Accredited Configuration Engineer (ACE) Exam

I’ve passed the Accredited Configuration Engineer (ACE) Exam – PAN-OS 6.0 Version; it was a nice learning curve to get it done. The test is not timed and you can use any resources you have available to pass the exam. After the second attempt I got it with a passing score (80%). Very useful exercise and a good foundation for future courses and exams. Strongly recommended for anyone working with PAN firewalls.

While working on the test, I came across a few useful Internet resources, besides PAN’s great knowledge base.
Here are links:
A bit older but still valued set of commands.
PA Firewall Configuration Essentials
Familiarize with PAN cli
PAN-OS Admin guide ver. 6.0
PAN-OS GlobalProtect Admin Guide ver. 6.0
PAN-OS Panorama Guide ver 6.0
CNSE 5.1 Study Guide

===================================
How to get readable and searchable PA config output:

admin@PA-3020-01> set cli config-output-format set
admin@PA-3020-01> set cli pager off
admin@PA-3020-01> configure
admin@PA-3020-01# show
… set deviceconfig system ip-address 10.180.150.251
===================================
How to generate and download tech support file:

From GUI:
Go to Device/Support
Click on Generate Tech Support File
Download the file and upload it to the PA via the case management portal.
===================================

Proxy-IDs
When setting up an IPSec VPN tunnel between two devices, particularly between a PAN and another vendor’s VPN device, an important part is to remember to add Proxy IDs – these are the networks that have to go through the established tunnel. I spent some “quality” time figuring this out; the reason for the quality time was glancing through the IPSec VPN document provided by PAN. Suggestion – read through the whole document; you can spend quality time doing something else. So, below is the snippet I missed. And here is the URL to the document:
https://live.paloaltonetworks.com/docs/DOC-6791
If the other side of the tunnel is a third party VPN device configured as a policy-based VPN, then enter the local proxy ID and remote proxy ID to match the other side. When configuring an IPSec Tunnel Proxy-ID configuration to identify local and remote IP networks for traffic that is NATed, the Proxy-ID configuration for the IPSec Tunnel must be configured with the Post-NAT IP network information since the Proxy-ID information defines the networks that will be allowed through the tunnel on both sides for the IPSec configuration.
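
A way to check the Proxy-ID match offline, using the set-format output described earlier. This is an added example, not code from the original post or from PAN; the tunnel name, proxy-ID names, networks and the exact layout of the proxy-id set lines are assumptions, and the sample data is constructed.

```python
import ipaddress
import re

# Constructed sample of "set"-format output; the proxy-id line layout is an assumption.
# Local networks are the post-NAT ones, as the quoted PAN text requires.
PAN_CONFIG = """\
set deviceconfig system ip-address 10.180.150.251
set network tunnel ipsec vpn-to-peer auto-key proxy-id lan local 172.16.10.0/24
set network tunnel ipsec vpn-to-peer auto-key proxy-id lan remote 192.168.50.0/24
set network tunnel ipsec vpn-to-peer auto-key proxy-id dmz local 10.20.0.0/24
set network tunnel ipsec vpn-to-peer auto-key proxy-id dmz remote 192.168.50.0/24
"""
# Constructed: the peer's policy-based selectors as (peer_local, peer_remote).
PEER_SELECTORS = [("192.168.50.0/24", "172.16.10.0/24"),
                  ("192.168.50.0/24", "10.20.1.0/24")]

PROXY_RE = re.compile(
    r"^set network tunnel ipsec (\S+) auto-key proxy-id (\S+) (local|remote) (\S+)$")

def parse_proxy_ids(config, tunnel):
    """Return {proxy_id_name: {"local": net, "remote": net}} for one tunnel."""
    ids = {}
    for line in config.splitlines():
        m = PROXY_RE.match(line.strip())
        if m and m.group(1) == tunnel:
            ids.setdefault(m.group(2), {})[m.group(3)] = ipaddress.ip_network(m.group(4))
    return ids

def check_against_peer(proxy_ids, peer_selectors):
    """List mismatches; the peer's local is our remote and vice versa."""
    expected = {(ipaddress.ip_network(r), ipaddress.ip_network(l))
                for l, r in peer_selectors}
    problems = []
    for name, ends in sorted(proxy_ids.items()):
        if set(ends) != {"local", "remote"}:
            problems.append(f"{name}: local or remote network missing")
        elif (ends["local"], ends["remote"]) in expected:
            expected.discard((ends["local"], ends["remote"]))
        else:
            problems.append(f"{name}: local {ends['local']} remote {ends['remote']} "
                            "has no mirrored selector on the peer")
    for local, remote in sorted(expected, key=str):
        problems.append(f"peer expects proxy ID local {local} remote {remote}")
    return problems

if __name__ == "__main__":
    for p in check_against_peer(parse_proxy_ids(PAN_CONFIG, "vpn-to-peer"), PEER_SELECTORS):
        print(p)
```

In the constructed data the "dmz" entry is off by one subnet, so the check reports both the unmatched Proxy ID and the peer selector that nothing on the PAN side covers.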

===================================

 

 
