users, devices, and applications only the minimum access rights needed for their function. Reduces the blast radius of compromised accounts or breached systems.
- Strata (Network Security): Palo Alto Networks product pillar encompassing hardware NGFWs, virtual firewalls (VM-Series, CN-Series), and associated network security technologies.
- Prisma (Cloud & SASE Security): Palo Alto Networks product pillar for cloud security (Prisma Cloud) and SASE (Prisma Access, Prisma SD-WAN). Secures cloud workloads, SaaS, and remote users.
- Cortex (Security Operations): Palo Alto Networks product pillar for SOC and security operations: Cortex XSIAM (autonomous SOC), Cortex XDR (detection and response), Cortex XSOAR (orchestration and automation).