Question 1 – How many deployment modes are available in Palo Alto?
Ans – There are multiple deployment modes available:
- Tap mode
- Layer 2
- Layer 3
- Virtual Wire mode
Tap mode – This interface type is used to connect the firewall to a switch SPAN or mirror port. It passively collects traffic and records it in the firewall traffic log; it cannot block anything.
Layer 2 mode – All interfaces are in the same subnet; the firewall works in switching mode.
Layer 3 mode – Interfaces are in different subnets and the firewall also acts as a router, using static or dynamic routing.
Virtual Wire mode – There is no IP or MAC address on the interface; two interfaces are bound together and traffic passes transparently between them.
Question 2 – How many Ethernet (physical) and logical interface types are available in Palo Alto?
Ans –
Physical interfaces:
- Tap mode
- Virtual Wire
- Layer 2
- Layer 3
- Aggregate interfaces
- HA
Logical interfaces:
- VLAN
- Loopback
- Tunnel
- Decrypt Mirror
Question 3 – How do you publish an internal website to the internet, i.e. how do you perform destination NAT?
Ans –
To publish an internal website to the outside world, we need both a destination NAT rule and a security policy rule. The NAT rule translates the external public IP address to the internal private IP address of the server. The security policy must allow access from outside to the internal server on the http service.
We use the scenario below to configure destination NAT.
For NAT – The NAT rule is matched using the pre-NAT zones. Both source and destination zone are Untrust-L3, because the source address and the (public) destination address are both part of the untrust zone.
For policy – The security rule is matched using the post-NAT zones. The source zone is Untrust-L3, as the source address is still the same (1.1.1.1 in the example), and the destination zone is Trust-L3, because the translated IP address belongs to the Trust-L3 zone.
We still have to use the pre-NAT IP addresses for the source and destination address fields of the security rule. According to the packet flow, the actual translation has not yet happened at this point; only the egress zone and route lookup have been performed for the packet. The actual translation happens after the policy lookup.
In the security rule:
- Zone: post-NAT
- IP address: pre-NAT
In the NAT rule:
- Zone: pre-NAT
NAT rule (pre-NAT zones): from L3-Untrust to L3-Untrust
Security rule (post-NAT zones): from L3-Untrust to L3-Trust
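The two-lookup order described above is the part candidates most often get wrong, so here is a small model of it in Python. This is an added example, not Palo Alto code or PAN-OS behaviour taken from documentation: the route table, zone names, public IP 203.0.113.10, server IP 10.1.1.10 and the rule sets are all constructed. It performs the NAT lookup with pre-NAT zones, derives the post-NAT zone from the translated address, and then matches the security rule on post-NAT zones but pre-NAT addresses. The second rule set shows the common mistake of writing the translated (post-NAT) IP into the security rule, which never matches.

```python
import ipaddress
from dataclasses import dataclass

# Constructed route table (not from the page): destination prefix -> egress zone.
ROUTES = {
    "10.1.0.0/16": "Trust-L3",   # internal server network
    "0.0.0.0/0": "Untrust-L3",   # default route towards the internet
}


def zone_for(ip: str) -> str:
    """Zone of the egress interface for ip, by longest-prefix match on ROUTES."""
    addr = ipaddress.ip_address(ip)
    best_net, best_zone = None, None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str        # pre-NAT source zone
    to_zone: str          # pre-NAT destination zone
    dest: str             # pre-NAT (public) destination IP
    translated_dest: str  # internal server IP
    service: tuple        # (protocol, port)


@dataclass(frozen=True)
class SecurityRule:
    name: str
    from_zone: str        # post-NAT source zone
    to_zone: str          # post-NAT destination zone
    dest: str             # must be the pre-NAT destination IP
    service: tuple
    action: str


def evaluate(src_ip: str, dst_ip: str, proto: str, port: int, nat_rules, sec_rules) -> dict:
    """Model the order the text describes: NAT lookup with pre-NAT zones, then
    security lookup with post-NAT zones but pre-NAT addresses, then translation."""
    src_zone = zone_for(src_ip)
    pre_nat_dst_zone = zone_for(dst_ip)

    # 1. NAT policy lookup: pre-NAT zones, pre-NAT addresses.
    nat = next((r for r in nat_rules
                if r.from_zone == src_zone and r.to_zone == pre_nat_dst_zone
                and r.dest == dst_ip and r.service == (proto, port)), None)
    translated_dst = nat.translated_dest if nat else dst_ip

    # 2. Route lookup on the translated address gives the post-NAT destination zone.
    post_nat_dst_zone = zone_for(translated_dst)

    # 3. Security policy lookup: post-NAT zones, but the packet still carries the
    #    pre-NAT destination IP, so the rule must be written with that address.
    sec = next((r for r in sec_rules
                if r.from_zone == src_zone and r.to_zone == post_nat_dst_zone
                and r.dest == dst_ip and r.service == (proto, port)), None)
    action = sec.action if sec else "deny"   # interzone traffic is denied by default

    return {
        "nat_rule": nat.name if nat else None,
        "security_rule": sec.name if sec else None,
        "post_nat_zone": post_nat_dst_zone,
        # translation is only applied once the policy has allowed the packet
        "translated_dst": translated_dst if action == "allow" else None,
        "action": action,
    }


# Constructed rule sets: 203.0.113.10 is the published public IP, 10.1.1.10 the web server.
NAT_RULES = [NatRule("dnat-web", "Untrust-L3", "Untrust-L3", "203.0.113.10", "10.1.1.10", ("tcp", 80))]
SEC_RULES_OK = [SecurityRule("allow-web-in", "Untrust-L3", "Trust-L3", "203.0.113.10", ("tcp", 80), "allow")]
# Common mistake: the security rule names the translated (post-NAT) IP and never matches.
SEC_RULES_WRONG = [SecurityRule("allow-web-in", "Untrust-L3", "Trust-L3", "10.1.1.10", ("tcp", 80), "allow")]

if __name__ == "__main__":
    print(evaluate("198.51.100.7", "203.0.113.10", "tcp", 80, NAT_RULES, SEC_RULES_OK))
    print(evaluate("198.51.100.7", "203.0.113.10", "tcp", 80, NAT_RULES, SEC_RULES_WRONG))
```

Running it shows the correctly written rule set matching both rules and translating to 10.1.1.10, while the rule set that uses the post-NAT address falls through to the default deny even though the NAT rule matched.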
Question 4 – What is GlobalProtect?
Ans –
GlobalProtect provides a transparent agent that extends the enterprise security policy to all users regardless of their location. The agent can also act as a remote access VPN client. Its components are:
Gateway: One or more interfaces on a Palo Alto firewall that provide access and security enforcement for traffic from the GlobalProtect agent.
Portal: The centralized control point that manages gateways, certificates, user authentication and the end-host check list.
Agent: Software on the endpoint that is configured to connect to the GlobalProtect deployment.
Question 5 – What is HA and how many links are used in an HA configuration?
Ans –
PA firewalls use HA links to synchronize data and maintain state information. Some firewall models have dedicated HA ports, a control link (HA1) and a data link (HA2), while others require you to use in-band ports as HA links.
Control link: The HA1 link is used to exchange hellos, heartbeats and HA state information, and for management-plane synchronization of routing, User-ID information and configuration. HA1 is a layer 3 interface and requires an IP address.
Data link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between the firewalls in an HA pair. HA2 is a layer 2 link.
Backup links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2. The IP addresses of the HA backup links must be on a different subnet from the primary HA links.
Packet-forwarding link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link to forward packets to the peer during session setup and for asymmetric traffic flows.
Question 6 – Which protocol is used to exchange heartbeats between HA peers?
Ans –
ICMP (the heartbeat is an ICMP ping over the HA1 control link).
Question 7 – Which ports are used in HA?
Ans –
HA1: tcp/28769 and tcp/28260 for clear-text communication, tcp/28 for encrypted communication.
HA2: IP protocol number 99, or UDP port 29281.
Question 8 – When is a failover triggered in Palo Alto?
Ans –
1. If one or more monitored interfaces fail.
2. If one or more specified destinations cannot be pinged by the active firewall.
3. If the active device does not respond to heartbeat polls (loss of three consecutive heartbeats, sent at a 1000 millisecond interval).
Question 9 – How do you troubleshoot HA issues through the CLI?
Ans –
> show high-availability state : shows the HA state of the firewall
> show high-availability state-synchronization : checks the sync status
> show high-availability path-monitoring : shows the status of path monitoring
> request high-availability state suspend : suspends the active box so that the current passive peer becomes active
Question 10 – How do you test which firewall policy matches for a particular destination?
Ans –
> test security-policy-match from trust to untrust destination <IP>
Question 11 – How do you check which NAT rule matches?
Ans –
> test nat-policy-match
Question 12 – How do you check the system details?
Ans –
> show system info : shows the management IP, PAN-OS version and serial number
Question 13 – How do you perform a packet-level debug in PA?
Ans –
1. Clear all existing packet capture settings:
   debug dataplane packet-diag clear all
2. Set the traffic matching condition (filter) and enable it:
   debug dataplane packet-diag set filter match source y.y.y.y destination x.x.x.x
   debug dataplane packet-diag set filter on
3. Define a capture file for each stage:
   debug dataplane packet-diag set capture stage receive file rx.pcap
   debug dataplane packet-diag set capture stage transmit file tx.pcap
   debug dataplane packet-diag set capture stage drop file dp.pcap
   debug dataplane packet-diag set capture stage firewall file fw.pcap
4. Start the capture:
   debug dataplane packet-diag set capture on
View the pcap: view-pcap filter-pcap rx.pcap
Question 14 – What do you mean by Device Group and Device Template?
Ans –
Device group:
A device group allows you to group firewalls that require a similar set of policies, such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. Objects and policies are managed through device groups.
Device template:
Device templates enable you to deploy a common base configuration, such as network and device-specific settings, to multiple firewalls that require similar settings.
Templates cover what is available in the Device and Network tabs on Panorama.
Question 15 – What is a Security Profile?
Ans –
Security profiles scan allowed applications for threats such as viruses, malware, spyware and DDoS attacks. Security profiles are not used in the match criteria of a traffic flow; a profile is applied to scan traffic after the application or category has been allowed by the security policy.
The following Security Profiles are available:
- Antivirus Profiles
- Anti-Spyware Profiles
- Vulnerability Protection Profiles
- URL Filtering Profiles
- Data Filtering Profiles
- File Blocking Profiles
- WildFire Analysis Profiles
- DoS Protection Profiles
Question 16 – What is the function of a Zone Protection Profile?
Ans –
Zone Protection profiles configure protection against floods, reconnaissance, packet-based attacks and non-IP-protocol-based attacks. Apply a Zone Protection profile to each zone to defend it based on the aggregate traffic entering that ingress zone.
Question 17 – What is the difference between a Palo Alto NGFW and a WAF?
Ans –
Palo Alto Networks next-generation firewall:
• Designed to be the primary firewall, identifying and controlling the applications, users and content traversing the network.
• Logging and reporting: All application, user and threat traffic is logged for analysis and forensics purposes.
• Performance: Designed to act as the primary firewall for enterprises of all sizes, which dictates that it deliver high performance.
• App-ID: Identifies and controls more than 900 applications of all types, irrespective of port, protocol, SSL encryption or evasive tactic.
• User-ID: Leverages user data in Active Directory (as opposed to IP addresses) for policy creation, logging and reporting.
Web Application Firewalls:
• Designed to compensate for insecure coding practices; only companies that use web applications and are concerned that their code is insecure need to buy a WAF.
• Look specifically for security flaws in the application itself, ignoring the myriad of attacks that may be traversing the network.
• Highly customized for each environment, looking at how the web application is supposed to behave and acting on any odd behaviour.
• Look only at the specific L7 fields of a web application; they do not look at any of the other layers in the OSI stack.
Question 17 – What is U-Turn NAT?
Ans –
The term U-Turn is used when the logical path of a connection traverses the firewall from inside to outside and back in, by connecting to an internal resource using its external IP address. U-Turn NAT is a configuration trick to accommodate a deployment where the external IP needs to reach an internal resource.
Question 18 – Explain the difference between Virtual Routers and Virtual Systems in Palo Alto.
Ans –
A virtual system (VSYS) is a separate logical firewall, with its own policies and zones, inside one physical firewall; a virtual router (VR) is only a separate routing instance. VSYS comes in handy in situations where you really should have multiple different firewalls, but for budgetary reasons only one is available.
You can have multiple VR instances running inside a VSYS.
Question 19 – How many types of logs can be viewed on Palo Alto NGFWs?
Ans –
Log types:
- Traffic Logs
- Threat Logs
- URL Filtering Logs
- WildFire Submissions Logs
- Data Filtering Logs
- Correlation Logs
- Tunnel Inspection Logs
- Config Logs
Question 20 – What is WildFire?
Ans –
The WildFire analysis environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can then use to detect and block that malware. Typical input is a file attachment carrying an advanced, VM-aware threat that has not been encountered before.
The WildFire™ cloud service analyzes files and email links to detect threats and create protections to block malware. When WildFire identifies a zero-day threat, it globally distributes protection for that threat in under five minutes.
Question 21 – What is the default IP address of the management port on a Palo Alto firewall, and the default username/password?
Ans –
By default, the management interface has the IP address 192.168.1.1 and the username/password is admin/admin (which must be changed on first login).
Question 22- What is the key difference between superuser and device administrator?
Ans –
Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have Superuser privileges to create an administrative user with Superuser privileges.
Device Administrator: Full access to all firewall settings except for defining new accounts or virtual systems.
Question 23 – What are the pre-requisites for High Availability?
Ans –
- Same model
- Same PAN-OS version
- Same multi-VSYS capability
- Same interfaces
- Same set of licenses
Question 24 – How many VPN deployments are supported by Palo Alto?
Ans –
There are two types of VPN. A site-to-site VPN is used to connect branch offices to a central office over the internet when distance prevents direct network connections. A remote access VPN allows individual users to connect remotely to a central network.
Question 25- What interface is used by default to access external services?
Ans –
The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus.
Question 26- How many zones can an interface be part of?
Ans –
A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can belong to only one zone.
Question 27 – In Palo Alto, is inter-zone communication blocked?
Ans –
By default, inter-zone communication is blocked, so a security policy rule with the Allow action is required to pass IP communication between two security zones.
Question 28 – Which file is mandatory for the bootstrap process to function?
Ans – The init-cfg.txt file, a mandatory file that provides the bootstrap parameters. Its fields are described in the Sample init-cfg documentation.
Question 29 – Which parameter decides the primary and secondary firewall in an HA pair?
Ans –
The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active role.
In active/active configuration, set the Device ID to determine which peer will be active-primary (set Device ID to 0) and which will be active-secondary (set the Device ID to 1).
Question 30 – What is the Application Command Center (ACC)?
Ans –
The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats.
Question 31 – A traffic log displays “incomplete” for a new application. What does that mean?
Ans –
Incomplete means that either the three-way TCP handshake did not complete, or the handshake did complete but there was not enough data after it to identify the application. In other words, the traffic being seen is not really an application.
Question 32 – Which options does the Palo Alto firewall offer for forwarding log messages?
Ans –
Log forwarding options include email servers, syslog servers, SNMP trap servers and HTTP-based services.
Question 33 – When a URL matches multiple categories, which category is chosen?
Ans –
When a URL matches multiple categories, the category chosen is the one with the most severe action defined (block being the most severe and allow the least severe).
Question 34 – What actions are available while filtering URLs?
Ans –
From most strict to least strict, the possible URL Filtering profile actions are: block, override, continue, alert and allow.
Question 35 – What is the Captive Portal and what is it used for?
Ans –
The Captive Portal is used to create user-to-IP mappings on the Palo Alto Networks firewall. The portal is triggered based on the Captive Portal policies, for http and/or https traffic only, and only for IP addresses that have no existing user-to-IP mapping.
Question 36 – How does App-ID identify the applications used in the network?
Ans –
App-ID enables you to see the applications on your network and learn how they work, their behavioural characteristics and their relative risk. Applications and application functions are identified via multiple techniques, including application signatures, decryption (if needed), protocol decoding and heuristics.
Question 37 – What are 3 focal areas in which Panorama adds value?
Ans –
The three main areas in which Panorama adds value are:
- Centralized configuration and deployment.
- Aggregated logging with central oversight for analysis and reporting.
- Distributed administration.
Question 38 – What are the benefits of using Panorama?
Ans –
Panorama is very useful for updating software in bulk with a single click. It also provides detailed reporting to validate compliance status. Panorama is used as a logging service to collect logs from managed devices and so solve operational logging challenges.
Question 39 – Which command is used to show the maximum log file size?
Ans –
#show system logdb-quota
Question 40 – What are the different failover scenarios?
Ans –
A failover is the event in which one firewall fails and its peer takes over the role of safeguarding traffic. It occurs when a monitored metric on a firewall in the HA pair fails.
- Hello messages and heartbeat polling:
  - Hello messages and heartbeats are used by the firewalls to ensure that the peer firewall is responsive and working. To validate the state of the firewall, hello messages are sent from one peer to the other at the configured Hello Interval.
  - The heartbeat is an ICMP ping over the control link to the HA peer, to which the peer responds to confirm that the firewalls are connected and responding. The heartbeat interval is 1000 milliseconds by default. Every 1000 milliseconds a ping is issued, and if three consecutive heartbeats are lost, a failover happens.
- Link monitoring:
  - The monitored physical interfaces are organised into a link group and their status (link up or link down) is tracked. A link group contains one or more physical interfaces. A firewall failure is declared when any or all of the interfaces in the group fail, depending on the configured condition. The default behaviour is that if any link in the link group fails, the firewall sets its HA state to non-functional (or tentative in active/active mode) to signify a monitored object failure.
- Path monitoring:
  - Path monitoring tracks the whole network path to mission-critical IP addresses. ICMP pings are used to check whether an IP address is reachable; the ping interval is 200 ms by default. When 10 consecutive pings (the default value) fail, the IP address is declared unreachable, and a firewall failure is declared when any or all of the monitored IP addresses become unreachable, depending on the configured condition. The default behaviour is that if any of the IP addresses becomes unreachable, the firewall sets its HA state to non-functional (or tentative in active/active mode) to signify a monitored object failure.
- In addition to the triggers above, a failover also happens when the administrator suspends the firewall or when preemption occurs.
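The three monitored-object triggers above (heartbeat loss, link groups and path groups) follow the same shape: a counter or flag per object, a threshold, and an any/all condition across the group. The Python below is an added example that models that decision logic with the default values quoted on the page; it is not PAN-OS code, and the interface names, target IP and event sequence are constructed. It also computes how long each mechanism takes to detect a failure at the defaults, which is the number a practitioner wants when sizing a maintenance window or explaining a failover in a log review.

```python
from dataclasses import dataclass


@dataclass
class HaMonitorConfig:
    """Thresholds from the text; defaults are the PAN-OS defaults the page quotes."""
    heartbeat_interval_ms: int = 1000
    heartbeat_loss_threshold: int = 3
    path_ping_interval_ms: int = 200
    path_ping_failure_threshold: int = 10
    link_group_condition: str = "any"   # "any" or "all" monitored links down
    path_group_condition: str = "any"   # "any" or "all" monitored paths unreachable


class HaMonitor:
    """Toy model of what one HA peer observes about its monitored objects."""

    def __init__(self, cfg: HaMonitorConfig, links, paths):
        self.cfg = cfg
        self.link_up = {name: True for name in links}        # link group members
        self.path_failures = {target: 0 for target in paths}  # consecutive failed pings
        self.heartbeats_missed = 0                            # consecutive missed heartbeats
        self.state = "ok"                                     # "ok" or "failover"
        self.reasons = []

    # --- event inputs, one call per monitoring interval -------------------
    def heartbeat(self, reply_received: bool) -> str:
        """One ICMP heartbeat over HA1; a reply resets the consecutive-loss count."""
        self.heartbeats_missed = 0 if reply_received else self.heartbeats_missed + 1
        return self._evaluate()

    def link(self, name: str, up: bool) -> str:
        self.link_up[name] = up
        return self._evaluate()

    def path_ping(self, target: str, reachable: bool) -> str:
        """One ICMP ping to a monitored destination; a success resets the count."""
        self.path_failures[target] = 0 if reachable else self.path_failures[target] + 1
        return self._evaluate()

    # --- decision -----------------------------------------------------------
    @staticmethod
    def _group_failed(condition: str, failed_flags) -> bool:
        flags = list(failed_flags)
        if not flags:
            return False   # nothing monitored in this group
        return any(flags) if condition == "any" else all(flags)

    def _evaluate(self) -> str:
        reasons = []
        if self.heartbeats_missed >= self.cfg.heartbeat_loss_threshold:
            reasons.append("heartbeat")
        if self._group_failed(self.cfg.link_group_condition,
                              (not up for up in self.link_up.values())):
            reasons.append("link")
        if self._group_failed(self.cfg.path_group_condition,
                              (n >= self.cfg.path_ping_failure_threshold
                               for n in self.path_failures.values())):
            reasons.append("path")
        if reasons:
            # Once triggered the failover is sticky; recovery (monitor hold timers,
            # preemption) is deliberately not modelled here.
            self.state = "failover"
            self.reasons = reasons
        return self.state


def detection_time_ms(cfg: HaMonitorConfig) -> dict:
    """Worst-case time to declare failure from the first missed probe."""
    return {
        "heartbeat": cfg.heartbeat_interval_ms * cfg.heartbeat_loss_threshold,
        "path": cfg.path_ping_interval_ms * cfg.path_ping_failure_threshold,
    }


if __name__ == "__main__":
    mon = HaMonitor(HaMonitorConfig(), ["ethernet1/1", "ethernet1/2"], ["192.0.2.1"])
    for reply in (False, False, True, False, False, False):   # constructed sequence
        print("heartbeat reply" if reply else "heartbeat lost", "->", mon.heartbeat(reply))
    print(mon.reasons, detection_time_ms(HaMonitorConfig()))
```

At the defaults, heartbeat loss is declared after 3 × 1000 ms and an unreachable path after 10 × 200 ms, so path monitoring will usually fire before heartbeat monitoring on the same outage; the link-group "all" condition shows why a two-link group with one link down does not fail over unless configured to.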
Question 41 – What is the procedure for adding a licence to the Palo Alto firewall?
Ans –
Locate the licence activation codes that you purchased:
Palo Alto Networks customer care should have sent you an email with the activation codes associated with each subscription when you purchased them. If you can’t find this email, you’ll need to contact Customer Support to get your activation codes before continuing.
Activate your Support subscription first. If you don’t have a valid Support licence, you won’t be able to upgrade your PAN-OS software.
- Log in to the web interface and select Device > Support.
- Select Activate support using authorization code.
- Enter your authorization code and click OK.
Activate each licence you’ve bought. Choose Device > Licenses, then activate your licences and subscriptions using one of the methods below:
- Retrieve license keys from license server.
- Activate feature using authorization code.
- Manually upload license key.
Question 42 – How do you take a backup of the Palo Alto firewall?
Ans –
- After logging in to the Palo Alto firewall, go to Device > Setup > Operations.
- To save the configuration locally on the Palo Alto firewall, click “Save named configuration snapshot”.
- To save a backup of the Palo Alto configuration file to your local PC, click “Export named configuration snapshot”.
Question 43 – Explain Single Pass Software and Parallel Processing Hardware.
Ans –
Within the Palo Alto Networks next-generation firewall, the Single Pass software is meant to achieve two critical purposes. First, the single-pass software performs each operation only once per packet: networking functions, policy lookup, application identification and decoding, and signature matching for all threats and content are all executed once when a packet is processed.
Hardware is the other important component of the Palo Alto Networks SP3 architecture. Parallel Processing hardware is used in Palo Alto Networks next-generation firewalls to ensure that the Single Pass software operates quickly. To achieve this, Palo Alto Networks first separated the data plane from the control plane so that the two are independent.
Question 44 – What is a “service route” in Palo Alto?
Ans –
The path from an interface to the server that provides a service is referred to as the service route. The management (MGT) interface is the default interface for accessing external services.