Palo Alto Firewall Interview Questions and Answers


Ques 1. What is the role of Virtual Wire interface in Palo Alto firewall?
Virtual wire is a deployment mode for a Palo Alto NGFW in which the firewall is installed transparently on a network segment between two firewall ports and passes traffic through at Layer 2. The virtual wire is internal to the firewall, since the bridging is done logically. We can create virtual wire subinterfaces to classify traffic according to an IP address, IP range, or subnet. The best thing about virtual wire is that it does not require any change to adjacent network devices.

Ques 2. What is App-ID?

App-ID is a feature in the Palo Alto NGFW that lets us see the applications on the network and learn how they work, their behavioural characteristics and their associated risks. App-ID identifies applications via multiple methods:
• Application signatures
• Decryption
• Protocol decoding
• Heuristics
The App-ID service can block high-risk applications as well as high-risk behaviour such as file sharing, and traffic encrypted with SSL can be decrypted and inspected.

Ques 3. How does App-ID identify the application used in the network?

Identifying the application is the first task the Palo Alto Networks NGFW performs on traffic traversing it, using App-ID. The identification mechanisms are:
• Application protocol detection and decryption, where the application protocol is determined and, if SSL is in use, the traffic is decrypted so that it can be analysed further.
• Application protocol decoding, where the firewall determines whether the initially detected application protocol is the actual one, or whether it is being used as a tunnel to hide the actual application.
• Application signatures, where context-based signatures look for unique properties and transaction characteristics to correctly identify the application regardless of the port and protocol being used.
• Heuristics, applied to traffic that eludes identification by signature analysis. Heuristics identify troublesome applications, such as P2P or VoIP tools that use proprietary encryption.

Ques 4. An administrator is finding it hard to manage multiple Palo Alto NGFW firewalls. What solution should he use to simplify management and manage the firewalls centrally from a single source?
Panorama is the solution. Using Panorama we can centralize policy and firewall management for a distributed network of firewalls.

Ques 5. What are the key areas in which Panorama adds value?

The key benefits of Panorama are:
• Centralized configuration and deployment - Panorama simplifies central management and rapid deployment of the firewalls on the network. Firewalls can be assembled into device groups, templates can be created and applied to devices, and device groups are used to administer rules.
• Aggregated logging for analysis and reporting - First, activity logs are collected from all the managed firewalls on the network; they are then centrally analysed, investigated and finally reported on. Panorama presents a comprehensive view of network traffic, user activity and the associated risks.
• Distributed administration - Access to global and local firewall configurations and policies can be delegated or restricted.

Ques 6. Which Palo Alto Networks solution protects endpoints from successful cyber-attacks?
Traps

Ques 7. What are the different modes in which interfaces on a Palo Alto firewall can be configured?
When configuring the Ethernet ports on the firewall, each port can be used in one of the modes below:
• Virtual wire
• Layer 2
• Layer 3

Ques 8. Which command is used to Show the maximum log file size?
show system logdb-quota

Ques 9. What is the function of a Zone Protection profile?

Zone Protection profiles offer protection against the most common flood, reconnaissance and other packet-based attacks. For each security zone, we can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:
• Flood protection - Protects against SYN, ICMP, UDP and other IP-based flooding attacks.
• Reconnaissance detection - Allows you to detect and block the commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
• Packet-based attack protection - Protects against large ICMP packets and ICMP fragment attacks.

Ques 10. What is difference between Palo Alto NGFW and WAF?

Ques 11. What is U-Turn NAT?

U-Turn NAT refers to the logical path that traffic appears to travel when internal users access an internal resource by resolving its external address. U-turn NAT is mostly used when internal users also need to access web-facing servers in the DMZ zone using the server's external public IP address.

Ques 12. Explain the difference between Virtual Routers and Virtual Systems in Palo Alto?

Ques 13. A new customer wants to set up a firewall to process 10 Gbps of traffic. Which firewall models could be recommended to the customer?
Below are the best possible firewalls that can be proposed for the customer environment (requiring at least 10 Gbps throughput):
• PA-5250 (40 Gbps)
• PA-5220 (20 Gbps)
• PA-3260 (10 Gbps)
Considering the fact that the firewall will be deployed for at least 5 to 7 years, a higher throughput is strongly recommended. For instance, if a 50% rise in throughput is expected (which makes the total throughput requirement 15 Gbps), the PA-5220 is the most suitable candidate.

Ques 14. Which Dynamic Routing protocol cannot be configured on the Palo Alto Firewall?
EIGRP and IGRP

Ques 15. What is the difference between stream-based application scanning and file-based application scanning?
Stream-based scanning is a technique that begins scanning as soon as the first packets of the file are received, as opposed to waiting until the entire file is loaded into memory before scanning begins. Stream-based scanning minimizes performance and latency issues by receiving, scanning and sending traffic to its intended destination immediately, without having to first buffer and then scan the file. File-based scanning, on the other hand, needs to download the entire file before it can scan the traffic.

Ques 16. Which IPS mechanisms are used by Content-ID to secure the network from attacks?
IPS mechanisms used in Content-ID include:
• Protocol decoders and anomaly detection
• Stateful pattern matching
• Statistical anomaly detection
• Heuristic-based analysis
• Invalid or malformed packet detection
• IP defragmentation and TCP reassembly
• Custom vulnerability and spyware phone-home signatures

Ques 17. What widget allows administrators to quickly investigate security incidents by
correlating threats with applications and user identity?
Application Command Center (ACC)

Ques 18. Which types of logs can be viewed on Palo Alto NGFWs?
• Traffic logs
• Threat logs
• URL Filtering logs
• WildFire Submissions logs
• Data Filtering logs
• Correlation logs
• Config logs
• System logs
• HIP Match logs
• Alarms logs
• Unified logs

Ques 19. A malicious file was not blocked by WildFire evaluation and somehow was allowed
to execute. Can such malicious activity still be blocked?
Yes, by Traps malware prevention modules (MPMs).

Ques 20. What is WildFire? Explain how it functions.

WildFire provides detection and prevention of zero-day malware using a combination of malware sandboxing and signature-based detection and blocking of malware. When a Palo Alto Networks firewall detects an unknown sample, which may be a file or a link in an email, the firewall can automatically forward the sample for WildFire analysis. The sample is analysed and executed in the WildFire sandbox, where it is determined to be benign, grayware or malicious. WildFire then generates signatures to recognize the newly discovered malware and makes the latest signatures globally available every five minutes. All Palo Alto Networks firewalls can then compare incoming samples against these signatures to automatically block malware first detected by a single firewall.

Ques 21. By default, what is the IP address of the management port on a Palo Alto firewall, and what are the default username and password?
The default IP address of the management port is 192.168.1.1. From a browser, go to https://192.168.1.1 and log in with the username and password admin/admin.

Ques 22. What is the key difference between superuser and device administrator?
A Superuser administrator can create virtual systems and add a Device Administrator,
vsysadmin, or vsysreader. A Device Administrator can access all virtual systems, but cannot
add administrators.

Ques 23. How many virtual systems can be carved out from a PA-800?
The PA-800 series firewall does not support virtual systems.

Ques 24. What are the HA modes in which Palo Alto Firewall can be configured?
 Active/Passive
 Active/Active

Ques 25. What is HA Lite?

HA Lite is an active/passive deployment that provides configuration synchronization and some runtime data synchronization, such as IPsec security associations. It does not support any session synchronization (HA2) and therefore does not offer stateful failover. The PA-200 firewall supports HA Lite only.

Ques 26. Explain Active/Active HA in Palo Alto NGFW.

Active/Active HA is supported only in virtual wire and Layer 3 modes. In an Active/Active deployment, both devices are active and both process traffic. This type of deployment is preferred for scenarios involving asymmetric routing. In addition to the HA1 and HA2 links used in active/passive, active/active deployments require a dedicated HA3 link. This link is used as the packet-forwarding link for session setup and asymmetric traffic handling.

In an active/active cluster, packet handling is performed by two important functions that are handled by the devices in the cluster:
• Session ownership
• Session setup
Session ownership - Within an active/active cluster, the session owner device can be either the firewall that receives the first packet of a new session or the device in the active-primary state. This device is responsible for:
• All Layer 7 processing
• Generating all traffic logs for the session
Session setup - The session setup device is responsible for:
• Layer 2 through Layer 4 processing required for setting up a new session
• Address translation (NAT), which is performed by the session setup device

Ques 27. Explain Active/Passive HA in Palo Alto NGFW.

In an Active/Passive HA scenario, one firewall actively manages traffic while the other continuously synchronizes with it and is always ready to transition to the active state in the event of a failure. In this mode both firewalls share the same configuration settings, and one actively manages traffic. When the active firewall fails, the passive firewall transitions to the active state, takes over seamlessly and enforces the same policies to maintain network security. Active/Passive HA is supported in virtual wire, Layer 2 and Layer 3 deployments. HA1 (config sync) and HA2 (state sync) are used in an Active/Passive setup, while HA3 is not required.

Ques 28. What are the different states of an HA firewall?
The different states of an HA firewall are listed below:
• Initial
• Active
• Passive
• Active-Primary
• Active-Secondary
• Tentative
• Non-functional
• Suspended

Ques 29. Which port types are used in an HA pair?

• Control link - The HA1 link is used to exchange hellos, heartbeats and HA state information, and for management-plane synchronization of routing and User-ID information. This link is also used to synchronize configuration changes made on either the active or the passive device with its peer.
• Data link - The HA2 link is used to synchronize sessions, forwarding tables, IPsec security associations and ARP tables between the devices in an HA pair. Data always flows from the active device to the passive device.
• Backup links - Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2.
• Packet-forwarding link - In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link to forward packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation. It does not support Layer 3 addressing or encryption.

Ques 30. What are the prerequisites for configuring an HA pair?
Below are the prerequisites for configuring an HA pair:
• The same model
• The same PAN-OS version
• The same multi virtual system capability
• The same type of interfaces
• The same set of licenses

Ques 31. How many types of VPN deployments does the Palo Alto Networks firewall support?
• Site-to-Site VPN - The simplest form of VPN, which connects a central site and a remote site, or a hub-and-spoke VPN that connects a central site with multiple remote sites.
• Remote User-to-Site VPN - This VPN type uses the GlobalProtect agent to allow a remote user to establish a secure connection with the firewall.
• Large Scale VPN - Provides a simplified mechanism to roll out a scalable hub-and-spoke VPN with up to 1,024 satellite offices.

Ques 32. What is a service route? What interface is used by default to access external
services?
The firewall uses the management (MGT) interface by default to access external services
such as DNS servers, URL updates etc. An alternative to using the MGT interface is to
configure a data port which is a regular interface, to access these services. The path from the
interface to the service on a server is known as a service route. The service packets exit the
firewall on the port assigned for the external service and the server sends its response to the
configured source interface and source IP address.

Ques 33. How many zones can an interface be part of?

One

Ques 34. Two zones are configured on a Palo Alto firewall, and IP communication between the two zones is not working. What is required to allow it?
A security policy rule must be implemented to allow traffic from the source zone to the destination zone.

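The U-turn NAT of Ques 11 and the interzone security policy requirement of Ques 34 can be seen together in a small Python model. This is an added example, not code from the page or from Palo Alto Networks: the zones, addresses, rule names and helper functions (`zone_of`, `apply_nat`, `apply_security`, `evaluate`) are all constructed for illustration. The model keeps two real PAN-OS behaviours: NAT rules are matched on pre-NAT addresses, with the destination zone taken from a route lookup of the pre-NAT destination, and the security policy is then evaluated against the post-NAT destination zone.

```python
"""Added example (not from the original page): a small model of U-turn NAT
followed by security policy evaluation, in the style of a PAN-OS firewall.
Constructed assumptions (not taken from any real configuration):
  - zones: trust (10.0.0.0/24), dmz (172.16.0.0/24), untrust (default route)
  - the DMZ web server 172.16.0.10 is published on public IP 203.0.113.10
  - the firewall's dmz interface address 172.16.0.1 is the SNAT address
"""
from __future__ import annotations
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed routing table: longest prefix wins, 0.0.0.0/0 is the default route.
ROUTES = [
    (ip_network("10.0.0.0/24"), "trust"),
    (ip_network("172.16.0.0/24"), "dmz"),
    (ip_network("0.0.0.0/0"), "untrust"),
]

def zone_of(ip: str) -> str:
    """Zone of the egress interface for ip, by longest-prefix route lookup."""
    addr = ip_address(ip)
    matches = [(net, zone) for net, zone in ROUTES if addr in net]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_ip: str
    dst_port: int

@dataclass(frozen=True)
class NatRule:
    name: str
    from_zone: str
    to_zone: str                          # zone the PRE-NAT destination routes to
    dst_ip: str                           # pre-NAT destination to match
    translated_dst: Optional[str] = None
    translated_src: Optional[str] = None

@dataclass(frozen=True)
class SecRule:
    name: str
    from_zone: str
    to_zone: str
    action: str                           # "allow" or "deny"

def apply_nat(pkt: Packet, rules: list[NatRule]) -> tuple[Packet, Optional[str]]:
    """First matching NAT rule wins. NAT matches on pre-NAT addresses and on the
    zone the pre-NAT destination routes to; returns the post-NAT packet."""
    for r in rules:
        if (r.from_zone == pkt.src_zone and r.to_zone == zone_of(pkt.dst_ip)
                and r.dst_ip == pkt.dst_ip):
            post = pkt
            if r.translated_dst:
                post = replace(post, dst_ip=r.translated_dst)
            if r.translated_src:
                post = replace(post, src_ip=r.translated_src)
            return post, r.name
    return pkt, None

def apply_security(pkt: Packet, rules: list[SecRule]) -> str:
    """Security policy sees the POST-NAT destination zone; first match wins.
    Defaults mirror PAN-OS: intrazone traffic allowed, interzone traffic denied."""
    dst_zone = zone_of(pkt.dst_ip)
    for r in rules:
        if r.from_zone == pkt.src_zone and r.to_zone == dst_zone:
            return r.action
    return "allow" if pkt.src_zone == dst_zone else "deny"

# Constructed rule base. The U-turn rule translates BOTH addresses: the destination
# to the server's private IP, and the source to the firewall's dmz interface, so
# the server's reply returns through the firewall instead of straight to the client.
NAT_RULES = [
    NatRule("uturn-web", "trust", "untrust", "203.0.113.10",
            translated_dst="172.16.0.10", translated_src="172.16.0.1"),
    NatRule("inbound-web", "untrust", "untrust", "203.0.113.10",
            translated_dst="172.16.0.10"),
]
SEC_RULES = [
    SecRule("trust-to-dmz-web", "trust", "dmz", "allow"),
    SecRule("internet-to-dmz-web", "untrust", "dmz", "allow"),
]

def evaluate(pkt: Packet, nat_rules=NAT_RULES, sec_rules=SEC_RULES) -> dict:
    """Run NAT, then security policy, and report what the firewall would do."""
    post, nat_name = apply_nat(pkt, nat_rules)
    return {"nat_rule": nat_name, "post_nat_src": post.src_ip,
            "post_nat_dst": post.dst_ip, "dst_zone": zone_of(post.dst_ip),
            "action": apply_security(post, sec_rules)}

if __name__ == "__main__":
    internal = Packet("trust", "10.0.0.25", "203.0.113.10", 443)
    print("with U-turn NAT:   ", evaluate(internal))
    # Without the U-turn rule the destination stays 203.0.113.10, which routes to
    # untrust, so the policy evaluated is trust -> untrust rather than trust -> dmz.
    print("without U-turn NAT:", evaluate(internal, nat_rules=NAT_RULES[1:]))
```

Two things the model makes visible: the NAT rule for internal clients is written as trust to untrust (because the public IP routes towards the internet before translation), while the security rule that must exist is trust to dmz (the post-NAT zone); and the source translation is what keeps the return traffic on a path through the firewall, which is the whole reason the hairpin works for clients on the same LAN as the server would otherwise answer directly.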
Ques 35. What interface options are available to manage a Palo Alto firewall?
• Web interface
• Command line interface (CLI)
• XML API

Ques 36. Which file is mandatory for the bootstrap process to function?

init-cfg.txt

Ques 37. What is the basic approach to deploy/obtain certificates for Palo Alto Networks firewalls?
• Obtain certificates from a trusted third-party CA
• Obtain certificates from an enterprise CA
• Generate self-signed certificates

Ques 38. What are the different types of links related to firewall HA?
• Control link
• Data link
• Backup links
• Packet-forwarding link

Ques 39. What parameter decides the primary and secondary firewall in an HA pair?

The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active or active-primary role.

Ques 40. What is the Application Command Center (ACC)?

The Application Command Center (ACC) provides insight into the activity within the customer's network. It is an interactive, graphical summary of the traffic traversing the network: applications, users, URLs, threats and content. ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats. ACC

Ques 41. An administrator wants to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?
Antivirus

Ques 42. Which virtualization platforms support the deployment of Palo Alto Networks VM-Series firewalls?
• Boot Strap Virtualization Module (BSVM)
• Microsoft Hyper-V

Ques 43. A traffic log displays “incomplete” for a new application. What does that mean?
“Incomplete” signifies that the new application's traffic was not explicitly identified by App-ID: either only a SYN, or the full SYN, SYN-ACK, ACK handshake, was seen for this new application, but no data packets were seen.
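As an added example (not from the page), the following Python snippet triages a traffic-log export for such sessions. The log lines and column names are constructed for this example and are only a simplified subset of traffic-log fields, not the real PAN-OS CSV layout; the helper names are likewise assumptions. The defender's point it illustrates: one isolated incomplete session usually means the server did not answer or the client gave up, whereas one source producing incomplete sessions to many ports on one host is what the port scans mentioned under Ques 9 look like in the traffic log.

```python
"""Added example (not from the page): triage of "incomplete" sessions in a
traffic-log export. The log lines are constructed and use a simplified subset
of traffic-log columns, not the exact PAN-OS CSV layout."""
from __future__ import annotations
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: one host opens handshakes to many ports on a DMZ server
# with no data following (app = incomplete), plus two ordinary sessions and
# one isolated incomplete session (a service that simply did not answer).
SAMPLE_LOG = """\
receive_time,src,dst,dport,app,action,bytes
2024-05-01 10:00:01,10.0.0.25,172.16.0.10,443,ssl,allow,5120
2024-05-01 10:00:02,10.0.0.99,172.16.0.10,22,incomplete,allow,78
2024-05-01 10:00:02,10.0.0.99,172.16.0.10,23,incomplete,allow,78
2024-05-01 10:00:03,10.0.0.99,172.16.0.10,80,incomplete,allow,78
2024-05-01 10:00:03,10.0.0.99,172.16.0.10,445,incomplete,allow,78
2024-05-01 10:00:04,10.0.0.99,172.16.0.10,3389,incomplete,allow,78
2024-05-01 10:00:05,10.0.0.25,172.16.0.20,8443,incomplete,allow,66
2024-05-01 10:00:06,10.0.0.25,172.16.0.10,443,web-browsing,allow,2048
"""

def parse_traffic_log(text: str) -> list[dict]:
    """Parse the CSV export into one dict per log row (the header row gives the keys)."""
    return list(csv.DictReader(StringIO(text)))

def incomplete_sessions(rows: list[dict]) -> list[dict]:
    """Rows where App-ID never saw application data after the handshake."""
    return [r for r in rows if r["app"] == "incomplete"]

def ports_by_src_dst(rows: list[dict]) -> dict[tuple[str, str], set[int]]:
    """Distinct destination ports reached by incomplete sessions, per (src, dst)."""
    out: dict[tuple[str, str], set[int]] = defaultdict(set)
    for r in incomplete_sessions(rows):
        out[(r["src"], r["dst"])].add(int(r["dport"]))
    return dict(out)

def suspected_scans(rows: list[dict], min_ports: int = 4) -> list[tuple[str, str, int]]:
    """(src, dst, port_count) where one source produced incomplete sessions to at
    least min_ports distinct ports on one host: the traffic-log view of a port
    scan, worth checking against the zone's reconnaissance protection settings."""
    return sorted((s, d, len(p)) for (s, d), p in ports_by_src_dst(rows).items()
                  if len(p) >= min_ports)

if __name__ == "__main__":
    rows = parse_traffic_log(SAMPLE_LOG)
    print(f"{len(incomplete_sessions(rows))} of {len(rows)} sessions are incomplete")
    for src, dst, n in suspected_scans(rows):
        print(f"possible scan: {src} -> {dst} ({n} ports, no application data)")
```

The threshold `min_ports` is deliberately a parameter: on a busy segment a handful of incomplete sessions per host is normal noise, so the value should be tuned against a baseline before it drives an alert.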

Ques 44. What options are available on the Palo Alto firewall for forwarding log messages?
• Syslog server
• SNMP manager
• Email
• Panorama

Ques 45. What happens when a URL matches multiple patterns (multiple custom URL filtering categories and the allow/block list) within a URL filtering profile?
When that happens, the category chosen is the one that has the most severe action defined, in the order below (block being the most severe and allow the least severe):
• block
• override
• continue
• alert
• allow

Ques 46. What actions are available while filtering URLs?

The following actions are available:
• Allow - Traffic is passed and no log is generated.
• Block - Traffic is blocked and a block log is generated.
• Alert - Traffic is allowed and a log entry is generated.
• Continue - The user is warned that the site is questionable. A block-continue log is generated.
• Override - Traffic is blocked. The user is offered the chance to enter an override password. A block-override log is generated.
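The precedence rule of Ques 45 and the per-action outcomes of Ques 46 can be put into one small Python function. This is an added example, not code from the page or from PAN-OS: the profile, category names and URL patterns are constructed, the matching is a simplified host-suffix / path-prefix check rather than the firewall's own URL pattern syntax, and the log name recorded for the alert action ("alert") is my own label for the entry that action produces.

```python
"""Added example (not from the page): resolving a URL that matches several
custom URL categories to one action using the stated precedence
(block > override > continue > alert > allow), and reporting which log entry
that action writes. Profile, categories and patterns are constructed; matching
is a simplified host-suffix / path-prefix check, not PAN-OS's pattern syntax.
"""
from __future__ import annotations
from urllib.parse import urlsplit

# Least severe first, so the list index orders actions by severity.
SEVERITY = ["allow", "alert", "continue", "override", "block"]

# What each action does to traffic and which log it writes (log names follow
# the page, with "alert" used here as the label for the alert action's entry).
ACTION_EFFECT = {
    "allow": ("passed", None),
    "alert": ("passed", "alert"),
    "continue": ("warned", "block-continue"),
    "override": ("blocked until override password", "block-override"),
    "block": ("blocked", "block"),
}

# Constructed URL filtering profile: category -> (patterns, action).
PROFILE = {
    "corp-approved": (["intranet.example.com"], "allow"),
    "file-sharing": (["share.example.net", "files.example.org/upload"], "continue"),
    "block-list": (["files.example.org/upload/malware"], "block"),
    "social": (["social.example.com"], "alert"),
}

def url_matches(url: str, pattern: str) -> bool:
    """pattern is 'host' or 'host/path-prefix'; host matches itself or any subdomain."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    host_pat, _, path_pat = pattern.partition("/")
    host = parts.hostname or ""
    host_ok = host == host_pat or host.endswith("." + host_pat)
    return host_ok and (parts.path or "/").startswith("/" + path_pat)

def matching_categories(url: str, profile=PROFILE) -> list[str]:
    """Every category in the profile with at least one pattern matching the URL."""
    return [cat for cat, (patterns, _) in profile.items()
            if any(url_matches(url, p) for p in patterns)]

def decide(url: str, profile=PROFILE) -> dict:
    """Pick the most severe action among all matching categories."""
    cats = matching_categories(url, profile)
    if not cats:
        # No custom category matched; for this example such URLs are treated as allowed.
        return {"url": url, "categories": [], "action": "allow",
                "traffic": "passed", "log": None}
    action = max((profile[c][1] for c in cats), key=SEVERITY.index)
    traffic, log = ACTION_EFFECT[action]
    return {"url": url, "categories": cats, "action": action,
            "traffic": traffic, "log": log}

if __name__ == "__main__":
    for u in ("https://files.example.org/upload/malware/x.exe",
              "https://files.example.org/upload/ok.txt",
              "http://www.social.example.com/feed"):
        print(decide(u))
```

The first URL in the demo matches both the lenient "file-sharing" category (continue) and the "block-list" category (block); because the most severe action wins, it is blocked, which is the behaviour an administrator relies on when a broad category and a targeted block list overlap.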

Ques 47. Which are the pre-defined administrator roles?

There are 6 pre-defined administrator roles:
- Superuser – All access to all options of all virtual systems.
- Superuser (read-only)
- Device Admin – Full access to the device except for creation of virtual systems and administrative accounts.
- Device Admin (read-only)
- Vsys Admin – Full access to a specific virtual system.
- Vsys Admin (read-only)

Ques 48. What is Captive Portal and what is it used for?
Captive Portal is a feature of the Palo Alto firewall that can be used for user identification. When a user tries to access an HTTP or HTTPS site, they are prompted with the Captive Portal authentication page. After providing a username and password, the user is allowed to access the internet and the firewall can enforce user-based security policy.

Ques 49. How does Panorama handle new logs when it reaches its maximum storage limit?
Panorama automatically deletes older logs to create space for new ones.

Ques 50. What is the benefit of using Splunk with Palo Alto devices?
Combining the visibility of Palo Alto products with Splunk makes it possible to correlate and perform analytics across different kinds of data. These correlations can be between different kinds of Palo Alto Networks data. Furthermore, Splunk handles correlation and analytics across multiple sources of data and multiple vendors, such as correlating firewall logs with web server logs, or advanced endpoint security logs with Windows event logs.
