Difference between Palo Alto NGFW and Checkpoint UTM ?

Palo Alto Firewall follows Single pass parallel processing 

and

Checkpoint UTM follows Multi pass architecture process

Why Palo Alto is being called as next generation firewall ?

 Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. 

Palo Alto Networks delivers all the next generation firewall features using the single platform, parallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features. 

Palo Alto NGFW different from other venders in terms of Platform, Process and architecture

Plao Alto Interview Questions and Answers

 1. Why Palo Alto is being called as next generation firewall ?

Ans: Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all the next generation firewall features using the single platform, parallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features. Palo Alto NGFW different from other venders in terms of Platform, Process and architecture

2. Difference between Palo Alto NGFW and Checkpoint UTM  ?

PA follows Single pass parallel processing while UTM follows Multi pass architecture process

3. Describe about Palo Alto architecture and advantage ?

Architecture- Single Pass Parallel Processing (SP3) architecture

Advantage: This Single Pass traffic processing enables very high throughput and low latency – with all security functions active.  It also offers single, fully integrated policy which helps simple and easier management of firewall policy.

4. Explain about Single Pass and Parallel processing architecture ?

Single Pass : The single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once.  Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once and in a stream-based fashion to avoid latency introduction.

Parallel Processing :   PA designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions.

• Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware
• User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
• Content-ID content analysis uses dedicated, specialized content scanning engine
• On the controlplane, a dedicated management processor (with dedicated disk and RAM) drives the configuration management, logging, and reporting without touching data processing hardware.

5. Difference between PA-200,PA-500 and higher models ?

In PA-200 and PA-500, Signature process and network processing implemented on software while higher models have dedicate hardware processer

6. What are the four deployment mode and explain ?

1. Tap Mode : Tap mode allows you to passively monitor traffic flow across network by way of tap or switch SPAN/mirror port
2. Virtual wire : In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together
1. Layer 2 mode : multiple interfaces can be configured into a “virtual-switch” or VLAN in L2 mode.
2. Layer 3 Deployment : In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

7. What you mean by Zone Protection profile ?

Zone Protection Profiles offer protection against most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:

-Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.

-Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.

-Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.

Configured under Network tab -> Network Profiles -> Zone protection.

8. What is u-turn NAT and how to configure ?

U-turn NAT is applicable when internal resources on trust zone need to access DMZ resources using public IP addresses of Untrust zone.

Let’s explain based on below scenario.

In above example, the website company.com (192.168.10.20) statically NAT’ed with public IP address 81.23.7.22 on untrusted zone. Users in the corporate office on the 192.168.1.0/24 segment need to access the company webpage. Their DNS lookup will resolve to the public IP in the Internet zone. The basic destination NAT rules that provide internet users access to the web server will not work for internal users browsing to the public IP .

Following are the NAT rule and policy definition.

  Next Page

Enjoyed Reading.? If you found the above contents useful and easily understandable, you can download a bundle of most frequently asked interview question and answers via the below link. We are sure it will help you increase your confidence in Palo Alto and will help you in tackling the interviews with positive results.Please click below link (you will be re-directed to the payment gateway  – Instamojo) to Download PDF for less than 6 USD (INR 400). This contains 45 + Most frequently asked PA interview question on the following topics with detailed explanation.

• Question from VPN setup and troubleshooting
• Migration of ASA into PA
• Questions from AppID and Vulnerability Protection
• PA Best practices
• Other Hot questions and explanation

1. How to publish internal website to internet. Or how to perform destination NAT ?

To publish internal website to outside world, we would require destination NAT and policy configuration. NAT require converting internal private IP address in to external public IP address. Firewall policy need to enable access to internal server on http service from outside .We can see how to perform NAT and policy configuration with respect to following scenario

Provide the access to 192.168.10.100 through the public IP address 64.10.11.10 from internet

Following NAT and policy rules need to be created.

NAT:-> Here we need to use pre-NAT configuration to identify zone. Both source and destination Zone should be Untrust-L3 as source and destination address part of un trust zone

Policy-> Here we need to use Post-NAT configuration to identify zone. The source zone will be Untrust-L3 as the source address still same 12.67.5.2 and the destination zone would be Trust-L3 as the translated IP address belongs to trust-l3 zone.

We have to use pre-NAT IP address for the source and destination IP address part on policy configuration. According to packet flow, actual translation is not yet happen, only egress zone and route look up happened for the packet. Actual translation will happen after policy lookup . Please click here to understand detailed packet flow in PA firewall.  Just remember the following technique so it will be easy to understand

In firewall rule,

Zone: Post NAT

IP address: Pre NAT

In NAT rule,

Zone: Pre NAT

Final Configuration looks like below:

2. What is Global Protect ?

GlobalProtect provides a transparent agent that extends enterprise security Policy to all users regardless of their location. The agent also can act as Remote Access VPN client.  Following are the component

Gateway : This can be or more interface on Palo Alto firewall which provide access and security enforcement for traffic from Global Protect Agent

Portal: Centralized control which manages gatrway, certificate , user authentication and end host check list

Agent : software on the laptop that is configured to connect to the GlobalProtect deployment.

3. Explain about virtual system ?

A virtual system specifies a collection of physical and logical firewall interfaces and security zones.Virtual system allows to segmentation of security policy functionalities like ACL, NAT and QOS. Networking functions including static and dynamic routing are not controlled by virtual systems. If routing segmentation is desired for each virtual system, we should have an additional virtual router.

4.Explain about various links used to establish HA or HA introduction ?

PA firewall use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports—Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.

Control Link :  The HA1 links used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, User-ID information and synchronize configuration . The HA1 should be layar 3 interface which require an IP address

Data Link : The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. The HA 2 is a layer 2 link

Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup links IP address must be on different subnet from primary HA links.

Packet-Forwarding Link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow.

4. What protocol used to exchange heart beat between HA ?

ICMP

5. Various port numbers used in HA ?

HA1: tcp/28769,tcp/28260 for clear text communication ,tcp/28 for encrypted communication

HA2: Use protocol number 99 or UDP-29281

6. What are the scenarios for fail-over triggering ?

->if one or more monitored interfaces fail

->if one or more specified destinations cannot be pinged by the active firewall

->if the active device does not respond to heartbeat polls (Loss of three consecutive heartbeats over period of 1000 milliseconds)

7. How to troubleshoot HA using CLI ?

>show high-availability state : Show the HA state of the firewall

>show high-availability state-synchronization : to check sync status

>show high-availability path-monitoring : to show the status of path monitoring

>request high-availablity state suspend : to suspend active box and make the current passive box as active

8. which command to check the firewall policy matching for particular destination ?

>test security-policy-match from trust to untrust destination <IP>

9.Command to check the NAT rule ?

>test nat-policy-match

10. Command to check the system details ?

>show system info  // It will show management IP , System version and serial number

11. How to perform debug in PA ?

Following are the steps

Clear all packet capture settings

>debug dataplane packet-diag clear all

set traffic matching condition

> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on

Enable packet capture

> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on

What is ITIL? Explain?

ITIL, formerly an acronym for Information Technology Infrastructure Library, is a set of practices for IT Service Management (ITSM) that focuses on aligning IT services with the needs of business.

OR

ITIL is an integrated set of best-practice processes for delivering IT services to customers. The primary focus is to maximize value to customers (the business) by aligning IT resources with business needs. 

Since V3, ITIL has been narrowed down to 5 “lifecycle” phases:

1. Service Strategy – focusing on understanding customer needs, directions, requirements, helping improve IT over time
2. Service Design – focusing on turning strategies for services into a detailed Service description, not just the technology.
3. Service Transition – focusing on building, validating, and delivering new and changed services to customers
4. Service Operations – focusing on the day-to-day care and feeding of services
5. Continual Service Improvement – focusing on identifying and managing incremental improvements to services

One of the reasons for ITIL’s widespread adoption is the active involvement of a global and diverse community of IT professionals, consultants, trainers, and professional organizations.

DETAILED DESCRIPTION FROM WIKI :

1) Service strategy

The center and origin point of the ITIL Service Lifecycle, the ITIL Service Strategy (SS) volume,^[5] provides guidance on clarification and prioritization of service-provider investments in services. More generally, Service Strategy focuses on helping IT organizations improve and develop over the long term. In both cases, Service Strategy relies largely upon a market-driven approach. The Service Strategy lifecycle stage is often considered as the core of the service lifecycle. In Service Strategy stage, the strategic approach for the whole lifecycle is identified to provide values to the customers through IT service management. Key topics covered include service value definition, business-case development, service assets, market analysis, and service provider types. List of covered processes:

• Strategy management for IT Services
• Service portfolio management
• Financial management for IT services
• Demand management
• Business relationship management

For candidates in the ITIL Intermediate Capability stream, the Service Offerings and Agreements (SOA) Qualification course and exam are most closely aligned to the Service Strategy (SS) Qualification course and exam in the Lifecycle stream.

2) Service design

The Service Design (SD) volume^[6] provides good-practice guidance on the design of IT services, processes, and other aspects of the service management effort. Significantly, design within ITIL is understood to encompass all elements relevant to technology service delivery, rather than focusing solely on design of the technology itself. As such, service design addresses how a planned service solution interacts with the larger business and technical environments, service management systems required to support the service, processes which interact with the service, technology, and architecture required to support the service, and the supply chain required to support the planned service. Within ITIL, design work for an IT service is aggregated into a single Service Design Package (SDP). Service design packages, along with other information about services, are managed within the service catalogues.

List of covered processes:

1. Design coordination
2. Service catalogue management
3. Service-level management
4. Availability management
5. Capacity management
6. IT service continuity management
7. Security management
8. Supplier management

A model used to help define roles and responsibilities in service design is a RACI matrix (Responsible, Accountable, Consulted and Informed).

3) Service transition

Service transition (ST), as described by the ITIL service transition volume,^[7] relates to the delivery of services required by a business into live/operational use, and often encompasses the "project" side of IT rather than business as usual (BAU). This area also covers topics such as managing changes to the BAU environment.

List of ITIL processes in service transition:

1. Transition planning and support
2. Change management
3. Service asset and configuration management
4. Release and deployment management
5. Service validation and testing
6. Change evaluation
7. Knowledge management

4) Service operation

Service Operation (SO) aims to provide best practice for achieving the delivery of agreed levels of services both to end-users and the customers (where "customers" refer to those individuals who pay for the service and negotiate the SLAs). Service operation, as described in the ITIL Service Operation volume,^[8] is the part of the lifecycle where the services and value is actually directly delivered. Also the monitoring of problems and balance between service reliability and cost etc. are considered. The functions include technical management, application management, operations management and service desk as well as, responsibilities for staff engaging in Service Operation.

Processes

1. Event Management
2. Access Management
3. Request Fulfillment
4. Problem Management
5. Incident Management

Functions

1. Service Desk
2. Technical Management
3. Application Management
4. IT Operations Management

Service desk

The service desk is one of four ITIL functions and is primarily associated with the Service Operation lifecycle stage. Tasks include handling incidents and requests, and providing an interface for other ITSM processes. Features include:

• single point of contact (SPOC) and not necessarily the first point of contact (FPOC)
• single point of entry
• single point of exit
• easier for customers
• streamlined communication channel

Primary purposes of a service desk include:

• incident control: life-cycle management of all service requests
• communication: keeping a customer informed of progress and advising on workarounds

The service desk function can have various names, such as:

• Call center: main emphasis on professionally handling large call volumes of telephone-based transactions
• Help desk: manage, co-ordinate and resolve incidents as quickly as possible at primary support level
• Service desk: not only handles incidents, problems and questions but also provides an interface for other activities such as change requests, maintenance contracts, software licenses, service-level management, configuration management, availability management, financial management and IT services continuity management

The three types of structure for consideration:

• Local service desk: to meet local business needs – practical only until multiple locations requiring support services are involved
• Central service desk: for organizations having multiple locations – reduces operational costs^{[citation needed]} and improves usage of available resources
• Virtual service desk: for organizations having multi-country locations – can be situated and accessed from anywhere in the world due to advances^[when?] in network performance and telecommunications, reducing operational costs^{[citation needed]} and improving usage of available resources

5) Continual service improvement (CSI)

Continual service improvement, defined in the ITIL continual service improvement volume,^[9] aims to align and realign IT services to changing business needs by identifying and implementing improvements to the IT services that support the business processes. It incorporates many of the same concepts articulated in the Deming Cycle of Plan-Do-Check-Act. The perspective of CSI on improvement is the business perspective of service quality, even though CSI aims to improve process effectiveness, efficiency and cost effectiveness of the IT processes through the whole lifecycle. To manage improvement, CSI should clearly define what should be controlled and measured.

CSI needs upfront planning, training and awareness, ongoing scheduling, roles created, ownership assigned,and activities identified to be successful. CSI must be planned and scheduled as process with defined activities, inputs, outputs, roles and reporting. Continual Service Improvement and Application Performance Management (APM) are two sides of the same coin. They both focus on improvement with APM tying together service design, service transition, and service operation which in turn helps raise the bar of operational excellence for IT.^[13]

Improvement initiatives typically follow a seven-step process:

1. Identify the strategy for improvement
2. Define what you will measure
3. Gather the data
4. Process the data
5. Analyse the information and data
6. Present and use the information
7. Implement improvement