TEST F
Title of test: TEST F

Description: Test per Palo Alto




Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.)
- upload-only
- install and reboot
- upload and install
- upload and install and reboot
- verify and install

A firewall administrator is investigating high packet buffer utilization in the company firewall. After looking at the threat logs and seeing many flood attacks coming from a single source that are dropped by the firewall, the administrator decides to enable packet buffer protection to protect against similar attacks. The administrator enables packet buffer protection globally in the firewall but still sees a high packet buffer utilization rate. What else should the administrator do to stop packet buffers from being overflowed?
- Apply DOS profile to security rules allow traffic from outside
- Enable packet buffer protection for the affected zones
- Add the default Vulnerability Protection profile to all security rules that allow traffic from outside
- Add a Zone Protection profile to the affected zones

What is a correct statement regarding administrative authentication using external services with a local authorization method?
- The administrative accounts you define on an external authentication server serve as references to the accounts defined locally on the firewall.
- Prior to PAN-OS 10.2, an administrator used the firewall to manage role assignments, but access domains have not been supported by this method.
- Starting with PAN-OS 10.2, an administrator needs to configure Cloud Identity Engine to use external authentication services for administrative authentication.
- The administrative accounts you define locally on the firewall serve as references to the accounts defined on an external authentication server.

A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware, category: dns-c2, threat ID: 1000011111. Which set of steps should the administrator take to configure an exception for this signature?
- Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the signature exceptions tab and then click show all signatures; Search related threat ID and click enable; Change the default action; Commit
- Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit
- Navigate to Objects > Security Profiles > Vulnerability Protection; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit
- Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select DNS exceptions tabs; Search related threat ID and click enable; Commit

In the screenshot above, which two pieces of information can be determined from the ACC configuration shown? (Choose two.)
- Insecure-credentials, brute-force, and protocol-anomaly are all a part of the vulnerability Threat Type.
- The Network Activity tab will display all applications, including FTP.
- Threats with a severity of high are always listed at the top of the Threat Name list.
- The ACC has been filtered to only show the FTP application.

Given the screenshot, how did the firewall handle the traffic?
- Traffic was allowed by policy but denied by profile as encrypted.
- Traffic was allowed by policy but denied by profile as a threat.
- Traffic was allowed by profile but denied by policy as a threat.
- Traffic was allowed by policy but denied by profile as a nonstandard port.

Your company wants greater visibility into their traffic and has asked you to start planning an SSL Decryption project. The company does not have a PKI infrastructure, and multiple certificates would be needed for this project. Which type of certificate can you use to generate other certificates?
- self-signed root CA
- external CA certificate
- server certificate
- device certificate

Refer to the screenshots. Without the ability to use Context Switch, where do admin accounts need to be configured in order to provide admin access to Panorama and to the managed devices?
- The Panorama section overrides the Device section. The accounts need to be configured only in the Panorama section.
- The sections are independent. The accounts need to be configured in both the Device and Panorama sections.
- The Device section overrides Panorama section. The accounts need to be configured only in the Device section.
- Configuration in the sections is merged together. The accounts need to be configured in either section.

A firewall administrator needs to be able to inspect inbound HTTPS traffic on servers hosted in their DMZ to prevent the hosted service from being exploited. Which combination of features can allow PAN-OS to detect exploit traffic in a session with TLS encapsulation?
- a WildFire profile and a File Blocking profile
- a Vulnerability Protection profile and a Decryption policy
- a Vulnerability Protection profile and a QoS policy
- a Decryption policy and a Data Filtering profile

An engineer was tasked to simplify configuration of multiple firewalls with a specific set of configurations shared across all devices. Which two advantages would be gained by using multiple templates in a stack? (Choose two.)
- inherits address-objects from the templates
- standardizes server profiles and authentication configuration across all stacks
- standardizes log-forwarding profiles for security policies across all stacks
- defines a common standard template configuration for firewalls

Which protocol is supported by GlobalProtect Clientless VPN?
- FTP
- HTTPS
- SSH
- RDP

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?
- Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust.
- Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust.
- Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust.
- Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?
- test routing fib-lookup ip 10.2.5.0/24 virtual-router default
- test routing route ip 10.2.5.3
- test routing route ip 10.2.5.3 virtual-router default
- test routing fib-lookup ip 10.2.5.3 virtual-router default

A client is concerned about web shell attacks against their servers. Which profile will protect the individual servers?
- Anti-Spyware profile
- Zone Protection profile
- DoS Protection profile
- Antivirus profile

Which firewall feature do you need to configure to query Palo Alto Networks service updates over a data-plane interface instead of the management interface?
- service route
- data redistribution
- SNMP setup
- dynamic updates

How is an address object of type IP range correctly defined?
- 192.168.40.1-192.168.40.255
- 192.168 40 1/24
- 192.168 40 1, 192.168 40.255
- 192 168 40 1-255

An administrator wants to prevent users from unintentionally accessing malicious domains where data can be exfiltrated through established connections to remote systems. From the Pre-defined Categories tab within the URL Filtering profile, what is the right configuration to prevent such connections?
- Set the malware category to block.
- Set the Command and Control category to block.
- Set the phishing category to override.
- Set the hacking category to continue.

In order to fulfill the corporate requirement to back up the configuration of Panorama and the Panorama-managed firewalls securely, which protocol should you select when adding a new scheduled config export?
- HTTPS
- FTP
- SMB v3
- SCP

A network administrator created an intrazone Security policy rule on the firewall. The source zones were set to IT, Finance, and HR. Which two types of traffic will the rule apply to? (Choose two.)
- traffic between zone Finance and zone HR
- traffic between zone IT and zone Finance
- traffic within zone HR
- traffic within zone IT

An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up. If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?
- show system state filter sw.dev.interface.config
- show chassis status slot s1
- show system state filter-pretty sys.s1.*
- show system state filter ethernet1/1

An engineer wants to forward all decrypted traffic on a PA-850 firewall to a forensic tool with a decrypt mirror interface. Which statement is true regarding the configuration of the Decryption Port Mirroring feature?
- The engineer should install the Decryption Port Mirror license and reboot the firewall.
- The PA-850 firewall does not support decrypt mirror interface, so the engineer needs to upgrade the firewall to PA-3200 series.
- The engineer must assign an IP from the same subnet with the forensic tool to the decrypt mirror interface.
- The engineer must assign the related virtual-router to the decrypt mirror interface.

Which statement is true regarding a heatmap in a BPA report?
- When guided by authorized sales engineer, it helps determine the areas of the greatest security risk.
- It runs only on firewalls.
- It provides a percentage of adoption for each assessment area.
- It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.

An engineer is configuring secure web access (HTTPS) to a Palo Alto Networks firewall for management. Which profile should be configured to ensure that management access via web browsers is encrypted with a trusted certificate?
- A Certificate profile should be configured with a trusted root CA.
- An SSL/TLS Service profile should be configured with a certificate assigned.
- An Interface Management profile with HTTP and HTTPS enabled should be configured.
- An Authentication profile with the allow list of users should be configured.

In an existing deployment, an administrator with numerous firewalls and Panorama does not see any WildFire logs in Panorama. Each firewall has an active WildFire subscription. On each firewall, WildFire logs are available. This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing?
- System logs
- WildFire logs
- Threat logs
- Traffic logs

An administrator wants to configure the Palo Alto Networks Windows User-ID agent to map IP addresses to usernames. The company uses four Microsoft Active Directory servers and two Microsoft Exchange servers, which can provide logs for login events. All six servers have IP addresses assigned from the following subnet: 192.168.28.32/27. The Microsoft Active Directory servers reside in 192.168.28.32/28, and the Microsoft Exchange servers reside in 192.168.28.48/28. What information does the administrator need to provide in the User Identification > Discovery section?
- the IP-address and corresponding server type (Microsoft Active Directory or Microsoft Exchange) for each of the six servers
- network 192.168.28.32/28 with server type Microsoft Active Directory and network 192.168.28.48/28 with server type Microsoft Exchange
- one IP address of a Microsoft Active Directory server and “Auto Discover” enabled to automatically obtain all five of the other servers
- network 192.168.28.32/27 with server type Microsoft

Refer to the diagram. Users at an internal system want to ssh to the SSH server. The server is configured to respond only to the ssh requests coming from IP 172.16.15.1. In order to reach the SSH server only from the Trust zone, which Security rule and NAT rule must be configured on the firewall?
- NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: Static IP / 172.16.15.1. Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 172.16.15.10 - Application: ssh.
- NAT Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP / 172.16.15.10. Security Rule: Source Zone: Trust - Source IP: 192.168.15.0/24 - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh.
- NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Trust - Destination IP: 192.168.15.1 - Destination Translation: Static IP / 172.16.15.10. Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh.
- NAT Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Source Translation: dynamic-ip-and-port / ethernet1/4. Security Rule: Source Zone: Trust - Source IP: Any - Destination Zone: Server - Destination IP: 172.16.15.10 - Application: ssh.

What is the best definition of the Heartbeat Interval?
- the interval during which the firewall will remain active following a link monitor failure
- the frequency at which the HA peers exchange ping
- the interval in milliseconds between hello packets
- the frequency at which the HA peers check link or path availability

A QoS profile is configured as shown in the image. The following throughput is realized: Class 3 traffic: 325Mbps; Class 5 traffic: 470Mbps; Class 7 traffic: 330Mbps. What happens as a result?
- Available bandwidth from the unused classes will be used to maintain the Egress Guaranteed throughput for each.
- Class 7 traffic will have the most packets dropped in favor of Classes 3 and 5 maintaining their Egress Guaranteed throughput.
- All traffic continues to flow based on the overhead in each class’s Egress Max settings.
- Classes 3, 5, and 7 will each have round-robin packet drops as needed against the profile Egress Max.

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)
- Check dependencies
- Schedules
- Verify
- Revert content
- Install

A network security engineer configured IP multicast in the virtual router to support a new application. Users in different network segments are reporting that they are unable to access the application. What must be enabled to allow an interface to forward multicast traffic?
- IGMP
- SSM
- BFD
- PIM

Review the screenshots and consider the following information:
• FW-1 is assigned to the FW-1_DG device group and FW-2 is assigned to OFFICE_FW_DG
• There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups

Which IP address will be pushed to the firewalls inside Address Object Server-1?
- Server-1 on FW-1 will have IP 2.2.2.2; Server-1 will not be pushed to FW-2.
- Server-1 on FW-1 will have IP 3.3.3.3; Server-1 will not be pushed to FW-2.
- Server-1 on FW-1 will have IP 1.1.1.1; Server-1 will not be pushed to FW-2.
- Server-1 on FW-1 will have IP 4.4.4.4; Server-1 on FW-2 will have IP 1.1.1.1.

Given the Sample Log Forwarding Profile shown, which two statements are true? (Choose two.)
- All traffic from source network 192.168.100.0/24 is sent to an external syslog target.
- All threats are logged to Panorama.
- All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake.
- All traffic from source network 172.12.0.0/24 is sent to Panorama / Cortex Data Lake.

Which benefit do policy rule UUIDs provide?
- Functionality for scheduling policy actions
- The use of user IP mapping and groups in policies
- An audit trail across a policy’s lifespan
- Cloning of policies between device-groups

A system administrator runs a port scan using the company tool as part of a vulnerability check. The administrator finds that the scan is identified as a threat and is dropped by the firewall. After further investigating the logs, the administrator finds that the scan is dropped in the Threat Logs. What should the administrator do to allow the tool to scan through the firewall?
- Add the tool IP address to the reconnaissance protection source address exclusion in the DoS Protection profile.
- Add the tool IP address to the reconnaissance protection source address exclusion in the Zone Protection profile.
- Remove the Zone Protection profile from the zone setting.
- Change the TCP port scan action from Block to Alert in the Zone Protection profile.

A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. What is the valid naming convention for aggregate interfaces?
- po1/250
- aggregate.1
- ae.1
- lag.100

A company with already deployed Palo Alto firewalls has purchased their first Panorama server. The security team has already configured all firewalls with the Panorama IP address and added all the firewall serial numbers in Panorama. What are the next steps to migrate configuration from the firewalls to Panorama?
- Export Named Configuration Snapshot on each firewall, followed by Import Named Configuration Snapshot in Panorama.
- Use the Firewall Migration plugin to retrieve the configuration directly from the managed devices.
- Import Device Configuration to Panorama, followed by Export or Push Device Config Bundle.
- Use API calls to retrieve the configuration directly from the managed devices.

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
- The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
- The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
- The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet2.
- The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.)
- SMTP has a higher priority but lower bandwidth than Zoom.
- Facetime has a higher priority but lower bandwidth than Zoom.
- google-video has a higher priority and more bandwidth than WebEx.
- DNS has a higher priority and more bandwidth than SSH.

An engineer is attempting to resolve an issue with slow traffic. Which PAN-OS feature can be used to prioritize certain network traffic?
- Prisma Access for Mobile Users
- Forward Error Correction (FEC)
- SaaS Quality Profile
- Quality of Service (QoS)

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?
- Only Panorama can revert the override.
- The modification will not be visible in Panorama.
- Panorama will update the template with the overridden value.
- The firewall template will show that it is out of sync within Panorama.

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?
- It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
- It stops the tunnel-establishment processing to the GlobalProtect gateway immediately.
- It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS.
- It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.

Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted. What is the result of traffic that matches the “Alert -Threats” Profile Match List?
- The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
- The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes.
- The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.
- The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?
- test vpn flow
- test vpn tunnel
- test vpn gateway
- test vpn ike-sa

What is the dependency for users to access services that require authentication?
- An authentication profile that includes those services
- An authentication sequence that includes those services
- Disabling the authentication timeout
- A Security policy allowing users to access those services

An engineer is designing a deployment of multi-vsys firewalls. What must be taken into consideration when designing the device group structure?
- Only one vsys or one firewall can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
- Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall can have each vsys in a different device group.
- Multiple vsys and firewalls can be assigned to a device group, and a multi-vsys firewall must have all its vsys in a single device group.
- Only one vsys or one firewall can be assigned to a device group, except for a multi-vsys firewall, which must have all its vsys in a single device group.

An engineer needs to collect User-ID mappings from the company’s existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.)
- Client probing
- XFF Headers
- Syslog
- Server Monitoring

An engineer needs to configure SSL Forward Proxy to decrypt traffic on a PA-5260. The engineer uses a forward trust certificate from the enterprise PKI that expires December 31, 2025. The validity date on the PA-generated certificate is taken from what?
- The root CA
- The untrusted certificate
- The server certificate
- The trusted certificate

A network administrator is troubleshooting an issue with Phase 2 of an IPSec VPN tunnel. The administrator determines that the lifetime needs to be changed to match the peer. Where should this change be made?
- IKE Gateway profile
- IPSec Crypto profile
- IKE Crypto profile
- IPSec Tunnel settings

Which statement about High Availability timer settings is true?
- Use the Moderate timer for typical failover timer settings.
- Use the Critical timer for faster failover timer settings.
- Use the Aggressive timer for faster failover timer settings.
- Use the Recommended timer for faster failover timer settings.

A firewall administrator is trying to identify active routes learned via BGP in the virtual router runtime stats within the GUI. Where can they find this information?
- Routes listed in the routing table with flags O
- Routes listed in the routing table with flags A?B
- Under the BGP Summary tab
- Routes listed in the forwarding table with BGP in the Protocol column

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three.)
- PA-220
- PA-800 Series
- PA-5000 Series
- PA-500
- PA-3400 Series

As a best practice, logging at session start should be used in which case?
- While troubleshooting
- Only on Deny rule
- Only when log at session end is enabled
- On all Allow rules

What must be configured to apply tags automatically to User-ID logs?
- User mapping
- Log Forwarding profile
- Log settings
- Group mapping

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet. Which profile is the engineer configuring?
- Vulnerability Protection
- DoS Protection
- Packet Buffer Protection
- Zone Protection

Which states will a pair of firewalls be in if their HA Group ID is mismatched?
- Active/Non-functional
- Active/Passive
- Init/Init
- Active/Active

An engineer troubleshooting a site-to-site VPN finds a Security policy dropping the peer’s IKE traffic at the edge firewall. Both VPN peers are behind a NAT, and NAT-T is enabled. How can the engineer remediate this issue?
- Add a Security policy to allow UDP/500.
- Add a Security policy to allow the IKE application.
- Add a Security policy to allow the IPSec application.
- Add a Security policy to allow UDP/4501.

An administrator wants to grant read-only access to all firewall settings, except administrator accounts, to a new-hire colleague in the IT department. Which dynamic role does the administrator assign to the new-hire colleague?
- Superuser (read-only)
- Device administrator (read-only)
- Firewall administrator (read-only)
- System administrator (read-only)

An engineer has been given approval to upgrade their environment to PAN-OS 10.2. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?
- Upgrade the firewalls, upgrade log collectors, upgrade Panorama.
- Upgrade the firewalls, upgrade Panorama, upgrade the log collectors.
- Upgrade the log collectors, upgrade the firewalls, upgrade Panorama.
- Upgrade Panorama, upgrade the log collectors, upgrade the firewalls.

Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
- The forward trust certificate has not been signed by the self-signed root CA certificate.
- The forward trust certificate has not been installed in client systems.
- The forward untrust certificate has not been signed by the self-signed root CA certificate.
- The self-signed CA certificate has the same CN as the forward trust and untrust certificates.

An engineer is tasked with deploying SSL Forward Proxy decryption for their organization. What should they review with their leadership before implementation?
- Browser-supported cipher documentation
- Cipher documentation supported by the endpoint operating system
- URL risk-based category distinctions
- Legal compliance regulations and acceptable usage policies

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?
- Custom URL category in URL Filtering profile
- PAN-DB URL category in URL Filtering profile
- EDL in URL Filtering profile
- Custom URL category in Security policy rule

A network security engineer needs to enable Zone Protection in an environment that makes use of Cisco TrustSec Layer 2 protections. What should the engineer configure within a Zone Protection profile to ensure that the TrustSec packets are identified and actions are taken upon them?
- Stream ID in the IP Option Drop options
- Record Route in IP Option Drop options
- Ethernet SGT Protection
- TCP Fast Open in the Strip TCP options

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?
- Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot.
- Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot.
- Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit.
- Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

An administrator wants to enable Palo Alto Networks cloud services for Device Telemetry and IoT. Which type of certificate must be installed?
- External CA certificate
- Server certificate
- Device certificate
- Self-signed root CA certificate

Which Palo Alto Networks tool provides configuration heat map displays for security controls?
- Expedition
- Security Life Cycle Review
- Prevention Posture Assessment
- Best Practice Assessment

An engineer is configuring SSL Inbound Inspection for public access to a company’s application.
Which certificate(s) need to be installed on the firewall to ensure that inspection is performed successfully?
- Intermediate CA(s) and End-entity certificate
- Root CA and Intermediate CA(s)
- Self-signed certificate with exportable private key
- Self-signed CA and End-entity certificate

A network security administrator wants to begin inspecting bulk user HTTPS traffic flows egressing out of the internet edge firewall. Which certificate is the best choice to configure as an SSL Forward Trust certificate?
- A Machine Certificate for the firewall signed by the organization’s PKI
- A web server certificate signed by the organization’s PKI
- A subordinate Certificate Authority certificate signed by the organization’s PKI
- A self-signed Certificate Authority certificate generated by the firewall

A company has configured a URL Filtering profile with override action on their firewall. Which two profiles are needed to complete the configuration? (Choose two.)
- Decryption
- HTTP Server
- SSL/TLS Service
- Interface Management

Which three authentication types can be used to authenticate users? (Choose three.)
- Local database authentication
- PingID
- Kerberos single sign-on
- GlobalProtect client
- Cloud authentication service

Which feature checks Panorama connectivity status after a commit?
- HTTP Server profiles
- Device monitoring data under Panorama settings
- Automated commit recovery
- Scheduled config export

What are two explanations for this type of issue? (Choose two.)
- Either management or a data-plane interface is used as HA1-backup.
- One of the firewalls has gone into the suspected state.
- The peer IP is not included in the permit list on Management Interface Settings.
- The Backup Peer HA1 IP Address was not configured when the commit was issued.

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.)
- A certificate authority (CA) certificate
- A private key
- A server certificate
- A subject alternative name

An administrator is assisting a security engineering team with a decryption rollout for inbound and forward proxy traffic. Incorrect firewall sizing is preventing the team from decrypting all of the traffic they want to decrypt. Which three items should be prioritized for decryption? (Choose three.)
- Financial, health, and government traffic categories
- Less-trusted internal IP subnets
- Known malicious IP space
- High-risk traffic categories
- Public-facing servers

During a laptop-replacement project, remote users must be able to establish a GlobalProtect VPN connection to the corporate network before logging in to their new Windows 10 endpoints. The new laptops have the 5.2.10 GlobalProtect Agent installed, so the administrator chooses to use the Connect Before Logon feature to solve this issue. What must be configured to enable the Connect Before Logon feature?
- The Certificate profile in the GlobalProtect Portal Authentication Settings
- Registry keys on the Windows system
- The GlobalProtect Portal Agent App Settings Connect Method to Pre-logon then On-demand
- X-Auth Support in the GlobalProtect Gateway Tunnel Settings