A Palo Alto Networks Next-Generation Firewall (NGFW) must be configured to use a Layer 3 underlay network in order to secure traffic in a Cisco ACI environment. A Layer 3 underlay network is a physical network that provides IP connectivity between devices, such as routers, switches, and firewalls. A Palo Alto Networks NGFW must use a Layer 3 underlay network to communicate with the Cisco ACI fabric and receive traffic redirection from the Cisco ACI policy-based redirect mechanism. A Palo Alto Networks NGFW does not need to be deployed as a member of a device cluster, receive all forwarding lookups from the network controller, or be identified as a default gateway in order to secure traffic in a Cisco ACI environment, as those are not valid requirements or options for firewall integration with Cisco ACI. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Deploy the VM-Series Firewall on Cisco ACI], [Cisco ACI Underlay Network]

Security profiles are the components that scan for threats in allowed traffic. Security profiles are sets of rules or settings that define how the firewall will inspect and handle traffic based on various threat prevention technologies, such as antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, data filtering, and WildFire analysis. Security profiles can be applied to Security policy rules to enforce granular protection against known and unknown threats in allowed traffic. Intelligent Traffic Offload, TLS decryption, and NAT are not components that scan for threats in allowed traffic, but they are related features that can enhance security and performance. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Security Profiles Overview], [Threat Prevention Datasheet]

Containers are the elements that a CN-Series firewall can secure traffic between. Containers are isolated units of software that run on a shared operating system and have their own resources, dependencies, and configuration. A CN-Series firewall can inspect and enforce security policies on traffic between containers within a pod, across pods, or across namespaces in a Kubernetes cluster. Host containers, source applications, and IPods are not valid elements that a CN-Series firewall can secure traffic between. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [CN-Series Concepts], [What is a Container?]

Threat Prevention and WildFire are the two subscriptions that provide protection against malware and lateral movement in a private data center. Threat Prevention blocks known threats using antivirus, anti-spyware, and vulnerability protection. WildFire analyzes unknown files and links in a cloud-based sandbox and generates signatures for new threats. Intelligent Traffic Offload is a feature that reduces the load on the firewall by offloading traffic that does not need inspection. SD-WAN is a feature that optimizes the performance and availability of WAN connections. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Threat Prevention Datasheet], [WildFire Datasheet], [Intelligent Traffic Offload], [SD-WAN]

VM-Series firewall is the software firewall that would assist a prospect who is interested in securing extensive DevOps deployments. DevOps is a set of practices that combines software development and IT operations to deliver software products faster and more reliably. DevOps deployments require network security that can protect the traffic between different stages of the software development lifecycle, such as development, testing, staging, and production, as well as between different cloud or virtualization platforms, such as public clouds, private clouds, or on-premises data centers. VM-Series firewall is a virtualized version of the Palo Alto Networks next-generation firewall that can be deployed on various cloud or virtualization platforms. VM-Series firewall can assist a prospect who is interested in securing extensive DevOps deployments by providing comprehensive security and visibility across hybrid and multi-cloud environments, protecting applications and data from cyberattacks, and supporting automation and orchestration tools that simplify and accelerate the deployment and configuration of firewalls across different platforms. CN-Series, Ion-Series, and Cloud next-generation firewall are not software firewalls that would assist a prospect who is interested in securing extensive DevOps deployments, but they are related solutions that can be deployed on specific platforms or environments. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [VM-Series Datasheet], [VM-Series Deployment Guide], [What is DevOps?]

Access to the Cloud NGFW for AWS console must be enabled when using Terraform templates with a Cloud next-generation firewall (NGFW) for Amazon Web Services (AWS). Terraform is an open-source tool that allows users to define and provision infrastructure as code using declarative configuration files. Terraform templates are files that specify the resources and configuration for deploying and managing infrastructure components, such as firewalls, load balancers, networks, or servers. Cloud NGFW for AWS is a cloud-native solution that provides comprehensive security and visibility across AWS environments, including VPCs, regions, accounts, and workloads. Cloud NGFW for AWS is deployed and managed by Palo Alto Networks as a service, eliminating the need for customers to provision, configure, or maintain any infrastructure or software. Access to the Cloud NGFW for AWS console must be enabled when using Terraform templates with a Cloud NGFW for AWS, as the console is the web-based interface that allows customers to view and manage their Cloud NGFW for AWS instances, policies, logs, alerts, and reports. The console also provides the necessary information and credentials for integrating with Terraform, such as the API endpoint, access key ID, secret access key, and customer ID. AWS CloudWatch logging, access to the Palo Alto Networks Customer Support Portal, and AWS Firewall Manager console access do not need to be enabled when using Terraform templates with a Cloud NGFW for AWS, as those are not required or relevant components for Terraform integration. References: [Palo Alto Networks Certified Software Firewall Engineer (PCSFE)], [Terraform Overview], [Cloud Next-Generation Firewall Datasheet], [Cloud Next-Generation Firewall Deployment Guide], [Cloud Next-Generation Firewall Console Guide]

CN-Series devices obtain a VM-Series authorization key from Panorama. Panorama is a centralized management server that provides visibility and control over multiple Palo Alto Networks firewalls and devices. A VM-Series authorization key is a license key that activates the VM-Series firewall features and capacities. CN-Series devices obtain a VM-Series authorization key from Panorama by registering with Panorama using their CPU ID and requesting an authorization code from Panorama’s license pool. Panorama then generates an authorization key for the CN-Series device and sends it back to the device for activation. CN-Series devices do not obtain a VM-Series authorization key from local installation, GitHub, or Customer Support Portal, as those are not valid or relevant sources for license management. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Panorama Overview], [VM-Series Licensing Overview], [CN-Series Licensing]

A benefit of network runtime security is that it identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists. Network runtime security is a type of security that monitors and analyzes network traffic in real time to detect and prevent malicious activities or anomalous behaviors. Network runtime security can identify unknown vulnerabilities that cannot be identified by known CVE lists, such as zero-day exploits, advanced persistent threats, or custom malware. Network runtime security can also provide visibility and context into network activity, such as application dependencies, user identities, device types, or threat intelligence. Network runtime security does not more narrowly focus on one security area and requires careful customization, integration, and maintenance, remove vulnerabilities that have been baked into containers, or is siloed to enhance workload security, as those are not benefits or characteristics of network runtime security. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Network Runtime Security], [What is CVE?]

Palo Alto Networks Next-Generation Firewalls (NGFWs) are deployed within a Cisco ACI architecture using service graphs. Service graphs are logical representations of how traffic flows through different network services, such as firewalls, load balancers, or routers. By configuring service graphs, you can insert NGFWs into the traffic path and apply security policies to the traffic. References: [Palo Alto Networks NGFW Integration with Cisco ACI]

Kubernetes/Deployment Type/Environment is the structure of the YAML Ain’t Markup Language (YAML) file repository. YAML is a human-readable data serialization language that is commonly used for configuration files. YAML file repository is a collection of YAML files that specify the resources and configuration for deploying and managing infrastructure components, such as firewalls, load balancers, networks, or servers. Kubernetes/Deployment Type/Environment is the structure of the YAML file repository that organizes the YAML files based on the following criteria:

• Kubernetes: The platform that provides orchestration, automation, and management of containerized applications.
• Deployment Type: The method or model of deploying and managing infrastructure components, such as Terraform, Ansible, Helm, or Kubernetes manifests.
• Environment: The type or stage of the cloud or virtualization environment, such as development, testing, staging, or production. Deployment Type/Kubernetes/Environment, Kubernetes/Environment/Deployment Type, and Environment/Kubernetes/Deployment Type are not the structure of the YAML file repository, but they are related ways of organizing YAML files based on different criteria. References: [Palo Alto Networks Certified Software Firewall Engineer (PCSFE)], [What is YAML?], [YAML File Repository]

Secure Sockets Layer (SSL) Inbound Inspection is the offering that can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication. SSL Inbound Inspection is a feature that allows the firewall to decrypt and inspect inbound SSL/TLS traffic from external clients to internal servers. SSL Inbound Inspection can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication by applying threat prevention technologies, such as antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, data filtering, and WildFire analysis, to the decrypted traffic and blocking any malicious content or activity. OCSP, Advanced URL Filtering (AURLF), and WildFire are not offerings that can gain visibility and prevent an attack by a malicious actor attempting to exploit a known web server vulnerability using encrypted communication, but they are related solutions that can enhance security and visibility. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [SSL Inbound Inspection], [Threat Prevention Datasheet]

Using the management interface as the HA1 backup link helps avoid split brain in active-passive high availability (HA) pair deployment. High availability (HA) is a feature that provides redundancy and failover protection for firewalls in case of hardware or software failure. Active-passive HA is a mode of HA that consists of two firewalls in a pair, where one firewall is active and handles all traffic, while the other firewall is passive and acts as a backup. Split brain is a condition that occurs when both firewalls in an HA pair assume the active role and start processing traffic independently, resulting in traffic duplication, policy inconsistency, or session disruption. Split brain can be caused by network failures, device failures, or configuration errors that prevent the firewalls from communicating their HA status and synchronizing their configurations and sessions. Using the management interface as the HA1 backup link helps avoid split brain in active-passive HA pair deployment. The HA1 interface is used for exchanging HA state information and configuration synchronization between the firewalls. Using the management interface as the HA1 backup link provides redundancy and failover protection for the HA1 interface, ensuring that the firewalls can maintain their HA communication and avoid split brain. Using a standard traffic interface as the HA2 backup, enabling preemption on both firewalls in the HA pair, or using a standard traffic interface as the HA3 link do not help avoid split brain in active-passive HA pair deployment, but they are related features that can enhance performance and reliability. References: Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [High Availability Overview], [Configure HA Backup Links], [Configure Heartbeat Backup]