Pan Os Admin
Parallel Processing: PA firewalls are designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions.
Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware.
User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
Content-ID content analysis uses a dedicated, specialized content scanning engine.
On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging, and reporting without touching the data-processing hardware.
5. What is NAT in the Palo Alto firewall and how do you check the NAT rule (command)?
NAT rules provide address translation, and are different from security policy rules, which allow or deny packets.
> test nat-policy-match
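The CLI command above asks the firewall which NAT rule a given packet would hit. The following is an added example (not code from the page or from Palo Alto Networks) that models that first-match evaluation in Python over a constructed rulebase, to make the distinction from security policy concrete: a NAT rule decides how addresses are rewritten, not whether the packet is allowed. It assumes a simplified rule model (zones, source/destination prefixes, destination port) and that rules are evaluated top-down against the pre-NAT zones and addresses, as PAN-OS does.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class NatRule:
    """Simplified NAT rule: match fields plus the translation it performs."""
    name: str
    from_zones: set        # pre-NAT source zones, or {"any"}
    to_zone: str           # pre-NAT destination zone, or "any"
    source: list           # CIDR strings, or ["any"]
    destination: list      # CIDR strings, or ["any"]
    dest_ports: set        # destination ports; empty set = any service
    translation: dict      # {"type": "source"|"destination", "to": "<ip>"}


@dataclass
class Packet:
    from_zone: str
    to_zone: str
    src: str
    dst: str
    proto: int
    dport: int


def _addr_match(addr: str, nets: list) -> bool:
    if nets == ["any"]:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def nat_policy_match(rules, pkt):
    """Return the first NAT rule matching the packet (rule order matters), or None."""
    for rule in rules:
        if "any" not in rule.from_zones and pkt.from_zone not in rule.from_zones:
            continue
        if rule.to_zone != "any" and rule.to_zone != pkt.to_zone:
            continue
        if not _addr_match(pkt.src, rule.source) or not _addr_match(pkt.dst, rule.destination):
            continue
        if rule.dest_ports and pkt.dport not in rule.dest_ports:
            continue
        return rule
    return None


def apply_translation(rule, pkt):
    """Return (src, dst) after the matching rule's translation; unchanged when no rule matched."""
    if rule is None:
        return (pkt.src, pkt.dst)
    if rule.translation["type"] == "source":
        return (rule.translation["to"], pkt.dst)
    return (pkt.src, rule.translation["to"])


# Constructed sample rulebase (hypothetical zones and addresses, not from any real device).
# Note the destination-NAT rule is written untrust -> untrust: the pre-NAT public
# address 203.0.113.80 is routed to the untrust zone, so that is the pre-NAT to-zone.
SAMPLE_RULES = [
    NatRule("dnat-web", {"untrust"}, "untrust", ["any"], ["203.0.113.80/32"], {443},
            {"type": "destination", "to": "10.0.0.80"}),
    NatRule("snat-outbound", {"trust"}, "untrust", ["10.0.0.0/8"], ["any"], set(),
            {"type": "source", "to": "203.0.113.1"}),
]

if __name__ == "__main__":
    # Constructed packets, mirroring what you would type into "test nat-policy-match".
    for pkt in [
        Packet("trust", "untrust", "10.0.5.7", "198.51.100.9", 6, 80),
        Packet("untrust", "untrust", "198.51.100.9", "203.0.113.80", 6, 443),
        Packet("dmz", "untrust", "172.16.1.1", "198.51.100.9", 6, 80),
    ]:
        rule = nat_policy_match(SAMPLE_RULES, pkt)
        print(f"{pkt.src} -> {pkt.dst}: {rule.name if rule else 'no NAT rule'}"
              f" => {apply_translation(rule, pkt)}")
```

Whether the translated packet is then permitted is a separate decision made by the security policy, which is why a missing or misordered NAT rule shows up as a translation problem and not as a deny.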
10. Explain the various links (control link, data link, backup link) used to establish HA.
PA firewalls use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports: Control link (HA1) and Data link (HA2). Other models require you to use the in-band ports as HA links.
Control Link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, and for management plane synchronization of routing, User-ID information and the configuration. HA1 must be a layer 3 interface, which requires an IP address.
Data Link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between the firewalls in an HA pair. HA2 is a layer 2 link.
Backup Links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2. The IP address of an HA backup link must be on a different subnet from the primary HA link.
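The two rules stated above (HA1 needs a layer 3 interface with an IP address; a backup link's address must sit in a different subnet from its primary) are easy to get wrong when typed by hand. The following is an added example, not code from the page or from Palo Alto Networks, that checks a hypothetical link description against those rules; the dictionary layout and link names are assumptions made for the example.

```python
import ipaddress

# Link description assumed for this example: name -> {"layer": 2|3, "ip": "addr/prefix" or None}
# Names "ha1", "ha2", "ha1-backup", "ha2-backup" are a convention of this example only.


def validate_ha_links(links: dict) -> list:
    """Return a list of findings; an empty list means the links satisfy both rules."""
    findings = []

    ha1 = links.get("ha1")
    if ha1 is None or ha1.get("layer") != 3 or not ha1.get("ip"):
        findings.append("ha1: must be a layer 3 link with an IP address")

    for primary_name in ("ha1", "ha2"):
        primary = links.get(primary_name)
        backup = links.get(f"{primary_name}-backup")
        if primary is None or backup is None:
            continue
        # The subnet rule only applies where both links carry an IP address
        # (HA2 is layer 2 in this document, so it may have none).
        if primary.get("ip") and backup.get("ip"):
            p_net = ipaddress.ip_interface(primary["ip"]).network
            b_net = ipaddress.ip_interface(backup["ip"]).network
            if p_net == b_net:
                findings.append(
                    f"{primary_name}-backup: {backup['ip']} is in the same subnet as "
                    f"{primary_name} ({p_net}); the backup must use a different subnet"
                )
    return findings


# Constructed configurations (RFC 1918 addresses chosen for the example).
GOOD_HA = {
    "ha1": {"layer": 3, "ip": "10.255.1.1/30"},
    "ha1-backup": {"layer": 3, "ip": "10.255.2.1/30"},
    "ha2": {"layer": 2, "ip": None},
    "ha2-backup": {"layer": 2, "ip": None},
}

BAD_HA = {
    "ha1": {"layer": 3, "ip": "10.255.1.1/30"},
    "ha1-backup": {"layer": 3, "ip": "10.255.1.2/30"},   # same /30 as ha1
    "ha2": {"layer": 2, "ip": None},
    "ha2-backup": {"layer": 2, "ip": None},
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_HA), ("bad", BAD_HA)):
        print(label, validate_ha_links(cfg) or "ok")
```

A backup link in the same subnet as its primary defeats the purpose of the backup: a failure of that segment takes both paths down together, and the peers may conclude the other firewall is dead (a split-brain condition) when only the link has failed.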
Packet-based attack protection—Protects against large ICMP packets and ICMP fragment
attacks.
Network tab -> Network Profiles -> Zone protection.
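As an added example (not from the page or from Palo Alto Networks), the following Python reproduces the two packet-based checks just named over constructed IPv4/ICMP headers: an ICMP packet larger than a size threshold, and an ICMP packet that is a fragment (More-Fragments flag set or a non-zero fragment offset). The 1024-byte threshold and the finding names are assumptions chosen for the example; the header parsing follows the standard IPv4 layout.

```python
import struct

LARGE_ICMP_BYTES = 1024   # assumed threshold for this example
IPPROTO_ICMP = 1
IP_MF_FLAG = 0x2000       # More Fragments bit in the flags/fragment-offset field


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fixed 20-byte IPv4 header fields this check needs."""
    (ver_ihl, _tos, total_len, _ident, flags_frag,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": ver_ihl >> 4,
        "ihl": (ver_ihl & 0x0F) * 4,
        "total_len": total_len,
        "mf": bool(flags_frag & IP_MF_FLAG),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "proto": proto,
        "src": ".".join(map(str, src)),
        "dst": ".".join(map(str, dst)),
    }


def icmp_packet_findings(pkt: bytes) -> list:
    """Return the packet-based findings for one packet; non-ICMP packets yield none."""
    h = parse_ipv4(pkt)
    if h["version"] != 4 or h["proto"] != IPPROTO_ICMP:
        return []
    findings = []
    if h["total_len"] > LARGE_ICMP_BYTES:
        findings.append("large-icmp")
    # Either the first piece of a fragmented datagram (MF set, offset 0)
    # or a later piece (offset > 0) counts as an ICMP fragment.
    if h["mf"] or h["frag_offset"] > 0:
        findings.append("icmp-fragment")
    return findings


def build_ipv4(proto: int, payload_len: int, mf: bool = False, frag_offset: int = 0) -> bytes:
    """Construct a minimal IPv4 packet (zeroed checksum/payload) for the example."""
    total_len = 20 + payload_len
    flags_frag = (IP_MF_FLAG if mf else 0) | (frag_offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, flags_frag, 64, proto, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return header + bytes(payload_len)


if __name__ == "__main__":
    # Constructed packets: normal echo, oversized ICMP, ICMP fragment, large TCP (ignored).
    samples = {
        "icmp-64": build_ipv4(IPPROTO_ICMP, 64),
        "icmp-1500": build_ipv4(IPPROTO_ICMP, 1500),
        "icmp-frag": build_ipv4(IPPROTO_ICMP, 100, frag_offset=1480),
        "tcp-2000": build_ipv4(6, 2000),
    }
    for name, pkt in samples.items():
        print(name, icmp_packet_findings(pkt) or "clean")
```

The check is deliberately per packet, as a zone protection profile is: it looks at each fragment's own length and flags and never reassembles, which is what lets it act before a reassembly buffer is consumed.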
Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel Processing (SP3) Architecture, which enables high-throughput, low-latency network security. The combination of Single Pass software and Parallel Processing hardware is unique in network security, and enables Palo Alto Networks next-generation firewalls to restore visibility and control to enterprise networks at very high levels of performance.
Palo Alto Networks solves the performance problems that plague today’s security infrastructure
with the SP3 architecture, which combines two complementary components.
First, the single pass software performs operations once per packet. As a packet is processed,
networking functions, policy lookup, application identification and decoding, and signature
matching for any and all threats and content are all performed just once. This significantly reduces
the amount of processing overhead required to perform multiple functions in one security device.
Second, the content scanning step in Palo Alto Networks’ Single Pass software is stream-based,
and uses uniform signature matching to detect and block threats. Instead of using separate engines
and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file
download prior to scanning), the single pass software in our next-generation firewalls scans
content once and in a stream-based fashion to avoid latency introduction.
This Single Pass traffic processing enables very high throughput and low latency, with all security functions active. It also offers the additional benefit of a single, fully integrated policy, enabling simpler, easier management of enterprise network security.
Parallel Processing Hardware:
The other critical piece of Palo Alto Networks SP3 Architecture is hardware. Palo Alto Networks
next-generation firewalls use Parallel Processing hardware to ensure that the Single Pass software
runs fast. First, Palo Alto Networks engineers designed separate data and control planes. This
separation means that heavy utilization of one won’t negatively impact the other – for example, an
administrator could be running a very processor-intensive report, and yet the ability to process
packets would be completely unhindered, due to the separation of data and control planes.
The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups that work in harmony to perform several critical functions.
Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware.
User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
Content-ID content analysis uses a dedicated, specialized content scanning engine.
On the control plane, a dedicated management processor (with dedicated disk and RAM) drives configuration management, logging, and reporting without touching the data-processing hardware.
The result is the perfect mix of raw throughput, transaction processing and network security that today’s high-performance networks require.