Cloud next-generation firewall is the Palo Alto Networks software firewall that protects Amazon Web Services (AWS) deployments with network security delivered as a managed cloud service. Cloud next-generation firewall is a cloud-native solution that provides comprehensive security and visibility across AWS environments, including VPCs, regions, accounts, and workloads. Cloud next-generation firewall is deployed and managed by Palo Alto Networks as a service, eliminating the need for customers to provision, configure, or maintain any infrastructure or software. VM-Series, CN-Series, and Ion-Series are not Palo Alto Networks software firewalls that protect AWS deployments with network security delivered as a managed cloud service, but they are related solutions that can be deployed on AWS or other platforms. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Cloud Next-Generation Firewall Datasheet], [VM-Series Datasheet], [CN-Series Datasheet], [Ion-Series Datasheet]

CN-Series firewall prevents exfiltration by inspecting outbound traffic content and blocking suspicious activity. Exfiltration is a technique used by attackers to steal sensitive data or assets from a compromised network or system, usually by sending them to an external destination, such as a command and control server, a drop zone, or an email address. CN-Series firewall is a containerized firewall that integrates with Kubernetes and provides visibility and control over container traffic. CN-Series firewall prevents exfiltration by inspecting outbound traffic content and blocking suspicious activity using threat prevention technologies, such as antivirus, anti-spyware, vulnerability protection, URL filtering, file blocking, data filtering, and WildFire analysis. CN-Series firewall does not prevent exfiltration by employing custom-built signatures based on hash, distributing incoming virtual private cloud (VPC) traffic across the pool of VM-Series firewalls, or providing a license deactivation API key, as those are not valid or relevant methods for exfiltration prevention. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [CN-Series Concepts], [CN-Series Deployment Guide for Native K8], [Threat Prevention Datasheet], [What is Exfiltration?]

A benefit of network runtime security is that it identifies unknown vulnerabilities that cannot be identified by known Common Vulnerability and Exposure (CVE) lists. Network runtime security is a type of security that monitors and analyzes network traffic in real time to detect and prevent malicious activities or anomalous behaviors. Network runtime security can identify unknown vulnerabilities that cannot be identified by known CVE lists, such as zero-day exploits, advanced persistent threats, or custom malware. Network runtime security can also provide visibility and context into network activity, such as application dependencies, user identities, device types, or threat intelligence. Network runtime security does not more narrowly focus on one security area and requires careful customization, integration, and maintenance, remove vulnerabilities that have been baked into containers, or is siloed to enhance workload security, as those are not benefits or characteristics of network runtime security. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Network Runtime Security], [What is CVE?]

Traffic is directed to a Palo Alto Networks firewall integrated with Cisco ACI through a policy-based redirect. Cisco ACI is a software-defined network (SDN) solution that provides network automation, orchestration, and visibility. A policy-based redirect is a mechanism that allows Cisco ACI to redirect traffic from one endpoint group (EPG) to another EPG through a service device, such as a Palo Alto Networks firewall. The firewall can then inspect and enforce security policies on the redirected traffic before sending it back to Cisco ACI. Traffic is not directed to a Palo Alto Networks firewall integrated with Cisco ACI by using contracts between endpoint groups that send traffic to the firewall using a shared policy, through a virtual machine (VM) monitor domain, or by creating an access policy, as those are not valid methods for traffic redirection in Cisco ACI. Reference:Palo Alto Networks Certified Software Firewall Engineer (PCSFE), [Deploy the VM-Series Firewall on Cisco ACI], [Cisco ACI Policy-Based Redirect]

The two routing options that are supported by VM-Series are:

OSPF

BGP

Routing is a process that determines the best path for sending network packets from a source to a destination. Routing options are protocols or methods that enable routing between different networks or devices. VM-Series firewall is a virtualized version of the Palo Alto Networks next-generation firewall that can be deployed on various cloud or virtualization platforms. VM-Series firewall supports various routing options that allow it to participate in dynamic routing environments and exchange routing information with other routers or devices. OSPF and BGP are two routing options that are supported by VM-Series. OSPF is a routing option that uses link-state routing algorithm to determine the shortest path between routers within an autonomous system (AS). BGP is a routing option that uses path vector routing algorithm to determine the best path between routers across different autonomous systems (ASes). RIP and IGRP are not routing options that are supported by VM-Series, but they are related protocols that can be used for other purposes. Reference: [Palo Alto Networks Certified Software Firewall Engineer (PCSFE)], [VM-Series Deployment Guide], [Routing Overview], [What is OSPF?], [What is BGP?]