Title of test: nsepc
Description: test of ncesp
Author:
Creation Date: 23/12/2024
Category: Personality
Number of questions: 112
Content:
An engineer has been asked to limit which routes are shared by running two different areas within an OSPF implementation. However, the devices share a common link for communication. Which virtual router configuration supports running multiple instances of the OSPF protocol over a single link?
- ASBR
- OSPFv3
- ECMP
- OSPF

Based on the graphic, which statement accurately describes the output shown in the Server Monitoring panel?
- The User-ID agent is connected to a domain controller labeled lab-client.
- The host lab-client has been found by a domain controller.
- The host lab-client has been found by the User-ID agent.
- The User-ID agent is connected to the firewall labeled lab-client.

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
- By navigating to Monitor > Logs > Traffic, applying filter "(subtype eq virus)"
- By navigating to Monitor > Logs > Threat, applying filter "(subtype eq virus)"
- By navigating to Monitor > Logs > Threat, applying filter "(subtype eq wildfire-virus)"
- By navigating to Monitor > Logs > WildFire Submissions, applying filter "(subtype eq wildfire-virus)"

The server team is concerned about the high volume of logs forwarded to their syslog server. It is determined that DNS is generating the most logs per second. The risk and compliance team requests that any Traffic logs indicating port abuse of port 53 must still be forwarded to syslog. All other DNS Traffic logs can be excluded from syslog forwarding. How should syslog log forwarding be configured?
- With '(port.dst neq 53)' Traffic log filter inside Objects > Log Forwarding.
- With '(port.dst neq 53)' Traffic log filter inside Device > Log Settings.
- With '(app neq dns-base)' Traffic log filter inside Device > Log Settings.
- With '(app neq dns-base)' Traffic log filter inside Objects > Log Forwarding.

An engineer decides to use Panorama to upgrade devices to PAN-OS 10.2. Which three platforms support PAN-OS 10.2? (Choose three.)
- PA-220
- PA-800 Series
- PA-5000 Series
- PA-500
- PA-3400 Series

Which three options does Panorama offer for deploying dynamic updates to its managed devices? (Choose three.)
- Check dependencies
- Schedules
- Verify
- Revert content
- Install

An administrator just enabled HA Heartbeat Backup on two devices. However, the High Availability status on the firewall's dashboard is showing as down. What could an administrator do to troubleshoot the issue?
- Go to Device > High Availability > General > HA Pair Settings > Setup and configure the peer IP for heartbeat backup.
- Check the peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings.
- Go to Device > High Availability > HA Communications > General and check the Heartbeat Backup under Election Settings.
- Check the peer IP address for heartbeat backup in Device > High Availability > HA Communications > Packet Forwarding settings.

An administrator has configured a pair of firewalls using high availability in Active/Passive mode. Link and Path Monitoring is enabled with the Failure Condition set to "any". There is one link group configured containing member interfaces ethernet1/1 and ethernet1/2 with a Group Failure Condition set to "all". Which HA state will the Active firewall go into if the ethernet1/1 link goes down due to a failure?
- Active
- Passive
- Active-Secondary
- Non-functional

With the default TCP and UDP settings on the firewall, what will be the identified application in the following session?
- Incomplete
- unknown-tcp
- Insufficient-data
- not-applicable

Which rule type controls end user SSL traffic to external websites?
- SSL Inbound Inspection
- SSH Proxy
- SSL Forward Proxy
- SSL Outbound Proxyless Inspection

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
- ECDSA
- ECDHE
- RSA
- DHE

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)
- NTP Server Address
- Antivirus Profile
- Authentication Profile
- Service Route Configuration
- Dynamic Address Groups

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines the frequency at which the HA peers exchange messages in the form of an ICMP (ping)?
- Hello Interval
- Promotion Hold Time
- Heartbeat Interval
- Monitor Fail Hold Up Time

An enterprise Information Security team has deployed policies based on AD groups to restrict user access to critical infrastructure systems. However, a recent phishing campaign against the organization has prompted Information Security to look for more controls that can secure access to critical assets. For users that need to access these systems, Information Security wants to use PAN-OS multi-factor authentication (MFA) integration to enforce MFA. What should the enterprise do to use PAN-OS MFA?
- Configure a Captive Portal authentication policy that uses an authentication sequence.
- Configure a Captive Portal authentication policy that uses an authentication profile that references a RADIUS profile.
- Create an authentication profile and assign another authentication factor to be used by a Captive Portal authentication policy.
- Use a Credential Phishing agent to detect, prevent, and mitigate credential phishing campaigns.

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?
- Post-NAT destination address
- Pre-NAT destination address
- Post-NAT source address
- Pre-NAT source address

What must be configured to apply tags automatically based on User-ID logs?
- Device ID
- Log Forwarding profile
- Group mapping
- Log settings

What happens when the log forwarding built-in action with tagging is used?
- Selected logs are forwarded to the Azure Security Center.
- Destination zones of selected unwanted traffic are blocked.
- Destination IP addresses of selected unwanted traffic are blocked.
- Selected unwanted traffic source zones are blocked.

What can the Log Forwarding built-in action with tagging be used to accomplish?
- Forward selected logs to the Azure Security Center.
- Block the destination zones of selected unwanted traffic.
- Block the source zones of selected unwanted traffic.
- Block the destination IP addresses of selected unwanted traffic.

A company wants to implement threat prevention to take action without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.)
- TAP
- Layer 2
- Layer 3
- Virtual Wire

An engineer is reviewing policies after a PAN-OS upgrade. What are the two differences between Highlight Unused Rules and the Rule Usage Hit counters immediately after a reboot?
- Highlight Unused Rules will highlight all rules.
- Highlight Unused Rules will highlight zero rules.
- Rule Usage Hit counter will not be reset.
- Rule Usage Hit counter will reset.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
- Initial
- Tentative
- Passive
- Active-secondary

If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?
- show system state filter sw.dev.interface.config
- show chassis status slot s1
- show system state filter-pretty sys.s1.*
- show system state filter ethernet1/1

A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two.)
- SSL
- TLS
- HTTP
- Email

An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?
- From the Monitor tab, click Traffic view and review the information in the detailed log view.
- From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included, and review the information in the detailed log view.
- From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules.
- From the Monitor tab, click Session Browser and review the session details.

A firewall administrator is configuring an IPSec tunnel between a company's HQ and a remote location. On the HQ firewall, the interface used to terminate the IPSec tunnel has a static IP. At the remote location, the interface used to terminate the IPSec tunnel has a DHCP assigned IP address. Which two actions are required for this scenario to work? (Choose two.)
- On the HQ firewall, select peer IP address type FQDN.
- On the remote location firewall, select peer IP address type Dynamic.
- On the HQ firewall, enable DDNS under the interface used for the IPSec tunnel.
- On the remote location firewall, enable DDNS under the interface used for the IPSec tunnel.

A firewall engineer needs to update a company's Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network. Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
- Upload the image to Panorama > Software menu, and deploy it to the firewalls. *
- Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls.
- Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.
- Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.

An administrator needs to build Security rules in a Device Group that allow traffic to specific users and groups defined in Active Directory. What must be configured in order to select users and groups for those rules from Panorama?
- A User-ID Certificate profile must be configured on Panorama.
- The Security rules must be targeted to a firewall in the device group and have Group Mapping configured.
- User-ID Redistribution must be configured on Panorama to ensure that all firewalls have the same mappings.
- A master device with Group Mapping configured must be set in the device group where the Security rules are configured.

If a URL is in multiple custom URL categories with different actions, which action will take priority?
- Block
- Allow
- Alert
- Override

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
- Use RSA instead of ECDSA for traffic that isn't sensitive or high-priority.
- Use the highest TLS protocol version to maximize security.
- Use ECDSA instead of RSA for traffic that isn't sensitive or high-priority.
- Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption.

A security team has enabled real-time WildFire signature lookup on all its firewalls. Which additional action will further reduce the likelihood of newly discovered malware being allowed through the firewalls?
- Increase the frequency of the applications and threats dynamic updates.
- Increase the frequency of the antivirus dynamic updates.
- Enable the "Hold Mode" option in Objects > Security Profiles > Antivirus.
- Enable the "Report Grayware Files" option in Device > Setup > WildFire.

An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.)
- Inherit settings from the Shared group
- Inherit IPSec crypto profiles
- Inherit all Security policy rules and objects
- Inherit parent Security policy rules and objects

An engineer troubleshoots a high availability (HA) link that is unreliable. Where can the engineer view what time the interface went down?
- Monitor > Logs > System
- Device > High Availability > Active/Passive Settings
- Monitor > Logs > Traffic
- Dashboard > Widgets > High Availability

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)
- An Application Override policy for the SIP traffic
- QoS on the egress interface for the traffic flows
- A QoS profile defining traffic classes
- A QoS policy for each application ID
- QoS on the ingress interface for the traffic flows

An engineer needs to collect User-ID mappings from the company's existing proxies. What two methods can be used to pull this data from third party proxies? (Choose two.)
- Client probing
- Syslog
- XFF Headers
- Server Monitoring

Please match the terms to their corresponding definitions. Select and Place:
- management plane
- signature matching
- security processing
- network processing

A network administrator notices a false-positive state after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays the following: threat type: spyware; category: dns-c2; threat ID: 1000011111. Which set of steps should the administrator take to configure an exception for this signature?
- Navigate to Objects > Security Profiles > Anti-Spyware; select the related profile; select the DNS Exceptions tab; search the related threat ID and click Enable; commit.
- Navigate to Objects > Security Profiles > Vulnerability Protection; select the related profile; select the Signature Exceptions tab and then click Show All Signatures; search the related threat ID and click Enable; change the default action; commit.
- Navigate to Objects > Security Profiles > Vulnerability Protection; select the related profile; select the Exceptions tab and then click Show All Signatures; search the related threat ID and click Enable; commit.
- Navigate to Objects > Security Profiles > Anti-Spyware; select the related profile; select the Exceptions tab and then click Show All Signatures; search the related threat ID and click Enable; commit.

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
- Satellite mode
- Tunnel mode
- No Direct Access to local networks
- IPSec mode

An administrator needs to gather information about the CPU utilization on both the management plane and the data plane. Where does the administrator view the desired data?
- Support > Resources
- Application Command and Control Center
- Resources Widget on the Dashboard
- Monitor > Utilization

An engineer troubleshooting a VPN issue needs to manually initiate a VPN tunnel from the CLI. Which CLI command can the engineer use?
- test vpn ike-sa
- test vpn gateway
- test vpn flow
- test vpn tunnel

A firewall administrator configures the HIP profiles on the edge firewall where GlobalProtect is enabled, and adds the profiles to security rules. The administrator wants to redistribute the HIP reports to the data center firewalls to apply the same access restrictions using HIP profiles. However, the administrator can only see the HIP match logs on the edge firewall but not on the data center firewall. What are two reasons why the administrator is not seeing HIP ((TBC))
- Log Forwarding Profile is configured but not added to security rules in the data center firewall.
- HIP profiles are configured but not added to security rules in the data center firewall.
- User-ID is not enabled in the zone where the users are coming from in the data center firewall.
- HIP Match log forwarding is not configured under Log Settings in the Device tab.

An organization is interested in migrating from their existing web proxy architecture to the Web Proxy feature of their PAN-OS 11.0 firewalls. Currently, HTTP and SSL requests contain the IP address of the web server and the client browser is redirected to the proxy. Which PAN-OS proxy method should be configured to maintain this type of traffic flow?
- DNS proxy
- Explicit proxy
- SSL forward proxy
- Transparent proxy

Where can a service route be configured for a specific destination IP?
- Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
- Use Device > Setup > Services > Services
- Use Device > Setup > Services > Service Route Configuration > Customize > Destination
- Use Device > Setup > Services > Service Route Configuration > Customize > IPv4

An engineer has been given approval to upgrade their environment to PAN-OS 10.2. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?
- Upgrade the firewalls, upgrade the log collectors, upgrade Panorama
- Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
- Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
- Upgrade Panorama, upgrade the log collectors, upgrade the firewalls

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication. What is the most operationally efficient way to redistribute the most accurate IP address to username mappings?
- Deploy a PAN-OS integrated User-ID agent on each vsys
- Deploy the GlobalProtect vsys as a User-ID data hub
- Deploy an M-200 as a User-ID collector
- Deploy Windows User-ID agents on each domain controller

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?
- test routing route ip 10.2.5.3 *
- test routing route ip 10.2.5.3 virtual-router default
- test routing fib-lookup ip 10.2.5.0/24 virtual-router default
- test routing fib-lookup ip 10.2.5.3 virtual-router default

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?
- Export device state
- Load configuration version
- Load named configuration snapshot
- Save candidate config

An engineer is tasked with decrypting web traffic in an environment without an established PKI. When using a self-signed certificate generated on the firewall, which type of certificate should be in? approved web traffic? {{baru}}
- An Enterprise Root CA certificate
- The same certificate as the Forward Trust certificate
- A Public Root CA certificate
- The same certificate as the Forward Untrust certificate

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.)
- Log Ingestion
- HTTP
- Log Forwarding
- LDAP

What is the best description of the Cluster Synchronization Timeout (min)?
- The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
- The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall
- The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
- The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational

What does SSL decryption require to establish a firewall as a trusted third party and to establish trust between a client and server to secure an SSL/TLS connection?
- link state
- profiles
- stateful firewall connection
- certificates

A firewall administrator has been tasked with ensuring that all Panorama configuration is committed and pushed to the devices at the end of the day at a certain time. How can they achieve this?
- Use the Scheduled Config Push to schedule Commit to Panorama and also Push to Devices.
- Use the Scheduled Config Push to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
- Use the Scheduled Config Export to schedule Push to Devices and separately schedule an API call to commit all Panorama changes.
- Use the Scheduled Config Export to schedule Commit to Panorama and also Push to Devices.

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?
- On Palo Alto Networks Update Servers
- M600 Log Collectors
- Cortex Data Lake
- Panorama

Which operation will impact the performance of the management plane?
- Enabling DoS protection
- Enabling packet buffer protection
- Decrypting SSL sessions
- Generating a SaaS Application report

A network engineer has discovered that asymmetric routing is causing a Palo Alto Networks firewall to drop traffic. The network architecture cannot be changed to correct this. Which two actions can be taken on the firewall to allow the dropped traffic permanently? (Choose two.)
- Navigate to Network > Zone Protection; click Add; select Packet Based Attack Protection > TCP/IP Drop; set "Reject Non-syn-TCP" to No; set "Asymmetric Path" to Bypass.
- > set session tcp-reject-non-syn no
- Navigate to Network > Zone Protection; click Add; select Packet Based Attack Protection > TCP/IP Drop; set "Reject Non-syn-TCP" to Global; set "Asymmetric Path" to Global.
- # set deviceconfig setting session tcp-reject-non-syn no

A firewall engineer has determined that, in an application developed by the company's internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not require to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes. Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
- Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.
- Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.
- Create a custom application with specific timeouts, then create an application override rule and reference the custom application.
- Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID.

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?
- IKE Crypto Profile
- Security policy
- Proxy-IDs
- PAN-OS versions

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)
- Configure the DNS server locally on the firewall.
- Change the DNS server on the global template.
- Override the DNS server on the template stack.
- Configure a service route for DNS on a different interface.

A company has recently migrated their branch office's PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?
- Disable "Share Unused Address and Service Objects with Devices" in Panorama Settings.
- Update the apps and threat version using device-deployment.
- Perform a device group push using the "merge with device candidate config" option.
- Use "export or push device config bundle" to ensure that the firewall is integrated with the Panorama config.

A security engineer has configured a GlobalProtect portal agent with four gateways. Which GlobalProtect Gateway will users connect to based on the chart provided?
- East
- South
- West
- Central

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic?
- It matches to the New App-IDs downloaded in the last 90 days.
- It matches to the New App-IDs in the most recently installed content releases.
- It matches to the New App-IDs downloaded in the last 30 days.
- It matches to the New App-IDs installed since the last time the firewall was rebooted.

A threat intelligence team has requested more than a dozen Snort signatures to be deployed on all perimeter Palo Alto Networks firewalls. How does the firewall engineer fulfill this request with the least time to implement?
- Use Expedition to create custom vulnerability signatures, deploy them to Panorama using API, and push them to the firewalls.
- Create custom vulnerability signatures manually on one firewall, export them, and then import them to the rest of the firewalls.
- Use Panorama IPS Signature Converter to create custom vulnerability signatures, and push them to the firewalls.
- Create custom vulnerability signatures manually in Panorama, and push them to the firewalls.

A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet. Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?
- Pre-NAT source IP address - Pre-NAT source zone
- Post-NAT source IP address - Pre-NAT source zone
- Pre-NAT source IP address - Post-NAT source zone
- Post-NAT source IP address - Post-NAT source zone

An engineer is configuring a firewall with three interfaces:
* MGT connects to a switch with internet access.
* Ethernet1/1 connects to an edge router.
* Ethernet1/2 connects to a virtualization network.
The engineer needs to configure dynamic updates to use a dataplane interface for internet traffic. What should be configured in Setup > Services > Service Route Configuration to allow this traffic?
- Set DNS and Palo Alto Networks Services to use the ethernet1/1 source interface.
- Set DNS and Palo Alto Networks Services to use the ethernet1/2 source interface.
- Set DNS and Palo Alto Networks Services to use the MGT source interface.
- Set DDNS and Palo Alto Networks Services to use the MGT source interface.

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?
- the 'Shared' device group
- template stacks
- a device group
- template variables

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.)
- collector groups
- template stacks
- virtual systems
- variables

Which two components are required to configure certificate-based authentication to the web UI when an administrator needs firewall access on a trusted interface? (Choose two.)
- Server certificate
- SSL/TLS Service Profile
- Certificate Profile
- CA certificate

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose two.)
- Exclude video traffic
- Enable decryption
- Block traffic that is not work-related
- Create a Tunnel Inspection policy

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?
- No Direct Access to local networks
- Tunnel mode
- IPSec mode
- Satellite mode

A company requires that a specific set of ciphers be used when remotely managing their Palo Alto Networks appliances. Which profile should be configured in order to achieve this?
- Certificate profile
- SSL/TLS Service profile
- SSH Service profile
- Decryption profile

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
- show system setting ssl-decrypt certs
- show system setting ssl-decrypt certificate
- debug dataplane show ssl-decrypt ssl-stats
- show system setting ssl-decrypt certificate-cache

An engineer is bootstrapping a VM-Series Firewall. Other than the /config folder, which three directories are mandatory as part of the bootstrap package directory structure? (Choose three.)
- /content
- /software
- /plugins
- /license
- /opt

Which three items must be configured to implement application override? (Choose three.)
- Custom app
- Security policy rule
- Application override policy rule
- Decryption policy rule
- Application filter

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working. Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
Site A configuration:
- Enable NAT Traversal on Site B firewall
- Configure Local Identification on Site A firewall
- Disable passive mode on Site A firewall
- Match IKE version on both firewalls

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?
- Specify the subinterface as a management interface in Setup > Device > Interfaces.
- Add the network segment's IP range to the Permitted IP Addresses list.
- Enable HTTPS in an Interface Management profile on the subinterface.
- Configure a service route for HTTP to use the subinterface.

An administrator has two pairs of firewalls within the same subnet. Both pairs of firewalls have been configured to use High Availability mode with Active/Passive. The ARP tables for upstream routes display the same MAC address being shared for some of these firewalls. What can be configured on one pair of firewalls to modify the MAC addresses so they are no longer in conflict?
- Configure a floating IP between the firewall pairs.
- Change the Group IDs in the High Availability settings to be different from the other firewall pair on the same subnet.
- Change the interface type on the interfaces that have conflicting MAC addresses from L3 to VLAN.
- On one pair of firewalls, run the CLI command: set network interface vlan arp.

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?
- Panorama provides information about system resources of the managed devices in the Managed Device > Health menu.
- Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts.
- Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.
- Panorama provides visibility into all the system and traffic logs received from firewalls; it does not offer any ability to see or monitor resource utilization on managed firewalls.

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?
- an Authentication policy with 'unknown' selected in the Source User field
- an Authentication policy with 'known-user' selected in the Source User field
- a Security policy with 'known-user' selected in the Source User field
- a Security policy with 'unknown' selected in the Source User field

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?
- Add SSL and web-browsing applications to the same rule.
- Add web-browsing application to the same rule.
- Add SSL application to the same rule.
- SSL and web-browsing must both be explicitly allowed.

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?
- Proxy IDs
- GRE Encapsulation
- Tunnel Monitor
- ToS Header

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the firewall? (Choose three.)
- RADIUS
- TACACS+
- Kerberos
- LDAP
- SAML

Review the screenshot of the Certificates page. An administrator for a small LLC has created a series of certificates as shown, to use for a planned Decryption roll out. The administrator has also installed the self-signed root certificate in all client systems. When testing, they noticed that every time a user visited an SSL site, they received unsecured website warnings. What is the cause of the unsecured website warnings?
- The self-signed CA certificate has the same CN as the forward trust and untrust certificates.
- The forward trust certificate has not been installed in client systems.
- The forward untrust certificate has not been signed by the self-signed root CA certificate.
- The forward trust certificate has not been signed by the self-signed root CA certificate.

An engineer is pushing configuration from Panorama to a managed firewall. What happens when the pushed Panorama configuration has Address Object names that duplicate the Address Objects already configured on the firewall?
- The firewall ignores only the pushed objects that have the same name as the locally configured objects, and it will commit the rest of the pushed configuration.
- The firewall fully commits all of the pushed configuration and overwrites its locally configured objects.
- The firewall rejects the pushed configuration, and the commit fails.
- The firewall renames the duplicate local objects with "-1" at the end signifying they are clones; it will update the references to the objects accordingly and fully commit the pushed configuration.

Which two statements correctly describe Session 380280? (Choose three.)
- The application was initially identified as "ssl."
- The session has ended with the end-reason "unknown."
- The session did not go through SSL decryption processing.
- The application shifted to "web-browsing."
- The session went through SSL decryption processing.

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
- NAT
- DoS protection
- QoS
- Tunnel inspection

A company is deploying User-ID in their network. The firewall team needs to have the ability to see and choose from a list of usernames and user groups directly inside the Panorama policies when creating new security rules. How can this be achieved?
- By configuring Data Redistribution Client in Panorama > Data Redistribution
- By configuring User-ID group mapping in Panorama > User Identification
- By configuring User-ID source device in Panorama > Managed Devices
- By configuring Master Device in Panorama > Device Groups

Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?
- The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1.
- The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2.
The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2. A network security engineer needs to ensure that virtual systems can communicate with one another within a Palo Alto Networks firewall. Separate virtual routers (VRs) are created for each virtual system. In addition to confirming security policies, which three configuration details should the engineer focus on to ensure communication between virtual systems? (Choose three.) Add a route with next hop next-vr by using the VR configured in the virtual system. Layer 3 zones for the virtual systems that need to communicate. Add a route with next hop set to none, and use the interface of the virtual systems that need to communicate. Ensure the virtual systems are visible to one another. External zones with the virtual systems added. A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule. Which set of steps should the engineer take to accomplish this objective? 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32. 2. Check the box for negate option to negate this IP from the NAT translation. 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23. 2. Check the box for negate option to negate this IP subnet from NAT translation. 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2. 
Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place (NAT-Rule-2) above (NAT-Rule-1). 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place (NAT-Rule-1) above (NAT-Rule-2). An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to? It applies to existing sessions and is global. It applies to new sessions and is not global. It applies to existing sessions and is not global. It applies to new sessions and is global. Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.) Application filter Application override policy rule Security policy rule Custom app. A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate? A self-signed certificate generated on the firewall A web server certificate signed by the organization’s PKI A web server certificate signed by an external Certificate Authority A subordinate Certificate Authority certificate signed by the organization’s PKI. A company wants to add threat prevention to the network without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.) VirtualWire Layer3 TAP Layer2. 
Which function does the HA4 interface provide when implementing a firewall cluster which contains firewalls configured as active-passive pairs? Perform packet forwarding to the active-passive peer during session setup and asymmetric traffic flow. Perform synchronization of routes, IPSec security associations, and User-ID information. Perform session cache synchronization for all HA cluster members with the same cluster ID. Perform synchronization of sessions, forwarding tables, and IPSec security associations between firewalls in an HA pair. A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSvl.3 support for management access. What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x? Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x. An engineer reviews high availability (HA) settings to understand a recent HA failover event. 
Review the screenshot below. Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer? Heartbeat Interval Promotion Hold Time Additional Master Hold Up Time Monitor Fail Hold Up Time. ln a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated? 1 to 4 hours 6 to 12 hours 24 hours 36 hours. An organization wants to begin decrypting guest and BYOD traffic. Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted? Authentication Portal SSL Decryption profile SSL decryption policy comfort pages. A firewall administrator has been tasked with ensuring that all firewalls forward System logs to Panoram a. In which section is this configured? Monitor > Logs > System Objects > Log Forwarding Panorama > Managed Devices Device > Log Settings. Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services? Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory. A network administrator is trying to prevent domain username and password submissions to phishing sites on some allowed URL categories Which set of steps does the administrator need to take in the URL Filtering profile to prevent credential phishing on the firewall? 
Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select Use Domain Credential Filter Commit Choose the URL categories in the User Credential Submission column and set action to block Select the User credential Detection tab and select use IP User Mapping Commit Choose the URL categories on Site Access column and set action to block Click the User credential Detection tab and select IP User Mapping Commit Choose the URL categories in the User Credential Submission column and set action to block Select the URL filtering settings and enable Domain Credential Filter Commit. View the screenshots. A QoS profile and policy rules are configured as shown. Based on this information, which two statements are correct? (Choose two.) SMTP has a higher priority but lower bandwidth than Zoom. DNS has a higher priority and more bandwidth than SSH google-video has a higher priority and more bandwidth than WebEx. Facetime has a higher priority but lower bandwidth than Zoom. Which log type is supported in the Log Forwarding profile? Configuration GlobalProtect Tunnel User-ID. Review the screenshots and consider the following information 1. FW-1is assigned to the FW-1_DG device group, and FW-2 is assigned to OFFICE_FW_DC 2. There are no objects configured in REGIONAL_DG and OFFICE_FW_DG device groups Which IP address will be pushed to the firewalls inside Address Object Server-1? Server-1 on FW-1 will have IP 4.4.4.4. Server-1 on FW-2 will have IP 1.1.1.1 Server-1 on FW-1 will have IR 111.1. Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 2.2.2.2. Server-1 will not be pushed to FW-2. Server-1 on FW-1 will have IP 3.3.3.3. Server-1 will not be pushed to FW-2. An administrator wants to use LDAP, TACACS+, and Kerberos as external authentication services for authenticating users. 
What should the administrator be aware of regarding the authentication sequence, based on the Authentication profile in the order Kerberos LDAP, and TACACS+? The firewall evaluates the profiles in the alphabetical order the Authentication profiles have been named until one profile successfully authenticates the user. The firewall evaluates the profiles in top-to-bottom order until one Authentication profile successfully authenticates the user. The priority assigned to the Authentication profile defines the order of the sequence. If the authentication times cut for the firs: Authentication profile in the authentication sequence, no further authentication attempts will be made. A firewall administrator is changing a packet capture filter to troubleshoot a specific traffic flow Upon opening the newly created packet capture, the administrator still sees traffic for the previous fitter What can the administrator do to limit the captured traffic to the newly configured filter? Command line > debug dataplane packet-diag clear filter-marked-session all In the GLH under Monitor > Packet Capture > Manage Filters under Ingress Interface select an interface Command line> debug dataplane packet-diag clear filter all In the GUI under Monitor > Packet Capture > Manage Filters under the Non-IP field, select "exclude". PBF can address which two scenarios? (Choose two.) routing FTP to a backup ISP link to save bandwidth on the primary ISP link providing application connectivity the primary circuit fails enabling the firewall to bypass Layer 7 inspection forwarding all traffic by using source port 78249 to a specific egress interface. Which three statements accurately describe Decryption Mirror? (Choose three.) 
Decryption Mirror requires a tap interface on the firewall Use of Decryption Mirror might enable malicious users with administrative access to the firewall to harvest sensitive information that is submitted via an encrypted channel Only management consent is required to use the Decryption Mirror feature. Decryption, storage, inspection, and use of SSL traffic are regulated in certain countries. You should consult with your corporate counsel before activating and using Decryption Mirror in a production environment. A firewall administrator manages sets of firewalls which have two unique idle timeout values. Datacenter firewalls needs to be set to 20 minutes and BranchOffice firewalls need to be set to 30 minutes. How can the administrator assign these settings through the use of template stacks? a Create one template stack and place the BranchOffice_Template in higher priority than Datacenter_Template. Create one template stack and place the Datanceter_Template in higher priority than BranchOffice_template. Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_Template and BranchOffice_template are at the bottom of their stack Create two separate template stacks one each for Datacenter and BranchOffice, and verify that Datacenter_template are at the top of their stack. An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.) Log Forwarding profile SSL decryption exclusion Email scheduler Login banner Dynamic updates. Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.) User logon Push One-Time Password SSH key Short message service. QUESTION NO: 113 Which Panorama mode should be used so that all logs are sent to. and only stored in. Cortex Data Lake? 
Log Collector Panorama Legacy Management Only. Forwarding of which two log types is configured in Device > Log Settings? (Choose two.) Threat HIP Match Traffic Configuration. |