Question 1 - How many deployment models are available in Palo Alto?

Ans - There are multiple deployment models available:
1. Tap mode
2. Layer 2
3. Layer 3
4. Virtual Wire mode

Tap mode - This interface type is used to connect the firewall to a switch SPAN or mirror port. It passively collects traffic and logs it to the firewall traffic log.

Layer 2 mode - All interfaces are in the same subnet; the firewall works in switching mode.
[Figure: Layer 2 mode - interfaces E1/4, E1/6 and E1/5, all in 192.168.1.0/24]

Layer 3 mode - All interfaces are in different subnets; the firewall works as a router, using static or dynamic routing.
[Figure: Layer 3 mode - E1/4 in 192.168.1.0/24, E1/6 in 192.168.2.0/24, E1/5 in 172.16.1.0/24]

Virtual Wire mode - There is no IP or MAC address on the interface.
[Figure: Zone A - Virtual Wire interface - Firewall (Virtual Wire) - Virtual Wire interface - Zone B]

Question 2 - How many Ethernet (physical) and logical interfaces are available in Palo Alto?

Ans -
Physical interfaces:
- Tap mode
- Virtual Wire
- Layer 2
- Layer 3
- Aggregate interfaces
- HA

Logical interfaces:
- VLAN
- Loopback
- Tunnel
- Decrypt Mirror

Question 3 - How to publish an internal website to the internet, or how to perform destination NAT?

Ans - To publish an internal website to the outside world, we require a destination NAT rule and a security policy. NAT requires converting the internal private IP address into an external public IP address. The firewall policy needs to allow access to the internal server on the HTTP service from outside.

We use the scenario below to configure destination NAT:
[Figure: destination NAT scenario - server techclick.co.in, private IP 192.168.1.10; the public IP, gateway and DNS values are not legible in the scan]

For NAT - Here we need to use the pre-NAT configuration to identify the zone. Both the source and the destination zone should be Untrust-L3, as the source and destination address are part of the untrust zone.

For Policy - Here we need to use the post-NAT configuration to identify the zone. The source zone will be Untrust-L3, as the source address is still the same, 1.1.1.1, and the destination zone will be Trust-L3, as the translated IP address belongs to the Trust-L3 zone. We have to use the pre-NAT IP address for the source and destination address part of the policy configuration. According to the packet flow, the actual translation has not yet happened; only the egress zone and route lookup have happened for the packet. The actual translation happens after the policy lookup.

In the firewall (security) rule: Zone = post-NAT, IP address = pre-NAT.
In the NAT rule: Zone = pre-NAT, IP address = pre-NAT (L3-untrust to L3-untrust).
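The pre-NAT / post-NAT rule above is the part candidates most often get wrong, so here is a small simulation of the packet flow it describes. It is an added example, not part of the original notes and not PAN-OS code: a route lookup on the original destination gives the egress zone, the NAT rule is matched on pre-NAT zones and addresses, and the security policy is then matched on the pre-NAT address but the post-NAT destination zone. The public IP 203.0.113.10, the interface names and the routing table are assumptions (the scan does not give them); 1.1.1.1 and 192.168.1.10 come from the notes.

```python
import ipaddress
from dataclasses import dataclass

# Constructed scenario. PUBLIC_IP is a documentation-range placeholder, since
# the original figure's public IP is not legible; the other two are from the notes.
PUBLIC_IP = "203.0.113.10"
SERVER_IP = "192.168.1.10"
CLIENT_IP = "1.1.1.1"

# Assumed Layer 3 topology: (prefix, interface, zone). The zone of a packet is
# the zone of the interface selected by the route lookup.
ROUTES = [
    ("192.168.1.0/24", "ethernet1/2", "Trust-L3"),
    ("0.0.0.0/0", "ethernet1/1", "Untrust-L3"),
]


def zone_for(ip):
    """Longest-prefix match over ROUTES; returns the zone of the egress interface."""
    addr = ipaddress.ip_address(ip)
    best = max((r for r in ROUTES if addr in ipaddress.ip_network(r[0])),
               key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
    return best[2]


@dataclass
class NatRule:
    name: str
    from_zone: str       # pre-NAT source zone
    to_zone: str         # pre-NAT: egress zone of the ORIGINAL destination
    dst: str             # pre-NAT destination address
    port: int
    translated_dst: str  # post-NAT destination address


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str         # post-NAT destination zone
    dst: str             # pre-NAT destination address
    port: int
    action: str


# NAT rule: Untrust-L3 to Untrust-L3, pre-NAT public IP, translated to the server.
NAT_RULES = [NatRule("web-dnat", "Untrust-L3", "Untrust-L3", PUBLIC_IP, 80, SERVER_IP)]

# Correct policy: post-NAT zone (Trust-L3) with the pre-NAT address (PUBLIC_IP).
POLICY = [SecurityRule("allow-web", "Untrust-L3", "Trust-L3", PUBLIC_IP, 80, "allow")]

# Common mistake for comparison: policy written with the pre-NAT zone.
WRONG_POLICY = [SecurityRule("allow-web", "Untrust-L3", "Untrust-L3", PUBLIC_IP, 80, "allow")]


def process(src, dst, port, policy=POLICY):
    """Walk the flow: route lookup -> NAT rule match -> policy lookup -> translation."""
    src_zone = zone_for(src)
    egress_zone = zone_for(dst)  # route lookup on the original (pre-NAT) destination

    nat = next((r for r in NAT_RULES
                if r.from_zone == src_zone and r.to_zone == egress_zone
                and r.dst == dst and r.port == port), None)

    # Only the destination zone is resolved from the NAT rule here; the address
    # in the packet is still the pre-NAT one when the policy is evaluated.
    policy_zone = zone_for(nat.translated_dst) if nat else egress_zone

    rule = next((p for p in policy
                 if p.from_zone == src_zone and p.to_zone == policy_zone
                 and p.dst == dst and p.port == port), None)
    action = rule.action if rule else "deny"  # implicit interzone deny

    # Translation is applied only after the policy has allowed the session.
    final_dst = nat.translated_dst if (nat and action == "allow") else dst
    return {
        "src_zone": src_zone,
        "egress_zone": egress_zone,
        "nat_rule": nat.name if nat else None,
        "policy_zone": policy_zone,
        "policy": rule.name if rule else None,
        "action": action,
        "final_dst": final_dst,
    }


if __name__ == "__main__":
    for port in (80, 443):
        print(port, process(CLIENT_IP, PUBLIC_IP, port))
    print("pre-NAT zone in policy:", process(CLIENT_IP, PUBLIC_IP, 80, WRONG_POLICY))
```

Running it shows the HTTP request from 1.1.1.1 matching the NAT rule on Untrust-L3 to Untrust-L3, the policy matching on Untrust-L3 to Trust-L3 with the public address, and only then the destination being rewritten to 192.168.1.10; the same packet against WRONG_POLICY is denied, which is exactly the symptom seen when the security rule is written with the pre-NAT zone.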
