
Most Frequently Asked Palo Alto Interview Questions

Is Palo Alto a stateful firewall


What is the application command center (ACC)
What is the zone protection profile
Define WAF and its purpose
What is APP-ID
What is an HSCI port
What are HA1 and HA2 in Palo Alto
What do you mean by endpoint security in Palo Alto
Can you explain about the different states in the HA Firewall
How to perform troubleshoot HA Using CLI
How to configure HA on Palo alto firewall
What is the function of the Zone Protection Profile
Explain Active/Passive HA in Palo Alto NGFW
Steps to configure zone protection profiles
What parameter decides a primary and secondary HA pair
Steps to do a Packet capture on GUI and CLI
How to do Dynamic updates and how to schedule them

1. Is Palo Alto a stateful firewall?

Ans: Yes. All traffic passing through the Palo Alto firewall is matched against a
session, and each session must in turn match a firewall security policy.


2. What is the purpose of Palo Alto Focus?

Ans: Palo Alto Focus is one of the services available in Palo Alto to identify
critical attacks and take the necessary action without using any additional
resources. It is a cloud-based threat intelligence service.

3. Name the types of deployment modes in Palo Alto?

Ans: There are four deployment modes:

Tap mode: this mode allows users to monitor any type of traffic flow across the
networking system with the help of a tap or a switch SPAN/mirror port.
Virtual wire: in this deployment mode, the firewall is installed passively on any
network segment by combining two interfaces together.
Layer 2 mode: in this mode, multiple networking interfaces are configured into a
"virtual switch" or VLAN mode.
Layer 3 deployment: in a Layer 3 deployment, the Palo Alto firewall routes traffic
between multiple interfaces. The user must assign an IP address to each interface.

4. What are the scenarios for failover triggering?

Ans: The following scenarios trigger a failover:

A failure occurs if one or more monitored interfaces fail.
A failure occurs if one or more specified destinations cannot be pinged by the
active firewall.
A failure occurs if the active device does not respond to heartbeat polls, that is,
three consecutive heartbeats are lost over a period of 1000 milliseconds.
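The three failover triggers above, as an added Python model (an illustration added here, not PAN-OS code and not from this page): it polls for heartbeats every 1000 ms and declares the peer down after three consecutive missed polls, alongside the link-monitor and path-monitor checks. The interface names, ping destination, timestamps and the simple "a poll is missed if nothing arrived since the previous poll" rule are assumptions of the model.

```python
"""Constructed monitor for the three HA failover triggers (added illustration,
not PAN-OS code): link monitoring, path monitoring and heartbeat loss, where
three consecutive missed heartbeat polls at a 1000 ms interval mean the peer
is down. Interface names, ping targets and timestamps are constructed."""
HEARTBEAT_INTERVAL_MS = 1000   # poll interval (from the text)
MAX_MISSED_HEARTBEATS = 3      # consecutive misses that trigger failover


def heartbeat_failure_time(arrivals_ms, end_ms, interval_ms=HEARTBEAT_INTERVAL_MS,
                           max_missed=MAX_MISSED_HEARTBEATS):
    """Poll every interval_ms; a poll is a miss if no heartbeat arrived since the
    previous poll. Return the poll time at which max_missed consecutive misses
    have occurred, or None if the peer stayed alive through end_ms."""
    arrivals = sorted(arrivals_ms)
    idx, missed, t = 0, 0, interval_ms
    while t <= end_ms:
        got = False
        while idx < len(arrivals) and arrivals[idx] <= t:   # heartbeats up to this poll
            got, idx = True, idx + 1
        missed = 0 if got else missed + 1                   # a heartbeat resets the count
        if missed >= max_missed:
            return t
        t += interval_ms
    return None


def failover_reasons(monitored_links, monitored_paths, heartbeat_arrivals_ms, end_ms):
    """Combine the three triggers. monitored_links maps interface name -> up (bool),
    monitored_paths maps ping destination -> reachable (bool)."""
    reasons = []
    for name, up in monitored_links.items():
        if not up:
            reasons.append(f"link-monitor: {name} down")
    for dest, reachable in monitored_paths.items():
        if not reachable:
            reasons.append(f"path-monitor: {dest} unreachable")
    failed_at = heartbeat_failure_time(heartbeat_arrivals_ms, end_ms)
    if failed_at is not None:
        reasons.append(f"heartbeat: {MAX_MISSED_HEARTBEATS} consecutive polls missed by {failed_at} ms")
    return reasons


# Constructed scenario: links and paths healthy, the peer stops answering after 2 s.
SAMPLE_LINKS = {"ethernet1/1": True, "ethernet1/2": True}
SAMPLE_PATHS = {"192.0.2.1": True}
SAMPLE_HEARTBEATS_MS = [0, 1000, 2000]   # nothing arrives after 2000 ms


def sample_decision():
    """Failover reasons for the constructed scenario, observed until 8000 ms."""
    return failover_reasons(SAMPLE_LINKS, SAMPLE_PATHS, SAMPLE_HEARTBEATS_MS, end_ms=8000)
```

In the constructed scenario the polls at 3000, 4000 and 5000 ms all miss, so the heartbeat trigger fires at 5000 ms; a single late heartbeat resets the count, which is why jitter alone does not cause a failover in this model.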

5. Which command is used to check the firewall policy matching in Palo Alto?

Ans: The test security-policy-match command on the firewall CLI, for example:
test security-policy-match from trust to untrust destination <destination-IP>

6. What is the application command center (ACC)?


Ans: The application command center offers visibility to the traffic patterns and
actionable information on threats in the firewall network logs.


7. What is the purpose of Palo Alto's AutoFocus?

Ans: AutoFocus in Palo Alto is a threat intelligence service; it supports easier
identification of critical attacks so that effective action can be taken without
the need for additional resources.

8. What is the zone protection profile?

Ans: With the help of the Zone Protection Profile, you get complete protection
from attacks like floods, reconnaissance, and packet-based attacks. The flood
attacks can be of type SYN, ICMP, UDP, etc. The reconnaissance protections help
you to defend against port and host sweeps. The packet-based protections protect
you from large ICMP and ICMP fragment attacks.

9. Name the types of protections used in Palo Alto?

Ans: The following are the major protections used in Palo Alto:

Zone protection profile: for example against floods, reconnaissance, and
packet-based attacks.
Configured under the Network tab: network profiles and zone protection.

10. What is U-turn NAT in Palo Alto?

Ans: U-turn NAT in Palo Alto is a logical path used in the networking system. In
this NAT configuration, internal users access the internal DMZ servers using the
external IP address of the respective servers.

11. Mention the advantages of the Palo Alto firewall?

Ans: The following are the important features of the Palo Alto firewall:

Offers high throughput and low latency
Provides high-level active security functions
Supports a single, fully integrated security policy
Easier-to-use management policy

12. Define WAF and its purpose?

Ans: WAF refers to Web Application Firewall. The primary purpose of a WAF is to
monitor web applications in order to enhance the security of the web application
and its features. It protects the web application by filtering the traffic between
the internet and the application.

13. What do you mean by HA, HA1, and HA2 in Palo Alto?

Ans: HA: HA refers to High Availability, a deployment model in Palo Alto. HA is used
to prevent a single point of failure in a network. It includes two firewalls with a
synchronized configuration. If one firewall crashes, security features are applied
via the other firewall. This helps the business continue without any interruption.

HA1 and HA2 are two different ports in HA. HA1 is called the control link, while HA2
is called the data link. These ports are used to maintain state information and
synchronize the data.

14. What is the type of Palo Alto architecture?


Ans: The Palo Alto architecture follows single pass parallel processing.

15. What are Active/Passive and Active/Active modes in Palo Alto?

Ans: There are several modes that can be used in a Palo Alto configuration.

Active/Passive: this mode is supported in deployment types including virtual wire,
Layer 2, and Layer 3. In this mode, the configuration settings are shared by both
firewalls. If the active firewall fails, the passive firewall becomes active and
maintains network security.
Active/Active: this mode is supported in deployment types including virtual wire
and Layer 3. In this mode, both firewalls work synchronously and process the
traffic.

16. What is App-ID?

Ans: App-ID is the short form of application identification. It is one of the main
components of Palo Alto. The major responsibility of App-ID is identifying the
applications that traverse the firewall.

17. Mention the benefits of Panorama in Palo Alto?

Ans: The following are a few benefits of Panorama in Palo Alto:

Offers distributed administration, which helps you to control and delegate
assessment of the Palo Alto firewall configurations.
Provides a centralized configuration system and deployment.
Supports log aggregation and management with central oversight for reporting and
analysis.

18. What are the virtual system and virtual router in Palo Alto?

Ans: A virtual router is a function of the Palo Alto firewall and is part of the
Layer 3 routing layer. A virtual system is an exclusive, logical function in Palo
Alto; it is also an independent firewall, and its traffic is kept separate.

19. Which are the media types that the firewall supports?
Ans: The Palo Alto firewall supports two types of media such as copper and fiber
optic.

20. What is an HSCI port?

Ans: HSCI is a Layer 1 SFP+ interface. In an HA configuration, it connects any two
PA-200 series firewalls. This port can be used for both HA2 and HA3 network
connections, and raw Layer 1 traffic can be transmitted over the HSCI ports.

21. What is GlobalProtect VPN support?

Ans: The GlobalProtect VPN provides a clientless SSL virtual private network (VPN)
and helps to access applications in the data center.

22. What are HA1 and HA2 in Palo Alto?

Ans: HA1 and HA2 are dedicated HA ports in Palo Alto. The HA1 port is a control
link, whereas HA2 is a data link. These links are primarily used to synchronize
data and also help to maintain state information.

23. What are Incomplete and Application Override in Palo Alto?

Ans: Application Incomplete means either that the three-way TCP handshake was not
completed, or that it was completed but there was no information to classify the
application just after the handshake. Application Override is used to bypass App-ID
(normal application identification) for specific traffic transmitted through the
firewall.

24. Mention the types of Palo Alto architecture processing?

Ans: There are two types of processing:

Single-pass processing
Parallel processing

25. What are the options available on the Palo Alto firewall for forwarding log
messages?

Ans: There are two different options available on the Palo Alto firewall for
forwarding log messages:

Forwarding of logs from firewalls to Panorama and from Panorama to external
services.
Forwarding of logs from firewalls to Panorama and to external services in parallel.

26. What is Single-pass parallel processing?

Ans: Single-pass parallel processing lets the system perform all operations on a
packet in one pass. The important functions of single-pass parallel processing are
policy lookup, identifying applications, performing networking functions, decoding,
and signature matching. Content passing through the Palo Alto firewall is scanned
only once in this architecture.

27. What protocol is used to exchange heart beats between HA?


Ans: ICMP is the protocol used to exchange heartbeat between HA.

28. What is parallel processing?

Ans: The Palo Alto architecture is designed with separate data and control planes
to support parallel processing. The hardware elements in parallel processing
support discrete processing groups that perform several complex functions.

29. Define the term: U-Turn NAT?

Ans: U-Turn NAT refers to a logical path in a network. Users are provided access to
the DMZ server using the server's external IP address. U-Turn NAT allows clients to
access the public web server on the internal network.

30. What do you mean by endpoint security in Palo Alto?

Ans: Endpoint security protects user devices such as laptops, mobiles, and PCs
using purpose-built tools and products. It is one of the world's leading network
security suites and helps secure the organization's user data and applications.
Defending a network against various threats is not simple nowadays; however, it
can be attained by using best practices in both hardware and software.

Palo Alto Intermediate Interview Questions


31. Mention the differences between the Palo Alto PA-200, PA-500, and higher
models?

Ans: Both the PA-200 and PA-500 implement activities such as signature processing
and network processing in software. A higher model has a dedicated hardware
processor.

32. Mention the types of links used to establish HA or HA introduction?

Ans: There are 4 types of links used to establish HA:

Control link or HA1
Data link or HA2
Backup links
Packet forwarding links

33. Mention the various port numbers used in HA?

Ans:
HA1: TCP/28769 and TCP/28260 for clear-text communication; TCP/28 for encrypted
communication.
HA2: IP protocol number 99 or UDP/29281.

34. Which features does Palo Alto support when it is in virtual wire mode?

Ans: When Palo Alto is in virtual wire mode, it supports many features such as
App-ID, Decryption, Content-ID, User-ID, and NAT.

35. Do you know which virtualization platform provides extensive support during
the deployment of Palo Alto Networks?

Ans: VM-Series is the virtualization platform that provides extensive support
during the deployment of Palo Alto Networks. It supports a wide range of public and
private cloud computing environments such as OpenStack, VMware, Cisco ACI, Amazon
Web Services, Google Cloud Platform, and many more.

36. Which command is used to show the maximum log file size? Give a brief idea of
how Panorama handles new logs when the storage limit is reached.

Ans: The command used to show the maximum log file size is:

show system logdb-quota

When the log storage limit is reached, Panorama automatically deletes the oldest
logs and gives the space to the new records. Panorama has automated functionality
that can determine the storage limit and remove old logs when needed.

37. Can you determine the default IP address of the management port in Palo Alto
Firewall along with the default username and password?
Ans: The default IP address of the management port in Palo Alto Firewall is
192.168.1.1.

The username is "admin" with a password as "admin."

38. Can you explain the different states in the HA firewall?

Ans: The different states in an HA firewall are:

Initial
Passive
Active
Active-primary
Active-secondary
Tentative
Non-functional
Suspended

39. What is WildFire? Give a brief explanation of the functionality of WildFire.

Ans: Securing a network from potential threats requires finding solutions and
analyzing malware, which is a quite hectic process. WildFire is a cloud-based
malware detection service which helps to identify unknown files or threats created
by attackers. WildFire rapidly delivers protection and shares threat intelligence
with organizations.

40.Differences between Palo Alto NGFW and Checkpoint UTM?


Ans: Palo Alto follows Single-pass parallel processing whereas Checkpoint UTM
follows a multi-pass architecture process.

Palo Alto Advanced Interview Questions


41. Can you explain why Palo Alto is called a next-generation firewall?

Ans: The Palo Alto cybersecurity application has everything that is needed for the
next generation. This application consists of an intrusion prevention system and
control features. In terms of productivity, it is considered different from other
cybersecurity vendors. One important thing is that it delivers the next-generation
features with the help of a single platform.

42. Give a brief idea about the single-pass and parallel processing architecture.
Which architecture does Palo Alto use?

Ans: Single-pass: In single-pass processing, all operations are performed only
once per packet. The services include application identification, networking
functions, policy lookup, decoding, and signature matching for any content or
threats. In simpler terms, instead of using multiple engines, single-pass software
scans the traffic once in a stream-based fashion.

Parallel processing: Parallel processing uses discrete processing groups to perform
the functions. The functions include networking, App-ID, Content-ID analysis, etc.

Palo Alto utilizes the Single Pass Parallel Processing (SP3) architecture.

43. Define the term HALite in Palo Alto. Give a brief explanation of the
capabilities of Palo Alto.

Ans: Before defining HALite we need to know about the PA-200. The PA-200 is a
firewall which protects the network from a broad range of cyber threats. HALite is
the HA feature available on the PA-200. It provides synchronization of some runtime
items. A limited version of HA is used on the PA-200 because there are a limited
number of ports available for synchronization.


44. Define what is meant by the service route. Which interface is used to access
external services by default?

Ans: A service route is the path from the interface to the service on the server.
The interface used to access external services by default is the management (MGT)
interface.

45. Can you brief the basic approaches used to deploy certificates for Palo Alto
Networks firewalls?

Ans: There are three different approaches used to deploy certificates for Palo Alto
Networks firewalls:

Obtaining the certificates from a trusted third-party CA such as VeriSign or GoDaddy.
Acquiring the certificates from an enterprise CA.
Generating self-signed certificates.

46. How to troubleshoot HA using the CLI?

Ans: The following CLI commands are used:

show high-availability state: shows the HA state of the Palo Alto firewall
show high-availability state-synchronization: checks the sync status
show high-availability path-monitoring: shows the status of path monitoring
request high-availability state suspend: suspends the active box and makes the
current passive box active.

47. Elucidate the differences between PA-200, PA-600, and higher models?

Ans: Network processing and signature processing are implemented in software on
the PA-200 and PA-500. Higher models have a dedicated hardware processor to
perform these functions.

48. In an enterprise deployment, a network security engineer wants to assign to a
group of administrators without creating local administrator accounts on the
firewall. Which authentication method must be used?

Ans: RADIUS with Vendor-Specific Attributes.

49. What is the difference between a Next-Generation Firewall and a traditional
firewall?

Ans: A next-generation firewall (NGFW) is a network security solution that goes
beyond a traditional stateful firewall in terms of capability. While a traditional
firewall inspects all incoming and outgoing network traffic in real time, a
next-generation firewall adds application awareness and control, integrated
intrusion prevention, and cloud-delivered threat intelligence.

50. Packet flow architecture of a Palo Alto firewall

Ans:

A Palo Alto Networks firewall in Layer 3 mode provides routing and network address
translation (NAT) functions.
The routing table is used to evaluate the source and destination zones on NAT
policies.
Example 1: If you are translating traffic that is incoming to an internal server
(which is reached via a public IP by internal users), the NAT policy must be
configured using the zone in which the public IP address resides.
Example 2: If you are translating traffic that is incoming to an internal server
(which is reached via a public IP by internal users, and that public IP is routed
to a DMZ zone), the NAT policy must be configured using the DMZ zone.

Regardless of the policy, original IP addresses are ALWAYS used in rules. Why?
Because address translation does not take place until the packet egresses the
firewall. The destination zone is the ONLY zone that can change from the original
packet during processing.

51. How to configure HA on a Palo Alto firewall?

Ans: To set up an active (PeerA) / passive (PeerB) pair in HA, you must configure
some options identically on both firewalls and some independently (non-matching) on
each firewall. These HA settings are not synchronized between the firewalls.

The following checklist details the settings that you must configure identically on
both firewalls:

Enable HA on both firewalls.
Configure the same Group ID value on both firewalls. The firewall uses the Group ID
value to create a virtual MAC address for all the configured interfaces (see
Floating IP Address and Virtual MAC Address for information about virtual MAC
addresses). When a new active firewall takes over, it sends Gratuitous ARP messages
from each of its connected interfaces to inform the connected Layer 2 switches of
the virtual MAC address's new location.
If you are using in-band ports as HA links, set the interfaces for the HA1 and HA2
links to type HA.
Set the HA Mode to Active Passive on both firewalls.
If required, enable preemption on both firewalls. The device priority value,
however, must not be identical.
If required, configure encryption on the HA1 link (for communication between the HA
peers) on both firewalls.
Based on the combination of HA1 and HA1 Backup ports you are using, use the
following recommendations to decide whether to enable heartbeat backup:

HA1 port            HA1 Backup port     Heartbeat Backup
Dedicated HA1 port  Dedicated HA1 port  Enable
Dedicated HA1 port  In-band port        Enable
Dedicated HA1 port  Management port     Do not enable
In-band port        In-band port        Enable
Management port     In-band port        Do not enable

52. What are the different modes in which interfaces on Palo Alto can be
configured?

Ans: There are four interface modes:

Tap mode: This mode allows users to monitor any type of traffic flow across the
networking system with the help of a tap or a switch SPAN/mirror port.
Virtual wire: In this deployment mode, the firewall is installed passively on any
network segment by combining two interfaces together.
Layer 2 mode: In this mode, multiple networking interfaces are configured into a
"virtual switch" or VLAN mode.
Layer 3 deployment: In a Layer 3 deployment, the Palo Alto firewall routes traffic
between multiple interfaces. The user must assign an IP address to each interface.

53. What is the role of the Virtual Wire interface in the Palo Alto firewall?
Ans: A virtual wire interface allows the transmission of traffic between two
interfaces by binding them together.

54. What is the function of the Zone Protection Profile?

Ans: The following are the functions of the Zone Protection Profile:

You get security from attacks such as floods, reconnaissance, and packet-based
attacks, among others, by using the Zone Protection Profile.
It protects you from flood attacks such as SYN, ICMP, and UDP floods, among others.
You can defend against port scans and host sweeps with reconnaissance protection.
You get protection from large ICMP packets and ICMP fragment attacks with
packet-based protection.

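The reconnaissance protection described here and in question 8 (port scans and host sweeps), as an added Python detector that is not part of this page and not PAN-OS code: it keeps a sliding-window count of distinct destination ports per source/host pair and of distinct destination hosts per source over constructed connection records, and raises one alert per offending source. The interval, the thresholds and the sample records are constructed values, not PAN-OS defaults.

```python
"""Constructed reconnaissance detector (added illustration, not PAN-OS code).
Flags, per source, the two behaviours that a zone protection profile's
reconnaissance protection targets: a port scan (many distinct destination
ports on one host) and a host sweep (many distinct destination hosts) inside
a sliding time window. Thresholds, interval and sample events are constructed."""
from collections import defaultdict, deque

INTERVAL_S = 2.0           # sliding window length in seconds (constructed)
PORT_SCAN_THRESHOLD = 10   # distinct ports to one host within the window
HOST_SWEEP_THRESHOLD = 10  # distinct hosts within the window


def detect_recon(events, interval=INTERVAL_S,
                 port_threshold=PORT_SCAN_THRESHOLD,
                 host_threshold=HOST_SWEEP_THRESHOLD):
    """Return alerts for sources whose distinct-port or distinct-host count inside
    the sliding window reaches the threshold. At most one alert per kind and
    source (and per target host for port scans), raised when first crossed."""
    port_windows = defaultdict(deque)   # (src, dst) -> deque of (t, dport)
    host_windows = defaultdict(deque)   # src -> deque of (t, dst)
    alerts, seen = [], set()
    for e in sorted(events, key=lambda e: e["t"]):
        t, src, dst, dport = e["t"], e["src"], e["dst"], e["dport"]
        # port scan: distinct destination ports from src to dst within the window
        pw = port_windows[(src, dst)]
        pw.append((t, dport))
        while t - pw[0][0] > interval:      # expire records older than the window
            pw.popleft()
        ports = {p for _, p in pw}
        if len(ports) >= port_threshold and ("port-scan", src, dst) not in seen:
            seen.add(("port-scan", src, dst))
            alerts.append({"kind": "port-scan", "src": src, "dst": dst, "count": len(ports)})
        # host sweep: distinct destination hosts from src within the window
        hw = host_windows[src]
        hw.append((t, dst))
        while t - hw[0][0] > interval:
            hw.popleft()
        hosts = {h for _, h in hw}
        if len(hosts) >= host_threshold and ("host-sweep", src) not in seen:
            seen.add(("host-sweep", src))
            alerts.append({"kind": "host-sweep", "src": src, "dst": None, "count": len(hosts)})
    return alerts


def constructed_events():
    """Constructed sample: one port scanner, one host sweeper, one ordinary client."""
    events = []
    for i in range(15):     # 15 distinct ports on one host within 1.5 s
        events.append({"t": 0.1 * i, "src": "10.1.1.50", "dst": "192.168.10.5", "dport": 20 + i})
    for i in range(12):     # the same port on 12 hosts within 1.2 s
        events.append({"t": 5.0 + 0.1 * i, "src": "10.1.1.60",
                       "dst": f"192.168.20.{i + 1}", "dport": 445})
    for i, port in enumerate((443, 53, 80)):   # ordinary client using three services
        events.append({"t": 9.0 + i, "src": "10.1.1.70", "dst": "192.168.10.5", "dport": port})
    return events
```

Running detect_recon(constructed_events()) yields exactly two alerts, a port scan from 10.1.1.50 and a host sweep from 10.1.1.60, each raised the moment the tenth distinct port or host enters the window; the ordinary client never reaches the threshold. Shrinking the interval to 0.5 s yields no alerts at all, which is the tuning trade-off behind the interval and threshold settings of a real reconnaissance profile.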
55. What is the difference between a Palo Alto NGFW and a WAF?

Ans:

Palo Alto Networks' Next-Generation Firewalls (NGFW) employ three distinct
identification technologies to provide policy-based access and control over
applications, users, and content: App-ID, User-ID, and Content-ID. The knowledge of
which application is traversing the network and who is using it is then used to
create firewall security policies, including access control, SSL decryption, threat
prevention, and URL filtering. A firewall is essential for every organization.

A Web Application Firewall (WAF), on the other hand, is designed to look at web
applications and track them for security problems that may occur as a result of
coding errors. The only thing the two solutions share in common is that both use
the word firewall in their names. A WAF is only needed by companies who believe
their web applications have coding problems.

56. Explain the difference between virtual routers and virtual systems in Palo
Alto?

Ans:

Virtual systems are separate, logical firewall instances within a single physical
Palo Alto Networks firewall. Service providers and organizations can use a single
pair of firewalls (for high availability) and enable virtual systems on them
instead of having multiple firewalls. Each virtual system (vsys) is an independent,
separately managed firewall with its traffic kept separate from the traffic of
other virtual systems.

A virtual router is a firewall feature that takes part in Layer 3 routing. You can
manually define static routes or participate in one or more Layer 3 routing
protocols, and the firewall uses virtual routers to obtain routes to other subnets
(dynamic routes).

57. Difference between pre-NAT and post-NAT

Ans:

The original IP address, which is the pre-NAT address, is what NAT rules and
security policies are matched against. The zone associated with a pre-NAT IP
address is used to configure a NAT rule.

Unlike NAT rules, security policies look at post-NAT zones to decide whether a
packet is allowed. Security policies are applied on the post-NAT zone because the
very essence of NAT is to change the source or destination IP address, which
changes the packet's outgoing interface and zone.
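The zone and address handling described in questions 50 and 57, as an added Python model (an illustration added here, not PAN-OS code and not from this page): it runs a constructed packet through a routing-table lookup, a NAT rule match on the pre-NAT addresses and pre-NAT destination zone, and a security policy match on the pre-NAT addresses combined with the post-NAT destination zone. The addresses, zone names, rule names and the U-turn scenario are constructed, and the simplified matching (exact original-destination match in NAT rules, no ports or protocols, first match wins) is an assumption of the model rather than PAN-OS behaviour.

```python
"""Constructed model of NAT and security policy evaluation for one packet.
Added illustration, not PAN-OS code: the NAT rule is matched on the original
(pre-NAT) addresses and on the zone the original destination routes to; the
security rule is matched on the original addresses but on the POST-NAT
destination zone, because translation only happens at egress. Addresses,
zone names, rule names and the U-turn scenario are all constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Route:
    prefix: str  # destination prefix
    zone: str    # zone of the egress interface for this prefix


@dataclass
class NatRule:
    name: str
    from_zone: str               # ingress zone
    to_zone: str                 # zone the ORIGINAL destination routes to
    orig_dst: str                # original (pre-NAT) destination address
    translated_dst: str = None   # destination NAT
    translated_src: str = None   # source NAT (needed for U-turn)


@dataclass
class SecurityRule:
    name: str
    from_zone: str  # ingress zone
    to_zone: str    # POST-NAT destination zone
    src: str        # pre-NAT source: prefix or "any"
    dst: str        # pre-NAT destination: prefix or "any"
    action: str


def lookup_zone(routes, ip):
    """Longest-prefix match against the routing table; returns the zone or None."""
    addr, best = ipaddress.ip_address(ip), None
    for route in routes:
        net = ipaddress.ip_network(route.prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, route.zone)
    return best[1] if best else None


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def process_packet(routes, nat_rules, sec_rules, ingress_zone, src, dst):
    """Evaluate one packet; report matched rules, the verdict and the egress view."""
    pre_nat_dst_zone = lookup_zone(routes, dst)
    nat = next((n for n in nat_rules if n.from_zone == ingress_zone
                and n.to_zone == pre_nat_dst_zone and n.orig_dst == dst), None)
    egress_src = nat.translated_src if nat and nat.translated_src else src
    egress_dst = nat.translated_dst if nat and nat.translated_dst else dst
    post_nat_dst_zone = lookup_zone(routes, egress_dst)   # the only zone that changes
    sec = next((s for s in sec_rules if s.from_zone == ingress_zone
                and s.to_zone == post_nat_dst_zone
                and _addr_match(s.src, src) and _addr_match(s.dst, dst)), None)
    return {"nat_rule": nat.name if nat else None,
            "security_rule": sec.name if sec else None,
            "action": sec.action if sec else "deny",
            "egress_zone": post_nat_dst_zone,
            "egress_src": egress_src, "egress_dst": egress_dst}


# Constructed topology: trust (users), dmz (web server), untrust (internet).
ROUTES = [Route("0.0.0.0/0", "untrust"), Route("192.168.1.0/24", "trust"),
          Route("192.168.2.0/24", "dmz")]
NAT_RULES = [
    # Internet clients reaching the public IP; the original dst routes to untrust.
    NatRule("inbound-web", "untrust", "untrust", "203.0.113.10",
            translated_dst="192.168.2.10"),
    # U-turn NAT: internal users hit the same public IP; the source is translated
    # too so that the server's replies come back through the firewall.
    NatRule("u-turn-web", "trust", "untrust", "203.0.113.10",
            translated_dst="192.168.2.10", translated_src="192.168.2.1"),
]
# Correct policies: pre-NAT destination address, post-NAT destination zone.
SECURITY_RULES = [
    SecurityRule("allow-web-inbound", "untrust", "dmz", "any", "203.0.113.10", "allow"),
    SecurityRule("allow-web-uturn", "trust", "dmz", "192.168.1.0/24", "203.0.113.10", "allow"),
]
# Common mistake: the policy written with the translated (post-NAT) address.
MISTAKEN_RULES = [
    SecurityRule("uturn-wrong", "trust", "dmz", "192.168.1.0/24", "192.168.2.10", "allow"),
]


def uturn_example():
    return process_packet(ROUTES, NAT_RULES, SECURITY_RULES, "trust", "192.168.1.10", "203.0.113.10")


def inbound_example():
    return process_packet(ROUTES, NAT_RULES, SECURITY_RULES, "untrust", "198.51.100.7", "203.0.113.10")


def mistaken_example():
    return process_packet(ROUTES, NAT_RULES, MISTAKEN_RULES, "trust", "192.168.1.10", "203.0.113.10")
```

In the U-turn case the original destination 203.0.113.10 routes to untrust, so that is the zone the NAT rule is written against, while the security rule must use the post-NAT zone dmz together with the pre-NAT destination address; the mistaken rule keyed on 192.168.2.10 never matches and the packet is denied, which is the "original IP addresses are ALWAYS used" point from question 50.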


58. Which Palo Alto Networks solution targets endpoint security from cyber-attacks?

Ans: The next-generation firewall solution targets endpoint security from
cyber-attacks. It provides detailed network traffic visibility focused on
applications, customers, and content, enabling you to meet your business
requirements.

59. Which all types of logs can be viewed on Palo Alto NGFWs?
Ans: You can view Traffic Logs, Threat Log, URL Filtering Logs, WildFire
Submissions Logs, Data Filtering Logs, Correlation Logs, Tunnel Inspection Logs,
Unified logs, HIP Match logs, GTP logs, SCTP logs, System logs, Alarm logs, and
Configuration logs, etc.

60. What are the prerequisites while configuring an HA pair?


Ans: To set up high availability on your Palo Alto Networks firewalls, you need a
pair of firewalls that meet the following requirements:

The same model—The hardware or virtual machine models of both firewalls in the pair
must be the same.
The same PAN-OS version—Both firewalls must be running the same PAN-OS version and
have the application, URL, and threat databases up to date.
The same multi virtual system capability—Multi Virtual System Capability must be
activated or disabled on both firewalls. Each firewall requires several virtual
machine licenses when it is activated.
The same type of interfaces—Dedicated HA links, or a combination of the management
port and in-band ports that are set to interface type HA.
Determine the IP address for the HA1 (control) connection between the HA peers. The
HA1 IP address for both peers must be on the same subnet if they are directly
connected or are connected to the same switch.
For firewalls without dedicated HA ports, you can use the management port for the
control connection. Using the management port provides a direct communication link
between the management planes on both firewalls. However, because the management
ports will not be directly cabled between the peers, make sure that you have a
route that connects these two interfaces across your network.

If you use Layer 3 as the transport method for the HA2 (data) connection, determine
the IP address for the HA2 link. Use Layer 3 only if the HA2 connection must
communicate over a routed network. The IP subnet for the HA2 links must not overlap
with that of the HA1 links or with any other subnet assigned to the data ports on
the firewall.
The same set of licenses—Each firewall has its own license, which cannot be shared.
As a result, all firewalls must have the same license. Both firewalls cannot
synchronize configuration information and ensure parity for a seamless failover if
they do not have the same collection of licenses.
61. What are the HA modes in which a Palo Alto firewall can be configured?

Ans: The firewalls can be configured for HA in one of two ways:

Active/Passive: One firewall handles traffic actively, while the other is
synchronized and ready to take over in the event of a failure. Both firewalls use
the same configuration settings in this mode, and one actively manages traffic
until a route, link, system, or network fails. When the active firewall fails, the
passive firewall seamlessly switches to active mode and enforces the same policies
to keep the network secure. Virtual wire, Layer 2 and Layer 3 deployments all
support active/passive HA.

Active/Active: Both firewalls in the pair are up and running, managing traffic, and
handling session configuration and ownership in a synchronous manner. Both
firewalls keep their own session and routing tables and synchronize with one
another. Active/active HA is supported in virtual wire and Layer 3 deployments.

62. Explain Active/Active HA in Palo Alto NGFW?

Ans: Active/Active high availability provides stateful session and configuration
synchronization, with a few exceptions. Active/Active HA in Palo Alto is supported
in deployment types including virtual wire and Layer 3. In this mode, both
firewalls work synchronously and process the traffic.

63. Explain Active/Passive HA in Palo Alto NGFW

Ans:

Active/Passive HA is also stateful session and configuration synchronization, with
a few exceptions:

Active/Passive HA is supported by the VM-Series firewalls on Azure and AWS.
When using the Amazon Elastic Load Balancing (ELB) service to deploy the firewall
on AWS, HA is not supported (in this case, the ELB service provides the failover
capabilities).
On Google Cloud Platform, the VM-Series firewall does not support high
availability.

Active/Passive HA in Palo Alto is supported in deployment types including virtual
wire, Layer 2, and Layer 3. In this mode, the configuration settings are shared by
both firewalls. If the active firewall fails, the passive firewall becomes active
and maintains network security.

64. How many zones can an interface be part of?


Ans: An interface on the firewall must be assigned to a security zone before the
interface can process traffic. A zone can have multiple interfaces of the same type
assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can
belong to only one zone.

65. Steps to configure zone protection profiles

Ans: There are four steps to configure zone protection profiles:

Configure Reconnaissance Protection.
Configure Packet-Based Attack Protection.
Configure Protocol Protection.
Configure Packet Buffer Protection.

66. What actions are available while filtering URLs?
Ans: The following are the actions available while filtering URLs.

Alert: The website is allowed and a log entry is generated in the URL filtering
log.
Allow: The website is allowed and no log entry is generated.
Block: The website is blocked and the user will see a response page and will not be
able to continue to the website. A log entry is generated in the URL filtering log.
Continue: The user will be prompted with a response page indicating that the site
has been blocked due to company policy, but the user is prompted with the option to
continue to the website.
Override: With this Override option, the security admin or helpdesk person would
provide a password granting temporary access to all websites in the given category.

67. Steps to configure App-ID and Content-ID, and how they can be added to
existing/new security policies

Ans:

Configuration steps for App-ID when adding it to security policies:

Traffic is matched against policy to check whether it is allowed on the network.
Signatures are then applied to allowed traffic to identify the application based on
unique application properties and related transaction characteristics. The
signature also determines whether the application is being used on its default port
or on a non-standard port. If the traffic is allowed by policy, the traffic is then
scanned for threats and further analyzed to identify the application more
granularly.
If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption
policy rule is in place, the session is decrypted and application signatures are
applied again on the decrypted flow.
Decoders for known protocols are then used to apply additional context-based
signatures to detect other applications that may be tunneling inside the protocol
(for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that
the traffic conforms to the protocol specification and provide support for NAT
traversal and opening dynamic pinholes for applications such as SIP and FTP.
For applications that are particularly evasive and cannot be identified through
advanced signature and protocol analysis, heuristics or behavioral analysis may be
used to determine the identity of the application.

Configuration steps for Content-ID when adding it to security policies:

Content-ID enables customers to apply policies to inspect and control content
traversing the network.
Detect and block known and unknown threats in a single pass.
Implement policy control over unapproved web surfing.
Limit unauthorized transfer of files and sensitive data, such as credit card or
Social Security numbers.
Proactively identify and defend against unknown, new, or custom malware and
exploits.
Single-pass software architecture maximizes performance by scanning traffic only
once, regardless of which Content-ID features are enabled.

68. By default, what is the IP address of the management port on the Palo Alto
Firewall and default username/password?(optional)
Ans:

The default IP address of the management port in Palo Alto Firewall is 192.168.1.1.
The username is "admin" with a password as "admin."
69. Steps to take configuration Backup of the Palo alto firewall
Ans: Palo alto firewall configuration backup:

Navigate to Device -> Setup -> Operations after login into the Palo alto firewall.
Click on "Save named configuration snapshot" to save the configuration locally to
the Palo alto firewall.
Click on "Export Named Configuration Snapshot" to take the backup of the Palo Alto
Configuration file into the local PC.

70. What parameter decides a primary and secondary HA pair?
Ans: It is decided by the "Device ID" parameter. In an active/active configuration,
set the Device ID to determine which peer will be active-primary (Device ID 0) and
which will be active-secondary (Device ID 1).

71. Status of high availability to check on GUI and CLI (command needed)
Ans:

High availability check on GUI:

Go to Device Tab -> High Availability -> General.

This displays the status of Setup, active/passive settings, control link (HA1),
control link (HA1 backup), data link (HA2) and election settings.

High availability check on CLI:

1. To view the status of the HA4 backup interface, use the following command:

> show high-availability cluster ha4-backup-status

2. To view information about the type and number of synchronized messages to or
from an HA cluster, use the following command:

> show high-availability cluster session-synchronization

3. To view HA cluster state and configuration information, use the following
command:

> show high-availability cluster state

4. To view HA cluster statistics, such as counts of received messages and packets
dropped for various reasons, use the following command:

> show high-availability cluster statistics

5. To clear HA cluster statistics, use the following command:

> clear high-availability cluster statistics

6. To clear the session cache, use the following command:

> request high-availability cluster clear-cache

7. To request a full session cache synchronization, use the following command:

> request high-availability cluster sync-from

72. How to do stateful failover on the Palo Alto firewall in an HA cluster?
Ans: When a failure occurs on one firewall and the peer takes over the task of
securing traffic, the event is called a failover. A failover is triggered, for
example, when a monitored metric on a firewall in the HA pair fails. The following
metrics are implemented to monitor and detect a firewall failure:

Heartbeat Polling and Hello messages.
Link Monitoring.

73. Steps to do a packet capture on GUI and CLI
Ans:

Steps for packet capturing in the GUI:

The first place to go is the Packet Capture menu on the GUI, where you can manage
filters, add capture stages, and easily download captures.
Before we get started, there are a few things you should know:
Four filters can be added with a variety of attributes.
Packet captures are session-based, so a single filter is capable of capturing both
client2server and server2client.
Packets are captured on the dataplane rather than on the interface (this explains
the next bullet).
Pre-Parse Match is a feature that can capture all files before they are processed
by the engines running on the dataplane, which can help troubleshoot issues where
an engine may not be properly accepting an inbound packet. This option should be
used only if instructed by support, and at a low-volume time of day, as it will
capture everything.
When filtering is enabled, new sessions are marked for filtering and can be
captured, but existing sessions are not filtered and may need to be restarted
before they can be captured.
Offloaded sessions can't be captured, so offloading may need to be disabled
temporarily. An offloaded session will display "layer7 processing: completed" in
the "show session" details.
Add a couple of filters.
If we now switch the Filtering button to ON, the filters will be applied to any new
sessions that match the criteria.
A simple way to check whether the filter is working is to check whether the global
counters increase when a new session is initiated.

Steps for packet capturing in the CLI:

From the CLI, execute this command:

> show counter global filter delta yes packet-filter yes

Next you're going to configure the stages. There are four stages:
drop stage is where packets get discarded. The reasons may vary and, for this part,
the global counters may help identify whether the drop was due to a policy deny, a
detected threat, or something else.
receive stage captures the packets as they ingress the firewall, before they go
into the firewall engine. When NAT is configured, these packets will be pre-NAT.
transmit stage captures packets as they egress the firewall engine. If NAT is
configured, these will be post-NAT.
firewall stage captures packets in the firewall stage.
When all the desired stages are set, you can switch the capture button to ON, or
you can use the CLI to clear the existing sessions that match the specified
filters. This is to make sure no session has been active since before the filters
were enabled. Then use the capture on command to start the capture as displayed
below.
> show session all => Note down the session number matching the configured
filters.

> clear session id => This is to clear any existing session that matches the
filters configured.

You can now launch the sessions you'd like to capture. To verify that the session
has started, use the show session command:
> show session all

When you're done, the capture can be turned off by toggling the button back to the
OFF position or using the debug command:
> debug dataplane packet-diag set capture off

Packet capture is disabled

> debug dataplane packet-diag clear filter-marked-session all

Unmark All sessions in packet debug

74. How to add a license to the Palo Alto firewall?
Ans: Steps for activating a license on a Palo Alto firewall:

Locate the activation codes for the licenses you purchased.
Activate your Support license.
Activate each license you purchased.
Verify that the license is successfully activated.
Perform a commit to complete WildFire subscription activation.

75. How to do dynamic updates and how to schedule them?
Ans: Through dynamic updates, Palo Alto Networks regularly publishes new and
updated applications, vulnerability protection, and GlobalProtect data files.
Setting a schedule for dynamic updates allows you to define the frequency at which
the firewall checks for and downloads or installs new updates. The "schedule"
option allows you to set the frequency for retrieving updates. You can define how
often and when the dynamic content updates occur (the "Recurrence" and time) and
whether scheduled updates are "Download Only" or "Download and Install".

76. What is a Palo Alto sinkhole?
The DNS sinkhole allows the Palo Alto Networks device to forge a response to a DNS
query for a known malicious URL/domain, causing the malicious domain name to
resolve to a client-defined (fake) IP address.

77. What kind of firewall is Palo Alto?
The VM-Series is Palo Alto Networks' virtualized next-generation firewall, running
the PAN-OS operating system. The VM-Series identifies, controls, and securely
permits intra-host connections, and includes virtualization security features.

78. What is Tap deployment mode?
A network tap is a device that provides a path to access data flowing in a computer
network. Tap deployment mode allows you to monitor traffic flow passively across
the network with the help of a mirror port or switch SPAN.

79. What is App-ID?
Application Identification, also known as App-ID, is the main component in Palo
Alto. App-ID allows you to see the applications present in your network and
understand how they behave, how they work, and their risks. It identifies the
applications that traverse the firewall independently.

80. What is Palo Alto Content-ID?
Palo Alto Content-ID provides a real-time threat prevention engine with a large URL
database and application identification to limit file and data transfers, identify
and block malware, exploits, and malware communications, and regulate internet
usage.

81. Are Palo Alto updates cumulative?
Content updates are dynamic and cumulative: each update contains the most recent
content and always incorporates the previous versions, and the firewall enforces
them without requiring configuration changes.

82. Describe the Zero Trust feedback loop architecture in Palo Alto
The zero-trust approach to cybersecurity secures an organisation by removing
implicit trust and continuously authorising every stage of a digital interaction:
the principle of never trust, always verify. Zero trust architecture provides more
comprehensive security and makes it simple to operate. It prevents phishing,
malware, and data exfiltration attacks.

83. What must be used in a security policy rule that contains addresses where a
NAT policy applies?
On receiving the packet, the firewall inspects it and performs a route lookup to
determine the egress interface and zone. The security policy is then matched on the
pre-NAT addresses together with the post-NAT zones.

84. What is unique about Palo Alto?
Palo Alto Networks delivers the most advanced next-generation firewall features in
a single platform with a unified management system and simultaneous processing,
which differentiates it from competitors who rely on multiple management systems or
various modules.

85. Is Palo Alto IDS or IPS?
Palo Alto Networks is an Intrusion Prevention System (IPS) by nature. It differs
from traditional IPS by linking network anti-malware, vulnerability protection, and
anti-spyware into a unified service that scrutinises all traffic for threats.

86. What is a zero-trust approach?
Zero Trust is a strategic approach to cybersecurity that secures an organisation by
continuous validation and by removing implicit trust at every stage of a digital
interaction. It prevents data breaches. It does not make the system trusted;
instead, it eliminates trust.

87. What is IT/OT convergence?
Operational Technology (OT) and Information Technology (IT) systems united together
are called IT/OT convergence. IT integration is useful in data-centric computing,
while OT systems monitor devices, processes, and events and suggest necessary
changes in industrial operations and the organisation.

Conclusion

1. Palo Alto is a stateful firewall. What does it mean?
A stateful firewall means all the traffic that is transmitted through the firewall
is matched against a session. Also, each session is matched against a security
policy.

2. Palo Alto is touted as the next-generation firewall. What are the reasons for
this?
Palo Alto has everything that is needed to call it a next-generation firewall. It
has an intrusion prevention system. It also has application control features. In
terms of delivery, it is much different from other vendors: it delivers the next-
generation features using a single platform.

3. What is the advantage of Palo Alto's Single Pass Parallel Processing (SP3)
architecture?
The following are the advantages of the Single Pass Parallel Processing (SP3)
architecture:

High throughput and low latency
Active security functions
Provision of a single, fully integrated policy
Easier management of firewall policy

4. Why use Palo Alto Networks together with Splunk?
Palo Alto provides the visibility that Splunk needs to produce actionable and
usable insights. Palo Alto and Splunk work together to keep the network secure.

5. What is the difference between the PA-200 and PA-500 and the higher models?
Activities such as signature processing and network processing are implemented in
software on the PA-200 and PA-500. The higher models contain a dedicated hardware
processor.

6. A security policy rule contains addresses where a NAT policy applies. Which
address needs to be used in the security policy?
You need to use the pre-NAT address and the post-NAT zone.

7. When is U-turn NAT applicable? How to configure it?
U-turn NAT is applicable when internal resources in a trust zone need to access DMZ
resources using the public IP addresses of an untrust zone.

8. What is Tap deployment mode?
The Tap deployment mode allows monitoring of traffic passively across the network.
It uses a tap or switch SPAN/mirror port for this purpose.

9. What is Virtual Wire deployment mode?
In the Virtual Wire deployment mode, the firewall is installed transparently on a
network segment by binding two interfaces into a single set.

10. What is Layer 2 deployment mode?
In the Layer 2 deployment mode, multiple interfaces are configured into a virtual
switch or VLAN in L2 mode.

11. What is Layer 3 deployment mode?
In the Layer 3 deployment mode, traffic is routed by the firewall across multiple
interfaces. To do this, each interface needs to be assigned an IP address, and a
virtual router needs to be defined to route the traffic.

12. Which mode comes pre-configured in Palo Alto?
Palo Alto comes with Virtual Wire mode by default.

13. What are the features Palo Alto supports when it is in Virtual Wire mode?
When in Virtual Wire mode, Palo Alto supports features such as:

App-ID
Decryption
Content-ID
User-ID
NAT

14. What is App-ID?
App-ID is the short form for Application Identification. It is the main component
in Palo Alto. The responsibility of App-ID is to identify the applications that
traverse the firewall independently.
15. What are the benefits of using Panorama in Palo Alto?
There are multiple benefits to using Panorama. Some of these benefits include:

You can update the software in bulk with a single click.
You can get a complete report, which enables you to validate the compliance status.
You can use Panorama logs from managed services, which helps in solving logging
issues.

16. What are the main areas Panorama adds value to?
The following are the main areas in which Panorama adds value:

Distributed administration, which enables you to control and delegate access to
firewall configurations locally and globally.
Centralized configuration and deployment.
Aggregated logging with central oversight for analysis and reporting.

17. What is U-turn NAT in Palo Alto?
U-turn NAT is a logical path used in a network. In U-turn NAT, users have to access
the internal DMZ server, and for this purpose they use the external IP address of
that server.

18. What is a virtual router in Palo Alto?
A virtual router is a function of the firewall that takes part in Layer 3 routing.

19. What is a virtual system in Palo Alto?
A virtual system is an exclusive, logical firewall in Palo Alto. Being an
independent firewall, the traffic in a virtual system is kept separate.
20. What is endpoint security in Palo Alto?
Endpoint security ensures the protection of individual access points in the network
and of sensitive data. It is a process that covers techniques, tools, and
applications or products that can be used to protect devices including computer
systems, laptops, smartphones, etc.

21. What is a Single Pass processing architecture?
The single-pass processing architecture operates on a packet only once. Activities
such as policy lookup, application identification, networking functions, decoding,
and signature matching are performed only once when a packet is processed. Even the
content is scanned only once in the single-pass processing architecture.

22. What is a Zone Protection profile?
Using a Zone Protection profile, you can get protection from flood, reconnaissance,
and packet-based attacks. It provides protection from flood attacks such as SYN,
ICMP, and UDP floods. The reconnaissance protection enables you to defend against
port scans and host sweeps. The packet-based protection protects against large ICMP
packets and ICMP fragment attacks.
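The three protection classes named above, as an added example that is not Palo Alto Networks code: a simplified model of flood thresholds (alarm, activate, maximum), reconnaissance (port scan and host sweep) and packet-based checks, run over constructed traffic records. The record layout, the thresholds and the sample traffic are assumptions chosen for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # seconds since start of the sample
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    dport: int = 0
    syn: bool = False    # TCP SYN without ACK (a new-connection attempt)
    size: int = 64       # bytes
    fragment: bool = False


def _in_flood_class(p, cls):
    """SYN floods count only TCP SYNs; UDP/ICMP floods count every packet."""
    if cls == "syn":
        return p.proto == "tcp" and p.syn
    return p.proto == cls


def flood_rate(packets, cls, window=1.0):
    """Peak packets per `window` seconds for one flood class."""
    times = sorted(p.ts for p in packets if _in_flood_class(p, cls))
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] >= window:   # slide the window's left edge
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def flood_verdict(rate, alarm, activate, maximum):
    """Three-tier response modelled on the Alarm / Activate / Maximum rates of a
    zone protection profile: log only, start mitigation, drop the excess."""
    if rate >= maximum:
        return "drop"
    if rate >= activate:
        return "mitigate"     # e.g. SYN cookies or random early drop
    if rate >= alarm:
        return "alarm"
    return "ok"


def reconnaissance(packets, interval=2.0, threshold=10):
    """Port scan: one source hits more than `threshold` distinct ports on one
    host. Host sweep: one source hits more than `threshold` distinct hosts.
    Both are judged within any `interval`-second window per source."""
    findings = set()
    by_src = defaultdict(list)
    for p in packets:
        if p.proto in ("tcp", "udp"):
            by_src[p.src].append(p)
    for src, plist in by_src.items():
        plist.sort(key=lambda p: p.ts)
        for i, first in enumerate(plist):
            window = [p for p in plist[i:] if p.ts - first.ts < interval]
            ports, hosts = defaultdict(set), set()
            for p in window:
                ports[p.dst].add(p.dport)
                hosts.add(p.dst)
            for dst, seen in ports.items():
                if len(seen) > threshold:
                    findings.add(("port-scan", src, dst))
            if len(hosts) > threshold:
                findings.add(("host-sweep", src))
    return findings


def packet_based(packets, icmp_max=1024):
    """Packet-based protection: oversized ICMP and ICMP fragments."""
    findings = []
    for p in packets:
        if p.proto != "icmp":
            continue
        if p.fragment:
            findings.append(("icmp-fragment", p.src))
        elif p.size > icmp_max:
            findings.append(("icmp-large", p.src))
    return findings


# Constructed sample traffic (not a real capture); RFC 5737 addresses.
SAMPLE = (
    # 120 SYNs to one service within one second
    [Packet(i / 120, "203.0.113.9", "192.0.2.10", "tcp", 443, True)
     for i in range(120)]
    # 15 distinct ports on one host within a second
    + [Packet(10.0 + i * 0.05, "198.51.100.7", "192.0.2.20", "tcp", 20 + i, True)
       for i in range(15)]
    # one probe to each of 12 hosts
    + [Packet(20.0 + i * 0.1, "198.51.100.8", f"192.0.2.{30 + i}", "tcp", 22, True)
       for i in range(12)]
    # one oversized ICMP packet and one ICMP fragment
    + [Packet(30.0, "198.51.100.9", "192.0.2.40", "icmp", size=1500),
       Packet(30.1, "198.51.100.9", "192.0.2.40", "icmp", fragment=True)]
    # benign: three ordinary HTTPS connections, one per second
    + [Packet(40.0 + i, "192.0.2.50", "192.0.2.10", "tcp", 443, True)
       for i in range(3)]
)
```

Running `flood_verdict(flood_rate(SAMPLE, "syn"), 50, 100, 200)` on the sample lands in the "mitigate" tier, while the benign client never trips any check.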

23. What is a WAF? What purpose does it serve?
WAF is the short form of Web Application Firewall. It monitors web applications for
security issues, which may arise due to errors in the code.

24. Which are the log types that can be viewed in Palo Alto?
You can view:

Traffic Logs
Threat Logs
URL Filtering Logs
WildFire Submissions Logs
Data Filtering Logs
Correlation Logs
Tunnel Inspection Logs
Unified Logs
HIP Match Logs
GTP Logs
SCTP Logs
System Logs
Alarm Logs
Configuration Logs

25. What is the function of Palo Alto WildFire?
Palo Alto WildFire highlights the threats that need more attention using a threat
intelligence prioritization feature called AutoFocus. It is a cloud-based service
that provides malware sandboxing.

26. What are Active/Passive and Active/Active modes in Palo Alto?
These are the HA modes in which Palo Alto can be configured. Here is a brief
description of these modes:

Active/Passive: This mode is supported in the virtual wire, Layer 2, and Layer 3
deployment types. In this mode, the configuration settings are shared by both
firewalls. If the active firewall fails, the passive firewall becomes active and
maintains network security.
Active/Active: This mode is supported in the virtual wire and Layer 3 deployment
types. In this mode, both firewalls work synchronously and process traffic.

27. What are HA1 and HA2 in Palo Alto?
HA1 and HA2 are dedicated HA ports. HA1 is a control link whereas HA2 is a data
link. These links are used by the firewalls to synchronize data and maintain state
information.

28. What is HA in Palo Alto?
HA is the short form of High Availability. HA is a deployment type in which two
firewalls are placed together and their configuration is synchronized. This is done
to prevent a single point of failure in the network. This HA deployment enables
redundancy and ensures business continuity. If one firewall fails, the other one
keeps securing the traffic.

29. What is HA Lite in Palo Alto? What are its capabilities? Which features are not
available in HA Lite?
The high-availability feature on the PA-200 is called HA Lite. HA Lite provides a
lighter version of the HA capabilities. Some of the capabilities of HA Lite include
DHCP lease information, PPPoE lease information, A/P high availability without
session sync, failover of IPSec tunnels, configuration sync, and Layer 3 forwarding
tables. Some of the features that are not available in HA Lite include jumbo
frames, link aggregation, A/A high availability, and A/P high availability with
session synchronization.
Palo Alto Interview Questions For Experienced

30. What is the VPN deployment type in which a GlobalProtect agent is used?
The GlobalProtect agent is used in the Remote User-to-Site VPN deployment. It
enables the remote user to establish a secure connection through the firewall.

31. Which media types does the firewall support?
Palo Alto Networks firewalls support two media types: copper and fiber optic.

32. Which port types are recommended for use in an HA pair in Palo Alto?
The recommended ports to be used in HA are:

HA1, HA1-A, and HA1-B - for HA control and synchronization traffic
HA2 and HSCI (High-Speed Chassis Interconnect) ports - for HA session setup traffic
AUX-1 and AUX-2 (multipurpose auxiliary ports) - for PA-5200 Series firewalls

33. What is an HSCI port?
It is a Layer 1 SFP+ interface. In an HA configuration, this port connects two
PA-3200 Series firewalls. This port can be used for HA2 and HA3 connections. Raw
Layer 1 traffic is transmitted on the HSCI ports.

34. What does GlobalProtect VPN support?
GlobalProtect VPN supports clientless SSL VPN and provides access to applications
in the data center.

35. What are the log forwarding options supported in the Palo Alto firewall?
The log forwarding options supported in Palo Alto include the following:
Forwarding of logs from firewalls to Panorama and from Panorama to external
services
Forwarding of logs from firewalls to Panorama and to external services in parallel

36. What is the purpose of the virtual wire interface in the Palo Alto firewall?
A virtual wire interface allows the transmission of traffic between two interfaces
by binding them together.

37. What is the Application Command Center (ACC)?
The Application Command Center provides visibility into traffic patterns and
actionable information on threats by using the firewall logs.

38. What is Application Override in Palo Alto?
Application Override is used to override the App-ID (normal Application
Identification) of specific traffic transmitted through the firewall.

39. What is the purpose of Palo Alto AutoFocus?
AutoFocus is a threat intelligence service that provides easier identification of
critical attacks so that effective action can be taken without the need for
additional resources.
40. What is Application Incomplete in Palo Alto?
Application Incomplete means that either the three-way TCP handshake was not
completed, or it was completed but there was no data to identify the application
after the handshake.

41. What is U-turn NAT in Palo Alto?
In Palo Alto, U-turn NAT is the logical path that traffic takes when it accesses an
internal resource by resolving its external address. Internal users reach an
internal DMZ server using the external public IP address of the server.

42. What is App-ID in Palo Alto?
App-ID allows you to view the applications on your network and learn about their
functionality, behavioral traits, and risk level. Multiple techniques, such as
application signatures, decryption (if necessary), protocol decoding, and
heuristics, are used to identify applications and application services. This
enables fine-grained management, such as permitting only sanctioned Office 365
accounts, or allowing Slack for instant messaging but not for file transfer.

43. What is Palo Alto Content-ID?
Content-ID combines a real-time threat prevention engine with a large URL database
and application identification features to:

Limit unauthorized data and file transfers.
Detect and block exploits, malware, and malware communications.
Regulate unapproved internet usage.

App-ID's visibility and control, along with Content-ID's inspection, allow your IT
team to regain control over application traffic and related content.

44. In Palo Alto, what is HA Lite?
The high-availability feature of the PA-200 is referred to as HA Lite. It provides
a slimmed-down version of the HA features present on other Palo Alto Networks
hardware platforms. Because there are only a few ports available for
synchronization on the PA-200, a limited version of HA is required.

45. What kind of firewall is Palo Alto?
Palo Alto Networks' VM-Series is a virtualized next-generation firewall that runs
on the PAN-OS operating system. The VM-Series recognizes, manages, and safely
enables intra-host communications, and includes virtualization security features.

46. What is Palo Alto WildFire?
The industry's most advanced analysis and prevention engine for highly evasive
zero-day vulnerabilities and malware is the Palo Alto Networks WildFire cloud-based
threat analysis service.

47. In Palo Alto, what is a dynamic update?
Through dynamic updates, Palo Alto Networks regularly publishes new and modified
applications, threat protection, and GlobalProtect data files. Without requiring
configuration changes, the firewall can retrieve these updates and use them to
enforce policy.

48. What is the content update for Palo Alto?
Palo Alto Networks next-generation firewalls receive the most up-to-date threat
prevention and application identification technology through updates to the
Applications and Threats content. The firewall receives the latest application and
threat signatures via content updates for Applications and Threats.

49. Is it true that updates to Palo Alto are cumulative?
Content updates are cumulative, which means that the most recent content update
always incorporates the application and threat signatures of all previous versions.

50. What is Palo Alto AutoFocus?
AutoFocus is a cloud-based threat intelligence tool that helps you quickly detect
critical attacks so you can properly triage and respond without requiring
additional IT resources.

51. What is a Palo Alto sinkhole?
The DNS sinkhole allows the Palo Alto Networks device to fabricate a response to a
DNS query for a known malicious domain/URL, causing the malicious domain name to
resolve to a client-defined IP address (fake IP).
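The sinkhole behaviour described here and in question 76, as an added example that is not Palo Alto Networks code: a resolver that forges the answer for a known-malicious name, and a traffic-log pass that finds the infected clients by their connections to the sinkhole address. The reason the forged answer points at a fake IP is that a query relayed through an internal DNS server reaches the firewall with the DNS server as its source, so only the client's own connection to the sinkhole address reveals which host is infected. The sinkhole address, the internal DNS address, the domain lists and the log lines are all constructed for this example.

```python
from collections import defaultdict

# Constructed values (RFC 5737 / documentation names), not the firewall's real
# defaults: a sinkhole address should be an unused address under your control.
SINKHOLE_IP = "198.51.100.254"
INTERNAL_DNS = "10.0.0.53"
MALICIOUS_DOMAINS = {"evil-c2.example", "malware-drop.example"}
UPSTREAM = {"www.example.org": "203.0.113.80"}   # stand-in for real resolution


def is_malicious(name):
    """Exact match or any subdomain of a known-malicious name."""
    name = name.rstrip(".").lower()
    return name in MALICIOUS_DOMAINS or any(
        name.endswith("." + d) for d in MALICIOUS_DOMAINS)


def resolve(name, seen_src, threat_log):
    """Forge the answer for a malicious name (the sinkhole action) and record
    the event with the source the firewall actually saw the query from;
    otherwise answer from the upstream table (None models NXDOMAIN)."""
    name = name.rstrip(".").lower()
    if is_malicious(name):
        threat_log.append(("sinkhole", name, seen_src))
        return SINKHOLE_IP
    return UPSTREAM.get(name)


def infected_hosts(traffic_log):
    """Count sessions per source address that went to the sinkhole address.
    Traffic log lines are 'time,src,dst,dport,action' (constructed format)."""
    hits = defaultdict(int)
    for line in traffic_log:
        _time, src, dst, _dport, _action = line.split(",")
        if dst == SINKHOLE_IP:
            hits[src] += 1
    return dict(hits)


def lookup_and_connect(client_ip, name, via_internal_dns=True):
    """Model a client that resolves `name` and then connects to the answer.

    With an internal DNS server in the path, the threat log entry carries the
    DNS server as source, while the client's connection to the sinkhole address
    appears in the traffic log under the client's real address."""
    threat_log, traffic_log = [], []
    query_src = INTERNAL_DNS if via_internal_dns else client_ip
    answer = resolve(name, query_src, threat_log)
    if answer is not None:
        traffic_log.append(f"t0,{client_ip},{answer},443,allow")
    return threat_log, traffic_log


# Constructed traffic log collected after the sinkhole has been in place.
TRAFFIC_LOG = [
    "2024-05-01T10:00:01,10.0.1.25,198.51.100.254,443,allow",
    "2024-05-01T10:00:02,10.0.1.25,198.51.100.254,443,allow",
    "2024-05-01T10:00:05,10.0.2.40,203.0.113.80,443,allow",
    "2024-05-01T10:00:09,10.0.3.77,198.51.100.254,80,allow",
]
```

`infected_hosts(TRAFFIC_LOG)` names 10.0.1.25 and 10.0.3.77 as hosts that tried to reach the sinkhole, which is the list an analyst would hand to the endpoint team.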

52. In Palo Alto, what are the primary types of NAT?
Dynamic IP and Port (DIPP) - Multiple hosts can have their source IP addresses
translated to the same public IP address with different port numbers.
Dynamic IP - Allows one-to-one dynamic translation of a source IP address alone (no
port number) to the next available address in the NAT address pool.
Static IP - Allows a one-to-one static translation of a source IP address, but does
not change the source port.

53. What is the difference between source and destination network address
translation (NAT)?
Destination NAT translates the destination addresses and ports of packets. Source
NAT translates private IP addresses to public IP addresses so that intranet users
can access the Internet using public IP addresses.
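The three source-NAT types above, destination NAT, and the pre-NAT-address / post-NAT-zone rule from questions 6 and 83 (including the U-turn case from questions 7, 17 and 41), as an added example that is not Palo Alto Networks code. The public addresses, pool, zone table, DNAT map and the counter-based port allocation are assumptions for illustration; the ingress zone is approximated here by a route lookup on the source address.

```python
import ipaddress
from itertools import count


class SourceNat:
    """Toy model of the three source-NAT types: one public address for DIPP,
    a small pool for Dynamic IP, a fixed map for Static IP."""

    def __init__(self, dipp_public_ip, dynamic_pool, static_map, first_port=1024):
        self.dipp_public_ip = dipp_public_ip
        self.dynamic_pool = list(dynamic_pool)
        self.static_map = dict(static_map)
        self._ports = count(first_port)   # assumption: sequential port allocation
        self.dipp_table = {}     # (src_ip, src_port) -> (public_ip, public_port)
        self.dynamic_table = {}  # src_ip -> pool address

    def dipp(self, src_ip, src_port):
        """Many hosts share one public IP; the port distinguishes their flows."""
        key = (src_ip, src_port)
        if key not in self.dipp_table:
            self.dipp_table[key] = (self.dipp_public_ip, next(self._ports))
        return self.dipp_table[key]

    def dynamic_ip(self, src_ip, src_port):
        """One-to-one to the next free pool address; the source port is kept."""
        if src_ip not in self.dynamic_table:
            if not self.dynamic_pool:
                raise RuntimeError("Dynamic IP pool exhausted")
            self.dynamic_table[src_ip] = self.dynamic_pool.pop(0)
        return self.dynamic_table[src_ip], src_port

    def static_ip(self, src_ip, src_port):
        """Fixed one-to-one mapping; the address changes, the port does not."""
        return self.static_map[src_ip], src_port


def destination_nat(dst_ip, dst_port, dnat_map):
    """Destination NAT rewrites the destination address (and optionally port);
    unmapped destinations pass through unchanged."""
    return dnat_map.get((dst_ip, dst_port), (dst_ip, dst_port))


def zone_of(ip, zone_table):
    """Route-lookup stand-in: the longest matching prefix decides the zone."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, zone in zone_table.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, zone)
    return best[1] if best else "untrust"


def security_match(src_ip, dst_ip, dst_port, dnat_map, zone_table):
    """What a security rule must reference when NAT applies: the pre-NAT
    addresses (as the packet arrived) but the post-NAT zones (where the
    translated destination is routed)."""
    nat_dst_ip, _ = destination_nat(dst_ip, dst_port, dnat_map)
    return {"src": src_ip, "dst": dst_ip,
            "from_zone": zone_of(src_ip, zone_table),
            "to_zone": zone_of(nat_dst_ip, zone_table)}


# Constructed topology (RFC 5737 public addresses): a DMZ server 10.0.1.80 is
# published as 203.0.113.80:443, so an internal client hitting the public
# address is the U-turn case.
ZONES = {"10.0.0.0/16": "trust", "10.0.1.0/24": "dmz", "0.0.0.0/0": "untrust"}
DNAT = {("203.0.113.80", 443): ("10.0.1.80", 8443)}
```

For the U-turn flow, `security_match("10.0.0.1", "203.0.113.80", 443, DNAT, ZONES)` keeps the public destination address but reports `to_zone` as `dmz`, which is the combination the rule has to be written against.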

54. What are the different configuration modes for Palo Alto interfaces?
Tap mode: With the use of a tap or switch SPAN/mirror port, users can observe any
form of traffic flow throughout the networking system.
Virtual Wire: The firewall is installed passively on a network segment using this
deployment model, which binds two interfaces together.
Layer 2 mode: Multiple interfaces are configured into a "virtual switch" or VLAN in
this mode.
Layer 3 deployment: In this deployment, the Palo Alto firewall routes traffic
between its interfaces. The user must assign an IP address to each interface.

55. What are the benefits of using Palo Alto Networks products?
Palo Alto Networks' products offer unparalleled insight into network traffic and
malicious activity, both in the network and on the endpoint. When this visibility
is combined with Splunk, a customer can perform correlations and analyses across a
variety of data types. Correlations can be made between multiple types of Palo Alto
Networks data, such as comparing WildFire reports with traffic logs to find
infected hosts, or firewall logs with endpoint logs. But correlations and analyses
across various sources of data and vendors, such as correlating firewall logs with
web server logs or advanced endpoint security logs with Windows event logs, are
where Splunk's true power lies.

1. Palo Alto is a stateful firewall. What does it mean?


A stateful firewall means all the traffic that is transmitted through the firewall
is matched against a session. Also, each session is matched against a security
policy as well.

2. Palo Alto is touted as the next-generation firewall. What are the reasons for
this?
Palo Alto has everything that is needed to call it the next-generation firewall. It
has an intrusion prevention system. It also has application control features. In
terms of delivery, it is much different from other vendors. It delivers the next-
generation features using a single platform.

3. What is the advantage of Palo Alto’s Single Pass Parallel Processing (SP3)
architecture?
The following are the advantages of Single Pass Parallel Processing (SP3)
architecture:

High throughput and low latency


Active security functions
Provision of single and fully integrated policy
Easier management of firewall policy

Subscribe to explore the latest tech updates, career transformation tips, and much
more.

Subscribe Now

4. Why use Palo Alto Networks together with My Splunk?


Palo Alto provides the visibility that is needed by Splunk to provide actionable
and usable insights. Both Palo Alto and Splunk work together to keep the network
secure.

5. What is the difference between PA-200 and PA-500 and the higher models?
Activities such as signature process and network processing are implemented on
software in PA-200 and PA-500. However, the higher models contain a dedicated
hardware processor.

6. Security policy rule contains addresses where NAT policy applies. Which address
needs to be used in the security policy?
You need to use the Pre-NAT address and Post-Nat zone.

7. When is U-turn NAT applicable? How to configure it?


When there is a need for the internal resources on a trust zone to access DMZ
resources using public IP addresses of an untrusted zone, the U-turn NAT is
applicable.

8. What is a Tap deployment mode?


The Tap deployment mode is the one, which allows monitoring of traffic passively
across the network. It uses a tap or switch SPAN/mirror port for this purpose.

9. What is Virtual ware deployment mode?


In the Virtual ware deployment mode, the firewall is installed transparently on a
network segment. The installation will be done by binding two interfaces into a
single set.

10. What is a Layer2 deployment mode?


In the Layer2 deployment mode, multiple interfaces are configured into a virtual
switch or VLAN in L2 mode.

11. What is a Layer3 deployment mode?


In the Layer3 deployment mode, traffic is routed by a firewall across multiple
interfaces. To do this, each interface needs to be assigned an IP address. Besides,
a virtual router also needs to be defined to route the traffic.

12. Which mode comes pre-configured in Palo Alto?


Palo Alto comes with Virtual Wire mode by default.

13. What are the features Palo Alto supports when it is in Virtual Wire mode?
When in Virtual Wire mode, Palo Alto supports features such as

App-ID
Decryption
Content-ID
User-ID
NAT
14. What is App-ID?
App-ID is the short form for Application Identification. It is the main component
in Palo Alto. The responsibility of App-ID is to identify the applications, which
traverse the firewalls independently.

15. What are the benefits of using Panorama in Palo Alto?


There are multiple benefits to using Panorama. Some of these benefits include:

You can update the software in bulk with a single click.


You can get a complete report, which enables you to validate the compliance status.
You can use Panorama logs from managed services, which enables solving logging
issues.
16. What are the main areas Panorama adds value to?
The following are the main areas in which Panorama adds value:

Distributed administration, which enables to control and delegate access to


firewall configurations locally and globally.
Centralized configuration and deployment.
Logging (aggregated) with central oversight for analysis and reporting.
17. What is U-Turn NAT in Palo Alto?

U-Turn NAT is the logical path traffic takes when internal users access an
internal (DMZ) server by its external public IP address instead of its private
one. The firewall needs a NAT rule matching the internal source zone to the
untrust zone (the zone the public address routes to) that translates the
destination back to the server's private address. If the client and the server
share a network segment, the rule must also translate the source address;
otherwise the server replies directly to the client, the reply never passes the
firewall, and the client resets the session.

18. What is a virtual router in Palo Alto?

A virtual router is the firewall's Layer 3 routing instance. Layer 3 interfaces
are attached to a virtual router, which builds its routing table from connected
routes, static routes, and any dynamic routing protocols configured on it (RIP,
OSPF, BGP). A firewall can run several virtual routers with separate routing
tables, which allows overlapping address space and traffic separation; routes can
be exchanged between them with static routes that point at another virtual router.

19. What is a virtual system in Palo Alto?

A virtual system (vsys) is an independent logical firewall inside a single
physical or virtual firewall, with its own interfaces, zones, policies, objects,
logs, and administrators. Traffic belonging to one virtual system is kept separate
from the others, which makes vsys suitable for multi-tenant or departmental
separation on shared hardware. Support for, and the number of, virtual systems
depends on the platform and its license.

20. What is endpoint security in Palo Alto?

Endpoint security protects the individual devices that access the network, such
as servers, workstations, laptops, and smartphones, together with the sensitive
data on them. It covers the techniques, tools, and products used to prevent,
detect, and respond to attacks on those devices. In the Palo Alto Networks
portfolio this is the role of the Cortex XDR agent (formerly Traps), which
complements the firewall's network-level protection.

21. What is a Single Pass processing architecture?

Palo Alto Networks' Single Pass Parallel Processing (SP3) architecture handles
each packet once. Networking functions, policy lookup, application identification,
protocol decoding, and signature matching for all threat types are performed in a
single pass over the packet stream, and content is scanned once rather than by
several separate engines in series. This keeps latency predictable even when
every inspection feature is enabled.

22. What is a Zone Protection profile?

A Zone Protection profile is attached to a zone and protects the firewall and the
hosts behind it from attacks arriving on that zone's interfaces. It has three
parts:

Flood protection: rate thresholds for SYN, ICMP, ICMPv6, UDP, and other-IP
floods. Each has an alarm rate (log only), an activate rate (start mitigation;
for SYN floods either Random Early Drop or SYN cookies), and a maximum rate above
which new connections are dropped.
Reconnaissance protection: detects TCP and UDP port scans and host sweeps from a
source within a time interval, and can alert, block, or block the source IP for a
period.
Packet-based attack protection: drops malformed or abusive packets such as
spoofed source addresses, large ICMP packets (over 1024 bytes), ICMP fragments,
and TCP segments with illegal flag combinations.

The profile acts on the aggregate traffic entering the zone before security
policy is evaluated; limits for an individual server or destination are
configured with DoS Protection policies and profiles instead.
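The following is an added example, not code from the page or from Palo Alto Networks: a simplified model of the three checks above (flood thresholds, reconnaissance detection, packet-based drops) run over a constructed packet capture. The threshold values, the 2-second reconnaissance interval, and the sample packets are assumptions chosen for the demonstration; the 1024-byte ICMP limit is the one PAN-OS uses.

```python
# Added example (not from the page and not PAN-OS code): a simplified model
# of the three checks a Zone Protection profile performs on traffic entering
# a zone. All thresholds and the sample packets are constructed assumptions.
from collections import defaultdict

# Flood protection, modelled on the Alarm / Activate / Maximum rates of a
# SYN flood profile (SYNs per second for the whole zone). Assumed values.
SYN_ALARM, SYN_ACTIVATE, SYN_MAXIMUM = 5, 10, 20
# Reconnaissance protection: distinct ports on one host (scan) or distinct
# hosts (sweep) seen from one source inside the interval. Assumed values.
RECON_INTERVAL, SCAN_THRESHOLD, SWEEP_THRESHOLD = 2.0, 8, 8
# Packet-based protection: PAN-OS treats ICMP packets over 1024 bytes as large.
ICMP_LARGE = 1024


def is_syn(pkt):
    return pkt["proto"] == "tcp" and pkt["flags"] == "S"


def syn_flood_verdicts(packets):
    """Aggregate SYN rate per one-second bucket -> level for that second.

    Zone protection counts SYNs for the entire ingress zone, not per server;
    per-destination limits belong in a DoS Protection policy.
    """
    per_sec = defaultdict(int)
    for pkt in packets:
        if is_syn(pkt):
            per_sec[int(pkt["ts"])] += 1
    verdicts = {}
    for sec, rate in sorted(per_sec.items()):
        if rate > SYN_MAXIMUM:
            verdicts[sec] = "maximum"    # SYNs above the cap are dropped
        elif rate > SYN_ACTIVATE:
            verdicts[sec] = "activate"   # SYN cookies (or RED) switch on
        elif rate > SYN_ALARM:
            verdicts[sec] = "alarm"      # logged, nothing dropped yet
        else:
            verdicts[sec] = "normal"
    return verdicts


def recon_events(packets):
    """TCP port scans and host sweeps per source within RECON_INTERVAL."""
    events = set()
    by_src = defaultdict(list)
    for pkt in packets:
        if is_syn(pkt):
            by_src[pkt["src"]].append(pkt)
    for src, pkts in by_src.items():
        pkts.sort(key=lambda p: p["ts"])
        for i, first in enumerate(pkts):
            window = [p for p in pkts[i:] if p["ts"] - first["ts"] <= RECON_INTERVAL]
            ports_per_host = defaultdict(set)
            for p in window:
                ports_per_host[p["dst"]].add(p["dport"])
            if len(ports_per_host) >= SWEEP_THRESHOLD:
                events.add(("host-sweep", src))
            if any(len(ports) >= SCAN_THRESHOLD for ports in ports_per_host.values()):
                events.add(("tcp-port-scan", src))
    return events


def packet_based_drops(packets):
    """Malformed or abusive packets dropped regardless of rate."""
    drops = []
    for pkt in packets:
        if pkt["proto"] == "icmp" and pkt["length"] > ICMP_LARGE:
            drops.append(("icmp-large-packet", pkt["src"]))
        elif pkt["proto"] == "icmp" and pkt.get("fragment"):
            drops.append(("icmp-fragment", pkt["src"]))
    return drops


def sample_packets():
    """Constructed capture: normal traffic, a SYN burst, a port scan, a big ping."""
    def tcp_syn(ts, src, dst, dport):
        return dict(ts=ts, src=src, dst=dst, dport=dport, proto="tcp", flags="S", length=60)
    pkts = [tcp_syn(0.1 * i, f"198.51.100.{i + 1}", "10.0.0.10", 443) for i in range(3)]
    pkts += [tcp_syn(1.0 + 0.05 * i, "203.0.113.7", "10.0.0.10", 443) for i in range(15)]
    pkts += [tcp_syn(2.0 + 0.1 * k, "203.0.113.9", "10.0.0.20", 20 + k) for k in range(9)]
    pkts.append(dict(ts=3.0, src="203.0.113.9", dst="10.0.0.20", dport=0, proto="icmp", flags="", length=84))
    pkts.append(dict(ts=3.1, src="203.0.113.11", dst="10.0.0.20", dport=0, proto="icmp", flags="", length=1500))
    return pkts


if __name__ == "__main__":
    caps = sample_packets()
    print(syn_flood_verdicts(caps))   # {0: 'normal', 1: 'activate', 2: 'alarm'}
    print(recon_events(caps))         # {('tcp-port-scan', '203.0.113.9')}
    print(packet_based_drops(caps))   # [('icmp-large-packet', '203.0.113.11')]
```

Note that the 15-SYN burst in second 1 comes from a single host to a single port, so it trips the flood threshold but not the scan detector, while the 9-port probe in second 2 only reaches the alarm level as a flood but is caught as a scan: the two mechanisms look at different properties of the same traffic.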

23. What is a WAF? What purpose does it serve?

A WAF (Web Application Firewall) inspects HTTP and HTTPS traffic between clients
and a web application at the application layer. It blocks attempts to exploit
flaws in the application's own code, such as SQL injection and cross-site
scripting, which look like ordinary HTTP requests to a network firewall. A WAF
complements rather than replaces a next-generation firewall: the NGFW's threat
prevention blocks known exploit signatures in any protocol, while a WAF
understands the structure of the specific web application it protects.

24. Which are the log types that can be viewed in Palo Alto?

The firewall keeps separate logs per type, viewable under Monitor > Logs:

Traffic logs
Threat logs
URL Filtering logs
WildFire Submissions logs
Data Filtering logs
Correlation logs
Tunnel Inspection logs
Unified logs (traffic, threat, URL, WildFire, and data entries in one view)
HIP Match logs
GTP logs
SCTP logs
System logs
Alarm logs
Configuration logs

Newer PAN-OS releases add Authentication logs and Decryption logs to this list.

25. What is the functioning of Palo Alto WildFire?

WildFire is Palo Alto Networks' cloud-based malware sandboxing service. The
firewall forwards unknown files and links to WildFire, which analyzes them and
returns a verdict, and signatures for newly identified malware are delivered back
to all subscribed firewalls through content updates. AutoFocus, a separate threat
intelligence service, builds on WildFire data to highlight which of the threats
seen in an organization deserve attention first.

26. What are Active/Passive and Active/Active modes in Palo Alto?

These are the two high availability (HA) modes in which a pair of firewalls can
be configured:

Active/Passive: supported in virtual wire, Layer 2, and Layer 3 deployments.
Both firewalls share the same configuration, but only the active firewall
processes traffic while the passive one stands by with synchronized session
state. If the active firewall fails, the passive one takes over and existing
sessions continue without being re-established.
Active/Active: supported in virtual wire and Layer 3 deployments only. Both
firewalls process traffic at the same time and synchronize sessions; each session
has an owner, and an HA3 link forwards packets between the peers when the
non-owner receives them. It is more complex to operate and is normally chosen
only where asymmetric routing or dual-ISP designs require both firewalls to be
active.

27. What are HA1 and HA2 in Palo Alto?

HA1 and HA2 are the links between the two members of an HA pair, carried on
dedicated HA ports where the platform has them and on data-plane interfaces
otherwise. HA1 is the control link: it carries hello messages and heartbeats, HA
state information, and configuration synchronization, and can be encrypted. HA2
is the data link: it synchronizes session tables, forwarding tables, IPSec
security associations, and ARP tables so that the peer can take over without
dropping established sessions. Active/Active deployments additionally use an
HA3 link for packet forwarding between the peers.

28. What is HA in Palo Alto?

HA stands for High Availability. It is a deployment in which two firewalls of the
same model and PAN-OS version are paired and their configuration and session
state are synchronized, so that the firewall is not a single point of failure in
the network. If one firewall fails, the other keeps enforcing policy on the
traffic and the business keeps running. Backup HA1 and HA2 links should be
configured so that the loss of a single link does not cause both firewalls to
believe they are active (split brain).

29. What is HA Lite in Palo Alto? What are its capabilities? Which features are
not available in HA Lite?

HA Lite is the high-availability feature of the PA-200, a lighter version of the
HA capabilities of the larger platforms. HA Lite provides Active/Passive HA
without session synchronization, configuration sync, synchronization of DHCP
lease and PPPoE information, failover of IPSec tunnels, and synchronization of
Layer 3 forwarding tables. Features not available in HA Lite include jumbo
frames, link aggregation, Active/Active HA, and Active/Passive HA with session
synchronization.

Palo Alto Interview Questions For Experienced


30. What is the VPN deployment type in which a GlobalProtect agent is used?

The GlobalProtect agent (app) is used in remote user-to-site VPN deployments. The
app on the user's device authenticates to a GlobalProtect portal, receives its
configuration, and then establishes an SSL or IPSec tunnel to a GlobalProtect
gateway on the firewall, so the remote user's traffic is inspected by the same
policy as on-site traffic.

31. Which are the media types that the firewall supports?

Palo Alto Networks firewalls support two physical media types: copper and fiber
optic, the exact ports and speeds depending on the platform.

32. Which are the port types recommended to use in a HA pair in Palo Alto?

The recommended ports for HA are:

HA1, HA1-A, and HA1-B: for HA control traffic and configuration synchronization
HA2 and HSCI (High-Speed Chassis Interconnect) ports: for HA session
synchronization traffic
AUX-1 and AUX-2 (multipurpose auxiliary ports): on PA-5200 Series firewalls

33. What is an HSCI port?

The HSCI port is a Layer 1 SFP+ interface used in an HA configuration to connect
two PA-3200 Series firewalls directly. It can carry the HA2 and HA3 connections.
Raw Layer 1 traffic is transmitted on the HSCI ports, so they are connected
back-to-back rather than through a switch.

34. What does GlobalProtect VPN support?

Besides the agent-based VPN, GlobalProtect supports a Clientless VPN that gives
users browser-based access to web applications in the data center without
installing any software on the device.

35. What are the log forwarding options supported in the Palo Alto firewall?

Firewalls forward logs according to Log Forwarding profiles attached to security
rules (for traffic, threat, URL filtering, WildFire, and data filtering logs) and
device-level log settings (for system, configuration, and HIP match logs). The
supported topologies are:

Forwarding from the firewalls to Panorama, with Panorama forwarding on to
external services such as syslog, SNMP, e-mail, or HTTP receivers.
Forwarding from the firewalls to Panorama and to external services in parallel.

36. What is the purpose of the virtual wire interface in the Palo Alto firewall?

A virtual wire interface is one of the two interfaces bound together into a
virtual wire. Traffic entering one interface is inspected and passed out of the
other, so the firewall sits in line without participating in routing or switching.

37. What is the Application Command Center (ACC)?

The Application Command Center is an interactive, graphical summary built from
the firewall's logs. It shows traffic patterns by application, user, source,
destination, and URL category, and presents threat activity in a way that points
to what needs attention, so an analyst can drill from a chart into the underlying
log entries.

38. What is Application Override in Palo Alto?

An Application Override policy forces the firewall to label traffic that matches
a given zone, address, port, and protocol as a specified (usually custom)
application instead of running App-ID on it. It exists for internal or
proprietary applications that App-ID would otherwise report as unknown or
misidentify. Because the override bypasses App-ID, it also bypasses Content-ID
threat inspection for that traffic, so it should be used sparingly and only for
trusted internal applications.

39. What is the purpose of Palo Alto AutoFocus?

AutoFocus is a cloud-based threat intelligence service. It correlates the
organization's own WildFire and firewall data with global threat intelligence to
identify which attacks are critical, so that the security team can prioritize and
respond without additional analysis resources.

40. What is Application Incomplete in Palo Alto?

"incomplete" in the traffic log means that either the TCP three-way handshake was
never completed (for example a port scan, a filtered port, or an unreachable
host) or it completed but the client sent no data afterwards, so there was
nothing for App-ID to inspect. It is distinct from "insufficient-data", which
means some data was exchanged but not enough to identify the application.

41. What is U-Turn NAT in Palo Alto?

U-Turn NAT is the logical path taken when traffic from inside the network reaches
an internal resource through that resource's external address, for example
internal users opening the DMZ web server by the public IP that its DNS name
resolves to. The packet heads towards the untrust zone, is destination-NATed
back to the server's private address, and the reply follows the same path back.

42. What is App-ID in Palo Alto?

App-ID lets you see the applications on your network and learn about their
function, behavioural characteristics, and risk level. It identifies applications
and application functions with several techniques: application signatures,
decryption (where policy allows), protocol decoding, and heuristics. The result
allows fine-grained control, such as permitting only sanctioned Office 365
accounts, or allowing Slack for instant messaging but not for file transfer.
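The following is an added example, not code from the page or from Palo Alto Networks, illustrating questions 14, 38, 40 and 42 together: a toy App-ID that classifies a TCP session from the bytes the client sends rather than from the port, reports "incomplete" or "insufficient-data" when it cannot, and shows how an application override rule pre-empts signature matching. The signature table, the 16-byte threshold, the session traces, and the override rule are all constructed assumptions.

```python
# Added example (not from the page and not PAN-OS code): a toy model of how
# App-ID classifies a TCP session from its payload rather than its port, and
# where "incomplete", "insufficient-data" and application override fit in.
# The signatures, sessions and thresholds below are constructed assumptions.
import re

# Toy signature table keyed on the first bytes the client sends. Real App-ID
# has thousands of signatures plus protocol decoders and heuristics.
SIGNATURES = [
    ("ssl", re.compile(rb"^\x16\x03[\x00-\x03]")),                  # TLS handshake record
    ("web-browsing", re.compile(rb"^(GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")),
    ("ssh", re.compile(rb"^SSH-2\.0-")),
]
MIN_BYTES_FOR_ID = 16   # assumed: less client data than this and no match -> insufficient-data


def classify_session(packets, dport, overrides=()):
    """packets: list of (direction, tcp_flags, payload); direction is 'c2s' or 's2c'.
    overrides: iterable of (port, app) application-override rules.
    Returns the application name the traffic log would show."""
    # Application override is evaluated first. It labels the session by port
    # and skips App-ID signature matching, which also means Content-ID threat
    # inspection is not applied to that traffic; use it only for trusted,
    # internal custom applications.
    for port, app in overrides:
        if port == dport:
            return app

    syn = synack = ack = False
    client_data = b""
    for direction, flags, payload in packets:
        if direction == "c2s" and flags == "S":
            syn = True
        elif direction == "s2c" and flags == "SA":
            synack = True
        elif direction == "c2s" and "A" in flags and synack:
            ack = True
        if direction == "c2s":
            client_data += payload

    # "incomplete": the three-way handshake never finished (scan, filtered
    # port, dead host) or it finished and the client then sent no data.
    if not (syn and synack and ack) or not client_data:
        return "incomplete"
    for app, sig in SIGNATURES:
        if sig.search(client_data):
            return app            # identified on payload, whatever the port
    # Handshake done and some data seen, but not enough to identify it.
    if len(client_data) < MIN_BYTES_FOR_ID:
        return "insufficient-data"
    return "unknown-tcp"


HANDSHAKE = [("c2s", "S", b""), ("s2c", "SA", b""), ("c2s", "A", b"")]
TLS_CLIENT_HELLO = b"\x16\x03\x01\x00\xc2\x01\x00\x00\xbe\x03\x03" + b"\x00" * 32  # truncated ClientHello
SESSIONS = {  # constructed session traces
    "tls_on_8443": HANDSHAKE + [("c2s", "PA", TLS_CLIENT_HELLO)],
    "http_on_8080": HANDSHAKE + [("c2s", "PA", b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n")],
    "syn_only": [("c2s", "S", b"")],
    "handshake_no_data": HANDSHAKE + [("c2s", "FA", b"")],
    "two_bytes": HANDSHAKE + [("c2s", "PA", b"\x00\x01")],
}


if __name__ == "__main__":
    for name, pkts in SESSIONS.items():
        tail = name.split("_")[-1]
        port = int(tail) if tail.isdigit() else 443
        print(f"{name:20s} -> {classify_session(pkts, port)}")
    # The same TLS session under an override rule is labelled by port, not payload:
    print(classify_session(SESSIONS["tls_on_8443"], 8443, overrides=[(8443, "custom-app")]))
```

The point of the last call is the practical one: once an override rule covers port 8443, the firewall reports "custom-app" even though the bytes are a TLS ClientHello, and no threat signature is evaluated against that session.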

43. What is Palo Alto Content-ID?

Content-ID combines a real-time threat prevention engine with a comprehensive
URL database and application identification to:

Limit unauthorized data and file transfers (data filtering and file blocking)
Detect and block exploits, malware, and malware command-and-control traffic
Control unapproved web usage with URL filtering

Together, App-ID's visibility and control over applications and Content-ID's
inspection of their content let the security team regain control over
application traffic and the content it carries.

44. In Palo Alto, what is HA Lite?

HA Lite is the high-availability feature of the PA-200. It is a slimmed-down
version of the HA features found on the other Palo Alto Networks hardware
platforms: because the PA-200 has only a few ports available for
synchronization, it supports configuration sync and failover but not session
synchronization or Active/Active HA.

45. What kind of firewall is Palo Alto?

Palo Alto Networks firewalls are stateful next-generation firewalls (NGFW): they
track sessions like a traditional stateful firewall and additionally classify
traffic by application (App-ID), user (User-ID), and content (Content-ID). PAN-OS
runs on the hardware PA-Series appliances and on the VM-Series, a virtualized
form factor for private and public clouds that applies the same policy to traffic
between virtual machines, including traffic that never leaves the hypervisor host.

46. What is Palo Alto WildFire?

WildFire is Palo Alto Networks' cloud-based threat analysis service for highly
evasive zero-day exploits and malware. The firewall forwards unknown files and
links to WildFire, which analyzes them with static analysis, dynamic execution in
a sandbox, and machine learning, and returns a verdict of benign, grayware,
malware, or phishing. Signatures for newly identified malware are then
distributed to all subscribed firewalls through content updates, so a sample that
evades signatures today is blocked once it has been analyzed.

47. In Palo Alto, what is a dynamic update?

Dynamic updates are the mechanism by which Palo Alto Networks regularly publishes
new and revised application signatures, threat signatures, antivirus and WildFire
signatures, and GlobalProtect data files. The firewall retrieves and installs them
on a schedule without any configuration change, so policy is enforced with current
signatures. Because an Applications update can add or change application
definitions, it can also change which security rule a given session matches;
review new App-IDs before installing them in environments with strict allow-list
policies.

48. What is the content update for Palo Alto?

Content updates deliver the latest application and threat signatures to the
firewall. The Applications and Threats content package carries both App-ID
definitions and the threat prevention signatures (vulnerability, spyware, and
command-and-control); an Applications-only package is available without a Threat
Prevention license. Installing them keeps application identification and threat
prevention current without a PAN-OS upgrade.

49. Is it true that updates to Palo Alto are cumulative?

Yes. Content updates are cumulative: the most recent content update contains all
application and threat signatures from previous versions, so installing the
latest version is sufficient and intermediate versions need not be applied one by
one.

50. What is Palo Alto AutoFocus?

AutoFocus is a cloud-based threat intelligence service that helps you quickly
identify the critical attacks among everything the firewalls and WildFire have
seen, so that you can triage and respond without additional analysis resources.

51. What is a Palo Alto sinkhole?

DNS sinkholing is an Anti-Spyware profile action. When a host queries a domain
that the firewall's DNS signatures (or an external dynamic list) identify as
malicious, the firewall fabricates the DNS response so that the name resolves to
an administrator-defined sinkhole IP address instead of the attacker's server.
Its main value is attribution: DNS queries usually reach the firewall from the
internal DNS server, so the threat log only shows the resolver, but the infected
host then tries to connect to the sinkhole address, and that connection appears
in the traffic log with the real client IP. The sinkhole address should be an
unused, routable address so that those connection attempts actually reach the
firewall and get logged.
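The following is an added example, not code from the page or from Palo Alto Networks, showing what the sinkhole does on the wire and how the sinkhole address is then used to find the infected host. The malicious-domain list stands in for the firewall's DNS signatures, the sinkhole IP is an assumed TEST-NET address, and the traffic-log records are constructed with only the fields the example needs.

```python
# Added example (not from the page and not PAN-OS code): what a DNS sinkhole
# does on the wire and how the sinkhole address is then used to find the
# infected host. The domain list, sinkhole IP and traffic-log records are
# constructed assumptions standing in for the firewall's DNS signatures and logs.
import struct

SINKHOLE_IP = "198.51.100.200"      # assumed: an unused, routed address chosen by the admin
MALICIOUS_DOMAINS = {"evil-c2.example", "update.bad-cdn.example"}   # constructed
INTERNAL_DNS = "10.0.0.53"          # assumed internal resolver


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def decode_name(msg, off):
    labels = []
    while msg[off] != 0:
        ln = msg[off]
        labels.append(msg[off + 1:off + 1 + ln].decode())
        off += 1 + ln
    return ".".join(labels), off + 1


def build_query(name, txid=0x1234):
    """A minimal A-record query as a client or resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, one question
    return header + encode_name(name) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def sinkhole(query, domains=MALICIOUS_DOMAINS, sinkhole_ip=SINKHOLE_IP):
    """Forge a response for a known-malicious name; return None otherwise so
    the real resolver's answer is used. The transaction ID and the question
    section are copied so the client accepts the answer as genuine."""
    txid = struct.unpack("!H", query[:2])[0]
    name, off = decode_name(query, 12)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    if name.lower() not in domains or qtype != 1:
        return None
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR|RD|RA, one answer
    rdata = bytes(int(o) for o in sinkhole_ip.split("."))
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, len(rdata)) + rdata
    return header + query[12:off + 4] + answer


def answer_ip(resp):
    """Read the A record out of a response built by sinkhole()."""
    _name, off = decode_name(resp, 12)
    off += 4 + 2                      # skip QTYPE/QCLASS and the 0xC00C name pointer
    rdlen = struct.unpack("!H", resp[off + 8:off + 10])[0]
    return ".".join(str(b) for b in resp[off + 10:off + 10 + rdlen])


def infected_hosts(traffic_logs, sinkhole_ip=SINKHOLE_IP):
    """The threat log for the sinkholed query shows the resolver (INTERNAL_DNS)
    as source, not the victim. The victim is whichever host then opens a
    connection to the sinkhole address, which the traffic log records."""
    return sorted({log["src"] for log in traffic_logs if log["dst"] == sinkhole_ip})


TRAFFIC_LOGS = [  # constructed traffic-log records (subset of fields)
    {"src": "10.0.0.77", "dst": "198.51.100.200", "dport": 443, "app": "ssl"},
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 443, "app": "ssl"},
    {"src": "10.0.0.77", "dst": "198.51.100.200", "dport": 80, "app": "web-browsing"},
    {"src": "10.0.0.91", "dst": "198.51.100.200", "dport": 8080, "app": "unknown-tcp"},
]

if __name__ == "__main__":
    query = build_query("evil-c2.example")      # as relayed by INTERNAL_DNS
    forged = sinkhole(query)
    print(answer_ip(forged))                     # 198.51.100.200
    print(sinkhole(build_query("www.example.com")))  # None: forwarded untouched
    print(infected_hosts(TRAFFIC_LOGS))          # ['10.0.0.77', '10.0.0.91']
```

If the sinkhole address were a real, in-use host or an unrouted address, the follow-up connections in TRAFFIC_LOGS would either hit that host or never reach the firewall, and the attribution step would fail; that is why the address must be unused but routable.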

52. In Palo Alto, what are the primary types of NAT?

The three source translation types are:

Dynamic IP and Port (DIPP): many hosts share one translated IP address (or a
small set of addresses) and the firewall also rewrites the source port to keep
sessions distinct. This is the usual choice for outbound Internet access.
Dynamic IP: one-to-one dynamic translation of the source IP address only (ports
unchanged) to the next available address in a pool; when the pool is exhausted
new sessions fail unless DIPP fallback is configured.
Static IP: a fixed one-to-one translation of the source address with the source
port unchanged; it can be made bidirectional so that the same mapping also serves
inbound connections.

Destination NAT translates the destination address, and optionally the
destination port, and is used for inbound access to servers with private
addresses.

53. What is the difference between source and destination network address
translation (NAT)?

Source NAT rewrites the source address (and, for DIPP, the source port) of
packets, typically to give hosts with private addresses an Internet-routable
address on the way out. Destination NAT rewrites the destination address and
optionally the destination port, typically to steer inbound connections for a
public address to a server on a private address. Both are defined in the same
NAT rulebase, and a single rule may do both, as U-Turn NAT does.

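The following is an added example, not code from the page or from Palo Alto Networks, that ties questions 17, 41, 52 and 53 together: a small model of how the firewall selects a NAT rule (pre-NAT zones and addresses, with the destination zone taken from a route lookup of the original destination), applies destination NAT and each of the three source-translation types, and why the U-turn case sometimes needs source translation. The topology, addresses, rulebase, and packets are constructed assumptions; the sequential port allocation for DIPP is a simplification.

```python
# Added example (not from the page and not PAN-OS code): a small model of how
# a Palo Alto firewall selects a NAT rule and applies destination NAT and the
# three source-translation types, including the U-turn case. The topology,
# addresses, rules and packets are constructed assumptions.
from ipaddress import ip_address, ip_network

ROUTES = [  # (prefix, zone of the egress interface); longest prefix wins
    (ip_network("10.0.0.0/24"), "trust"),
    (ip_network("192.168.1.0/24"), "dmz"),
    (ip_network("203.0.113.10/32"), "untrust"),  # the firewall's own public IP
    (ip_network("0.0.0.0/0"), "untrust"),
]
FIREWALL_IPS = {"203.0.113.10", "192.168.1.1"}  # the firewall's interface addresses


def zone_for(ip):
    """Route lookup -> zone. NAT 'to zone' is evaluated on the pre-NAT
    destination, which is why an inbound rule for a public IP that belongs to
    the firewall reads untrust -> untrust."""
    a = ip_address(ip)
    return max((r for r in ROUTES if a in r[0]), key=lambda r: r[0].prefixlen)[1]


class NatRule:
    def __init__(self, name, from_zones, to_zone, dst=None, src=None,
                 dst_xlate=None, src_xlate=None):
        self.name, self.from_zones, self.to_zone = name, from_zones, to_zone
        self.dst, self.src = dst, src      # pre-NAT match criteria (src is a CIDR)
        self.dst_xlate = dst_xlate         # destination NAT target
        # ("static-ip", ip) | ("dynamic-ip", [pool]) | ("dipp", ip)
        self.src_xlate = src_xlate


class NatEngine:
    def __init__(self, rules):
        self.rules = rules
        self.leases = {}      # (rule, original src) -> pool address (dynamic-ip)
        self.next_port = {}   # rule -> next translated port (dipp, simplified)

    def translate(self, pkt):
        out = dict(pkt, rule=None, action="allow")
        from_zone, to_zone = zone_for(pkt["src"]), zone_for(pkt["dst"])
        for r in self.rules:  # first match wins, as in the PAN-OS rulebase
            if from_zone not in r.from_zones or to_zone != r.to_zone:
                continue
            if r.dst and r.dst != pkt["dst"]:
                continue
            if r.src and ip_address(pkt["src"]) not in ip_network(r.src):
                continue
            out["rule"] = r.name
            if r.dst_xlate:
                out["dst"] = r.dst_xlate
            if r.src_xlate:
                kind, arg = r.src_xlate
                if kind == "static-ip":      # one-to-one, source port kept
                    out["src"] = arg
                elif kind == "dipp":         # many-to-one, port rewritten
                    port = self.next_port.get(r.name, 1025)
                    self.next_port[r.name] = port + 1
                    out["src"], out["sport"] = arg, port
                elif kind == "dynamic-ip":   # one-to-one from a pool, port kept
                    lease = self.leases.get((r.name, pkt["src"]))
                    if lease is None:
                        free = [a for a in arg if a not in self.leases.values()]
                        if not free:  # no DIPP fallback configured: new sessions fail
                            return dict(out, action="drop", reason="dynamic-ip pool exhausted")
                        lease = self.leases[(r.name, pkt["src"])] = free[0]
                    out["src"] = lease
            break
        # Security policy matches pre-NAT addresses but the post-NAT destination zone.
        out["security_to_zone"] = zone_for(out["dst"])
        return out


def reply_bypasses_firewall(post_nat):
    """The DMZ server answers post_nat['src']. If that address is a host in the
    server's own segment the reply goes host-to-host, never crosses the
    firewall, and the client (which connected to the public IP) resets the
    session. U-turn NAT therefore adds source translation whenever client and
    server share a segment."""
    if post_nat["src"] in FIREWALL_IPS:
        return False
    return zone_for(post_nat["src"]) == zone_for(post_nat["dst"])


RULES = [  # constructed rulebase; order matters
    NatRule("uturn-dmz-web", ("trust", "dmz"), "untrust", dst="203.0.113.10",
            dst_xlate="192.168.1.10", src_xlate=("dipp", "192.168.1.1")),
    NatRule("inbound-web", ("untrust",), "untrust", dst="203.0.113.10",
            dst_xlate="192.168.1.10"),
    NatRule("static-server", ("dmz",), "untrust", src="192.168.1.10/32",
            src_xlate=("static-ip", "203.0.113.10")),
    NatRule("outbound-dipp", ("trust",), "untrust", src_xlate=("dipp", "203.0.113.10")),
    NatRule("outbound-pool", ("dmz",), "untrust",
            src_xlate=("dynamic-ip", ["203.0.113.20", "203.0.113.21"])),
]

if __name__ == "__main__":
    eng = NatEngine(RULES)
    uturn = eng.translate(dict(src="10.0.0.5", sport=51000, dst="203.0.113.10", dport=443))
    print(uturn["rule"], uturn["src"], uturn["dst"], uturn["security_to_zone"])
```

Two things to take from running it: the security rule that permits the U-turn session must be written trust to dmz (post-NAT destination zone) with the public address as destination (pre-NAT address), and a DMZ client hitting the same rule without source translation gets a reply that never crosses the firewall, which is the classic U-turn failure.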
54. What are the different configuration modes for Palo Alto interfaces?

Tap mode: the firewall receives a copy of traffic from a network tap or a switch
SPAN/mirror port and can observe and log any traffic flow, but cannot block it.

Virtual Wire: the firewall is inserted transparently into a network segment by
combining two interfaces into a virtual wire; no IP addresses or routing changes
are needed.

Layer 2 mode: multiple interfaces are configured into a VLAN object that acts as
a virtual switch, and the firewall switches frames between them.

Layer 3 mode: the firewall routes traffic between interfaces; each interface must
be given an IP address and attached to a virtual router.

55. What are the benefits of using Palo Alto Networks products?

Palo Alto Networks products give detailed visibility into network traffic and
malicious activity both on the network and on the endpoint. When that data is
fed into Splunk, an operator can correlate and analyze many data types: between
Palo Alto Networks sources, for example comparing WildFire reports with traffic
logs to find infected hosts, or firewall logs with endpoint logs; and across
vendors, for example correlating firewall logs with web server logs or endpoint
security logs with Windows event logs, which is where Splunk adds the most value.

Multiple Choice Questions

1. Which firewall plane has a distinct processor for configuration, logging, and
reporting?
Data
Security Processing
Network Processing
Control

2. On a firewall, the management network port can be configured as which type of
interface?
Virtual wire
Layer 2
Layer 3
Serial

3. With a Palo Alto Networks firewall, how many zones can an interface be
assigned to?
One
Two
Three
Four

4. Which of the following claims about App-ID content updates is correct?
The way security policy rules are applied may change as application content is
updated.
New applications must be manually categorised before being used after an
application content upgrade.
New applications are automatically detected and categorised after an application
content update.
All of the above

5. Which of the following statements about User-ID is false?
Users' LDAP group membership data is collected by User-ID.
An endpoint agent collects the User-ID.
User-ID checks up on domain controllers for authentication issues.
Tasks using User-IDs can be shared across various firewalls.

6. Firewall configuration files can be ___.
recorded at whichever moment and stored on the firewall.
shared among firewalls.
restored to the working configuration.
All of the above.

7. Through decryption policies, a Palo Alto Networks firewall can decrypt which
two types of encryption?
Blowfish
SSL
Both
None

8. Which types of attacks can a DoS Protection profile protect nodes from?
TCP Port Scans
Floods
ICMP Large Packets
IP Address Spoofing

9. Which of the following options displays the attributes that can be selected
when creating application filters?
Name, Subcategory, Technology, and Characteristic
Category, Subcategory, Technology, Risk, and Characteristic
Name, Category, Technology, Risk, and Characteristic
Category, Subcategory, Risk, Standard Ports, and Technology

10. Which two components in a URL filtering security profile can have actions
assigned to them?
Block List
Custom URL Categories
Allow List
Both A and C
Both A and B
