Session-26
Palo Alto Networks Certified Network
Security Administrator/Expert
(PCNSA or PCNSE)
BE PROFESSIONAL BE TECHNICAL
Question-1 What is Palo Alto and how does it differ from other firewalls?
Ans- Palo Alto Networks is a leading cybersecurity company known for its Next-Generation
Firewalls (NGFWs). These firewalls are designed to provide advanced security features and
comprehensive protection against modern cyber threats.
Key Features of Palo Alto Firewalls:
1. App-ID Technology:
Instead of relying solely on ports or protocols, Palo Alto firewalls identify and control
applications at Layer 7 from the traffic itself (protocol decoders, signatures and heuristics). This
gives precise application control regardless of the port in use, and with the "application-default"
service a rule allows an application only on its standard ports, so a tunnelled or port-hopping
application does not match a rule written for a different application.
2. User-ID Integration:
Integrates with identity services like Active Directory, allowing policies to be applied based on
user identity instead of just IP addresses.
3. Content-ID:
Provides advanced threat prevention by inspecting traffic for viruses, malware, and other
threats, including URL filtering to block malicious websites.
4. Integrated Threat Intelligence:
Leverages the WildFire service, which analyzes unknown files and links in a cloud-based
sandbox to detect zero-day threats.
5. Single-Pass Parallel Processing (SP3) Architecture:
Each packet is processed once through networking, User-ID, App-ID, policy lookup and Content-ID,
rather than being re-scanned by a separate engine per feature, and the management plane is kept
separate from the data plane, so management load does not add latency to forwarding.
6. SSL Decryption:
Can decrypt and inspect SSL/TLS traffic for threats, which is crucial as more malicious activity
occurs within encrypted sessions. Forward-proxy decryption requires clients to trust the firewall's
forward-trust CA certificate; inbound inspection requires the server's certificate and private key on
the firewall. Without decryption, App-ID can identify only what the handshake reveals (typically
"ssl", or an application recognised from its SNI or certificate) and Content-ID cannot inspect the payload.
Differences Between Palo Alto and Other Firewalls:
Feature               | Palo Alto                                      | Traditional (port-based) Firewalls          | Competitors (e.g., Fortinet, Check Point)
Application Awareness | Uses App-ID to identify applications precisely | Primarily relies on port/protocol filtering | Application awareness varies by vendor
User Awareness        | User-ID provides granular user-based policies  | Often lacks deep user integration           | Some competitors have similar capabilities
Cloud Integration     | Strong integration with cloud environments     | May lack robust cloud features              | Cloud integration varies
Threat Intelligence   | Real-time threat updates via WildFire          | May not have integrated real-time updates   | Varies across products
Ease of Management    | Centralized management with Panorama           | Management can be more complex              | Some competitors offer similar tools
SSL Decryption        | Advanced decryption with high performance      | Limited or less efficient decryption        | Varies depending on the vendor
Palo Alto Networks Certified Network Security Administrator (PCNSA or PCNSE) |IT INDEX
BE PROFESSIONAL BE TECHNICAL
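The App-ID point above (application identified from the payload, not the port, and allowed only on its standard ports with "application-default"), as an added example. This is not Palo Alto code: the three payload signatures are deliberately minimal stand-ins for the real App-ID signature set, and the flows, ports and rule are constructed for the illustration.

```python
"""Port-based vs application-based classification, with application-default.

Added illustration (not Palo Alto code). The signatures below are minimal
stand-ins for App-ID; the flows and the rule are constructed.
"""

# What a port-based firewall assumes about a destination port.
PORT_TABLE = {22: "ssh", 53: "dns", 80: "web-browsing", 443: "ssl"}

# Standard ports per application, the basis of "service application-default".
APP_DEFAULT_PORTS = {"ssh": {22}, "web-browsing": {80}, "ssl": {443}, "dns": {53}}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def classify_by_port(dport: int) -> str:
    """Legacy stateful-inspection view: application inferred from the port."""
    return PORT_TABLE.get(dport, "unknown")


def classify_by_payload(payload: bytes) -> str:
    """App-ID-style view: application inferred from the first data bytes."""
    if payload.startswith(b"SSH-"):                      # SSH version banner
        return "ssh"
    # TLS record header: type 0x16 (handshake), version 0x03xx, then a ClientHello (0x01).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "ssl"
    request_line = payload.split(b"\r\n", 1)[0].split(b" ")   # HTTP/1.x request line
    if (len(request_line) == 3 and request_line[0] in HTTP_METHODS
            and request_line[2].startswith(b"HTTP/1.")):
        return "web-browsing"
    return "unknown"


def evaluate_rule(app: str, dport: int, rule: dict) -> str:
    """Match one security rule on application plus service; returns its action or 'no-match'.

    rule["service"] is either "application-default" or an explicit set of ports.
    """
    if app not in rule["application"]:
        return "no-match"
    service = rule["service"]
    if service == "application-default":
        if dport not in APP_DEFAULT_PORTS.get(app, set()):
            return "no-match"
    elif dport not in service:
        return "no-match"
    return rule["action"]


def evaluate_policy(flows, rules):
    """Return (dport, port-based guess, App-ID result, action) for each flow."""
    results = []
    for dport, payload in flows:
        app = classify_by_payload(payload)
        action = "deny"                      # interzone traffic is denied unless a rule matches
        for rule in rules:
            verdict = evaluate_rule(app, dport, rule)
            if verdict != "no-match":
                action = verdict
                break
        results.append((dport, classify_by_port(dport), app, action))
    return results


# Constructed flows: (destination port, first payload bytes of the session).
FLOWS = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),  # HTTP where expected
    (443, b"SSH-2.0-OpenSSH_9.6\r\n"),                              # SSH hidden on 443
    (8080, b"GET /admin HTTP/1.1\r\nHost: intranet\r\n\r\n"),       # HTTP on a non-standard port
    (80, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),           # TLS ClientHello on port 80
]

# Constructed rule: web applications allowed only on their standard ports.
RULES = [
    {"name": "allow-web", "application": {"web-browsing", "ssl"},
     "service": "application-default", "action": "allow"},
]

if __name__ == "__main__":
    for row in evaluate_policy(FLOWS, RULES):
        print("dport=%-5d port-view=%-13s app-id=%-13s action=%s" % row)
```

Only the first flow is allowed: the SSH-over-443 flow is identified as ssh and is not in the rule, and the two flows that carry a permitted application on the wrong port fail the application-default check. A port-based firewall would have seen the second and fourth flows as ordinary "ssl" and "web-browsing".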
Question-2 How many kinds of processors are in a Palo Alto firewall?
Ans- Palo Alto firewalls separate work across two planes, each with its own processing resources, so that
administrative load never slows packet forwarding. Palo Alto's documentation uses "management plane" and
"control plane" for the same thing; they are not two separate processors.
1. Management Plane / Control Plane Processor (MP)
• Purpose: Handles administrative and control tasks, including configuration, commits, logging, reporting
and the dynamic routing protocols.
• Key Features:
• Provides the web interface (GUI), CLI and XML API for firewall management.
• Runs the logging and reporting processes and the routing daemons (OSPF, BGP, RIP); the resulting
forwarding table is pushed down to the data plane.
• Manages communication with Panorama (Palo Alto's centralized management tool) and with the content,
antivirus and WildFire update services.
2. Data Plane Processor (DP)
• Purpose: Dedicated to high-speed packet processing: session setup, policy lookup, NAT, App-ID,
Content-ID and SSL decryption on every packet.
• Key Features:
• Holds the session table and enforces security policy, so a saturated data plane drops traffic while a
busy management plane does not.
• On hardware platforms the data plane is itself split across specialized processors:
▪ Network Processor (NP): Flow lookup, routing, switching, NAT and QoS.
▪ Security Processor: Multicore processor that runs App-ID, policy matching and SSL decryption.
▪ Signature Match Processor: Hardware pattern matching for Content-ID (vulnerability, antivirus,
spyware and URL categories).
• On the CLI, "show system resources" reports management-plane load and "show running resource-monitor"
reports data-plane core utilization.
Packet flow-
Ingress: Packet enters the firewall interface; the ingress interface's zone is the source zone.
Session Lookup: Checks whether the packet matches an existing session (keyed on source and destination
address and port, protocol and ingress zone).
• If yes, it follows the session's established path (fast path): the NAT and forwarding decisions stored
in the session are applied, and App-ID and Content-ID continue on the stream.
• If no, the firewall enters session setup (slow path), which is the rest of the steps below.
Forwarding and NAT Lookup: A route lookup on the original destination gives the pre-NAT destination zone,
which is what NAT rules are matched against. The matching NAT rule is recorded, and a second route lookup
on the translated destination gives the egress interface and the post-NAT destination zone.
Security Policy Lookup: Security rules are matched on the source zone, the post-NAT destination zone, and
the pre-NAT source and destination addresses and ports. This is why a destination-NAT rule for a public
address needs a security rule from the outside zone to the internal zone that still references the public
address, not the private one.
Session Creation: If the policy allows the traffic (or a rule needs more packets before App-ID can decide),
the session is created and subsequent packets take the fast path.
Application Identification (App-ID): Determines the application (e.g., web-browsing, ssl) from the payload
rather than the port, and re-evaluates the policy if the application changes during the session.
Content Inspection (Content-ID): Scans for threats, including malware, viruses, and suspicious URLs,
using the security profiles attached to the matched rule. Decrypts SSL/TLS traffic if a decryption policy
matches.
Egress: NAT is applied to the packet headers and the packet is forwarded out the egress interface chosen
during session setup.
Interface modes-
1. Layer 3 Mode
• Purpose: Used for routing traffic between different networks.
• Key Features:
o The interface is assigned an IP address.
o Supports routing protocols (OSPF, BGP, RIP).
o Can apply NAT and security policies.
• Use Case: Standard deployment for inter-VLAN routing or WAN connections.
2. Layer 2 Mode
• Purpose: Functions like a switch, forwarding traffic based on MAC addresses.
• Key Features:
o Interfaces are assigned to a VLAN object, and traffic is switched only between interfaces in the
same VLAN object.
o Does not route traffic by itself; a VLAN interface can be attached to the VLAN object if the
firewall must also route for that segment.
o Security policy still applies between zones, so hosts on one subnet can be segmented by placing
their interfaces in different zones without readdressing.
• Use Case: Connecting devices within the same subnet or VLAN.
3. Virtual Wire (vWire) Mode
• Purpose: Transparent mode for traffic inspection without altering Layer 3 or Layer 2 headers.
• Key Features:
o Acts as a "bump-in-the-wire" between exactly two interfaces.
o The interfaces have no IP or MAC address, so neighbouring devices see no change.
o Supports App-ID, Content-ID, decryption and NAT; routing, dynamic routing protocols and VPN
termination are not available because there is no Layer 3 interface.
• Use Case: Inline deployments for monitoring and enforcing security without reconfiguring the
network.
4. Tap Mode
• Purpose: Passive traffic monitoring without affecting the actual traffic flow.
• Key Features:
o Inspects a copy of the traffic via a SPAN or mirror port.
o Does not block or alter traffic.
• Use Case: Testing or monitoring network traffic for threats without impacting production.
5. HA (High Availability) Interface Mode
• Purpose: Dedicated for synchronizing data between two firewalls in a High Availability (HA)
pair.
• Key Features:
o HA1 (control link) carries hellos, heartbeats and configuration synchronization; HA2 (data link)
carries session, ARP and forwarding-table synchronization. Active/Active additionally uses HA3 to
forward packets between the peers.
o Dedicated HA ports are used where the platform has them; otherwise a data-plane interface is set
to interface type HA.
o Ensures minimal downtime during failover because established sessions already exist on the peer.
• Use Case: High Availability deployments to ensure network redundancy.
6. Aggregate Ethernet (AE) Interface Mode
• Purpose: Combines multiple physical interfaces into a single logical interface.
• Key Features:
o Provides increased bandwidth and redundancy.
o Uses Link Aggregation Control Protocol (LACP).
• Use Case: Scenarios requiring high throughput and reliability.
7. Tunnel Interface Mode
• Purpose: Used for routing traffic through VPN tunnels.
• Key Features:
o Works with IPsec or GRE tunnels.
o Supports advanced routing and NAT.
• Use Case: Site-to-site or client-to-site VPN deployments.
Comparison Table
Mode         | Traffic Handling       | Key Use Case
Layer 3      | Routes traffic         | Inter-VLAN routing, WAN connections
Layer 2      | Switches traffic       | Intra-VLAN communication
Virtual Wire | Transparent inspection | Inline security enforcement
Tap          | Passive monitoring     | Threat analysis without affecting traffic
HA           | Synchronizes firewalls | High Availability deployments
Aggregate    | Bundles interfaces     | High throughput and redundancy
Tunnel       | Routes VPN traffic     | Secure site-to-site or client-to-site connectivity
Types of NAT in Palo Alto
Source NAT
Translates the source IP address (and, with dynamic IP and port, the source port) of outbound traffic.
Commonly used for internal users accessing external networks.
Destination NAT
Translates the destination IP address (and optionally the destination port) of inbound traffic.
Commonly used for external users accessing internal services.
NAT rules live in their own rulebase and are evaluated top-down, first match wins. A NAT rule's
destination zone is the zone of the pre-NAT destination address, while the security rule that permits the
same traffic is matched on the pre-NAT addresses but the post-NAT destination zone.
Summary of NAT Types in Palo Alto
Type                       | Purpose                                                          | Example Use Case
Dynamic IP and Port (DIPP) | Maps multiple IPs to one IP with port translation                | Internal users accessing the internet
Dynamic IP                 | Maps multiple IPs to a pool of external IPs, no port translation | Ensuring unique IPs for internal devices
Static IP (Source)         | Maps internal IP to a fixed external IP                          | Internal servers with a consistent public presence
Static NAT (Destination)   | Maps public IP to an internal IP                                 | Hosting internal services for external users
Port Forwarding            | Redirects external port to internal service                      | External access to internal apps via specific ports
U-Turn NAT                 | Internal access to internal servers via public IP                | Local user access to a public-facing service
NAT64                      | Translates IPv6 to IPv4                                          | IPv6-only clients accessing IPv4 resources
Notes: Dynamic IP keeps the source port, so once its address pool is exhausted new sessions fail unless
Dynamic IP/Port fallback is configured on the rule. U-Turn NAT needs source translation as well as
destination translation when client and server sit on the same segment; otherwise the server replies to
the client directly and the return packets never reach the firewall session.
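The packet-flow order and the NAT types above, worked through in one added example (not PAN-OS code). The routing table, NAT rules, security rules and flows are constructed; the sequential DIPP port allocator and the use of a route lookup to derive the ingress zone are simplifying assumptions. It shows destination NAT, U-turn NAT, DIPP source NAT, the predefined intrazone/interzone default rules, and the point the packet flow hinges on: NAT rules match on the pre-NAT destination zone, security rules on pre-NAT addresses but the post-NAT destination zone.

```python
"""Session setup with NAT and security policy in PAN-OS order.

Added illustration, not PAN-OS code: routes, rules, addresses and flows are
constructed. Assumptions: ingress zone is derived by a route lookup on the
source address, and DIPP ports are handed out sequentially from 1024.
"""
import ipaddress
import itertools

# Constructed routing table: (prefix, egress interface, zone of that interface).
ROUTES = [
    ("10.1.0.0/16", "ethernet1/2", "trust"),
    ("10.2.0.0/24", "ethernet1/3", "dmz"),
    ("0.0.0.0/0", "ethernet1/1", "untrust"),
]

# Constructed NAT rulebase, first match wins. "dnat" = destination translation,
# "snat" = source translation. "to" is matched against the PRE-NAT destination zone.
NAT_RULES = [
    {"name": "web-dnat", "from": {"untrust"}, "to": {"untrust"}, "dst": "203.0.113.10/32",
     "dport": 80, "dnat": "10.2.0.10"},
    {"name": "web-uturn", "from": {"trust"}, "to": {"untrust"}, "dst": "203.0.113.10/32",
     "dport": 80, "dnat": "10.2.0.10", "snat": "10.2.0.1"},
    {"name": "outbound-dipp", "from": {"trust"}, "to": {"untrust"}, "dst": "0.0.0.0/0",
     "dport": None, "snat": "203.0.113.1"},
]

# Constructed security rulebase. The inbound rule names the PUBLIC address but the DMZ zone.
SECURITY_RULES = [
    {"name": "inbound-web", "from": {"untrust", "trust"}, "to": {"dmz"},
     "dst": "203.0.113.10/32", "app": "web-browsing", "action": "allow"},
    {"name": "outbound", "from": {"trust"}, "to": {"untrust"},
     "dst": "0.0.0.0/0", "app": "any", "action": "allow"},
]

SESSIONS = {}                        # session table keyed on the pre-NAT 4-tuple
_dipp_ports = itertools.count(1024)  # assumption: sequential DIPP port pool


def in_net(ip, prefix):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(prefix)


def route_lookup(ip):
    """Longest-prefix match; returns (egress interface, zone)."""
    candidates = [r for r in ROUTES if in_net(ip, r[0])]
    _, iface, zone = max(candidates, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return iface, zone


def match_nat(src_zone, pre_nat_dst_zone, dst_ip, dport):
    for rule in NAT_RULES:
        if (src_zone in rule["from"] and pre_nat_dst_zone in rule["to"]
                and in_net(dst_ip, rule["dst"]) and rule["dport"] in (None, dport)):
            return rule
    return None


def match_security(src_zone, dst_zone, dst_ip, app):
    for rule in SECURITY_RULES:
        if (src_zone in rule["from"] and dst_zone in rule["to"]
                and in_net(dst_ip, rule["dst"]) and rule["app"] in ("any", app)):
            return rule["name"], rule["action"]
    # PAN-OS predefined rules: same-zone traffic allowed, cross-zone traffic denied.
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


def setup_session(src_ip, sport, dst_ip, dport, app):
    key = (src_ip, sport, dst_ip, dport)
    if key in SESSIONS:                         # fast path: existing session
        return SESSIONS[key]
    _, src_zone = route_lookup(src_ip)          # ingress zone (assumption: via route lookup)
    _, pre_nat_dst_zone = route_lookup(dst_ip)  # NAT policy sees the pre-NAT destination zone
    nat = match_nat(src_zone, pre_nat_dst_zone, dst_ip, dport) or {}
    post_dst = nat.get("dnat", dst_ip)
    post_src = nat.get("snat", src_ip)
    post_sport = next(_dipp_ports) if "snat" in nat else sport
    egress, dst_zone = route_lookup(post_dst)   # zone derived from the POST-NAT destination
    rule, action = match_security(src_zone, dst_zone, dst_ip, app)  # PRE-NAT destination address
    session = {"src_zone": src_zone, "dst_zone": dst_zone, "nat_rule": nat.get("name"),
               "post_nat_src": post_src, "post_nat_sport": post_sport, "post_nat_dst": post_dst,
               "egress": egress, "security_rule": rule, "action": action}
    if action == "allow":
        SESSIONS[key] = session
    return session


# Constructed flows: (src ip, sport, dst ip, dport, app), in arrival order.
FLOWS = [
    ("198.51.100.7", 40000, "203.0.113.10", 80, "web-browsing"),  # Internet -> public web IP
    ("10.1.5.20", 50000, "203.0.113.10", 80, "web-browsing"),     # U-turn: inside user -> public IP
    ("10.1.5.20", 50001, "93.184.216.34", 443, "ssl"),            # outbound, DIPP source NAT
    ("198.51.100.7", 40001, "10.2.0.10", 80, "web-browsing"),     # private address used directly
    ("198.51.100.7", 40000, "203.0.113.10", 80, "web-browsing"),  # repeat of flow 1: session hit
]


def run_flows():
    return [setup_session(*flow) for flow in FLOWS]


if __name__ == "__main__":
    for flow, s in zip(FLOWS, run_flows()):
        print(flow[0], "->", flow[2], s["src_zone"], "->", s["dst_zone"],
              "nat=%s rule=%s action=%s" % (s["nat_rule"], s["security_rule"], s["action"]))
```

Flow 1 is translated to the DMZ server and allowed by "inbound-web" even though that rule names the public address, because the zone check uses the post-NAT destination. Flow 2 takes the U-turn rule and gets a translated source so the server's reply comes back through the firewall. Flow 4 is denied by the interzone default rule: no NAT rule applies, and the security rule written for the public address does not match the private one. Flow 5 never reaches the slow path; it is returned from the session table.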
Service route-
Common Services Using Service Routes
• DNS: For resolving domain names.
• NTP: For time synchronization.
• Syslog: For sending logs to external servers.
• PAN-DB: For URL filtering updates.
• WildFire: For malware analysis and updates.
• GlobalProtect: For VPN-related traffic.
• User-ID Agent: For fetching user mappings from directory services.
• SNMP: For network monitoring.
Default Behavior
• By default, the firewall sources all of these communications from the management interface (MGT).
• If the management interface cannot reach a service, you can configure a service route so that the
traffic is sourced from a data-plane interface (and its IP address) that has a path to the resource.
The chosen interface must also have a return route from the service, and a destination service route
can be used when only traffic to one specific server address should leave through a particular interface.
Configuring Service Routes
1. Navigate to Service Routes:
Go to Device > Setup > Services > Service Route Configuration.
2. Choose the Service:
o Select the specific service (e.g., DNS, NTP) for which you want to configure a service
route.
3. Specify the Interface:
o Define which interface (e.g., Ethernet1/1) and virtual router should be used for that
service.
4. Save and Commit:
o Save the configuration and commit changes to apply the new service route.
Panorama-
Panorama is Palo Alto Networks' centralized management system, designed to simplify the
management, monitoring, and deployment of multiple Palo Alto firewalls across a network. It
provides a unified platform to manage security policies, view logs, generate reports, and ensure
consistent security enforcement. Policy and objects are pushed to firewalls through device groups
(pre-rules evaluated above, and post-rules below, each firewall's local rules), while network and
device settings are pushed through templates and template stacks; managed firewalls can also forward
their logs to Panorama or to dedicated Log Collectors.
Types of HA
1. Active/Passive (A/P):
o Primary Use Case: High reliability with one firewall actively processing traffic and the
other on standby.
o Behavior:
▪ Active firewall handles traffic.
▪ Passive firewall monitors the active one and takes over during failure.
o Key Advantage: Simple to configure and highly reliable.
2. Active/Active (A/A):
o Primary Use Case: Load-sharing between firewalls while maintaining redundancy, typically where
asymmetric routing cannot be avoided.
o Behavior:
▪ Both firewalls process traffic simultaneously.
▪ Traffic is divided based on configurations (e.g., session ownership and session setup settings);
packets that arrive at the peer that does not own the session are forwarded to the owner over HA3.
o Key Caveat: Needs floating IPs or ARP load sharing, and it does not double capacity, because each
peer must still be able to carry the full load after a failover. Active/Passive is the recommended
default.
Wildfire-
WildFire is Palo Alto Networks' advanced cloud-based malware analysis and prevention service. It
identifies and prevents threats, including zero-day malware, by analysing suspicious files and
providing near real-time protections to Palo Alto firewalls and endpoints.