Palo Alto Interview Questions and Answers
Some of our readers had requested a post with some of the common interview questions and answers for the Palo Alto firewall, after reading our post on the PA firewall. Following are some of the questions normally asked in a PA interview. Please use the comment section if you have any questions to add.
1. Why is Palo Alto called a next-generation firewall?
Ans: Next-generation firewalls combine enterprise firewall capabilities, an intrusion prevention system (IPS) and application control. Palo Alto Networks delivers all next-generation firewall features on a single platform, with parallel processing and a single management system, unlike other vendors who use different modules or multiple management systems to offer NGFW features. The Palo Alto NGFW differs from other vendors in terms of platform, process and architecture.
2. What is the difference between the Palo Alto NGFW and a Checkpoint UTM?
PA follows Single Pass Parallel Processing, while UTM follows a multi-pass architecture.
3. Describe the Palo Alto architecture and its advantage.
Architecture: Single Pass Parallel Processing (SP3) architecture.
Advantage: Single Pass traffic processing enables very high throughput and low latency with all security functions active. It also offers a single, fully integrated policy, which makes firewall policy management simpler and easier.
4. Explain the Single Pass and Parallel Processing architecture.
Single Pass: the single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once. Instead of using separate engines and signature sets (requiring multi-pass scanning), and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once, in a stream-based fashion, to avoid introducing latency.
Parallel Processing: PA is designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions:
- Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware.
- User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
- Content-ID content analysis uses a dedicated, specialized content scanning engine.
- On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging, and reporting without touching the data processing hardware.
5. What is the difference between the PA-200, PA-500 and higher models?
In the PA-200 and PA-500, signature processing and network processing are implemented in software, while higher models have dedicated hardware processors.
6. What are the four deployment modes? Explain each.
1. Tap mode: Tap mode allows you to passively monitor traffic flowing across the network by way of a tap or switch SPAN/mirror port.
2. Virtual wire: In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together.
3. Layer 2 mode: multiple interfaces can be configured into a "virtual switch" or VLAN in L2 mode.
4. Layer 3 deployment: In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.
7. What is meant by a Zone Protection profile?
Zone Protection Profiles offer protection against the most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:
-Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based
flooding attacks.
-Reconnaissance detection—Allows you to detect and block commonly
used port scans and IP address sweeps that attackers run to find potential
attack targets.
-Packet-based attack protection—Protects against large ICMP packets and
ICMP fragment attacks.
Configured under Network tab -> Network Profiles -> Zone Protection.
8. What is U-turn NAT and how is it configured?
U-turn NAT applies when internal resources in the Trust zone need to access DMZ resources using the public IP addresses of the Untrust zone. Let's explain based on the scenario below.
In the above example, the website company.com (192.168.10.20) is statically NAT'ed to the public IP address 81.23.7.22 in the Untrust zone. Users in the corporate office on the 192.168.1.0/24 segment need to access the company webpage. Their DNS lookup will resolve to the public IP in the Internet zone. The basic destination NAT rule that gives Internet users access to the web server will not work for internal users browsing to the public IP.
Following are the NAT rule and policy definitions.
9. How do you publish an internal website to the Internet, or how do you perform destination NAT?
To publish an internal website to the outside world, we require a destination NAT rule and a security policy. The NAT rule maps the internal private IP address to the external public IP address. The firewall policy needs to allow access to the internal server on the http service from outside. We can see how to perform the NAT and policy configuration with respect to the following scenario:
Provide access to 192.168.10.100 through the public IP address 64.10.11.10 from the Internet.
The following NAT and policy rules need to be created.
NAT: here we use the pre-NAT configuration to identify the zones. Both the source and destination zone should be Untrust-L3, as the source and destination addresses are both part of the Untrust zone.
Policy: here we use the post-NAT configuration to identify the zones. The source zone will be Untrust-L3, as the source address is still 12.67.5.2, and the destination zone will be Trust-L3, as the translated IP address belongs to the Trust-L3 zone.
We have to use the pre-NAT IP addresses for the source and destination address fields in the policy configuration. According to the packet flow, the actual translation has not yet happened at the time of policy lookup; only the egress zone and route lookup have been done for the packet. The actual translation happens after the policy lookup. Just remember the following and it will be easy to understand:
In the firewall rule,
Zone: Post-NAT
IP address: Pre-NAT
In the NAT rule,
Zone: Pre-NAT
The final configuration looks like below:
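As an added illustration (not from the original post) of the mnemonic above, this Python model walks a packet through the lookup order just described: the NAT rule is matched on pre-NAT zones, the security rule on the post-NAT zone but pre-NAT addresses. It reuses the page's addresses (64.10.11.10 published as 192.168.10.100, Internet source 12.67.5.2) and adds a constructed U-turn variant for the same server to cover question 8; the zone table and the translated source 192.168.10.1 are assumptions.

```python
import ipaddress

# Constructed zone table: longest-prefix match stands in for the firewall's
# route lookup plus the zone of the ingress/egress interface (assumption).
ZONES = {
    "192.168.1.0/24": "Trust-L3",    # corporate users
    "192.168.10.0/24": "Trust-L3",   # internal web server 192.168.10.100
    "0.0.0.0/0": "Untrust-L3",       # default route towards the Internet
}

def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(n) for n in ZONES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ZONES[str(best)]

# NAT rules are matched on PRE-NAT zones and addresses.
NAT_RULES = [
    # Destination NAT publishing 192.168.10.100 as 64.10.11.10 (question 9):
    # 64.10.11.10 routes to Untrust-L3, so from and to zone are both Untrust-L3.
    {"from": "Untrust-L3", "to": "Untrust-L3", "dst": "64.10.11.10",
     "xlate_dst": "192.168.10.100"},
    # U-turn NAT (question 8, applied here to the same server): internal users
    # hit the public IP; the source is also translated to an assumed firewall
    # address so the server's reply comes back through the firewall.
    {"from": "Trust-L3", "to": "Untrust-L3", "dst": "64.10.11.10",
     "xlate_dst": "192.168.10.100", "xlate_src": "192.168.10.1"},
]
# Security rules are matched on POST-NAT zones but PRE-NAT addresses; a rule
# written with destination 192.168.10.100 would never match this traffic.
SEC_RULES = [
    {"name": "publish-web", "from": "Untrust-L3", "to": "Trust-L3", "dst": "64.10.11.10"},
    {"name": "uturn-web", "from": "Trust-L3", "to": "Trust-L3", "dst": "64.10.11.10"},
]

def process(src: str, dst: str) -> dict:
    """Return NAT match, security rule hit and post-NAT addresses for one packet."""
    ingress, egress = zone_of(src), zone_of(dst)            # pre-NAT zones
    nat = next((r for r in NAT_RULES if r["from"] == ingress
                and r["to"] == egress and r["dst"] == dst), None)
    post_dst = nat["xlate_dst"] if nat else dst
    post_src = nat.get("xlate_src", src) if nat else src
    post_egress = zone_of(post_dst)                         # post-NAT egress zone
    rule = next((r for r in SEC_RULES if r["from"] == ingress
                 and r["to"] == post_egress and r["dst"] == dst), None)
    return {"nat_rule": nat is not None, "policy": rule["name"] if rule else "deny",
            "post_src": post_src, "post_dst": post_dst, "egress_zone": post_egress}

if __name__ == "__main__":
    print(process("12.67.5.2", "64.10.11.10"))      # Internet user -> publish-web
    print(process("192.168.1.50", "64.10.11.10"))   # internal user -> uturn-web
```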
10. What is GlobalProtect?
GlobalProtect provides a transparent agent that extends enterprise security policy to all users regardless of their location. The agent can also act as a remote access VPN client. Following are the components:
Gateway: one or more interfaces on the Palo Alto firewall that provide access and security enforcement for traffic from the GlobalProtect agent.
Portal: centralized control which manages the gateways, certificates, user authentication and end host checklist.
Agent: software on the laptop that is configured to connect to the GlobalProtect deployment.
11. Explain virtual systems.
A virtual system specifies a collection of physical and logical firewall interfaces and security zones. Virtual systems allow segmentation of security policy functionality such as ACLs, NAT and QoS. Networking functions, including static and dynamic routing, are not controlled by virtual systems. If routing segmentation is desired for each virtual system, an additional virtual router is needed.
12. Explain the various links used to establish HA (HA introduction).
PA firewalls use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, the Control link (HA1) and Data link (HA2), while others require you to use in-band ports as HA links.
Control Link: the HA1 link is used to exchange hellos, heartbeats and HA state information, and for management plane sync of routing and User-ID information and configuration synchronization. HA1 should be a layer 3 interface, which requires an IP address.
Data Link: the HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. HA2 is a layer 2 link.
Backup Links: provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup link IP addresses must be on a different subnet from the primary HA links.
Packet-Forwarding Link: in addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow.
13. What protocol is used to exchange heartbeats between HA peers?
ICMP
14. Which port numbers are used in HA?
HA1: tcp/28769 and tcp/28260 for clear text communication, tcp/28 for encrypted communication
HA2: uses IP protocol number 99 or UDP 29281
15. What are the scenarios that trigger failover?
->if one or more monitored interfaces fail
->if one or more specified destinations cannot be pinged by the active firewall
->if the active device does not respond to heartbeat polls (loss of three consecutive heartbeats over a period of 1000 milliseconds)
16. How do you troubleshoot HA using the CLI?
>show high-availability state : show the HA state of the firewall
>show high-availability state-synchronization : check the sync status
>show high-availability path-monitoring : show the status of path monitoring
>request high-availability state suspend : suspend the active box and make the current passive box active
17. Which command checks the firewall policy match for a particular destination?
>test security-policy-match from trust to untrust destination <IP>
18. Which command checks the NAT rule match?
>test nat-policy-match
19. Which command shows the system details?
>show system info // shows the management IP, system version and serial number
20. How do you perform debugging in PA?
Following are the steps.
Clear all packet capture settings:
>debug dataplane packet-diag clear all
Set the traffic matching condition:
>debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
>debug dataplane packet-diag set filter on
Enable packet capture:
>debug dataplane packet-diag set capture stage receive file rx.pcap
>debug dataplane packet-diag set capture stage transmit file tx.pcap
>debug dataplane packet-diag set capture stage drop file dp.pcap
>debug dataplane packet-diag set capture stage firewall file fw.pcap
>debug dataplane packet-diag set capture on
View the captured file:
>view-pcap filter-pcap rx.pcap
21. What is meant by Device Group and Device Template?
Device Group: a device group allows you to group firewalls that require a similar set of policies, such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. Only Objects and Policies are part of a Device Group.
Device Template: device templates enable you to deploy a common base configuration, such as network and device-specific settings, to multiple firewalls that require similar settings. This is available in the Device and Network tabs on Panorama.
22. Why are Security Profiles used?
Security Profiles are used to scan allowed applications for threats such as viruses, malware, spyware and DDoS attacks. Security profiles are not used in the match criteria of a traffic flow; the security profile is applied to scan traffic after the application or category is allowed by the security policy. You can add security profiles that are commonly applied together to a Security Profile Group.
Following are the Security Profiles available:
Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles
Question 1. In a new firewall, which port provides WebUI access by default?
Answer:
Management port.
Question 2. The management network port on a firewall can be configured as which type of interface?
Answer:
Layer 3.
Question 3. How does Panorama handle incoming logs when it reaches its maximum storage capacity?
Answer:
Panorama automatically deletes older logs to create space for new ones.
Question 4. In an enterprise deployment, a network security engineer wants to assign roles to a group of administrators without creating local administrator accounts on the firewall. Which authentication method must be used?
Answer:
RADIUS with Vendor-Specific Attributes.
Question 5. When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log. What will be the destination IP address in that log entry?
Answer:
The IP address specified in the sinkhole configuration.
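As an added example (not part of the original Q&A), here is the check a defender runs on that log. The firewall usually sees only the internal DNS server as the source of the sinkholed query, so the threat log cannot name the infected client; the client's follow-up connection to the sinkhole address does appear in the traffic log. The log lines, field layout and sinkhole address 203.0.113.10 below are constructed, not real PAN-OS output.

```python
import csv
import io
from collections import Counter

# Sinkhole address configured in the Anti-Spyware profile (constructed value).
SINKHOLE_IP = "203.0.113.10"

# Constructed, simplified threat-log lines: the sinkholed DNS query is attributed
# to the internal resolver 192.168.1.5, not to the infected client behind it.
THREAT_LOG = """\
time,src,dst,threat,action
2024/05/01 10:00:00,192.168.1.5,198.51.100.53,suspicious-dns-query,sinkhole
"""

# Constructed, simplified traffic-log lines: clients that resolved the C2 name
# now connect to the sinkhole IP, which is what the traffic log records as dst.
TRAFFIC_LOG = """\
time,src,dst,dport,app,action
2024/05/01 10:00:01,192.168.1.50,203.0.113.10,443,ssl,allow
2024/05/01 10:00:03,192.168.1.50,203.0.113.10,80,web-browsing,allow
2024/05/01 10:00:05,192.168.1.77,198.51.100.20,443,ssl,allow
2024/05/01 10:01:10,192.168.1.91,203.0.113.10,443,ssl,allow
"""

def resolvers_in_threat_log(threat_csv: str) -> set:
    """Sources of sinkhole events: the DNS servers, which is why they are not enough."""
    rows = csv.DictReader(io.StringIO(threat_csv))
    return {r["src"] for r in rows if r["action"] == "sinkhole"}

def sinkholed_clients(traffic_csv: str, sinkhole: str = SINKHOLE_IP) -> dict:
    """Map each source IP that connected to the sinkhole address to its hit count."""
    rows = csv.DictReader(io.StringIO(traffic_csv))
    return dict(Counter(r["src"] for r in rows if r["dst"] == sinkhole))

if __name__ == "__main__":
    print("resolvers seen in threat log:", resolvers_in_threat_log(THREAT_LOG))
    print("infected clients from traffic log:", sinkholed_clients(TRAFFIC_LOG))
```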
Question 6. A network design change requires an existing firewall to start accessing Palo Alto updates from a data plane interface address instead of the management interface. Which configuration setting needs to be modified?
Answer:
Service route.
Question 7. What must be used in a security policy rule that contains addresses where a NAT policy applies?
Answer:
Pre-NAT addresses and post-NAT zones.
Question 8. The configuration of a DoS Protection profile can defend nodes from which attacks?
Answer:
Floods.
Question 9. Does the app conform to the Common Information Model?
Answer:
Yes! The Common Information Model (CIM) is a set of standards and an app that help other apps conform to a common naming and tagging scheme. This allows Splunk users to search for data across multiple kinds of logs from multiple vendors using the same field names, which eases correlation across different kinds of data. For example, a Splunk user could correlate firewall logs with web server logs. The Splunk for Palo Alto Networks app conforms strictly to the Common Information Model.
Question 10. Does the app have a data model?
Answer:
Yes! In Splunk 6.x, the data model feature allows Splunk users to quickly visualize and analyze data with a point-and-click interface (instead of the Splunk search bar language). This capability requires that the data be modeled into a Splunk Data Model, which is a highly accelerated summary index of the data. Not only is there a data model for all Palo Alto Networks logs, all the app's dashboards are based on this accelerated data model for extremely fast data retrieval and visualization. So the app itself uses the same Data Model that Splunk administrators would use to generate visualizations.
Question 11. What kinds of data does the app take in?
Answer:
The Splunk for Palo Alto Networks app accepts syslog from firewalls, Panorama, and Endpoint Security Manager. Also, WildFire malware reports are pulled from the WildFire portal as XML. These reports represent a behavioral fingerprint of any malware detected by WildFire, which you can correlate against other logs to detect indicators of compromise.
Question 12. Why use Palo Alto Networks with my Splunk?
Answer:
Splunk has an unmatched ability to consume and analyze data, but for Splunk to present usable and actionable insights, it must have the highest level of visibility and knowledge possible. Palo Alto Networks provides that level of visibility into the network and the endpoint to detect and even predict malicious activity. When an indicator of compromise is detected, Palo Alto Networks and Splunk work together to take action and remediate problems automatically to keep the network secure.
Question 13. Why use Splunk with my Palo Alto Networks products?
Answer:
Palo Alto Networks products provide exceptional levels of visibility into network traffic and malicious activity, both in the network and on the endpoint. Combining this visibility with Splunk allows a customer to make correlations and perform analytics across different kinds of data. These correlations can be between different kinds of Palo Alto Networks data, for example correlating WildFire reports against traffic logs to detect infected hosts, or correlating firewall logs with endpoint logs. But the real power of Splunk is correlation and analytics across multiple sources of data and multiple vendors, for example correlating firewall logs with web server logs, or advanced endpoint security logs with Windows event logs.