Title of test:
bankito-pa

Description:
questions

Author:
erick

Creation Date:
12/01/2022

Category:
Others

Number of questions: 395
Content:
Which two mechanisms help prevent a split-brain scenario in an Active/Passive High Availability (HA) pair? (Choose two) Configure the management interface as HA3 Backup Configure Ethernet 1/1 as HA1 Backup Configure Ethernet 1/1 as HA2 Backup Configure the management interface as HA2 Backup Configure the management interface as HA1 Backup Configure ethernet1/1 as HA3 Backup.
Which two interface types can be used when configuring GlobalProtect Portal? (Choose two) Virtual Wire Loopback Layer 3 Tunnel.
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two) Untrust (Any) to Untrust (10.1.1.1) Ssh-Allow Untrust (Any) to DMZ (1.1.1.100) Ssh-Allow Untrust (Any) to DMZ (1.1.1.100) Web-browsing -Allow Untrust (Any) to Untrust (10.1.1.1) Web-browsing -Allow.
When you import the configuration of an HA pair into Panorama, how do you prevent the import from affecting ongoing traffic? Disable HA Disable the HA2 link Disable config sync Set the passive link state to 'shutdown'.
If the firewall has the link monitoring configuration, what will cause a failover? ethernet1/3 and ethernet1/6 going down ethernet1/3 going down ethernet1/3 or Ethernet1/6 going down ethernet1/6 going down.
6. An administrator accidentally closed the commit window/screen before the commit was finished. Which two options could the administrator use to verify the progress or success of that commit task? (Choose two.) Configuration Logs System Logs Task Manager Traffic Logs.
Which operation will impact the performance of the management plane? WildFire Submissions DoS Protection decrypting SSL Sessions Generating a SaaS Application Report.
8. What can cause missing SSL packets when performing a packet capture on dataplane interfaces? The packets are hardware offloaded to the offloaded processor on the dataplane The missing packets are offloaded to the management plane CPU The packets are not captured because they are encrypted There is a hardware problem with offloading FPGA on the management plane.
Firewall administrators cannot authenticate to a firewall GUI. Which two logs on that firewall will contain authentication-related information useful in troubleshooting this issue? (Choose two.) ms log authd log System log Traffic log dp-monitor.log.
You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three) High Medium Critical Informational Low.
11. Which three log-forwarding destinations require a server profile to be configured? (Choose three) SNMP Trap Email RADIUS Kerberos Panorama Syslog.
What is exchanged through the HA2 link? hello heartbeats User-ID information session synchronization HA state information.
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make? Detailed Log View URL Filtering Profile > gambling > "allow" Security Policy Rule URL Filtering Profile > Action "continue" URL Filtering Profile > Action "block".
An administrator sees several inbound sessions identified as unknown-tcp in the Traffic logs. The administrator determines that these sessions are from external users accessing the company's proprietary accounting application. The administrator wants to reliably identify this traffic as their accounting application and to scan this traffic for threats. Which option would achieve this result? Create a custom App-ID and enable scanning on the advanced tab. Create an Application Override policy. Create a custom App-ID and use the "ordered conditions" check box. Create an Application Override policy and custom threat signature for the application.
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to translate both IP address and port to 10.1.1.100 on TCP Port 8080. Which NAT and security rules must be configured on the firewall? (Choose two) A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3 zone using web-browsing application A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz- zone using service-http service. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone using service-http service. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3 zone using web-browsing application.
When you configure an active/active high availability pair which two links can you use? (Choose two) HA2 backup HA3 Console Backup HSCI-C.
An organization has recently migrated its infrastructure and configuration to NGFWs, for which Panorama manages the devices. The organization is coming from a L2-L4 firewall vendor, but wants to use App-ID while identifying policies that are no longer needed. Which Panorama tool can help this organization? Config Audit Policy Optimizer Application Groups Test Policy Match.
While troubleshooting an SSL Forward Proxy decryption issue which PAN-OS CLI command would you use to check the details of the end-entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate? show system setting ssl-decrypt certs show system setting ssl-decrypt certificate-cache show system setting ssl-decrypt certificate debug dataplane show ssl-decrypt ssl-stats.
When using the predefined default profile, the policy will inspect for viruses on the decoders. Match each decoder with its default action. Answer options may be used more than once or not at all. IMAP HTTP FTP, SMB POP3, SMTP.
When an in-band data port is set up to provide access to required services, what is required for an interface that is assigned to service routes? The interface must be used for traffic to the required services You must enable DoS and zone protection You must set the interface to Layer 2, Layer 3, or virtual wire You must use a static IP address.
In a firewall, which three decryption methods are valid? (Choose three) SSL Inbound Inspection SSL Outbound Proxyless Inspection SSL Inbound Proxy Decryption Mirror SSH Proxy.
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs? (Choose two) The devices are pre-configured with a virtual wire pair out the first two interfaces. The devices are licensed and ready for deployment. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS connections. A default bidirectional rule is configured that allows Untrust zone traffic to go to the Trust zone. The interfaces are pingable.
If a template stack is assigned to a device and the stack includes three templates with overlapping settings, which settings are published to the device when the template stack is pushed? The settings assigned to the template that is on top of the stack. The administrator will be prompted to choose the settings for that chosen firewall. All the settings configured in all templates. Depending on the firewall location, Panorama decides which settings to send.
Which method will dynamically register tags on the Palo Alto Networks NGFW? Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC) Restful API or the VMware API on the firewall or on the User-ID agent XML-API or the VMware API on the firewall or on the User-ID agent or the CLI XML API or the VM Monitoring agent on the NGFW or on the User-ID agent.
A company hosts a publicly accessible web server behind a Palo Alto Networks next generation firewall with the following configuration information. Users outside the company are in the "Untrust-L3" zone The web server physically resides in the "Trust-L3" zone. Web server public IP address: 23.54.6.10 Web server private IP address: 192.168.1.10 Which two items must the NAT policy contain to allow users in the untrust-L3 zone to access the web server? (Choose two) Untrust-L3 for both Source and Destination zone Destination IP of 192.168.1.10 Untrust-L3 for Source Zone and Trust-L3 for Destination Zone Destination IP of 23.54.6.10.
26. Below are the steps in the workflow for creating a Best Practice Assessment in a firewall and Panorama configuration. Place the steps in order. In either the NGFW or in Panorama, on the Operations/Support tab, download the technical support file. Log in to the Customer Support Portal (CSP) and navigate to Tools > Best Practice Assessment. Upload or drag and drop the technical support file. Map the zone type and area of the architecture to each zone. Follow the steps to download the BPA report bundle.
A company.com wants to enable Application Override. Given the following screenshot: Which two statements are true if Source and Destination traffic match the Application Override policy? (Choose two) Traffic that matches "rtp-base" will bypass the App-ID and Content-ID engines. Traffic will be forced to operate over UDP Port 16384. Traffic utilizing UDP Port 16384 will now be identified as "rtp-base". Traffic utilizing UDP Port 16384 will bypass the App-ID and Content-ID engines.
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a firewall. Which part of files needs to be imported back into the replacement firewall that is using Panorama? Device state and license files Configuration and serial number files Configuration and statistics files Configuration and Large Scale VPN (LSVPN) setups file.
When a malware-infected host attempts to resolve a known command-and-control server, the traffic matches a security policy with DNS sinkhole enabled, generating a traffic log. What will be the destination IP Address in that log entry? The IP Address of sinkhole.paloaltonetworks.com The IP Address of the command-and-control server The IP Address specified in the sinkhole configuration The IP Address of one of the external DNS servers identified in the anti-spyware database.
Which GlobalProtect Client connect method requires the distribution and use of machine certificates? User-logon (Always on) At-boot On-demand Pre-logon.
Which data flow describes redistribution of user mappings? User-ID agent to firewall firewall to firewall Domain Controller to User-ID agent User-ID agent to Panorama.
The firewall identifies a popular application as an unknown-tcp. Which two options are available to identify the application? (Choose two.) Create a custom application. Create a custom object for the custom application server to identify the custom application. Submit an App-ID request to Palo Alto Networks. Create a Security policy to identify the custom application.
33. Which two methods can be used to mitigate resource exhaustion of an application server? (Choose two) Vulnerability Object DoS Protection Profile Data Filtering Profile Zone Protection Profile.
How is the Forward Untrust Certificate used? It issues certificates encountered on the Untrust security zone when clients attempt to connect to a site that has been decrypted It is used when web servers request a client certificate. It is presented to clients when the server they are connecting to is signed by a certificate authority that is not trusted by firewall. It is used for Captive Portal to identify unknown users.
An Administrator is configuring an IPSec VPN to a Cisco ASA at the administrator's home and experiencing issues completing the connection. The following is the output from the command: less mp-log ikemgr.log: What could be the cause of this problem? The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA. The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA. The shared secrets do not match between the Palo Alto firewall and the ASA The dead peer detection settings do not match between the Palo Alto Networks Firewall and the ASA.
An administrator wants to upgrade a firewall HA pair to PAN-OS 10.1. The firewalls are currently running PAN-OS 8.1.17. Which upgrade path maintains synchronization of the HA session (and prevents network outage)? Upgrade directly to the target major version Upgrade one major version at a time Upgrade the HA pair to a base image Upgrade two major versions at a time.
37. What is a key step in implementing WildFire best practices? In a mission-critical network, increase the WildFire size limits to the maximum value In a security-first network set the WildFire size limits to the minimum value Configure the firewall to retrieve content updates every minute Ensure that a Threat Prevention subscription is active.
Which value in the Application column indicates UDP traffic that did not match an App-ID signature? not-applicable incomplete unknown-ip unknown-udp.
39. During SSL decryption which three factors affect resource consumption? (Choose three) TLS protocol version transaction size key exchange algorithm applications that use non-standard ports certificate issuer.
Which Security policy rule will allow an admin to block facebook chat but allow Facebook in general? Deny application facebook-chat before allowing application facebook Deny application facebook on top Allow application facebook on top Allow application facebook before denying application facebook-chat.
A network security engineer has applied a File Blocking profile to a rule with the action of Block. The user of a Linux CLI operating system has opened a ticket. The ticket states that the user is being blocked by the firewall when trying to download a TAR file. The user is getting no error response on the system. Where is the best place to validate if the firewall is blocking the user's TAR file? Threat log Data Filtering log WildFire Submissions log URL Filtering log.
When performing the "ping" test shown in this CLI output: What will be the source address in the ICMP packet? 10.30.0.93 10.46.72.93 10.46.64.94 192.168.93.1.
An engineer is creating a security policy based on Dynamic User Groups (DUG). What benefit does this provide? Automatically include users as members without having to manually create and commit policy or group changes DUGs are used to only allow administrators access to the management interface on the Palo Alto Networks firewall It enables the functionality to decrypt traffic and scan for malicious behaviour for User-ID based policies Schedule commits at regular intervals to update the DUG with new users matching the tags specified.
What are two benefits of nested device groups in Panorama? (Choose two.) Reuse of the existing Security policy rules and objects Requires configuring both function and location for every device All device groups inherit settings from the Shared group Overwrites local firewall configuration.
45. A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive mode. Which statement is true about this deployment? The two devices must share a routable floating IP address The two devices may be different models within the PA-5000 series The HA1 IP address from each peer must be on a different subnet The management port may be used for a backup control connection.
An administrator logs in to the Palo Alto Networks NGFW and reports that the WebUI is missing the Policies tab. Which profile is the cause of the missing Policies tab? Admin Role WebUI Authentication Authorization.
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.) Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions Enable User-ID on the zone object for the destination zone Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions Enable User-ID on the zone object for the source zone Configure a RADIUS server profile to point to a domain controller.
A network administrator wants to use a certificate for the SSL/TLS Service Profile. Which type of certificate should the administrator use? certificate authority (CA) certificate client certificate machine certificate server certificate.
49. Using multiple templates in a stack to manage many firewalls provides which two advantages? (Choose two.) inherit address-objects from templates define a common standard template configuration for firewalls standardize server profiles and authentication configuration across all stacks standardize log-forwarding profiles for security policies across all stacks.
Refer to the exhibit. An administrator is using DNAT to map two servers to a single public IP address. Traffic will be steered to the specific server based on the application, where Host A (10.1.1.100) receives HTTP traffic and Host B (10.1.1.101) receives SSH traffic. Which two security policy rules will accomplish this configuration? (Choose two.) Untrust (Any) to DMZ (10.1.1.100, 10.1.1.101), ssh, web-browsing -Allow Untrust (Any) to DMZ (1.1.1.100), web-browsing -Allow Untrust (Any) to Untrust (10.1.1.1), web-browsing -Allow Untrust (Any) to Untrust (10.1.1.1), SSH -Allow Untrust (Any) to DMZ (1.1.1.100), SSH -Allow.
51. People are having intermittent quality issues during a live meeting via web application. How can the performance of this application be improved? Use QoS profile to define QoS Classes Use QoS Classes to define QoS Profile Use QoS Profile to define QoS Classes and a QoS Policy Use QoS Classes to define QoS Profile and a QoS Policy.
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? Log Alert Allow Default.
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP port 443. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from Trust to DMZ is being decrypted with a Forward Proxy rule. Which combination of service and application, and order of Security policy rules, needs to be configured to allow cleartext web-browsing traffic to this server on tcp/443? Rule #1: application: web-browsing; service: application-default; action: allow Rule #2: application: ssl; service: application-default; action: allow Rule #1: application: web-browsing; service: service-https; action: allow Rule #2: application: ssl; service: application-default; action: allow Rule #1: application: ssl; service: application-default; action: allow Rule #2: application: web-browsing; service: application-default; action: allow Rule #1: application: web-browsing; service: service-http; action: allow Rule #2: application: ssl; service: application-default; action: allow.
54. YouTube videos are consuming too much bandwidth on the network, causing delays in mission-critical traffic. The administrator wants to throttle YouTube traffic. The following interfaces and zones are in use on the firewall: * ethernet1/1, Zone: Untrust (Internet-facing) * ethernet1/2, Zone: Trust (client-facing) A QoS profile has been created, and QoS has been enabled on both interfaces. A QoS rule exists to put the YouTube application into QoS class 6. Interface Ethernet1/1 has a QoS profile called Outbound, and interface Ethernet1/2 has a QoS profile called Inbound. Which setting for class 6 will throttle YouTube traffic? Outbound profile with Guaranteed Ingress Outbound profile with Maximum Ingress Inbound profile with Guaranteed Egress Inbound profile with Maximum Egress.
Refer to Exhibit: A firewall has three PBF rules and a default route with a next hop of 172.29.19.1 that is configured in the default VR. A user named Will has a PC with a 192.168.101.10 IP address. He makes an HTTPS connection to 172.16.10.29. What is the next hop IP address for the HTTPS traffic from Will's PC? 172.20.30.1 172.20.20.1 172.20.10.1 172.20.40.1.
A Network Administrator wants to deploy a Large Scale VPN solution. The Network Administrator has chosen a GlobalProtect Satellite solution. This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations. How should this be accomplished? Create a Template with the appropriate IKE Gateway settings Create a Template with the appropriate IPSec tunnel settings Create a Device Group with the appropriate IKE Gateway settings Create a Device Group with the appropriate IPSec tunnel settings.
What are three possible verdicts that WildFire can provide for an analyzed sample? (Choose three) Clean Benign Adware Suspicious Grayware Malware.
Which menu item enables a firewall administrator to see details about traffic that is currently active through the NGFW? App Scope ACC Session Browser System Logs.
To more easily reuse templates and template stacks, you can create template variables in place of firewall-specific and appliance-specific IP literals in your configurations. Which one is the correct configuration? @Panorama #Panorama &Panorama $Panorama.
For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two) equal-cost multipath ingress processing errors rule match with action "allow" rule match with action "deny".
61. An administrator wants to enable zone protection. Before doing so, what must the administrator consider? Activate a zone protection subscription. To increase bandwidth no more than one firewall interface should be connected to a zone Security policy rules do not prevent lateral movement of traffic between zones The zone protection profile will apply to all interfaces within that zone.
What are the two behavior differences between Highlight Unused Rules and the Rule Usage Hit counter when a firewall is rebooted? (Choose two.) Rule Usage Hit counter will not be reset Highlight Unused Rules will highlight all rules. Highlight Unused Rules will highlight zero rules. Rule Usage Hit counter will reset.
Which CLI command enables an administrator to view details about the firewall including uptime, PAN-OS® version, and serial number? debug system details show session info show system info show system details.
An administrator wants to upgrade an NGFW from PAN-OS® 9.0 to PAN-OS® 10.0. The firewall is not a part of an HA pair. What needs to be updated first? XML Agent Applications and Threats WildFire PAN-OS® Upgrade Agent.
65. A company has a policy that denies all applications it classifies as bad and permits only applications it classifies as good. The firewall administrator created the following security policy on the company's firewall. Which interface configuration will accept specific VLAN IDs? Which two benefits are gained from having both rule 2 and rule 3 present? (Choose two) A report can be created that identifies unclassified traffic on the network. Different security profiles can be applied to traffic matching rules 2 and 3. Rule 2 and 3 apply to traffic on different ports. Separate Log Forwarding profiles can be applied to rules 2 and 3.
Which three authentication factors does PAN-OS® software support for MFA? (Choose three.) Push Pull Okta Adaptive Voice SMS.
How does Panorama prompt VMWare NSX to quarantine an infected VM? HTTP Server Profile Syslog Server Profile Email Server Profile SNMP Server Profile.
A logging infrastructure may need to handle more than 10,000 logs per second. Which two options support a dedicated log collector function? (Choose two) Panorama virtual appliance on ESX(i) only M-500 M-100 with Panorama installed M-100.
Decrypted packets from the website https://www.microsoft.com will appear as which application and service within the Traffic log? web-browsing and 443 SSL and 80 SSL and 443 web-browsing and 80.
A customer wants to combine multiple Ethernet interfaces into a single virtual interface using link aggregation. Which two formats are correct for naming aggregate interfaces? (Choose two.) ae.8 aggregate.1 ae.1 aggregate.8.
A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an interface Management profile to secure management access? (Choose three) HTTP User-ID SSH HTTPS Permitted IP Addresses.
72. A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4. Which three methods can the firewall administrator use to install PAN-OS 8.0.4 across the enterprise? (Choose three) Download PAN-OS 8.0.4 files from the support site and install them on each firewall after manually uploading. Download PAN-OS 8.0.4 to a USB drive and the firewall will automatically update after the USB drive is inserted in the firewall. Push the PAN-OS 8.0.4 updates from the support site to install on each firewall. Push the PAN-OS 8.0.4 update from one firewall to all of the other remaining after updating one firewall. Download and install PAN-OS 8.0.4 directly on each firewall. Download and push PAN-OS 8.0.4 from Panorama to each firewall.
73. Which statement accurately describes service routes and virtual systems? Virtual systems can only use one interface for all global service and service routes of the firewall The interface must be used for traffic to the required external services Virtual systems that do not have specific service routes configured inherit the global service and service route settings for the firewall Virtual systems cannot have dedicated service routes configured: and virtual systems always use the global service and service route settings for the firewall.
A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down? Create and add a monitor profile with an action of fail over in the PBF rule in question Create and add a monitor profile with an action of wait recover in the PBF rule in question Configure path monitoring for the next hop gateway on the default route in the virtual router Enable and configure a link monitoring profile for the external interface of the firewall.
If the firewall is configured for credential phishing prevention using the "Domain Credential Filter" method, which login will be detected as credential theft? Mapping to the IP address of the logged-in user. First four letters of the username matching any valid corporate username. Using the same user's corporate username and password. Matching any valid corporate username.
76. An administrator with 84 firewalls and Panorama does not see any WildFire logs in Panorama. All 84 firewalls have an active WildFire subscription. On each firewall WildFire logs are available. This issue is occurring because forwarding of which type of logs from the firewalls to Panorama is missing? System logs Traffic logs WildFire logs Threat logs.
77. Support for which authentication method was added in PAN-OS 8.0? RADIUS LDAP Diameter TACACS+.
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic? check find test sim.
79. Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.) Verify AutoFocus status using CLI. Check the WebUI Dashboard AutoFocus widget. Check for WildFire forwarding logs. Check the license Verify AutoFocus is enabled below Device Management tab.
80. On the NGFW, how can you generate and block a private key from export and thus harden your security posture and prevent rogue administrators or other bad actors from misusing keys? 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Import the certificate. 3. Select Import Private Key 4. Click Generate to generate the new certificate 1. Select Device > Certificates 2. Select Certificate Profile 3. Generate the certificate 4. Select Block Private Key Export. 1. Select Device > Certificates 2. Select Certificate Profile. 3. Generate the certificate 4. Select Block Private Key Export 1. Select Device > Certificate Management > Certificates > Device > Certificates 2. Generate the certificate 3. Select Block Private Key Export 4. Click Generate to generate the new certificate.
Which administrative authentication method supports authorization by an external service? Certificates LDAP RADIUS SSH keys.
82. How can packet buffer protection be configured? at the device level (globally) to protect firewall resources and ingress zones, but not at the zone level at the device level (globally) and if enabled globally, at the zone level at the interface level to protect firewall resources at zone level to protect firewall resources and ingress zones but not at the device level.
Which Palo Alto Networks VM-Series firewall is valid? VM-25 VM-800 VM-50 VM-400.
An existing NGFW customer requires direct internet access offload locally at each site and IPSec connectivity to all branches over public internet. One requirement is that no new SD-WAN hardware be introduced to the environment. What is the best solution for the customer? Configure a remote network on PAN-OS Upgrade to a PAN-OS SD-WAN subscription Deploy Prisma SD-WAN with Prisma Access Configure policy-based forwarding.
The following objects and policies are defined in a device group hierarchy. Dallas-Branch has Dallas-FW as a member of the Dallas-Branch device-group NYC-DC has NYC-FW as a member of the NYC-DC device-group What objects and policies will the Dallas-FW receive if "Share Unused Address and Service Objects" is enabled in Panorama? Address Objects -Shared Address1 -Branch Address1 Policies -Shared Policy1 -Branch Policy1 Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1 Address Objects -Shared Address1 -Shared Address2 -Branch Address1 -DC Address1 Policies -Shared Policy1 -Shared Policy2 -Branch Policy1 Address Objects -Shared Address1 -Shared Address2 -Branch Address1 Policies -Shared Policy1 -Branch Policy1.
An administrator wants a new Palo Alto Networks NGFW to obtain automatic application updates daily, so it is configured to use a scheduler for the application database. Unfortunately, they required the management network to be isolated so that it cannot reach the internet. Which configuration will enable the firewall to download and install application updates automatically? Configure a Policy Based Forwarding policy rule for the update server IP address so that traffic sourced from the management interface destined for the update servers goes out of the interface acting as your internet connection. Configure a security policy rule to allow all traffic to and from the update servers. Download and install application updates cannot be done automatically if the MGT port cannot reach the internet. Configure a service route for Palo Alto networks services that uses a dataplane interface that can route traffic to the internet, and create a security policy rule to allow the traffic from that interface to the update servers if necessary.
An administrator creates a custom application containing Layer 7 signatures. The latest application and threat dynamic update is downloaded to the same NGFW. The update contains an application that matches the same traffic signatures as the custom application. Which application should be used to identify traffic traversing the NGFW? Custom application System logs show an application error and neither signature is used. Downloaded application Custom and downloaded application signature files are merged and both are used.
Which Panorama administrator types require the configuration of at least one access domain? (Choose two) Dynamic Custom Panorama Admin Role Based Device Group Template Admin.
Match each SD-WAN configuration element to the description of that element. SD-WAN interface profile Path Quality profile Traffic Distribution profile SD-WAN policy rule.
An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.) WildFire updates NAT NTP antivirus File blocking.
91. What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three) configure a device block list rename a vsys on a multi-vsys firewall enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode add administrator accounts change the firewall management IP address.
Palo Alto Networks maintains a dynamic database of malicious domains. Which two Security Platform components use this database to prevent threats? (Choose two) Brute-force signatures BrightCloud URL Filtering PAN-DB URL Filtering DNS-based command-and-control signatures.
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows: The USB flash drive has been inserted in the firewall's USB port, and the firewall has been restarted using command: > request restart system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because Firewall must be in factory default state or have all private data deleted for bootstrapping The hostname is a required parameter, but it is missing in init-cfg.txt The USB must be formatted using the ext3 file system, FAT32 is not supported PANOS version must be 9.1.x at a minimum but the firewall is running 10.0.x The bootstrap.xml file is a required file but it is missing.
An Administrator is configuring Authentication Enforcement and they would like to create an exemption rule to exempt a specific group from authentication. Which authentication enforcement object should they select? default-browser-challenge default-authentication-bypass default-web-format default-no-captive-portal.
Which three items are important considerations during SD-WAN configuration planning? (Choose three.) link requirements the name of the ISP IP Addresses branch and hub locations.
96. Which three fields can be included in a pcap filter? (Choose three) Egress interface Source IP Rule number Destination IP Ingress interface.
How can an administrator configure the NGFW to automatically quarantine a device using GlobalProtect? by adding the device's Host ID to a quarantine list and configure GlobalProtect to prevent users from connecting to the GlobalProtect gateway from a quarantined device by using security policies, log forwarding profiles, and log settings. by exporting the list of quarantined devices to a pdf or csv file by selecting PDF/CSV at the bottom of the Device Quarantine page and leveraging the appropriate XSOAR playbook There is no native auto-quarantine feature so a custom script would need to be leveraged.
99. In URL filtering, which component matches URL patterns? live URL feeds on the management plane security processing on the data plane signature matching on the data plane single-pass pattern matching on the data plane.
100. The GlobalProtect Portal interface and IP address have been configured. Which other value needs to be defined to complete the network settings configuration of GlobalProtect Portal? Server Certificate Client Certificate Authentication Profile Certificate Profile.
Which three file types can be forwarded to WildFire for analysis as a part of the basic WildFire service? (Choose three.) .dll .exe .src .apk .pdf .jar.
Which processing order will be enabled when a Panorama administrator selects the setting "Objects defined in ancestors will take higher precedence?" Descendant objects will take precedence over other descendant objects. Descendant objects will take precedence over ancestor objects. Ancestor objects will have precedence over descendant objects. Ancestor objects will have precedence over other ancestor objects.
104. Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose two) From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes Enter the command request system system-mode logger then enter Y to confirm the change to Log Collector mode. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes. Enter the command logger-mode enable then enter Y to confirm the change to Log Collector mode. Log in the Panorama CLI of the dedicated Log Collector.
Refer to the exhibit. Which will be the egress interface if the traffic's ingress interface is ethernet 1/7 sourcing from 192.168.111.3 and to the destination 10.46.41.113? ethernet1/6 ethernet1/3 ethernet1/7 ethernet1/5.
In which two types of deployment is active/active HA configuration supported? (Choose two.) TAP mode Layer 2 mode Virtual Wire mode Layer 3 mode.
107. A network security engineer has a requirement to allow an external server to access an internal web server. The internal web server must also initiate connections with the external server. What can be done to simplify the NAT policy? Configure ECMP to handle matching NAT traffic Configure a NAT Policy rule with Dynamic IP and Port Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi-directional option Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bi-directional option.
A web server is hosted in the DMZ, and the server is configured to listen for incoming connections only on TCP port 8080. A Security policy rule allowing access from the Trust zone to the DMZ zone needs to be configured to enable web browsing access to the server. Which application and service need to be configured to allow only cleartext web-browsing traffic to this server on tcp/8080? application: web-browsing; service: application-default application: web-browsing; service: service-https application: ssl; service: any application: web-browsing; service: (custom with destination TCP port 8080).
To protect your firewall and network from single source denial of service (DoS) attacks that can overwhelm its packet buffer and cause legitimate traffic to drop, you can configure. BGP (Border Gateway Protocol) PBP (Packet Buffer Protection) PGP (Packet Gateway Protocol) PBP (Protocol Based Protection).
A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port which it connects. How would an administrator configure the interface to 1Gbps? set deviceconfig interface speed-duplex 1Gbps-full-duplex set deviceconfig system speed-duplex 1Gbps-duplex set deviceconfig system speed-duplex 1Gbps-full-duplex set deviceconfig Interface speed-duplex 1Gbps-half-duplex.
Which Zone Pair and Rule Type will allow a successful connection for a user on the internet zone to a web server hosted in the DMZ zone? The web server is reachable using a destination NAT policy in the Palo Alto Networks firewall. Zone Pair: Source Zone: Internet Destination Zone: DMZ Rule Type: "intrazone" Zone Pair: Source Zone: Internet Destination Zone: DMZ Rule Type: "intrazone" or "universal" Zone Pair: Source Zone: Internet Destination Zone: Internet Rule Type: "intrazone" or "universal" Zone Pair: Source Zone: Internet Destination Zone: Internet Rule Type: "intrazone".
A company needs to preconfigure firewalls to be sent to remote sites with the least amount of preconfiguration. Once deployed, each firewall must establish secure tunnels back to multiple regional data centers, to include the future regional data centers. Which VPN preconfigured configuration would adapt to changes when deployed to the future site? IPsec tunnels using IKEv2 PPTP tunnels GlobalProtect satellite GlobalProtect client.
113. After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem? A Server Profile has not been configured for logging to this Panorama device. Panorama is not licensed to receive logs from this particular firewall. The firewall is not licensed for logging to this Panorama device. None of the firewall's policies have been assigned a Log Forwarding profile.
114. The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.) View the System logs and look for the error messages about BGP. Perform a traffic pcap on the NGFW to see any BGP problems. View the Runtime Stats and look for problems with BGP configuration. View the ACC tab to isolate routing issues.
If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect traffic to the server? TLS Bidirectional Inspection SSL Inbound Inspection SSH Forward Proxy SMTP Inbound Decryption.
An administrator needs to validate that policies that will be deployed will match the appropriate rules in the device-group hierarchy. Which tool can the administrator use to review the policy creation logic and verify that unwanted traffic is not allowed? Policy Optimizer Test Policy Match Preview Changes Managed Devices Health.
How would an administrator monitor/capture traffic on the management interface of the Palo Alto Networks NGFW? Use the debug dataplane packet-diag set capture stage firewall file command. Enable all four stages of traffic capture (TX, RX, DROP, Firewall). Use the debug dataplane packet-diag set capture stage management file command. Use the tcpdump command.
The firewall is not downloading IP addresses from MineMeld. Based on the image, what most likely is wrong? A Certificate Profile that contains the client certificate needs to be selected. The source address supports only files hosted with an ftp://<address/file>. External Dynamic Lists do not support SSL connections. A Certificate Profile that contains the CA certificate needs to be selected.
Refer to the exhibit. A web server in the DMZ is being mapped to a public address through DNAT. Which Security policy rule will allow traffic to flow to the web server? Untrust (any) to Untrust (10.1.1.100), web browsing - Allow Untrust (any) to Untrust (1.1.1.100), web browsing - Allow Untrust (any) to DMZ (1.1.1.100), web browsing - Allow Untrust (any) to DMZ (10.1.1.100), web browsing - Allow.
Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services? Configure a Decryption Profile and select SSL/TLS services. Set up SSL/TLS under Policies > Service/URL Category > Service. Set up Security policy rule to allow SSL communication. Configure an SSL/TLS Profile.
123. The UDP-4501 protocol-port is used between which two GlobalProtect components? GlobalProtect app and GlobalProtect gateway GlobalProtect portal and GlobalProtect gateway GlobalProtect app and GlobalProtect satellite GlobalProtect app and GlobalProtect portal.
124. Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a "No Decrypt" action? (Choose two.) Block sessions with expired certificates Block sessions with client authentication Block sessions with unsupported cipher suites Block sessions with untrusted issuers Block credential phishing.
125. A network engineer has received a report of problems reaching 98.139.183.24 through vr1 on the firewall. The routing table on this firewall is extensive and complex. Which CLI command will help identify the issue? test routing fib virtual-router vr1 show routing route type static destination 98.139.183.24 test routing fib-lookup ip 98.139.183.24 virtual-router vr1 show routing interface.
126. An administrator needs to troubleshoot a User-ID deployment. The administrator believes that there is an issue related to LDAP authentication. The administrator wants to create a packet capture on the management plane. Which CLI command should the administrator use to obtain the packet capture for validating the configuration? > ftp export mgmt-pcap from mgmt.pcap to <FTP host> > scp export mgmt-pcap from mgmt.pcap to <username@host:path> > scp export pcap-mgmt from pcap.mgmt to (username@host:path) > scp export pcap from pcap to (username@host:path).
127. A remote administrator needs firewall access on an untrusted interface. Which two components are required on the firewall to configure certificate-based administrator authentication to the web UI? (Choose two) client certificate certificate profile certificate authority (CA) certificate server certificate.
128. Which option describes the operation of the automatic commit recovery feature? It enables a firewall to revert to the previous configuration if rule shadowing is detected It enables a firewall to revert to the previous configuration if a commit causes Panorama connectivity failure. It enables a firewall to revert to the previous configuration if application dependency errors are found It enables a firewall to revert to the previous configuration if a commit causes HA partner connectivity failure.
129. Which logs enable a firewall administrator to determine whether a session was decrypted? Correlated Event Traffic Decryption Security Policy.
When setting up a security profile which three items can you use? (Choose three) Wildfire analysis anti-ransom ware antivirus URL filtering decryption profile.
Refer to exhibit. An organization has Palo Alto Networks NGFWs that send logs to remote monitoring and security management platforms. The network team has reported excessive traffic on the corporate WAN. How could the Palo Alto Networks NGFW administrator reduce WAN traffic while maintaining support for all existing monitoring/ security platforms? Forward logs from firewalls only to Panorama and have Panorama forward logs to other external services. Forward logs from external sources to Panorama for correlation, and from Panorama send them to the NGFW. Configure log compression and optimization features on all remote firewalls. Any configuration on an M-500 would address the insufficient bandwidth concerns.
A customer wants to set up a VLAN interface for a Layer 2 Ethernet port. Which two mandatory options are used to configure a VLAN interface? (Choose two.) Virtual router Security zone ARP entries Netflow Profile.
133. An enterprise has a large Palo Alto Networks footprint that includes onsite firewalls and Prisma Access for mobile users, which is managed by Panorama. The enterprise already uses GlobalProtect with SAML authentication to obtain IP-to-user mapping information. However, Information Security wants to use this information in Prisma Access for policy enforcement based on group mapping. Information Security uses on-premises Active Directory (AD) but is uncertain about what is needed for Prisma Access to learn groups from AD. How can policies based on group mapping be learned and enforced in Prisma Access? Configure Prisma Access to learn group mapping via SAML assertion Assign a master device in Panorama through which Prisma Access learns groups Set up group mapping redistribution between an onsite Palo Alto Networks firewall and Prisma Access Create a group mapping configuration that references an LDAP profile that points to on-premises domain controllers.
134. What are three reasons why an installed session can be identified with the “application incomplete” tag? The TCP connection was terminated without identifying any application data The client sent a TCP segment with the PUSH flag set There is not enough application data after the TCP connection was established The TCP connection did not fully establish There was no application data after the TCP connection was established.
Which field is optional when creating a new Security Policy rule? Name Description Source Zone Destination Zone Action.
Refer to the exhibit. An administrator cannot see any of the Traffic logs from the Palo Alto Networks NGFW on Panorama. The configuration problem seems to be on the firewall side. Where is the best place on the Palo Alto Networks NGFW to check whether the configuration is correct? Panorama Settings > Panorama Servers Security Profile Rule > Actions > Log Setting Syslog Server profile > Servers Panorama Settings > Secure server communication.
A network security engineer needs to configure a virtual router using IPv6 addresses. Which two routing options support these addresses? (Choose two) BGP not sure OSPFv3 RIP Static Route.
PBF can address which two scenarios? (Select Two) forwarding all traffic by using source port 78249 to a specific egress interface providing application connectivity the primary circuit fails enabling the firewall to bypass Layer 7 inspection routing FTP to a backup ISP link to save bandwidth on the primary ISP link.
139. When is the content inspection performed in the packet flow process? after the application has been identified before session lookup before the packet forwarding process after the SSL Proxy re-encrypts the packet.
An administrator encountered problems with inbound decryption. Which option should the administrator investigate as part of triage? Security policy rule allowing SSL to the target server Firewall connectivity to a CRL Root certificate imported into the firewall with "Trust" enabled Importation of a certificate from an HSM.
Updates to dynamic user group membership are automatic therefore using dynamic user groups instead of static group objects allows you to: respond to changes in user behavior or potential threats using manual policy changes respond to changes in user behavior or potential threats without automatic policy changes respond to changes in user behavior and confirmed threats with manual policy changes respond to changes in user behavior or potential threats without manual policy changes.
Which DoS protection mechanism detects and prevents session exhaustion attacks? Packet Based Attack Protection Flood Protection Resource Protection TCP Port Scan Protection.
143. With the default TCP and UDP settings on the firewall what will be the identified application in the following session? incomplete unknown-tcp insufficient-data unknown-udp.
An engineer must configure the Decryption Broker feature. To which router must the engineer assign the decryption forwarding interfaces that are used in the Decryption Broker security chain? a virtual router that has no additional interfaces for passing data-plane traffic and no other configured routes than those used for the security chain the virtual router that routes the traffic that the Decryption Broker security chain inspects a virtual router that is configured with at least one dynamic routing protocol and has at least one entry in the RIB the default virtual router (If there is no default virtual router the engineer must create one during setup).
An administrator deploys PA-500 NGFWs as an active/passive high availability pair. The devices are not participating in dynamic routing and preemption is disabled. What must be verified to upgrade the firewalls to the most recent version of PAN-OS software? Wildfire update package User-ID agent Anti virus update package Application and Threats update package.
In the following image from Panorama, why are some values shown in red? sg2 session count is the lowest compared to the other managed devices. us3 has a logging rate that deviates from the administrator-configured thresholds. uk3 has a logging rate that deviates from the seven-day calculated baseline. sg2 has misconfigured session thresholds.
Refer to the diagram. An administrator needs to create an address object that will be useable by the NYC, MA, CA and WA device groups. Where will the object need to be created within the device-group hierarchy? Americas US East West.
149. Which option is an IPv6 routing protocol? RIPv3 OSPFv3 OSPv3 BGP NG.
An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.) View Runtime Stats in the virtual router. View System logs. Add a redistribution profile to forward as BGP updates. Perform a traffic pcap at the routing stage.
An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted? In the details of the Traffic log entries Decryption log Data Filtering log In the details of the Threat log entries.
154. What must be used in Security Policy Rules that contain addresses where NAT policy applies? Pre-NAT addresses and Pre-NAT zones Post-NAT addresses and Post-NAT zones Pre-NAT addresses and Post-NAT zones Post-NAT addresses and Pre-NAT zones.
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive High Availability (HA) pair? (Choose two.) The firewalls must have the same set of licenses. The management interfaces must be on the same network. The peer HA1 IP address must be the same on both firewalls. HA1 should be connected to HA1, either directly or with an intermediate Layer 2 device.
156. Which CLI command can be used to export the tcpdump capture? scp export tcpdump from mgmt.pcap to <username@host:path> scp extract mgmt-pcap from mgmt.pcap to <username@host:path> scp export mgmt-pcap from mgmt.pcap to <username@host:path> download mgmt.-pcap.
Company.com has an in-house application that the Palo Alto Networks device doesn't identify correctly. A Threat Management Team member has mentioned that this in-house application is very sensitive and all traffic being identified needs to be inspected by the Content-ID engine. Which method should company.com use to immediately address this traffic on a Palo Alto Networks device? Create a custom Application without signatures, then create an Application Override policy that includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic. Wait until an official Application signature is provided from Palo Alto Networks. Modify the session timer settings on the closest referenced application to meet the needs of the in-house application. Create a Custom Application with signatures matching unique identifiers of the in-house application traffic.
Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity. The administrator wants to determine where the traffic is going on the company. What would be the administrator's next step? Right-Click on the bittorrent link and select Value from the context menu Create a global filter for bittorrent traffic and then view Traffic logs. Create local filter for bittorrent traffic and then view Traffic logs. Click on the bittorrent application link to view network activity.
159. In a Panorama template which three types of objects are configurable? (Choose three) HIP objects QoS profiles interface management profiles certificate profiles security profiles.
160. Which two statements are true for the DNS Security service? (Choose two.) It eliminates the need for dynamic DNS updates It functions like PAN-DB and requires activation through the app portal It removes the 100K limit for DNS entries for the downloaded DNS updates It is automatically enabled and configured.
Which three options are available when creating a security profile? (Choose three) Anti-Malware File Blocking URL Filtering IDS/ISP Threat Prevention Antivirus.
An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data? Monitor > Utilization Resources Widget on the Dashboard Support > Resources Application Command and Control Center.
163. A standalone firewall with local objects and policies needs to be migrated into Panorama. What procedure should you use so Panorama is fully managing the firewall? Use the "import Panorama configuration snapshot" operation, then perform a device-group commit push with "include device and network templates" Use the "import device configuration to Panorama" operation, then "export or push device config bundle" to push the configuration Use the "import Panorama configuration snapshot" operation, then "export or push device config bundle" to push the configuration Use the "import device configuration to Panorama" operation, then perform a device-group commit push with "include device and network templates".
Which two logs on the firewall will contain authentication-related information useful for troubleshooting purposes? (Choose two) ms.log traffic.log system.log dp-monitor.log authd.log.
Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software? Okta DUO RADIUS PingID.
A Security policy rule is configured with a Vulnerability Protection Profile and an action of "Deny". Which action will this configuration cause on the matched traffic? The configuration is invalid. The Profile Settings section will be grayed out when the Action is set to "Deny". The configuration will allow the matched session unless a vulnerability signature is detected. The "Deny" action will supersede the per-severity defined actions defined in the associated Vulnerability Protection Profile. The configuration is invalid. It will cause the firewall to skip this Security policy rule. A warning will be displayed during a commit. The configuration is valid. It will cause the firewall to deny the matched sessions. Any configured Security Profiles have no effect if the Security policy rule action is set to "Deny.".
Which two subscriptions are available when configuring Panorama to push dynamic updates to connected devices? (Choose two.) Content-ID User-ID Applications and Threats Antivirus.
What type of address object would be useful for internal devices where the addressing structure assigns meaning to certain bits in the address, as illustrated in the diagram? IP Netmask IP Wildcard Mask IP Address IP Range.
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7 and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A default route is properly configured. What can be the cause of this problem? No Zone has been configured on Ethernet 1/4. Interface Ethernet 1/1 is in Virtual Wire Mode. DNS has not been properly configured on the firewall. DNS has not been properly configured on the host.
170. Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.) Kerberos PAP SAML TACACS+ RADIUS LDAP.
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy Decryption is not enabled. Which component once enabled on a perimeter firewall will allow the identification of existing infected hosts in an environment? Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole File Blocking profiles applied to outbound security policies with action set to alert Vulnerability Protection profiles applied to outbound security policies with action set to block Antivirus profiles applied to outbound security policies with action set to alert.
172. Based on the following image. What is the correct path of root, intermediate, and end-user certificate? Palo Alto Networks > Symantec > VeriSign Symantec > VeriSign > Palo Alto Networks VeriSign > Palo Alto Networks > Symantec VeriSign > Symantec > Palo Alto Networks.
173. A network administrator wants to deploy GlobalProtect with pre-logon for Windows 10 endpoints and follow Palo Alto Networks best practices. To install the certificate and key for an endpoint, which three components are required? (Choose three.) server certificate local computer store private key self-signed certificate machine certificate.
Which three firewall states are valid? (Choose three.) Active Functional Pending Passive Suspended.
175. What are two common reasons to use a "No Decrypt" action to exclude traffic from SSL decryption? (Choose two.) the website matches a category that is not allowed for most users the website matches a high-risk category the web server requires mutual authentication the website matches a sensitive category.
SSL Forward Proxy decryption is configured, but the firewall uses Untrusted-CA to sign the website https://www.important-website.com certificate. End-users are receiving the "security certificate is not trusted" warning. Without SSL decryption, the web browser shows that the website certificate is trusted and signed by a well-known certificate chain: Well-Known-Intermediate and Well-Known-Root-CA. The network security administrator who represents the customer requires the following two behaviors when SSL Forward Proxy is enabled: 1. End-users must not get the warning for the https://www.very-important-website.com website. 2. End-users should get the warning for any other untrusted website. Which approach meets the two customer requirements? Navigate to Device > Certificate Management > Certificates > Device Certificates import Well-Known-Intermediate-CA and Well-Known-Root-CA select the Trusted Root CA checkbox and commit the configuration Install the Well-Known-Intermediate-CA and Well-Known-Root-CA certificates on all end-user systems in the user and local computer stores Navigate to Device > Certificate Management > Certificates > Default Trusted Certificate Authorities import Well-Known-Intermediate-CA and Well-Known-Root-CA select the Trusted Root CA check box and commit the configuration Clear the Forward Untrust Certificate check box on the Untrusted-CA certificate and commit the configuration.
Given the following configuration, which route is used for destination 10.10.0.4? Route 4 Route 3 Route 1 Route 2.
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site A connects directly to the internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect to the internet. How should NAT Traversal be implemented for the VPN connection to be established between Site-A and Site-B? Enable on Site-A only Enable on Site-B only Enable on Site-B only with passive mode Enable on Site-A and Site-B.
Which CLI command displays the current management plane memory utilization? > show system info > show system resources > debug management-server show > show running resource-monitor.
Site-A and Site-B have a site-to-site VPN set up between them. OSPF is configured to dynamically create the routes between the sites. The OSPF configuration in Site-A is configured properly, but the route for the tunner is not being established. The Site-B interfaces in the graphic are using a broadcast Link Type. The administrator has determined that the OSPF configuration in Site-B is using the wrong Link Type for one of its interfaces. Which Link Type setting will correct the error? Set tunnel. 1 to p2p Set tunnel. 1 to p2mp Set Ethernet 1/1 to p2mp Set Ethernet 1/1 to p2p.
Please match the terms to their corresponding definitions. management plane signature matching security processing network processing.
A host attached to ethernet1/3 cannot access the internet. The default gateway is attached to ethernet1/4. After troubleshooting, it is determined that traffic cannot pass from ethernet1/3 to ethernet1/4. What can be the cause of the problem? DHCP has been set to Auto. Interface ethernet1/3 is in Layer 2 mode and interface ethernet1/4 is in Layer 3 mode. Interface ethernet1/3 and ethernet1/4 are in Virtual Wire Mode. DNS has not been properly configured on the firewall.
183. Starting with PAN-OS version 9.1, application dependency information is now reported in which new locations? (Choose two.) On the App Dependency tab in the Commit Status window On the Application tab in the Security Policy Rule creation window On the Objects > Applications browser pages On the Policy Optimizer's Rule Usage page.
184. In an HA failover scenario, what occurs when sessions match an SSL Forward Proxy Decryption policy? HA Sync does not occur; the existing session is transferred to the active firewall. HA Sync does not occur; the firewall drops the session. HA Sync occurs; the session is sent to fastpath. HA Sync occurs; the firewall allows the session but does not decrypt the session.
Given the following snippet of a WildFire submission log, did the end-user get access to the requested information and why or why not? Yes, because the action is set to "allow" No, because WildFire categorized a file with the verdict "malicious" Yes, because the action is set to "alert" No, because WildFire classified the severity as "high".
Which protection feature is available only in a Zone Protection Profile? SYN Flood Protection using SYN Flood Cookies ICMP Flood Protection Port Scan Protection UDP Flood Protections.
187. Which two are valid ACC GlobalProtect Activity tab widgets? (Choose two) Successful GlobalProtect Connection Activity Successful GlobalProtect Deployed Activity GlobalProtect Quarantine Activity GlobalProtect Deployment Activity.
188. A traffic log might list an application as "not-applicable" for which two reasons? (Choose two) The firewall did not install the session The TCP connection terminated without identifying any application data The firewall dropped a TCP SYN packet There was not enough application data after the TCP connection was established.
An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge. What is the expected verdict from WildFire? Grayware Malware Spyware Phishing.
A distributed log collection deployment has dedicated Log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group. What should be done first? Remove the cable from the management interface, reload the Log Collector and then reconnect that cable. Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments. Remove the device from the Collector Group. Revert to a previous configuration.
Given the following table, which configuration change on the firewall would cause it to use 10.66.24.88 as the next hop for the 192.168.93.0/30 network? Configuring the administrative distance for RIP to be lower than that of OSPF Int. Configuring the metric for RIP to be higher than that of OSPF Int. Configuring the administrative distance for RIP to be higher than that of OSPF Ext. Configuring the metric for RIP to be lower than that of OSPF Ext.
193. An organization is building a Bootstrap Package to deploy Palo Alto Networks VM-Series firewalls into their AWS tenant. Which two statements are correct regarding the bootstrap package contents? (Choose two) The /config, /content and /software folders are mandatory, while the /license and /plugin folders are optional. The bootstrap package is stored on an AFS share or a discrete container file bucket. The directory structure must include a /config, /content, /software and /license folders. The init-cfg.txt and bootstrap.xml files are both optional configuration items for the /config folder. The bootstrap.xml file allows for automated deployment of VM-Series firewalls with full network and policy configurations.
194. Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing? show session all ssl-decrypt yes count yes show session filter ssl-decryption yes total-count yes show session all filter ssl-decrypt yes count yes show session all filter ssl-decryption yes total-count yes.
Which two settings can be configured only locally on the firewall and not pushed from a Panorama template or template stack? (Choose two) HA1 IP Address Network Interface Type Master Key Zone Protection Profile.
Which option enables a Palo Alto Networks NGFW administrator to schedule Application and Threat updates while applying only new content-IDs to traffic? Select download-and-install. Select download-and-install, with "Disable new apps in content update" selected. Select download-only. Select disable application updates and select "Install only Threat updates".
When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama? Load named configuration snapshot Load configuration version Save candidate config Export device state.
198. In a virtual router, which object contains all potential routes? MIB RIB SIP FIB.
An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment? Use config-drive on a USB stick. Use an S3 bucket with an ISO. Create and attach a virtual hard disk (VHD). Use a virtual CD-ROM with an ISO.
200. The SSL Forward Proxy decryption policy is configured. The following four certificate authority (CA) certificates are installed on the firewall. Which certificate authority (CA) certificate will be used to sign the untrusted webserver certificate? (only the Forward Trust Cert is configured) Forward-Untrust-Certificate Forward-Trust-Certificate Firewall-CA Firewall-Trusted-Root-CA.
Which two actions would be part of an automatic solution that would block sites with untrusted certificates without enabling SSL Forward Proxy? (Choose two.) Create a no-decrypt Decryption Policy rule. Configure an EDL to pull IP addresses of known sites resolved from a CRL. Create a Dynamic Address Group for untrusted sites. Create a Security Policy rule with vulnerability Security Profile attached. Enable the "Block sessions with untrusted issuers" setting.
A client is concerned about resource exhaustion because of denial-of-service attacks against their DNS servers. Which option will protect the individual servers? Enable packet buffer protection on the Zone Protection Profile. Apply an Anti-Spyware Profile with DNS sinkholing. Use the DNS App-ID with application-default. Apply a classified DoS Protection Profile.
A network security engineer is asked to provide a report on bandwidth usage. Which tab in the ACC provides the information needed to create the report? Blocked Activity Bandwidth Activity Threat Activity Network Activity.
A network administrator uses Panorama to push security policies to managed firewalls at branch offices. Which policy type should be configured on Panorama if the administrators at the branch office sites are to override these products? Pre Rules Post Rules Explicit Rules Implicit Rules.
An administrator is considering upgrading the Palo Alto Networks NGFW and central management Panorama version. What is considered best practice for this scenario? Perform the Panorama and firewall upgrades simultaneously. Upgrade the firewall first, wait at least 24 hours, and then upgrade the Panorama version. Upgrade Panorama to a version at or above the target firewall version. Export the device state, perform the update, and then import the device state.
206. An administrator has configured PAN-OS SD-WAN and has received a request to find out the reason for a session failover for a session that has already ended. Where would you find this in Panorama or firewall logs? Traffic Logs System Logs Session Browser You cannot find failover details on closed sessions.
Which virtual router feature determines if a specific destination IP address is reachable? Heartbeat Monitoring Failover Path Monitoring Ping-Path.
An engineer must configure the Decryption Broker feature. Which Decryption Broker security chain supports bi-directional traffic flow? Layer 2 security chain Layer 3 security chain Transparent Bridge security chain Transparent Proxy security chain.
Which option is part of the content inspection process? Packet forwarding process SSL Proxy re-encrypt IPsec tunnel encryption Packet egress process.
Which tool provides an administrator the ability to see trends in traffic over periods of time, such as threats detected in the last 30 days? Session Browser Application Command Center TCP Dump Packet Capture.
An administrator notices that an interface configuration has been overridden locally on a firewall. They require the configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement? Perform a device-group commit push from Panorama using the "Include Device and Network Templates" option. Reload the running configuration and perform a Firewall local commit. Perform a template commit push from Panorama using the "Force Template Values" option. Perform a commit force from the CLI of the firewall.
212. An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama? Use the import option to pull logs. Export the log database. Use the scp logdb export command. Use the ACC to consolidate the logs.
What are two characteristic types that can be defined for a variable? (Choose two) zone FQDN path group IP netmask.
214. What are three valid methods of user mapping? (Choose three) Syslog XML API 802.1X WildFire Server Monitoring.
A variable name must start with which symbol? $ & ! #.
An administrator is defining protection settings on the Palo Alto Networks NGFW to guard against resource exhaustion. When platform utilization is considered, which steps must the administrator take to configure and apply packet buffer protection? Enable and configure the Packet Buffer protection thresholds. Enable Packet Buffer Protection per ingress zone. Enable and then configure Packet Buffer thresholds. Enable Interface Buffer protection. Create and Apply Zone Protection Profiles in all ingress zones. Enable Packet Buffer Protection per ingress zone. Configure and apply Zone Protection Profiles for all egress zones. Enable Packet Buffer Protection per egress zone. Enable per-vsys Session Threshold alerts and triggers for Packet Buffer Limits. Enable Zone Buffer Protection per zone.
An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement? Decryption Mirror interface with the Threat Analysis license Virtual Wire interface with the Decryption Port Export license Tap interface with the Decryption Port Mirror license Decryption Mirror interface with the associated Decryption Port Mirror license.
A network administrator needs to view the default action for a specific spyware signature. The administrator follows the tabs and menus through Objects > Security Profiles > Anti-Spyware and selects the default profile. What should be done next? Click the simple-critical rule and then click the Action drop-down list. Click the Exceptions tab and then click show all signatures. View the default actions displayed in the Action column. Click the Rules tab and then look for rules with "default" in the Action column.
SAML SLO is supported for which two firewall features? (Choose two.) GlobalProtect Portal Captive Portal WebUI CLI.
Several offices are connected with VPNs using static IPv4 routes. An administrator has been tasked with implementing OSPF to replace static routing. Which step is required to accomplish this goal? Assign an IP address on each tunnel interface at each site Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0 Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces Create new VPN zones at each site to terminate each VPN connection.
221. Starting with PAN-OS version 9.1, Global logging information is now recorded in which firewall log? Authentication GlobalProtect Configuration System.
An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring: * Firewall has Internet connectivity through e1/1. * Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone. * Service route is configured, sourcing update traffic from e1/1. * A communication error appears in the System logs when updates are performed. * Download does not complete. What must be configured to enable the firewall to download the current version of PAN-OS software? DNS settings for the firewall to use for resolution scheduler for timed downloads of PAN-OS software static route pointing application PaloAlto-updates to the update servers Security policy rule allowing PaloAlto-updates as the application.
223. During the packet flow process, which two processes are performed in application identification? (Choose two.) Pattern based application identification Application override policy match Application changed from content inspection Session application identified.
An administrator has users accessing network resources through Citrix XenApp 7.x. Which User-ID mapping solution will map multiple users who are using Citrix to connect to the network and access resources? Client Probing Terminal Services agent GlobalProtect Syslog Monitoring.
Which configuration task is best for reducing load on the management plane? Disable logging on the default deny rule Enable session logging at start Disable pre-defined reports Set the URL filtering action to send alerts.
A firewall administrator has been asked to configure a Palo Alto Networks NGFW to protect against compromised hosts trying to phone home or beacon out to external command-and-control (C2) servers. Which Security Profile type will prevent these behaviors? WildFire Anti-Spyware Vulnerability Protection Antivirus.
227. When deploying PAN-OS SD-WAN, which routing protocol can you use to build a routing overlay? OSPFv3 BGP OSPF RIP.
What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)? Phase 2 SAs are synchronized over HA2 links Phase 1 and Phase 2 SAs are synchronized over HA2 links Phase 1 SAs are synchronized over HA1 links Phase 1 and Phase 2 SAs are synchronized over HA3 links.
A superuser is tasked with creating administrator accounts for three contractors. For compliance purposes, all three contractors will be working with different device-groups in their hierarchy to deploy policies and objects. Which type of role-based access is most appropriate for this project? Create a Dynamic Admin with the Panorama Administrator role Create a Custom Panorama Admin Create a Device Group and Template Admin Create a Dynamic Read only superuser.
Which statement is true regarding a Best Practice Assessment? It shows how your current configuration compares to Palo Alto Networks recommendations It runs only on firewalls When guided by an authorized sales engineer, it helps determine the areas of greatest risk where you should focus prevention activities. It provides a set of questionnaires that help uncover security risk prevention gaps across all areas of network and security architecture.
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against worms and trojans. Which Security Profile type will protect against worms and trojans? Anti-Spyware WildFire Vulnerability Protection Antivirus.
An engineer is planning an SSL decryption implementation. Which of the following statements is a best practice for SSL decryption? Obtain an enterprise CA-signed certificate for the Forward Trust certificate Obtain a certificate from a publicly trusted root CA for the Forward Trust certificate Use an enterprise CA-signed certificate for the Forward Untrust certificate Use the same Forward Trust certificate on all firewalls in the network.
Which PAN-OS® policy must you configure to force a user to provide additional credentials before he is allowed to access an internal application that contains highly-sensitive business data? Security policy Decryption policy Authentication policy Application Override policy.
VPN traffic intended for an administrator's Palo Alto Networks NGFW is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior? Zone Protection Replay Web Application DoS Protection.
A customer wants to set up a site-to-site VPN using tunnel interfaces. Which two formats are correct for naming tunnel interfaces? (Choose two.) Vpn-tunnel.1024 vpn-tunne.1 tunnel 1025 tunnel. 1.
Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel? The User-ID agent is connected to a domain controller labeled lab-client. The host lab-client has been found by the User-ID agent. The host lab-client has been found by a domain controller. The User-ID agent is connected to the firewall labeled lab-client.
Where can an administrator see both the management plane and data plane CPU utilization in the WebUI? System log CPU Utilization widget Resources widget System Utilization log.
Which Captive Portal mode must be configured to support MFA authentication? NTLM Redirect Single Sign-On Transparent.
Which rule type controls end user SSL traffic to external websites? SSL Outbound Proxyless Inspection SSL Forward Proxy SSL Inbound Inspection SSH Proxy.
An administrator has 750 firewalls. The administrator's central-management Panorama instance deploys dynamic updates to the firewalls. The administrator notices that the dynamic updates from Panorama do not appear on some of the firewalls. If Panorama pushes the configuration of a dynamic update schedule to managed firewalls, but the configuration does not appear, what is the root cause? Panorama has no connection to Palo Alto Networks update servers Panorama does not have valid licenses to push the dynamic updates No service route is configured on the firewalls to Palo Alto Networks update servers Locally-defined dynamic update settings take precedence over the settings that Panorama pushed.
241. A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded with tens of thousands of bogus UDP connections per second to a single destination IP address and port. Which option, when enabled with the correct threshold, would mitigate this attack without dropping legitimate traffic to other hosts inside the network? Zone Protection Policy with UDP Flood Protection QoS Policy to throttle traffic below maximum limit Security Policy rule to deny traffic to the IP address and port that is under attack Classified DoS Protection Policy using destination IP only with a Protect action.
Which CLI command enables an administrator to check the CPU utilization of the dataplane? show running resource-monitor debug data-plane dp-cpu show system resources debug running resources.
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management (SIEM) system? Panorama Log Settings Panorama Log Templates Panorama Device Group Log Forwarding Collector Log Forwarding for Collector Groups.
244. A global corporate office has a large-scale network with only one User-ID agent, which creates a bottleneck near the User-ID agent server. Which solution in PAN-OS® software would help in this case? application override Virtual Wire mode content inspection redistribution of user mappings.
Which three options are supported in HA Lite? (Choose three.) Virtual link Active/passive deployment Synchronization of IPsec security associations Configuration synchronization Session synchronization.
A session in the Traffic log is reporting the application as "incomplete." What does "incomplete" mean? The three-way TCP handshake was observed, but the application could not be identified. The three-way TCP handshake did not complete. The traffic is coming across UDP, and the application could not be identified. Data was received but was instantly discarded because a Deny policy was applied before App-ID could be applied.
Which authentication source requires the installation of Palo Alto Networks software, other than PAN-OS 7x, to obtain a username-to-IP-address mapping? Microsoft Active Directory Microsoft Terminal Services Aerohive Wireless Access Point Palo Alto Networks Captive Portal.
248. An administrator has configured the Palo Alto Networks NGFW's management interface to connect to the internet through a dedicated path that does not traverse back through the NGFW itself. Which configuration setting or step will allow the firewall to get automatic application signature updates? A scheduler will need to be configured for application signatures. A Security policy rule will need to be configured to allow the update requests from the firewall to the update servers. A Threat Prevention license will need to be installed. A service route will need to be configured.
What are two valid deployment options for Decryption Broker? (Choose two) Transparent Bridge Security Chain Layer 3 Security Chain Layer 2 Security Chain Transparent Mirror Security Chain.
Refer to the exhibit. Which certificates can be used as a Forward Trust certificate? Certificate from Default Trust Certificate Authorities Domain Sub-CA Forward_Trust Domain-Root-Cert.
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto Networks firewall. Which method shows the global counters associated with the traffic after configuring the appropriate packet filters? From the CLI, issue the show counter global filter pcap yes command. From the CLI, issue the show counter global filter packet-filter yes command. From the GUI, select show global counters under the monitor tab. From the CLI, issue the show counter interface command for the ingress interface.
A firewall is configured with SSL Forward Proxy decryption and has the following four enterprise certificate authorities (CAs): i. Enterprise-Trusted-CA, which is verified as Forward Trust Certificate (the CA is also installed in the trusted store of the end-user browser and system) ii. Enterprise-Untrusted-CA, which is verified as Forward Untrust Certificate iii. Enterprise-Intermediate-CA iv. Enterprise-Root-CA, which is verified only as Trusted Root CA. An end-user visits https://www.example-website.com/ with a server certificate Common Name (CN) www.example-website.com. The firewall does the SSL Forward Proxy decryption for the website, and the server certificate is not trusted by the firewall. The end-user's browser will show that the certificate for www.example-website.com was issued by which of the following? Enterprise-Untrusted-CA, which is a self-signed CA Enterprise-Trusted-CA, which is a self-signed CA Enterprise-Intermediate-CA, which was, in turn, issued by Enterprise-Root-CA Enterprise-Root-CA, which is a self-signed CA.
In SSL Forward Proxy decryption, which two certificates can be used for certificate signing? (Choose two.) wildcard server certificate enterprise CA certificate client certificate server certificate self-signed CA certificate.
An administrator has been asked to configure active/passive HA for a pair of Palo Alto Networks NGFWs. The administrator assigns priority 100 to the active firewall. Which priority is correct for the passive firewall? 0 99 1 255.
Which two options prevent the firewall from capturing traffic passing through it? (Choose two.) The firewall is in multi-vsys mode. The traffic is offloaded. The traffic does not match the packet capture filter. The firewall's DP CPU is higher than 50%.
An administrator has been asked to configure active/active HA for a pair of Palo Alto Networks NGFWs. The firewalls use Layer 3 interfaces to send traffic to a single gateway IP for the pair. Which configuration will enable this HA scenario? The two firewalls will share a single floating IP and will use gratuitous ARP to share the floating IP. Each firewall will have a separate floating IP, and priority will determine which firewall has the primary IP. The firewalls do not use floating IPs in active/active HA. The firewalls will share the same interface IP address, and device 1 will use the floating IP if device 0 fails.
257. An internal system is not functioning. The firewall administrator has determined that the incorrect egress interface is being used. After looking at the configuration, the administrator believes that the firewall is not using a static route. What are two reasons why the firewall might not use a static route? (Choose two.) no install on the route duplicate static route path monitoring on the static route disabling of the static route.
An administrator pushes a new configuration from Panorama to a pair of firewalls that are configured as an active/passive HA pair. Which NGFW receives the configuration from Panorama? The Passive firewall, which then synchronizes to the active firewall The active firewall, which then synchronizes to the passive firewall Both the active and passive firewalls, which then synchronize with each other Both the active and passive firewalls independently, with no synchronization afterward.
What are the differences between using a service versus using an application for Security Policy match? Use of a "service" enables the firewall to take action after enough packets allow for App-ID identification Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers Use of an "application" allows the firewall to take action after enough packets allow for App-ID identification regardless of the ports being used. There are no differences between "service" or "application" Use of an "application" simplifies configuration by allowing use of a friendly application name instead of port numbers. Use of a "service" enables the firewall to take immediate action with the first observed packet based on port numbers. Use of an "application" allows the firewall to take immediate action if the port being used is a member of the application standard port list.
260. Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.) TACACS+ Kerberos PAP LDAP SAML RADIUS.
Only two Trust to Untrust allow rules have been created in the Security policy - Rule1 allows google-base - Rule2 allows youtube-base The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When users try to access https://www.youtube.com in a web browser, they get an error indicating that the server cannot be found. Which action will allow youtube.com to display in the browser correctly? Add SSL App-ID to Rule1 Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it Add the DNS App-ID to Rule2 Add the Web-browsing App-ID to Rule2.
262. In a template you can configure which two objects? (Choose two.) SD WAN path quality profile application group IPsec tunnel Monitor profile.
Which two features does PAN-OS® software use to identify applications? (Choose two) port number session number transaction characteristics application layer payload.
When you configure a Layer 3 interface what is one mandatory step? Configure Security profiles, which need to be attached to each Layer 3 interface Configure Interface Management profiles which need to be attached to each Layer 3 interface Configure virtual routers to route the traffic for each Layer 3 interface Configure service routes to route the traffic for each Layer 3 interface.
Which action disables Zero Touch Provisioning (ZTP) functionality on a ZTP firewall during the onboarding process? performing a local firewall commit removing the firewall as a managed device in Panorama performing a factory reset of the firewall removing the Panorama serial number from the ZTP service.
266. In a device group, which two configuration objects are defined? (Choose two) DNS Proxy address groups SSL/TLS profiles URL Filtering profiles.
An administrator cannot see any Traffic logs from the Palo Alto Networks NGFW in Panorama reports. The configuration problem seems to be on the firewall. Which settings, if configured incorrectly, most likely would stop only Traffic logs from being sent from the NGFW to Panorama? Syslog Server Profile Security Policy Rule Panorama Settings > Panorama Servers Panorama Settings > Receive/Send Timeout.
Which four NGFW multi-factor authentication factors are supported by PAN-OS? (Choose four.) Short message service Push User logon Voice SSH key One-Time Password.
What should an administrator consider when planning to revert Panorama to a pre-PAN-OS 8.1 version? Panorama cannot be reverted to an earlier PAN-OS release if variables are used in templates or template stacks. An administrator must use the Expedition tool to adapt the configuration to the pre-PAN-OS 8.1 state. When Panorama is reverted to an earlier PAN-OS release, variables used in templates or template stacks will be removed automatically. Administrators need to manually update variable characters to those used in pre-PAN-OS 8.1.
What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway? It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway It stops the tunnel-establishment processing to the GlobalProtect gateway immediately It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS.
To connect the Palo Alto Networks firewall to AutoFocus, which setting must be enabled? Device>Setup>Services>AutoFocus Device> Setup>Management >AutoFocus AutoFocus is enabled by default on the Palo Alto Networks NGFW Device>Setup>WildFire>AutoFocus Device>Setup> Management> Logging and Reporting Settings.
If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect when users browse to HTTP(S) websites? SSL Forward Proxy SSL Inbound Inspection TLS Bidirectional proxy SSL Outbound Inspection.
Which feature can provide NGFWs with User-ID mapping information? GlobalProtect Web Captcha Native 802.1q authentication Native 802.1x authentication.
274. Which Panorama objects restrict administrative access to specific device-groups? templates admin roles access domains authentication profiles.
Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack. application-based attack protocol-based attack volumetric attack.
The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice? action 'reset-both' and packet capture 'extended-capture' action 'default' and packet capture 'single-packet' action 'reset-both' and packet capture 'single-packet' action 'reset-server' and packet capture 'disable'.
An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL. Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL? Create a decryption rule matching the encrypted BitTorrent traffic with action "No-Decrypt," and place the rule at the top of the Decryption policy. Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy. Disable the exclude cache option for the firewall. Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.
A network design calls for a "router on a stick" implementation with a PA-5060 performing inter-VLAN routing. All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk interface. Which interface type and configuration setting will support this design? Trunk interface type with specified tag Layer 3 interface type with specified tag Layer 2 interface type with a VLAN assigned Layer 3 subinterface type with specified tag.
279. What are two best practices for incorporating new and modified App-IDs? (Choose two.) Run the latest PAN-OS version in a supported release tree to have the best performance for the new App-IDs Configure a security policy rule to allow new App-IDs that might have network-wide impact Perform a Best Practice Assessment to evaluate the impact of the new or modified App-IDs Study the release notes and install new App-IDs if they are determined to have low impact.
280. Which three split tunnel methods are supported by a GlobalProtect gateway? (Choose three.) video streaming application Client Application Process Destination Domain Source Domain Destination user/group URL Category.
A VPN connection is set up between Site-A and Site-B, but no traffic is passing. In the system log of Site-A, there is an event logged as ike-nego-p1-fail-psk. What action will bring the VPN up and allow traffic to start passing between the sites? Change the Site-B IKE Gateway profile version to match Site-A. Change the Site-A IKE Gateway profile exchange mode to aggressive mode. Enable NAT Traversal on the Site-A IKE Gateway profile. Change the pre-shared key of Site-B to match the pre-shared key of Site-A.
Panorama provides which two SD-WAN functions? (Choose two.) data plane physical network links network monitoring control plane.
Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.) Red Hat Enterprise Virtualization (RHEV) Kernel Virtualization Module (KVM) Boot Strap Virtualization Module (BSVM) Microsoft Hyper-V.
In a security-first network, what is the recommended threshold value for content updates to be dynamically updated? 1 to 4 hours 6 to 12 hours 24 hours 36 hours.
An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.) variables template stacks collector groups virtual systems.
Users within an enterprise have been given laptops that are joined to the corporate domain. In some cases, IT has also deployed Linux-based OS systems with a graphical desktop. Information Security needs IP-to-user mapping, which it will use in group-based policies that will limit internet access for the Linux desktop users. Which method can capture IP-to-user mapping information for users on the Linux machines? You can configure Captive Portal with an authentication policy. IP-to-user mapping for Linux users can only be learned if the machine is joined to the domain. You can set up a group-based security policy to restrict internet access based on group membership You can deploy the User-ID agent on the Linux desktop machines.
Which Public Key infrastructure component is used to authenticate users for GlobalProtect when the Connect Method is set to pre-logon? Certificate revocation list Trusted root certificate Machine certificate Online Certificate Status Protocol.
Match each GlobalProtect component to the purpose of that component GlobalProtect Gateway GlobalProtect clientless GlobalProtect Portal GlobalProtect app.
289. Which User-ID method maps IP addresses to usernames for users connecting through a web proxy that has already authenticated the user? Client Probing Port mapping Server monitoring Syslog listening.
You need to allow users to access the office-suite applications of their choice. How should you configure the firewall to allow access to any office-suite application? Create an Application Group and add Office 365, Evernote, Google Docs and Libre Office Create an Application Group and add business-systems to it. Create an Application Filter and name it Office Programs, then filter it on the office programs subcategory. Create an Application Filter and name it Office Programs, then filter on the business-systems category.
291. An administrator has left a firewall to use the default port for all management services. Which three functions are performed by the dataplane? (Choose three.) NTP Antivirus Wildfire updates NAT File tracking.
The IT department has received complaints about VoIP call jitter when the sales staff is making or receiving calls. QoS is enabled on all firewall interfaces, but there is no QoS policy written in the rulebase. The IT manager wants to find out what traffic is causing the jitter in real time when a user reports the jitter. Which feature can be used to identify, in real time, the applications taking up the most bandwidth? QoS Statistics Applications Report Application Command Center (ACC) QoS Log.
293. Which two events trigger the operation of automatic commit recovery? (Choose two.) when an aggregate Ethernet interface component fails when Panorama pushes a configuration when a firewall HA pair fails over when a firewall performs a local commit.
Which feature can be configured on VM-Series firewalls? aggregate interfaces machine learning multiple virtual systems GlobalProtect.
295. A file sharing application is being permitted and no one knows what this application is used for. How should this application be blocked? Block all unauthorized applications using a security policy Block all known internal custom applications Create a WildFire Analysis Profile that blocks Layer 4 and Layer 7 attacks Create a File blocking profile that blocks Layer 4 and Layer 7 attacks.
Which item enables a firewall administrator to see details about traffic that is currently active through the NGFW? ACC System Logs App Scope Session Browser.
Which event will happen if an administrator uses an Application Override Policy? Threat-ID processing time is decreased. The Palo Alto Networks NGFW stops App-ID processing at Layer 4. The application name assigned to the traffic by the security rule is written to the Traffic log. App-ID processing time is increased.
298. When configuring the firewall for packet capture, what are the valid stage types? Receive, management, transmit, and drop Receive, firewall, send, and non-syn Receive, management, transmit, and non-syn Receive, firewall, transmit, and drop.
299. Refer to the exhibit. Which certificate can be used as the Forward Trust certificate? Domain Sub-CA Domain-Root-Cert Certificate from Default Trusted Certificate Authorities Forward-Trust.
Which feature must you configure to prevent users from accidentally submitting their corporate credentials to a phishing website? URL Filtering profile Zone Protection profile Anti-Spyware profile Vulnerability Protection profile.
Which two statements are true about DoS Protection and Zone Protection Profiles? (Choose two). Zone Protection Profiles protect ingress zones Zone Protection Profiles protect egress zones DoS Protection Profiles are packet-based, not signature-based DoS Protection Profiles are linked to Security policy rules.
302. A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.) Application Override policy. Security policy to identify the custom application. Custom application. Custom Service object.
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule. Given the following zone information: * DMZ zone: DMZ-L3 * Public zone: Untrust-L3 * Guest zone: Guest-L3 * Web server zone: Trust-L3 * Public IP address (Untrust-L3): 1.1.1.1 * Private IP address (Trust-L3): 192.168.1.50 What should be configured as the destination zone on the Original Packet tab of NAT Policy rule? Untrust-L3 DMZ-L3 Guest-L3 Trust-L3.
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match? 6-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone 5-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Protocol 7-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone 9-tuple match: Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone.
305. Which feature prevents the submission of corporate login information into website forms? Data filtering User-ID File blocking Credential phishing prevention.
A network-security engineer attempted to configure a bootstrap package on Microsoft Azure, but the virtual machine provisioning process failed. In reviewing the bootstrap package, the engineer only had the following directories: /config, /license and /software. Why did the bootstrap process fail for the VM-Series firewall in Azure? All public cloud deployments require the /plugins folder to support proper firewall native integrations The /content folder is missing from the bootstrap package The VM-Series firewall was not pre-registered in Panorama and prevented the bootstrap process from successfully completing The /config or /software folders were missing mandatory files to successfully bootstrap.
307. Which User-ID method should be configured to map IP addresses to usernames for users connected through a terminal server? port mapping server monitoring client probing XFF headers.
309. Which client software can be used to connect remote Linux clients into a Palo Alto Networks infrastructure without sacrificing the ability to scan traffic and protect against threats? X-Auth IPsec VPN GlobalProtect Apple IOS GlobalProtect SSL GlobalProtect Linux.
Which command can be used to validate a Captive Portal policy? eval captive-portal policy <criteria> request cp-policy-eval <criteria> test cp-policy-match <criteria> debug cp-policy <criteria>.
Which three settings are defined within the Templates object of Panorama? (Choose three.) Setup Virtual Routers Interfaces Security Application Override.
312. An engineer must configure a new SSL decryption deployment. Which profile or certificate is required before any traffic that matches an SSL decryption rule is decrypted? There must be a certificate with both the Forward Trust option and Forward Untrust option selected A Decryption profile must be attached to the Decryption policy that the traffic matches A Decryption profile must be attached to the Security policy that the traffic matches There must be a certificate with only the Forward Trust option selected.
313. A customer is replacing its legacy remote-access VPN solution. Prisma Access has been selected as the replacement. During onboarding, the following options and licenses were selected and enabled: The customer wants to forward to a Splunk SIEM the logs that are generated by users that are connected to Prisma Access for Mobile Users. Which two settings must the customer configure? (Choose two) Configure a log forwarding profile and select the Panorama/Cortex Data Lake checkbox Apply the Log Forwarding profile to all of the security policy rules in Mobile_User_Device_Group Configure Cortex Data Lake log forwarding and add the Splunk syslog server Configure a Log Forwarding profile, select the syslog checkbox and add the Splunk syslog server Apply the Log Forwarding profile to all of the security policy rules in the Mobile_User_Device_Group Configure Panorama Collector group device log forwarding to send logs to the Splunk syslog server.
Which two features can be used to tag a username so that it is included in a dynamic user group? (Choose two) log forwarding auto-tagging GlobalProtect agent User-ID Windows-based agent XML API.
Which three rule types are available when defining policies in Panorama? (Choose three.) Pre Rules Post Rules Default Rules Stealth Rules Clean Up Rules.
316. Exhibit: What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image? ethernet1/7 ethernet1/5 ethernet1/6 ethernet1/3.
How does Panorama handle incoming logs when it reaches the maximum storage capacity? Panorama discards incoming logs when storage capacity is full. Panorama stops accepting logs until licenses for additional storage space are applied Panorama stops accepting logs until a reboot to clean storage space. Panorama automatically deletes older logs to create space for new ones.
318. An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA? Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy Configure a Captive Portal authentication policy that uses an authentication sequence Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.
Which three steps will reduce the CPU utilization on the management plane? (Choose three.) Disable SNMP on the management interface. Application override of SSL application. Disable logging at session start in Security policies. Disable predefined reports. Reduce the traffic being decrypted by the firewall.
Which two methods can be configured to validate the revocation status of a certificate? (Choose two.) CRL CRT OCSP Cert-Validation-Profile SSL/TLS Service Profile.
Starting with PAN-OS version 9.1, GlobalProtect logging information is now recorded in which firewall log? Configuration GlobalProtect Authentication System.
322. An administrator needs to evaluate a recent policy change that was committed and pushed to a firewall device group. How should the administrator identify the configuration changes? review the configuration logs on the Monitor tab click Preview Changes under Push Scope use Test Policy Match to review the policies in Panorama context-switch to the affected firewall and use the configuration audit tool.
At which stage of the cyber-attack lifecycle would the attacker attach an infected PDF file to an email? exploitation IP command and control delivery reconnaissance.
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX? VM-100 VM-200 VM-1000-HV VM-300.
What are three valid qualifiers for a Decryption Policy Rule match? (Choose three.) Destination Zone App-ID Custom URL Category User-ID Source Interface.
An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded? Security policy rule CRL Service route Scheduler.
A client has a sensitive application server in their data center and is particularly concerned about session flooding because of denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against session floods originating from a single IP address? Define a custom App-ID to ensure that only legitimate application traffic reaches the server Add QoS Profiles to throttle incoming requests Add a tuned DoS Protection Profile Add an Anti-Spyware Profile to block attacking IP address.
When configuring a GlobalProtect Portal, what is the purpose of specifying an Authentication Profile? To enable Gateway authentication to the Portal To enable Portal authentication to the Gateway To enable user authentication to the Portal To enable client machine authentication to the Portal.
A company wants to install a PA-3060 firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones? Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object. Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone. Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address. Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/sub interface to a unique zone.
What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection? link state stateful firewall connection certificates profiles.
An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust? Use custom certificates Enable LDAP or RADIUS integration Set up multi-factor authentication Configure strong password authentication.
Which is the maximum number of samples that can be submitted to WildFire per day, based on wildfire subscription? 15,000 10,000 75,000 5,000.
A Palo Alto Networks NGFW just submitted a file to WildFire for analysis. Assume a 5-minute window for analysis. The firewall is configured to check for verdicts every 5 minutes. How quickly will the firewall receive back a verdict? More than 15 minutes 5 minutes 10 to 15 minutes 5 to 10 minutes.
Which User-ID mapping method should be used in a high-security environment where all IP address-to-user mappings should always be explicitly known? PAN-OS integrated User-ID agent LDAP Server Profile configuration GlobalProtect Windows-based User-ID agent.
Which three functions are found on the dataplane of a PA-5050? (Choose three) Protocol Decoder Dynamic routing Management Network Processing Signature Match.
How does an administrator schedule an Applications and Threats dynamic update while delaying installation of the update for a certain amount of time? Configure the option for "Threshold". Disable automatic updates during weekdays. Automatically "download only" and then install Applications and Threats later, after the administrator approves the update. Automatically "download and install" but with the "disable new applications" option used.
When overriding a template configuration locally on a firewall, what should you consider? Only Panorama can revert the override Panorama will lose visibility into the overridden configuration Panorama will update the template with the overridden value The firewall template will show that it is out of sync within Panorama.
Which version of GlobalProtect supports split tunneling based on destination domain, client process, and HTTP/HTTPS video streaming application? GlobalProtect version 4.0 with PAN-OS 8.1 GlobalProtect version 4.1 with PAN-OS 8.1 GlobalProtect version 4.1 with PAN-OS 8.0 GlobalProtect version 4.0 with PAN-OS 8.0.
A firewall administrator has completed most of the steps required to provision a standalone Palo Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the security policies. Which CLI command syntax will display the rule that matches the test? test security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> show security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> test security rule source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number> show security-policy-match source <ip_address> destination <IP_address> destination port <port number> protocol <protocol number>.
A customer wants to spin their session load equally across two SD-WAN-enabled interfaces. Where would you configure this setting? Path Quality profile ECMP setting on virtual router Traffic Distribution profile SD-WAN Interface profile.
In an enterprise deployment, a network security engineer wants to assign to a group of administrators without creating local administrator accounts on the firewall. Which authentication method must be used? LDAP Kerberos Certification based authentication RADIUS with Vendor-Specific Attributes.
343. An administrator is using Panorama and multiple Palo Alto Networks NGFWs. After upgrading all devices to the latest PAN-OS® software, the administrator enables log forwarding from the firewalls to Panorama. Pre-existing logs from the firewalls are not appearing in Panorama. Which action would enable the firewalls to send their pre-existing logs to Panorama? Use the import option to pull logs into Panorama. A CLI command will forward the pre-existing logs to Panorama. Use the ACC to consolidate pre-existing logs. The log database will need to be exported from the firewalls and manually imported into Panorama.
344. Which three statements accurately describe Decryption Mirror? (Choose three.) Decryption Mirror requires a tap interface on the firewall Decryption, storage, inspection and use of SSL traffic are regulated in certain countries Only management consent is required to use the Decryption Mirror feature You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel.
Which two virtualized environments support Active/Active High Availability (HA) in PAN-OS 8.0? (Choose two.) KVM VMware ESX VMware NSX AWS.
The certificate information displayed in the following image is for which type of certificate? Exhibit: Forward Trust certificate Self-Signed Root CA certificate Web Server certificate Public CA signed certificate.
348. Based on the image, what caused the commit warning? The CA certificate for FWDtrust has not been imported into the firewall. The FWDtrust certificate has not been flagged as Trusted Root CA. SSL Forward Proxy requires a public certificate to be imported into the firewall. The FWDtrust certificate does not have a certificate chain.
Place the steps in the WildFire process workflow in their correct order. The firewall hashes the file and looks up a verdict in the WildFire database. However, the firewall does not find a match. WildFire uses static analysis based on machine learning to analyze the file, in order to classify malicious features. Regardless of the verdict, WildFire uses a heuristic engine to examine the file and determines that the file exhibits suspicious behavior. WildFire generates a new DNS, URL categorization, and antivirus signatures for the new threat.
A company has a pair of Palo Alto Networks firewalls configured as an Active/Passive High Availability (HA) pair. What allows the firewall administrator to determine the last date a failover event occurred? From the CLI issue use the show System log Apply the filter subtype eq ha to the System log Apply the filter subtype eq ha to the configuration log Check the status of the High Availability widget on the Dashboard of the GUI.
351. Which CLI command displays the physical media that are connected to ethernet1/8? > show system state filter-pretty sys.s1.p8.stats > show interface ethernet1/8 > show system state filter-pretty sys.s1.p8.phy > show system state filter-pretty sys.s1.p8.med.
Before you upgrade a Palo Alto Networks NGFW, what must you do? Make sure that the PAN-OS support contract is valid for at least another year Export a device state of the firewall Make sure that the firewall is running a version of antivirus software and a version of WildFire that support the licensed subscriptions. Make sure that the firewall is running a supported version of the app + threat update.
A security engineer needs to mitigate packet floods that occur on a set of servers behind the internet facing interface of the firewall. Which Security Profile should be applied to a policy to prevent these packet floods? URL Filtering profile Vulnerability Protection profile Data Filtering profile DoS Protection profile.
354. Which three options does the WF-500 appliance support for local analysis? (Choose three) E-mail links APK files jar files PNG files Portable Executable (PE) files.
View the GlobalProtect configuration screen capture. What is the purpose of this configuration? It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
An administrator device-group commit push is failing due to a new URL category. How should the administrator correct this issue? verify that the URL seed file has been downloaded and activated on the firewall change the new category action to "alert" and push the configuration again update the Firewall Apps and Threat version to match the version of Panorama ensure that the firewall can communicate with the URL cloud.
What is the purpose of the firewall decryption broker? Decrypt SSL traffic and then send it as cleartext to a security chain of inspection tools Force decryption of previously unknown cipher suites Inspection traffic within IPsec tunnel Reduce SSL traffic to a weaker cipher before sending it to a security chain of inspection tools.
Which CLI command displays the current management plane memory utilization? > debug management-server show > show running resource-monitor > show system info > show system resources.
An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement? Layer 3 interfaces but configuring EIGRP on the attached virtual router Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ Layer 3 or Aggregate Ethernet interfaces but configuring EIGRP on subinterfaces only Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols).
What file type upload is supported as part of the basic WildFire service? PE BAT VBS ELF.
Which two statements correctly identify the number of Decryption Broker security chains that are supported on a pair of decryption-forwarding interfaces? (Choose two) A single transparent bridge security chain is supported per pair of interfaces L3 security chains support up to 32 security chains L3 security chains support up to 64 security chains A single transparent bridge security chain is supported per firewall.
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently deployed. The firewall's dedicated management port is being used to connect to the management network. Which two commands may be used to troubleshoot this issue from the CLI of the new firewall? (Choose two) test panoramas-connect 10.10.10.5 show panoramas-status show arp all | match 10.10.10.5 tcpdump filter "host 10.10.10.5" debug dataplane packet-diag set capture on.
Click the Exhibit button below. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1 that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address. He makes an HTTPS connection to 172.16.10.20. Which is the next hop IP address for the HTTPS traffic from Will's PC? 172.20.30.1 172.20.40.1 172.20.20.1 172.20.10.1.
An administrator wants multiple web servers in the DMZ to receive connections initiated from the internet. Traffic destined for 206.15.22.9 port 80/TCP needs to be forwarded to the server at 10.1.1.22. Based on the information shown in the image, which NAT rule will forward web-browsing traffic correctly? Source IP: Any Destination IP: 206.15.22.9 Source Zone: Internet Destination Zone: DMZ Destination Service: 80/TCP Action: Destination NAT Translated IP: 10.2.2.23 Translated Port: 53/UDP Source IP: Any Destination IP: 206.15.22.9 Source Zone: Internet Destination Zone: Internet Destination Service: 80/TCP Action: Destination NAT Translated IP: 10.1.1.22 Translated Port: 53/UDP Source IP: Any Destination IP: 206.15.22.9 Source Zone: Internet Destination Zone: Internet Destination Service: 80/TCP Action: Destination NAT Translated IP: 10.1.1.22 Translated Port: None Source IP: Any Destination IP: 206.15.22.9 Source Zone: Internet Destination Zone: DMZ Destination Service: 80/TCP Action: Destination NAT Translated IP: 10.1.1.22 Translated Port: 53/UDP.
An administrator has configured a QoS policy rule and a QoS profile that limits the maximum allowable bandwidth for the YouTube application. However, YouTube is consuming more than the maximum bandwidth allotment configured. Which configuration step needs to be configured to enable QoS? Enable QoS Data Filtering Profile Enable QoS monitor Enable QoS interface Enable QoS in the interface Management Profile.
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of server-to-client flows only? Disable Server Response Inspection Apply an Application Override Disable HIP Profile Add server IP Security Policy exception.
367. A firewall should be advertising the static route 10.2.0.0/24 into OSPF. The configuration on the neighbor is correct, but the route is not in the neighbor's routing table. Which two configurations should you check on the firewall? (Choose two) Within the redistribution profile ensure that Redist is selected. In the redistribution profile check that the source type is set to "ospf". In the OSPF configuration ensure that the correct redistribution profile is selected in the OSPF Export Rules section. Ensure that the OSPF neighbor state is "2-Way".
Which interface configuration will accept specific VLAN IDs? Tab Mode Subinterface Access Interface Trunk Interface.
Which benefit do policy rule UUIDs provide? functionality for scheduling policy actions the use of user IP mapping and groups in policies cloning of policies between device-groups an audit trail across a policy's lifespan.
370. What are three valid actions in a File Blocking Profile? (Choose three) Forward Block Alert Upload Reset-both Continue.
A client has a sensitive application server in their data center and is particularly concerned about resource exhaustion because of distributed denial-of-service attacks. How can the Palo Alto Networks NGFW be configured to specifically protect this server against resource exhaustion originating from multiple IP addresses (DDoS attack)? Define a custom App-ID to ensure that only legitimate application traffic reaches the server. Add a Vulnerability Protection Profile to block the attack. Add QoS Profiles to throttle incoming requests. Add a DoS Protection Profile with defined session count.
Which setting allows a DoS Protection profile to limit the maximum concurrent sessions from a source IP address? Set the type to Aggregate, clear the Sessions box and set the Maximum concurrent Sessions to 4000. Set the type to Classified, clear the Sessions box and set the Maximum concurrent Sessions to 4000. Set the type to Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000. Set the type to Aggregate, check the Sessions box and set the Maximum concurrent Sessions to 4000.
A customer is replacing their legacy remote access VPN solution. The current solution is in place to secure internet egress and provide access to resources located in the main datacenter for the connected clients. Prisma Access has been selected to replace the current remote access VPN solution. During onboarding the following options and licenses were selected and enabled. What must be configured on Prisma Access to provide connectivity to the resources in the datacenter? Configure a mobile user gateway in the region closest to the datacenter to enable connectivity to the datacenter. Configure a remote network to provide connectivity to the datacenter. Configure Dynamic Routing to provide connectivity to the datacenter. Configure a service connection to provide connectivity to the datacenter.
374. Which type of interface does a firewall use to forward decrypted traffic to a security chain for inspection? Layer 2 Tap Layer 3 Decryption Mirror.
Which User-ID method maps IP addresses to usernames for users connecting through an 802.1x-enabled wireless network device that has no native integration with PAN-OS® software? XML API Port Mapping Client Probing Server Monitoring.
An administrator has a PA-820 firewall with an active Threat Prevention subscription. The administrator is considering adding a WildFire subscription. How does adding the WildFire subscription improve the security posture of the organization? Protection against unknown malware can be provided in near real-time. WildFire and Threat Prevention combine to provide the utmost security posture for the firewall. After 24 hours WildFire signatures are included in the antivirus update. WildFire and Threat Prevention combine to minimize the attack surface.
An organization's administrator has the funds available to purchase more firewalls to increase the organization's security posture. The partner SE recommends placing the firewalls as close as possible to the resources that they protect. Is the SE's advice correct, and why or why not? Yes. Firewalls are session-based, so they do not scale to millions of CPS. No. Placing firewalls in front of perimeter DDoS devices provides greater protection for sensitive devices inside the network. Yes. Zone Protection profiles can be tailored to the resources that they protect via the configuration of specific device types and operating systems. No. Firewalls provide new defense and resilience to prevent attackers at every stage of the cyberattack lifecycle independent of placement.
An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack? Vulnerability Protection Anti-Spyware URL Filtering Antivirus.
A security engineer needs firewall management access on an Inside interface. Which three settings are required on an SSL/TLS Service Profile to provide secure Web UI authentication? (Choose three.) Maximum TLS version Minimum TLS version Encryption Algorithm Certificate Authentication Algorithm.
A network design change requires an existing firewall to start accessing Palo Alto Updates from a data plane interface address instead of the management interface. Which configuration setting needs to be modified? Service route Default route Management profile Authentication profile.
381. How can a Palo Alto Networks firewall be configured to send syslog messages in a format compatible with non-standard syslog servers? Enable support for non-standard syslog messages under device management Check the custom-format check box in the syslog server profile Select a non-standard syslog server profile Create a custom log format under the syslog server profile.
Which prerequisite must be satisfied before creating an SSH proxy Decryption policy? Both SSH keys and SSL certificates must be generated. No prerequisites are required. SSH keys must be manually generated. SSL certificates must be generated.
An administrator needs to optimize traffic to prefer business-critical applications over non-critical applications. QoS natively integrates with which feature to provide service quality? Port Inspection Certificate revocation Content-ID App-ID.
384. To support a new compliance requirement, your company requires positive username attribution of every IP address used by wireless devices. You must collect IP address-to-username mappings as soon as possible with minimal downtime and minimal configuration changes to the wireless devices themselves. The wireless devices are from various manufacturers. Given the scenario, choose the option for sending IP address-to-username mappings to the firewall. UID redistribution RADIUS syslog listener XFF headers.
Which is not a valid reason for receiving a decrypt-cert-validation error? Unsupported HSM Unknown certificate status Client authentication Untrusted issuer.
How are IPv6 DNS queries configured to use interface ethernet1/3? Network > Virtual Router > DNS Interface Objects > CustomerObjects > DNS Network > Interface Mgmt Device > Setup > Services > Service Route Configuration.
Which log file can be used to identify SSL decryption failures? Configuration Threats ACC Traffic.
In High Availability, which information is transferred via the HA data link? session information heartbeats HA state information User-ID information.
Which Device Group option is assigned by default in Panorama whenever a new device group is created to manage a Firewall? Master Universal Shared Global.
How can a candidate or running configuration be copied to a host external from Panorama? Commit a running configuration. Save a configuration snapshot. Save a candidate configuration. Export a named configuration snapshot.
When is it necessary to activate a license when provisioning a new Palo Alto Networks firewall? When configuring Certificate Profiles When configuring GlobalProtect portal When configuring User Activity Reports When configuring Antivirus Dynamic Updates.
392. SD-WAN is designed to support which two network topology types? (Choose two.) ring point-to-point hub-and-spoke full-mesh.
A network security engineer has been asked to analyze WildFire activity. However, the WildFire Submissions item is not visible from the Monitor tab. What could cause this condition? The firewall does not have an active WildFire subscription. The engineer's account does not have permission to view WildFire Submissions. A policy is blocking WildFire Submission traffic. Though WildFire is working, there are currently no WildFire Submissions log entries.
As a best practice, which URL category should you target first for SSL decryption? Online Storage and Backup High Risk Health and Medicine Financial Services.
395. Which three statements correctly describe Session 380280? (Choose three.) The application was initially identified as "ssl." The session has ended with the end-reason "unknown." The session did not go through SSL decryption processing. The application shifted to "web-browsing." The session went through SSL decryption processing.
396. Refer to the image. An administrator is tasked with correcting an NTP service configuration for firewalls that cannot use the Global template NTP servers. The administrator needs to change the IP address to a preferable server for this template stack but cannot impact other template stacks. How can the issue be corrected? Override the value on the NYCFW template. Override a template value using a template stack variable. Override the value on the Global template. Enable "objects defined in ancestors will take higher precedence" under Panorama settings.
397. What is the function of a service route? The service packets exit the firewall on the port assigned for the external service. The server sends its response to the configured source interface and source IP address. The service packets enter the firewall on the port assigned from the external service. The server sends its response to the configured destination interface and destination IP address. The service route is the method required to use the firewall's management plane to provide services to applications. Service routes provide access to external services, such as DNS servers, external authentication servers or Palo Alto Networks services like the Customer Support Portal.
A firewall administrator requires an A/P HA pair to fail over more quickly due to critical business application uptime requirements. What is the correct setting? Change the HA timer profile to "user-defined" and manually set the timers. Change the HA timer profile to "fast". Change the HA timer profile to "aggressive" or customize the settings in advanced profile. Change the HA timer profile to "quick" and customize in advanced profile.
A company wants to use their Active Directory groups to simplify their Security policy creation from Panorama. Which configuration is necessary to retrieve groups from Panorama? Configure an LDAP Server profile and enable the User-ID service on the management interface. Configure a group mapping profile to retrieve the groups in the target template. Configure a Data Redistribution Agent to receive IP User Mappings from User-ID agents. Configure a master device within the device groups.
400. What happens to traffic traversing SD-WAN fabric that doesn't match any SD-WAN policies? Traffic is dropped because there is no matching SD-WAN policy to direct traffic. Traffic matches a catch-all policy that is created through the SD-WAN plugin. Traffic matches implied policy rules and is redistributed round robin across SD-WAN links. Traffic is forwarded to the first physical interface participating in SD-WAN based on lowest interface number (i.e., Eth1/1 over Eth1/3).
Which two features require another license on the NGFW? (Choose two.) SSL Inbound Inspection SSL Forward Proxy Decryption Mirror Decryption Broker.
402. What are three reasons for excluding a site from SSL decryption? (Choose three.) the website is not present in English unsupported ciphers certificate pinning unsupported browser version mutual authentication.
403. An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure? To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. The WildFire Global Cloud only provides bare metal analysis.
404. An administrator receives the following error message: "IKE phase-2 negotiation failed when processing Proxy ID. Received local id 192.168.33.33/24 type IPv4 address protocol 0 port 0, received remote id 172.16.33.33/24 type IPv4 address protocol 0 port 0." How should the administrator identify the root cause of this error message? Verify that the IP addresses can be pinged and that routing issues are not causing the connection failure. Check whether the VPN peer on one end is set up correctly using policy-based VPN. In the IKE Gateway configuration, verify that the IP address for each VPN peer is accurate. In the IPSec Crypto profile configuration, verify that PFS is either enabled on both VPN peers or disabled on both VPN peers.
Before an administrator of a VM-500 can enable DoS and zone protection, what actions need to be taken? Create a zone protection profile with flood protection configured to defend an entire egress zone against SYN, ICMP, ICMPv6, UDP, and other IP flood attacks. Add a WildFire subscription to activate DoS and zone protection features. Replace the hardware firewall, because DoS and zone protection are not available with VM-Series systems. Measure and monitor the CPU consumption of the firewall data plane to ensure that each firewall is properly sized to support DoS and zone protection.
What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image? ethernet1/7 ethernet1/5 ethernet1/6 ethernet1/3.