
P C N S E

Title of test:
P C N S E

Description:
Test with 100 questions

Creation Date: 2024/11/14

Category: Others

Number of questions: 100

Content:

Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?. check. find. test. sim.

A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.). Application Override policy. Security policy to identify the custom application. Custom application. Custom Service object.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7, sourcing from 192.168.111.3 to the destination 10.46.41.113?. ethernet1/6. ethernet1/3. ethernet1/7. ethernet1/5.

Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.). Kerberos. PAP. SAML. TACACS+. RADIUS. LDAP.


An administrator needs to upgrade a Palo Alto Networks NGFW to the most current version of PAN-OS® software. The firewall has internet connectivity through an Ethernet interface, but no internet connectivity from the management interface. The Security policy has the default security rules and a rule that allows all web-browsing traffic from any to any zone. What must the administrator configure so that the PAN-OS® software can be upgraded?. Security policy rule. CRL. Service route. Scheduler.

Which three steps will reduce the CPU utilization on the management plane? (Choose three.). Disable SNMP on the management interface. Application override of SSL application. Disable logging at session start in Security policies. Disable predefined reports. Reduce the traffic being decrypted by the firewall.

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.). TACACS+. Kerberos. PAP. LDAP. SAML. RADIUS.

Which three authentication factors does PAN-OS® software support for MFA? (Choose three.). Push. Pull. Okta Adaptive. Voice. SMS.

Which four NGFW multi-factor authentication factors are supported by PAN-OS®? (Choose four.). Short message service. Push. User logon. Voice. SSH key. One-Time Password.

An administrator has purchased WildFire subscriptions for 90 firewalls globally. What should the administrator consider with regards to the WildFire infrastructure?. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. Each WildFire cloud analyzes samples and generates malware signatures and verdicts independently of the other WildFire clouds. The WildFire Global Cloud only provides bare metal analysis.

A remote administrator needs access to the firewall on an untrust interface. Which three options would you configure on an Interface Management profile to secure management access? (Choose three.). Permitted IP Addresses. SSH. HTTPS. User-ID. HTTP.

An administrator plans to deploy 15 firewalls to act as GlobalProtect gateways around the world. Panorama will manage the firewalls. The firewalls will provide access to mobile users and act as edge locations to on-premises infrastructure. The administrator wants to scale the configuration out quickly and wants all of the firewalls to use the same template configuration. Which two solutions can the administrator use to scale this configuration? (Choose two.). virtual systems. template stacks. variables. collector groups.

In a security-first network, what is the recommended threshold value for content updates to be dynamically updated?. 1 to 4 hours. 6 to 12 hours. 24 hours. 36 hours.

Which of the following commands would you use to check the total number of the sessions that are currently going through SSL Decryption processing?. show session all filter ssl-decryption yes total-count yes. show session all ssl-decrypt yes count yes. show session all filter ssl-decrypt yes count yes. show session filter ssl-decryption yes total-count yes.

While troubleshooting an SSL Forward Proxy decryption issue, which PAN-OS CLI command would you use to check the details of the end entity certificate that is signed by the Forward Trust Certificate or Forward Untrust Certificate?. show system setting ssl-decrypt certs. show system setting ssl-decrypt certificate. debug dataplane show ssl-decrypt ssl-stats. show system setting ssl-decrypt certificate-cache.

What happens when an A/P firewall cluster synchronizes IPsec tunnel security associations (SAs)?. Phase 2 SAs are synchronized over HA2 links. Phase 1 and Phase 2 SAs are synchronized over HA2 links. Phase 1 SAs are synchronized over HA1 links. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

Which three statements correctly describe Session 380280? (Choose three.). The application was initially identified as "ssl.". The session has ended with the end-reason "unknown.". The session did not go through SSL decryption processing. The application shifted to "web-browsing.". The session went through SSL decryption processing.

What would allow a network security administrator to authenticate and identify a user with a new BYOD-type device that is not joined to the corporate domain?. a Security policy with 'known-user' selected in the Source User field. a Security policy with 'unknown' selected in the Source User field. an Authentication policy with 'known-user' selected in the Source User field. an Authentication policy with 'unknown' selected in the Source User field.

An engineer is configuring Packet Buffer Protection on ingress zones to protect from single-session DoS attacks. Which sessions does Packet Buffer Protection apply to?. It applies to existing sessions and is not global. It applies to existing sessions and is global. It applies to new sessions and is global. It applies to new sessions and is not global.

The manager of the network security team has asked you to help configure the company's Security Profiles according to Palo Alto Networks best practice. As part of that effort, the manager has assigned you the Vulnerability Protection profile for the Internet gateway firewall. Which action and packet-capture setting for items of high severity and critical severity best matches Palo Alto Networks best practice?. action 'reset-server' and packet capture 'disable'. action 'default' and packet capture 'single-packet'. action 'reset-both' and packet capture 'extended-capture'. action 'reset-both' and packet capture 'single-packet'.

Which feature of Panorama allows an administrator to create a single network configuration that can be reused repeatedly for large-scale deployments even if values of configured objects, such as routes and interface addresses, change?. template variables. the 'Shared' device group. template stacks. a device group.

When using certificate authentication for firewall administration, which method is used for authorization?. LDAP. Radius. Local. Kerberos.

A firewall administrator notices that many Host Sweep scan attacks are being allowed through the firewall sourced from the outside zone. What should the firewall administrator do to mitigate this type of attack?. Create a Zone Protection profile, enable reconnaissance protection, set action to Block, and apply it to the outside zone. Create a DOS Protection profile with SYN Flood protection enabled and apply it to all rules allowing traffic from the outside zone. Enable packet buffer protection in the outside zone. Create a Security rule to deny all ICMP traffic from the outside zone.

An engineer needs to permit XML API access to a firewall for automation on a network segment that is routed through a Layer 3 subinterface on a Palo Alto Networks firewall. However, this network segment cannot access the dedicated management interface due to the Security policy. Without changing the existing access to the management interface, how can the engineer fulfill this request?. Specify the subinterface as a management interface in Setup > Device > Interfaces. Add the network segment's IP range to the Permitted IP Addresses list. Enable HTTPS in an Interface Management profile on the subinterface. Configure a service route for HTTP to use the subinterface.

When using SSH keys for CLI authentication for firewall administration, which method is used for authorization?. Radius. Kerberos. LDAP. Local.

Which three actions can Panorama perform when deploying PAN-OS images to its managed devices? (Choose three.). upload-only. install and reboot. upload and install. upload and install and reboot. verify and install.

A network administrator notices there is a false-positive situation after enabling Security profiles. When the administrator checks the threat prevention logs, the related signature displays: threat type: spyware, category: dns-c2, threat ID: 1000011111. Which set of steps should the administrator take to configure an exception for this signature?. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the signature exceptions tab and then click show all signatures; Search related threat ID and click enable; Change the default action; Commit. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit. Navigate to Objects > Security Profiles > Vulnerability Protection; Select related profile; Select the Exceptions tab and then click show all signatures; Search related threat ID and click enable; Commit. Navigate to Objects > Security Profiles > Anti-Spyware; Select related profile; Select DNS exceptions tabs; Search related threat ID and click enable; Commit.

During the implementation of SSL Forward Proxy decryption, an administrator imports the company’s Enterprise Root CA and Intermediate CA certificates onto the firewall. The company’s Root and Intermediate CA certificates are also distributed to trusted devices using Group Policy and GlobalProtect. Additional device certificates and/or Subordinate certificates requiring an Enterprise CA chain of trust are signed by the company’s Intermediate CA. Which method should the administrator use when creating Forward Trust and Forward Untrust certificates on the firewall for use with decryption?. Generate two subordinate CA certificates, one for Forward Trust and one for Forward Untrust. Generate a CA certificate for Forward Trust and a self-signed CA for Forward Untrust. Generate a single subordinate CA certificate for both Forward Trust and Forward Untrust. Generate a single self-signed CA certificate for Forward Trust and another for Forward Untrust.

A firewall administrator needs to check which egress interface the firewall will use to route the IP 10.2.5.3. Which command should they use?. test routing fib-lookup ip 10.2.5.0/24 virtual-router default. test routing route ip 10.2.5.3. test routing route ip 10.2.5.3 virtual-router default. test routing fib-lookup ip 10.2.5.3 virtual-router default.

An administrator connected a new fiber cable and transceiver to interface Ethernet1/1 on a Palo Alto Networks firewall. However, the link does not seem to be coming up. If an administrator were to troubleshoot, how would they confirm the transceiver type, tx-power, rx-power, vendor name, and part number via the CLI?. show system state filter sw.dev.interface.config. show chassis status slot s1. show system state filter-pretty sys.s1.*. show system state filter ethernet1/1.

Given the Sample Log Forwarding Profile shown, which two statements are true? (Choose two.). All traffic from source network 192.168.100.0/24 is sent to an external syslog target. All threats are logged to Panorama. All traffic logs from RFC 1918 subnets are logged to Panorama / Cortex Data Lake. All traffic from source network 172.12.0.0/24 is sent to Panorama / Cortex Data Lake.


Based on the screenshots above, and with no configuration inside the Template Stack itself, what access will the device permit on its Management port?. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-2. The firewall will allow HTTP, Telnet, SNMP, HTTPS, SSH and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2. The firewall will allow HTTP, Telnet, HTTPS, SSH, and Ping from IP addresses defined as $permitted-subnet-1 and $permitted-subnet-2.

An auditor is evaluating the configuration of Panorama and notices a discrepancy between the Panorama template and the local firewall configuration. When overriding the firewall configuration pushed from Panorama, what should you consider?. Only Panorama can revert the override. The modification will not be visible in Panorama. Panorama will update the template with the overridden value. The firewall template will show that it is out of sync within Panorama.

What happens, by default, when the GlobalProtect app fails to establish an IPSec tunnel to the GlobalProtect gateway?. It tries to establish a tunnel to the GlobalProtect portal using SSL/TLS. It stops the tunnel-establishment processing to the GlobalProtect gateway immediately. It tries to establish a tunnel to the GlobalProtect gateway using SSL/TLS. It keeps trying to establish an IPSec tunnel to the GlobalProtect gateway.

Review the images. A firewall policy that permits web traffic includes the global-logs policy as depicted. What is the result of traffic that matches the “Alert -Threats” Profile Match List?. The source address of SMTP traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. The source address of traffic that matches a threat is automatically blocked as BadGuys for 180 minutes. The source address of traffic that matches a threat is automatically tagged as BadGuys for 180 minutes. The source address of SMTP traffic that matches a threat is automatically tagged as BadGuys for 180 minutes.

What must be configured to apply tags automatically to User-ID logs?. User mapping. Log Forwarding profile. Log settings. Group mapping.

The profile is configured to provide granular defense against targeted flood attacks for specific critical systems that are accessed by users from the internet. Which profile is the engineer configuring?. Vulnerability Protection. DoS Protection. Packet Buffer Protection. Zone Protection.

An engineer has been given approval to upgrade their environment to PAN-OS 10.2. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order when upgrading to PAN-OS 10.2?. Upgrade the firewalls, upgrade log collectors, upgrade Panorama. Upgrade the firewalls, upgrade Panorama, upgrade the log collectors. Upgrade the log collectors, upgrade the firewalls, upgrade Panorama. Upgrade Panorama, upgrade the log collectors, upgrade the firewalls.

Four configuration choices are listed, and each could be used to block access to a specific URL. If you configured each choice to block the same URL, then which choice would be evaluated last in the processing order to block access to the URL?. Custom URL category in URL Filtering profile. PAN-DB URL category in URL Filtering profile. EDL in URL Filtering profile. Custom URL category in Security policy rule.

How should an administrator enable the Advanced Routing Engine on a Palo Alto Networks firewall?. Enable Advanced Routing in General Settings of Device > Setup > Management, then commit and reboot. Enable Advanced Routing Engine in Device > Setup > Session > Session Settings, then commit and reboot. Enable Advanced Routing in Network > Virtual Routers > Redistribution Profiles and then commit. Enable Advanced Routing in Network > Virtual Routers > Router Settings > General, then commit and reboot.

Which three authentication types can be used to authenticate users? (Choose three.). Local database authentication. PingID. Kerberos single sign-on. GlobalProtect client. Cloud authentication service.

Which feature checks Panorama connectivity status after a commit?. HTTP Server profiles. Device monitoring data under Panorama settings. Automated commit recovery. Scheduled config export.

What are two explanations for this type of issue? (Choose two.). Either management or a data-plane interface is used as HA1-backup. One of the firewalls has gone into the suspected state. The peer IP is not included in the permit list on Management Interface Settings. The Backup Peer HA1 IP Address was not configured when the commit was issued.

A network administrator wants to deploy SSL Forward Proxy decryption. What two attributes should a forward trust certificate have? (Choose two.). A certificate authority (CA) certificate. A private key. A server certificate. A subject alternative name.

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of SSL traffic. Which three elements should the administrator configure to address this issue? (Choose three.). QoS on the egress interface for the traffic flows. QoS on the ingress interface for the traffic flows. A QoS profile defining traffic classes. A QoS policy for each application ID. An Application Override policy for the SSL traffic.

An engineer is creating a template and wants to use variables to standardize the configuration across a large number of devices. Which two variable types can be defined? (Choose two.). IP netmask. Zone. Path group. FQDN.

A company has configured GlobalProtect to allow their users to work from home. A decrease in performance for remote workers has been reported during peak-use hours. Which two steps are likely to mitigate the issue? (Choose two.). Enable decryption. Exclude video traffic. Create a Tunnel Inspection policy. Block traffic that is not work-related.

Which log type would provide information about traffic blocked by a Zone Protection profile?. Data Filtering. IP-Tag. Threat. Traffic.

Which three firewall multi-factor authentication factors are supported by PAN-OS? (Choose three.). Short message service. Push. User logon. One-Time Password. SSH key.

An administrator needs to identify which NAT policy is being used for internet traffic. From the GUI of the firewall, how can the administrator identify which NAT policy is in use for a traffic flow?. From the Monitor tab, click Traffic view and review the information in the detailed log view. From the Monitor tab, click Traffic view, ensure that the Source or Destination NAT columns are included and review the information in the detailed log view. From the Monitor tab, click App Scope > Network Monitor and filter the report for NAT rules. From the Monitor tab, click Session Browser and review the session details.

Which three external services perform both authentication and authorization for administration of firewalls? (Choose three.). Kerberos. TACACS+. SAML. Radius. LDAP.

The decision to upgrade to PAN-OS 10.2 has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when trying to install. When performing an upgrade on Panorama to PAN-OS 10.2, what is the potential cause of a failed install?. GlobalProtect agent version. Outdated plugins. Management only mode. Expired certificates.

How can Panorama help with troubleshooting problems such as high CPU or resource exhaustion on a managed firewall?. Firewalls send SNMP traps to Panorama when resource exhaustion is detected. Panorama generates a system log and can send email alerts. Panorama provides visibility into all the system and traffic logs received from firewalls. It does not offer any ability to see or monitor resource utilization on managed firewalls. Panorama provides information about system resources of the managed devices in the Managed Devices > Health menu. Panorama monitors all firewalls using SNMP. It generates a system log and can send email alerts when resource exhaustion is detected on a managed firewall.

In an HA failover scenario, what happens with sessions decrypted by an SSL Forward Proxy Decryption policy?. The existing session is transferred to the active firewall. The firewall drops the session. The session is sent to fastpath. The firewall allows the session but does not decrypt the session.

An administrator just enabled HA Heartbeat Backup on two devices. However, the status on the firewall's dashboard is showing as down. What could an administrator do to troubleshoot the issue?. Go to Device > High Availability > General > HA Pair Settings > Setup and configuring the peer IP for heartbeat backup. Go to Device > High Availability > HA Communications > General > and check the Heartbeat Backup under Election Settings. Check peer IP address for heartbeat backup to Device > High Availability > HA Communications > Packet Forwarding settings. Check peer IP address in the permit list in Device > Setup > Management > Interfaces > Management Interface Settings.

If an administrator wants to apply QoS to traffic based on source, what must be specified in a QoS policy rule?. Post-NAT destination address. Pre-NAT destination address. Pre-NAT source address. Post-NAT source address.

An engineer reviews high availability (HA) settings to understand a recent HA failover event. Review the screenshot below. Which timer determines how long the passive firewall will wait before taking over as the active firewall after losing communications with the HA peer?. Heartbeat Interval. Promotion Hold Time. Additional Master Hold Up Time. Monitor Fail Hold Up Time.

A firewall engineer creates a destination static NAT rule to allow traffic from the internet to a webserver hosted behind the edge firewall. The pre-NAT IP address of the server is 153.6.12.10, and the post-NAT IP address is 192.168.10.10. Refer to the routing and interfaces information below. What should the NAT rule destination zone be set to?. None. Inside. DMZ. Outside.

Which source is the most reliable for collecting User-ID user mapping?. Microsoft Active Directory. Microsoft Exchange. GlobalProtect. Syslog Listener.

An engineer receives reports from users that applications are not working and that websites are only partially loading in an asymmetric environment. After investigating, the engineer observes the flow_tcp_non_syn_drop counter increasing in the show counters global output. Which troubleshooting command should the engineer use to work around this issue?. set deviceconfig setting tcp asymmetric-path drop. set session tcp-reject-non-syn yes. set deviceconfig setting tcp asymmetric-path bypass. set deviceconfig setting session tcp-reject-non-syn no.

Where is Palo Alto Networks Device Telemetry data stored on a firewall with a device certificate installed?. Panorama. M600 Log Collectors. Cortex Data Lake. On Palo Alto Networks Update Servers.

Which GlobalProtect gateway setting is required to enable split-tunneling by access route, destination domain, and application?. Satellite mode. Tunnel mode. No Direct Access to local networks. IPSec mode.

Which three multi-factor authentication methods can be used to authenticate access to the firewall? (Choose three.). One-time password. User certificate. SMS. Voice. Fingerprint.

Which two profiles should be configured when sharing tags from threat logs with a remote User-ID agent? (Choose two.). LDAP. Log Ingestion. HTTP. Log Forwarding.

What is the PAN-OS NPTv6 feature based on RFC 6296 used for?. Application port number translation. IPv6-to-IPv6 network prefix translation. Stateful translation to provide better security. IPv6-to-IPv6 host portion translation.

An engineer is deploying multiple firewalls with common configuration in Panorama. What are two benefits of using nested device groups? (Choose two.). Inherit all Security policy rules and objects. Inherit settings from the Shared group. Inherit IPSec crypto profiles. Inherit parent Security policy rules and objects.

A network security administrator wants to inspect HTTPS traffic from users as it egresses through a firewall to the Internet/Untrust zone from trusted network zones. The security admin wishes to ensure that if users are presented with invalid or untrusted security certificates, the user will see an untrusted certificate warning. What is the best choice for an SSL Forward Untrust certificate?. A self-signed certificate generated on the firewall. A web server certificate signed by the organization’s PKI. A web server certificate signed by an external Certificate Authority. A subordinate Certificate Authority certificate signed by the organization’s PKI.

After implementing a new NGFW, a firewall engineer sees a VoIP traffic issue going through the firewall. After troubleshooting, the engineer finds that the firewall performs NAT on the voice packets payload and opens dynamic pinholes for media ports. What can the engineer do to solve the VoIP traffic issue?. Disable ALG under H.323 application. Increase the TCP timeout under H.323 application. Increase the TCP timeout under SIP application. Disable ALG under SIP application.

Which new PAN-OS 11.0 feature supports IPv6 traffic?. OSPF. IKEv1. DHCP Server. DHCPv6 Client with Prefix Delegation.

An engineer is reviewing the following high availability (HA) settings to understand a recent HA failover event. Which timer determines the frequency between packets sent to verify that the HA functionality on the other HA firewall is operational?. Hello Interval. Monitor Fail Hold Up Time. Heartbeat Interval. Promotion Hold Time.

An organization conducts research on the benefits of leveraging the Web Proxy feature of PAN-OS 11.0. What are two benefits of using an explicit proxy method versus a transparent proxy method? (Choose two.). No client configuration is required for explicit proxy, which simplifies the deployment complexity. Explicit proxy supports interception of traffic using non-standard HTTPS ports. It supports the X-Authenticated-User (XAU) header, which contains the authenticated username in the outgoing request. Explicit proxy allows for easier troubleshooting, since the client browser is aware of the existence of the proxy.

Which three external authentication services can the firewall use to authenticate admins into the Palo Alto Networks NGFW without creating an administrator account on the local firewall? (Choose three.). TACACS+. Kerberos. SAML. RADIUS. LDAP.

To ensure that a Security policy has the highest priority, how should an administrator configure a Security policy in the device group hierarchy?. Clone the security policy and add it to the other device groups. Add the policy to the target device group and apply a master device to the device group. Reference the targeted device’s templates in the target device group. Add the policy in the shared device group as a pre-rule.

What can be used as an Action when creating a Policy-Based Forwarding (PBF) policy?. Deny. Allow. Discard. Next VR.

An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.). OSPF. IGRP. OSPFv3 virtual link. BGP. RIP.

An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?. 1. 2. 3. 4.

Where can a service route be configured for a specific destination IP?. Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4. Use Device > Setup > Services > Services. Use Device > Setup > Services > Service Route Configuration > Customize > IPv4. Use Device > Setup > Services > Service Route Configuration > Customize > Destination.

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?. Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS. Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution. Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users. Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?. Configuration. Data Filtering. Traffic. Threat.

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?. Change destination NAT zone to Trust_L3. Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address. Change Source NAT zone to Untrust_L3. Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.). Service Route Configuration. Dynamic Address Groups. NTP Server Address. Antivirus Profile. Authentication Profile.

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?. Add SSL application to the same rule. SSL and web-browsing must both be explicitly allowed. Add SSL and web-browsing applications to the same rule. Add web-browsing application to the same rule.

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?. 1 to 4 hours. 6 to 12 hours. 24 hours. 36 hours.

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?. Destination-Based Service Route. Inherit Global Setting. IPv6 Source or Destination Address. IPv4 Source Interface.

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.). A QoS policy for each application. An Application Override policy for the SIP traffic. A QoS profile defining traffic classes. QoS on the ingress interface for the traffic flows. QoS on the egress interface for the traffic flows.

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.). Rename a vsys on a multi-vsys firewall. Change the firewall management IP address. Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode. Add administrator accounts. Configure a device block list.

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, shared default rules. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, DATACENTER_DG default rules. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, shared default rules. shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, DATACENTER_DG default rules.

What must be configured to apply tags automatically based on User-ID logs?. Device ID. Log settings. Group mapping. Log Forwarding profile.

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?. Applications configured in the rule with their dependencies. The security rule with any other security rule selected. Applications configured in the rule with applications seen from traffic matching the same rule. The running configuration with the candidate configuration of the firewall.

Given the following snippet of a WildFire submission log, did the end user successfully download a file?. Yes, because the final action is set to "allow.". No, because the action for the wildfire-virus is "reset-both.". No, because the URL generated an alert. Yes, because both the web-browsing application and the flash file have the "alert" action.

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.). Number of security zones in decryption policies. Encryption algorithm. TLS protocol version. Number of blocked sessions.

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes. The engineer reviews the following CLI output for ethernet1/1. Which setting should be modified on ethernet1/1 to remedy this problem?. Change the subnet mask from /23 to /24. Lower the interface MTU value below 1500. Adjust the TCP maximum segment size (MSS) value. Enable the Ignore IPv4 Don't Fragment (DF) setting.

A company is expanding its existing log storage and alerting solutions. All company Palo Alto Networks firewalls currently forward logs to Panorama. Which two additional log forwarding methods will PAN-OS support? (Choose two.). HTTP. SSL. Email. TLS.

After implementing a new NGFW, a firewall engineer is alerted to a VoIP traffic issue. After troubleshooting, the engineer confirms that the firewall is altering the voice packets payload. What can the engineer do to solve the VoIP traffic issue?. Increase the TCP timeout under SIP application. Disable ALG under SIP application. Disable ALG under H.323 application. Increase the TCP timeout under H.323 application.

An administrator is considering deploying WildFire globally. What should the administrator consider with regards to the WildFire analysis process?. Each WildFire cloud analyzes samples independently of the other WildFire clouds. To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally. Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds. The WildFire Global Cloud only provides bare metal analysis.

What happens when an A/P firewall pair synchronizes IPsec tunnel security associations (SAs)?. Phase 2 SAs are synchronized over HA2 links. Phase 1 and Phase 2 SAs are synchronized over HA2 links. Phase 1 SAs are synchronized over HA1 links. Phase 1 and Phase 2 SAs are synchronized over HA3 links.

A new application server 192.168.197.40 has been deployed in the DMZ. There are no public IP addresses available, resulting in the server sharing NAT IP 198.51.100.88 with another DMZ server that uses IP address 192.168.197.60. Firewall security and NAT rules have been configured. The application team has confirmed that the new server is able to establish a secure connection to an external database with IP address 203.0.113.40. The database team reports that they are unable to establish a secure connection to 198.51.100.88 from 203.0.113.40. However, it confirms a successful ping test to 198.51.100.88. Referring to the NAT configuration and traffic logs provided, how can the firewall engineer resolve the situation and ensure inbound and outbound connections work concurrently for both DMZ servers?. Move the NAT rule 6 DMZ server 2 above NAT rule 5 DMZ server 1. Replace the two NAT rules with a single rule that has both DMZ servers as "Source Address," both external servers as "Destination Address," and Source Translation remaining as is with bidirectional option enabled. Configure separate source NAT and destination NAT rules for the two DMZ servers without using the bidirectional option. Sharing a single NAT IP is possible for outbound connectivity, not for inbound; therefore, a new public IP address must be obtained for the new DMZ server and used in the NAT rule 6 DMZ server 2.

Which three statements correctly describe Session 380280? (Choose three.). The application was initially identified as "ssl.". The session has ended with the end-reason "unknown.". The session did not go through SSL decryption processing. The application shifted to "web-browsing.". The session went through SSL decryption processing.
