
Palo Alto Interview Questions and Answers – Part II


Palo Alto Interview Questions and Answers

This post is a continuation of one of our recent posts, where we discussed a few questions and answers on the Palo Alto firewall. Here we add another set of Q&A based on our readers' interest. We hope this helps you improve your knowledge of the PA firewall.
1. How to publish an internal website to the internet, or how to perform destination NAT?
To publish an internal website to the outside world, we need both a destination NAT rule and a security policy rule. NAT requires mapping the internal private IP address to an external public IP address, and the policy rule needs to allow access from outside to the internal server on the HTTP service. Let us see how to configure NAT and policy for the following scenario:
Provide access to 192.168.10.100 through the public IP address 64.10.11.10 from the internet.
The following NAT and policy rules need to be created.
NAT: Here we need to use the pre-NAT configuration to identify the zones. Both the source and the destination zone should be Untrust-L3, because both the source address and the (pre-NAT) destination address belong to the untrust zone.
Policy: Here we need to use the post-NAT configuration to identify the zones. The source zone will be Untrust-L3, as the source address is still the same (12.67.5.2), and the destination zone will be Trust-L3, as the translated IP address belongs to the Trust-L3 zone.
We have to use the pre-NAT IP addresses for the source and destination address fields of the policy rule. According to the packet flow, the actual translation has not happened yet at this point; only the egress zone and route lookup have been done for the packet. The actual translation happens after the policy lookup. Please refer to the detailed packet flow of the PA firewall to understand this fully. Just remember the following technique and it will be easy to understand:
In the firewall (security) rule:
Zone: post-NAT
IP address: pre-NAT
In the NAT rule:
Zone: pre-NAT
Final Configuration looks like below:
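As an added example (not part of the original post and not Palo Alto's own code), the following Python model of the packet flow shows why the security rule must use post-NAT zones but pre-NAT addresses, and what happens when the destination is mistakenly written with the post-NAT address. The routing table, zone names and the "wrong" rule are constructed for the Q1 scenario.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed routing table for the scenario in Q1 (assumption: a simplified
# model of the PAN-OS packet flow written for this post, not Palo Alto code).
ROUTES = {
    ip_network("192.168.10.0/24"): "Trust-L3",   # internal server subnet
    ip_network("0.0.0.0/0"): "Untrust-L3",        # default route to the internet
}

def zone_for(ip: str) -> str:
    """Route lookup: the longest-prefix match gives the egress zone of an address."""
    addr = ip_address(ip)
    best = max((n for n in ROUTES if addr in n), key=lambda n: n.prefixlen)
    return ROUTES[best]

@dataclass
class NatRule:            # zones are PRE-NAT
    from_zone: str
    to_zone: str
    dst: str
    translated_dst: str

@dataclass
class SecRule:            # zones are POST-NAT, addresses are PRE-NAT
    from_zone: str
    to_zone: str
    dst: str
    action: str

def process(src_ip, dst_ip, nat_rules, sec_rules):
    """Return (action, delivered_dst): NAT lookup on pre-NAT zones, policy
    lookup on post-NAT zones but pre-NAT addresses, translation applied last."""
    src_zone, pre_dst_zone = zone_for(src_ip), zone_for(dst_ip)
    nat = next((r for r in nat_rules
                if (r.from_zone, r.to_zone, r.dst) == (src_zone, pre_dst_zone, dst_ip)), None)
    post_dst_zone = zone_for(nat.translated_dst) if nat else pre_dst_zone
    for r in sec_rules:
        if r.from_zone == src_zone and r.to_zone == post_dst_zone and r.dst in (dst_ip, "any"):
            if r.action == "allow":
                return "allow", (nat.translated_dst if nat else dst_ip)
            return "deny", dst_ip
    return "deny", dst_ip          # implicit interzone deny

# The rules from Q1, plus a common mistake: destination written with the post-NAT IP.
NAT = [NatRule("Untrust-L3", "Untrust-L3", "64.10.11.10", "192.168.10.100")]
POLICY_OK = [SecRule("Untrust-L3", "Trust-L3", "64.10.11.10", "allow")]
POLICY_WRONG = [SecRule("Untrust-L3", "Trust-L3", "192.168.10.100", "allow")]

if __name__ == "__main__":
    print(process("12.67.5.2", "64.10.11.10", NAT, POLICY_OK))     # ('allow', '192.168.10.100')
    print(process("12.67.5.2", "64.10.11.10", NAT, POLICY_WRONG))  # ('deny', '64.10.11.10')
```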

2. What is GlobalProtect?
GlobalProtect provides a transparent agent that extends the enterprise security policy to all users regardless of their location. The agent can also act as a remote access VPN client. The following are the components:
Gateway: One or more interfaces on a Palo Alto firewall that provide access and security enforcement for traffic from the GlobalProtect agent.
Portal: Centralized control that manages the gateways, certificates, user authentication and the end-host check list.
Agent: Software on the laptop that is configured to connect to the GlobalProtect deployment.
3. Explain virtual systems.
A virtual system specifies a collection of physical and logical firewall interfaces and security zones. Virtual systems allow segmentation of security policy functions such as ACLs, NAT and QoS. Networking functions, including static and dynamic routing, are not controlled by virtual systems; if routing segmentation is desired for each virtual system, an additional virtual router is needed.
4. Explain the various links used to establish HA (HA introduction).
PA firewalls use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports, a control link (HA1) and a data link (HA2), while others require you to use in-band ports as HA links.
Control link: The HA1 link is used to exchange hellos, heartbeats and HA state information, and for management-plane synchronization of routing, User-ID information and configuration. HA1 should be a layer 3 interface, which requires an IP address.
Data link: The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between the firewalls in an HA pair. HA2 is a layer 2 link.
Backup links: Provide redundancy for the HA1 and HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup link IP addresses must be on a different subnet from the primary HA links.
Packet-forwarding link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link to forward packets to the peer during session setup and for asymmetric traffic flows.
4. What protocol is used to exchange heartbeats between HA peers?
ICMP
5. What are the various port numbers used in HA?
HA1: TCP/28769 and TCP/28260 for clear-text communication, TCP/28 for encrypted communication
HA2: Uses IP protocol number 99 or UDP/29281
6. What are the scenarios that trigger a failover?
-> if one or more monitored interfaces fail
-> if one or more specified destinations cannot be pinged by the active firewall
-> if the active device does not respond to heartbeat polls (loss of three consecutive heartbeats over a period of 1000 milliseconds)
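As an added example (not from the original post and not PAN-OS code), this Python function models the heartbeat trigger from the list above: three consecutive missed heartbeats at a 1000 ms interval cause a failover, while isolated misses reset the count and do not. The heartbeat timelines are constructed.

```python
# Constructed model of the heartbeat trigger from Q6 (assumption: written for
# this post to illustrate the rule, not PAN-OS code). The passive peer expects
# a heartbeat every interval and fails over after `threshold` consecutive misses.
HEARTBEAT_INTERVAL_MS = 1000
HEARTBEAT_THRESHOLD = 3

def failover_time(received_ms, interval=HEARTBEAT_INTERVAL_MS,
                  threshold=HEARTBEAT_THRESHOLD, horizon_ms=10_000):
    """Walk the expected heartbeat slots (interval, 2*interval, ...) up to
    horizon_ms. A slot counts as answered if a heartbeat arrived within half an
    interval of it; any answered slot resets the miss counter, so only
    consecutive losses count. Return the slot time at which the threshold is
    reached, or None if no failover would be triggered."""
    received = sorted(received_ms)
    misses = 0
    for slot in range(interval, horizon_ms + 1, interval):
        lo, hi = slot - interval // 2, slot + interval // 2
        if any(lo <= t < hi for t in received):
            misses = 0
        else:
            misses += 1
            if misses >= threshold:
                return slot
    return None

# Constructed heartbeat timelines (milliseconds since the passive peer started).
STEADY = list(range(1000, 10_001, 1000))          # every slot answered
PEER_DEAD_AFTER_4S = [1000, 2000, 3000, 4000]      # silence from 5 s onward
INTERMITTENT = [1000, 2000, 4000, 6000]           # single misses, then silence

if __name__ == "__main__":
    print(failover_time(STEADY))              # None
    print(failover_time(PEER_DEAD_AFTER_4S))  # 7000: misses at 5000, 6000, 7000
    print(failover_time(INTERMITTENT))        # 9000: the 3000/5000 misses were reset
```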
7. How to troubleshoot HA using the CLI?
> show high-availability state : shows the HA state of the firewall
> show high-availability state-synchronization : checks the sync status
> show high-availability path-monitoring : shows the status of path monitoring
> request high-availability state suspend : suspends the active box and makes the current passive box active
8. Which command checks the firewall policy match for a particular destination?
> test security-policy-match from trust to untrust destination <IP>
9. Which command checks the NAT rule match?
> test nat-policy-match
10. Which command shows the system details?
> show system info  // shows the management IP, system version and serial number
11. How to perform a debug in PA?
The following are the steps.
Clear all packet capture settings:
> debug dataplane packet-diag clear all
Set the traffic matching condition:
> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on
Enable packet capture:
> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on
View the captured file:
> view-pcap filter-pcap rx.pcap
12. What do you mean by Device Group and Device Template?
A device group allows you to group firewalls that require a similar set of policies, such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. Only Objects and Policies are part of a device group.
Device Template:
Device templates enable you to deploy a common base configuration, such as network and device-specific settings, to multiple firewalls that require similar settings.
These are available in the Device and Network tabs on Panorama.
13. Why do you use Security Profiles?
Security profiles are used to scan allowed applications for threats such as viruses, malware, spyware and DDoS attacks. Security profiles are not used in the match criteria of a traffic flow; a security profile is applied to scan traffic after the application or category has been allowed by the security policy. You can add security profiles that are commonly applied together to a Security Profile Group.
The following security profiles are available:
Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles
