Panorama Interview questions and answers
- Mar 18
- 4 min read
1. What is Palo Alto Panorama?
Answer:Palo Alto Panorama is a centralized management solution for Palo Alto Networks' firewalls. It allows administrators to control firewall policies, manage logs, generate reports, and automate deployments across multiple firewalls from a single interface.
2. What are the deployment modes of Panorama?
Answer:Panorama can be deployed in three modes:
Management Mode (Manages devices & policies)
Log Collector Mode (Collects logs from firewalls)
Mixed Mode (Both management & log collection)
3. How does Panorama communicate with managed firewalls?
Answer:Panorama uses SSL (Port 3978) to communicate with managed devices and Syslog (Port 514) for logging.
4.What are Log Collectors in Panorama?
Answer:Log Collectors are used in large-scale deployments where firewalls send logs to dedicated log collectors instead of storing logs locally.
5.How can you check if a firewall is sending logs to Panorama?
Answer:
show logging-status device <firewall_serial>
6.How do you troubleshoot if Panorama is not receiving logs?
Answer:
Check firewall Log Forwarding Profile
Ensure Security Policies allow logging
Verify Connectivity on Port 3978
Check Disk space & Licensing
-------------------------------------------------------------------------------------------------------------
Deep Questions -
1. How to Add a Firewall to Panorama?
To add a Palo Alto firewall to Panorama, follow these steps:
Step 1: Configure Panorama on the Firewall
Login to Firewall CLI or GUI
Go to Device > Setup > Management
Under Panorama Settings, enter the Panorama IP address
Click Commit
Step 2: Verify Firewall Registration in Panorama
Login to Panorama
Navigate to Panorama > Managed Devices > Summary
Check if the firewall appears in the list
Step 3: Add the Firewall to a Device Group & Template
Go to Panorama > Device Groups and add the firewall
Go to Panorama > Templates and assign a template
Click Commit and Push
Step 4: Verify Connection
Run the following CLI command on the firewall:
show panorama-status
If the status shows Connected, the firewall is successfully added.
2. How to Push the Configuration from Panorama to a Firewall?
To push configuration from Panorama to a firewall:
Step 1: Make Config Changes in Panorama
Modify policies, objects, or network settings
Go to Commit > Commit to Panorama
Step 2: Push Configuration to Firewalls
Go to Panorama > Commit > Push to Devices
Select the firewall(s)
Click Push
Step 3: Verify on Firewall
Run this command on the firewall:
#Show config pushed-from-panorama
3. What is Device Group and Template? Difference?
Device Group
A logical grouping of firewalls for centralized policy management
Used for Security Policies, NAT, and Objects
Example: Group all firewalls in a specific branch office
Template
Used for network and system settings (e.g., interfaces, zones, NTP, DNS)
Helps maintain consistent network configurations
Key Differences
Feature | Device Group | Template |
Purpose | Manages security policies, NAT, objects | Manages network settings, system settings |
Scope | Related to security configurations | Related to infrastructure settings |
Example | Block Social Media for all branch offices | Configure Interface IPs for all branches |
4. How to Upgrade a Firewall from Panorama?
Step 1: Download the Upgrade
Go to Panorama > Device Deployment > Software
Select the target firewall version
Click Download
Step 2: Install the Software on Firewalls
Go to Panorama > Device Deployment > Software
Select the firewall(s)
Click Install
Step 3: Reboot the Firewall
After the upgrade, reboot the firewall
Step 4: Verify Upgrade
Run the following command:
show system info | match sw-version
for full upgrade steps visit this link- How to Upgrade Palo Alto Firewall
5. What is the Pre-requisite for PAN-OS Image Version?
Panorama should always be on the same or a higher PAN-OS version than the firewalls
If a firewall is on PAN-OS 10.1, Panorama should be 10.1 or higher
If Panorama is older than the firewall, it may not support all features
Best Practice
Always check compatibility documents from Palo Alto
Upgrade Panorama first, then firewalls
6. What is Pre-Policy and Post-Security Policy in Panorama?
Pre-Policy
Rules that are pushed from Panorama and appear above local firewall rules
Cannot be modified at the firewall level
Post-Security Policy
Rules that are pushed from Panorama but appear below local firewall rules
Typically used for logging and default rules
Example
Policy Type | Position | Can be Overridden? | Example |
Pre-Policy | Before local rules | No | Block Social Media for all branches |
Local Rules | Middle | Yes | Firewall Admins can add/edit |
Post-Policy | After local rules | No | Allow all internal logs to SIEM |
7. If Panorama is Down, What is the Impact on Actual Traffic?
No impact on live traffic – Firewalls continue using their last known configuration
Cannot push new policies
Log collection may stop if using Log Collectors
CLI Command to Check Status
show panorama-status
8. How to Check Logs in the Monitor Section of Panorama?
Step 1: Go to Panorama Monitor Section
Login to Panorama
Navigate to Monitor > Logs
Step 2: View Different Logs
Traffic Logs – See allowed/blocked traffic
Threat Logs – See security events (e.g., malware, attacks)
URL Logs – See web filtering logs
System Logs – Panorama-related events
Step 3: Filter Logs Using Query
Example: Show logs for a specific IP
( addr.src eq 192.168.1.10 )
9. What is Available Only in Panorama, Not in Palo Alto Firewalls?
Feature | Available in Panorama? | Available in Firewalls? |
Centralized Policy Management | ✅ Yes | ❌ No |
Device Groups & Templates | ✅ Yes | ❌ No |
Log Collector | ✅ Yes | ❌ No |
Multi-Firewall Management | ✅ Yes | ❌ No |
Role-Based Admin for Multiple Firewalls | ✅ Yes | ❌ No |
Bulk Software Upgrade | ✅ Yes | ❌ No |
Key Difference
Panorama is used for centralized management, while firewalls are standalone
Firewalls cannot manage other firewalls
Panorama enables log forwarding and reporting across multiple devices