Firewall: Troubleshooting (EDU-330)


  • Select Time Zone
    Americas Date and Time
    Asia Date and Time
    Europe Date and Time

Share this on:



Firewall: Troubleshooting (EDU-330)

Successful completion of this three-day, instructor-led course will enhance the participant’s understanding of how to troubleshoot the full line of Palo Alto Networks next-generation firewalls…
Firewall: Troubleshooting (EDU-330)



The Palo Alto Networks Firewall 10.2:
Troubleshooting course is three days of instructor-led training that will help you: 1. Use firewall tools, including the CLI, to investigate networking issues 2. Follow proven troubleshooting methodologies that are specific to individual features 3. Analyze advanced logs to resolve various real-life scenarios 4. Solve advanced, scenario-based challenges.

Successful completion of this three-day, instructor-led course will enhance the participant’s understanding of how to troubleshoot the full line of Palo Alto Networks next-generation firewalls. Participants will perform hands-on troubleshooting related to the configuration and operation of the Palo Alto Networks firewall. Completion of this class will help participants develop an in-depth knowledge of how to troubleshoot visibility and control over applications, users, and content.

The technical curriculum, developed and authorized by Palo Alto Networks and delivered by Palo Alto Networks Authorized Training Partners, helps provide the knowledge and expertise that prepare you to protect our digital way of life. Our trusted certifications validate your knowledge of the Palo Alto Networks product portfolio and your ability to help prevent successful cyberattacks and safely enable applications.


Participants must complete the Firewall 10.2 Essentials: Configuration and Management (EDU-210) course. Participants must have strong practical knowledge of routing and switching, IP addressing, and network security concepts, and at least six months of on-the-job experience with Palo Alto Networks firewalls.

Content will be here…
Target Audience

Participants must complete the Firewall 10.2 Essentials: Configuration and Management (EDU-210) course. Participants must have strong practical knowledge of routing and switching, IP addressing, and network security concepts, and at least six months of on-the-job experience with Palo Alto Networks firewalls.

Best Practices
Content will be here…
Content will be here…
Content will be here…

Exam Resources



Study guide

Sample Questions

Course Outline

Module 1 – Tools and Resources

• Troubleshooting Enablement
• Troubleshooting Tools
• Troubleshooting Skills
• Troubleshooting Knowledge
• Options For Information and Support
• Online Resources: Fuel User Group
• Online Resources: LIVE Community
• Customer Support Portal
• Enabling Notifications
• Contact Technical Support or Account Manager?
• Support Section Within the Firewall
• Status Monitoring Tools
• Health Indicators to Check
• Dashboard Indicators
• Application Control Center (ACC)
• Pan(w)achrome Browser Extension (Third Party)
• Logs in the Web Interface
• Diagnostic Tools for Policy and Connectivity Analysis
• Why Learn About the CLI?
• Packet-Level Tracing
• Maintenance Mode
• Entering Maintenance Mode
• Welcome to the Maintenance Recovery Tool
• Maintenance Mode Entry Reason
• Obtaining System Information
• Factory Reset
• Revert or Reload PAN-OS Software
• Set the Management IP Address
• Load Configuration
• Run Diagnostics
• (Optional) Use the CLI to Export a Tech Support File Lab
• CLI Fundamentals Lab (Content in Appendix A)

Lab 1: Tech Support Files

• Connect to Your Student Firewall
• Validate the Basic Functionality of the System
• Use the Web Interface to Get a Tech Support File
• Decompress the Contents of the Tech Support File
• Explore the Tech Support File
• Use the CLI to Export a Tech Support File
• Use the CLI to Generate a Tech Support File
• Use the CLI to Export a Tech Support File
• Validate the Exported Tech Support File
• Reference Information

Module 2 – Flow Logic

• Sessions and States
• How Does Network Communication Work?
• Session-Based Processing
• Why Review the Concept of a Session?
• What Is a Palo Alto Networks Firewall Session?
• Basic Session Information
• What Is a Session?
• show session info Command
• Session Management and Traffic Flow
• Session States
• Display of Session Details in the Session Browser
• show session all Command
• show session id Command
• Traffic Log: Session Details
• Session End Reasons
• Traffic Log
• Flow Logic
• How to Get a Clear and Relevant View of the Flow Logic
• Hardware Terms for Data-Plane Troubleshooting
• Software Terms for Data-Plane Troubleshooting
• Data-Plane Processing
• Data-Plane Packet Flow
• Ingress Stage
• Session Matching
• After Initial Packet Parsing…
• Session Setup (“slowpath”) Stage
• Security Processing (“fastpath”) Stage
• App-ID Applied
• Content-ID/Content Inspection Applied
• Content Inspection
• Egress Stage

Lab 2: CLI Fundamentals

• Import, Load, and Commit a Configuration File
• Confirm the Current Device Configuration
• Explore Options for Changing Other Device Settings
• Change the Current Device Configuration
• Clean Up Your Lab Environment
• Lab (Optional): Use the CLI to Modify Policy Objects
• Review the Existing Policy Configuration
• Use the CLI to Examine a Configuration and Discover Options for How to Modify It
• Modify Object Parameters
• Review Changes and Commit the Configuration
• (Optional) Test URL Filtering Profile Changes
• Reference Information

Module 3 – Packet Captures

• Packet Capture Concepts
• Troubleshooting with Packet Captures
• Packet Filters
• Types of Firewall Packet Captures
• Packet Capture Stages
• Using Packet Capture Stages
• Which Capture Stages to Examine?
• Configuring Packet Captures
• Packet Capture Using the Web Interface
• Packet Capture on CLI
• Packet Capture Recommendations
• Viewing Pcaps in the CLI
• Options for Viewing Pcaps in the CLI
• Debug-Log Packet Diagnostics Features (Data Plane)
• Debug-Log Packet Diagnostics 10.1 Improvements (Data Plane)
• Daemon Packet Captures: CLI Only (Management Plane)

Lab 3: Tracing Data-Plane Packet Flow

• Open the Packet-Diagnostics File
• Trace the First Packet Through the Firewall
• Trace the Second Packet
• Trace the Content Inspection of a Packet
• Identify Firewall-Generated Packets
• Identify Other Dropped Packets and the Session End
• Reference Information

Module 4 – Debug-Level Diagnostic Log Features

• Data-Plane Flow Logging Options
• Using the Flow-Basic Feature
• Visibility Provided by Flow-Basic Logs
• The Scope of Flow-Basic Log Output
• To Enhance Visibility
• Recommendations
• Steps for Using Flow Basic: Overview
• Using Flow Basic
• Interpreting Flow-Basic Output
• Interpreting Flow-Basic Logs
• Packet-Diagnostics Configuration: show setting Option
• Packet Correlation: view-pcap Command
• Flow Basic: Ingress Stage
• Flow Basic: Session Setup (slowpath)
• Flow Basic: Security Processing (fastpath)
• Flow Basic: Egress Stage (forwarding)
• Flow Basic: Block Page, Close Session
• Flow Basic: Block Page Responses
• Hardware Assistance and Offloading
• Hardware Session Offload to the Network Processor
• Which Traffic Can Be Offloaded?
• Troubleshooting Offloaded Traffic

Lab 4: Packet Capture

• Configure a Packet Filter
• Test Session Marking
• Configure Capture Stages
• Clear Marked Sessions
• Turn On Packet Capture and Capture Packets
• Analyze the Pcaps
• Add a Security Policy Configuration to Drop Traffic
• Reconfigure the Filter
• Capture a New Session and Download the Pcaps
• Analyze the Pcaps
• Reference Information

Module 5 – Host-Inbound Traffic

• What Is Host-Inbound Traffic?
• Problem Identification: Probing Questions
• Validate the Problem
• Problem Validation Method – Example: SNMP
• Host-Inbound Traffic Troubleshooting Approach
• General Approach for Feature-Specific Diagnostics
• Troubleshooting Example: VPN Traffic
• End Users Report Trouble
• Which Features Are Involved?
• VPN Troubleshooting
• Tunnel Does Not Get Established
• Tunnel Established, but There Is No Traffic
• Tunnel Establishment: Background
• System Logs
• Reading VPN Error Messages (System Log)
• System Log Errors: Prefer to Troubleshoot the Responder
• Troubleshooting from the Responder
• Troubleshooting VPN Tunnels
• Troubleshooting Example Continued: IKE
• Troubleshooting IKE Information: Web Interface
• Troubleshooting IKE Information: CLI
• Troubleshooting IKE
• Data-Plane Packet Capture for IKE (ikemgr)
• Management Plane IKE (ikemgr) Pcap
• Example Output of ikemgr.log for Phase 1 at Debug Level
• Troubleshooting Example Continued: Ipsec
• IPsec Tunnel Status: Confirm the VPN Configuration Exists
• IPsec Tunnel Status: Check Connectivity
• Phase 2 and Tunnel Status
• Troubleshooting a Specific IPsec Tunnel
• New Sample Output for IKE Phase 2 from ikmgr.log at Debug Level
• Additional CLI Commands
• Verifying Tunnels and Tunneled Traffic
• Testing the VPN
• Confirmation of VPN
• Verify Tunnel Session
• Tunneled Traffic Session
• Decrypt IKE and ESP Packets

Lab 5: Flow Basic

• Load the Lab Config File and Start the FTP Server
• Verify External Connectivity to the FTP Server
• Verify the Problem with the Internal Client
• Examine Firewall Traffic Logs and Threat Logs
• Configure the Capture Filter
• Check Counters
• Configure Packet Capture and Enable Flow Basic
• Run Packet Capture and Flow Basic Diagnostic Logging
• Interpret the Flow Basic Log and Pcaps
• Implement a Solution and Verify
• Check Logs and Enable Logging for Increased Visibility

Module 6 – Transit Traffic

• Identify the Traffic Type
• What Is Transit Traffic?
• Methodology
• Probing Questions
• Isolate the Problem
• Problem Resolution
• Transit Traffic Troubleshooting Progression
• Collect Information
• Monday Morning…
• First: Review the Logs
• Using Traffic Logs to Diagnose Common Issues
• Traffic Log Details
• Incorrect Application Information
• Incorrect IP and Port Addressing
• How application-default Affects Policy Matching
• Rule-Match Troubleshooting
• Applying Traffic Log Findings
• An Alternative: The Unified Log View
• Next: Session Browser
• Short Sessions
• Have Sessions but No Logs
• Getting Traffic Logs
• Use Counters
• Receiving Traffic but Have No Sessions
• What to Look for in Global Counters
• Using the Packet Filter with Global Counters
• Using the Delta Option with Global Counters
• Filter Global Counters with a String
• Example Scenarios
• Use PCAPs and Packet Diagnostics
• Need Proof of Traffic or Additional Information

Lab 6: Host-Inbound Traffic

• VPN Traffic—Case A
• Verify the Problem
• Check Routing and Security Policy Rules
• Stop! Try a Top-Down Approach Instead
• Check the Health of the VPN Tunnel
• Initiate the VPN Connection from the Remote Network
• Troubleshoot the VPN Connection as the Responder
• Check Proxy ID Settings and Correct the Problem
• Verify the Solution
• Host-Inbound VPN Traffic—Case B
• Apply a Baseline Configuration to the Firewall
• Verify the Problem with SFTP Access to the Web Server
• Review the Traffic and System Logs
• Check the High-Level Health Indicators for the Tunnel
• Troubleshoot as the Responder
• Reset the Pre-Shared Key and Verify Functionality
• (Optional) Cause the Firewall to Initiate the Connection

Module 7 – System Services (Daemons)

• What Are Performance Issues?
• Probing Questions for Performance Issues
• Performance Troubleshooting Progression
• Baseline Service Performance
• System Counters
• Overview of System Services (Daemons)
• System Services (Daemons)
• Example Service Log Listing (PA-220)
• Management-Plane Services
• Service (Daemon) Log Data
• Debug Log Levels
• Show Current Log Levels
• Example Debug Log Levels
• Setting Debug Log Levels
• Why Change the Log Level of a Service?
• To Reset Debug Log Levels
• Gathering More Data
• How to Monitor Daemons
• Web Interface Tools: Dashboard and System Logs
• To Review Service Log Files
• Display Statistics on the Management Plane
• Using the show system resources follow Command
• Restarting Processes (Daemons)
• Data-Plane Crash

Lab 7: Transit Traffic—App-ID and Torrents

• Attempt to Connect to Torrent Sites
• Examine Traffic Logs and App-ID Results
• Enable Traffic
• Set the Matching Policy Rule to “Deny” and Test
• Create a Policy Rule to Block Torrents
• Add File Blocking to the Security Profile Setting
• Transit Traffic—Blocking Tor
• Lab Challenge and Checklist
• Lab Solution: Security Policy to Block Tor App-ID
• Lab Solution: Use Application Filters
• Lab Solution: Block Risky URL Categories
• Lab Solution: Deny Unknown Applications
• Lab Solution: Blocking Untrusted and Expired Certificates with a Decryption Profile
• Lab Solution: Create Decryption Profile for Decrypted Traffic
• Lab Solution: Use an External Dynamic List (EDL)

Module 8 – Certificate Management and SSL Decryption

• Troubleshooting SSL Decryption
• Decryption Policy Rule Types
• Review of SSL Decryption Configuration
• That Monday Morning Phone Call…
• Probing Questions
• Troubleshooting Progression for SSL Decryption
• Troubleshoot SSL Session Terminations
• SSL Decryption Troubleshooting
• Displaying Troubleshooting Statistics
• Basic Decryption Troubleshooting Steps
• Troubleshoot Potential Performance Issues
• Decryption Failures and Unsupported Applications
• SSL Decryption Exclusion List
• Decryption Failures
• Unsupported Mode and Failure Checks
• External Factors That Complicate SSL Decryption
• Certificate Pinning (HPKP)
• ECDHE Application and Security Impact
• App-ID-Based Issues

Lab 8: System Services

• Check Running Services
• Review the Logs for a Specific Service
• Change the Debug Level for a Service
• Restart a Service
• Restart a Service and Monitor a Data-Plane Session
• Investigate the Event

Module 9 – User-ID

• User-ID Mapping Flow
• User-ID Purpose
• User-ID Components
• User Mapping Methods
• User-ID Agent Flow
• User-ID Troubleshooting Progression
• User-ID Agent
• Troubleshooting Connectivity: Logs
• User-ID Agents Connection Status: Firewall Web Interface
• User-ID Agent Connection Status: Firewall CLI
• User-ID Agent Connection Status: Local User Interface
• Enable Debug-Level Logging on the User-ID Agent
• User-ID Agent Debug Log
• Forwarding User-ID Agent Logs
• User Mappings Not Present
• No Source User in Sessions
• Requirements for Extracting Server Information
• User-ID Agent User Identification Timeout
• User-ID Agent Client Probing
• Reminder: AD Versus LDAP
• User Mappings
• IP-to-User Source Mapping Type
• IP-to-User Mapping for AD
• IP-to-User Mapping
• debug user-id reset Commands
• Modifying the User Cache
• View IP Mappings on the Agent
• Group Mapping
• Display User-Group Mapping State
• Display User-Group List
• Display User-Group Membership
• Display User-Group Relationship
• Display User Username and Group Mappings
• Debug Commands for Group Mapping
• Group Mapping Statistics
• User-ID Group Recommendations
• Multiple Domain Configuration
• Integrated User-ID Agent
• User-ID Log Files
• To Enable IP-to-User mapping
• Integrated Agent Connection Status: Web Interface
• Integrated Agents Connection Status: CLI
• Potential User-ID Agent Configuration Issues
• User-ID Agent Best Practices
• Authentication Policy
• Configuration Checklist
• Authentication Policy Troubleshooting Progression
• User-ID Troubleshooting Steps
• Authentication Policy
• Verify Authentication Policy
• Test User Authentication
• Use Captive Portal Redirect Mode When Possible
• RADIUS and Captive Portal
• Multi-Factor Authentication
• Authentication Logs for MFA
• CLI Test for MFA Vendor Connectivity
• Example IP-User Mapping for MFA-Enabled Authentication Policy
• Example authd.log Events for MFA
• Diagnostic Information via the Automated Correlation Engine*

Lab 9: SSL Decryption

• Verify the Functionality of SSL Decryption
• Create a Tag and a Dynamic Address Group
• Create a Decryption Policy Rule
• Create Custom Vulnerability Signatures
• Configure a Log Forwarding Profile
• Configure a Vulnerability Protection Profile to Generate Alerts
• Add the Log Forwarding Profile to a Security Policy Rule
• Test the Configuration and Confirm Results

Module 10 – Global Protect

• Common GlobalProtect Issues
• GlobalProtect Troubleshooting
• Probing Questions
• GlobalProtect Troubleshooting Progression
• Configuration Checklist
• GlobalProtect Logs and Certificates
• GlobalProtect Logs
• CLI GlobalProtect Commands
• Troubleshooting Authentication
• Verify Connection via CLI
• User GlobalProtect Agent Logs: Collecting Logs
• GlobalProtect Agent Log Collection
• GlobalProtect Certificates

Lab 10 – No User-ID Names in Logs

• Diagnose and Fix the Problem
• Reference Information
• Lab Solution: Enable User-ID on the Correct Zone
• Lab Solution: Fix the LDAP Server Profile
• Lab Solution: Verify the Solution with Traffic Logs

Module 11 – Support Escalation and RMAs

• Case Management
• Essential Case Information
• Create Your Case Online
• Severity Level Definitions
• Opening a Support Case: Customer Support Portal
• Opening a Support Case: LIVE Community
• Support Section Within the Firewall
• Support Entitlement Summary
• Opening a Support Case: Step 1
• Opening a Support Case: Step 2
• Opening a Support Case: Step 3
• Opening a Support Case: Step 4
• Opening a Support Case: Step 5
• Hardware failure and return merchandise authorizations (RMAs)
• RMA Process
• Dead on Arrival (DOA)
• Field-Replaceable Units (FRUs)
• Escalation and Support Events
• Contact Technical Support or Account Manager?
• Request a Support Event

Lab 11: Troubleshooting GlobalProtect

• Download the GlobalProtect Agent
• Connect to the External Gateway
• Disconnect the Connected User

Appendix A – CLI Primer

• Scope and Structure of the CLI Objectives
• Functional Introduction to the CLI
• CLI Command Modes
• Autocomplete
• Other Shortcuts
• Exploring Command Parameters
• Operational Mode: Types of Commands
• Searching for Commands
• Configuration Mode: Navigation of the Configuration Hierarchy
• Configuration Mode: Using edit, set, and delete
• Configuration Mode: edit Examples
• Configuration Mode: set, show, delete Examples
• Invalid Syntax
• Displaying and Navigating Data Objectives
• Filtering the Display of Data
• Data Displayed Through less
• Tips for the less Command
• CLI Configuration Display Formats
• Copy and Paste set Commands to Replicate Configuration Elements
• Common CLI Tasks
• Reference Guide

  • Select Time Zone
    Americas Date and Time
    Asia Date and Time
    Europe Date and Time
Payment Methods

We accept all common payment methods in both the Euro and US Dollar as well as Palo Alto Networks training credits and vouchers for this Firewall: Troubleshooting (EDU-330) training course.

  • Training Credits and Vouchers from Palo Alto Networks – We accept both training credits and training vouchers issued by Palo Alto Networks. To sign-up for a course and pay using training credits or vouchers, please use the Register button above. You can select training credits at the end of the registration form.
  • Purchase Order “PO” – If your company wants to raise a purchase order to book a training course, please sign-up using the register button above. At the end of the form, please answer the questions “How would you like to pay for the course?” with “My company will pay for it, please send me an invoice with the payment details”. Our training team will then send you an official quote which your company can use to issue the PO. Our training team will also be able to provide any additional information that might be required by your accounts department.
  • Bank Transfer – Consigas has a bank account both in the US and in Europe. Our banks support all common bank transfer methods like IBAN/BIC, Swift, ACH or wire transfer. To sign-up for a course and pay per bank transfer, please use the Register button above.
  • Credit Card – We can accept credit card payment from all major credit card companies like Mastercard, VISA, American Express, Discover & Diners or Cartes Bancaires. You can pay per credit card either directly through the registration link above, or we can issue an invoice with a web link to pay online. All credit card transactions are secured by Stripe and Consigas is not storing any credit card details.


Guaranteed to Run Training Courses
Guaranteed to Run – Consigas guarantees to run this Firewall Configuration and Management (EDU-210) class, exempt in unexpected circumstances of force majeure, like an accident or illness of the instructor, which prevents the course from being conducted.

Guaranteed on next Course Booking
Guaranteed on next Booking – Consigas guarantees to run this Firewall Configuration and Management (EDU-210) class if one more student registers for the training course.

Guaranteed on next Course Booking
Scheduled Class – Consigas has scheduled this Firewall Configuration and Management (EDU-210) training course and booked an instructor. We rarely cancel any classes because of low inscriptions and provide a “Cancel no more than Once” guarantee. This means that in the rare case that we cannot run a class because of low inscriptions, we guarantee running the next course regardless of the number of attendees.

Training Course Sold Out
Sold Out – This class is fully booked. Please contact us using this form and we will put you on the waiting list or let you know in case we schedule an additional class.

Half and Full-Day Training
We are offering training courses both in the classical full-day as well as in a half-day format. The half-day classes are specially tailored for IT professionals who cannot afford to leave the office for several days in a row. This format allows students to attend and fully focus on the course for a couple of hours and then catch up with their day-to-day job.The training content of both schedule formats is exactly the same. The only difference is that half-day classes distribute the course over a longer period of time. Consigas is running training courses in a half-day format for many years, and we have received very positive feedback from customers. Students tell us that besides being more flexible, it also enables them to learn more effectively as it gives them more time to process all information resulting in a better understanding.

Successful completion of this three-day, instructor-led course will enhance the participant’s understanding of how to troubleshoot the full line of Palo Alto Networks next-generation firewalls. Participants will perform hands-on troubleshooting related to the configuration and operation of the Palo Alto Networks firewall. Completion of this class will help participants develop an in-depth knowledge of how to troubleshoot visibility and control over applications, users, and content.



Become An Expert By Practice – Get Your Hands On Labs

Don’t let your tech outpace the skills of your people


Dedicated to excellence, we cultivate strong partnerships with worldwide technology innovators.


What Our Clients Say


There are no reviews yet.

Be the first to review “Firewall: Troubleshooting (EDU-330)”