top of page

Panorama Interview questions and answers

  • Mar 18
  • 4 min read

1. What is Palo Alto Panorama?

Answer:Palo Alto Panorama is a centralized management solution for Palo Alto Networks' firewalls. It allows administrators to control firewall policies, manage logs, generate reports, and automate deployments across multiple firewalls from a single interface.





2. What are the deployment modes of Panorama?

Answer:Panorama can be deployed in three modes:

  1. Management Mode (Manages devices & policies)

  2. Log Collector Mode (Collects logs from firewalls)

  3. Mixed Mode (Both management & log collection)




3. How does Panorama communicate with managed firewalls?


Answer:Panorama uses SSL (Port 3978) to communicate with managed devices and Syslog (Port 514) for logging.



4.What are Log Collectors in Panorama?

Answer:Log Collectors are used in large-scale deployments where firewalls send logs to dedicated log collectors instead of storing logs locally.

5.How can you check if a firewall is sending logs to Panorama?

Answer:

show logging-status device <firewall_serial>


6.How do you troubleshoot if Panorama is not receiving logs?

Answer:

  • Check firewall Log Forwarding Profile

  • Ensure Security Policies allow logging

  • Verify Connectivity on Port 3978

  • Check Disk space & Licensing


-------------------------------------------------------------------------------------------------------------


Deep Questions -


1. How to Add a Firewall to Panorama?


To add a Palo Alto firewall to Panorama, follow these steps:


Step 1: Configure Panorama on the Firewall

  1. Login to Firewall CLI or GUI

  2. Go to Device > Setup > Management

  3. Under Panorama Settings, enter the Panorama IP address

  4. Click Commit


Step 2: Verify Firewall Registration in Panorama

  1. Login to Panorama

  2. Navigate to Panorama > Managed Devices > Summary

  3. Check if the firewall appears in the list




Step 3: Add the Firewall to a Device Group & Template

  1. Go to Panorama > Device Groups and add the firewall

  2. Go to Panorama > Templates and assign a template

  3. Click Commit and Push


Step 4: Verify Connection

Run the following CLI command on the firewall:


show panorama-status


If the status shows Connected, the firewall is successfully added.



2. How to Push the Configuration from Panorama to a Firewall?


To push configuration from Panorama to a firewall:


Step 1: Make Config Changes in Panorama

  1. Modify policies, objects, or network settings

  2. Go to Commit > Commit to Panorama


Step 2: Push Configuration to Firewalls

  1. Go to Panorama > Commit > Push to Devices

  2. Select the firewall(s)

  3. Click Push


Step 3: Verify on Firewall

Run this command on the firewall:


#Show config pushed-from-panorama


3. What is Device Group and Template? Difference?




Device Group

  • A logical grouping of firewalls for centralized policy management

  • Used for Security Policies, NAT, and Objects

  • Example: Group all firewalls in a specific branch office

Template

  • Used for network and system settings (e.g., interfaces, zones, NTP, DNS)

  • Helps maintain consistent network configurations



Key Differences

Feature

Device Group

Template

Purpose

Manages security policies, NAT, objects

Manages network settings, system settings

Scope

Related to security configurations

Related to infrastructure settings

Example

Block Social Media for all branch offices

Configure Interface IPs for all branches

4. How to Upgrade a Firewall from Panorama?


Step 1: Download the Upgrade

  1. Go to Panorama > Device Deployment > Software

  2. Select the target firewall version

  3. Click Download

Step 2: Install the Software on Firewalls

  1. Go to Panorama > Device Deployment > Software

  2. Select the firewall(s)

  3. Click Install

Step 3: Reboot the Firewall

  • After the upgrade, reboot the firewall

Step 4: Verify Upgrade

Run the following command:


show system info | match sw-version


for full upgrade steps visit this link- How to Upgrade Palo Alto Firewall


5. What is the Pre-requisite for PAN-OS Image Version?

  • Panorama should always be on the same or a higher PAN-OS version than the firewalls

  • If a firewall is on PAN-OS 10.1, Panorama should be 10.1 or higher

  • If Panorama is older than the firewall, it may not support all features





Best Practice

  • Always check compatibility documents from Palo Alto

  • Upgrade Panorama first, then firewalls


6. What is Pre-Policy and Post-Security Policy in Panorama?

Pre-Policy

  • Rules that are pushed from Panorama and appear above local firewall rules

  • Cannot be modified at the firewall level

Post-Security Policy

  • Rules that are pushed from Panorama but appear below local firewall rules

  • Typically used for logging and default rules



Example

Policy Type

Position

Can be Overridden?

Example

Pre-Policy

Before local rules

No

Block Social Media for all branches

Local Rules

Middle

Yes

Firewall Admins can add/edit

Post-Policy

After local rules

No

Allow all internal logs to SIEM

7. If Panorama is Down, What is the Impact on Actual Traffic?


  • No impact on live traffic – Firewalls continue using their last known configuration

  • Cannot push new policies

  • Log collection may stop if using Log Collectors



CLI Command to Check Status


show panorama-status


8. How to Check Logs in the Monitor Section of Panorama?

Step 1: Go to Panorama Monitor Section

  1. Login to Panorama

  2. Navigate to Monitor > Logs

Step 2: View Different Logs

  • Traffic Logs – See allowed/blocked traffic

  • Threat Logs – See security events (e.g., malware, attacks)

  • URL Logs – See web filtering logs

  • System Logs – Panorama-related events

Step 3: Filter Logs Using Query


Example: Show logs for a specific IP


( addr.src eq 192.168.1.10 )





9. What is Available Only in Panorama, Not in Palo Alto Firewalls?

Feature

Available in Panorama?

Available in Firewalls?

Centralized Policy Management

✅ Yes

❌ No

Device Groups & Templates

✅ Yes

❌ No

Log Collector

✅ Yes

❌ No

Multi-Firewall Management

✅ Yes

❌ No

Role-Based Admin for Multiple Firewalls

✅ Yes

❌ No

Bulk Software Upgrade

✅ Yes

❌ No

Key Difference

  • Panorama is used for centralized management, while firewalls are standalone

  • Firewalls cannot manage other firewalls

  • Panorama enables log forwarding and reporting across multiple devices

TAgs

Categorys

bottom of page