Is It Possible To Route Traffic Through A VPN Between Two Networks With The Same Subnet If So How?


"Myself Pradip Lahiri, I am from Kolkata. I have done engineering in the electronics & telecommunication department. I have around 10 years of experience in the IT networking field. Since 2016 I have been working in TCS as a network administrator in the Internal IT branch. Before joining TCS I worked with companies like HCL & Sify in different roles. I have done many technical certifications throughout my professional career. Now I am looking forward to a change to enhance my skills & knowledge & meet my financial aspirations."

Presently I am working as a network administrator in TCS, where I manage the campus data centre and building switching infrastructure and security devices. I provide end-to-end, cost-effective & secure solutions to offshore projects: configuring site-to-site VPN and remote access VPN for offshore users as well as configuring the SSL VPN gateway for 'work from home' users; maintaining the firewall rule base & other security benchmarks & mitigating all security-related vulnerabilities; and handling all connectivity-related issues for offshore projects as well as participating in their network audits.

Is it possible to route traffic through a VPN between two networks with the same subnet? If so, how?
If the local network and the remote network are on the same subnet, it is not possible to build a tunnel between the two sites, because all packets are routed based on the destination IP address. Before any routing occurs, the sending host checks whether the destination IP address is on its own local network; if it is, the packet is delivered locally and never reaches the tunnel.
How to configure a tunnel for overlapping addresses in Palo Alto?
There is no way for the traffic to route over the VPN tunnel, as the same network exists on both sides of the tunnel.
The only way to resolve this is with Dynamic NAT in both directions, using two different pools that do not conflict with the 10.10.10.0/24 address space. For example, translate 10.10.11.0/24 to 10.10.10.0/24 on the corp side, and translate 10.10.12.0/24 to 10.10.10.0/24 on the client side.
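The following is an added walkthrough, not part of the original notes, that traces one packet through the two-pool NAT arrangement described above. The addresses 10.10.10.5 and 10.10.10.7 are constructed sample hosts; the pools 10.10.11.0/24 (corp side) and 10.10.12.0/24 (client side) are the ones named in the notes. Without NAT the corp host sees the destination as local and never forwards it to the gateway; with the two pools each side addresses the other by its pool, so the packet is routed into the tunnel and translated back to the real address at the far end.

```python
import ipaddress

REAL = ipaddress.ip_network("10.10.10.0/24")         # prefix in use at BOTH sites
CORP_POOL = ipaddress.ip_network("10.10.11.0/24")    # corp hosts as seen from the client site
CLIENT_POOL = ipaddress.ip_network("10.10.12.0/24")  # client hosts as seen from the corp site


def next_hop(host_net, dst):
    """Plain host routing: a destination inside the host's own subnet is
    delivered on the LAN (via ARP); anything else goes to the gateway."""
    return "lan" if ipaddress.ip_address(dst) in host_net else "gateway"


def nat(ip, from_net, to_net):
    """Static 1:1 network translation: keep the host part, swap the prefix."""
    ip = ipaddress.ip_address(ip)
    assert ip in from_net, f"{ip} is not in {from_net}"
    offset = int(ip) - int(from_net.network_address)
    return str(to_net.network_address + offset)


def corp_to_client(src, dst):
    """Trace a packet from a corp host (real address src) towards dst and the
    reply back.  Returns (path, address_delivered_at_client, address_delivered_at_corp)."""
    # 1. Corp host routing decision: a 10.10.10.x destination looks local.
    if next_hop(REAL, dst) == "lan":
        return ("lan", None, None)          # packet never reaches the tunnel
    # 2. Corp firewall, egress into the tunnel: source NAT real -> corp pool.
    tunnel_src = nat(src, REAL, CORP_POOL)
    # 3. Client firewall, ingress from the tunnel: destination NAT client pool -> real.
    delivered_dst = nat(dst, CLIENT_POOL, REAL)
    # 4. The client host replies to tunnel_src (10.10.11.x), which is not local,
    #    so the reply is forwarded to the gateway and back into the tunnel.
    assert next_hop(REAL, tunnel_src) == "gateway"
    reply_src = nat(delivered_dst, REAL, CLIENT_POOL)   # client firewall source NAT
    reply_dst = nat(tunnel_src, CORP_POOL, REAL)        # corp firewall destination NAT
    return ("tunnel", delivered_dst, reply_dst)


if __name__ == "__main__":
    # Addressing the peer by its real address: stays on the LAN, tunnel unused.
    print(corp_to_client("10.10.10.5", "10.10.10.7"))
    # Addressing the peer by its pool address: traverses the tunnel both ways.
    print(corp_to_client("10.10.10.5", "10.10.12.7"))
```

The point the trace makes is that the translation is not only cosmetic: the pool address is what makes the sending host's routing decision choose the gateway in the first place, so both directions need a pool and both pools must stay disjoint from the real prefix.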

SSL vs. TLS?
TLS is the successor of SSL and supports modern ciphers.
A WildFire license from one PA firewall: how can it be used on another PA firewall?
The license can be transferred.
Palo Alto Networks® WildFire® is the cloud-based threat analysis service.

Phase 1 and Phase 2 are up; however, the hosts behind the peer are not reachable?
This occasionally happens on a site-to-site IPSec VPN between a Palo Alto Networks device and another device. If the tunnel interface is in the untrust zone, the traffic will be NATed to the public IP while leaving the tunnel, because the default NAT rule on the Palo Alto Networks device matches it.
Resolution
There are two options to resolve this issue:
1. Move the tunnel interface to one of the trust zones, so that the traffic will not get NATed while leaving the tunnel.
2. Create a No-NAT rule for traffic from the tunnel zones to the destination addresses behind the peer.
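To make the failure mode above concrete, here is an added simulation (not from the original notes or from any vendor) of a first-match NAT rule base. The public address 203.0.113.10, the peer LAN 192.168.50.0/24 and the zone names are constructed for the example. It shows the default outbound rule catching tunnel traffic when the tunnel interface sits in untrust, and the two fixes: moving the tunnel into a trust zone, or placing a No-NAT rule ahead of the default rule. It also shows why rule order matters: a No-NAT rule placed after the default rule never matches.

```python
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"                  # constructed: firewall's public address
PEER_LAN = ip_network("192.168.50.0/24")    # constructed: hosts behind the VPN peer

# Rules are evaluated top to bottom; the first match decides the translation.
DEFAULT_NAT = {
    "name": "default-outbound",
    "from": {"trust"}, "to": {"untrust"},
    "dst": ip_network("0.0.0.0/0"),
    "translate": PUBLIC_IP,                 # source NAT to the public IP
}
NO_NAT_VPN = {
    "name": "no-nat-to-peer",
    "from": {"trust"}, "to": {"untrust"},
    "dst": PEER_LAN,
    "translate": None,                      # explicit "do not translate"
}


def evaluate_nat(rules, src_zone, dst_zone, dst_ip):
    """Return (matching rule name, translated source) for a packet, or
    ('none', None) when no rule matches and the packet leaves untranslated."""
    for rule in rules:
        if (src_zone in rule["from"] and dst_zone in rule["to"]
                and ip_address(dst_ip) in rule["dst"]):
            return rule["name"], rule["translate"]
    return "none", None


def vpn_traffic_outcome(rules, tunnel_zone, dst_ip="192.168.50.20"):
    """Traffic from an internal host to a host behind the peer, egressing via the
    tunnel interface, which lives in tunnel_zone.  The peer only accepts packets
    whose source still matches the negotiated private ranges, so any translation
    to the public IP means the hosts behind the peer become unreachable."""
    name, translated = evaluate_nat(rules, "trust", tunnel_zone, dst_ip)
    return {"rule": name, "reachable": translated is None}


if __name__ == "__main__":
    # Symptom: tunnel interface in untrust, only the default rule present.
    print(vpn_traffic_outcome([DEFAULT_NAT], "untrust"))
    # Fix 1: tunnel interface moved to a trust zone.
    print(vpn_traffic_outcome([DEFAULT_NAT], "trust"))
    # Fix 2: No-NAT rule placed ABOVE the default rule.
    print(vpn_traffic_outcome([NO_NAT_VPN, DEFAULT_NAT], "untrust"))
    # Misordered fix 2: No-NAT rule below the default rule is never reached.
    print(vpn_traffic_outcome([DEFAULT_NAT, NO_NAT_VPN], "untrust"))
```

When troubleshooting, the rule name that matched is what you want to read off the session table; if it is the outbound default rule, the tunnel is fine and the NAT policy is the problem.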

RSA?
RSA is an asymmetric system: it is a combination of a public key (used for encryption) and a private key (used for decryption).
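As an added illustration of the public/private split described above (not part of the original notes), the following textbook RSA round trip uses deliberately tiny primes (p = 61, q = 53) so the arithmetic can be followed by hand; real keys use primes of over a thousand bits each and a padding scheme, so this is for understanding only, never for protecting data. The message value 65 is a constructed sample.

```python
from math import gcd


def generate_toy_keypair(p, q, e=17):
    """Textbook RSA key generation from two primes.  Returns (public, private)
    where public = (n, e) and private = (n, d).  Toy-sized on purpose."""
    n = p * q
    phi = (p - 1) * (q - 1)                 # Euler's totient of n
    assert gcd(e, phi) == 1, "e must be coprime to phi(n)"
    d = pow(e, -1, phi)                     # modular inverse: e*d == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(public_key, m):
    """Anyone holding the public key can encrypt: c = m^e mod n."""
    n, e = public_key
    assert 0 <= m < n, "message must be an integer smaller than n"
    return pow(m, e, n)


def decrypt(private_key, c):
    """Only the private key holder can decrypt: m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def public_key_cannot_decrypt(public_key, c, m):
    """Applying the public exponent to the ciphertext does not recover m;
    that is the asymmetry the notes describe."""
    n, e = public_key
    return pow(c, e, n) != m


if __name__ == "__main__":
    pub, priv = generate_toy_keypair(61, 53)
    c = encrypt(pub, 65)
    print("public", pub, "private", priv, "ciphertext", c, "decrypted", decrypt(priv, c))
```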
How to check whether a policy is configured correctly on a PA-220?
Use the test security-policy-match command to determine whether a security policy rule is configured correctly.

To upgrade appliances using the WebUI:

- Open Internet Explorer and log in to the appliance.
- Select Appliance > Upgrade.
- Click Check Point Download Center. The Internet browser opens to the Check Point Support Center.
- Search for and download the R76 upgrade package file.
- In the WebUI, click Upload upgrade package to appliance. The Upload Package to Appliance window opens.
- Select the upgrade file: Check_Point_upg_WEBUI_and_SmartUpdate_R76.SecurePlatform.tgz
- Click Upload.
- Click Start Upgrade. Before the upgrade begins, an image is created of the system; it is used to revert to in the event the upgrade is not successful. The Save an Image before Upgrade page displays the image information.
- Click Next.
- In the Safe Upgrade section, select Safe upgrade to require a successful login after the upgrade is complete. If no login takes place within the configured amount of time, the system will revert to the saved image.
- Click Next. The Current Upgrade File on Appliance section displays the information of the current upgrade.
- To begin the upgrade, click Start.
There are eight basic steps in setting up remote access for users with the Cisco ASA:

- Step 1. Configure an Identity Certificate
- Step 2. Upload the SSL VPN Client Image to the ASA
- Step 3. Enable AnyConnect VPN Access
- Step 4. Create a Group Policy
- Step 5. Configure Access List Bypass
- Step 6. Create a Connection Profile and Tunnel Group
- Step 7. Configure NAT Exemption
- Step 8. Configure User Accounts

Palo Alto Active/Active

When configuring the first peer, set the Device ID to 0; on the second peer, set the Device ID to 1.
For active/active mode on firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on the peers. Use a crossover cable if the peers are directly connected to each other.
On any other hardware model, use dataplane interfaces for HA3.

Persona/Node Type: these terms are often used interchangeably and determine the service provided by a particular node:
- Administration (PAN): the Administration Node is the single point of ISE deployment configuration. This persona provides full access to the administration GUI.
- Policy Service (PSN): the Policy Service Node handles traffic between network devices and ISE (its IP is used as the RADIUS server address on the devices). To share RADIUS traffic, you can scale out the PSNs.
- Monitoring (MnT): the Monitoring Node is responsible for log aggregation across the deployment.

Is Cisco ISE a RADIUS server?
Cisco ISE (Identity Services Engine) is a RADIUS server plus a policy engine that is used as a gatekeeper for the network.

Checkpoint 4200 R80.4

Cisco ISE Release 3.0 --- SNS 3500/3600

What is 802.1X? How does it work?
Devices attempting to connect to a LAN or WLAN require an authentication mechanism. IEEE 802.1X, the IEEE standard for Port-Based Network Access Control (PNAC), provides protected authentication for secure network access.
SIC in Check Point
The SIC layer provides a secure internal communication method between Check Point software entities, based on certificates managed by a certificate authority (status, issue, revoke). Port 18210 is used to pull certificates from the CA.

Encryption used for site-to-site VPN phase 1 and phase 2

Stages of IPSec VPN tunnel building

How AnyConnect VPN works: steps for a user to connect to the VPN gateway & access internal applications

TCP FIN in Palo Alto

Anti-spoofing in a firewall

Anti-Spoofing detects whether a packet with an IP address that belongs behind a certain interface arrives from a different interface. For example, if a packet from an external network carries an internal IP address, Anti-Spoofing blocks that packet.
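The following is an added example, not from the original notes, of the anti-spoofing check just described: each interface is configured with the networks that legitimately sit behind it, and a packet is dropped when its source address belongs behind a different interface than the one it arrived on. The interface names, the networks 10.20.0.0/16 and 172.16.5.0/24, and the sample packets are all constructed for the example; the external interface is treated as "everything not claimed by an internal interface", which is how most firewalls define it.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: interface -> networks that legitimately sit behind it.
# The external interface claims nothing explicitly; it is the catch-all.
TOPOLOGY = {
    "eth0-external": [],
    "eth1-internal": [ip_network("10.20.0.0/16")],
    "eth2-dmz": [ip_network("172.16.5.0/24")],
}
EXTERNAL = "eth0-external"


def expected_interface(src_ip):
    """Which interface should a packet with this source address arrive on?"""
    addr = ip_address(src_ip)
    for iface, nets in TOPOLOGY.items():
        if any(addr in net for net in nets):
            return iface
    return EXTERNAL                          # not claimed by any internal interface


def anti_spoof_check(ingress_iface, src_ip):
    """Return ('allow', None) or ('drop', reason) for one packet."""
    expected = expected_interface(src_ip)
    if expected == ingress_iface:
        return ("allow", None)
    return ("drop", f"src {src_ip} belongs behind {expected} but arrived on {ingress_iface}")


def audit(packets):
    """Run the check over (ingress_iface, src_ip, dst_ip) tuples and return the
    verdict per packet; in a real firewall a 'drop' is also a log event worth alerting on."""
    return [anti_spoof_check(iface, src)[0] for iface, src, _dst in packets]


# Constructed sample traffic: (ingress interface, source IP, destination IP)
SAMPLE_PACKETS = [
    ("eth0-external", "198.51.100.9", "10.20.1.5"),    # normal inbound from the internet
    ("eth0-external", "10.20.1.5", "10.20.1.10"),      # internal address from outside: spoofed
    ("eth1-internal", "10.20.1.5", "198.51.100.9"),    # normal outbound from the LAN
    ("eth1-internal", "172.16.5.3", "10.20.1.5"),      # DMZ address on the LAN port: spoofed
    ("eth2-dmz", "172.16.5.3", "198.51.100.9"),        # normal DMZ traffic
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, audit(SAMPLE_PACKETS)):
        print(verdict, pkt, anti_spoof_check(pkt[0], pkt[1])[1] or "")
```

The check is only as good as the topology definition: an internal network missing from its interface's list is treated as external, so legitimate LAN traffic is dropped and the misconfiguration shows up as anti-spoofing drops in the logs.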

connection table in firewall

To set up a Site-to-Site VPN connection, complete the following steps:

site to site vpn phase 1 and 2 difference
