Palo Interview Questions Flashcards

1
Q

Question #01: What are the different deployment modes available in Palo Alto firewalls?

A

Palo Alto firewalls support multiple deployment modes:
* Tap mode: Used for monitoring traffic without affecting the flow.
* Virtual Wire mode: Allows for inline deployment without requiring changes to the existing network infrastructure.
* Layer 2 mode: Operates as a transparent bridge, forwarding traffic at layer 2.
* Layer 3 mode: Functions as a traditional router, routing traffic at layer 3.

2
Q

Question #02: Is the Palo Alto firewall stateful?

A

Yes, the firewall matches all traffic passing through it against the session and then matches every session against the security policy.

3
Q

Question #03: What is the difference between Virtual Routers and Virtual Systems in Palo Alto firewalls?

A

* Virtual Routers (VR): Logical routing instances within a firewall, allowing for separate routing tables and configurations.
* Virtual Systems (VSYS): Logical firewalls within a single physical device, providing multi-tenancy capabilities.

4
Q

Question #04: What is the purpose of Palo Alto Autofocus?

A

Cloud-based threat intelligence service allowing admins to conveniently determine all critical attacks. This way, the admins can triage effectively and take the necessary actions without the need for additional IT resources.

5
Q

Question #05: What are the different failover scenarios?

A

A failover is triggered when a monitored metric fails on the active Panorama.

There are two significant scenarios in which a failover is triggered:
* The Panorama peers cannot communicate with each other, and the active peer is not responding to health and status polls.
* One or more of the destinations specified on the active peer is unreachable.

6
Q

Question #06: What is a U-Turn NAT?

A

Internal users with private IP addresses want to connect to a server deployed in the internal DMZ zone using its public IP address, since there is no internal DNS server and name resolution depends on a public DNS server on the internet.

7
Q

Question #07: Explain Active/Passive and Active/Active modes in Palo Alto.

A

* Active/Passive mode: One firewall manages traffic while the other is ready and synchronized to move to the active state if there is a failure. Both firewalls share the same settings, and one is responsible for actively managing the traffic until there is a failure.
* Active/Active mode: Several firewalls are grouped into a cluster containing multiple active units that process traffic. They share the network load and also perform deep packet inspection (DPI) together.

8
Q

Question #08: What is a Zone Protection Profile?

A

It helps protect the network from attacks. The attacks can be in the form of reconnaissance attacks, common floods, and similar other packet-based attacks.

9
Q

Question #09: What is the Application Command Center (ACC)?

A

The ACC, or Application Command Center, provides visibility into the URL, threat, and data (file and pattern) activity traversing Palo Alto Networks firewalls.

10
Q

Question #10: What is WAF (Web Application Firewall)?

A

A WAF helps protect web applications by monitoring and filtering the HTTP traffic between the internet and a web application.

11
Q

Question #11: What do HA, HA1, and HA2 mean in Palo Alto?

A

* HA: High Availability port. A dedicated HA link port physically connects the primary and auxiliary devices. You can place two firewalls in a group and synchronize their configuration.
* HA1: Used for clear text communication and encrypted communication.
* HA2: Used to synchronize sessions, forwarding tables, IPsec security associations, and ARP tables.

12
Q

Question #13: What exactly is an App-ID?

A

It identifies and classifies applications traversing a network.

Traffic entering the network is first checked against security policies to determine if it is allowed.

Application signatures are applied to identify the application based on unique properties.

If encryption (SSL/SSH) is detected, traffic is decrypted (if a decryption policy exists) to further analyze and classify the application.

Identified applications are then subject to granular security rules for enforcement or monitoring.

13
Q

Question #14: How does an App-ID work?

A

App-ID uses several identification techniques to determine the exact identity of the applications traversing your network, including applications that try to evade detection by masquerading as legitimate traffic, using encryption, or hopping ports.

14
Q

Question #15: What are the advantages of Panorama in Palo Alto?

A

It is a centralized management system that controls multiple Palo Alto firewalls via a web-based interface. It lets administrators view device-specific or aggregate application, content, and user data, and manage Palo Alto Networks firewalls from one place.

15
Q

Question #16: What are the possibilities for forwarding log messages on the Palo Alto firewall?

A

Every firewall stores its log files locally by default. Panorama supports forwarding log messages to a Log Collector, to Cortex Data Lake, or to both simultaneously.

One can also use external services for notification, archiving, or analysis by forwarding logs to those services from Panorama or from the firewalls.

16
Q

Question #17: What is the procedure for adding a license to the Palo Alto firewall?

A

To add a license:
1. Navigate to Device > Licenses and click "Activate feature using authorization code".
2. Download the authorization file.
3. Copy this file to a computer that has internet access and log in to the support portal.
4. Click "My VM-Series Auth Codes" and select the applicable auth code from the list.
5. Click "Register VM" and select the authorization file in the pop-up.
6. The registration process completes, and the serial number of the VM-Series firewall is attached to the records on the support site.

17
Q

Question #18: What is GlobalProtect in Palo Alto?

A

VPN Client

18
Q

Question #19: What is endpoint security in Palo Alto?

A

Suite of tools to protect devices connected to the network such as laptops, desktops, servers, and tablets.

Cortex XDR combines advanced threat detection, machine learning, and behavioral analysis to safeguard endpoints.

* Threat Detection & Prevention
* Data Encryption
* Firewall Protection
* Device Control
* Zero-Day Threat Protection

19
Q

Question #20: What are the various links used to establish HA (HA introduction)?

A

Firewalls in an HA pair use HA links to synchronize data and maintain state information.

Some firewall models also provide dedicated HA ports: the control link (HA1) and the data link (HA2).

20
Q

Question #21: What are Backup Links?

A

Backup links provide redundancy for the HA2 and HA1 links.

In-band ports can be used as backup links for the HA1 and HA2 connections when dedicated backup links aren’t available.

21
Q

Question #22: What are the various port numbers used in HA?

A

There are two major types of ports used in HA:

* TCP ports 28769 and 28260: Used for clear text communication between the two ends.
* Port 28: Used for encrypted communication.

22
Q

Question #23: What functionalities does Palo Alto support in Virtual Wire Mode?

A

A virtual wire interface supports App-ID, User-ID, Content-ID, NAT, and decryption.

23
Q

Question #24: Which virtualization platform fully supports Palo Alto Network Deployments?

A

Cisco ACI, OpenStack, Microsoft Public, ENCS, VMware, etc.

24
Q

Question #25: What command is used to show the maximum size of the log file?

A

show logdb-quota

25
Q

Question #26: How does Panorama handle new logs once the storage limit has been reached?

A

When the log storage limit is reached, Panorama automatically deletes old logs to create a space for new entries.

Panorama also has an automated feature that checks storage usage and, if necessary, frees space by purging logs.

26
Q

Question #27: What is the purpose of the Security Policy in Palo Alto Firewalls?

A

It defines the rules for allowing or denying traffic based on various criteria like source, destination, application, user, and content.

27
Q

Question #28: How does Palo Alto handle SSL Decryption?

A

It decrypts SSL/TLS traffic to inspect it for threats, malware, and policy violations.

This is done through SSL Forward Proxy for outbound traffic and SSL Inbound Inspection for inbound traffic.

28
Q

Question #29: What is the purpose of the Threat Prevention security profile?

A

It’s used to protect against known and unknown threats, including malware, exploits, and command-and-control traffic.

29
Q

Question #30: What is the function of the URL Filtering security profile?

A

It categorizes and controls web access based on URL categories, allowing administrators to block or allow access to specific websites or categories.

30
Q

Question #31: What is WildFire in the context of Palo Alto Networks?

A

WildFire is a cloud-based malware analysis service that identifies and analyzes unknown files and email links to detect zero-day threats and distribute protections globally within minutes.

31
Q

Question #32: What is the purpose of the Panorama management tool?

A

Panorama is a centralized management system that controls multiple Palo Alto firewalls via a web-based interface, providing visibility, reporting, and policy management across those firewalls.

32
Q

Question #33: How does High Availability (HA) work in Palo Alto Firewalls?

A

It ensures that if one firewall fails, another can take over seamlessly. It involves active/passive or active/active configurations where firewalls are synchronized to maintain state information.

33
Q

Question #34: What is User-ID and how is it used in Palo Alto Firewalls?

A

User-ID maps users to IP addresses, allowing for user-based security policies. It integrates with Active Directory.

34
Q

Question #35: How does Palo Alto handle IP fragmentation?

A

Palo Alto Firewalls can reassemble fragmented IP packets to inspect them for threats, ensuring that fragmented traffic does not bypass security policies.

35
Q

Question #36: What is the purpose of the Log Forwarding feature in Palo Alto Firewalls?

A

Log Forwarding allows administrators to forward logs from firewalls to external services for analysis, archiving, or notification purposes.

36
Q

Question #37: What is the purpose of Dynamic Updates in Palo Alto Firewalls?

A

Dynamic Updates provide the latest threat intelligence, application signatures, and antivirus/anti-spyware definitions to keep the firewall up-to-date with the latest security information.

37
Q

Question #38: How does Palo Alto handle DoS (Denial of Service) attacks?

A

It uses DoS Protection profiles to detect and mitigate DoS attacks by monitoring traffic patterns and applying rate limiting or blocking based on predefined thresholds.

38
Q

Question #39: What is the purpose of the Security Profiles in Palo Alto Firewalls?

A

Security Profiles are used to define specific security settings for applications, users, and content, including antivirus, anti-spyware, URL filtering, and more.

39
Q

Question #40: How does Palo Alto handle traffic between different security zones?

A

Palo Alto Firewalls use security zones to segregate traffic. Policies are applied to control traffic flow between zones, ensuring that traffic is inspected and filtered according to the defined rules.

40
Q

Question #41: A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall.

Separate virtual routers (VRs) are created for each virtual system.

In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems?

A

Layer 3 zones for the virtual systems that need to communicate.

Ensure the virtual systems are visible to one another.

Add a route with next hop next-vr by using the VR configured in the virtual system.

41
Q

Question #42: A firewall engineer needs to update a company’s Panorama-managed firewalls to the latest version of PAN-OS.

Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network.

Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

A

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

42
Q

Question #42: An administrator is informed that the engineer who previously managed all the VPNs has left the company.

According to company policies, the administrator must update all the IPSec VPNs with new pre-shared keys. Where are the pre-shared keys located on the firewall?

A

Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway.

43
Q

Question #43: A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud.

A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file.

What does Advanced WildFire do when the link is clicked?

A

Performs malicious content analysis on the linked page and the corresponding PE file.

A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis.

The Advanced WildFire cloud is also capable of analyzing certain file types that are used as secondary payloads in multi-stage PE, APK, and ELF malware packages.

44
Q

Question #45: Which two are required by IPSec in transport mode?

A

DH-group 20 (ECP-384 bits)
Auto-generated key

45
Q

Question #46: Forwarding of which two log types is configured in Device > Log Settings?

A

HIP Match
Configuration

46
Q

Question #47: A firewall administrator has confirmed reports that a website is not displaying as expected, and wants to ensure that decryption is not causing the issue.

Which three methods can the administrator use to determine if decryption is causing the website to fail?

A

Create a policy-based “No Decrypt” rule in the decryption policy to exclude specific traffic from decryption.

Investigate decryption logs of the specific traffic to determine reasons for failure.

Disable SSL handshake logging.

47
Q

Question #48: An administrator configures HA on a customer’s Palo Alto Networks firewalls with path monitoring by using the default configuration values.

What are the default values for ping interval and ping count before a failover is triggered?

A

Ping interval of 200 ms and ping count of 10 failed pings

48
Q

Question #49: A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs.

How can the administrator ensure that User-IDs are populated in the traffic logs?

A

Enable User-ID on the expected trusted zones.

49
Q

Question #50: A decryption policy has been created with an action of “No Decryption.” The decryption profile is configured in alignment to best practices.

What protections does this policy provide to the enterprise?

A

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

50
Q

Question #51: An administrator plans to install the Windows User-ID agent on a domain member system.

What is a best practice for choosing where to install the User-ID agent?

A

In close proximity to the servers it will be monitoring

51
Q

Question #52: A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS.

Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage?

A

Telemetry feature is automatically enabled during PAN-OS installation.

Telemetry data is uploaded into Strata Logging Service.

52
Q

Question #53: While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1.

How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

A

show counter global filter packet-filter yes delta yes

53
Q

Question #55: What type of NAT is required to configure transparent proxy?

A

Destination translation with Dynamic IP

54
Q

Question #56: An administrator is tasked to provide secure access to applications running on a server in the company’s on-premises datacenter.

What must the administrator consider as they prepare to configure the decryption policy?

A

Obtain or generate the server certificate and private key from the datacenter server.

55
Q

Question #57: An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity. Which two objects can Dynamic User Groups use as match conditions for group membership?

A

Source IP address
Dynamic tags

56
Q

Question #58: When creating a Policy-Based Forwarding (PBF) policy, which two components can be used?

A

Source Interface
Schedule

57
Q

Question #59: An administrator plans to install the Windows-Based User-ID Agent.

What type of Active Directory (AD) service account should the administrator use?

A

Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings

58
Q

Question #60: A firewall engineer is tasked with defining signatures for a custom application.

Which two sources can the engineer use to gather information about the application patterns?

A

Wireshark
Traffic logs

59
Q

Question #61: After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

A

test vpn ike-sa gateway

60
Q

Question #62: What should an engineer consider when setting up the DNS proxy for web proxy?

A

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

61
Q

Question #63: Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?

A

It can run on a single virtual system and multiple virtual systems.

62
Q

Question #64: What does the User-ID agent use to find login and logout events in syslog messages?

A

Syslog Parse profile

63
Q

Question #65: A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?

A

Split DNS and HIP checks

64
Q

Question #66: An administrator is troubleshooting intermittent connectivity problems with a user’s GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user.

What configuration change is necessary to implement this troubleshooting solution for the user?

A

Enable SSL tunnel over TCP in a new agent configuration for the specific user.

65
Q

Question #67: In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels?

A

Firewalls which support policy-based VPNs.

The remote device is a non-Palo Alto Networks firewall.

66
Q

Question #68: A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates. What must occur to have Antivirus signatures update?

A

Install the Application and Threats updates first, then refresh the Dynamic Updates.

67
Q

Question #69: Which three sessions are created by a NGFW for web proxy?

A

A session for DNS proxy to DNS servers
A session for proxy to web server
A session for client to proxy

68
Q

Question #70: Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis?

69
Q

Question #71: Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates.

Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

A

debug dataplane internal vif route 250

70
Q

Question #72: An administrator wants to add User-ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?

A

Terminal Server Agent for User Mapping

71
Q

Question #73: An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing.

Which installer package file should the administrator download from the support site?

A

If you are using the User-ID agent to prevent credential phishing, download the UaCredInstall64-x.x.x.msi file instead.

72
Q

Question #74: When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

A

Ingress for the client traffic

73
Q

Question #75: An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: “Received fatal alert UnknownCA from client.”

How should the administrator remediate this issue?

A

Add the server’s hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

74
Q

Question #76: An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ.

The NAT policy is configured with the following values:
* Source zone: Outside and source IP address 1.2.2.2
* Destination zone: Outside and destination IP address 2.2.2.4

The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone.

Which destination IP address and zone should the engineer use to configure the security policy?

A

Destination Zone DMZ, Destination IP address 2.2.2.1

75
Q

Question #79: Which protocol is natively supported by Global Protect Clientless VPN?

75
Q

Question #78: Which HA firewall state describes the firewall that is currently processing traffic?

A

Active: the HA state in Active/Passive mode in which only the active firewall processes traffic.