Online PCNSE Questions Video

The Exceptions settings allows you to change the response to a specific signature. For example, you can block all packets that match a signature, except for the selected one, which generates an alert. The Exception tab supports filtering functions.

If you not believed, then login the firewall go to Vulnerability > Exceptions and select "Show all signatures". From there you will see all threat information including specific actions.

More detail:

For virtual systems (vSys) on a Palo Alto Networks firewall to communicate with each other, especially when separate virtual routers (VRs) are used for each vSys, the configuration must facilitate proper routing and security policy enforcement. The key aspects to focus on include:

A. External zones with the virtual systems added:

External zones are special types of zones that are used to facilitate traffic flow between virtual systems within the same physical firewall. By adding virtual systems to an external zone, you enable them to communicate with each other, effectively bypassing the need for traffic to exit and re-enter the firewall.

D. Add a route with next hop next-vr by using the VR configured in the virtual system:

When using separate VRs for each vSys, it's essential to configure inter-VR routing. This is done by adding routes in each VR with the next hop set to 'next-vr', specifying the VR of the destination vSys. This setup enables traffic to be routed from one virtual system's VR to another, facilitating communication between them.

E. Ensure the virtual systems are visible to one another:

Visibility between virtual systems is a prerequisite for inter-vSys communication. This involves configuring the virtual systems in a way that they are aware of each other's existence. This is typically managed in the vSys settings, where you can specify which virtual systems can communicate with each other.

By focusing on these configuration details, the network security engineer can ensure that the virtual systems can communicate effectively, maintaining the necessary isolation while allowing the required traffic flow.

When building Security rules in a Device Group that need to allow traffic to specific users and groups defined in Active Directory, it's essential to have user and group information available in Panorama to select these entities for the rules.

D. A master device with Group Mapping configured must be set in the device group where the Security rules are configured:

The concept of a "master device" in Panorama refers to a specific firewall that is designated to provide certain settings or information, such as user and group mappings from Active Directory, to Panorama. This information can then be used across other firewalls within the same device group.

By configuring Group Mapping on a master device, Panorama can leverage this information to populate user and group objects. These objects can then be used in Security rules within the device group, allowing for the creation of policies that are based on user identity and group membership, as defined in Active Directory.

This setup ensures that Panorama has the necessary context to apply user- and group-based policies accurately across the managed firewalls, facilitating centralized management and consistency in policy enforcement.