Palo Alto Interview Questions and Answers – Part I

Plao Alto Interview Questions and Answers

Some of our readers had requested for a post with some of the common questions and answers for the Palo Alto Firewall, after reading our post on PA Firewall. Following are some of the questions normally asked for PA interview. Please use the comment section if you have any questions to add .

1. Why Palo Alto is being called as next generation firewall ?

Ans: Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all the next generation firewall features using the single platformparallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features. Palo Alto NGFW different from other venders in terms of Platform, Process and architecture

2. Difference between Palo Alto NGFW and Checkpoint UTM  ?

PA follows Single pass parallel processing while UTM follows Multi pass architecture process

3. Describe about Palo Alto architecture and advantage ?

Architecture- Single Pass Parallel Processing (SP3) architecture

Advantage: This Single Pass traffic processing enables very high throughput and low latency – with all security functions active.  It also offers single, fully integrated policy which helps simple and easier management of firewall policy

——————- advertisements ——————-


4. Explain about Single Pass and Parallel processing architecture ?

Single Pass : The single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once.  Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once and in a stream-based fashion to avoid latency introduction.

Parallel Processing :   PA designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions.

  • Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware
  • User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
  • Content-ID content analysis uses dedicated, specialized content scanning engine
  • On the controlplane, a dedicated management processor (with dedicated disk and RAM) drives the configuration management, logging, and reporting without touching data processing hardware.

5. Difference between PA-200,PA-500 and higher models ?

In PA-200 and PA-500, Signature process and network processing implemented on software while higher models have dedicate hardware processer

6. What are the four deployment mode and explain ?
  1. Tap Mode : Tap mode allows you to passively monitor traffic flow across network by way of tap or switch SPAN/mirror port
  2. Virtual wire : In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together

——————- advertisements ——————-


  1. Layer 2 mode : multiple interfaces can be configured into a “virtual-switch” or VLAN in L2 mode.
  2. Layer 3 Deployment : In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

7. What you mean by Zone Protection profile ?

Zone Protection Profiles offer protection against most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:

-Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.

-Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.

-Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.

Configured under Network tab -> Network Profiles -> Zone protection.

8. What is u-turn NAT and how to configure ?

U-turn NAT is applicable when internal resources on trust zone need to access DMZ resources using public IP addresses of Untrust zone.

——————- advertisements ——————-


Let’s explain based on below scenario.


In above example, the website ( statically NAT’ed with public IP address on untrusted zone. Users in the corporate office on the segment need to access the company webpage. Their DNS lookup will resolve to the public IP in the Internet zone. The basic destination NAT rules that provide internet users access to the web server will not work for internal users browsing to the public IP .

Following are the NAT rule and policy definition.

  Next Page


okay, not making this post too long to read. We will be adding another set of questions in our next post soon.

Thanks for reading. Hope this helped in improving your Palo Alto knowledge, or clearing some of your doubts. Please let us know if you have any queries/comments.

Click Here for Part 2 of this post, another set of questions for you.



Leave a comment :