Accredited Configuration Engineer (ACE) Exam

I’ve passed Accredited Configuration Engineer (ACE) Exam – PAN-OS 6.0 Version; it was a nice learning curve to get it done. The test is not timed and you can use any resources you have available to pass exam. After second attempt i got it with passing score (80%). Very useful exercise and good foundation for future courses and exams. Strongly recommended for anyone working with PAN firewalls.

While working on a test, i come across few useful Internet resources, besides great PAN’s knowledgebase.
Here are links:
A bit older but still valued set of commands.    ||     PA Firewall Configuration Essentials
Familiarize with PAN cli    ||    PAN-OS Admin guide ver. 6.0
PAN-OS GlobalProtect Admin Guide ver. 6.0    ||    PAN-OS Panorama Guide ver 6.0
CNSE 5.1 Study Guide

How to get readable and searchable PA config output:

admin@PA-3020-01> set cli config-output-format set
admin@PA-3020-01> set cli pager off
admin@PA-3020-01)> configure
admin@PA-3020-01# show
… set deviceconfig system ip-address
How to generate and download tech support file:

From GUI:
Go to Device/Support
Click on Generate Tech Support File
Download the file and upload it to the PA via case management portal.

When setting up IPSec VPN tunnel between two devices, particularly between PAN and other vendors’ VPN device, important part is to remember to add Proxy IDs – this is network that has to go thru established tunnel. I spent some “quality” time figuring this out; the reason for quality time is glancing thru IPSec VPN document provided by PAN. Suggestion – read thru the whole document; you can spend quality time doing something else. So, below is snippet i missed. And here is URL to the document:
If the other side of the tunnel is a third party VPN device configured as a policy-based VPN, then enter the local proxy ID and remote proxy ID to match the other side. When configuring an IPSec Tunnel Proxy-ID configuration to identify local and remote IP networks for traffic that is NATed, the Proxy-ID configuration for the IPSec Tunnel must be configured with the Post-NAT IP network information since the Proxy-ID information defines the networks that will be allowed through the tunnel on both sides for the IPSec configuration.




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s