Pass NGFW-Engineer Exam Guide

Palo Alto Networks Next-Generation Firewalls (NGFWs) use SSL/TLS profiles to secure connections for services such as GlobalProtect Gateways and GlobalProtect Portals. These profiles are used to manage the SSL/TLS encryption and decryption for secure communication between the firewall and clients (such as VPN clients for GlobalProtect). This helps ensure the confidentiality and integrity of the data during transmission.

In the Palo Alto Networks architecture, establishing a site-to-site VPN requires a clear understanding of how the Security Policy engine interacts with different traffic flows. According to technical documentation (Step 7 of the IPSec configuration guide), there are two distinct categories of traffic to consider: theControl Plane(negotiation) and theData Plane(transit).

First, the IKE negotiation (UDP 500/4500) and IPSec/ESP packets are directed at the firewall’s own external interface. Because the peer gateway is usually reachable through the same zone as that interface (e.g., 'Untrust'), the traffic is processed asintrazone. By default, PAN-OS includes anintrazone-defaultsecurity policy set to 'Allow'. Consequently, the tunnel can technically establish without an explicit rule, provided no manual 'Deny All' rule precedes it. This confirms that negotiation is allowed by default via the intrazone policy.

Second, regarding the data traffic entering or exiting the tunnel interface, the firewall applies standard zone-based inspection. While the firewall is stateful and policies are unidirectional, the documentation specifies that creating separate rules for each direction (one for inbound and one for outbound) isoptional. An administrator can choose to create two granular rules for tighter control or combine both directions into a single rule by adding both the internal and tunnel zones to the source and destination fields. This flexibility allows for a more streamlined rulebase while still meeting security requirements.

In the context of GlobalProtect with certificate-based authentication, certificate profiles are used to ensure proper validation of the certificates. They perform the following functions:

Define trust anchors, which are the root and intermediate Certificate Authorities (CAs) that the firewall trusts to authenticate certificates.

Specify revocation checks, such as CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol), to ensure that the certificates being used have not been revoked.

Map certificate attributes, such as the Common Name (CN), which helps in authenticating users and devices based on their certificates.