Tap mode: this mode allows users to monitor any type of traffic flow across the
networking system with the help of a tap or a switch SPAN/mirror port.
Virtual wire: in this deployment model, the firewall is installed passively on a
network segment by combining two interfaces together.
Layer 2 mode: in this mode, multiple network interfaces are configured into a
“virtual-switch” or VLAN mode.
Layer 3 deployment: in a Layer 3 deployment, the Palo Alto firewall routes traffic
between multiple interfaces. The user must assign an IP address to each interface.
4. What are the scenarios for failover triggering?
Ans: Failover is triggered when the active device does not respond to heartbeat
polls: the loss of three consecutive heartbeats over a period of 1000 milliseconds
is treated as a failure.
5. Which command is used to check the firewall policy matching in Palo Alto?
Ans: Run the test security-policy-match command from the firewall CLI, for
example: test security-policy-match from trust to untrust destination ...
HA1 and HA2 are two different ports used in HA. HA1 is called the control link,
while HA2 is called the data link. These ports are used to maintain state
information and synchronize data between the peers.
18. What is the virtual system and virtual router in Palo Alto?
Ans: A virtual router is a function of the Palo Alto firewall that takes part in
Layer 3 routing. A virtual system is an exclusive, logical function in Palo Alto:
it acts as an independent firewall whose traffic is kept separate from that of the
other virtual systems.
19. Which are the media types that the firewall supports?
Ans: The Palo Alto firewall supports two media types: copper and fiber optic.
Single-pass processing
Parallel processing
25. What are the options available on Palo Alto Firewall for forwarding the log
messages?
Ans: There are two different options available on the Palo Alto firewall for
forwarding log messages, which are listed below:
34. Which are the features Palo Alto supports when it is in virtual wire mode?
Ans: When the Palo Alto firewall is in virtual wire mode, it supports features such
as App-ID, Decryption, Content-ID, User-ID, and NAT.
35. Do you know which virtualization platform provides extensive support during the
deployment of Palo Alto Networks firewalls?
Ans: VM-Series is the virtualization platform that provides extensive support during
the deployment of Palo Alto Networks firewalls. It supports a wide range of public
and private cloud environments such as OpenStack, VMware, Cisco ACI, Amazon Web
Services, Google Cloud Platform, and many more.
36. Can you determine which command is used to show the maximum log file size? Give
a brief idea of how Panorama handles new logs when the storage limit is reached.
Ans: The command that is used to show the maximum log file size is represented
below:
When the log storage limit is reached, Panorama automatically deletes the oldest
logs and gives the space to the new records. Panorama has automated functionality
that detects when the storage limit is reached and removes old logs as needed.
37. Can you determine the default IP address of the management port in Palo Alto
Firewall along with the default username and password?
Ans: The default IP address of the management port in Palo Alto Firewall is
192.168.1.1.
38. Can you explain about the different states in the HA Firewall?
Ans: The different states in the HA firewall are listed below:
Initial
Passive
Active
Active-primary
Active-secondary
Tentative
Non-functional
Suspended
39. What is WildFire? Give a brief explanation of the functionality of WildFire.
Ans: Securing a network from potential threats requires finding and analyzing
malware, which is quite a hectic process. WildFire is a cloud-based malware
detection service which helps to identify unknown files or threats created by
attackers. WildFire rapidly delivers protection and shares threat intelligence
with organizations.
42. Give a brief idea about the single-pass parallel processing architecture. Which
architecture does Palo Alto use?
Ans: Single-pass: in single-pass processing, all the operations are performed only
once per packet. These operations include application identification, networking
functions, policy lookup, decoding, and signature matching for any content or
threats. In simpler terms, instead of using multiple engines, single-pass software
scans the traffic once, in a stream-based fashion.
43. Define the term HALite in Palo Alto. Give a brief explanation of its
capabilities.
Ans: Before defining HALite we need to know about the PA-200. The PA-200 is a
firewall which protects the network from a broad range of cyber threats. HALite is
the HA feature available on the PA-200. It provides synchronization of some
run-time items. A limited version of HA is used on the PA-200 as there are a limited
number of ports available for synchronization.
45. Can you brief the basic approaches used to deploy certificates for the Palo
Alto Networks firewalls?
Ans: There are three different approaches used to deploy certificates for Palo Alto
Networks firewalls:
Generation of self-signed certificates.
Useful HA CLI commands:
show high-availability state: shows the HA state of the Palo Alto firewall
show high-availability state-synchronization: used to check the sync status
show high-availability path-monitoring: shows the status of path monitoring on the
system
request high-availability state suspend: suspends the active box and makes the
current passive box active.
47. Elucidate the differences between PA-200, PA-600, and higher models?
The network processing and signature processing are implemented on the software in
PA-200 and PA-500. The higher models will have a dedicated hardware processor to
perform these functionalities.
A Palo Alto Networks firewall in Layer 3 mode provides routing and network address
translation (NAT) functions.
The routing table is used to evaluate the source and destination zones of NAT
policies.
Example 1: if you are translating traffic that is destined to an internal server
(which is reached via a public IP by internal users), the NAT policy must be
configured using the zone in which the public IP address resides.
Regardless of the policy, the original IP addresses are ALWAYS used in rules. Why?
Because address translation does not take place until the packet egresses the
firewall. The destination zone is the ONLY zone that can change from the original
packet during processing.
The following checklist details the settings that you must configure identically on
both firewalls:
53. What is the role of the Virtual Wire interface in the Palo Alto firewall?
Ans: A virtual wire interface allows the transmission of traffic between two
interfaces by binding them together.
By using a Zone Protection profile you get protection from attacks such as floods,
reconnaissance, and packet-based attacks, among others.
It protects you from flood attacks such as SYN, ICMP, and UDP floods, among others.
You can defend against port scans and host sweeps with reconnaissance protection.
Packet-based protection guards against large ICMP packets and ICMP fragment
attacks.
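The reconnaissance and flood protections listed above are threshold-based: a source touching many ports on one host (port scan), one port on many hosts (host sweep), or too many connection attempts per second toward one host (SYN flood) crosses a limit inside a time window. The Python script below is an added example, not Palo Alto code, that applies such thresholds to constructed traffic records; the record format, the interval and threshold values, and the addresses are all assumptions chosen for illustration, not the firewall's defaults.

```python
"""Threshold-based reconnaissance and flood detection over traffic records.

Added example (not Palo Alto code): the record format, thresholds, intervals and
addresses below are constructed for illustration and are not PAN-OS defaults.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float           # seconds (constructed timestamps)
    src: str            # source IP
    dst: str            # destination IP
    dport: int          # destination port
    proto: str          # "tcp", "udp" or "icmp"
    syn: bool = False   # True for a TCP connection attempt (SYN)


def _window_hits(flows, interval, threshold, key=None):
    """Slide a window of `interval` seconds over the flows (sorted by time).
    Return True if any window holds `threshold` events (key=None) or
    `threshold` distinct values of key(flow)."""
    window = []
    for f in sorted(flows, key=lambda x: x.ts):
        window.append(f)
        while f.ts - window[0].ts > interval:
            window.pop(0)
        size = len(window) if key is None else len({key(w) for w in window})
        if size >= threshold:
            return True
    return False


def detect_port_scans(flows, interval=2.0, threshold=10):
    """Port scan: one source hitting many distinct ports on a single host.
    Returns sorted (src, dst) pairs."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    return sorted(pair for pair, fl in groups.items()
                  if _window_hits(fl, interval, threshold, key=lambda x: x.dport))


def detect_host_sweeps(flows, interval=10.0, threshold=10):
    """Host sweep: one source probing the same port across many hosts.
    Returns sorted (src, dport) pairs."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dport)].append(f)
    return sorted(pair for pair, fl in groups.items()
                  if _window_hits(fl, interval, threshold, key=lambda x: x.dst))


def detect_syn_floods(flows, interval=1.0, threshold=50):
    """SYN flood: too many TCP connection attempts toward one host within
    `interval` seconds (events are counted, not distinct keys).
    Returns sorted destination IPs."""
    groups = defaultdict(list)
    for f in flows:
        if f.proto == "tcp" and f.syn:
            groups[f.dst].append(f)
    return sorted(dst for dst, fl in groups.items()
                  if _window_hits(fl, interval, threshold))


def sample_flows():
    """Constructed traffic: a few normal web sessions, a port scan, a host
    sweep and a SYN flood. None of this comes from a real firewall log."""
    flows = [Flow(100.0 + i, "10.0.0.2", "192.168.1.10", 443, "tcp", True)
             for i in range(5)]                                    # benign
    flows += [Flow(200.0 + p * 0.1, "10.0.0.5", "192.168.1.10", p, "tcp", True)
              for p in range(1, 16)]                               # 15 ports in 1.5 s
    flows += [Flow(300.0 + h * 0.4, "10.0.0.6", f"192.168.1.{h}", 445, "tcp", True)
              for h in range(1, 13)]                               # 12 hosts, port 445
    flows += [Flow(400.0 + i * 0.008, "10.0.0.7", "192.168.1.20", 80, "tcp", True)
              for i in range(60)]                                  # 60 SYNs in 0.5 s
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("port scans :", detect_port_scans(flows))    # [('10.0.0.5', '192.168.1.10')]
    print("host sweeps:", detect_host_sweeps(flows))   # [('10.0.0.6', 445)]
    print("syn floods :", detect_syn_floods(flows))    # ['192.168.1.20']
```

The three detectors share one sliding-window helper and differ only in how records are grouped and what is counted: distinct ports per (source, host) for a scan, distinct hosts per (source, port) for a sweep, and raw SYN count per destination for a flood. On a real firewall these limits are the profile's interval and threshold settings, and the benign sessions in the sample show why a threshold, not a single hit, is what separates normal use from reconnaissance.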
55. What is the difference between Palo Alto NGFW and WAF?
Ans:
A Web Application Firewall (WAF), on the other hand, is designed to look at web
applications and track them for security problems that may occur as a result of
coding errors. The only thing the two solutions have in common is that both use the
word firewall in their names. A WAF is only needed by companies who believe their
web applications have coding problems.
56. Explain the difference between Virtual Routers and Virtual Systems in Palo
Alto?
Ans:
Virtual systems are separate, logical firewall instances within a single physical
Palo Alto Networks firewall. Controlled service providers and organizations should
use a single pair of firewalls (for high availability) and allow virtual
environments on them instead of having multiple firewalls. Each virtual system
(vsys) is an independent, separately-managed firewall with its traffic kept
separate from the traffic of other virtual systems.
A virtual router is a firewall feature that takes part in Layer 3 routing. You can
manually define static routes or participate in one or more Layer 3 routing
protocols, and the firewall can use virtual routers to obtain routes to other
subnets (dynamic routes).
The original IP address, which is the pre-NAT address, is subject to the NAT rules
and security policies. The zone associated with a pre-NAT IP address is used to
configure a NAT rule.
58. Which Palo Alto Networks solution targets endpoint security from Cyber-attacks?
Ans: The next-generation firewall solution targets endpoint security from
cyber-attacks. It provides detailed network traffic visibility focused on
applications, users, and content, enabling you to accept and meet your business
requirements.
59. Which all types of logs can be viewed on Palo Alto NGFWs?
Ans: You can view Traffic Logs, Threat Log, URL Filtering Logs, WildFire
Submissions Logs, Data Filtering Logs, Correlation Logs, Tunnel Inspection Logs,
Unified logs, HIP Match logs, GTP logs, SCTP logs, System logs, Alarm logs, and
Configuration logs, etc.
The same model—The hardware or virtual machine models of both firewalls in the pair
must be the same.
The same PAN-OS version—Both firewalls must be running the same PAN-OS version and
have the application, URL, and threat databases up to date.
The same multi virtual system capability—Multi Virtual System Capability must be
activated or disabled on both firewalls. Each firewall requires several virtual
machine licenses when it is activated.
The same type of interfaces—Dedicated HA links, or a combination of the management
port and in-band ports that are set to interface type HA.
Determine the IP address for the HA1 (control) connection between the HA peers. The
HA1 IP address for both peers must be on the same subnet if they are directly
connected or are connected to the same switch.
For firewalls without dedicated HA ports, you can use the management port for the
control connection. Using the management port provides a direct communication link
between the management planes on both firewalls. However, because the management
ports will not be directly cabled between the peers, make sure that you have a
route that connects these two interfaces across your network.
If you use Layer 3 as the transport method for the HA2 (data) connection, determine
the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must
communicate over a routed network. The IP subnet for the HA2 links must not overlap
with that of the HA1 links or with any other subnet assigned to the data ports on
the firewall.
The same set of licenses—Each firewall has its own license, which cannot be shared.
As a result, all firewalls must have the same license. Both firewalls cannot
synchronize configuration information and ensure parity for a seamless failover if
they do not have the same collection of licenses.
61. What are the HA modes in which the Palo Alto firewall can be configured?
Ans: The firewalls for HA can be configured in one of two ways:
Active/Active— Both firewalls in the pair are up and running, managing traffic, and
handling session configuration and ownership in a synchronous manner. Both
firewalls keep their own session and routing tables and synchronize with one
another. Active/active HA is supported in virtual wire and Layer 3 deployments.
On Google Cloud Platform, the VM-Series firewall does not support high
availability.
Active/Passive— This HA mode is supported in deployment types including virtual
wire, Layer 2, and Layer 3. In this mode, the configuration settings are shared by
both firewalls. If the active firewall fails, the passive firewall becomes active
and maintains network security.
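The failover behaviour described for Active/Passive HA (question 4's three lost heartbeats over the 1000 ms period, the HA states listed in question 38, and the operator-initiated handover of request high-availability state suspend) can be modelled as a small state machine. The Python below is an added example, not Palo Alto code: the peer names fw-a and fw-b, the simulated clock and the simplified transitions are constructed for illustration, and only Active/Passive is modelled (the Active/Active states active-primary, active-secondary and tentative are left out).

```python
"""Toy model of an Active/Passive HA pair and its heartbeat-driven failover.

Added example, not Palo Alto code. The 1000 ms heartbeat period and the
three-missed-heartbeat threshold are the figures quoted in the text; peer
names, the simulated clock and the transitions are constructed simplifications
(Active/Active and its extra states are not modelled).
"""

HEARTBEAT_INTERVAL_MS = 1000      # heartbeat period quoted in the text
MISSED_HEARTBEAT_LIMIT = 3        # consecutive misses that declare the peer down


class HAPeer:
    def __init__(self, name, state):
        self.name = name
        self.state = state        # "active", "passive", "non-functional", "suspended"
        self.missed = 0           # consecutive heartbeats the peer failed to answer

    def record_heartbeat(self, answered):
        """Record one heartbeat poll sent to the peer. Returns True the moment
        the miss counter reaches the threshold; any answer resets it."""
        self.missed = 0 if answered else self.missed + 1
        return self.missed >= MISSED_HEARTBEAT_LIMIT


class HAPair:
    def __init__(self):
        self.peers = {"fw-a": HAPeer("fw-a", "active"),
                      "fw-b": HAPeer("fw-b", "passive")}
        self.clock_ms = 0         # simulated time, advanced one period per poll

    def active(self):
        """Name of the peer currently passing traffic, or None."""
        return next((n for n, p in self.peers.items() if p.state == "active"), None)

    def _other(self, name):
        return "fw-b" if name == "fw-a" else "fw-a"

    def poll(self, observer, peer_answered):
        """`observer` polled its peer over HA1; `peer_answered` says whether the
        peer responded. A passive peer that sees the threshold crossed takes
        over. Returns a list of state changes (empty if nothing happened)."""
        self.clock_ms += HEARTBEAT_INTERVAL_MS
        obs = self.peers[observer]
        peer = self.peers[self._other(observer)]
        if not obs.record_heartbeat(peer_answered):
            return []
        if obs.state == "passive" and peer.state == "active":
            peer.state = "non-functional"
            obs.state = "active"
            return [f"t={self.clock_ms}ms: {observer} became active, {peer.name} "
                    f"missed {MISSED_HEARTBEAT_LIMIT} consecutive heartbeats"]
        return []

    def suspend(self, name):
        """Operator-initiated handover, like 'request high-availability state
        suspend' on the active box: it goes to suspended and the passive peer
        becomes active. Returns the new active peer."""
        me, other = self.peers[name], self.peers[self._other(name)]
        if me.state == "active" and other.state == "passive":
            other.state = "active"
        me.state = "suspended"
        return self.active()


def simulate_missed_heartbeats():
    """Two misses, an answer, then three misses: only the third consecutive
    miss triggers failover. Returns (active before, active after, fw-a state)."""
    pair = HAPair()
    for answered in (False, False, True, False, False):
        pair.poll("fw-b", answered)
    before = pair.active()                  # still fw-a: the answer reset the count
    pair.poll("fw-b", False)                # third consecutive miss
    return before, pair.active(), pair.peers["fw-a"].state


def simulate_suspend():
    """Manual failover via suspend. Returns (active peer, fw-a state)."""
    pair = HAPair()
    pair.suspend("fw-a")
    return pair.active(), pair.peers["fw-a"].state


if __name__ == "__main__":
    print(simulate_missed_heartbeats())   # ('fw-a', 'fw-b', 'non-functional')
    print(simulate_suspend())             # ('fw-b', 'suspended')
```

The detail worth noticing is that the miss counter is consecutive: a single answered heartbeat resets it, so intermittent packet loss on the HA1 link does not flip the pair, while a genuinely silent peer is declared down after exactly three periods.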
Alert: The website is allowed and a log entry is generated in the URL filtering
log.
Allow: The website is allowed and no log entry is generated.
Block: The website is blocked and the user will see a response page and will not be
able to continue to the website. A log entry is generated in the URL filtering log.
Continue: The user will be prompted with a response page indicating that the site
has been blocked due to company policy, but the user is prompted with the option to
continue to the website.
Override: With this Override option, the security admin or helpdesk person would
provide a password granting temporary access to all websites in the given category.
67. Steps to configure App ID and Content IDs how they can be added to the
existing/new security policies
Ans:
The default IP address of the management port in Palo Alto Firewall is 192.168.1.1.
The username is "admin" with a password as "admin."
69. Steps to take configuration Backup of the Palo alto firewall
Ans: Palo alto firewall configuration backup:
Navigate to Device -> Setup -> Operations after logging into the Palo Alto firewall.
Click on "Save named configuration snapshot" to save the configuration locally to
the Palo alto firewall.
Click on "Export Named Configuration Snapshot" to take the backup of the Palo Alto
Configuration file into the local PC.
This displays the status of the Setup, active/passive settings, control link (HA1),
control link (HA1 backup), data link (HA2), and election settings.
72. How to do Stateful failover on the Palo alto firewall on the HA cluster?
Ans: When a failure occurs on one firewall and the peer takes over the task of
securing traffic, the event is called a failover. A failover is triggered, for
example, when a monitored metric on a firewall in the HA pair fails. The following
are the metrics that are implemented to monitor and detect a firewall failure:
The first place to go is the Packet Capture menu on the GUI, where you can manage
filters, add capture stages, and easily download captures.
Before we get started, there are a few things you should know:
Four filters can be added with a variety of attributes.
Packet captures are session-based, so a single filter is capable of capturing both
client2server and server2client.
Packets are captured on the dataplane rather than on the interface (this explains
the next bullet).
Pre-Parse Match is a feature that can capture all files before they are processed
by the engines running on the dataplane, which can help troubleshoot issues where
an engine may not be properly accepting an inbound packet. This option should be
used only if instructed by the support and on a low volume time of day as it will
capture everything.
When filtering is enabled, new sessions are marked for filtering and can be
captured, but existing sessions are not being filtered and may need to be restarted
to be able to capture them.
Offloaded sessions can't be captured so offloading may need to be disabled
temporarily. An offloaded session will display “layer7 processing: completed” in
the “show session” details.
Add a couple of filters.
If we now switch the Filtering button to ON, the filters will be applied to any new
sessions that match the criteria:
A simple way to check if the filter is working is to check if global counters are
increasing if a new session is initiated.
Steps for Packet capturing in CLI:
Next you're going to configure the stages; there are four stages:
drop stage is where packets get discarded. The reasons may vary and, for this part,
the global counters may help identify if the drop was due to a policy deny, a
detected threat, or something else.
receive stage captures the packets as they ingress the firewall before they go into
the firewall engine. When NAT is configured, these packets will be pre-NAT.
transmit stage captures packets how they egress out of the firewall engine. If NAT
is configured, these will be post-NAT.
firewall stage captures packets in the firewall stage.
When all the desired stages are set, you can switch the capture button to ON, or
you can use the CLI: first clear the existing sessions which match the specified
filters, to make sure no session has been active since before the filters were
enabled, then use the capture on command to start the capture, as displayed below.
> show session all => Note down the session number matching the configured
filters.
> clear session id => This clears any existing session that matches the configured
filters.
You can now launch the sessions you'd like to capture. To verify if the session has
started, use the show session command:
> show session all
When you're done, the capture can be turned off by toggling the button back to the
OFF position or using the debug command:
> debug dataplane packet-diag set capture off
82. Describe the Zero Trust feedback loop architecture in Palo Alto.
The zero-trust approach to cybersecurity secures an organisation by removing
implicit trust and continuously authorising every stage of a digital interaction,
following the principle of never trust, always verify. Zero trust architecture
provides more comprehensive security and makes it simple to operate. It prevents
phishing, malware, and data exfiltration attacks.
83. What must be used in a security policy rule that contains addresses where a NAT
policy applies?
Upon receiving the packet, the firewall inspects it and performs a route lookup to
determine the egress interface and zone. The rule is then matched using pre-NAT
addresses together with post-NAT zones.
Conclusion
2. Palo Alto is touted as the next-generation firewall. What are the reasons for
this?
Palo Alto has everything that is needed to call it the next-generation firewall. It
has an intrusion prevention system. It also has application control features. In
terms of delivery, it is much different from other vendors. It delivers the next-
generation features using a single platform.
3. What is the advantage of Palo Alto’s Single Pass Parallel Processing (SP3)
architecture?
The following are the advantages of Single Pass Parallel Processing (SP3)
architecture:
5. What is the difference between PA-200 and PA-500 and the higher models?
Activities such as signature process and network processing are implemented on
software in PA-200 and PA-500. However, the higher models contain a dedicated
hardware processor.
6. Security policy rule contains addresses where NAT policy applies. Which address
needs to be used in the security policy?
You need to use the pre-NAT address and the post-NAT zone.
13. What are the features Palo Alto supports when it is in Virtual Wire mode?
When in Virtual Wire mode, Palo Alto supports features such as
App-ID
Decryption
Content-ID
User-ID
NAT
14. What is App-ID?
App-ID is the short form for Application Identification. It is the main component
in Palo Alto. The responsibility of App-ID is to identify the applications that
traverse the firewall.
24. Which are the log types that can be viewed in Palo Alto?
You can view
Traffic Logs
Threat Log
URL Filtering Logs
WildFire Submissions Logs
Data Filtering Logs
Correlation Logs
Tunnel Inspection Logs
Unified logs
HIP Match logs
GTP logs
SCTP logs
System logs
Alarm logs
Configuration logs
25. What is the functioning of Palo Alto WildFire?
Palo Alto WildFire highlights the threats that need more attention using a threat
intelligence prioritization feature called AutoFocus. It is a cloud-based service
which provides malware sandboxing.
29. What is HALite in Palo Alto? What are its capabilities? Which are the features
not available in HA Lite?
The high-availability feature on the PA-200 is called HA Lite in Palo Alto. The HA
Lite provides a lighter version of HA capabilities. Some of the capabilities of HA
Lite include - DHCP Lease information, PPPoE lease information, A/P High
Availability without session sync, Failover of IPSec Tunnels, Configuration sync,
and Layer 3 forwarding tables. Some of the features that are not available in HA
Lite include – Jumbo Frames, Link Aggregation, A/A High Availability, and A/P High
Availability with session synchronization.
31. Which are the media types that the firewall supports?
Palo Alto Networks firewall supports two media types, which include copper and
fiber optic.
32. Which are the port types recommended to use in a HA pair in Palo Alto?
The recommended ports to be used in a HA are:
35. What are the log forwarding options supported in the Palo Alto firewall?
The log forwarding options supported in Palo Alto include the following:
Forwarding of logs from firewalls to Panorama and from Panorama to external
services
Forwarding of logs from firewalls to Panorama and to external services in parallel
36. What is the purpose of the virtual wire interface in the Palo Alto firewall?
A virtual wire interface allows the transmission of traffic between two interfaces
by binding them together.
40. What is Application Incomplete in Palo Alto?
The Application Incomplete can be understood as - either the three-way TCP
handshake is not completed or it is completed but there was no data to identify the
application after the handshake.
Exploits, malware, and malware communications should all be detected and blocked.
53. What is the difference between source and destination network address
translation (NAT)?
The destination addresses and ports of packets are translated by destination NAT.
Source NAT converts private IP addresses to public IP addresses so that intranet
users can access the Internet using public IP addresses.
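The evaluation order that the NAT notes earlier on this page describe (a route lookup on the original destination decides the destination zone; the security policy is matched on pre-NAT addresses plus the post-NAT destination zone; addresses are rewritten only at egress), the capture stages from the packet-capture section (receive is pre-NAT, transmit is post-NAT, drop holds denied packets) and the source versus destination NAT distinction just above can all be pictured with one small simulator. The Python below is an added illustration, not PAN-OS code: the zones, routes, addresses, NAT rules and security rules are constructed, and the model covers both the destination NAT of "Example 1" (an internal server reached via its public IP, including by internal users) and source NAT for outbound traffic.

```python
"""Simplified packet walk: route lookup, NAT, security policy, capture stages.

Added example, not PAN-OS code. Zones, routes, addresses and rules below are
constructed for illustration. The order of operations follows the text: the
destination zone comes from a route lookup, the security policy is matched on
pre-NAT addresses plus the post-NAT destination zone, and addresses are only
rewritten when the packet leaves the firewall.
"""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


# Constructed routing table: prefix -> zone of the egress interface.
ROUTES = {"192.168.1.0/24": "trust", "10.10.10.0/24": "dmz", "0.0.0.0/0": "untrust"}

PUBLIC_WEB = "203.0.113.10"     # public IP of the internal web server (constructed)
INTERNAL_WEB = "10.10.10.5"     # its real address in the dmz zone (constructed)
EGRESS_PUBLIC = "203.0.113.1"   # address used for source NAT of outbound traffic


def zone_for(ip):
    """Longest-prefix match of `ip` against ROUTES; the default route wins last."""
    addr = ipaddress.ip_address(ip)
    nets = [ipaddress.ip_network(p) for p in ROUTES]
    best = max((n for n in nets if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def apply_nat(pkt, src_zone, dst_zone):
    """Return (translated packet, post-NAT destination zone).

    Destination NAT: traffic to PUBLIC_WEB whose original zone is untrust is
    mapped to INTERNAL_WEB, so the zone is re-derived from the new address.
    Source NAT: trust -> untrust traffic leaves with the egress public address.
    """
    new = pkt
    if pkt.dst == PUBLIC_WEB and dst_zone == "untrust":
        new = replace(new, dst=INTERNAL_WEB)
    post_dst_zone = zone_for(new.dst)
    if src_zone == "trust" and post_dst_zone == "untrust":
        new = replace(new, src=EGRESS_PUBLIC)
    return new, post_dst_zone


# Constructed security rules: (name, from_zone, to_zone, src_prefix, dst_ip, dport, action).
# The destination is the pre-NAT public address while the zone is the post-NAT one.
SECURITY_RULES = [
    ("allow-web-inbound", "untrust", "dmz", "0.0.0.0/0", PUBLIC_WEB, 443, "allow"),
    ("allow-web-uturn", "trust", "dmz", "192.168.1.0/24", PUBLIC_WEB, 443, "allow"),
    ("allow-outbound", "trust", "untrust", "192.168.1.0/24", None, None, "allow"),
]


def match_policy(pkt, src_zone, post_dst_zone):
    """First matching rule, evaluated on the ORIGINAL addresses; implicit deny."""
    for name, fz, tz, src_prefix, dst_ip, port, action in SECURITY_RULES:
        if (fz, tz) != (src_zone, post_dst_zone):
            continue
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_prefix):
            continue
        if dst_ip is not None and pkt.dst != dst_ip:
            continue
        if port is not None and pkt.dport != port:
            continue
        return name, action
    return None, "deny"


def process(pkt, ingress_zone):
    """Walk one packet through the stages a capture can be attached to."""
    capture = {"receive": pkt}                       # as received: pre-NAT
    original_dst_zone = zone_for(pkt.dst)            # route lookup on original dst
    translated, post_dst_zone = apply_nat(pkt, ingress_zone, original_dst_zone)
    rule, action = match_policy(pkt, ingress_zone, post_dst_zone)
    capture["firewall"] = pkt                        # what the policy engine saw
    if action != "allow":
        capture["drop"] = pkt
    else:
        capture["transmit"] = translated             # leaving the firewall: post-NAT
    return {"rule": rule, "action": action,
            "zones": (ingress_zone, post_dst_zone), "capture": capture}


if __name__ == "__main__":
    for pkt, zone in [(Packet("198.51.100.7", PUBLIC_WEB, 443), "untrust"),
                      (Packet("192.168.1.50", PUBLIC_WEB, 443), "trust"),
                      (Packet("192.168.1.50", "198.51.100.80", 80), "trust"),
                      (Packet("198.51.100.7", PUBLIC_WEB, 22), "untrust")]:
        r = process(pkt, zone)
        print(pkt, zone, "->", r["rule"], r["action"], r["zones"], sorted(r["capture"]))
```

The point to notice is in the inbound rule: it names 203.0.113.10, the pre-NAT address, together with dmz, the post-NAT zone. A rule written with 10.10.10.5 would never match because the policy engine only ever sees the original addresses, and a rule written with the untrust zone would fail because the route lookup on the translated destination has already moved the packet's destination zone to dmz. The receive and transmit captures show the same asymmetry: the packet is pre-NAT on the way in and post-NAT on the way out, which is why a capture filter has to be written for the stage it is attached to.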
54. What are the different configuration modes for Palo Alto interfaces?
Tap mode: With the use of a tap or switch SPAN/mirror port, users can observe any
form of traffic flow throughout the networking system.
Virtual Wire: The firewall system is installed passively on any network segment
using this deployment model, which combines two interfaces.
Layer 3 deployment: The Palo Alto firewall routes allow traffic to flow between
various interfaces in this layer 3 deployment. The IP address should be added to
each interface by the user.
55. What are the benefits of using Palo Alto Networks Products?
Palo Alto Networks' products offer unparalleled insight into network traffic and
malicious activities, both in the network and on the endpoint. When this visibility
is combined with Splunk, a client may do correlations and analyses on a variety of
data types. Correlations can be made between multiple types of Palo Alto Networks
data, such as comparing Wildfire reports to traffic logs to find infected hosts or
firewall logs to endpoint logs. But correlations and analyses across various
sources of data and vendors, such as correlating firewall logs with web server logs
or advanced endpoint security logs with Windows event logs, are where Splunk's true
power lies.
Data
Security Processing
Network Processing
Control
2. On a firewall, the management network port can be configured as which type of
interface?
Virtual wire
Layer 2
Layer 3
Serial
3. With a Palo Alto Networks firewall, how many zones can an interface be assigned?
One
Two
Three
Four
4. Which of the following claims about App-ID content changes is correct?
The way security policy rules are applied may change as application content is
updated.
Blowfish
SSL
Both
None
8. Which types of attacks can a DoS Protection profile protect nodes from?
IP Address Spoofing
9. Which of the following options displays the attributes that can be selected when
creating application filters?
Block List
Allow List
Both A and C
Both A and B