Sunday, 29 June 2025

Palo Alto High Availability:--


High Availability
Check status:
CLI: show high-availability state
GUI: Dashboard > High Availability
Fail over from the active firewall:
request high-availability state suspend
Or from the GUI: Device > High Availability > Operational Commands > click Suspend local device
Set the firewall as functional again:
request high-availability state functional
Or from the GUI: Device > High Availability > Operational Commands > click Make local device functional
Preemption: GUI: Device > High Availability > General > Election Settings

Nexus vPC Basics:--

BGP Summary Routes Benefits:-

PA Firewall Execution Plan:--

IPSec Parameters

Ensure that the IPSec parameters (encryption, authentication, key exchange) match on both ends.

Parameters include:

Encryption algorithms (e.g., AES, 3DES)
Hash algorithms (e.g., SHA-1, SHA-256)
Authentication methods (e.g., pre-shared key, certificates)
Diffie-Hellman groups
IPSec policies: Check the security policies or ACLs (Access Control Lists) to ensure they allow the desired traffic.
IKE (Internet Key Exchange) phases: Verify that the IKE Phase 1 and Phase 2 parameters match.
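The matching exercise above done in code, as an added example (not from the original post): each side's proposals are entered as dicts with constructed sample values, vendor spellings are normalised, every attribute that differs is listed for troubleshooting, and legacy algorithms (3DES, SHA-1, DH groups 1/2/5) are flagged even when both ends agree on them. The alias table and WEAK set are the example's own assumptions.

```python
"""Check that IKE Phase 1 / IPsec Phase 2 proposals match between two VPN peers.

Added example, not from the original post. Proposals are typed in by hand as
dicts (constructed sample data below); no vendor CLI output is parsed.
"""
from itertools import product

# Vendor spellings differ; map them onto one canonical token before comparing.
ALIASES = {
    "aes-256-cbc": "aes256", "aes256-cbc": "aes256", "aes-128-cbc": "aes128",
    "aes128-cbc": "aes128", "3des-cbc": "3des", "sha-1": "sha1", "sha": "sha1",
    "sha-256": "sha256", "sha2-256": "sha256", "pre-shared key": "psk",
}
# Legacy choices still seen in the wild; flag them even when both ends agree.
WEAK = {"encryption": {"des", "3des"}, "hash": {"md5", "sha1"}, "dh_group": {1, 2, 5}}

def norm(value):
    """Canonical form of one attribute (ints such as DH group numbers pass through)."""
    if isinstance(value, int):
        return value
    v = value.strip().lower()
    return ALIASES.get(v, v)

def normalize(proposal):
    return {k: norm(v) for k, v in proposal.items()}

def compare(local, remote):
    """Return (matches, diffs): proposal pairs that agree on every attribute, and
    for each non-matching pair the attributes that differ (what to fix first)."""
    matches, diffs = [], []
    for a, b in product(local, remote):
        na, nb = normalize(a), normalize(b)
        fields = sorted(set(na) | set(nb))  # works for P1 and P2 (PFS group optional)
        bad = [f for f in fields if na.get(f) != nb.get(f)]
        if bad:
            diffs.append({"local": na, "remote": nb, "mismatched": bad})
        else:
            matches.append(na)
    return matches, diffs

def weak_algorithms(proposal):
    """Attributes of a proposal whose value is in the WEAK table."""
    p = normalize(proposal)
    return [f for f in ("encryption", "hash", "dh_group") if p.get(f) in WEAK[f]]

# Constructed sample: Phase 1 proposals as read from two firewalls' configurations.
SITE_A_P1 = [{"encryption": "AES-256-CBC", "hash": "SHA-256", "dh_group": 14, "auth": "Pre-shared Key"}]
SITE_B_P1 = [{"encryption": "3DES", "hash": "SHA-1", "dh_group": 2, "auth": "psk"},
             {"encryption": "aes256", "hash": "sha256", "dh_group": 14, "auth": "psk"}]
```

compare(SITE_A_P1, SITE_B_P1) returns one common proposal (the tunnel can come up) and one pair that differs on dh_group, encryption and hash; weak_algorithms flags all three attributes of the 3DES/SHA-1/group 2 proposal.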

Virtual Switching System (VSS):--

Few points to remember:--

In simple terms, VSS combines multiple Cisco Catalyst switches into one virtual switch.
The data plane of both clustered switches is active at the same time in both chassis.
For the control plane, only one switch is active and the other is standby.
In VSS, if one chassis fails, the other takes over without any downtime.
It eliminates STP.
This is supported on both Catalyst 6500 and 4500 series switches.
Make sure that the peer VSS switches have the same hardware and software version.

Half Duplex and Full Duplex:--

Simplex:-
One-way communication.
Example:- Radio, TV receiver, SMS, etc.

HALF DUPLEX:-
++Can send and receive, but not at the same time.
++This was originally used on coaxial cable (10BASE5, 10BASE2) and for Ethernet hubs, because these cannot use full duplex.
++It uses the CSMA/CD method.

FULL DUPLEX:-
++Can send and receive at the same time.
++Copper twisted pair is used for full duplex.
++No need for CSMA/CD.
++No collisions.

Cisco vPC:--

OSPF LSA Types:--

Neighbor Requirements for EIGRP and OSPF:--

1 - Duplicate EIGRP RIDs do not prevent routers from becoming neighbors, but they can cause problems when adding external EIGRP routes to the routing table.
2 - An MTU mismatch may still allow the other router to be listed in the show ip ospf neighbor command, but it will prevent proper operation of the topology exchange.

How to troubleshoot PA HA using the CLI?

>show high-availability state : show the HA state of the firewall
>show high-availability state-synchronization : check the sync status
>show high-availability path-monitoring : show the status of path monitoring
>request high-availability state suspend : suspend the active box and make the current passive box active

Interview Question PA

What are the four deployment modes? Explain each.
Tap mode : Tap mode allows you to passively monitor traffic flowing across the network by way of a tap or a switch SPAN/mirror port.
Virtual wire : In a virtual wire deployment, the firewall is installed transparently on a network segment by binding two interfaces together.
Layer 2 mode : Multiple interfaces can be configured into a "virtual switch" or VLAN in L2 mode.
Layer 3 deployment : In a Layer 3 deployment, the firewall routes traffic between multiple interfaces. An IP address must be assigned to each interface and a virtual router must be defined to route the traffic.

Palo Alto SSL decryption

>> SSL decryption rests on the premise that people using a corporate network agree to having their traffic decrypted for inspection purposes, based on the fact that they are using somebody else's equipment and infrastructure for work-related purposes as opposed to private personal use. The onus in that case is on the user to moderate their behaviour against what they know is going to be seen. However, when it comes to financial information and other privileged data, such as health and medical records, there are multiple laws governing the ability to decrypt this traffic, and in every case I am aware of it is deemed illegal and cannot be done, so the situation would never arise. That is why the no-decrypt policy is as important as the decrypt policy.

>> SSL decryption does mean that the traffic passes through the firewall in plain text, so we control what data gets decrypted to keep the balance between security and privacy for users and the security of the company providing the infrastructure to the employee / sanctioned user.

Restoring the BIG-IP configuration to the factory default setting

1. Restoring the BIG-IP configuration to the factory default setting

Impact of procedure: This procedure removes all BIG-IP local traffic objects, network configuration, and BIG-IP module data. The admin and root passwords are reset to their defaults. The MGMT interface IP address is kept.

1.1 Log in to the Traffic Management Shell (tmsh) by typing the following command:
tmsh

1.2 To restore the configuration to the factory default setting, type the following command:
load sys config default

1.3 You are prompted with the following confirmation:
Reset the system configuration to factory defaults? (y/n)

To confirm that you want to restore factory default values, press the following key:
y

1.4 Save the change by typing the following command:
save sys config partitions all

1.5 Reboot the BIG-IP device
reboot


2. Upgrade F5 TMOS

2.1 Download the ISO file from the F5 Downloads site.
The file name is BIGIP-12.1.2.0.0.249.iso. Make sure to verify the file's MD5 value.
2.2 Go to the F5 device's System > Software Management page.
2.3 Import the newly downloaded ISO file BIGIP-12.1.2.0.0.249.iso.
2.4 Install the imported image into the HD1.1 partition.
2.5 Activate the new software.
Make sure you install the configuration from the right Source Volume; otherwise you will lose all configuration in the new software.
2.6 Verify.

🔥 The Hidden Risk of “Wide Open” Internal Policies — And How To Remove Them Safely

In one of my recent projects, I noticed a wide open internal traffic policy in place. Later, I was asked to work on this issue and remove th...