PALO ALTO INTERVIEW QUESTIONS AND
ANSWERS – PART I
October 31, 2017 Naisam 5 comments
Palo Alto Interview Questions and Answers
Some of our readers asked for a post with common questions and answers for the Palo Alto Firewall after reading our post on the PA Firewall. Following are some of the questions normally asked in a PA interview. Please use the comment section if you have any questions to add.
1. Why is Palo Alto called a next-generation firewall?
Ans: Next-generation firewalls combine enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all of the next-generation firewall features on a single platform, with parallel processing and a single management system, unlike other vendors who use different modules or multiple management systems to offer NGFW features. The Palo Alto NGFW differs from other vendors in terms of platform, process and architecture.
2. What is the difference between Palo Alto NGFW and Check Point UTM?
PA follows Single Pass Parallel Processing, while UTM follows a multi-pass processing architecture.
3. Describe the Palo Alto architecture and its advantage.
Architecture: Single Pass Parallel Processing (SP3) architecture.
Advantage: Single Pass traffic processing enables very high throughput and low latency, with all security functions active. It also offers a single, fully integrated policy, which makes firewall policy management simpler and easier.
4. Explain the Single Pass and Parallel Processing architecture.
Single Pass: The single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once. Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once and in a stream-based fashion to avoid introducing latency.
Parallel Processing: PA is designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions:
- Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware.
- User-ID, App-ID, and policy all run on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
- Content-ID content analysis uses a dedicated, specialized content scanning engine.
- On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging, and reporting without touching the data processing hardware.
5. What is the difference between the PA-200, PA-500 and higher models?
In the PA-200 and PA-500, signature processing and network processing are implemented in software, while higher models have dedicated hardware processors.
6. What are the four deployment modes? Explain each.
1. Tap Mode: Tap mode allows you to passively monitor traffic flowing across the network by way of a tap or a switch SPAN/mirror port.
2. Virtual Wire: In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together.
3. Layer 2 mode: Multiple interfaces can be configured into a "virtual switch" or VLAN in L2 mode.
4. Layer 3 deployment: In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.
7. What do you mean by a Zone Protection profile?
Zone Protection Profiles offer protection against the most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:
- Flood Protection: Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.
- Reconnaissance detection: Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
- Packet-based attack protection: Protects against large ICMP packets and ICMP fragment attacks.
Configured under Network tab -> Network Profiles -> Zone Protection.
8. What is U-turn NAT and how is it configured?
U-turn NAT is applicable when internal resources in the Trust zone need to access DMZ resources using the public IP addresses of the Untrust zone.
Let's explain based on the scenario below.
In the above example, the website company.com (192.168.10.20) is statically NATed to the public IP address 81.23.7.22 in the Untrust zone. Users in the corporate office on the 192.168.1.0/24 segment need to access the company webpage. Their DNS lookup will resolve to the public IP in the Internet zone. The basic destination NAT rule that gives internet users access to the web server will not work for internal users browsing to the public IP.
Following are the NAT rule and the policy definition.
PALO ALTO INTERVIEW QUESTIONS AND
ANSWERS – PART II
October 31, 2017 Naisam 8 comments
Palo Alto Interview Questions and Answers
This post is a continuation of one of our recent posts where we discussed a few questions and answers on the Palo Alto firewall. Here we are adding another set of Q&A based on our readers' interest. We hope this will help you improve your knowledge of the PA firewall.
1. How do you publish an internal website to the internet, or how do you perform destination NAT?
To publish an internal website to the outside world, we require a destination NAT rule and a security policy. NAT is required to map the internal private IP address to an external public IP address. The firewall policy needs to allow access to the internal server on the http service from outside. We can see how to perform the NAT and policy configuration with respect to the following scenario:
Provide access to 192.168.10.100 through the public IP address 64.10.11.10 from the internet.
The following NAT and policy rules need to be created.
NAT: Here we need to use the pre-NAT configuration to identify the zones. Both the source and destination zone should be Untrust-L3, as both the source and destination addresses are part of the Untrust zone.
Policy: Here we need to use the post-NAT configuration to identify the zones. The source zone will be Untrust-L3, as the source address is still 12.67.5.2, and the destination zone will be Trust-L3, as the translated IP address belongs to the Trust-L3 zone.
We have to use the pre-NAT IP addresses for the source and destination address fields of the policy. According to the packet flow, the actual translation has not yet happened at this point; only the egress zone and route lookup have been done for the packet. The actual translation happens after the policy lookup. See our separate post for the detailed packet flow in the PA firewall.
Just remember the following rule of thumb, which makes it easy to understand:
In the firewall rule:
- Zone: post-NAT
- IP address: pre-NAT
In the NAT rule:
- Zone: pre-NAT
The final configuration looks like below:
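The article's configuration screenshot is not reproduced in this text. As an added illustration (not the article's own configuration), the following Python model walks a packet through the lookup order described above, and also covers the U-turn NAT question from Part I: route lookup on the original destination, NAT rule match on pre-NAT zones and addresses, a second route lookup on the translated address to get the post-NAT zone, then the security policy match on post-NAT zones with pre-NAT addresses. The route table, the DMZ-L3 zone name and the rule names are assumptions; the addresses come from the two scenarios on this page.

```python
import ipaddress

# Constructed lab (not the article's screenshots): route table mapping each
# prefix to the zone of its egress interface. The ingress zone of a packet is
# approximated by looking its source address up in the same table.
ROUTES = {
    "192.168.1.0/24": "Trust-L3",     # corporate users (Part I scenario)
    "192.168.10.0/24": "DMZ-L3",      # web server segment; zone name assumed
    "0.0.0.0/0": "Untrust-L3",        # default route towards the internet
}

# Web server 192.168.10.20 is published on public IP 81.23.7.22 (Part I).
# NAT rules match on PRE-NAT zones and PRE-NAT addresses.
NAT_RULES = [
    # name, from zone, to zone, source, original destination, translated destination
    ("Inbound-Web", "Untrust-L3", "Untrust-L3", "0.0.0.0/0", "81.23.7.22/32", "192.168.10.20"),
    ("Uturn-Web", "Trust-L3", "Untrust-L3", "192.168.1.0/24", "81.23.7.22/32", "192.168.10.20"),
]

# Security rules match on POST-NAT zones but PRE-NAT (untranslated) addresses.
SECURITY_RULES = [
    # name, from zone, to zone, source, destination, action
    ("Allow-Inbound-Web", "Untrust-L3", "DMZ-L3", "0.0.0.0/0", "81.23.7.22/32", "allow"),
    ("Allow-Uturn-Web", "Trust-L3", "DMZ-L3", "192.168.1.0/24", "81.23.7.22/32", "allow"),
]


def zone_of(ip):
    """Longest-prefix route lookup; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    matches = [ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)]
    best = max(matches, key=lambda n: n.prefixlen)
    return ROUTES[str(best)]


def in_net(ip, net):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def evaluate(src, dst, security_rules=SECURITY_RULES):
    """Run the lookups in the order the article describes and report the outcome."""
    src_zone = zone_of(src)
    pre_nat_dst_zone = zone_of(dst)          # 1. route lookup on the ORIGINAL destination
    nat_rule, translated = None, None
    for name, fz, tz, s, d, tdst in NAT_RULES:   # 2. NAT match: pre-NAT zones and addresses
        if fz == src_zone and tz == pre_nat_dst_zone and in_net(src, s) and in_net(dst, d):
            nat_rule, translated = name, tdst
            break
    post_nat_dst_zone = zone_of(translated or dst)  # 3. route lookup on the translated address
    for name, fz, tz, s, d, action in security_rules:
        # 4. policy match: post-NAT zones, pre-NAT addresses; translation is applied only after this
        if fz == src_zone and tz == post_nat_dst_zone and in_net(src, s) and in_net(dst, d):
            final_dst = translated if (action == "allow" and translated) else dst
            return {"nat_rule": nat_rule, "policy": name, "action": action,
                    "egress_zone": post_nat_dst_zone, "final_dst": final_dst}
    # no explicit match: interzone default deny
    return {"nat_rule": nat_rule, "policy": None, "action": "deny",
            "egress_zone": post_nat_dst_zone, "final_dst": dst}


if __name__ == "__main__":
    print(evaluate("12.67.5.2", "81.23.7.22"))     # internet user -> published web server
    print(evaluate("192.168.1.50", "81.23.7.22"))  # U-turn: inside user -> public IP
```

Passing a security rule written with the translated (private) address, or with the pre-NAT destination zone, to evaluate() shows why such rules never match.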
2. What is GlobalProtect?
GlobalProtect provides a transparent agent that extends enterprise security policy to all users regardless of their location. The agent can also act as a remote access VPN client. Following are the components:
Gateway: One or more interfaces on the Palo Alto firewall which provide access and security enforcement for traffic from the GlobalProtect agent.
Portal: Centralized control which manages the gateways, certificates, user authentication and end-host checklist.
Agent: Software on the laptop that is configured to connect to the GlobalProtect deployment.
3. Explain about virtual systems.
A virtual system specifies a collection of physical and logical firewall interfaces and security zones. Virtual systems allow segmentation of security policy functions such as ACLs, NAT and QoS. Networking functions including static and dynamic routing are not controlled by virtual systems; if routing segmentation is desired for each virtual system, an additional virtual router is needed.
4. Explain the various links used to establish HA (HA introduction).
PA firewalls use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, the Control link (HA1) and the Data link (HA2), while others require you to use in-band ports as HA links.
Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and for management plane sync of routing and User-ID information and configuration synchronization. HA1 should be a layer 3 interface, which requires an IP address.
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between the firewalls in an HA pair. HA2 is a layer 2 link.
Backup Links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup link IP addresses must be on a different subnet from the primary HA links.
Packet-Forwarding Link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link to forward packets to the peer during session setup and for asymmetric traffic flows.
4. What protocol is used to exchange heartbeats between HA peers?
ICMP
5. Which port numbers are used in HA?
HA1: tcp/28769 and tcp/28260 for clear-text communication, tcp/28 for encrypted communication
HA2: IP protocol number 99, or UDP port 29281
6. What are the scenarios that trigger a failover?
-> if one or more monitored interfaces fail
-> if one or more specified destinations cannot be pinged by the active firewall
-> if the active device does not respond to heartbeat polls (loss of three consecutive heartbeats over a period of 1000 milliseconds)
7. How do you troubleshoot HA using the CLI?
> show high-availability state : shows the HA state of the firewall
> show high-availability state-synchronization : checks the sync status
> show high-availability path-monitoring : shows the status of path monitoring
> request high-availability state suspend : suspends the active box and makes the current passive box active
8. Which command checks the firewall policy match for a particular destination?
> test security-policy-match from trust to untrust destination <IP>
9. Which command checks the NAT rule match?
> test nat-policy-match
10. Which command shows the system details?
> show system info // shows the management IP, system version and serial number
11. How do you perform a packet-level debug on PA?
Following are the steps.
Clear all packet capture settings:
> debug dataplane packet-diag clear all
Set the traffic matching condition:
> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on
Enable packet capture:
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on
View the captured file:
> view-pcap filter-pcap rx.pcap
12. What do you mean by Device Group and Device Template?
Device Group: A device group allows you to group firewalls that require a similar set of policies, such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. Only Objects and Policies are part of a Device Group.
Device Template: Device templates enable you to deploy a common base configuration, such as network and device-specific settings, to multiple firewalls that require similar settings. This is available in the Device and Network tabs on Panorama.
13. Why are Security Profiles used?
Security profiles are used to scan allowed applications for threats such as viruses, malware, spyware, and DDoS attacks. Security profiles are not used in the match criteria of a traffic flow; the security profile is applied to scan traffic after the application or category has been allowed by the security policy. You can add security profiles that are commonly applied together to a Security Profile Group.
Following are the Security Profiles available:
- Antivirus Profiles
- Anti-Spyware Profiles
- Vulnerability Protection Profiles
- URL Filtering Profiles
- Data Filtering Profiles
- File Blocking Profiles
- WildFire Analysis Profiles
- DoS Protection Profiles
PALO ALTO FIREWALL CONFIGURATION OPTIONS.
TAP MODE, VIRTUAL WIRE, LAYER 2 & LAYER 3
DEPLOYMENT MODES
WRITTEN BY YASIR IRFAN. POSTED IN PALO ALTO FIREWALLS
Our previous article explained how Palo Alto Firewalls make use of Security Zones to process
and enforce security policies. This article will explain the different configuration options for physical
Ethernet and logical interfaces available on the Palo Alto Firewall.
It’s easy to mix and match the interface types and deployment options in real world deployments and this
seems to be the strongest selling point of Palo Alto Networks Next-Generation Firewalls. Network
segmentation becomes easier due to the flexibility offered by a single pair of Palo Alto appliances.
Below is a list of the configuration options available for Ethernet (physical) interfaces:
Tap Mode
Virtual Wire
Layer 2
Layer 3
Aggregate Interfaces
HA
Following are the Logical interface options available:
VLAN
Loopback
Tunnel
Decrypt Mirror
The various interface types offered by Palo Alto Networks Next-Generation Firewalls provide flexible
deployment options.
TAP MODE DEPLOYMENT OPTION
TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN
feature (also known as mirroring).
A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches where the
destination SPAN port is the switch port to which our Palo Alto Firewall connects, as shown in the
diagram below:
Figure 1. Palo Alto Next Generation Firewall deployed in TAP mode
The advantage of this deployment model is that it allows organizations to closely monitor traffic to their
servers or network without requiring any changes to the network infrastructure.
During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN
Destination ports are configured while also enabling Tap mode at the Firewall.
Tap mode offers visibility of applications, users and content; however, we must be mindful that the firewall is unable to control the traffic, as no security rules can be applied in this mode. Tap mode simply offers visibility in the ACC tab of the dashboard. The catch here is to ensure that the tap interface is assigned to a security zone.
VIRTUAL WIRE (V-WIRE) DEPLOYMENT OPTION
Virtual Wire, also known as V-Wire, deployment options use Virtual Wire interfaces. The great thing about a V-Wire deployment is that the firewall can be inserted into an existing topology without requiring any changes to the existing network topology.
The V-Wire deployment options overcome the limitations of TAP mode deployment, as engineers are
able to monitor and control traffic traversing the link. A Virtual Wire interface supports App-ID, User-
ID, Content-ID, NAT and decryption.
Figure 2. Palo Alto Next Generation Firewall deployed in V-Wire mode
LAYER 2 DEPLOYMENT OPTION
Palo Alto Networks Next Generation Firewall can also be deployed in Layer 2 mode. In this mode
switching is performed between two or more network segments as shown in the diagram below:
Figure 3. Palo Alto Next Generation Firewall deployed in Layer 2 mode
In Layer 2 deployment mode the firewall is configured to perform switching between two or more
network segments. Traffic traversing the firewall is examined, as per policies, providing increased security
and visibility within the internal network.
In this mode the firewall interfaces are capable of supporting Access or Trunk Links (802.1Q trunking) and
do not participate in the Spanning Tree topology. Any BPDUs received on the firewall interfaces are
directly forwarded to the neighboring Layer 2 switch without being processed. Routing traffic between
VLAN networks or other networks can be achieved via a default Gateway which is usually a Layer 3
switch supporting InterVLAN routing, a Firewall security appliance, or even Router-on-a-Stick design.
LAYER 3 DEPLOYMENT OPTION
Layer 3 deployment mode is a popular deployment setup. In this mode the firewall routes traffic
between multiple interfaces, each of which is configured with an IP address and security zone. The
Firewall interfaces can also be configured to obtain their IP address via a DHCP server and can be used
to manage the security appliance.
Figure 4 – Palo Alto Next Generation Firewall deployed in Layer 3 mode
The diagram above shows a typical Layer 3 deployment setup where the Firewall routes and controls
traffic between three different IP networks. Similar to other setup methods, all traffic traversing the
Firewall is examined and allowed or blocked according to the security policies configured.
CONCLUSION
In this article we examined a few of the different deployment modes available for Palo Alto firewalls. We
talked about Tap mode, Virtual Wire mode, Layer 2 and Layer 3 deployment modes. Each
deployment method is used to satisfy different security requirements and allows flexible configuration
options. Visit our Palo Alto Firewalls Section for more in-depth technical articles.
What is NAT-Traversal (Network Address
Translation - Traversal)
IPSec does not work if there is a NAT device between two IPSec peers that performs Port Address Translation (PAT). It is not possible for IPSec ESP packets to traverse (travel across or pass over) a NAT device performing PAT.
Before proceeding, you need to know what is Network Address Translation (NAT) and
what is Port Address Translation (PAT).
In Port Address Translation (PAT), the NAT device replaces the source port number (TCP or UDP) with another port number. To perform PAT, a NAT device must be able to open the TCP/UDP header and find the source TCP/UDP port number. The TCP and UDP port numbers are not visible to a NAT device performing PAT between IPSec peers, because the TCP/UDP headers are encrypted and encapsulated within the ESP header.
When IPSec is used to secure IPv4 traffic, the original TCP/UDP port numbers are kept encrypted and encapsulated using ESP. The following image shows how IPSec encapsulates an IPv4 datagram. For more details, visit IPSec VPN Modes - Tunnel Mode and Transport Mode.
The following image shows a Wireshark capture of an ESP-encapsulated IPSec packet. Note that the TCP/UDP headers are not visible; they are kept encrypted as the ESP data payload.
NAT Traversal (NAT-T) technology is used in IPSec to overcome the problem mentioned above.
NAT Traversal (NAT-T) can detect whether both IPSec peers support NAT-T, and it can also detect NAT devices between the IPSec peers. ISAKMP Main Mode messages one and two are used to detect whether both IPSec peers support NAT-T. If both IPSec peers support NAT-T, NAT devices are detected in ISAKMP Main Mode messages three and four.
Once a NAT PAT device is detected between IPSec Peers, NAT-T encapsulates ESP
packets inside an unencrypted UDP header with both Source and Destination ports as
4500. Now the NAT PAT devices have a UDP header and port number to play with and
PAT happens as usual.