EMC ISILON Interview questions

Adding one more post to our interview questions post category, this time for ISILON. We are trying to cover some of the frequently asked questions from the ISILON architecture and configuration areas.

  •  Node and drive types supported :  ISILON supported 3 different types of nodes S-Series, X-Series and NL-Series. S-Series (S210) is high performance node type supports SSD drives. X-Series nodes (X210 and X410) supports upto 6 SSDs and can have remaining slots with HDDs in them. NL-Series (NL-410) nodes supports only one SSD in the system and SATA drives in the remaining slots. This node type is intended for the archiving requirements.

Read more

The system with the recent OneFS versions, also supports All-Flash nodes, Hybrid nodes, Archive nodes and IsilonSD nodes. ISILON All-Flash nodes (F800) can have upto 924 TB in a single 4U node and can grow upto 33PB in one cluster. One node can house upto 60 drives. Hybrid nodes (H400, H500 and H600) supports a mix of SSDs and HDDs. H400 and H500 can have SATA drives and SSDs and H600 supports SSDs and SAS drives. Archive nodes (A200 and A2000) are intended for archiving solutions. A2000 nodes can have 80 slots with 10TB drives only supported. This node is for high-density archiving. A200 is for near-primary archiving storage solutions which supports 2 TB, 4 TB or 8 TB SATA HDDs- a maximum of 60 drives.

IsilonSD is the software only node type which can be installed in customer hardware.

  •  Scale-Out and Scale-Up architecture : The first thing comes with ISILON is the architecture, Scale-Out. With Scale-Out architecture, the processing and capacity will be increased in parallel. As we add a node, both capacity and processing power will be increased for the system. Let’s take the example of VNX for Scale-Up architecture. Here, the processing power (i.e. Storage processors) can not be increased as the system limit is 2 SPs, but we can grow the overall system capacity by adding more DAEs (and disks) to the system supported limit.
  •  Infiniband Switches and types : ISILON makes use of IB switches for the internal communication between the nodes. ISILON now supports 40 GbE switches also with the Gen-6 hardware in addition to the 10GbE IB switches.
  •  SmartConnect and SSIP : [definition from ISILON SmartConnect whitepaper] SmartConnect is a licensable software module of the EMC ISILON OneFS Operating System that optimizes performance and availability by enabling intelligent client connection load balancing and failover support. Through a single host name, SmartConnect enables client connection load balancing and dynamic NFS failover  and failback of client connections across storage nodes to provide optimal utilization of the cluster resources. SmartConnect eliminates the need to install client side drivers, enabling the IT administrator to easily manage large numbers of client with confidence. And in the event of a system failure, file system stability and availability are maintained.

For every SmartConnect zone there will be one SSIP (SmarConnect Service IP), which wil be used for the client connections. SSIP and associated hostname will have the DNS entry and the client requests will come to the cluster/zone via SSIP. The zone redirects the request to the nodes for completion.

  •  SmartPool : SmartPool enables effective tiering of storage nodes within the filesystem. Data – based on the utilization – will be moved across the tiers within the filesystem automatically with seamless application and end user access. Customers can define policies for the data movement for different workflows and node types.
  •  Protection types in ISILON : ISILON cluster can have protection types N+M (where N is the number of data blocks and M is the number of nodes/drives failures the system can tolerate) or N+M:B (where N is the number of data blocks M is the number of drives failures the system can tolerate and B is the number of node failures can be tolerated ), where N>M. In case of a 3-node system, it can have +1 (i.e. 2+1) protection type. Here the system can tolerate 1 drive/node failure without any data loss.
  •  Steps to create an NFS export : Here we have listed the commands to create and list/view the NFS export.

To create the NFS export :
isi nfs exports create –clients=10.20.10.31,10.20.10.32 –root-clients=10.20.10.33,10.20.10.34 –description=”Beginnersforum Test NFS Share” –paths=/ifs/BForum/Test –security-flavors=unix

To list the NFS exports :
isi nfs exports list

To view the NFS export :
isi nfs exports view <export_number>

You can create the NFS export alias and quotas also for the NFS export.

Hope this helped you in learning some ISILON stuff. We will have more questions and details in upcoming posts. For more interview questions posts please click here. Please add any queries and suggestions in comments.

Palo Alto Interview Questions and Answers – Part II

Plao Alto Interview Questions and Answers

This post is a continuation to one of our recent post where we discussed a few questions and answers on Palo Alto firewall. Here we are adding another set of Q&A based on our readers interest. Hope this will help you in improving your knowledge of the PA firewall.

1. How to publish internal website to internet. Or how to perform destination NAT ?

To publish internal website to outside world, we would require destination NAT and policy configuration. NAT require converting internal private IP address in to external public IP address. Firewall policy need to enable access to internal server on http service from outside .We can see how to perform NAT and policy configuration with respect to following scenario Read more

Provide the access to 192.168.10.100 through the public IP address 64.10.11.10 from internet

Following NAT and policy rules need to be created.

NAT:-> Here we need to use pre-NAT configuration to identify zone. Both source and destination Zone should be Untrust-L3 as source and destination address part of un trust zone

——————- advertisements ——————-

———————————————————-

Policy-> Here we need to use Post-NAT configuration to identify zone. The source zone will be Untrust-L3 as the source address still same 12.67.5.2 and the destination zone would be Trust-L3 as the translated IP address belongs to trust-l3 zone.

We have to use pre-NAT IP address for the source and destination IP address part on policy configuration. According to packet flow, actual translation is not yet happen, only egress zone and route look up happened for the packet. Actual translation will happen after policy lookup . Please click here to understand detailed packet flow in PA firewall.  Just remember the following technique so it will be easy to understand

In firewall rule,

Zone: Post NAT

IP address: Pre NAT

In NAT rule,

Zone: Pre NAT

Final Configuration looks like below:

2. What is Global Protect ?

——————- advertisements ——————-

———————————————————-

GlobalProtect provides a transparent agent that extends enterprise security Policy to all users regardless of their location. The agent also can act as Remote Access VPN client.  Following are the component

Gateway : This can be or more interface on Palo Alto firewall which provide access and security enforcement for traffic from Global Protect Agent

Portal: Centralized control which manages gatrway, certificate , user authentication and end host check list

Agent : software on the laptop that is configured to connect to the GlobalProtect deployment.

3. Explain about virtual system ?

A virtual system specifies a collection of physical and logical firewall interfaces and security zones.Virtual system allows to segmentation of security policy functionalities like ACL, NAT and QOS. Networking functions including static and dynamic routing are not controlled by virtual systems. If routing segmentation is desired for each virtual system, we should have an additional virtual router.

——————- advertisements ——————-

———————————————————-

4.Explain about various links used to establish HA or HA introduction ?

PA firewall use HA links to synchronize data and maintain state information. Some models of the firewall have dedicated HA ports—Control link (HA1) and Data link (HA2), while others require you to use the in-band ports as HA links.

Control Link :  The HA1 links used to exchange hellos, heartbeats, and HA state information, and management plane sync for routing, User-ID information and synchronize configuration . The HA1 should be layar 3 interface which require an IP address

Data Link : The HA2 link is used to synchronize sessions, forwarding tables, IPSec security associations and ARP tables between firewalls in an HA pair. The HA 2 is a layer 2 link

Backup Links: Provide redundancy for the HA1 and the HA2 links. In-band ports are used as backup links for both HA1 and HA2. The HA backup links IP address must be on different subnet from primary HA links.

Packet-Forwarding Link: In addition to the HA1 and HA2 links, an active/active deployment also requires a dedicated HA3 link. The firewalls use this link for forwarding packets to the peer during session setup and asymmetric traffic flow.

4. What protocol used to exchange heart beat between HA ?

ICMP

——————- advertisements ——————-

———————————————————-

5. Various port numbers used in HA ?

HA1: tcp/28769,tcp/28260 for clear text communication ,tcp/28 for encrypted communication

HA2: Use protocol number 99 or UDP-29281

6. What are the scenarios for fail-over triggering ?

->if one or more monitored interfaces fail

->if one or more specified destinations cannot be pinged by the active firewall

->if the active device does not respond to heartbeat polls (Loss of three consecutive heartbeats over period of 1000 milliseconds)

7. How to troubleshoot HA using CLI ?

>show high-availability state : Show the HA state of the firewall

>show high-availability state-synchronization : to check sync status

>show high-availability path-monitoring : to show the status of path monitoring

>request high-availablity state suspend : to suspend active box and make the current passive box as active

8. which command to check the firewall policy matching for particular destination ?

>test security-policy-match from trust to untrust destination <IP>

9.Command to check the NAT rule ?

>test nat-policy-match

10. Command to check the system details ?

>show system info  // It will show management IP , System version and serial number

11. How to perform debug in PA ?

Following are the steps

Clear all packet capture settings

>debug dataplane packet-diag clear all

set traffic matching condition

> debug dataplane packet-diag set filter match source 192.168.9.40 destination 4.2.2.2
> debug dataplane packet-diag set filter on

——————- advertisements ——————-

———————————————————-

Enable packet capture

> debug dataplane packet-diag set capture stage receive file rx.pcap
> debug dataplane packet-diag set capture stage transmit file tx.pcap
> debug dataplane packet-diag set capture stage drop file dp.pcap
> debug dataplane packet-diag set capture stage firewall file fw.pcap
> debug dataplane packet-diag set capture on

View the captured file

view-pcap filter-pcap rx.pcap

12. What you mean by Device Group and Device Template.?

Device group allows you to group firewalls which is require similar  set of policy , such as firewalls that manage a group of branch offices or individual departments in a company. Panorama treats each group as a single unit when applying policies. A firewall can belong to only one device group. The Objects and Policies are only part of Device Group.

Device Template :

Device Templates enable you to deploy a common base configuration like Network and device specific settings to multiple firewalls that require similar settings.
This is available in Device and Network tabs on Panorama

13. Why you are using Security Profile .?

Security Profile using to scans allowed applications for threats, such as viruses, malware, spyware, and DDOS attacks.Security profiles are not used in the match criteria of a traffic flow. The security profile is applied to scan traffic after the application or category is allowed by the security policy. You can add security profiles that are commonly applied together to a Security Profile Group

Following are the Security Profiles available
Antivirus Profiles
Anti-Spyware Profiles
Vulnerability Protection Profiles
URL Filtering Profiles
Data Filtering Profiles
File Blocking Profiles
WildFire Analysis Profiles
DoS Protection Profiles

Thanks for reading. Hope this helped in improving your Palo Alto knowledge, or clearing some of your doubts. Please let us know if you have any queries/comments.

Palo Alto Interview Questions and Answers – Part I

Plao Alto Interview Questions and Answers

Some of our readers had requested for a post with some of the common questions and answers for the Palo Alto Firewall, after reading our post on PA Firewall. Following are some of the questions normally asked for PA interview. Please use the comment section if you have any questions to add .

1. Why Palo Alto is being called as next generation firewall ?

Ans: Next-generation firewalls include enterprise firewall capabilities, an intrusion prevention system (IPS) and application control features. Palo Alto Networks delivers all the next generation firewall features using the single platformparallel processing and single management systems, unlike other vendors who use different modules or multiple management systems to offer NGFW features. Palo Alto NGFW different from other venders in terms of Platform, Process and architecture Read more

2. Difference between Palo Alto NGFW and Checkpoint UTM  ?

PA follows Single pass parallel processing while UTM follows Multi pass architecture process

3. Describe about Palo Alto architecture and advantage ?

Architecture- Single Pass Parallel Processing (SP3) architecture

Advantage: This Single Pass traffic processing enables very high throughput and low latency – with all security functions active.  It also offers single, fully integrated policy which helps simple and easier management of firewall policy

——————- advertisements ——————-

———————————————————-

4. Explain about Single Pass and Parallel processing architecture ?

Single Pass : The single pass software performs operations once per packet. As a packet is processed, networking functions, policy lookup, application identification and decoding, and signature matching for any and all threats and content are all performed just once.  Instead of using separate engines and signature sets (requiring multi-pass scanning) and instead of using file proxies (requiring file download prior to scanning), the single pass software in next-generation firewalls scans content once and in a stream-based fashion to avoid latency introduction.

Parallel Processing :   PA designed with separate data and control planes to support parallel processing. The second important element of the Parallel Processing hardware is the use of discrete, specialized processing groups to perform several critical functions.

  • Networking: routing, flow lookup, stats counting, NAT, and similar functions are performed on network-specific hardware
  • User-ID, App-ID, and policy all occur on a multi-core security engine with hardware acceleration for encryption, decryption, and decompression.
  • Content-ID content analysis uses dedicated, specialized content scanning engine
  • On the controlplane, a dedicated management processor (with dedicated disk and RAM) drives the configuration management, logging, and reporting without touching data processing hardware.

5. Difference between PA-200,PA-500 and higher models ?

In PA-200 and PA-500, Signature process and network processing implemented on software while higher models have dedicate hardware processer

6. What are the four deployment mode and explain ?
  1. Tap Mode : Tap mode allows you to passively monitor traffic flow across network by way of tap or switch SPAN/mirror port
  2. Virtual wire : In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together

——————- advertisements ——————-

———————————————————-

  1. Layer 2 mode : multiple interfaces can be configured into a “virtual-switch” or VLAN in L2 mode.
  2. Layer 3 Deployment : In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

7. What you mean by Zone Protection profile ?

Zone Protection Profiles offer protection against most common flood, reconnaissance, and other packet-based attacks. For each security zone, you can define a zone protection profile that specifies how the security gateway responds to attacks from that zone. The following types of protection are supported:

-Flood Protection—Protects against SYN, ICMP, UDP, and other IP-based flooding attacks.

-Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential attack targets.

-Packet-based attack protection—Protects against large ICMP packets and ICMP fragment attacks.

Configured under Network tab -> Network Profiles -> Zone protection.

8. What is u-turn NAT and how to configure ?

U-turn NAT is applicable when internal resources on trust zone need to access DMZ resources using public IP addresses of Untrust zone.

——————- advertisements ——————-

———————————————————-

Let’s explain based on below scenario.

 

In above example, the website company.com (192.168.10.20) statically NAT’ed with public IP address 81.23.7.22 on untrusted zone. Users in the corporate office on the 192.168.1.0/24 segment need to access the company webpage. Their DNS lookup will resolve to the public IP in the Internet zone. The basic destination NAT rules that provide internet users access to the web server will not work for internal users browsing to the public IP .

Following are the NAT rule and policy definition.

  Next Page

 

okay, not making this post too long to read. We will be adding another set of questions in our next post soon.

Thanks for reading. Hope this helped in improving your Palo Alto knowledge, or clearing some of your doubts. Please let us know if you have any queries/comments.

Click Here for Part 2 of this post, another set of questions for you.