Palo Alto Firewall Interview Questions & Answers

5 avg. rating (100% score) - 2 votes

Palo Alto Firewall Interview Questions & Answers

Palo Alto Networks is an American multinational cybersecurity firm with head office in Santa Clara, California. If your interest is in Cybersecurity then you can apply to the Palo Alto Firewall company. Cyber Security jobs are much in demand at present because of the tremendous increase on the Internet. If you are looking for the interview question then we in Wisdomjobs has made it easier for your job search. Because we provide you with all kinds of Palo Alto Firewall Interview Question and Answers on our site page. If you are good at firewall concepts then there are various leading companies that offer job roles like Director Operations (Infrastructure), Technical Marketing Engineering (Cyber Security), Technical Support Engineer, Software Engineer, Software QA Performance Engineer, Senior Software Engineer (Virtualization) along with that there are many other roles too that you can apply for. For more details on Palo Alto Firewall Jobs visit our site page.

Palo Alto Firewall Interview Questions

Palo Alto Firewall Interview Questions
    1. Question 1. Why Palo Alto Is Being Called As Next Generation Firewall ?

      Answer :

      Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all the next generation firewall features using the single platform, parallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features. Palo Alto NGFW different from other vendors in terms of Platform, Process and architecture

    2. Question 2. Difference Between Palo Alto Ngfw And Checkpoint Utm ?

      Answer :

      PA follows Single pass parallel processing while UTM follows Multi pass architecture process.

    3. Question 3. Describe About Palo Alto Architecture And Advantage ?

      Answer :

      Architecture: Single Pass Parallel Processing (SP3) architecture.

      Advantage: This Single Pass traffic processing enables very high throughput and low latency – with all security functions active.  It also offers single, fully integrated policy which helps simple and easier management of firewall policy.

    4. Question 4. Explain About Single Pass And Parallel Processing Architecture?

      Answer :

      Single Pass : The single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once.  Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once and in a stream-based fashion to avoid latency introduction.

      Parallel Processing :   PA designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions.

      Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware

      User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.

      Content-ID content analysis uses dedicated, specialized content scanning engine

      On the controlplane, a dedicated management processor (with dedicated disk and RAM) drives the configuration management, logging, and reporting without touching data processing hardware.

    5. Question 5. Difference Between Pa-200,pa-500 And Higher Models ?

      Answer :

      In PA-200 and PA-500, Signature process and network processing implemented on software while higher models have dedicated hardware processor

    6. Question 6. What Are The Four Deployment Mode And Explain ?

      Answer :

      Tap Mode : Tap mode allows you to passively monitor traffic flow across network by way of tap or switch SPAN/mirror port

      Virtual wire : In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together

      Layer 2 mode : multiple interfaces can be configured into a “virtual-switch” or VLAN in L2 mode.

      Layer 3 Deployment : In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

    7. Question 7. What You Mean By Zone Protection Profile?

      Answer :

      Zone Protection Profiles offer protection against most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone.

      The following types of protection are supported:

      • Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.
      • Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.
      • Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.

      Configured under Network tab -> Network Profiles -> Zone protection.

    8. Question 8. What Is U-turn Nat And How To Configure ?

      Answer :

      U-turn NAT is applicable when internal resources on trust zone need to access DMZ resources using public IP addresses of Untrust zone.

    9. Question 9. What Is Global Protect ?

      Answer :

      GlobalProtect provides a transparent agent that extends enterprise security Policy to all users regardless of their location. The agent also can act as Remote Access VPN client. 

      Following are the component

      Gateway : This can be or more interface on Palo Alto firewall which provide access and security enforcement for traffic from Global Protect Agent

      Portal: Centralized control which manages gateway, certificate , user authentication and end host check list

      Agent : software on the laptop that is configured to connect to the GlobalProtect deployment.

    10. Question 10. Various Port Numbers Used In Ha ?

      Answer :

      HA1: tcp/28769,tcp/28260 for clear text communication ,tcp/28 for encrypted communication

      HA2: Use protocol number 99 or UDP-29281

    11. Question 11. What Are The Scenarios For Failover Triggering ?

      Answer :

      • if one or more monitored interfaces fail
      • if one or more specified destinations cannot be pinged by the active firewall
      • if the active device does not respond to heartbeat polls (Loss of three consecutive heartbeats over period of 1000 milliseconds)

    12. Question 12. How To Troubleshoot Ha Using Cli ?

      Answer :

      show high-availability state : Show the HA state of the firewall
      show high-availability state-synchronization : to check sync status
      show high-availability path-monitoring : to show the status of path monitoring
      request high-availability state suspend : to suspend active box and make the current passive box as active

    13. Question 13. Command To Check The Nat Rule ?

      Answer :

      >test nat-policy-match

    14. Question 14. Command To Check The System Details ?

      Answer :

      show system info  // It will show management IP , System version and serial number

    15. Question 15. How To Perform Debug In Pa?

      Answer :

      Following are the steps:

      • Clear all packet capture settings
      • debug dataplane packet-diag clear all
      • set traffic matching condition
      • debug dataplane packet-diag set filter match source destination
      • debug dataplane packet-diag set filter on

    16. Question 16. What You Mean By Device Group And Device Template?

      Answer :

      Device group allows you to group firewalls which is require similar  set of policy , such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. The Objects and Policies are only part of Device Group.

      Device Template:

      • Device Templates enable you to deploy a common base configuration like Network and device specific settings to multiple firewalls that require similar settings.
      • This is available in Device and Network tabs on Panorama.

    17. Question 17. Why You Are Using Security Profile?

      Answer :

      Security Profile using to scans allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks.Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy. You can add security profiles that are commonly applied together to a Security Profile Group

      Following are the Security Profiles available:

      • Antivirus Profiles
      • Anti-Spyware Profiles
      • Vulnerability Protection Profiles
      • URL Filtering Profiles
      • Data Filtering Profiles
      • File Blocking Profiles
      • WildFire Analysis Profiles
      • DoS Protection Profiles

Popular Interview Questions

All Interview Questions

Palo Alto Firewall Practice Test

All rights reserved © 2018 Wisdom IT Services India Pvt. Ltd Protection Status