Q1. Why is Palo Alto Networks' product called a next-generation firewall?
A next-generation firewall (NGFW) is application aware: it makes policy decisions based on the application, the user and the content, rather than on ports and IP addresses alone. Its natively integrated design simplifies operation and improves security. Given its success, the term NGFW has become almost synonymous with "firewall".
Q2. Explain about Single pass and Parallel Processing architecture?
Palo Alto Networks next-generation firewalls are based on a unique Single Pass Parallel Processing (SP3) Architecture – which enables high-throughput, low-latency network security, even while incorporating unprecedented features and technology. Palo Alto Networks solves the performance problems that plague today’s security infrastructure with the SP3 architecture, which combines two complementary components: Single Pass software and Parallel Processing hardware. The results is the perfect mix of raw throughput, transaction processing and network security that today’s high performance networks require.
This Single Pass traffic processing enables very high throughput and low latency – with all security functions active. It also offers the additional benefit of a single, fully integrated policy, enabling simple, easier management of enterprise network security. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups that work in harmony to perform several critical functions.
Q3. How does Panorama handle incoming logs when it reaches its maximum storage capacity?
When log storage reaches maximum capacity, Panorama automatically purges the oldest logs to make space for new ones.
Q4. A network design change requires an existing firewall to fetch Palo Alto Networks updates from a data plane interface address instead of the management interface. Which configuration setting needs to be modified?
The service route configuration (Device > Setup > Services > Service Route Configuration). Customize the service route for the Palo Alto Networks update service so that its source is the data plane interface and address instead of the management interface.
Q5. Which addresses and zones must a security policy rule use for traffic that a NAT policy applies to?
NAT Policy Rule Functionality
Upon ingress, the firewall inspects the packet and does a route lookup on the original destination to determine the egress interface and zone. It then checks whether the packet matches one of the defined NAT rules, based on the source and/or destination zone. Finally it evaluates and applies the security policies that match the packet, using the original (pre-NAT) source and destination addresses but the post-NAT zones. So the security policy rule must reference the pre-NAT addresses together with the post-NAT destination zone; a rule written with the translated address will never match.
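A small simulation of that evaluation order, added here as an illustration (it is not Palo Alto Networks code); the zones, prefixes, rule names and addresses are constructed. It shows why a security rule written with the post-NAT (translated) address never matches, while one written with the pre-NAT address and the post-NAT zone does.

```python
# Added example (not Palo Alto Networks code): a toy model of the evaluation
# order described above. Zones, addresses and rule names are constructed.
import ipaddress
from dataclasses import dataclass

# Constructed routing table: prefix -> egress zone (longest prefix wins)
ROUTES = {
    "10.1.0.0/16": "trust",
    "0.0.0.0/0": "untrust",
}


def egress_zone(dst_ip):
    """Route lookup: return the zone of the longest matching prefix."""
    ip = ipaddress.ip_address(dst_ip)
    best_net, best_zone = None, None
    for prefix, zone in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_zone = net, zone
    return best_zone


@dataclass
class NatRule:
    name: str
    from_zone: str
    to_zone: str         # zone found by the route lookup on the ORIGINAL destination
    dst_ip: str          # original (pre-NAT) destination address
    translated_dst: str  # post-NAT destination address


@dataclass
class SecurityRule:
    name: str
    from_zone: str
    to_zone: str         # POST-NAT zone
    src_ip: str          # pre-NAT source ("any" allowed)
    dst_ip: str          # pre-NAT destination ("any" allowed)
    action: str


def evaluate(packet, nat_rules, sec_rules):
    """Return (nat_rule, security_rule, action) for a packet dict with keys
    ingress_zone, src and dst. Unmatched traffic hits the implicit interzone deny."""
    # 1. Route lookup on the original destination -> zone used for NAT matching
    pre_nat_zone = egress_zone(packet["dst"])
    # 2. First NAT rule matching the original zones and destination
    nat_hit = next((r for r in nat_rules
                    if r.from_zone == packet["ingress_zone"]
                    and r.to_zone == pre_nat_zone
                    and r.dst_ip == packet["dst"]), None)
    # 3. Route lookup on the translated destination -> post-NAT zone
    post_dst = nat_hit.translated_dst if nat_hit else packet["dst"]
    post_nat_zone = egress_zone(post_dst)
    # 4. Security policy is matched on pre-NAT addresses but post-NAT zones;
    #    packet["dst"] is still the original address at this point.
    for s in sec_rules:
        if (s.from_zone == packet["ingress_zone"] and s.to_zone == post_nat_zone
                and s.src_ip in ("any", packet["src"])
                and s.dst_ip in ("any", packet["dst"])):
            return (nat_hit.name if nat_hit else None, s.name, s.action)
    return (nat_hit.name if nat_hit else None, None, "deny")


# Constructed scenario: public 203.0.113.10 is destination-NATed to web server 10.1.1.10
NAT_RULES = [NatRule("inbound-web", "untrust", "untrust", "203.0.113.10", "10.1.1.10")]
PACKET = {"ingress_zone": "untrust", "src": "198.51.100.5", "dst": "203.0.113.10"}

# Correct: pre-NAT destination address, post-NAT destination zone
SEC_CORRECT = [SecurityRule("allow-web", "untrust", "trust", "any", "203.0.113.10", "allow")]
# Common mistake: the post-NAT (internal) address in the security rule
SEC_WRONG = [SecurityRule("allow-web", "untrust", "trust", "any", "10.1.1.10", "allow")]

if __name__ == "__main__":
    print(evaluate(PACKET, NAT_RULES, SEC_CORRECT))  # ('inbound-web', 'allow-web', 'allow')
    print(evaluate(PACKET, NAT_RULES, SEC_WRONG))    # ('inbound-web', None, 'deny')
```

The NAT rule's destination zone is the one the route lookup returns for the public address (untrust here, because the default route points there), while the security rule's destination zone is the one the translated address lives in (trust); the destination address in the security rule stays the public one.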
Q6. An administrator is finding it hard to manage multiple Palo Alto Networks NGFWs. What solution should he use to simplify management and control the firewalls centrally from a single source?
Panorama. It is the centralized management system that provides global visibility and control over multiple Palo Alto Networks next-generation firewalls through a single web-based interface, so policies, device settings and logs can be managed and viewed from one place.
Q7. A new customer wants to set up a new firewall to process 10 Gbps of traffic. Which firewall models could be recommended to the customer?
The PA-5050, rated at 10 Gbps, or the PA-5060 (up to 20 Gbps) if headroom is required.
Q8. What is a Zone Protection profile?
A Zone Protection profile configures protection against floods (SYN, UDP, ICMP and other IP floods), reconnaissance (port and host sweeps), packet-based attacks (malformed or spoofed packets) and non-IP protocols. Apply a Zone Protection profile to each zone to defend it based on the aggregate traffic entering that ingress zone; the profile acts on the zone as a whole, not on individual sessions or sources.
Q9. What happens when a URL matches multiple patterns (multiple custom URL filtering categories and the allow/block lists) within a URL filtering profile?
When a URL matches multiple categories, the category chosen is the one with the most severe action, in this order from most to least severe: block, override, continue, alert, allow.
For example, if *.yahoo.com exists in both MyAlertList and MyBlockList within the same URL filtering profile and the URL is www.yahoo.com, the action will be "block" and the category name will be "MyBlockList". This mirrors the original behaviour between the allow-list and the block-list: if a URL matches both, the block-list is checked BEFORE the allow-list.
The priority for URL filtering is:
1. block list
2. allow list
3. custom categories
4. pre-defined categories
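A resolver that applies exactly these precedence rules, added here as an illustration (it is not PAN-OS code); the category names and URL patterns are constructed, and the built-in default category a real firewall falls back to when nothing matches is not modelled.

```python
# Added example (not PAN-OS code): resolver for the precedence rules above.
# Category names and URL patterns are constructed.
from fnmatch import fnmatchcase

# Severity order from the text: block is most severe, allow least severe
SEVERITY = ["block", "override", "continue", "alert", "allow"]


def url_matches(pattern, host):
    """'*.yahoo.com' matches www.yahoo.com; plain entries must match exactly."""
    return fnmatchcase(host, pattern)


def most_severe(hits):
    """Pick the (category, action) whose action is earliest in SEVERITY."""
    return min(hits, key=lambda hit: SEVERITY.index(hit[1]))


def resolve(host, profile):
    """Return (category_name, action) for host under a URL Filtering profile.

    profile keys: block_list, allow_list (lists of patterns),
    custom and predefined (dicts: category name -> (patterns, action))."""
    # 1. block-list is checked first and wins outright
    if any(url_matches(p, host) for p in profile.get("block_list", [])):
        return ("block-list", "block")
    # 2. allow-list
    if any(url_matches(p, host) for p in profile.get("allow_list", [])):
        return ("allow-list", "allow")
    # 3. custom categories: several may match; the most severe action wins
    # 4. pre-defined categories: same tie-break, only consulted if no custom match
    for tier in ("custom", "predefined"):
        hits = [(name, action)
                for name, (patterns, action) in profile.get(tier, {}).items()
                if any(url_matches(p, host) for p in patterns)]
        if hits:
            return most_severe(hits)
    return (None, None)  # no match at all; the firewall's default category is not modelled


# Constructed profile reproducing the *.yahoo.com example from the text
PROFILE = {
    "block_list": [],
    "allow_list": [],
    "custom": {
        "MyAlertList": (["*.yahoo.com"], "alert"),
        "MyBlockList": (["*.yahoo.com"], "block"),
        "MyContinueList": (["*.example.net"], "continue"),
    },
    "predefined": {
        "web-mail": (["*.yahoo.com", "*.example.net"], "allow"),
        "social-networking": (["*.example.org"], "alert"),
    },
}

if __name__ == "__main__":
    print(resolve("www.yahoo.com", PROFILE))     # ('MyBlockList', 'block')
    print(resolve("mail.example.net", PROFILE))  # ('MyContinueList', 'continue')
    print(resolve("www.example.org", PROFILE))   # ('social-networking', 'alert')
```

Note that the predefined "web-mail" category would allow www.yahoo.com, but it is never consulted because a custom category already matched; the tiers are strictly ordered and the severity tie-break only applies within one tier.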
Q10. What is the difference between User-ID, App-ID and Content-ID?
User-ID: User-ID integrates Palo Alto Networks next-generation firewalls with a wide range of user repositories and terminal services environments so that policy can be written and logged by user and group rather than by IP address. Depending on the network environment, a user's identity can be mapped to an IP address in several ways, including authentication events, user authentication (Captive Portal), terminal services monitoring, client probing, directory services integration, a syslog listener and the XML API.
App-ID: App-ID identifies the applications on the network regardless of port, protocol or encryption, and shows how they work, their behavioural characteristics and their relative risk. Used together with User-ID, it shows exactly who is using an application based on identity, not just an IP address.
Content-ID: Content-ID is a real-time threat prevention engine, combined with a comprehensive URL database and elements of application identification, used to limit unauthorized data and file transfers, detect and block exploits, malware and malware command-and-control traffic, and control unapproved web browsing.
The application visibility and control of App-ID, coupled with the content inspection enabled by Content-ID, empowers your IT team to regain control over your application traffic and related content.