Title of test: PCNSE -TEST H
Description: (PCNSE) Palo Alto 330
Creation Date: 06/11/2024
Category: Others
Number of questions: 76
Content:
An engineer manages a high availability network and requires fast failover of the routing protocols. The engineer decides to implement BFD. Which three dynamic routing protocols support BFD? (Choose three.)
- OSPF
- IGRP
- OSPFv3 virtual link
- BGP
- RIP

A company has recently migrated their branch office’s PA-220s to a centralized Panorama. This Panorama manages a number of PA-7000 Series and PA-5200 Series devices. All device group and template configuration is managed solely within Panorama. They notice that commit times have drastically increased for the PA-220s after the migration. What can they do to reduce commit times?
- Disable “Share Unused Address and Service Objects with Devices” in Panorama Settings
- Perform a device group push using the “merge with device candidate config” option
- Update the apps and threat version using device-deployment.
- Use “export or push device config bundle” to ensure that the firewall is integrated with the Panorama config.

An administrator is troubleshooting why video traffic is not being properly classified. If this traffic does not match any QoS classes, what default class is assigned?
- 1
- 2
- 3
- 4

An administrator notices that an interface configuration has been overridden locally on a firewall. They require all configuration to be managed from Panorama and overrides are not allowed. What is one way the administrator can meet this requirement?
- Reload the running configuration and perform a Firewall local commit.
- Perform a commit force from the CLI of the firewall.
- Perform a template commit push from Panorama using the “Force Template Values” option
- Perform a device-group commit push from Panorama using the “Include Device and Network Templates” option.

Where can a service route be configured for a specific destination IP?
- Use Network > Virtual Routers, select the Virtual Router > Static Routes > IPv4
- Use Device > Setup > Services > Services
- Use Device > Setup > Services > Service Route Configuration > Customize > IPv4
- Use Device > Setup > Services > Service Route Configuration > Customize > Destination

Phase two of a VPN will not establish a connection. The peer is using a policy-based VPN configuration. What part of the configuration should the engineer verify?
- IKE Crypto Profile
- Security policy
- Proxy-IDs
- PAN-OS versions

Information Security is enforcing group-based policies by using security-event monitoring on Windows User-ID agents for IP-to-User mapping in the network. During the rollout, Information Security identified a gap for users authenticating to their VPN and wireless networks. Root cause analysis showed that users were authenticating via RADIUS and that authentication events were not captured on the domain controllers that were being monitored. Information Security found that authentication events existed on the Identity Management solution (IDM). There did not appear to be direct integration between PAN-OS and the IDM solution. How can Information Security extract and learn IP-to-user mapping information from authentication events for VPN and wireless users?
- Configure the integrated User-ID agent on PAN-OS to accept Syslog messages over TLS.
- Configure the User-ID XML API on PAN-OS firewalls to pull the authentication events directly from the IDM solution
- Add domain controllers that might be missing to perform security-event monitoring for VPN and wireless users
- Configure the Windows User-ID agents to monitor the VPN concentrators and wireless controllers for IP-to-User mapping.

An administrator troubleshoots an issue that causes packet drops. Which log type will help the engineer verify whether packet buffer protection was activated?
- Configuration
- Data Filtering
- Traffic
- Threat
An engineer creates a set of rules in a Device Group (Panorama) to permit traffic to various services for a specific LDAP user group. What needs to be configured to ensure Panorama can retrieve user and group information for use in these rules?
- A service route to the LDAP server
- A User-ID agent on the LDAP server
- A Master Device
- Authentication Portal

Review the information below. A firewall engineer creates a U-NAT rule to allow users in the trust zone access to a server in the same zone by using an external, public NAT IP for that server. Given the rule below, what change should be made to make sure the NAT works as expected?
- Change destination NAT zone to Trust_L3
- Change destination translation to Dynamic IP (with session distribution) using firewall eth1/2 address
- Change Source NAT zone to Untrust_L3.
- Add source Translation to translate original source IP to the firewall eth1/2 interface translation.

An engineer is configuring a template in Panorama which will contain settings that need to be applied to all firewalls in production. Which three parts of a template can an engineer configure? (Choose three.)
- Service Route Configuration
- Dynamic Address Groups
- NTP Server Address
- Antivirus Profile
- Authentication Profile

A firewall engineer reviews the PAN-OS GlobalProtect application and sees that it implicitly uses web-browsing and depends on SSL. When creating a new rule, what is needed to allow the application to resolve dependencies?
- Add SSL application to the same rule.
- SSL and web-browsing must both be explicitly allowed
- Add SSL and web-browsing applications to the same rule
- Add web-browsing application to the same rule.

In a security-first network, what is the recommended threshold value for apps and threats to be dynamically updated?
- 1 to 4 hours
- 6 to 12 hours
- 24 hours
- 36 hours

An engineer configures a specific service route in an environment with multiple virtual systems instead of using the inherited global service route configuration. What type of service route can be used for this configuration?
- Destination-Based Service Route
- Inherit Global Setting
- IPv6 Source or Destination Address
- IPv4 Source Interface

An administrator is receiving complaints about application performance degradation. After checking the ACC, the administrator observes that there is an excessive amount of VoIP traffic. Which three elements should the administrator configure to address this issue? (Choose three.)
- A QoS policy for each application
- An Application Override policy for the SIP traffic
- A QoS profile defining traffic classes
- QoS on the ingress interface for the traffic flows
- QoS on the egress interface for the traffic flows

What are three tasks that cannot be configured from Panorama by using a template stack? (Choose three.)
- Rename a vsys on a multi-vsys firewall
- Change the firewall management IP address
- Enable operational modes such as normal mode, multi-vsys mode, or FIPS-CC mode
- Add administrator accounts
- Configure a device block list

Based on the screenshots above, what is the correct order in which the various rules are deployed to firewalls inside the DATACENTER_DG device group?
- shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, shared default rules
- shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, DATACENTER_DG default rules
- shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, shared post-rules, DATACENTER_DG post-rules, shared default rules
- shared pre-rules, DATACENTER_DG pre-rules, rules configured locally on the firewall, DATACENTER_DG post-rules, shared post-rules, DATACENTER_DG default rules

A company wants to implement threat prevention to take action without redesigning the network routing. What are two best practice deployment modes for the firewall? (Choose two.)
- Virtual Wire
- Layer 2
- Layer 3
- TAP
Which operation will impact the performance of the management plane?
- Enabling DoS protection
- Enabling packet buffer protection
- Decrypting SSL sessions
- Generating a SaaS Application report

Which type of policy in Palo Alto Networks firewalls can use Device-ID as a match condition?
- Tunnel inspection
- NAT
- QoS
- DoS protection

Why would a traffic log list an application as "not-applicable"?
- There was not enough application data after the TCP connection was established.
- The TCP connection terminated without identifying any application data.
- The firewall denied the traffic before the application match could be performed.
- The application is not a known Palo Alto Networks App-ID.

What must be configured to apply tags automatically based on User-ID logs?
- Device ID
- Log settings
- Group mapping
- Log Forwarding profile

A firewall engineer creates a NAT rule to translate IP address 1.1.1.10 to 192.168.1.10. The engineer also plans to enable DNS rewrite so that the firewall rewrites the IPv4 address in a DNS response based on the original destination IP address and translated destination IP address configured for the rule. The engineer wants the firewall to rewrite a DNS response of 1.1.1.10 to 192.168.1.10. What should the engineer do to complete the configuration?
- Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Forward.
- Create a U-Turn NAT to translate the destination IP address 1.1.1.10 to 192.168.1.10 with the destination port equal to UDP/53
- Enable DNS rewrite under the destination address translation in the Translated Packet section of the NAT rule with the direction Reverse.
- Create a U-Turn NAT to translate the destination IP address 192.168.1.10 to 1.1.1.10 with the destination port equal to UDP/53.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is experiencing a failure of a monitored path?
- Initial
- Passive
- Active-secondary
- Tentative

You are auditing the work of a co-worker and need to verify that they have matched the Palo Alto Networks Best Practices for Anti-Spyware Profiles. For which three severity levels should single-packet captures be enabled to meet the Best Practice standard? (Choose three.)
- Critical
- High
- Medium
- Informational
- Low

In the New App Viewer under Policy Optimizer, what does the compare option for a specific rule allow an administrator to compare?
- Applications configured in the rule with their dependencies
- The security rule with any other security rule selected
- Applications configured in the rule with applications seen from traffic matching the same rule
- The running configuration with the candidate configuration of the firewall.

Given the following snippet of a WildFire submission log, did the end user successfully download a file?
- Yes, because the final action is set to "allow."
- No, because the action for the wildfire-virus is "reset-both."
- No, because the URL generated an alert.
- Yes, because both the web-browsing application and the flash file have the "alert" action.

Which two factors should be considered when sizing a decryption firewall deployment? (Choose two.)
- Number of security zones in decryption policies
- Encryption algorithm
- TLS protocol version
- Number of blocked sessions

After switching to a different WAN connection, users have reported that various websites will not load, and timeouts are occurring. The web servers work fine from other locations. The firewall engineer discovers that some return traffic from these web servers is not reaching the users behind the firewall. The engineer later concludes that the maximum transmission unit (MTU) on an upstream router interface is set to 1400 bytes. The engineer reviews the following CLI output for ethernet1/1. Which setting should be modified on ethernet1/1 to remedy this problem?
- Change the subnet mask from /23 to /24.
- Lower the interface MTU value below 1500
- Adjust the TCP maximum segment size (MSS) value.
- Enable the Ignore IPv4 Don't Fragment (DF) setting.

An engineer configures a new template stack for a firewall that needs to be deployed. The template stack should consist of four templates arranged according to the diagram.
- Values in Global Settings
- Values in Datacenter
- Values in efw01ab.chi
- Values in Chicago

An administrator configures two VPN tunnels to provide for failover and uninterrupted VPN service. What should an administrator configure to enable automatic failover to the backup tunnel?
- Replay Protection
- Zone Protection
- Tunnel Monitor
- Passive Mode

An administrator configures a site-to-site IPsec VPN tunnel between a PA-850 and an external customer on their policy-based VPN devices. What should an administrator configure to route interesting traffic through the VPN tunnel?
- Proxy IDs
- ToS Header
- GRE Encapsulation
- Tunnel Monitor

A firewall engineer creates a new App-ID report under Monitor > Reports > Application Reports > New Applications to monitor new applications on the network and better assess any Security policy updates the engineer might want to make. How does the firewall identify the New App-ID characteristic?
- It matches to the New App-IDs downloaded in the last 90 days.
- It matches to the New App-IDs in the most recently installed content releases
- It matches to the New App-IDs downloaded in the last 30 days.
- It matches to the New App-IDs installed since the last time the firewall was rebooted.

An engineer is monitoring an active/active high availability (HA) firewall pair. Which HA firewall state describes the firewall that is currently processing traffic?
- Passive
- Initial
- Active
- Active-primary

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.)
- Log Forwarding profile
- SSL decryption exclusion
- Email scheduler
- Login banner
- Dynamic updates

An organization wants to begin decrypting guest and BYOD traffic. Which NGFW feature can be used to identify guests and BYOD users, instruct them how to download and install the CA certificate, and clearly notify them that their traffic will be decrypted?
- Authentication Portal
- SSL Decryption profile
- SSL decryption policy
- comfort pages

Which two key exchange algorithms consume the most resources when decrypting SSL traffic? (Choose two.)
- ECDSA
- ECDHE
- RSA
- DHE

An engineer troubleshoots a Panorama-managed firewall that is unable to reach the DNS servers configured via a global template. As a troubleshooting step, the engineer needs to configure a local DNS server in place of the template value. Which two actions can be taken to ensure that only the specific firewall is affected during this process? (Choose two.)
- Override the DNS server on the template stack
- Configure the DNS server locally on the firewall
- Change the DNS server on the global template.
- Configure a service route for DNS on a different interface.

A consultant advises a client on designing an explicit Web Proxy deployment on PAN-OS 11.0. The client currently uses RADIUS authentication in their environment. Which two pieces of information should the consultant provide regarding Web Proxy authentication? (Choose two.)
- Kerberos or SAML authentication need to be configured.
- RADIUS is only supported for a transparent Web Proxy.
- RADIUS is not supported for explicit or transparent Web Proxy.
- LDAP or TACACS+ authentication need to be configured.

A customer wants to deploy User-ID on a Palo Alto Networks NGFW with multiple vsys. One of the vsys will support a GlobalProtect portal and gateway. The customer uses Windows Active Directory for authentication. What is the most operationally efficient way to redistribute the most accurate IP addresses to username mappings?
- Deploy a PAN-OS integrated User-ID agent on each vsys
- Deploy the GlobalProtect vsys as a User-ID data hub
- Deploy a M-200 as a User-ID collector
- Deploy Windows User-ID agents on each domain controller.

A security engineer wants to upgrade the company's deployed firewalls from PAN-OS 10.1 to 11.0.x to take advantage of the new TLSv1.3 support for management access. What is the recommended upgrade path procedure from PAN-OS 10.1 to 11.0.x?
- Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
- Optional: Download and install the latest preferred PAN-OS 10.1 release. Optional: Install the latest preferred PAN-OS 10.2 maintenance release. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x
- Required: Download PAN-OS 10.2.0 or earlier release that is not EOL. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.
- Required: Download and install the latest preferred PAN-OS 10.1 maintenance release and reboot. Required: Download PAN-OS 10.2.0. Required: Download and install the latest preferred PAN-OS 10.2 maintenance release and reboot. Required: Download PAN-OS 11.0.0. Required: Download and install the desired PAN-OS 11.0.x.

Which two actions must an engineer take to configure SSL Forward Proxy decryption? (Choose two.)
- Configure the decryption profile.
- Configure SSL decryption rules.
- Define a Forward Trust Certificate.
- Configure a SSL / TLS service profile.

A firewall engineer supports a mission-critical network that has zero tolerance for application downtime. A best-practice action taken by the engineer is to configure an Applications and Threats update schedule with a new App-ID threshold of 48 hours. Which two additional best-practice guideline actions should be taken with regard to dynamic updates? (Choose two.)
- Configure an Applications and Threats update schedule with a threshold of 24 to 48 hours.
- Click "Review Apps" after application updates are installed in order to assess how the changes might impact Security policy.
- Create a Security policy rule with an application filter to always allow certain categories of new App-IDs
- Select the action "download-only" when configuring an Applications and Threats update schedule.

When a new firewall joins a high availability (HA) cluster, the cluster members will synchronize all existing sessions over which HA port?
- HA1
- HA2
- HA3
- HA4

What can the Log Forwarding built-in action with tagging be used to accomplish?
- Forward selected logs to the Azure Security Center.
- Block the destination zones of selected unwanted traffic
- Block the source zones of selected unwanted traffic.
- Block the destination IP addresses of selected unwanted traffic.

An administrator notices interface ethernet1/2 failed on the active firewall in an active/passive firewall high availability (HA) pair. Based on the image below, what - if any - action was taken by the active firewall when the link failed?
- No action was taken because interface ethernet1/1 did not fail
- The active firewall failed over to the passive HA member due to an AE1 Link Group failure.
- No action was taken because Path Monitoring is disabled
- The active firewall failed over to the passive HA member because "any" is selected for the Link Monitoring "Failure Condition".

A firewall administrator wants to be able to see all NAT sessions that are going through a firewall with source NAT. Which CLI command can the administrator use?
- show session all filter nat source
- show running nat-rule-ippool rule “rule_name”
- show running nat-policy
- show session all filter nat-rule-source

An engineer needs to configure a standardized template for all Panorama-managed firewalls. These settings will be configured on a template named "Global" and will be included in all template stacks. Which three settings can be configured in this template? (Choose three.)
- Log Forwarding profile
- SSL decryption exclusion
- Tags
- Login banner
- Dynamic updates

All firewalls at a company are currently forwarding logs to Palo Alto Networks log collectors. The company also wants to deploy a syslog server and forward all firewall logs to the syslog server and to the log collectors. There is a known logging peak time during the day and the security team has asked the firewall engineer to determine how many logs per second the current Palo Alto Networks log collectors are processing at that particular time. Which method is the most time-efficient to complete this task?
- Navigate to Panorama > Managed Collectors, and open the Statistics window for each Log Collector during the peak time
- Navigate to ACC > Network Activity, and determine the total number of sessions and threats during the peak time
- Navigate to Monitor > Unified logs, set the filter to the peak time, and browse to the last page to find out how many logs have been received
- Navigate to Panorama > Managed Devices > Health, open the Logging tab for each managed firewall and check the log rates during the peak time.

A firewall engineer is configuring quality of service (QoS) policy for the IP address of a specific server in an effort to limit the bandwidth consumed by frequent downloads of large files from the internet. Which combination of pre-NAT and/or post-NAT information should be used in the QoS rule?
- Pre-NAT source IP address, Pre-NAT source zone
- Post-NAT source IP address, Pre-NAT source zone
- Pre-NAT source IP address, Post-NAT source zone
- Post-NAT source IP address, Post-NAT source zone

The decision to upgrade PAN-OS has been approved. The engineer begins the process by upgrading the Panorama servers, but gets an error when attempting the install. When performing an upgrade on Panorama to PAN-OS, what is the potential cause of a failed install?
- GlobalProtect agent version
- Outdated plugins
- Management only mode
- Expired certificates

Following a review of firewall logs for traffic generated by malicious activity, how can an administrator confirm that WildFire has identified a virus?
- By navigating to Monitor > Logs > Traffic, applying filter “(subtype eq virus)”
- By navigating to Monitor > Logs > Threat, applying filter “(subtype eq virus)”
- By navigating to Monitor > Logs > Threat, applying filter “(subtype eq wildfire-virus)”
- By navigating to Monitor > Logs > WildFire Submissions, applying filter “(subtype eq wildfire-virus)”.

A firewall engineer is managing a Palo Alto Networks NGFW which is not in line of any DHCP traffic. Which interface mode can the engineer use to generate Enhanced Application logs (EALs) for classifying IoT devices while receiving broadcast DHCP traffic?
- Virtual wire
- Layer 3
- Layer 2
- Tap

An administrator is considering deploying WildFire globally. What should the administrator consider with regards to the WildFire infrastructure?
- To comply with data privacy regulations, WildFire signatures and verdicts are not shared globally.
- Palo Alto Networks owns and maintains one global cloud and four WildFire regional clouds.
- Each WildFire cloud analyzes samples independently of the other WildFire clouds.
- The WildFire Global Cloud only provides bare metal analysis.

Which log type is supported in the Log Forwarding profile?
- User-ID
- GlobalProtect
- Configuration
- Tunnel
A firewall engineer needs to update a company’s Panorama-managed firewalls to the latest version of PAN-OS. Strict security requirements are blocking internet access to Panorama and to the firewalls. The PAN-OS images have previously been downloaded to a secure host on the network. Which path should the engineer follow to deploy the PAN-OS images to the firewalls?
- Upload the image to Panorama > Device Deployment > Software menu, and deploy it to the firewalls.
- Upload the image to Panorama > Device Deployment > Dynamic Updates menu, and deploy it to the firewalls
- Upload the image to Panorama > Software menu, and deploy it to the firewalls.
- Upload the image to Panorama > Dynamic Updates menu, and deploy it to the firewalls.

Which conditions must be met when provisioning a high availability (HA) cluster? (Choose two.)
- HA cluster members must be the same firewall model and run the same PAN-OS version.
- HA cluster members must share the same zone names
- Panorama must be used to manage HA cluster members
- Dedicated HA communication interfaces for the cluster must be used over HSCI interfaces.

Why are external zones required to be configured on a Palo Alto Networks NGFW in an environment with multiple virtual systems?
- To allow traffic between zones in different virtual systems while the traffic is leaving the appliance
- External zones are required because the same external zone can be used on different virtual systems
- To allow traffic between zones in different virtual systems without the traffic leaving the appliance
- Multiple external zones are required in each virtual system to allow the communications between virtual systems.

Which two are required by IPSec in transport mode? (Choose two.)
- Auto generated key
- NAT Traversal
- IKEv1
- DH-group 20 (ECP-384 bits)

A firewall engineer needs to patch the company’s Palo Alto Networks firewalls to the latest version of PAN-OS. The company manages its firewalls by using Panorama. Logs are forwarded to Dedicated Log Collectors, and file samples are forwarded to WildFire appliances for analysis. What must the engineer consider when planning deployment?
- Only Panorama and Dedicated Log Collectors must be patched to the target PAN-OS version before updating the firewalls.
- Panorama, Dedicated Log Collectors, and WildFire appliances must have the target PAN-OS version downloaded, after which the order of patching does not matter
- Panorama, Dedicated Log Collectors, and WildFire appliances must be patched to the target PAN-OS version before updating the firewalls.
- Only Panorama must be patched to the target PAN-OS version before updating the firewalls.

Which rule type controls end user SSL traffic to external websites?
- SSL Inbound Inspection
- SSH Proxy
- SSL Forward Proxy
- SSL Outbound Proxyless Inspection

An internal audit team has requested additional information to be included inside traffic logs forwarded from Palo Alto Networks firewalls to an internal syslog server. Where can the firewall engineer define the data to be added into each forwarded log?
- Custom Log Format within Device > Server Profiles > Syslog
- Built-in Actions within Objects > Log Forwarding Profile
- Logging and Reporting Settings within Device > Setup > Management
- Data Patterns within Objects > Custom Objects

When you troubleshoot an SSL Decryption issue, which PAN-OS CLI command do you use to check the details of the Forward Trust certificate, Forward Untrust certificate, and SSL Inbound Inspection certificate?
- show system setting ssl-decrypt certs
- show system setting ssl-decrypt certificate
- debug dataplane show ssl-decrypt ssl-stats
- show system setting ssl-decrypt certificate-cache

Which two items must be configured when implementing application override and allowing traffic through the firewall? (Choose two.)
- Application filter
- Application override policy rule
- Security policy rule
- Custom app

A firewall administrator is configuring an IPSec tunnel between Site A and Site B. The Site A firewall uses a DHCP assigned address on the outside interface of the firewall, and the Site B firewall uses a static IP address assigned to the outside interface of the firewall. However, the use of dynamic peering is not working. Refer to the two sets of configuration settings provided. Which two changes will allow the configurations to work? (Choose two.)
- Match IKE version on both firewalls.
- Configure Local Identification on Site B firewall.
- Enable NAT Traversal on Site B firewall
- Disable passive mode on Site A firewall.

Which server platforms can be monitored when a company is deploying User-ID through server monitoring in an environment with diverse directory services?
- Novell eDirectory, Microsoft Terminal Server, and Microsoft Active Directory
- Red Hat Linux, Microsoft Exchange, and Microsoft Terminal Server
- Novell eDirectory, Microsoft Exchange, and Microsoft Active Directory
- Red Hat Linux, Microsoft Active Directory, and Microsoft Exchange.

An engineer is monitoring an active/passive high availability (HA) firewall pair. Which HA firewall state describes the firewall that is currently processing traffic?
- Active-primary
- Active
- Active-secondary
- Initial

A root cause analysis investigation into a recent security incident reveals that several decryption rules have been disabled. The security team wants to generate email alerts when decryption rules are changed. How should email log forwarding be configured to achieve this goal?
- With the relevant system log filter inside Device > Log Settings
- With the relevant configuration log filter inside Device > Log Settings
- With the relevant configuration log filter inside Objects > Log Forwarding
- With the relevant system log filter inside Objects > Log Forwarding.

An engineer has been given approval to upgrade their environment to the latest version of PAN-OS. The environment consists of both physical and virtual firewalls, a virtual Panorama HA pair, and virtual log collectors. What is the recommended order of operational steps when upgrading?
- Upgrade the firewalls, upgrade log collectors, upgrade Panorama
- Upgrade the firewalls, upgrade Panorama, upgrade the log collectors
- Upgrade the log collectors, upgrade the firewalls, upgrade Panorama
- Upgrade Panorama, upgrade the log collectors, upgrade the firewalls.

An administrator has a Palo Alto Networks NGFW. All security subscriptions and decryption are enabled and the system is running close to its resource limits. Knowing that using decryption can be resource-intensive, how can the administrator reduce the load on the firewall?
- Use SSL Forward Proxy instead of SSL Inbound Inspection for decryption
- Use RSA instead of ECDSA for traffic that isn’t sensitive or high-priority.
- Use the highest TLS protocol version to maximize security
- Use ECDSA instead of RSA for traffic that isn’t sensitive or high-priority.

A firewall engineer has determined that, in an application developed by the company’s internal team, sessions often remain idle for hours before the client and server exchange any data. The application is also currently identified as unknown-tcp by the firewalls. It is determined that because of a high level of trust, the application does not need to be scanned for threats, but it needs to be properly identified in Traffic logs for reporting purposes. Which solution will take the least time to implement and will ensure the App-ID engine is used to identify the application?
- Create a custom application with specific timeouts and signatures based on patterns discovered in packet captures.
- Access the Palo Alto Networks website and complete the online form to request that a new application be added to App-ID
- Create a custom application with specific timeouts, then create an application override rule and reference the custom application.
- Access the Palo Alto Networks website and raise a support request through the Customer Support Portal.
What happens when the log forwarding built-in action with tagging is used?
- Selected logs are forwarded to the Azure Security Center.
- Destination zones of selected unwanted traffic are blocked.
- Destination IP addresses of selected unwanted traffic are blocked
- Selected unwanted traffic source zones are blocked.

Using the above screenshot of the ACC, what is the best method to set a global filter, narrow down Blocked User Activity, and locate the user(s) that could be compromised by a botnet?
- Click the hyperlink for the ZeroAccess.Gen threat
- Click the source user with the highest threat count.
- Click the left arrow beside the ZeroAccess.Gen threat.
- Click the hyperlink for the botnet Threat Category.

An engineer troubleshoots a high availability (HA) link that is unreliable. Where can the engineer view what time the interface went down?
- Monitor > Logs > Traffic
- Device > High Availability > Active/Passive Settings
- Monitor > Logs > System
- Dashboard > Widgets > High Availability

What is the best description of the Cluster Synchronization Timeout (min)?
- The maximum interval between hello packets that are sent to verify that the HA functionality on the other firewall is operational
- The maximum time that the local firewall waits before going to Active state when another cluster member is preventing the cluster from fully synchronizing
- The timeframe within which the firewall must receive keepalives from a cluster member to know that the cluster member is functional
- The time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

A firewall engineer creates a source NAT rule to allow the company’s internal private network 10.0.0.0/23 to access the internet. However, for security reasons, one server in that subnet (10.0.0.10/32) should not be allowed to access the internet, and therefore should not be translated with the NAT rule. Which set of steps should the engineer take to accomplish this objective?
- 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.10/32. 2. Check the box for negate option to negate this IP from the NAT translation.
- 1. Create a NAT rule (NAT-Rule-1) and set the source address in the original packet to 10.0.0.0/23. 2. Check the box for negate option to negate this IP subnet from NAT translation
- 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place (NAT-Rule-2) above (NAT-Rule-1).
- 1. Create a source NAT rule (NAT-Rule-1) to translate 10.0.0.0/23 with source address translation set to dynamic IP and port. 2. Create another NAT rule (NAT-Rule-2) with source IP address in the original packet set to 10.0.0.10/32 and source translation set to none. 3. Place (NAT-Rule-1) above (NAT-Rule-2).