Company.com has an in-house application that the Palo Alto Networks device doesn't identify
correctly. A Threat Management Team member has mentioned that this in-house application is
very sensitive and all traffic being identified needs to be inspected by the Content-ID engine.
Which method should company.com use to immediately address this traffic on a Palo Alto Networks
device? Create a custom Application without signatures, then create an Application Override policy that
includes the source, Destination, Destination Port/Protocol and Custom Application of the traffic. Wait until an official Application signature is provided from Palo Alto Networks. Modify the session timer settings on the closest referanced application to meet the needs of the inhouse application Create a Custom Application with signatures matching unique identifiers of the in-house application
traffic.
After pushing a security policy from Panorama to a PA-3020 firewall, the firewall administrator
notices that traffic logs from the PA-3020 are not appearing in Panorama's traffic logs. What could be the problem? A Server Profile has not been configured for logging to this Panorama device Panorama is not licensed to receive logs from this particular firewall. The firewall is not licensed for logging to this Panorama device. None of the firewall's policies have been assigned a Log Forwarding profile.
A critical US-CERT notification is published regarding a newly discovered botnet. The malware is
very evasive and is not reliably detected by endpoint antivirus software. Furthermore, SSL is used
to tunnel malicious traffic to command-and-control servers on the internet and SSL Forward Proxy
Decryption is not enabled.
Which component once enabled on a perimeter firewall will allow the identification of existing
infected hosts in an environment? Anti-Spyware profiles applied outbound security policies with DNS Query action set to sinkhole File Blocking profiles applied to outbound security policies with action set to alert Vulnerability Protection profiles applied to outbound security policies with action set to block Antivirus profiles applied to outbound security policies with action set to alert.
Which two statements are correct for the out-of-box configuration for Palo Alto Networks NGFWs?
(Choose two)
The devices are pre-configured with a virtual wire pair out the first two interfaces.
The devices are licensed and ready for deployment. The management interface has an IP address of 192.168.1.1 and allows SSH and HTTPS
connections. The interfaces are pingable.
A network security engineer is asked to perform a Return Merchandise Authorization (RMA) on a
firewall
Which part of files needs to be imported back into the replacement firewall that is using Panorama?
A. Device state and license files
Configuration and serial number files
Configuration and statistics files Configuration and Large Scale VPN (LSVPN) setups file
.
A network engineer has revived a report of problems reaching 98.139.183.24 through vr1 on the
firewall. The routing table on this firewall is extensive and complex.
Which CLI command will help identify the issue? test routing fib virtual-router vr1 show routing route type static destination 98.139.183.24 test routing fib-lookup ip 98.139.183.24 virtual-router vr1 show routing interface.
Which two mechanisms help prevent a spilt brain scenario an Active/Passive High Availability (HA)
pair? (Choose two) Configure the management interface as HA3 Backup Configure Ethernet 1/1 as HA1 Backup Configure Ethernet 1/1 as HA2 Backup Configure the management interface as HA2 Backup Configure the management interface as HA1 Backup Configure ethernet1/1 as HA3 Backup.
What are three valid actions in a File Blocking Profile? (Choose three) Forward Block Alert Upload Reset-both Continue.
An Administrator is configuring an IPSec VPN toa Cisco ASA at the administrator's home and
experiencing issues completing the connection. The following is the output from the command:
What could be the cause of this problem? The public IP addresses do not match for both the Palo Alto Networks Firewall and the ASA The Proxy IDs on the Palo Alto Networks Firewall do not match the settings on the ASA. The shared secrets do not match between the Palo Alto firewall and the ASA The deed peer detection settings do not match between the Palo Alto Networks Firewall and the
ASA.
Which interface configuration will accept specific VLAN IDs? Tap Mode Subinterface Access Interface Trunk Interface.
Palo Alto Networks maintains a dynamic database of malicious domains.
Which two Security Platform components use this database to prevent threats? (Choose two) Brute-force signatures BrightCloud Url Filtering PAN-DB URL Filtering DNS-based command-and-control signatures.
Which two methods can be used to mitigate resource exhaustion of an application server? (Choose
two) Vulnerability Object DoS Protection Profile Data Filtering Profile Zone Protection Profile.
A host attached to Ethernet 1/4 cannot ping the default gateway. The widget on the dashboard
shows Ethernet 1/1 and Ethernet 1/4 to be green. The IP address of Ethernet 1/1 is 192.168.1.7
and the IP address of Ethernet 1/4 is 10.1.1.7. The default gateway is attached to Ethernet 1/1. A
default route is properly configured.
What can be the cause of this problem? No Zone has been configured on Ethernet 1/4 Interface Ethernet 1/1 is in Virtual Wire Mode. DNS has not been properly configured on the firewall. DNS has not been properly configured on the host.
A VPN connection is set up between Site-A and Site-B, but no traffic is passing in the system log
of Site-A, there is an event logged as like-nego-p1-fail-psk.
What action will bring the VPN up and allow traffic to start passing between the sites? Change the Site-B IKE Gateway profile version to match Site-A,
Change the Site-A IKE Gateway profile exchange mode to aggressive mode. Enable NAT Traversal on the Site-A IKE Gateway profile Change the pre-shared key of Site-B to match the pre-shared key of Site-A.
A firewall administrator is troubleshooting problems with traffic passing through the Palo Alto
Networks firewall. Which method shows the global counters associated with the traffic after
configuring the appropriate packet filters? From the CLI, issue the show counter global filter pcap yes command. From the CLI, issue the show counter global filter packet-filter yes command. From the GUI, select show global counters under the monitor tab From the CLI, issue the show counter interface command for the ingress interface.
A network security engineer has been asked to analyze Wildfire activity.
However, the Wildfire Submissions item is not visible form the Monitor tab.
What could cause this condition? The firewall does not have an active WildFire subscription. The engineer's account does not have permission to view WildFire Submissions. A policy is blocking WildFire Submission traffic. Though WildFire is working, there are currently no WildFire Submissions log entries.
.
Which Palo Alto Networks VM-Series firewall is supported for VMware NSX? VM-100 VM-200 VM-1000-HV VM-300.
A client is deploying a pair of PA-5000 series firewalls using High Availability (HA) in Active/Passive
mode. Which statement is true about this deployment? The two devices must share a routable floating IP address The two devices may be different models within the PA-5000 series The HA1 IP address from each peer must be on a different subnet The management port may be used for a backup control connection.
What must be used in Security Policy Rule that contain addresses where NAT policy applies? Pre-NAT addresses and Pre-NAT zones Post-NAT addresses and Post-Nat zones Pre-NAT addresses and Post-Nat zones Post-Nat addresses and Pre-NAT zones.
A company has a policy that denies all applications it classifies as bad and permits only application
it classifies as good. The firewall administrator created the following security policy on the
company's firewall.
Which interface configuration will accept specific VLAN IDs?
Which two benefits are gained from having both rule 2 and rule 3 presents? (choose two)
A report can be created that identifies unclassified traffic on the network Different security profiles can be applied to traffic matching rules 2 and 3. Rule 2 and 3 apply to traffic on different ports Separate Log Forwarding profiles can be applied to rules 2 and 3.
How are IPV6 DNS queries configured to user interface ethernet1/3? Network > Virtual Router > DNS Interface Objects > CustomerObjects > DNS Network > Interface Mgrnt Device > Setup > Services > Service Route Configuration.
A Palo Alto Networks firewall is being targeted by an NTP Amplification attack and is being flooded
with tens thousands of bogus UDP connections per second to a single destination IP address and
post.
Which option when enabled with the correction threshold would mitigate this attack without
dropping legitimate traffic to other hosts insides the network? Zone Protection Policy with UDP Flood Protection QoS Policy to throttle traffic below maximum limit Security Policy rule to deny trafic to the IP address and port that is under attack Classified DoS Protection Policy using destination IP only with a Protect action.
Which Security Policy Rule configuration option disables antivirus and anti-spyware scanning of
server-to-client flows only? Disable Server Response Inspection Apply an Application Override Disable HIP Profile Add server IP Security Policy exception.
Which three options are available when creating a security profile? (Choose three) Anti-Malware File Blocking Url Filtering IDS/ISP Threat Prevention Antivirus.
Given the following table. Which configuration change on the firewall would cause it to use
10.66.24.88 as the next hop for the 192.168.93.0/30 network? Configuring the administrative Distance for RIP to be lower than that of OSPF Int. Configuring the metric for RIP to be higher than that of OSPF Int. Configuring the administrative Distance for RIP to be higher than that of OSPF Ext.
Configuring the metric for RIP to be lower than that OSPF Ext.
.
A company hosts a publicly accessible web server behind a Palo Alto Networks next generation
firewall with the following configuration information.
- Users outside the company are in the "Untrust-L3" zone
- The web server physically resides in the "Trust-L3" zone.
- Web server public IP address: 23.54.6.10
- Web server private IP address: 192.168.1.10
Which two items must be NAT policy contain to allow users in the untrust-L3 zone to access the
web server? (Choose two)
Untrust-L3 for both Source and Destination zone Destination IP of 192.168.1.10 Untrust-L3 for Source Zone and Trust-L3 for Destination Zone Destination IP of 23.54.6.10.
Which two interface types can be used when configuring GlobalProtect Portal?(Choose two)
Virtual Wire Loopback Layer 3 Tunnel.
What can missing SSL packets when performing a packet capture on dataplane interfaces? The packets are hardware offloaded to the offloaded processor on the dataplane The missing packets are offloaded to the management plane CPU The packets are not captured because they are encrypted There is a hardware problem with offloading FPGA on the management plane.
A network Administrator needs to view the default action for a specific spyware signature. The
administrator follows the tabs and menus through Objects> Security Profiles> Anti- Spyware and
select default profile.
What should be done next? Click the simple-critical rule and then click the Action drop-down list. Click the Exceptions tab and then click show all signatures View the default actions displayed in the Action column Click the Rules tab and then look for rules with "default" in the Action column.
How does Panorama handle incoming logs when it reaches the maximum storage capacity? Panorama discards incoming logs when storage capacity full. Panorama stops accepting logs until licenses for additional storage space are applied Panorama stops accepting logs until a reboot to clean storage space. Panorama automatically deletes older logs to create space for new ones.
Which three function are found on the dataplane of a PA-5050? (Choose three) Protocol Decoder Dynamic routing Management Network Processing Signature Match.
How is the Forward Untrust Certificate used? It issues certificates encountered on the Untrust security zone when clients attempt to connect to a
site that has be decrypted/ It is used when web servers request a client certificate. It is presented to clients when the server they are connecting to is signed by a certificate authority
that is not trusted by firewall. It is used for Captive Portal to identify unknown users.
A firewall administrator has completed most of the steps required to provision a standalone Palo
Alto Networks Next-Generation Firewall. As a final step, the administrator wants to test one of the
security policies.
Which CLI command syntax will display the rule that matches the test? test security -policy- match source <ip_address> destination <IP_address> destination port <port
number> protocol <protocol number show security rule source <ip_address> destination <IP_address> destination port <port number>
protocol <protocol number>
test security rule source <ip_address> destination <IP_address> destination port <port number>
protocol <protocol number> show security-policy-match source <ip_address> destination <IP_address> destination port <port
number> protocol <protocol number>
test security-policy-match source.
The web server is configured to listen for HTTP traffic on port 8080. The clients access the web
server using the IP address 1.1.1.100 on TCP Port 80. The destination NAT rule is configured to
translate both IP address and report to 10.1.1.100 on TCP Port 8080.
Which NAT and security rules must be configured on the firewall? (Choose two) A security policy with a source of any from untrust-I3 Zone to a destination of 10.1.1.100 in dmz-I3
zone using web-browsing application A NAT rule with a source of any from untrust-I3 zone to a destination of 10.1.1.100 in dmz-zone
using service-http service. A NAT rule with a source of any from untrust-I3 zone to a destination of 1.1.1.100 in untrust-I3 zone
using service-http service. A security policy with a source of any from untrust-I3 zone to a destination of 1.1.100 in dmz-I3
zone using web-browsing application.
A company has a pair of Palo Alto Networks firewalls configured as an Acitve/Passive High
Availability (HA) pair.
What allows the firewall administrator to determine the last date a failover event occurred? From the CLI issue use the show System log Apply the filter subtype eq ha to the System log Apply the filter subtype eq ha to the configuration log Check the status of the High Availability widget on the Dashboard of the GUI.
A network administrator uses Panorama to push security polices to managed firewalls at branch
offices. Which policy type should be configured on Panorama if the administrators at the branch
office sites to override these products? Pre Rules Post Rules Explicit Rules Implicit Rules.
Which client software can be used to connect remote Linux client into a Palo Alto Networks
Infrastructure without sacrificing the ability to scan traffic and protect against threats? X-Auth IPsec VPN GlobalProtect Apple IOS GlobalProtect SSL GlobalProtect Linux.
Only two Trust to Untrust allow rules have been created in the Security policy
- Rule1 allows google-base
- Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly
uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser,
they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly? Add SSL App-ID to Rule1 Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it Add the DNS App-ID to Rule2 Add the Web-browsing App-ID to Rule2.
The GlobalProtect Portal interface and IP address have been configured. Which other value needs
to be defined to complete the network settings configuration of GlobalPortect Portal? Server Certificate Client Certificate Authentication Profile Certificate Profile
.
Which command can be used to validate a Captive Portal policy? eval captive-portal policy <criteria> request cp-policy-eval <criteria> test authentication-policy-match <criteria> debug cp-policy <criteria>.
A company is upgrading its existing Palo Alto Networks firewall from version 7.0.1 to 7.0.4.
Which three methods can the firewall administrator use to install PAN-OS 7.0.4 across the
enterprise?( Choose three)
Download PAN-OS 7.0.4 files from the support site and install them on each firewall after manually
uploading. Download PAN-OS 7.0.4 to a USB drive and the firewall will automatically update after the USB
drive is inserted in the firewall Push the PAN-OS 7.0.4 updates from the support site to install on each firewall. Push the PAN-OS 7.0.4 update from one firewall to all of the other remaining after updating one
firewall. Download and install PAN-OS 7.0.4 directly on each firewall. Download and push PAN-OS 7.0.4 from Panorama to each firewall.
Which Public Key infrastructure component is used to authenticate users for GlobalProtect when
the Connect Method is set to pre-logon? Certificate revocation list Trusted root certificate Machine certificate Online Certificate Status Protocol.
The company's Panorama server (IP 10.10.10.5) is not able to manage a firewall that was recently
deployed. The firewall's dedicated management port is being used to connect to the management
network.
Which two commands may be used to troubleshoot this issue from the CLI of the new firewall?
(Choose two) test panoramas-connect 10.10.10.5 show panoramas-status
show arp all I match 10.10.10.5 tcpdump filter "host 10.10.10.5 debug dataplane packet-diag set capture on.
Which three log-forwarding destinations require a server profile to be configured? (Choose three) SNMP Trap Email RADIUS Kerberos Panorama Syslog.
Which setting allow a DOS protection profile to limit the maximum concurrent sessions from a
source IP address?
Set the type to Aggregate, clear the session's box and set the Maximum concurrent Sessions to
4000 Set the type to Classified, clear the session's box and set the Maximum concurrent Sessions to
4000. Set the type Classified, check the Sessions box and set the Maximum concurrent Sessions to 4000. Set the type to aggregate, check the Sessions box and set the Maximum concurrent Sessions to
4000.
A company has a web server behind a Palo Alto Networks next-generation firewall that it wants to make accessible to the public at 1.1.1.1. The company has decided to configure a destination NAT Policy rule.
Given the following zone information:
DMZ zone: DMZ-L3
Public zone: Untrust-L3
Guest zone: Guest-L3
Web server zone: Trust-L3
Public IP address (Untrust-L3): 1.1.1.1
Private IP address (Trust-L3): 192.168.1.50
What should be configured as the destination zone on the Original Packet tab of NAT Policy rule? Untrust-L3 DMZ-L3 Guest-L3 Trust-L3.
Which two options are required on an M-100 appliance to configure it as a Log Collector? (Choose
two)
From the Panorama tab of the Panorama GUI select Log Collector mode and then commit changes Enter the command request system system-mode logger then enter Y to confirm the change to Log
Collector mode. From the Device tab of the Panorama GUI select Log Collector mode and then commit changes. Enter the command logger-mode enable the enter Y to confirm the change to Log Collector mode. Log in the Panorama CLI of the dedicated Log Collector.
Click the Exhibit button. An administrator has noticed a large increase in bittorrent activity.
The administrator wants to determine where the traffic is going on the company Right-Click on the bittorrent link and select Value from the context menu Create a global filter for bittorrent traffic and then view Traffic logs. Create local filter for bittorrent traffic and then view Traffic logs. Click on the bittorrent application link to view network activity.
Support for which authentication method was added in PAN-OS 7.0? RADIUS LDAP Diameter TACACS+.
Refer to Exhibit. A firewall has three PBF rules and a default route with a next hop of 172.20.10.1
that is configured in the default VR. A user named Will has a PC with a 192.168.10.10 IP address.
He makes an HTTPS connection to 172.16.10.20.
Which is the next hop IP address for the HTTPS traffic from Will's PC? 172.20.30.1 172.20.40.1 172.20.20.1 172.20.10.1.
A company has started utilizing WildFire in its network.
Which three file types are supported? (Choose three.) JARs PSTs PDFs JPGs EXEs.
What is the name of the debug save file for IPSec VPN tunnels? set vpn all up test vpn ike-sa request vpn IPsec-sa test Ikemgr.pcap.
What will the user experience when browsing a Blocked hacking website such as www.2600.com
via Google Translator?
The URL filtering policy to Block is enforced It will be translated successfully It will be redirected to www.2600.com User will get "HTTP Error 503 -Service unavailable" message.
Wildfire may be used for identifying which of the following types of traffic? Malware DNS DHCP URL Content.
What is the URL for the full list of applications recognized by Palo Alto Networks? A. http://www.Applipedia.com B. http://www.MyApplipedia.com C. http://applipedia.paloaltonetworks.com D. http://applications.paloaltonetworks.com.
What does App-ID inspect to identify an application? Source IP Source Port TTL Data Payload Hash Encryption Key.
If malware is detected on the internet perimeter, what other places in the network might be affected? Cloud Endpoints Branch Offices All of the above Data Center.
What are the major families of file types now supported by Wildfire in PAN-OS 7.0? All executable files and all files with a MIME type All executable files, PDF files, Microsft Office files and Adobe Flash applets PE files, Microsoft Office, PDF, Java applets, APK, and Flash All executable files, PDF files and Microsft Office files.
Which of the following are critical features of a Next Generation Firewall that provide Breach
prevention? Choose two. Alarm generation of known threats traversing the device Application Visibility and URL Categorization Endpoint and server scanning for known malware Processing all traffic across all ports & protocols, in both directions Centralized or distributed log collectors.
True or False: One of the advantages of Single Pass Parallel Processing (SP3) is that traffic can
be scanned as it crosses the firewall with minimum amount of buffering, which in turn can allow
advanced features like virus/malware scanning without effecting firewall performance True False.
Which hardware platform should I consider if the customer needs at least 1 Gbps of Threat
Prevention throughput and the ability to handle at least 250K sessions?
Any PA-5000 or PA-7000 series firewall Only the PA-3060 firewall and higher Any PA-3000, PA-5000, or PA-7000 series firewall Only the PA-3050 firewall and higher.
True or False: DSRI degrades the performance of a firewall? True False.
How quickly are Wildfire updates about previously unknown files now being delivered from the
cloud to customers with a WildFire subscription (as of version 6.1)? 15 minutes 30 minutes 1 day 5 minutes 60 minutes.
Which of the following are valid Subscriptions for the Next Generation Platform? [Select All that
apply] URL Filtering Support User ID Content ID SSL Decryption Threat Prevention.
Which of the following are valid Subscriptions for the Next Generation Platform? [Select All that
apply] URL Filtering Support User ID Content ID SSL Decryption Threat Prevention App ID.
Which hardware firewall platforms include both built-in front-to-back airflow and redundant power
supplies? All PA-5000 and PA-7000 series firewall platforms All Palo Alto Networks hardware firewall platforms The PA-3060 firewall platform The PA-7000 series firewall platforms
.
Select all the platform components that Wildfire automatically updates after finding malicious
activity in previously unknown files, URLs and APKs? Decrypt (Port-Mirroring) Mobile (Global Protect) Anti-Virus (Threat) Content/Web Filtering (Pan-DB) Anti-Malware signatures (WildFire) Management (Panorama) Anti Command & Control signatures (Threat).
What are five benefits of Palo Alto Networks NGFWs (Next Generation Firewalls)? (Select the five
correct answers.) Convenient configuration Wizard Comprehensive security platform designed to scale functionality over time Predictable throughput Easy-to-use GUI which is the same on all models Seemless integration with the Threat Intelligence Cloud Identical security subscriptions on all models.
What are the three key components of a successful Three Tab Demo? (Select the three correct
answers.) Providing visibility into recently occurring threats and showing how to block those threats Showing how Palo Alto Networks' firewalls provide visibility into applications and control of those
applications Presenting the information in the Network and Device tabs After setting match criteria in the Object tab showing how that data is presented in the logs Showing which users are running which applications and provide a method for controlling
application access on a by user.
What are the main benefits of WildFire? (Select the three correct answers.) WildFire gathers information from possible threats detected by both NGFWs and Endpoints It's a sandboxing environment that can detect malware by observing the behavior of unknown files. By using Palo Alto Networks' proprietary cloud-based architecture, quarantine holds on suspicious
files are typically reduced to less than 30 seconds By collecting and distributing malware signatures from every major anti-virus vendor, WildFire can
provide comprehensive protection. Signatures for identified malware are quickly distributed globally to all Palo Alto Networks'
customers' firewalls.
The automated Correlation Engine uses correlation objects to analyze the logs for patterns. When a match occurs: The Correlation Engine blocks the connection The Correlation Engine generates a correlation event The Correlation Engine displays a warning message to the end user The Correlation Engine dumps the alarm log.
Which one of these is not a factor impacting sizing decisions? Decryption Sessions Redundancy Number of applications Performance Number of rules.
TRUE or FALSE: Many customers purchase Palo Alto Networks NGFWs (Next Generation Firewalls) just to gain previously unavailable levels of visibility into their traffic flows. TRUE FALSE.
A spike in dangerous traffic is observed. Which of the following PanOS tabs would an administrator
utilize to identify culpable users. ACC Monitor Objects Network Policies Device.
True or False: PAN-DB is a service that aligns URLs with category types and is fed to the WildFire threat cloud. True False.
Firewall administrators cannot authenticate to a firewall GUI.
Which two logs on that firewall will contain authentication-related information useful in
troubleshooting this issue? (Choose two.) ms log authd log System log Traffic log dp-monitor log.
Which option is an IPv6 routing protocol? RIPv3 OSPFv3 OSPv3 BGP NG.
A network security engineer has a requirement to allow an external server to access an internal
web server.
The internal web server must also initiate connections with the external server.
What can be done to simplify the NAT policy?
Configure ECMP to handle matching NAT traffic Configure a NAT Policy rule with Dynamic IP and Port Create a new Source NAT Policy rule that matches the existing traffic and enable the Bi- directional option Create a new Destination NAT Policy rule that matches the existing traffic and enable the Bidirectional option.
A network design change requires an existing firewall to start accessing Palo Alto Updates from a
data plane interface address instead of the management interface.
Which configuration setting needs to be modified?
Service route Default route Management profile Authentication profile.
A Network Administrator wants to deploy a Large Scale VPN solution.
The Network Administrator has chosen a GlobalProtect Satellite solution.
This configuration needs to be deployed to multiple remote offices and the Network Administrator decides to use Panorama to deploy the configurations.
How should this be accomplished? Create a Template with the appropriate IKE Gateway settings Create a Template with the appropriate IPSec tunnel settings Create a Device Group with the appropriate IKE Gateway settings Create a Device Group with the appropriate IPSec tunnel settings.
Which CLI command displays the current management plan memory utilization?
show system info show system resources debug management-server show show running resource-monitor.
Which URL Filtering Security Profile action logs the URL Filtering category to the URL Filtering log? Log Alert Allow Default.
What are two prerequisites for configuring a pair of Palo Alto Networks firewalls in an active/passive
High Availability (HA) pair? (Choose two.) The firewalls must have the same set of licenses. The management interfaces must to be on the same network. The peer HA1 IP address must be the same on both firewalls. HA1 should be connected to HA1. Either directly or with an intermediate Layer 2 device.
Which three rule types are available when defining policies in Panorama? (Choose three.) Pre Rules Post Rules Default Rules Stealth Rules Clean Up Rules.
A network design calls for a "router on a stick" implementation with a PA-5060 performing interVLAN routing All VLAN-tagged traffic will be forwarded to the PA-5060 through a single dot1q trunk
interface
Which interface type and configuration setting will support this design? Trunk interface type with specified tag Layer 3 interface type with specified tag Layer 2 interface type with a VLAN assigned Layer 3 subinterface type with specified tag.
Which Panorama feature allows for logs generated by Panorama to be forwarded to an external Security Information and Event Management(SIEM) system? Panorama Log Settings Panorama Log Templates Panorama Device Group Log Forwarding Collector Log Forwarding for Collector Groups.
Several offices are connected with VPNs using static IPV4 routes.
An administrator has been tasked with implementing OSPF to replace static routing.
Which step is required to accomplish this goal? Assign an IP address on each tunnel interface at each site Enable OSPFv3 on each tunnel interface and use Area ID 0.0.0.0 Assign OSPF Area ID 0.0.0.0 to all Ethernet and tunnel interfaces Create new VPN zones at each site to terminate each VPN connection.
Which authentication source requires the installation of Palo Alto Networks software, other than
PAN-OS 7x, to obtain a username-to-IP-address mapping? Microsoft Active Directory Microsoft Terminal Services Aerohive Wireless Access Point Palo Alto Networks Captive Portal.
People are having intermittent quality issues during a live meeting via web application. Use QoS profile to define QoS Classes Use QoS Classes to define QoS Profile Use QoS Profile to define QoS Classes and a QoS Policy
Use QoS Classes to define QoS Profile and a QoS Policy.
Which two actions are required to make Microsoft Active Directory users appear in a firewall traffic log? (Choose two.) Run the User-ID Agent using an Active Directory account that has "event log viewer" permissions Configure a RADIUS server profile to point to a domain controller Enable User-ID on the zone object for the source zone Enable User-ID on the zone object for the destination zone Run the User-ID Agent using an Active Directory account that has "domain administrator" permissions.
A distributed log collection deployment has dedicated Log Collectors. A developer needs a device to send logs to Panorama instead of sending logs to the Collector Group.
What should be done first? Contact Palo Alto Networks Support team to enter kernel mode commands to allow adjustments Revert to a previous configuration Remove the device from the Collector Group Remove the cable from the management interface. reload the Log Collector and then re-connect
that cable.
Site-A and Site-B need to use IKEv2 to establish a VPN connection. Site-A connects directly to the
internet using a public IP address. Site-B uses a private IP address behind an ISP router to connect
to the internet.
How should NAT Traversal be implemented for the VPN connection to be established between
Site-A and Site-B?
Enable on Site-A only Enable on Site-B only with Passive Mode Enable on Site-A and Site-B Enable on Site-B only.
What happens when the traffic log shows an internal host attempting to open a session to a properly
configured sinkhole address? The internal host tried to resolve a DNS query by connecting to a rogue DNS server A malicious domain tried to contact an internal DNS server A rogue DNS server used the sinkhole address to direct traffic to a known malicious domain. The internal host attempted to use DNS to resolve a known malicious domain into an IP address.
PAS-OS 7.0 introduced an automated correlation engine that analyzes log patterns and generates
correlation events visible in the new Application Command Center (ACC).
Which license must the firewall have to obtain new correlation objectives? Threat Prevention Application Center GlobalProtect URL Filtering.
Site-A and Site-have a site-to-site VPN set up between them. OSPF is configured to dynamically
create the routes between the sites. The OSPF configuration in Site-is configured properly, but the
route for the tunnel is not being established. The Site-interfaces in the graphic are using a broadcast
Link Type. The administrator has determined that the OSPF configuration in Site-is using the wrong
Link Type for one of its interfaces. Set tunnel.10 to p2p Set tunnel.10 to p2mp Set ethernet1/21 to p2mp Set ethernet1/21 to p2p.
A network security engineer for a large company has just installed a PA-5060 Firewall to isolate
the company's PCI environment from its production network. The company's network engineers
made configuration changes to the switches on both network segments, and connected them to
the new firewall.
Soon after the cutover, however, users began to complain about latency and some servers stopped
communicating. There are no security policies that deny traffic between the two network segments.
You suspect that there is an interface misconfiguration on ethernet1/1.
Which two commands should be used to troubleshoot the issue? (Choose two.) show interface management show interface ethernet1/1
show interface logical show interface hardware.
On March 10, 2016, between 11:00 am and 11:30 am, users reported that web-browsing traffic to
the IP address 1.1.1.1 failed.
Which filter can be applied to the traffic logs to show how many users were affected during this
time frame?
( time_generated leq `2016/03/10 11:30:00') and ( app is web-browsing ) ( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and
( addr.dst in 1.1.1.1) ( time_generated leq `2016/03/10 11:00:00') and ( time_generated geq `2016/03/10 11:30:00') and
( app eq web-browsing )
( time_generated geq `2016/03/10 11:00:00') and ( time_generated leq `2016/03/10 11:30:00') and
( app neq web-browsing ).
Server Message Block (SMB), a common file-sharing application, is slow when passing through a
Palo Alto Networks firewall. The Network Security Administrator created an application override
policy, assigning all SMB traffic to a custom application, to resolve the slowness issue.
Why does this configuration resolve the issue?
Security policy assignment is being done more efficiently. Zone Protection is no longer being applied Layer 7 processing has been disabled for SMB traffic. Layer 4 processing has been disabled for the SMB traffic.
QUESTION 139
The Network Security Administrator discovers that the company's NAT-aware SIP phone system
is not working properly through the Palo Alto Networks firewall, even though SIP traffic is being
allowed by policy.
Which configuration change can resolve this issue? Disable ALG within the security policy that permits SIP traffic Create an application override policy to assign all traffic to and from SIP phones to the sip
application Create a security policy that allows any traffic to and from SIP phones. Disable ALG within the SIP application.
Which two statements accurately describe how DoS Protection Profiles and Policies mitigate
attacks? (Choose two.)
They mitigate against volumetric attacks by leveraging known vulnerabilities, brute force methods,
amplification, spoofing, and other vulnerabilities. They mitigate against attacks on a zone basis by providing reconnaissance protection against TCP/
UDP port scans and host sweeps. They mitigate against attacks by providing resource protection by limiting the number of sessions
that can be used. They mitigate against attacks by utilizing "random early drop".
After Migrating from an ASA firewall to a Palo Alto Networks Firewall, the VPN connection between
a remote network and the Palo Alto Networks Firewall is not establishing correctly.
The following entry is appearing in the logs:
Pfs group mismatched: my:0 peer:2
Which setting should be changed on the Palo Alto Networks Firewall to resolve this error message? Update- the IPSec Crypto profile for the Vendor IPSec Tunnel from group2 to no-pfs. Update the IKE Crypto profile for the Vendor IKE gateway from no pfs to group2. Update the IKE Crypto profile for the Vendor IKE gateway from group2 to no pfs Update the IPSec Crypto profile for the Vendor IPSec Tunnel from no-pfs to group2.
Which three user authentication services can be modified to provide the Palo Alto Networks NGFW
with both usernames and role names? (Choose three.) TACACS+ Kerberos PAP LDAP SAML RADIUS.
|
