Question 1 – How many deployment modes are available in Palo Alto?
Ans – There are multiple deployment modes available:
1- Tap mode
2- Layer 2
3- Layer 3 deployment
4- Virtual Wire mode
Tap mode – This interface type is used to connect the firewall to a switch SPAN or mirror port.
It passively collects traffic and logs it to the firewall traffic log.
Layer 2 mode – All interfaces are in the same subnet; the firewall works in switching mode.
Layer 3 mode – Interfaces are in different subnets, and the firewall also works as a router, using
static or dynamic routing.
Virtual Wire mode – There is no IP or MAC address on the interface.
Question 2 – How many Ethernet (physical) and logical interfaces are available in Palo Alto?
Ans -
Physical interfaces
• Tap Mode
• Virtual Wire
• Layer 2
• Layer 3
• Aggregate Interfaces
• HA
Logical interfaces –
• VLAN
• Loopback
• Tunnel
• Decrypt Mirror
Question 3 – How to publish an internal website to the internet, or how to perform destination NAT?
Ans –
To publish an internal website to the outside world, we require both a destination NAT rule and a
security policy. NAT translates between the external public IP address and the internal private IP
address of the server. The security policy must allow access from outside to the internal server on
the HTTP service.
We use the scenario below to configure destination NAT.
For NAT – Here we use the pre-NAT configuration to identify the zones. Both source and
destination zone are Untrust-L3, because the source address and the (untranslated) destination
address are both part of the untrust zone.
For policy – Here we use the post-NAT configuration to identify the zones. The source zone is
Untrust-L3, as the source address is still the same (1.1.1.1), and the destination zone is Trust-L3,
as the translated IP address belongs to the Trust-L3 zone.
We have to use the pre-NAT IP addresses for the source and destination address fields of the
security policy. According to the packet flow, the actual translation has not yet happened at the
time of the policy lookup; only the egress zone and route lookup have been done for the packet.
The actual translation happens after the policy lookup.
In the security rule:
Zone: post-NAT
IP address: pre-NAT
In the NAT rule:
Zone: pre-NAT
NAT rule – pre-NAT – from L3-Untrust to L3-Untrust
Security rule – post-NAT – from L3-Untrust to L3-Trust
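As an added illustration (not part of the original document), the following Python model walks a packet through the order of operations just described: NAT zones come from a route lookup on the original destination, security-policy zones from a route lookup on the translated destination, and security-policy addresses stay pre-NAT. The client 1.1.1.1 and the zone names come from the answer above; the public address 203.0.113.10, the internal server 10.1.1.10, the route table and the rule names are constructed assumptions.

```python
# Added example, not from the original page: a small model of the PAN-OS order
# of operations for a destination-NAT rule. Zone names follow the page
# (Untrust-L3, Trust-L3); 1.1.1.1 is the page's external client, while
# 203.0.113.10 (public IP) and 10.1.1.10 (internal server) are constructed.
import ipaddress
from dataclasses import dataclass

# Routing table as prefix -> egress zone (constructed sample).
ROUTES = {"10.1.1.0/24": "Trust-L3", "0.0.0.0/0": "Untrust-L3"}

def zone_for(ip: str) -> str:
    """Route lookup: the longest matching prefix decides the zone of an address."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

@dataclass
class NatRule:
    name: str
    from_zone: str       # pre-NAT source zone
    to_zone: str         # pre-NAT destination zone
    dst: str             # original (pre-NAT) destination address
    translated_dst: str  # destination-translation target

@dataclass
class SecRule:
    name: str
    from_zone: str       # post-NAT source zone
    to_zone: str         # post-NAT destination zone
    dst: str             # pre-NAT destination address
    action: str

NAT_RULES = [NatRule("Web-DNAT", "Untrust-L3", "Untrust-L3", "203.0.113.10", "10.1.1.10")]
SEC_RULES = [
    # Common mistake: matching on the translated address. This rule never hits.
    SecRule("Wrong-Translated-IP", "Untrust-L3", "Trust-L3", "10.1.1.10", "allow"),
    SecRule("Allow-Web", "Untrust-L3", "Trust-L3", "203.0.113.10", "allow"),
]

def process(src: str, dst: str) -> dict:
    """Return the NAT rule, security rule, zones and action a packet would get."""
    src_zone = zone_for(src)       # ingress zone
    pre_dst_zone = zone_for(dst)   # route lookup on the ORIGINAL destination
    nat = next((r for r in NAT_RULES
                if (r.from_zone, r.to_zone, r.dst) == (src_zone, pre_dst_zone, dst)), None)
    # The post-NAT zone comes from a route lookup on the translated address; the
    # packet itself is still untranslated when the security policy is evaluated.
    post_dst_zone = zone_for(nat.translated_dst) if nat else pre_dst_zone
    sec = next((r for r in SEC_RULES
                if (r.from_zone, r.to_zone, r.dst) == (src_zone, post_dst_zone, dst)), None)
    return {"nat": nat.name if nat else None,
            "policy": sec.name if sec else None,
            "action": sec.action if sec else "deny",
            "pre_nat_zones": (src_zone, pre_dst_zone),
            "post_nat_zones": (src_zone, post_dst_zone)}
```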
Question 4 – What is GlobalProtect?
Ans –
GlobalProtect provides a transparent agent that extends enterprise security policy to all users
regardless of their location. The agent can also act as a remote access VPN client. The
components are:
Gateway: One or more interfaces on a Palo Alto firewall that provide access and security
enforcement for traffic from the GlobalProtect agent.
Portal: Centralized control that manages gateways, certificates, user authentication and the
end-host check list.
Agent: Software on the laptop that is configured to connect to the GlobalProtect deployment.
Question 5 – What is HA and how many links are used in an HA configuration?
Ans –
PA firewalls use HA links to synchronize data and maintain state information. Some
models of the firewall have dedicated HA ports, Control link (HA1) and Data link (HA2),
while others require you to use in-band ports as HA links.
Control Link: The HA1 link is used to exchange hellos, heartbeats and HA state
information, and for management plane sync of routing, User-ID information and
configuration. HA1 should be a layer 3 interface, which requires an IP address.
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec
security associations and ARP tables between the firewalls in an HA pair. HA2 is a
layer 2 link.
Backup Links: Provide redundancy for the HA1 and HA2 links. In-band ports are
used as backup links for both HA1 and HA2. The HA backup link IP addresses must be
on a different subnet from the primary HA links.
Packet-Forwarding Link: In addition to the HA1 and HA2 links, an active/active
deployment also requires a dedicated HA3 link. The firewalls use this link to forward
packets to the peer during session setup and asymmetric traffic flow.
Question 6 – Which protocol is used to exchange heartbeats between HA peers?
Ans –
ICMP
Question 7 – Which ports are used in HA?
Ans –
HA1: tcp/28769 and tcp/28260 for clear-text communication, tcp/28 for encrypted
communication
HA2: uses IP protocol number 99 or UDP/29281
Question 8 – When is failover triggered in Palo Alto?
Ans –
1- if one or more monitored interfaces fail
2- if one or more specified destinations cannot be pinged by the active firewall
3- if the active device does not respond to heartbeat polls (loss of three consecutive
heartbeats, sent at an interval of 1000 milliseconds)
Question 9 – How to troubleshoot HA issues through the CLI?
Ans –
>show high-availability state : shows the HA state of the firewall
>show high-availability state-synchronization : checks the sync status
>show high-availability path-monitoring : shows the status of path monitoring
>request high-availability state suspend : suspends the active firewall so that the current
passive peer becomes active
Question 10 – How to test firewall policy matching for a particular destination?
Ans –
test security-policy-match from trust to untrust destination <IP>
Question 11 – How to check which NAT rule matches?
Ans –
test nat-policy-match
Question 12 – How to check system details?
Ans –
show system info // shows the management IP, system version and serial number
Question 13 – How to perform debug (packet capture) in PA?
Ans –
1- Clear all packet capture settings:
debug dataplane packet-diag clear all
2- Set the traffic matching condition and turn the filter on:
debug dataplane packet-diag set filter match source y.y.y.y destination x.x.x.x
debug dataplane packet-diag set filter on
3- Set the capture stages and their output files:
debug dataplane packet-diag set capture stage receive file rx.pcap
debug dataplane packet-diag set capture stage transmit file tx.pcap
debug dataplane packet-diag set capture stage drop file dp.pcap
debug dataplane packet-diag set capture stage firewall file fw.pcap
4- Turn the capture on:
debug dataplane packet-diag set capture on
View the pcap: view-pcap filter-pcap rx.pcap
Question 14 – What do you mean by Device Group and Device Template?
Ans –
Device group:
A device group allows you to group firewalls that require a similar set of policies, such
as firewalls that manage a group of branch offices or individual departments in a
company. Panorama treats each group as a single unit when applying policies. A
firewall can belong to only one device group. Only Objects and Policies are part of a
Device Group.
Device Template:
Device Templates enable you to deploy a common base configuration, such as Network and
Device-specific settings, to multiple firewalls that require similar settings.
Templates are available in the Device and Network tabs on Panorama.
Question 15 – What is a Security Profile?
Ans –
Security Profiles are used to scan allowed applications for threats, such as viruses,
malware, spyware and DDoS attacks. Security profiles are not used in the match
criteria of a traffic flow. The security profile is applied to scan traffic after the application
or category has been allowed by the security policy.
Below are the Security Profiles available:
▪ Antivirus Profiles
▪ Anti-Spyware Profiles
▪ Vulnerability Protection Profiles
▪ URL Filtering Profiles
▪ Data Filtering Profiles
▪ File Blocking Profiles
▪ WildFire Analysis Profiles
▪ DoS Protection Profiles
Question 16 – What is the function of a Zone Protection Profile?
Ans –
Zone Protection profiles configure protection against floods, reconnaissance, packet-based attacks
and non-IP-protocol-based attacks. Apply a Zone Protection profile to each zone to defend it based
on the aggregate traffic entering that ingress zone.
Question 17 – What is the difference between a Palo Alto NGFW and a WAF?
Ans –
Palo Alto Networks next generation firewall:
• Designed to be a primary firewall, identifying and controlling applications, users and content
traversing the network.
• Logging and reporting: All application, user and threat traffic is logged for analysis and
forensics purposes.
• Performance: Designed to act as the primary firewall for enterprises of all sizes, which dictates
that it deliver high performance.
• App-ID: Identifies and controls more than 900 applications of all types, irrespective of port,
protocol, SSL encryption or evasive tactic.
• User-ID: Leverages user data in Active Directory (as opposed to IP addresses) for policy
creation, logging and reporting.
Web Application Firewalls:
• Designed to compensate for insecure coding practices; only those companies that use web
applications and are concerned that their code is insecure need to buy a WAF.
• Looks specifically for security flaws in the application itself, ignoring the myriad of attacks that
may be traversing the network.
• Highly customized for each environment, looking at how the web application is supposed to
act and acting on any odd behavior.
• Looks only at the specific L7 fields of a web application; it does not look at any of the other
layers in the OSI stack.
Question 17 – What is U-Turn NAT?
Ans –
The term U-Turn is used when the logical path of a connection traverses the firewall from inside
to outside and back in, by connecting to an internal resource using its external IP address.
U-Turn NAT is a configuration technique to accommodate a deployment where the external IP
needs to reach an internal resource.
Question 18 – Explain the difference between Virtual Routers and Virtual Systems in Palo
Alto?
Ans –
Virtual systems (VSYS) come in handy in situations where you really should have multiple
separate firewalls but, for budgetary reasons, only one is available; each VSYS is administered as
its own logical firewall. Virtual routers (VR) are separate routing instances within the firewall.
You can have multiple VR instances running inside a VSYS.
Question 19 – How many types of logs can be viewed on Palo Alto NGFWs?
Ans –
Log types:
• Traffic Logs.
• Threat Logs.
• URL Filtering Logs.
• WildFire Submissions Logs.
• Data Filtering Logs.
• Correlation Logs.
• Tunnel Inspection Logs.
• Config Logs.
Question 20 – What is WildFire?
Ans –
The WildFire Analysis Environment identifies previously unknown malware and generates
signatures that Palo Alto Networks firewalls can use to then detect and block the malware. For
example, malware found in a file attachment may be an advanced, VM-aware threat that has not
been encountered before.
The WildFire™ cloud service analyzes files and email links to detect threats and create
protections to block malware. When WildFire identifies a zero-day threat, it globally distributes
protection for that threat in under five minutes.
Question 21 – What is the IP address of the management port on a Palo Alto firewall, and
what are the default username/password?
Ans –
By default, the firewall has a management IP address of 192.168.1.1 and a username/password of
admin/admin.
Question 22 – What is the key difference between superuser and device administrator?
Ans -
Superuser: Full access to the firewall, including defining new administrator accounts and virtual
systems. You must have Superuser privileges to create an administrative user with Superuser
privileges.
Device Administrator: Full access to all firewall settings except for defining new accounts or
virtual systems.
Question 23 – What are the prerequisites for High Availability?
Ans –
• Same Model
• Same PAN-OS Version
• Same Multi-VSYS
• Same Interfaces
• Same Set of Licenses
Question 24 – How many VPN deployments are supported by Palo Alto?
Ans –
There are two types of VPN: Site-to-site VPN is used to connect branch offices to a central
office over the internet when distance prevents direct network connections. Remote access
VPN allows individual users to connect remotely to a central network.
Question 25 – What interface is used by default to access external services?
Ans –
The firewall uses the management (MGT) interface by default to access external services, such
as DNS servers, external authentication servers, Palo Alto Networks services such as software,
URL updates, licenses and AutoFocus.
Question 26 – How many zones can an interface be part of?
Ans -
A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or
layer 3 interfaces), but an interface can belong to only one zone.
Question 27 – Is inter-zone communication blocked in Palo Alto?
Ans –
By default, inter-zone communication is blocked, so a Security Policy with the Allow action is
required to pass IP communication between two security zones.
Question 28 – Which file is mandatory for the bootstrap process to function?
Ans – Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The
fields are described in Sample init-cfg.
Question 29 – Which parameter decides the primary and secondary firewall of an HA pair?
Ans –
The firewalls in an HA pair can be assigned a device priority value to indicate a preference for
which firewall should assume the active role.
In active/active configuration, set the Device ID to determine which peer will be active-primary
(set Device ID to 0) and which will be active-secondary (set the Device ID to 1).
Question 30 – What is the Application Command Center (ACC)?
Ans –
The Application Command Center (ACC) is an interactive, graphical summary of the
applications, users, URLs, threats, and content traversing your network. The ACC uses the
firewall logs to provide visibility into traffic patterns and actionable information on threats.
Question 31 – A traffic log displays "incomplete" for a new application. What does that
mean?
Ans –
Incomplete means that either the three-way TCP handshake did not complete, or the three-way
TCP handshake did complete but there was not enough data after the handshake to identify the
application. In other words, the traffic being seen is not really an application.
Question 32 – What options does a Palo Alto firewall have for forwarding log messages?
Ans –
Log message forwarding options include email servers, syslog servers, SNMP trap servers and
HTTP-based services.
Question 33 – When a URL matches multiple categories, which category is chosen?
Ans –
When a URL matches multiple categories, the category chosen is the one that has the most
severe action defined in the profile (block being most severe and allow least severe).
Question 34 – What actions are available while filtering URLs?
Ans –
From most strict to least strict, possible URL Filtering profile actions are: block, override,
continue, alert, and allow.
Question 35 – What is the Captive Portal and its usage?
Ans –
The Captive Portal is used to create user-to-IP mappings on the Palo Alto Networks firewall.
The portal is triggered based on the Captive Portal policies for HTTP and/or HTTPS traffic only,
and only for IP addresses without an existing user-to-IP mapping.
Question 36 – How does App-ID identify the applications used in the network?
Ans –
App-ID enables you to see the applications on your network and learn how they work, their
behavioral characteristics, and their relative risk. Applications and application functions are
identified via multiple techniques, including application signatures, decryption (if needed),
protocol decoding, and heuristics.
Question 37 – What are the 3 focal areas in which Panorama adds value?
Ans –
The three main areas in which Panorama adds value are:
• Centralized configuration and deployment.
• Aggregated logging with central oversight for analysis and reporting.
• Distributed administration.
Question 38 – What are the benefits of using Panorama?
Ans –
Panorama is very useful for updating software in bulk with a single click, without any hassle.
It also provides detailed reporting to check and validate compliance status. Panorama is
used as a logging service to collect logs from managed devices and solve operational logging
challenges.
Question 39 – Which command is used to show the maximum log file size?
Ans –
>show system logdb-quota
Question 40 – What are the different failover scenarios?
Ans-
The event in which one firewall fails and the peer takes over the role of safeguarding traffic
is known as a failover. It occurs when a monitored metric on a firewall in the HA pair fails.
• Hello messages and heartbeat polling:
o Hello messages and heartbeats are used by the firewalls to ensure that the peer
firewall is responsive and working. To validate the state of the firewall, hello
messages are delivered from one peer to the other at the configured Hello
Interval.
o The heartbeat is an ICMP ping over the control link to the HA peer, to which the
peer responds to confirm that the firewalls are connected and responding. The
heartbeat interval is 1000 milliseconds by default. Every 1000 milliseconds, a
ping is issued, and if three consecutive heartbeat losses occur, a failover
happens.
• Link monitoring:
o The monitored physical interfaces are organised into a link group, and their
status (link up or link down) is tracked. One or more physical interfaces can be
found in a link group. When any or all of the interfaces in a group fail, a firewall
failure occurs. The default behaviour is that if any link in the link group fails, the
firewall will set the HA status to non-functional (or tentative in active/active mode)
to signify a monitored object failure.
• Path monitoring:
o Path Monitoring keeps track of the whole network path to mission-critical IP
addresses. Pings using the ICMP protocol are used to check if an IP address is
reachable. Ping intervals are set to 200ms by default. When 10 consecutive
pings (the default value) fail, an IP address is declared unreachable, and a
firewall failure occurs when any or all of the monitored IP addresses become
unreachable. The default behaviour is that if any of the IP addresses becomes
unreachable, the firewall will set the HA state to non-functional (or tentative in
active/active mode) to signify a monitored object failure.
o In addition to the above failover triggers, a failover also happens when the administrator
suspends the firewall or when preemption occurs.
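As an added illustration (not part of the original document) of the triggers in Questions 8 and 40, the following Python model implements the consecutive-loss counters and the any/all group logic with the defaults stated above; the interface names, monitored addresses and probe results are constructed.

```python
# Added example, not from the original page: a model of the HA failure
# detectors described in Questions 8 and 40, using the page's defaults
# (heartbeat every 1000 ms, failover after 3 consecutive losses; path-monitor
# pings every 200 ms, unreachable after 10 consecutive failures; link and
# path groups failing on "any" or "all" members). Probe results are constructed.
from dataclasses import dataclass

HEARTBEAT_INTERVAL_MS = 1000
HEARTBEAT_LOSS_THRESHOLD = 3
PATH_PING_INTERVAL_MS = 200
PATH_PING_FAIL_THRESHOLD = 10

@dataclass
class ConsecutiveLossCounter:
    """Declares failure once `threshold` probes in a row have been lost."""
    threshold: int
    losses: int = 0

    def observe(self, success: bool) -> bool:
        # A successful probe resets the streak; only consecutive losses count.
        self.losses = 0 if success else self.losses + 1
        return self.losses >= self.threshold

def heartbeat_failover(replies: list) -> tuple:
    """(failover_triggered, elapsed_ms) for a sequence of heartbeat replies."""
    counter = ConsecutiveLossCounter(HEARTBEAT_LOSS_THRESHOLD)
    for n, ok in enumerate(replies, start=1):
        if counter.observe(ok):
            return True, n * HEARTBEAT_INTERVAL_MS
    return False, len(replies) * HEARTBEAT_INTERVAL_MS

def path_unreachable(pings: list) -> tuple:
    """(unreachable, elapsed_ms) for a sequence of path-monitor ping results."""
    counter = ConsecutiveLossCounter(PATH_PING_FAIL_THRESHOLD)
    for n, ok in enumerate(pings, start=1):
        if counter.observe(ok):
            return True, n * PATH_PING_INTERVAL_MS
    return False, len(pings) * PATH_PING_INTERVAL_MS

def group_failed(members_up: dict, condition: str = "any") -> bool:
    """Link or path group: fail when 'any' (default) or 'all' members are down."""
    down = [not up for up in members_up.values()]
    return any(down) if condition == "any" else all(down)

def ha_state(link_groups: list, path_groups: list, mode: str = "active/passive") -> str:
    """State the active firewall moves to when any monitored group has failed."""
    failed = any(group_failed(m, c) for m, c in link_groups + path_groups)
    if not failed:
        return "active"
    return "tentative" if mode == "active/active" else "non-functional"
```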
Question 41 – What is the procedure for adding a licence to the Palo Alto firewall?
Ans –
Locate the licence activation codes that you purchased.
Palo Alto Networks customer care should have sent you an email with the activation codes
associated with each subscription when you purchased them. If you can't find this email, you'll
need to contact Customer Support to get your activation codes before continuing.
You have to activate your Support subscription. If you don't have a valid Support
licence, you won't be able to upgrade your PAN-OS software.
1- Select Device > Support after logging in to the web interface.
2- Select Activate support using authorisation code.
3- Enter your Authorization Code and click OK.
Activate each licence you've bought. Choose Device > Licences, then
activate your licences and subscriptions using one of the methods below:
1- Retrieve licence keys from the licence server.
2- Activate the feature using an authorisation code.
3- Upload the licence key manually.
Question 42 – How to take a backup of a Palo Alto firewall?
Ans –
1- After logging into the Palo Alto firewall, go to Device -> Setup -> Operations.
2- To save the settings locally to the Palo Alto firewall, click "Save named
configuration snapshot."
3- To save a backup of the Palo Alto Configuration file to your local PC, click
"Export Named Configuration Snapshot."
Question 43 – Explain Single Pass Software and Parallel Processing Hardware.
Ans –
Within the Palo Alto Networks next-generation firewall, the Single Pass software is designed
to achieve two critical purposes. First, the single-pass software performs operations only once
per packet: networking functions, policy lookup, application identification and decoding, and
signature matching for all threats and content are all executed once when a packet is
processed.
Hardware is the other important component of the Palo Alto Networks SP3 architecture.
Parallel Processing hardware is used in Palo Alto Networks next-generation firewalls to ensure
that the Single Pass software operates quickly. Palo Alto Networks developers first created
independent data and control planes, so that management activity does not slow down packet
processing.
Question 44 – What is a "service route" in Palo Alto?
Ans –
The path from an interface to the service on a server is referred to as the service route. The
management (MGT) interface is the default interface for accessing external services.