cloud pcnse
Title of test: cloud pcnse

Description: cloud pcnse




Which two virtualization platforms officially support the deployment of Palo Alto Networks VM-Series firewalls? (Choose two.)

- Red Hat Enterprise Virtualization (RHEV).
- Kernel Virtualization Module (KVM).
- Boot Strap Virtualization Module (BSVM).
- Microsoft Hyper-V.

A user's traffic traversing a Palo Alto Networks NGFW sometimes can reach http://www.company.com. At other times the session times out. The NGFW has been configured with a PBF rule that the user's traffic matches when it goes to http://www.company.com. How can the firewall be configured to automatically disable the PBF rule if the next hop goes down?

- Create and add a Monitor Profile with an action of Wait Recover in the PBF rule in question.
- Create and add a Monitor Profile with an action of Fail Over in the PBF rule in question.
- Enable and configure a Link Monitoring Profile for the external interface of the firewall.
- Configure path monitoring for the next hop gateway on the default route in the virtual router.

What are two benefits of nested device groups in Panorama? (Choose two.)

- Requires configuring both function and location for every device.
- Reuse of the existing Security policy rules and objects.
- Overwrites local firewall configuration.
- All device groups inherit settings from the Shared group.

An administrator needs to implement an NGFW between their DMZ and Core network. EIGRP Routing between the two environments is required. Which interface type would support this business requirement?

- Layer 3 or Aggregate Ethernet interfaces, but configuring EIGRP on subinterfaces only.
- Tunnel interfaces to terminate EIGRP routing on an IPsec tunnel (with the GlobalProtect License to support LSVPN and EIGRP protocols).
- Layer 3 interfaces, but configuring EIGRP on the attached virtual router.
- Virtual Wire interfaces to permit EIGRP routing to remain between the Core and DMZ.

A speed/duplex negotiation mismatch is between the Palo Alto Networks management port and the switch port to which it connects. How would an administrator configure the interface to 1Gbps?

- set deviceconfig interface speed-duplex 1Gbps-full-duplex.
- set deviceconfig system speed-duplex 1Gbps-duplex.
- set deviceconfig system speed-duplex 1Gbps-full-duplex.
- set deviceconfig Interface speed-duplex 1Gbps-half-duplex.

Which method does an administrator use to integrate all non-native MFA platforms in PAN-OS® software?

- Okta.
- DUO.
- RADIUS.
- PingID.

Which three settings are defined within the Templates object of Panorama? (Choose three.)

- Setup.
- Virtual Routers.
- Interfaces.
- Security.
- Application Override.

A customer has an application that is being identified as unknown-tcp for one of their custom PostgreSQL database connections. Which two configuration options can be used to correctly categorize their custom database application? (Choose two.)

- Application Override policy.
- Security policy to identify the custom application.
- Custom application.
- Custom Service object.

Which three authentication services can an administrator use to authenticate admins into the Palo Alto Networks NGFW without defining a corresponding admin account on the local firewall? (Choose three.)

- Kerberos.
- PAP.
- SAML.
- TACACS+.
- RADIUS.
- LDAP.

If the firewall is configured for credential phishing prevention using the 'Domain Credential Filter' method, which login will be detected as credential theft?

- Mapping to the IP address of the logged in user.
- First four letters of the username matching any valid corporate username.
- Using the same user's corporate username and password.
- Matching any valid corporate username.

Which option is part of the content inspection process?

- Packet forwarding process.
- SSL Proxy re-encrypt.
- IPsec tunnel encryption.
- Packet egress process.

An administrator creates an SSL decryption rule decrypting traffic on all ports. The administrator also creates a Security policy rule allowing only the applications DNS, SSL, and web-browsing. The administrator generates three encrypted BitTorrent connections and checks the Traffic logs. There are three entries. The first entry shows traffic dropped as application Unknown. The next two entries show traffic allowed as application SSL. Which action will stop the second and subsequent encrypted BitTorrent connections from being allowed as SSL?

- Create a decryption rule matching the encrypted BitTorrent traffic with action "No-Decrypt," and place the rule at the top of the Decryption policy.
- Create a Security policy rule that matches application "encrypted BitTorrent" and place the rule at the top of the Security policy.
- Disable the exclude cache option for the firewall.
- Create a Decryption Profile to block traffic using unsupported cyphers, and attach the profile to the decryption rule.

Which option would an administrator choose to define the certificate and protocol that Panorama and its managed devices use for SSL/TLS services?

- Configure a Decryption Profile and select SSL/TLS services.
- Set up SSL/TLS under Policies > Service/URL Category > Service.
- Set up Security policy rule to allow SSL communication.
- Configure an SSL/TLS Profile.

Which protection feature is available only in a Zone Protection Profile?

- SYN Flood Protection using SYN Flood Cookies.
- ICMP Flood Protection.
- Port Scan Protection.
- UDP Flood Protections.

Which CLI command can be used to export the tcpdump capture?

- scp export tcpdump from mgmt.pcap to < username@host:path>.
- scp extract mgmt-pcap from mgmt.pcap to < username@host:path>.
- scp export mgmt-pcap from mgmt.pcap to < username@host:path>.
- download mgmt-pcap.

During the packet flow process, which two processes are performed in application identification? (Choose two.)

- Pattern based application identification.
- Application override policy match.
- Application changed from content inspection.
- Session application identified.

The administrator has enabled BGP on a virtual router on the Palo Alto Networks NGFW, but new routes do not seem to be populating the virtual router. Which two options would help the administrator troubleshoot this issue? (Choose two.)

- View the System logs and look for the error messages about BGP.
- Perform a traffic pcap on the NGFW to see any BGP problems.
- View the Runtime Stats and look for problems with BGP configuration.
- View the ACC tab to isolate routing issues.

An administrator has enabled OSPF on a virtual router on the NGFW. OSPF is not adding new routes to the virtual router. Which two options enable the administrator to troubleshoot this issue? (Choose two.)

- View Runtime Stats in the virtual router.
- View System logs.
- Add a redistribution profile to forward as BGP updates.
- Perform a traffic pcap at the routing stage.

Which virtual router feature determines if a specific destination IP address is reachable?

- Heartbeat Monitoring.
- Failover.
- Path Monitoring.
- Ping-Path.

An administrator has a requirement to export decrypted traffic from the Palo Alto Networks NGFW to a third-party, deep-level packet inspection appliance. Which interface type and license feature are necessary to meet the requirement?

- Decryption Mirror interface with the Threat Analysis license.
- Virtual Wire interface with the Decryption Port Export license.
- Tap interface with the Decryption Port Mirror license.
- Decryption Mirror interface with the associated Decryption Port Mirror license.

When is the content inspection performed in the packet flow process?

- after the application has been identified.
- before session lookup.
- before the packet forwarding process.
- after the SSL Proxy re-encrypts the packet.

An administrator has created an SSL Decryption policy rule that decrypts SSL sessions on any port. Which log entry can the administrator use to verify that sessions are being decrypted?

- In the details of the Traffic log entries.
- Decryption log.
- Data Filtering log.
- In the details of the Threat log entries.

An administrator has been asked to configure a Palo Alto Networks NGFW to provide protection against external hosts attempting to exploit a flaw in an operating system on an internal system. Which Security Profile type will prevent this attack?

- Vulnerability Protection.
- Anti-Spyware.
- URL Filtering.
- Antivirus.

An administrator using an enterprise PKI needs to establish a unique chain of trust to ensure mutual authentication between Panorama and the managed firewalls and Log Collectors. How would the administrator establish the chain of trust?

- Use custom certificates.
- Enable LDAP or RADIUS integration.
- Set up multi-factor authentication.
- Configure strong password authentication.

What will be the egress interface if the traffic's ingress interface is ethernet1/6 sourcing from 192.168.111.3 and to the destination 10.46.41.113 during the time shown in the image?

- ethernet1/7.
- ethernet1/5.
- ethernet1/6.
- ethernet1/3.

Which two options prevent the firewall from capturing traffic passing through it? (Choose two.)

- The firewall is in multi-vsys mode.
- The traffic is offloaded.
- The traffic does not match the packet capture filter.
- The firewall's DP CPU is higher than 50%.

An administrator has been asked to create 100 virtual firewalls in a local, on-premise lab environment (not in "the cloud"). Bootstrapping is the most expedient way to perform this task. Which option describes deployment of a bootstrap package in an on-premise virtual environment?

- Use config-drive on a USB stick.
- Use an S3 bucket with an ISO.
- Create and attach a virtual hard disk (VHD).
- Use a virtual CD-ROM with an ISO.

Which two benefits come from assigning a Decryption Profile to a Decryption policy rule with a `No Decrypt` action? (Choose two.)

- Block sessions with expired certificates.
- Block sessions with client authentication.
- Block sessions with unsupported cipher suites.
- Block sessions with untrusted issuers.
- Block credential phishing.

If an administrator wants to decrypt SMTP traffic and possesses the server's certificate, which SSL decryption mode will allow the Palo Alto Networks NGFW to inspect.

- TLS Bidirectional Inspection.
- SSL Inbound Inspection.
- SSH Forward Proxy.
- SMTP Inbound Decryption.

Which two methods can be used to verify firewall connectivity to AutoFocus? (Choose two.)

- Verify AutoFocus status using the CLI "test" command.
- Check the WebUI Dashboard AutoFocus widget.
- Check for WildFire forwarding logs.
- Check the license.
- Verify AutoFocus is enabled below Device Management tab.

Which DoS protection mechanism detects and prevents session exhaustion attacks?

- Packet Based Attack Protection.
- Flood Protection.
- Resource Protection.
- TCP Port Scan Protection.

Which three user authentication services can be modified to provide the Palo Alto Networks NGFW with both usernames and role names? (Choose three.)

- TACACS+.
- PAP.
- LDAP.
- SAML.
- RADIUS.
- Kerberos.

Which three authentication factors does PAN-OS® software support for MFA? (Choose three.)

- Push.
- Pull.
- Okta Adaptive.
- Voice.
- SMS.

VPN traffic intended for an administrator's firewall is being maliciously intercepted and retransmitted by the interceptor. When creating a VPN tunnel, which protection profile can be enabled to prevent this malicious behavior?

- Zone Protection.
- Replay.
- DoS Protection.
- Web Application.

A company wants to install a NGFW firewall between two core switches on a VLAN trunk link. They need to assign each VLAN to its own zone and to assign untagged (native) traffic to its own zone. Which option differentiates multiple VLANs into separate zones?

- Create V-Wire objects with two V-Wire interfaces and define a range of "0-4096" in the "Tag Allowed" field of the V-Wire object.
- Create V-Wire objects with two V-Wire subinterfaces and assign only a single VLAN ID to the "Tag Allowed" field of the V-Wire object. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.
- Create Layer 3 subinterfaces that are each assigned to a single VLAN ID and a common virtual router. The physical Layer 3 interface would handle untagged traffic. Assign each interface/subinterface to a unique zone. Do not assign any interface an IP address.
- Create VLAN objects for each VLAN and assign VLAN interfaces matching each VLAN ID. Repeat for every additional VLAN and use a VLAN ID of 0 for untagged traffic. Assign each interface/subinterface to a unique zone.

Which data flow describes redistribution of user mappings?

- User-ID agent to firewall.
- Domain Controller to User-ID agent.
- User-ID agent to Panorama.
- firewall to firewall.

Which two features does PAN-OS® software use to identify applications? (Choose two.)

- transaction characteristics.
- session number.
- port number.
- application layer payload.

When backing up and saving configuration files, what is achieved using only the firewall and is not available in Panorama?

- Load configuration version.
- Save candidate config.
- Export device state.
- Load named configuration snapshot.

An administrator just submitted a newly found piece of spyware for WildFire analysis. The spyware passively monitors behavior without the user's knowledge. What is the expected verdict from WildFire?

- Malware.
- Grayware.
- Phishing.
- Spyware.

Which GlobalProtect Client connect method requires the distribution and use of machine certificates?

- At-boot.
- Pre-logon.
- User-logon (Always on).
- On-demand.

Which feature can provide NGFWs with User-ID mapping information?

- Web Captcha.
- Native 802.1q authentication.
- GlobalProtect.
- Native 802.1x authentication.

Which Panorama administrator types require the configuration of at least one access domain? (Choose two.)

- Role Based.
- Custom Panorama Admin.
- Device Group.
- Dynamic.
- Template Admin.

In which two types of deployment is active/active HA configuration supported? (Choose two.)

- Layer 3 mode.
- TAP mode.
- Virtual Wire mode.
- Layer 2 mode.

For which two reasons would a firewall discard a packet as part of the packet flow sequence? (Choose two.)

- ingress processing errors.
- rule match with action "deny".
- rule match with action "allow".
- equal-cost multipath.

An administrator needs to upgrade an NGFW to the most current version of PAN-OS® software. The following is occurring: ✑ Firewall has internet connectivity through e 1/1. ✑ Default security rules and security rules allowing all SSL and web-browsing traffic to and from any zone. ✑ Service route is configured, sourcing update traffic from e1/1. ✑ A communication error appears in the System logs when updates are performed. ✑ Download does not complete. What must be configured to enable the firewall to download the current version of PAN-OS software?

- Static route pointing application PaloAlto-updates to the update servers.
- Security policy rule allowing PaloAlto-updates as the application.
- Scheduler for timed downloads of PAN-OS software.
- DNS settings for the firewall to use for resolution.