
NetSec-Pro Cheat Sheet

Quick reference for the Palo Alto Networks Certified Network Security Professional exam.

Core NGFW Technologies

App-ID
Identifies applications traversing the network regardless of port, protocol, encryption, or evasive technique. Uses application signatures, protocol decoders, and heuristics for Layer 7 identification.
Content-ID
Scans traffic content for threats using antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, and data filtering. Requires security profiles attached to allow rules.
User-ID
Maps IP addresses to usernames by integrating with Active Directory, LDAP, captive portal, GlobalProtect, and other authentication sources. Enables user-based and group-based security policies.
WildFire
Cloud-based advanced malware analysis service that detonates unknown files in sandbox environments. Generates and distributes new threat signatures globally within minutes of discovery.
Single-Pass Architecture
Palo Alto NGFW processes each packet once through all security functions (App-ID, Content-ID, threat scanning) simultaneously rather than sequentially. Provides high throughput with full inspection.
Threat Prevention
Combines antivirus, anti-spyware, and vulnerability protection to block known threats, command-and-control activity, and exploit attempts at the network level.

Security Zones & Interfaces

Security Zones
Logical groupings of interfaces that define trust boundaries. All traffic between zones (inter-zone) is denied by default. Traffic within the same zone (intra-zone) is allowed by default.
Layer 3 Interface
Interface with an IP address that participates in routing. Used for routed deployments where the firewall is a routed hop in the network.
Layer 2 Interface
Interface that operates at Layer 2 (switching). Used when the firewall is deployed as a transparent bridge without changing IP addressing.
Virtual Wire (V-Wire)
Two interfaces bound together transparently. Traffic enters one and exits the other. The firewall inspects traffic without being a routed or switched hop.
Tap Interface
Passive monitoring interface that receives a copy of traffic (from a SPAN port). Can inspect and log traffic but cannot block it. Used for visibility without inline deployment.
Tunnel Interface
Virtual interface used as the endpoint for VPN tunnels (IPsec, GRE). Assigned to a security zone to apply policies to tunneled traffic.
Loopback Interface
Virtual interface with an IP address not tied to a physical port. Used for management access, routing protocol identifiers, and GlobalProtect portals/gateways.
Aggregate Ethernet (AE)
Bundles multiple physical interfaces into one logical interface for added bandwidth and link redundancy. LACP (Link Aggregation Control Protocol) is optional: it negotiates the bundle with the peer switch and detects dead links, while a static aggregate group relies on link state alone.

Security Policy & NAT

Security Policy Rules
Rules controlling traffic between zones. Components: source/destination zone, address, user, application, service, action (allow/deny/drop/reset), security profiles, and logging. Evaluated top-down, first match wins.
Interzone Default Rule
Implicit deny rule at the bottom of the security policy that denies all traffic between different zones. Cannot be deleted but can be modified to log denied traffic.
Intrazone Default Rule
Implicit allow rule that permits traffic within the same zone. Can be modified to deny or log intra-zone traffic for tighter security.
Source NAT (SNAT)
Translates the source address (and, for the first type, the source port) of outbound traffic. Types: Dynamic IP and Port (many-to-one, ports translated), Dynamic IP (many-to-many, ports preserved), Static IP (one-to-one, optionally bidirectional). The translation itself is written to the packet on egress, after the security policy has already matched the session on its original addresses.
Destination NAT (DNAT)
Translates the destination address (and optionally port) of inbound traffic to an internal server. The security rule for that traffic must match the pre-NAT (original, public) destination address but the post-NAT destination zone, i.e. the zone the translated address routes to.
U-Turn NAT
Lets internal clients reach an internal server by its public address. Requires a destination NAT rule from the clients' zone; add source NAT as well when client and server sit in the same subnet, otherwise the server answers the client directly, the reply bypasses the firewall, and the session fails.
NAT Processing Order
NAT rules are looked up during session setup, before the security policy lookup, using pre-NAT zones and addresses; the translation is applied on egress. Consequence for rule writing: security rules match on pre-NAT source and destination addresses and on the post-NAT destination zone. Rules written with the translated address are a common cause of "NAT is configured but traffic is denied."
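The ordering above is easier to trust once you have stepped through it. The following is an added example (not PAN-OS code and not from this cheat sheet) that models session setup in that order: route lookup for zones, NAT lookup on pre-NAT zones and addresses, then a top-down security lookup on pre-NAT addresses and the post-NAT destination zone, falling back to the intrazone/interzone defaults. The routing table, zone names, addresses and rulebase are constructed for the example; it also shows why a rule written with the translated address never matches.

```python
"""Session setup the way PAN-OS orders it: route lookup for zones, NAT policy
lookup, then security policy lookup. Added illustration, not PAN-OS code; the
routing table, zones, addresses and rules below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed routing table as (prefix, egress zone); longest prefix wins.
ROUTES = [("10.0.1.0/24", "trust"), ("10.0.0.0/24", "dmz"), ("0.0.0.0/0", "untrust")]


def zone_for(ip: str) -> str:
    """Zone of the egress interface a route lookup on ip would select."""
    addr = ip_address(ip)
    hits = [(ip_network(p).prefixlen, z) for p, z in ROUTES if addr in ip_network(p)]
    return max(hits)[1]


def in_net(ip: str, net: str) -> bool:
    return net == "any" or ip_address(ip) in ip_network(net)


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str                 # pre-NAT destination zone
    dst: str                     # pre-NAT destination address
    translated_dst: Optional[str] = None
    translated_src: Optional[str] = None


@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str                 # post-NAT destination zone
    src: str                     # pre-NAT source address
    dst: str                     # pre-NAT destination address
    action: str


def lookup(src_ip: str, dst_ip: str, nat_rules, sec_rules) -> dict:
    src_zone, pre_dst_zone = zone_for(src_ip), zone_for(dst_ip)
    # 1. NAT lookup: pre-NAT zones and addresses, first match wins.
    nat = next((r for r in nat_rules if r.from_zone == src_zone
                and r.to_zone == pre_dst_zone and in_net(dst_ip, r.dst)), None)
    real_dst = nat.translated_dst if nat and nat.translated_dst else dst_ip
    # 2. Post-NAT destination zone: route lookup on the translated address.
    post_dst_zone = zone_for(real_dst)
    result = {"nat": nat.name if nat else None, "real_dst": real_dst, "dst_zone": post_dst_zone}
    # 3. Security lookup: pre-NAT addresses, post-NAT destination zone, first match wins.
    for r in sec_rules:
        if (r.from_zone in ("any", src_zone) and r.to_zone in ("any", post_dst_zone)
                and in_net(src_ip, r.src) and in_net(dst_ip, r.dst)):
            return {**result, "rule": r.name, "action": r.action}
    # 4. No explicit match: the default rules decide.
    if src_zone == post_dst_zone:
        return {**result, "rule": "intrazone-default", "action": "allow"}
    return {**result, "rule": "interzone-default", "action": "deny"}


# Constructed rulebase. Public 198.51.100.10 fronts web server 10.0.0.10 in dmz.
NAT_RULES = [
    NatRule("web-dnat", "untrust", "untrust", "198.51.100.10/32", translated_dst="10.0.0.10"),
    # U-turn for trust users; translated source keeps the server's replies on the firewall.
    NatRule("web-uturn", "trust", "untrust", "198.51.100.10/32",
            translated_dst="10.0.0.10", translated_src="10.0.0.1"),
    NatRule("outbound-snat", "trust", "untrust", "any", translated_src="198.51.100.10"),
]
SEC_RULES = [
    # Right: pre-NAT destination address with post-NAT destination zone.
    SecRule("web-inbound", "untrust", "dmz", "any", "198.51.100.10/32", "allow"),
    SecRule("web-uturn", "trust", "dmz", "10.0.1.0/24", "198.51.100.10/32", "allow"),
    SecRule("trust-out", "trust", "untrust", "10.0.1.0/24", "any", "allow"),
]
# Wrong: written with the translated (post-NAT) address, so it never matches.
WRONG_RULES = [SecRule("web-inbound-wrong", "untrust", "dmz", "any", "10.0.0.10/32", "allow")]

if __name__ == "__main__":
    for src, dst, rules in [("203.0.113.50", "198.51.100.10", SEC_RULES),
                            ("203.0.113.50", "198.51.100.10", WRONG_RULES),
                            ("10.0.1.25", "198.51.100.10", SEC_RULES),
                            ("10.0.1.25", "93.184.216.34", SEC_RULES)]:
        print(src, "->", dst, lookup(src, dst, NAT_RULES, rules))
```

Run it and compare the second line with the first: the same inbound packet hits `web-inbound` with the correct rule and falls to `interzone-default` (deny) with the rule written against `10.0.0.10`. The trust-to-public lookup shows the U-turn case: the NAT rule's destination zone is untrust (pre-NAT), while the security rule's destination zone is dmz (post-NAT).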

Threat Prevention Profiles

Antivirus Profile
Scans traffic for known malware signatures. Configurable actions per protocol (HTTP, SMTP, FTP, etc.): alert, drop, reset-client, reset-server, reset-both.
Anti-Spyware Profile
Detects spyware, command-and-control (C2) traffic, and phone-home activity. Includes DNS sinkholing to redirect C2 DNS queries to a controlled address.
Vulnerability Protection Profile
Blocks exploitation of known vulnerabilities using IPS signatures. Actions configurable by severity level (critical, high, medium, low, informational).
URL Filtering Profile
Controls web access based on URL categories. Actions per category: allow, alert, block, continue (user acknowledges risk), override (requires password). Includes credential phishing detection.
File Blocking Profile
Controls file transfers by type and direction. Can alert, block, or allow specific file types (PE, PDF, Office docs, etc.) on specific protocols.
WildFire Analysis Profile
Defines which file types are forwarded to WildFire cloud for sandbox analysis. Configurable per protocol and file type.
Security Profile Group
Named bundle of individual security profiles (AV, AS, VP, URL, FB, WF) for easy attachment to security policy rules. Use groups instead of individual profiles for consistency.
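Two of the points above (Content-ID only acts through profiles attached to allow rules, and groups keep that consistent) are things you can audit rather than assume. The following is an added example, not part of this cheat sheet and not Palo Alto Networks code: it walks a constructed, trimmed XML snippet shaped like a PAN-OS running-config rulebase and flags allow rules with no profile group or an incomplete profile set, rules with session-end logging disabled, and any-application/any-service allow rules. The element names (`profile-setting/group`, `profile-setting/profiles/<type>`, `log-end`) follow the PAN-OS XML schema; the rule names and contents are constructed.

```python
"""Audit security rules in a PAN-OS-style XML export for the Content-ID and
logging basics: allow rules need a profile group (or a full set of profiles)
and log-at-session-end, and any/any allow rules deserve a second look.
Added illustration with a constructed, trimmed configuration snippet."""
import xml.etree.ElementTree as ET

# Constructed snippet in the shape of a PAN-OS running-config rulebase.
CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
 <entry name="allow-web">
  <from><member>trust</member></from><to><member>untrust</member></to>
  <application><member>web-browsing</member><member>ssl</member></application>
  <service><member>application-default</member></service>
  <action>allow</action><log-end>yes</log-end>
  <profile-setting><group><member>best-practice</member></group></profile-setting>
 </entry>
 <entry name="allow-dns">
  <from><member>trust</member></from><to><member>untrust</member></to>
  <application><member>dns</member></application>
  <service><member>application-default</member></service>
  <action>allow</action><log-end>yes</log-end>
 </entry>
 <entry name="allow-legacy">
  <from><member>trust</member></from><to><member>dmz</member></to>
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>allow</action><log-end>no</log-end>
  <profile-setting><profiles><virus><member>default</member></virus></profiles></profile-setting>
 </entry>
 <entry name="deny-all">
  <from><member>any</member></from><to><member>any</member></to>
  <application><member>any</member></application>
  <service><member>any</member></service>
  <action>deny</action><log-end>yes</log-end>
 </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Profile types Content-ID applies (element names under profile-setting/profiles).
PROFILE_TYPES = ("virus", "spyware", "vulnerability", "url-filtering",
                 "file-blocking", "wildfire-analysis")


def members(entry, path):
    return [m.text for m in entry.findall(f"{path}/member")]


def audit_rule(entry) -> list:
    """Findings for one rule entry; an empty list means no issue found."""
    findings = []
    if entry.findtext("action") == "allow":
        if entry.find("profile-setting/group/member") is None:
            present = [p for p in PROFILE_TYPES
                       if entry.find(f"profile-setting/profiles/{p}/member") is not None]
            if not present:
                findings.append("no-profiles")
            else:
                missing = [p for p in PROFILE_TYPES if p not in present]
                if missing:
                    findings.append("missing-profiles:" + ",".join(missing))
        if members(entry, "application") == ["any"] and members(entry, "service") == ["any"]:
            findings.append("any-app-any-service")
    # PAN-OS logs at session end unless log-end is explicitly "no".
    if entry.findtext("log-end", "yes") == "no":
        findings.append("no-logging")
    return findings


def audit_rules(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    return {e.get("name"): audit_rule(e)
            for e in root.iterfind(".//rulebase/security/rules/entry")}


if __name__ == "__main__":
    for name, findings in audit_rules(CONFIG).items():
        print(f"{name}: {'ok' if not findings else ', '.join(findings)}")
```

Point it at a real `running-config.xml` export (the same path applies inside each vsys) and the deny rule correctly produces nothing: profiles are irrelevant on deny, but a deny rule without logging would still be flagged.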
DNS Sinkholing
Anti-spyware feature that intercepts DNS queries for known malicious domains and answers with a configured sinkhole address instead, so infected hosts never learn the real C2 address. Its second purpose is forensic: because clients normally query an internal resolver, the threat log shows the resolver as the source, while the client's follow-up connection to the sinkhole address in the traffic log identifies the infected host. Pair it with a security rule that denies and logs traffic to the sinkhole address.
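The two views the sinkhole gives you (threat log naming the resolver, traffic log naming the client) are what an analyst pivots between. As an added example, not from this cheat sheet or from Palo Alto Networks, the triage below reads constructed, simplified `key=value` log lines and produces both: sinkholed queries per resolver, and the internal hosts that then tried to reach the sinkhole address. Real PAN-OS syslog output is CSV with many more fields; the log format, the sinkhole address 192.0.2.1 (an unused RFC 5737 test address) and all hosts are assumptions for this example.

```python
"""Find hosts behind an internal resolver that a DNS sinkhole has caught.
Added illustration with constructed, simplified key=value log lines; real
PAN-OS syslog output is CSV with many more fields. The sinkhole address is an
unused RFC 5737 test address chosen for this example."""
import shlex
from collections import Counter, defaultdict

SINKHOLE_IP = "192.0.2.1"   # constructed; use whatever the anti-spyware profile is set to

# Constructed log excerpt. 10.0.0.53 is the internal resolver; clients are 10.0.1.x.
LOG = """\
type=threat subtype=spyware src=10.0.0.53 dst=8.8.8.8 app=dns threat="Suspicious DNS Query (generic:badc2.example)" action=sinkhole
type=traffic src=10.0.1.25 dst=192.0.2.1 dport=443 app=ssl action=allow
type=traffic src=10.0.1.25 dst=93.184.216.34 dport=443 app=web-browsing action=allow
type=threat subtype=spyware src=10.0.0.53 dst=8.8.8.8 app=dns threat="Suspicious DNS Query (generic:evil.example)" action=sinkhole
type=traffic src=10.0.1.77 dst=192.0.2.1 dport=80 app=web-browsing action=allow
type=traffic src=10.0.1.88 dst=10.0.0.53 dport=53 app=dns action=allow
type=traffic src=10.0.1.77 dst=192.0.2.1 dport=8443 app=ssl action=allow
"""


def parse(line: str) -> dict:
    """Split key=value tokens; shlex keeps quoted values (the threat name) whole."""
    return dict(tok.split("=", 1) for tok in shlex.split(line))


def triage(lines, sinkhole_ip: str = SINKHOLE_IP) -> dict:
    """Threat log names the resolver; traffic log to the sinkhole names the client."""
    resolver_queries = Counter()
    infected = defaultdict(list)
    for raw in lines:
        if not raw.strip():
            continue
        rec = parse(raw)
        if rec.get("type") == "threat" and rec.get("action") == "sinkhole":
            resolver_queries[rec["src"]] += 1
        elif rec.get("type") == "traffic" and rec.get("dst") == sinkhole_ip:
            infected[rec["src"]].append((rec["dport"], rec["app"]))
    return {"resolver_queries": dict(resolver_queries), "infected_hosts": dict(infected)}


if __name__ == "__main__":
    report = triage(LOG.splitlines())
    print("sinkholed queries per resolver:", report["resolver_queries"])
    for host, sessions in report["infected_hosts"].items():
        print(f"infected host {host}: {sessions}")
```

Note what the resolver count alone cannot tell you: two sinkholed queries came from 10.0.0.53, but the hosts to investigate are 10.0.1.25 and 10.0.1.77, and 10.0.1.88 (which only talked to the resolver on port 53) is not among them.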

GlobalProtect & Remote Access

GlobalProtect Portal
Authentication and configuration hub for GlobalProtect clients. Provides client configuration, gateway lists, and agent settings. Users connect here first.
GlobalProtect Gateway
VPN tunnel endpoint that provides the actual encrypted connection. Enforces security policies for remote user traffic. Can be internal or external.
Always-On VPN
GlobalProtect connect method in which the agent establishes the tunnel as soon as the user logs in (or before logon, with the pre-logon method) and reconnects automatically after a disconnect, so remote traffic is protected without user action.
Split Tunneling
Configuration that routes only specific traffic through the VPN tunnel while other traffic (e.g., internet) goes directly. Reduces VPN bandwidth but bypasses inspection for split traffic.
HIP (Host Information Profile)
Endpoint health check that evaluates the connecting device's security posture: OS patch level, antivirus status, disk encryption, firewall status. Used in security policy rules.
Authentication Profiles
Define how users are authenticated: LDAP, RADIUS, SAML, Kerberos, local database, client certificate. Applied to GlobalProtect portals, gateways, and captive portals.

Prisma SASE & SD-WAN

Prisma Access
Cloud-delivered SASE platform extending NGFW-grade security to mobile users and remote networks. Provides consistent security policies regardless of user location.
Mobile User Connections
Prisma Access secures remote/mobile users through GlobalProtect agent connection to cloud-based security processing nodes closest to the user.
Remote Network Connections
Prisma Access secures branch office traffic via IPsec tunnels from branch routers/firewalls to Prisma Access cloud security nodes.
SASE Architecture
Secure Access Service Edge: convergence of WAN networking (SD-WAN) and network security (FWaaS, SWG, CASB, ZTNA) delivered as a cloud service.
SD-WAN
Software-Defined WAN integrated into PAN-OS. Provides intelligent traffic steering across multiple WAN links based on application requirements and link quality metrics.
Traffic Distribution Profiles
SD-WAN profiles that define how sessions are distributed across WAN links: Best Available Path (pick the link meeting the path quality profile), Top Down Priority (use links in configured order, failing over down the list), or Weighted Session Distribution (spread sessions by assigned weight).
Path Quality Metrics
SD-WAN monitors WAN link health using latency, jitter, and packet loss measurements. Triggers path switching when quality thresholds are exceeded.
Autonomous DEM
Autonomous Digital Experience Monitoring integrated with Prisma Access. Provides end-to-end visibility into user experience including application performance and network path quality.

Panorama Centralized Management

Panorama
Centralized management platform for Palo Alto Networks firewalls. Provides unified policy management, logging, reporting, and configuration deployment at scale.
Device Groups
Panorama construct for pushing security policies, objects, and profiles to managed firewalls. Supports hierarchical structure with inheritance from parent to child groups.
Template Stacks
Panorama construct for pushing network and device configurations (interfaces, zones, routing, system settings) to managed firewalls. Multiple templates stack with priority.
Commit and Push
Panorama operation that commits changes to the Panorama configuration and then pushes them to managed firewalls. Supports selective push to specific device groups or templates.
Log Collectors
Dedicated appliances or Panorama instances in log collector mode that aggregate and store logs from managed firewalls for centralized querying and reporting.
Collector Groups
Logical grouping of log collectors that defines log retention, redundancy, and distribution policies. Managed firewalls are assigned to collector groups for log forwarding.
ACC (Application Command Center)
Dashboard available on both the firewall and Panorama that provides near-real-time visibility into traffic, threats, URLs, and application usage with drill-down filters; on Panorama it aggregates the view across all managed firewalls.
Strata Cloud Manager
Cloud-native management and operations platform for Strata products. Complements Panorama with AI-powered best-practice recommendations, unified visibility, and health monitoring across firewalls.

Cloud-Delivered Security Services (CDSS)

Advanced Threat Prevention
CDSS subscription providing inline deep learning models to detect and block zero-day threats, command-and-control traffic, and evasive attacks in real time.
Advanced URL Filtering
CDSS subscription with real-time ML-based URL categorization. Adds inline phishing detection and credential theft prevention beyond basic URL category blocking.
DNS Security
CDSS subscription using predictive analytics to block DNS-based threats including C2 channels, DNS tunneling, and newly registered malicious domains.
IoT Security
CDSS subscription that discovers, classifies, and secures IoT and OT devices on the network using machine learning. Recommends least-privilege security policies.
SaaS Security
CDSS service providing visibility and control over sanctioned and unsanctioned SaaS application usage. Identifies shadow IT, data exposure risks, and compliance violations.
Enterprise DLP
CDSS subscription for data loss prevention across network traffic. Identifies sensitive data patterns (PII, financial, health) and enforces data handling policies.

VPN & Encryption

IKE Phase 1
First phase of IPsec VPN negotiation. Establishes the IKE Security Association using Diffie-Hellman key exchange, authentication (pre-shared key or certificate), and encryption/hash algorithms.
IKE Phase 2
Second phase of IPsec VPN negotiation. Establishes the IPsec Security Association that protects actual data traffic. Defines encryption, authentication, and proxy IDs (traffic selectors).
Proxy IDs
Define the traffic an IPsec SA protects: local and remote address ranges and optional protocol/port. PAN-OS VPNs are route-based, so a single any/any proxy ID is typical between two PAN-OS firewalls; when the peer is policy-based (many third-party devices), configure one proxy ID per peer policy, mirrored on both sides. Mismatched proxy IDs are a frequent cause of Phase 2 failures (Phase 1 up, no traffic).
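Because each side writes its proxy IDs from its own point of view, the check is whether our local/remote pairs are the mirror image of theirs. The following is an added example, not from this cheat sheet and not PAN-OS code: it normalises both peers' proxy IDs and classifies each of ours as matched exactly, overlapping but not equal (a subnet against a supernet, which exact-match Phase 2 negotiation rejects), or unmatched (here, a protocol restriction the peer does not mirror). The subnets and protocol values are constructed.

```python
"""Pre-check IPsec proxy IDs (Phase 2 traffic selectors) between two peers.
Added illustration, not PAN-OS code. Each side lists (local, remote, protocol)
as it sees them; a pair matches when our local is their remote and our remote
is their local, with equal protocol. The subnets below are constructed."""
from dataclasses import dataclass
from ipaddress import ip_network


def _net(s: str):
    return ip_network("0.0.0.0/0" if s == "any" else s, strict=False)


@dataclass(frozen=True)
class ProxyID:
    local: str
    remote: str
    protocol: str = "any"        # e.g. "any", "tcp/443"

    def norm(self):
        """Comparable form: (local network, remote network, protocol)."""
        return _net(self.local), _net(self.remote), self.protocol.lower()


def check_proxy_ids(ours, theirs) -> dict:
    """Classify each of our proxy IDs against the peer's list, flipped to our view."""
    mirror = {(tr, tl, tp) for tl, tr, tp in (t.norm() for t in theirs)}
    result = {"matched": [], "overlap_only": [], "unmatched": []}
    for o in ours:
        local, remote, proto = o.norm()
        if (local, remote, proto) in mirror:
            result["matched"].append(o)
        elif any(local.overlaps(ml) and remote.overlaps(mr) and proto == mp
                 for ml, mr, mp in mirror):
            # Same traffic in spirit, but not an exact mirror: Phase 2 will not come up.
            result["overlap_only"].append(o)
        else:
            result["unmatched"].append(o)
    return result


# Constructed: our side of the tunnel.
OURS = [ProxyID("10.0.1.0/24", "172.16.5.0/24"),
        ProxyID("10.0.2.0/24", "172.16.5.0/24"),
        ProxyID("10.0.3.0/24", "172.16.6.0/24", "tcp/443")]
# Constructed: the peer's configuration, as read from the peer.
THEIRS = [ProxyID("172.16.5.0/24", "10.0.1.0/24"),   # exact mirror of our first
          ProxyID("172.16.5.0/24", "10.0.0.0/16"),   # supernet of our second
          ProxyID("172.16.6.0/24", "10.0.3.0/24")]   # no protocol restriction, unlike our third

if __name__ == "__main__":
    for kind, ids in check_proxy_ids(OURS, THEIRS).items():
        print(kind, [(p.local, p.remote, p.protocol) for p in ids])
```

The overlap class is the one worth explaining to a peer administrator: "10.0.0.0/16 on your side, 10.0.2.0/24 on ours" describes the same traffic but is not an identical selector, and the tunnel stays in Phase 1 until one side is changed.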
IKE Crypto Profile
Defines the encryption (AES-128/256/GCM), authentication (SHA-256/384/512), and DH group parameters used during IKE Phase 1 negotiation. 3DES is deprecated in current PAN-OS.
IPsec Crypto Profile
Defines the encryption and authentication algorithms used to protect data traffic in the IPsec tunnel (Phase 2). Includes PFS (Perfect Forward Secrecy) settings.
SSL Forward Proxy
Decrypts outbound TLS by terminating the client's session on the firewall and opening a second session to the server. The firewall re-signs the server certificate with its Forward Trust CA, which client endpoints must trust; when the original server certificate is itself untrusted, it signs with a Forward Untrust CA instead so that users still see a browser warning rather than a silently "fixed" certificate.
SSL Inbound Inspection
Decrypts inbound HTTPS traffic destined for internal servers. Requires the server's private key and certificate to be imported on the firewall.
Decryption Policy
Rules that define which SSL/TLS traffic to decrypt or exclude from decryption. Based on source, destination, URL category, and service. Processed top-down.
Zone Protection Profile
Applied at the zone level to protect against flood attacks (SYN, UDP, ICMP), reconnaissance (port scan, host sweep), and packet-based attacks. Attached to a security zone, not a policy rule.
DoS Protection Profile
Rate-based protection for specific destination hosts or services. Applied via a DoS policy rule (not a security zone). Protects individual servers from targeted flood attacks.
Decryption Broker
Shares already-decrypted traffic with third-party security tools (DLP, IDS, forensics) without each tool performing independent decryption. Firewall decrypts once and distributes cleartext.

Routing & Network Integration

Virtual Router
PAN-OS routing instance that maintains its own routing table and routing protocol configuration. Each interface is assigned to a virtual router. Multiple VRs enable routing isolation.
Static Routes
Manually configured routes with destination network, next-hop IP, and interface. Supports path monitoring for failover to backup routes when the primary path fails.
OSPF
Open Shortest Path First dynamic routing protocol. Link-state protocol that calculates shortest paths. Configure areas, interfaces, authentication, and redistribution.
BGP
Border Gateway Protocol for inter-AS routing. Used for internet routing and multi-homed WAN connections. Configure neighbors, AS numbers, route filtering, and local preference.
Policy-Based Forwarding (PBF)
Route traffic based on source, application, or user rather than destination. Evaluated BEFORE the routing table. Use for traffic steering to specific ISP links or security devices.
Route Redistribution
Sharing routes between different routing protocols (e.g., OSPF to BGP) or between static routes and dynamic protocols. Requires redistribution profiles and filters.

High Availability

Active/Passive HA
One firewall processes traffic (active), the other monitors (passive). On failure, the passive takes over. Simpler to deploy. Most commonly used HA mode.
Active/Active HA
Both firewalls process traffic simultaneously. Provides better throughput utilization but adds complexity for session synchronization and asymmetric routing.
HA1 Link (Control)
Dedicated link between HA peers for control plane synchronization: hello messages, heartbeats, HA state changes, configuration sync, and routing updates.
HA2 Link (Data)
Dedicated link between HA peers for data plane synchronization: session table sync, forwarding table sync, IPsec SA sync, and ARP table sync.
HA3 Link (Packet Forwarding)
Used only in Active/Active mode. Forwards packets between HA peers when one firewall receives traffic that belongs to a session owned by the other peer.
Preemption
When enabled, the higher-priority firewall automatically reclaims the active role after recovering from a failure. When disabled, the current active firewall remains active.
Link & Path Monitoring
HA monitors physical link status and network path reachability. If monitored links or paths fail, the firewall triggers failover to the HA peer.

System Administration & Operations

Candidate Configuration
Working copy of the firewall configuration where all changes are made. Changes are NOT active until committed. Multiple administrators can work on the candidate simultaneously.
Running Configuration
The active configuration that the firewall is currently enforcing. Updated only when a commit succeeds. Remains unchanged if a commit fails.
Commit Process
Validates and applies candidate configuration changes to the running configuration. Atomic operation: all changes succeed or none are applied. Supports commit locks.
Dynamic Content Updates
Regular updates for threat signatures (Applications and Threats), Antivirus, WildFire, URL categories, and GlobalProtect data files. Should be scheduled for automatic installation.
PAN-OS Upgrades
Operating system upgrades for the firewall. Upgrade paths cross one feature release at a time: download and install the base image of each intervening feature release before the target maintenance release. Install the minimum required content update first, and in an HA pair upgrade the passive peer before the active one.
Configuration Backups
Export running or candidate configuration as XML. Use for disaster recovery, migration, and audit trails. Panorama can schedule automatic backups of managed firewalls.
Role-Based Access Control (RBAC)
Administrative roles defining what each administrator can view and modify. Includes predefined roles (superuser, device admin) and custom roles with granular permissions.
Virtual Systems (VSYS)
Multi-tenancy feature partitioning a single physical firewall into multiple virtual firewalls. Each VSYS has independent policies, interfaces, zones, and administrators.

Zero Trust & Security Architecture

Zero Trust Architecture
Security model based on 'never trust, always verify.' Assumes breach, verifies every access request, enforces least privilege, and uses microsegmentation regardless of network location.
Microsegmentation
Granular network segmentation that isolates individual workloads or applications. Limits lateral movement by enforcing policies at the workload level, not just the network perimeter.
Defense-in-Depth
Layered security strategy using multiple, different security controls (network, endpoint, application, data, user) so that failure of one layer does not compromise overall security.
Least Privilege
Grant users, devices, and applications only the minimum access rights needed for their function. Reduces blast radius of compromised accounts or breached systems.
Strata (Network Security)
Palo Alto Networks product pillar encompassing hardware NGFWs, virtual firewalls (VM-Series, CN-Series), and associated network security technologies.
Prisma (Cloud & SASE Security)
Palo Alto Networks product pillar for cloud security (Prisma Cloud) and SASE (Prisma Access, Prisma SD-WAN). Secures cloud workloads, SaaS, and remote users.
Cortex (Security Operations)
Palo Alto Networks product pillar for SOC and security operations: Cortex XSIAM (autonomous SOC), Cortex XDR (detection and response), Cortex XSOAR (orchestration and automation).
