
ALL ABOUT PALO ALTO

1. What is the strength of the Palo Alto next-generation firewall?


The Single Pass Parallel Processing (SP3) architecture.

2. What is the difference between Palo Alto NGFW and Check Point UTM?


PA follows the Single Pass Parallel Processing architecture, whereas UTM follows a multi-pass
architecture.

3. Describe the Palo Alto architecture.


The Palo Alto firewall architecture is Single Pass Parallel Processing (SP3). Single pass traffic
processing enables very high throughput and low latency with all security functions active. It also
offers a single, fully integrated policy, which makes firewall policy management simpler and
easier.

4. What is the Single Pass Parallel Processing architecture? Explain.


Single Pass: the single pass software performs each operation once per packet. As a packet is
processed, networking functions, policy lookup, application identification and decoding, and
signature matching for all threats and content are each performed just once. Instead of using
separate engines and signature sets (requiring multi-pass scanning), and instead of using file
proxies (requiring the file to be downloaded before it is scanned), the single pass software in
next-generation firewalls scans content once, in a stream-based fashion, to avoid introducing
latency.

Parallel Processing: PA is designed with separate data and control planes to support parallel
processing. The second important element of the parallel processing hardware is the use of
discrete, specialized processing groups to perform several critical functions:
Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on
network-specific hardware.

User-ID, App-ID, and policy all occur on a multi-core security engine with hardware
acceleration for encryption, decryption, and decompression.
Content-ID content analysis uses a dedicated, specialized content scanning engine.
On the control plane, a dedicated management processor (with its own disk and RAM) drives
configuration management, logging, and reporting without touching the data-processing hardware.

5. What is NAT in a Palo Alto firewall, and how do you check which NAT rule a flow matches (command)?
NAT rules provide address translation and are different from security policy rules, which allow
or deny packets.
> test nat-policy-match

6. What is Dynamic IP and Port NAT?


Dynamic IP and Port (DIPP) NAT lets multiple clients use the same public IP address, each
distinguished by a different source port number. A dynamic IP and port rule can translate to:
Interface IP address
Single IP address
Range of IP addresses
Subnet IP address

7. What is bidirectional NAT?


Bidirectional NAT enables internal servers to both send and receive traffic through the firewall
using the same translation. Bidirectional translation is an option for static NAT only.

8. What is port forwarding?


Port forwarding is a technique for managing traffic through NAT policies based on the
destination port number.
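The two NAT behaviours from questions 6 and 8 are easiest to see with a translation table. The following toy model is an added example, not PAN-OS code: it keeps one public IP for many internal clients (DIPP source NAT, one public port per internal source) and one static port-forward rule (destination NAT) for an inbound service. All addresses, ports and the server behind the forward are constructed samples.

```python
"""Toy model of DIPP source NAT and static port forwarding (added example,
not PAN-OS code). All addresses and ports below are constructed samples."""
from dataclasses import dataclass
from itertools import count
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"       # constructed: untrust interface IP shared by all clients
DMZ_WEB_SERVER = "10.10.20.5"    # constructed: server reached through a port-forward rule


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatTable:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        # (private ip, private port) -> public port handed out for that session
        self.outbound: Dict[Tuple[str, int], int] = {}
        # public port -> (private ip, private port), for return traffic
        self.inbound: Dict[int, Tuple[str, int]] = {}
        # port-forward rules: public port -> (private ip, private port)
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        self.forwards[public_port] = (private_ip, private_port)

    def translate_outbound(self, flow: Flow) -> Flow:
        """DIPP: every private (ip, port) pair is hidden behind the one public IP
        and receives its own public source port, so replies can be told apart."""
        key = (flow.src_ip, flow.src_port)
        if key not in self.outbound:
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Flow(self.public_ip, self.outbound[key], flow.dst_ip, flow.dst_port, flow.proto)

    def translate_inbound(self, flow: Flow) -> Optional[Flow]:
        """Reverse direction: a reply to an existing DIPP session, or a hit on a
        port-forward rule. Anything else has no translation and is not let in."""
        if flow.dst_ip != self.public_ip:
            return None
        if flow.dst_port in self.inbound:            # reply to an outbound session
            ip, port = self.inbound[flow.dst_port]
            return Flow(flow.src_ip, flow.src_port, ip, port, flow.proto)
        if flow.dst_port in self.forwards:           # port forwarding (destination NAT)
            ip, port = self.forwards[flow.dst_port]
            return Flow(flow.src_ip, flow.src_port, ip, port, flow.proto)
        return None


def demo() -> Dict[str, Optional[Flow]]:
    nat = NatTable(PUBLIC_IP)
    nat.add_port_forward(443, DMZ_WEB_SERVER, 8443)   # public :443 -> DMZ server :8443
    # two trust-zone clients using the same source port, both hidden behind PUBLIC_IP
    a = nat.translate_outbound(Flow("192.168.4.20", 51000, "198.51.100.7", 443))
    b = nat.translate_outbound(Flow("192.168.4.21", 51000, "198.51.100.7", 443))
    reply_to_a = nat.translate_inbound(Flow("198.51.100.7", 443, PUBLIC_IP, a.src_port))
    inbound_web = nat.translate_inbound(Flow("198.51.100.9", 40222, PUBLIC_IP, 443))
    unsolicited = nat.translate_inbound(Flow("198.51.100.9", 40222, PUBLIC_IP, 22))
    return {"a": a, "b": b, "reply_to_a": reply_to_a,
            "inbound_web": inbound_web, "unsolicited": unsolicited}


if __name__ == "__main__":
    for name, flow in demo().items():
        print(f"{name:12} {flow}")
```

Two clients with the same private source port still get distinct public ports, which is what lets the reply to client A be mapped back to A alone; the unsolicited packet to port 22 matches neither a session nor a forward rule and gets no translation.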

9. What is GlobalProtect?


GlobalProtect provides a transparent agent that extends the enterprise security policy to all
users regardless of their location. The agent can also act as a remote-access VPN client. Its
components are:
Gateway: one or more interfaces on the Palo Alto firewall that provide access and security
enforcement for traffic from the GlobalProtect agent.
Portal: the centralized control point that manages gateways, certificates, user authentication and
the end-host checklist.
Agent: software on the laptop that is configured to connect to the GlobalProtect deployment.

10. Explain the various links (control link, data link, backup link) used to
establish HA.
PA firewalls use HA links to synchronize data and maintain state information. Some firewall
models have dedicated HA ports, a control link (HA1) and a data link (HA2), while others
require you to use in-band ports as HA links.

Control Link: the HA1 link is used to exchange hellos, heartbeats, and HA state information,
and for management-plane synchronization of routing, User-ID information and configuration.
HA1 must be a layer 3 interface, which requires an IP address.
Data Link: the HA2 link is used to synchronize sessions, forwarding tables, IPSec security
associations and ARP tables between the firewalls in an HA pair. HA2 is a layer 2 link.
Backup Links: provide redundancy for the HA1 and HA2 links. In-band ports are used as
backup links for both HA1 and HA2. The IP addresses of the HA backup links must be on a
different subnet from the primary HA links.

11. What is the packet-forwarding link?


Packet-Forwarding Link: In addition to the HA1 and HA2 links, an active/active deployment
also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer
during session setup and asymmetric traffic flow.

12. Which protocol is used to exchange heartbeats between HA peers?


ICMP

13. Which port numbers are used in HA?


HA1: TCP/28769 and TCP/28260 for clear-text communication; TCP/28 for encrypted communication.
HA2: IP protocol number 99, or UDP/29281.

14. Which scenarios trigger a fail-over?


- one or more monitored interfaces fail
- one or more specified destinations cannot be pinged by the active firewall
- the active device does not respond to heartbeat polls (loss of three consecutive heartbeats
over a period of 1000 milliseconds)
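The three triggers above (and the heartbeat from question 12) can be checked in the order the question lists them. The following is an added example, not PAN-OS code; it uses the page's thresholds (three consecutive lost heartbeats, one expected every 1000 ms) and constructed interface names, monitored destinations and timestamps.

```python
"""Toy model of the three HA fail-over triggers (added example, not PAN-OS
code). Thresholds follow the page: three consecutive missed heartbeats, each
expected within a 1000 ms interval. Interface names, monitored destinations
and timestamps are constructed samples."""
from typing import Dict, List, Optional

HEARTBEAT_INTERVAL_MS = 1000
HEARTBEAT_THRESHOLD = 3


def missed_heartbeats(received_ms: List[int], now_ms: int,
                      interval_ms: int = HEARTBEAT_INTERVAL_MS) -> int:
    """Number of heartbeat polls since the last answered one. A poll is sent
    every interval_ms, so a silent gap of N intervals means N unanswered polls."""
    if not received_ms:
        return now_ms // interval_ms
    return (now_ms - max(received_ms)) // interval_ms


def failover_reason(link_up: Dict[str, bool],
                    path_reachable: Dict[str, bool],
                    received_ms: List[int], now_ms: int) -> Optional[str]:
    """Return the first trigger that applies, or None if the active peer looks
    healthy. Order mirrors the list: interfaces, monitored paths, heartbeats."""
    down = [name for name, up in link_up.items() if not up]
    if down:
        return "link monitoring: interface down: " + ", ".join(down)
    unreachable = [dst for dst, ok in path_reachable.items() if not ok]
    if unreachable:
        return "path monitoring: destination unreachable: " + ", ".join(unreachable)
    missed = missed_heartbeats(received_ms, now_ms)
    if missed >= HEARTBEAT_THRESHOLD:
        return f"heartbeat: {missed} consecutive polls unanswered"
    return None


def demo() -> Dict[str, Optional[str]]:
    # constructed scenarios; heartbeats answered at t=0, 1000 and 2000 ms
    ok_links = {"ethernet1/1": True, "ethernet1/2": True}
    ok_paths = {"198.51.100.1": True}
    beats = [0, 1000, 2000]
    return {
        "healthy": failover_reason(ok_links, ok_paths, beats, 2500),
        "link_down": failover_reason({"ethernet1/1": False, "ethernet1/2": True}, ok_paths, beats, 2500),
        "path_down": failover_reason(ok_links, {"198.51.100.1": False}, beats, 2500),
        "two_missed": failover_reason(ok_links, ok_paths, beats, 4500),   # still tolerated
        "three_missed": failover_reason(ok_links, ok_paths, beats, 5000), # fail-over
    }


if __name__ == "__main__":
    for scenario, reason in demo().items():
        print(f"{scenario:13} -> {reason or 'no fail-over'}")
```

The "two_missed" case matters when reading HA logs: two unanswered polls are a warning sign, not a fail-over, so a single dropped heartbeat does not flap the pair.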

15. Which command shows the system details?


> show system info // shows the management IP, system version and serial number

16. How do you perform a debug (packet capture) in PA?


The steps are:
Clear all packet capture settings:
> debug dataplane packet-diag clear all
Set the traffic matching condition:
> debug dataplane packet-diag set filter match source 192.168.4.20 destination 4.2.2.2
> debug dataplane packet-diag set filter on
Enable the packet capture at each stage:
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on

17. What is meant by Device Group and Device Template?


A device group lets you group firewalls that require a similar set of policies, such as the
firewalls that serve a group of branch offices or individual departments in a company.
Panorama treats each group as a single unit when applying policies. A firewall can belong to
only one device group. Only Objects and Policies are part of a device group.
Device Template: device templates let you deploy a common base configuration, such as network
and device-specific settings, to multiple firewalls that require similar settings. Templates
cover the Device and Network tabs on Panorama.

18. Why do you use a Security Profile?


A security profile scans allowed applications for threats such as viruses, malware,
spyware, and DDoS attacks. Security profiles are not used in the match criteria of a traffic flow;
a security profile is applied to scan the traffic after the application or category has been
allowed by the security policy. Security profiles that are commonly applied together can be
combined into a Security Profile Group.

The following security profiles are available:


Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles

19. How do you check the licenses of a Palo Alto firewall?


Device > License.

20. What is U-turn NAT and how do you configure it?


U-turn NAT applies when internal resources in the trust zone need to access DMZ resources
using the public IP addresses of the untrust zone.
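The part of U-turn NAT that trips people up is zone selection. The following added example (not PAN-OS code) models the PAN-OS evaluation order that the rule depends on: the NAT rule's destination zone comes from a route lookup on the original, pre-NAT destination address (so a trust client aiming at a public address lands in the untrust zone for NAT matching), while security policy is evaluated against the post-NAT destination zone (the DMZ). The routing table, addresses and rule names are constructed; the second scenario shows the common mistake of writing the NAT rule with the DMZ as its destination zone.

```python
"""Toy model of U-turn NAT rule evaluation (added example, not PAN-OS code).
Zone for NAT matching = route lookup on the PRE-NAT destination; zone for
security policy = route lookup on the POST-NAT destination. Routing table,
addresses and rule names are constructed samples."""
import ipaddress
from typing import List, Optional, Tuple

# constructed routing table: prefix -> zone; longest prefix wins
ROUTES = [
    ("192.168.4.0/24", "trust"),
    ("10.10.20.0/24", "dmz"),
    ("0.0.0.0/0", "untrust"),
]
PUBLIC_WEB_IP = "203.0.113.20"   # constructed public address of the DMZ web server
DMZ_WEB_IP = "10.10.20.5"        # constructed private address of the same server

NatRule = Tuple[str, str, str, str, str]   # name, from_zone, to_zone, original dst, translated dst
NAT_RULES: List[NatRule] = [
    ("inbound-web", "untrust", "untrust", PUBLIC_WEB_IP, DMZ_WEB_IP),
    # U-turn: source zone trust, destination zone untrust (where PUBLIC_WEB_IP routes to)
    ("uturn-web", "trust", "untrust", PUBLIC_WEB_IP, DMZ_WEB_IP),
]
# security rules: name, from_zone, to_zone, dst, action; matched on post-NAT zone and address
SECURITY_RULES = [
    ("allow-trust-to-dmz-web", "trust", "dmz", DMZ_WEB_IP, "allow"),
    ("allow-untrust-to-dmz-web", "untrust", "dmz", DMZ_WEB_IP, "allow"),
    ("deny-all", "any", "any", "any", "deny"),
]


def zone_for(ip: str) -> str:
    """Longest-prefix route lookup returning the egress zone."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Tuple[int, str]] = None
    for prefix, zone in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, zone)
    assert best is not None
    return best[1]


def evaluate(src_ip: str, dst_ip: str,
             nat_rules: List[NatRule] = NAT_RULES) -> Tuple[Optional[str], str, str]:
    """Return (matched NAT rule or None, matched security rule, action)."""
    src_zone = zone_for(src_ip)
    pre_nat_dst_zone = zone_for(dst_ip)            # NAT matching uses the original destination
    nat_name, final_dst = None, dst_ip
    for name, fz, tz, orig, xlat in nat_rules:
        if fz == src_zone and tz == pre_nat_dst_zone and orig == dst_ip:
            nat_name, final_dst = name, xlat
            break
    post_nat_dst_zone = zone_for(final_dst)        # security policy uses the translated destination
    for name, fz, tz, dst, action in SECURITY_RULES:
        if fz in ("any", src_zone) and tz in ("any", post_nat_dst_zone) and dst in ("any", final_dst):
            return nat_name, name, action
    return nat_name, "implicit-deny", "deny"


# constructed misconfiguration: destination zone written as "dmz" instead of "untrust"
WRONG_NAT_RULES: List[NatRule] = [
    ("inbound-web", "untrust", "untrust", PUBLIC_WEB_IP, DMZ_WEB_IP),
    ("uturn-web-wrong", "trust", "dmz", PUBLIC_WEB_IP, DMZ_WEB_IP),
]

if __name__ == "__main__":
    print("trust client, correct rule :", evaluate("192.168.4.20", PUBLIC_WEB_IP))
    print("trust client, wrong rule   :", evaluate("192.168.4.20", PUBLIC_WEB_IP, WRONG_NAT_RULES))
    print("internet client            :", evaluate("198.51.100.7", PUBLIC_WEB_IP))
```

With the mis-written rule the trust client never matches any NAT rule, its packet keeps the public destination, the post-NAT zone stays untrust, and the traffic falls through to deny-all, which is the symptom usually reported as "U-turn NAT does not work".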

21. What is meant by a Zone Protection Profile, and where is it configured in the GUI?


Zone protection profiles offer protection against the most common flood, reconnaissance, and
other packet-based attacks. For each security zone, you can define a zone protection profile
that specifies how the security gateway responds to attacks coming from that zone.

The following types of protection are supported:


Flood Protection: protects against SYN, ICMP, UDP, and other IP-based flooding attacks.
Reconnaissance detection: lets you detect and block the port scans and IP address sweeps that
attackers commonly run to find potential targets.

Packet-based attack protection: protects against large ICMP packets and ICMP fragment
attacks.
GUI: Network tab -> Network Profiles -> Zone Protection.
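Reconnaissance detection boils down to counting distinct targets per source inside a time window. The following added example (not PAN-OS code, and not its log format or thresholds) runs that logic over a few constructed log lines: a source touching many ports on one host within the window is reported as a port scan, and a source touching many hosts on one port is reported as an IP sweep. The window and thresholds are parameters chosen for the example.

```python
"""Toy reconnaissance detector over constructed traffic-log lines (added
example, not PAN-OS code). Log format, window size and thresholds are
constructed for the example, not PAN-OS's own."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

LINE = re.compile(r"t=(?P<t>\d+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)")

# constructed sample log: seconds offset, source, destination, destination port
SAMPLE_LOG = """\
t=0 src=198.51.100.7 dst=203.0.113.10 dport=443
t=0 src=198.51.100.9 dst=203.0.113.10 dport=21
t=1 src=198.51.100.9 dst=203.0.113.10 dport=22
t=1 src=198.51.100.9 dst=203.0.113.10 dport=23
t=2 src=198.51.100.33 dst=203.0.113.11 dport=445
t=2 src=198.51.100.9 dst=203.0.113.10 dport=25
t=3 src=198.51.100.33 dst=203.0.113.12 dport=445
t=3 src=198.51.100.9 dst=203.0.113.10 dport=80
t=4 src=198.51.100.33 dst=203.0.113.13 dport=445
t=4 src=198.51.100.9 dst=203.0.113.10 dport=443
t=5 src=198.51.100.33 dst=203.0.113.14 dport=445
t=6 src=198.51.100.33 dst=203.0.113.15 dport=445
t=7 src=198.51.100.7 dst=203.0.113.10 dport=443
"""

Event = Tuple[int, str, str, int]


def parse(log: str) -> List[Event]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:   # lines that do not fit the format are ignored, not treated as errors
            events.append((int(m["t"]), m["src"], m["dst"], int(m["dport"])))
    return events


def detect(events: List[Event], window_s: int = 10,
           port_threshold: int = 5, host_threshold: int = 5) -> Dict[str, List[str]]:
    """Bucket events into fixed windows and count distinct ports per (src, dst)
    and distinct hosts per (src, dport). Thresholds are inclusive."""
    ports_seen: Dict[Tuple[int, str, str], Set[int]] = defaultdict(set)
    hosts_seen: Dict[Tuple[int, str, int], Set[str]] = defaultdict(set)
    for t, src, dst, dport in events:
        w = t // window_s
        ports_seen[(w, src, dst)].add(dport)
        hosts_seen[(w, src, dport)].add(dst)
    alerts: Dict[str, List[str]] = {"port_scan": [], "ip_sweep": []}
    for (w, src, dst), ports in sorted(ports_seen.items()):
        if len(ports) >= port_threshold:
            alerts["port_scan"].append(f"{src} -> {dst}: {len(ports)} ports in window {w}")
    for (w, src, dport), hosts in sorted(hosts_seen.items()):
        if len(hosts) >= host_threshold:
            alerts["ip_sweep"].append(f"{src} -> port {dport}: {len(hosts)} hosts in window {w}")
    return alerts


def run_sample() -> Dict[str, List[str]]:
    return detect(parse(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, items in run_sample().items():
        for item in items:
            print(kind, item)
```

The legitimate client 198.51.100.7 repeats the same port on the same host and never crosses either threshold, which is the behaviour the thresholds are meant to leave alone.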

22. How do you troubleshoot HA using the CLI?


> show high-availability state :- shows the HA state of the firewall.
> show high-availability state-synchronization :- checks the sync status.
> show high-availability path-monitoring :- shows the status of path monitoring.
> request high-availability state suspend :- suspends the active box so that the current passive
box becomes active.

Palo Alto Single Pass Parallel Processing (SP3) Architecture


Single Pass Parallel Processing (SP3) Architecture :-

Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel
Processing (SP3) Architecture – which enables high-throughput, low-latency network security.

The combination of Single Pass software and Parallel Processing hardware is unique in network
security, and enables Palo Alto Networks next-generation firewalls to restore visibility and
control to enterprise networks at very high levels of performance.

Palo Alto Networks solves the performance problems that plague today’s security infrastructure
with the SP3 architecture, which combines two complementary components.

1-Single Pass software


2-Parallel Processing hardware

Single Pass Software:-


Palo Alto Networks Single Pass software is designed to accomplish two key functions within the
Palo Alto Networks next-generation firewall.

First, the single pass software performs operations once per packet. As a packet is processed,
networking functions, policy lookup, application identification and decoding, and signature
matching for any and all threats and content are all performed just once. This significantly reduces
the amount of processing overhead required to perform multiple functions in one security device.

Second, the content scanning step in Palo Alto Networks’ Single Pass software is stream-based,
and uses uniform signature matching to detect and block threats. Instead of using separate engines
and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file
download prior to scanning), the single pass software in our next-generation firewalls scans
content once and in a stream-based fashion to avoid latency introduction.

This Single Pass traffic processing enables very high throughput and low latency – with all security
functions active. It also offers the additional benefit of a single, fully integrated policy, enabling
simple, easier management of enterprise network security.

Parallel Processing Hardware:-
The other critical piece of Palo Alto Networks SP3 Architecture is hardware. Palo Alto Networks
next-generation firewalls use Parallel Processing hardware to ensure that the Single Pass software
runs fast. First, Palo Alto Networks engineers designed separate data and control planes. This
separation means that heavy utilization of one won’t negatively impact the other – for example, an
administrator could be running a very processor-intensive report, and yet the ability to process
packets would be completely unhindered, due to the separation of data and control planes.

The second important element of the Parallel Processing hardware is the use of discrete,
specialized processing groups that work in harmony to perform several critical functions.

Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on
network-specific hardware.

User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration
for encryption, decryption, and decompression.

Content-ID content analysis uses a dedicated, specialized content scanning engine. On the control
plane, a dedicated management processor (with its own disk and RAM) drives configuration
management, logging, and reporting without touching the data-processing hardware.

The result is the mix of raw throughput, transaction processing and network security that
today's high-performance networks require.
