Firewall Configurations And Managing Firewall Interfaces

Configuration Management

The purpose of the running and candidate firewall configurations

Running Configuration
• Configuration settings currently active on the firewall (maintained in a file on the firewall named running config.xml)

Candidate Configuration
•Configuration changes in progress but not active on the firewall (all of in progress edits are made to the candidate configuration)

Candidate --> COMMIT --> running ..will overwrite current config this activates config changes. Previous are labelled and timestamped

Writes to the control and data plane memory.

Firewall Configuration Actions
Manage firewall configuration

Config management operations are global in scope. Revert, Save and Load work local to the firewall.

Export and Import are XML formatted files from host running the web interface. Panorama can be used to build and distribute config (a combination of export, copy, edit and import XML files in bulk). 

At boot the lastest config on disk is loaded to the candidate config in the control-plane memory.

Save current candidate configuration to an XML filename on disk by clicking Save named configuration snapshot

Full Commit

requires proper permissions

Per-Admin Commit

An admin only or select grp of other administrators.

Commit Changes Made By (admin or location)

Commit For Other Admins

by Superuser of and Admin role with these privileges

Commit Status Window

Two tabs are Commit and Rule Shadow 

Use Tasks reopen the commit status window for that commit operation.

Per-Administrator Save and Revert

Changes or the changes of a select group of other administrators to the default XML file. Each change is tagged with information about the administrator.

Preview and Validate Configuration Changes

Compare and and run config, Change summary, Validate commit (performs a syntactic and semantic validation of a firewall candidate configuration. Use to find and fix errors before commit.

Transaction Locks and Multiple Administrators

Other administrators cannot change the configuration or commit changes without removing the lock.

View firewall logs

View and filter firewall logs (with focus on System and Configuration logs because they are updated when managing firewall configurations)


Time stamped file that provides an audit trail for system events on the firewall or network traffic events that the firewall monitors., activities, or behaviours associated with the logged event, such as the application type or the IP address of an attack.

View and Filter a Log
Monitor > Logs > System

Filter a Log Using the Filter Builder
Monitor > Logs > Traffic



1. For guidance on continuing to deploy the security platform features to address your network security needs, review the PAN-OS Administrator's Guide section titled ______________________________________________.

Set Up a Basic Security Policy

Best Practices for Completing the Firewall Deployment

Register the Firewall

Best Practices for Securing Administrative Access

2. In the web interface, what is signified when a text box is highlighted in red?
The value in the text box is required

The value in the text box is controlled by Panorama

The value in the text box is optional

The value in the text box is an error

The  answer is: The value in the text box is required
3. True. By default, the firewall uses the management (MGT) interface to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus.

4. True. Service routes can be used to configure an in-band port to access external services.

5. The Gartner Magic Quadrant for Network Firewalls rates company's:
Regulatory Compliance / Intellectual Properties

Ability to Execute / Completeness of Vision

Growth Potential / Profitability

6. Which attribute is associated with the dedicated out-of-band network management port in Palo Alto Networks firewalls?
Cannot be configured as a standard traffic port

Supports only SSH connections

Supports DHCP only

Requires a static, non-DHCP network configuration

7. Which command will reset a next generation firewall to its factory default settings if you know the admin account password?
a. reset startup-config 

request system private-data-reset


reset system settings