Showing posts from 2018

Palo Alto Interview Questions and Answers – Part II

This post is a continuation of one of our recent posts where we discussed a few questions and answers on the Palo Alto firewall. Here we are adding another set of Q&A based on our readers' interest. Hope this will help you in improving your knowledge of the PA firewall. 1. How do you publish an internal website to the internet, or how do you perform destination NAT? To publish an internal website to the outside world, we require a destination NAT and a security policy configuration. NAT translates the internal private IP address into an external public IP address, and the firewall policy needs to allow access to the internal server on the HTTP service from outside. We can see how to perform the NAT and policy configuration with respect to the following scenario: provide access to 192.168.10.100 through the public IP address 64.10.11.10 from the internet. The following NAT and policy rules need to be created. NAT:-> Here we

Palo Alto Interview Questions and Answers – Part I

Some of our readers requested a post with some of the common questions and answers for the Palo Alto Firewall after reading our post on the PA Firewall. Following are some of the questions normally asked in a PA interview. Please use the comment section if you have any questions to add. 1. Why is Palo Alto called a next-generation firewall? Ans: Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all the next-generation firewall features using a single platform, parallel processing and a single management system, unlike other vendors who use different modules or multiple management systems to offer NGFW features. Palo Alto NGFW differs from other vendors in terms of platform, process and architecture. 2. Difference between Palo Alto NGFW and

CheckPoint Firewall Interview Question and Answer

I am sharing Checkpoint Firewall interview questions and answers. These questions are generally asked in interviews; this is also my personal experience. Checkpoint Firewall is an award-winning security firewall. Every corporate organization uses the Checkpoint firewall for internal network security purposes. Security engineers must be aware of the Checkpoint firewall for growth in their career. I am sure that the Checkpoint Firewall interview questions and answers below will help in an interview. 1. What is Anti-Spoofing? Ans: Anti-Spoofing is a feature of the Checkpoint Firewall which protects against attackers who generate IP packets with a fake or spoofed source address. It determines whether traffic is legitimate or not; if the traffic is not legitimate, the firewall blocks it on the firewall interface. 2. What is Asymmetric Encryption? Ans: In asymmetric encryption two different keys are used to encrypt and decrypt the packet, meaning that one key is used to encrypt the packet, an

CCSA & CCSE Training Videos

Lecture 1: Installing GAiA Operating System in VMware
Lecture 2: Checkpoint Pushing Policy, Checkpoint Firewall R77.30
Lecture 3: Network Address Translation, Checkpoint Firewall R77.30
Lecture 4: Backup and Recovery, Checkpoint Firewall R77.30
Lecture 5: HTTPS Inspection, Checkpoint Firewall R77.30
Lecture 6: App Control and URL Filtering
Lecture 7: LDAP Lab (Lightweight Directory Access Protocol)
Lecture 8: IPsec VPNs Site to Site in VMware
Checkpoint ISO download links below:
Checkpoint R77.30 ISO Download
Checkpoint R80 Management Server ISO Download

How to configure Site-to-Site VPN on Cisco ASA?

Access-Lists: add the ACLs which we will need for the NAT exemption, the encryption domain and the group policy.
access-list Example_Policy_ACL extended permit tcp object-group Local_LAN object-group Remote_LAN eq 80
access-list Example_Policy_ACL extended deny ip any any
access-list Example_VPN_ACL permit ip object-group Local_LAN object-group Remote_LAN
Group Policy: create your group policy, which will restrict traffic between hosts within your encryption domain.
group-policy Example_Policy internal
group-policy Example_Policy attributes
 vpn-filter value Example_Policy_ACL
default-group-policy Example_Policy
NAT: add your No-NAT (NAT exemption) for traffic within the encryption domain.
nat (outside) 0 access-list Example_VPN_ACL
Tunnel Group: create your tunnel group, which will include your pre-shared key.
tunnel-group [Peer IP] type ipsec-l2l
tunnel-group [Peer IP] general-attributes
 default-group-

What is DoS attack? How can it be prevented?

A DoS (Denial of Service) attack can be generated by sending a flood of data or requests to a target system, consuming or crashing the target system's resources. The attacker often uses IP spoofing to conceal their identity when launching a DoS attack.

What is difference between DoS vs DDoS attacks?

In a Denial of Service (DoS) attack, a hacker uses a single Internet connection to either exploit a software vulnerability or flood a target with fake requests, usually in an attempt to exhaust server resources (e.g., RAM and CPU). On the other hand, Distributed Denial of Service (DDoS) attacks are launched from multiple connected devices that are distributed across the Internet. These multi-person, multi-device barrages are generally harder to deflect, mostly due to the sheer volume of devices involved. Unlike single-source DoS attacks, DDoS assaults tend to target the network infrastructure in an attempt to saturate it with huge volumes of traffic. DDoS attacks also differ in the manner of their execution. Broadly speaking, DoS attacks are launched using homebrewed scripts or DoS tools (e.g., Low Orbit Ion Cannon), while DDoS attacks are launched from botnets, large clusters of co

How to modify SSH/HTTP/Telnet time out in Cisco ASA firewall?

By default the TCP idle timeout is 1:0:0 (hh:mm:ss). If you need to modify it, you can do so with MPF (Modular Policy Framework). Let us set up a custom timeout when traffic is coming from a particular host, 10.77.241.129.
!--- Match the traffic using the access-list (10.77.241.129 is the source IP) ---
object-group service DM_INLINE_TCP_1 tcp
 port-object eq www
 port-object eq ssh
 port-object eq telnet
access-list outside_mpc extended permit tcp host 10.77.241.129 any object-group DM_INLINE_TCP_1
!--- Define the class map Cisco-class ---
class-map Cisco-class
 match access-list outside_mpc
!--- Call this class-map into the policy map and reset the connection after 10 minutes idle when traffic is coming from the particular host ---
policy-map Cisco-policy
 class Cisco-class
  set connection timeout idle 0:10:00 reset
!--- Apply the policy-map Cisco-policy on the interface. ---
service-policy Cisco-polic

How to setup the internet access through the Cisco ASA firewall?

Basic guidelines for setting up Internet access through the Cisco ASA firewall: first we need to configure the interfaces on the firewall.
!--- Configure the outside interface.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.165.200.226 255.255.255.224
!--- Configure the inside interface.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
The nameif command gives the interface a name and assigns a security level. Typical names are outside, inside, or DMZ. Security levels are numeric values, ranging from 0 to 100, used by the appliance to control traffic flow. Traffic is permitted to flow from interfaces with higher security levels to interfaces with lower security levels, but not the other way. Access-lists must be used to permit traffic to flow from lower security levels to higher security l

How to enable multiple context in the Cisco ASA firewall

The Cisco ASA firewall is possibly already configured for multiple security contexts depending on how you ordered it from Cisco, but if you are upgrading then you might need to convert from single mode to multiple mode. The context mode (single or multiple) is not stored in the configuration file, even though it does persist across reboots. If you need to copy your configuration to another device, set the mode on the new device to match with the mode command. When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files: a new startup configuration that comprises the system configuration, and admin.cfg that comprises the admin context (in the root directory of the internal Flash memory). The original running configuration is saved as old_running.cfg (in the root directory of the internal Flash memory). The original startup

How to enable logging in Palo Alto Networks Firewall?

When it comes to live troubleshooting, or to ensuring certain traffic is either blocked or allowed, one relies heavily on logs. Palo Alto Networks firewalls provide very good logging options and fields, and they are quite easy to read and understand. By default, when someone creates a security policy, the Palo Alto Networks firewall logs the details at the end of the session, so one does not need to enable logging for that. If one wants to log the session from the moment it started, that must be enabled explicitly. One can enable logging directly from the security policy one creates, as shown below

What are the modes in which interfaces on Palo Alto can be configured?

When configuring the Ethernet ports on your firewall, you can choose from virtual wire, Layer 2, or Layer 3 interface deployments. In addition, to allow you to integrate into a variety of network segments, you can configure different types of interfaces on different ports. The following sections provide basic information on each type of deployment.
- Virtual Wire Deployments
- Layer 2 Deployments
- Layer 3 Deployments
Virtual Wire Deployments: In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two ports together. By using a virtual wire, you can install the firewall in any network environment without reconfiguring adjacent devices. If necessary, a virtual wire can block or allow traffic based on the virtual LAN (VLAN) tag values. You can also create multiple subinterfaces and classify traffic according to an IP Address (

Etherchannel

There are three Etherchannel negotiation mechanisms:
PAgP (Port Aggregation Protocol): Cisco's proprietary negotiation protocol
LACP (Link Aggregation Control Protocol): standards-based negotiation protocol
Static persistence ("On"): no negotiation protocol is used
There are two types of Etherchannels: 1) Layer 2, 2) Layer 3.
1) Layer 2 Etherchannels:
Switch1(config)# interface range gigabitethernet0/1 - 4
Switch1(config-if-range)# switchport access vlan 100
Switch1(config-if-range)# channel-group 5 mode ?
  active     Enable LACP unconditionally
  auto       Enable PAgP only if a PAgP device is detected
  desirable  Enable PAgP unconditionally
  on         Enable Etherchannel only ("manual on" mode)
  passive    Enable LACP only if a LACP device is detected
Switch1(config-if-range)# channel-group 5 mode desirable
2) Layer 3 Etherchannels:
Switch1(config)# interface port-channel 2
Switch1(config-if)# no switchport
Switch1(config-i

common Switch troubleshooting commands

For CPU related issues:
show process cpu sorted
show process cpu history
show platform port-asic stats drop
show controllers cpu-interface
debug platform cpu-queues
show plat for ip
For memory issues:
show memory statistics
show process memory sorted
show buffers
For link issues:
show interface status | inc connected
test cable-diagnostics tdr interface <>
show cable-diagnostics tdr interface <>
show interface <>
show interface <> counters
show interface <> counters errors
show interface counters errors
show controllers ethernet-controller <>
show platform pm if-numbers
show controllers ethernet-controller port-asic statistics
show platform port-asic stats drop <>
Layer 2 forwarding issues:
show interface <> status
show spanning-tree interface <>
show interface <> counters
show mac address-table interfa

IPSEC

IPsec consists of multiple protocols:
Internet Security Association and Key Management Protocol (ISAKMP): a framework for the negotiation and management of security associations between peers (traverses UDP/500)
Internet Key Exchange (IKE): responsible for key agreement using asymmetric cryptography
Encapsulating Security Payload (ESP): provides data encryption, data integrity, and peer authentication; IP protocol 50
Authentication Header (AH): provides data integrity and peer authentication, but not data encryption; IP protocol 51
Encryption algorithms:
Algorithm  Type        Key Length (Bits)  Strength
DES        Symmetric   56                 Weak
3DES       Symmetric   168                Medium
AES        Symmetric   128/192/256        Strong
RSA        Asymmetric  1024+              Strong
Hash algorithms:
Algorithm  Length (Bits)  Strength
MD5        128            Medium
SHA-1      160            Strong
IPsec phases:
Phase 1 A bidirectional ISA