NGFW3

Title of test:
NGFW3

Description:
Exam Questions

Creation Date: 2026/02/19

Category: Others

Number of questions: 36

Content:

A network security engineer is configuring a GlobalProtect deployment and needs to differentiate the functions of the Portal and the Gateway. The deployment must support remote users on multiple operating systems, provide a list of available gateways based on priority, and also deliver the initial client configuration. Which component is exclusively responsible for storing and distributing the agent configurations, certificate information, and the prioritized list of gateways?. • The GlobalProtect Gateway, which manages the client configuration and builds the VPN tunnel. • The GlobalProtect Portal, which authenticates users and builds the primary VPN tunnel. • The GlobalProtect Portal, which provides the client configuration and list of available gateways. • The GlobalProtect Gateway, which authenticates the user and provides the client configuration.

An organization is deploying an SSL Forward Proxy decryption policy. The security team has a strict compliance requirement to not decrypt any traffic destined for the 'Financial-Services' and 'Health-and-Medicine' URL categories. However, all traffic destined for 'Social-Networking' must be decrypted and inspected. An engineer configures the following Decryption Policy: Rule 1: Source: any, Destination: any, URL Category: 'Social-Networking', Action: Decrypt. Rule 2: Source: any, Destination: any, URL Category: 'Financial-Services', 'Health-and-Medicine', Action: No-Decrypt. What is the functional outcome of this configuration?. • The policy is correct. Social-Networking traffic will be decrypted, and financial traffic will not be decrypted. • The policy will fail to commit because 'Decrypt' rules cannot be placed before 'No-Decrypt' rules. • The policy is flawed. Financial and health traffic will be decrypted if the firewall has not yet identified the URL category. • The policy is flawed. A website categorized as both 'Social-Networking' and 'Financial-Services' would be decrypted, violating compliance.

An administrator has configured an Active/Passive HA pair. To detect upstream outages, a Path Monitoring profile has been configured to monitor the primary ISP's gateway (198.51.100.1) via ICMP. A Link Monitoring profile is also configured for the external interface (ethernet1/1). During a maintenance window, the upstream ISP router (198.51.100.1) goes offline, but the physical link between the firewall and the ISP's switch remains up. What is the expected failover behavior?. • No failover will occur because Link Monitoring shows the interface is still up. • The firewall will enter a suspended state because of the conflicting monitoring information. • A failover will be triggered because the Path Monitoring profile will detect the unreachability of the ISP gateway. • A failover will only be triggered if the HA1 link also fails, as this is a dual-failure scenario.

A security administrator needs to configure User-ID to collect IP-to-user mappings from a Windows Domain Controller. The corporate security policy prohibits using any account with Domain Admin privileges. The administrator configures the agentless User-ID feature on the firewall. Which permission is required for the service account used by the firewall to successfully monitor the Security Event Logs on the Domain Controller?. • The service account must be a member of the 'Domain Admins' group. • The service account must be a member of the 'Server Operators' group. • The service account must be a member of the 'Event Log Readers' group. • The service account must have 'Local Administrator' rights on the firewall itself.

An administrator is managing a global deployment of 200 firewalls using Panorama. The administrator needs to configure the DNS server IP address (Device > Setup > Services) on all firewalls. However, each of the 200 sites has a different local DNS server IP. How can the administrator use Panorama to manage this without creating 200 separate Templates?. • This is not possible; 200 individual Templates must be created. • By creating a single Template, using a Template Variable for the DNS IP address, and assigning the Template to a Template Stack. • By creating a single Device Group and using a variable in the Security policies. • By creating a single Template Stack and overriding the DNS server IP address on each of the 200 devices.

A company is using Palo Alto Networks SD-WAN. A traffic distribution profile is configured to use two ISPs: ISP-A (Fiber) and ISP-B (Cable). The policy is set to distribute load based on session-count, with a threshold of 250 sessions. An application session is established and is currently using the ISP-A path. The session count on ISP-A then exceeds 250. What happens to new application sessions, and what happens to the existing session?. • New sessions are steered to ISP-B. The existing session is immediately terminated. • New sessions are steered to ISP-B. The existing session continues on ISP-A until it terminates naturally. • New sessions are steered to ISP-B. The existing session is immediately re-routed to ISP-B to alleviate the load. • New sessions and the existing session all continue on ISP-A until the path fails its health check.

A firewall administrator is troubleshooting a commit failure on a VM-Series firewall deployed in a public cloud environment. The commit error indicates that the firewall has exceeded its licensed limit for the number of Security policies. Which component is responsible for defining and enforcing this specific per-model capacity?. • The Palo Alto Networks WildFire cloud. • The Panorama management server. • The VM-Series model license that was applied. • The Security Profile attached to the rules.

An administrator configures a WildFire Analysis Profile and applies it to a security rule. A user then downloads a file with a previously unknown hash. The firewall forwards the file to the WildFire cloud. Five minutes later, WildFire returns a 'malicious' verdict. Where would the administrator look to see the log entry that correlates the original user and file download with this newly received 'malicious' verdict?. • In the Traffic log, by filtering for the 'wildfire' application. • In the Data Filtering log, as the file was a data exfiltration attempt. • In the WildFire Submissions log; this log is updated with the verdict. • In the Threat log, by filtering for the log type wildfire.

A company's security policy dictates that users are allowed to access 'Social-Networking' sites, but they are not allowed to log in, post, or upload content. An administrator has applied a URL Filtering profile to a Security policy rule that allows the 'Social-Networking' category. How can the administrator enforce this granular requirement without blocking the entire category?. A) This is not possible with URL Filtering; it requires a Data Filtering profile. B) By configuring the URL Filtering profile to set the 'Social-Networking' category action to 'alert'. C) By using an Application Filter in the Security policy rule to block social-media applications. D) By using App-ID in the Security policy rule, allowing the 'facebook-base' application but explicitly blocking 'facebook-posting' and 'facebook-chat'.

A security administrator is configuring a URL Filtering profile to protect users from submitting their corporate login credentials to phishing sites. The administrator wants the firewall to prevent the submission of credentials to any site that is not on a corporate-approved whitelist. Which feature, in conjunction with User-ID, should be configured to achieve this?. • The Data Filtering profile, by adding usernames to the profile. • The Credential Phishing Prevention feature within the URL Filtering profile. • An Anti-Spyware profile with DNS Sinkholing enabled. • A Decryption policy rule with an action of 'no-decrypt' for phishing sites.

An administrator is configuring a GlobalProtect Gateway and needs to provide two-factor authentication. The company uses a RADIUS server for one-time passwords (OTPs) and Active Directory for user passwords. The goal is to have the user prompted for both. How should this be configured in the firewall?. A) Create a single Authentication Profile that points to the RADIUS server, as it can proxy to Active Directory. B) Create two separate Authentication Profiles, one for RADIUS and one for LDAP, and apply both to the Gateway. C) Create an Authentication Sequence that includes an Authentication Profile for LDAP and an Authentication Profile for RADIUS. D) Create a SAML Authentication Profile and configure the SAML IdP to handle both RADIUS and LDAP.

An engineer is configuring an Active/Passive HA pair. The HA1 control link is connected directly between the two firewalls using the dedicated HSCI ports. The HA2 data link is also connected directly between the devices. The administrator wants to add redundancy to the HA1 control link in case the HSCI port or cable fails. What is the best-practice method to achieve this redundancy?. • Enable Path Monitoring on the HA1 interface. • Enable Heartbeat Backup and use the HA2 data link as the backup path. • Configure a backup HA1 link using an in-band data port (e.g., ethernet1/8) and a separate cable. • Configure a Link Aggregation Group (LAG) for the HA1 ports.

A security team wants to prioritize network bandwidth for their critical 'SAP' application and strictly limit the bandwidth available to 'youtube'. All other traffic should be treated as best-effort. Which Palo Alto Networks feature is used to enforce these application-based bandwidth rules?. • Quality of Service (QoS). • Policy-Based Forwarding (PBF). • URL Filtering Profile. • Application Override.

An administrator manages a large, distributed network with firewalls at the headquarters (HQ) and at multiple branch offices. A user authenticates to the network at a branch office, and the branch firewall successfully creates a User-ID mapping. The user then tries to access a resource at the HQ, which is protected by the HQ firewall. How can the HQ firewall learn the User-ID mapping from the branch firewall?. • The HQ firewall must be configured to monitor the branch office's Domain Controller. • By configuring User-ID Redistribution, using Panorama or a hub-and-spoke firewall topology. • This is not possible; the user must re-authenticate to the HQ firewall's Captive Portal. • By enabling the 'Forward User-ID' option on the branch firewall's external interface.

An administrator needs to forward all 'Threat' logs to a SIEM for long-term storage and analysis. At the same time, they need to forward all log types (Traffic, Threat, URL, etc.) to Panorama for centralized reporting. What is the correct object to configure to achieve this multi-destination forwarding?. • A single Log Forwarding Profile with two match lists, one for the SIEM and one for Panorama. • Two separate Log Forwarding Profiles: one for the SIEM and one for Panorama, applied to the same rules. • A Log Forwarding Profile with a single match list that sends all logs to Panorama, which then forwards the Threat logs to the SIEM. • A Server Profile for the SIEM and a separate Log Forwarding Profile for Panorama.

An administrator has two ISP connections and wants to load-balance outbound traffic per-session to utilize both links simultaneously. Both ISP routers are connected to the 'Untrust' zone. The administrator has configured two static routes (one for each ISP's gateway) with the same metric. Which additional feature must be configured on the virtual router to enable this per-session load balancing?. • Policy-Based Forwarding (PBF). • ECMP (Equal-Cost Multi-Path). • QoS (Quality of Service). • SD-WAN.

An administrator configures an IPSec tunnel between two Palo Alto Networks firewalls. The tunnel is established, and Phase 1 and Phase 2 SAs are up. However, traffic is not passing through the tunnel. The administrator has confirmed there are no NAT policies interfering and the Security policies are correct. What is the most common remaining reason for this failure?. • The Proxy IDs do not match on both ends of the tunnel. • The firewall is missing a static route in the virtual router to direct traffic into the tunnel. • The IKE Crypto profile is using a different DH Group than the IPSec Crypto profile. • The Security policy rule has logging disabled, which prevents traffic flow.

A company is deploying a Palo Alto Networks firewall to protect an internal web server. The firewall is configured for SSL Inbound Inspection, which requires the server's private key to be imported onto the firewall. Which Decryption policy action is used to enable this specific type of decryption?. • SSL Forward Proxy. • SSL Backward Proxy. • SSH Proxy. • SSL Inbound Inspection.

An administrator wants to create a Security policy rule to block a set of malicious IP addresses that is published by a third-party threat intelligence feed. The list of IPs changes frequently. The administrator wants the firewall to automatically update this list without manual intervention. Which object type should be used as the source or destination in the Security policy rule?. • A Security Profile Group. • An Address Group containing static Address Objects. • An External Dynamic List (EDL). • A Dynamic Address Group (DAG).

An administrator has created a custom in-house application that runs on TCP port 12345. The administrator wants to create a Security policy rule that only allows this specific application, but App-ID is currently identifying it as 'unknown-tcp'. How can the administrator create a strict policy that bypasses App-ID for this traffic and treats it as the custom application?. A) Create a custom Application signature for the traffic. B) Create an Application Filter and add it to the rule. C) Create a Service object for TCP 12345 and set the application to any. D) Create an Application Override policy rule.

An administrator needs to deploy identical security policies to multiple firewalls with minor variations. Which Panorama feature supports this requirement?. a) Log collector group. b) Device group hierarchy. c) TLS service profile. d) HA1 backup.

Which tool allows automation using YAML playbooks?. a) Terraform. b) CLI macro. c) REST API. d) Ansible.

In GlobalProtect split tunnel configuration, excluding internal subnets will result in what behavior?. a) Internal traffic bypasses the VPN tunnel. b) Internal traffic is dropped. c) Internal traffic is encrypted twice. d) Gateway authentication fails.

When configuring virtual systems (VSYS), which resources can be assigned per VSYS? (Choose 2). a) Interfaces. b) Virtual routers. c) Log collector groups. d) GlobalProtect portals.

Which feature allows viewing application trends and identifying top applications across devices in Panorama?. a) NAT preview. b) VSYS. c) ACC. d) HA monitoring.

A firewall uses both static and dynamic routes. Which value determines route preference?. a) Interface bandwidth. b) NAT rule order. c) Security zone priority. d) Administrative distance.

What is the purpose of the HA1 backup link?. a) Synchronize sessions. b) Encrypt VPN tunnels. c) Provide redundancy for control traffic. d) Monitor routes.

Which configuration ensures logs are sent to Panorama instead of stored locally?. a) HA preemption. b) NAT rule. c) TLS service profile. d) Log collector group association.

An engineer deploys a VM-Series firewall in a public cloud environment but management connectivity fails. Which configuration should be verified first?. a) Security policy rules. b) Management interface IP configuration. c) OSPF area. d) Decryption profile.

Which Panorama commit type pushes configuration changes to managed firewalls?. a) Commit and Push. b) Commit to Panorama. c) Commit. d) Local commit.

A network engineer is configuring a new Palo Alto Networks firewall to segment a flat corporate network into multiple VLANs. The firewall has an interface, ethernet1/1, intended to carry traffic for VLANs 10 (HR) and 20 (Finance). The HR VLAN requires DHCP services provided by an external server accessible through a Layer 3 interface on the firewall, while the Finance VLAN needs static IP assignment for critical servers. The firewall is also expected to perform inter-VLAN routing for these segments. Which of the following configurations, when applied to ethernet1/1, correctly prepares it for this scenario, assuming no other relevant interfaces are configured yet?. A. Configure ethernet1/1 as a Layer 3 interface, then create subinterfaces ethernet1/1.10 and ethernet1/1.20, assigning them to VLANs 10 and 20 respectively, and configure IP addresses on these subinterfaces. B. Configure ethernet1/1 as a Layer 2 interface, create VLAN interfaces for VLAN 10 and VLAN 20, and assign ethernet1/1 to a virtual wire with these VLAN interfaces. C. Configure ethernet1/1 as a Layer 2 interface, add it to a new VLAN object named 'Corporate-VLANs', and then create two subinterfaces on this VLAN object, one for VLAN 10 and one for VLAN 20, each with an IP address. D. Configure ethernet1/1 as a Layer 2 interface, create two VLAN objects (VLAN-10 and VLAN-20), assign ethernet1/1 as an access port to both VLAN-10 and VLAN-20, and then create Layer 3 VLAN interfaces for routing. E. Configure ethernet1/1 as a Layer 2 interface, then create a single VLAN interface and add ethernet1/1 as a trunk port to this VLAN interface. Subsequently, create two sub-interfaces on this VLAN interface, one for VLAN 10 and one for VLAN 20, assigning IP addresses.

A Palo Alto Networks firewall is deployed as a transparent bridge in a network segment. Interface ethernet1/2 is configured as a Layer 2 interface and is part of a Bridge Group. The network administrator observes that broadcast traffic from a specific legacy device on ethernet1/2 is flooding other interfaces within the same bridge group, causing performance issues. The administrator needs to prevent this specific device's broadcast traffic from flooding, without blocking unicast communication or impacting other devices on the same segment. Which of the following configuration steps would be most effective to mitigate this issue, assuming the legacy device's MAC address is 00:0A:95:9D:68:1B?. A. Implement a firewall policy to deny all broadcast traffic sourced from 00:0A:95:9D:68:1B within the Bridge Group. B. Configure a MAC ACL (Access Control List) on the ethernet1/2 interface to drop packets with source MAC 00:0A:95:9D:68:1B and a broadcast destination MAC. C. Change ethernet1/2 from a Layer 2 interface to a Layer 3 interface and configure an ARP entry for the legacy device to prevent broadcast lookup. D. Utilize the 'MAC Limiting' feature on the Bridge Group to cap the number of MAC addresses learned, forcing the firewall to drop excessive broadcasts. E. On the ethernet1/2 interface configuration, navigate to the Advanced tab and configure a Broadcast Storm Control threshold for the specific MAC address.

A Palo Alto Networks firewall acts as a Layer 2 transparent bridge between two critical network segments (Segment A and Segment B) for a secure data transfer application. Interface ethernet1/3 is connected to Segment A, and ethernet1/4 is connected to Segment B. Both interfaces are part of the same Bridge Group 'BG-DataTransfer'. The application requires strict latency control and minimal jitter. After deployment, the network team reports intermittent latency spikes and packet retransmissions, particularly during periods of high data throughput. Further investigation reveals that the application servers on Segment A occasionally send very large frames (up to 9216 bytes) that are being dropped by the firewall. The application developers confirm that they are using Jumbo Frames. What is the most precise and comprehensive configuration change to ensure seamless Layer 2 operation with Jumbo Frames and optimize for low latency in this transparent bridge scenario?. A. Increase the MTU on both ethernet1/3 and ethernet1/4 interfaces to 9216 bytes. Then, ensure the Bridge Group 'BG-DataTransfer' is configured with an appropriate MTU, and verify that the firewall's physical interfaces support Jumbo Frames. B. Set the MTU on both ethernet1/3 and ethernet1/4 to 1500 bytes and implement TCP MSS clamping on the Bridge Group to prevent oversized packets from being sent. C. Configure 'Bypass Mode' on the Bridge Group 'BG-DataTransfer' to ensure that all traffic, including Jumbo Frames, is passed through without inspection, thereby reducing latency. D. On both ethernet1/3 and ethernet1/4, configure the MTU to 9216 bytes. Additionally, review the firewall's Threat Prevention and Security Policies for any profiles that might be performing deep packet inspection or reassembly, and adjust them to minimize latency for this specific traffic, or create a bypass rule for known Jumbo Frame traffic. E. The Palo Alto Networks firewall automatically handles Jumbo Frames in Layer 2 mode. The latency issue is likely due to CPU oversubscription. Monitor the firewall's CPU usage and consider upgrading the hardware if necessary.

A Palo Alto Networks firewall needs to act as a Layer 2 bridge for a specialized industrial control network that utilizes custom EtherType protocols in addition to standard IP traffic. Interface ethernet1/5 is connected to this network. The operational requirement is to allow all traffic, including these custom EtherType frames, to pass through the firewall transparently, while still enforcing security policies only on standard IP and ARP traffic. The firewall must log all dropped packets, even those not matching any security policy. Which of the following configuration adjustments are necessary and sufficient to meet these requirements? (Choose 2). A. Configure ethernet1/5 as a Layer 2 interface and add it to a Bridge Group. Create a security policy to permit all IP and ARP traffic. For custom EtherType traffic, a dedicated firewall policy is not needed as Layer 2 interfaces inherently forward non-IP/ARP traffic. B. Configure ethernet1/5 as a Layer 2 interface and add it to a Bridge Group. Create a security policy with a 'catch-all' rule for IP and ARP traffic. Additionally, create a custom application signature for each EtherType protocol and then create security policies to permit traffic matching these custom applications. C. Configure ethernet1/5 as a Layer 2 interface and add it to a Bridge Group. Ensure the 'ethernet type forwarding' option is enabled on the Bridge Group or individual interface. Create security policies for IP and ARP traffic. Configure the default inter-zone policy for the bridge group's zones to 'allow all' to explicitly permit custom EtherTypes to pass uninspected. D. Configure ethernet1/5 as a Layer 2 interface and add it to a Bridge Group. Create security policies to permit IP and ARP traffic. To log all dropped packets, ensure the implicit 'deny' rule at the end of the security policy rulebase has logging enabled. Custom EtherType traffic will bypass security processing if no explicit rules match them, but will still be forwarded. E. Configure ethernet1/5 as a Layer 2 interface. Create a Bridge Group and add ethernet1/5. Crucially, in a Layer 2 transparent deployment, non-IP/ARP traffic (including custom EtherTypes) is typically forwarded without being subjected to security policies by default, unless specific Packet Filter rules are configured. To log all dropped packets, enable 'Log at Session End' on the implicit deny rule. For any dropped IP/ARP packets not matching specific rules, this ensures logging.

A Palo Alto Networks firewall is being configured for a multi-tenant environment. Interface ethernet1/6 is a Layer 2 interface connected to a core switch that carries traffic for several tenants, each segregated by a unique VLAN (e.g., VLAN 100 for Tenant A, VLAN 200 for Tenant B). The security requirement dictates that traffic between tenants (inter-VLAN traffic) must be strictly isolated and pass through a separate, dedicated Layer 3 firewall (not this device), while intra-tenant traffic (traffic within the same VLAN) should be allowed to traverse this Palo Alto firewall for security inspection and logging, specifically for malware detection. This firewall must operate as a transparent Layer 2 device for each tenant's VLAN. Which of the following configurations are necessary to achieve this intricate setup, considering the need for granular intra-VLAN security inspection?. A. Configure ethernet1/6 as a Layer 2 interface. Create a separate Bridge Group for each tenant's VLAN (e.g., BG-TenantA for VLAN 100, BG-TenantB for VLAN 200). Add ethernet1/6 to all these Bridge Groups. Configure security policies between the zones associated with these Bridge Groups to allow intra-tenant traffic and deny inter-tenant traffic. B. Configure ethernet1/6 as a Layer 2 interface. Create a single Bridge Group and add ethernet1/6 to it. For each tenant's VLAN, create a separate VLAN interface (e.g., VLAN-100, VLAN-200) and assign them to the Bridge Group. Configure a virtual wire between each VLAN interface and a corresponding Layer 3 interface for security enforcement. C. Configure ethernet1/6 as a Layer 2 interface. Create a separate Bridge Group for each tenant's VLAN (e.g., BG-TenantA for VLAN 100, BG-TenantB for VLAN 200). Add ethernet1/6 to each respective Bridge Group, ensuring the 'VLAN Tagging' is set for each Bridge Group to match the tenant's VLAN ID. Then, define security zones for each Bridge Group and create security policies within each zone to allow intra-tenant traffic. Inter-tenant traffic will not traverse as separate Bridge Groups do not route between themselves by default. D. Configure ethernet1/6 as a Layer 2 interface. Create a single Bridge Group. Create a 'VLAN Tag' object for each tenant's VLAN (e.g., VLAN-100, VLAN-200). Assign these VLAN Tags to the Bridge Group. Implement security policies using 'Source Zone' and 'Destination Zone' based on the Bridge Group and 'Source VLAN' and 'Destination VLAN' to permit intra-VLAN traffic and deny inter-VLAN traffic. E. Configure ethernet1/6 as a Layer 2 interface. Create a separate VLAN Interface for each tenant's VLAN (e.g., VLAN-100 for VLAN 100, VLAN-200 for VLAN 200) and assign ethernet1/6 as an access port to each VLAN Interface. Create security zones for each VLAN Interface and configure security policies between these zones to allow intra-VLAN traffic and deny inter-VLAN traffic.

A Palo Alto Networks firewall is providing Layer 2 segmentation within a data center. Interface ethernet1/7 is a Layer 2 interface connected to a virtualized server environment, carrying traffic from multiple virtual machines (VMs) on different VLANs. The security team has mandated that no VM should be able to spoof the MAC address of another VM on the same physical segment. Additionally, if a VM tries to use an unassigned IP address within its VLAN subnet (e.g., an IP not explicitly configured for it), the firewall should drop that traffic without impacting legitimate communication. How can these requirements be most effectively enforced using PAN-OS Layer 2 features, assuming dynamic MAC learning is enabled?. A. On ethernet1/7, enable 'ARP Inspection' and configure 'Static ARP Entries' for all legitimate VM MAC-to-IP mappings. Also, enable 'MAC Limiting' on the Bridge Group to prevent new MAC addresses from being learned. B. Configure 'DHCP Snooping' on ethernet1/7 and enable 'Dynamic ARP Inspection' (DAI) on the associated Bridge Group. Set up 'IP Source Guard' policies on the Bridge Group to drop packets with source IPs not learned via DHCP or static entries. C. Enable 'ARP Inspection' on ethernet1/7 and populate its 'ARP Trust Table' with legitimate MAC-to-IP bindings for each VM. For MAC spoofing, enable 'MAC Security' on ethernet1/7 and define allowed MAC addresses. For unassigned IP addresses, leverage 'IP-MAC Binding' and configure security rules to drop traffic not matching these bindings. D. Utilize 'MAC-based Forwarding' on ethernet1/7 to restrict traffic to known MAC addresses. Implement 'Dynamic ARP Inspection' (DAI) on the Bridge Group, with a trusted port for the upstream switch and untrusted ports for the VMs, to prevent IP address spoofing for unassigned IPs. E. On the Bridge Group containing ethernet1/7, enable 'ARP Inspection' and ensure 'Validate ARP' is checked. This helps prevent MAC spoofing. To address unassigned IP addresses, enable 'IP-MAC Binding' and either statically configure or dynamically learn the valid IP-to-MAC associations. Then, ensure the security policy drops traffic from unlearned/invalid IP-MAC pairs.
