Mastering Palo Alto Networks: Deploy and manage industry-leading PAN-OS 10.x solutions to secure your users and infrastructure

By Tom Piens Aka 'Reaper'

Chapter 1: Understanding the Core Technologies

In this chapter, we're going to examine the core technologies that make up the Palo Alto Networks firewall.

We are going to take a closer look at how security zones control how security, Network Address Translation (NAT), and routing verdicts are made. We will review the mechanics behind App-ID and Content-ID so you get a deeper understanding of how packets are processed and security decisions are made by the firewall, and we will review how User-ID contributes to a more robust security stance by applying group-based or user-based access control.

This chapter will cover the following topics:

  • Understanding the zone-based firewall
  • Understanding App-ID and Content-ID
  • The management and data plane
  • Authenticating users with User-ID

Technical requirements

For this chapter, no physical installation is required; the technology is only explained. It is helpful if you've already worked with Palo Alto Networks firewalls, but it is not required. Some experience with firewalls or web proxies in general is recommended, as this will make the subject matter more tangible.

Understanding the zone-based firewall

Traditionally, when considering the firewall as an element of your network, most likely you will imagine a network design like the one in the following image, with two to four areas surrounding a box. Most of the time, whatever is placed in the north is considered dangerous, east and west are somewhat grey areas, and the south is the happy place where users do their daily tasks. The box in the middle is the firewall.

Figure 1.1 – Basic network topology

In reality, a network design may look a lot more complex due to network segregation, segmentation, remote offices being connected to the headquarters via all sorts of different technologies, and the adoption of cloud vendors.

In a route-based firewall, zones are simply an architectural or topological concept that helps identify which areas comprise the global network that is used by the company and are usually represented by tags that can be attached to a subnet object. They hold no bearing in any of the security decisions made by the system when processing security policies.

The zone-based firewall, on the other hand, will use zones as a means to internally classify the source and destination in its state table. When a packet is first received, a source zone lookup is performed. If the source zone has a protection profile associated with it, the packet is evaluated against the profile configuration. If the first packet is a TCP packet, it will also be evaluated against TCP state where the first packet needs to be a SYN packet, and a SYN-cookie is triggered if the protection profile threshold is reached. Then, a destination zone is determined by checking the Policy-Based Forwarding (PBF) rules and if no results are found, the routing table is consulted. Lastly, the NAT policy is evaluated as the destination IP may be changed by a NAT rule action, thereby changing the destination interface and zone in the routing table. This would require a secondary forwarding lookup to determine the post-NAT egress interface and zone:

Figure 1.2 – Phases of packet processing

After these zone lookups have been performed, the firewall will continue to the security policy evaluation.

The policy evaluation then uses the 'six tuple' (6-Tuple) to match establishing sessions to security rules:

  1. Source IP
  2. Source Port
  3. Destination IP
  4. Destination Port
  5. Source Zone
  6. Protocol

Zones are attached to a physical, virtual, or sub interface. Each interface can only be part of one single zone. Zones can be created to suit any naming convention and can be very descriptive in their purpose (untrust, dmz, lan, and so on), which ensures that from an administrative standpoint, each area is easily identifiable.

It is best practice to use zones in all security rules, and leveraging a clear naming convention prevents misconfiguration and makes security rules very readable. Networks that are physically separated for whatever reason but are supposed to be connected topologically (for example, users spread over two buildings that come into the firewall on two separate interfaces) can be combined into the same zone, which simplifies policies.

It is important to note that there are implied rules that influence intra- or interzone sessions. These rules can be found at the bottom of the security policy:

  • Default intrazone connections: Packets flowing from and to the same zone will be implicitly allowed.
  • Default interzone connections: Packets flowing from one zone to a different zone are implicitly blocked.

Security rules can also be set to only accept traffic within the same zone, between different zones only, or both. This way, an administrator could set a specific rule for the intrazone setting and allow all applications without inadvertently allowing this full access to be open to a different network. Adding a second zone to that same rule would allow the same access inside the new zone, but there would not be any access granted between the zones; that would require a new interzone or universal rule:

Figure 1.3 – Different security rule types and default rules
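The effect of the rule type on zone matching, together with the two implied default rules, can be modelled in a few lines. This is an added example, not code from the book or from PAN-OS: the rule dictionaries and the rule names `allow-inside-zones` and `allow-lan-dmz-universal` are constructed for illustration, and only zones are matched (real rules also match addresses, users, applications, and services).

```python
ANY = None  # constructed marker meaning "any zone"

# The two implied rules at the bottom of the security policy.
DEFAULT_RULES = [
    {"name": "intrazone-default", "type": "intrazone",
     "from": ANY, "to": ANY, "action": "allow"},
    {"name": "interzone-default", "type": "interzone",
     "from": ANY, "to": ANY, "action": "deny"},
]

# Constructed rulebase 1: one intrazone rule listing two zones.
INTRAZONE_ONLY = [
    {"name": "allow-inside-zones", "type": "intrazone",
     "from": {"lan", "dmz"}, "to": ANY, "action": "allow"},
]

# Constructed rulebase 2: the same zones, but as a universal rule.
UNIVERSAL = [
    {"name": "allow-lan-dmz-universal", "type": "universal",
     "from": {"lan", "dmz"}, "to": {"lan", "dmz"}, "action": "allow"},
]


def zone_match(rule, src_zone, dst_zone):
    """Return True if the rule's zone criteria cover this zone pair."""
    src_ok = rule["from"] is ANY or src_zone in rule["from"]
    if rule["type"] == "intrazone":
        # Covers only traffic that stays inside one of the listed zones.
        return src_ok and src_zone == dst_zone
    dst_ok = rule["to"] is ANY or dst_zone in rule["to"]
    if rule["type"] == "interzone":
        # Covers only traffic that crosses from one zone to another.
        return src_ok and dst_ok and src_zone != dst_zone
    # universal: both intrazone and interzone traffic
    return src_ok and dst_ok


def evaluate(rulebase, src_zone, dst_zone):
    """Top-down, first match wins; the implied rules are evaluated last."""
    for rule in list(rulebase) + DEFAULT_RULES:
        if zone_match(rule, src_zone, dst_zone):
            return rule["name"], rule["action"]
    return "no-match", "deny"


def access_matrix(rulebase, zones):
    """Map every (source zone, destination zone) pair to the verdict."""
    return {(s, d): evaluate(rulebase, s, d) for s in zones for d in zones}


if __name__ == "__main__":
    for label, rb in (("intrazone rule", INTRAZONE_ONLY),
                      ("universal rule", UNIVERSAL)):
        print(label)
        for pair, verdict in access_matrix(rb, ["lan", "dmz", "external"]).items():
            print("  %-22s -> %s" % (pair, verdict))
```

With the intrazone rule, lan-to-dmz traffic falls through to the interzone default and is blocked; changing the same rule to universal opens that path.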

Let's now look at the expected behavior when determining zones.

Expected behavior when determining zones

When a packet arrives on an interface, the PBF policy or routing table will be consulted to determine the destination zone based on the original IP address in the packet header.

Let's consider the following routing table:

> show routing route 
flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, 
       Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2, E:ecmp, M:multicast
VIRTUAL ROUTER: default (id 1)
  ==========
destination       nexthop       metric flags  interface    
0.0.0.0/0         198.51.100.1  10     A S    ethernet1/1                  
198.51.100.0/24   198.51.100.2  0      A C    ethernet1/1
198.51.100.2/32   0.0.0.0       0      A H                                      
192.168.0.0/24    192.168.0.1   0      A C    ethernet1/2                  
192.168.0.1/32    0.0.0.0       0      A H         
172.16.0.0/24     172.16.0.1    0      A C    ethernet1/3                  
172.16.0.1/32     0.0.0.0       0      A H                                                                     
total routes shown: 7

Let's assume ethernet1/1 is the external interface with IP address 198.51.100.2 set to zone external, ethernet1/2 is the DMZ interface with IP address 192.168.0.1 set to zone dmz, and ethernet1/3 is the LAN interface with IP 172.16.0.1 and set to zone lan. The default route is going out of interface ethernet1/1 to 198.51.100.1 as next-hop. There are a few scenarios that will influence how the zone is determined:

  • Scenario 1: A packet is received from client PC 172.16.0.5 with destination IP 1.1.1.1.

    The firewall quickly determines the source zone is lan and a route lookup determines the destination IP is not a connected network, so the default route needs to be followed to the internet. The destination zone must be external because the egress interface is ethernet1/1.

  • Scenario 2: A packet is received from client PC 172.16.0.5 with destination IP 1.1.1.1 but a PBF rule exists that forces all traffic for 1.1.1.1 to the next-hop IP 192.168.0.25. As PBF overrides the routing table, the destination zone will become dmz as the egress interface is now ethernet1/2.
  • Scenario 3: A packet is received from internet IP 203.0.113.1 with destination IP 198.51.100.2. This is a typical example of what NAT looks like to the firewall: It receives a packet with its external IP address as the destination. From the perspective of the NAT policy, the source zone will be external as the IP is not from a connected network and no static route exists, and the destination zone will also be external as the IP is connected to that interface. From a security aspect, however, once NAT is applied, the destination zone will change to whatever NAT action is applied.

    Important note

    Remember that NAT policy evaluation happens after the initial zones have been determined, but before the security policy is evaluated.
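The three scenarios can be traced with a small model of the lookup order (PBF first, then the routing table, then NAT followed by a second forwarding lookup). This is an added example, not code from the book or from PAN-OS. The routes and zone assignments come from the text above; the translated address 192.168.0.10 in the NAT rule is a constructed value, since the chapter does not name one, and the source zone is taken from the ingress interface.

```python
import ipaddress

# Interface-to-zone assignment taken from the chapter's assumptions.
ZONES = {"ethernet1/1": "external", "ethernet1/2": "dmz", "ethernet1/3": "lan"}

# Routes with an egress interface, from the routing table shown above.
# The /32 host routes are left out because they list no interface.
ROUTES = [
    ("0.0.0.0/0", "ethernet1/1"),
    ("198.51.100.0/24", "ethernet1/1"),
    ("192.168.0.0/24", "ethernet1/2"),
    ("172.16.0.0/24", "ethernet1/3"),
]

# Scenario 2: PBF rule forcing traffic for 1.1.1.1 to next hop 192.168.0.25.
PBF_RULE = {"destination": "1.1.1.1/32", "next_hop": "192.168.0.25",
            "egress_interface": "ethernet1/2"}

# Scenario 3: destination NAT rule. The translated address is constructed.
NAT_RULE = {"from": "external", "to": "external",
            "destination": "198.51.100.2",
            "translated_destination": "192.168.0.10"}


def route_lookup(dst_ip):
    """Return the egress interface of the longest matching prefix."""
    addr = ipaddress.ip_address(dst_ip)
    candidates = [
        (ipaddress.ip_network(prefix), interface)
        for prefix, interface in ROUTES
        if addr in ipaddress.ip_network(prefix)
    ]
    return max(candidates, key=lambda c: c[0].prefixlen)[1]


def forwarding_lookup(dst_ip, pbf_rules):
    """PBF rules are checked first; the routing table is the fallback."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in pbf_rules:
        if addr in ipaddress.ip_network(rule["destination"]):
            return rule["egress_interface"]
    return route_lookup(dst_ip)


def determine_zones(ingress_interface, dst_ip, pbf_rules=(), nat_rules=()):
    """Return the zones seen by the NAT policy and by the security policy."""
    src_zone = ZONES[ingress_interface]
    # First lookup uses the original destination IP from the packet header.
    pre_nat_zone = ZONES[forwarding_lookup(dst_ip, pbf_rules)]
    final_ip, post_nat_zone = dst_ip, pre_nat_zone
    for rule in nat_rules:
        if (rule["from"], rule["to"], rule["destination"]) == (
                src_zone, pre_nat_zone, dst_ip):
            # NAT changed the destination: a second lookup finds the
            # post-NAT egress interface and zone (simplified: same lookup).
            final_ip = rule["translated_destination"]
            post_nat_zone = ZONES[forwarding_lookup(final_ip, pbf_rules)]
            break
    return {
        "source_zone": src_zone,
        "nat_policy_destination_zone": pre_nat_zone,
        "security_policy_destination_zone": post_nat_zone,
        "forwarded_to": final_ip,
    }


def scenarios():
    """Run the chapter's three scenarios through the model."""
    return {
        1: determine_zones("ethernet1/3", "1.1.1.1"),
        2: determine_zones("ethernet1/3", "1.1.1.1", pbf_rules=[PBF_RULE]),
        3: determine_zones("ethernet1/1", "198.51.100.2", nat_rules=[NAT_RULE]),
    }


if __name__ == "__main__":
    for number, result in scenarios().items():
        print("Scenario", number, result)
```

In scenario 3 the NAT rule must be written with both zones set to external, while the security rule that permits the session must use the post-NAT destination zone.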

Understanding App-ID and Content-ID

App-ID and Content-ID are two technologies that go hand in hand and make up the core inspection mechanism. They ensure applications are identified and act as expected, threats are intercepted and action is applied based on a configurable policy, and data exfiltration is prevented.

How App-ID gives more control

Determining which application is contained within a specific data flow is the cornerstone of any next-generation firewall. It can no longer be assumed that any sessions using TCP port 80 and 443 are simply plaintext or encrypted web browsing, as today's applications predominantly use these ports as their base transport and many malware developers have leveraged this convergence to well-known ports in an attempt to masquerade their malware as legitimate web traffic while exfiltrating sensitive information or downloading more malicious payloads into an infected host:

Figure 1.4 – How App-ID classifies applications

When a packet is received, App-ID will go through several stages to identify just what something is. First, the 6-Tuple is checked against the security policy to verify whether a certain source, destination, protocol, and port combination is allowed or not. This will take care of low-hanging fruit if all the unnecessary ports have been closed off and unusual destination ports can already be rejected. Next, the packets will be checked against known application signatures and the app cache to see if the session can be rapidly identified, followed by a second security policy check against the application, now adding App-ID to the required set of identifiers for the security policy to allow the session through.

If at this time or in future policy checks, it is determined that the application is SSH, TLS, or SSL, a secondary policy check is performed to verify whether decryption needs to be applied. If a decryption policy exists, the session will go through decryption and will then be checked again for a known application signature, as the session encapsulated inside TLS or SSH may be something entirely different.

If in this step, the application has not been identified (a maximum of 4 packets after the handshake, or 2,000 bytes), App-ID will use the base protocol to determine which decoder to use to analyze the packets more deeply. If the protocol is known, the decoder will go ahead and decode the protocol, then run the payload against the known application signatures again. The outcome could either be a known application, or an unknown generic application, like unknown-tcp. The session is then again re-matched against the security policy to determine whether it is allowed to pass or needs to be rejected or dropped.

If the protocol is unknown, App-ID will apply heuristics to try and determine which protocol is used in the session. Once it is determined which protocol is used, another security policy check is performed. Once the application has been identified or all options have been exhausted, App-ID will stop processing the packets for identification.

Throughout the life of a session, the identified application may change several times as more information is learned from the session through inspecting packet after packet. A TCP session may be identified as SSL, which is the HTTPS application as the firewall detects an SSL handshake. The decryption engine and protocol decoders will then be initiated to decrypt the session and identify what is contained inside the encrypted session. Next, it may detect application web-browsing as the decoder identifies typical browsing behavior such as an HTTP GET. App-ID can then apply known application signatures to identify flickr. Each time the application context changes, the firewall will quickly check whether this particular application is allowed in its security rule base.

If at this point flickr is allowed, the same session may later switch contexts again as the user tries to upload a photo, which will trigger another security policy check. The session that was previously allowed may now get blocked by the firewall as the sub-application flickr-uploading may not be allowed.

Once the App-ID process has settled on an application, the application decoder will continuously scan the session for expected and deviant behavior, in case the application changes to a sub-application or a malicious actor is trying to tunnel a different application or protocol over the existing session.

How Content-ID makes things safe

Meanwhile, if the appropriate security profiles have been enabled in the security rules, the Content-ID engine will apply the URL filtering policy and will continuously, and in parallel, scan the session for threats like vulnerability exploits, virus or worm infections, suspicious DNS queries, command and control (C&C or C2) signatures, DoS attacks, port scans, malformed protocols, or data patterns matching sensitive data exfiltration. TCP reassembly and IP defragmentation are performed to prevent packet-level evasion techniques:

Figure 1.5 – How Content-ID scans packets

All of this happens in parallel because the hardware and software were designed so that each packet is simultaneously processed by an App-ID decoder and a Content-ID stream-based engine, each in a dedicated chip on the chassis or through a dedicated process in a Virtual Machine (VM). This design reduces latency versus serial processing, which means that enabling more security profiles does not come at an exponential cost to performance as is the case with other firewall and IPS solutions.

Hardware and VM design is centered on enabling the best performance for parallel processing while still performing tasks that cost processing power that could impede the speed at which flows are able to pass through the system. For this reason, each platform is split up into so-called planes, which we'll learn about in the next section.

The management and data plane

There are two main planes that make up a firewall, the data plane and the management plane, which are physical or logical boards that perform specific functions. All platforms have a management plane. Larger platforms like the PA-5200 come with 2 to 3 data planes and the largest platforms have replaceable hardware blades (line cards) that have up to 3 data plane equivalents per line card and can hold up to 10 line cards. The smaller platforms like the PA-220 only have the one hardware board that virtually splits up responsibilities among its CPU cores.

The management plane is where all administrative tasks happen. It serves the web interfaces used by the system to allow configuration, provide URL filtering block pages, and serve the client VPN portal. It performs cloud lookups for URL filtering and DNS security, and downloads and installs content updates onto the data plane. It also performs the logic part of routing and communicates with dynamic routing peers and neighbors. It also handles authentication, User-ID, logging, and many other supporting functions that are not directly related to processing packets.

The data plane is responsible for processing flows and performs all the security features associated with the next-generation firewall. It scans sessions for patterns and heuristics. It maintains IPSec VPN connections and has hardware offloading to provide wire-speed throughputs. Due to its architecture and the use of interconnected specialty chips, all types of scanning can happen in parallel as each chip processes packets simultaneously and reports its findings.

A switch fabric enables communication between planes so the data plane can send lookup requests to the management plane, and the management plane can send configuration updates and content updates.

Another important feature is the ability to identify users and apply different security policies based on identity or group membership.

Authenticating users with User-ID

Frequently neglected but very powerful when set up properly is a standard feature called User-ID. Through several mechanisms, the firewall can learn who is initiating which sessions, regardless of their device, operating system, or source IP. Additionally, security policies can be set so users are granted access or restricted in their capabilities based on their individual ID or group membership.

User-ID expands functionality with granular control of who is accessing certain resources and provides customizable reporting capabilities for forensic or managerial reporting.

Users can be identified through several different methods:

  • Server monitoring:
      - Microsoft Active Directory security log reading for log-on events
      - Microsoft Exchange Server log-on events
      - Novell eDirectory log-on events
  • The interception of X-Forwarded-For (XFF) headers, forwarded by a downstream proxy server
  • Client probing using NetBIOS and WMI probes
  • Direct user authentication:
      - The Captive Portal to intercept web requests and serve a user authentication form or transparently authenticate using Kerberos
      - GlobalProtect VPN client integration
  • Port mapping on a multiuser platform such as Citrix or Microsoft Terminal Server where multiple users will originate from the same source IP
  • The XML API
  • A syslog listener to receive forwarded logs from external authentication systems

Summary

You should now understand which basic technologies make up the security ecosystem on the Palo Alto Networks firewall. It's okay if this seems a bit vague as we will see more practical applications, and implications, in the next two chapters. We will be taking a closer look at how security and NAT rules behave once you start playing with zones, and how to anticipate expected behavior by simply glancing at the rules.


Key benefits

  • Understand how to optimally use PAN-OS features
  • Build firewall solutions to safeguard local, cloud, and mobile networks
  • Protect your infrastructure and users by implementing robust threat prevention solutions

Description

To safeguard against security threats, it is crucial to ensure that your organization is effectively secured across networks, mobile devices, and the cloud. Palo Alto Networks’ integrated platform makes it easy to manage network and cloud security along with endpoint protection and a wide range of security services. With this book, you'll understand Palo Alto Networks and learn how to implement essential techniques, right from deploying firewalls through to advanced troubleshooting. The book starts by showing you how to set up and configure the Palo Alto Networks firewall, helping you to understand the technology and appreciate the simple, yet powerful, PAN-OS platform. Once you've explored the web interface and command-line structure, you'll be able to predict expected behavior and troubleshoot anomalies with confidence. You'll learn why and how to create strong security policies and discover how the firewall protects against encrypted threats. In addition to this, you'll get to grips with identifying users and controlling access to your network with user IDs and even prioritize traffic using quality of service (QoS). The book will show you how to enable special modes on the firewall for shared environments and extend security capabilities to smaller locations. By the end of this network security book, you'll be well-versed with advanced troubleshooting techniques and best practices recommended by an experienced security engineer and Palo Alto Networks expert.

Who is this book for?

This book is for network engineers, network security analysts, and security professionals who want to understand and deploy Palo Alto Networks in their infrastructure. Anyone looking for in-depth knowledge of Palo Alto Network technologies, including those who currently use Palo Alto Network products, will find this book useful. Intermediate-level network administration knowledge is necessary to get started with this cybersecurity book.

What you will learn

  • Perform administrative tasks using the web interface and command-line interface (CLI)
  • Explore the core technologies that will help you boost your network security
  • Discover best practices and considerations for configuring security policies
  • Run and interpret troubleshooting and debugging commands
  • Manage firewalls through Panorama to reduce administrative workloads
  • Protect your network from malicious traffic via threat prevention

Product Details

Publication date: Sep 07, 2020
Length: 514 pages
Edition: 1st
Language: English
ISBN-13: 9781789950564


Table of Contents

17 Chapters
Section 1: First Steps and Basic Configuration
Chapter 1: Understanding the Core Technologies
Chapter 2: Setting Up a New Device
Section 2: Advanced Configuration and Putting the Features to Work
Chapter 3: Building Strong Policies
Chapter 4: Taking Control of Sessions
Chapter 5: Services and Operational Modes
Chapter 6: Identifying Users and Controlling Access
Chapter 7: Managing Firewalls through Panorama
Section 3: Maintenance and Troubleshooting
Chapter 8: Upgrading Firewalls and Panorama
Chapter 9: Logging and Reporting
Chapter 10: VPN and Advanced Protection
Chapter 11: Troubleshooting Common Session Issues
Chapter 12: A Deep Dive into Troubleshooting
Chapter 13: Supporting Tools
Other Books You May Enjoy

Customer reviews

Rating distribution: 4.5 (19 Ratings)
5 star 84.2%
4 star 0%
3 star 0%
2 star 15.8%
1 star 0%

Nicholas S. Sep 08, 2020
5 stars

# Mastering Palo Alto Networks - PAN-OS 10.x Edition (2020)

## Synopsis

Mastering Palo Alto Networks is geared towards Network Security Engineers with some experience with Palo Alto firewalls (or "Strata") seeking to improve their skillset within Palo Alto's Strata subset (Next-Generation Firewalls).

## The Field

Palo Alto Networks is the industry leader for perimeter firewalling (NGFW) as of this publication and has fought hard to achieve this title. Over the last 5 or so years, Palo Alto has accelerated the rate of development with its core product line to maintain this lead, making it difficult for new users to navigate through the dizzying array of new features (1-2 major releases *per year*). The author of this book has a proven reputation when it comes to making these capabilities clear when they are otherwise buried by the product developer.

This book bridges the gap between vendor documentation and actionable practice, covering visually and comprehensively every capability in PAN-OS. This is important, especially with features that are platform unique (like NAT) where the quirks are consistent, but not well understood. Many of these features are rapidly developing, and Packt worked well with the author to ensure that all examples within the text are up-to-date. Please note that at the time of this publishing, PAN-OS 10.0 was released *two months ago*, so this took considerable effort.

## The Book

Overall, the book is organized in a way I would consider to be in-line with what I'd expect a burgeoning Network Security Engineer should learn. I have trained quite a few people on this platform and the layout of this book generally follows the path I would consider to be "from most important, to most useful." When I say that, I mean that the fundamentals are of the utmost importance when you begin to learn because it makes more advanced topics easier to achieve mastery on. There are some side-hikes along the way. This book must be comprehensive, however, and this is unavoidable without compromising at least one of those objectives.

That being said, this is a powerful utility, but should not be regarded as a standalone work. I would strongly encourage whoever has the ability to get access to a lab or test unit to try out the concepts covered in this book to truly achieve mastery. If a reader has no prior experience with the platform/subject matter, some of the concepts covered in this book (it covers EVERYTHING) may seem foreign and will be difficult to retain.

My recommendation to a reader would be to take this chapter-by-chapter for best information retention. The author does an excellent job of keeping each section self-contained, so there is no harm in stopping at the end of the chapter. Focus on absorbing the knowledge fully, then move on to the next section from there. To use an old science fiction neologism, `grok it completely`.

Tom Piens has provided something fundamentally important here. I'm not exactly the target audience (PCNSE 7-10) but I have struggled to provide training and resources like this to on-board new Network Security Engineers. This will be a valuable tool in my team training arsenal from here on out!

## Fit and Finish

Overall, this is a good first edition. It is worth mentioning that the majority of this book has been written in informal language, and will have some awkward 1st Edition-isms. This is common with other technical texts, as people in our field tend to try to get the facts down first and work on cleanup later. Given that this is effectively going to become a continual publication as time evolves, I wouldn't decry this book for that - it's going to improve over time.

Amazon Verified review
Christopher Hagberg Sep 14, 2020
5 stars

I have worked with Palo Alto Firewalls for nearly 2 years and I wish I had this book when I started out. It covers everything you need to know to properly manage Palo Alto firewalls in an efficient way. The book contains information for people on every skill level and is great at explaining how the firewall works.

Amazon Verified review
Liam Wesley Nov 12, 2020
5 stars

This is an excellent resource for PanOS 10. Anyone in cybersecurity who deals with Palo Alto firewalls (which would be most of us) will find great benefit in this book.

Amazon Verified review
Pablo Xavier LĂłpez Sosegar Apr 03, 2022
Full star icon Full star icon Full star icon Full star icon Full star icon 5
The writer is amazing, period. The information is laid out as so FEW in the industry do, as if he was you sitting in front of your first Palo Alto and then, having a Panoramic experience. I'll use this book in my daily work as I deal with Palo Alto firewalls 220 - 5000 series with Panorama. It's so damn well written! I used this book in concert with Exam Topics and was able to zoom through the exam AND...I very well know the material. I can actually use the machines and understand what they are doing. Excellent work. PLEASE have something written for CCNP! PLEASE! Amazing shortage of excellent writers for Cisco and it's killing us.
Amazon Verified review
Leo Macron Dec 27, 2020
Rating: 5 stars
Great book for beginners and people with some background knowledge in Palo Alto. Concepts are well explained.
Amazon Verified review

FAQs

How do I buy and download an eBook?

Where there is an eBook version of a title available, you can buy it from the book details for that title. Add either the standalone eBook or the eBook and print book bundle to your shopping cart. Your eBook will show in your cart as a product on its own. After completing checkout and payment in the normal way, you will receive your receipt on the screen containing a link to a personalised PDF download file. This link will remain active for 30 days. You can download backup copies of the file by logging in to your account at any time.

If you already have Adobe Reader installed, then clicking on the link will download and open the PDF file directly. If you don't, then save the PDF file on your machine and download the Reader to view it.

Please Note: Packt eBooks are non-returnable and non-refundable.

Packt eBook and Licensing

When you buy an eBook from Packt Publishing, completing your purchase means you accept the terms of our licence agreement. Please read the full text of the agreement. In it we have tried to balance the need for the eBook to be usable for you the reader with our needs to protect the rights of us as Publishers and of our authors. In summary, the agreement says:

  • You may make copies of your eBook for your own use onto any machine
  • You may not pass copies of the eBook on to anyone else

How can I make a purchase on your website?

If you want to purchase a video course, eBook or Bundle (Print+eBook), please follow the steps below:

  1. Register on our website using your email address and a password.
  2. Search for the title by name or ISBN using the search option.
  3. Select the title you want to purchase.
  4. Choose the format you wish to purchase the title in; if you order the Print Book, you get a free eBook copy of the same title.
  5. Proceed with the checkout process (payment to be made using Credit Card, Debit Card, or PayPal).

Where can I access support around an eBook?

  • If you experience a problem with using or installing Adobe Reader, then contact Adobe directly.
  • To view the errata for the book, see www.packtpub.com/support and view the pages for the title you have.
  • To view your account details or to download a new copy of the book go to www.packtpub.com/account
  • To contact us directly if a problem is not resolved, use www.packtpub.com/contact-us

What eBook formats do Packt support?

Our eBooks are currently available in a variety of formats such as PDF and ePub. In the future, this may well change with trends and development in technology, but please note that our PDFs are not Adobe eBook Reader format, which has greater restrictions on security.

You will need to use Adobe Reader v9 or later in order to read Packt's PDF eBooks.

What are the benefits of eBooks?

  • You can get the information you need immediately
  • You can easily take them with you on a laptop
  • You can download them an unlimited number of times
  • You can print them out
  • They are copy-paste enabled
  • They are searchable
  • There is no password protection
  • They are lower priced than print
  • They save resources and space

What is an eBook?

Packt eBooks are a complete electronic version of the print edition, available in PDF and ePub formats. Every piece of content down to the page numbering is the same. Because we save the costs of printing and shipping the book to you, we are able to offer eBooks at a lower cost than print editions.

When you have purchased an eBook, simply log in to your account and click on the link in Your Download Area. We recommend saving the file to your hard drive before opening it.

For optimal viewing of our eBooks, we recommend you download and install the free Adobe Reader version 9.