Palo Alto Interview Questions and Answers


In this post we answer a range of Palo Alto technical interview questions that may help in your job interview. Palo Alto Networks makes next-generation firewalls that provide packet inspection at the application layer. They use next-generation features such as App-ID, User-ID and Content-ID to identify applications and users and to inspect content, all in one box. If you are planning to appear for a Senior Network Engineer interview, these interview questions for Palo Alto firewalls might be helpful in landing your dream job.

What is the role of Virtual Wire interface in Palo Alto firewall?

Virtual wires bind two interfaces within a firewall, allowing you to easily install a firewall into a topology that requires no switching or routing by those interfaces. In a virtual wire deployment, you install a firewall transparently on a network segment by binding two firewall ports (interfaces) together.

What is APP-ID?

App-ID, a patented traffic classification system only available in Palo Alto Networks firewalls, determines what an application is irrespective of port, protocol, encryption (SSH or SSL) or any other evasive tactic used by the application. Traffic is matched against policy to check whether it is allowed on the network.

App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk.

How does App-ID identify the application used in the network?

App-ID enables you to see the applications on your network and learn how they work, their behavioral characteristics, and their relative risk. Applications and application functions are identified via multiple techniques, including application signatures, decryption (if needed), protocol decoding, and heuristics.

An administrator is finding it hard to manage multiple Palo Alto NGFW firewalls. What solution should they use to simplify and centrally manage the firewalls from a single source?

Panorama saves time and reduces complexity by managing network security with a single pane of glass for all your Palo Alto Networks Next-Generation.

What are 3 focal areas in which Panorama adds value?

The three main areas in which Panorama adds value are:

  • Centralized configuration and deployment.
  • Aggregated logging with central oversight for analysis and reporting.
  • Distributed administration.

What are the benefits of using Panorama?

Panorama is very useful for updating software in bulk with a single click. It also provides detailed reporting to check and validate compliance status. Panorama can also act as a logging service, collecting logs from managed devices to solve operational logging challenges.

Which Palo Alto Networks solution targets endpoint security from Cyber-attacks?

As part of Palo Alto Networks Next-Generation Security Platform, Traps integrates with WildFire® cloud-based threat analysis service to automatically convert threat intelligence into malware prevention, preemptively blocking threats before they can compromise an endpoint.

What are different modes in which interfaces on Palo Alto can be configured?

You can configure Ethernet interfaces as the following types: tap, high availability (HA), log card (interface and subinterface), decrypt mirror, virtual wire (interface and subinterface), Layer 2 (interface and subinterface), Layer 3 (interface and subinterface), and aggregate Ethernet.

Which command is used to show the maximum log file size?

#show system logdb-quota

What is the function of a Zone Protection Profile?

Configure protection against floods, reconnaissance, packet-based attacks, and non-IP-protocol-based attacks with Zone Protection profiles. Apply a Zone Protection profile to each zone to defend it based on the aggregate traffic entering the ingress zone.

What is the difference between Palo Alto NGFW and WAF?

Key attributes of Palo Alto Networks next generation firewall:

• Designed to be a primary firewall, identifying and controlling applications, users and content traversing the network.

App-ID: Identifies and controls more than 900 applications of all types, irrespective of port, protocol, SSL encryption or evasive tactic.

User-ID: Leverages user data in Active Directory (as opposed to IP addresses) for policy creation, logging and reporting.

Content-ID: Blocks a wide range of malware, controls web activity and detects data patterns (SSN, CC#) traversing the


Logging and reporting: All application, user and threat traffic is logged for analysis and forensics purposes.

Performance: Designed to act as the primary firewall for enterprises of all sizes which dictates that it deliver high performance throughput under load. Palo Alto Networks uses a combination of custom hardware, function specific processing and innovative software design to deliver high performance, low latency throughput.

Key attributes of Web Application Firewalls:

• Designed to compensate for insecure coding practices – only those companies that use web applications and are concerned that their code is insecure need to buy a WAF.

• Looks specifically for security flaws in the application itself, ignoring the myriad of attacks that may be traversing the network.

• Highly customized for each environment – looking at how the web application is supposed to act and acting on any odd behavior.

• Looks only at the specific L7 fields of a web application – they do not look at any of the other layers in the OSI stack.

• Current WAF offerings are designed to look only at a very small subset of the application traffic and as such, cannot address the performance requirements of a primary firewall.

What is U-Turn NAT?

The term U-Turn is used when the logical path of a connection traverses the firewall from inside to outside and back in, by connecting to an internal resource using its external IP address. U-Turn NAT is a configuration trick to accommodate a deployment where the external IP needs to reach an internal resource.

Explain the difference between Virtual Routers and Virtual Systems in Palo Alto?

VSYS can come in handy in certain situations where you really should have multiple different firewalls, however for budgetary reasons only one is available. You can have multiple VR instances running inside VSYS.

Use the Palo Alto Networks PA-5060, PA-5050, and PA-5020 to safely enable applications, users, and content in high-speed datacenter, large Internet gateway, service provider, and multi-tenant environments. Predictable throughput levels of up to 20 Gbps are achieved using dedicated, function-specific processing for networking, security, content inspection, and management.


Which Dynamic Routing protocol cannot be configured on the Palo Alto Firewall?

PAN-OS software supports static routes, BGP, OSPF, RIP, and Multicast routing configured in the virtual router (VR). There are limitations for the number of entries in the forwarding and routing tables.

Which IPS mechanisms does Content-ID use to secure the network from attacks?

Content-ID gives you a real-time threat prevention engine, combined with a comprehensive URL database, and elements of application identification to:

  • Limit unauthorised data and file transfers
  • Detect and block exploits, malware and malware communications
  • Control unapproved web surfing

The application visibility and control of App-ID, coupled with the content inspection enabled by Content-ID, empowers your IT team to regain control over your application traffic and related content.

Which types of logs can be viewed on Palo Alto NGFWs?

Log Types and Severity Levels

  • Traffic Logs.
  • Threat Logs.
  • URL Filtering Logs.
  • WildFire Submissions Logs.
  • Data Filtering Logs.
  • Correlation Logs.
  • Tunnel Inspection Logs.
  • Config Logs.

A malicious file was not blocked by WildFire evaluation and somehow was allowed to execute. Can such malicious activity still be blocked?

What is Wildfire? Explain its functioning?

The WildFire Analysis Environment identifies previously unknown malware and generates signatures that Palo Alto Networks firewalls can use to then detect and block the malware. The malware found in the file attachment is an advanced VM-aware threat and has not been encountered before.

The WildFire™ cloud service analyzes files and email links to detect threats and create protections to block malware. When WildFire identifies a zero-day threat, it globally distributes protection for that threat in under five minutes.

Palo Alto WildFire is a cloud-based service that provides malware sandboxing and fully integrates with the vendor’s on-premises or cloud-deployed next-generation firewall (NGFW) line. The firewall detects anomalies and then sends data to the cloud service for analysis.

By default, what is the IP address of management port on Palo Alto Firewall and default username/password?

By default, the firewall has an IP address of and a username/password of admin/admin.

What is the key difference between superuser and device administrator?

Superuser: Full access to the firewall, including defining new administrator accounts and virtual systems. You must have Superuser privileges to create an administrative user with Superuser privileges.

Device Administrator: Full access to all firewall settings except for defining new accounts or virtual systems.

What are the HA modes in which Palo Alto Firewall can be configured?

Active / Active & Active / Passive

What is HA Lite?

The PA-200 firewall supports HA lite, a version of active/passive HA that does not include any session synchronization. HA lite does provide configuration synchronization and synchronization of some runtime items. It also supports failover of IPSec tunnels (sessions must be re-established), DHCP server lease information, DHCP client lease information, PPPoE lease information, and the firewall’s forwarding table when configured in Layer 3 mode.

What is HA (High Availability)?

High availability (HA) is a deployment in which two firewalls are placed in a group and their configuration is synchronized to prevent a single point of failure on your network. A heartbeat connection between the firewall peers ensures seamless failover in the event that a peer goes down. Setting up two firewalls in an HA pair provides redundancy and allows you to ensure business continuity.

Pre-requisites for High Availability?

To set up HA on your firewalls, you need a pair of firewalls that meet the following requirements:

  • Same Model
  • Same PAN-OS Version
  • Same Multi-VSYS
  • Same Interfaces
  • Same Set of Licenses

What are the different states of HA Firewall?

| State | Occurs In | Short Description |
|---|---|---|
| Initial | A/P or A/A | Transient state of a firewall when it joins the HA pair. |
| Active | A/P | State of the active firewall in an active/passive configuration. |
| Passive | A/P | The passive firewall is synchronizing flow state, runtime objects, and configuration. The passive firewall is monitoring the status of the active firewall using the hello protocol. |
| Active Primary | A/A | In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions. |
| Active Secondary | A/A | In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions. |
| Tentative | A/A | Caused by failure of a firewall, failure of a monitored object (a link or path), or the firewall leaving the suspended or non-functional state. |
| Non-Functional | A/P or A/A | Error state due to a dataplane failure or a configuration mismatch. |
| Suspended | A/P or A/A | The device is disabled so won’t pass data traffic and although HA communications still occur, the device doesn’t participate in the HA election process. It can’t move to an HA functional state without user intervention. |

Which port types are used in an HA pair?

HA 1 –

HA 2

HSCI—The HSCI port is a Layer 1 SFP+ interface that connects two PA-3200 Series firewalls in an HA configuration.

The Palo Alto Networks firewall supports how many VPN deployments?

There are two types of VPN: Site-to-site VPN is used to connect branch offices to a central office over the internet when distance prevents direct network connections. Remote access VPN allows individual users to remotely connect to a central network.

What is a service route? What interface is used by default to access external services?

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks services such as software, URL updates, licenses and AutoFocus

How many zones can an interface be part of?

A zone can have multiple interfaces of the same type assigned to it (such as tap, layer 2, or layer 3 interfaces), but an interface can belong to only one zone.

2 Zones are configured on a Palo Alto Firewall. IP communication is not happening between both zones. What is required to allow this?

By default, Inter-Zone communication is blocked, so Security Policy is required with Allow Action to pass IP communication between two security zones.

What is bootstrapping in Firewall?

Bootstrapping speeds up the process of configuring and licensing the firewall to make it operational on the network with or without Internet access. 

Which file is mandatory for bootstrap process to function?

Create the init-cfg.txt file, a mandatory file that provides bootstrap parameters. The fields are described in Sample init-cfg.

What are the basic approaches to deploying certificates for Palo Alto Networks firewalls?

You can deploy the certificates manually or use a centralized deployment method such as an Active Directory Group Policy Object (GPO).

What parameter decides a primary and secondary HA pair?

The firewalls in an HA pair can be assigned a device priority value to indicate a preference for which firewall should assume the active role.

In active/active configuration, set the Device ID to determine which peer will be active-primary (set Device ID to 0) and which will be active-secondary (set the Device ID to 1).

What is the Application Command Center (ACC)?

The Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable information on threats.

An administrator needs to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans?

Anti-Spyware Security Profile

Which virtualization platforms support the deployment of Palo Alto Networks VM-Series firewalls?

Palo Alto VM Supports VMware, Cisco ACI and ENCS, KVM, OpenStack, Amazon Web Services, Microsoft public and private cloud, OCI,

A traffic log displays “incomplete” for a new application. What does that mean?

Incomplete means that either the three-way TCP handshake did not complete, or the three-way TCP handshake did complete but there was not enough data after the handshake to identify the application. In other words, the traffic being seen is not really an application.
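The two causes described above can be separated during log review by looking at packet counts per session. The following is an added example, not part of the original post: the CSV layout, column names and sample rows are constructed for illustration (they are not the PAN-OS export format), and the packet-count thresholds are a heuristic.

```python
import csv
import io
from collections import defaultdict

# Constructed sample records. Column names are this example's own,
# not the field order of a real PAN-OS traffic log export.
SAMPLE_LOG = """\
src,dst,dport,app,pkts_sent,pkts_received
10.1.1.10,203.0.113.5,443,ssl,14,12
10.1.1.11,198.51.100.7,8443,incomplete,3,0
10.1.1.12,198.51.100.7,8443,incomplete,2,0
10.1.1.13,198.51.100.7,8443,incomplete,3,0
10.1.1.10,203.0.113.9,22,incomplete,3,2
10.1.1.14,203.0.113.5,443,web-browsing,20,25
"""

def classify(row):
    """Map an 'incomplete' session to a likely cause; None for identified apps."""
    if row["app"] != "incomplete":
        return None
    sent, received = int(row["pkts_sent"]), int(row["pkts_received"])
    if received == 0:
        return "no-reply"  # SYN left, nothing came back: handshake never completed
    if sent < 2:
        return "reply-before-handshake-done"  # e.g. SYN answered, no final ACK seen
    # Heuristic: SYN, SYN-ACK and ACK were possible, but no payload followed.
    return "handshake-likely-done-no-data"

def triage(log_text, min_sessions=3):
    """Group incomplete sessions by destination and flag unanswered ones."""
    per_dest = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(io.StringIO(log_text)):
        cause = classify(row)
        if cause:
            per_dest[(row["dst"], int(row["dport"]))][cause] += 1
    findings = []
    for (dst, dport), causes in sorted(per_dest.items()):
        no_reply = causes.get("no-reply", 0)
        findings.append({
            "dst": dst,
            "dport": dport,
            "total": sum(causes.values()),
            "causes": dict(causes),
            # Repeated unanswered sessions to one destination deserve a path check.
            "review": no_reply >= min_sessions,
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```
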

What are options available on Palo Alto firewall for forwarding the log messages?

Log messages forwarding options include Email Servers, Syslog Server, SNMP trap servers or HTTP based services.

What happens when a URL matches multiple patterns (multiple custom URL filtering categories and allow/block-list) within a URL filtering profile?

When a URL matches multiple categories, the category chosen is the one that has the most severe action defined below (block being most severe and allow least severe).

What actions are available while filtering URLs?

From most strict to least strict, possible URL Filtering profile actions are: block, override, continue, alert, and allow
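The precedence rule from the previous answer, combined with the strict-to-lenient action order above, means an allow-list entry does not rescue a URL that also matches a stricter category. The following is an added example, not part of the original post: the category names and patterns are hypothetical, and simple glob matching stands in for the firewall's own pattern matcher.

```python
from fnmatch import fnmatchcase

# Strictest first, in the order this page lists the actions.
SEVERITY = ["block", "override", "continue", "alert", "allow"]

# Constructed profile: category name -> (action, URL patterns).
# Names and patterns are hypothetical, chosen so that they overlap.
PROFILE = {
    "corp-allow-list": ("allow", ["*.example.com/*", "example.com/*"]),
    "file-sharing-custom": ("continue", ["files.example.com/*"]),
    "known-bad-paths": ("block", ["*/download/*.exe"]),
    "audit-only": ("alert", ["*.example.net/*"]),
}

def matching_categories(url, profile=PROFILE):
    """Return [(category, action)] for every category with a matching pattern."""
    target = url.lower().split("://", 1)[-1]  # compare without the scheme
    hits = []
    for name, (action, patterns) in profile.items():
        if action not in SEVERITY:
            raise ValueError(f"unknown action {action!r} in category {name!r}")
        # Assumption: glob matching, not the firewall's real matcher.
        if any(fnmatchcase(target, pattern) for pattern in patterns):
            hits.append((name, action))
    return hits

def resolve_action(url, profile=PROFILE):
    """Pick the most severe action among all matching categories.

    Returns (action, category), or (None, None) when nothing matches and the
    URL falls through to handling this example does not model.
    """
    hits = matching_categories(url, profile)
    if not hits:
        return None, None
    name, action = min(hits, key=lambda hit: SEVERITY.index(hit[1]))
    return action, name

if __name__ == "__main__":
    for sample in (
        "http://example.com/index.html",
        "http://files.example.com/report.pdf",
        "https://files.example.com/download/setup.exe",
        "http://unrelated.test/",
    ):
        print(sample, "->", resolve_action(sample))
```
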

Which are pre-defined administrator roles?

Super User — Has full access to the firewall and can define new administrator accounts and virtual systems. …

Super User (Read Only) —Has read-only access to the firewall.

Virtual system administrator. — Access to selected virtual systems on the firewall to create and manage specific aspects of virtual systems. A virtual system administrator doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.

Virtual system administrator (Read-Only) – Read-only access to selected virtual systems on the firewall and specific aspects of virtual systems. A virtual system administrator with read-only access doesn’t have access to network interfaces, VLANs, virtual wires, virtual routers, IPSec tunnels, DHCP, DNS Proxy, QoS, LLDP, or network profiles.

Device administrator – Full access to all firewall settings except for defining new accounts or virtual systems.

Device administrator (read-only) – Read-only access to all firewall settings except password profiles (no access) and administrator accounts (only the logged in account is visible).

What is the Captive portal and its usage?

The Captive Portal is used to create a user-to-IP mappings on the Palo Alto Networks firewall. The portal is triggered based on the Captive Portal policies for http and/or https traffic only and is triggered only for the IP addresses without existing user-to-IP mapping.

How does Panorama handle new logs when it reaches the maximum storage limit?

When log storage reaches the maximum capacity, Panorama automatically deletes older logs to create space for new ones.

In this post we have discussed Palo Alto interview questions and answers. These are interview questions for Palo Alto firewalls that might appear in your job interview.
