Top Palo Alto Networks Firewall Interview Questions – 2023

In this article, we will discuss the top Palo Alto Networks Firewall interview questions and answers. Once you go through the complete article, you will have a good understanding of Palo Alto Networks Firewall and Panorama. I have divided this article into several sections; you can start from the beginning and work through them in order. Let’s start!


Palo Alto Networks Deployment Questions and Answers

  • What are the Deployment Modes in Palo Alto Firewall?
    • TAP
    • Virtual Wire
    • Layer2
    • Layer3
  • What is the TAP mode in Palo Alto Firewall?
    • TAP mode is a special deployment type in the Palo Alto Firewall that passively monitors the network traffic. Usually, we configure a SPAN (mirror) port on a network switch and connect it to the TAP interface.
  • What is Virtual Wire Mode in Palo Alto Firewall?
    • In Virtual Wire deployment mode, the Palo Alto Firewall is placed transparently in the network, so we don’t need to change any network addresses. Here, we just need to combine two interfaces into a single virtual wire. Unlike TAP deployment, we can monitor as well as control the traffic.
  • What is Layer 2 deployment in Palo Alto Firewall?
    • In Layer 2 deployment, we combine multiple network interfaces into a virtual switch.
  • What is Layer 3 deployment in Palo Alto Firewall?
    • In Layer 3 deployment, the firewall supports routing between different network interfaces. We need to assign a different IP address to each interface.
  • Why do we need Layer 3 subinterfaces?
    • Layer 3 subinterfaces are used to monitor and granularly control the network traffic across different VLANs. Here, we configure Layer 3 subinterfaces, each with a different VLAN ID.

Palo Alto Networks High Availability (HA) Questions and Answers

  • What do you mean by HA?
    • HA stands for High Availability. Palo Alto Networks firewalls can be deployed in Active/Passive and Active/Active High Availability.
  • What are the HA1 and HA2 in Palo Alto Firewall?
    • HA1 and HA2 are the High Availability links that are configured during the HA configuration. HA1 is used for heartbeat and HA2 is used for configuration synchronization. We also have the option to configure HA1 backup and HA2 backup links. Backup links are used when the dedicated links go down.
  • What is the HA3 port in Palo Alto Networks Firewall?
    • HA3 is an additional port that is required for Active-Active deployment. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow. The HA3 link is a Layer 2 link that uses MAC-in-MAC encapsulation.
  • What is the HSCI Port in Palo Alto Firewall?
    • HSCI stands for High-Speed Chassis Interconnect and is used for HA session setup traffic. The HSCI port is available on higher-end Palo Alto Networks firewalls, starting from the PA-3200 series.
    • You can also configure the HSCI port for HA3, which is used for asymmetric traffic flow in Active/Active HA only.
  • What are the ports required for High Availability in Palo Alto Networks Firewall?
    • TCP/28 – For HA1 if encryption is enabled
    • TCP/28769 and TCP/28260 – For HA1 if encryption is disabled
    • ICMP – For Heartbeat
    • TCP/28770 and TCP/28260 – For the HA1 backup link
    • TCP/28771 – Heartbeat backup
    • Ethernet type 0x7261, IP protocol 99, or UDP/29281 – For HA2 link
  • How is failover triggered in Palo Alto Networks Firewall?
    • Failover is triggered in the following scenarios:
      • If one or more monitored physical links go down
      • If one or more defined destinations are unreachable from the active firewall
      • If there is no response to 3 consecutive heartbeat messages
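The three failover triggers above, modelled as a small decision function. This is an added example, not code from the article or from Palo Alto Networks; the interface names, monitored destinations and heartbeat history are constructed sample inputs, and only the 3-missed-heartbeat threshold comes from the text.

```python
"""Added example: a simplified model of the HA failover triggers listed above.
Link states, path-monitor results and heartbeat history are constructed inputs."""
from dataclasses import dataclass, field

HEARTBEAT_MISS_LIMIT = 3  # failover after 3 consecutive unanswered heartbeats (from the text)


@dataclass
class HaPeerState:
    monitored_links: dict     # interface name -> True if the physical link is up
    monitored_paths: dict     # monitored destination -> True if reachable from the active peer
    heartbeat_replies: list = field(default_factory=list)  # oldest first; True = answered


def consecutive_missed_heartbeats(replies):
    """Count unanswered heartbeats at the tail of the history (most recent first)."""
    missed = 0
    for answered in reversed(replies):
        if answered:
            break
        missed += 1
    return missed


def failover_reasons(state):
    """Return every trigger that currently fires; an empty list means no failover."""
    reasons = []
    down = sorted(name for name, up in state.monitored_links.items() if not up)
    if down:
        reasons.append("link monitoring: " + ", ".join(down) + " down")
    unreachable = sorted(dst for dst, ok in state.monitored_paths.items() if not ok)
    if unreachable:
        reasons.append("path monitoring: " + ", ".join(unreachable) + " unreachable")
    missed = consecutive_missed_heartbeats(state.heartbeat_replies)
    if missed >= HEARTBEAT_MISS_LIMIT:
        reasons.append(f"heartbeat: {missed} consecutive messages unanswered")
    return reasons


def should_failover(state):
    return bool(failover_reasons(state))


if __name__ == "__main__":
    # Constructed sample: one link down and three missed heartbeats -> two triggers fire
    degraded = HaPeerState({"ethernet1/1": True, "ethernet1/2": False},
                           {"10.0.0.1": True}, [True, False, False, False])
    for reason in failover_reasons(degraded):
        print(reason)
```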

Palo Alto Networks User-ID Questions and Answers

  • What is the default port for LDAP configuration?
    • LDAP uses TCP 389 for clear-text communication and TCP 636 for encrypted (LDAPS) communication using SSL.
  • What is a User-ID Agent in Palo Alto Networks Firewall?
    • The Palo Alto Networks Windows User-ID agent is a small agent that connects to Microsoft servers, i.e. Active Directory. The agent collects the login event logs from the Microsoft servers and forwards them to the Palo Alto Networks firewall. The firewall connects to this agent and retrieves the user-to-IP mapping information.
  • What is the port that Palo Alto Networks Firewall uses to connect with the User-ID Agent?
    • Palo Alto Networks Firewall uses TCP port 5007 to connect with the User-ID agent.
  • What are the authentication methods supported by Palo Alto Networks Firewall?
    • The Palo Alto Networks Firewall supports LDAP, RADIUS, TACACS+, SSO, and Kerberos.
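To make the User-ID answer concrete, here is a simplified model of the user-to-IP mapping table that an agent builds from login events and that the firewall queries. This is an added example, not the article's or Palo Alto Networks' code; the login event lines, the 45-minute mapping timeout, and the line format are all constructed assumptions, and a real agent reads Windows security event logs rather than this text format.

```python
"""Added example: a simplified user-to-IP mapping table built from login events.
The event lines and the timeout are constructed for this example."""
from datetime import datetime, timedelta

MAPPING_TIMEOUT = timedelta(minutes=45)  # assumed mapping lifetime for this example

# Constructed sample login events: "<ISO timestamp> <DOMAIN\\user> <client IP>"
SAMPLE_EVENTS = """\
2023-05-01T09:00:00 CORP\\alice 10.1.1.10
2023-05-01T09:05:00 CORP\\bob 10.1.1.20
2023-05-01T09:30:00 CORP\\carol 10.1.1.10
"""


class UserIdMapping:
    """Holds ip -> (user, expiry); the most recent login on an IP wins."""

    def __init__(self, timeout=MAPPING_TIMEOUT):
        self.timeout = timeout
        self.table = {}

    def ingest(self, line):
        ts, user, ip = line.split()
        seen = datetime.fromisoformat(ts)
        # A newer login from the same IP replaces the earlier user (shared workstation,
        # DHCP reuse); stale attribution is the main User-ID failure mode to avoid.
        self.table[ip] = (user, seen + self.timeout)

    def ingest_log(self, text):
        for line in text.splitlines():
            if line.strip():
                self.ingest(line)

    def lookup(self, ip, now_iso):
        """Resolve an IP to a user at time now_iso; None if unknown or expired."""
        entry = self.table.get(ip)
        if entry is None:
            return None
        user, expiry = entry
        if datetime.fromisoformat(now_iso) >= expiry:
            del self.table[ip]  # expired: do not attribute traffic to a stale user
            return None
        return user


if __name__ == "__main__":
    mapping = UserIdMapping()
    mapping.ingest_log(SAMPLE_EVENTS)
    print(mapping.lookup("10.1.1.10", "2023-05-01T09:35:00"))  # CORP\carol
    print(mapping.lookup("10.1.1.20", "2023-05-01T10:00:00"))  # None (expired)
```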

Palo Alto Networks APP-ID Questions and Answers

  • What is APP-ID in Palo Alto Networks Firewall?
    • App-ID is the abbreviation for Application Identification. Palo Alto Networks firewalls provide full visibility of the applications that are being used in your environment.
    • Palo Alto Networks firewalls identify the application even if encryption or a custom port is used for the traffic.
  • How is an application identified on Palo Alto Networks Firewall?
    • First, the firewall checks whether the traffic is allowed or not. If the traffic is blocked by the Palo Alto Networks Firewall, no application is identified.
    • Next, signatures are applied to the allowed traffic to identify the application.
    • If we have configured a decryption policy for SSH/SSL, the firewall decrypts the traffic and applies the signatures again to determine the application.
    • For tunneling applications, decoders for known protocols are applied to correctly identify the application.
    • If the application is still not identified, the firewall uses heuristics or behavioral methods to identify it.
  • Is it possible to create custom applications on Palo Alto Networks Firewall?
    • Yes, you can define your own custom applications by navigating to Object > Application.
  • How are the latest applications delivered to the firewall?
    • New as well as modified App-IDs are delivered to the firewall as part of the Applications and Threats content updates.

Palo Alto Networks Content ID Questions and Answers

  • What do you mean by Content-ID in Palo Alto Networks Firewall?
    • Content-ID is the threat prevention mechanism in Palo Alto Networks Firewall. Content-ID provides real-time threat prevention along with URL Filtering.
    • Content-ID provides:
      • Real-time prevention from known and unknown threats
      • URL Filtering
      • Prevention of unauthorized file transfers
  • What do you mean by Security Profiles in Palo Alto Networks Firewall?
    • Security Profiles help us scan the allowed traffic for threats such as viruses, malware, exploits (IPS), DoS, etc. The following security profiles are available:
      • Antivirus
      • Anti-Spyware
      • Vulnerability Protection
      • URL Filtering
      • Data Filtering
      • File Blocking
      • WildFire
  • What is WildFire in Palo Alto Networks Firewall?
    • WildFire is a sandboxing solution for Palo Alto Networks firewalls that provides threat prevention against zero-day attacks in near real time. WildFire takes approximately 5-10 minutes to return a verdict for an unknown file.
  • How do you define the size limit for unknown files that need to be sent to WildFire?
    • To set the limit for WildFire, navigate to Device > Setup > WildFire > General Settings and configure the new limits. However, Palo Alto Networks recommends keeping the default file size limits.

Palo Alto Networks Routing Questions and Answers

  • What do you mean by Virtual Router in Palo Alto Networks Firewall?
    • The Virtual Router is the component of Palo Alto Networks Firewall that is responsible for Layer 3 routing. We can define static routes manually or run dynamic routing protocols to learn the routing information.
  • What are the dynamic routing protocols supported by Palo Alto Networks Firewalls?
    • Palo Alto Networks firewalls support RIP, OSPF, and BGP. However, they do not support EIGRP.
  • How can you define a Static Route in Palo Alto Networks Firewall?
    • To define a static route, navigate to Network > Virtual Router, select the Virtual Router, click on Static Routes, and click Add.
  • How can you define routes through a different virtual router?
    • Sometimes, we use different virtual routers for different interfaces. In that case, if we need to forward traffic to a different virtual router, we select the Next-VR option as the Next Hop in the static route configuration.

General Palo Alto Networks Firewall Questions and Answers

  • What are the 6 tuples that the Palo Alto Networks firewall uses to store session information?
    • Source address
    • Destination address
    • Source port
    • Destination port
    • Protocol
    • Security zone

Palo Alto Networks – Panorama Interview Questions and Answers

  • What is Panorama?
    • Panorama is the centralized management solution from Palo Alto Networks. It centrally manages Palo Alto Networks firewalls and cloud solutions, i.e. Prisma Access, and collects the logs from them.
  • What are the hardware models of Panorama?
    • M-200
    • M-300
    • M-600
    • M-700
  • What are the three modes of Panorama?
    • Management Only Mode
    • Log Collector Mode
    • Panorama Mode
  • Which Panorama mode supports only log collection and doesn’t have a GUI?
    • Log Collector Mode
  • What is the port connectivity requirement to integrate a Palo Alto Networks Firewall with Panorama?
    • TCP/3978
  • Describe the steps to integrate a Palo Alto Networks Firewall with Panorama.
    • Copy the serial number of the Palo Alto Networks firewall from the Dashboard.
    • Navigate to Panorama > Device Management > Summary, click Add, and paste the serial number of the Palo Alto Networks firewall.
    • Commit to Panorama and wait until the firewall shows as connected in the Panorama summary.
    • Finally, import the configuration from the Palo Alto Networks firewall.
  • What do you mean by device groups and templates?
    • Device groups are groups created on Panorama that are used to store the Policy & Objects related configuration of the Palo Alto Networks firewalls.
    • Templates are used to store the Network & Device tab configuration of the Palo Alto Networks firewalls.

Summary

In this article, we have discussed the top 50 questions that are commonly asked during a Palo Alto Networks Firewall interview. If you are going to interview for a Palo Alto Networks Firewall role, I would recommend you go through all of the above questions. If you would like us to cover any other topic, just let us know in the comment box!

Hope you loved this article. Please share it with your friends and show us some love 🙂
