
PALO ALTO INTERVIEW QUESTIONS

Beginner’s Forum
https://beginnersforum.net/
Beginner’s Forum Palo Alto interview questions

Preface
Due to the overwhelming response to the Palo Alto interview questions on our site, and the repeated requests for more questions and answers, we decided to add more here as a PDF file for our readers. We hope this helps you.

Copyright
Copyright ©2018. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage and retrieval system, without written permission from the publisher.


1. How does Palo Alto provide VPN functionality?

Palo Alto provides VPN functionality using the GlobalProtect solution, which supports users on laptops, mobile phones and tablets.

2. What are the different deployment methods of GlobalProtect?

Site-to-Site VPN: Extends the private network with secure communication over public networks, using standards-based IPsec VPN connections.
Large-Scale VPN: Easily extends your network with protection for branch offices and retail stores around the globe. Large-Scale VPN simplifies the process of deploying a hub-and-spoke VPN topology with branch firewalls by setting up connections with minimal effort.
GlobalProtect Remote Client: Establishes an SSL/IPsec VPN tunnel from a laptop, smartphone or tablet to the optimal next-generation firewall, providing visibility and consistent enforcement of security policy for continuous protection from known and unknown threats.


3. Describe the steps to set up a Site-to-Site VPN solution.

The steps are:
- Configure L3 interfaces, virtual routers, and zones
- Create a tunnel interface and attach it to a virtual router and security zone
- Configure a static route, on the virtual router, to the destination subnet
- Define IKE Crypto profiles
- Define IPSec Crypto profiles
- Define IKE gateways
- Set up the IPSec tunnel
- Define security policies to filter and inspect the traffic

The detailed configuration follows.

A. Configure L3 interfaces, virtual routers, and zones
This interface is used for IKE phase-1 tunnel termination.
Define the following parameters:
Interface—ethernet1/7
Security Zone—untrust
Virtual Router—default
IPv4—192.168.10.10/24 (this would be the public IP address)

B. Create a tunnel interface and attach it to a virtual router and security zone
Ideally, put the tunnel interfaces in a separate zone, so that tunneled traffic can use different policies.
Select Network->Interfaces->Tunnel and click Add.
Define the following parameters:
Interface—tunnel.10

Security Zone—vpn_tun
Virtual Router—default
IPv4—10.10.10.1/24

C. Configure a static route, on the virtual router, to the destination subnet
Set up static routes or assign routing protocols to redirect traffic for the destination subnet to the VPN tunnel interface created in step B.
Select Network->Virtual Router->Static Route->Add
Define the following parameters:
Destination—192.168.30.0/24 (destination network)
Interface—tunnel.10

D. Define IKE Crypto profiles
The IKE Crypto profile sets the encryption and authentication algorithms used for the key exchange in IKE Phase 1, and the lifetime of the keys, which specifies how long the keys are valid. To invoke the profile, you must attach it to the IKE Gateway configuration.
Go to Network->Network Profiles->IKE Crypto and select Add.
Define the following parameters:
Name, DH Group, Authentication (SHA), Encryption (AES or 3DES), Key Lifetime (default 8 hours)

E. Define IPSec Crypto profile
Configure the parameters needed to establish the IPSec connection for the transfer of data across the VPN tunnel.
Go to Network->Network Profiles->IPSec Crypto and select Add.
Define the following parameters:
Name, Protocol (AH or ESP), Encryption (AES or 3DES), Authentication (SHA or MD5), DH Group, Lifetime

F. Define IKE gateways


The IKE gateway is used to establish communication between the peers at each end of the VPN tunnel. Attach the IKE Crypto profile created above, which specifies the protocols and algorithms for identification, authentication, and encryption to be used in IKEv1 Phase 1.
Select Network->Network Profiles->IKE Gateways and click Add.
Define the following parameters:
Name, IKE Version
Establish the local endpoint of the tunnel: select the physical interface on which the tunnel terminates and select its IP address (this would be the public IP address)
Specify the remote end details: set Peer Type to Static and enter the peer IP address
Specify the authentication method (pre-shared key or certificate)
Attach the IKE Crypto profile: click the Advanced tab and select the IKE Crypto profile created in step D

G. Set up the IPSec tunnel
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP packets) as it traverses the tunnel.
Steps:
Select Network->IPSec Tunnels->New Tunnel Interface
Define the following parameters:
Name
Tunnel interface
IKE gateway created in step F
IPSec Crypto profile created in step E
Tunnel monitoring profile, which defines the action to take when connectivity cannot be established

H. Define security policies to filter and inspect the traffic
Create rules to allow traffic between the untrust and vpn_tun zones in both directions for traffic originating from the specified source and destination IP addresses.

Reference article:
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/vpns/site-to-site-vpn-quick-configs/site-to-site-vpn-with-static-routing#id12184b17-432a-41cf-b10c-67eca32b4bb6

4. How do you troubleshoot VPN connectivity?

a) Initiate traffic through the tunnel
Initiate IKE phase 1 by either pinging a host across the tunnel or using the following CLI command:
test vpn ike-sa gateway <gateway_name>
b) Verify IKE Phase 1 status
show vpn ike-sa gateway <gateway_name>
In the output, check whether the Security Association is displayed. If it is not, review peer reachability and the phase-1 configuration, and review the system log for the exact reason for the failure.
c) Initiate IKE Phase 2 traffic
Initiate IKE phase 2 by either pinging a host across the tunnel or using the following CLI command:
test vpn ipsec-sa tunnel <tunnel_name>
d) Verify Phase 2 status
show vpn ipsec-sa tunnel <tunnel_name>
In the output, check whether the Security Association is displayed. If it is not, review the system log messages to determine the reason for the failure.


e) To view the VPN traffic flow information, use the following command:
show vpn flow
total tunnels configured: 1
filter - type IPSec, state any

total IPSec tunnel configured: 1
total IPSec tunnel shown: 1

name           id  state   local-ip   peer-ip    tunnel-i/f
-----------------------------------------------------------------------------------
vpn-to-siteB   5   active  100.1.1.1  200.1.1.1  tunnel.41

f) You can also troubleshoot by enabling, disabling, refreshing or restarting the IPSec tunnel:
Network->IPSec Tunnels->Tunnel Name->Tunnel Info->Refresh/Restart
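The following Python script is an added example, not code from the original page or from Palo Alto Networks. It parses output in the "show vpn flow" format shown above and reports any tunnel whose state is not "active", cross-checking the number of parsed rows against the firewall's own "total IPSec tunnel shown" line so that a truncated capture is reported rather than passed as healthy. The sample output is constructed: the second tunnel (vpn-to-siteC), its peer address and its "init" state are assumptions added for illustration.

```python
"""Parse PAN-OS 'show vpn flow' output and flag IPSec tunnels that are not active."""
import re
from typing import Dict, List

# Constructed sample modelled on the 'show vpn flow' output above; the second
# tunnel (vpn-to-siteC) is made up to show a tunnel whose IPSec SA never came up.
SAMPLE_SHOW_VPN_FLOW = """\
total tunnels configured: 2
filter - type IPSec, state any

total IPSec tunnel configured: 2
total IPSec tunnel shown: 2

name           id  state   local-ip   peer-ip      tunnel-i/f
-----------------------------------------------------------------------------------
vpn-to-siteB   5   active  100.1.1.1  200.1.1.1    tunnel.41
vpn-to-siteC   6   init    100.1.1.1  203.0.113.9  tunnel.42
"""

# Column names as printed in the table header of the command output.
COLUMNS = ("name", "id", "state", "local-ip", "peer-ip", "tunnel-i/f")


def parse_vpn_flow(output: str) -> List[Dict[str, str]]:
    """Return one dict per tunnel row found below the dashed separator line."""
    tunnels: List[Dict[str, str]] = []
    in_table = False
    for line in output.splitlines():
        if line.startswith("-----"):
            in_table = True          # everything after the separator is tunnel rows
            continue
        if not in_table or not line.strip():
            continue
        fields = line.split()
        if len(fields) != len(COLUMNS):
            raise ValueError(f"unexpected tunnel row: {line!r}")
        tunnels.append(dict(zip(COLUMNS, fields)))
    return tunnels


def shown_count(output: str) -> int:
    """The firewall's own count of rows it printed ('total IPSec tunnel shown: N')."""
    match = re.search(r"total IPSec tunnel shown:\s*(\d+)", output)
    return int(match.group(1)) if match else 0


def inactive_tunnels(output: str) -> List[str]:
    """Names of tunnels whose state is anything other than 'active'.

    The row count is cross-checked against the firewall's own total so that a
    truncated or mangled capture of the command output raises an error instead
    of being silently reported as 'no problem found'.
    """
    tunnels = parse_vpn_flow(output)
    if len(tunnels) != shown_count(output):
        raise ValueError("parsed row count does not match 'total IPSec tunnel shown'")
    return [t["name"] for t in tunnels if t["state"] != "active"]


if __name__ == "__main__":
    for name in inactive_tunnels(SAMPLE_SHOW_VPN_FLOW):
        print(f"{name}: IPSec SA not active, check 'show vpn ipsec-sa tunnel {name}'")
```

Feeding the script the output of a scheduled "show vpn flow" gives a simple tunnel-health check; for each name it reports, the next step is the phase-1 and phase-2 verification commands listed in b) and d) above.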
5. Why use proxy IDs on a VPN?
When we are talking about IPSec VPN tunnels, if you are setting up the Palo Alto Networks firewall to work with a peer that supports policy-based VPN, you must define proxy IDs. Devices that support policy-based VPN use specific security rules/policies or access lists (source addresses, destination addresses and ports) for permitting interesting traffic through an IPSec tunnel. These rules are referenced during quick mode/IKE phase 2 negotiation, and are exchanged as proxy IDs in the first or second message of the process.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClUFCA0

6. Explain DNS Proxy
You can configure the firewall to act as a DNS server. You can create DNS Proxy rules to direct DNS queries to different DNS servers based on domain names. DNS servers can ensure localization of DNS queries and increase efficiency by caching. For example, you can forward all corporate DNS queries to a corporate DNS server and forward all other queries to ISP DNS servers.
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-dns-proxy/dns-proxy-overview

7. What is the purpose of evasion signatures in the Palo Alto firewall?

Palo Alto Networks evasion signatures detect crafted HTTP or TLS requests, and can alert on instances where a client connects to a domain other than the domain specified in a DNS query. Evasion signatures are effective only when the firewall is also enabled to act as a DNS proxy and resolve domain name queries.

8. What are the best practices for securing a network using the Palo Alto firewall?
a. Upgrade to the most current PAN-OS software version and content release version to ensure that you have the latest security updates.
b. Set up the firewall to act as a DNS proxy and enable evasion signatures.
c. Protect servers by creating Security policy rules that allow only the application(s) that you sanction on each server. Verify that the standard port for the application matches the listening port on the server. For example, to ensure that only SMTP traffic is allowed to your email server, set the Application to SMTP and set the Service to application-default.
d. Block all unknown applications and traffic using the Security policy.
e. Set up File Blocking to block Portable Executable (PE) file types for internet-based SMB (Server Message Block) traffic from traversing trust to untrust zones (ms-ds-smb applications).
f. Create a Zone Protection profile that is configured to protect against packet-based attacks.
g. Disable the options Forward datagrams exceeding UDP content inspection queue and Forward segments exceeding TCP content inspection queue (Device->Setup->Content-ID->Content-ID Settings). By default, when the TCP or UDP content inspection queues are full, the firewall skips content inspection for TCP segments or UDP datagrams that exceed the queue limit of 64. Disabling these options ensures content inspection for all TCP segments and UDP datagrams that the firewall allows.
h. Create a Vulnerability Protection profile that blocks protocol anomalies and blocks vulnerabilities with low and high severities.
i. Continue to attach Anti-Spyware and Antivirus security profiles to your Security policy rules to provide signature-based protection.


9. How do you create a threat exception in the firewall?

Palo Alto Networks defines a recommended default action (such as block or alert) for threat signatures. You can use a threat ID to exclude a threat signature from enforcement or to modify the action the firewall enforces for that threat signature. For example, you can modify the action for threat signatures that are triggering false positives on your network.
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/threat-prevention/create-threat-exceptions

10. How do you review the impact of new App-IDs on existing policy rules?
You can review the policy impact of new content release versions that are downloaded to the firewall. Download a new content release version and click Review Policies in the Action column. The Policy review based on candidate configuration dialog allows you to filter by Content Version and view the App-IDs introduced in a specific release.
https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/manage-new-app-ids-introduced-in-content-releases/review-new-app-id-impact-on-existing-policy-rules

11. How do you configure DoS Protection in PAN-OS?

A Denial of Service (DoS) attack is an attempt to disrupt network services by overloading the network with unwanted traffic. PAN-OS DoS protection features protect your firewall, and in turn your network resources and devices, from being exhausted or overwhelmed in the event of network floods, host sweeps, port scans and packet-based attacks.
DoS Protection can be configured by the following methods:
1. Zone-Based Protection: A broad-based, comprehensive DoS template at the edge to protect the enterprise network from volumetric DoS attacks. It acts as the first line of defense for the network.
2. End Host Protection (DoS rule base and profiles): A flexible policy rule base that provides scalpel-like granularity in protecting specific end hosts (web servers, DNS servers, user subnets) which are critical or have historically been prone to DoS attacks. It also protects from attacks originating within the private network by filtering compromised servers and rogue end hosts.
https://knowledgebase.paloaltonetworks.com/servlet/fileField?entityId=ka10g000000CySkAAK&field=Attachment_1__Body__s


12. How do you prevent brute-force attacks using PAN-OS?

A brute-force attack uses a large volume of requests/responses from the same source or destination IP address to break into a system. The attacker employs a trial-and-error method to guess the response to a challenge or a request.
The Vulnerability Protection profile on the firewall includes signatures to protect you from brute-force attacks. Each signature has an ID, Threat Name, and Severity and is triggered when a pattern is recorded. The pattern specifies the conditions and the interval at which the traffic is identified as a brute-force attack; some signatures are associated with a child signature that is of a lower severity and specifies the pattern to match against. When a pattern matches the signature or child signature, it triggers the default action for the signature.
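The following Python script is an added example, not code from the original page or from Palo Alto Networks, and it does not reproduce any real PAN-OS signature. It models the "child pattern counted over an interval" idea described above: a single-event condition (the child signature) is matched per source address, and when it is seen a threshold number of times within an interval the parent brute-force pattern fires. The log lines, the source addresses, the threshold of 5 hits and the 60-second interval are all constructed assumptions for the demonstration.

```python
"""Sliding-window model of a brute-force signature: a child pattern (the condition)
counted per source over an interval, triggering the parent signature's action."""
from collections import defaultdict, deque
from datetime import datetime
import re
from typing import Deque, Dict, List, Tuple

# Constructed syslog-style authentication failures; not taken from a real device.
SAMPLE_LOG = """\
2018-06-01T10:00:00 sshd[101]: Failed password for root from 203.0.113.5 port 51000
2018-06-01T10:00:02 sshd[101]: Failed password for root from 203.0.113.5 port 51001
2018-06-01T10:00:04 sshd[101]: Failed password for admin from 203.0.113.5 port 51002
2018-06-01T10:00:05 sshd[101]: Failed password for root from 198.51.100.7 port 40000
2018-06-01T10:00:06 sshd[101]: Failed password for root from 203.0.113.5 port 51003
2018-06-01T10:00:07 sshd[101]: Failed password for root from 203.0.113.5 port 51004
2018-06-01T10:02:30 sshd[101]: Failed password for root from 198.51.100.7 port 40001
2018-06-01T10:02:31 sshd[101]: Accepted password for bob from 198.51.100.7 port 40002
"""

# timestamp, process tag, message text, source address, port
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<msg>.+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+$"
)


def detect_brute_force(log: str, condition: str, threshold: int,
                       interval_s: int) -> List[Tuple[str, str]]:
    """Return (source, timestamp) alerts: one per source each time `condition`
    is seen `threshold` times within `interval_s` seconds.

    - `condition` plays the role of the lower-severity child signature
      (the single-event pattern to match against).
    - `threshold` and `interval_s` play the role of the parent signature's
      pattern: how many hits in what interval count as a brute-force attack.
    """
    windows: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m or condition not in m.group("msg"):
            continue                      # not a child-signature hit
        ts = datetime.fromisoformat(m.group("ts"))
        window = windows[m.group("src")]
        window.append(ts)
        # Drop hits that fell out of the interval (the log is in time order).
        while (ts - window[0]).total_seconds() > interval_s:
            window.popleft()
        if len(window) >= threshold:
            alerts.append((m.group("src"), ts.isoformat()))
            window.clear()                # one alert per window, then count again
    return alerts


if __name__ == "__main__":
    for src, when in detect_brute_force(SAMPLE_LOG, "Failed password", 5, 60):
        print(f"brute-force pattern matched: {src} at {when}")
```

With the sample log, 203.0.113.5 produces five failures within seven seconds and triggers the pattern, while 198.51.100.7 produces only two failures more than a minute apart and does not; lowering the threshold changes how many alerts fire, which is the same trade-off a threat exception on a brute-force signature makes when it raises or lowers the default action.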

13. Why do we require a Vulnerability Protection profile?

Vulnerability Protection profiles stop attempts to exploit system flaws or gain unauthorized access to systems. While Anti-Spyware profiles help identify infected hosts as traffic leaves the network, Vulnerability Protection profiles protect against threats entering the network. For example, Vulnerability Protection profiles help protect against buffer overflows, illegal code execution, and other attempts to exploit system vulnerabilities. The default Vulnerability Protection profile protects clients and servers from all known critical, high, and medium-severity threats. You can also create exceptions, which allow you to change the response to a specific signature.

14. What do you mean by Zero Trust architecture, and how is it implemented in Palo Alto?
Zero Trust, rooted in the principle of “never trust, always verify,” is designed to address lateral threat movement within the network by leveraging micro-segmentation and granular perimeter enforcement, based on user, data and location.
a. Ensure all data and resources are accessed securely, based on user and location.
b. Adopt a least-privileged access strategy and strictly enforce access control.
c. “Always verify,” meaning inspect and log all traffic.
d. Add more authentication methods to counter credential-based attacks.
e. Never trust, always keep adding context and keep your roles up to date.

15. How do you inspect encrypted traffic in Palo Alto?

The Palo Alto Networks firewall uses Decryption profiles, which are policy-based, and can decrypt, inspect, and control inbound and outbound SSL and SSH connections. A Decryption policy enables you to specify traffic to decrypt by destination, source, service, or URL category, and to block, restrict, or forward the specified traffic according to the security settings in the associated Decryption profile. It provides three types of Decryption policy.

16. Difference between Cisco ASA and Palo Alto firewall?

Architecture
  Cisco ASA 5550: Modular Policy Framework
  Palo Alto: Single Pass architecture
Policies
  Cisco ASA 5550: Policy decision based on ports/protocols; multiple policies for FW, IPS, etc.
  Palo Alto: Policy decision based on application regardless of ports and protocols; one unified policy rule base
Threat protection
  Cisco ASA 5550: AIP-SSM modules (IPS), AIP-CSC modules (AV)
  Palo Alto: Complete threat protection framework (known and unknown)
Zones/Interface
  Cisco ASA 5550: Interfaces
  Palo Alto: Security Zones
Deployment modes
  Cisco ASA 5550: Layer 2, Layer 3
  Palo Alto: Tap mode, Virtual Wire (layer 1), Layer 2, Layer 3
Management
  Cisco ASA 5550: CSM, Prime, ASDM
  Palo Alto: Panorama, Device GUI
17. Describe the best practices for the migration process.
Migration requires a combination of people, process and technology to effectively and efficiently migrate from a legacy firewall to a Palo Alto firewall.
The proven migration process is a cycle of four phases: Audit, Analyze, Convert, Cutover.

Audit:
- Verify the current policy for effectiveness and security
- Clean up the policy prior to migration
Analyze:
- Understand how the current firewall integrates into the network environment
- Find the corner cases that need to be migrated
Convert:
- Convert objects, services and policies into PAN-OS
- Test/check the converted policy
- Manually configure the corner cases (NAT and VPN)
Cutover:
- Develop a migration plan
- Cut over, monitor and fine-tune the configuration

18. Typical post-migration clean-up process

- Perform a one-to-one migration
- Run for 2-3 weeks
- Use “Highlight unused policies” to see which policies are stale
- Disable unused policies
- Monitor
- Delete unused policies


19. What are the different strategies for ASA to Palo Alto migration?
They can be categorized based on risk, effort and reward. The different methods are:

1. Less Risk, Lower Effort, Small Reward

Method: Migrate objects and policies “as is”
Conversion process:
- Move IP/network objects
- Move policies
- Compare policies to ensure accuracy
- Cut over and monitor
Post conversion:
- Start moving from ports to applications
- Move from IP/network to users/groups
Pros:
- Easier migration with less risk during initial cutover
Cons:
- No policy “compression” or optimization
- No policy clean-up, still living with policy explosion

2. Less Risk, Lower Effort, Small Reward

Method: Policy/object clean-up method
Conversion process:
- Move only the IP and network objects that are used in the current policy
- Analyze the current policies and compress them into fewer rules wherever possible
- Compare policies to ensure accuracy
Post conversion:
- Start moving from ports to applications
- Move from IP/network to users/groups
Pros:
- Simplified and optimized policy after the conversion
- Fewer IP and network objects
Cons:
- Needs more analysis and pre-conversion work

3. More Risk, Higher Effort, Big Reward

Method: Policy/object clean-up plus move to application-based policies
Conversion process:
- Move only the IP and network objects that are used in the current policy
- Analyze the current policies and compress them into fewer rules wherever possible
- Convert from port/protocol to application
- Compare policies to ensure accuracy
- Cut over and monitor
Post conversion:
- Policy tuning
- Move from IP/network to users/groups
Pros:
- Takes full advantage of application-based policies
- Cleaned-up policies and objects
- Easier maintenance and operation
Cons:
- Needs more analysis pre-conversion
- Riskier cutover

20. How does User-ID help to compress the policies?

A legacy firewall provides user-to-IP mapping, which still requires the same number of policies and the same rule base. The Palo Alto User-ID feature provides user- and group-based policies, which can be simplified into a rule such as “IT Admin” may access “SSH” on “Server Network”.

21. Explain Panorama
It is a management server that provides centralized monitoring and management of multiple Palo Alto Networks next-generation firewalls and of WildFire appliances and appliance clusters. It provides a single location from which you can oversee all applications, users, and content traversing your network, and then use this knowledge to create application enablement policies that protect and control the network.

22. Explain App-ID and its operation.
A patented mechanism to determine what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application.

23. What are the mechanisms used by App-ID to identify traffic?
Application signatures: PA has a signature database which contains unique application properties and related transaction characteristics. These signatures are applied to allowed traffic to identify the application whether it is being used on its default port or on a non-standard port.
Decrypt traffic: The firewall decrypts encrypted traffic to identify the application if a Decryption policy is configured. Used for SSL and SSH traffic.
Unknown protocol decoder: Identifies the application based on network behaviour. This is required when the application uses proprietary and end-to-end encryption, e.g. Skype and BitTorrent.
Known protocol decoders: Understand the syntax and commands of common applications. Decoders for known protocols are used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP).


24. Explain the App-ID traffic flow.

- Traffic is matched against policy to check whether it is allowed on the network.
- Signatures are then applied to allowed traffic to identify the application based on unique application properties and related transaction characteristics. The signature also determines if the application is being used on its default port or on a non-standard port. If the traffic is allowed by policy, it is then scanned for threats and further analyzed to identify the application more granularly.
- If App-ID determines that encryption (SSL or SSH) is in use, and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again on the decrypted flow.
- Decoders for known protocols are then used to apply additional context-based signatures to detect other applications that may be tunneling inside of the protocol (for example, Yahoo! Instant Messenger used across HTTP). Decoders validate that the traffic conforms to the protocol specification and provide support for NAT traversal and opening dynamic pinholes for applications such as SIP and FTP.
- For applications that are particularly evasive and cannot be identified through advanced signature and protocol analysis, heuristics or behavioral analysis may be used to determine the identity of the application.
When the application is identified, the policy check determines how to treat the application: for example, block it, or allow it and scan for threats, inspect for unauthorized file transfers and data patterns, or shape it using QoS.


25. What is an Application Override?

Application Override is where the Palo Alto Networks firewall is configured to override the normal Application Identification (App-ID) of specific traffic passing through the firewall. As soon as the Application Override policy takes effect, all further App-ID inspection of the traffic is stopped, and the session is identified with the custom application.

Example use scenario

You might ask why we would ever need to override the normal application identification process. In some cases, customers build their own custom applications to address specific needs unique to the company. For these applications, we may not have signatures to properly identify the expected behavior and identify the traffic with a known application. In such cases, we recommend creating an application override to allow easier identification and reporting, and to prevent confusion.

Let's look at a typical scenario where you might use an Application Override policy. If, for example, you have a custom application that uses TCP port 23, but traffic passing through the firewall is identified as temenos-T24, and the misidentification causes confusion about the traffic, then an Application Override can be implemented to correctly identify the traffic.

26. Use of Application Filters and Application Groups?

Application Group:
An application group is an object that contains applications that you want to treat similarly in policy. Application groups are useful for enabling access to applications that you explicitly sanction for use within your organization. Grouping sanctioned applications simplifies administration of your rule bases. Instead of having to update individual policy rules when there is a change in the applications you support, you can update only the affected application groups.
Application Filter:
An application filter is an object that dynamically groups applications based on application attributes that you define, including category, subcategory, technology, risk factor, and characteristic. This is useful when you want to safely enable access to applications that you do not explicitly sanction, but that you want users to be able to access.


27. How do you publish an internal website to the internet, or how do you perform destination NAT?

To publish an internal website to the outside world, we require destination NAT and a security policy configuration. NAT requires mapping the internal private IP address to an external public IP address, and the firewall policy must allow access from outside to the internal server on the HTTP service. We can see how to perform the NAT and policy configuration with respect to the following scenario:
Provide access to 192.168.10.100 through the public IP address 64.10.11.10 from the internet.

The following NAT and policy rules need to be created.

NAT: Here we need to use the pre-NAT configuration to identify the zones. Both the source and destination zone should be Untrust-L3, as the source and destination addresses are part of the untrust zone.
Policy: Here we need to use the post-NAT configuration to identify the zones. The source zone will be Untrust-L3, as the source address is still the same (12.67.5.2), and the destination zone will be Trust-L3, as the translated IP address belongs to the Trust-L3 zone.
We have to use the pre-NAT IP addresses for the source and destination address fields of the policy. According to the packet flow, the actual translation has not yet happened; only the egress zone and route lookup have happened for the packet. The actual translation happens after the policy lookup. Refer to the Palo Alto Networks packet flow documentation for the detailed packet flow. Just remember the following technique so it will be easy to understand:

In the firewall rule:
Zone: post-NAT
IP address: pre-NAT
In the NAT rule:
Zone: pre-NAT
The final configuration looks like below:
(Figure: final NAT and security policy rule configuration, not reproduced in this text.)
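The following Python script is an added example, not code from the original page or from Palo Alto Networks; it is a small model of the lookup order described above, not the firewall's actual implementation. It takes the page's scenario (client 12.67.5.2 reaching 192.168.10.100 via public IP 64.10.11.10) and walks through route lookup, NAT rule lookup on pre-NAT zones, security policy lookup on post-NAT zones with pre-NAT addresses, and finally the translation. The routing table, the zone names Trust-L3 and Untrust-L3 (taken from the text), the application name web-browsing and the rule names are assumptions; deriving the ingress zone from a route lookup on the source address is a simplification noted in the code.

```python
"""Model of the PAN-OS lookup order behind the rule 'NAT rule: pre-NAT zones;
security rule: post-NAT zones, pre-NAT addresses', using the page's scenario."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed routing table: destination prefix -> zone of the egress interface.
# 192.168.10.0/24 sits behind the Trust-L3 interface; everything else leaves via Untrust-L3.
ROUTES = {
    "192.168.10.0/24": "Trust-L3",
    "0.0.0.0/0": "Untrust-L3",
}


def zone_for(ip: str) -> str:
    """Route lookup: the longest matching prefix decides the egress zone."""
    addr = ip_address(ip)
    best = max((ip_network(p) for p in ROUTES if addr in ip_network(p)),
               key=lambda net: net.prefixlen)
    return ROUTES[str(best)]


@dataclass
class NatRule:
    src_zone: str
    dst_zone: str
    dst_addr: str          # original (pre-NAT) destination
    translated_dst: str


@dataclass
class SecurityRule:
    name: str
    src_zone: str
    dst_zone: str
    dst_addr: str          # "any" or a single address
    app: str
    action: str


def evaluate(src_ip: str, dst_ip: str, app: str, nat_rules: List[NatRule],
             sec_rules: List[SecurityRule]) -> Tuple[str, str, str]:
    """Return (matched security rule, action, destination after translation)."""
    # Simplification: the ingress zone is derived by a route lookup on the source
    # address; a real firewall takes it from the interface the packet arrived on.
    ingress_zone = zone_for(src_ip)

    # Step 1: NAT policy lookup. Zones come from a route lookup on the ORIGINAL
    # destination, so for a public IP owned by the firewall that is the untrust zone.
    pre_nat_egress = zone_for(dst_ip)
    nat: Optional[NatRule] = next(
        (r for r in nat_rules
         if r.src_zone == ingress_zone and r.dst_zone == pre_nat_egress
         and r.dst_addr == dst_ip),
        None)
    translated_dst = nat.translated_dst if nat else dst_ip

    # Step 2: security policy lookup. The destination ZONE is now the zone of the
    # translated address (post-NAT), but the packet header is still untranslated,
    # so the destination ADDRESS in the rule must be the pre-NAT public IP.
    post_nat_egress = zone_for(translated_dst)
    for rule in sec_rules:
        if (rule.src_zone == ingress_zone and rule.dst_zone == post_nat_egress
                and rule.dst_addr in ("any", dst_ip) and rule.app == app):
            # Step 3: the translation is applied only after the policy decision.
            return rule.name, rule.action, translated_dst
    return "interzone-default", "deny", translated_dst


# The page's scenario: publish 192.168.10.100 on public IP 64.10.11.10 for a client at 12.67.5.2.
DNAT_WEB = NatRule("Untrust-L3", "Untrust-L3", "64.10.11.10", "192.168.10.100")
CORRECT_RULE = SecurityRule("allow-web", "Untrust-L3", "Trust-L3",
                            "64.10.11.10", "web-browsing", "allow")
# Two common mistakes: post-NAT address in the rule, or pre-NAT zone in the rule.
WRONG_ADDR_RULE = SecurityRule("allow-web-bad-addr", "Untrust-L3", "Trust-L3",
                               "192.168.10.100", "web-browsing", "allow")
WRONG_ZONE_RULE = SecurityRule("allow-web-bad-zone", "Untrust-L3", "Untrust-L3",
                               "64.10.11.10", "web-browsing", "allow")

if __name__ == "__main__":
    for rule in (CORRECT_RULE, WRONG_ADDR_RULE, WRONG_ZONE_RULE):
        print(rule.name, evaluate("12.67.5.2", "64.10.11.10", "web-browsing",
                                  [DNAT_WEB], [rule]))
```

Only the rule written with the post-NAT zone (Trust-L3) and the pre-NAT address (64.10.11.10) allows the session; a rule written with the private address or with the untrust destination zone falls through to the default deny, which is exactly the outcome the "test security-policy-match" command in question 35 lets you confirm on a real firewall before cutover.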

28. What is GlobalProtect?

GlobalProtect provides a transparent agent that extends enterprise security policy to all users regardless of their location. The agent can also act as a remote access VPN client.
The components are:

Gateway: One or more interfaces on the Palo Alto firewall which provide access and security enforcement for traffic from the GlobalProtect agent.

Portal: Centralized control which manages gateways, certificates, user authentication and the end host checklist.

Agent: Software on the laptop that is configured to connect to the GlobalProtect deployment.

29. Explain virtual systems.

A virtual system specifies a collection of physical and logical firewall interfaces and security zones. Virtual systems allow segmentation of security policy functionality such as ACLs, NAT and QoS. Networking functions, including static and dynamic routing, are not controlled by virtual systems. If routing segmentation is desired for each virtual system, an additional virtual router is required.


30. Explain the various links used to establish HA (HA introduction).

PA firewalls use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, a control link (HA1) and a data link (HA2), while others require you to use in-band ports as HA links.

Control link: The HA1 link is used to exchange hellos, heartbeats, and HA state information, for management-plane synchronization of routing and User-ID information, and to synchronize configuration. HA1 is a layer 3 interface and requires an IP address.

Data link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between the firewalls in an HA pair. HA2 is a layer 2 link.

Backup links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup link IP addresses must be on a different subnet from the primary HA links.

Packet-forwarding link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link to forward packets to the peer during session setup and for asymmetric traffic flows.
31. Which protocol is used to exchange heartbeats between HA peers?

ICMP

32. Which port numbers are used in HA?
HA1: TCP/28769 and TCP/28260 for clear-text communication, TCP/28 for encrypted communication

HA2: IP protocol number 99 or UDP/29281

33. What are the scenarios that trigger a failover?

-> One or more monitored interfaces fail
-> One or more specified destinations cannot be pinged by the active firewall
-> The active device does not respond to heartbeat polls (loss of three consecutive heartbeats over a period of 1000 milliseconds)
34. How do you troubleshoot HA using the CLI?
> show high-availability state : show the HA state of the firewall
> show high-availability state-synchronization : check the sync status
> show high-availability path-monitoring : show the status of path monitoring
> request high-availability state suspend : suspend the active box and make the current passive box active

35. Which command checks the firewall policy match for a particular destination?
> test security-policy-match from trust to untrust destination <IP>
36. Command to check the NAT rule?
> test nat-policy-match
37. Command to check the system details?
> show system info // shows the management IP, system version and serial number
38. How do you perform debugging (packet capture) in PA?
The steps are:
Clear all packet capture settings
> debug dataplane packet-diag clear all
Set the traffic matching condition
> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on
Enable packet capture
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on
View the captured file
> view-pcap filter-pcap rx.pcap

39.What you mean by Device Group and Device Template?

Device group allows you to group firewalls which is require similar set of policy, such as
firewalls that manage a group of branch offices or individual departments in a company.
Panorama treats each group as a single unit when applying policies. A firewall can belong to
only one device group. The Objects and Policies are only part of Device Group.

Device Template: Device Templates enable you to deploy a common base configuration like
Network and device specific settings to multiple firewalls that require similar settings. This
is available in Device and Network tabs on Panorama

40.Why are Security Profiles used?

Security profiles scan allowed applications for threats such as viruses,
malware, spyware, and DDoS attacks. Security profiles are not used in the match criteria of
a traffic flow; a security profile is applied to scan traffic after the application or category
has been allowed by the security policy. Security profiles that are commonly applied
together can be added to a Security Profile Group.

Following are the Security Profiles available:

 Antivirus Profiles
 Anti-Spyware Profiles
 Vulnerability Protection Profiles
 URL Filtering Profiles
 Data Filtering Profiles
 File Blocking Profiles
 WildFire Analysis Profiles
 DoS Protection Profiles
41.Why is Palo Alto called a next-generation firewall?

Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention
system (IPS) and application control features. Palo Alto Networks delivers all the next-
generation firewall features on a single platform, with parallel processing and a single
management system, unlike other vendors who use different modules or multiple
management systems to offer NGFW features. Palo Alto NGFWs differ from other
vendors' in terms of platform, process and architecture.

42.What is the difference between a Palo Alto NGFW and a Checkpoint UTM?

PA follows Single Pass Parallel Processing, while UTM follows a multi-pass architecture,
processing each packet several times.

43.Describe the Palo Alto architecture and its advantages.

Architecture: Single Pass Parallel Processing (SP3) architecture

Advantage: Single Pass traffic processing enables very high throughput and low latency
– with all security functions active. It also offers a single, fully integrated policy, which makes
firewall policy management simpler and easier.

44.Explain the Single Pass and Parallel Processing architecture.

Single Pass: The single pass software performs operations once per packet. As a packet is
processed, networking functions, policy lookup, application identification and decoding,
and signature matching for any and all threats and content are all performed just once.
Instead of using separate engines and signature sets (requiring multi-pass scanning) and
instead of using file proxies (requiring file download prior to scanning), the single pass
software in next-generation firewalls scans content once and in a stream-based fashion to
avoid latency introduction.

Parallel Processing: PA firewalls are designed with separate data and control planes to support
parallel processing. The second important element of the Parallel Processing hardware is
the use of discrete, specialized processing groups to perform several critical functions:

 Networking: routing, flow lookup, stats counting, NAT, and similar functions are
performed on network-specific hardware.
 User-ID, App-ID, and policy all occur on a multi-core security engine with hardware
acceleration for encryption, decryption, and decompression.
 Content-ID content analysis uses a dedicated, specialized content scanning engine.
 On the control plane, a dedicated management processor (with dedicated disk and
RAM) drives configuration management, logging, and reporting without touching the
data processing hardware.

45.What is the difference between the PA-200, PA-500 and higher models?

In the PA-200 and PA-500, signature processing and network processing are implemented in software,
while higher models have dedicated hardware processors.

46.What are the four deployment modes? Explain each.

 Tap Mode: Tap mode allows you to passively monitor traffic flowing across the network by
way of a tap or a switch SPAN/mirror port.

 Virtual Wire: In a virtual wire deployment, the firewall is installed transparently on a
network segment by binding two interfaces together.

 Layer 2 mode: Multiple interfaces can be configured into a "virtual switch" or VLAN
in L2 mode.

 Layer 3 deployment: In a Layer 3 deployment, the firewall routes traffic between
multiple interfaces. An IP address must be assigned to each interface and a virtual
router must be defined to route the traffic.

47.What is a Zone Protection profile?

Zone Protection Profiles offer protection against the most common flood, reconnaissance, and
other packet-based attacks. For each security zone, you can define a zone protection
profile that specifies how the security gateway responds to attacks from that zone. The
following types of protection are supported:

-Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.

-Reconnaissance detection—Allows you to detect and block commonly used port scans and
IP address sweeps that attackers run to find potential attack targets.

-Packet-based attack protection—Protects against large ICMP packets and ICMP fragment
attacks.

Configured under Network tab -> Network Profiles -> Zone Protection.

48.What is U-turn NAT and how is it configured?

U-turn NAT applies when internal resources in the trust zone need to access DMZ
resources using the public IP addresses of the untrust zone.

Let's explain it using the scenario below.

In this example, the website company.com (192.168.10.20) is statically NATed to the public
IP address 81.23.7.22 in the untrust zone. Users in the corporate office on the
192.168.1.0/24 segment need to access the company webpage. Their DNS lookup will
resolve to the public IP in the Internet zone. The basic destination NAT rule that gives
Internet users access to the web server will not work for internal users browsing to the
public IP, because their traffic enters from the trust zone rather than the untrust zone.
Following are the NAT rule and policy definition.


49.Explain the Palo Alto packet flow.

The chart below explains the packet flow (Process / Steps / Result and Comments).

Receiving Packet
Steps: Packet is received on the ingress interface.
Result: Packet ingress process starts.

Ingress Interface & Zone Lookup
Steps: Extract L2/L3/L4 info.
Result: After this, source zone info is available.

VPN Decryption
Steps: Perform VPN decryption for the tunnelled packet.
Result: Perform the source zone lookup again on the decrypted packet.

Session Lookup
Steps: Do a session lookup in the flow table.
Result: Follow the process below if the session is not found; skip to the fast path if the session is found.

Forwarding Lookup (FW session setup process / slow path started)
Steps: Find the egress interface, zone and vsys from the L3 route table.
Result: Destination zone and vsys are available.

NAT Policy Lookup
Steps: Check the NAT rule; if present, perform the final egress interface and zone lookup.
Result: Working against the original packet. Looking for the final destination interface and zone; not performing NAT translation. The final destination zone is available after the lookup.

User-ID Lookup
Steps: Fetch user info using the source IP from the User-IP table.
Result: This step also fetches the user group info.

Security Policy Lookup
Steps: Check the policy rules on the vsys.
Result: Working against the original packet. Source IP: pre-NAT; Destination IP: pre-NAT; Destination zone: post-NAT.

Create Session
Steps: Create two uni-directional sessions: Client to Server (C2S) and Server to Client (S2C).

L2-L4 Processing (FW fast path started)
Steps: Update the session timeout. Perform NAT translation.
Result: NAT is done in this step; NAT translation happens after the policy lookup.

SSL Proxy Decryption
Steps: Decrypt the packet if applicable.

App-ID Process
Steps: Application identification.

Content Inspection
Steps: Perform content inspection.

Forwarding/Egress
Steps: Do route/switch/vwire forwarding.
Result: Packet forwarding process; use the ingress interface to get the forwarding domain information.

Transmit Packet
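The ordering above (NAT lookup before security policy, with the security policy matched on pre-NAT IPs but the post-NAT destination zone) is exactly what makes the U-turn NAT case in Q48 work or fail. The following small model is an added example, not PAN-OS code or the page's own configuration; its routing table, rule names and the external client address are constructed assumptions built around the page's scenario (company.com at 192.168.10.20 published as 81.23.7.22).

```python
import ipaddress

# Constructed routing table (prefix -> zone of the egress interface), mirroring
# the page's scenario: users on 192.168.1.0/24, web server on 192.168.10.20.
ROUTES = {
    "192.168.1.0/24": "trust",
    "192.168.10.0/24": "dmz",
    "0.0.0.0/0": "untrust",  # default route toward the Internet
}

# Constructed NAT rules, matched on the ORIGINAL packet (pre-NAT zones and IPs).
# Rule names are assumptions, not the page's configuration.
BASIC_NAT = [
    {"name": "dnat-web", "from": "untrust", "to": "untrust",
     "dst": "81.23.7.22", "translated_dst": "192.168.10.20"},
]
UTURN_NAT = BASIC_NAT + [
    {"name": "dnat-web-uturn", "from": "trust", "to": "untrust",
     "dst": "81.23.7.22", "translated_dst": "192.168.10.20"},
]

# Constructed security rules: destination IP is pre-NAT, destination zone is post-NAT.
SECURITY = [
    {"name": "inet-to-web", "from": "untrust", "to": "dmz", "dst": "81.23.7.22"},
    {"name": "trust-to-web", "from": "trust", "to": "dmz", "dst": "81.23.7.22"},
]


def zone_for(ip):
    """Forwarding lookup: longest-prefix match, returns the egress zone."""
    addr = ipaddress.ip_address(ip)
    nets = [(ipaddress.ip_network(p), z) for p, z in ROUTES.items()]
    return max((n for n in nets if addr in n[0]), key=lambda n: n[0].prefixlen)[1]


def slow_path(src_ip, dst_ip, nat_rules):
    """Run the slow-path order from Q49 and return
    (matched NAT rule, post-NAT destination zone, matched security rule)."""
    src_zone = zone_for(src_ip)            # ingress interface & zone lookup
    orig_dst_zone = zone_for(dst_ip)       # forwarding lookup on the original packet
    nat = next((r for r in nat_rules if r["from"] == src_zone
                and r["to"] == orig_dst_zone and r["dst"] == dst_ip), None)
    final_dst = nat["translated_dst"] if nat else dst_ip
    dst_zone = zone_for(final_dst)         # final zone lookup; no translation yet
    sec = next((r for r in SECURITY if r["from"] == src_zone
                and r["to"] == dst_zone and r["dst"] == dst_ip), None)  # pre-NAT IP
    return (nat["name"] if nat else None, dst_zone, sec["name"] if sec else None)
```

With only the basic rule, an internal client hitting the public IP matches no NAT rule, is routed toward untrust and matches no security rule; adding the trust-to-untrust destination NAT rule yields the dmz zone and lets the trust-to-web rule match on the pre-NAT destination.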
