Palo Interview Questions

Question 1

What are the different deployment modes available in Palo Alto firewalls?

Answer 1

Palo Alto firewalls support multiple deployment modes:
* Tap mode: Used for monitoring traffic without affecting the flow.
* Virtual Wire mode: Allows for inline deployment without requiring changes to the existing network infrastructure.
* Layer 2 mode: Operates as a transparent bridge, forwarding traffic at layer 2.
* Layer 3 mode: Functions as a traditional router, routing traffic at layer 3.

Question 2

Question #02: Is the firewall at Palo Alto stateful

Answer 2

Yes, the firewall matches all traffic passing through it against the session and then matches every session against the security policy.

Question 3

Question #03: What is the difference between Virtual Routers and Virtual Systems in Palo Alto firewalls?

Answer 3

• Virtual Routers (VR): Logical routing instances within a firewall, allowing for separate routing tables and configurations.
• Virtual Systems (VSYS): Logical firewalls within a single physical device, providing multi-tenancy capabilities.

Question 4

Question #04: What is the purpose of Palo Alto Autofocus?

Answer 4

Cloud-based threat intelligence service allowing admins to conveniently determine all critical attacks. This way, the admins can triage effectively and take the necessary actions without the need for additional IT resources.

Question 5

Question #05: What are the different failover scenarios?

Answer 5

A failover gets triggered when a monitored metric fails on the active Panorama.

There are two significant scenarios when a failover gets triggered:
* The peers in the Panorama cannot communicate with each other, and the active peer is not responding to status polls and health.
* One or more of the destinations specified on the active peer is unreachable.

Question 6

Question #06: What is a U-Turn NAT?

Answer 6

Internal users with private IP address want to connect to the server deployed in the internal DMZ zone with the public IP address. Since there’s no Internal DNS server and it depends on a Public DNS server from the internet

Question 7

Question #07: Explain Active/Passive and Active/Active modes in Palo Alto.

Answer 7

• Active/Passive mode: One firewall manages traffic while the other is ready and synchronized to move to the active state if there is a failure. Both firewalls share the same settings, and one is responsible for actively managing the traffic until there is a failure.
• Active/Active mode: Several firewalls are grouped in the form of a cluster and contain multiple active units processing traffic. They share the network load and do DPI as well, together.

Question 8

Question #08: What is a Zone Protection Profile?

Answer 8

It helps protect the network from attacks. The attacks can be in the form of reconnaissance attacks, common floods, and similar other packet-based attacks.

Question 9

Question #09: What is the Application Command Centre (ACC)?

Answer 9

The ACC or Application Command Centre provides URL, threat, and data (files and patterns) traversing the Palo Alto network firewalls.

Question 10

Question #10: What is WAF (Web Application Firewall)?

Answer 10

A WAF helps protect web applications by monitoring and filtering the HTTP traffic between the internet and a web application.

Question 11

Question #11: What do HA, HA1, and HA2 mean in Palo Alto?

Answer 11

• HA: High Availability port. A dedicated HA link port connects the auxiliary and primary devices physically. You can place two firewalls in a group and synchronize their configuration.
• HA1: Used for clear text communication and encrypted communication.
• HA2: Used to forward tables, synchronize sessions, IPsec security associations, and the ARP tables.

Question 12

Question #13: What exactly is an App-ID?

Answer 12

It identifies and classifies applications traversing a network.

Traffic entering the network is first checked against security policies to determine if it is allowed.

Application signatures are applied to identify the application based on unique properties.

If encryption (SSL/SSH) is detected, traffic is decrypted (if a decryption policy exists) to further analyze and classify the application.

Identified applications are then subject to granular security rules for enforcement or monitoring.

Question 13

Question #14: How does an App-ID work?

Answer 13

APP ID uses several identification techniques that help determine the exact ID of the applications traversing your network. It also includes those who try evading detection by masquerading as legitimate traffic, using encryption, or by hopping ports.

Question 14

Question #15: What are the advantages of Panorama in Palo Alto?

Answer 14

It is a centralized management system that controls various Palo firewalls via a web-based interface. It helps the administrators view the device-specific or aggregate application content, user data and manage Palo Alto Networks firewalls.

Question 15

Question #16: What are the possibilities for forwarding log messages on the Palo Alto firewall?

Answer 15

Every firewall stores the log file locally by default. Panorama supports forwarding log messages to a log collector, a cortex data lake, or simultaneously both.

One can even use external services for notification, archiving, or analysis by forwarding logs to the services from panorama or firewalls.

Question 16

Question #17: What is the procedure for adding a license to the Palo Alto firewall?

Answer 16

To add a license:
1. Navigate to the device, and license, and click on the activate feature using the Auth code.
2. Download the authorization file.
3. Copy this file to a computer that has access to the internet and log in to the support panel.
4. Click on my VM series auth codes and select the applicable auth code from the list.
5. Now click on register VM. Select the authorization file from the pop-up.
6. The registration process is completed, and the serial number of the VM series firewall will be attached to the records on the support site.

Question 17

Question #18: What is GlobalProtect in Palo Alto?

Answer 17

VPN Client

Question 18

Question #19: What is endpoint security in Palo Alto?

Answer 18

Suite of tools to protect devices connected to the network such as laptops, desktops, servers, and tablets.

Cortex XDR combines advanced threat detection, machine learning, and behavioral analysis to safeguard endpoints.

Threat Detection & Prevention
Data Encryption
Firewall Protection
Device Control
Zero-Day Threat Protection

Question 19

Question #20: What are the various linkages used to establish HA or the HA Introduction?

Answer 19

The firewall in HA pair uses HA links to synchronize data and maintain state information.

However, some models of the firewall also dedicate the HA ports- Control link (HA1) and Data link (HA2).

Question 20

Question #21: What are Backup Links?

Answer 20

Backup links provide redundancy for the HA2 and HA1 links.

In-brand ports can be used for backup links for HA1 and HA2 connections when dedicated backup links aren’t available.

Question 21

Question #22: What are the various port numbers used in HA?

Answer 21

There are two major types of ports used in HA:

• TCP port 28769 and 28260: Used to ensure clear text communication between two ends.
• Port 28: Used for encrypted communication.

Question 22

Question #23: What functionalities does Palo Alto support in Virtual Wire Mode?

Answer 22

A virtual wire interface supports App ID, user ID, content ID, NAT, and decryption.

Question 23

Question #24: Which virtualization platform fully supports Palo Alto Network Deployments?

Answer 23

Cisco ACI, OpenStack, Microsoft Public, ENCS, Vmware, etc.

Question 24

Question #25: What command is used to show the maximum size of the log file?

Answer 24

1. bash
2. show logdb-quota

Question 25

Question #26: How does Panorama handle new logs once the storage limit has been reached?

Answer 25

When the log storage limit is reached, Panorama automatically deletes old logs to create a space for new entries. The panorama contains an automated feature that may check and, if necessary, remove the storage restriction.

Question 26

Question #27: What is the purpose of the Security Policy in Palo Alto Firewalls?

Answer 26

It defines the rules for allowing or denying traffic based on various criteria like source, destination, application, user, and content.

Question 27

Question #28: How does Palo Alto handle SSL Decryption?

Answer 27

It decrypt SSL/TLS traffic to inspect it for threats, malware, and policy violations. This is done through SSL Forward Proxy for outbound traffic and SSL Inbound Inspection for inbound traffic.

Question 28

Question #29: What is the purpose of the Threat Prevention security profile?

Answer 28

It’s used to protect against known and unknown threats, including malware, exploits, and command-and-control traffic.

Question 29

Question #30: What is the function of the URL Filtering security profile?

Answer 29

It categorizes and controls web access based on URL categories, allowing administrators to block or allow access to specific websites or categories.

Question 29

Question #29: What is the purpose of the Threat Prevention security profile?

Answer 29

It’s used to protect against known and unknown threats, including malware, exploits, and command-and-control traffic.

Question 30

Question #31: What is WildFire in the context of Palo Alto Networks?

Answer 30

WildFire is a cloud-based malware analysis service that identifies and analyzes unknown files and email links to detect zero-day threats and distribute protections globally within minutes.

Question 31

Question #32: What is the purpose of the Panorama management tool?

Answer 31

Panorama is a centralized management system that controls various Palo firewalls via a web-based interface, providing visibility, reporting, and policy management across multiple firewalls.

Question 32

Question #33: How does High Availability (HA) work in Palo Alto Firewalls?

Answer 32

It ensures that if one firewall fails, another can take over seamlessly. It involves active/passive or active/active configurations where firewalls are synchronized to maintain state information.

Question 33

Question #34: What is User-ID and how is it used in Palo Alto Firewalls?

Answer 33

User-ID maps users to IP addresses, allowing for user-based security policies. It integrates with Active Directory.

Question 34

Question #35: How does Palo Alto handle IP fragmentation?

Answer 34

Palo Alto Firewalls can reassemble fragmented IP packets to inspect them for threats, ensuring that fragmented traffic does not bypass security policies.

Question 35

Question #36: What is the purpose of the Log Forwarding feature in Palo Alto Firewalls?

Answer 35

Log Forwarding allows administrators to forward logs from firewalls to external services for analysis, archiving, or notification purposes.

Question 36

Question #37: What is the purpose of Dynamic Updates in Palo Alto Firewalls?

Answer 36

Dynamic Updates provide the latest threat intelligence, application signatures, and antivirus/anti-spyware definitions to keep the firewall up-to-date with the latest security information.

Question 37

Question #38: How does Palo Alto handle DoS (Denial of Service) attacks?

Answer 37

It use DoS Protection profiles to detect and mitigate DoS attacks by monitoring traffic patterns and applying rate limiting or blocking based on predefined thresholds.

Question 38

Question #39: What is the purpose of the Security Profiles in Palo Alto Firewalls?

Answer 38

Security Profiles are used to define specific security settings for applications, users, and content, including antivirus, anti-spyware, URL filtering, and more.

Question 39

Question #40: How does Palo Alto handle traffic between different security zones?

Answer 39

Palo Alto Firewalls use security zones to segregate traffic. Policies are applied to control traffic flow between zones, ensuring that traffic is inspected and filtered according to the defined rules.

Question 40

Question #41: A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRS) are created for each virtual system. In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems?

Answer 40

Layer 3 zones for the virtual systems that need to communicate. Ensure the virtual systems are visible to one another. Add a route with next hop next-vr by using the VR configured in the virtual system.

Question 41

Question #42: A firewall engineer needs to update a company’s Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network. Which path should the engineer follow to deploy the PAN-OS images to the firewalls?

Answer 41

Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

Question 42

Question #42: An administrator is informed that the engineer who previously managed all the VPNs has left the company. According to company policies, the administrator must update all the IPSec VPNs with new pre-shared keys. Where are the pre-shared keys located on the firewall?

Answer 42

Go to Network > Network Profiles > IKE Gateway to configure the IKE Phase-1 Gateway.

Question 43

Question #43: A company configures its WildFire analysis profile to forward any file type to the WildFire public cloud. A company employee receives an email containing an unknown link that downloads a malicious Portable Executable (PE) file. What does Advanced WildFire do when the link is clicked?

Answer 43

Performs malicious content analysis on the linked page and the corresponding PE file. A Palo Alto Networks firewall can extract HTTP/HTTPS links contained in SMTP and POP3 email messages and forward the links for WildFire analysis The Advanced WildFire cloud is also capable of analyzing certain file types which are used as secondary payloads as part of multi-stage PE, APK, and ELF malware packages

Question 44

Question #45: Which two are required by IPSec in transport mode?

Answer 44

DH-group 20 (ECP-384 bits) Auto generated key

Question 45

Question #46: Forwarding of which two log types is configured in Device > Log Settings?

Answer 45

HIP Match Configuration

Question 46

Question #47: A firewall administrator has confirmed reports of a website is not displaying as expected, and wants to ensure that decryption is not causing the issue. Which three methods can the administrator use to determine if decryption is causing the website to fail?

Answer 46

Create a policy-based “No Decrypt” rule in the decryption policy to exclude specific traffic from decryption. Investigate decryption logs of the specific traffic to determine reasons for failure. Disable SSL handshake logging.

Question 47

Question #48: An administrator configures HA on a customer’s Palo Alto Networks firewalls with path monitoring by using the default configuration values. What are the default values for ping interval and ping count before a failover is triggered?

Answer 47

Ping interval of 200 ms and ping count of 10 failed pings

Question 48

Question #49: A firewall administrator has configured User-ID and deployed GlobalProtect, but there is no User-ID showing in the traffic logs. How can the administrator ensure that User-IDs are populated in the traffic logs?

Answer 48

Enable User-ID on the expected trusted zones.

Question 49

Question #50: A decryption policy has been created with an action of “No Decryption.” The decryption profile is configured in alignment to best practices. What protections does this policy provide to the enterprise?

Answer 49

It enhances security by actively blocking access to potentially insecure sites with expired certificates or untrusted issuers.

Question 50

Question #51: An administrator plans to install the Windows User-ID agent on a domain member system. What is a best practice for choosing where to install the User-ID agent?

Answer 50

In close proximity to the servers it will be monitoring

Question 51

Question #52: A firewall engineer at a company is researching the Device Telemetry feature of PAN-OS. Which two aspects of the feature require further action for the company to remain compliant with local laws regarding privacy and data storage?

Answer 51

Telemetry feature is automatically enabled during PAN-OS installation. Telemetry data is uploaded into Strata Logging Service.

Question 52

Question #53: While troubleshooting an issue, a firewall administrator performs a packet capture with a specific filter. The administrator sees drops for packets with a source IP address of 10.1.1.1. How can the administrator further investigate these packet drops by looking at the global counters for this packet capture filter?

Answer 52

show counter global filter packet-filter yes delta yes

Question 53

Question #55: What type of NAT is required to configure transparent proxy?

Answer 53

Destination translation with Dynamic IP

Question 54

Question #56: An administrator is tasked to provide secure access to applications running on a server in the company’s on-premises datacenter. What must the administrator consider as they prepare to configure the decryption policy?

Answer 54

Obtain or generate the server certificate and private key from the datacenter server.

Question 55

Question #57: An administrator is creating a new Dynamic User Group to quarantine users for suspicious activity. Which two objects can Dynamic User Groups use as match conditions for group membership?

Answer 55

Source IP address Dynamic tags

Question 56

Question #58: When creating a Policy-Based Forwarding (PBF) policy, which two components can be used?

Answer 56

Source Interface Schedule

Question 57

Question #59: An administrator plans to install the Windows-Based User-ID Agent. What type of Active Directory (AD) service account should the administrator use?

Answer 57

Create a dedicated Active Directory service account for the User-ID agent to access the services and hosts it will monitor to collect user mappings

Question 58

Question #60: A firewall engineer is tasked with defining signatures for a custom application. Which two sources can the engineer use to gather information about the application patterns?

Answer 58

Wireshark Traffic logs

Question 59

Question #61: After configuring an IPSec tunnel, how should a firewall administrator initiate the IKE phase 1 to see if it will come up?

Answer 59

Test vpn ike-sa gateway

Question 60

Question #62: What should an engineer consider when setting up the DNS proxy for web proxy?

Answer 60

A secondary DNS server in the DNS proxy is optional, and configuration commit to the firewall will succeed with only one DNS server.

Question 61

Question #63: Which statement accurately describes how web proxy is run on a firewall with multiple virtual systems?

Answer 61

It can run on a single virtual system and multiple virtual systems.

Question 62

Question #64: What does the User-ID agent use to find login and logout events in syslog messages?

Answer 62

Syslog Parse profile

Question 63

Question #65: A company wants to use GlobalProtect as its remote access VPN solution. Which GlobalProtect features require a Gateway license?

Answer 63

Split DNS and HIP checks

Question 64

Question #66: An administrator is troubleshooting intermittent connectivity problems with a user’s GlobalProtect connection. Packet captures at the firewall reveal missing UDP packets, suggesting potential packet loss on the connection. The administrator aims to resolve the issue by enforcing an SSL tunnel over TCP specifically for this user. What configuration change is necessary to implement this troubleshooting solution for the user?

Answer 64

Enable SSL tunnel over TCP in a new agent configuration for the specific user.

Question 65

Question #67: In which two scenarios would it be necessary to use Proxy IDs when configuring site-to-site VPN Tunnels?

Answer 65

Firewalls which support policy-based VPNs. The remote device is a non-Palo Alto Networks firewall.

Question 66

Question #68: A new firewall has the Threat Prevention subscription, but the Antivirus does not appear in Dynamic Updates. What must occur to have Antivirus signatures update?

Answer 66

Install the Application and Threats updates first, then refresh the Dynamic Updates.

Question 67

Question #69: Which three sessions are created by a NGFW for web proxy?

Answer 67

A session for DNS proxy to DNS servers A session for proxy to web server A session for client to proxy

Question 68

Question #70: Which two scripting file types require direct upload to the Advanced WildFire portal/API for analysis?

Answer 68

Perl VBS

Question 69

Question #71: Certain services in a customer implementation are not working, including Palo Alto Networks Dynamic version updates. Which CLI command can the firewall administrator use to verify if the service routes were correctly installed and that they are active in the Management Plane?

Answer 69

Debug dataplane internal vif route 250

Question 70

Question #72: An administrator wants to add User-|ID information for their Citrix MetaFrame Presentation Server (MPS) users. Which option should the administrator use?

Answer 70

Terminal Server Agent for User Mapping

Question 71

Question #73: An administrator plans to install the Windows-Based User-ID Agent to prevent credential phishing. Which installer package file should the administrator download from the support site’?

Answer 71

If you are using the User-ID agent to prevent credential phishing, download the UaCredInstall64-x.x.x.msi file instead.

Question 72

Question #74: When configuring explicit proxy on a firewall, which interface should be selected under the Listening interface option?

Answer 72

Ingress for the client traffic

Question 73

Question #75: An administrator is troubleshooting application traffic that has a valid business use case, and observes the following decryption log message: “Received fatal alert UnknownCA from client.” How should the administrator remediate this issue?

Answer 73

Add the server’s hostname to the SSL Decryption Exclusion List to allow traffic without decryption.

Question 74

Question #76: An engineer configures a destination NAT policy to allow inbound access to an internal server in the DMZ. The NAT policy is configured with the following values: * Source zone: Outside and source IP address 1.2.2.2 * Destination zone: Outside and destination IP address 2.2.2.4 The destination NAT policy translates IP address 2.2.2.1 to the real IP address 10.10.10.1 in the DMZ zone. Which destination IP address and zone should the engineer use to configure the security policy?Destination Zone DMZ, Destination IP address 2.2.2.1

Answer 74

Destination Zone DMZ, Destination IP address 2.2.2.1

Question 75

Question #79: Which protocol is natively supported by Global Protect Clientless VPN?

Answer 75

HTTPS

Question 75

Question #78: Which HA firewall state describes the firewall that is currently processing traffic?

Answer 75

Active state is HA state for Active/Passive mode, which only Active Firewall that will process traffic