
1.

Could you clarify the various states of the HA Firewall?

Answer»

The HA states of a Palo Alto Networks firewall are:

  • Initial
  • Passive
  • Active
  • Active-primary
  • Active-secondary
  • Tentative
  • Non-functional
  • Suspended
2.

What is the maximum number of zones that an interface can be a part of?

Answer»

Security zones are the logical way the firewall groups physical and virtual interfaces so that traffic crossing particular interfaces can be controlled and logged. An interface must be assigned to a security zone before it can process traffic. Multiple interfaces of the same type (tap, Layer 2, Layer 3, or virtual wire) can be assigned to one zone, but an interface can belong to only one zone.

3.

What exactly is a wildfire? Could you give a basic description of how wildfire works?

Answer»

Finding and analysing malware by hand in order to protect a network is a slow process. WildFire is Palo Alto Networks' cloud-based malware analysis service that detects unknown files and threats and gives enterprises near-real-time protection and threat intelligence.

The WildFire analysis environment detects and blocks previously unknown malware by generating signatures that Palo Alto Networks firewalls use to detect and stop it. When a firewall identifies an unknown sample (a file, or a link included in an email), it can forward the sample to WildFire for analysis. WildFire classifies a sample as benign, grayware, phishing, or malicious based on the traits, behaviours, and activities it exhibits when examined and executed in the WildFire sandbox. WildFire then generates signatures to recognise the newly identified malware and makes the latest signatures available globally for retrieval. Malware first detected by a single firewall can therefore be blocked automatically by every Palo Alto Networks firewall that retrieves those signatures and compares incoming samples against them. The WildFire lifecycle runs from the moment a user downloads a file carrying an advanced VM-aware payload to the point where WildFire publishes a signature package that firewalls use to protect against future exposure.

4.

Can you tell me the default IP address, as well as the default login and password, for Palo Alto Firewall's administration port?

Answer»

The management (MGT) port's default IP address is 192.168.1.1, and the default username and password are both "admin". Because these defaults are public knowledge, change the admin password during initial setup, before the firewall is connected to a production network; recent PAN-OS releases require a password change at first login.

5.

How to perform policy match and connectivity tests from the web interface?

Answer»

From PAN-OS 9.0 onward, you can run policy match and connectivity tests from the web interface instead of the CLI. This lets you verify that traffic matches the security policy rules you expect (allowing or denying it as intended) and that the firewall can reach network resources and external services such as WildFire, Log Collectors, and the Update Server.

  1. Log in to the firewall's web interface.
  2. Go to Device > Troubleshooting to run a policy match or connectivity test.
  3. Select the test type and fill in the required fields (for a policy match: source and destination zones and addresses, protocol, destination port, and optionally application and user).
  4. Execute the test.
  5. Click the policy rule shown under Test Result to see the Result Details for the rule that matched the test criteria.
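The same policy-match test can be driven from a script through the PAN-OS XML API (type=op), which is how you would check a whole list of flows after a rulebase change. The example below is added here and is not code from the original page or from Palo Alto Networks. It assumes the op-command form of the CLI `test security-policy-match` (each CLI keyword becoming a nested XML element) and a response shaped like the constructed `SAMPLE_RESPONSE`; the exact response layout is an assumption. The hostname and API key are placeholders and no request is actually sent.

```python
"""Policy-match test over the PAN-OS XML API (added example, not Palo Alto code).

Assumes the XML API's op-command form of the CLI `test security-policy-match`
(each CLI keyword becomes a nested element) and a response shaped like the
constructed SAMPLE_RESPONSE below; the exact response layout is an assumption.
No request is actually sent.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_policy_match_cmd(from_zone, to_zone, src, dst, protocol, dport, app=None):
    """Build the <test><security-policy-match>...</security-policy-match></test> op command."""
    fields = [("from", from_zone), ("to", to_zone), ("source", src),
              ("destination", dst), ("protocol", protocol), ("destination-port", dport)]
    if app:
        fields.append(("application", app))
    body = "".join(f"<{k}>{escape(str(v))}</{k}>" for k, v in fields)
    return f"<test><security-policy-match>{body}</security-policy-match></test>"


def build_request(host, api_key, cmd):
    """Return (url, headers). The key goes in the X-PAN-KEY header rather than the
    query string, so it does not end up in proxy or web-server access logs."""
    url = f"https://{host}/api/?" + urllib.parse.urlencode({"type": "op", "cmd": cmd})
    return url, {"X-PAN-KEY": api_key}


# Constructed sample response for a flow that hit rule 3 of the rulebase.
SAMPLE_RESPONSE = """<response status="success"><result><rules>
<entry name="allow-web-out"><index>3</index><from>trust</from><to>untrust</to>
<source>10.1.1.0/24</source><destination>any</destination>
<application>web-browsing;ssl</application><action>allow</action></entry>
</rules></result></response>"""


def parse_policy_match(xml_text):
    """Return the matched rule as a dict, or None when no rule matched."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: " + ET.tostring(root, encoding="unicode"))
    entry = root.find("./result/rules/entry")
    if entry is None:
        return None
    return {
        "name": entry.get("name"),
        "index": int(entry.findtext("index")),
        "from": entry.findtext("from"),
        "to": entry.findtext("to"),
        "action": entry.findtext("action"),
        "applications": entry.findtext("application", "").split(";"),
    }


if __name__ == "__main__":
    cmd = build_policy_match_cmd("trust", "untrust", "10.1.1.5", "198.51.100.7", 6, 443, app="ssl")
    url, headers = build_request("fw.example.net", "REDACTED-API-KEY", cmd)
    print(url)
    print(parse_policy_match(SAMPLE_RESPONSE))
```

Zone names and addresses are XML-escaped before being embedded in the command, and the API key is sent as a header so that a test harness never leaks it into URL logs. A "no match" response simply yields `None`, which is the case a rulebase-regression script should flag loudly.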
6.

Can you find out which command is used to show the maximum size of the log file? Give a quick overview of how Panorama handles new logs once the storage limit has been reached.

Answer»

The command that shows the maximum log file (log database) size is: show system logdb-quota

When the log storage quota is reached, Panorama automatically deletes the oldest logs to make room for new records; no manual intervention is needed, but the quota should be sized against the expected logging rate and retention requirement, since once it is full the oldest evidence is the first to disappear.

7.

Can you tell me which virtualization platform fully supports Palo Alto network deployments?

Answer»

The Palo Alto Networks VM-Series firewall is the virtualised form factor for Palo Alto Networks deployments. It supports private and public cloud environments including VMware (ESXi and NSX), KVM, OpenStack, Cisco ACI, Amazon Web Services, Microsoft Azure, Google Cloud Platform, and others.

8.

What functionalities does Palo Alto support when it's in virtual wire mode?

Answer»

In virtual wire mode, the firewall supports App-ID, Content-ID, User-ID, Decryption, and NAT. The virtual wire has no IP or MAC address of its own and does not participate in routing or switching, so it is transparent to neighbouring devices.

9.

Mention the various port numbers used in HA?

Answer»

The port numbers used by HA are:

HA1 control link: TCP 28769 and TCP 28260 for clear-text communication between the HA peers. The HA1 link is a Layer 3 link and requires an IP address.

HA1 control link (encrypted): TCP 28 when encryption is enabled on HA1 (SSH over TCP) between the HA peers.

HA1 backup link: TCP 28770 as the listening port.

Heartbeat backup: TCP 28771. If you use an in-band port for the HA1 or HA1 backup link, Palo Alto Networks recommends enabling heartbeat backup on the MGT interface.

HA2 data link: IP protocol 99 or UDP 29281. The HA2 link synchronises sessions, forwarding tables, IPSec security associations, and ARP tables between the firewalls in an HA pair. Data flow on the HA2 link is always unidirectional (apart from the HA2 keep-alive): from the active firewall (active/passive) or active-primary firewall (active/active) to the passive or active-secondary firewall. The HA2 link is a Layer 2 link and uses Ethertype 0x7261 by default.

The HA2 data link can also be configured to use IP (protocol number 99) or UDP (port 29281) as the transport, which allows it to cross subnets.

10.

What are Backup Links?

Answer»

Backup links provide redundancy for the HA1 and HA2 links. When dedicated backup ports are not available, in-band ports can be used as backup links for both HA1 and HA2. Keep the following in mind when configuring backup HA links:

  • The IP addresses of the primary and backup HA links must not overlap.
  • Backup HA links must be on a different subnet from the primary HA links.
  • The HA1 backup and HA2 backup links must be configured on separate physical ports. The HA1 backup link uses ports 28770 and 28260.
  • PA-3200 Series firewalls do not support IPv6 on the HA1 backup link; use an IPv4 address instead.
11.

Mention the various types of linkages used to establish HA or the HA introduction?

Answer»

There are four types of links used to set up HA:

  • HA1 or control link
  • HA2 or data link
  • Backup links (for HA1 and HA2)
  • Packet-forwarding link (HA3, used in active/active mode)
12.

In Palo Alto, what do you mean by endpoint security?

Answer»

Endpoints are frequently targeted in cybercrime, cyberespionage, and cyber warfare attacks. Endpoint security protects endpoints from malicious software. An endpoint is any computing device connected to a local or wide area network: desktop PCs, laptops, smartphones, servers, and even Internet-of-Things (IoT) devices are examples of endpoints.

Endpoint security solutions safeguard endpoints from cyber threats and unauthorised activity. They have progressed from traditional antivirus to a comprehensive set of defences against known and unknown malware, fileless attacks, exploits, and post-intrusion attack techniques. Because threat actors often use an endpoint as the entry point into an organisation's network, endpoint security solutions are frequently able to isolate a compromised endpoint so that an attack cannot spread to other endpoints.

13.

What is GlobalProtect in Palo Alto?

Answer»

GlobalProtect is a client application that runs on your endpoint (desktop, laptop, tablet, or smartphone) and protects it with the same security policy that protects the corporate network. It builds an encrypted VPN tunnel (IPsec, with SSL as fallback) to a GlobalProtect gateway, so you can reach your company's resources from anywhere while the firewall applies App-ID, User-ID, and threat inspection to that traffic.

14.

What is the procedure for adding a licence to the Palo Alto Firewall?

Answer»

You must activate the licences for each service you purchased before the firewall can use them to protect network traffic.

  • Locate the licence activation codes you purchased.
    • Palo Alto Networks customer care sends an email with the activation codes for each subscription when you purchase them. If you cannot find this email, contact Customer Support to obtain your activation codes before continuing.
  • Activate your Support subscription. Without a valid Support licence you cannot upgrade the PAN-OS software.
    • Log in to the web interface and select Device > Support.
    • Select Activate support using authorization code.
    • Enter your Authorization Code and click OK.
  • Activate each licence you bought. Select Device > Licenses, then activate your licences and subscriptions using one of the following methods:
    • Retrieve license keys from the license server.
    • Activate the feature using an authorization code.
    • Manually upload a license key.
  • Verify that the licence has been activated.
    • Confirm on the Device > Licenses page that the licence is shown as valid (for example, the WildFire licence after it has been activated).
  • (WildFire subscriptions only) Commit the configuration to complete the WildFire subscription activation.
    • A commit is required before the firewall begins forwarding the advanced file types covered by a WildFire subscription.
15.

What are the possibilities for forwarding logs messages on the Palo Alto Firewall?

Answer»

Palo Alto Networks firewalls and Panorama support the following log forwarding options. Consider the logging capacity of your Panorama model and determine the Panorama log storage requirements before selecting an option.

  • Firewalls forward logs to Panorama, and Panorama forwards them to external services: this option suits deployments where the bandwidth between firewalls and external services is insufficient to sustain the logging rate, which is common when the links are remote. Offloading the forwarding to Panorama also reduces the load on the firewalls.
  • Firewalls forward logs to Panorama and to external services at the same time: Panorama and the external services are endpoints of separate log forwarding flows, so the firewalls do not rely on Panorama to deliver logs to external services. This option suits deployments where the links between firewalls and external services have enough bandwidth to sustain the logging rate, which is common when the links are local.
16.

What arethe advantages of Panorama in Palo Alto?

Answer»

Some of the benefits of Panorama are:

  • Distributed administration: you can control and delegate configuration and review of Palo Alto Networks firewalls across administrators.
  • Centralised configuration and deployment, using device groups and templates.
  • Log aggregation and centralised management for reporting and analysis.
  • A graphical view of the applications on the network, their users, and the associated security risk.
  • Analysis, investigation, and reporting on network traffic, security incidents, and administrative changes from a single location.
17.

How does an APP-ID work?

Answer»

App-ID identifies the applications on your network in the following way:

  • Traffic is first compared against policy to see whether it is permitted on the network at all.
  • Signatures are then applied to the permitted traffic to identify the application, based on application traits and transaction characteristics that are unique to it. The signature also determines whether the application is running on its default port. If the traffic is allowed by policy, it is inspected for threats and analysed further so that the application can be identified more precisely.
  • If App-ID detects encryption (SSL or SSH) and a Decryption policy rule is in place, the session is decrypted and application signatures are applied again to the decrypted flow.
  • Additional context-based signatures are applied by decoders for well-known protocols to detect other applications that may be tunnelling inside the protocol (for example, Yahoo! Instant Messenger over HTTP). Decoders also ensure that traffic follows the protocol standard, and they handle NAT traversal and dynamic pinhole opening for applications such as SIP and FTP.
  • Heuristics or behavioural analysis may be used to identify especially evasive applications that cannot be identified by signature and protocol analysis.

Once the application is known, the policy check decides whether to block it, or to allow it while scanning for threats, inspecting for unauthorised file transfers and data patterns, or shaping it with QoS.
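To make the stages above concrete, here is a toy classifier that runs them in order over a few constructed flows: zone policy pre-check, port-independent signature match, default-port check, an HTTP decoder that looks for a tunnelled application in the Host header, and an entropy heuristic for payloads no signature recognises. This is an added example, not Palo Alto Networks code, and nothing in it resembles the real App-ID signatures; the decryption stage is skipped because the sample flows are plaintext. The signatures, hostnames, zone pairs and flows are all constructed for the example.

```python
"""Simplified App-ID style classification pipeline (added example, not Palo Alto code).

Stages, in the order the page lists them: zone policy pre-check, port-independent
signature match on the payload, default-port check, a protocol decoder that looks
inside HTTP for a tunnelled application, and a heuristic fallback. Decryption is
skipped: the flows here are plaintext. Signatures, hostnames and flows are toy
values constructed for the example.
"""
import math
import re
from dataclasses import dataclass


@dataclass
class Flow:
    dst_port: int
    payload: bytes            # first bytes sent by the client
    src_zone: str = "trust"
    dst_zone: str = "untrust"


# (app, default ports, pattern over the start of the client payload)
SIGNATURES = [
    ("ssh", {22}, re.compile(rb"^SSH-2\.0-")),
    ("ssl", {443}, re.compile(rb"^\x16\x03[\x00-\x03]")),                 # TLS handshake record
    ("web-browsing", {80, 8080}, re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
]

# Decoder knowledge: applications recognised by the Host header inside HTTP
HTTP_TUNNELLED = {"messenger.example": "example-messenger", "update.example": "example-update"}

# Zone pairs the policy permits at all; everything else is denied before App-ID runs
ALLOWED_ZONE_PAIRS = {("trust", "untrust"), ("trust", "dmz")}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for random or encrypted data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def identify(flow):
    """Return (app, on_default_port), or ('deny', None) when the zone pair is not allowed."""
    # 1. policy pre-check on zones before any payload inspection
    if (flow.src_zone, flow.dst_zone) not in ALLOWED_ZONE_PAIRS:
        return "deny", None

    # 2. signatures run regardless of port; the port only says whether the app is where expected
    for app, default_ports, pattern in SIGNATURES:
        if pattern.match(flow.payload):
            on_default = flow.dst_port in default_ports
            # 4. protocol decoder: an HTTP flow may be carrying another application
            if app == "web-browsing":
                host = re.search(rb"\r\n[Hh]ost: *([^\r\n]+)", flow.payload)
                if host:
                    tunnelled = HTTP_TUNNELLED.get(host.group(1).decode(errors="replace").lower())
                    if tunnelled:
                        return tunnelled, on_default
            return app, on_default

    # 5. heuristics: an unrecognised, high-entropy stream is treated as an evasive/encrypted app
    if len(flow.payload) >= 64 and shannon_entropy(flow.payload) > 7.0:
        return "unknown-encrypted", False
    return "unknown-tcp", False


if __name__ == "__main__":
    for f in (Flow(22, b"SSH-2.0-OpenSSH_9.3\r\n"),
              Flow(8443, b"SSH-2.0-OpenSSH_9.3\r\n"),
              Flow(80, b"POST /chat HTTP/1.1\r\nHost: messenger.example\r\n\r\n"),
              Flow(4444, bytes(range(256)))):
        print(f.dst_port, identify(f))
```

The second flow is the case the page is making: SSH on port 8443 is still identified as ssh, and the `on_default_port` flag is what a policy could use to block an application that is hiding on an unexpected port.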

18.

What exactly is an APP-ID?

Answer»

App-ID is the short name for application identification, one of the core features of the Palo Alto Networks firewall. Its primary job is to identify the application carried by each session, independent of the port, protocol, encryption, or evasive technique in use.

App-ID lets you see and understand the applications on your network, including how they work, their behavioural characteristics, and their relative risk. App-ID, a patented traffic classification technology used only in Palo Alto Networks firewalls, determines what an application is regardless of port, protocol, encryption (SSH or SSL), or other evasive tactic. To identify applications accurately, it applies a combination of classification mechanisms (application signatures, application protocol decoding, and heuristics) to the traffic stream. This enables precise control, such as permitting only sanctioned Office 365 accounts, or allowing Slack for instant messaging but not for file transfer.

19.

What is Palo Alto's architectural style?

Answer»

Palo Alto Networks' next-generation firewalls are built on the Single-Pass Parallel Processing (SP3) architecture, which provides high-throughput, low-latency network protection while still applying the full set of inspection features.

The SP3 architecture combines two complementary components to address the performance problems that afflict security infrastructures built by chaining separate inspection engines:

  • Single Pass software: each packet is processed once for networking, policy lookup, App-ID, User-ID, and Content-ID, rather than being handed through separate scanning engines in sequence.
  • Parallel Processing hardware: a management plane separated from the data plane, with function-specific processing for networking, security, and signature matching running in parallel.

The result is the blend of raw throughput, transaction processing, and network security that today's high-performance networks require.

20.

In Palo Alto, what do HA, HA1, and HA2 mean?

Answer»
  • HA stands for High Availability, a Palo Alto Networks deployment model used to avoid a single point of failure. It consists of two firewalls configured as a synchronised pair; if one fails, the other continues to enforce the same security policy, so the business keeps operating without interruption.
  • HA uses two dedicated links: HA1, the control link, and HA2, the data link. These links synchronise configuration and runtime data and track the state of the peer.
  • The HA1 link carries hellos, heartbeats, and HA state information, as well as management-plane synchronisation for routing and User-ID information. The firewalls also use this link to synchronise configuration changes with their peer. HA1 is a Layer 3 link and requires an IP address.
  • The HA2 link synchronises sessions, forwarding tables, IPSec security associations, and ARP tables between the firewalls in the HA pair. Except for the HA2 keep-alive, data flow on the HA2 link is always unidirectional, from the active or active-primary firewall to the passive or active-secondary firewall. HA2 is a Layer 2 link and uses Ethertype 0x7261 by default.
21.

What is WAF (Web Application Firewall)?

Answer»

WAF stands for Web Application Firewall. Its purpose is to monitor web applications and protect them by filtering and inspecting HTTP traffic between the Internet and the application, blocking requests that match known attack patterns (for example injection or cross-site scripting) or that deviate from the application's expected behaviour.

Key features of a Web Application Firewall:

  • Designed to compensate for insecure coding practices: it is relevant to organisations that expose web applications and cannot assume their code is free of vulnerabilities.
  • Highly customised for each environment: it learns or is configured with how the web application should behave and intervenes when traffic deviates from that.
22.

What is the Application Command Centre (ACC)?

Answer»

The Application Command Center (ACC) provides an interactive graphical summary of the applications, users, URLs, threats, and content traversing your network. The ACC uses the firewall logs to provide visibility into traffic patterns and actionable threat information. The ACC interface offers a tabbed view of network activity, threat activity, and blocked activity, with relevant widgets on each tab for clearer visualisation of network traffic. The graphical representation lets you interact with the data and see the connections between network events, so you can spot anomalies and improve your security rules. You can also add a custom tab with the widgets that let you drill down into the information that matters most to you, for a more personalised picture of your network.

23.

What is a zone protection profile?

Answer»

A Zone Protection profile defends an ingress zone against three classes of attack: floods (SYN, ICMP, ICMPv6, UDP, and other IP floods), reconnaissance (TCP and UDP port scans and host sweeps), and packet-based attacks (for example oversized ICMP packets, ICMP fragments, and malformed or spoofed IP packets).

It is intended to provide broad protection at the ingress zone (the zone where traffic enters the firewall), rather than protecting a specific host or traffic destined for a specific zone. Only one Zone Protection profile can be attached to a zone. To protect specific targets, configure a DoS Protection policy (Policies > DoS Protection) that matches on a zone, interface, IP address, or user; it complements zone protection rather than replacing it.

Zone protection is measured in new connections per second (cps), not packets per second (pps), and it is consulted only when a packet has no matching session. A packet that matches an existing session bypasses zone protection entirely, so the profile limits session creation rather than the packet rate of established flows.
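The cps-versus-pps distinction is easiest to see by running a packet stream through a small model. The simulation below is an added example, not Palo Alto Networks code: it keeps a session table, lets packets that match an existing session through untouched, and counts only new SYNs against the three SYN-flood thresholds (alarm, activate, maximum) per ingress zone and second. Threshold values, addresses and the 650-packet stream are constructed; the exact actions a real profile takes at the activate rate (SYN cookies or random early drop) are simplified to a tag.

```python
"""Zone protection SYN-flood check in connections per second (added example, not Palo Alto code).

Models the two points above: a packet that matches an existing session bypasses
zone protection entirely, and the flood thresholds (alarm, activate, maximum)
count new connections per second, not packets per second. Threshold values,
addresses and the packet stream are constructed.
"""
from collections import defaultdict


class ZoneProtection:
    def __init__(self, alarm_cps, activate_cps, max_cps):
        self.alarm, self.activate, self.maximum = alarm_cps, activate_cps, max_cps
        self.sessions = set()                    # (src, sport, dst, dport)
        self.new_per_second = defaultdict(int)   # (ingress zone, whole second) -> new connections
        self.alarms = []                         # (zone, second, cps) when the alarm rate is exceeded

    def process(self, zone, ts, src, sport, dst, dport, syn):
        """Return 'session', 'allow', 'protect' or 'drop' for one packet."""
        key = (src, sport, dst, dport)
        if key in self.sessions:
            return "session"                     # existing session: zone protection not consulted
        if not syn:
            return "drop"                        # no session and not a SYN: stateful drop
        bucket = (zone, int(ts))
        self.new_per_second[bucket] += 1
        cps = self.new_per_second[bucket]
        if cps > self.maximum:
            return "drop"                        # above maximum rate: new connections are dropped
        if cps > self.activate:
            # at the activate rate the firewall starts SYN cookies or random early drop;
            # here the packet is only tagged and the session still forms
            self.sessions.add(key)
            return "protect"
        if cps > self.alarm:
            self.alarms.append((zone, int(ts), cps))
        self.sessions.add(key)
        return "allow"


def simulate():
    """650 packets in one second: 500 from an existing session, 150 new SYNs."""
    zp = ZoneProtection(alarm_cps=50, activate_cps=100, max_cps=120)
    zp.sessions.add(("198.51.100.9", 40000, "203.0.113.7", 443))  # pre-existing session
    verdicts = defaultdict(int)
    for i in range(500):   # data packets of the existing session: high pps, zero cps
        v = zp.process("untrust", 10.0 + i / 1000, "198.51.100.9", 40000, "203.0.113.7", 443, syn=False)
        verdicts[v] += 1
    for i in range(150):   # new connections from 150 distinct sources in the same second
        v = zp.process("untrust", 10.0 + i / 1000, f"198.51.100.{10 + i}", 1024 + i,
                       "203.0.113.7", 443, syn=True)
        verdicts[v] += 1
    return dict(verdicts), len(zp.alarms)


if __name__ == "__main__":
    print(simulate())   # the 500 session packets never touch the cps counters
```

The 500 data packets dominate the packet rate but contribute nothing to cps, while the 150 SYNs alone cross every threshold: 100 are allowed (50 of them raising alarms), 20 land in the protect band, and the last 30 exceed the maximum and are dropped.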

24.

Explain Active/passive and Active/Active modes in Palo Alto?

Answer»
  • Active/Passive:
    • One firewall actively handles traffic while the other is synchronised and ready to take over if the active one fails. Both firewalls use identical configuration settings in this mode, and one actively handles traffic until a path, link, system, or network failure occurs. When the active firewall fails, the passive firewall transitions to the active state and maintains network security by enforcing the same policy. Active/passive HA is supported in virtual wire, Layer 2, and Layer 3 deployments.
  • Active/Active:
    • Both firewalls in the pair are active and processing traffic, and they manage session setup and session ownership in a synchronised manner. Each firewall keeps its own session and routing tables and synchronises them with the other. Active/active HA is supported in virtual wire and Layer 3 deployments.
    • Consider the following differences when choosing between active/passive and active/active mode:
      • Active/passive mode is substantially easier to troubleshoot for routing and traffic flow issues because of its simpler design. Layer 2 deployment is supported in active/passive mode but not in active/active mode.
      • Active/active mode requires more advanced design, which can result in more complex networks. Depending on how you implement active/active HA, you may need additional configuration such as running routing protocols on both firewalls, replicating NAT pools, and deploying floating IP addresses. Because both firewalls process traffic, they perform Layer 7 content inspection using the concepts of session owner and session setup. Active/active mode is recommended when each firewall needs its own routing instance and you need full, real-time redundancy from both firewalls at all times. Because both firewalls are already processing traffic, active/active mode fails over faster and handles peak traffic flows better than active/passive mode.
25.

In Palo Alto, what is a U-turn NAT?

Answer»

U-turn NAT is the NAT configuration that lets internal users reach a server in the DMZ by its public (external) IP address, even though both the client and the server sit behind the same firewall. Because the public IP is routed toward the untrust zone, the NAT rule is written from the trust zone to the untrust zone (the pre-NAT destination zone), with the public address as the destination and the server's private address as the translated destination. The security policy, by contrast, is evaluated against the post-NAT destination zone, so it must allow traffic from trust to the DMZ zone. When the client and server are on the same subnet, source translation is added as well so that the server's replies return through the firewall rather than going directly to the client and breaking the session.
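The pre-NAT versus post-NAT zone mismatch is the part that trips people up, so here is the lookup sequence carried through on constructed addresses. This is an added example that models the PAN-OS order of operations (route lookup on the pre-NAT destination to pick the NAT rule's zone, then route lookup on the translated destination to pick the security policy's zone); it is not Palo Alto Networks code, and the routes, NAT rules and policy rules are invented for the example. An ordinary inbound rule from the untrust zone is included for contrast; that goes beyond the U-turn case in the text.

```python
"""U-turn NAT lookup walk-through (added example, not Palo Alto code).

Models the PAN-OS behaviour relevant to U-turn NAT: the NAT rule's destination
zone is the zone the *pre-NAT* destination routes to (untrust, because the
public IP routes toward the Internet), while the security policy is evaluated
against the *post-NAT* destination zone (dmz). Source translation makes the
server's reply come back through the firewall. All addresses and rules are
constructed for the example.
"""
import ipaddress

ROUTES = [  # (prefix, egress zone); longest prefix wins
    ("10.1.1.0/24", "trust"),
    ("172.16.1.0/24", "dmz"),
    ("0.0.0.0/0", "untrust"),
]

NAT_RULES = [  # first match wins; zones are compared on the pre-NAT packet
    {"name": "uturn-web", "from": {"trust"}, "to": "untrust", "dst": "203.0.113.10",
     "dst_xlat": "172.16.1.10", "src_xlat": "172.16.1.1"},     # hide client behind the dmz interface
    {"name": "inbound-web", "from": {"untrust"}, "to": "untrust", "dst": "203.0.113.10",
     "dst_xlat": "172.16.1.10", "src_xlat": None},
]

SECURITY_RULES = [  # matched on the post-NAT destination zone but the pre-NAT destination address
    {"name": "trust-to-dmz-web", "from": "trust", "to": "dmz", "dst": "203.0.113.10", "action": "allow"},
    {"name": "untrust-to-dmz-web", "from": "untrust", "to": "dmz", "dst": "203.0.113.10", "action": "allow"},
]


def zone_for(ip):
    """Route lookup: zone of the longest matching prefix."""
    addr = ipaddress.ip_address(ip)
    matches = [(ipaddress.ip_network(p), z) for p, z in ROUTES if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def process(src_ip, src_zone, dst_ip):
    """Return the NAT and policy decisions for the first packet of a new flow."""
    pre_nat_dst_zone = zone_for(dst_ip)                  # what the NAT rule's 'to' zone must be
    nat = next((r for r in NAT_RULES
                if src_zone in r["from"] and r["to"] == pre_nat_dst_zone and r["dst"] == dst_ip), None)
    new_dst = nat["dst_xlat"] if nat else dst_ip
    new_src = nat["src_xlat"] if nat and nat["src_xlat"] else src_ip
    post_nat_dst_zone = zone_for(new_dst)                # what the security rule's 'to' zone must be
    policy = next((r for r in SECURITY_RULES
                   if r["from"] == src_zone and r["to"] == post_nat_dst_zone and r["dst"] == dst_ip), None)
    return {
        "nat_rule": nat["name"] if nat else None,
        "nat_dst_zone": pre_nat_dst_zone,
        "policy_dst_zone": post_nat_dst_zone,
        "policy": policy["name"] if policy else None,
        "action": policy["action"] if policy else "deny",
        "translated": (new_src, new_dst),
    }


if __name__ == "__main__":
    print(process("10.1.1.50", "trust", "203.0.113.10"))      # U-turn: trust -> untrust (NAT), trust -> dmz (policy)
    print(process("198.51.100.7", "untrust", "203.0.113.10"))  # ordinary inbound DNAT for comparison
```

If the security rule had been written trust-to-untrust to "match the NAT rule", the internal client's request would be denied: the route lookup on the translated address lands in dmz, and that is the zone the policy sees.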

26.

What are the different failover scenarios?

Answer»

A failover is the event in which one firewall fails and its peer takes over the job of protecting traffic. A failover is triggered, for example, when a monitored metric on a firewall in the HA pair fails.

The scenarios that trigger a failover are:

  • Hello messages and heartbeat polling:
    • The firewalls use hello messages and heartbeats to verify that the peer is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to confirm the state of the firewall.
    • The heartbeat is an ICMP ping over the control link to the HA peer; the peer's reply confirms that the firewalls are connected and responding. The heartbeat interval defaults to 1000 milliseconds. A ping is sent every 1000 milliseconds, and after three consecutive heartbeat losses a failover occurs.
  • Link monitoring:
    • The physical interfaces to be monitored are grouped into a link group and their state (link up or link down) is tracked. A link group contains one or more physical interfaces. A firewall failure is declared when any or all of the interfaces in the group fail, depending on the configured condition. By default, if any link in the group goes down, the firewall sets its HA state to non-functional (or tentative in active/active mode) to indicate a monitored object failure.
  • Path monitoring:
    • Path monitoring checks the full network path to mission-critical IP addresses using ICMP pings. The ping interval defaults to 200 ms. An IP address is declared unreachable after 10 consecutive failed pings (the default), and a firewall failure is declared when any or all of the monitored IP addresses become unreachable, depending on the configured condition. By default, if any monitored IP address becomes unreachable, the firewall sets its HA state to non-functional (or tentative in active/active mode) to indicate a monitored object failure.
  • In addition to the triggers above, a failover happens when an administrator suspends the firewall or when preemption occurs.
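The three monitors differ in how many consecutive misses they tolerate and in whether a group fails on "any" or "all" members, and the resulting state depends on the HA mode. The class below is an added example, not Palo Alto Networks code, that encodes the defaults given above (1000 ms heartbeats, 3 losses; 200 ms path pings, 10 failures; any/all conditions; non-functional versus tentative) so you can feed it a sequence of constructed probe results and see exactly when the state flips.

```python
"""HA failover trigger monitor (added example, not Palo Alto code).

Encodes the three triggers listed above with the page's defaults: heartbeat every
1000 ms with failover after 3 consecutive losses; link groups whose condition is
'any' or 'all'; path monitoring with 200 ms pings declaring an IP unreachable
after 10 consecutive failures. The resulting state is 'non-functional' in
active/passive and 'tentative' in active/active. Probe results are constructed.
"""


class HAMonitor:
    HEARTBEAT_MS, HEARTBEAT_LOSS_LIMIT = 1000, 3
    PATH_PING_MS, PATH_FAIL_LIMIT = 200, 10

    def __init__(self, mode="active/passive", link_condition="any", path_condition="any"):
        if mode not in ("active/passive", "active/active"):
            raise ValueError(mode)
        self.mode = mode
        self.link_condition = link_condition    # 'any' or 'all' links in the group must be down
        self.path_condition = path_condition    # 'any' or 'all' monitored IPs must be unreachable
        self.heartbeat_misses = 0
        self.link_state = {}                    # interface -> True (up) / False (down)
        self.path_fail_count = {}               # monitored IP -> consecutive ping failures

    @classmethod
    def detection_time_ms(cls, kind):
        """Worst-case time from the start of a failure until the monitor declares it."""
        if kind == "heartbeat":
            return cls.HEARTBEAT_MS * cls.HEARTBEAT_LOSS_LIMIT
        if kind == "path":
            return cls.PATH_PING_MS * cls.PATH_FAIL_LIMIT
        raise ValueError(kind)

    def failed_state(self):
        return "tentative" if self.mode == "active/active" else "non-functional"

    def heartbeat(self, replied):
        """Record one heartbeat result; return True once the peer is considered down."""
        self.heartbeat_misses = 0 if replied else self.heartbeat_misses + 1
        return self.heartbeat_misses >= self.HEARTBEAT_LOSS_LIMIT

    def link(self, interface, up):
        """Record a link-state change for a monitored interface; return the HA state."""
        self.link_state[interface] = up
        down = sum(1 for s in self.link_state.values() if not s)
        failed = down > 0 if self.link_condition == "any" else down == len(self.link_state)
        return self.failed_state() if failed else "active"

    def path_ping(self, ip, replied):
        """Record one path-monitor ping result for an IP; return the HA state."""
        self.path_fail_count[ip] = 0 if replied else self.path_fail_count.get(ip, 0) + 1
        unreachable = sum(1 for c in self.path_fail_count.values() if c >= self.PATH_FAIL_LIMIT)
        failed = (unreachable > 0 if self.path_condition == "any"
                  else unreachable == len(self.path_fail_count))
        return self.failed_state() if failed else "active"


if __name__ == "__main__":
    m = HAMonitor(mode="active/active", link_condition="all")
    print(m.link("ethernet1/1", True), m.link("ethernet1/2", False), m.link("ethernet1/1", False))
    print("heartbeat detection", HAMonitor.detection_time_ms("heartbeat"), "ms;",
          "path detection", HAMonitor.detection_time_ms("path"), "ms")
```

A single successful probe resets the consecutive-failure counter, which is why a flapping link or lossy path that never misses three heartbeats or ten pings in a row will not trigger a failover on its own; tune the thresholds rather than the defaults if that is the failure mode you need to catch.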
27.

What is the purpose of Palo Alto AutoFocus?

Answer»

AutoFocus is Palo Alto Networks' cloud-based threat intelligence service. It helps analysts identify the attacks that matter most and respond to them quickly, without having to build and maintain their own analysis infrastructure.

AutoFocus draws on WildFire, the PAN-DB URL Filtering database, Unit 42 research, and third-party feeds (both closed and open-source intelligence). It makes that data searchable and layers statistics on top of it that highlight pervasive malware and reveal relationships between samples, campaigns, and adversaries.

Benefits:

  • Visibility into attacks by combining data from Palo Alto Networks' network, endpoint, and cloud intelligence sources.
  • Every threat is enriched with context from Unit 42 threat researchers.
  • A threat feed and APIs let analysts embed the intelligence in their own tools and gain a time advantage.
28.

In Palo Alto, what is the difference between virtual routers and virtual systems?

Answer»

Virtual routers:

  • A virtual router is the Layer 3 routing function built into the firewall. The firewall uses virtual routers to obtain routes to other subnets; you can configure static routes manually or participate in one or more Layer 3 routing protocols (dynamic routes).
  • You can also create multiple virtual routers (VRs), each with its own set of routes that are not shared with the others, which lets you configure different routing behaviour for different interfaces. Multiple virtual systems can share the same VR, and a virtual system can have multiple VRs.

Virtual systems:

  • Virtual systems (vsys) are separate, logical firewall instances within a single physical Palo Alto Networks firewall. A virtual system consists of physical and logical interfaces and subinterfaces, virtual routers, and security zones (including VLANs and virtual wires). You select each virtual system's deployment mode (any combination of virtual wire, Layer 2, or Layer 3).
  • Instead of running several firewalls, managed service providers and organisations can run a single pair of firewalls (for high availability) and let multiple virtual environments run on them. Each virtual system can act as its own firewall, with its own security policy, interfaces, and administrators. This lets you segment the management of all policies, reporting, and visibility capabilities the firewall provides, and logically separate physical networks by enabling virtual systems on the firewall.
29.

Is the firewall at Palo Alto stateful?

Answer»

Yes. The Palo Alto Networks firewall is a stateful firewall: every packet is matched against the session table, and a new session is created only after the first packet of a flow has been evaluated against zones, NAT, and the security policy. Subsequent packets of that flow are matched to the existing session rather than re-evaluated against the rulebase, unless App-ID identifies a change in the application mid-session, in which case the policy is looked up again.

30.

In Palo Alto, identify the various deployment modes. ?

Answer»

There are four deployment modes to choose from:

  • Tap mode
  • Virtual Wire (V-Wire) mode
  • Layer 2 mode
  • Layer 3 mode

1. Tap mode:

Using a network tap or a switch SPAN/mirror port, the firewall receives a copy of the traffic and can observe every flow on the monitored segment. The advantage of this option is that an organisation can closely monitor traffic to its servers or networks without changing the network infrastructure.

When configuring SPAN it is critical to set the correct SPAN source and destination ports and to set the firewall interface to Tap mode. Although tap mode provides application, user, and content visibility, the firewall only sees a copy of the traffic, so it cannot block or shape anything: no security policy action can be enforced, and tap mode only adds visibility to the ACC tab and the logs. Note that the tap interface still has to be assigned to a security zone, and a security policy rule for that zone is needed for the traffic to be logged.

2. Virtual Wire (V-Wire) mode:

In this mode the firewall is inserted transparently into a network segment by binding two interfaces together into a virtual wire. Because the firewall sits in-line, engineers can monitor and control the traffic crossing the link, which overcomes the limitation of tap mode. App-ID, User-ID, Content-ID, NAT, and decryption are all supported on virtual wire interfaces, and no IP or MAC address is needed, so neighbouring devices do not see a new hop.

3. Layer 2 mode:

In Layer 2 mode, multiple interfaces are placed into a VLAN object that behaves like a virtual switch, so the firewall switches traffic between two or more network segments. Traffic passing through the firewall is inspected according to policy, adding security and visibility inside the internal network.

The firewall interfaces can be access or trunk (802.1Q) links in this mode, but the firewall does not participate in Spanning Tree: any BPDUs received on its interfaces are forwarded unprocessed to the adjacent Layer 2 switch. Routing between VLANs or to other networks is done by a default gateway, typically a Layer 3 switch with inter-VLAN routing, a firewall security appliance, or a router-on-a-stick design.

4. Layer 3 mode:

In a Layer 3 deployment the firewall routes traffic between its interfaces, and each interface is configured with an IP address.

Layer 3 mode is the most common configuration. The firewall routes traffic between multiple interfaces, each with its own IP address and security zone. Interfaces can also obtain an address from a DHCP server and can be used to manage the appliance.

In a typical Layer 3 deployment the firewall routes and regulates traffic between several IP networks. As in the other modes, all traffic passing through the firewall is inspected and allowed or denied according to the configured security policy.