Palo Alto Interview Questions
Beginner’s Forum
https://beginnersforum.net/
Beginner’s Forum Palo Alto interview questions
Preface
Due to the overwhelming response to our Palo Alto interview questions on our site, and due to
the extended request for more questions and answers, we decided to add more here as a PDF file for
our readers. Hope this helps you.
Copyright
Copyright ©2018. All rights reserved. No part of this document may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying, recording,
or by any information storage and retrieval system, without written permission from the publisher.
Security Zone: vpn_tun
Virtual Router: default
IPv4: 10.10.10.1/24
C. Configure a static route, on the virtual router, to the destination subnet.
Set up static routes or assign routing protocols to redirect traffic for the destination subnet to the VPN tunnel
interface created in step 2.
Select Network -> Virtual Router -> Static Route -> Add
Define the following parameters:
Destination: 192.168.30.0/24 (destination network)
Interface: tunnel.10
D. Define IKE Crypto Profiles
The IKE crypto profile sets the encryption and authentication algorithms used for the key
exchange in IKE Phase 1, and the key lifetime, which specifies how long the keys remain valid.
To invoke the profile, you must attach it to the IKE Gateway configuration.
Go to Network -> Network Profiles -> IKE Crypto and select Add.
Define the following parameters:
Name, DH Group, Authentication (SHA), Encryption (AES or 3DES), Key Lifetime
(default 8 hours)
E. Define IPSec Crypto Profile
Configure the parameters needed to establish the IPSec connection used to transfer data
across the VPN tunnel.
Go to Network -> Network Profiles -> IPSec Crypto and select Add.
Define the following parameters:
Name, Protocol (AH or ESP), Encryption (AES or 3DES), Authentication (SHA or MD5),
DH Group, Lifetime
F. Define IKE gateways
The IKE gateway is used to establish communication between the peers at each end of the
VPN tunnel. Attach the IKE crypto profile created above, which specifies the protocols and
algorithms for identification, authentication, and encryption used in IKEv1 Phase 1.
Following is the path:
Select Network -> Network Profiles -> IKE Gateways -> click Add
Define the following parameters:
Name, IKE Version
Establish the local endpoint of the tunnel:
Select the physical interface that terminates the tunnel locally and select its IP address
(this is the public IP address).
Specify the remote end details:
Provide Peer Type as Static and the Peer IP address.
Specify authentication (pre-shared key or certificate).
Attach the IKE profile:
Click the Advanced tab and select the IKE profile created in step 2.
G. Set up the IPSec Tunnel
The IPSec tunnel configuration allows you to authenticate and/or encrypt the data (IP
packet) as it traverses the tunnel.
Steps:
Select Network -> IPSec Tunnels -> New Tunnel Interface
Define the following parameters:
Name: provide a name
Select the tunnel interface
Select the IKE gateway created in step 4
Select the IPSec profile created in step 3
e) To view the VPN traffic flow information, use the following command:
show vpn flow
total tunnels configured: 1
filter - type IPSec, state any
https://www.paloaltonetworks.com/documentation/80/pan-os/web-interface-help/network/network-dns-proxy/dns-proxy-overview
14. What do you mean by Zero Trust Architecture, and how is it implemented in Palo Alto?
Zero Trust, rooted in the principle of "never trust, always verify," is designed to address
lateral threat movement within the network by leveraging micro-segmentation and granular
perimeter enforcement based on user, data and location.
a. Ensure all data and resources are accessed securely, based on user and location.
b. Adopt a least-privileged access strategy and strictly enforce access control.
c. "Always verify," meaning inspect and log all traffic.
d. Add more authentication methods to counter credential-based attacks.
e. Never trust; always keep adding context and keep your roles up to date.
Migration process: Audit -> Analyze -> Convert -> Cutover
Audit:
Verify the current policy for effectiveness and security
Clean up the policy prior to migration
Analyze:
Understand how the current firewall integrates into the network environment
Find the corner cases that need to be migrated
Convert:
Convert objects, services and policies into PAN-OS
Test/check the converted policy
Manually configure the corner cases (NAT and VPN)
Cutover:
Develop a migration plan
Cut over, monitor and fine-tune the configuration
Cons:
Needs more analysis pre-conversion
Riskier Cutover
Let's look at a typical scenario where you might use an Application Override policy. If, for
example, you have a custom application that uses TCP port 23, but traffic passing through the firewall is
identified as temenos-T24, and the misidentification causes confusion about the traffic, then an
Application Override can be implemented to correctly identify the traffic.
To publish an internal website to the outside world, we require a destination NAT rule and a security policy.
NAT translates the external public IP address to the internal private IP address, and the
firewall policy must allow access to the internal server on the http service from outside. We can see
how to perform the NAT and policy configuration with the following scenario:
Provide access to 192.168.10.100 through the public IP address 64.10.11.10 from the internet.
In the firewall (security) rule:
Zone: post-NAT
IP address: pre-NAT
In the NAT rule:
Zone: pre-NAT
The final configuration looks like the following:
Gateway: one or more interfaces on the Palo Alto firewall that provide access and
security enforcement for traffic from the GlobalProtect agent.
Portal: centralized control that manages gateways, certificates, user authentication and
end-host checklists.
Agent: software on the laptop that is configured to connect to the GlobalProtect deployment.
A virtual system specifies a collection of physical and logical firewall interfaces and security
zones. Virtual systems allow segmentation of security policy functions such as ACL, NAT and QoS.
Networking functions, including static and dynamic routing, are not controlled by virtual systems. If
routing segmentation is desired for each virtual system, an additional virtual router is required.
PA firewalls use HA links to synchronize data and maintain state information. Some models of
the firewall have dedicated HA ports, a control link (HA1) and a data link (HA2), while others require
you to use in-band ports as HA links.
Control Link: the HA1 link is used to exchange hellos, heartbeats and HA state information,
and for management-plane sync of routing, User-ID information and configuration. The
HA1 link is a layer 3 interface and requires an IP address.
Data Link: the HA2 link is used to synchronize sessions, forwarding tables, IPSec security
associations and ARP tables between firewalls in an HA pair. HA2 is a layer 2 link.
Backup Links: provide redundancy for the HA1 and HA2 links. In-band ports are used as
backup links for both HA1 and HA2. The HA backup link IP addresses must be on a different subnet from
the primary HA links.
Packet-Forwarding Link: in addition to the HA1 and HA2 links, an active/active deployment
also requires a dedicated HA3 link. The firewalls use this link to forward packets to the peer
during session setup and asymmetric traffic flow.
31. What protocol is used to exchange heartbeats between HA peers?
ICMP
32. Which port numbers are used in HA?
HA1: TCP/28769 and TCP/28260 for clear-text communication, TCP/28 for encrypted
communication
-> if one or more specified destinations cannot be pinged by the active firewall
-> if the active device does not respond to heartbeat polls (loss of three consecutive
heartbeats over a period of 1000 milliseconds)
34. How do you troubleshoot HA using the CLI?
> show high-availability state : show the HA state of the firewall
> show high-availability state-synchronization : check the sync status
> show high-availability path-monitoring : show the status of path monitoring
> request high-availability state suspend : suspend the active box and make the current passive
box active
35. Which command checks which security policy matches for a particular destination?
> test security-policy-match from trust to untrust destination <IP>
36. Which command checks the NAT rule?
> test nat-policy-match
37. Which command checks the system details?
> show system info // shows the management IP, system version and serial number
38. How do you perform a packet-level debug in PA?
Following are the steps:
Clear all packet capture settings
> debug dataplane packet-diag clear all
Set the traffic matching condition
> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on
Enable packet capture
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on
View the captured file
Device groups allow you to group firewalls that require a similar set of policies, such as
firewalls that manage a group of branch offices or individual departments in a company.
Panorama treats each group as a single unit when applying policies. A firewall can belong to
only one device group. Only Objects and Policies are part of a device group.
Device Template: device templates enable you to deploy a common base configuration, such as
network and device-specific settings, to multiple firewalls that require similar settings. This
is available in the Device and Network tabs on Panorama.
Security profiles are used to scan allowed applications for threats such as viruses,
malware, spyware and DDoS attacks. Security profiles are not used in the match criteria of
a traffic flow; a security profile is applied to scan traffic after the application or category
has been allowed by the security policy. You can add security profiles that are commonly applied
together to a Security Profile Group.
management systems to offer NGFW features. Palo Alto NGFW differs from other
vendors in terms of platform, process and architecture.
PA follows single-pass parallel processing, while UTM follows a multi-pass architecture.
Advantage: single-pass traffic processing enables very high throughput and low latency
with all security functions active. It also offers a single, fully integrated policy, which makes
firewall policy management simpler and easier.
Single Pass: the single-pass software performs each operation once per packet. As a packet is
processed, networking functions, policy lookup, application identification and decoding,
and signature matching for any and all threats and content are all performed just once.
Instead of using separate engines and signature sets (requiring multi-pass scanning) and
instead of using file proxies (requiring the file to be downloaded prior to scanning), the single-pass
software in next-generation firewalls scans content once, in a stream-based fashion, to
avoid introducing latency.
Parallel Processing: PA is designed with separate data and control planes to support
parallel processing. The second important element of the parallel-processing hardware is
the use of discrete, specialized processing groups to perform several critical functions:
Networking: routing, flow lookup, stats counting, NAT and similar functions are
performed on network-specific hardware.
User-ID, App-ID and policy all run on a multi-core security engine with hardware
acceleration for encryption, decryption and decompression.
Content-ID content analysis uses a dedicated, specialized content scanning engine.
In the PA-200 and PA-500, signature processing and network processing are implemented in software,
while higher models have dedicated hardware processors.
Tap Mode: tap mode allows you to passively monitor traffic flow across the network by
way of a tap or a switch SPAN/mirror port.
Zone Protection Profiles offer protection against the most common flood, reconnaissance and
other packet-based attacks. For each security zone, you can define a zone protection
profile that specifies how the security gateway responds to attacks from that zone. The
following types of protection are supported:
- Flood Protection: protects against SYN, ICMP, UDP and other IP-based flooding attacks.
- Reconnaissance Detection: allows you to detect and block commonly used port scans and
IP address sweeps that attackers run to find potential targets.
- Packet-Based Attack Protection: protects against large ICMP packets and ICMP fragment
attacks.
Configured under the Network tab -> Network Profiles -> Zone Protection.
U-turn NAT applies when internal resources in the trust zone need to access DMZ
resources using the public IP addresses of the untrust zone.
In the above example, the website company.com (192.168.10.20) is statically NAT'ed to public
IP address 81.23.7.22 in the untrust zone. Users in the corporate office on the
192.168.1.0/24 segment need to access the company web page. Their DNS lookup
resolves to the public IP in the internet zone. The basic destination NAT rule that gives
internet users access to the web server will not work for internal users browsing to the
public IP.
Following are the NAT rule and policy definition.
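The two NAT scenarios above (publishing 192.168.10.100 via 64.10.11.10, and the U-turn case for 81.23.7.22) modelled as a small Python rule evaluator; this is an added example, not code from the original document or from Palo Alto Networks. The routing table, zone names (trust, dmz, untrust) and the rule names are constructed assumptions; the point it shows is why NAT rules match on pre-NAT zones while security rules match on the post-NAT zone but the pre-NAT destination IP.

```python
import ipaddress
from dataclasses import dataclass
# Constructed routing table (hypothetical topology): prefix -> zone of the egress interface.
ROUTES = {
    ipaddress.ip_network("192.168.1.0/24"): "trust",
    ipaddress.ip_network("192.168.10.0/24"): "dmz",
    ipaddress.ip_network("0.0.0.0/0"): "untrust",
}

def zone_of(ip):
    """Forwarding lookup: longest-prefix match gives the zone an address routes to."""
    addr = ipaddress.ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str        # zone the ORIGINAL (pre-NAT) destination routes to
    dst: str            # original destination address
    translated_dst: str
@dataclass
class SecRule:
    name: str
    from_zone: str
    to_zone: str        # POST-NAT destination zone
    dst: str            # PRE-NAT destination address
    action: str
NAT_RULES = [  # constructed rules for the two scenarios on the page
    NatRule("publish-web", "untrust", "untrust", "64.10.11.10", "192.168.10.100"),
    NatRule("uturn-web", "trust", "untrust", "81.23.7.22", "192.168.10.20"),
]
SEC_RULES = [
    SecRule("allow-web-in", "untrust", "dmz", "64.10.11.10", "allow"),
    SecRule("allow-uturn", "trust", "dmz", "81.23.7.22", "allow"),
]

def evaluate(src_ip, dst_ip):
    """Session setup: NAT lookup (pre-NAT zones), forwarding lookup on the translated
    address, then security policy on the post-NAT zone with the pre-NAT IP."""
    src_zone, pre_zone = zone_of(src_ip), zone_of(dst_ip)
    nat = next((r for r in NAT_RULES if (r.from_zone, r.to_zone, r.dst)
                == (src_zone, pre_zone, dst_ip)), None)
    post_dst = nat.translated_dst if nat else dst_ip
    post_zone = zone_of(post_dst)
    sec = next((r for r in SEC_RULES if (r.from_zone, r.to_zone, r.dst)
                == (src_zone, post_zone, dst_ip)), None)
    return {"nat": nat.name if nat else None, "dst_zone": post_zone,
            "translated_dst": post_dst, "action": sec.action if sec else "deny"}
```

An internal client (192.168.1.x) browsing to 64.10.11.10 matches neither rule set and is denied, which is the gap the U-turn rule closes for 81.23.7.22.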
Packet flow (Process: Steps; Result and Comments)
Receiving Packet: packet is received on the ingress interface.
Session Lookup: session lookup on the flow table. If no session is found, follow the session setup process below; if a session is found, skip to the fast path.
FW Session Setup Process (slow path):
  Forwarding Lookup: find the egress interface, zone and vsys, starting from the L3 route table. Result: destination zone and vsys available.
  User-ID Lookup: fetch user info using the source IP from the User-IP table. This step also fetches the user group info.
FW Fast Path:
  L2-L4 Processing: update the session timeout and perform NAT translation. NAT is applied in this step; NAT translation happens after policy lookup.
  App-ID Process: application identification.
  Content Inspection: perform content inspection.
Transmit Packet.