NGFW Engineering: App-ID, Decryption and Policy Design
Moves beyond port-based rules into application-aware policy engineering. Candidates work hands-on with Juniper SRX unified policies and AppSecure (AppID, AppFW, AppTrack), PAN-OS App-ID/Content-ID with User-ID mapping, and Cisco Secure Firewall access control policies, then confront the hard part: SSL forward-proxy decryption design, certificate deployment, decryption exclusions for certificate-pinned apps, and policy-order pitfalls when the identified application shifts mid-session.
- Learner can design a zone-based, application-aware policy set on SRX unified policies and explain rule-match order including dynamic application resolution
- Learner can implement SSL forward-proxy decryption on PAN-OS with a subordinate CA, exclusion lists for certificate-pinned applications, and verify via decryption logs
- Learner can map users to sessions with User-ID/JIMS-style identity sources and write user- and group-based rules instead of IP-based rules
- Learner can migrate a legacy L4 ACL rulebase to an application-based rulebase and prove functional equivalence with traffic replay
- Learner can operate firewall HA (SRX chassis cluster, PAN-OS active/passive) and execute a hitless policy push and failover
SRX App-Aware Zone Policy Build
On vSRX, build trust/DMZ/untrust zones with unified policies using dynamic-applications, enable AppTrack, and verify application shifts with 'show security flow session' and structured syslog.
PAN-OS TLS Decryption Rollout
Deploy SSL forward proxy on PAN-OS VM-Series with an enterprise subordinate CA, build decryption policy with pinned-app exclusions, and validate with decrypted threat-log evidence against test traffic.
L4-to-App Policy Migration
Convert a 60-rule port-based ACL export into an application-based rulebase, replay captured production-like traffic through the firewall, and produce a hit-count report proving no service breakage.